AN140001 - DrayTek - DMZ - ISP router

Application Note:-

To configure a DrayTek 2860 router to function behind a Sky router which is providing broadband internet access. The connection between the two routers is configured as a DMZ.

Application Note Reference: AN140001-DrayTek - DMZ - ISP router

Produced by: Tony Prout - IP Product Manager, Habitech

E-mail: [email protected]

Tel: 01420 540054

Document written: 17th June 2014

This application note describes introducing and using a DrayTek router as a ‘secondary’ router, allowing the ‘primary’ router, provided by the ISP (Internet Service Provider), to remain as the internet gateway (sometimes referred to as ‘modem mode’), typically monitored and supported by the ISP. This configuration is also known as a DMZ (an internet term, Demilitarised Zone) configuration.

As we move from broadband internet connectivity environments which simply supported one or two home PCs to an era of rapid growth in IP attached devices (PCs, laptops, printers, tablets, mobile phones, televisions, video and audio devices, NAS, CCTV, remote and intelligent Wi-Fi access points, control devices, and many more), complex router configurations and complex in-house network connectivity are becoming the norm. Relying on an ISP for the router element is no longer ideal.

ISPs include Virgin Media, Sky, BT, TalkTalk, PlusNet, and many others. This ‘primary’/‘secondary’ two router method would typically be introduced where the end environment requires a more complex router configuration, or more features, than the ISP’s router provides; the ISP’s router may not be capable of, or may not support, some of the more complex requirements. In this dual router method the ISP’s router is reduced to little more than an ISP monitored and managed device offering a gateway to the internet via a wide area circuit, typically broadband or cable.

The benefits of using this two router method include:

ISPs may not permit (as a condition of their service and support), and/or may charge for, non-standard or complex configurations on their standard routers. ISPs may use methods such as MAC Encapsulated Routing to ‘tie’ their router to the provided circuit, such that an alternate router cannot directly be used in its place.

Many of the more basic routers provided by ISPs, each competing in a busy cost and price driven market, are limited in capacity or processing power for the features they offer, such as firewalling, resulting in reduced upload/download speed. The Wi-Fi capability of ISPs’ standard routers may also be limited in anything other than basic configurations.

Moving between ISPs: with competing ISPs constantly offering new features, greater speeds and more competitive pricing, changing ISP is a simpler exercise if the ISP is simply providing internet access and a DMZ to a second router which provides the actual complex local configuration.

Those installing, configuring and subsequently monitoring and maintaining these systems need immediate, secure and often remote access to the router configurations and to the components they support inbound of the router, which form a key part of the services they provide.

A DMZ is introduced between the primary and secondary routers, allowing the ISP’s router to pass data packets to, and receive data packets from, the secondary (DrayTek in this case) router. The DrayTek router now assumes functions previously performed by the ISP router, such as firewalling and communicating with the devices on the local network, either wired or wireless.

This application note assumes that an existing, proven, stable ISP router and internet connection exists. This application note is a guide for individuals who are conversant with internet access elements such as routers, cables and IP addresses. This application note is not written for ‘first time users’.

Connect a laptop (with an appropriately configured Ethernet adapter, i.e. set to “obtain IP address automatically”) using an RJ45 cable to a LAN port on the 2860 router. A DrayTek v2860 ADSL/VDSL/3G Router, Code: DRA-V2860, is used in this application note.

The 2860 can be accessed via its default IP address, 192.168.1.1, entered in the laptop’s browser (for example: Internet Explorer).

This will produce the DrayTek Login panel (below); the default Username and default Password are both ‘admin’ (lower case).

Logging in will produce the ‘Dashboard’, a starting panel for all activities on the 2860.

In this example, the laptop is connected to LAN (port) 6 on the router; port 6 shows ‘lighted/green’ on areas of the dashboard display. At the top left of the dashboard is a dropdown which defaults to ‘Auto Logout’; this can be changed to ‘Off’, ‘1 min’, ‘3 min’ etc., which can help to avoid being logged out part way through a sequence of commands.

STEP ONE – CONFIGURE 2860 WAN PORT TO NETWORK OF ISP ROUTER

This example assumes the ISP LAN is IP network 192.168.0.1/24, which is the Sky default (each ISP has its own default IP settings).

The 2860 has four WAN ports: WAN1 is ADSL/VDSL, WAN2 is Ethernet, WAN3 and WAN4 are USB. The 2860 is to be connected to the ISP router using RJ45, from 2860 port WAN2 (Ethernet), thus 2860 WAN2 needs to obtain an address in the ISP LAN 192.168.0.1/24.

Choose ‘WAN’ in the list in the vertical bar on the left side of the ‘Dashboard’, and then choose ‘Internet Access’ from the options.

From the panel now within the main area of the display, select WAN2 (the port to be used in this configuration), and from the drop down options select ‘Static or Dynamic IP’.

The WAN2 ‘Details Page’ button will now become highlighted. Select the WAN2 ‘Details Page’ button. This produces the panel which follows.

Highlight ‘Enable’, highlight ‘Obtain IP Address Automatically’, and enter ‘Router Name’ (IP of ISP’s router, 192.168.0.1 in this instance). Select ‘OK’.

The DrayTek should soon acquire an IP address (from the ISP router’s DHCP range) on WAN2, as shown in the screen shot below. In this example 192.168.0.2 has been acquired. Note also the MAC address of WAN2 (00-1D-AA-B4-B5-4A in this instance).

The hardware environment built should now be similar to that shown in the diagram below.

The laptop attached to the 2860 will now be able to access the ISP’s router (via the newly created interconnection) to progress configuring the DMZ interconnection.

The Windows Command Prompt display below checks the connectivity set up in this application note. The Windows laptop is connected as per the diagram, and a ping to 192.168.0.1 (the Sky router, via the DrayTek) is successful. Likewise a tracert (traceroute) shows the DrayTek Vigor router and then the Sky router.
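The tracert check described above can be automated. The following is an added example, not part of the original application note: it parses Windows `tracert` output and reports whether the laptop reaches the Sky router through the DrayTek or is plugged straight into the ISP router. The function names and the sample outputs are assumptions constructed for illustration.

```python
import ipaddress
import re

# Addresses used in this application note (192.168.1.1 is the 2860's default).
DRAYTEK_LAN = ipaddress.ip_address("192.168.1.1")
ISP_ROUTER = ipaddress.ip_address("192.168.0.1")

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")   # "  1    <1 ms  ...  192.168.1.1"
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_tracert(output):
    """Return one entry per hop: an IPv4Address, or None if the hop timed out."""
    hops = []
    for line in output.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # banner, blank line or "Trace complete."
        found = IPV4.findall(m.group(2))
        # With name resolution the address comes last, in [brackets].
        hops.append(ipaddress.ip_address(found[-1]) if found else None)
    return hops

def classify_path(hops):
    """Say where the test laptop sits, judged by the route to the ISP router."""
    if hops == [DRAYTEK_LAN, ISP_ROUTER]:
        return "via-draytek"         # on the DrayTek LAN, as in this step
    if hops == [ISP_ROUTER]:
        return "direct-on-isp-lan"   # plugged into a spare ISP router port
    return "unexpected"              # timeouts, extra hops or wrong addresses

# Constructed samples in the layout Windows tracert prints (not captured output).
SAMPLE_VIA_DRAYTEK = """\
Tracing route to 192.168.0.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     1 ms     1 ms     1 ms  192.168.0.1

Trace complete.
"""
SAMPLE_TIMEOUT = """\
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     *        *        *     Request timed out.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_VIA_DRAYTEK, SAMPLE_TIMEOUT):
        print(classify_path(parse_tracert(sample)))
```
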

STEP TWO – RESERVE IP ADDRESS FOR DRAYTEK ROUTER ON THE ISP ROUTER

Open a second laptop browser and enter the default IP address of the ISP’s router (192.168.0.1, if Sky, as per this example).

Login will produce the Sky router ‘Status Summary’ display as shown below, in this instance showing that a connected device, Cabled, exists. This is the DrayTek 2860. The Sky router (in this test environment) is not connected to a broadband service, and thus has a status of ‘disconnected’.

Selecting any option on the Summary Status panel (such as SETUP, SECURITY, MAINTENANCE or ADVANCED in the top bar, or any of the options in the right side column, from Change Router Password down to Reboot Router) will require a User name/Password, entered into the following display.

The default User name is admin, the default Password is sky.

Having entered a valid User name and password, select MAINTENANCE and then ROUTER STATUS, which will show a more detailed version of the Summary Status. Of interest are the ADSL Port Network Type, which shows as MER/PPPoA, and the LAN Port MAC Address, which will be unique per Sky router (7c:03:4c:9d:0d:8c in this instance).

MER/PPPoA refers to MAC Encapsulated Routing (MER), which means that Sky have tied the MAC address of this router to the IP address they provide on the WAN (broadband/internet) link, such that only a Sky provided router can be used on their internet link.

However, as per this application note, setting up a DMZ from the Sky router, via a direct RJ45 cable connection into a DrayTek router with associated configuration, allows the Sky router to pass and receive data from the DrayTek router such that the DrayTek router can provide the major functions on the LAN, with the Sky router acting as little more than an interface to the broadband/internet.

Select the ADVANCED option from the top bar, and then select the LAN IP SETUP option, which produces a display as follows.

In the ‘Address Reservation’ area, select ‘ADD’. This produces the following display, which shows 192.168.0.2 (which is the DrayTek router’s connection to the Sky router).

Highlight the radio button for the device you wish to reserve (a choice of one in this example); this produces the following display.

Selecting ‘APPLY’ will complete this step.

This step reserves this IP address for the MAC of the DrayTek router’s WAN2, such that this IP address will always be allocated to the DrayTek (even after restarts, power off/on type events).

STEP THREE – CONFIGURE DMZ ON ISP ROUTER

The DrayTek router can now be set as a Default DMZ Server for the Sky router.

Now, select the ADVANCED option from the top bar, and then select the WAN SETUP option, which produces a display as follows.

Select (tick) the Default DMZ Server box and add the IP address (192.168.0.2 in this example), and enter 1500 in the ‘MTU Size (in bytes):’ field.

Note: The MTU Size is blank by default, but a message panel ‘MTU value can not be blank’ appears. Enter 1500, consistent with the setting in other areas of the router configuration.

The two routers are now configured as per the objective of this application note: “To configure a DrayTek 2860 router to function behind a Sky router which is providing broadband internet access. The connection between the two routers is configured as a DMZ.”
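With Default DMZ Server set, the Sky router forwards unsolicited inbound traffic to whichever device holds 192.168.0.2, so the reservation from Step Two and the DMZ address from Step Three have to agree. The following consistency check over the values used in this note is an added example, not part of the original document; the 192.168.1.0/24 DrayTek LAN prefix, the dictionary keys and the function names are assumptions.

```python
import ipaddress

def norm_mac(mac):
    """Reduce a MAC to 12 lowercase hex digits so '-' and ':' forms compare equal."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def check_plan(plan):
    """Return the problems found in a two-router DMZ plan (empty list = consistent)."""
    problems = []
    isp_if = ipaddress.ip_interface(plan["isp_lan"])    # ISP router LAN address/prefix
    inner = ipaddress.ip_network(plan["draytek_lan"])   # network behind the DrayTek
    reserved = ipaddress.ip_address(plan["reserved_ip"])
    dmz = ipaddress.ip_address(plan["dmz_ip"])
    if inner.overlaps(isp_if.network):
        problems.append("DrayTek LAN overlaps the ISP LAN; routing would be ambiguous")
    if reserved not in isp_if.network:
        problems.append("reserved address is outside the ISP LAN")
    if reserved == isp_if.ip:
        problems.append("reserved address is the ISP router itself")
    if dmz != reserved:
        problems.append("Default DMZ Server is not the reserved address; "
                        "another device could receive the forwarded traffic")
    if norm_mac(plan["reserved_mac"]) != norm_mac(plan["draytek_wan2_mac"]):
        problems.append("reservation is bound to a MAC other than DrayTek WAN2")
    if plan["mtu"] is None or plan["mtu"] > 1500:
        problems.append("MTU must be set and at most 1500 (the note enters 1500)")
    return problems

# Values from this application note; key names and MAC formatting are constructed.
NOTE_PLAN = {
    "isp_lan": "192.168.0.1/24",
    "draytek_lan": "192.168.1.0/24",        # assumed prefix for default 192.168.1.1
    "reserved_ip": "192.168.0.2",
    "dmz_ip": "192.168.0.2",
    "reserved_mac": "00:1d:aa:b4:b5:4a",    # colon form, as a reservation list might show
    "draytek_wan2_mac": "00-1D-AA-B4-B5-4A",
    "mtu": 1500,
}

if __name__ == "__main__":
    print(check_plan(NOTE_PLAN))
```
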

It is likely, in this two router environment, that the wireless/Wi-Fi facility of the ISP router would be disabled/turned off, and the wireless/Wi-Fi facility of the DrayTek router used. This avoids potential clashes/overlaps.

It is also likely, in the complex in-house connectivity which may exist, that wireless/Wi-Fi is not provided directly by either of the two routers, but via a dedicated high specification access point system such as Ruckus.

The RJ45 LAN ports of the ISP’s router which are not used in the DMZ configuration (i.e. those not connected to the DrayTek) will still be available for use from the ISP router. In the event of apparent internet access problems, a network device, such as a laptop, RJ45 connected to one of these ports on the ISP router could be used to identify whether the perceived problem was at ISP level or within the local network, as in the environment supported from the DrayTek.

This could be seen as a check similar to the ISP asking whether there is telephone dial tone on a circuit where broadband/ADSL problems are being experienced.

Check and test to ensure all expected and previously available wired and wireless/Wi-Fi connectivity and services continue to be available via the new two router environment before subsequent changes or additions are made.