Introduction
At a Glance | |
---|---|
Product | Draytek Vigor 2830n plus Dual-WAN ADSL2/2+ Security Firewall (2830n plus) |
Summary | ADSL2+/Ethernet/3G USB WAN router with 4 port 10/100/1000 Ethernet switch, VPN endpoints and USB drive FTP and file sharing |
Pros | • Ethernet, ADSL2+ and 3G WWAN Support • Up and downlink bandwidth control • Gigabit LAN with Jumbo Frame Support • 32 PPTP, IPsec, L2TP VPNs |
Cons | • Configuration not for newbies • Documentation lacks examples • “Easy” VPN client isn’t |
The Vigor 2830n plus is Draytek’s newest multi-WAN xDSL router, supporting WAN connection via built-in ADSL2/2+ modem, Gigabit Ethernet or USB-connected 3G / 4G modem. Similar to Draytek’s other lines, the 2830 comes in two other models: the 2830 without wireless and the 2830Vn plus with wireless and two FXS ports for VoIP telephony. Also in the 2830 product pipeline are the 2830n and 2830Vn, which are versions with single-band N radios, due out in June.
The 2830n plus is housed in a white plastic case that can sit on a desk or be wall-mounted using the slots on the bottom. Like the 2920, which was the last Draytek we reviewed, all ports and indicator lights are on the front of the device, shown in Figure 1.
Figure 1: 2830n plus indicators
Note that one non-lighted switch serves to both start a Wi-Fi Protected Setup (WPS) pushbutton session and turn on and off the radio. This isn’t the greatest design, since it is easy to mis-time your button pushes and get an undesired result.
The back of the router has the power connector, power switch and three RP-SMA connectors for the supplied dual-band antennas.
Figure 2: 2830n plus connectors
Inside
Opening the 2830n plus case isn’t too helpful for component identification since both the CPU and switch devices are covered with ceramic heat spreaders. So I asked Draytek for the component details. It turns out that the 2830n plus and 2920 are very similar designs, with the former using an Infineon Danube-S clocked at 333 MHz and the latter using a Danube clocked at 133 MHz.
RAM and flash complements are the same at 64 MB and 8 MB, respectively, and both designs use an Atheros AR8316 Gigabit switch to provide the four LAN ports and one WAN port.
Figure 3: Vigor 2830n plus board
The radio is an Alpha Networks WMP-ND02 mini PCI card, using a Ralink RT2880F MIMO Wireless AP/Router SoC for the BB/MAC and Ralink RT2850L 2.4 / 5 GHz 2T3R transceiver.
Features
The 2830n plus shares many features with the last Draytek we reviewed, the Vigor 2920. Although the 2920 was reviewed with 3.3.3.1 firmware, the current web demo running 3.3.6.1 firmware presents a feature set very similar to the 2830n plus’.
The table below, pulled from the 2830 plus’ web page, summarizes its feature set.
Multi-WAN | Outbound Policy-based Load-balance | |||
BoD (Bandwidth On Demand) | ||||
WAN Connection Fail-over | ||||
WAN Protocol | ADSL2+ (WAN-1) | DHCP Client | ||
Static IP | ||||
PPPoE / PPPoA | ||||
BPA | ||||
Giga Ethernet (WAN-2) | DHCP Client | |||
Static IP | ||||
PPPoE | ||||
PPTP | ||||
L2TP | ||||
BPA | ||||
USB (WAN-3) | PPP | |||
VPN | Up to 32 VPN Tunnels | |||
Protocol : PPTP, IPSec, L2TP, L2TP over IPSec | ||||
Encryption : MPPE and Hardware-based AES / DES / 3DES | ||||
Authentication : MD5, SHA-1 | ||||
IKE Authentication : Pre-shared Key and Digital Signature (X.509) | ||||
LAN-to-LAN, Teleworker-to-LAN | ||||
DHCP over IPSec | ||||
IPSec NAT-traversal (NAT-T) | ||||
Dead Peer Detection (DPD) | ||||
VPN Pass-through | ||||
VPN Wizard | ||||
mOTP | ||||
Firewall | Multi-NAT / DMZ Host / Port-redirection / Open Port | |||
Object-based Firewall | ||||
MAC Address Filter | ||||
SPI (Stateful Packet Inspection) (Flow Track) | ||||
DoS / DDoS Prevention | ||||
IP address Anti-spoofing | ||||
E-Mail Alert and Logging via Syslog | ||||
Bind IP to MAC Address | ||||
Time Schedule Control | Firewall v3 | |||
Bandwidth Management | QoS | Guarantee Bandwidth for VoIP | ||
Class-based Bandwidth Guarantee by User-Defined Traffic Categories | ||||
DiffServ Code Point Classifying | ||||
4-level Priority for Each Direction (Inbound / Outbound) | ||||
Bandwidth Borrowed | ||||
Bandwidth / Session Limitation | ||||
Layer-2 (802.1 p) and Layer-3 (TOS/DSCP) QoS Mapping | ||||
CSM (Content Security Management) | IM/P2P Application V3 (App Enforcement) | |||
GlobalView Web Content Filter (Powered by Commtouch) | ||||
User Management | ||||
URL Content Filter | URL Keyword Blocking (Whitelist and Blacklist) | |||
Java Applet, Cookies, Active X, Compressed, Executable, Multimedia File Blocking | ||||
Excepting Subnets | ||||
Time Schedule Control | ||||
Network Feature | Packet Forwarding Acceleration | |||
DHCP Client / Relay / Server | ||||
IGMP Version 2 and Version 3 | ||||
Dynamic DNS | ||||
NTP Client | ||||
Call Scheduling | ||||
RADIUS Client | ||||
DNS Cache/Proxy | ||||
UPnP 30 sessions | ||||
Multiple Subnets | ||||
VLAN Tagging (802.1q) on LAN | ||||
Routing Protocol | Static Routing | |||
RIP V2 | ||||
USB | 3.5G/4G * as WAN – 3 | |||
Printer Sharing | ||||
File System | Support FAT32/FAT16 File System | |||
Support FTP Function for File Sharing | ||||
Network Management | Web-based User Interface (HTTP / HTTPS) | |||
Quick Start Wizard | ||||
CLI (Command Line Interface , Telnet / SSH) | ||||
Administration Access Control | ||||
Configuration Backup / Restore | ||||
Built-in Diagnostic Function | ||||
Firmware Upgrade via TFTP / FTP / HTTP / TR-069 | ||||
Logging via Syslog | ||||
SNMP Management MIB-II | ||||
Management Session Time Out | ||||
2-level Management (Admin/User Mode) | ||||
TR-069 | ||||
TR-104 | ||||
Switch | Port-based VLAN | |||
Triple-Play Application | ||||
IGMP Snooping | ||||
Tag-based (802.1 q) VLAN | ||||
Layer-2 (802.1 p) QoS |
Table 1: Vigor 2830n plus feature set
It’s hard to tell whether the 2830n plus brings additional routing features to the party over the 2920, since the downloadable product matrix doesn’t include the 2830 and the online spec sheets have slightly different formats. But given the design and firmware similarities, it appears that routing and VPN feature sets are essentially the same, with both products supporting a total of 32 site-to-site and client-to-gateway tunnels that can be mixes of PPTP, IPSec, L2TP and L2TP over IPSec.
One difference I could find by comparing the 2920 and 2830n online simulators was the 2830’s WAN > Multi-PVC menu (Figure 4) vs. the 2920’s WAN > Multi-VLAN menu (Figure 5). (PVCs [Permanent Virtual Circuit] are used in ATM networks.)
Figure 4: Vigor 2830 Multi-PVC menu
I think this difference is primarily due to the 2830’s ADSL2+ modem.
Figure 5: Vigor 2920 Multi-VLAN menu
It also looks like Draytek has granted Doug’s wish for 802.1q VLAN tagging (Figure 6). The 3.3.6.1 2920 firmware also expands the number of VLANs to 8 and enables SSIDs to be assigned to VLANs, but doesn’t support tagging on the LAN side.
Figure 6: 2830 VLAN with tagging
The 2830 supports three WAN connections, but only one each of Gigabit Ethernet, ADSL2+ and USB WWAN. The three connections can be configured for fail-over, “Outbound Policy-based Load-balance” and bandwidth-on-demand modes. I didn’t check any of these modes since Doug did a good job of that in the 2920 review. While you’re over there, you might as well read through the rest of the feature details, since the 2830 supports them too.
I asked Draytek about jumbo frame support because there aren’t any controls visible in the Web GUI. The answer was that they are supported, but you still need to set them up via the command line interface as Doug described.
The 2830’s Firewall features use the same hierarchical model, i.e. creating Objects and Profiles and then applying them to Rules. The menus are the same: NAT, Firewall, Objects, Users and Content Security Management (CSM). But I found a subtle difference in the NAT menu.
Figure 7 shows the Address Mapping page that is not present in the 2830n. This menu appears to support mapping multiple WAN IP addresses to internal LAN subnet ranges. But I say appears, because the feature isn’t described in the 2920 User Guide that I downloaded.
Figure 7: 2920 Address mapping menu
All the other Firewall-related menus appear to be the same, including the ability to activate subscription-based content filtering. You get a free 30 day trial of the CommTouch service when you register your new router. But after 30 days, the subscription costs $95 – $110 / year.
Doug liked the logging features better than I did, probably because he used the free syslog server software that you can download from Draytek. I tried to view logs via the web GUI, which first involved a trip to the System Maintenance > SysLog / Mail Alert page to enable syslog and point it to the 2830 itself. I then hit the Diagnostics > Web Firewall Syslog page (not present in the 2920) to view the log. Figure 8 shows the log from a successful L2TP / IPsec client connection as an example.
Figure 8: Example log
But I wouldn’t recommend this method. Each time I changed the Syslog Type dropdown, the log appeared to be cleared rather than just filtered. And this log method was no help in diagnosing failed VPN connects. I asked Draytek about this and they said the best approach is to use the Syslog tool.
The other tools in the Diagnostics menu that Doug liked in the 2920 (route table, ARP cache, DHCP table, NAT sessions, and the ping and traceroute tools) are also found in the 2830, along with the data flow monitor and traffic graph (Figure 9).
Figure 9: Traffic graph
USB
Like the 2920, the single USB port can share a USB printer, a USB drive or support a USB WWAN modem. I asked Draytek if the single port can be shared via a USB hub and found that it can. But since the 2830’s port provides only 500mA of current, you may need to use a powered USB hub if you’re attaching a power-hungry device like a WWAN modem.
Speaking of WWAN modems, the list of supported modems isn’t huge. This downloadable PDF lists the compatible USB modems and this one the compatible cellphones for all Draytek routers. The 2830’s list shows only a few mostly lesser-known (in the U.S.) Taiwanese brands supported. And more notably, none of the listed Novatel and Sierra modems are supported.
My experience with the drive sharing feature was similar to Doug’s. I mounted a FAT-formatted USB drive and ran the same robocopy-based file copy test used in the NAS Chart benchmarks. This test copies a ripped DVD folder containing mixed file sizes, including a handful of 1 GB VOB files.
When writing to the shared drive, only 32 of 38 files were copied because robocopy had trouble adjusting the copied file time stamp. But the write speed for the files it did copy averaged 1.6 MB/s.
For read, robocopy again had problems and couldn’t successfully read all the files, but still reported a 1.5 MB/s read rate.
I didn’t check FTP performance, but with lower overhead it would probably be a bit faster.
VPN
There are three options for remote access VPN connections: PPTP, L2TP with IPSec, and IPSec. I was able to make PPTP and L2TP with IPSec connections using the VPN client built into Windows 7. I also tried using version 4.0.0.4 of Draytek’s Smart VPN Client. But even though it told me that it was successfully connected to the 2830n, a tunnel didn’t show up in the router’s VPN connection status page and I had no connection to the router.
I asked Draytek about this and was told that the Smart VPN Client is just an interface that manipulates Microsoft’s VPN client. So you’re better off using an IPsec client that you are familiar with or using the native Windows client and using L2TP/IPsec.
Figure 10 shows a successful L2TP / IPsec tunnel made using the Windows 7 VPN client. All I had to do was enter the WAN IP address of the 2830n on the Windows VPN connection General tab, choose L2TP/IPsec on the Security tab (leaving the other defaults), enter the Preshared key on the Security tab Advanced Settings page and I was good to go.
Figure 10: Successful L2TP / IPsec tunnel
Note that if you just leave the Windows VPN client connection type as Automatic and all the Draytek VPN settings at defaults, you’ll get a PPTP connection.
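The client-side settings described above, scripted as an added example (not from the original review or from Draytek). It assumes Windows 8 / Server 2012 or later, where the built-in VpnClient cmdlets exist; the connection name and server address are placeholders. It pins the tunnel type to L2TP/IPsec, then flags any existing profile that could still end up on PPTP.

```powershell
# Added example: assumes Windows 8 / Server 2012 or later (VpnClient module).
$Name   = 'Vigor-L2TP'      # hypothetical connection name
$Server = '203.0.113.10'    # placeholder (documentation range) for the router's WAN IP
$Psk    = Read-Host 'Pre-shared key'   # typed at run time, not stored in the script

# Create the profile with the tunnel type pinned to L2TP/IPsec. Per the review,
# a client left on Automatic connects with PPTP when the router is at defaults.
if (-not (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $Name -ServerAddress $Server `
        -TunnelType L2tp -L2tpPsk $Psk `
        -EncryptionLevel Required -Force   # -Force suppresses the PSK confirmation prompt
}

# Review one VPN profile and list the settings that would allow PPTP
# or an unencrypted session.
function Test-VpnProfile {
    param([Parameter(Mandatory, ValueFromPipeline)] $Connection)
    process {
        $issues = @()
        if ($Connection.TunnelType -in 'Automatic', 'Pptp') {
            $issues += "tunnel type '$($Connection.TunnelType)' permits PPTP"
        }
        if ($Connection.EncryptionLevel -in 'NoEncryption', 'Optional') {
            $issues += "encryption level '$($Connection.EncryptionLevel)' permits cleartext"
        }
        [pscustomobject]@{
            Name       = $Connection.Name
            Server     = $Connection.ServerAddress
            TunnelType = $Connection.TunnelType
            Issues     = if ($issues) { $issues -join '; ' } else { 'none' }
        }
    }
}

# Check every VPN profile of the current user, including the one just created.
Get-VpnConnection | Test-VpnProfile | Format-Table -AutoSize
```

On the router side, the matching control is the one the review sets next: the Allowed Dial-In Type policy for L2TP with IPsec changed to Must.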
The only changes I made to the Remote Dial-In user page (Figure 11) were to enable the account, enter a username and password and change the Allowed Dial-In Type L2TP with IPsec policy to Must.
Figure 11: Remote dial-in user settings
IPsec General Settings were left at the defaults (Figure 12).
Figure 12: IPsec General settings
VPN Performance
I tested PPTP and L2TP / IPsec throughput using IxChariot’s throughput.scr script, with all defaults and changing only the test file size to 1,000,000 Bytes. Table 2 summarizes the results along with those for the 2920. Note that these results aren’t apples-to-apples because the 2920 was tested with iperf and the 2830n with IxChariot.
Test Description | 2920 Throughput – (Mbps) | 2830n plus Throughput – (Mbps) |
---|---|---|
Remote Access PPTP Client to Gateway | 19.9 | 17.8 |
Remote Access PPTP Gateway to Client | Not run | 18.5 |
Remote Access L2TP/IPsec Client to Gateway | 12.5 | 13.3 |
Remote Access L2TP/IPsec Gateway to Client | Not run | 11.7 |
Table 2: VPN throughput
Tunnel throughput is just about equal in both directions. Throughput falloff with the higher AES-128 encryption level used in the L2TP/IPsec connection is moderate. Figure 13 is a shot of an IxChariot test with data running in both directions simultaneously. Total tunnel throughput is about the same as the unidirectional tests. But note that Client to Gateway traffic gets more throughput than Gateway to Client.
Figure 13: L2TP simultaneous traffic throughput test
Routing Performance
The 2830n plus was tested using our router test process, using 3.3.6 firmware. The LAN side machine was put in DMZ and QoS had to be disabled on WAN2 (Ethernet). Otherwise all router defaults were used.
I was surprised to see throughput remain below 100 Mbps in all cases. But that’s probably fast enough for most of the places where the router will be used. Note that the Maximum Simultaneous Connections test maxed out at our test limit of 34,925.
Test Description | Throughput – (Mbps) |
---|---|
WAN – LAN | 78.3 |
LAN – WAN | 94.3 |
Total Simultaneous | 83.5 |
Max Simultaneous Connections | 34,925 |
Firmware Version | 3.3.6 |
Table 3: Routing throughput
Figure 14 shows the IxChariot aggregate plots for WAN to LAN, LAN to WAN and simultaneous routing throughput tests, with pretty steady throughput for all.
Figure 14: Draytek 2830n plus routing throughput
Wireless Features
The 2830n plus’ wireless feature set is surprisingly rich. You can step through the various screens in the gallery below to get a feel for the options, which are among the most complete I’ve seen.
General settings include multiple SSIDs, ability to isolate wireless clients from each other and from VPN clients and upload and download speed caps. All 5 GHz band channels are supported (36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161, 165).
Both Home and Enterprise (RADIUS) security modes are supported and note that WEP is still supported. Each SSID can have its own security settings.
MAC address filters for each SSID can be set in either black or white list mode.
Wi-Fi Protected setup lacks a control to reset it. The ‘Configured’ WPS status shown is incorrect because WPS was not in use.
WDS is supported in both bridge and repeater modes. WEP/WPA/WPA2 are all supported for encryption, but note the ‘WPA and WPA2 are not compitable with DrayTek WPA’ Note.
Here is where you change channel bandwidth. It defaults to 20/40.
These settings are best left alone.
This scanner helps to find WDS partners. Note the incorrect channel number for the 5 GHz AP shown.
This station list provides a quick way to add a STA to a MAC Access Control list.
But that doesn’t mean that everything works. I was unable to perform a Wi-Fi Protected Setup connection despite multiple attempts. My notebook with an Intel Wi-Fi Link 5300 AGN card normally detects routers with WPS active and asks me to enter the PIN code. But even after verifying that WPS was enabled on the 2830n, my client never detected it.
You should also note that the 2830n plus is not Wi-Fi Certified and does not default to 20 MHz bandwidth mode when the radio is set to the 2.4 GHz band.
Wireless Performance
I tested the 2830n plus using our wireless test process with a WPA2/AES secured connection in both bands and in 20 and 40 MHz bandwidth modes. I generated Performance Tables for both bands (Figures 15 and 16) and included another VPN router for comparison, the Cisco RV 220W.
Highest 2.4 GHz throughput of 68 Mbps was measured in Location A running uplink with the client set to 20/40 mode. Running a simultaneous up and downlink test yielded 87 Mbps in the same location and condition. So running multiple clients will get you somewhat higher total throughput.
The two routers appear evenly matched in 2.4 GHz performance with stronger signal levels. But in the weak signal locations E and F, the RV 220W clearly dominates, particularly in 40 MHz bandwidth mode.
Figure 15: 2.4 GHz wireless performance table
For the 5 GHz band, best case throughput of 73 Mbps was again found at Location A, running uplink in 40 MHz bandwidth mode. This time running up and downlink tests simultaneously didn’t boost throughput as much as it did in the 2.4 GHz band, with only 78 Mbps measured in Location A.
Once again, the RV 220W seems to do better than the 2830n plus overall. But neither could reach into the weak signal test locations E and F, where only one 5 GHz router / AP, the D-Link DIR-665, has gone before.
Figure 16: 5 GHz wireless performance table
Figure 17 shows the IxChariot throughput plot for the 2.4 GHz band, 20 MHz bandwidth mode, downlink. Throughput stability was pretty good.
Figure 17: IxChariot throughput plot, 2.4 GHz, 20 MHz mode, downlink
Here are links to the other plots if you’d like to check them out.
- 2.4 GHz / 20 MHz uplink
- 2.4 GHz / 20 MHz up and downlink
- 2.4 GHz / 40 MHz downlink
- 2.4 GHz / 40 MHz uplink
- 2.4 GHz / 40 MHz up and downlink
- 5 GHz / 20 MHz downlink
- 5 GHz / 20 MHz uplink
- 5 GHz / 20 MHz up and downlink
- 5 GHz / 40 MHz downlink
- 5 GHz / 40 MHz uplink
- 5 GHz / 40 MHz up and downlink
In general, the 2830n has the best performing and featured wireless section of the Draytek wireless routers we’ve tested.
Closing Thoughts
The Vigor 2830n plus is the most feature-rich VPN router we’ve seen yet from Draytek with flexible WAN connection options, firewall features typically found in routers costing much more and wireless capability that is well-suited to small-business use.
But I share Doug’s frustration with Draytek’s documentation, which doesn’t appear to have improved much since last December’s review. The 2830n’s manual has a few application examples, but none that helped me set up a successful IPsec connection using Draytek’s free SmartVPN client. The Smart VPN client – WinXP to Vigor Router – IPSec – Smart VPN Client online app note wasn’t much help either and didn’t reflect the settings available in the latest 4.0.0.4 Smart VPN version.
In all, I’m not as enthusiastic about Draytek as some of their fans in the forums are, especially for U.S. customers. While the feature set may be broad and reliability reportedly good, they are still essentially single-sourced from one web vendor ($362 from VoIPon.com) and support comes out of Taiwan via email.
I understand from Draytek that they are in the process of trying to reorganize their U.S. resources, which are a confusing mix of websites (us.draytek.com and draytek.us take you to two very different places). But I seem to have heard this story for a few years now and nothing has seemed to change.
If you want a lot of business class router for a very competitive price and don’t mind incomplete and confusing documentation and emailing support resources many time zones away, then Draytek should be on your VPN router short list. But if you want to be able to pick up the phone and get help or overnight warranty repair turnaround, then you’d best stick with Cisco or NETGEAR.