Updated 12/29/2010: Updated VLAN support info
Updated 12/13/2010: Updated web content filtering pricing
|At a Glance|
|Product||Draytek Vigor 2920 Dual-WAN Security Router (2920)|
|Summary||Wired dual-WAN router with 4 port 10/100/1000 Ethernet switch, VPN endpoints and FTP to USB drive|
|Pros||• Dual-WAN and 3G WWAN Support • Up and downlink bandwidth control • Gigabit LAN with Jumbo Frame Support|
|Cons||• Slow file transfer rates with USB FTP • Documentation lacks examples|
The Vigor 2920 is a new router from Draytek, an update to the previously reviewed 2910. The 2920 is one of three models in Draytek’s 2920 line. A “V” in the model name means the router has 2 FXS ports for VoIP applications, and an “n” in the model name means the router has 802.11n wireless capability. I’m going to cover the base level 2920.
Draytek calls the 2920 a “Dual-WAN Security Router,” aptly identifying its key differentiating features of multiple WAN ports and a highly configurable firewall. The 2920 has some improvements over the 2910, such as much higher routing throughput, greater USB functionality and Jumbo Frame support, but also moves to a subscription based Content Filtering service as opposed to the free service on the 2910.
The 2920 is enclosed in a black plastic case measuring 9.375” wide by 6.5” deep and 1.625” high. It is a table top design with rubber feet. All the ports and indicator lights are on the front of the device, shown in Figure 1.
Figure 1: Front view of 2920
The back of the router has the power connector and a power switch. The power cable has a smaller wall wart that plugs into an AC outlet. I always appreciate a power switch. If you’re power cycling a device, it is better to be able to use a switch than to have to pull out the cable and plug it back in.
Figure 2: Rear view of 2920
Draytek states the 2920’s chipset is the Infineon Danube chipset. The CPU is an Infineon 32 bit 133/266 MHz, coupled with 64 MB SDRAM and 8 MB of Flash memory. An Atheros AR8316 Gigabit switch handles the four LAN and one of the two WAN ports.
Figure 3: Vigor 2920 board
There is no cooling fan, making the 2920 completely silent. This is a nice feature for a device running in an office or on a desktop. The case seems large enough to permit decent airflow, and it never seemed warm to the touch during my testing.
Draytek surprised me with new firmware midway through writing this review, which changed and/or added functionality to the 2920. This new firmware, v3.3.6, adds new menu options, USB file and printer functionality, increased WAN functionality, jumbo frame capability, and changes several other features and functions on the router.
The release notes for this new firmware are in the download section of Draytek’s website, and an updated User Manual can be downloaded using the User’s Guide link on the product page. Draytek also summarizes v3.3.6 in a press release and has an online simulator. Note that this simulator is based on the original firmware, v3.3.1.
I hope Draytek adds examples to future user manuals. There is a FAQ section on their website with more detailed explanations. But it’s hard to bounce around from one source to another to figure out how to configure a device. As I mentioned in my review of the 2910, Draytek’s documentation is challenging to follow because it lacks examples and clear explanation on how to configure desired functions.
The menu in the 2920 is quite detailed, with 14 different menus, each with 3 to 11 submenus. Table 1 shows you the menu tree.
Table 1: Menu tree
Dual WAN Features
The 2920 is a dual WAN router with two Ethernet WAN ports plus a USB port that can function as a WAN port. WAN1 is the default WAN port, which operates at 100 Mbps. Obviously, WAN1 is intended to connect to your ISP, so the fact that it isn’t 1000 Mbps shouldn’t be an issue unless you have an unusually fast Internet service.
WAN2 is the other Ethernet WAN port; it operates at 1000 Mbps. The default configuration is for WAN1 to be primary, and WAN2 to be “Active on demand,” meaning WAN2 runs in a standby status.
I had no problem connecting WAN1 to a standard DSL service. To access the Internet through the 2920, you have to either use the Quick Start Wizard or manually configure a WAN interface. Either way, it is a couple of clicks and you’re able to surf.
To test WAN1 to WAN2 failover, I set up a continuous ping to the Internet, disconnected WAN1, and timed how long before my ping succeeded through WAN2. The 2920 consistently switched to WAN2 in approximately 15 seconds. Upon reconnecting WAN1, the 2920 automatically restored WAN1 within approximately 15 seconds and placed WAN2 back into standby.
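The failover timing described above can be taken from a timestamped ping log instead of a stopwatch. The following is an added example, not part of the original review; it assumes Linux iputils `ping -D -O` output, and the sample log, the address 192.0.2.1 and the function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Reply lines from `ping -D` look like:
#   [1292000000.123456] 64 bytes from 192.0.2.1: icmp_seq=7 ttl=56 time=20.1 ms
REPLY = re.compile(r"^\[(\d+\.\d+)\] \d+ bytes from .*icmp_seq=(\d+)")
SEQ_MOD = 65536  # icmp_seq is a 16-bit counter and wraps to 0


@dataclass
class Outage:
    start: float  # timestamp of the last reply before the gap
    end: float    # timestamp of the first reply after the gap
    lost: int     # probes that never got a reply

    @property
    def seconds(self) -> float:
        # Upper bound on the outage: the link may have failed any time
        # between the last good reply and the first lost probe.
        return self.end - self.start


def find_outages(lines, min_lost=1):
    """Return one Outage per run of at least min_lost unanswered probes."""
    outages = []
    prev = None  # (timestamp, icmp_seq) of the previous reply
    for line in lines:
        m = REPLY.match(line.strip())
        if not m:
            continue  # banner, "no answer yet", unreachable errors
        ts, seq = float(m.group(1)), int(m.group(2))
        if prev is not None:
            delta = (seq - prev[1]) % SEQ_MOD
            if delta == 0 or delta > SEQ_MOD // 2:
                continue  # duplicate or late (out-of-order) reply
            if delta - 1 >= min_lost:
                outages.append(Outage(prev[0], ts, delta - 1))
        prev = (ts, seq)
    return outages


# Constructed sample: primary WAN unplugged after icmp_seq=3,
# replies resume over the standby WAN at icmp_seq=18.
SAMPLE = """\
PING 192.0.2.1 (192.0.2.1) 56(84) bytes of data.
[1000.000000] 64 bytes from 192.0.2.1: icmp_seq=1 ttl=56 time=21.3 ms
[1001.001000] 64 bytes from 192.0.2.1: icmp_seq=2 ttl=56 time=20.9 ms
[1002.002000] 64 bytes from 192.0.2.1: icmp_seq=3 ttl=56 time=21.1 ms
[1004.003000] no answer yet for icmp_seq=4
[1005.004000] no answer yet for icmp_seq=5
[1017.050000] 64 bytes from 192.0.2.1: icmp_seq=18 ttl=54 time=48.0 ms
[1018.051000] 64 bytes from 192.0.2.1: icmp_seq=19 ttl=54 time=47.2 ms
"""

if __name__ == "__main__":
    for o in find_outages(SAMPLE.splitlines()):
        print(f"outage of {o.seconds:.1f} s, {o.lost} probes lost")
```

Running the same parser over a log that spans both the disconnect and the reconnect gives the failover and failback times as two separate outages.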
In addition to the two WAN ports, the 2920 has a USB port on the front which can be used to connect to a 3G wireless service. Draytek provides a list of supported 3G modems on their website. But it would be useful if Draytek identified supported carriers as well. So you need to find the make and model of your modem on your service provider’s supported model list to determine compatibility with the 2920.
I looked up 3G modems on both Verizon and AT&T wireless websites. Verizon advertises Qualcomm 3G CDMA and Qualcomm MSM7625 USB Modems. Neither Qualcomm modem is listed on the Draytek supported modem list. AT&T doesn’t list the make and model of its 3G USB Modems on their website. Bottom line, if you’re looking to use the USB port on the 2920, make sure your USB modem is compatible first.
In addition to basic failover and 3G support, the WAN ports can be configured for load balancing. Load balancing modes are “Auto Weighting” or “According to Line Speed.” The Auto Weighting options are to either run both WAN interfaces active at all times, or for one interface to be in “Active on demand” status as tested above.
The “According to Line Speed” option enables traffic distribution based on your WAN link speeds. (An easy way to measure your ISP speed is through a speed site, such as speedtest.net.) I set up WAN1 with twice the speed of WAN2 as shown in Figure 4, and then ran a simple traceroute to determine the interface the traffic flowed through.
Figure 4: Load Balancing setup
With the above configuration, my traffic went out WAN1 as expected. Configuring WAN2 with a higher speed than WAN1, my traffic went out WAN2 as expected.
Load Balancing Policies can be created to specify which types of traffic go over which interfaces. For example, you could configure all Web, Email and other TCP based traffic to go over WAN1, and VOIP or other UDP based traffic over WAN2, as shown in Figure 5.
Figure 5: Load Balancing policy
I found the 2920’s bandwidth management menus and features unchanged from those on the 2910, with three configuration options.
First, individual devices can be limited to how many sessions they can establish simultaneously. I tested this feature by setting up a limit of two sessions for my PC (based on IP address). I then opened two browser sessions at once, and was presented with the warning message shown in Figure 6.
Figure 6: Maximum sessions warning
Second, bandwidth can be limited by IP address. With this option, a maximum transmit and receive rate can be set per device, based on its IP address.
Third, the 2920 offers multiple QoS controls. Bandwidth can be allocated to three different user-defined classes of traffic. Traffic classes can be defined based on IP addresses, DSCP markings, or protocol. There are 29 defined protocols such as DNS, SIP, H.323, HTTP, etc…, and you can add your own protocol as needed.
As you can see in Figure 7, I’ve set up classes for Web, FTP, and VOIP traffic, allocating 25% of the available bandwidth to each protocol.
Figure 7: Bandwidth management
If you’re not using the front USB port for a 3G USB Modem, the 2920 supports sharing a USB printer or USB drive. Supported printers are listed here.
USB file sharing is a new feature on the 2920 with firmware v3.3.6. Draytek calls USB File Sharing the “DrayTek NAS facility.” I tested several USB drives with the 2920. My 1GB, 2GB, and 4GB thumb drives all were recognized by the 2920, but a SimpleTech 40GB USB drive was not. I used a Sandisk Cruzer 4GB USB drive for my tests.
Notes on the Draytek website indicate some external USB drives may require external power. My SimpleTech 40GB USB drive must be one of them. My SimpleTech 40GB USB drive runs fine on USB power from my laptop but unfortunately isn’t recognized by the 2920.
Once a USB drive is connected and recognized by the 2920, there is a USB indicator light on the front of the router that lights when the thumb drive is ready for use. Further, the Online Status menu of the 2920 has an icon of a thumb drive when a USB drive is detected, as shown in the top of Figure 8.
Figure 8: USB drive detected
A nice feature on the 2920 is the File Explorer option. This feature allows you to browse the content of the USB drive while connected to the router, enabling you to see the files you’re sharing from the router.
To drag and drop files via Windows Explorer with the 2920, you enable the Samba Service and create a USB user on the router. Once complete, I found the easiest way to connect to the shared drive was to browse to ftp://192.168.1.1, click Page, and then click Open FTP Site in Windows Explorer. From there, I was able to drag and drop files to/from my Windows desktop and the Draytek NAS.
I started by copying a 2.98 GB file from my laptop to the 2920 (write). I was a bit surprised when it said it was going to take 55 minutes, but I waited it out. It ended up taking 61 minutes for a write rate of 0.8 MB/s. Copying the same file from the 2920 to my laptop (read) was quicker; it completed in just under 30 minutes or about 1.6 MB/s.
I tried smaller files. Copying a 121 MB file to the Draytek took over 2 minutes, and copying it back to my laptop took just under 1 minute. A 2 MB file copies within seconds.
Bottom line, the "Draytek NAS facility" works, but it isn’t very fast (about 1 MB/s). It can come in handy for sharing pictures or other smaller files, but is pretty slow for large file operations.
The new firmware also enables jumbo frames on the 2920. Jumbo frame support isn’t documented anywhere in the manual or product datasheet, but was mentioned in the new firmware release notes.
Enabling jumbo frames required telneting to the router and poking through various command line interface (CLI) options. Fortunately, the Draytek CLI has a useful “?” help function.
I enabled jumbo frames with the commands “port jumbo size 9022” and “port jumbo on” as shown in Figure 9 below.
Figure 9: Jumbo frame command line enable
Note, the maximum supported frame size on the 2920 is 9022 bytes. I tested jumbo frames on the 2920 with two devices that support jumbo frames, one that supports up to 9000 byte frames and the other supports 7936 byte frames. Thus, the largest frame size I could test is 7936 bytes.
I’m happy to report that I was able to successfully pass 7936 byte frames between my two devices. I believe this is the first router I’ve tested with true jumbo frame support!
As with the 2910, the 2920 has basic VLAN capability in the form of physical port based VLANs. Each of the four LAN ports can be a member of one or more of VLAN0-VLAN3.
802.1q VLANs are not supported, however. I hope Draytek adds 802.1q in future firmware. I think 802.1q support is a useful feature, especially on a device that has so many different bandwidth management and QoS options.
Draytek’s new firmware adds support for VLAN tagging on the WAN interface only. This is an interesting choice. WAN interfaces can apply a VLAN ID on all outbound packets. Further, the new Multi-VLAN functionality, which is part of the WAN menu, allows for creating virtual interfaces on the WAN side. Additional functionality with VLANs on the WAN side is via the Bridge option in the WAN-Multi-VLAN menu. With this option, incoming packets with a VLAN tag can be forwarded to specific LAN interfaces.
The intent of my original statement was that I’d like to see VLAN capability on the LAN side, where I think it will have the most utility. Nevertheless, I applaud Draytek for their innovative use of VLAN technology on the WAN side.
There are three options for remote access VPN connections: PPTP, L2TP with IPSec, and IPSec. I tested all three options on a 32-bit Windows 7 laptop.
The disk that comes with the 2920 has a copy of Draytek’s Smart VPN Client 3.6.3 for IPSec client connections. Draytek’s website has a new version, 220.127.116.11, which is the version I used.
The configuration options are basic on both the router and the client software. On the router, set up user names and passwords, plus a pre-shared key if using L2TP with IPSec or IPSec. Figure 10 shows the configuration on the 2920 for creating a user name and password for a remote access PPTP VPN connection.
Figure 10: VPN user account setup
On the client software, enter the same settings as on the router, plus enter the IP or Host Name of the router. Figure 11 shows a screenshot of the Draytek VPN client software.
Figure 11: Draytek IPsec client configuration
The 2920 also supports standard IPSec options for creating a VPN tunnel between two or more routers. The 2920 can have up to 40 defined VPN tunnels, but only 2 can be active at any one time.
I tested the 2920 by setting up an IPSec tunnel to a Netgear SRX5308. The 2920 supports DES, 3DES and AES encryption and I set up a tunnel using 3DES. I created this tunnel early in my testing, and it stayed up continuously for days without fail.
As you can see in Figure 12, an IPSec tunnel is up between the 2920 and Netgear. At the same time, I have a remote access PPTP connection running.
Figure 12: VPN Connection status
I ran a basic iperf TCP test using all default values to measure throughput, which is the same methodology I use in all my reviews. This test measures TCP/IP throughput with a TCP window size of 8 KBytes.
Draytek rates the 2920 with up to 40 Mbps VPN throughput. Table 2 summarizes average throughput results over the remote access VPN and the Site-to-Site VPN tunnels tested. The fact that the 2920’s throughput fell short of the 40Mbps rating doesn’t surprise me. I haven’t tested a device yet that matched the manufacturer’s VPN throughput rating.
|Test Description||Throughput – (Mbps)|
|Remote Access PPTP||19.9|
|Remote Access L2TP w/ IPsec||12.5|
|Remote Access IPsec||17.8|
Table 2: VPN throughput
I used the SRX5308 to test Site-to-Site VPN with the 2920 because I had measured 42.6 Mbps throughput on the SRX5308 in my previous review. Thus, the SRX was not a limiting factor in the site-to-site test.
Testing and analysis by Tim Higgins
The 2920 was tested using our updated router test process, using 18.104.22.168 firmware. Since the 2910G routing throughput measured only in the high 20 Mbps range, the 2920’s performance is a definite improvement.
|Test Description||Throughput – (Mbps)|
|WAN – LAN||147.5|
|LAN – WAN||136.5|
|Max Simultaneous Connections||34,925|
Table 3: Routing throughput
Figure 13 shows the IxChariot aggregate plots for WAN to LAN, LAN to WAN and simultaneous routing throughput tests, with pretty steady throughput.
Figure 13: Draytek 2920 routing throughput
The new Maximum Simultaneous sessions test, which has a limit above 40,000 sessions, came through with a best case of just shy of 35,000 sessions.
The 2920 is a highly customizable security device for controlling network traffic. Configuration is hierarchical, meaning you can create Objects and Profiles and then apply them to various Rules as desired.
There are five menus devoted to security configurations: NAT, Firewall, Objects, Users and Content Security Management (CSM).
The NAT menu is where basic firewall configurations, such as opening ports, forwarding ports and setting up a DMZ are configured.
The Firewall menu is for configuring Traffic Filtering Rules and Denial of Service (DoS) prevention. Traffic Filtering and DoS options are highly detailed. You can create 12 different Traffic Filters using different combinations of CSM profiles, which I’ll describe shortly. Further, there are 15 different DoS attacks recognized by the 2920, as shown in Figure 14.
Figure 14: DoS attack defenses
The Object menu is where you’ll create custom traffic sources, destinations, or types that you want to filter. Specifically, this menu allows for defining single or groups of IP addresses, ranges or subnets; single or groups of traffic types by layer 4 protocol and port; single or groups of keywords; and file extensions.
The User menu is new as of firmware 3.3.6. I found this feature quite useful. It enables you to set web browsing and network access levels based on users. In a home, you could set up user names for kids and parents, with different levels of permissions. In a business, you can set up different levels of permissions based on employee responsibilities.
Note, the User menu determines whether the 2920 operates in either Rule-Based or User-Based mode. If Rule-Based is selected, traffic is filtered equally for all users, as on the 2910. If User-Based is selected, individual users must authenticate to the router and their network activity is controlled based on their allowed permissions.
I tested the 2920 configured as User-Based. I set up two users on the 2920, one restricted via the CSM features, the other unrestricted. The user menu allows you to create up to 200 different users. The 2920 also supports connecting to a RADIUS server for external user authentication. Individual users can be placed into groups, and security policies can be applied by individual or group.
Each user can be assigned a different policy defining their level of network access. Time limits and schedules for network access can be applied to each user as well.
The CSM menu is where you define specific traffic to filter. CSM on the 2920 has three elements: Application, URL, and Web Filtering.
The Application control, previously labeled as the IM/P2P menu in the original firmware, provides options for filtering Instant Messaging (IM) applications, Peer to Peer (P2P) applications, well known protocols, and various network services.
Filterable IM applications include both client and web based apps. There are 19 specific IM applications recognized by the 2920, as shown in Figure 15. I tested this functionality by configuring the 2920 to block access to Yahoo IM on my restricted user account, and permitted Yahoo IM on the other. It worked as expected and blocked access to Yahoo IM on the restricted user account and permitted Yahoo IM on the other user.
Figure 15: IM blocking
In addition to the IM filters, there are 17 recognized P2P applications, 20 well known protocols, and 63 miscellaneous protocols filterable by the 2920. As mentioned earlier in this section, additional traffic flows can be identified and filtered by port number in the Object menu.
URL filtering on the 2920 is done by keyword. Eight different URL profiles can be created, each using up to 200 different keywords for filtering. Keywords are defined in the Object menu, described previously. I set up a URL profile to block the word “yahoo,” assigned it to one of my users, and then tried to surf yahoo.com with that user. I received the message shown in Figure 16, confirming that the URL filter was blocking my web activity as intended.
Figure 16: URL filtering message
Updated 12/13/2010: Updated web content filtering pricing
Web filtering, also known as content filtering, is one of the biggest changes to the 2920 with firmware 3.3.6. This new firmware changed the router from using free web site categorization services to a subscription based service via a partnership with CommTouch. You get a free 30 day trial of the CommTouch service when you register your new router, but after 30 days, the subscription costs $95 – $110 / year.
Eight different web filtering profiles can be created. On each one, you can choose from 65 different categories of web sites to block or permit. The router menu has a handy link to CommTouch’s website to determine the category of a website.
When a user browses a site, it is first checked via CommTouch to determine its category. If the category matches a blocked category, the user is presented with a message such as shown in Figure 17.
Figure 17: Content filter message
I set up one rule to block websites and applied it to my restricted user account, and another rule to pass all websites for my unrestricted user account. When I opened a browser, I was prompted to enter my user name and password. I logged in with my restricted user account and was blocked from restricted sites with the messages shown in Figure 17. (This message can be customized.) Users stay authenticated unless they specifically log out or close all browser windows. Logging in as my unrestricted user allowed me to surf the blocked site.
The 2920 includes software to run a syslog server on a Windows PC, which has been updated over the version provided with the 2910. This software was useful for troubleshooting my configurations and examining the performance of the 2920. The new syslog software, v4.2.0 shown in Figure 18, adds tabs for collecting data on DoS attacks, CSM activity, network traffic, VPN traffic, and network statistics.
Figure 18: Syslog application
In addition to the syslog software, the 2920 has quite a few other useful network tools. The route table, arp cache, DHCP table, and NAT sessions table are viewable via menu options. A ping and traceroute tool are provided. As with the 2910, there is an option for monitoring data flows, as well as viewing traffic graphs, as shown in Figure 19.
Figure 19: Traffic graph
I pulled data from our Router Charts to compare throughput with several other Dual WAN routers I’ve tested. I looked at the Draytek 2920 compared to the older Draytek 2910G, as well as the Netgear SRX5308 and the NETGEAR 336G.
|WAN-LAN||LAN-WAN||Total Simultaneous Throughput||Max Connections||Price|
Table 4: Router performance comparison
As you can see, the 2920 is a nice upgrade from the 2910, significantly outperforming it in all throughput measurements. Further, the 2920 handily outperforms the older NETGEAR 336G as well. On the other hand, the 2920 isn’t in the same league for raw throughput as the NETGEAR SRX5308.
I put an asterisk next to the $190 price because Draytek told me the recommended list price of the 2920 is $190-210, the recommended list price on the 2920n is $230-250, and the recommended list price on the 2920Vn is $280-300.
This didn’t quite jibe with what I found on the web, though. The lowest price I could find for the 2920 was at guideband.com for $294. I also found the 2920n on Amazon for $347.00 and at DSLwarehouse.com for $335. So, no sign of Draytek’s suggested price. It looks like buyers could benefit from having Draytek widen its U.S. distribution, so that there could be some competition.
Overall, I liked the addition of the User Management features in the latest 3.3.6 firmware because they add to the overall security feature set. Gigabit LAN ports and higher throughput are also significant improvements over the 2910. The addition of jumbo frame support is a plus, even if it was a bit of a challenge to figure out.
But I remain disappointed with the user manual and documentation on Draytek products. I’ve configured a lot of different VPN devices, and I can usually figure things out without the manual. But for those with less experience, I think the 2920 will be a challenge.
In my review of the 2910, I was impressed that web filtering was free. So when I first got the 2920, I was pleased to see it was still free. But after I upgraded to the new firmware, free was no more and web filtering is now about $100 per year. Relatively speaking, this is comparable to other devices, such as the SonicWall TZ100W, where web filtering runs $95 / year. Nevertheless, I think Draytek should have found a way to keep web filtering free; it was one of the reasons I recommended the 2910.
I concluded my review of the 2910 saying I was “pleasantly surprised by the Draytek 2910G” and “it’s priced right,” with the weakness being throughput performance.
To conclude this review on the 2920, I am pleasantly surprised this time by the new features. I’m also pleased that throughput performance is no longer a weakness. When the 2920 becomes available in the US for $190-210 as Draytek says, I’ll say the same thing about the 2920 as I did the 2910—that it is a relatively inexpensive, yet effective, solution to control web traffic on a small network.