Draytek Vigor 2830n plus Dual-WAN ADSL2/2+ Security Firewall Reviewed

Photo of author

Tim Higgins

Introduction

Draytek 2830n Plus

At a Glance
Product Draytek Vigor 2830n plus Dual-WAN ADSL2/2+ Security Firewall (2830n plus)
Summary ADSL2+/Ethernet/3G USB WAN router with 4 port 10/100/1000 Ethernet switch, VPN endpoints and USB drive FTP and file sharing
Pros • Ethernet, ADSL2+ and 3G WWAN Support
• Up and downlink bandwidth control
• Gigabit LAN with Jumbo Frame Support
• 32 PPTP, IPsec, L2TP VPNs
Cons • Configuration not for newbies
• Documentation lacks examples
• “Easy” VPN client isn’t

The Vigor 2830n plus is Draytek’s newest multi-wan xDSL router, supporting WAN connection via built-in ADSL2/2+ modem, Gigabit Ethernet or USB-connected 3G / 4G modem. Similar to Draytek’s other lines, the 2830 comes in two other models; the 2830 without wireless and the 2830Vn plus with wireless and two FXS ports for VoIP telephony. Also in the 2830 product pipeline are the 2830n and 2830Vn, which are versions with single-band N radios, due out in June.

The 2830n plus is housed in a white plastic case that can sit on a desk or be wall-mounted using the slots on the bottom. Like the 2920, which was the last Draytek we reviewed, all ports and indicator lights are on the front of the device, shown in Figure 1.

Draytek 2830n plus indicators

Figure 1: 2830n plus indicators

Note that one non-lighted switch serves to both start a Wi-Fi Protected Setup (WPS) pushbutton session and turn on and off the radio. This isn’t the greatest design, since it is easy to mis-time your button pushes and get an undesired result.

The back of the router has the power connector, power switch and three RP-SMA connectors for the supplied dual-band antennas.

Draytek 2830n plus connectors

Figure 2: 2830n plus connectors

Inside

Opening the 2830n plus case isn’t too helpful for component identification since both the CPU and switch devices are covered with ceramic heat spreaders. So I asked Draytek for the component details. It turns out that the 2830n plus and 2920 are very similar designs, with the former using an Infineon Danube-S clocked at 333 MHz and the latter using a Danube clocked at 133 MHz.

RAM and flash complements are the same at 64 MB and 8 MB, respectively and both designs use an Atheros AR8316 Gigabit switch to provide the four LAN and one WAN ports.

Vigor 2830n plus board

Figure 3: Vigor 2830n plus board

The radio is an Alpha Networks WMP-ND02 mini PCI card, using a Ralink RT2880F MIMO Wireless AP/Router SoC for the BB/MAC and Ralink RT2850L 2.4 / 5 GHz 2T3R transceiver.

Features

The 2830n plus shares many features with the last Draytek we reviewed, the Vigor 2920. Although the 2920 was reviewed with 3.3.3.1 firmware. The current web demo running 3.3.6.1 firmware presents a feature set very similar to the 2830n plus’.

The table below, pulled from the 2830 plus’ web page summarizes its feature set.

Multi-WAN Outbound Policy-based Load-balance
BoD (Bandwidth On Demand)
WAN Connection Fail-over
WAN Protocol ADSL2+ (WAN-1) DHCP Client
Static IP
PPPoE / PPPoA
BPA
Giga Ethernet (WAN-2) DHCP Client
Static IP
PPPoE
PPTP
L2TP
BPA
USB (WAN-3) PPP
VPN Up to 32 VPN Tunnels
Protocol : PPTP, IPSec, L2TP, L2TP over IPSec
Encryption : MPPE and Hardware-based AES / DES / 3DES
Authentication : MD5, SHA-1
IKE Authentication : Pre-shared Key and Digital Signature (X.509)
LAN-to-LAN, Teleworker-to-LAN
DHCP over IPSec
IPSec NAT-traversal (NAT-T)
Dead Peer Detection (DPD)
VPN Pass-through
VPN Wizard
mOTP
Firewall Multi-NAT / DMZ Host / Port-redirection / Open Port
Object-based Firewall
MAC Address Filter
SPI (Stateful Packet Inspection) (Flow Track)
DoS / DDoS Prevention
IP address Anti-spoofing
E-Mail Alert and Logging via Syslog
Bind IP to MAC Address
Time Schedule Control Firewall v3
Bandwidth Management QoS Guarantee Bandwidth for VoIP
Class-based Bandwidth Guarantee by User-Defined Traffic Categories
DiffServ Code Point Classifying
4-level Priority for Each Direction (Inbound / Outbound)
Bandwidth Borrowed
Bandwidth / Session Limitation
Layer-2 (802.1 p) and Layer-3 (TOS/DSCP) QoS Mapping
CSM (Content Security Management) IM/P2P Application V3 (App Enforcement)
GlobalView Web Content Filter (Powered by Commtouch)
User Management
URL Content Filter URL Keyword Blocking (Whitelist and Blacklist)
Java Applet, Cookies, Active X, Compressed, Executable, Multimedia File Blocking
Excepting Subnets
Time Schedule Control
Network Feature Packet Forwarding Acceleration
DHCP Client / Relay / Server
IGMP Version 2 and Version 3
Dynamic DNS
NTP Client
Call Scheduling
RADIUS Client
DNS Cache/Proxy
UPnP 30 sessions
Multiple Subnets
VLAN Tagging (802.1q) on LAN
Routing Protocol Static Routing
RIP V2
USB 3.5G/4G * as WAN – 3
Printer Sharing
File System Support FAT32/FAT16 File System
Support FTP Function for File Sharing
Network Management Web-based User Interface (HTTP / HTTPS)
Quick Start Wizard
CLI (Command Line Interface , Telnet / SSH)
Administration Access Control
Configuration Backup / Restore
Built-in Diagnostic Function
Firmware Upgrade via TFTP / FTP / HTTP / TR-069
Logging via Syslog
SNMP Management MIB-II
Management Session Time Out
2-level Management (Admin/User Mode)
TR-069
TR-104
Switch Port-based VLAN
Triple-Play Application
IGMP Snooping
Tag-based (802.1 q) VLAN
Layer-2 (802.1 p) QoS
Table 1: Vigor 2830n plus feature set

It’s hard to tell whether the 2830n plus brings additional routing features to the party over the 2920, since the downloadable product matrix doesn’t include the 2830 and the online spec sheets have slightly different formats. But given the design and firmware similarities, it appears that routing and VPN feature sets are essentially the same, with both products supporting a total of 32 site-to-site and client-to-gateway tunnels that can be mixes of PPTP, IPSec, L2TP and L2TP over IPSec.

One difference I could find by comparing the 2920 and 2830n online simulators was the 2830’s WAN > Multi-PVC menu (Figure 4) vs. the 2920’s WAN > Multi-VLAN menu (Figure 5). (PVCs [Permanent Virtual Circuit] are used in ATM networks.)

Vigor 2830 Multi-PVC menu

Figure 4: Vigor 2830 Multi-PVC menu

I think this difference is primarily due to the 2830’s ADSL2+ modem.

Vigor 2920 Multi-VLAN menu

Figure 5: Vigor 2920 Multi-VLAN menu

It also looks like Draytek has granted Doug’s wish for 802.1q VLAN tagging (Figure 6). The 3.3.6.1 2920 firmware also expands the number of VLANs to 8 and enables SSID’s to be assigned to VLANs, but doesn’t support tagging on the LAN side.

2830 VLAN with tagging

Figure 6: 2830 VLAN with tagging

The 2830 supports three WAN connections, but only one each of Gigabit Ethernet, ADSL2+ and USB WWAN. The three connections can be configured for fail-over, “Outbound Policy-based Load-balance” and bandwidth-on-demand modes. I didn’t check any of these modes since Doug did a good job of that in the 2920 review. While you’re over there, you might as well read through the rest of the feature details, since the 2830 supports them too.

I asked Draytek about jumbo frame support because there aren’t any controls visible in the Web GUI. The answer was that they are supported, but you still need to set them up via the command line interface as Doug described.

The 2830’s Firewall features use the same hierarchical model, i.e. creating Objects and Profiles and then applying them to Rules. The menus are the same—NAT, Firewall, Objects, Users and Content Security Management (CSM.)—but I found a subtle difference in the NAT menu.

Figure 7 shows the Address Mapping page that is not present in the 2830n. This menu appears to support mapping multiple WAN IP addresses to internal LAN subnet ranges. But I say appears, because the feature isn’t described in the 2920 User Guide that I downloaded.

2920 Address mapping menu

Figure 7: 2920 Address mapping menu

All the other Firewall-related menus appear to be the same, including the ability to activate subscription-based content filtering. You get a free 30 day trial of the CommTouch service when you register your new router. But after 30 days, the subscription costs $95 – $110 / year.

Doug liked the logging features better than I did, probably because he used the free syslog server software that you can download from Draytek. I tried to view logs via the web GUI, which first involved a trip to the System Maintenance > SysLog / Mail Alert page to enable syslog and point it to the 2830 itself. I then hit the Diagnostics > Web Firewall Syslog page (not present in the 2920) to view the log. Figure 8 shows the log from a successful L2TP / IPsec client connection as an example.

Example log

Figure 8: Example log

But I wouldn’t recommend this method. Each time I changed the Syslog Type dropdown, the log appeared to be cleared rather than just filtered. And this log method was no help in diagnosing failed VPN connects. I asked Draytek about this and they said the best approach is to use the Syslog tool.

The other tools in the Diagnostics menu that Doug liked in the 2920 (route table, arp cache, DHCP table, and NAT sessions, ping and traceroute tool) are also found in the 2830, along with the data flow monitor and traffic graph (Figure 9).

Traffic graph

Figure 9: Traffic graph

USB

Like the 2920, the single USB port can share a USB printer, a USB drive or support a USB WWAN modem. I asked Draytek if the single port can be shared via a USB hub and found that it can. But since the 2830’s port provides only 500mA of current, you may need to use a powered USB hub if you’re attaching a power-hungry device like a WWAN modem.

Speaking of WWAN modems, the list of supported modems isn’t huge. This downloadable PDF lists the compatible USB modems and this one the compatible cellphones for all Draytek routers. The 2830’s list shows only a few mostly lesser-known (in the U.S.) Taiwanese brands supported. And more notably, none of the listed Novatel and Sierra modems are supported.

My experience with the drive sharing feature was similar to Doug’s. I mounted a FAT-formatted USB drive and ran the same robocopy-based file copy test used in the NAS Chart benchmarks. This test copies a ripped DVD folder containing mixed file sizes, including a handful of 1 GB VOB files.

When writing to the shared drive, only 32 of 38 files were copied because robocopy had trouble adjusting the copied file time stamp. But the write speed for the files it did copy averaged 1.6 MB/s.

For read, robocopy again had problems and couldn’t successfully read all the files, but still reported a 1.5 MB/s read rate.

I didn’t check FTP performance, but with lower overhead it would probably be a bit faster.

VPN

There are three options for remote access VPN connections: PPTP, L2TP with IPSec, and IPSec. I was able to make PPTP and L2TP with IPSec connections using the VPN client built into Windows 7. I also tried using version 4.0.0.4 of Draytek’s Smart VPN Client. But even though it told me that it was successfully connected to the 2830n, a tunnel didn’t show up in the router’s VPN connection status page and I had no connection to the router.

I asked Draytek about this and was told that the Smart VPN Client is just an interface that manipulates Microsoft’s VPN client. So you’re better off using an IPsec client that you are familiar with or using the native Windows client and using L2TP/IPsec.

Figure 10 shows a successful L2TP / IPsec tunnel made using the Windows 7 VPN client. All I had to do was enter the WAN IP address of the 2830n on the Windows VPN connection General tab, choose L2TP/IPsec on the Security tab (leaving the other defaults), enter the Preshared key on the Security tab Advanced Settings page and I was good to go.

Successful L2TP / IPsec tunnel

Figure 10: Successful L2TP / IPsec tunnel

Note that if you just leave the Windows VPN client connection type as Automatic and all the Draytek VPN settings at defaults, you’ll get a PPTP connection.

The only changes I made to the Remote Dial-In user page (Figure 11) were to enable the account, enter a username and password and change the Allowed Dial-In Type L2TP with IPsec policy to Must.

Remote dial-in user settings

Figure 11: Remote dial-in user settings

IPsec General Settings were left at the defaults (Figure 12).

IPsec General settings

Figure 12: IPsec General settings

VPN Performance

I tested PPTP and L2TP / IPsec throughput using IxChariot‘s throughput.scr script, with all defaults and changing only the test file size to 1,000,000 Bytes. Table 2 summarizes the results along with those for the 2920. Note that these results aren’t apples-to-apples because the 2920 was tested with iperf and the 2830n with IxChariot.

Test Description 2920
Throughput – (Mbps)
2830n plus
Throughput – (Mbps)
Remote Access PPTP
Client to Gateway
19.9 17.8
Remote Access PPTP
Gateway to Client
Not run 18.5
Remote Access L2TP/IPsec
Client to Gateway
12.5 13.3
Remote Access L2TP/IPsec
Gateway to Client
Not run 11.7
Table 2: VPN throughput

Tunnel throughput is just about equal in both directions. Throughput falloff with the higher AES-128 encryption level used in the L2TP/IPsec connection is moderate. Figure 13 is a shot of an IxChariot test with data running in both directions simultaneously. Total tunnel throughput is about the same as the unidirectional tests. But note that Client to Gateway traffic gets more throughput than Gateway to Client.

L2TP simultaneous traffic throughput test

Figure 13: L2TP simultaneous traffic throughput test

Routing Performance

The 2830n plus was tested using our router test process, using 3.3.6 firmware. The LAN side machine was put in DMZ and QoS had to be disabled on WAN2 (Ethernet). Otherwise all router defaults were used.

I was surprised to see throughput remain below 100 Mbps in all cases. But that’s probably fast enough for most of the places where the router will be used. Note that the Maximum Simultaneous Connections test maxed out at our test limit of 34,925.

Test Description Throughput – (Mbps)
WAN – LAN 78.3
LAN – WAN 94.3
Total Simultaneous 83.5
Max Simultaneous Connections 34,925
Firmware Version 3.3.6
Table 3: Routing throughput

Figure 14 shows the IxChariot aggregate plots for WAN to LAN, LAN to WAN and simultaneous routing throughput tests, with pretty steady throughput for all.

Draytek 2830n plus routing throughput

Figure 14: Draytek 2830n plus routing throughput

Wireless Features

The 2830n plus’ wireless feature set is surprisingly rich. You can step through the various screens in the gallery below to get a feel for the options, which are among the most complete I’ve seen.

Wireless General

General settings include multiple SSIDs, ability to isolate wireless clients from each other and from VPN clients and upload and download speed caps. All 5 GHz band channels are supported (36, 40, 44, 48, 52, 56, 60, 64, 149,153, 157, 161, 165)

Wireless Security

Both Home and Enterprise (RADIUS) security modes are supported and note that WEP is still supported. Each SSID can have its own security settings.

Wireless Access Control

MAC address filters for each SSID can be set in either black or white list mode.

WPS

Wi-Fi Protected setup lacks a control to reset it. The ‘Configured’ WPS status shown is incorrect because WPS was not in use.

WDS

WDS is supported in both bridge and repeater modes. WEP/WPA/WPA2 are all supported for encryption, but note the ‘WPA and WPA2 are not compitable with DrayTek WPA’ Note.

Wireless advanced

Here is where you change channel bandwidth. It defaults to 20/40.

WMM

These settings are best left alone.

AP Discovery

This scanner helps to find WDS partners. Note the incorrect channel number for the 5 GHz AP shown.

Station List

This station list provides a quick way to add a STA to a MAC Access Control list.

But that doesn’t mean that everything works. I was unable to perform a Wi-Fi Protected Setup connection despite multiple attempts. My notebook with an Intel Wi-Fi Link 5300 AGN card normally detects routers with WPS active and asks me to enter the PIN code. But even after verifying that WPS was enabled on the 2830n, my client never detected it.

You should also note that the 2830n plus is not Wi-Fi Certified and does not default to 20 MHz bandwidth mode when the radio is set to the 2.4 GHz band.

Wireless Performance

I tested the 2830n plus using our wireless test process with a WPA2/AES secured connection in both bands and in 20 and 40 MHz bandwidth modes. I generated Performance Tables for both bands (Figures 15 and 16) and included another VPN router for comparison, the Cisco RV 220W.

Highest 2.4 GHz throughput of 68 Mbps was measured in Location A running uplink with the client set to 20/40 mode. Running a simultaneous up and downlink test yielded 87 Mbps in the same location and condition. So running multiple clients will get you somewhat higher total throughput.

The two routers appear evenly matched in 2.4 Ghz performance with stronger signal levels. But in the weak signal locations E and F, the RV 220W clearly dominates, particularly in 40 MHz bandwidth mode.

2.4 GHz wireless performance table

Figure 15: 2.4 GHz wireless performance table

For the 5 GHz band, best case throughput of 73 Mbps was again found at Location A, running uplink in 40 MHz bandwidth mode. This time running up and downlink tests simultaneously didn’t boost throughput as much as it did in the 2.4 GHz band, with only 78 Mbps measured in Location A.

Once again, the RV 220W seems to do better than the 2830n plus overall. But neither could reach into the weak signal test locations E and F, where only one 5 GHz router / AP, the D-Link DIR-665, has gone before.

5 GHz wireless performance table

Figure 16: 5 GHz wireless performance table

Figure 17 shows the IxChariot throughput plot for the 2.4 GHz band, 20 MHz bandwidth mode, downlink. Throughput stability was pretty good.

IxChariot throughput plot, 2.4 GHz, 20 MHz mode, downlink

Figure 17: IxChariot throughput plot, 2.4 GHz, 20 MHz mode, downlink

Here are links to the other plots if you’d like to check them out.

In general, the 2830n has the best performing and featured wireless section of the Draytek wireless routers we’ve tested.

Closing Thoughts

The Vigor 2830n plus is the most feature-rich VPN router we’ve seen yet from Draytek with flexible WAN connection options, firewall features typically found in routers costing much more and wireless capability that is well-suited to small-business use.

But I share Doug’s frustration with Draytek’s documentation, which doesn’t appear to have improved much since last December’s review. The 2830n’s manual has a few application examples, but none that helped me set up a successful IPsec connection using Draytek’s free SmartVPN client. The Smart VPN client – WinXP to Vigor Router – IPSec – Smart VPN Client online app note wasn’t much help either and didn’t reflect the settings available in the latest 4.0.0.4 Smart VPN version.

In all, I’m not as enthusiastic about Draytek as some of their fans in the forums are, especially for U.S. customers. While the feature set may be broad and reliability reportedly good, they are still essentially single-sourced from one web vendor ($362 from VoIPon.com) and support comes out of Taiwan via email.

I understand from Draytek that they are in the process of trying to reorganize their U.S. resources, which are a confusing mix of websites (us.draytek.com and draytek.us take you to two very different places). But I seem to have heard this story for a few years now and nothing has seemed to change.

If you want a lot of business class router for a very competitive price and don’t mind incomplete and confusing documentation and emailing support resources many time zones away, then Draytek should be on your VPN router short list. But if you want to be able to pick up the phone and get help or overnight warranty repair turnaround, then you’d best stick with Cisco or NETGEAR.

Related posts

Amped Wireless RTA1200 High Power AC1200 Wi-Fi Router Reviewed

Updated - The Amped Wireless RTA1200 High Power AC1200 Wi-Fi Router is an expensive AC1200 class router that doesn't earn its premium price.

Ubiquiti UAP-LR (Long Range) Access Point Reviewed

The Ubiquiti's UAP-LR is a decent, inexpensive access point. But only partially lives up to its "Long Range" moniker.

Cisco Linksys E2500 Advanced Dual-Band N Router Reviewed

The Cisco Linksys E2500 High Performance Dual-Band N Router sports a significantly different design from its E3200 Gigabit sibling.