Earth Notes: On the Vigor 2862ac VDSL2 Router and WiFi: Setup How-To
Updated 2021-03-25 21:41 GMT.
By Damon Hart-Davis.
- Initial review 2019-06-09, updated 2020-08-08.
- Rating: 3.5 out of 5.
Initial review as of 2019-06-09: after a possible initial crash the Vigor seems to have been stable and reliable and maintaining a good connection for a few weeks now, and feels solidly consistent. This has not yet been tested for stability in hot weather, nor will I get a chance to play with its IPv6 or advanced routing features any time soon.
2020-08-08: even with two firmware upgrades, now at 126.96.36.199_BT, the device is unstable in a number of regards, eg 5GHz WiFi just going away, and generally getting more cranky over time and needing a monthly power cycling. Also one of our older laptops, running Windows 10, gets thrown off the 2.3GHz WiFi as much as several times per day. Disappointing for quite an up-market device, and with few obvious alternatives to handle the static allocation that I have.
The DrayTek Vigor 2862ac VDSL2 Security Firewall arrived from the ISP early afternoon 2019-05-02. I powered it up and measured power consumption (~9W) but did not plug it into the VDSL2/FTTC BT socket.
(The TG582n+ECI used ~12W between them. I'd like to reduce networking power load so that I can have the networking kit powered off-grid more of the time. I was attempting to eliminate the 8W of the TG582n with the RPi3 by folding networking functions into the server itself. I still hope to get there at some point soon. I hope that the Vigor is not too power-hungry in the interim.)
On the dispatch note the device was described as set up for TR-069 remote configuration, so rather than attempt to (re-/de-)configure it all myself, I called the ISP and asked a few questions:
- The Vigor can be plugged directly into the BT master socket from the DSL port, or into the ECI VDSL modem Ethernet from the WAN2 port. Which should I do?
- What password should I use to log in with to do any residual configuration such as setting the WiFi SSID and key? (I don't want to assume that the defaults listed in the manual are the right thing to use with TR-069 in place.)
- Which port or ports should I plug the RPi 2 into that uses my static IP block? With the TG582n as last provisioned by the ISP, one specific port was designated 'DMZ' and used for this, with everything else being NATted/DHCP, wired or WiFi.
The answer to the first was to go directly from Vigor to the FTTC line, the ECI now being considered obsolete.
Beyond that, no further visible progress was made today, and I am not around tomorrow. So I have to stick with my current flaky arrangement through the long weekend at least...
2019-05-07: False Start
The old router survived the long weekend relatively well, with even WiFi being sensible. Possibly due to me balancing the router upside down on its edge for better cooling. Possibly the cooler weather. Possibly whichever bad actor is paid to break remote systems taking the weekend off also...
After an unhelpful email and a couple of calls I finally got someone to start helping me set up the router enough for them to take over the main configuration at ~16:00. (The ISP had failed to set it up for remote provisioning before dispatch, again, I am told.) I left it plugged into the VDSL2 line for them to remotely footle. (My sites, etc, are down while this happens.)
By 17:30-ish when I called to check progress they had decided to defer it until tomorrow and to their third-line support, though say that they will restart at 07:30 if I plug it back in, so I can leave for a meeting in good time tomorrow morning.
(I almost certainly could now configure it myself faster, given that the basic outbound connection was working, ie I could get email and browse over the Vigor's WiFi, but I didn't want to wade into whatever configuration they might have had in place or in mind...)
2019-05-12: How To: Config from Scratch
More interaction with the ISP's support team resulted in a semi-bricked unit, which needed a factory reset to be able to do anything with it again. Setting up IPv4 routing for a static subnet is, as the ISP's CTO says, "a dying art", and it will almost certainly be easier all round if I do it.
This will be a quick how-to highlights, and does not cover all the bells and whistles. It'll help remind me when I need to revisit it!
How To Minimally Configure Vigor2862ac for FTTC/VDSL2 and Static Public IP Block
Time (including initial write-up):
(Note: some screenshots were taken after the configuration was largely complete.)
- Vigor2862ac modem/router
- Laptop (MacBook running macOS 10.14.4 Mojave)
- Ethernet cable and adapter for MacBook
- Factory-reset the Vigor if needed.
- (Starting from scratch rather than fiddling around with some existing half-baked config is likely to be easier and more secure.)
- Set the laptop's wired Ethernet to 'manual' configuration, NOT DHCP.
- Set the laptop wired port to be 192.168.1.10 (subnet mask 255.255.255.0), ie within the Vigor's LAN address space, and clear the 'Router' box.
- On the Mac's Network Preferences, click on the cog, select service order, and drag the wired interface below WiFi.
- (These steps should avoid the Vigor grabbing routing and DNS lookups, which it then can't usefully handle.)
- Connect the Vigor's LAN 1 port (192.168.1.X is routed to that port), and power up the Vigor if not already done.
- Point your browser at 192.168.1.1 and log in as
- Change the Vigor's admin password to something sensible and unguessable. Now. (Under "System Maintenance" in the main (left-hand-side) menu.)
- Under WAN >> Internet Access >> Details Page, set the (RADIUS/CHAP) Username and Password as supplied by the ISP, and set the MTU to 1460.
Routing the public static IP range
- Under LAN >> General Setup >> IP Routed Subnet >> Details Page, follow the DrayTek instructions to "Use a Public IP on LAN by IP Routed Subnet"...
- ... Enable IP Routed Subnet.
- ... Enter the IP Address for the router. Note that this could be the same as router's WAN IP. (It is for me, at X.X.X.65, and where the RPi3 got stuck)
- ... Enter the Subnet Mask according to ISP.
- ... Set up DHCP IP Pool, enable Use LAN Port... (For this use a chunk of the static space for DHCP leaving the perm hosts IPs free, and use a shortish (2h) lease time since there are not many available addresses. Enable these routes to LAN P1 and LAN P2.)
- (I could now, after the Vigor reboots, switch the Mac to talk to it from a fixed address in the static range, preferably neither in DHCP nor the fixed allocation used by the servers. But everything seems to still be happy with the 192.168.1.10 address for now.)
- [Non-critical] Under System Maintenance >> Time and Date, I have changed the NTP server to be one of my own.
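A sanity check for the address plan in the routed-subnet step above, as an added example (not code from this page or from DrayTek): it verifies that the router address, the fixed server addresses and the DHCP pool all fit in the ISP block without overlapping, and lists what is left over for a laptop's fixed address. The 203.0.113.64/29 block, the host names and the pool bounds are constructed placeholder values.

```python
import ipaddress

def _usable(net, ip):
    # Host address inside the block, excluding network and broadcast addresses.
    return ip in net and ip not in (net.network_address, net.broadcast_address)

def check_plan(subnet, router, pool_first, pool_last, fixed_hosts):
    """Return (problems, spare): plan errors and host addresses left unallocated."""
    net = ipaddress.ip_network(subnet)
    router_ip = ipaddress.ip_address(router)
    first = ipaddress.ip_address(pool_first)
    last = ipaddress.ip_address(pool_last)
    problems = []
    if not _usable(net, router_ip):
        problems.append(f"router {router_ip} is not a usable host in {net}")
    if first > last:
        problems.append(f"DHCP pool start {first} is above its end {last}")
    for edge in (first, last):
        if not _usable(net, edge):
            problems.append(f"DHCP pool edge {edge} is not a usable host in {net}")
    if first <= router_ip <= last:
        problems.append(f"DHCP pool contains the router address {router_ip}")
    taken = {router_ip: "router"}
    for name, text in fixed_hosts.items():
        ip = ipaddress.ip_address(text)
        if not _usable(net, ip):
            problems.append(f"{name} {ip} is not a usable host in {net}")
        if first <= ip <= last:
            problems.append(f"{name} {ip} sits inside the DHCP pool and could be leased out")
        if ip in taken:
            problems.append(f"{name} {ip} duplicates {taken[ip]}")
        taken.setdefault(ip, name)
    # Addresses that are neither the router, a fixed host, nor in the DHCP pool.
    spare = [str(ip) for ip in net.hosts()
             if ip not in taken and not first <= ip <= last]
    return problems, spare

# Constructed sample: 203.0.113.64/29 is a documentation range, not the author's block.
SUBNET, ROUTER = "203.0.113.64/29", "203.0.113.65"
SERVERS = {"rpi-web": "203.0.113.66", "rpi-dns": "203.0.113.67"}  # hypothetical hosts

if __name__ == "__main__":
    for pool in (("203.0.113.68", "203.0.113.69"), ("203.0.113.66", "203.0.113.71")):
        problems, spare = check_plan(SUBNET, ROUTER, *pool, SERVERS)
        print(pool, "OK" if not problems else problems, "spare:", spare)
```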
5GHz WiFi setup
- Under Wireless LAN(5G) >> General Setup, set local SSID.
- Under Wireless LAN(5G) >> Security Settings, set SSID 1 and local pre-shared key (PSK).
- Under Wireless LAN(5G) >> Access Point Discovery, do a scan to see what else is out there. (For me, 5 other APs.)
- Under System Maintenance >> Panel Control, enable sleep mode for the LED, and turn off one USB port leaving the other potentially to power my Loop network dongle.
- Under LAN >> Bind IP to MAC, enable, and set any fixed MAC addresses required. (Such as for my Enphase Envoy for simplicity in polling it from the RPi.) The Vigor has to be handling the appropriate address range to accept a binding.
- Shut down the Vigor, shut down and unplug the old router, plug in the Vigor to DSL and power up, and see if routing via 5G WiFi and to the static Web/DNS/etc IPs appears to be working. (If not, revert to old router and scratch head.)
2.4GHz WiFi setup
- Under Wireless LAN(2.4G) >> General Setup, set local SSID.
- Under Wireless LAN(2.4G) >> Security Settings, set SSID 1 and local pre-shared key (PSK).
- Under Wireless LAN(2.4G) >> Access Point Discovery, do a scan to see what else is out there. (For me, 14 other APs.)
- Under LAN >> General Setup, set LAN address to 192.168.0.1 to match previous router. (Requires subsequent access at 192.168.0.1.)
- Under Firewall >> General Setup, periodically review settings.
- Under System Maintenance >> Firmware Upgrade, periodically check that firmware is up to date, and upgrade if not. Note that my Firefox 66.0.5 / NoScript 10.6.1 prevented the "Check Firmware" popup from displaying the available upgrade; I switched briefly to Chrome (74).
Largely done after ~4h. A few loose ends to tie up, probably.
Seeing download speed of over 70Mbps, upload 16Mbps, ping 23ms, measured from my laptop connecting to the Vigor on 5G WiFi. (A matching test late at night gave a speed of 76/18Mbps.)
Power consumption from mains seems to be a fairly steady 9.2W. So lower than the TG+ECI combination.
Allow RPi to talk to LAN
DONE: allow RPi on static/public addresses to talk to Envoy on its NATted IP. A laptop on another NATted/DHCP IP is already able to do so. (Possibly just camp on an uncontended 192.168.0.X address statically, and see if the Vigor can support routing; client will have to bind to that LAN address explicitly somehow, eg
Restricted Guest Hotspot
TO DO: allow (restricted) guest access to the hotspot. Limit bandwidth, length of time, and block outgoing SPAMmy connections such as to a SMTP port directly.
Measure Power Supply Voltage
DONE: measure power-supply voltage to the Vigor with a view to being able to supply/'dump' from off-grid power (eg via ideal-diode) arrangement. Measure open-circuit and under typical (~9W) load. (Compare with existing 12V on-/off- grid supply also.) 2019-09-03: voltage for existing supply seemed close (~13V floating/unloaded) and Vigor seems happy with it, and draws ~11W off-grid via that supply.
12:28Z and all net traffic just stopped. Logging into the Vigor revealed an uptime of under a minute, ie it had just crashed and restarted. Not so good.
Other users have reported a number of outages today so far (by mid-afternoon).
I have turned back on remote status monitoring with SMSes, which I hope will now not gobble up all my credits!
I have also loaded the latest available firmware release for the Vigor.
2019-05-14: PPP Restart!
12:30Z: connectivity has been slow or lost (a Windows 10 client dropped the WiFi and refused to reconnect). Logging in to the Vigor shows that the VDSL2/PPPoE connection had restarted.
13:10Z: link down again.
I spoke to the ISP, and the ISP called back at the end of the day. I attempted a "quiet line test" as requested (17070 option 2), but my available handset is ancient and crackly, so hardly definitive. We have arranged for a BT Openreach visit.
I asked the ISP what it could see in terms of line drops from its side for the only full Vigor day so far (yesterday, Monday). Starting at about 13:30 BST the ISP saw nine drops in total. One of those was probably me trying to get some life back into the connection at ~10pm when a five minute job was being stretched to a two hour job by the rotten throughput, but most of the rest weren't!
Coming up to 100h with the DSL connection not restarted, and over 160h of the Vigor not restarted, and line error metrics fairly low and hardly moving, it looks like the FTTC connection is 'fixed' for now.
The profile is "17a" with bandwidth capped at 80/20Mbps (down/up).
The fix took several weeks and two routers (I haven't had a returns number from the ISP for the first one yet!) and many hours, and three engineer site visits. Eeek.
2019-07-02: Trouble at t'Mill?
The 5G WiFi seems to have gone off-line and attempts to scan for adjacent APs seem to hang the Web interface.
"System Up Time" is reported as 1136:20:23, and VDSL2/PPPoE uptime as 773:02:46.
Time to try a reboot...
Yes, after rebooting, 5G is back, and "AP Discovery" doesn't hang... So this router will need babysitting, just as the Technicolor did. Bah!
I just took an 'upgrade' to version
However, the device is now extremely unstable and I can barely even log into it over WiFi. Connectivity has been up and down many times in the few hours since the upgrade. It has been necessary to power cycle the device at least a couple of times by 3pm today to get even admin access to it.
Even the auto-logout feature of the admin console seems broken!
2019-12-14: Upgrade II
Now attempting upgrade to 188.8.131.52_BT. (Current version: 779517/773F01, 77B507/775401; upgrade version: 779517/773F01, 77B507/775401.)
After the upgrade the dashboard shows
Firmware Version | 184.108.40.206_BT
Build Date/Time | Oct 18 2019 11:45:17, and
DSL Version | 779517_A/B/C HW: A.
I have taken a config backup. It is opaque binary, which is unhelpful. (I have also kept a safe copy of the firmware binary.)
It's probably better than the TG582n, but bits of functionality fall over requiring manual intervention at least about weekly. Not all require power cycling (I can log into the Web interface and usually cycle individual WiFi frequencies, or more dramatically request a reboot). But it's sad for a fairly upmarket bit of equipment to be this flaky.
Maybe worst is that a laptop we were using for working from home with until very recently had difficulty maintaining a (2.3GHz) WiFi connection. That caused a lot of annoyance when using cloud services such as Google Drive and Office 365.
No newer firmware seems to be available.
220.127.116.11_BT seems to be the latest.
I've needed to cycle 5G and/or reboot the Vigor periodically, so there's still clearly some software nasties in there.
We've also had a fairly unstable FTTC/DSL connection for many days and longer, with sometimes several dropouts of service (of maybe up to a minute each) in a row.
Looking at the Vigor DSL status shows connection drops and training. This may currently be more a feature of a poor physical connection and some unusually wet weather mixed in (eg causing a first-time-ever leak in our shed too) than the Vigor's fault.
When I went for my daily lockdown walk, near the house were a couple of parked BT Openreach vans. The engineers were there to fix broadband for a house nearby, from failing aluminium cables. They weren't aware of any larger problem. (The fixee and I connect to the same cabinet; maybe if their modem isn't having to shout any more, our connection may get better too?*)
It remains disappointing that a relatively expensive bit of kit has enough internal flaws that this isn't the only annoyance...
2020-10-13: Line Fault?
I reported the problems to my ISP, and when their support chap looked at the Radius server he exclaimed! I believe that he saw maybe 20 line drops per day (or ~120 over a week), with the last few timings lining up with what I'd observed. So there's no attempt to claim that I'm making it all up!
The latest communication from the ISP includes:
... our next best step would be to go for a replacement router in which case I'll need to refer this to the Provisioning Team to arrange. The testing on the line is picking up a fault either close to or internal to the premises ...
I'm not inclined to believe that it really is a router fault. More like that dodgy line splice 50m up the line from us. But I don't know.
I also took the opportunity to wiggle the RJ45 cable (router to BT master box) fairly thoroughly at both ends to try and ensure good connections. Equivalent to a strategic "engineer's thump" AKA "percussive maintenance".
I really don't want to have to do another "How To" soon!
2020-10-14: Wiggle Power?
Likely unconnected to wiggling, etc, but as of 7pm BST the connection has been up for over 31 hours.
The connection may have been poor for some of that time (I experienced very bad audio in a Meet call 24h ago for a while for example), but it has been up.
I wanted to check link uptime this morning and firstly WiFi dropped out (and 5G didn't come back) more or less as soon as I connected.
Then the display changed to a cut-down sub-display with no means to escape (logout was not functional, browser reload did nothing).
So I had to power cycle the box. Not good.
It is possible that NoScript was interfering in some way. All is back now.
2021-03-25: Still Flaky
The router still seems to be very unreliable, given its spec and price.
To the extent that I wonder if it is being deliberately attacked somehow. I think I had that happen a long time back, over 20 years ago, with a borrowed router that could be (and apparently was) downed remotely without any credentials.