Earth Notes: On the Vigor 2862ac VDSL2 Router and WiFi: Setup How-To

Updated 2024-10-20.
Read how replacing a failing Internet router with a slightly unusual configuration was ... fun ... but now all is well!
Replacing a TG582n router and BT Openreach ECI Telecom ON316150 FTTC modem combo that had become very flaky, repeatedly crashing over two or three weeks, with the DrayTek Vigor 2862ac... The problem is supporting a block of public fixed (static) IP addresses rather than just one or none, which seems almost beyond the wit of man these days.

Product: DrayTek Vigor 2862

Vigor2862ac just installed still rats nest
ADSL/VDSL Business Class Router/Firewall with 802.11ac Wireless.
  • Colour: white
  • MPN: V2862AC-K
  • GTIN/UPC/EAN: 4712909121873
    Review summary
    • DrayTek Vigor 2862
    • Initial review as of 2019-06-09: after a possible initial crash the Vigor seems to have been stable and reliable and maintaining a good connection for a few weeks now, and feels solidly consistent. This has not yet been tested for stability in hot weather, nor will I get a chance to play with its IPv6 or advanced routing features any time soon.

      2020-08-08: even with two firmware upgrades, now at 3.9.1.3_BT, the device is unstable in a number of regards, eg 5GHz WiFi just going away, and generally getting more cranky over time and needing a monthly power cycling. Also one of our older laptops, running Windows 10, gets thrown off the 2.3GHz WiFi as much as several times per day. Disappointing for quite an up-market device, and with few obvious alternatives to handle the static allocation that I have.

    • Pros:
      • supports static public address block
    • Cons:
      • flaky, needs daily auto-reboot to be reliable enough
      • 5G WiFi is particularly prone to stop working
    • Rating: 3.5/5

    2019-05-02: Arrival

    The DrayTek Vigor 2862ac VDSL2 Security Firewall arrived from the ISP early afternoon 2019-05-02. I powered it up and measured power consumption (~9W) but did not plug it into the VDSL2/FTTC BT socket.

    (The TG582n+ECI used ~12W between them. I'd like to reduce networking power load so that I can have the networking kit powered off-grid more of the time. I was attempting to eliminate the 8W of the TG582n with the RPi3 by folding networking functions into the server itself. I still hope to get there at some point soon. I hope that the Vigor is not too power-hungry in the interim.)

    (2019-09-03: Vigor consumption measured at ~11W drawn via the off-grid 'dump' supply. Some networking load will now be covered off-grid again.)

    TR-069

    On the dispatch note the device was described as set up for TR-069 remote configuration, so rather than attempt to (re-/de-)configure it all myself, I called the ISP and asked a few questions:

    • The Vigor can be plugged directly into the BT master socket from the DSL port, or into the ECI VDSL modem Ethernet from the WAN2 port. Which should I do?
    • What password should I use to log in with to do any residual configuration such as setting the WiFi SSID and key? (I don't want to assume that the defaults listed in the manual are the right thing to use with TR-069 in place.)
    • Which port or ports should I plug the RPi 2 into that uses my static IP block? With the TG582n as last provisioned by the ISP, one specific port was designated 'DMZ' and used for this, with everything else being NATted/DHCP, wired or WiFi.

    The answer to the first was to go directly from Vigor to the FTTC line, the ECI now being considered obsolete.

    Beyond that, no further visible progress was made today, and I am not around tomorrow. So I have to stick with my current flaky arrangement through the long weekend at least...

    2019-05-07: False Start

    The old router survived the long weekend relatively well, with even WiFi being sensible. Possibly due to me balancing the router upside down on its edge for better cooling. Possibly the cooler weather. Possibly whichever bad actor is paid to break remote systems taking the weekend off also...

    After an unhelpful email and a couple of calls I finally got someone to start helping me set up the router enough for them to take over the main configuration at ~16:00. (The ISP had failed to set it up for remote provisioning before dispatch, again, I am told.) I left it plugged into the VDSL2 line for them to remotely footle. (My sites, etc, are down while this happens.)

    By 17:30-ish when I called to check progress they had decided to defer it until tomorrow and to their third-line support, though say that they will restart at 07:30 if I plug it back in, so I can leave for a meeting in good time tomorrow morning.

    (I almost certainly could now configure it myself faster, given that the basic outbound connection was working, ie I could get email and browse over the Vigor's WiFi, but I did not want to wade into whatever configuration they might have had in place or in mind...)

    2019-05-12: How To: Config from Scratch

    More interaction with the ISP's support team resulted in a semi-bricked unit, which needed a factory reset to be able to do anything with it again. Setting up IPv4 routing for a static subnet is, as the ISP's CTO says, "a dying art", and it will almost certainly be easier all round if I do it.

    This will be a quick how-to of the highlights, and does not cover all the bells and whistles. It'll help remind me when I need to revisit it!

    How To Minimally Configure Vigor2862ac for FTTC/VDSL2 and Static Public IP Block

    Time (including initial write-up):

    (Note: some screenshots were taken after the configuration was largely complete.)

    Ingredients

    • Vigor2862ac modem/router
    • Laptop (MacBook running macOS 10.14.4 Mojave)
    • Ethernet cable and adapter for MacBook
    • Patience

    Preparation

    Vigor2862ac prep with laptop
    1. Factory-reset the Vigor if needed.
    2. (Starting from scratch rather than fiddling around with some existing half-baked config is likely to be easier and more secure.)
    3. Set the laptop's wired Ethernet to 'manual' configuration, NOT DHCP.
    4. Set the laptop wired port to be 192.168.1.10 (subnet mask 255.255.255.0), ie within the Vigor's LAN address space, and clear the 'Router' box.
    5. On the Mac's Network Preferences, click on the cog, select service order, and drag the wired interface below WiFi.
    6. (These steps should avoid the Vigor grabbing routing and DNS lookups, which it then can't usefully handle.)
    7. Connect the Vigor's LAN 1 port (192.168.1.X is routed to that port), and power up the Vigor if not already done.
    8. Point your browser at 192.168.1.1 and log in as admin.
    9. Change the Vigor's admin password to something sensible and unguessable. Now. (Under "System Maintenance" in the main (left-hand-side) menu.)

    Configuration

    1. Under WAN >> Internet Access >> Details Page, set the (RADIUS/CHAP) Username and Password as supplied by the ISP, and set the MTU to 1460. [Screenshot: Vigor2862ac VDSL2 setup]
    2. Routing the public static IP range [Screenshot: Vigor2862ac IP Routed Subnet button]
      1. Under LAN >> General Setup >> IP Routed Subnet >> Details Page, follow the DrayTek instructions to Use a Public IP on LAN by IP Routed Subnet...
      2. ... Enable IP Routed Subnet.
      3. ... Enter the IP Address for the router. Note that this could be the same as router's WAN IP. (It is for me, at X.X.X.65, and where the RPi3 got stuck)
      4. ... Enter the Subnet Mask according to ISP.
      5. ... Set up DHCP IP Pool, enable Use LAN Port... (For this use a chunk of the static space for DHCP leaving the perm hosts IPs free, and use a shortish (2h) lease time since there are not many available addresses. Enable these routes to LAN P1 and LAN P2.)
      6. (I could now, after the Vigor reboots, switch the Mac to talk to it from a fixed address in the static range, preferably neither in DHCP nor the fixed allocation used by the servers. But everything seems to still be happy with the 192.168.1.10 address for now.)
    3. [Non-critical] Under System Maintenance >> Time and Date, I have changed the NTP server to be one of my own. [Screenshot: Vigor2862ac NTP]
    4. 5GHz WiFi setup [Screenshot: Vigor2862ac 5GHz WiFi SSID]
      1. Under Wireless LAN(5G) >> General Setup, set local SSID.
      2. Under Wireless LAN(5G) >> Security Settings, set SSID 1 and local pre-shared key (PSK).
      3. Under Wireless LAN(5G) >> Access Point Discovery, do a scan to see what else is out there. (For me, 5 other APs.)
    5. Under System Maintenance >> Panel Control, enable sleep mode for the LED, and turn off one USB port leaving the other potentially to power my Loop network dongle. [Screenshot: Vigor2862ac LED sleep enable]
    6. Under LAN >> Bind IP to MAC, enable, and set any fixed MAC addresses required. (Such as for my Enphase Envoy for simplicity in polling it from the RPi.) The Vigor has to be handling the appropriate address range to accept a binding. [Screenshot: Vigor2862ac Bind IP fixed addresses by MAC]
    7. Shut down the Vigor, shut down and unplug the old router, plug in the Vigor to DSL and power up, and see if routing via 5G WiFi and to the static Web/DNS/etc IPs appears to be working. (If not, revert to old router and scratch head.) [Photo: Vigor2862ac just installed still rats nest]
    8. 2.4GHz WiFi setup [Screenshot: Vigor2862ac 2.4GHz WiFi setup]
      1. Under Wireless LAN(2.4G) >> General Setup, set local SSID.
      2. Under Wireless LAN(2.4G) >> Security Settings, set SSID 1 and local pre-shared key (PSK).
      3. Under Wireless LAN(2.4G) >> Access Point Discovery, do a scan to see what else is out there. (For me, 14 other APs.)
    9. Under LAN >> General Setup, set LAN address to 192.168.0.1 to match previous router. (Requires subsequent access at 192.168.0.1.) [Screenshot: Vigor2862ac LAN 0 X address change]
    10. Maintenance [Screenshot: Vigor2862ac Firmware Upgrade]
      1. Under Firewall >> General Setup, periodically review settings.
      2. Under System Maintenance >> Firmware Upgrade, periodically check that firmware is up to date, and upgrade if not. Note that my Firefox 66.0.5 / NoScript 10.6.1 prevented the "Check Firmware" popup from displaying the available upgrade; I switched briefly to Chrome (74).
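
The address planning behind steps 2 and 6, as an added example that is not part of the original write-up or of DrayTek's tooling: it checks that the router address, fixed hosts and DHCP pool fit the routed block without colliding, and lists Bind IP to MAC entries whose address is outside every range the router handles. The 203.0.113.64/29 block (a documentation range standing in for the real public block), the MAC addresses and the function names are assumptions.

```python
import ipaddress


def plan_routed_subnet(block, router_ip, fixed_hosts, dhcp_start, dhcp_count):
    """Check an IP Routed Subnet plan; return a summary or raise ValueError."""
    net = ipaddress.ip_network(block)  # strict: rejects e.g. 203.0.113.65/29
    usable = list(net.hosts())         # excludes network and broadcast addresses
    router = ipaddress.ip_address(router_ip)
    if router not in usable:
        raise ValueError(f"router address {router} is not usable in {net}")
    if dhcp_count < 1:
        raise ValueError("DHCP pool needs at least one address")

    first = ipaddress.ip_address(dhcp_start)
    pool = [first + i for i in range(dhcp_count)]
    for ip in pool:
        if ip not in usable or ip == router:
            raise ValueError(f"DHCP pool address {ip} is not free in {net}")

    fixed = {}
    for name, text in fixed_hosts.items():
        ip = ipaddress.ip_address(text)
        if ip not in usable or ip == router:
            raise ValueError(f"{name}: {ip} is not free in {net}")
        if ip in pool:
            raise ValueError(f"{name}: {ip} is inside the DHCP pool")
        if ip in fixed.values():
            raise ValueError(f"{name}: {ip} is already allocated")
        fixed[name] = ip

    taken = {router, *pool, *fixed.values()}
    return {
        "netmask": str(net.netmask),  # the value for the Subnet Mask field
        "router": str(router),
        "dhcp_pool": (str(pool[0]), str(pool[-1])),
        "fixed": {name: str(ip) for name, ip in fixed.items()},
        "spare": [str(ip) for ip in usable if ip not in taken],
    }


def unhandled_bindings(bindings, handled_subnets):
    """Return MACs whose bound IP is outside every subnet the router serves."""
    nets = [ipaddress.ip_network(s) for s in handled_subnets]
    return [mac for mac, ip in bindings.items()
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


# Constructed sample values: 203.0.113.0/24 is a documentation range (RFC 5737)
# standing in for the real public block; host name and MACs are invented.
SAMPLE_PLAN = dict(block="203.0.113.64/29", router_ip="203.0.113.65",
                   fixed_hosts={"server": "203.0.113.66"},
                   dhcp_start="203.0.113.68", dhcp_count=2)
SAMPLE_BINDINGS = {"02:00:00:00:00:01": "192.168.0.50",  # LAN range after step 9
                   "02:00:00:00:00:02": "192.168.1.50"}  # factory LAN range

if __name__ == "__main__":
    for key, value in plan_routed_subnet(**SAMPLE_PLAN).items():
        print(f"{key:10} {value}")
    print("bindings outside handled ranges:", unhandled_bindings(
        SAMPLE_BINDINGS, ["192.168.0.0/24", SAMPLE_PLAN["block"]]))
```

With a /29 only six addresses are usable, so the check is mostly about noticing when the DHCP pool has crept over a server's fixed address or onto the broadcast address.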

    Largely Done

    Largely done after ~4h. A few loose ends to tie up, probably.

    Seeing download speed of over 70Mbps, upload 16Mbps, ping 23ms, measured from my laptop connecting to the Vigor on 5G WiFi. (A matching test late at night gave a speed of 76/18Mbps.)

    (A similar speed test run on the evening of 2019-05-18, after the line had been seemingly stable for over 24h, and with "Interleave Depth 1096" on the downstream side, gave download ~63Mbps, upload ~18Mbps, ping 31ms. Maybe the interleaving on downstream is costing 8ms.)

    (The DSL line evidently restarted ~2019-05-19T03:00Z according to the Vigor diagnostics, though the Vigor itself has not restarted. The interleaving has gone and downstream is now 'FAST', and most downstream error counters are back at or near zero, eg UAS down from 69 to 28, CRC and FECS at zero, but LOS at 6. A speed test reports 73Mbps down, 18Mbps up, 33ms ping. A second test reports 74Mbps down, 18Mbps up, 23ms ping. A third test reports 72Mbps down, 18Mbps up, 27ms ping.)

    Power consumption from mains seems to be a fairly steady 9.2W. So lower than the TG+ECI combination.

    Allow RPi to talk to LAN

    DONE: allow RPi on static/public addresses to talk to Envoy on its NATted IP. A laptop on another NATted/DHCP IP is already able to do so. (Possibly just camp on an uncontended 192.168.0.X address statically, and see if the Vigor can sort routing; client will have to bind to that LAN address explicitly somehow, eg wget --bind-address=...)

    Add a new virtual interface to the RPi with an uncontended LAN address, eg:

    # DHD20190513: allow talking to devices on LAN.
    auto eth0:8
    iface eth0:8 inet static
        address 192.168.0.X
        netmask 255.255.255.0
        gateway A.B.C.D
    

    Then access using that interface address as the source address, eg:

    wget --bind-address=192.168.0.X http://192.168.0.Y/production.json
    

    Restricted Guest Hotspot

    TO DO: allow (restricted) guest access to the hotspot. Limit bandwidth, length of time, and block outgoing SPAMmy connections such as to a SMTP port directly.

    Measure Power Supply Voltage

    DONE: measure power-supply voltage to the Vigor with a view to being able to supply/'dump' from off-grid power (eg via ideal-diode arrangement). Measure open-circuit and under typical (~9W) load. (Compare with existing 12V on-/off- grid supply also.) 2019-09-03: voltage for existing supply seemed close (~13V floating/unloaded) and Vigor seems happy with it, and draws ~11W off-grid via that supply.

    2019-05-13: Crash!

    12:28Z and all net traffic just stopped. Logging into the Vigor revealed an uptime of under a minute, ie it had just crashed and restarted. Not so good.

    Other users have reported a number of outages today so far (by mid-afternoon).

    I have turned back on remote status monitoring with SMSes, which I hope will now not gobble up all my credits!

    I have also loaded the latest available firmware release for the Vigor.

    2019-05-14: PPP Restart!

    12:30Z: connectivity has been slow or lost (a Windows 10 client dropped the WiFi and refused to reconnect). Logging in to the Vigor shows that the VDSL2/PPPoE connection had restarted.

    13:10Z: link down again.

    I spoke to the ISP, and the ISP called back at the end of the day. I attempted a "quiet line test" as requested (17070 option 2), but my available handset is ancient and crackly, so hardly definitive. We have arranged for a BT Openreach visit.

    I asked the ISP what it could see in terms of line drops from its side for the only full Vigor day so far (yesterday, Monday). Starting at about 13:30 BST the ISP saw nine drops in total. One of those was probably me trying to get some life back into the connection at ~10pm when a five minute job was being stretched to a two hour job by the rotten throughput, but most of the rest were not!

    (2019-05-16: an Openreach phone (not broadband) engineer arrived (early, hurrah!) and found the line to be acceptably quiet from his testing. Advised me to chase ISP to get Openreach broadband engineer in ASAP, so I did.)

    (2019-05-17: Openreach broadband engineer found a bad crimp kills fibre two inspection hatches up and thus eliminated a blip he found 30m from my master socket by TDR. Magic. Has fixed joint and replaced the master socket. Let's see if this sorts it.)

    2019-05-23: Stable?

    Vigor2862ac DSL tones graph screenshot

    Coming up to 100h with the DSL connection not restarted, and over 160h of the Vigor not restarted, and line error metrics fairly low and hardly moving, it looks like the FTTC connection is 'fixed' for now.

    The profile is "17a" with bandwidth capped at 80/20Mbps (down/up).

    The fix took several weeks and two routers (I haven't had a returns number from the ISP for the first one yet!) and many hours, and three engineer site visits. Eeek.

    2019-07-02: Trouble at t'Mill?

    The 5G WiFi seems to have gone off-line and attempts to scan for adjacent APs seem to hang the Web interface.

    "System Up Time" is reported as 1136:20:23, and VDSL2/PPPoE uptime as 773:02:46.

    Time to try a reboot...

    Yes, after rebooting, 5G is back, and "AP Discovery" does not hang... So this router will need babysitting, just as the Technicolor did. Bah!

    2019-11-04: Upgrade?

    I just took an 'upgrade' to version 3.9.1.2_BT.

    However, the device is now extremely unstable and I can barely even log into it over WiFi. Connectivity has been up and down many times in the few hours since the upgrade. It has been necessary to power cycle the device at least a couple of times by 3pm today to get even admin access to it.

    Even the auto-logout feature of the admin console seems broken!

    2019-12-14: Upgrade II

    Now attempting upgrade to 3.9.1.3_BT. (Current version: 779517/773F01, 77B507/775401; upgrade version: 779517/773F01, 77B507/775401.)

    After the upgrade the dashboard shows Firmware Version | 3.9.1.3_BT with Build Date/Time | Oct 18 2019 11:45:17, and DSL Version | 779517_A/B/C HW: A.

    I have taken a config backup. It is opaque binary, which is unhelpful. (I have also kept a safe copy of the firmware binary.)

    2019-12-29: seems to be working fairly reliably so far. Far fewer drop-outs as seen by my site-monitoring service for example.

    2020-08-08: Unstable

    It's probably better than the TG582n, but bits of functionality fall over requiring manual intervention at least about weekly. Not all require power cycling (I can log into the Web interface and usually cycle individual WiFi frequencies, or more dramatically request a reboot). But it's sad for a fairly upmarket bit of equipment to be this flaky.

    Maybe worst is that a laptop we were using for working from home with until very recently had difficulty maintaining a (2.3GHz) WiFi connection. That caused a lot of annoyance when using cloud services such as Google Drive and Office 365.

    No newer firmware seems to be available. 3.9.1.3_BT seems to be the latest.

    2020-10-11: Struggling?

    Vigor2862ac DSL tones graph 20201011 connection has been dropping repeatedly for a while

    I have needed to cycle 5G and/or reboot the Vigor periodically, so there's still clearly some software nasties in there.

    We have had a fairly unstable FTTC/DSL connection for many days and longer, with sometimes several dropouts of service (of maybe up to a minute each) in a row.

    Looking at the Vigor DSL status shows connection drops and training. This may currently be more a feature of a poor physical connection and some unusually wet weather mixed in (eg causing a first-time-ever leak in our shed too) than the Vigor's fault.

    When I went for my daily lockdown walk, near the house were a couple of parked BT Openreach vans. The engineers were there to fix broadband for a house nearby, from failing aluminium cables. They were not aware of any larger problem. (The fixee and I connect to the same cabinet; maybe if their modem is not having to shout any more, our connection may get better too?*)

    It remains disappointing that a relatively expensive bit of kit has enough internal flaws that this is not the only annoyance...

    (*Though the connection stayed up for many hours, maybe 12 or more while I was watching, when I checked the next morning it was in the process of retraining, and appears to have been up and down all night.)

    2020-10-13: Line Fault?

    I reported the problems to my ISP, and when their support chap looked at the Radius server he exclaimed! I believe that he saw maybe 20 line drops per day (or ~120 over a week), with the last few timings lining up with what I'd observed. So there's no attempt to claim that I'm making it all up!

    The latest communication from the ISP includes:

    ... our next best step would be to go for a replacement router in which case I'll need to refer this to the Provisioning Team to arrange. The testing on the line is picking up a fault either close to or internal to the premises ...

    I'm not inclined to believe that it really is a router fault. More like that dodgy line splice 50m up the line from us. But I don't know.

    I also took the opportunity to wiggle the RJ45 cable (router to BT master box) fairly thoroughly at both ends to try and ensure good connections. Equivalent to a strategic "engineer's thump" AKA "percussive maintenance".

    I really don't want to have to do another "How To" soon!

    2020-10-14: Wiggle Power?

    Likely unconnected to wiggling, etc, but as of 7pm BST the connection has been up for over 31 hours.

    The connection may have been poor for some of that time (I experienced very bad audio in a Meet call 24h ago for a while for example), but it has been up.

    (The connection did drop at least briefly, at least once, overnight before 2am on the 15th, though not long enough to trigger site monitoring alerts.)

    (The connection has now — 16th 7am BST — been up for 29h25.)

    (As of 17th ~8am BST the connection is being reported as up for 5h38, implying a restart ~01:30Z.)

    (As of 18th ~10am BST the connection is being reported as up for 31h15.)

    2020-10-19: Stuck?

    20201019 stuck in strange mode

    I went to check link uptime this morning and firstly WiFi dropped out (and 5G didn't come back) more or less as soon as I connected.

    Then the display changed to a cut-down sub-display with no means to escape (logout was not functional, browser reload did nothing).

    So I had to power cycle the box. Not good.

    It is possible that NoScript was interfering in some way. All is back now.

    Having seen this happen again during a Firefox upgrade, with the router behaving sensibly when logged into from a separate browser, I'd say the problem is more likely some state lost in the Firefox restart which was not possible for me to recover from. This may be compounded by NoScript interaction.

    In any case, it is unfortunate behaviour that could and should be avoided.

    (As of the evening of the 23rd, uptime of 108h is being shown.)

    (As of the morning of the 25th, uptime of 8h22 is being shown.)

    2021-03-25: Still Flaky

    The router still seems to be very unreliable, given its spec and price.

    To the extent that I wonder if it is being deliberately attacked somehow. I think I had that happen a long time back, over 20 years ago, with a borrowed router that could be (and apparently was) downed remotely without any credentials.

    2022-09-19: Daily Boot

    At the moment I have the router rebooting (basically) daily at a quiet time. Also, to attempt to save a little energy and help keep it working nicely, I have the 5GHz WiFi disabled overnight and otherwise running at reduced TX power.

    2024-10-07: Router Patch

    This DrayTek router was open to remote hijacking so I updated it from 3.9.1.3_BT to 3.9.9.7_STD.

    I made a couple of other tiny tweaks such as pointing the router at the new name for our NTP server, and changing its regular reboot time to be marginally less annoying.

    I have captured the firmware ZIP and new config in my system repository, which means that there are copies on my laptop and server.