AN140001 - DrayTek - DMZ - ISP router

Application Note: To configure a DrayTek 2860 router to function behind a Sky router which is providing broadband internet access. The connection between the two routers is configured as a DMZ.

Application Note Reference: AN140001-DrayTek - DMZ - ISP router
Produced by: Tony Prout - IP Product Manager, Habitech
E-mail: [email protected]
Tel: 01420 540054
Document written: 17th June 2014

This application note describes introducing and using a DrayTek router as a ‘secondary’ router, allowing the ‘primary’ router, provided by the ISP (Internet Service Provider), to remain as the internet gateway (sometimes referred to as ‘modem mode’), typically monitored and supported by the ISP. This configuration is also known as a DMZ (an internet term, Demilitarised Zone) configuration.

As we move from broadband internet connectivity environments which simply supported one or two home PCs, to an era of upsurge in IP attached devices (PCs, laptops, printers, tablets, mobile phones, televisions, video and audio devices, NAS, CCTV, remote and intelligent Wi-Fi access points, control devices, and many more), complex router configurations and complex in-house network connectivity are becoming more the norm. Relying on an ISP for the router element is no longer ideal. ISPs include Virgin Media, Sky, BT, TalkTalk, PlusNet, and many others.

This ‘primary’/‘secondary’ two router method is typically introduced where the end environment requires a more complex router configuration, or more features, than the ISP’s router provides; the ISP’s router may not be capable of, or support, some of the more complex requirements. In this dual router method the ISP’s router is reduced to little more than an ISP monitored and managed device offering a gateway to the internet via a wide area circuit, typically broadband or cable.
The benefits of using this two router method include:

- ISPs may not permit (as a condition of their service and support), and/or may charge for, non-standard or complex configurations on their standard routers.
- ISPs may use methods such as MAC Encapsulated Routing to ‘tie’ their router to the provided circuit, such that an alternate router cannot directly be used in its place.
- Many of the more basic routers provided by ISPs, each competing in a busy cost and price driven market, are limited in terms of capacity or processing power for the features they offer, such as firewalling, resulting in reduced upload/download speed. Wi-Fi capability of ISPs’ standard routers may also be limited in other than basic configurations.
- Moving between ISPs. With competing ISPs constantly offering new features, greater speeds and more competitive pricing, changing ISP is a simpler exercise if the ISP is simply providing internet access and a DMZ to a second router which provides the actual complex local configuration.
- Those installing, configuring and subsequently monitoring and maintaining these systems need immediate, secure and often remote access to the router configurations and the components they support inbound of the router, which form a key part of the services they provide.

A DMZ is introduced between the primary and secondary routers, allowing the ISP’s router to pass data packets to, and receive data packets from, the secondary (DrayTek in this case) router. The DrayTek router now assumes functions previously performed by the ISP router, such as firewalling and communicating with the devices on the local network, either wired or wireless.

This application note assumes that an existing, proven, stable ISP router and internet connection exists.

This application note is a guide for individuals who are conversant with internet access elements such as routers, cables and IP addresses. It is not written for ‘first time users’.
Connect a laptop (with an appropriately configured Ethernet adapter, i.e. set to “obtain IP address automatically”) using an RJ45 cable to a LAN port on the 2860 router. A DrayTek v2860 ADSL/VDSL/3G Router, Code: DRA-V2860, is used in this application note.

The 2860 can be accessed via its default IP address, 192.168.1.1, entered in the laptop’s browser (for example: Internet Explorer). This will produce the DrayTek Login panel (below); the default Username and default Password are both ‘admin’ (lower case).

Logging in will produce the ‘Dashboard’, a starting panel for all activities on the 2860. In this example, the laptop is connected to LAN (port) 6 on the router, and port 6 shows as ‘lighted/green’ on areas of the dashboard display.

At the top left of the dashboard is a dropdown, ‘Auto Logout’ by default, which can be changed to ‘Off’, ‘1 min’, ‘3 min’ etc.; this can help avoid being logged out part way through a sequence of commands.

STEP ONE – CONFIGURE 2860 WAN PORT TO NETWORK OF ISP ROUTER

This example assumes the ISP LAN is IP network 192.168.0.1/24, which is the Sky default (each ISP has its own default IP settings).

The 2860 has four WAN ports: WAN1 is ADSL/VDSL, WAN2 is Ethernet, WAN3 and WAN4 are USB. The 2860 is to be connected to the ISP router using RJ45, from 2860 port WAN2 (Ethernet), thus 2860 WAN2 needs to obtain an address in the ISP LAN 192.168.0.1/24.

Choose ‘WAN’ in the list in the vertical bar on the left side of the ‘Dashboard’, and then choose ‘Internet Access’ from the options. From the panel now within the main area of the display, select WAN2 (the port to be used in this configuration), and from the drop down options, select ‘Static or Dynamic IP’. The WAN2 ‘Details Page’ button will now become highlighted. Select the WAN2 ‘Details Page’ button. This produces the panel which follows.
Highlight ‘Enable’, highlight ‘Obtain IP Address Automatically’, and enter ‘Router Name’ (IP of ISP’s router, 192.168.0.1 in this instance). Select ‘OK’.

The DrayTek should soon acquire an IP address (from the ISP router’s DHCP range) on WAN2, as shown in the screen shot below. In this example 192.168.0.2 has been acquired. Note also the MAC address of WAN2 (00-1D-AA-B4-B5-4A in this instance).

The hardware environment built should now be similar to that shown in the diagram below.

The laptop attached to the 2860 will now be able to access the ISP’s router (via the newly created interconnection) to progress configuring the DMZ interconnection.

The Windows Command Prompt display below checks the connectivity set up in this application note. The Windows laptop is connected as per the diagram, and a ping to 192.168.0.1 (the Sky router, via the DrayTek) is successful. Likewise a tracert (traceroute) shows the DrayTek Vigor router and then the Sky router.

STEP TWO – RESERVE IP ADDRESS FOR DRAYTEK ROUTER ON THE ISP ROUTER

Open a second laptop browser and enter the default IP address of the ISP’s router (192.168.0.1, if Sky, as per this example).

Login will produce the Sky router ‘Status Summary’ display as shown below, in this instance showing that a connected device, Cabled, exists. This is the DrayTek 2860. The Sky router (in this test environment) is not connected to a broadband service, and thus has a status of ‘disconnected’.

Selecting any option on the Summary Status panel (such as SETUP, SECURITY, MAINTENANCE or ADVANCED in the top bar, or any of the options in the right side column, from Change Router Password down to Reboot Router) will require a User name/Password, entered into the following display.
The default User name is admin, the default Password is sky.

Having entered a valid User name and password, select MAINTENANCE, and then ROUTER STATUS, which will show a more detailed version of the Summary Status. Of interest are the ADSL Port, Network Type, which shows as MER/PPPoA, and the LAN Port, MAC Address, which will be unique per Sky router (7c:03:4c:9d:0d:8c in this instance).

MER/PPPoA refers to MAC Encapsulated Routing (MER), which means that Sky have tied the MAC address of this router to the IP address they provide on the WAN (broadband/internet) link, such that only a Sky provided router can be used on their internet link.

However, as per this application note, setting up a DMZ from the Sky router, via a direct RJ45 cable connection into a DrayTek router, with associated configuration, allows the Sky router to pass data to and receive data from the DrayTek router, such that the DrayTek router can provide the major functions on the LAN with the Sky router acting as little more than an interface to the broadband/internet.

Select the ADVANCED option from the top bar, and then select the LAN IP SETUP option, which produces a display as follows.

In the ‘Address Reservation’ area, select ‘ADD’. This produces the following display, which shows 192.168.0.2 (the DrayTek router’s connection to the Sky router).

Highlight the radio button for the device you wish to reserve (a choice of one in this example); this produces the following display.

Selecting ‘APPLY’ will complete this step. This step reserves this IP address for the MAC of the DrayTek router’s WAN2, such that this IP address will always be allocated to the DrayTek (even after restarts, power off/on type events).
STEP THREE – CONFIGURE DMZ ON ISP ROUTER

The DrayTek router can now be set as the Default DMZ Server for the Sky router.

Select the ADVANCED option from the top bar, and then select the WAN SETUP option, which produces a display as follows.

Select (tick) the Default DMZ Server box and add the IP address (192.168.0.2 in this example), and enter 1500 in the ‘MTU Size (in bytes):’ field.

Note: The MTU Size is blank by default, but a message panel ‘MTU value can not be blank’ appears. Enter 1500, consistent with the setting in other areas of the router configuration.

The two routers are now configured as per the objective of this application note, “To configure a DrayTek 2860 router to function behind a Sky router which is providing broadband internet access. The connection between the two routers is configured as a DMZ.”

It is likely, in this two router environment, that the wireless/Wi-Fi facility of the ISP router would be disabled/turned off, and the wireless/Wi-Fi facility of the DrayTek router used. This avoids potential clashes/overlaps.

It is also likely, in the complex in-house connectivity which may exist, that wireless/Wi-Fi is not provided directly by either of the two routers, but via a dedicated high specification access point system such as Ruckus.

The RJ45 LAN ports of the ISP’s router which are not used in the DMZ configuration (i.e. those not connected to the DrayTek) will still be available for use from the ISP router. In the event of apparent internet access problems, a network device, such as a laptop, RJ45 connected to one of these ports on the ISP router could be used to identify whether the perceived problem is at ISP level or within the local network, i.e. the environment supported from the DrayTek.
This could be seen as a check similar to the ISP asking whether there is telephone dial tone on a circuit where broadband/ADSL problems are being experienced.

Check and test to ensure all expected and previously available wired and wireless/Wi-Fi connectivity and services continue to be available via the new two router environment before subsequent changes or additions are made.
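
The connectivity check described in this note (a tracert from the laptop showing the DrayTek and then the Sky router) can be scripted together with a check of the addressing plan. The following is an added example, not part of the original application note: the function names are hypothetical, the sample tracert text is constructed, and the /24 mask on the 2860 LAN is an assumption.

```python
import ipaddress
import re

# Addresses in the notation used by this application note (hence strict=False below).
DRAYTEK_GW = "192.168.1.1"       # 2860 default LAN address
DRAYTEK_LAN = "192.168.1.1/24"   # assumption: the note does not state the 2860 LAN mask
ISP_GW = "192.168.0.1"           # Sky router
ISP_LAN = "192.168.0.1/24"       # Sky default LAN
DMZ_HOST = "192.168.0.2"         # 2860 WAN2 address reserved on the Sky router

# Constructed sample of Windows `tracert -d 192.168.0.1` output (not captured from a device).
SAMPLE_TRACERT = """\
Tracing route to 192.168.0.1 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     1 ms     1 ms     1 ms  192.168.0.1
"""

def parse_hops(text):
    """Return one entry per hop line: the responding IPv4 address, or None on timeout."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)
        if m:
            ips = re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", m.group(2))
            hops.append(ips[-1] if ips else None)
    return hops

def check_path(text, lan_gw=DRAYTEK_GW, isp_gw=ISP_GW):
    """Problems with the path; an empty list means DrayTek first, then the ISP router."""
    hops, problems = parse_hops(text), []
    if not hops or hops[0] != lan_gw:
        problems.append("first hop is not the DrayTek LAN address")
    if isp_gw not in hops:
        problems.append("ISP router never answered")
    elif hops.index(isp_gw) != 1:
        problems.append("ISP router is not the hop directly after the DrayTek")
    return problems

def check_plan(lan=DRAYTEK_LAN, isp_lan=ISP_LAN, dmz=DMZ_HOST, isp_gw=ISP_GW):
    """Problems with the addressing plan; an empty list means it matches the note."""
    lan_net, isp_net = (ipaddress.ip_network(n, strict=False) for n in (lan, isp_lan))
    dmz_ip, problems = ipaddress.ip_address(dmz), []
    if lan_net.overlaps(isp_net):
        problems.append("DrayTek LAN overlaps the ISP LAN")
    if dmz_ip not in isp_net:
        problems.append("DMZ address is outside the ISP LAN")
    if dmz_ip == ipaddress.ip_address(isp_gw):
        problems.append("DMZ address is the ISP router itself")
    return problems
```

Passing the text of a real `tracert -d 192.168.0.1` run from the laptop to check_path applies the same check to a live installation; a laptop plugged directly into the Sky router, or a timed-out second hop, is reported as a problem.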