AN140001 - DrayTek - DMZ - ISP router

Application Note: To configure a DrayTek 2860 router to function behind a Sky router which is providing broadband
internet access. The connection between the two routers is configured as a DMZ.
Application Note Reference: AN140001-DrayTek - DMZ - ISP router
Produced by:
Tony Prout - IP Product Manager, Habitech
E-mail: [email protected]
Tel: 01420 540054
Document written: 17th June 2014
This application note describes introducing and using a DrayTek router as a ‘secondary’ router,
allowing the ‘primary’ router, provided by the ISP (Internet Service Provider) to remain as the
internet gateway (sometimes referred to as ‘modem mode’), typically monitored and supported by
the ISP. This configuration is also known as a DMZ (an internet term, Demilitarised Zone)
configuration.
As we move from broadband internet connectivity environments which simply supported one or two
home PCs, to an era of upsurge in IP attached devices (PCs, laptops, printers, tablets, mobile phones,
televisions, video and audio devices, NAS, CCTV, remote and intelligent Wi-Fi access points, control
devices, and many more), complex router configurations and complex in-house network connectivity
are becoming more the norm. Relying on an ISP for the router element is no longer ideal.
ISPs include Virgin Media, Sky, BT, TalkTalk, PlusNet, and many others. This ‘primary’/‘secondary’
two router method would typically be introduced where the end environment requires a more
complex router configuration, or more features, than the ISP’s router provides; the ISP’s router may
not be capable of, or may not support, some of the more complex requirements. In this dual router
method the ISP’s router is reduced to little more than an ISP monitored and managed device offering a
gateway to the internet via a wide area circuit, typically broadband or cable.
The benefits of using this two router method include:
ISPs may not permit (as a condition of their service and support), and/or may charge for,
non-standard or complex configurations on their standard routers. ISPs may use methods such as MAC
Encapsulated Routing to ‘tie’ their router to the provided circuit, such that an alternate router
cannot be used directly in its place.
Many of the more basic routers provided by ISPs, each competing in a busy cost and price driven
market, are limited in capacity or processing power for features such as firewalling, which
reduces upload/download speed. The Wi-Fi capability of ISPs’ standard routers may
also be limited in anything other than basic configurations.
Moving between ISPs. With competing ISPs constantly offering new features, greater speeds and
more competitive pricing, changing ISP is a simpler exercise if the ISP simply provides internet
access and a DMZ to a second router, which holds the actual complex local configuration.
Those installing, configuring and subsequently monitoring and maintaining these systems need
immediate, secure and often remote access to the router configurations and to the components they
support inbound of the router, which form a key part of the services they provide.
A DMZ is introduced between the primary and secondary routers, allowing the ISP’s router to pass
data packets to, and receive data packets from, the secondary (DrayTek in this case) router. The
DrayTek router now assumes functions previously performed by the ISP router, such as
firewalling and communicating with the devices on the local network, either wired or wireless.
This application note assumes that an existing, proven, stable ISP router and internet connection
exists. This application note is a guide for individuals who are conversant with internet access
elements such as routers, cables and IP addresses. This application note is not written for ‘first time
users’.
Connect laptop (with appropriately configured Ethernet adapter, i.e. set to “obtain IP address
automatically”) using RJ45 cable to a LAN port on the 2860 router. A DrayTek v2860 ADSL/VDSL/3G
Router, Code: DRA-V2860 is used in this application note.
The 2860 can be accessed via its default IP address, 192.168.1.1, entered in the laptop’s browser (for
example: Internet Explorer).
This will produce the DrayTek Login panel (below). The default Username and default Password are
both ‘admin’ (lower case).
Logging in will produce the ‘Dashboard’, a starting panel for all activities on the 2860.
In this example, the laptop is connected to LAN (port) 6 on the router, and port 6 shows ‘lighted/green’
on areas of the dashboard display. At the top left of the dashboard is a dropdown which defaults to ‘Auto
Logout’. This can be changed to ‘Off’, ‘1 min’, ‘3 min’ etc., which can help to avoid being logged out
part way through a sequence of commands.
STEP ONE – CONFIGURE 2860 WAN PORT TO NETWORK OF ISP ROUTER
This example assumes the ISP LAN is IP network 192.168.0.1/24, which is the Sky default (each ISP
has their default IP settings).
The 2860 has four WAN ports, WAN1 is ADSL/VDSL, WAN2 is Ethernet, WAN3 and WAN4 are USB.
The 2860 is to be connected to the ISP router using RJ45, from 2860 port WAN2 (Ethernet), thus
2860 WAN2 needs to obtain an address in the ISP LAN 192.168.0.1/24.
Choose ‘WAN’ in the list in the vertical bar on the left side of the ‘Dashboard’, and then choose
‘Internet Access’ from the options.
From the panel now within the main area of the display, select WAN2 (the port to be used in this
configuration), and from the drop down options, select ‘Static or Dynamic IP’.
The WAN2 ‘Details Page’ button will now become highlighted. Select this button, which produces
the panel which follows.
Highlight ‘Enable’, highlight ‘Obtain IP Address Automatically’, and enter ‘Router Name’ (IP of ISP’s
router, 192.168.0.1 in this instance). Select ‘OK’.
The DrayTek should soon acquire an IP address (from the ISP router’s DHCP range) on WAN2, as
shown in the screen shot below. In this example 192.168.0.2 has been acquired. Note also the MAC
address of WAN2 (00-1D-AA-B4-B5-4A in this instance).
The hardware environment built should now be similar to that shown in the diagram below.
The laptop attached to the 2860 will now be able to access the ISP’s router (via the newly created
interconnection) to progress configuring the DMZ interconnection.
The Windows Command Prompt display below checks the connectivity set up in this application
note. The Windows laptop is connected as per the diagram, and a ping to 192.168.0.1 (the Sky
router, via the DrayTek) is successful. Likewise a tracert (traceroute) shows the DrayTek Vigor router
and then the Sky router.
STEP TWO – RESERVE IP ADDRESS FOR DRAYTEK ROUTER ON THE ISP ROUTER
Open a second laptop browser and enter the default IP address of the ISP’s router (192.168.0.1, if
Sky, as per this example).
Logging in will produce the Sky router ‘Status Summary’ display as shown below, in this instance showing
that a connected device, Cabled, exists. This is the DrayTek 2860. The Sky router (in this test
environment) is not connected to a broadband service, and thus has a status of ‘disconnected’.
Selecting any option on the Summary Status panel (such as SETUP, SECURITY, MAINTENANCE or ADVANCED
in the top bar, or any of the options in the right side column, from Change Router Password down to
Reboot Router) will require a User name/Password, entered into the following display.
The default User name is admin, the default Password is sky.
Having entered a valid User name and password, select MAINTENANCE, and then ROUTER
STATUS, which will show a more detailed version of the Summary Status. Of interest are the ADSL
Port Network Type, which shows as MER/PPPoA, and the LAN Port MAC Address, which will be
unique per Sky router (7c:03:4c:9d:0d:8c in this instance).
MER/PPPoA refers to MAC Encapsulated Routing (MER), which means that Sky have tied the MAC
address of this router to the IP address they provide on the WAN (broadband/internet) link, such
that only a Sky provided router can be used on their internet link.
However, as per this application note, setting up a DMZ from the Sky router, via a direct RJ45
cable connection into a DrayTek router with associated configuration, allows the Sky router to pass
data to and receive data from the DrayTek router, such that the DrayTek router can provide the major
functions on the LAN with the Sky router acting as little more than an interface to the broadband/internet.
Select the ADVANCED option from the top bar, and then select the LAN IP SETUP option, which
produces a display as follows.
In the ‘Address Reservation’ area, select ‘ADD’. This produces the following display, which shows
192.168.0.2 (which is the DrayTek router’s connection to the Sky router).
Highlight the radio button for the device you wish to reserve (a choice of one in this example), this
produces the following display.
Selecting ‘APPLY’ will complete this step.
This step reserves this IP address for the MAC of the DrayTek router’s WAN2, such that this IP
address will always be allocated to the DrayTek (even after restarts, power off/on type events).
STEP THREE – CONFIGURE DMZ ON ISP ROUTER
The DrayTek router can now be set as a Default DMZ Server for the Sky router.
Now, select the ADVANCED option from the top bar, and then select the WAN SETUP option, which
produces a display as follows.
Select (tick) the Default DMZ Server box and add the IP address (192.168.0.2 in this example), and
enter 1500 in the MTU Size (in bytes): field.
Note: The MTU Size is blank by default, but a message panel ‘MTU value can not be blank’ appears.
Enter 1500, consistent with the setting in other areas of the router configuration.
The two routers are now configured as per the objective of this application note, “To configure a
DrayTek 2860 router to function behind a Sky router which is providing broadband internet access.
The connection between the two routers is configured as a DMZ.”.
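The three steps only work together if the values entered on the two routers agree. As an added
example (not part of the original application note, and not DrayTek or Sky code), the Python script
below checks such an addressing plan for consistency. The addresses, MAC and MTU are those used
in this note; the /24 mask on the DrayTek LAN and the colon-separated form of the reservation MAC
are assumptions.

```python
import ipaddress

def norm_mac(mac):
    """Normalise 00-1D-AA-B4-B5-4A and 00:1d:aa:b4:b5:4a to one form."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    isp = ipaddress.ip_interface(plan["isp_lan"])
    dray_lan = ipaddress.ip_interface(plan["draytek_lan"])
    wan2 = ipaddress.ip_address(plan["wan2_ip"])
    # The DrayTek routes between its LAN and WAN2, so the two subnets must differ.
    if isp.network.overlaps(dray_lan.network):
        problems.append("DrayTek LAN overlaps the ISP LAN")
    if wan2 not in isp.network:
        problems.append("WAN2 address is outside the ISP LAN")
    if wan2 == isp.ip:
        problems.append("WAN2 address collides with the ISP router")
    # Step two: the reservation must bind WAN2's MAC to WAN2's address.
    res_ip = ipaddress.ip_address(plan["reservation"]["ip"])
    if res_ip != wan2:
        problems.append("reservation IP differs from WAN2 address")
    if norm_mac(plan["reservation"]["mac"]) != norm_mac(plan["wan2_mac"]):
        problems.append("reservation MAC is not the WAN2 MAC")
    # Step three: the DMZ must point at the reserved address, with MTU 1500.
    if ipaddress.ip_address(plan["dmz_server"]) != res_ip:
        problems.append("Default DMZ Server is not the reserved address")
    if plan["mtu"] != 1500:
        problems.append("MTU is not 1500")
    return problems

# Values from this note; the DrayTek LAN /24 and the reservation MAC format are assumptions.
PLAN = {
    "isp_lan": "192.168.0.1/24",
    "draytek_lan": "192.168.1.1/24",
    "wan2_ip": "192.168.0.2",
    "wan2_mac": "00-1D-AA-B4-B5-4A",
    "reservation": {"ip": "192.168.0.2", "mac": "00:1d:aa:b4:b5:4a"},
    "dmz_server": "192.168.0.2",
    "mtu": 1500,
}

if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```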
It is likely, in this two router environment, that the wireless/Wi-Fi facility of the ISP router would be
disabled/turned off, and the wireless/Wi-Fi facility of the DrayTek router used. This avoids potential
clashes/overlaps.
It is also likely, in the complex in-house connectivity which may exist, that wireless/Wi-Fi is not
provided directly by either of the two routers, but via dedicated high specification access point
system such as Ruckus.
The RJ45 LAN ports of the ISP’s router which are not used in the DMZ configuration (i.e. those not
connected to the DrayTek) will still be available for use from the ISP router. In the event of apparent
internet access problems, a network device, such as a laptop, RJ45 connected to one of these ports
on the ISP router could be used to identify if the perceived problem was at ISP level or within the
local network, as in the environment supported from the DrayTek.
This could be seen as a check similar to the ISP asking is there telephone dial tone on a circuit where
broadband/ADSL problems are being experienced.
Check and test to ensure all expected and previously available wired and wireless/Wi-Fi connectivity
and services continue to be available via the new two router environment before subsequent
changes or additions are made.