Showing posts with label AC-910C. Show all posts

Saturday, 27 January 2018

Router setup summary

Over time we've enabled and disabled various functionality on our internet router (a DrayTek Vigor 2860ac running firmware 3.8.6_BT), so here's a summary of what's what and why:

WANs

We have BT Infinity 1 FTTC as our primary WAN connection, with a cellular modem on the EE 4G network set up as a failover connection.


The setup for BT Infinity requires little configuration. Leave the DSL mode as Auto and the Modem Code as Default. Set the Active Mode to Always On, and check the Load Balance box. For BT Infinity you must enable VLAN tagging in the VDSL2 Service cell of the table, with the Tag Value set to 101 and the Priority to 0.


The setup for the cellular modem is focused on the failover mode. Set Active Mode to Failover, uncheck the Load Balance box, and set the failover trigger to WAN Failure. Set the Active When option to Any, and ensure that at least WAN1 is checked.


Internet access via the WAN connections requires BT Infinity to be set up as PPPoE/PPPoA, and the cellular modem to be set up in DHCP mode.


Internet Access configuration for BT Infinity is minimal: just set the Username to bthomehub@btbroadband.com and the MTU to 1492 (the 1500-byte Ethernet MTU less the 8-byte PPPoE overhead).


Internet access via the cellular modem is also straightforward. We're using the EE network, so just set the APN Name to everywhere.


LAN


We have the router set up with IPv6 disabled, and located at IPv4 address 192.168.1.1. We only use the 192.168.1.x address space, so the subnet mask is set to 255.255.255.0. The router hosts a DHCP server, but addresses 192.168.1.2 through to 192.168.1.149 are reserved for manual allocation. The DHCP server leases addresses for 1 day (86400 seconds), and periodically clears the leases of inactive devices. No DNS servers are specified, so the ones handed out by the active WAN connection are used.


Manually allocated IP addresses are bound to device MAC addresses. We do not use strict binding (where a device whose MAC address isn't in the list is refused an address), as it would be a pain to have to register friends' and family's devices every time they visited or changed. Note that IP-to-MAC binding is an addressing convenience, not an access control: a MAC address is trivially spoofed, so the WPA2 pre-shared key remains the thing that actually gates access to the LAN.

WiFi

WiFi connectivity is provided by the router, as well as two additional access points. A single SSID is used at all three transceivers, on both 2.4GHz and 5GHz bands. Additionally two more SSIDs are used, but hidden, one each on each band, for devices that struggle with the single common SSID.


To minimise the possibility of interference the router is on Channel 1, whilst the two other access points are on Channel 11 (to enable the WDS bridge), and all access points are set up in Mixed Mode with 20MHz channels.


Each SSID is secured with WPA2 only (no WPA fallback), using a Pre-Shared Key (PSK).


WiFi Protected Setup (WPS), the push-button and PIN provisioning scheme layered on top of WPA2, is disabled due to known vulnerabilities: the 8-digit PIN is validated in two halves, so an attacker in radio range can brute-force it in a few thousand attempts and recover the PSK.


In order to promote the use of the 5GHz band, and so maximise the bandwidth available for the WDS wireless link from the house to the workshop, Band Steering is enabled. When the access points detect a device trying to simultaneously connect to the common SSID on both the 2.4GHz and 5GHz bands, the device is deliberately stopped from joining 2.4GHz for 15 seconds, by which time it should have connected to the 5GHz band.


The setup for the 5GHz band is similar to the 2.4GHz band.


As the 20MHz channels in the 5GHz band do not overlap with each other, the router uses Channel 36, whilst the other access points use Channels 40 and 44. These are in the A-Lower (5150-5250MHz) band, so Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC) do not apply.


Security on the 5GHz band is setup the same as the 2.4GHz band, and WPS is also disabled on the 5GHz band.
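The WPA2-only and WPS-disabled settings above are made in the router GUI; the following script, added here as an example (it is not from the original post or DrayTek), verifies both from the air by parsing a captured beacon's tagged parameters. It uses only the public IEEE 802.11 RSN element (id 48), the WPA1 vendor element (OUI 00-50-F2 type 1) and the WPS vendor element (OUI 00-50-F2 type 4). HARDENED and LEGACY are constructed beacon element blobs for the offline test, not captures; feed the tagged-parameter bytes of a real beacon from your own AP to audit_beacon().

```python
"""Audit a Wi-Fi beacon's information elements for WPA2-only PSK and WPS-off.

Added example, not from the original post or DrayTek. HARDENED and LEGACY are
constructed beacon element blobs, not captures.
"""
import struct

OUI_MS = b"\x00\x50\xf2"    # WPA1 (type 1) and WPS (type 4) vendor-specific elements
OUI_IEEE = b"\x00\x0f\xac"  # 802.11i cipher/AKM suite selectors
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104", 8: "GCMP"}
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}
WPS_STATE, WPS_SELECTED_REGISTRAR = 0x1044, 0x1041  # WPS attribute IDs

def iter_ies(blob):
    """Yield (element_id, payload) from a beacon's tagged-parameter area."""
    i = 0
    while i + 2 <= len(blob):
        eid, ln = blob[i], blob[i + 1]
        payload = blob[i + 2:i + 2 + ln]
        if len(payload) != ln:
            raise ValueError("truncated information element")
        yield eid, payload
        i += 2 + ln

def parse_rsn(p):
    """RSN element: version, group cipher, pairwise ciphers, AKMs (little-endian counts)."""
    version, = struct.unpack_from("<H", p, 0)
    group = CIPHERS.get(p[5], "?") if p[2:5] == OUI_IEEE else "vendor"
    npair, = struct.unpack_from("<H", p, 6)
    off = 8
    pairwise = [CIPHERS.get(p[off + 4 * k + 3], "?") for k in range(npair)]
    off += 4 * npair
    nakm, = struct.unpack_from("<H", p, off)
    off += 2
    akm = [AKMS.get(p[off + 4 * k + 3], "?") for k in range(nakm)]
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}

def parse_wps(p):
    """WPS element body after OUI/type: TLVs with big-endian 2-byte id and length."""
    attrs, i = {}, 0
    while i + 4 <= len(p):
        aid, ln = struct.unpack_from(">HH", p, i)
        attrs[aid] = p[i + 4:i + 4 + ln]
        i += 4 + ln
    return attrs

def summarise(blob):
    """Collect the security-relevant elements of one beacon into a dict."""
    out = {"rsn": None, "wpa1": False, "wps": None}
    for eid, p in iter_ies(blob):
        if eid == 48:
            out["rsn"] = parse_rsn(p)
        elif eid == 221 and p[:4] == OUI_MS + b"\x01":
            out["wpa1"] = True
        elif eid == 221 and p[:4] == OUI_MS + b"\x04":
            out["wps"] = parse_wps(p[4:])
    return out

def audit_beacon(blob):
    """Return findings; an empty list means WPA2-only with CCMP and no WPS advertised."""
    s, findings = summarise(blob), []
    if s["rsn"] is None:
        findings.append("no RSN element: open or WPA1-only network")
    elif "TKIP" in s["rsn"]["pairwise"] or s["rsn"]["group"] == "TKIP":
        findings.append("TKIP enabled (WPA2 mixed mode)")
    if s["wpa1"]:
        findings.append("WPA1 vendor element present (WPA/WPA2 mixed mode)")
    if s["wps"] is not None:
        state = s["wps"].get(WPS_STATE, b"\x00")[0]
        findings.append(f"WPS element advertised (setup state {state}): WPS not disabled")
        if s["wps"].get(WPS_SELECTED_REGISTRAR) == b"\x01":
            findings.append("WPS Selected Registrar set: PIN/PBC enrolment currently active")
    return findings

# --- constructed sample beacons for the test (not captures) ---
def ie(eid, payload):
    return bytes([eid, len(payload)]) + payload

def rsn_ie(group, pairwise, akms):
    body = struct.pack("<H", 1) + OUI_IEEE + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI_IEEE + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(OUI_IEEE + bytes([a]) for a in akms)
    return ie(48, body + struct.pack("<H", 0))  # trailing RSN capabilities field

def wps_ie(attrs):
    tlvs = b"".join(struct.pack(">HH", k, len(v)) + v for k, v in attrs.items())
    return ie(221, OUI_MS + b"\x04" + tlvs)

HARDENED = ie(0, b"home") + rsn_ie(4, [4], [2])  # WPA2-PSK, CCMP only, no WPS element
LEGACY = (ie(0, b"home") + ie(221, OUI_MS + b"\x01" + struct.pack("<H", 1))  # WPA1 element
          + rsn_ie(2, [2, 4], [2])                                            # TKIP group, TKIP+CCMP pairwise
          + wps_ie({0x104A: b"\x10", WPS_STATE: b"\x02", WPS_SELECTED_REGISTRAR: b"\x01"}))

if __name__ == "__main__":
    for name, blob in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(name, audit_beacon(blob) or ["ok"])
```

An AP with WPS switched off normally omits the WPS element altogether, so its mere presence is reported; the Selected Registrar attribute is the stronger signal, as it means an enrolment window is open right now. The RSN check flags TKIP because a mixed WPA/WPA2 SSID lets a client negotiate down to the weaker cipher.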

Hardware Acceleration

We do not use hardware acceleration, so that all traffic passes through the Data Flow Monitor and Traffic Graphs.


UPnP

Universal Plug and Play (UPnP) is disabled. It is insecure by design: any device on the LAN, including malware running on one, can ask the router without any authentication to open inbound port forwards through the firewall so that it can be reached by external servers.
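Disabling UPnP in the GUI is only half the job; the check that the setting took is to ask the LAN for a UPnP Internet Gateway Device and get silence. The script below is an added example (not from the original post or DrayTek) that does exactly that with plain SSDP: an M-SEARCH multicast to 239.255.255.250:1900 and parsing of any unicast replies. A gateway that still answers will also accept the unauthenticated WANIPConnection AddPortMapping action from any LAN host, which is the behaviour the setting above removes. SAMPLE_REPLY is constructed for the offline test, with a made-up address and description path; discover() really sends on the network when the file is run as a script.

```python
"""Check from the LAN whether the gateway still answers UPnP/SSDP discovery.

Added example, not from the original post or DrayTek. SAMPLE_REPLY is a
constructed reply for the offline test.
"""
import socket

SSDP_GROUP = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

def build_msearch(st=IGD_ST, mx=2):
    """SSDP M-SEARCH request bytes: HTTP-style header, CRLF endings, blank-line terminator."""
    lines = ["M-SEARCH * HTTP/1.1",
             f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}",
             'MAN: "ssdp:discover"',
             f"MX: {mx}",
             f"ST: {st}",
             "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_ssdp_reply(data):
    """Return lower-cased headers of a unicast '200 OK' reply, or None for anything else."""
    text = data.decode("utf-8", "replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    return headers

def igd_findings(replies):
    """From [(source_ip, headers)], report every responder advertising an Internet Gateway Device."""
    findings = []
    for ip, h in replies:
        if h and "internetgatewaydevice" in h.get("st", "").lower():
            findings.append(f"{ip}: UPnP IGD enabled, device description at {h.get('location', '?')}")
    return findings

def discover(timeout=3.0):
    """Multicast one M-SEARCH and collect unicast replies until the timeout (needs the LAN)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(build_msearch(), SSDP_GROUP)
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            replies.append((ip, parse_ssdp_reply(data)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies

# Constructed reply in the shape an IGD sends; the address, path and UUID are made up.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\n"
                b"CACHE-CONTROL: max-age=1800\r\n"
                b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
                b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                b"USN: uuid:00000000-0000-0000-0000-000000000000::"
                b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                b"\r\n")

if __name__ == "__main__":
    found = igd_findings(discover())
    print("\n".join(found) if found else "no IGD answered M-SEARCH: UPnP appears disabled")
```

Run it from a wired or wireless client on the LAN, not from the router; silence within the timeout is the expected result. The ST filter is deliberately the IGD type rather than ssdp:all, so media players and smart TVs that speak UPnP for other reasons are not reported as findings.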


IGMP

The BT TV YouView PVR uses a combination of the terrestrial aerial to receive FreeView channels and IPTV to stream the other channels via Infinity. This means the PVR needs to be able to join IP multicast groups, so the IGMP proxy must be enabled. Additionally, to avoid swamping the WiFi with multicast packets, IGMP Snooping and IGMP Fast Leave should be enabled.


Dynamic DNS

The router is dynamically assigned an IP address for the WAN interface, so in order to enable VPN access to the LAN via the router there are two dynamic DNS entries maintained. Every 1 day (1440 minutes) the router reconfirms the WAN IP address with the dynamic DNS service.


These are provided by the free service No-IP.com, and are set up with a Domain Name, Login and Password provided by No-IP.com.
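What the router does once a day is a single authenticated HTTPS request to No-IP's update endpoint. The script below is an added example of that exchange, not the router's own DDNS code, and it exists mainly to show how a client has to treat each reply: the endpoint, parameters, HTTP Basic auth, User-Agent requirement and reply codes follow No-IP's published integration guide (https://www.noip.com/integrate/request), while USER_AGENT is an assumed value and the hostnames and addresses are made up. The `fetch` callable is injectable so the demonstration and test run offline against constructed replies.

```python
"""Dynamic DNS update against the No-IP update protocol, with reply handling.

Added example, not the router's DDNS code. USER_AGENT, hostnames and
addresses are assumed values; replies used offline are constructed.
"""
import base64
import urllib.request
from urllib.parse import urlencode

UPDATE_URL = "https://dynupdate.no-ip.com/nic/update"
USER_AGENT = "example-ddns/0.1 admin@example.com"  # assumed; No-IP wants program/version + contact

# reply code -> (update succeeded, safe to keep scheduling updates)
# 'badauth', 'nohost', 'badagent', '!donator' and 'abuse' are fatal: repeating the same
# request gets the account blocked for abuse, so the client must stop and alert instead.
REPLY_POLICY = {
    "good": (True, True), "nochg": (True, True),
    "911": (False, True),   # server-side fault: retry later, not immediately
    "nohost": (False, False), "badauth": (False, False), "badagent": (False, False),
    "!donator": (False, False), "abuse": (False, False),
}

def build_request(hostnames, username, password, myip=None):
    """Return (url, headers): GET over HTTPS with credentials in HTTP Basic auth, never in the URL."""
    if not UPDATE_URL.startswith("https://"):
        raise ValueError("refusing to send credentials over plain HTTP")
    params = {"hostname": ",".join(hostnames)}   # several hosts may be updated in one request
    if myip:
        params["myip"] = myip                     # omitted -> server uses the connection's source IP
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    headers = {"Authorization": f"Basic {token}", "User-Agent": USER_AGENT}
    return f"{UPDATE_URL}?{urlencode(params)}", headers

def interpret_reply(body):
    """Classify one reply line such as 'good 203.0.113.7', 'nochg 203.0.113.7' or 'badauth'."""
    code, _, ip = body.strip().partition(" ")
    ok, keep = REPLY_POLICY.get(code, (False, True))  # unknown reply: treat as transient
    return {"code": code, "ip": ip or None, "ok": ok, "keep_scheduling": keep}

def default_fetch(url, headers):
    """Real transport: one HTTPS GET, body returned as text."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")

def update(hostnames, username, password, myip=None, fetch=default_fetch):
    """Perform one update and return the interpreted reply."""
    url, headers = build_request(hostnames, username, password, myip)
    return interpret_reply(fetch(url, headers))

if __name__ == "__main__":
    # Offline demonstration with a constructed reply; pass fetch=default_fetch for a real update.
    print(update(["home.example.com"], "user", "secret", "203.0.113.7",
                 fetch=lambda url, headers: "good 203.0.113.7"))
```

The two things worth copying from this into any home-grown updater are that the credentials ride in the Authorization header over HTTPS rather than in the query string, and that a fatal reply stops the schedule: a client that keeps hammering the service after badauth is what earns the abuse block, and a daily reconfirm like the router's is already as frequent as an unchanged address needs.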


VPN

The router runs a VPN server so that we can connect remotely to the home network via smartphone or laptop in order to access the security cameras, or geo-locked services such as the BBC iPlayer when travelling abroad. We use the DrayTek Smart VPN Client, which has clients for the two operating systems that we use: Android and Windows.

First we will enable VPN via an SSL Tunnel.


Then add a Remote Access user account, with access via the SSL Tunnel enabled, and a 5 minute idle timeout.


If you create more than one Remote Access user account, you can individually activate and deactivate them.


When the user connects remotely this is indicated with green text, rather than red text.


More detailed stats on the connection are also available.


On a Windows PC you need to install the Smart VPN Client, and then Insert a new Profile for the router that uses the SSL Tunnel and supplies the same credentials as the Remote Access user account.


Once connected Windows sees a new virtual network connection called DraySSLTunnel.


On an Android phone the Smart VPN Client is available through the Google Play Store, and once installed is available either via the app drawer or via the VPN Settings.


As per the Windows setup, first create a Profile using the + symbol at the bottom of the screen.


 

Then pressing on the Profile connects or disconnects the phone to or from the router via the SSL Tunnel.



Wednesday, 8 November 2017

IGMP and WiFi

Since the arrival of BT TV we noticed an interesting/annoying behaviour with our WiFi. All of the non-FreeView channels are streamed to the YouView box over the internet. As mentioned in the last post, to get this to happen I needed to enable an IGMP proxy on our DrayTek Vigor 2860ac router. This lets the YouView box join the multicast group for the channel we want to watch. Initially this appeared to be all that we needed to do. However we found that when watching an HD channel delivered this way all WiFi traffic ground to a halt. Wired computers and gadgets didn't have a problem, but anything connected via WiFi would essentially see their data connection time out. The WiFi itself was still up and broadcasting, and our phones and tablets could see the signal, but with no data traffic. Switching to a streamed SD channel got the WiFi working again, so initially I thought this was a bandwidth issue, with the YouView box commandeering all the available broadband bandwidth. However according to the router's traffic graph an HD channel is only about 6.5Mbps, leaving more than enough bandwidth for other devices. And all the wired computers were able to use the internet just fine, so bandwidth wasn't the issue.

A knowledge base article from DrayTek states that only the IGMP proxy on their routers "need typically be enabled on a home network". However the router offers two optimisation settings for IGMP: Snooping (only forwarding multicast packets to LAN sockets that have devices subscribed to that multicast group) and Fast Leave (stopping forwarding multicast packets as soon as it detects there are no more multicast group subscribers). These two options "could be useful on larger networks or networks with a large quantity of IGMP packets that could limit normal LAN throughput".


I guess we have one of those networks then, although DrayTek don't specifically mention WiFi in their article. Our YouView box was already connected to a different LAN socket on the router from the other wired devices, and by enabling both IGMP Snooping and Fast Leave the ability to simultaneously watch streamed HD channels and surf the internet on our phones and tablets was restored. My best guess is that previously, when the YouView box subscribed to a multicast group, the multicast packets for that channel were sent to all connected wired and wireless devices, which swamped the WiFi. Now they're not even going to the other wired connections, let alone the wireless connections.

Sunday, 1 October 2017

WiFi Coverage - Stage 2

Today I've been playing with setting up WDS (Wireless Distribution System) on the two DrayTek VigorAP 910C access points that beam the internet to the workshop. In principle this should enable them to function both as a point-to-point link between house and workshop, and as access points for wireless devices nearby. For wireless devices in the workshop, this would mean that they could connect to the 910C in the workshop, and have that wireless traffic relayed to the 910C in the house, and then on to the router and the wider internet.

Previously I'd used two different SSIDs for the networks on the 2.4GHz and 5GHz bands, as I found it useful to know which band a device was connecting on. But the DrayTek website makes such a big thing about keeping the configuration of the 910Cs exactly the same, even down to the wireless channel they're using, that I decided to set up all of the SSIDs and pre-shared keys on each 910C the same. This would also enable them and the Vigor 2860ac router to use band steering, and bump any capable wireless devices onto the 5GHz band automatically. This in turn would keep the 2.4GHz band as clear as possible, which should all help with the bandwidth of the point-to-point link with the workshop, which is only in the 2.4GHz band.

Setting up the 910Cs for WDS was fairly straightforward in the end. After setting the Operational Mode to AP Bridge - WDS, the settings and rules used for Point-to-Point mode transferred over. But whereas previously wireless devices at the workshop couldn't see an access point, they can now. Unfortunately it doesn't appear that in WDS mode the 910C can internally route traffic from wireless devices connected on the 5GHz band to the 2.4GHz WDS link, any more than it could in point-to-point mode. So there's still a hole in my WiFi coverage at the workshop, in the 5GHz band. Looks like that trench is inevitable.

Friday, 22 September 2017

WiFi Coverage - Stage 1

The WiFi coverage through the house has never been particularly great, probably due to all the internal walls being brick, rather than wood and plasterboard. The broadband router and WiFi access point is in the hallway, near the telephone socket, probably just like in a lot of homes. Unfortunately this puts it in between two brick walls that neatly divide the house in half, one of which also incorporates the chimney. The signal strength in the hall is superb, but by the time you get a room away it has dropped off noticeably, and it has completely gone by the patio. When we moved in a few years ago this wasn't a huge issue, but the number of wirelessly connected devices has slowly increased, as have my expectations. Additionally I'm spending more time in my man cave in the workshop, 30 metres or so up the hill from the house. Initially I used some powerline adaptors to serve up internet access from the router in the hallway to the workshop. But the combination of additional RCBs, 30 metres of cable and a second consumer unit meant that the powerline adaptors struggled to both maintain a connection and provide sufficient bandwidth. So a temporary fix was to run a very long network cable through the garden alongside the satellite TV cable, until I get around to digging that trench I was talking about several years ago.

The over-winter fix is the addition of a point to point wireless link, using a couple of WiFi access points, one in the house and one in the workshop. As well as providing internet to the workshop, they should also function as standard access points, eliminating the coverage blackspots in the house and garden. As we have a DrayTek Vigor 2860 router, I ordered a pair of DrayTek VigorAP 910C ceiling/wall mount access points, which would allow me to manage all three items from a single dashboard, and not have to log into each one individually to make any changes. I've been pretty happy with the 2860 router which, whilst being pretty expensive and not having the most intuitive user interface, has been very reliable, gets regular firmware updates from DrayTek, has got the most out of our broadband, and has a wealth of functionality. For example, when (if?!) fibre broadband arrives in our corner of Ironbridge the support for it is already built in.


When the VigorAP 910C access points arrived, the first thing I did was read the MAC addresses off the labels, and add them to the router's IP binding table, so I'd know which IP address they were using if I ever needed to configure them individually. Then once the access points were plugged in, I opened up the router's management web page and opened up the Central Management section. The two 910Cs were automatically recognised and listed in the status table. The next thing to do is give the access points friendly names, so that you don't have to remember which access point is using which IP address.


The status table also stated that both access points were sent to me with v1.2.0 firmware, the last critical firmware update, but the DrayTek support website was showing a v1.2.1 regular update with a couple of new features and improvements, so I updated both access points as a matter of course. Using the 2860 router's central management feature, you can update multiple access points in one go.


You can also set up a WLAN Profile, which is essentially a template configuration for an access point, which you can then push to all the access points in one go. By doing this I ensured that finger trouble didn't mean that I ended up with different configurations at either end of my wireless link, and things like SSIDs and pre-shared keys were the same everywhere.


Anything you can configure on the access point itself, you can set up in the profile. It would be nice if you could duplicate the wireless settings from the router itself to the access points, but as far as I can see you have to copy the settings over to a template manually.

The long term plan, once that dastardly trench is dug, is to use the two 910Cs purely as access points, and have a wired link between house and workshop. So seeing as the temporary cable was in place, I first set up the access points in AP mode. This also served to demonstrate the directional antennae in the access points, unlike the router which has omni-directional antennae. The 910Cs are designed to be wall or ceiling mounted, and so focus the majority of their wireless energy to the front of them. With the workshop being up the hill from the house, I mounted the access point there on the ceiling, with a line of sight to the house. At the house I went into the loft and mounted the access point on the side of the chimney, not only facing the workshop but also the patio and garden. There's going to be some energy wasted up into the sky, but the coverage in the house has been transformed, and you now have to go into the lee of the chimney to see any drop off in signal strength.

The next step is that point-to-point link, so that the network cable can be removed from the equation. The VigorAP 910C has several operating modes, one of which is AP Bridge - Point to Point mode.


This mode is only available using the 2.4GHz band, not the 5GHz band, and in this mode the access point doesn't broadcast an SSID for other wireless clients to connect to; it simply connects to another 910C access point. There are four key configuration changes to make for this mode. 1) Both ends of the link must be set to AP Bridge - Point to Point mode. 2) Both ends of the link must have static IP addresses, and their own DHCP servers turned off. 3) Both ends of the link must be configured to use exactly the same wireless mode, channel and channel width. 4) Each end of the link must be configured with the MAC address and security settings of the other end of the link.



Essentially in this mode, any network packet arriving at a 910C is duplicated at the other 910C, and in effect they become transparent to the network. This means that when devices, such as the IP cameras and my desktop PC, boot up at the workshop they can still request IP addresses and other network configuration information from the DHCP server in the router, because every packet transmitted in the workshop is replicated in the house. Just like having a cable, which we now don't.

For the 910C in the house, I've also left the 5GHz band in regular access point mode. So wireless devices in and around the house will connect to either the router or the access point depending on which signal is stronger. At the workshop the 910C cannot internally connect the point-to-point link with the 5GHz access point, so whilst I can turn on the 5GHz access point mode at the workshop, anything that connects can only see the other devices at the workshop, not the house or the router.

When I get the time, I'm going to investigate AP Bridge - WDS (Wireless Distribution System) mode, which apparently enables the 910Cs to be access points in both the 2.4GHz and 5GHz bands, and simultaneously keep the 2.4GHz point-to-point link in place. That would allow me to connect wireless devices, as well as wired devices, to the 910C at the workshop.