Showing posts with label EE. Show all posts

Saturday, 27 January 2018

Router setup summary

Over time we've enabled and disabled various functionality on our internet router (a DrayTek Vigor 2860ac running firmware 3.8.6_BT), so here's a summary of what's what and why:

WANs

We have BT Infinity 1 FTTC as our primary WAN connection, with a cellular modem on the EE 4G network set up as a failover connection.


The setup for BT Infinity requires little configuration. Leave the DSL mode as Auto and Modem Code as Default. Set the Active Mode to Always On, and check the Load Balance box. For BT Infinity you should enable the VLAN tags in the VDSL2 Service cell in the table. Set the Tag Value to 101, and the Priority to 0.


The setup for the cellular modem is focused on the failover mode. Set Active Mode to Failover, uncheck the Load Balance box, and set the failover trigger to WAN Failure. Set the Active When option to Any, and ensure that at least WAN1 is checked, so the cellular link is only brought up while WAN1 (BT Infinity) is down.


Internet access via the WAN connections requires BT Infinity to be set up as PPPoE/PPPoA, and the cellular modem to be set up in DHCP mode.


Internet Access configuration for BT Infinity is minimal, just set the Username to bthomehub@btbroadband.com and the MTU to 1492.


Internet access via the cellular modem is also straightforward. We're using the EE network, so just set the APN Name to everywhere.


LAN


We have the router set up with IPv6 disabled, and located at IPv4 address 192.168.1.1. We're only using the 192.168.1.x address space, so the subnet mask is set to 255.255.255.0. The router hosts a DHCP server, but we manually allocate addresses 192.168.1.2 through to 192.168.1.149. The DHCP server leases addresses for 1 day (86400 seconds), and periodically clears the leases for inactive devices. The DNS servers are not specified, so the ones allocated by the active WAN connection are used.


Manually allocated IP addresses are bound to device MAC addresses. We do not use strict binding (where a device whose MAC address isn't in the list is refused an address), as it would be a pain to have to register friends' and family's devices every time they visited or changed. MAC binding is a convenience for stable addressing rather than a security control in any case: a MAC address is trivially spoofed, so even strict binding would not keep a determined attacker off the LAN.

WiFi

WiFi connectivity is provided by the router, as well as two additional access points. A single SSID is used at all three transceivers, on both 2.4GHz and 5GHz bands. Additionally two more SSIDs are used, but hidden, one on each band, for devices that struggle with the single common SSID. Hiding an SSID is a tidiness measure, not a security one: clients configured for a hidden network probe for it by name, and the name is visible in the association frames anyway.


To minimise the possibility of interference the router is on Channel 1, whilst the two other access points are on Channel 11 (to enable the WDS bridge), and all access points are set up in Mixed Mode with 20MHz channels.


Each SSID is secured with a Pre-Shared Key (PSK) using WPA2 only; the older WPA/TKIP mode is not offered.


WiFi Protected Setup (WPS), which is a separate provisioning mechanism rather than part of WPA2 itself, is disabled due to known vulnerabilities: the PIN method can be brute-forced offline in hours, which recovers the WPA2 PSK regardless of how strong the passphrase is.


In order to promote the use of the 5GHz band, to maximise the bandwidth available for the WDS wireless link from the house to the workshop, Band Steering is enabled. When the access points detect a device trying to simultaneously connect to the common SSID on both the 2.4GHz and 5GHz bands, the device is deliberately refused on 2.4GHz for 15 seconds, by which time it should have connected on 5GHz.


The setup for the 5GHz band is similar to the 2.4GHz band.


As the 20MHz channels in the 5GHz band do not overlap with each other, the router uses Channel 36, whilst the other access points use Channels 40 and 44. These are in the A-Lower (5150-5250MHz) band, so Dynamic Frequency Selection (DFS) and Transmission Power Control (TPC) do not apply.


Security on the 5GHz band is setup the same as the 2.4GHz band, and WPS is also disabled on the 5GHz band.

Hardware Acceleration

We do not use hardware acceleration, so that all traffic passes through the Data Flow Monitor and Traffic Graphs.


UPnP

Universal Plug and Play (UPnP) is disabled. The Internet Gateway Device profile lets any device on the LAN add inbound port mappings to the firewall with no authentication, so a compromised PC, phone or IoT device can expose internal services to the internet without anyone touching the router.
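A quick way to confirm the setting took effect is to ask for the gateway from the LAN side. The following Python script is an added example, not part of the original post or DrayTek's software: it multicasts an SSDP M-SEARCH for the InternetGatewayDevice profile and lists any host that still answers. Run it from a LAN host after disabling UPnP and expect no responders. The sample response embedded at the bottom is constructed to show what an IGD-enabled router would send back; it is not a capture from the Vigor.

```python
"""Check from the LAN whether a router still answers UPnP/SSDP discovery."""
import socket

SSDP_ADDR = "239.255.255.250"
SSDP_PORT = 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

# M-SEARCH request as defined by the UPnP Device Architecture; MX is the
# maximum seconds a responder may wait before replying.
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    f"HOST: {SSDP_ADDR}:{SSDP_PORT}\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    f"ST: {IGD_ST}\r\n"
    "\r\n"
).encode()


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse an HTTP/1.1-style SSDP reply into a dict of lower-cased header names.
    Anything that is not a 200 response is ignored (returns an empty dict)."""
    text = raw.decode("utf-8", errors="replace")
    lines = text.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_igd(headers: dict) -> bool:
    """True when the reply advertises the gateway profile that can open ports."""
    return "InternetGatewayDevice" in headers.get("st", "")


def discover(timeout: float = 3.0) -> list:
    """Send one M-SEARCH and collect (ip, LOCATION) for every IGD that replies."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(MSEARCH, (SSDP_ADDR, SSDP_PORT))
    found = []
    try:
        while True:
            data, addr = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if is_igd(headers):
                found.append((addr[0], headers.get("location", "")))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample reply (not a real capture) from a router with UPnP enabled.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    b"SERVER: Example-OS/1.0 UPnP/1.0 Example-Router/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    hits = discover()
    if hits:
        for ip, location in hits:
            print(f"UPnP IGD still answering from {ip}: {location}")
    else:
        print("No IGD responders within the timeout; UPnP appears to be disabled.")
```

If a LOCATION URL does come back, fetching it returns the device description XML, which is where a port-mapping client would go next; that URL appearing at all is the thing to fix.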


IGMP

The BT TV YouView PVR uses a combination of the terrestrial aerial to receive Freeview channels and IPTV to stream the other channels via Infinity. This means the PVR needs to be able to join IP multicast groups, so the IGMP proxy must be enabled. Additionally, to avoid swamping the WiFi with multicast packets, IGMP Snooping and IGMP Fast Leave should be enabled, so that multicast streams are only forwarded to the ports that have asked for them and are dropped as soon as the last subscriber leaves.


Dynamic DNS

The router is dynamically assigned an IP address for the WAN interface, so in order to enable VPN access to the LAN via the router there are two dynamic DNS entries maintained. Every 1 day (1440 minutes) the router reconfirms the WAN IP address with the dynamic DNS service.


These are provided by the free service No-IP.com, and are set up with a Domain Name, Login and Password provided by No-IP.com.


VPN

The router runs a VPN server so that we can connect remotely to the home network via smartphone or laptop in order to access the security cameras, or geo-locked services such as the BBC iPlayer when travelling abroad. We use the DrayTek Smart VPN Client, which has clients for the two operating systems that we use: Android and Windows.

First we will enable VPN via an SSL Tunnel.


Then add a Remote Access user account, with access via the SSL Tunnel enabled, and a 5 minute timeout.


If you create more than one Remote Access user account, you can individually activate and deactivate them.


When the user connects remotely this is indicated with green text, rather than red text.


More detailed stats on the connection are also available.


On a Windows PC you need to install the Smart VPN Client, and then Insert a new Profile for the router that uses the SSL Tunnel and supplies the same credentials as the Remote Access user account.


Once connected Windows sees a new virtual network connection called DraySSLTunnel.


On an Android phone the Smart VPN Client is available through the Google Play Store, and once installed is available either via the app drawer or via the VPN settings.


As per the Windows setup, first create a Profile using the + symbol at the bottom of the screen.



Then pressing on the Profile connects and disconnects the phone to the router via the SSL Tunnel.



Saturday, 7 January 2017

Broadband issues

Every so often our broadband connection, provided by BT, has a bit of a wobble. Yesterday was one of those days, and after it was down for a couple of hours I gave BT a call to see if there were any problems at their end. One long call later on a Friday lunchtime, and the customer service rep had booked a technician to go out to the exchange and take a look... on Monday afternoon. As he explained, the technicians don't work on the weekend, but if the system sorted itself out he would be happy for me to phone back and cancel the booking. (As it happened, the broadband came back at 5.30pm, and has been up ever since.)

Working from home is a regular thing for us, and a day without broadband is a major headache. So I looked at options for increasing the resiliency of our internet connection, and decided to add a cellular modem as a backup to our ADSL modem. On the opposite side of the gorge from our house is the cell base station for the town, which was upgraded to 4G last year. So there should be plenty of bandwidth available from the cellular connection, if the landline connection goes down.

As we've been having broadband issues for a while, we've long since ditched the BT-supplied Home Hub 4 and have been using a DrayTek Vigor 2860ac ADSL2+ router. This has enabled us to get the maximum speed from our connection, and has plenty of manual configuration for other services such as VPN, IP binding, QoS, etc.


The Vigor 2860 also has load balancing and auto-failover for multiple WANs. By adding a USB cellular modem, it is possible to configure the Vigor 2860 to switch over to that when it detects the ADSL has gone down. So I bought a ZTE MF823 and EE PAYG data SIM, and hooked them up to the Vigor 2860.


Within the Vigor 2860 administrative interface (firmware 3.8.4.2_BT from 7-Dec-2016) the USB modem needs to be enabled.


The Active Mode is set to 'Failover' and Load Balance is unchecked, as I only want the cellular connection used when there's a WAN failure, specifically when WAN1 (BT Broadband) goes down.


The next thing is to set up the USB cellular modem itself.


The Vigor 2860 supports the MF823 when in DHCP mode, as opposed to PPP mode.


The only configuration information the MF823 needs is the APN for the EE network, which is 'everywhere'. With the MF823 configured, the Vigor 2860 reports that it has a potential 42Mbps symmetric internet connection.


Which rather puts our ADSL2+ speeds of 20Mbps/1Mbps to shame.


So the final step is to test that the Vigor 2860 switches over from the ADSL connection to the cellular connection, and back again, when the BT landline goes down. Disconnecting the RJ11 modem cable from the BT master socket triggers the failover behaviour in the Vigor 2860, and after a short delay as the MF823 connects to the network the internet is restored.


There is a break in the internet connection, so this isn't a seamless failover setup. The Vigor 2860 could be set up with the MF823 always on, but with load balancing rules sending all the traffic down the ADSL connection. When the ADSL goes down there wouldn't be the delay while the MF823 connects to the network. However it would still confuse the hell out of any VoIP and streaming connections as the packet routing transitioned from ADSL to cellular, and keeping the MF823 permanently connected would slowly eat through its data allowance. So on balance, I'm happy with the small disruption in connection with the current setup.
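To put a number on that break when running the pull-the-RJ11 test above (the same failover configured in the router summary post), here is an added Python example, not from the original post or from DrayTek: it probes reachability once a second with a TCP connect to a public resolver and records when the link went down and how long it stayed down. The probe, clock and sleep functions are passed in, so the detection logic is demonstrated on a constructed timeline as well as live. The 1.1.1.1:53 target, the one-second interval and the two-minute live window are assumptions.

```python
"""Measure the gap during a WAN failover by probing reachability once a second."""
import socket
import time
from dataclasses import dataclass


@dataclass
class Transition:
    kind: str      # "down" or "up"
    at: float      # seconds on the supplied clock
    outage: float  # seconds between the preceding "down" and this "up"; 0.0 for "down"


def tcp_probe(host="1.1.1.1", port=53, timeout=2.0):
    """Live probe: TCP connect to a public resolver (assumed target).
    Probing the router's own LAN address would not reveal a WAN loss."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def watch(probe, clock, sleep, interval=1.0, samples=120):
    """Poll probe() `samples` times, `interval` apart, and record down/up transitions.
    probe/clock/sleep are injected so the same logic runs against a scripted timeline."""
    transitions = []
    up = True
    went_down = 0.0
    for _ in range(samples):
        ok = probe()
        now = clock()
        if up and not ok:
            up = False
            went_down = now
            transitions.append(Transition("down", now, 0.0))
        elif not up and ok:
            up = True
            transitions.append(Transition("up", now, now - went_down))
        sleep(interval)
    return transitions


def scripted(results, step=1.0):
    """Build probe/clock/sleep closures that replay a fixed list of probe results,
    advancing a fake clock by `step` seconds per poll."""
    state = {"i": 0, "t": 0.0}

    def probe():
        r = results[min(state["i"], len(results) - 1)]
        state["i"] += 1
        return r

    def clock():
        return state["t"]

    def sleep(_):
        state["t"] += step

    return probe, clock, sleep


# Constructed timeline (not a real capture): 3 s up, 5 s down while the
# cellular modem attaches, then back up.
SAMPLE_TIMELINE = [True] * 3 + [False] * 5 + [True] * 2


def measure_sample():
    """Run the watcher over the constructed timeline and return its transitions."""
    probe, clock, sleep = scripted(SAMPLE_TIMELINE)
    return watch(probe, clock, sleep, interval=1.0, samples=len(SAMPLE_TIMELINE))


if __name__ == "__main__":
    # Live run: start this, pull the RJ11 from the master socket, plug it back
    # in, and read off the outage length once the two minutes are up.
    for t in watch(tcp_probe, time.monotonic, time.sleep, interval=1.0, samples=120):
        extra = f"  outage {t.outage:.1f}s" if t.kind == "up" else ""
        print(f"{t.kind:4s} at {t.at:8.1f}s{extra}")
```

On the constructed timeline the watcher reports a "down" at 3 s and an "up" at 8 s with a 5 s outage; on the real link the "up" after reconnecting the ADSL shows the fail-back delay, which is the figure the always-on variant discussed above would shrink.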

(I also note that Openreach is now accepting orders for fibre connections from the Ironbridge WNIB exchange! We're connected to 'cabinet 2', which is currently in the Build phase, and the guidance is that connections to homes should be available within 5 months.)