
Draytek Experts Here ?


R Johnson

Jul 14, 2009, 4:18:06 AM
Any Draytek experts here?

I'm told the 2800 series can do NAT and ROUTED at the same time. Say for
a block of 8 IPs you can assign one to be natted and route the others
through. Is this correct? Are there alternatives to Draytek for this
(other than megabuck Ciscos)?

Also what is the difference between the 2800, 2800g and 2800v? I see
these coming up cheaply now and can't find the information.

Gordon Henderson

Jul 14, 2009, 5:22:20 AM
In article <4a5c3f3e$0$2530$da0f...@news.zen.co.uk>,

R Johnson <bou...@null.invalid> wrote:
>Any Draytek experts here?
>
>I'm told the 2800 series can do NAT and ROUTED at the same time. Say for
>a block of 8 IPs you can assign one to be natted and route the others
>through. Is this correct? Are there alternatives to Draytek for this
>(other than megabuck Ciscos)?

The internal side of things can have 2 IP addresses/ranges. One can be
the routed subnet and the other NATted (with the NATted devices presenting
the router's own external IP address).

I've only tried this once though - much prefer to use a 2nd router doing
NAT. The early Drayteks have NAT issues (2600s - not sure about the 2800s;
I currently use 2820s).

>Also what is the difference between the 2800, 2800g and 2800v? I see
>these coming up cheaply now and can't find the information.

With all Drayteks:

modelNum: basic,
modelNum+g: Wi-Fi 802.11g
modelNum+v: built-in 2-port ATA for VoIP.
modelNum+gv: both VoIP and Wi-Fi.

I'm not sure of the difference between the 2800 and the 2820s though. The
2800 I saw yesterday was in the same blue case the 2600 came in - maybe
it's just software. I think the 2820s have hardware crypto to make VPNs
run faster... I had speed and jitter problems some time back with the
crypto VPNs on the 2600s and 2900s...

Gordon

R Johnson

Jul 14, 2009, 5:36:33 AM

I'm glad it was you that answered, Gordon :-) I just knew that you would
know. Thanks.

What I want to do - and in all my years I've never needed to get involved
in the network side of this as such - is set up a small 8 block so that
one of the addresses nats a soho network for ten users, one of the others
would go straight to the public IP on a secondary box. Looks like this
will do just as I need without having to set up shed loads of additional
hardware.

Thanks and very much obliged to you.

Gordon Henderson

Jul 14, 2009, 8:13:00 AM
In article <4a5c51a1$0$2543$da0f...@news.zen.co.uk>,

It should do what you need, but personally, I'd be tempted to stick in
a 2nd router (a 'cable' one with Ethernet ports). That way you can pick
the IP address used for the NATted LAN, otherwise it will be the one
assigned to the Draytek (which you may not have any control over).

E.g. my setup - I have 8 IPs from .104 through .111. My router (an
older 2600) has .105 and this was fixed by the ISP. 104 and 111 are the
(unusable) broadcast addresses.

So it looks like:

           -BT-Phone-ADSL-
                  |
              2600 .105
                  |
     +------------+-----------+--------------+
     |            |           |              |
Server.106   Server.107  Server.108     Router.110
                                             | NAT 192.168.x.y/24
                                             |
               +-----------+--------+--------+
               |           |        |        |
          Workstation   Server   Laptop    Phone

The external servers are in the "DMZ". It physically separates internal
LAN traffic from the external LAN, so if a server were to be compromised,
it still can't get access through the Router.110 into the LAN and other
servers.

The Draytek 2600.105 doesn't do any NAT at all - that's handled by the
Router.110.

Gordon

R Johnson

Jul 14, 2009, 9:03:30 AM

I've got an old 50p eBay Edimax cable router here that will probably do
that just fine - redrawn to:

>              -BT-Phone-ADSL-
>                     |
>                 2600 .105
>                     |
>        +------------+-----------+
>        |            |           |
>   MAIL SERVER   SNORT BOX    EDIMAX {or SWITCH}
>                                 | NAT 192.168.x.y/24
>                                 |
>   +-----------+--------+--------+
>   |           |        |        |
>  WS 1      W/L AP   Laptop    Phone

You are a star GH. Always a first class contributor to U/N. Thank you.

Gordon Henderson

Jul 14, 2009, 10:27:51 AM
In article <d21p55hs9reb8vui3...@4ax.com>,
<occassional...@nospam.co.uk> wrote:

>
> Gordon Henderson <gordon...@drogon.net> wrote:
>
>>I had speed and jitter problems some time back with the
>>crypto VPNs on the 2600's and 2900's...
>
>Interesting... I have a couple of 2900Gi units, with a VPN between
>them and also a dial-in VPN.
>
>The VPN functionality works most of the time but not often enough.
>
>Would a newer model be more reliable? The VPN is used to run
>PC/Anywhere only.

Issues I had some time back were with a pair of 2900s over a 10Mb LAN
Extension and another pair, one in the UK, the other in the US. Best speed
I could get with encryption turned on was about 1.5Mb/sec. We didn't
really notice this until the US end went to a bonded T1 connection -
about 3Mb/sec., and they started to use video conferencing. Turning
the encryption off instantly allowed the speed to be at full line-rate,
and jitter dropped to a steady level - noticeable as a marked improvement
on the video picture (its data rate was only 225Kb/sec, so well inside
the speed).

As I understand it, the older 2600s and 2900s did the encryption in
software and I think it more or less maxed out the processor - especially
trying to encrypt compressed video and audio data. They were suitable when
ADSL in the UK was 2Mb/sec max. The 2820 does the encryption in hardware,
although I've not had the opportunity to try that to the limit yet -
I use them mainly for their traffic shaping abilities for VoIP.

>Otherwise, these routers run reliably for months without a reboot,
>though they seem to slow down after some months and then I reboot
>them.

Not noticed that myself, but have had 2600's crash with multiple VPN
connections into them.

>I would also like something which does a VPN over port 443, which
>should work over any mobile internet connections (all except Voda
>don't support PPTP).

ssh vpn?

Gordon

Jono

Jul 14, 2009, 1:29:27 PM
occassional...@nospam.co.uk used his keyboard to write :

> I would also like something which does a VPN over port 443, which
> should work over any mobile internet connections (all except Voda
> don't support PPTP).

In what way do Voda not support PPTP?

I've a PPTP VPN working fine using a Voda mobile broadband dongle...


Jono

Jul 14, 2009, 3:35:42 PM
Jono explained :

Doh! Re-read OP. Ignore me.


Andy Burns

Jul 15, 2009, 4:10:25 AM
occassional...@nospam.co.uk wrote:

> Jono <noth...@blueyonder.invalid> wrote:
>
>> In what way do Voda not support PPTP?
>
> AIUI (not a networking expert) PPTP requires specific protocol support
> in routing equipment etc.
>
> Voda is the only UK network which provides this, and it works
> everywhere I've been in Europe (on Voda).
>
> One proposed solution has been IPSEC which requires no special support
> but one whizzkid I know has tried this and could not get it to work,
> ever, on GPRS/3G.
>
> Whereas port 443 "must" work otherwise the network would be useless
> for web browsing.

I use openVPN, usually over UDP/1194, but for "difficult" situations I
also run the server on TCP/443 so it appears to be https traffic and can
even pass through web proxies where necessary.

Andy Burns

Jul 15, 2009, 4:48:15 AM
occassional...@nospam.co.uk wrote:

> Andy Burns <usenet....@adslpipe.co.uk> wrote:
>
>> I use openVPN, usually over UDP/1194, but for "difficult" situations I
>> also run the server on TCP/443 so it appears to be https traffic and can
>> even pass through web proxies where necessary.
>

> OK; that's a software router you are running on some unix machine
> sitting behind a real router, and you have opened that IP to pass
> through the real router I assume (AIUI).

Nearly ... I replaced the firmware on my Linksys WRT54G router with
openWRT, then installed openVPN directly on the router.

Gordon Henderson

Jul 15, 2009, 5:28:19 AM
In article <gq2r55tjrsfpp1a14...@4ax.com>,
<occassional...@nospam.co.uk> wrote:

>I know for a fact that turning on encryption in PC/A slows it down
>drastically, even when running over a 256/512 basic ADSL.

Good encryption requires CPU horsepower to make it work. Most algorithms
are computationally intensive - sometimes deliberately to reduce the
effects of a brute-force attack.

So a simple substitution cipher is easy, but AES is "hard" to compute,
and in an interactive situation, it may be encrypting every packet each
way, which adds up to a lot of CPU cycles just to do the encryption.

On faster PCs it should be hardly noticeable, but on slower ones it's
really noticeable. Ironically, some of the slower processors aimed at the
embedded market (VIA, Geode) have on-board hardware encryption engines,
while the faster ones don't...

Gordon
