
Draytek or FitzBox for Site2Site VPN


David Wade

Nov 3, 2023, 6:56:54 PM
Until recently I had

1. a Draytek 2862 on FTTC in the UK
2. an old 2820 at my holiday home.

The internet in my holiday home is 300Mb FTTP with CG NAT on a Huawei
EG8145V5 router. The 2820 connects to the EG8145V5 via 100mb LAN cable
and then back to the 2862 via a VPN.

I recently upgraded my UK setup to Zen FTTP 500/75 and telephony from
Voipfone. I installed the ZEN Fritz!Box 7530AX router and set up the
2862 as a so-called "DMZ" device. I configured VOIP on the 7530, so I
now have:-

Draytek 2862 <-- DMZ/NAT --> Fritz!Box 7530AX <-- Internet --> EG8145V5 <-- Draytek 2820

Now the 2820 seems to be a bit of a bottleneck, so I was wondering if I
would be better replacing it with a newer Draytek, or, as they seem
cheaper and more widely available, a Fritz!Box 7530.

I can see the Fritz!Box does not have a local DNS. Are there any other
features I might miss?

Any other points?

Dave

Graham J

Nov 4, 2023, 4:50:47 AM
I don't think any Draytek has local DNS either. But generally the
Drayteks have superior management and monitoring - although CG NAT at
your holiday home means that these probably won't be remotely
accessible. I think using a Fritz!Box at the holiday home may mean it
is impossible to set up a VPN to the 2862.

Since you have Voipfone I don't see why you need the Fritz!Box - Zen
only provide them so you can use their proprietary VoIP service. Why
not connect the 2862 direct to the ONT?


--
Graham J

Andy Burns

Nov 4, 2023, 4:56:53 AM
Graham J wrote:

> I don't think any Draytek has local DNS either.

sure they do, under
Applications > LAN DNS / DNS Forwarding

Roderick Stewart

Nov 4, 2023, 5:12:53 AM
On Fri, 3 Nov 2023 22:56:18 +0000, David Wade <g4...@dave.invalid>
wrote:

>I can see the Fritz!Box does not have a local DNS. Are there any other
>features I might miss?

Mine has.

Home Network - Network - Network Settings tab, then scroll down to IP
Addresses and click the IPV4 (or IPV6) Settings button.

Here you can set the router's own IP address, DHCP range and lease
time, DNS server address and guest network address.

Rod.

Chris Green

Nov 4, 2023, 5:18:06 AM
Graham J <nob...@nowhere.co.uk> wrote:
> David Wade wrote:
> > Until recently I had
> >
> > 1. a Draytek 2862 on FTTC in the UK
> > 2. an old 2820 at my holiday home.
> >
> > The internet in my holiday home is 300Mb FTTP with CG NAT on a Huawei
> > EG8145V5 router. The 2820 connects to the EG8145V5 via 100mb LAN cable
> > and then back to the 2862 via a VPN.
> >
> > I recently upgraded my UK setup to Zen FTTP 500/75 and telephony from
> > Voipfone. I installed the ZEN Fritz!Box 7530AX router and set up the
> > 2862 as a so-called "DMZ" device. I configured VOIP on the 7530, so I
> > now have:-
> >
> > Draytek 2862 <-- DMZ/NAT --> Fritz!Box 7530AX <-- Internet --> EG8145V5 <-- Draytek 2820
> >
> > Now the 2820 seems to be a bit of a bottleneck, so I was wondering if I
> > would be better replacing it with a newer Draytek, or, as they seem
> > cheaper and more widely available, a Fritz!Box 7530.
> >
> > I can see the Fritz!Box does not have a local DNS. Are there any other
> > features I might miss?
> >
> > Any other points?
>
> I don't think any Draytek has local DNS either. But generally the

They do but it's not very good, i.e. you can't give names to systems,
it's just a caching DNS server.

--
Chris Green

Graham J

Nov 4, 2023, 5:57:21 AM
That is DNS forwarding, not a local DNS server. It does not resolve
node names to local IP addresses, it forwards name requests to the
external DNS server(s).

Others here have complained bitterly about this inadequacy.



--
Graham J

grinch

Nov 4, 2023, 6:10:38 AM
My Zen provided 7530 is on the latest firmware and the DNS server
settings are under /account information/internet/DNS server.

You can set the DNS servers you require or let it use your isp's DNS
servers.

As my firewall is also my internal DNS server I have left the fritzbox
defaults i.e. the isp's provided servers for ipv4 and ipv6

Andy Burns

Nov 4, 2023, 6:12:39 AM
Graham J wrote:

> Andy Burns wrote:
>
>> Graham J wrote:
>>
>>> I don't think any Draytek has local DNS either.
>>
>> sure they do, under
>> Applications > LAN DNS / DNS Forwarding
>
> That is DNS forwarding, not a local DNS server.  It does not resolve
> node names to local IP addresses, it forwards name requests to the
> external DNS server(s).

Err, no.

It forwards if you set the type to "DNS forwarding" but it resolves
names to IPs if you set the type to "LAN DNS"

> Others here have complained bitterly about this inadequacy.

Well they should look closer at it then, it certainly resolves local
names, I use it here, it works ...

<http://andyburns.uk/misc/draytek-local-dns.png>



SH

Nov 4, 2023, 6:14:40 AM

>
> The internet in my holiday home is 300Mb FTTP with CG NAT on a Huawei
> EG8145V5 router. The 2820 connects to the EG8145V5 via 100mb LAN cable
> and then back to the 2862 via a VPN.
>

CG NAT on FTTP? I thought CGNAT was only used on mobile phone networks,
and that on FTTP products you had a dynamic IP and you could get a
static IP for free or for extra monthly fee.

I have static IP on my 500 Mb/s FTTP product, makes setting up a VPN so
much easier :-)

As for DNS, I run my own Pi Hole along with Wireguard.

Andy Burns

Nov 4, 2023, 6:21:01 AM
SH wrote:

> CG NAT on FTTP? I thought CGNAT was only used on mobile phone networks

You can have CGNAT anywhere the ISP has more customers than IPv4 addresses.

SH

Nov 4, 2023, 6:49:10 AM
thought all FTTP products were all now on IP v6?

My static IP address is an IP v4 address which was free of charge :-)

It might be worth the OP switching to Vodafone Gigafast just for the
static IP address one :-)

S.

David Wade

Nov 4, 2023, 7:02:19 AM
I don't have an ONT. ZEN leave the voip in the 7530 unlocked if you
don't take their VOIP service and I connect that to Voipfone

Dave

David Wade

Nov 4, 2023, 7:06:53 AM
I should point out that the end point with the Huawei router is in Spain....
.... and switching to a supplier without CGNAT would double my monthly
bill to 40€ + VAT...

Dave

David Wade

Nov 4, 2023, 7:13:48 AM
On 04/11/2023 08:50, Graham J wrote:
> David Wade wrote:
>> Until recently I had
>>
>> 1. a Draytek 2862 on FTTC in the UK
>> 2. an old 2820 at my holiday home.
>>
>> The internet in my holiday home is 300Mb FTTP with CG NAT on a Huawei
>> EG8145V5 router. The 2820 connects to the EG8145V5 via 100mb LAN cable
>> and then back to the 2862 via a VPN.
>>
>> I recently upgraded my UK setup to Zen FTTP 500/75 and telephony from
>> Voipfone. I installed the ZEN Fritz!Box 7530AX router and set up the
>> 2862 as a so-called "DMZ" device. I configured VOIP on the 7530, so I
>> now have:-
>>
>> Draytek 2862 <-- DMZ/NAT --> Fritz!Box 7530AX <-- Internet --> EG8145V5 <-- Draytek 2820
>>
>> Now the 2820 seems to be a bit of a bottleneck, so I was wondering if I
>> would be better replacing it with a newer Draytek, or, as they seem
>> cheaper and more widely available, a Fritz!Box 7530.
>>
>> I can see the Fritz!Box does not have a local DNS. Are there any other
>> features I might miss?
>>
>> Any other points?
>
> I don't think any Draytek has local DNS either.


It's pretty thick, but it's there.

> But generally the
> Drayteks have superior management and monitoring - although CG NAT at
> your holiday home means that these probably won't be remotely
> accessible.

It's OK if the VPN is up. I use 192.168.1.1 main home, 192.168.0.1
Holiday home. Looks pretty seamless, except AP config for remote APs
does not work.

> I think using a Fritz!Box at the holiday home may mean it
> is impossible to set up a VPN to the 2862.
>
> Since you have Voipfone I don't see why you need the Fritz!Box - Zen
> only provide them so you can use their proprietary VoIP service.  Why
> not connect the 2862 direct to the ONT?
>
>

See other reply.

Dave

David Wade

Nov 4, 2023, 7:16:48 AM
The Draytek will also resolve names -> addresses. I mainly use it for
vintage unix boxes...

Dave

Graham J

Nov 4, 2023, 7:21:39 AM
David Wade wrote:

[snip]

>>
>> Since you have Voipfone I don't see why you need the Fritz!Box - Zen
>> only provide them so you can use their proprietary VoIP service.  Why
>> not connect the 2862 direct to the ONT?
>>
>>
> I don't have an ONT.

What does the Fritz!Box WAN port connect to?

My FTTP arrives on an ONT which has an Ethernet socket - I connect this
to the WAN port of my router.

> ZEN leave the voip in the 7530 unlocked if you
> don't take their VOIP service and I connect that to Voipfone

Other people have asked here about that. Can you show more details so
we can see how you connect it to Voipfone, please?






--
Graham J

Graham J

Nov 4, 2023, 7:26:48 AM
David Wade wrote:

[snip]

>
>> But generally the Drayteks have superior management and monitoring -
>> although CG NAT at your holiday home means that these probably won't
>> be remotely accessible.
>
> It's OK if the VPN is up.

Exactly my point! If anything goes wrong with the remote VPN settings
you have to go to Spain to correct it.

> I use 192.168.1.1 main home, 192.168.0.1
> Holiday home. looks pretty seamless, except AP config for remote APs
> does not work.

Have you got the appropriate default gateway set in the remote APs?



--
Graham J

Graham J

Nov 4, 2023, 7:30:11 AM
David Wade wrote:

[snip]

>> It might be worth the OP switching to vodafone Gigafast just for the
>> static IP address one :-)

As we've seen here in the postings from Peter, we all now know that we
should never use Vodafone!

> I should point out that the end point with the Huawei router is in
> Spain....
> .... and switching to a supplier without CGNAT would double my monthly
> bill to 40€ + VAT...

Does the Spanish supplier offer IPV6? Does the Huawei router connect to
the fibre, or does it use Ethernet to the Spanish equivalent of
Openreach's ONT?


--
Graham J

David Wade

Nov 4, 2023, 7:47:35 AM
It's just a normal SIP connection. Apparently you need Fritz!OS 7.25.
The only trick is you need to tick "Provider does not support
REGISTER-fetch"

If you use the voipfone voicemail the call waiting light on the 7530
does not work.




Dave

David Wade

Nov 4, 2023, 7:54:36 AM
Yes, I meant the central management of remote APs from the routers does
not work. It's because the router in the Holiday Home does not pass a
certain type of packet across to the main router.

Dave

Andy Burns

Nov 4, 2023, 8:04:35 AM
SH wrote:

> thought all FTTP products were all now on IP v6?

Plusnet finally started selling FTTP, but still don't have IPv6 (except
for a few who joined the trial years ago).

> My static IP address is a IP v4 address which was free of charge :-)

Mine is a /29 also free.

Graham J

Nov 4, 2023, 8:20:53 AM
David Wade wrote:
> On 04/11/2023 11:21, Graham J wrote:
>> David Wade wrote:
>>
>> [snip]
>>
>>>>
>>>> Since you have Voipfone I don't see why you need the Fritz!Box - Zen
>>>> only provide them so you can use their proprietary VoIP service.
>>>> Why not connect the 2862 direct to the ONT?
>>>>
>>>>
>>> I don't have an ONT.
>>
>> What does the Fritz!Box WAN port connect to?


Please explain ...


--
Graham J

Roderick Stewart

Nov 4, 2023, 8:57:22 AM
On Sat, 4 Nov 2023 10:10:15 +0000, grinch <gri...@somewhere.net>
wrote:

>> Home Network - Network - Network Settings tab, then scroll down to IP
>> Addresses and click the IPV4 (or IPV6) Settings button.
>>
>> Here you can set the router's own IP address, DHCP range and lease
>> time, DNS server address and guest network address.
>>
>> Rod.
>
>My Zen provided 7530 is on the latest firmware and the DNS server
>settings are under /account information/internet/DNS server.

Just checked mine. Yes it's there too. Looks like another route to the
same page. (Fritz OS 7.57)

Rod.

Java Jive

Nov 4, 2023, 9:07:42 AM
No, we've had this same argument before. As in

"Re: Are there any VDSL routers out there that do proper DHCP/DNS with
names?
On 02/02/2022 20:25, Andy Burns wrote:
>
> I did point out that it wouldn't help Chris because even though the
> vigor is aware of non-blank device IDs, it doesn't use them for local
> DNS lookups. If you want local machine lookups to work (in combination
> with external DNS), you do have to type them into the "LAN DNS" entries
> section.

Well, fair enough, you didn't type them in, but also, just as I said,
there isn't proper local DNS, because it doesn't 'just work' unless you
do type them in. I don't have to type the PC and NAS names into my
BTHH5a running OpenWRT, it 'just works', and so it should on a DV, but,
appallingly for a top name, it doesn't, and AFAIAA never has."

So that is not true local DNS, because you have manually to set up the
name and IP pairing, just as you would in a hosts file, the only
advantage it offers is having to do this once instead of copying a hosts
file around every PC or other device. A properly functioning local DNS
server would do this automatically.

--

Fake news kills!

I may be contacted via the contact address given on my website:
www.macfh.co.uk

David Wade

Nov 4, 2023, 9:11:38 AM
The Huawei router connects direct to the fibre, so no ONT and you can't
replace the router. No IPV6 but things might change as was small local
ISP (axartel)

https://www.axartel.es/en/

who have now been bought by a bigger one (avatel) although there is a
bigger holding company

Dave

David Wade

Nov 4, 2023, 9:17:02 AM
On 04/11/2023 12:20, Graham J wrote:
> David Wade wrote:
>> On 04/11/2023 11:21, Graham J wrote:
>>> David Wade wrote:
>>>
>>> [snip]
>>>
>>>>>
>>>>> Since you have Voipfone I don't see why you need the Fritz!Box -
>>>>> Zen only provide them so you can use their proprietary VoIP
>>>>> service. Why not connect the 2862 direct to the ONT?
>>>>>
>>>>>
>>>> I don't have an ONT.
>>>

sorry mis-read that as ATA

>>> What does the Fritz!Box WAN port connect to?
> >
> Please explain ...
>
>

Of course the Fritz!box connects to the ONT and provides the VOIP ATA. I
plugged my DECT base station into the FON port on the Fritz!box which is
why I don't connect the Draytek directly to the ONT.

Andy Burns

Nov 4, 2023, 9:21:07 AM
Java Jive wrote:

> we've had this same argument before.

Now you're moving the goalposts!

A DNS server doesn't have to do anything other than lookup entries from
a zone file, integration with a separate DHCP server isn't mandatory
(yes it can be convenient).

So yes, a Draytek won't automatically add entries to local DNS
corresponding to every DHCP address issued.

David Wade

Nov 4, 2023, 9:21:48 AM
Sounds like a proper DNS to me. Just because it's not updated via dynamic
DNS updates doesn't mean it's not "proper". Most of the ISPs that offer
DNS hosting for domains don't offer dynamic DNS or host updates via DHCP.


Dave



Graham J

Nov 4, 2023, 9:50:41 AM
OK understood.

But - if you discard the Fritz!box then your Draytek would connect
directly to the ONT, and you could have remote access into the Draytek
for management and confirming that the internet connection is live via a
monitoring service such as <https://f8lure.mouselike.org/auth.asp>

It might also make setting up the endpoint for the LAN-to-LAN VPN easier.

Of course you would then require an ATA or a VoIP phone to connect to
your LAN.



--
Graham J

Graham J

Nov 4, 2023, 9:54:01 AM
Indeed.

If you run a server on your LAN, it would integrate DHCP and DNS. You
then would disable the DHCP and DNS forwarding in your router. I'm told
this can be done with a Raspberry Pi.


--
Graham J

David Wade

Nov 4, 2023, 10:25:49 AM
I get remote access to the Draytek in the UK anyway. The Fritz!Box
really only handles the VOIP at present. It routes all other traffic to
the Draytek. I have a fixed IP from Zen.....

.. The other end is the problem. The Draytek 2820 there is old and has
low VPN throughput. It only has one 1Gb link. The link to the ISP router
is only 100mb. The WiFi is Wifi "n" only.

The question is do I replace it with a second Fritz!Box or a newer Draytek.

The Fritz!box would be lower priced, give me a phone port, faster WiFi
(the AX version with WiFi 6 would be more expensive but still less than
a Draytek) but fewer VPN options.

On the other hand a Draytek has more VPN options and could manage the
Draytek Access Points I have.....


Dave

Graham J

Nov 4, 2023, 12:16:41 PM
David Wade wrote:

[snip]

>
> The question is do I replace it with a second Fritz!Box or a newer Draytek.
>
> The Fritz!box would be lower priced, give me a phone port, faster WiFi
> (the AX version with WiFi 6 would be more expensive but still less than
> a Draytek) but fewer VPN options.
>
> On the other hand a Draytek has more VPN options and could manage the
> Draytek Access Points I have.....

I think there will be more modern Drayteks available on the secondhand
market as people discard them in favour of ISP-provided routers such as
the Fritz!Box where the users need a simple "Digital Voice" solution.


--
Graham J

www.GymRatZ.co.uk

Dec 27, 2023, 6:32:40 AM
On 03/11/2023 22:56, David Wade wrote:

> I recently upgraded my UK setup to Zen FTTP 500/75 and telephony from
> Voipfone. I installed the ZEN Fritz!Box 7530AX router and set up the
> 2862 as a so-called "DMZ" device. I configured VOIP on the 7530, so I
> now have:-
>
> Draytek 2862 <-- DMZ/NAT --> Fritz!Box 7530AX <-- Internet --> EG8145V5 <-- Draytek 2820
>
> Now the 2820 seems to be a bit of a bottleneck, so I was wondering if I
> would be better replacing it with a newer Draytek, or, as they seem
> cheaper and more widely available, a Fritz!Box 7530.
>
> I can see the Fritz!Box does not have a local DNS. Are there any other
> features I might miss?

Your set-up sounds very close to my own.

Site to Site Draytek VPN. Upgraded remote site to Zen FTTP and old
draytek 2920 is sadly lacking in throughput to maximise FTTP connection
but it's still fast enough to fulfill the purpose, and the remote site
is the Netflix account holder's location which following this year's
Netflix clamp down on account sharing meant the same account couldn't be
accessed from both locations but the VPN is fast enough to route all
local t.v. traffic through to the remote end and out on the same Zen IP
address so back to 2 sites being seen by Netflix as a single site.
The Zen supplied Fritz Box 7530 is used on the remote site but replacing
a network switch and adding a 2nd telephone "socket" so not providing
WAN interface.

I have the Fritz Box telephone side registered with both voipfone and
voipcheap accounts for the simple reason that the property alarm
auto-dialer needed to be presented with a POTS interface so I simply
wired it into the FritzBox telephone port. Alarm is triggered Fritzbox
dials out over LAN through Draytek to WAN (Always connect by internet
box ticked). Works perfectly unless power is out of course.

2 things to note. I can't log into the Fritzbox from remote via VPN, I
have to VNC into a computer on the same network and log into the box
from there whereas Draytek to Draytek is Wayyyy more versatile and with
static IP addresses on both ends even if the VPN is down I can still log
into Draytek admin via the "allow admin from WAN" (via specific IP
address for security).

The main reason I've always stuck to a Draytek at each end is simplicity
of duplicating a highly configurable set-up. i.e. Same settings both
ends with the exception of local and remote IP address changes.

I see the FritzBox has done an update and now supports WireGuard but
these features always seem to be focused on simplicity of logging
in from a remote client for internet break-out rather than a full-scale
site<->site communications of each end being both host and client.

My scenario is both sites are only 10 miles and 20 minutes apart so
sorting things out isn't a big issue.

Cheers
Pete
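
The constraint this thread keeps returning to, a site-to-site VPN where one end sits behind CGNAT, can be checked before buying hardware. The sketch below is an added example, not part of any post: it classifies each router's WAN address and reports which end has to dial out and what that means for remote management. The WAN addresses and the /24 LAN masks are constructed sample values (the thread gives only the router addresses 192.168.1.1 and 192.168.0.1); IPv4 only.

```python
import ipaddress
from dataclasses import dataclass

# RFC 6598 shared address space, used by carriers for CGNAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 ranges: a WAN address here means double NAT behind another router.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Site:
    name: str
    wan_ip: str  # address the edge router reports on its WAN interface
    lan: str     # LAN subnet in CIDR form


def wan_class(wan_ip):
    """Return 'cgnat', 'private' or 'public' for an IPv4 WAN address."""
    addr = ipaddress.ip_address(wan_ip)
    if addr in CGNAT:
        return "cgnat"
    if any(addr in net for net in RFC1918):
        return "private"
    return "public"


def plan_tunnel(a, b):
    """Decide which site must initiate the VPN and list design problems."""
    issues = []
    if ipaddress.ip_network(a.lan).overlaps(ipaddress.ip_network(b.lan)):
        issues.append("LAN subnets overlap: renumber one site before "
                      "routing between them")
    reachable = [s for s in (a, b) if wan_class(s.wan_ip) == "public"]
    hidden = [s for s in (a, b) if wan_class(s.wan_ip) != "public"]
    if len(reachable) == 2:
        initiator = "either"  # both ends can also be managed from the WAN
    elif len(reachable) == 1:
        initiator = hidden[0].name
        issues.append(f"{hidden[0].name} accepts no inbound connections: "
                      "its router is manageable only while the tunnel is up")
    else:
        initiator = None
        issues.append("neither site accepts inbound connections: "
                      "a relay with a public address is needed")
    return {"initiator": initiator, "issues": issues}


# Constructed sample values: 203.0.113.10 stands in for a fixed public
# address, 100.72.5.20 for a CGNAT-assigned one.
UK = Site("uk", "203.0.113.10", "192.168.1.0/24")
SPAIN = Site("spain", "100.72.5.20", "192.168.0.0/24")

if __name__ == "__main__":
    print(plan_tunnel(UK, SPAIN))
```
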


