Draytek Experts Here ?

Any Draytek experts here?

I'm told the 2800 series can do NAT and ROUTED at the same time. Say for
a block of 8 IP's you can assign one to be natted and route the others
through. Is this correct? Are there alternatives to Draytek for this
(Other than megabuck Cisco's)

Also what is the difference between the 2800, 2800g and 2800v. I see
these coming up cheaply now and can't find the information.

In article <4a5c3f3e$0$2530$(E-Mail Removed)>,
R Johnson <(E-Mail Removed)> wrote:
>Any Draytek experts here?
>
>I'm told the 2800 series can do NAT and ROUTED at the same time. Say for
>a block of 8 IP's you can assign one to be natted and route the others
>through. Is this correct? Are there alternatives to Draytek for this
>(Other than megabuck Cisco's)

The internal side of things can have 2 IP addresses/ranges. One can be
the routed subnet and the other NATted (with the NATted devices presenting
the routers own external IP address.

I've only tried this once though - much prefer to use a 2nd router doing
NAT. The early Drayteks have NAT issues (2600's - not sure about the 2800's
I currently use 2820's)

>Also what is the difference between the 2800, 2800g and 2800v. I see
>these coming up cheaply now and can't find the information.

with all Drayteks:

modelNum: basic,
modelNum+g: Wi-Fi 802.11g
modelNum+v: built=in 2-port ATA for VoIP.

modelnum+gv - both VoIP and Wi-Fi.

I'm not sure the difference between the 2800 and the 2820's though. The
2800 I way yesterday was in the same blue case the 2600 came in - maybe
it's jsut software. I think the 2820's have hardware crypto to make VPNs
run faster... I had speed and jitter problems some time back with the
crypto VPNs on the 2600's and 2900's...

Gordon

On Tue, 14 Jul 2009 09:22:20 +0000, Gordon Henderson wrote:

> In article <4a5c3f3e$0$2530$(E-Mail Removed)>, R Johnson
> <(E-Mail Removed)> wrote:
>>Any Draytek experts here?
>>
>>I'm told the 2800 series can do NAT and ROUTED at the same time. Say for
>>a block of 8 IP's you can assign one to be natted and route the others
>>through. Is this correct? Are there alternatives to Draytek for this
>>(Other than megabuck Cisco's)
>
> The internal side of things can have 2 IP addresses/ranges. One can be
> the routed subnet and the other NATted (with the NATted devices
> presenting the routers own external IP address.
>
> I've only tried this once though - much prefer to use a 2nd router doing
> NAT. The early Drayteks have NAT issues (2600's - not sure about the
> 2800's I currently use 2820's)
>
>>Also what is the difference between the 2800, 2800g and 2800v. I see
>>these coming up cheaply now and can't find the information.
>
> with all Drayteks:
>
> modelNum: basic,
> modelNum+g: Wi-Fi 802.11g
> modelNum+v: built=in 2-port ATA for VoIP.
>
> modelnum+gv - both VoIP and Wi-Fi.
>
> I'm not sure the difference between the 2800 and the 2820's though. The
> 2800 I way yesterday was in the same blue case the 2600 came in - maybe
> it's jsut software. I think the 2820's have hardware crypto to make VPNs
> run faster... I had speed and jitter problems some time back with the
> crypto VPNs on the 2600's and 2900's...
>
> Gordon

I'm glad it was you than answered Gordon :-) I just knew that you would
know. Thanks.

What I want to do - and in all my years I've never needed to get involved
in the network side of this as such - is set up a small 8 block so that
one of the addresses nats a soho network for ten user, one of the others
would go straight to the public IP on a secondary box. Looks like this
will do just as I need without having to set up shed loads of additional
hardware.

Thanks and very much obliged to you.

In article <4a5c51a1$0$2543$(E-Mail Removed)>,
R Johnson <(E-Mail Removed)> wrote:
>On Tue, 14 Jul 2009 09:22:20 +0000, Gordon Henderson wrote:
>
>> In article <4a5c3f3e$0$2530$(E-Mail Removed)>, R Johnson
>> <(E-Mail Removed)> wrote:
>>>Any Draytek experts here?
>>>
>>>I'm told the 2800 series can do NAT and ROUTED at the same time. Say for
>>>a block of 8 IP's you can assign one to be natted and route the others
>>>through. Is this correct? Are there alternatives to Draytek for this
>>>(Other than megabuck Cisco's)
>>
>> The internal side of things can have 2 IP addresses/ranges. One can be
>> the routed subnet and the other NATted (with the NATted devices
>> presenting the routers own external IP address.
>>
>> I've only tried this once though - much prefer to use a 2nd router doing
>> NAT. The early Drayteks have NAT issues (2600's - not sure about the
>> 2800's I currently use 2820's)
>>
>>>Also what is the difference between the 2800, 2800g and 2800v. I see
>>>these coming up cheaply now and can't find the information.
>>
>> with all Drayteks:
>>
>> modelNum: basic,
>> modelNum+g: Wi-Fi 802.11g
>> modelNum+v: built=in 2-port ATA for VoIP.
>>
>> modelnum+gv - both VoIP and Wi-Fi.
>>
>> I'm not sure the difference between the 2800 and the 2820's though. The
>> 2800 I way yesterday was in the same blue case the 2600 came in - maybe
>> it's jsut software. I think the 2820's have hardware crypto to make VPNs
>> run faster... I had speed and jitter problems some time back with the
>> crypto VPNs on the 2600's and 2900's...
>>
>> Gordon
>
>I'm glad it was you than answered Gordon :-) I just knew that you would
>know. Thanks.
>
>What I want to do - and in all my years I've never needed to get involved
>in the network side of this as such - is set up a small 8 block so that
>one of the addresses nats a soho network for ten user, one of the others
>would go straight to the public IP on a secondary box. Looks like this
>will do just as I need without having to set up shed loads of additional
>hardware.

It should do what you need, but personally, I'd be tempted to stick in
a 2nd router (a 'cable' one with Ethernet ports). That way you can pick
the IP address used for the NATted LAN, otherwise it will be the one
assigned to the Draytek (which you may not have any control over).

E.g. my setup - I have 8 IPs from .104 through .111. My router (an
older 2600) has .105 and this was fixed by the ISP. 104 and 111 are the
(unusable) broadcast addresses.

So it looks like:

-BT-Phone-ADSL-
|
2600 .105
|
+------------+-----------+--------------+
| | | |
Server.106 Server.107 Server.108 Router.110
| NAT 192.168.x.y/24
|
+-----------+--------+--------+
| | | |
Worksation Server Laptop Phone

The external servers are in the "DMZ". It physically separates internal
LAN traffic from the external LAN, so if a server were to be compromised,
it still can't get access through the Router.110 into the LAN and other
servers.

The Draytek 2600.105 doesn't do any NAT at all - that's handled by the
Rotuer.110.

Gordon

On Tue, 14 Jul 2009 12:13:00 +0000, Gordon Henderson wrote:

> In article <4a5c51a1$0$2543$(E-Mail Removed)>, R Johnson
> <(E-Mail Removed)> wrote:
>>On Tue, 14 Jul 2009 09:22:20 +0000, Gordon Henderson wrote:
>>
>>> In article <4a5c3f3e$0$2530$(E-Mail Removed)>, R Johnson
>>> <(E-Mail Removed)> wrote:
>>>>Any Draytek experts here?
>>>>
>>>>I'm told the 2800 series can do NAT and ROUTED at the same time. Say
>>>>for a block of 8 IP's you can assign one to be natted and route the
>>>>others through. Is this correct? Are there alternatives to Draytek for
>>>>this (Other than megabuck Cisco's)
>>>
>>> The internal side of things can have 2 IP addresses/ranges. One can be
>>> the routed subnet and the other NATted (with the NATted devices
>>> presenting the routers own external IP address.
>>>
>>> I've only tried this once though - much prefer to use a 2nd router
>>> doing NAT. The early Drayteks have NAT issues (2600's - not sure about
>>> the 2800's I currently use 2820's)
>>>
>>>>Also what is the difference between the 2800, 2800g and 2800v. I see
>>>>these coming up cheaply now and can't find the information.
>>>
>>> with all Drayteks:
>>>
>>> modelNum: basic,
>>> modelNum+g: Wi-Fi 802.11g
>>> modelNum+v: built=in 2-port ATA for VoIP.
>>>
>>> modelnum+gv - both VoIP and Wi-Fi.
>>>
>>> I'm not sure the difference between the 2800 and the 2820's though.
>>> The 2800 I way yesterday was in the same blue case the 2600 came in -
>>> maybe it's jsut software. I think the 2820's have hardware crypto to
>>> make VPNs run faster... I had speed and jitter problems some time back
>>> with the crypto VPNs on the 2600's and 2900's...
>>>
>>> Gordon
>>
>>I'm glad it was you than answered Gordon :-) I just knew that you would
>>know. Thanks.
>>
>>What I want to do - and in all my years I've never needed to get
>>involved in the network side of this as such - is set up a small 8 block
>>so that one of the addresses nats a soho network for ten user, one of
>>the others would go straight to the public IP on a secondary box. Looks
>>like this will do just as I need without having to set up shed loads of
>>additional hardware.
>
> It should do what you need, but personally, I'd be tempted to stick in a
> 2nd router (a 'cable' one with Ethernet ports). That way you can pick
> the IP address used for the NATted LAN, otherwise it will be the one
> assigned to the Draytek (which you may not have any control over).
>
> E.g. my setup - I have 8 IPs from .104 through .111. My router (an older
> 2600) has .105 and this was fixed by the ISP. 104 and 111 are the
> (unusable) broadcast addresses.
>
> So it looks like:
>
> -BT-Phone-ADSL-
> |
> 2600 .105
> |
> +------------+-----------+--------------+ | |
> | |
> Server.106 Server.107 Server.108 Router.110
> | NAT 192.168.x.y/24
> |
> +-----------+--------+--------+
> | | | |
> Worksation Server Laptop Phone
>
> The external servers are in the "DMZ". It physically separates internal
> LAN traffic from the external LAN, so if a server were to be
> compromised, it still can't get access through the Router.110 into the
> LAN and other servers.
>
> The Draytek 2600.105 doesn't do any NAT at all - that's handled by the
> Rotuer.110.
>
> Gordon

I've got a old 50p eBay Edimax cable router here that will probably do
that just fine - redrawn to:

> -BT-Phone-ADSL-
> |
> 2600 .105
> |
> +------------+-----------+
> | | |
> MAIL SERVER SNORT BOX EDIMAX {or SWITCH}
> | NAT 192.168.x.y/24
> |
> +-----------+--------+--------+
> | | | |
> WS 1 W/L AP Laptop Phone

You are a star GH. Always a first class contributor to U/N. Thank you.

In article <(E-Mail Removed)>,
<occassionally-(E-Mail Removed)> wrote:
>
> Gordon Henderson <gordon+(E-Mail Removed)> wrote:
>
>>I had speed and jitter problems some time back with the
>>crypto VPNs on the 2600's and 2900's...
>
>Interesting... I have a couple of 2900Gi units, with a VPN between
>them and also a dial-in VPN.
>
>The VPN functionality works most of the time but not often enough.
>
>Would a newer model be more reliable? The VPN is used to run
>PC/Anywhere only.

Issues I had some time back was with a pair of 2900's over a 10Mb LAN
Extension and another pair, one in the UK, the other in the US. Best speed
I could get with encryption turned on was about 1.5Mb/sec. We didn't
really notice this until the US end went to a bonded T1 connection -
about 3Mb/sec., and they started to use video conferencing. Turning
the encryption off instantly allowd the speed to be at full line-rate,
and jitter dropped to a steady level - noticable as a marked improvement
on the video picture (it's data rate was only 225Kb/sec, so well inside
the speed)

As I understand it, the older 2600's and 2900 did the encryption in
software and I think it more or less maxed out the processor - especially
trying to encrypt compressed video and audio data. They were suitable when
ADSL in the UK was 2Mb/sec max. The 2820 does the encryption in hardware,
although I've not had the opportunity to try that to the limit yet -
I use them mainly for their traffic shaping abilitys for VoIP.

>Otherwise, these routers run reliably for months without a reboot,
>though they seem to slow down after some months and then I reboot
>them.

Not noticed that myself, but have had 2600's crash with multiple VPN
connections into them.

>I would also like something which does a VPN over port 443, which
>should work over any mobile internet connections (all except Voda
>don't support PPTP).

ssh vpn?

Gordon

In article <(E-Mail Removed)>,
<occassionally-(E-Mail Removed)> wrote:

>I know for a fact that turning on encryption in PC/A slows it down
>drastically, even when running over a 256/512 basic ADSL.

Good encryption requires CPU horsepower to make it work. Most algorithms
are computationally intensive - sometimes deliberately to reduce the
effects of a brute-force attack.

So a simple substitution cipher, is easy, but AES is "hard" to compute,
and in an interactive situation, it may be encrypting every packet each
way, adds up to a lot of CPU cycles just to do the encryption.

On faster PCs it should be hardly noticable, but on slower ones it's
really noticable. Irnonically, some of the slower processors aimed at the
embedded market (VIA, Geode) have on-board hardware encryption engines,
while the faster ones don't...

Gordon