Draytek Vigor 2926 WAN question

Associate
Joined
10 Nov 2013
Posts
57
Location
Manchester
So I am in the process of upgrading to a fibre connection for VOIP at work, and whilst I am being provided with a managed Cisco router for QoS, the provider has strongly recommended using this in bridge mode and keeping my existing router (a TP Link ADSL modem/router) so I can easily maintain the DHCP server for the network as well as firewall settings.

However, as I have a second router attached via WAN to provide a second separate network for PCI DSS purposes (this was advice provided by the card machine company), the current router will not have enough LAN/WAN sockets for the required connections - also with impending VOIP traffic I think an upgrade is for the best.

Looking at the Draytek Vigor 2926, it has 2 WAN ports. However in the literature it appears these are designed for multiple incoming internet connections (as load balancing or backup) rather than connection of a secondary network to access the internet via the Draytek. Is it possible to connect the Cisco modem to WAN1, the second router to WAN2 and therefore internet will be accessible from both networks or will the Draytek not allow this?

Thanks for the help with this - it’s not clear to me in any of the manuals or online information!

Edit - if there is a more suitable router (WiFi necessary) please feel free to recommend.
 
Associate
Joined
26 Jan 2009
Posts
1,462
Location
Salisbury, Wilts
So the provider are advising the Cisco that they manage be put in bridge mode - effectively a gateway or Layer 2 device and then pass on the NAT/DHCP to the Router behind?

In which case, the Layer 3 incl. QoS is going to be done by your own Router and if this is the case I would suggest the Draytek (similar multi-WAN Firewall/Router) is the way forward.

You would configure the Draytek to have two separate WAN connections routing traffic to two separate LAN connections via VLAN. The Draytek should be able to handle the NAT/DHCP requirements of both connections so the TP-Link should be redundant.

EDIT:
This should help as you'd effectively be configuring Route Based Policies between WAN/LAN for the traffic. https://www.draytek.com/en/faq/faq-...bpr/how-to-do-load-balancing-by-route-policy/

Shawrey
 
Soldato
Joined
18 Oct 2002
Posts
4,152
Location
West Lancashire
We have a 2926 doing load balancing duties but a couple of the Devs have trouble authenticating with Azure because (I assume) they're detected requests from 2 different IPs. So..........their machines are "bound" to a single WAN without using VLANs.

Just clicked on Shawrey's link and that's the method we use :)
 
Soldato
Joined
29 Dec 2002
Posts
7,253
The web based PCI compliance scan can throw a wobbly with some routers depending on settings, however you don’t ‘need’ to run as you suggest. I remember throwing a TPLink into service to get round a scan at short notice though :)
 
Associate
OP
Joined
10 Nov 2013
Posts
57
Location
Manchester
Thanks for the replies. I am going to check with my provider about the Cisco router. It sounds like it would be more sensible to use this business class router to provide improved connection for the VOIP phones - in fact, this was why I was recommended to add this to the package. Routing the VOIP phones through my existing TP Link Archer VR600 would surely be a bottleneck?

I need access to set up the DHCP server as my business software requires specific IP addresses - the alternative to this is to set up static IP addresses on the computers. It seems like buying the Draytek would simply be doubling up on hardware unnecessarily. As it is managed, though, I am not sure what access I will be granted to set up any network features.

Regarding the second router for the card machine, I was told this was the simplest way of separating the networks so as to limit the scope of the scan required. If there is an alternative I’m all ears!
 
Associate
Joined
26 Jan 2009
Posts
1,462
Location
Salisbury, Wilts
Thanks for the replies. I am going to check with my provider about the Cisco router. It sounds like it would be more sensible to use this business class router to provide improved connection for the VOIP phones - in fact, this was why I was recommended to add this to the package. Routing the VOIP phones through my existing TP Link Archer VR600 would surely be a bottleneck?

Regarding the second router for the card machine, I was told this was the simplest way of separating the networks so as to limit the scope of the scan required. If there is an alternative I’m all ears!

Is this a Gamma Converged solution by any chance? If so, why not just have the VoIP phones and your computers on this router and separate the other line with your TP-Link for the PDQs? If these are connected to the location via patch panel / switch then you would need an L3 switch to create a VLAN for each network.

Shawrey
 
Associate
OP
Joined
10 Nov 2013
Posts
57
Location
Manchester
I am not sure who is providing the broadband behind the company setting up the VOIP system. I think the best course of action is to set my small LAN (3 PCs, printer, CCTV NVR, Hive) up on static IP addresses - I have actually done this today to test on my current router and turned off the DHCP server and all is working fine. Therefore I should be able to do the same on the Cisco router and not have to worry about accessing the DHCP server on this. Correct me if I am wrong!

The card machine is then connected to a second router, which is running a different subnet, connected via WAN to the Cisco router. According to the advice I was given by my PCI compliance helpdesk, this would be a separate network and therefore limit the scope of any scans. As they have suggested it, the liability of it being wrong lies with them and so that suits me - I am sure this wouldn't hold up if anything went awry though!

I was informed that the router is going to be a Cisco V877, although I have checked and these are apparently end-of-line?! I will update when I receive it, however.
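
The cascaded layout discussed in this thread (card machine on a second router whose WAN port plugs into the main router's LAN) is modelled below as an added example; it is not from any poster or from a vendor. The addresses and the second router's default NAT/firewall behaviour are assumptions.

```python
import ipaddress

# Constructed addressing plan (assumed values, not taken from the thread).
OFFICE = ipaddress.ip_network("192.168.1.0/24")     # PCs, printer, NVR on the main router
CARD = ipaddress.ip_network("192.168.50.0/24")      # card machine behind the second router
INNER_WAN = ipaddress.ip_address("192.168.1.250")   # second router's WAN port on the office LAN


def plan_problems(office=OFFICE, card=CARD, inner_wan=INNER_WAN):
    """Return addressing mistakes that would break the cascaded layout."""
    problems = []
    if office.overlaps(card):
        problems.append("office and card subnets overlap")
    if inner_wan not in office:
        problems.append("second router's WAN address is not on the office LAN")
    return problems


def can_initiate(src, dst, port_forwards=False, block_private_egress=False):
    """Can src open a new connection to dst across the second router?

    Assumed inner-router behaviour: NAT for outbound traffic, unsolicited
    inbound traffic on the WAN side dropped unless a port forward exists.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in CARD and dst in OFFICE:
        # Outbound via NAT: permitted unless an egress rule on the second
        # router denies the office range.
        return not block_private_egress
    if src in OFFICE and dst == INNER_WAN:
        # Only a port forward exposes anything on the card side.
        return port_forwards
    if src in OFFICE and dst in CARD:
        # The office LAN has no route to the card subnet behind NAT.
        return False
    raise ValueError("pair is outside the modelled topology")


def report():
    """Summarise which directions the default layout actually isolates."""
    return {
        "office -> card machine": can_initiate("192.168.1.10", "192.168.50.20"),
        "card machine -> office": can_initiate("192.168.50.20", "192.168.1.10"),
        "card -> office, egress rule": can_initiate(
            "192.168.50.20", "192.168.1.10", block_private_egress=True),
    }


if __name__ == "__main__":
    print(plan_problems() or "addressing plan is consistent")
    for direction, allowed in report().items():
        print(f"{direction}: {'reachable' if allowed else 'blocked'}")
```

Under these assumptions the second router isolates only one direction by default: the office LAN cannot reach the card machine, but the card machine can still reach office hosts until an egress rule on the second router denies the office range.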
 