DrayTek Vigor 3900 Enterprise Router

DrayTek Vigor 3900 High-Performance Router/Firewall Router with high capacity VPN
Manufacturer: DrayTek
£599.00 excl tax
£509.00 excl tax

DrayTek Vigor 3900 Quad-WAN VPN Router/Firewall

The Vigor 3900 is a high-performance quad-Gigabit WAN enterprise firewall router for high-performance applications and sophisticated remote access, firewalling, load-balancing and failover. Its WAN throughput runs at up to 1Gb/s for the most demanding applications. The WAN ports on the Vigor 3900 can provide load balancing or WAN failover through different connections and ISPs. Based on a new DrayTek OS platform, the Vigor 3900 combines high performance and capacity with DrayTek's traditional web interface for accessibility, but with a more comprehensive feature set.

For multi-tenant or departmental flexibility, the Vigor 3900 will support multiple LAN IP subnets, together with VLAN capabilities and user management, providing access to WAN resources only to the appropriate users or departments, as well as maintaining infrastructure efficiency.

Four WAN ports for load-balancing or failover

Four Gigabit Ethernet WAN ports and one SFP slot (for fibre modules or an additional Ethernet module) provide 5 independent WAN ports for either load-balancing or failover applications. Gigabit Ethernet and SFP LAN interfaces provide high-speed connectivity to your LAN. Fibre is of particular use for longer distance deliveries, beyond the range of standard Ethernet, or where copper connections cannot be used. WAN load-balancing can be set by weight or traffic-type rules, or run on an automatic basis, to spread WAN traffic evenly across all interfaces on a best-endeavour basis.

Vigor 3900 Front panel with cables connected


The Vigor 3900's firewall is fully stateful, with a flowtrack mechanism and comprehensive WAN defences, including DoS/DDoS protection and flexible IP packet filtering. On the content side, the Vigor 3900 has several methods of content filtering to control user access to the web to keep their access appropriate, safe and productive. That helps keep your network efficient, your data secure and your online productivity high.


Extensive QoS facilities allow for efficient local traffic handling, ensuring that critical traffic is given the appropriate priority and that your network topology handles data in the most efficient way to help avoid congestion and bottlenecks. WAN traffic can be assigned one of 7 different priority levels for egress and 2 levels for ingress. Bandwidth can be reserved for critical applications. Rules can be based on service type, users or IP source/destinations.

QoS Schematic
In this example, VoIP traffic is identified and given highest priority
and given a priority of 3:1 over email.


As a VPN endpoint/concentrator, the Vigor 3900 will support up to 500 simultaneous teleworker or LAN-to-LAN VPNs with a VPN throughput of up to 700Mb/s, thanks to its hardware-based VPN co-processor. VPN security includes certificate, MOTP or token/PSK based access and key-hash authentication to ensure maximum security.

VPN Trunking

By the use of multiple WAN connections, the Vigor 3900's VPN-Trunking features can increase the bandwidth/capacity of your VPN connections, creating a single virtual tunnel between locations using 2, 3 or all 4 WAN connections.

VPN Trunking is the facility to create more than one VPN tunnel, over a second WAN connection, to the same remote location in order to provide either increased bandwidth between the two sites (load balancing) or resilience (failover) in the event that one tunnel/connection is interrupted. The Vigor 3900 supports both Failover and Load Balancing modes for VPN Trunks.

The Vigor 3900 already supports load balancing to the Internet using its four WAN ports. VPN trunking enables a single virtual tunnel to be created across two or more WAN connections to the same remote location, recombining the tunnel at the other end. As far as the traffic and LAN devices/clients are concerned, there is just a single tunnel, with increased bandwidth.

DrayTek VPN Trunking

In the diagram above, you can see a single virtual tunnel as far as the LAN at each end is concerned. Within the router, two WAN connections are being used with each router, across which the VPN tunnel can be spread, increasing total capacity and/or redundancy (for failover).


For ease of remote access, the Vigor 3900 can provide up to 20 simultaneous SSL VPN web-proxy tunnels, making remote access to your network possible from virtually anywhere without the inconvenience or compatibility issues of installing a VPN client. As SSL is a standard Internet protocol (used for web sites), SSL VPNs are also resilient to difficulties in creating tunnels through guest networks (web cafes, hotels etc.) where traditional IPSec/PPTP tunnels can often have difficulties. SSL encryption is strong too, using 128-bit DES/3DES or AES. Using MOTP, your teleworker passwords are strong and real-time; a password is generated in real time by your mobile phone (iPhone, Android etc.) which can be used once only, and only at the time it's generated. All teleworker methods can also optionally use LDAP or X.509 certificates for authentication. In addition to Web-proxy mode, full SSL VPN tunnelling will be provided as a later firmware update (scheduled ETA Q1/2014).

High Availability

For even greater resilience, the Vigor 3900 provides High Availability (HA). The CARP protocol (equivalent to VRRP or HSRP) lets you set up a master and secondary Vigor 3900 whereby, in the event of the master unit failing, the secondary unit can seamlessly and automatically switch over. This can remove the possibility of a single point of failure within your routers. Additionally, multiple active Vigor 3900s can provide reciprocal routing backup to other active Vigor 3900s.

Vigor 3900 Specification

  • Physical Interfaces:
    • LAN Interfaces:
      • 2 x Gigabit (10/100/1000 Base-T)
      • 1 x Active SFP Slot
    • WAN Interfaces:
      • 4 x Gigabit (10/100/1000 Base-T)
      • 1 x Active SFP Slot
      • 3.5G (Cellular) Access via compatible USB Adaptor ('dongle') - Later firmware upgrade (Schedule TBA)
    • 2 x USB 2.0 Host Ports
    • Console (RJ45)
  • WAN Connectivity/Protocols:
    • DHCP Client
    • Static IP
    • IPv4
    • IPv6 (available on a single WAN port only)
    • PPPoE
    • L2TP (Later firmware upgrade)
    • 3G / 3.5G (later firmware upgrade)
    • Port Load-Balancing
    • Port Failover
    • QoS
    • 802.1q Tag-Based VLAN
  • Network Protocols:
    • DHCP Client/Server
    • DHCP Options
    • Dynamic DNS Service Updating
    • NTP Client
    • DNS Cache/Proxy
    • Static Routing
  • NAT (IPv4):
    • 100,000 Sessions
    • Port Redirection
    • One-to-One Public-to-Private Mapping
    • MultiNAT
  • VPN:
    • Dial-in and Dial-out LAN-to-LAN
    • Dial-in Teleworker
    • Protocols:
      • PPTP
      • L2TP
      • IPSec
      • L2TP over IPSec
    • Encryption/authentication:
      • Hardware-based AES (128, 192, 256 bits)
      • Hardware-based DES/3DES (56 & 168 bits)
      • MPPE (40 or 128 bits)
      • Hardware-based MD5 & SHA-1
      • IKE authentication : Pre-shared Key (PSK)
      • PKI : X.509 Digital Signature (certificate)
      • Certificate Server (CA) / Trusted CA / Local Certificate
      • MOTP for Teleworkers
    • Dead Peer Detection (DPD)
    • VPN Passthrough : PPTP, L2TP, IPSec, SSL
    • NAT Traversal (NAT-T)
    • DHCP over IPSec
    • GRE over IPSec
  • Traffic / Content Management:
    • QoS (7/2 levels egress/ingress)
    • DiffServ Codepoint Classifying
    • Session & Bandwidth Limitation (IP-based)
    • Globalview Categoric Web Content Filtering
    • Web URL Keyword Blocking
  • SSL VPN:
    • Tunnel Mode : up to 200 Web Proxy Tunnels
    • SSL Full tunnelling (firmware upgrade - schedule TBA)
    • SSL Applications : HTTP (web), VNC, RDP
    • Encryption : RC4 (128 bits), AES (128 bits), DES/3DES
    • Digital Signature (X.509)
    • Pre-shared key
    • MOTP
  • Management Facilities:
    • Web Interface (HTTP & HTTPS)
    • CLI : Telnet and SSH
    • Firmware Upgrade : TFTP and HTTP
    • Configuration Backup/Restore (Binary)
    • Admin Access Control
    • SNMP Management (MIB-II)
    • Syslog
    • TR-069
    • Supported by Vigor-ACS Platform
  • Operating Requirements:
    • Rack Mountable. 1U. (Mount brackets included)
    • Temperature Operating : 0°C ~ 45°C
    • Storage : -10°C ~ 70°C
    • Humidity 10% ~ 90% ( non-condensing )
    • Power Consumption: 20W max (typically 10-15W)
    • Dimensions: 443 x 280 x 44 mm (LxWxH) - 1U
    • Operating Power: 220-240VAC
    • Warranty : 2 Years Manufacturer's RTB included


  • Professional Router/Firewall
  • Five Gigabit WAN ports (4 x Ethernet & 1 SFP)
  • Up to 50 WAN ports with optional switch
  • WAN Load Balancing & WAN Failover
  • High-Availability (with CARP)
  • Up to 500 simultaneous IPSec/PPTP/L2TP Tunnels
  • Up to 200 SSL VPN Tunnels (Web-Proxy)
  • 3 Gigabit LAN ports (2 x Ethernet & 1 x SFP)
  • IPv4 & IPv6 Dual-Stack
  • Two Independent USB Ports
  • 802.1q Tagged and port-based VLANs
  • QoS Assurance on different traffic types
  • Mobile One-Time Passwords for Teleworker VPNs
  • VPN Trunking (aggregated/failover links)
  • Up to 50 WAN/LAN-side IP subnets
  • Web Content Filtering
  • Optional VigorCare Available