DrayTek Vigor 3910 High Capacity Router
Now most descriptions of this router will begin with a most obvious statement, that it is the successor to the DrayTek Vigor 3900 and is an improvement, but that is not the whole story.
Yes, it is called the DrayTek Vigor 3910, and so superiority over the DrayTek 3900 is definitely meant to be inferred.
But it is not a more powerful version of the 3900, with more throughput and features.
It is actually more like a very powerful 2926 router because, unlike the 3900 or the 2960 (both magnificent routers), it does not run the Linux version of the DrayTek software; it runs DrayOS.
Now what does that mean? Well, it means that the OS interface pages are identical to those of the 2800, 2830, 2860, 2925, 2926 or 2862 in terms of coding and features, which in many ways makes you wonder why they give it so much power.
For starters, the DrayOS system has nowhere near the configurability of the 3900. The system is just wholly inadequate for an enterprise router when it comes to something absolutely vital, like VLAN. Let's take a look at the screens from both of these routers as we do spend a lot of time configuring them here at sircles.net.
Firstly let us imagine you are running many different VLANs behind your DrayTek Vigor 39xx and that you run various VPNs, which pass traffic between various different VLANs. After all, why else would you want so much throughput?
So on the DrayTek Vigor 3900 we can easily deal with this:
As you can see we can select which VLAN is routing and so the system will tag or port switch the VPN traffic accordingly, as one would expect.
Now let us have a look at the 3910:
In the same situation I am attempting to route traffic from/to a VPN endpoint which concerns an individual VLAN behind the DrayTek Vigor 3910.
Straight away we can see that we can only stipulate the VPN by subnet, and that if the router is not intelligent enough to realise that this means we need a VLAN tag or port routing request to be attached to this traffic, it is just not going to work.
The encryption choices are admirable enough, but they do not actually offer anything above that of the DrayTek Vigor 3900, and the lack of configuration ability severely dents the usefulness of so much VPN throughput. How could you use 500 LAN-LAN VPN tunnels without having VLAN-VPN tag routing? Now, we have been in communication with DrayTek support for an hour whilst writing this, and they state that the subnet details in the DrayOS should be detected by the router as a VLAN and tagged as appropriate, but although the encryption picked up the VPN, the traffic did not appear to be routed to the VLAN tag or ports as they described.
As you can see, the traffic is just disappearing even though the routing tables display as correct for the traffic to route through. As far as I can tell, this is because the 28/29xx software does not understand to assign the traffic to a VLAN as it comes in and so no traffic is received or returned.
We are going to reset the 3910 tonight and upgrade to a special firmware they supplied, but I still think that there will be problems.
And sure enough there were:
In the above I have configured the 3910 with IKEv2 VPNs to both a 2960 and a 3900 and neither will pass traffic as the 3910 does not report or interpret the presence of the tagged VLAN being forwarded to the VPN.
The VLAN set-up is another gripe. If you look at the 3900 it is a highly configurable system once again. The VLANs are individually assigned tags and ports:
This VLAN can be set up to connect to any port or tag
So any VLAN can be assigned any tag on any port or be untagged.
Whereas, on the 3910 I can only select if all ports are tagged or untagged, as below:
Now I am told that the VLAN number on the left does not actually mean VLAN tag, it just means which VLAN selection, which is very confusing, so technically if I do the following:
I am actually allowing VLAN 9 to be untagged on port 10 and tagged on port 9, so why on earth you would have VLAN numbers down the side is totally beyond me. Either way, the set-up is not befitting an allegedly enterprise-class router.
In our test 3910 that we are using here, there is also some sort of corruption on the firmware concerning Load-Balance/Route Policy as the OK button appears to be missing:
As you can clearly see, the fact that there is only a cancel button somewhat limits what can be easily configured. If you are using an internal email server that needs to be sending out on a PTR-configured IP and which needs to match SPF records etc., this would be adequate to prevent email from working at all.