Vigor 3200 Series Router Firewall
  • 4 Gigabit WAN Ports selectable for
    either Load Balancing or Failover
  • Dedicated Ethernet DMZ Port
  • Gigabit LAN Port
  • Multiple private LAN subnets support
  • 802.1q VLAN Tagging on LAN and WAN
  • 3G (Cellular) USB Modem support
  • Configurable QoS (For traffic prioritisation)
  • QoS (Layer 2&3, 802.1p & TOS/DSCP)
  • VPN Dial-in/dial-out with VPN co-processor
  • 10 SSL VPN Tunnels for remote dial-in
  • Mobile One-Time Passwords (MOTP)
  • VPN Trunking (up to two channels)
  • Content Filtering (by keyword or data type)
  • Globalview Web Filtering (req. subscription)
  • User Authentication for Internet Access
  • Optional VigorCare Available

Vigor 3200 Quad-WAN Router Firewall

The Vigor 3200 series is a Quad-WAN port Firewall Router. The four Gigabit Ethernet WAN ports can each be connected to its own WAN (Internet) connection, for example an ADSL or VDSL modem, cable modem, satellite feed or any other Ethernet based connection. Each WAN connection can be configured for load balancing (splitting your traffic across multiple Internet connections) or for failover, switching to alternative connectivity when your primary connectivity fails. For ADSL2+ connectivity, you can add DrayTek's Vigor 120 ADSL modem.

Vigor 3200 in optional Rack Mount (RM1)

The Vigor 3200 supports multiple private subnets on the LAN (e.g. 192.168.1.x, 192.168.2.x and so on). This is ideal for increasing security, segmenting or the inclusion of legacy LANs within your infrastructure. Each of these IP subnets can be distributed on separate tagged VLANs (see later) for further physical separation.

Robust & Comprehensive Firewall

The Vigor 3200's firewall includes protection against DoS (Denial of Service) attacks, IP-based attacks and access by unauthorised remote systems. Wireless, wired-Ethernet and VPN are also protected by various protection systems (see later). The DrayTek object-based firewall (new V3) allows vast flexibility, enabling you to create combinations of users, rules and restrictions to suit multi-departmental organisations.

Content control features of the firewall allow you to set restrictions on web site access: blocking download of certain file types, blocking specific web sites, and blocking IM/P2P applications or other potentially harmful or wasteful content. Filtering using web site categorisations enables you to block whole categories of web sites (e.g. gambling, adult sites etc.), subject to subscription. Read more about DrayTek WCF here. Different users or user groups can have different firewall rules, web access and time schedules depending on the privileges you grant.

Flexible VLAN & Tagging & QoS

With all this connectivity, your WAN and LAN increase in complexity, but comprehensive VLAN and QoS facilities help you to make the most efficient use of your bandwidth on your LAN and WAN side. The router's 802.1q VLAN tagging is compatible with any other 802.1q device (including DrayTek's own managed switches). By marking packets, they can be transmitted together and split further along in your network topology, as required, or merely ignored/dropped if they fall outside a device's VLAN settings.

802.1q VLAN is supported on both the WAN and LAN ports. In addition, QoS (assured Quality of Service) lets you give specific traffic types or clients different levels of priority when it comes to transmitting data, so that the most appropriate amount of total bandwidth is reserved for the most important data. QoS supports both 802.1p & TOS/DSCP methods, and the VLAN groups can be combined with QoS rules for transmission onward to the Internet.

VLAN groups can also be included specifically within firewall rules, including the ability to allow remote VPN links or teleworkers to have access only to the parts of the LAN that they should. VLAN setup can also be used together with the multiple LAN subnet facility which can be particularly useful for multi-tenanted applications or where strict departmental segmentation is required. If you are running publicly accessible services (e.g. a web server) on your network, VLAN segmentation with separate sub-netting can be used to provide a fully isolated connection.


3G Access via the USB Port

The Vigor 3200's USB port provides an alternative connection method for Internet backup by connecting to a compatible USB modem (or cellphone) for access to the high speed 3G cellular networks from UK providers such as Vodafone, O2, 3, and Orange T-Mobile. The 3G access method can be used as your primary/only Internet connection, ideal for temporary locations, mobile applications or where broadband access is not available. For more information about 3G usage click here.


Network Attached Storage (NAS)


The Vigor 3200 Series' USB port can also be used to add storage memory to the unit in the form of a USB memory key or, for higher capacity, a USB hard drive (normally requires its own power). The Vigor 3200 then provides FTP access for file uploading/downloading, which can be from the local LAN or from anywhere on the Internet - ideal for a simple to deploy file depository. Access can be 'public' or using usernames and passwords, each of which can have their own directories and/or file access rights. As well as FTP, file sharing is available as a Windows 'network drive'. Using Internet Explorer, you can view the contents of the USB drive connected to the Vigor 3200 and read or write files.

The NAS facility uses any FAT16/FAT32 formatted device (includes USB memory sticks, USB hard drives etc.) and supports a transfer rate of 12Mb/s.

VPNs - LAN-to-LAN, Teleworker & SSL

VPNs (Virtual Private Networks) enable you to link two remote computers or networks securely using the public Internet. An encrypted tunnel is created to carry your private data between the two sites. Tunnels making use of PPTP, L2TP, AES and IPSec protocols have been available on Vigor routers for many years and provide a simple to set up solution for your site-to-site or teleworker VPNs.

For LAN-to-LAN (inter-branch) connections, a DrayTek router at each end can be used, but the Vigor 3200 also provides compatibility with most other leading vendors' VPN appliances. For teleworkers, perhaps working from a web cafe or other public access scenario, you can use a soft client to create the VPN tunnel so you do not need any additional hardware. VPN clients are built into or available for most operating systems (included in all versions of MS Windows).

The Vigor 3200 provides up to 32 simultaneous Site-to-Site or Teleworker VPN tunnels using IPSec/L2TP or PPTP. A hardware co-processor ensures the best performance for IPSec encryption, giving a total VPN throughput of up to 40Mb/s (depending on your Internet connectivity). (Note: The Vigor 3200 can actually allow up to 64 tunnels depending on the traffic volume and Internet connection speed.)


MOTP (Mobile One-time Passwords)

As an alternative to a fixed password for remote teleworkers, you can make use of DrayTek's Mobile One-Time Password (MOTP) system to add Two-layer authentication. A One-time password is generated dynamically each time you want to connect, works once only and expires immediately. For DrayTek MOTP, the authentication device is your mobile phone; MOTP applets are available for Symbian mobile phones (e.g. Nokia), Android and the Apple iPhone™.



SSL VPNs provide a new method for teleworker to central site VPN, providing great convenience, low TCO (Total Cost of Ownership), simplicity and access/usage where other methods may not be possible. The Vigor 3200 will support up to 10 simultaneous dial-in SSL VPN tunnels.

The benefits of SSL VPNs

One potential drawback of using traditional methods for a Teleworker-to-central site VPN is that they need compatible protocol stacks at each end (e.g. an IPSec client or hardware) and most importantly those protocols need to be freely passed by your local host network. This isn't normally a problem where you own the computers and the network in use and you can install any client, software or hardware you choose, as well as allowing any traffic types you like. Where it can become a problem is where you are using someone else's computer or network where either you cannot use the O/S VPN client, or the host network blocks VPN protocols or makes them unreliable. This is most commonly a problem when using WiFi hotspots or other public Internet access methods (hotels, conference centres etc.).

You may already have heard of SSL previously, and you have almost certainly used it. SSL (Secure Sockets Layer) is the protocol used by all web browsers for accessing 'secure' web sites. You will have used secure web sites whenever you have used your credit card online or accessed your banking web sites, for example. SSL is supported by all web browsers, and as it is so commonly used, all hotspots and other public Internet will always allow SSL to pass properly. By using the SSL protocol for your telework VPN tunnel you therefore have some important benefits:

| Traditional VPN (e.g. AES/IPSec) | SSL VPN |
| --- | --- |
| Requires VPN Client or Hardware | Uses Standard Web Browser SSL |
| Support for popular O/S's only | Compatible with all computers/browsers |
| Licence fees for some vendor client software (Not DrayTek though!) | No client licence fees |
| Requires user to operate VPN Client | No special operator procedures. Just use your web browser. |
| At OSI 'network' layer | At OSI 'session' layer |
| AES/DES/3DES Encryption | SSL Encryption |
| Full network access (unless filtered) | Ability to easily restrict users to specific web applications |
| Network Level Access as standard. | Network level access via DrayTek Active-X SSL Tunnel Plug-in |
| Teleworker or Site-to-Site (LAN-to-LAN) | Teleworker-to-Host site only |

SSL VPNs are used only for individual teleworker to central office connections, not whole LAN-to-LAN tunnels. The Vigor 3200 can support up to 10 simultaneous incoming SSL VPN tunnels.

Another advantage of web-based SSL VPN is that your host Vigor router presents the user with a login page to the network within their browser and can then provide access only to the web-based applications or local servers which you allow, as opposed to a regular VPN, which connects the user to the network directly for access to any resource which is accessible locally. No TCP/UDP ports have to be opened on your host router; if the user cannot log in to the VPN, they won't get access.

As mentioned previously, an SSL VPN uses your standard web browser; this means that for your web based applications running at your office (webmail, Intranet, Thin Clients etc.) SSL VPNs work really well for this access method, which is called 'SSL Web Proxy' mode. A very common application for SSL VPN is remote desktop. By using the Windows 'Remote Desktop Web Connection', your office desktop will be accessible from your web browser wherever you are and whoever's computer you're using. In addition, by using Vigor web proxy, you can browse external web sites via the tunnel, thus bypassing any local web site blocking policy (content filtering or local policies). If you are familiar with 'port redirection' or 'open ports setup' on Vigor routers, SSL Proxy to your internal web services is very similar in concept to this except that the data passes through a secured tunnel, hence increasing security and privacy.

SSL VPNs beyond the Browser

Using the web browser for your remote access is great for accessing web-based applications (intranet, webmail, remote web desktop etc.) but it does not provide access to the actual network directly, for example for shared directory access, network resources or other applications which are not browser based. Only data or applications which are available in your web browser locally are available remotely via the SSL Proxy (see above).

For full network access, DrayTek provide an Active-X Tunnel plug-in (a VPN client, effectively) which can transfer at the network layer, making a full VPN tunnel. This is called SSL Tunnel mode. This plug-in is downloaded automatically by your browser from the host Vigor router when you log into the SSL VPN and select Tunnel mode. You are then fully connected to the remote network for direct network resource access. In this way, you are no longer limited to running web-based applications and can access shares and other network resources.


User Management/Authentication

The Vigor3200 has built-in user management which allows you to provide internet access to users based on their own unique login (stored in the router). Accounts can be restricted by schedules or maximum usage times but also any other aspect of the firewall or content filtering can be applied on a user-by-user basis. For example, a sales department might not be allowed access to social networking sites except at lunch time. This also works with Wireless (WiFi) clients ('n' models only) so is ideal for guest or temporary access as users can be isolated from the rest of the company LAN.


Vigor 3200 Series - Technical Specification

  • Physical Interfaces:
    • LAN Ports (Switch):
      • 1 X Gigabit Ethernet (1000Mb/s) Ports
      • 1 X Gigabit Ethernet DMZ Port
    • WAN Ports:
      • 4 Gigabit Ethernet Ports
      • USB Port for 3G Cellular Modem, NAS or Printer
  • Load Balance/Failover Features:
    • Outbound Policy-Based Load-Balance
    • WAN Connection Fail-over
    • BoD (Bandwidth on Demand)
  • Multiple private LAN subnets support
  • 802.1q VLAN Tagging on LAN and WAN
  • WAN Protocols (Ethernet):
    • DHCP Client
    • Static IP
    • PPPoE
    • PPTP
    • L2TP *
  • Firewall & Security Features:
    • CSM (Content Security Management):
      • URL Keyword Filtering - Whitelist or Blacklist specific sites or keywords in URLs
      • Block Web sites by category (e.g. Adult, Gambling etc. Subject to Globalview subscription)
      • Prevent accessing of web sites by using their direct IP address (thus URLs only)
      • Blocking automatic download of Java applets and ActiveX controls
      • Blocking of web site cookies
      • Block http downloads of file types :
        • Binary Executable : .EXE / .COM / .BAT / .SCR / .PIF
        • Compressed : .ZIP / .SIT / .ARC / .CAB / .ARJ / .RAR
        • Multimedia : .MOV / .MP3 / .MPEG / .MPG / .WMV / .WAV / .RAM / .RA / .RM / .AVI / .AU
      • Time Schedules for enabling/disabling the restrictions
      • Block P2P (Peer-to-Peer) file sharing programs (e.g. Kazaa, WinMX etc.)
      • Block Instant Messaging programs (e.g. IRC, MSN/Yahoo Messenger etc.)
    • Multi-NAT, DMZ Host
    • Port Redirection and Open Port Configuration
    • Policy-Based Firewall
    • MAC Address Filter
    • SPI ( Stateful Packet Inspection ) with new FlowTrack Mechanism
    • DoS / DDoS Protection
    • IP Address Anti-spoofing
    • E-Mail Alert and Logging via Syslog
    • Bind IP to MAC Address
  • Bandwidth Management:
    • QoS
    • Guaranteed Bandwidth for VoIP
    • Class-based Bandwidth Guarantee by User-Defined Traffic Categories
    • Layer 2&3 (802.1p & TOS/DSCP)
    • DiffServ Code Point Classifying
    • 4-level Priority for each Direction (Inbound / Outbound)
    • Bandwidth Borrowed
    • Temporary (5 minute) Quick Blocking of any LAN Client
    • Bandwidth / Session Limitation
  • Network/Router Management:
    • Web-Based User Interface (HTTP / HTTPS)
    • CLI ( Command Line Interface ) / Telnet / SSH*
    • Administration Access Control
    • Configuration Backup / Restore
    • Built-in Diagnostic Function
    • Firmware Upgrade via TFTP / FTP
    • Logging via Syslog
    • SNMP Management with MIB-II
    • TR-069
    • TR-104
  • VPN Facilities:
    • Up to 32 Concurrent VPN Tunnels (incoming or outgoing)
      (64 Tunnels can be supported for low data volumes)
    • VPN Trunking & failover (using secondary WAN connection)
    • Tunnelling Protocols: PPTP, IPSec, L2TP, L2TP over IPSec
    • IPSec Main and Aggressive modes
    • Encryption : MPPE and Hardware-Based AES / DES / 3DES
    • Authentication : Hardware-Based MD5 and SHA-1
    • IKE Authentication : Pre-shared Key and X.509 Digital Signature
    • LAN-to-LAN & Teleworker-to-LAN connectivity
    • DHCP over IPSec
    • NAT-Traversal ( NAT-T )
    • SSL VPN (Requires firmware 3.3.7 or later)
    • MOTP
    • Dead Peer Detection (DPD)
    • VPN Pass-Through
  • Network Features:
    • DHCP Client / Relay / Server
    • Dynamic DNS
    • NTP Client (Synchronise Router Time)
    • Call Scheduling (Enable/Trigger Internet Access by Time)
    • RADIUS Client
    • Microsoft™ UPnP Support
  • Routing Protocols:
    • Static Routing
    • RIP V2
  • Operating Requirements:
    • Rack Mountable (Optional mounting bracket 'RM1' required)
    • Wall Mountable
    • Temperature Operating : 0°C ~ 45°C
    • Storage : -25°C ~ 70°C
    • Humidity 10% ~ 90% (non-condensing)
    • Power Consumption: 18 Watt Max.
    • Dimensions: L240.96 * W165.07 * H43.96 ( mm )
    • Operating Power: DC 12V (via external PSU, supplied)
    • Warranty : Two (2) Years RTB
    • Power Requirements : 220-240VAC
