Overview

Vigor 3300V High Performance Firewall, VPN & VoIP Device

The DrayTek Vigor 3300V is an Enterprise-level Firewall and VPN device, providing a robust firewall, QoS management, VPN Tunnelling and flexible multiple WAN interfaces (load balancing/WAN backup). The Vigor 3300V provides extensive cross-compatibility with 3rd party products and each major feature has extensive configuration options to provide great flexibility. Click here for a map of the product's Web Interface menu.

The Vigor 3300V also has up to eight Voice-over-IP ports (via optional plug-in modules), providing PSTN integration and PBX facilities to provide a complete VoIP office solution.

Main Features:

• Robust & Comprehensive Firewall
  
• Up to eight optional VoIP (Voice-over-IP) ports
  FXS (Phone Ports) or FXO (Line Ports) provide PSTN and VoIP integration.
• High Performance VPN Server
  Up to 128 simultaneous IPSec VPN Tunnels with high security encryption managed by a dedicated VPN co-processor.
• Load-balanced WAN Ports
  Connect up to four Internet feeds for increased Internet bandwidth, fault-tolerance and redunancy.
• Port Based VLAN or 802.1q based VLAN, supporting multiple independent or common LAN subnets.
• Physical DMZ Ports
  Up to three of the WAN ports can be alternatively configured to be hardware DMZ ports for the isolated hosting of a public-facing server.
• QoS Assurance
  Quality of Service assurance allows you to set different priorities for different types of Internet traffic to ensure that your mission critical connectivity can always get as much of the available Internet bandwidth as it needs.
• Content Filtering
  The Vigor 3300V has several levels of Internet filtering including URL-keyword blocking and more comprehensive complete Surfcontrol™ category-based filtering.

Robust Firewalling

The Vigor 3300V employs full Stateful Packet Inspection (SPI) to help protect your network from intruders, rogue data and other potential attacks. In additional Dos (Denial-of-Service) and DDoS (Distributed DoS) attacks are protected against by robust coding, allowances for known attacks (e.g. SYN, ICMP Flood, Port Scanning etc.) and algorithms to detect specific rogue data patterns or protocol anomolies. By default, the firewall blocks all incoming data (except where it is an reply to outgoing request) and allows all outgoing data. The user can create specific packet filters to further restrict external/internal access. The Vigor 3300V also provides full NAT/PAT operation enabling you to run your private network on a private subnet.

Content Filtering & Parental Control

The Vigor 3300V has several levels of Internet and IP filtering. At the TCP/IP level, the firewall allows you to block specific internal or external IP addresses (or subnets) from being reached but the Vigor 3300V's actual content filtering can provide application level control. In simple use, you can prevent access to web URLs which contain certain keywords by entering them into the router (e.g. 'hotmail' etc.). You can also block users from downloading potentially harmful java applets, EXE/ZIP/Multimedia files, cookies or using web proxies.

For more comprehensive protection, you can use Surfcontrol™ filtering, also known as Parental Control which permits access only to web sites within your selected categories (e.g. adult, gambling, news etc.). You can also exclude all 'uncategorised' sites. The Surfcontrol online database is continuously updated with new web sites, each one being categorised by Surfcontrol researchers. A 30-day trial licence is supplied with the Vigor 3300V; renewal is subject to an annual subscription fee - currently from approximately £25 (subject to change; Surfcontrol is an independent organsiation to DrayTek).

VPN

VPN Capabilities

The Vigor 3300V can create VPN tunnels across the public internet. The tunnels can be to remote networks, or from a single dial-in teleworker, needing to access your head office LAN where the Vigor 3300V is installed. The Vigor 3300V can create up to 128 simultaneous VPN tunnels, incoming or outgoing, to different locations. A dedicated VPN encryption co-processor ensures that maximum VPN performance in maintained, even with high level encryption.

At the remote sites, small offices can make use of other Vigor routers for the VPN termination, and single teleworkers can use the VPN capabilities built into Microsoft Windows 98SE/2K/XP. The Vigor 3300V also provides compatibility with other third party vendor products, including Cisco™, Symantec™, Nokia™, Sonicwall™, Checkpoint™ and Watchguard™ products.

• Up to 128 Simultaneous VPN tunnels (IPSec & 32 PPTP)
• LAN-to-LAN or teleworker access
• VPN Dial-in, dial-out, always on or on-demand
• Dedicated High Performance VPN Co-Processor
• IPSec Authentication: SHA-1 and MD5
• DES, 3DES and AES Encryption (56-256 bits)
• HMAC-SHA-1 and HMAC-MD5 integrity algorithm
• ESP/AH header protocols
• MPPE Encryption for PPTP connections
• PKI (X.509) digital certificates / CA
• DHCP over IPSec
• Auto or manual keying for IPSec
• VPN Passthrough for all common protocols

VoIP

Voice-over-IP Ports (VoIP) & Voice Call Handling

Voice-over-IP (VoIP) enables you to use your existing broadband Internet connection to carry regular Voice calls. With VoIP, you can call from your device to any other compatible VoIP user, anywhere else in the world. VoIP-to-VoiP calls are totally free of charge (the call is carried over your existing Internet connection) thus keeping your voice lines free, and saving you from having to install or pay rental on additional lines to add call capacity to your office.

For a further explanation of VoIP, see here and for scenarios of integration with an existing PBX, click here.

The Vigor 3300V's Voice-over-IP ports are provided by optional modules which slide into the front of the router. Each VoIP module has four ports which are either FXO or FXS type (see later). You can have one of each type of module, or two the same. The modules can be ordered with the Vigor 3300V, or purchased later. The modules provide standard RJ11 sockets. Understand FXO and FXS ports here.

Voice-over-IP Facilities - Summary

• Up to 8 FXS (phone interface) or FXO (line interface) voice ports (4+4)
• Connect any regular analogue telephone (FXS interfaces only)
• Connect into any standard phone line or PBX extension (FXO interfaces only)
• Integration Possible with your existing PBX
• SIP Compliant
• Multiple Simulataneous SIP Proxy/Registrar Registration
• Speed-Dial phone book available to all local users
• Codecs Supported : G.711, G729A, G723.1, G.726
• Caller ID output on FXS ports to UK Standard
• Call Handling Features:
  • Intercom (Internally between VoIP FXS ports
  • Flexible Call Groups
  • Simultaneous Port or Round Robin ringing on FXS ports
  • Incoming Call Barring
  • Hunt Groups
  • Call Holding
• Vigor T.38 Faxing (Digital Encoding of Analogue Fax)
• Preset (fixed) Destination for FXO Ports
• PIN-Code protection for FXO Port access
• Voice Call Quality Protorols :
  • VAD (Voice Activity Dectection for Silence suppression) and CNG (Comfort Noise Generation)
  • G.168-2000 Echo Cancellation & Jitter Buffer
  • Packet Loss Concealment
  • Adjustable Gain/Attentuation
• DTMF Transmission: Out of Band (RFC2833), In-Band and SIP Info
• Automatic QoS assurance for bandwidth reservation

FXO/FXS

Understanding 'FXO' vs. 'FXS' VoIP Ports

The optional VoIP modules on the vigor3300V provide four ports each. These can be FXO or FXS type ports and it's very important that you understand which type of card you should order, install and use. Using the wrong port with the wrong input can damage the card. An FXS port is where you can plug in a regular telephone - liken an FXS port to a normal phone socket on your wall (for example a regular BT line socket). Like a normal phone socket, an FXS port will ring the phone, and present dial-tone when you lift the phone off the hook. An FXO port, is less commonly used. An FXO port is a 'lisening' port and goes in place of where you would normally connect a telephone - for example into a regular phone socket on the wall. You cannot plug a telephone into an FXO port. An FXO port does not general ring current or dialtone for a telephone - it expects to receive ring current and dialtone from a phone line. FXS is the more commonly used port type - that's the type which allows you to connect in a normal telephone. Please seek further advice if you are still unclear.

What can you use FXO and FXS ports for ?

An FXS Port/Interface accepts a telephone can can be used to :

• Make a VoIP call to another VoIP user on the Internet
• Make a call to another user in the same office on another FXS Port ('Intercom')
• Make a call directly to the PSTN, using the office's existing analogue lines (req. FXO interface too).
• Make a call to the PSTN via the DrayTEL (or other) PSTN Gateway

An FXO Port/Interface can :

• Connect to any regular analogue phone line
• Connect to an extension of an existing office PBX (switchboard), as long as it's an analogue extension, not a digital or keysystem (if you can plug a regular phone in, it's an analogue extension).
• Allow FXS Port users to access the line/extension connected above.
• Accept an incoming call from the analogue line and allow the caller to either:
  • Dial any VoIP destination manually
  • Dial any PSTN destination manually (call then routed via DrayTEL)
  • PIN controlled access to restrict access.
  • Be put through to a pre-set VoIP destination automatically

VoIP Port Integration with a PBX (Office Switchboard)

PBX Integration 1: Using FXS Ports to feed a PBX

In the above example scenario, a Vigor3300V equipped with FXS ports is connected to the Line input ("trunk") interface of a PBX (office switchboard) so that all PBX users (extensions) can use Voice-over-IP, as well as regular PSTN telecoms. An incoming VoIP call to your Vigor3300V is routed through to the office telephones just like calls which come in on your regular analogue lines. If the office workers want to call the teleworker, in the diagram above, they can select the VoIP lines and dial his VoIP number, thus incurring no PSTN call charges and not tying up one of your analogue (PSTN) phone lines. Similarly, he (the teleworker) can call the office using VoIP, again for no cost and not requiring an analogue line.

If your office telephones have LEDs/buttons for each line (see right), you can see which line is ringing and select the preferred line for an outgoing call (VoIP or PSTN). You can also see the DrayTEL gateway in the diagram. This provides an alternative route to the PSTN. Office users can call to the PSTN via DrayTEL, so not tying up one of the office analogue lines. i.e. the office users can call to 'Fred' via their office analogue lines or via VoIP and the DrayTEL gateway. This gives you much greater call capacity without needing to rent more analogue lines. Study the diagram carefullly to identify and understand each component. Other SIP Gateways are available.

PBX Integration 2:. Using FXO ports on PBX Extensions

WAN Ports

Load Balancing & Multi-Purpose WAN Ports

The Vigor 3300V has four WAN/DMZ ports which each be configured as either an Internet-facing WAN interface or as a LAN-facing physical DMZ (a 'Demilitarized Zone' which is isolated from the rest of the LAN). When configured as an Internet-facing (WAN) interface 2,3 or 4 ports can be combined for load balancing or backup, whereby you can use multiple Internet connections to provide greater total bandwidth capacity or fault-tolerance. Load Balancing In basic load-balancing mode, the Vigor 3300V will distribute WAN traffic requests evenly. This means that if you have two 2Mb/s feeds, two LAN users can download at 2Mb/s simultaneously. Alternatively you can select traffic preferences for the load balancing, selecting specific Internet feeds for traffic types of traffic (e.g. VoIP, VPN), by source/destination IP address or TCP/UDP Port ranges. Backup/Fault Tolerance WAN ports can also be configured to act as backup to the main (primary) Internet feed, and only activate in the event of the primacry Internet feed failing (determined by lack of routing). Once the primary internet feed is restored, the backup WAN port goes idle again.

Other Features

Bandwidth Management & QoS

The Vigor 3300V firewall allows the administrator to set Quality of Service (QoS) preferences such that specific services have greater priority over others, or that certain services can never take up more than a certain percentage of your bandwidth. For example, Voice-over-IP (VOIP) telephony might be considered the highest priority so when temporary Internet congestion exists, priority would be given by the Vigor 3300V to the VOIP services so that VOIP calls can still be made, whereas FTP downloads, for example, would be given lower priority, i.e. a smaller percentage of the available bandwidth. Similarly, if you did not want users taking up too much of your valuable bandwith with P2P applications (e.g. downloading music) you could set a maximum percentage of your bandwidth that such applications could take up.

The QoS facility allows service types to be given one of eight levels of priority. Each level has selectable parameters including guaranteed bandwidth (percentage), maximum bandwidth (percentage), DiffServ Codepoint and can recognise applications/targets based on IP Address, Service-Oriented Subnet, TCP/UDP Ports, IP protocol or volume of Traffic.

Vigor 3300V - Front Panel Sockets

On the top row you can see two optional VoIP modules already fitted - one is FXO, the other FXS type. Each of the VoIP RJ11 ports has an LED to indicate when it is in use. The four LAN Ethernet ports on the second row (left) can each be VLAN'd and throttled. The four WAN ports are multi-purpose and can be set as as WAN, load-balanced/redundant WAN or LAN-DMZ. All Ethernet ports are auto-sensing.

VLAN

VLAN & Multiple LAN Private IP Subnets

The Vigor 3300V supports Ethernet port based VLANs, where each of the four LAN (RJ45/Ethernet) ports can be put into common or distinct groups - i.e. isolated or joined to each other. In addition, the Vigor 3300V can support up to four independent LAN-side private IP subnets, with the Vigor providing each with its own DHCP server. For more details of example configurations, Click Here.

The three diagrams below show some example configurations of VLANs, combined with multiple private LAN subnets, intended to illustrate the flexibility of the Vigor 3300V. As each subnet can have its own DHCP server, it effectively provides the equivalence of four independent Internet connections for example to be used for four separate companies, providing complete isolation between each LAN. To follow the feature in each case, in each diagram note the IP address of each PC.

Figure 1 - Simple Port Based VLAN

In the above diagram, four PCs are connected to the router, one on each LAN Ethernet port P1-P4). The PCs are all in the same IP subnet (192.168.1.0/24) however a VLAN has been set up so that the PCs are all distinct - they cannot communicate with each other. You can connect additional Ethernet switches/hubs to each port to expand the groups. You can have up to four groups; each one can exclude or include any of the port ports. All groups have Internet access. We have included a secondary switch/hub (in green) to which two PCs are connected (IP addresses ending .14 and .15). These are within the same VLAN group so can communicate with each other.

Figure 2 - Multiple Private subnets & VLAN

In the above example, each of the four ports is configures in its own distinct VLAN, separated from the others. No communication is permitted between the subnets. All subnets have Internet access but not access to each other. Each LAN interface has its own DHCP service operating on the router.

Figure 3 - Multiple IP Subnets using 802.1q Taggings

Multiple IP subnets can share the same Ethernet network if you have 802.1q compliant switches. Packets are tagged to denote their logical subnet. In the above diagram, we have four different IP subnets operating (192.168.1.0/24, 192.168.2.0/24 etc.). All four subnets are on the same V3300V Ethernet port. In this scenario, a PC on any part of the LAN can be within any of the IP subnets. The four subnets can all also communicate with each other as the PC will route locally between them. Only one DHCP server can operate on each LAN.

Specification

Vigor 3300V Specification

• High Performance Firewall featuring :
  • Easy to navigate Web Interface
  • Full Stateful Packet Inspection for both NAT and non-NAT operation
  • Load Balancing, WAN Port backup & High-Availability
  • Packet Filtering & IP DMZ Support
  • DHCP Client, Server & Relay
  • Bandwidth/Speed Limitation Function
  • Bind IP Address to MAC Address on LAN
  • Physical DMZ Port (selectable)
  • WAN & LAN Port Mirroring (for audit/diagnostic)
  • RFC Compliance Testing
  • Dos & DDoS protection on all interfaces (LAN & WAN side) including signature testing
  • Support for multiple private subnets on the LAN side
  • Built-in diagnostics for all interfaces, and ping/traceroute tools
  • QoS facilities for guaranteeing available bandwidth for traffic categories
• Internet Access Control/Restriction :
  • Web URL filtering based on keywords, with reporting facility
  • Blocking enabled/disabled based on time / day schedules
  • Content Inspection : Real-time detection and blocking of Java Applet, Active X, Ccookies and Web Proxies (selectable).
  • Surfcontrol™ Site Category blocking ('Parental Control')
• Physical Interfaces :
  • WAN-Side 4 X 10/100BaseT Ethernet (3 selectable DMZ)
  • LAN-Side 4 X 10/100BaseT Ethernet
  • Separate LAN-side DMZ Port (10/100BaseT)
  • Power : 220-240VAC; IEC socket on rear
• Comprehensive Reporting & management facilities :
  • Syslog reporting of real-time routing & firewalling activity
  • Email notification of breaches
  • Configuration and management from web-based user interface
  • Secure remote management
  • Test and debug facilities also available on Telnet interface
  • Built-in self-diagnostic tools
  • SNMP Agent with MIB-II
• Rackmountable (19") - Brackets included

Screenshots

VigorCare

Enterprise Product After-Sales Care

The Vigor Enterprise products are sophisticated and something which your business will want to rely on. Vigor Enterprise Partners are required to have technical staff who undergo specific training and experience on the Vigor 3300V, so you can be confident you're buying from someone who can best advise and support you before and after your purchase. The Vigor 3300V is backed up with a manufacturer's 2-year warranty as standard (subject to registration) and when you purchase your Vigor 3300V from a DrayTek Enterprise Partner, you can also choose to join VigorCare, which gives you priority advanced swap-out, giving you peace of mind in the unlikely event that a fault develops. Subject to VigorCare™ terms and conditions and currently available in the UK Mainland only.

Your DrayTek Enterprise Partner is able to provide:

• Experienced Pre-Sales Technical staff able to discuss your requirements - experienced not only in firewalls, routers, VoIP and VPN applications but also specifically the Vigor3300V - they will have seen and used the product themselves.
• Experienced after-sales technical support. Their engineers will be able to assist you, by telephone (or by email if you prefer) in setting up and using your product as required. This is available by telephone during normal office hours and the engineer will have specific experience of the Vigor Enterprise products. Support will be by regular phone numbers, not premium rate or mobile numbers.
• The support engineers have direct access to DrayTek UK's second line support engineers for any complex support issues.
• DrayTek's UK Warranty. The UK service centre will provide prompt service in the unlikely event of your product needing service (subject to registration and normal warranty terms).
• Your supplier will be selling these products on an ongoing basis, not a 'one-off' which means they are familiar with the products capabilies and flexibility, so can use it to best advantage.
• VigorCare - Your new Vigor Enterprise product includes VigorCare cover for 90 days from purchase (subject to registration with DrayTek UK); VigorCare is curently available in the UK only, and can be renewed subject to normal VigorCare terms.
• Your DrayTek Enterprise Partner will supply only UK stock with full UK warranty and all appropriate adaptors/documentation.
• Your supplier may offer value added services at extra cost, such as physical installation, configuration of VPN/filter sets (configuring 128 remote users can take time!) or other on-site or remote services.

Vigorcare™

Vigorcare provides additional benefits in addition to the manufacturer's standard warranty. The standard warranty is a 'return to base' type; in the event of your product developing a fault covered by the warranty, you will need to arrange with the UK service centre to return the product to them for test and repair. The service endeavour to turn products around promptly, particularly the Enterprise level products. With Vigorcare, upon confirmation of a warranty fault with the service centre, they will dispatch a replacement unit or temporary loan unit to you which will normally be with you the next working day. You then return the faulty unit or component to the service centre within 7 days. In this way, you can be up and running much quicker. 90-Days Vigorcare membership is included with all new Draytek Enterprise products in the UK for 90 days after first purchase. It can be extended within that period for an additional 12 months.

Note : VigorCare is not an insurance policy and you are buying membership of the scheme, not an underwritten policy. VigorCare does not provide on-site installation services; you will need to re-install the product yourself or arrange for your systems people to do this. VigorCare does not cover damage or failure caused by factors which are not covered by the standard warranty (for example, fire, flood or lightening damage).

Current VigorCare Terms and Conditions.

Comparison

Router Comparison Chart

The above comparison chart is provided for approximate guidance; please refer to the full specification of each model for the exact product capabilities. E&OE. ©2008