Overview

Vigor 3300V+ High Performance Firewall, Load-Balancer, VPN & VoIP Device

The DrayTek Vigor 3300V+ is is the very latest in the Vigor3300 series of high-performance load-balancing routers. The new Vigor 3300V+ is a 4-Port Load-Balancing Router providing a robust firewall, QoS management, VPN Tunnelling and flexible multiple WAN interfaces for load balancing/WAN backup. The Vigor 3300V+ provides extensive cross-compatibility with 3rd party products and each major feature has extensive configuration options to provide great flexibility. The WAN-failover and high-availability features enable you to build robust and reliable WAN infrastructure. With multiple WAN connections you VPNs can also be 'trunked' to allow bonding or failover, making your inter-office connections more robust and higher performance.

The Vigor 3300V+ also has up to eight Voice-over-IP ports (via optional plug-in modules), providing PSTN integration (ISDN BRI or Analogue) or analogue (voice) phone ports to provide SIP extensions on VoIP PBXs or hosted services.

Main Features:

• Robust & Comprehensive Firewall
  
• Four WAN Ports
  Connect up to four Internet feeds for increased Internet bandwidth, load-balancing, fault-tolerance and redunancy.
• Up to eight optional VoIP (Voice-over-IP) ports
  FXS (Phone Ports), FXO (Line Ports) or ISDN (TE/NT) provide PSTN and VoIP integration.
• High Performance VPN Server
  Up to 128 simultaneous IPSec VPN Tunnels with high security encryption managed by a dedicated VPN co-processor.
• Port Based VLAN or 802.1q based VLAN, supporting multiple independent or common LAN subnets.
• Physical DMZ Ports
  Up to three of the WAN ports can be alternatively configured to be hardware DMZ ports for the isolated hosting of a public-facing server.
• QoS Assurance
  Quality of Service assurance allows you to set different priorities for different types of Internet traffic to ensure that your mission critical connectivity can always get as much of the available Internet bandwidth as it needs.
• Content Filtering
  The Vigor 3300V+ has several levels of Internet filtering including URL-keyword blocking and more comprehensive complete Surfcontrol™ category-based filtering.

Robust Firewalling

The Vigor 3300V+ provides Stateful Packet Inspection (SPI) to help protect your network from intruders, rogue data and other potential attacks. In additional Dos (Denial-of-Service) and DDoS (Distributed DoS) attacks are protected against by robust coding, allowances for known attacks (e.g. SYN, ICMP Flood, Port Scanning etc.) and algorithms to detect specific rogue data patterns or protocol anomolies. By default, the firewall blocks all incoming data (except where it is an reply to outgoing request) and allows all outgoing data. The user can create specific packet filters to further restrict external/internal access. The Vigor 3300V+ also provides full NAT/PAT operation enabling you to run your private network on a private subnet.

Content Filtering & Parental Control

The Vigor 3300V+ has several levels of Internet and IP filtering. At the TCP/IP level, the firewall allows you to block specific internal or external IP addresses (or subnets) from being reached but the Vigor 3300V+'s actual content filtering can provide application level control. In simple use, you can prevent access to web URLs which contain certain keywords by entering them into the router (e.g. 'hotmail' etc.). You can also block users from downloading potentially harmful java applets, EXE/ZIP/Multimedia files, cookies or using web proxies.

For more comprehensive protection, you can use DrayTek GlobalView filtering, also known as Parental Control which permits access only to web sites within your selected categories (e.g. adult, gambling, news etc.). You can also exclude all 'uncategorised' sites. The Surfcontrol online database is continuously updated with new web sites, each one being categorised by GlobalView. A 30-day trial licence is supplied with the Vigor 3300V+ and then you pay an annual subscription fee. In addition to sites banned by category, Globalview will block/blacklist any web site which has been found to be compromised, for example, with drive-by viruses.

VPN

VPN Capabilities

The Vigor 3300V+ can create VPN tunnels across the internet. The tunnels can be to remote networks, or from a single dial-in teleworker, needing to access your head office LAN where the Vigor 3300V+ is installed. The Vigor 3300V+ can create up to 200 simultaneous VPN tunnels, incoming or outgoing, to different locations. A dedicated VPN encryption co-processor ensures that maximum VPN performance in maintained, even with high level encryption.

At the remote sites, small offices can make use of other Vigor routers for the VPN termination, and single teleworkers can use the VPN capabilities built into Microsoft Windows. The Vigor 3300V+ also provides compatibility with other third party vendor products, including Cisco™, Sonicwall™, Checkpoint™ and Watchguard™ products.

• Up to 200 Simultaneous VPN tunnels (IPSec & 32 PPTP)
• LAN-to-LAN or teleworker access
• VPN Dial-in, dial-out, always on or on-demand
• Dedicated High Performance VPN Co-Processor
• IPSec Authentication: SHA-1 and MD5
• DES, 3DES and AES Encryption (56-256 bits)
• HMAC-SHA-1 and HMAC-MD5 integrity algorithm
• ESP/AH header protocols
• MPPE Encryption for PPTP connections
• PKI (X.509) digital certificates / CA
• DHCP over IPSec
• Auto or manual keying for IPSec
• VPN Passthrough for all common protocols

WAN Ports

Load Balancing & Multi-Purpose WAN Ports

The Vigor 3300V+ has four WAN ports which each be configured as either an Internet-facing WAN interface or as a LAN-facing physical DMZ (a 'Demilitarized Zone' which is isolated from the rest of the LAN). When configured as an Internet-facing (WAN) interface 2,3 or 4 ports can be combined for load balancing or backup, whereby you can use multiple Internet connections to provide greater total bandwidth capacity or fault-tolerance. Up to two of the ports can also be configured as DMZ ports. Load Balancing In basic load-balancing mode, the Vigor 3300V+ will distribute WAN traffic requests evenly. This means that if you have, for example, two 2Mb/s feeds, two LAN users can download at 2Mb/s simultaneously. Alternatively you can select traffic preferences for the load balancing, selecting specific Internet feeds for traffic types of traffic (e.g. VoIP, VPN), by source/destination IP address or TCP/UDP Port ranges. Backup/Fault Tolerance WAN ports can also be configured to act as backup to the main (primary) Internet feed, and only activate in the event of the primary Internet feed failing (determined by lack of routing). Once the primary internet feed is restored, the backup WAN port goes idle again. VPN Trunking & Failover The Vigor3300V+ also allos VPN Trunking (or bonding) whereby two WA N connections can carry a VPN to the same remote destination, increasing your total VPN bandwidth to that location. In failover mode, the VPN can automatically switch to a secondary WAN connection in the event of the first one failing.

VoIP

Voice-over-IP Ports (VoIP) & Voice Call Handling

Voice-over-IP (VoIP) enables you to use your existing broadband Internet connection to carry regular Voice calls. With VoIP, you can call from your device to any other compatible VoIP user, anywhere else in the world. VoIP-to-VoiP calls are totally free of charge (the call is carried over your existing Internet connection) thus keeping your voice lines free, and saving you from having to install or pay rental on additional lines to add call capacity to your office.

For a further explanation of VoIP, see here and for scenarios of integration with an existing PBX, click here.

The Vigor 3300V+'s Voice-over-IP ports are provided by optional modules which slide into the front of the router. Each VoIP module has four ports which are either FXO, FXS or ISDN BRI (see later). You can have one of each type of module, or two the same. The modules can be ordered with the Vigor 3300V+, or purchased later. To understand more about FXO and FXS ports click the 'FXO/FXS' tab above.

Voice-over-IP Facilities - Summary

• Compatible with SIP Servers/Trunks/Registrars
• Voice codes: G.711 A/µ laws, G.723.1, G.726, G.729 A/B, VAD/CNG
• Up to 8 FXS (phone interface), FXO (line interface) or ISDN (TE/S0) voice ports (4+4)
• Connect any regular analogue telephone (FXS interfaces only)
• Connect into any standard phone line or PBX extension (FXO interfaces only)
• Integration Possible with your existing PBX
• SIP Compliant Supplementary Call features (transfer, hold, call waiting, barring, DND)
• Multiple Simulataneous SIP Proxy/Registrar Registration
• Speed-Dial phone book available to all local users
• Hotline (dial pre-sent number when handset lifted)
• NAT traversal (STUN, RFC-3489)
• Codecs Supported : G.711, G729A, G723.1, G.726
• Caller ID output on FXS and ISDN ports to UK Standard
• Vigor T.38 Faxing (Digital Encoding of Analogue Fax)
• Preset (fixed) Destination for FXO Ports
• PIN-Code protection for FXO Port access
• Voice Call Quality Protorols :
  • VAD (Voice Activity Dectection for Silence suppression) and CNG (Comfort Noise Generation)
  • G.168-2000 Echo Cancellation & Jitter Buffer
  • Packet Loss Concealment
  • Adjustable Gain/Attentuation
• DTMF Transmission: Out of Band (RFC2833), In-Band and SIP Info
• Automatic QoS assurance for bandwidth reservation

PSTN Interfaces

PSTN Interface Cards: FXO, FXS and ISDN Ports

The optional VoIP modules on the Vigor3300V+ provide four ports each, interfacing to the PSTN. These can be FXO, FXS or ISDN type ports and it's important to understand which type of card you should install and use. Using the wrong port with the wrong input can damage the card or you line/phones. An FXS port is where you can plug in a regular analogue telephone. You can liken an FXS port to a normal phone socket on your wall (for example a regular BT line socket). Like a normal phone socket, an FXS port will ring the phone, and present dial-tone when you lift the phone off the hook. An FXO port is a 'listening' port and goes in place of where you would normally connect a telephone - for example into a regular phone socket on the wall. You cannot plug a telephone into an FXO port. An FXO port does not generate ring current or dialtone for a telephone - it expects to receive ring current and dialtone from a phone line. For ISDN connections, there are also two different types of port. A 'TE' interface is connected into an incoming ISDN2e (BRI) line. An 'S0' (or NT) interface is connected to ISDN equipment, such as an ISDN telephone or existing ISDN voice PBX. Note : The 'Plus' modules (FXSPlus and FXOPlus) are not compatibile with the older Vigor3300V unit (non 'plus') and the older non-plus modules are not compatible with the new Vigor3300+ model. Analogue FXS Module The FXO module provides 4 ports for connection of up to four analogue phones. Instead of a phone, you can connect these FXS ports to the trunk inputs of an existing analogue PBX. That would provide VoIP integration with your existing PBX if you're not ready to replace it just yet. Part No. FXS4P Analogue FXO Module The FXO module provides four inputs for analogue (POTS) lines. This allows integration of your existing phone lines into the Vigor 3300V+. You then can continue to use your analogue lines, but also enjoy the advanced features of the Vigor IPPBX and deploy IP extensions. This is a true hybrid solution for legacy systems. Incoming calls on analogue lines or VoIP can be distributed to extensions exactly as you wish, and outgoing calls made over analogue line or your VoIP trunk according to your own preferences. Part No. FXO4P ISDN 'TE' Module This module has 4 ISDN interfaces which can be connected to standard ISDN2e (BRI) lines providing up to 8 voice channels per module. This allows full integration of your existing ISDN lines into the Vigor3300V+ Part No. TE4P ISDN TE/S0 Module This module provides two switchable TE/S0 ports and two fixed S0 ports. The S0 ports (sometimes called NT ports) )are for connection to an existing ISDN PBX trunk port (input). This is useful where you want to have the benefits of VoIP. You can also connect ISDN phones to the S0 ports. The two switchable TE/S0 ports can be set to be either S0 or TE mode so the module can provide either 2 S0 + 2TE ports, or four S0 ports. When the two switchable S0/TE ports are set to TE mode, they are for connection to ISDN2e lines (as per fixed TE module above). Part No. N22P Note : Please ensure that you are always ordering and using the right module/port for the right purpose. Modules and/or your connected equipment could be damaged by using to wrong module or port types. Installation Examples FXS Module (Part No. FXS4P) Provides 4 analogue extensions FXO Module (Part No. FXO4P) Connects 4 analogue trunks ISDN Module(Part No. TE4P) Connect 4 ISDN2e BRI lines (8 Channels)   What can you use FXO and FXS ports for ? An FXS Port/Interface accepts a telephone can can be used to : Make a VoIP call to another VoIP user on the Internet Make a call to another user in the same office on another FXS Port ('Intercom') Make a call directly to the PSTN, using the office's existing analogue lines (req. FXO interface too). Make a call to the PSTN via the DrayTEL (or other) PSTN Gateway An FXO Port/Interface can : Connect to any regular analogue phone line Connect to an extension of an existing office PBX (switchboard), as long as it's an analogue extension, not a digital or keysystem (if you can plug a regular phone in, it's an analogue extension). Allow FXS Port users to access the line/extension connected above. Accept an incoming call from the analogue line and allow the caller to either: Dial any VoIP destination manually Dial any PSTN destination manually (call then routed via DrayTEL) PIN controlled access to restrict access. Be put through to a pre-set VoIP destination automatically

Other Features

Bandwidth Management & QoS

The Vigor 3300V+ firewall allows the administrator to set Quality of Service (QoS) preferences such that specific services have greater priority over others, or that certain services can never take up more than a certain percentage of your bandwidth. For example, Voice-over-IP (VOIP) telephony might be considered the highest priority so when temporary Internet congestion exists, priority would be given by the Vigor 3300V+ to the VOIP services so that VOIP calls can still be made, whereas FTP downloads, for example, would be given lower priority, i.e. a smaller percentage of the available bandwidth. Similarly, if you did not want users taking up too much of your valuable bandwith with P2P applications (e.g. downloading music) you could set a maximum percentage of your bandwidth that such applications could take up.

The QoS facility allows service types to be given one of eight levels of priority. Each level has selectable parameters including guaranteed bandwidth (percentage), maximum bandwidth (percentage), DiffServ Codepoint and can recognise applications/targets based on IP Address, Service-Oriented Subnet, TCP/UDP Ports, IP protocol or volume of Traffic.

Vigor 3300V+ - Front Panel Sockets

On the top row you can see two optional VoIP modules already fitted - one is FXO, the other FXS type. Each of the VoIP RJ11 ports has an LED to indicate when it is in use. The four LAN Ethernet ports on the second row (left) can each be VLAN'd and throttled. The four WAN ports are multi-purpose and can be set as as WAN, load-balanced/redundant WAN or LAN-DMZ. All Ethernet ports are auto-sensing.

New

New Features in the Vigor 3300+ Series

The following lists the features which have been included in the Vigor3300V+ which were not in the original Vigor3300V. Many of these features can now be added to existing Vigor3300V's by downloading a free firmware upgrade:

• VPN Enhancements:
  • VPN Load-balance and backup
  • Support aggressive mode for IPSEC VPN
  • VPN Trunking (VPN Failover or bonding over multiple WAN Links)
  • PFS (DH Group)
  >
  • DPD (Dead Peer Detection)
  • Support MS-CHAP, MS-CHAPv2 and MPPE for PPPoE/PPTP dial out
  • Allow "Accept all proposal" IPSec Phase1/2 Proposals
  • Append an option for user to create IPSEC route
  • Add encryption without authentication proposal in VPN-IPSec.
  • NAT Traversal(NAT-T)
  • Added watchdog function for IPSEC VPN
  • Support "nas-ip-address" and "nas-identifier" fields in RADIUS authentication packets
  • Add DNS option in VPN-> pptp general setup
• Management Enhancements:
  • User access log added to syslog reporting
  • User-Agent Name is now changeable. Default is "Draytek V3300V-1.0.0".
  • Data Monitoring for LAN
  • SSH remote management function.
  • Added enable / disable toggle for the data flow monitor
  • When management port is enabled, check if VID value is set in 802.1Q VLAN
  • Add an option to turn on or turn off for management in http, telnet and SSH functions
• WAN Enhancements
  • RIP protocol supported on WAN interface
  • Add mtu setup option for static WAN
  • Bandwidth limititation function
  • Port range and source port fields for QoS feature
  • IP Alias function in PPPoE mode.
  • Add LFI(Link Fragmentation and Interleaving) with using MTU in QoS
  • Add the direction of DMZ and VPN options in IP Filter function
  • Support 802.1Q VLAN on WAN interface
  • Append WAN default IP to address mapping option
  • Support strict bind interface mechanism in load balance policy
  • Add an option "block" or "allow" to match key words in URL Filter web page
• LAN
  • Port-based and 802.1Q tag-based VLAN
  • Added high availability function for 802.1Q VLAN on LAN interface
  • IP Bind to Mac function, the algorithm is same with Vigor 2xxx
  • Static DHCP function
  • Implement IP routing function by using multiple WAN interfaces
  • Add physical DMZ function
  • Add tag-based VLAN with multiple LAN interfaces
  • Support IP unnumbered function for IP routing
  • Support gratiutous ARP packet
• VoIP
  • Add line reversal on VoIP ports when callee answers and hangs-up
  • Add Call Waiting feature
  • Play dial tone only when port registered (selectable)
  • Added VoIP pin code for FXO ports
  • "Round Robin" ring option in VoIP Group settings.
  • Add Single Codec function in VoIP, it can be disable or enable.
  • Add line polarity reversal when callee answer the phone.
  • Add Authentication ID in VoIP protocol.
  • Add sip message log, in the CLI (command voip>siplog )

VLAN

VLAN & Multiple LAN Private IP Subnets

The Vigor 3300V+ supports Ethernet port based VLANs, where each of the four LAN (RJ45/Ethernet) ports can be put into common or distinct groups - i.e. isolated or joined to each other. In addition, the Vigor 3300V+ can support up to four independent LAN-side private IP subnets, with the Vigor providing each with its own DHCP server.

The three diagrams below show some example configurations of VLANs, combined with multiple private LAN subnets, intended to illustrate the flexibility of the Vigor 3300V+. As each subnet can have its own DHCP server, it effectively provides the equivalence of four independent Internet connections for example to be used for four separate companies, providing complete isolation between each LAN. To follow the feature in each case, in each diagram note the IP address of each PC.

Figure 1 - Simple Port Based VLAN

In the above diagram, four PCs are connected to the router, one on each LAN Ethernet port P1-P4). The PCs are all in the same IP subnet (192.168.1.0/24) however a VLAN has been set up so that the PCs are all distinct - they cannot communicate with each other. You can connect additional Ethernet switches/hubs to each port to expand the groups. You can have up to four groups; each one can exclude or include any of the port ports. All groups have Internet access. We have included a secondary switch/hub (in green) to which two PCs are connected (IP addresses ending .14 and .15). These are within the same VLAN group so can communicate with each other.

Figure 2 - Multiple Private subnets & VLAN

In the above example, each of the four ports is configures in its own distinct VLAN, separated from the others. No communication is permitted between the subnets. All subnets have Internet access but not access to each other. Each LAN interface has its own DHCP service operating on the router.

Figure 3 - Multiple IP Subnets using 802.1q Taggings

Multiple IP subnets can share the same Ethernet network if you have 802.1q compliant switches. Packets are tagged to denote their logical subnet. In the above diagram, we have four different IP subnets operating (192.168.1.0/24, 192.168.2.0/24 etc.). All four subnets are on the same V3300V+ Ethernet port. In this scenario, a PC on any part of the LAN can be within any of the IP subnets. The four subnets can all also communicate with each other as the PC will route locally between them. Only one DHCP server can operate on each LAN.

Specification

Vigor 3300V+ Specification

• High Performance Firewall featuring :
  • Easy to navigate Web Interface
  • Full Stateful Packet Inspection for both NAT and non-NAT operation
  • Load Balancing & WAN Port backup (failover)
  • High-Availability (VRRP, RFC2338)
  • Packet Filtering & IP DMZ Support
  • DHCP Client, Server & Relay
  • Bandwidth/Speed Limitation Function
  • Port based and 802.1Q tag-based VLAN
  • Bind IP Address to MAC Address on LAN
  • Physical DMZ Port (selectable)
  • WAN & LAN Port Mirroring (for audit/diagnostic)
  • RFC Compliance Testing
  • Dos & DDoS protection on all interfaces (LAN & WAN side) including signature testing
  • Support for multiple private subnets on the LAN side
  • Built-in diagnostics for all interfaces, and ping/traceroute tools
  • QoS facilities for guaranteeing available bandwidth for traffic categories
• Internet Access Control/Restriction :
  • Web URL filtering based on keywords, with reporting facility
  • Blocking enabled/disabled based on time / day schedules
  • Content Inspection : Real-time detection and blocking of Java Applet, Active-X, Ccookies and Web Proxies (selectable).
  • Web Site Category blocking (Globalview 'Parental Control' subject to subscription)
• Physical Interfaces :
  • WAN-Side 4 X 10/100BaseT Ethernet (2 selectable DMZ)
  • LAN-Side 4 X 10/100BaseT Ethernet
  • Power : 240VAC; IEC socket on rear
• Comprehensive Reporting & management facilities :
  • Syslog reporting of real-time routing & firewalling activity
  • Email notification of breaches
  • Configuration and management from web-based user interface
  • Secure remote management
  • Test and debug facilities also available on Telnet interface
  • Built-in self-diagnostic tools
  • SNMP Agent with MIB-II
• Rackmountable (19") - Brackets included