I’ve just upgraded to a DrayTek Vigor 167 (from a 130) due to instability issues and it eventually just gave up.
On the new Vigor it’s possible to specify a time server to keep its time in sync but I can’t seem to allow the modem access to the internet. I can SSH to the Vigor and try to ping 1.1.1.1 from it etc but it just times out and I’ve no idea where to start. I can also ping the Mikrotik from the Vigor and vice-versa.
Even when I VERY temporarily disabled all firewall rules and simply used “allow” for all traffic on the input and forward chains, it still did not allow the Vigor access out (or it isn’t able to receive the response?).
The end goal is to have the Vigor use the Mikrotik as the DNS server (192.168.0.1) and only internet UDP 123 NTP traffic. But I can’t even seem to get it access to the internet after removing all firewall rules.
Can anyone help me as to where I may be going wrong?
The Vigor has no routes other than 192.168.0.0/24 so cannot communicate with anything other than the directly connected Mikrotik. I normally enable the NTP server on the Mikrotik, specify its address (192.168.0.1 in this case) on the modem, and add a firewall rule to allow UDP port 123 input from the ethernet interface (or VLAN in this case) only - not the WAN list as that would expose the NTP server to the internet.
I’m not sure why you are using VLAN101 for communication with the Vigor and PPPoE traffic. In the UK FTTC does require encapsulation with VLAN ID 101 but that can be handled by the modem itself leaving the ethernet link untagged.
Thanks for the reply! So it’s an “issue” on the Vigor side as opposed to something that can be configured to make it work via the Mikrotik?
That’s a good idea with the NTP server on the Mikrotik though. I think I’ll take that approach if it’s not possible for the Vigor to have limited internet access itself.
I’m using Vlan101 on the Mikrotik because I just wanted to have the configuration all in one place. I disabled the VLAN101 tag on the modem.
Certainly in the current firmware (v5.2.5) you cannot set a default route - under Configuration > Routing when adding a new route only subnet masks of /8 to /32 are supported, so unless you know the specific address range of an external NTP server, and that it will not change, using the Mikrotik is a better option.
The downside of disabling the FTTC tagging on the modem is that after a factory reset you have to explicitly configure the modem for the PPPoE connection from the Mikrotik to work. Having the PPPoE client untagged on the interface connecting to the modem will just work, changing modem settings is only required for management access - Configuration > LAN to change IP address, System Maintenance > Device Settings > Time to change the Time Server IP and related settings, optionally System Maintenance > Device Settings > SNMP to enable SNMP monitoring in addition to changing access credentials and permitted management services.
Very interesting information, thank you. I may very well reconsider the vlan tagging in the modem itself.
I’m having a bit of a strange issue currently that the Vigor doesn’t seem to be able to sync the time with my Mikrotik even with all firewall rules temporarily set to allow.
Nothing but “unknown error” and I can’t even see the traffic hitting the Mikrotik, yet I can ping to and from it to the router. Very confusing.
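The setup suggested in the replies above (NTP server on the Mikrotik, UDP 123 accepted only from the modem-facing side), followed by two checks for whether the modem's requests reach the router at all. This is an added RouterOS example, not a configuration posted by anyone in the thread. The interface name `ether1` and the rule comment are assumptions; 192.168.0.0/24 is the subnet given in the thread.

```routeros
# Added example. Assumption: ether1 is the port cabled to the Vigor and
# carries 192.168.0.1 for modem management.

# 1. Serve time from the router itself.
/system ntp server set enabled=yes

# 2. Accept NTP requests only when they arrive on the modem-facing
#    interface from the modem's subnet. Do not match on the WAN
#    interface list here: that would offer the NTP server to the internet.
#    "add" appends to the end of the chain, so move the rule above the
#    input chain's final drop rule (or add it with place-before=).
/ip firewall filter add chain=input action=accept protocol=udp \
    dst-port=123 in-interface=ether1 src-address=192.168.0.0/24 \
    comment="NTP from modem subnet"

# 3. Check: after triggering a time sync on the modem, the packet
#    counter of the rule should increase.
/ip firewall filter print stats where comment~"NTP from modem"

# 4. Check: if the counter stays at zero, watch the wire directly. No
#    packets here means the modem is not sending to 192.168.0.1 at all,
#    so the firewall is not what is blocking it.
/tool sniffer quick interface=ether1 port=123
```

If the sniffer shows requests arriving but no replies leaving, look at the NTP server state and the router's own clock; if it shows nothing, recheck the Time Server address configured on the modem.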