Hi,

I've just taken delivery of a 2860 Router but I'm having issues configuring it for static IPs. If I set the WAN to request a Dynamic IP from the ISP (Zen) with MultiNatting, it works fine but obviously I then cannot use the Public IPs.

I have a block of static IPs (changed for this question) on 80.68.43.136/29. This offers me 5 usable IPs, from 137 to 141 and 142 is my Router address.

I have three requirements:

- Configure Port 1 to NAT 80.68.43.137 to a Private IP with DHCP (192.168.x.x)
- Configure Ports 2-5 to be assigned 138-141 so the connected devices have a Public IP.
- Configure the Ports so the devices with the Public IPs on Ports 2-5 are accessible from the internet.

I've followed a couple of guides from Draytek and Zen but I'm still no further forward. I have confirmed with Zen that .142 is my Router IP.

I configure the WAN Internet and add .142 as the Router Static IP and I can see and confirmed with Zen that I have authenticated correctly and they can see a ICMP return from the Router WAN address.

However no matter how I configure the LAN I cannot get this work. I suspect I am getting lost somewhere between VLANs and the IP Routed Subnet but I cannot see it for the life of me.

Help!

I think you can use the public IPs if you set the WAN1 up using PPPoE/PPPoA (with No as the fixed IP option, but I'm not sure that it matters) and add the other IPs using the WAN IP Alias dialogue (only the router IP should be ticked as "Join IP NAT pool")

Then you can set your VLANs to give you the various subnets on various ports and use load balance/route policy to direct traffic via the various WAN IP addresses as you want. You may have to open ports (eg 80) to the various devices and specify which Aux WAN IP they are on. Not sure about that last bit if you are using the route policy, have to suck it and see.

Thank you Piste, I shall give that a go.

I thought the WAN IP Alias was to map a public IP to a private IP, whereas I need the public IP to be on my device as well to rule out any NATing.

I shall report back.

I suspect that you are right, although I've found it's certainly easy to use the WAN IP alias option (I have two network cameras to which I connect externally via their own WAN addresses using this).

Reading this http://www.draytek.co.uk/support/guides/kb-drayos-iprouting#2-dedicated-lan-interface I see that it might be easy to fall foul of the firewall blocking incoming routed traffic by default :?:

Thanks Piste,

So, no further along, I logged a ticket with both the ISP and Draytek.

I still seem to be stumbling at the very beginning. I checked the firewall and it is unticked for good measure.

I've tried to simplify my testing in the first instance which has only really made it more frustrating.

I can successfully configure the Draytek 2860 to connect to my ISP (Zen) with a Dynamic IP without any issue.

On the router I then navigate to the Diagnostics menu and Ping Diagnosis. From there I can successfully ping any IP address from the WAN. I can also configure the assigned Dynamic IP to route to a Private IP without any issue. This also proves that I have entered the ISP username, password and VCI details correctly.

I then navigate back to WAN and change the IP address to the Fixed IP provided by Zen, so I can assign one of my block of 5 usable IPs. Once I have entered the Fixed IP and reboot the Router, I am no longer able to ping anything from the Ping Diagnosis, which had previously worked successfully for a Dynamically assigned IP. I have also checked the Firewall is not blocking IPv4 and Zen are only issuing IPv4. Also Zen confirmed they can see my Fixed IP address when the Router authenticates but they don't see any traffic from me after that.

I also followed this advice: https://www.draytek.com/en/faq/faq-connectivity/connectivity.lan/how-to-use-a-public-ip-on-lan/

I also tried to configure it with MultiNat (https://www.draytek.co.uk/archive/kb_vigor_multinat.html), but the same issue presents which is that Zen state they receive no traffic from the Draytek. Indeed running WireShark on my laptop here, I can't dispute that as I only see traffic between the laptop and the Router when a static IP is assigned.

Zen are telling me that either Draytek is faulty or I am configuring it wrong. I've confirmed with Zen that they have no ACLs or blocks in place.

Is it possible I have the world's most specific bug/fault?

I have both 2960 and 3900 and have several static IP's and have set it up as follows.
Under WAN1 you need to setup IPAlias with all your static address's and you must include your first one even though you have also set it up as the IPAddress.
Then I used the section "NAT" and "Port Redirect" to control which WAN IP goes to which port. Each rule requires "One to One" set for "port redirect mode" and then single alias for "use IP alias", then select required alias, enter both public and private ports and you should be there. Once you have one rule worked out and working then it's easy to enter the rest, just a case of getting the first one working!!
I have observed with the 2960 that it accepts the rules but does not warn that a re-boot is required to actually get it to work!
I do remember that the 2860 is similar but we changed to a 2960 which is what I'm using now and can't remember the exact menu items but it was similar.