Hi all,
I have a Draytek 2865ax with a WAN2 FTTP connection to ONT (DHCP).
I can use ping and traceroute directly from Draytek, which works fine.
All devices cannot access anything other than LAN.
If I turn on Change Default Route to this VPN tunnel (with IP from another VPN), everything will work fine.
e.g.
Tracing route to 8.8.8.8 over a maximum of 30 hops
1 1 ms <1 ms <1 ms 10.121.200.1
2 * * * Request timed out.
...
If I connect ONT -> WAN TP-Link LAN -> WAN2 Draytek, everything works fine
How can I investigate why Draytek blocks access to WAN2 from the LAN?
Static routes are fine.
Thank you.

As I need to remove an additional router, the problem is back.
From the router's point of view, everything with the internet is fine.
Dashboard, WAN2, Ping, traceroute, and all VPNs work fine.
WAN General Setup - Connection Green
Online status WAN2 green with correct IP
The dashboard shows both green.
ping from outside is working fine.
However, all devices cannot see the network.
It is not a DNS issue, as ping (Google by IP) also does not work.
ping 142.250.184.14
Pinging 142.250.184.14 with 32 bytes of data:
Request timed out. (...)
Ping statistics for 142.250.184.14:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
If I connect TP-link between ONT and Draytek (without changing anything in Draytek) all is working fine.
What is going on? What information will you need to help me diagnose the problem?
To write this issue, I use RDP over VPN to different Windows machine.
Moreover, all traffic through VPN works perfectly fine in both ways.
It seems like a simple problem, but I cannot find where it could be.

Hi espin,

Can I help at all?

I’m trying to understand your setup. Did the TP-Link unit arrive with your ONT connection, as in, was it supplied with your FTTP service/install?

Some providers may have tailored their router to work on their network, hence why they might supply you this unit. If so, I’m sure the settings you need to make it work with your Draytek will be available somewhere online or from the ISP provider.

You may be showing green connections on your WAN ports of the Draytek, but that’s just showing you the speed of the ethernet connection, not its “online” status, so to speak; normally green is 1Gb and orange is 100Mb.

If the ONT unit was the only device supplied when installed, can you connect a laptop directly to it and get online, without the TP-Link and Draytek involved at all?

I’m not sure why you would need to mess with a VPN connection to get you online, as that is further down the chain and a simple connection to the WAN from the internal LAN should be achievable more easily than a VPN connection being established and then using it to route LAN traffic through.

Are you using VLANs, and if so, have you set up your separate LANs correctly, so they route traffic to the associated gateway and out onto the internet?

Do you have any firewall settings active?


I’m trying to think of a few things for you to try/investigate.

HI HodgesanDY,
Thank you for your help.
Draytek (and TP-Link) was not a part of the provided ONT.
The ONT provider is a small company (ZonAmber) I can contact through WhatsApp. However, as I can use ONT (through Draytek VPN), the problem is unlikely on their side (or are they guilty parties?). They recently supplied static external IP. Anyway, I asked them as well and am awaiting a response.
No VLAN and firewall are standard settings; the static routes are the same as in TP-Link. I tried randomly changing any settings (including turning off the firewall), but there was no joy.
The MAC address is the same for both routers (from the ONT point of view). The ONT supplied the IP configuration by DHCP, which is the same on both routers.
I have an old and good spare Draytek 2830, which I connected for the test, and it was the same issue.
When I connect the TP-link between ONT and Draytek (without restarting or changing anything), everything starts working as it should.
I do not know what else I can check, even though I have been dealing with Draytek routers for over 15 years, so I am not a noob.
Regarding green, I mean not a connector but the whole text in the WAN2 port (where IP and uptime are).
I will come to the site to check if I can get internet directly from my laptop - thank you for your valuable suggestion.
Thinking out of the box, could ONT IP configuration (broadcast/default gateway IP) be why the NAT fails in Drayteks only?

Hi espin,

I’m trying to get my head around the ‘static route’ setup you keep mentioning. What routes are these, and why have you needed to use them?

Unless you are using multiple routers behind one main router, I can’t see a need for any static routes in this scenario.

It may be that your static routes are the problem, and the only reason it works with the TP-Link in play, is because that is acting as the main router in a static-routing scenario.

Try removing the TP-Link and disabling all static routes in the DrayTek, then check that your ‘Routing Table’ (see diagnostics) has an entry for 0.0.0.0, as that is the entry that will forward ALL traffic if no other route, or routes, are configured for specific devices to make their way out onto other networks, including a WAN network.

This may be why you’re able to VPN past the static routes.

Hi HodgesanDY,
Thank you for your input.
I may have misspelled "Static Routes" a bit. I mean routes created when the WAN connection are set without my intervention (LAN and WAN).
However, when connected laptop, DHCP pick up 172.x.x.x range from ONT. Therefore, I set IP settings manually (same as both routers discovered from DHCP set by the IP) and got this:
"The combination of IP address and subnet mask is invalid. All of the bits in the host address portion of the IP address are set to 1. Please enter a valid combination of IP address and subnet mask." by Windows 10
IP address x.x 204.243
Subnet mask 255.255.255.252
Default gateway: x.x.204.241
I contacted the IP, but they did not answer. I think they do not understand the problem.
I assume those IPs are incorrect?