DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Could a site-2-site VPN affect general internet connectivity?

30 Aug 2021 08:17 #1 by eveares
I have an IKEv2 IPsec site-2-site VPN between my grandparents' Vigor 2862 router (firmware 3.9.6.1_BT, model 2862n) and a third-party Untangle firewall I have at my end.

My subnet is 10.100.1.0/24 and theirs is 10.100.12.0/24. The tunnel dials out from their end, and the "always on" and "Enable PING to keep IPsec tunnel alive" options are both enabled.

Now occasionally (such as a couple of times a month) their internet goes completely down (i.e. they complain and lose internet access) for long periods (i.e. a few hours), and it normally requires a reboot of their Vigor 2862 to fix.

The odd thing is that if I have a continuous ping going from my server to their router (over the site VPN tunnel) during an outage incident, I get a normal reply very occasionally (say 1 out of 100 pings or so).

Furthermore, I can normally access their Vigor 2862 via its static WAN IP to remotely reboot it (don't worry, my static WAN IP is whitelisted in the Vigor 2862) during such an outage incident, although it is unusually very slow and sluggish to access during such incidents.

Now my grandparents' broadband is not the greatest and they only get a few Mbps up, and they also have CCTV cameras streaming as well as a Nest doorbell, in addition to all the typical things like multiple iPads.

As verified via Diagnostics > Routing Table, the default 0.0.0.0/0.0.0.0 route on their Vigor 2862 is, as expected, going to the gateway IP on the WAN interface, and only my 10.100.1.0/24 subnet is being routed via the VPN-1 interface.

What I really want to know is what is causing these hours-long "outages" that require the 2862 to be rebooted to make it all come good?

Is it an issue with the site-2-site VPN tunnel, the saturation of their WAN line from devices like the CCTV and Nest doorbell, a setting on the Vigor 2862 that I have misconfigured or set non-optimally somewhere, or something else like a hardware fault?

They are getting 100Mbps FTTP broadband soon, so I hope that fixes the issues.

Regards: Elliott.

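Two checks that follow from the post above, written as an added example (this is not code from the poster, DrayTek or Untangle): the first encodes the routing design the poster verified by hand (exactly one default route, leaving via the WAN interface, and nothing but the far-end LAN sent into the tunnel interface), so a misrouted default or an overlapping LAN is caught mechanically; the second turns a captured ping log into a loss figure, so "1 reply in 100" becomes a measured state rather than an impression. Route entries are hand-typed (destination, gateway, interface) tuples and do not reproduce the Vigor's own "Diagnostics > Routing Table" text format; the ISP gateway address and the ping log lines are constructed.

```python
"""Added example: sanity-check the route design and quantify ping loss.

Assumptions (not from the thread): routes are (destination, gateway, interface)
tuples typed in by hand; the Vigor routing-table text format is not parsed.
The ISP gateway (a TEST-NET address) and the ping log are constructed.
"""
import ipaddress
import re

THEIR_LAN = ipaddress.ip_network("10.100.12.0/24")  # grandparents' site (from the post)
MY_LAN = ipaddress.ip_network("10.100.1.0/24")      # poster's site, reached via the tunnel
VPN_IFACE = "VPN-1"
WAN_IFACE = "WAN2"

# Constructed route table modelled on what the post says the router shows.
ROUTES = [
    ("0.0.0.0/0", "203.0.113.1", "WAN2"),     # default route to the ISP gateway (constructed)
    ("10.100.1.0/24", "0.0.0.0", "VPN-1"),    # only the far-end LAN crosses the tunnel
    ("10.100.12.0/24", "0.0.0.0", "LAN1"),    # directly connected
]


def check_routes(routes):
    """Return a list of problems; an empty list means the table matches the design."""
    problems = []
    nets = [(ipaddress.ip_network(dst), gw, ifc) for dst, gw, ifc in routes]
    defaults = [r for r in nets if r[0].prefixlen == 0]
    if len(defaults) != 1:
        problems.append(f"expected one default route, found {len(defaults)}")
    elif defaults[0][2] != WAN_IFACE:
        problems.append(f"default route leaves via {defaults[0][2]}, not {WAN_IFACE}")
    via_vpn = [r[0] for r in nets if r[2] == VPN_IFACE]
    for net in via_vpn:
        # Anything wider than the far-end LAN (e.g. 0.0.0.0/0) would drag
        # ordinary internet traffic into the tunnel.
        if not net.subnet_of(MY_LAN):
            problems.append(f"{net} routed via {VPN_IFACE} but is outside {MY_LAN}")
    if MY_LAN not in via_vpn:
        problems.append(f"{MY_LAN} has no route via {VPN_IFACE}")
    if THEIR_LAN.overlaps(MY_LAN):
        problems.append("the two site LANs overlap; traffic would never be sent into the tunnel")
    return problems


# Constructed sample in the style of ping reply lines; unanswered probes
# simply leave a gap in icmp_seq (here 2 and 3 went unanswered).
PING_LOG = """\
64 bytes from 10.100.12.1: icmp_seq=1 ttl=254 time=48.2 ms
64 bytes from 10.100.12.1: icmp_seq=4 ttl=254 time=51.0 ms
"""
REPLY_RE = re.compile(r"icmp_seq=(\d+) ttl=\d+ time=([\d.]+) ms")


def ping_loss(log, sent=None):
    """Return (loss_fraction, reply_count, avg_rtt_ms) from a ping log.

    The number of probes sent comes from `sent` if given, otherwise from the
    highest icmp_seq seen in the replies.
    """
    replies = [(int(m.group(1)), float(m.group(2))) for m in REPLY_RE.finditer(log)]
    if sent is None:
        sent = max((seq for seq, _ in replies), default=0)
    if sent == 0:
        raise ValueError("no probes counted; pass sent= when the log has no replies")
    rtt = sum(t for _, t in replies) / len(replies) if replies else None
    return 1 - len(replies) / sent, len(replies), rtt


def classify(loss):
    """Map a loss fraction to the three states the thread describes."""
    if loss >= 0.9:
        return "outage"      # the post's "1 reply in 100 or so"
    if loss > 0.05:
        return "degraded"
    return "healthy"


if __name__ == "__main__":
    print("route problems:", check_routes(ROUTES) or "none")
    loss, n, rtt = ping_loss(PING_LOG)
    print(f"loss={loss:.0%} replies={n} avg_rtt={rtt} -> {classify(loss)}")
```

Run the route check whenever the VPN profile or WAN settings change; a default route that suddenly points at VPN-1 is exactly the kind of misconfiguration that makes "the internet is down" and "the tunnel is up" both true at once. Pass `sent=` to `ping_loss()` when the log was cut from a longer run, since otherwise a trailing stretch of silence is invisible to the sequence-number heuristic.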
30 Aug 2021 23:09 #2 by hornbyp
My guess is that this problem lies somewhere between the Vigor and Openreach. This is ADSL presumably?
I'm surprised it's usable with any (let alone all) of the things it's being asked to do - but I wouldn't have thought 'saturation' is the issue, as such. (After all, you can saturate most IP networks and still use them ... just s-l-o-w-l-y).

100Mbps FTTP doesn't exactly get the pulse raising though :)

Is there an ISP-supplied device, that can be put into 'Bridge mode', thence to a WAN port on the 2862? (Whatever the ISP supplies, might be better suited to the line in question...after all, ISPs are experts in such things :lol: )

Why the subnetted 10.0.0.0 network addresses? As in, if you want Class-C addresses, why not use 192.168.x.0. I see this a lot (and I ask the question a lot!); no one ever replies - I may die not knowing :roll:

30 Aug 2021 23:37 #3 by hornbyp
Another post just reminded me: the "SNR" is adjustable on the Vigor (i.e. it can lie about the strength of the signal it is receiving), which can improve speed or reliability.

See: https://www.draytek.com/support/knowledge-base/4800

At the bottom of that page, it says:

Draytek wrote: If the SNR value or the DSL stability is not as good as you expected, please try other DSL modem codes to improve

This (alternate firmware) is probably more likely to succeed, when experiencing poor speed and poor reliability.

31 Aug 2021 04:23 #4 by eveares
No, it’s VDSL, and it’s using an Openreach modem connected to WAN 2 of the 2862.

31 Aug 2021 04:31 #5 by eveares
As for the 10.xxx.xxx.xxx/24 subnet, I just think it looks more professional and “neater” than 192.168.

You can have 192.168.xxx.xxx subnets larger than /24 too though, i.e. 192.168.0.0/21 taking you right up to 192.168.7.255 as the broadcast address, for example.

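The subnet arithmetic behind the /21 claim above, as an added example (not code from the thread or from DrayTek), using only the Python standard library: it derives the network, broadcast and mask for a prefix, lists the /24s a /21 carves into, says which RFC 1918 range an address belongs to, and checks that two prefixes do not overlap, which is the one property that really matters for the site-2-site VPN in this thread (if the two LANs overlapped, the router would treat the far end as local and nothing would be sent into the tunnel). All addresses are either quoted in the thread or RFC 1918 constants.

```python
"""Added example: subnet arithmetic for the prefixes discussed in the thread.
Standard library only; no assumptions beyond the addresses quoted above."""
import ipaddress

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def describe(cidr):
    """Network, broadcast, mask and usable host count for a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "usable_hosts": max(net.num_addresses - 2, 0),
        "private": net.is_private,
    }


def split(cidr, new_prefix):
    """The equal-sized sub-blocks a prefix carves into, e.g. a /21 into eight /24s."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(n) for n in net.subnets(new_prefix=new_prefix)]


def rfc1918_block(addr):
    """Which RFC 1918 range contains addr, or None if it is not a private address."""
    ip = ipaddress.ip_address(addr)
    for block in RFC1918:
        if ip in ipaddress.ip_network(block):
            return block
    return None


def overlaps(a, b):
    """True if two prefixes share any address; both ends of a site-to-site VPN must not."""
    return ipaddress.ip_network(a, strict=False).overlaps(ipaddress.ip_network(b, strict=False))


if __name__ == "__main__":
    print(describe("192.168.0.0/21"))
    print(split("192.168.0.0/21", 24))
    print(rfc1918_block("172.31.255.255"), rfc1918_block("8.8.8.8"))
    print("VPN ends overlap:", overlaps("10.100.1.0/24", "10.100.12.0/24"))
```

`describe("192.168.0.0/21")` confirms the post: the block ends at 192.168.7.255 with mask 255.255.248.0, leaving 2046 usable hosts. The overlap check is the one to run before bringing up any new tunnel: the thread's two LANs, 10.100.1.0/24 and 10.100.12.0/24, are disjoint, but a carelessly chosen 10.100.0.0/16 at one end would swallow the other.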
31 Aug 2021 21:37 #6 by hornbyp
eveares wrote:
No, it’s VDSL, and it’s using an Openreach modem connected to WAN 2 of the 2862.

Ah, so none of what I said before is applicable :(

Maybe you could test your VPN theory, by leaving it disconnected, except when you actually need to use it? (At this point, I'm sure you're going to tell me the 2862 does the 'dialling'...)

eveares wrote:
As for the 10.xxx.xxx.xxx/24 subnet, I just think it looks more professional and “neater” than 192.168.

Now I wasn't expecting that answer! :lol:

eveares wrote:
You can have 192.168.xxx.xxx subnets larger than /24 too though, i.e. 192.168.0.0/21 taking you right up to 192.168.7.255 as the broadcast address, for example.

I do have experience of 'subnetting' - about 35 years ago, when the multinational I was working for was issued with a selection of (real-world) Class B IP addresses. Unfortunately, this was not a good match for the hundreds (thousands?) of sites the company had. The experience was not improved by the fact that none of us knew what we were doing, so we had a few attempts at it :wink:
(I tried my best to keep out of it ... at that stage, I had 10 years of DECnet experience under my belt and could see no reason for change :wink: )

I've always thought that the best choice for private networks is the Class B 172.16.0.0 to 172.31.255.255 range, subnetted as appropriate. (As in, far less chance of clashing with any future connections, because nobody ever seems to use them). There again, I've never actually used them either :roll:
