DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Draytek router behind BT SH2 - cannot use VPN
18 Dec 2024 08:32 #104340
by Parpin
Draytek router behind BT SH2 - cannot use VPN was created by Parpin
I have recently moved to BT digital voice and so need to use the BT (actually EE) smarthub 2 (SH2) as primary router in order to use the digital phone line.
I want to keep using my draytek 2866 as main router for firewall and DHCP behind the SH2. Using guidance on this forum I have the SH2 as router (IP 192.168.30.1); this is in DMZ mode and forwards all traffic to my draytek (IP 192.168.3.10 - static). The draytek 2866 then handles all LAN DHCP and firewall on subnet 192.168.1.XX (gateway 192.162.1.1); with this setup all my existing devices are working fine and can access the internet as needed.
I don't have a fixed IP so I am using drayDDNS to get a dynamic address; this is working fine, as I have my router set to find the internet IP address, which it is doing.
My main issue is external access; in particular, Dial-in VPN (L2TP/IPSec) is not working now and not connecting.
Any suggestions welcome!
31 Dec 2024 11:48 #104388
by m_d
Replied by m_d on topic Draytek router behind BT SH2 - cannot use VPN
Sometimes this can be caused by ISP routers such as the BT SH2 blocking or not being able to forward protocols such as GRE or ESP. (These protocols don't have port numbers like TCP & UDP do, so can cause problems.) In theory NAT-T should be able to circumvent this limitation, but it is something to consider.
I have a similar setup using a Virgin Media Hub rather than BT, and Dial-In IPSec is working fine. I have previously run a Draytek behind a BT Hub, but I can't remember if VPN worked - it probably did, as I cannot remember it causing a specific problem.
Can you access any other services on or behind the Draytek from outside your network? (Non-VPN services, such as a web server, the router's built-in one or otherwise.)
31 Dec 2024 13:06 #104389
by Parpin
Replied by Parpin on topic Draytek router behind BT SH2 - cannot use VPN
Thanks, I figured out the issue after lots of research and me thinking I had made some mistake configuring VPN / ports etc. The problem is the way IP addresses are allocated. EE, and now Community Fibre, which I tried switching to for their full fibre (FTTP), don't provide static IP or dynamic IP, so my drayddns was never working properly. Instead they use CGNAT (where there is an external IP but the provider allocates my router a private ID 100.x.x.x due to lack of IPv4 addresses, so my public internet ID is not directly reachable externally!).
Only option is to pay more for business broadband (with static IP) or 3GB (with Community Fibre that then gives a true dynamic IP).
I'm sure many people will face this issue going forwards, so the only option is paying more, or there are some workarounds using a third party VPN that allows port forwarding, which I don't really want to do as my experience with VPNs is that there is a performance hit.
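Added example, not part of the original posts: a quick check for the situation this thread ended on, classifying the WAN address at each hop to tell apart a home double NAT (fixable with DMZ/forwarding) from CGNAT (not fixable on the customer side). The 100.64.0.0/10 range is the RFC 6598 shared address space carriers use for CGNAT; the function names and the 100.72.14.9 and 203.0.113.45 sample addresses are constructed for illustration.

```python
import ipaddress

# Ranges that are never directly reachable from the public internet.
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    """Return 'cgnat', 'private' or 'public' for one IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"

def diagnose(vpn_router_wan, isp_router_wan, ddns_address):
    """Decide whether a dial-in VPN can reach the inner router.

    vpn_router_wan: WAN address of the router terminating the VPN
    isp_router_wan: WAN address shown on the ISP router's status page
    ddns_address:   address the DDNS hostname currently resolves to
    """
    findings = []
    if classify(vpn_router_wan) != "public":
        findings.append("double NAT: ISP router must forward (DMZ) to "
                        + vpn_router_wan)
    edge = classify(isp_router_wan)
    same = ipaddress.ip_address(ddns_address) == ipaddress.ip_address(isp_router_wan)
    if edge == "cgnat":
        findings.append("CGNAT: ISP router WAN is in 100.64.0.0/10, "
                        "inbound traffic stops at the provider's NAT")
    elif edge == "private":
        findings.append("another private NAT layer sits in front of the ISP router")
    elif not same:
        findings.append("DDNS record does not match the ISP router's WAN address")
    return edge == "public" and same, findings

if __name__ == "__main__":
    # Constructed values modelled on the thread: DrayTek WAN behind the SH2,
    # SH2 WAN handed out by the provider, address published through DDNS.
    ok, notes = diagnose("192.168.3.10", "100.72.14.9", "203.0.113.45")
    print("inbound VPN reachable:", ok)
    for note in notes:
        print(" -", note)
```

If the ISP router's own WAN address is public and matches the DDNS record, the remaining work is on the forwarding side: L2TP/IPsec needs UDP 500, UDP 4500 (NAT-T) and UDP 1701 to reach the inner router.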