VI. Feature Setup

Configuring management interfaces of DrayTek routers

Products:
Vigor 2620Ln
Vigor 2760
Vigor 2762
Vigor 2765

Keywords:
External Devices
FTP
HTTP
HTTPS

Management settings on DrayTek routers

DrayTek Vigor routers have a number of options to control how the router's management interfaces, such as the web interface, can be accessed from both the Internet and local networks.

These are configured in the [System Maintenance] > [Management] menu and its options are described in the table below:

IPv4 Management Setup & IPv6 Management Setup

Access to the management interfaces through IPv4 and IPv6 is controlled separately.

If IPv6 is enabled on the router, the IPv6 Management Setup tab is used to control how the router is accessed from the Internet.
Note that the router will block IPv6 pings to its WAN IP(s) by default.

Default: Disable Auto-Logout

This option controls the router's management interface idle timeout feature. By default, the router is set to "Auto Logout", which will log out of the router's web interface if that session is inactive for 5 minutes. This can be changed per-session using the drop-down box in the upper left. Ticking this option removes the Auto Logout drop-down box and the router's management interface remains logged in until the router is restarted.

Enable Validation Code in Internet/LAN Access

This enables the router's Validation Code feature, which puts a "CAPTCHA" image on the login page that displays a number. To log into the router, this number must be entered along with the username and password. The CAPTCHA image changes each time the login page is reloaded.
This facility has been added to ensure that the login process can only be performed by a person instead of an automated system.

Internet Access Control

This controls access to the router from its internet connection (WAN interfaces).

A quick setup guide for remote management is located here: Configuring a DrayTek router for remote management

Tick Allow management from the Internet to enable management over the internet on the interfaces selected.
For example, ticking HTTPS Server enables access to the router's HTTPS interface when accessing the router from the internet. The options specified here only affect access from the internet; access from the LAN is controlled from a separate setting.


Disable PING from the Internet stops the router from replying to pings sent to the router's WAN IP addresses.
Domain name allowed is used when the router's DNS Filter is enabled. If this is enabled and the router is accessed from the internet using a hostname, that hostname must be entered in this box.
Enforce HTTPS Access redirects access attempts to the HTTP management interface to the encrypted HTTPS management interface.

LAN Access Control

This controls access to the router's management interfaces from its LAN interfaces.

Check this guide for details on its configuration: LAN Access Control Setup

Access List from the Internet

This controls which IP addresses on the internet are allowed to access the router's enabled management interfaces.

Firmware version 3.8.9 and later - Enter the number of an IP Object configured in the [Object Setting] > [IP Object] menu to select it. The IP Objects allow configuration of entries with a single IP, subnet or range of IP addresses.

Firmware versions before 3.8.9 - The IP addresses can be set as individual IP addresses by specifying the IP address in the IP field and selecting 255.255.255.255 / 32 in the Subnet Mask setting. That limits access from the internet to only that IP.

To allow IP ranges, set the network address of the range in the IP field and specify the subnet mask of that range.
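A pre-change check for the IP / Subnet Mask form of the access list described above, as an added example that is not DrayTek code. It flags entries whose IP field is not the network address of the range, flags very wide ranges, and lists administrator source addresses that no entry covers. The addresses, the `/24` review threshold and the function names are assumptions made for illustration.

```python
import ipaddress

BROAD_PREFIX = 24  # assumption: entries wider than a /24 are flagged for review

def check_entry(ip, mask):
    """Validate one IP / Subnet Mask pair as it would be typed into the access list."""
    # strict=False tolerates host bits so they can be reported instead of raising.
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    notes = []
    if ipaddress.ip_address(ip) != net.network_address:
        notes.append(f"IP field should hold the network address {net.network_address}")
    if net.prefixlen < BROAD_PREFIX:
        notes.append(f"/{net.prefixlen} admits {net.num_addresses} addresses")
    return net, notes

def audit_access_list(entries, admin_sources):
    """Return ({entry: notes}, [admin sources that no entry covers])."""
    nets, findings = [], {}
    for ip, mask in entries:
        net, notes = check_entry(ip, mask)
        nets.append(net)  # coverage uses the masked network (assumption)
        if notes:
            findings[f"{ip} / {mask}"] = notes
    uncovered = [src for src in admin_sources
                 if not any(ipaddress.ip_address(src) in net for net in nets)]
    return findings, uncovered

# Constructed sample data using documentation/benchmark address ranges.
ENTRIES = [
    ("203.0.113.10", "255.255.255.255"),   # single address (/32)
    ("198.51.100.64", "255.255.255.192"),  # range entered by its network address
    ("192.0.2.77", "255.255.255.0"),       # host address entered with a /24 mask
    ("198.18.0.0", "255.255.0.0"),         # very wide range
]
ADMIN_SOURCES = ["203.0.113.10", "198.51.100.100", "203.0.113.11"]

if __name__ == "__main__":
    findings, uncovered = audit_access_list(ENTRIES, ADMIN_SOURCES)
    for entry, notes in findings.items():
        print(f"{entry}: {'; '.join(notes)}")
    print("admin sources not covered:", uncovered)
```
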

Management Port Setup

These are the management ports used by the router's management interfaces either locally or remotely.

If Allow management from the Internet is enabled:
Port numbers set here will override NAT port forwards if they are configured to use the same ports. For example, a web server using HTTP on TCP port 80 would conflict with the router's HTTP interface using the same port. The router's HTTP management port would need to be changed for that port forward to work. If the router's HTTP management port is changed, this will take effect for local and remote management access.


If Allow management from the Internet is not enabled:
The port numbers set here will be used for locally administering the router but will not conflict with NAT port forwards.
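The conflict rule above, written as an added check that is not DrayTek code: a management port shadows a port forward only while Allow management from the Internet is ticked. The port-forward list, the service names and the treatment of the management interfaces as TCP-only are assumptions made for illustration.

```python
def port_conflicts(mgmt_ports, forwards, allow_wan_mgmt):
    """Return (service, port, forward_name) for every shadowed port forward.

    mgmt_ports: {service name: TCP port} from Management Port Setup.
    forwards:   list of (name, protocol, first_port, last_port) NAT rules.
    """
    if not allow_wan_mgmt:
        # Per the page: without Internet management, the ports are only used
        # locally and do not conflict with NAT port forwards.
        return []
    conflicts = []
    for name, proto, first, last in forwards:
        if "TCP" not in proto.upper():  # assumption: management runs over TCP
            continue
        for service, port in mgmt_ports.items():
            if first <= port <= last:
                conflicts.append((service, port, name))
    return conflicts

# Constructed sample configuration, not taken from a real router.
MGMT_PORTS = {"HTTP": 80, "HTTPS": 443, "FTP": 21}
FORWARDS = [
    ("web server", "TCP", 80, 80),    # same port as the HTTP interface
    ("game", "UDP", 443, 443),        # UDP, so no clash with HTTPS over TCP
    ("ftp range", "TCP", 20, 21),     # range that includes the FTP port
    ("camera", "TCP", 8080, 8090),    # no overlap
]

if __name__ == "__main__":
    for service, port, name in port_conflicts(MGMT_PORTS, FORWARDS, True):
        print(f"{service} management port {port} overrides port forward '{name}'")
```
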

Brute Force Protection

When enabled, this locks out IP addresses from accessing the router's management interfaces on LAN & WAN after failing to successfully authenticate with the router.

This is explained in depth in this guide: Brute Force Protection

TLS/SSL Encryption Setup

Routers that display this option are using TLS for HTTPS management and SSL VPN encryption.

The TLS versions (1.2, 1.1 etc) selected here are the HTTPS & SSL VPN encryption types that clients are allowed to connect with.

The Enable SSL 3.0 option enables SSL 3.0 for HTTPS management or SSL VPN. It is recommended to keep this setting disabled so that the more secure TLS protocol is used for SSL connections.

CVM Access Control

This enables the router's Central VPN Management server on the ports specified.

Details on the configuration of Central VPN Management can be found here: Central VPN Management

Device Management

This option controls whether the router will respond to traffic used by DrayTek products for the External Devices menu feature.

Disabling this option will stop the router from showing in the External Devices menu on other DrayTek products and disable Central Switch Management.

AP Management

This enables the router's Central AP Management functions.

Details on Central AP Management can be found here: Central AP Management - Overview



Comments

From: Roland
31/10/2018

Needs to be updated to include in the "Internet Access Control" box the setting adjacent to HTTP Server : "Enforce HTTPS Access" (included in 2862n firmware: 3.8.9.2_BT)