Low Cost Enterprise Security Firewall Router (Draytek Vigor 2950)

Member Name: Deru

Product:	Draytek Vigor 2950
Date:	11/04/09 (149 review reads)
Rating:

Advantages: Powerful, Easy to configure, Good support, Low cost

Disadvantages: Needs extra 'modem' for each broadband Connection, Occasional reboots required

DRAYTEK VIGOR 2950 ENTERPRISE FIREWALL

The Draytek Vigor 2950 Enterprise Firewall is a hardware firewall and router aimed at medium sized to large businesses. I've set up and am using six of these routers at a certain company with offices around London and have been using them for a few years now and was done as an upgrade from the Draytek Vigor 2600 and 2800 routers that were previously in use. The reason for the upgrade to the 2950 was due to the VPN (Virtual Private Network) connection being slow with the previous models. This was probably due to the processor in the router not being powerful enough to encrypt and decrypt the data more quickly. The 2950 has a dedicated co-processor just for the VPN, so performance would be better. It costs around £320 but price varies from supplier to supplier.

SETTING UP

The 2950 comes with mounting brackets and screws (no rack nuts included though) so that you can mount the router in a data cabinet. Once ready, it's just a case of plugging in the power, a patch lead (network cable) to a Vigor 100 (or 110) or a router in a non-NAT configuration from one of the two WAN (Wide Area Network) ports and another patch lead from one of the LAN (Local Area Network) ports to your network. The Vigor 100 (or 110) is like a modem and required to connect the 2950 to an ADSL connection (the phone cable for the broadband connects to the Vigor 100). After all that, you log into the 2950 with the default login details to set up the ADSL settings (broadband account login details), similar to most routers. The 2950 can have two broadband connections plugged into it so one would need to plug in another Vigor 100 (or non-NAT router), for the secondary Internet connection, to WAN2 port. For the 2950 to need the Vigor 100 or non-NAT router to connect to the Internet is a bit of a disadvantage for me as it's an extra cost involved. The Vigor 100/110 costs around £50.

KEY FEATURES (That I use)

It is a requirement at my work place for the offices dotted around London to be networked to each other so that each office can connect to the company Intranet (A website system within a company), hence the choice of Draytek routers, as they all have a built-in VPN function. VPN enables users to connect to a network from anywhere that has an Internet connection (and a computer obviously). A user 'dials in' to a VPN account with a username and password that's set up by the administrator beforehand and the process is similar to how you would dial out using your phone line to your ISP if using a dialup Internet connection. Instead of a telephone number, the user would use a server address such as an IP address where the VPN server is located.

The Draytek routers have a LAN-to-LAN function, which is basically a VPN from router to router, which means users on each network would not need to 'dial in' to use resources on a network at a different office, as the VPN is all done by the router, and this is the main function that I use to link up all the offices. The 2950 allows for 200 VPN accounts to be set up for Remote dial in user and even LAN-to-LAN, which is quite impressive and does suggest that it can handle more connections and data processing than the older Drayteks, and deserving of the title of being an "Enterprise" router.

The router can restrict what sites users can access using several methods. I can restrict sites and even content by category, keyword, file type, etc. At the moment, I have blocked Facebook , YouTube and a bunch of other Social Networking sites *EVIL LAUGH*. (Okay, not my idea. It was boss's orders). This feature is handy when you find that your staff wastes too much time on these sites during office hours and although the functions work, they seem overzealous at times. This is particularly true with the Category Block, which at times, blocks sites that I don't expect it to block.

One problem I've found with using the category blocking is that after I've ticked several of the categories and it blocks a certain website that a member of staff is supposed to be able to access, I struggle to find which category to untick to give them access to that particularly site. As a result, I don't use the category block any more and just do the URL Content filter. Even this can block legitimate sites if they mention a word in the URL or on the web page that's in the filter. For example, a BBC article on 'YouTube' would be blocked and a site with the URL "AbeBooks .com" would be blocked because I have "Bebo" in the filter to block bebo.com (another Social Network site). I would prefer to be able to exempt certain sites from the category blocks as well but it's a minor niggle.

I am able to exempt computers from the blocks but this isn't very flexible and I'm only able to exempt four computers from the blocks. Fine for exempting the boss's computer so that he can go on YouTube in his own office! I have found the Instant Messager (MSN, Yahoo, etc) filter to block the messengers a bit tricky to use and on many occasions of attempting to use it, it blocked all Internet access for everyone, which is no good, so I gave up as it seemed risky. It was much easier to do with the older Draytek routers so not sure why it was so tricky with the 2950 although the newer firmware (the software in the router) I've upgraded to may have resolved this by now.

Port forwarding is critical for certain applications but this is a standard feature of most routers. This is easy to use and I've found that as the number of individual ports that can be forwarded had increased from 10 to 20, which is good that they're making it more flexible for the administrator.

It has other handy features like load balancing, letting you choose which users use which broadband connection if there's more than one, fail-over, email alerts and loads more features I'm not familiar with.

MY EXPERIENCE

When the 2950 was first implemented at my work place, I noticed a dramatic speed increase in page loading for Intranet pages. Everything was all good but a few months down the line, users started to report slow web page loading times for all website, which I would fix by rebooting the router. However, this repeatedly happened on a weekly basis and on some occasions, setting the site restrictions seemed to have caused the same slowness symptom after clicking the Save button so I duly contacted Draytek to see what I could do. They suggested upgrading the firmware, which I did and this resolved the problem. Now, I do not need to reboot the router as often (2-3 months each time at least). I've done a number of firmware updates for the 2950 at the various offices, usually to resolve minor problems or to add new features and added reliability.

It is good that Draytek are providing support for the 2950 and are constantly coming up with firmware upgrades containing new functions and added reliability but I would have had fewer problems in the past if they'd done a better job with the older firmware. I've noticed they aren't releasing further firmware updates for their older routers, which is a shame as I own a Vigor 2600G at home even though I'm not currently using it.

SUPPORT

Draytek can be contacted for support regarding the 2950 and they can be contacted by email or by phone. I've emailed with questions on a number of occasions and have received replies usually within one working day with helpful replies. I've also phoned their premium support number for help and not been put on hold. The support representative knew what they were doing and I did manage to do what I wanted with their help. They also have a 'first time connection' support line, which I've also used when I signed up to Be Pro, an ISP specialising in fast ADSL2+ broadband. Setting up ADSL2+ from Be is very different to setting up a normal ADSL connection in terms of router configuration so I was completely lost. I'd called up Be to help me get connected using the Vigor 2950 and Vigor 110 combination but they were not familiar with Draytek routers so advised me to phone Draytek. Draytek did manage to get me up and running after upgrading the firmware on both the Vigor 2950 and 110 and they even published the information on how to their website now.

SUMMARY

PROS
- Lots of features
- Powerful
- VPN
- New firmware updates being released
- Dual WAN for load balancing and backup
- Good manufacturer support

CONS
- Problems with older firmware so do need to upgrade
- Requires a Draytek Vigor 100/110 or other router set up in a non-NAT configuration

VERDICT

I do not like the fact that you need to purchase a non-NAT router in conjunction with the 2950 for the setup and I could have done without the occasional problems but overall, I feel the 2950 is a very good router/firewall. It's quite cheap for an Enterprise level router, especially when compared to CISCO products in the same price range, which would probably not even have the VPN function as that would most likely require an extra box to be purchased just for the VPN functionality. Otherwise, a much more expensive CISCO router with the function would be required, which would probably cost £1,000+, making the £320 for the 2950 and the £100 for the two Vigor 100s (for use with two ADSL broadband lines) seem like peanuts. However, I see the 2950 as a router with the added bonus of having VPN capabilities but with a CISCO, although considerably more expensive, usually has hardware that is made for the job in particular so I would expect a CISCO to perform better than the Draytek (but I do not know from experience).

A CISCO router would probably require fewer reboots (maybe once a year or even less) so they are more reliable but they would require a CISCO qualified engineer to configure (at cost). Despite this, if the budget allows, I'd also consider CISCO products for the added security and reliability. However for a small to medium business where budget is limited, the Draytek Vigor 2950 can do the job, is easy to configure, is low cost and has good manufacturer support so I'm happy to recommend it.

Thanks for reading!

Summary: Draytek Vigor 2950 Enterprise Firewall Router

Processing/Quality:
Reliability:
Ease of use:
Features: