In our Office Location we have a VDSL100 Business (up to 100 MBit/s downstream with an up to 40 MBit/s upstream) by Deutsche Telekom, with one (1) fixed IPv4 and a big IPv6 network. Before we had a FritzBox attached to the VDSL and used a pfSense behind it. The new setup (due to the issues with double NAT) looks like this: A Draytek Vigor130 as VDSL Modem and an UniFi Security Gateway 3P as Firewall/Router.
We configured the Draytek Vigor130 as a VDSL Modem. That was simple by doing the following in the Web Interface of the Draytek Vigor130, goto Internet Access > General Setup:
The Tag value is the VLAN that our ISP is using: VLAN 7
You can ignore this here and do that on the UniFi Security Gateway, but I like to do that as soon as possible so I decided to do it on the Modem. We tested both, and both configurations seemed to work just fine.
Goto Internet Access > PPPoE / PPPoA and disable PPPoE/PPPoA Client:
Everything will be greyed out then!
Goto Internet Access > MPoA / Static or dynamic IP and enable MPoA (RFC1483/2684) and Bridge Mode:
Remark: We had to set the MTU to 1492 here, I will write about that a bit later.
Goto Internet Access > IPv6 and disable it (might be already the case)
The Draytek Vigor130 reboots and should bring up the connection. Goto Diagnostics > DSL Status and wait until you see SHOWTIME
Please note: Online Status > Physical Connection is another way to see if the Draytek Vigor130 is connected.
However, the WAN Status shows that the Draytek Vigor130 is Offline. That makes sense, cause the Draytek Vigor130 acts as a Modem only now. Nevertheless, the LAN Status and the VDSL2 Information might be still useful for you!
At the moment we use the Draytek Firmware 3.8.4_m7
Now open the UniFi Controller and go to Settings > Networks > WAN
In IPV4 select PPPoE
In IPV6 select Using DHCPv6
We have to use a Prefix Delegation Size of 56 (Our ISP provides an /64 routing network and an /56 network for us).
In the COMMON SETTINGS you can provide the external DNS Servers to use, most people I know use the Google DNS Servers (
18.104.22.168)! I prefer to use the CloudFlare DNS Servers (
22.214.171.124) instead. You might also want to use your ISP’s DNS Server.
If you do not Tag the PPoE VLAN on the Draytek (as we do), you have to select Use VLAN ID and put it in here!
About Smart Queues: I would love to use them, but we found out, that this causes a lot of issues! So we decided to leave them off for now!
After the provisioning of the Controller should show something like this:
You should be able to access the Internet from within your local Network (LAN)! And you might want to run some Speed Tests to check if everything works as it should!
Now you might want to configure your IPv6 networking! In the UniFi Controller and go to Settings > Networks > YOURLAN > EDIT NETWORK
Try Prefix Delegation here, and the UniFi Security Gateway will provide something out of the big range for you.
In our case that doesn’t work! I tried everything but the internal interface never offered an IPv6 lease, and never advertised itself as a Router (IPv6 RA)!!!
I think, that this is caused by the two networks that our ISP routes to us. The UniFi Security Gateway will get an Address on the WAN Interface out of the /64 routing network. And it looks like the UniFi Security Gateway is unable to handle the separated /56 and slice it to smaller chunks.
So I decided to split our /56 IPv6 network into /64 chunks. I know that many other vendors didn’t like IPv6 networks bigger than /64 as well!
Here is an example:
Please note: The IPv6 DHCP range is limited to 2000 entries:
And now all your clients can access the Internet via IPv4 and IPv6.
But now I found the following issue: The CPU load on the UniFi Security Gateway was constantly over 60%, while the connection was idle. All caused by the
With the help of the community Forum and a lot of Web Searches, I figured out how to solve that.
Open a SSH Session to you UniFi Security Gateway and do the following:
Save this snippet somewhere! It will be gone when the UniFi Security Gateway provisions again. However, you will see that immediately (Load might go up very quick).
Another issue that we found: Sometimes the UniFi Security Gateway gets an external IPv6 address, but it stops to advertise them internally! We have some servers that have fixed IPv6 addresses (outside of the DHCP) range, and they will not be able to access the Internet then.
So I did the following (SSH to you UniFi Security Gateway again):
We also had this issue twice in one of our home-office locations where we used prefix delegation. It just stopped working after a few weeks. The Workaround above solved that issue.
Last but not least: As soon as you configure your UniFi Security Gateway as the Internet Gateway, you will not be able to access your Draytek Vigor130 anymore!
Under normal circumstances, this is OK! But if you need to update the Firmware and/or want to check the DSL connection, here is a workaround for you:
What this will do: It assign a private IPv4 address out if the range where your Draytek Vigor130 is. In the example above, the Draytek Vigor130 has
192.168.101.254 and the UniFi Security Gateway has
192.168.101.1. You can use whatever you like, just adopt the example above. The example also creates a NAT Rule, that is needed if you want to access the Webinterface from your clients (from your LAN).
As mentioned above: After provisioning, this might be gone.
Nevertheless, in our office location, the UniFi Security Gateway was never really stable! Sometimes a big download from one client makes the complete gateway unstable, and it dropped all connections.
Because we were never able to solve that, we decided to remove the UniFi Security Gateway 3P and replace it with another solution (from another vendor).
Why did we do that? When we used the Draytek Vigor130 as a router (instead of just a modem) everything worked fine. As soon as we switched back to the UniFi Security Gateway as a router/gateway, it was unstable again.
And we also tried it with an AVM Fritzbox 7590 (with and without the Draytek Vigor130 as Modem in-front) and it just worked smooth and very stable.
The new solution (Cisco) works just fine with the Draytek Vigor130 as a VDSL Modem. Stable and rock-solid!!!