DrayTek Vigor 3900 review
DrayTek’s latest firewall router appliance is designed for businesses that really can’t afford to lose their internet connection. It provides no fewer than six Gigabit WAN ports, five of which can be used for load balancing or failover duties, and can be aggregated together with a sixth single WAN link to be used as a last resort if all else fails. There’s also 3G USB modem support.
This lightweight 1U rack chassis is fanless and completely silent. The three Gigabit LAN ports comprise two copper and one SFP fibre ports, and the five Gigabit WAN port group also includes an SFP port. The web interface is easy to use, and quick-start wizards get you up and running. For the LAN ports, you create profiles that define NAT or routed operations, DHCP services and IPv6 functions.
Profiles for the WAN ports define the internet connection type, IP addressing and VLAN membership. WAN ports can then be grouped together in pools, at which point you decide whether they should be load balanced or provide failover.
For the former, a weighting value can be assigned to each member port to determine how traffic is balanced across them. For failover, just choose a primary member and an associated backup link. Plenty of bandwidth management tools are provided, and these include rate controls and options to apply one of eight QoS priority queues to specific services.
Selected traffic can be controlled with rules that contain source and destination IP addresses and the individual WAN profile or pool that it should use. Rules can also be applied to all protocols, or specific ones such as HTTP, FTP, SMTP or POP3, and the appliance can handle up to 64 rules.
A standard SPI firewall is provided, and you can add a range of rules in groups to further control traffic. It’s worth setting up network objects first, since these are used to represent hosts, IP address ranges, services, protocols, schedules and so on, and simplify firewall rule creation.
Objects are also used in application filters for IM and P2P applications, and up to eight profiles are supported for blocking or allowing file extensions. The 3900 doesn’t offer antivirus or anti-spam services, but the optional Commtouch GlobalView URL-filtering feature costs a modest £65 per year. This provides six main URL categories offering a total of 65 subcategories. Along with time schedules, the URL filter profiles can also apply keyword and file extension checks to web traffic.
SSL VPNs will be available in the next firmware release, so support is currently limited to the IPsec variety. These provide an impressive range of features, with up to 500 tunnels supported, and different WAN links can be used to create high-speed, fault-tolerant VPN trunks between sites.
On the downside, reporting is minimal, since DrayTek’s SmartMonitor won’t be supported until the next firmware release. Syslog data can be downloaded from the web interface in the form of a text file, but it isn’t particularly sophisticated. DrayTek’s Vigor ACS reporting tool is supported, but this is designed to manage multiple devices.
This is only a minor consideration, however, because at this price there’s little to touch the Vigor 3900 for WAN load balancing and failover features.