Release Notes for DrayTek Vigor 2960 (UK/Ireland): Regular - Upgrade Recommended When Convenient


Release Notes for DrayTek Vigor 2960 (UK/Ireland)

Firmware Version 1.5.1.3 (Formal Release)


Release Type: Regular – Upgrade recommended when convenient
Build Date: 09th March 2021
Release Date: 16th April 2021
Revision: 8203
Applicable Models: Vigor 2960
Locale: UK & Ireland Only

New Features

(none)

Improvements

1. Improved Web GUI security
2. Xauth dial-in username is now recorded to Syslog upon connection/use
3. Updated DNSMASQ for CERT/CC and CISA Reports (VU#434904 / ICSA-21-019-01)
4. Resolved an issue that incorrectly caused the router to send Syslog messages to report
“passwd: Password for x changed by root”, with some specific configuration settings
5. A display error occurred after performing the Auto Firmware Upgrade
6. Disabled SNMP was re-enabled after router's system reboot
7. Router did not respond to Let's Encrypt certificate
8. The 2FA authentication via mail through WAN did not work if WAN port was configured as
Static
9. Importing remote certificate for VPN did not work properly
10. IKEv2 EAP did not work when Let's Encrypt certificate was renewed
11. IPsec VPN could not be established for dial-out IKEv2_EAP tunnels with Xauth
12. IPsec VPN could not reconnect after VPN Peer's WAN IP was changed
13. Improved compatibility with IKEv2 EAP clients connecting with passwords longer than 32
characters

Known Issue

1. High Availability - Updating from a firmware version <=1.1.0.2: Due to significant changes to
High Availability functionality, existing HA configuration will be cleared during the update
process and it will be necessary to reconfigure High Availability after the update
2. L2TP Tunnel - Disable "Force IPsec with L2TP" option in [VPN and Remote Access] > [PPP
General Setup] to allow a standard L2TP tunnel, otherwise the L2TP server will allow L2TP
with IPsec only
3. IP Filter - F/W 1.2.0 onwards changes the behaviour of the IP Filter. After upgrade, some IP
Filter rules may need to be reconfigured. Please read the "Filter Rule Actions" segment of
this guide for more information on the changes:
https://www.draytek.co.uk/support/guides/kb-3900-ipfilter-basics
4. Vigor2960 models with MXIC flash memory cannot be downgraded to firmware prior to
1.2.0. Check the flash memory type with the CLI command "status system":
   Model : Vigor2960
   Hardware Version : 1.0 (M) <----- (M) suffix indicates MXIC Flash memory
   Hardware Version : 1.0 <--------- no suffix indicates Samsung Flash memory, can be downgraded if required

Important Note - Upgrading Firmware

Do not upgrade directly from 1.0.5 (and earlier) to 1.5.1.3.


Due to differences in the Web UI and functionality the router MUST first be upgraded to at least
1.0.7.1 prior to upgrading to 1.5.1.3.
Upgrade your router to Version 1.0.7.1 or later first, and afterwards upgrade the router to Version
1.5.1.
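The version rules in the Known Issue list and the note above can be checked before any firmware change. The following is an added example, not DrayTek code: the function names, the `ha_configured` flag and the sample "status system" text are hypothetical, and it assumes the 1.0.7.1 stepping-stone rule applies to every target from 1.5.1 onwards.

```python
import re
from dataclasses import dataclass, field

# Constructed samples of "status system" output, in the two forms the notes show.
STATUS_MXIC = "Model : Vigor2960\nHardware Version : 1.0 (M)\n"
STATUS_SAMSUNG = "Model : Vigor2960\nHardware Version : 1.0\n"


def parse_version(text):
    """'1.0.7.1' -> (1, 0, 7, 1); short versions are zero-padded, so 1.5.1 == 1.5.1.0."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"not a firmware version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def flash_type(status_output):
    """Classify flash from the 'Hardware Version' line: '(M)' suffix is MXIC, no suffix is Samsung."""
    m = re.search(r"^\s*Hardware Version\s*:\s*(\S+)(?:\s+\((\w+)\))?\s*$",
                  status_output, re.MULTILINE)
    if m is None:
        return "unknown"          # line missing or unreadable
    if m.group(2) is None:
        return "Samsung"
    return "MXIC" if m.group(2) == "M" else "unknown"


@dataclass
class Plan:
    steps: list = field(default_factory=list)     # firmware versions to install, in order
    warnings: list = field(default_factory=list)  # settings to review after the change
    blocked: str = ""                             # non-empty means: do not proceed


def plan_firmware_change(current, target, status_output, ha_configured=False):
    """Apply the release-note rules to a move from `current` to `target` firmware."""
    cur, tgt = parse_version(current), parse_version(target)
    v1_2_0 = parse_version("1.2.0")
    plan = Plan()
    if tgt == cur:
        return plan

    if tgt < cur:
        # Known Issue 4: MXIC flash cannot be downgraded to firmware prior to 1.2.0.
        # An unrecognised flash type is treated the same way (fail closed).
        if tgt < v1_2_0:
            flash = flash_type(status_output)
            if flash == "MXIC":
                plan.blocked = "MXIC flash cannot be downgraded to firmware prior to 1.2.0"
                return plan
            if flash != "Samsung":
                plan.blocked = "flash type not identified; run 'status system' first"
                return plan
        plan.steps.append(target)
        return plan

    # Important Note: 1.0.5 and earlier must pass through at least 1.0.7.1.
    # Assumption: this applies to every target from 1.5.1 onwards.
    if cur <= parse_version("1.0.5") and tgt >= parse_version("1.5.1"):
        plan.steps.append("1.0.7.1")
    plan.steps.append(target)

    # Known Issue 1: HA configuration is cleared when updating from <= 1.1.0.2.
    if ha_configured and cur <= parse_version("1.1.0.2") < tgt:
        plan.warnings.append("HA configuration will be cleared; reconfigure it after the update")
    # Known Issue 3: IP Filter behaviour changes from 1.2.0 onwards.
    if cur < v1_2_0 <= tgt:
        plan.warnings.append("IP Filter behaviour changes from 1.2.0; review filter rules")
    return plan


if __name__ == "__main__":
    for cur, tgt, status in [("1.0.5", "1.5.1.3", STATUS_SAMSUNG),
                             ("1.5.1.3", "1.1.0.2", STATUS_MXIC)]:
        print(cur, "->", tgt, plan_firmware_change(cur, tgt, status, ha_configured=True))
```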

Upgrade Instructions

It is recommended that you take a configuration backup prior to upgrading the firmware. This can
be done from the router's system maintenance menu.

To upgrade firmware, select 'firmware upgrade' from the router's system maintenance menu and
select the correct file.

Manual Upgrade

If you cannot access the router's menu, you can put the router into 'TFTP' mode by holding the
RESET button whilst turning the unit on, and then use the Firmware Utility. TFTP mode is
indicated by all LEDs flashing. This mode will also be automatically enabled by the router if
there is a firmware/settings abnormality. Upgrading from the web interface is easier and
recommended – this manual mode is only needed if the web interface is inaccessible.

Firmware Version 1.5.1.2 (Formal Release)

Release Type: Regular – Upgrade recommended when convenient
Build Date: 28th August 2020
Release Date: 28th September 2020
Revision: 8183
Applicable Models: Vigor 2960
Locale: UK & Ireland Only

New Features

(none)

Improvements

1. The router’s self-signed certificate will change upon upgrade for compatibility with new
browser certificate requirements.
Starting from September 2020, many client operating systems and browsers will limit the
lifetime of publicly trusted TLS server certificates to 398 days or less, and connections will
be rejected if a certificate exceeds this. This firmware will automatically re-sign all
self-signed certificates with a lifetime of 395 days (was 2 years or longer in older versions)
2. Improved IPsec VPN stability with multiple WAN interfaces
3. LAN DNS did not work for LAN to LAN VPN
4. Firewall country object mechanism improvements

Known Issue

1. High Availability - Updating from a firmware version <=1.1.0.2: Due to significant changes to
High Availability functionality, existing HA configuration will be cleared during the update
process and it will be necessary to reconfigure High Availability after the update
2. L2TP Tunnel - Disable "Force IPsec with L2TP" option in [VPN and Remote Access] > [PPP
General Setup] to allow a standard L2TP tunnel, otherwise the L2TP server will allow L2TP
with IPsec only
3. IP Filter - F/W 1.2.0 onwards changes the behaviour of the IP Filter. After upgrade, some IP
Filter rules may need to be reconfigured. Please read the "Filter Rule Actions" segment of
this guide for more information on the changes:
https://www.draytek.co.uk/support/guides/kb-3900-ipfilter-basics
4. Vigor2960 models with MXIC flash memory cannot be downgraded to firmware prior to
1.2.0. Check the flash memory type with the CLI command "status system":
   Model : Vigor2960
   Hardware Version : 1.0 (M) <----- (M) suffix indicates MXIC Flash memory
   Hardware Version : 1.0 <--------- no suffix indicates Samsung Flash memory, can be downgraded if required

Firmware Version 1.5.1.1 (Formal Release)

Release Type: Critical – Upgrade recommended immediately
Build Date: 3rd June 2020
Release Date: 24th June 2020
Revision: 8172
Applicable Models: Vigor 2960
Locale: UK & Ireland Only

New Features

(none)

Improvements

1. Improved WebGUI security
2. Disabled local/remote port forwarding via SSH
3. DNS could not be resolved over VPN for Remote Dial-In VPN users with a local DNS server
4. Improved IPsec VPN stability
5. Resolved a problem with User Profiles caused by the special character "'" in the Name
6. Fixed an issue that could cause the web interface to stop responding in some conditions
7. Improved NTP time checking behaviour after the router is rebooted
8. In some scenarios, Network Address Translation wasn’t applied to all outgoing TCP packets
9. Bind IP to MAC table did not sort correctly when set to sort alphabetically
10. Reduced time to load initial Dashboard display when logging in to the router’s web interface
11. Let’s Encrypt certificate was not applied to Web UI with management from internet disabled
12. IPsec Xauth username was not displayed correctly in VPN Connection Management
13. Some Firewall Filter Rule settings could not be applied to OpenVPN connections
14. IPsec Aggressive mode Pre-Shared Key could not be saved if Peer ID was empty
15. Dial-In IKEv2 MultiSA VPN connection could not be established with the router behind NAT
16. L2TP over IPsec VPNs could not be terminated correctly from VPN Connection Management
17. In some rare conditions, the router could stop passing LAN-to-LAN IPsec VPN traffic

Known Issue

1. High Availability - Updating from a firmware version <=1.1.0.2: Due to significant changes to
High Availability functionality, existing HA configuration will be cleared during the update
process and it will be necessary to reconfigure High Availability after the update
2. L2TP Tunnel - Disable "Force IPsec with L2TP" option in [VPN and Remote Access] > [PPP
General Setup] to allow a standard L2TP tunnel, otherwise the L2TP server will allow L2TP
with IPsec only
3. IP Filter - F/W 1.2.0 onwards changes the behaviour of the IP Filter. After upgrade some IP
Filter rules may need to be reconfigured. Please read the "Filter Rule Actions" segment of
this guide for more information on the changes:
https://www.draytek.co.uk/support/guides/kb-3900-ipfilter-basics
4. Vigor2960 models with MXIC flash memory cannot be downgraded to firmware prior to
1.2.0. Check the flash memory type with the CLI command "status system":
   Model : Vigor2960
   Hardware Version : 1.0 (M) <----- (M) suffix indicates MXIC Flash memory
   Hardware Version : 1.0 <--------- no suffix indicates Samsung Flash memory, can be downgraded if required

Firmware Version 1.5.1 (Formal Release)

Release Type: Critical – Upgrade recommended immediately
Build Date: 5th February 2020
Release Date: 7th February 2020
Revision: 8136
Applicable Models: Vigor 2960
Locale: UK & Ireland Only

New Features
(none)

Improvements

1. Improved WebGUI security
2. Changing LDAP server port did not work properly
3. Improved Two-Factor Authentication used for additional web interface security

Known Issue

1. After upgrading Vigor2960/Vigor3900 to the latest firmware version 1.5.0 or 1.5.1,
customers who use their local DNS server may find that VPN clients fail to resolve DNS.
Workaround:
a) Upgrade to the 1.5.1.1 firmware or
b) Specify the local DNS server in Vigor Router's WAN Setup page:

Important Note - Upgrading Firmware

Do not upgrade directly from 1.0.5 (and earlier) to 1.5.1.


Due to differences in the Web UI and functionality the router MUST first be upgraded to at least
1.0.7.1 prior to upgrading to 1.5.1.
Upgrade your router to Version 1.0.7.1 or later first, and afterwards upgrade the router to Version
1.5.1.

Upgrade Instructions

It is recommended that you take a configuration backup prior to upgrading the firmware. This can
be done from the router's system maintenance menu.

To upgrade firmware, select 'firmware upgrade' from the router's system maintenance menu and
select the correct file.

Manual Upgrade

If you cannot access the router's menu, you can put the router into 'TFTP' mode by holding the
RESET button whilst turning the unit on, and then use the Firmware Utility. TFTP mode is
indicated by all LEDs flashing. This mode will also be automatically enabled by the router if
there is a firmware/settings abnormality. Upgrading from the web interface is easier and
recommended – this manual mode is only needed if the web interface is inaccessible.

Firmware Version 1.5.0 (Formal Release)

Release Type: Regular – Upgrade recommended when convenient
Build Date: 10th December 2019
Release Date: 16th January 2020
Revision: 8124
Applicable Models: Vigor 2960
Locale: UK & Ireland Only

New Features

1. Two-Factor Authentication is now supported for additional web interface security
2. IKEv2 EAP Dial-Out LAN to LAN tunnel (e.g. NordVPN Server)
3. Support certificate choices for OpenVPN
4. Support ACMEv2 for Let's Encrypt certificate

Improvements

1. Both the SNMPv1 and SNMPv2 can be enabled/disabled
2. Default cipher for OpenVPN is now AES-256-CBC
3. WAN Inbound Load Balance can no longer be enabled without active profiles configured
4. Added support for static IP address assignment to IKEv2 EAP VPN clients
5. APPE signature updated
6. SSH Server version updated
7. IP database for country objects updated
8. Let's Encrypt certificate improvements:
a. Reduced the retry interval
b. Fixed certificate generation when IP ACL was enabled
c. Fixed IKEv2 EAP certificate issue with Windows 10
9. Improved SSL VPN compatibility with Apple devices.
Self-Signed certificate’s Valid To date is now 2 years from date of generation. Regenerate the
router’s Self-Signed Certificate to meet the new trusted certificate requirements of Apple
iOS 13 & macOS 10.15. Longer Valid To periods can be specified by generating a Local
Certificate and self-signing it with the router’s internal Root CA.
10. Route policy with normal priority and disabled failover had higher priority than VPN routing
11. In some cases router would reply to packets for non-open ports on WAN by default
12. Second PPPoE WAN connection could not be established in some scenarios
13. Central AP management for VigorAP920RPD updated
14. Product registration to VigorACS server mechanism improved
15. WCF was only compatible with firewall default policy set to Accept rule
16. SSL VPN legend in PPP General Setup page updated

Known Issue

1. High Availability - Updating from a firmware version <=1.1.0.2: Due to significant changes to
High Availability functionality, existing HA configuration will be cleared during the update
process and it will be necessary to reconfigure High Availability after the update
2. L2TP Tunnel - Disable "Force IPsec with L2TP" option in [VPN and Remote Access] > [PPP
General Setup] to allow a standard L2TP tunnel, otherwise the L2TP server will allow L2TP
with IPsec only
3. IP Filter - F/W 1.2.0 onwards changes the behaviour of the IP Filter. After upgrade some IP
Filter rules may need to be reconfigured. Please read the "Filter Rule Actions" segment of
this guide for more information on the changes:
https://www.draytek.co.uk/support/guides/kb-3900-ipfilter-basics
4. Vigor2960 models with MXIC flash memory cannot be downgraded to firmware prior to
1.2.0. Check the flash memory type with the CLI command "status system":
   Model : Vigor2960
   Hardware Version : 1.0 (M) <----- (M) suffix indicates MXIC Flash memory
   Hardware Version : 1.0 <--------- no suffix indicates Samsung Flash memory, can be downgraded if required

Firmware Version 1.4.4 (Formal Release)

Release Type: Regular – Upgrade recommended when convenient
Build Date: 7th July 2019
Release Date: 29th July 2019
Revision: 8057
Applicable Models: Vigor 2960
Locale: UK & Ireland Only

New Features
(None)

Improvements
1. Switch Management supports VigorSwitch G1280
2. Support Radius authentication for OpenVPN
3. DDNS update would fail in some circumstances
4. Improved CPU usage when running PPPoE server for 100 clients
5. For the web portal, the PC would be directed to a null web page after clicking the OK button
in the Bulletin Board
6. Port Redirection and VPN connection became non-functioning after running the router for a
few days
7. Web portal’s logout function did not work with the Chrome Browser
8. Vigor router did not offer IP for IKEv2 EAP user integrated with RADIUS and DHCP relay
9. OpenVPN VPN tunnel could not authenticate if the password contained “#” or “.” characters
10. [Central Management] > [AP Management] did not list VigorAP903
11. Unified format of [AP Management] / [Switch Management] support list
12. Unable to import IP bind MAC file if login language wasn't English
13. Windows 10 IKEv2 EAP Client had to enter the password twice for creating the VPN
connection to Vigor router

Known Issue
1. High Availability - Updating from a firmware version <=1.1.0.2: Due to significant changes to
High Availability functionality, existing HA configuration will be cleared during the update
process and it will be necessary to reconfigure High Availability after the update
2. L2TP Tunnel - Disable "Force IPsec with L2TP" option in [VPN and Remote Access] > [PPP
General Setup] to allow a standard L2TP tunnel, otherwise the L2TP server will allow L2TP
with IPsec only
3. IP Filter - F/W 1.2.0 onwards changes the behaviour of the IP Filter. After upgrade some IP
Filter rules may need to be reconfigured. Please read the "Filter Rule Actions" segment of
this guide for more information on the changes:
https://www.draytek.co.uk/support/guides/kb-3900-ipfilter-basics
4. Vigor2960 models with MXIC flash memory cannot be downgraded to firmware prior to
1.2.0. Check the flash memory type with the CLI command "status system":
   Model : Vigor2960
   Hardware Version : 1.0 (M) <----- (M) suffix indicates MXIC Flash memory
   Hardware Version : 1.0 <--------- no suffix indicates Samsung Flash memory, can be downgraded if required

Firmware Version 1.4.3 (Formal Release)

Release Type: Critical – Upgrade recommended immediately
Build Date: 3rd March 2019
Release Date: 13th March 2019
Revision: 8012
Applicable Models: Vigor 2960
Locale: UK & Ireland Only

New Features

(None)

Improvements

1. Additional Web Interface XSS protections
2. Updated MAC object OUI database
3. Support for DHCP option 121 in the router’s WAN DHCP client
4. Support for Comma character ',' in advanced DHCP options
5. A problem with the Open VPN debug log could cause a problem with logging in to the
router’s web interface
6. VPN Syslog was shown in Others tab instead of VPN tab of Syslog Utility
7. VigorACS generated an offline alarm for the Vigor router when the router was configured to
use HTTPS for the VigorACS server URL
8. Authentication via LDAP server failed when the username contained special characters, i.e. "("

Known Issue

1. High Availability - Updating from a firmware version <=1.1.0.2: Due to significant changes to
High Availability functionality, existing HA configuration will be cleared during the update
process and it will be necessary to reconfigure High Availability after the update
2. L2TP Tunnel - Disable "Force IPsec with L2TP" option in [VPN and Remote Access] > [PPP
General Setup] to allow a standard L2TP tunnel, otherwise the L2TP server will allow L2TP
with IPsec only
3. IP Filter - F/W 1.2.0 onwards changes the behaviour of the IP Filter. After upgrade some IP
Filter rules may need to be reconfigured. Please read the "Filter Rule Actions" segment of
this guide for more information on the changes:
https://www.draytek.co.uk/support/guides/kb-3900-ipfilter-basics
4. Vigor2960 models with MXIC flash memory cannot be downgraded to firmware prior to
1.2.0. Check the flash memory type with the CLI command "status system":
   Model : Vigor2960
   Hardware Version : 1.0 (M) <----- (M) suffix indicates MXIC Flash memory
   Hardware Version : 1.0 <--------- no suffix indicates Samsung Flash memory, can be downgraded if required

Firmware Version 1.4.2.1 (Formal Release)

Release Type: Regular – Upgrade recommended when convenient
Build Date: 28th January 2019
Release Date: 29th January 2019
Revision: 7982
Applicable Models: Vigor 2960
Locale: UK & Ireland Only

New Features

(None)

Improvements

1. In some circumstances, after a period of uptime, the web interface, SSH and Telnet
management interfaces could respond from the Internet when remote management for
these interfaces was disabled
2. Tx/Rx bytes in [Diagnostics] > [Data Flow Monitor] can be reset by disabling & enabling Data
Flow Monitor
3. It was not possible to log into the Web user interface in some specific circumstances
4. Country code setting could not be configured with Google Chrome browser
5. Web Content Filter license information could be displayed incorrectly after loading a
configuration file from a different router
6. Device Name for VigorAP displayed incorrectly in [Central Management] > [AP Management]
> [Dashboard]
7. LDAP Search Button did not work when the Regular DN setting contained a space
8. Port Description could not be added on active uplink port in [Central Management] > [Switch
Management] > [Profile]
9. IP configured in Keyword Accept rule was blocked when HTTPS Filter was enabled
10. Router reboot could occur when both URL/WCF and HTTPS Filter were enabled
11. Web Portal now supports Responsive web design for mobile phones
12. An incorrect message displayed in the Web Portal on Android Phones
13. FTP transfers could cause higher than normal CPU usage
14. SNMP OID IfDescr displayed many unknown PPP1500 interfaces
15. SNMP OID of WAN Interface changed each time the WAN interface disconnected and
reconnected
16. Unable to block SNMP from WAN
17. ARP cache could not be cleared
18. Syslog was not sent to remote syslog server after changing WAN IP
19. Router sent multiple mail alerts notifying of WAN disconnection if the WAN did not receive
DHCP response
20. No traffic passed between subnets configured on [LAN] > [General Setup] > [More Subnet]
when HA was working and the master device was down
21. Improved Rogue DHCP server detection and alarm feature
22. WhatsApp could not be blocked when the “Allow non-HTTP Traffic” option was disabled
23. Unable to save WLAN profile on [Central Management] > [AP Management] > [WLAN
profile] when SSID3 was disabled but SSID was enabled
24. WANs allowed for OpenVPN can be selected in [VPN and Remote Access] > [OpenVPN
General Setup]
25. Improved stability of IPsec Multiple SA tunnels
26. Improved stability of IPsec VPNs linked to IP Routed LAN interfaces
27. SSL VPN (SSL dial-in profile) could not be established when using Let's Encrypt Certificate
28. A user profile with static IP address could not establish OpenVPN tunnel
29. OpenVPN tunnel could not be established for LAN interfaces with DHCP disabled and
“Specify Remote Dial-in IP” set
30. LAN DNS addresses were not correctly specified for OpenVPN tunnel clients
31. Static IP could not be assigned for an OpenVPN tunnel if the address was out of LAN DHCP
range
32. Improved interoperability with CheckPoint VPN router by resolving IKE phase1 rekey failure
33. IPsec VPN tunnel to Cisco peer could be established but would not pass data through the
tunnel

Known Issue

1. High Availability - Updating from a firmware version <=1.1.0.2: Due to significant changes to
High Availability functionality, existing HA configuration will be cleared during the update
process and it will be necessary to reconfigure High Availability after the update
2. L2TP Tunnel - Disable "Force IPsec with L2TP" option in [VPN and Remote Access] > [PPP
General Setup] to allow a standard L2TP tunnel, otherwise the L2TP server will allow L2TP
with IPsec only
3. IP Filter - F/W 1.2.0 onwards changes the behaviour of the IP Filter. After upgrade some IP
Filter rules may need to be reconfigured. Please read the "Filter Rule Actions" segment of
this guide for more information on the changes:
https://www.draytek.co.uk/support/guides/kb-3900-ipfilter-basics
4. Vigor2960 models with MXIC flash memory cannot be downgraded to firmware prior to
1.2.0.
Check the flash memory type with the CLI command "status system":
   Model : Vigor2960
   Hardware Version : 1.0 (M) <----- (M) suffix indicates MXIC Flash memory
   Hardware Version : 1.0 <--------- no suffix indicates Samsung Flash memory, can be downgraded if required

Firmware Version 1.4.2

Release Type: Withdrawn (See Known Issues entry #1)
Build Date: 26th December 2018
Release Date: 23rd January 2019
Revision: 7964
Applicable Models: Vigor 2960
Locale: UK & Ireland Only

New Features

(None)

Improvements

(Same as 1.4.2.1 entries #2 to #33)

Known Issue

1. Remote Management – In some configurations, SSH and Telnet management interfaces
could respond from the Internet when remote management for these interfaces was
disabled
2. High Availability - Updating from a firmware version <=1.1.0.2: Due to significant changes to
High Availability functionality, existing HA configuration will be cleared during the update
process and it will be necessary to reconfigure High Availability after the update
3. L2TP Tunnel - Disable "Force IPsec with L2TP" option in [VPN and Remote Access] > [PPP
General Setup] to allow a standard L2TP tunnel, otherwise the L2TP server will allow L2TP
with IPsec only
4. IP Filter - F/W 1.2.0 onwards changes the behaviour of the IP Filter. After upgrade some IP
Filter rules may need to be reconfigured. Please read the "Filter Rule Actions" segment of
this guide for more information on the changes:
https://www.draytek.co.uk/support/guides/kb-3900-ipfilter-basics
5. Vigor2960 models with MXIC flash memory cannot be downgraded to firmware prior to
1.2.0.
Check the flash memory type with the CLI command "status system":
   Model : Vigor2960
   Hardware Version : 1.0 (M) <----- (M) suffix indicates MXIC Flash memory
   Hardware Version : 1.0 <--------- no suffix indicates Samsung Flash memory, can be downgraded if required

Firmware Version 1.4.1 (Formal Release)

Release Type: Regular – Upgrade recommended when convenient
Build Date: 28th July 2018
Release Date: 4th September 2018
Revision: 7815
Applicable Models: Vigor 2960
Locale: UK & Ireland Only

New Features

1. VigorSwitch P2280 & G2280 can now be managed by the router’s Switch Management

Improvements

1. USB Thermometer was not detected in some configurations
2. Configuration Backup made through VigorACS could not be restored
3. SNMP service stopped working for a period of time and recovered again
4. Removed duplicate OpenVPN service enable setting in [OpenVPN General Setup]
5. Subnets other than /24 were not assigned correctly to OpenVPN clients
6. IPsec LAN to LAN tunnels could not be created through central VPN management
7. Added support for management of VigorAP 920R
8. Central AP Management was unable to manage VigorAPs
9. IPsec VPNs with multiple SA tunnels were unstable
10. After downgrading to v1.3.3.2, Vigor router would upgrade to v1.4.0 automatically
11. Improved IPsec VPN stability
12. LAN packets for DHCP relay could not be routed through the WAN correctly
13. Corrected the functionality of the WAN Bridge to VLAN feature
14. “File System Verify failed” message incorrectly displayed when logging into WUI
15. If disabling a “packet-triggered” VPN IPsec LAN to LAN profile, the profile could not
reconnect the tunnel after the WAN interface dropped & reconnected
16. Improved IPsec VPN stability for profiles configured with a subnet mask of /32
17. IPsec dial-in user VPN failed to connect where the VPN client was behind NAT and IPsec
profile configured with static remote host address
18. Improved stability of the Data Flow Monitor function

Known Issue

1. High Availability - Updating from a firmware version <=1.1.0.2: Due to significant changes to
High Availability functionality, existing HA configuration will be cleared during the update
process and it will be necessary to reconfigure High Availability after the update
2. L2TP Tunnel - Disable "Force IPsec with L2TP" option in [VPN and Remote Access] > [PPP
General Setup] to allow a standard L2TP tunnel, otherwise the L2TP server will allow L2TP
with IPsec only
3. IP Filter - F/W 1.2.0 onwards changes the behaviour of the IP Filter. After upgrade some IP
Filter rules may need to be reconfigured. Please read the "Filter Rule Actions" segment of
this guide for more information on the changes:
https://www.draytek.co.uk/support/guides/kb-3900-ipfilter-basics
4. Vigor2960 models with MXIC flash memory cannot be downgraded to firmware prior to
1.2.0.
Check the flash memory type with the CLI command "status system":
   Model : Vigor2960
   Hardware Version : 1.0 (M) <----- (M) suffix indicates MXIC Flash memory
   Hardware Version : 1.0 <--------- no suffix indicates Samsung Flash memory, can be downgraded if required

Firmware Version 1.4.0 (Formal Release)

Release Type: Regular – Upgrade recommended when convenient
Build Date: 28th April 2018
Release Date: 17th May 2018
Revision: 7702
Applicable Models: Vigor 2960
Locale: UK & Ireland Only

New Features

1. OpenVPN support added as a VPN protocol for Remote Dial-In Users
2. DrayDDNS (DrayTek Dynamic DNS) support added in [Applications] > [Dynamic DNS]
3. Support for Let’s Encrypt HTTPS certificates added in:
[Certificate Management] > [Local Certificate] (click Let’s Encrypt button to configure)
4. Support for Remote Dial-In user IKEv2 connections using Windows 7, 8, 10 VPN client
5. Inter-LAN Routing configuration now supports Route Groups to give detailed control of
connectivity between VLANs

Improvements

1. Support for VigorACS Server version 2.3.0
2. Configuring a backup WAN interface in [Routing]>[Load Balance Pool] now allows the
backup interface to operate as a backup for multiple WAN interfaces, instead of a single
WAN
3. Setting the Load Balance Mode to Session-Based now allows selection of protocols to
exclude from the Session-Based Load Balance mechanism i.e. HTTPS & IPsec
4. Added "Exclude LAN-to-WAN Traffic from DoS Defense" option to ignore outbound traffic
from DoS defense in [Firewall]>[DoS Defense]>[System]
5. Support source NAT for incoming traffic in [NAT]>[Port Redirection] with the Change Source
IP setting, which translates the external IP into the specified internal source IP
6. Improved handling efficiency of IPsec ISAKMP packets
7. Improvements to VPN handling to increase VPN upload & download throughput
8. IKEv2 IPsec VPN now supports FQDN as a Local / Remote ID type
9. Remote Dial-In User IKEv2 VPN now supports LDAP / RADIUS authentication
10. Improved IKEv2 VPN tunnel interoperability with Fortinet VPN endpoints
11. IKEv2 LAN to LAN VPN tunnels can specify these new Proposal options:
a) Diffie-Hellman (DH) Group 19 (256-bit Elliptic Curve)
b) Diffie-Hellman (DH) Group 20 (384-bit Elliptic Curve)
c) Diffie-Hellman (DH) Group 21 (512-bit Elliptic Curve)
12. Improved display of VPN uptime in [VPN and Remote Access] > [Connection Management]
13. Added note to [VPN and Remote Access] > [PPP General Setup] with recommended VPN
types for each client platform
14. Allowed IPsec Dial-In Security methods (DES, 3DES, AES) can now be specified for IPsec
Remote Dial-In Users from [VPN and Remote Access] > [IPsec General Setup]
15. Changing LAN configuration settings (except for the router’s LAN IP) no longer drops active
Internet / VPN connections
16. Improved wording in [VPN and Remote Access] > [PPP General Setup] > L2TP tab
17. Updated OpenSSL for CVE-2018-0739
18. Reduced the time from router restart / power up to activate the router’s LAN and WAN
interfaces
19. Added an import/export button for keyword objects
20. Updated APP Enforcement signatures
21. Updated the Cyren URL Category Check Link
22. Added “More log” (more detailed syslogs) option in [Firewall]>[Filter Setup]>[URL/WCF
Category Filter] profiles
23. DrayTek WCF and URL filter log can be displayed on [System Maintenance]>[Syslog/Mail
Alert]>[Syslog File]
24. Support default route and failover function for BGP
25. Added auto configuration backup option in [System Maintenance]>[Configuration Backup]
26. The warning message for changing access port number will be shown only when remote
access is enabled
27. Added an option (for user/guest profile) to log out an online device when the number of
logins is over the limit
28. Support router's local services (NTP, DNS and so on) via WAN alias IP
29. Improved the interface to add WAN IP Alias entries in [WAN]>[General Setup]
30. Vigor router can intercept the DNS packets to reply or forward the DNS query according to
LAN DNS setting
31. Added an “Enable / Disable SMBv1” option in [USB Application]>[SAMBA Server]>[General
Setup]
32. Improved the menu layout for AP Management
33. DoS options can no longer be modified when the DoS Defense Enable option is not ticked
34. Support destination IP selections for white list settings on [User Management]>[Web
Portal]>[General Setup]
35. Use System Time instead of Browser Time to display Traffic Graph
36. CSM: Unable to open Yahoo WEB page after applying URL keyword “flickr” for web page
blocking
37. GRE tunnel was not displayed in the connection management after the profile was renamed
38. Renaming the IPsec profile in [VPN and Remote Access]>[VPN Profile]>[IPsec] resulted in
empty MultipleSA settings for that profile
39. IPsec VPN tunnels connecting in NAT mode to WAN Alias IP could not pass traffic correctly
40. Use Alias IP incorrectly displayed on policy route page with USB WAN interface selected
41. SNMP Trap packets could not be sent through WAN Alias IP
42. IPsec VPN was up but no traffic passed through after some time (VPN routes disappeared)
43. When authenticating SSL VPN with MSCHAPv2, authentication could be delayed by 30s
44. Unable to add more than one VPN remote subnet via CLI command “more_remotesubnet”
45. Improved connectivity for LAN clients connecting to Remote Dial-In Users connected via VPN
46. Traffic was unable to pass through IPsec multi-SA tunnel
47. Vigor router did not validate End IP in IP Object range
48. Unable to register to VigorACS 2 successfully in some situations
49. AP management mechanism did not send the provision packet to VigorAP in some scenarios
50. Static route via LAN PPPoE client did not work (LAN client works)
51. Disabling a PPPoE user profile still allowed a user to make PPPoE connection with that profile
52. System time displayed on mobile web interface was 2hrs off from desktop web interface
53. LDAP Search function is no longer available in Simple mode
54. Improved resilience of the router's Mail service
55. When WAN Inbound Load Balance was on, Vigor router would do DNS query from WAN for
other domains outside the configured IP
56. Vigor router could not generate correct amount of user access logs in some conditions i.e.
1000 connections established in 5 seconds
57. Could not use 'space' in defining name of certificate
58. Accessing Vigor router from WAN2 was allowed even when Internet Access Control was set to
WAN1 only on [System Maintenance]>[Access Control]
59. End user got 2 email alerts when WAN was down
60. Ping connection detection did not disconnect USB WAN
61. Display error for TTL on [Diagnostics]>[Session Table]>[NAT]
62. DDNS user-defined profile could not upload the IP to the server properly when using HTTPS
63. URL/Web filter couldn't block HTTPS website if HTTPS was accepted in an IP filter profile
with “if no further match”
64. Firewall Syslog could not be disabled when the rule action was “Block If No Further Match"
65. Syslog could send some unnecessary information for RADIUS authenticated connections
66. Additional TR-069 parameters added for these menus & settings:
a) [VPN and Remote Access]
b) Local ID/Remote ID of [VPN and Remote Access]>[VPN Profiles]>[Basic]
c) [NAT]
d) [Routing] and [LAN/WAN VLAN]
e) [DNS Security]
f) [GVRP]
g) [IGMP Proxy]
h) [High Availability]
i) [Wake on LAN]
j) [SMS/Mail alert service]
k) Local / Remote address of [Bandwidth Management]
l) [Profile Number Limit]

Known Issue

1. Central VPN Management – If Central VPN Management is configured and used to manage
other DrayTek routers, keep using F/W 1.3.3.2 and wait for the next firmware release.
Routers cannot be managed / monitored through Central VPN Management with F/W 1.4.0.
2. Central AP Management – If Central AP Management is configured and used to manage
VigorAP access points, keep using F/W 1.3.3.2 and wait for the next firmware release.
VigorAPs cannot be managed / monitored through Central AP Management with F/W 1.4.0.
3. High Availability - Updating from a firmware version <=1.1.0.2: Due to significant changes to
High Availability functionality, existing HA configuration will be cleared during the update
process and it will be necessary to reconfigure High Availability after the update
4. L2TP Tunnel - Disable "Force IPsec with L2TP" option in [VPN and Remote Access] > [PPP
General Setup] to allow a standard L2TP tunnel, otherwise the L2TP server will allow L2TP
with IPsec only
5. IP Filter - F/W 1.2.0 onwards changes the behaviour of the IP Filter. After upgrade some IP
Filter rules may need to be reconfigured. Please read the "Filter Rule Actions" segment of
this guide for more information on the changes:
http://www.draytek.co.uk/support/guides/kb-3900-ipfilter-basics
6. Vigor2960 models with MXIC flash memory cannot be downgraded to firmware prior to
1.2.0.
Check the flash memory type with the CLI command "status system":
Model : Vigor2960
Hardware Version : 1.0 (M) <----- (M) suffix indicates MXIC Flash memory
Hardware Version : 1.0 <--------- no suffix indicates Samsung Flash memory, can be
downgraded if required

Firmware Version 1.3.3.2 (Formal Release)
Release Type Regular – Upgrade recommended when convenient
Build Date 10th April 2018
Release Date 1st May 2018
Revision 7677
Applicable Models Vigor 2960
Locale UK & Ireland Only

New Features

(None)

Improvements

1. When using the Web Portal to control Internet access, Guest accounts could not log in to the
Web Portal for Internet access

Known Issue

1. High Availability - Updating from a firmware version <=1.1.0.2: Due to significant changes to
High Availability functionality, existing HA configuration will be cleared during the update
process and it will be necessary to reconfigure High Availability after the update
2. L2TP Tunnel - Disable "Force IPsec with L2TP" option in [VPN and Remote Access] > [PPP
General Setup] to allow a standard L2TP tunnel, otherwise the L2TP server will allow L2TP
with IPsec only
3. IP Filter - F/W 1.2.0 onwards changes the behaviour of the IP Filter. After upgrade some IP
Filter rules may need to be reconfigured. Please read the "Filter Rule Actions" segment of
this guide for more information on the changes:
http://www.draytek.co.uk/support/guides/kb-3900-ipfilter-basics
4. Vigor2960 models with MXIC flash memory cannot be downgraded to firmware prior to
1.2.0.
Check the flash memory type with the CLI command "status system":
Model : Vigor2960
Hardware Version : 1.0 (M) <----- (M) suffix indicates MXIC Flash memory
Hardware Version : 1.0 <--------- no suffix indicates Samsung Flash memory, can be
downgraded if required

Firmware Version 1.3.3.1 (Formal Release)
Release Type Critical – Upgrade recommended immediately
Build Date 27th March 2018
Release Date 4th April 2018
Revision 7657
Applicable Models Vigor 2960
Locale UK & Ireland Only

New Features

(None)

Improvements

1. Improvement related to firmware security
2. Resolved IPsec stability issue that was present in 1.3.3 firmware
3. Remote Dial-In user accounts created in 1.3.3 firmware could not establish a VPN tunnel
after restarting the router

Known Issue

1. High Availability - Updating from a firmware version <=1.1.0.2: Due to significant changes to
High Availability functionality, existing HA configuration will be cleared during the update
process and it will be necessary to reconfigure High Availability after the update
2. L2TP Tunnel - Disable "Force IPsec with L2TP" option in [VPN and Remote Access] > [PPP
General Setup] to allow a standard L2TP tunnel, otherwise the L2TP server will allow L2TP
with IPsec only
3. IP Filter - F/W 1.2.0 onwards changes the behaviour of the IP Filter. After upgrade some IP
Filter rules may need to be reconfigured. Please read the "Filter Rule Actions" segment of
this guide for more information on the changes:
http://www.draytek.co.uk/support/guides/kb-3900-ipfilter-basics
4. Vigor2960 models with MXIC flash memory cannot be downgraded to firmware prior to
1.2.0.
Check the flash memory type with the CLI command "status system":
Model : Vigor2960
Hardware Version : 1.0 (M) <----- (M) suffix indicates MXIC Flash memory
Hardware Version : 1.0 <--------- no suffix indicates Samsung Flash memory, can be
downgraded if required

Firmware Version 1.3.3 (Formal Release)
Release Type Critical – Upgrade recommended immediately
Build Date 22nd March 2018
Release Date 22nd March 2018
Revision 7640
Applicable Models Vigor 2960
Locale UK & Ireland Only

New Features

(None)

Improvements

1. Improvement related to firmware security

Known Issue

1. High Availability - Updating from a firmware version <=1.1.0.2: Due to significant changes to
High Availability functionality, existing HA configuration will be cleared during the update
process and it will be necessary to reconfigure High Availability after the update
2. L2TP Tunnel - Disable "Force IPsec with L2TP" option in [VPN and Remote Access] > [PPP
General Setup] to allow a standard L2TP tunnel, otherwise the L2TP server will allow L2TP
with IPsec only
3. IP Filter - F/W 1.2.0 onwards changes the behaviour of the IP Filter. After upgrade some IP
Filter rules may need to be reconfigured. Please read the "Filter Rule Actions" segment of
this guide for more information on the changes:
http://www.draytek.co.uk/support/guides/kb-3900-ipfilter-basics
4. Vigor2960 models with MXIC flash memory cannot be downgraded to firmware prior to
1.2.0.
Check the flash memory type with the CLI command "status system":
Model : Vigor2960
Hardware Version : 1.0 (M) <----- (M) suffix indicates MXIC Flash memory
Hardware Version : 1.0 <--------- no suffix indicates Samsung Flash memory, can be
downgraded if required

Firmware Version 1.3.2.1 (Formal Release)
Release Type Regular – Upgrade recommended when convenient
Build Date 12th December 2017
Release Date 10th January 2018
Revision 7468
Applicable Models Vigor 2960
Locale UK & Ireland Only

New Features

(None)

Improvements

1. Central AP Management could not display the status information of VigorAP access points
managed by Central AP Management using HTTPS protocol

Known Issue

1. High Availability - Updating from a firmware version <=1.1.0.2: Due to significant
changes to High Availability functionality, existing HA configuration will be cleared
during the update process and it will be necessary to reconfigure High Availability after
the update
2. L2TP Tunnel - Disable "Force IPsec with L2TP" option in [VPN and Remote Access] > [PPP
General Setup] to allow a standard L2TP tunnel, otherwise the L2TP server will allow
L2TP with IPsec only
3. IP Filter - F/W 1.2.0 onwards changes the behaviour of the IP Filter. After upgrade some
IP Filter rules may need to be reconfigured. Please read the "Filter Rule Actions"
segment of this guide for more information on the changes:
http://www.draytek.co.uk/support/guides/kb-3900-ipfilter-basics
4. Vigor2960 models with MXIC flash memory cannot be downgraded to firmware prior to
1.2.0.
Check the flash memory type with the CLI command "status system":
Model : Vigor2960
Hardware Version : 1.0 (M) <----- (M) suffix indicates MXIC Flash memory
Hardware Version : 1.0 <--------- no suffix indicates Samsung Flash memory, can be
downgraded if required

Firmware Version 1.3.2 (Formal Release)
Release Type Regular – Upgrade recommended when convenient
Build Date 28th October 2017
Release Date 23rd November 2017
Revision 7373
Applicable Models Vigor 2960
Locale UK & Ireland Only

New Features

1. Fast NAT functionality added to improve outbound NAT throughput by bypassing firewall
processing for specified local subnet(s) going through selected WAN interfaces.
Configured in [NAT] > [Fast NAT]

Improvements

1. Updated DNSMasq to improve security, for more details please read this security advisory:
https://www.draytek.co.uk/information/our-technology/dnsmasq-vulnerability
2. Firmware Boot loader updated to 1.3.2
3. Configured and functioning URL/Web Category Profiles could display as a blank profile in the
web interface
4. Syslog output would report the rate unit as Kbps when setting the Filtering Rate (Mbps) in
[Firewall] > [DoS Defense] > [Switch Rate Limit] > [Storm Filter]
5. Access Barrier for HTTPS management could potentially block an authenticated HTTPS
management session
6. Corrected a potential error which might result in flooding a WAN interface removed from
the Load Balance Pool
7. The Counter value for URL/Web Category Filter rules could not increment when blocking
HTTPS websites
8. LDAP with Bind Type set to “Regular Mode” – When clicking the Search button for Base DN,
the router would attempt to bind with Root, which caused compatibility issues with
Windows LDAP servers
9. HTTPS filtering behaviour was incorrect when filtering with a keyword of “.”
10. Improved reliability of filtering by File Extension with the Firewall
11. High Availability failover did not occur when all WANs failed on the primary router
12. Multiple subnets available through a VPN Trunk in Backup mode were unavailable when
Primary Interface VPN tunnel dropped and the Backup Interface VPN tunnel became active
13. VPN tunnels were unable to route traffic if a PPPoE WAN was disconnected, remained
offline for over 12 hours and was then reconnected
14. Dial Out IPsec VPN could not establish if VPN server hostname started with a number (0-9)
15. After upgrade from firmware 1.2.2, [VPN and Remote Access] > [Connection Management]
could not display profile names for IPsec VPN tunnels, displaying a “Lack of Ptype” error
16. Web Portal could conflict with IP filter rules
17. Improved [Bandwidth Management] > [Bandwidth Limit] rate limiting algorithm
18. AP Management broadcast packets are no longer sent through VPN tunnels; this can be enabled
in [AP Management] > [General Setup] by enabling “Pass-Through VPN”
19. Improved Web Portal login page load times
20. QoS profiles and Firewall Filter Rules can now specify up to 200 Service Type Objects
21. IPsec VPN stability improvements

Known Issue

1. APM Management - VigorAPs with firmware 1.2.3 and later cannot be managed with AP
Management using HTTPS. This will be resolved in the next firmware release.
Management is still possible using HTTP (less secure) by disabling the HTTPS Allow
setting and enabling the HTTP Allow setting in [AP Management] > [General Setup]
2. High Availability - Updating from a firmware version <=1.1.0.2: Due to significant
changes to High Availability functionality, existing HA configuration will be cleared
during the update process and it will be necessary to reconfigure High Availability after
the update
3. L2TP Tunnel - Disable "Force IPsec with L2TP" option in [VPN and Remote Access] > [PPP
General Setup] to allow a standard L2TP tunnel, otherwise the L2TP server will allow
L2TP with IPsec only
4. IP Filter - F/W 1.2.0 onwards changes the behaviour of the IP Filter. After upgrade some
IP Filter rules may need to be reconfigured. Please read the "Filter Rule Actions"
segment of this guide for more information on the changes:
http://www.draytek.co.uk/support/guides/kb-3900-ipfilter-basics
5. Vigor2960 models with MXIC flash memory cannot be downgraded to firmware prior to
1.2.0.
Check the flash memory type with the CLI command "status system":
Model : Vigor2960
Hardware Version : 1.0 (M) <----- (M) suffix indicates MXIC Flash memory
Hardware Version : 1.0 <--------- no suffix indicates Samsung Flash memory, can be
downgraded if required

Firmware Version 1.3.1 (Formal Release)
Release Type Regular – Upgrade recommended when convenient
Build Date 28th June 2017
Release Date 27th July 2017
Revision 7145
Applicable Models Vigor 2960
Locale UK & Ireland Only

New Features

1. Fast Route functionality added to improve throughput by bypassing firewall processing for
specified routed subnets (VPN tunnels etc.). Located in [Routing] > [Fast Route].

Improvements

1. Resolved an issue that could stop the router from resolving DNS hostnames, this would
affect any services that resolve hostnames to IP addresses, such as Content Filtering, NTP,
Mail Alert, DNS Server etc.
2. Improvements to Samba service to ensure immunity to CVE-2017-7494
3. Updated SSH server
4. Updated App Enforcement signatures to improve handling / blocking of:
a. Hotspot
b. UltraSurf
c. PPstream
d. Google Hangouts
5. [NAT] > [Server Load Balance] can now balance based on “Source IP”
6. Central AP Management can select all managed VigorAPs to apply WLAN Profiles / AP
Maintenance tasks
7. Resolved an issue with [User Management] > [Web Portal] and SMS authentication
8. [User Management] > [User Profile] > Apply All tab could not alter PPTP settings
9. IPsec VPN tunnels could not re-establish VPN connection over specified “Failover to” WAN
10. Resolved an issue with IPv6 when using an IPv6 WAN configured for DHCPv6 PD (IAID)
11. iPad / iPhone devices with iOS 10.3.1 and later could not establish IKEv2 VPN tunnel
12. XAuth VPN tunnel could not authenticate if the password contained “#” or “.” characters
13. The router could not perform DDNS update for “Strato” Dynamic DNS
14. Improved PPPoE server efficiency
15. IPv6 Ping Diagnostics would not display the ping result
16. Resolved a display issue with Switch Management’s Switch Hierarchy view

Known Issue

1. High Availability - Updating from a firmware version <=1.1.0.2: Due to significant
changes to High Availability functionality, existing HA configuration will be cleared
during the update process and it will be necessary to reconfigure High Availability after
the update
2. Disable "Force IPsec with L2TP" option in [VPN and Remote Access] > [PPP General
Setup] to allow a standard L2TP tunnel, otherwise the L2TP server will allow L2TP with
IPsec only
3. F/W 1.2.0 onwards changes the behaviour of the IP Filter. After upgrade some IP Filter
rules may need to be reconfigured. Please read the "Filter Rule Actions" segment of this
guide for more information on the changes:
http://www.draytek.co.uk/support/guides/kb-3900-ipfilter-basics
4. Vigor2960 models with MXIC flash memory cannot be downgraded to firmware prior to
1.2.0.
Check the flash memory type with the CLI command "status system":
Model : Vigor2960
Hardware Version : 1.0 (M) <----- (M) suffix indicates MXIC Flash memory
Hardware Version : 1.0 <--------- no suffix indicates Samsung Flash memory, can be
downgraded if required

Firmware Version 1.3.0 (Formal Release)
Release Type Regular – Upgrade recommended when convenient
Build Date 7th March 2017
Release Date 28th March 2017
Revision 6930
Applicable Models Vigor 2960
Locale UK & Ireland Only

New Features

1. Support for GRE Tunnel under [VPN and Remote Access] > [VPN Profiles] > [GRE] for
compatibility with Cisco routers
2. Support for IKEv2 IPsec VPN tunnels
3. XAuth authentication support for IPsec Remote Dial-In Teleworker VPN tunnels
4. Central AP Management support – manage up to 50 VigorAP access points
5. Central Switch Management support – manage up to 10 VigorSwitch switches
6. New interface with improved design for mobile devices available through:
https://<router IP>/mobile
7. Support for DNSSEC added in [Applications] > [DNS Security]
8. The Vigor 2960’s own Root CA supports signing certificates generated on other devices /
routers in [Certificate Management] > [Remote Certificate]
9. [NAT] > [Server Load Balance] added

Improvements

1. The router will notify when another DHCP server is detected
2. DHCP options can now specify DHCP Gateway IP Address
3. Support dynamic prefix for IPv6 LAN
4. WAN Interfaces will default to DHCP when enabled
5. High Availability Hot Standby mode can now be switched manually
6. Firewall now has a Guest group in [Filter Setup] to apply rules to Guest Profile users
7. If Firewall – Default Policy is set to Block, option added to “Block All Incoming Traffic”
8. Bandwidth Limit now supports “Auto Adjust to make best use of available bandwidth”
option
9. Bandwidth Limit & Session Limit can now be applied to User Objects, Groups & LDAP
10. Added VPN Disconnect Alert Delay to [Notification Object] > [Advanced Setting]
11. StartTLS Connection Security supported in [Mail Service Object] & Mail Alert
12. Added an option to disable User Login Mail Alert
13. Mail Alerts for WAN Status changes now include the WAN IP
14. HTTPS Management can now be enforced using Enforce HTTPS Management option,
forwards HTTP access attempts to the HTTPS interface
15. SSH interface now supports SHA2 authentication
16. Timezone configured in Time and Date settings now defaults to UK
17. Traffic Graph now displays CPU and Coprocessor usage history graphs
18. Added Apply Settings to VigorAP section to TR-069 configuration
19. Support for scheduled reboot on weekdays only
20. Improvements to the Fail to Ban & Access Barrier functions
21. LAN DNS now supports wildcards
22. LAN DNS profiles can now perform conditional DNS forwarding when the Type of the LAN
DNS profile is set to FORWARD
23. Dynamic DNS now supports HTTPS
24. Dynamic DNS now supports User Defined mode for custom API configuration
25. Google Domains added to Dynamic DNS
26. OpenDNS added to Dynamic DNS
27. Ping & Trace Route diagnostics can now select which WAN IP Alias to send through
28. Added View button to Certificate Management to view loaded certificate details
29. Search functionality added to:
a. IP Objects & Groups
b. Service Type Objects & Groups
c. Keyword / DNS Objects
d. User Profiles
e. VPN Profiles
f. NAT Port Redirection rules
30. Web Portal can now redirect to specified LAN DNS address instead of IP
31. [User Management] > [Web Portal] – Login History added
32. Clean Deadline button added to Guest Profile to renew usage time of selected account(s)
33. Guest Profile accounts can specify max simultaneous logins
34. Added Search Button in LDAP to allow users to view and select the Base DN/Group DN
35. LDAP now supports SSL connection to LDAP Server
36. Improvements to the RADIUS configuration page
37. [NAT] > [Port Redirection] can specify allowed Source IP Objects to allow only specified IPs to
access port forwards without making Firewall Filter Rules
38. Policy Route rules can select Service Type Objects instead of manually specifying ports
39. Policy Route rules can now specify Time Objects to apply rules during specified times only
40. Added a priority graph to Policy Route rules, click “(?)” to view
41. Support for SPF/TXT DNS Records for WAN Inbound Load Balance
42. VPN Profiles can now be renamed
43. VPN Profiles now display Status icon to indicate connection state
44. SSL VPN port can be configured separately from HTTPS management interface
45. SSL VPN can be disabled on individual WAN interfaces in [Access Control] to allow NAT Port
Redirections to be configured with that port, to the WAN interface with SSL VPN disabled
46. Allowed WAN interfaces for PPTP VPN server can be selected in [VPN and Remote Access] >
[PPP General Setup]
47. IPsec VPN can be set as Default Route/Gateway with Apply NAT Policy enabled for that VPN
48. User Profiles can specify allowed VPN Dial-In times by selecting Time Objects
49. IPsec proposal DH Group now defaults to G5 (1536-bit)
50. Multiple SAs (Security Associations) added to IPsec VPN profiles to specify additional Local &
Remote subnets

Known Issue

1. High Availability - Updating from a firmware version <=1.1.0.2: Due to significant
changes to High Availability functionality, existing HA configuration will be cleared
during the update process and it will be necessary to reconfigure High Availability after
the update
2. Disable "Force IPsec with L2TP" option in [VPN and Remote Access] > [PPP General
Setup] to allow a standard L2TP tunnel, otherwise the L2TP server will allow L2TP with
IPsec only
3. F/W 1.2.0 onwards changes the behaviour of the IP Filter. After upgrade some IP Filter
rules may need to be reconfigured. Please read the "Filter Rule Actions" segment of this
guide for more information on the changes:
http://www.draytek.co.uk/support/guides/kb-3900-ipfilter-basics
4. Vigor2960 models with MXIC flash memory cannot be downgraded to firmware prior to
1.2.0.
Check the flash memory type with the CLI command "status system":
Model : Vigor2960
Hardware Version : 1.0 (M) <----- (M) suffix indicates MXIC Flash memory
Hardware Version : 1.0 <--------- no suffix indicates Samsung Flash memory, can be
downgraded if required

Firmware Version 1.2.2 (Formal Release)
Release Date 24th November 2016
Build Date 1st November 2016
Revision r6620
Applicable Models Vigor 2960
Locale UK ONLY

New Features

(None)

Improvements

1. FTP connections in Active mode were not passed correctly through NAT
2. When using [Diagnostics] > [Data Flow Monitor] > Packet Monitor, results could not be
filtered by Host
3. Resolved an issue that could cause higher than normal memory usage with some router
configurations
4. When configuring a User Management profile for VPN with MOTP enabled, it could not
be saved without entering a password
5. TTL values were reported incorrectly in the [Diagnostics] > [Session Table]
6. Improved connectivity for Mac OS X SmartVPN clients

Known Issue

1. High Availability - Updating from a firmware version <=1.1.0.2: Due to significant
changes to High Availability functionality, existing HA configuration will be cleared
during the update process and it will be necessary to reconfigure High Availability after
the update
2. Disable "Force IPsec with L2TP" option in [VPN and Remote Access] > [PPP General
Setup] to allow a standard L2TP tunnel, otherwise the L2TP server will allow L2TP with
IPsec only
3. F/W 1.2.0 onwards changes the behaviour of the IP Filter. After upgrade some IP Filter
rules may need to be reconfigured. Please read the "Filter Rule Actions" segment of this
guide for more information on the changes:
http://www.draytek.co.uk/support/guides/kb-3900-ipfilter-basics
4. Vigor2960 models with MXIC flash memory cannot be downgraded to firmware prior to
1.2.0.
Check the flash memory type with the CLI command "status system":
Model : Vigor2960
Hardware Version : 1.0 (M) <----- (M) suffix indicates MXIC Flash memory
Hardware Version : 1.0 <--------- no suffix indicates Samsung Flash memory, can be
downgraded if required

Firmware Version 1.2.1 (Formal Release)
Release Date 30th August 2016
Build Date 27th July 2016
Revision r6367
Applicable Models Vigor 2960
Locale UK ONLY

New Features

1. The router's Online Status can display "Remote DSL" information from a Vigor 130 or
Vigor 120v2 modem connected to the router's WAN ports
2. Support WAN Load Balance by Session, configured in [Routing] > [Default Route], the
default is IP-based Load Balancing
3. [Certificate Management] > [Trusted CA Certificate] now supports "Build RootCA" to
self-sign certificates
4. Packet Monitor facility added to [Diagnostics] > [Data Flow Monitor] to capture
WAN/LAN packets and download as a .pcap file
5. Web Content Filter Query Server can now be specified in [Objects Setting] > [Web
Category Object] > [Query Server] tab

Improvements

1. Efficiency improvements to NAT mechanisms
2. SSL VPN supports Idle Timeout and Reconnect
3. APP-Enforcement Signature updated to improve handling of:
a. IM-Google Hangouts
b. Protocol-DNS
c. HTTP
d. SSL/TLS
e. Tunnel-Ultrasurf
f. VoIP-RC
g. WebHD-HTTP_Upload
4. Web interface response time improved when displaying large numbers of Profiles (User
Profile, IP Objects, etc)
5. Improved TCP SYN+FIN filtering mechanism
6. Auto DDoS defense added to reduce CPU load if DDoS occurs

Known Issue

1. High Availability - Updating from a firmware version <=1.1.0.2: Due to significant
changes to High Availability functionality, existing HA configuration will be cleared
during the update process and it will be necessary to reconfigure High Availability after
the update
2. Disable "Force IPsec with L2TP" option in [VPN and Remote Access] > [PPP General
Setup] to allow a standard L2TP tunnel, otherwise the L2TP server will allow L2TP with
IPsec only
3. F/W 1.2.1 changes the behaviour of the IP Filter. After upgrade some IP Filter rules may
need to be reconfigured. Please read the "Filter Rule Actions" segment of this guide for
more information on the changes:
http://www.draytek.co.uk/support/guides/kb-3900-ipfilter-basics
4. Vigor2960 models with MXIC flash memory cannot be downgraded to firmware prior to
1.2.0.
Check the flash memory type with the CLI command "status system":
Model : Vigor2960
Hardware Version : 1.0 (M) <----- (M) suffix indicates MXIC Flash memory
Hardware Version : 1.0 <--------- no suffix indicates Samsung Flash memory, can be
downgraded if required

Firmware Version 1.2.0 (Formal Release)
Release Date 4th December 2015
Build Date 27th November 2015
Revision r5714
Applicable Models Vigor 2960
Locale UK ONLY

New Features

1. CPU, Memory, Traffic Tx/Rx usage added to [Notification Object], configured under
Advanced Setting tab
2. [Configuration Backup] > [Analysis] displays details of router configuration on one page
3. Auto Firmware Upgrade and Auto Firmware Patch now available to simplify update
process
4. [User Management] > [Web Portal] new features:
a. Can use SMS as an authentication method (requires internet SMS provider
configured)
b. Option to block mobile devices if required
c. Customise login & background images in Portal Page Setup
5. MAC/Vendor Object now supported for use with IP Filter
6. SMB Server now available under [USB Application] menu for file sharing of connected
USB storage
7. Now supports SHA2_256 for IPsec VPN tunnel authentication
8. SSL VPN port can now be configured as a separate port from HTTPS Management under
[System Maintenance] > [Access Control]
9. Service Usage Monitor added to [Diagnostics] > [Data Flow Monitor] to observe data
usage of specified protocols

Improvements

1. Improvements to the design and functionality of [Applications] > [High Availability]
2. Corrected an issue with Port Redirection which could occur after upgrading to 1.1.x
firmware
3. [Firewall] > [Filter Counter] indicates how many sessions have matched each rule
4. General improvements to [Firewall] menus and syslog output
5. Improvements to HTTPS filtering when using Web Content Filtering
6. Specify Remote IP / Host Name to limit Remote Dial-In VPN connections to that WAN IP
/ Hostname only
7. Bandwidth Limit can now apply to PPTP Remote Dial-In VPN clients
8. [Diagnostics] > [ARP Cache Table] now has an option to quickly create an IP Object for
listed IP address
9. Supports Suffix Type in IPv6 Object configuration
10. Time Schedule in Filter Rules can now force sessions to clear when the schedule takes
effect
11. Spotify can now be blocked with the Application Filter
12. Can specify which WAN interfaces can be used for remote management
13. Improvements to Traffic Graph and Data Flow Monitor
14. QoS Class was not displayed in the Session Table
15. Support for "esendex" SMS Provider
16. Custom SMS Provider option to define API settings manually for SMS providers not listed

Known Issue

1. Due to significant changes to High Availability functionality, existing HA configuration
will be cleared during the update process and it will be necessary to reconfigure High
Availability after updating to 1.2.0
2. Vigor2960 models with MXIC flash memory cannot downgrade to previous firmware
versions.
Check the flash memory type with the CLI command "status system":
Model : Vigor2960
Hardware Version : 1.0 (M) <----- (M) suffix indicates MXIC Flash memory
Hardware Version : 1.0 <--------- no suffix indicates Samsung Flash memory, can be
downgraded if required
3. Disable "Force IPsec with L2TP" option in [VPN and Remote Access] > [PPP General
Setup] to allow a standard L2TP tunnel, otherwise the L2TP server will allow L2TP with
IPsec only
4. F/W 1.2.0 changes the behaviour of the IP Filter. After upgrade some IP Filter rules may
need to be reconfigured. Please read the "Filter Rule Actions" segment of this guide for
more information on the changes:
http://www.draytek.co.uk/support/guides/kb-3900-ipfilter-basics

Firmware Version 1.1.0.2 (Formal Release)
Release Date 9th September 2015
Build Date 29th August 2015
Revision r5461
Applicable Models Vigor 2960
Locale UK ONLY

New Features

(None)

Improvements

1. Corrected an issue that could cause Port Redirection to not work after upgrading the
firmware from 1.0.9 or earlier
2. Syslog to USB was not writing to USB after restarting the router
3. It was not possible to modify the max failed Telnet Login attempts before the router
bans the IP
4. Netbios names were not displaying in the ARP cache table correctly
5. Improvements to certificate handling for the router's HTTPS interface
6. DNS Suffix (DHCP Option 15) support added for remote dial-in VPN clients
7. Upgraded OpenSSL to 0.9.8zg for security updates
8. Resolves a WAN connectivity issue that could occur after an extended duration

Known Issue

1. Disable "Force IPsec with L2TP" option in [VPN and Remote Access] > [PPP General
Setup] to allow a standard L2TP tunnel, otherwise the L2TP server will allow L2TP with
IPsec only

Firmware Version 1.1.0.1 (Formal Release)
Release Date 31st July 2015
Build Date 16th July 2015
Revision r5291
Applicable Models Vigor 2960
Locale UK ONLY

New Features

(None)

Improvements

1. Resolved issue that could cause PPTP Remote Dial In throughput reduction
2. Corrected issue that could cause Port Redirection to not work after upgrading the firmware
from 1.0.9 or earlier
3. Corrected NAT Loopback issue for PPTP dial-in user accessing WAN IP alias
4. IPv6 could not get public IP via DHCP IA PD.
5. LAN to LAN for SSL VPN would not re-connect automatically after VPN disconnection
6. Incorrect remote IP address displayed for SSL VPN in connection history
7. SNMP daemon correction
8. Corrected issue that could prevent Policy route via NAT from working
9. Corrected issues that could prevent TR-069 from working in some configurations
10. Change profile number for Policy Route to 120, and for Static Route to 200

Known Issue

1. You need to disable "Force IPsec with L2TP" options for pure L2TP tunnel in [VPN and
Remote Access] > [PPP General Setup].
Firmware Version 1.1.0 (Formal Release)
Release Date 19th June 2015
Build Date 6th June 2015
Revision r5142
Applicable Models Vigor 2960
Locale UK ONLY

New Features

1. SSL VPN LAN to LAN tunnel (Supported from DrayTek Vigor 2960 / 3900 1.1.0 firmware
and Vigor 2860 / 2925 3.8.x firmware).
2. Internal RADIUS server under [User Management] > [RADIUS].
3. APP Enforcement supported app list added under [Objects Settings] > [APP Support List].
4. Added auto/manual APP Signature Upgrade setting page in [System Maintenance] >
[APP Signature Upgrade]
5. [System Maintenance] > [Access Control] Improvements:
Validation Code in Access Control tab to improve web admin security;
Fail to Ban setting page to automatically block IP addresses after failed login
attempts;
Access Barrier setting page to protect router services (WUI, FTP etc) from brute
force attack.
6. Added Switch Rate Limit setting page in [Firewall] > [Dos Defense].
7. Added [NAT] > [Connection Timeout] to allow altering the session timeout of different
traffic types i.e. TCP, UDP etc
8. Wake on LAN can now operate on a schedule by configuring profiles in [Applications] >
[Wake on LAN] > [Schedule Wake on LAN]
9. [Diagnostics] > [MAC Address Table] added.
10. [Diagnostics] > [User Status] added, to show PPPoE / Web Portal / VPN / SSL Proxy users
in one location.
11. [LAN] > [LAN DNS] now supports wild-card strings and CNAME records for individual
LANs using the Specified LAN option.
12. [Routing] > [Policy Route] Improvements:
Priority options (Normal, High, Top) for more flexible routing.
Country Objects as destination addresses.
Failover options for target IP ping failure.
13. Support for Multicast via VPN.
14. Router's web interface can now notify of new firmware upgrades available.

Improvements

1. Improved DDoS protection.
2. SSL VPN settings now available under [VPN and Remote Access] > [PPP General Setup].
3. PPTP Dial-In VPN Profile (LAN to LAN) now supports multiple remote subnets.
4. LDAP/RADIUS support for the router's SSL Proxy facility.
5. [User Management] > [Web Portal] > [Portal Page Setup] now supports uploading an
HTML file as the bulletin message.
6. Packet Inspection settings added under [Firewall] > [Filter Setup] > [Default Policy]
7. [User Management] > [User Profile] > [Apply All] improved to allow multiple choice.
8. Port Statistics now shown under [Diagnostics] > [Traffic Statistics].
9. Session Information added to [Diagnostics] > [Traffic Graph].
10. Vendor Information added to [Diagnostics] > [ARP Cache Table].
11. Daily / Period timeout settings added to Web Portal under [User Management] > [Web
Portal] > [General Setup].
12. Bind IP to MAC can now be applied to specific subnets.
13. Support added for VPN routing through GRE over IPSec tunnel (VPN Trunk).
14. Keep VPN Setting option added to [Central VPN Management] > [CPE Management].
15. Alert interval of temperature sensor now configurable under [USB Application] >
[Temperature Sensor] > [General Setup].
16. The router could not use a DNS server located on the LAN for DNS queries under some
circumstances.
17. Traffic was unable to pass between LAN and PPPoE server clients.
18. Web Content Filter category selection page improvements.
19. IP Filter now shows a counter display for matched packets.

Known Issue

1. You need to disable "Force IPsec with L2TP" options for pure L2TP tunnel in [VPN and
Remote Access] > [PPP General Setup].
Firmware Version 1.0.9.1 (Formal Release)
Release Date 16th February 2015
Build Date 30th January 2015
Revision r4763
Applicable Models Vigor 2960
Locale UK ONLY

New Features

(None)

Improvements

1. The IGMP Proxy feature's compatibility with some ISPs that use PPPoE has been improved.
2. Support for the Bandluxe C330 USB 3G modem.
3. SSL VPN now changes tunnel MTU in relation to the WAN MTU.
4. PPTP Dial-In User VPN connections could not access the internet under some circumstances.
5. Policy Route was not working with return path traffic.
6. The IPsec option "Auto Dial Out if WAN1 Down" was still taking effect after being disabled in
the WUI.
7. The router's memory usage was higher than normal when using the Data Flow Monitor.
8. The Access Control List was not working correctly under some circumstances.
9. Improvements to ensure immunity to Ghost/CVE-2015-0235

Known Issue

1. You need to disable "Force IPsec with L2TP" options for pure L2TP tunnel in VPN and Remote
Access >> PPP General Setup.
Firmware Version 1.0.9 (Formal Release)
Release Date 29th October 2014
Build Date 21st October 2014
Revision r4394
Applicable Models Vigor 2960
Locale UK ONLY

New Features

1. Improve SSL VPN throughput for SSL VPN tunnel mode with Smart VPN Client 4.3.1 or later.
2. Supports USB 4G/LTE. Check [USB]-[Modem support list] in the router's web interface for
details.
3. Supports USB disk /FTP server.
4. Supports saving Syslog to USB disk.
5. Supports Policy Route (replacing Load Balance Rule and Address Mapping menus).

Improvements

1. Corrected: Connection request notifications from Vigor ACS were not authenticated
2. Corrected: Can't establish IPv6 static connection.
3. Improved: IPSec VPN tunnel can now be configured to pass or block NetBios packets.
4. Improved: Allow downloading/uploading private key (for Host to LAN VPN by X.509).
5. Improved: Show the VPN Type/Form fields on VPN History web page.
6. Improved: Handling for Duplicated Routes (with Static Route Metric). When the static route
metric is <=10, the priority of that static route will be greater than a VPN route.
7. Improved: Support QoS for VoIP traffic from LAN.
8. Improved: Support "Ping to Keep Alive" feature for detecting whether an IPsec tunnel is able
to pass traffic
9. Improved: Support WAN Port and IP Alias options for PPTP Dial Out connection.
10. Improved: Support RFC 4638 (accommodating an MTU/MRU larger than 1492 for PPPoE
protocol WAN connections).
11. Improved: Added STUN server option to TR-069 settings.
12. Improved: Added Jumbo Frame setting under [LAN]-[Switch]-[Jumbo Frame] to edit
Maximum Frame size.
13. Improved: Added a "Clear" button for the DDNS settings page.
14. Improved: Bind IP to MAC can now export or import a list of IP / MAC addresses.
15. Improved: [System Maintenance] - [Access Control] can now be configured to accept pings
from the WAN on specified WAN interfaces.
16. Improved: Added “OVH” as service provider for DDNS setting.
17. Improved: Supports Range-to-many Port Redirection.
18. Improved: Improve login page customization for Web Portal setup.
19. Improved: Change mechanism of deleting objects.
20. Improved: Upgrade OpenSSL to 0.9.8zc for SSLv3 Fallback (CVE-2014-3566) protection.
Firmware Version 1.0.8.2 (Formal Release)
Release Date 14th July 2014
Build Date 13th June 2014
Revision r3968
Applicable Models Vigor 2960
Locale UK ONLY

New Features

(None)

Improvements

1. Update OpenSSL to 0.9.8za
2. WCF (Web Content Filter) updated for Service Name from Commtouch to Cyren.
3. Resolved some HA (High Availability) issues
4. Corrected issue with DDNS failover 3G WAN

Known Issue

1. VPN Trunk tunnel doesn't work well when the profile name is more than 15 characters.
2. You need to disable "Force IPsec with L2TP" options for pure L2TP tunnel in VPN and Remote
Access >> PPP General Setup.
Firmware Version 1.0.8.1 (Formal Release)
Release Date 17th June 2014
Build Date 22nd May 2014
Revision r3863
Applicable Models Vigor 2960
Locale UK ONLY

New Features

(None)

Improvements

1. PPTP connection stability.
2. Web Portal stability.
3. Remove management port setting which may occupy port redirection.
4. Improve the stability of High Availability function.
5. Add telnet timeout if not logged in within 60 seconds.
6. CPU usage is too high when data flow monitor is enabled.
7. SSL VPN client fixed
8. A problem of WCF license occurred when HA is enabled.
9. CVM can't perform configuration backup.
10. NAT Loopback to LAN More Subnet doesn’t work.
11. DNS for PPTP Remote dial-in is not assigned according to the LAN Profile.
12. Reboot with Customized Configurations bug.
13. When firewall default policy (block) is used, HTTP is still available for access.
14. Web portal still supports URL redirect when login mode is disabled.
15. Packet count error when PPTP acceleration is enabled.
16. mOTP User profile cannot be saved without Password.
17. WAN Priority Bits doesn’t work.
18. An error occurred in time object.
19. An error occurred in WAN >> Switch mode >> double tag.
Firmware Version 1.0.8 (Formal Release)
Build Date 10th March 2014
Revision r3548
Applicable Models Vigor 2960
Locale UK ONLY

New Features

1. Same WAN VLAN ID can be used in different WAN interfaces. (WAN >> General Setup Mode:
Advance, Switch Mode: Double Tag)
2. QoS for multiple WANs.
3. SNMP v3 Support
4. Support country block for Firewall.
5. Support WCF white list.
6. Support LAN DNS server.
7. BGP routing protocol Support
8. SSL VPN tunnel mode (up to 20 tunnels).
9. Support Web Portal and Hotspot (Guest profile) in User Management.
10. Support PPTP acceleration for PPTP WAN/Remote Dial-in/LAN to LAN (90Mbps with MPPE,
400Mbps without MPPE).
11. Support QoS retag option.
12. Support VPN dial-out failover if WAN disconnected.
13. Support VPN LAN to LAN for overlap/duplicate subnets.
14. High Availability Support.
15. Display the last UP/DOWN log of VPN profile.
16. Add default policy for Firewall and default block policy can be applied.
17. Add IPv6 firewall settings.
18. Add DNS object.
19. Add a remote capture telnet command (rc), for traffic monitor and wireshark remote
capture.
20. Add front panel and VPN status on the dashboard.

Improvements

1. Change the menu item “User Management>>General Setup” into “User Management>>Web
Portal”.
2. Move IP Routing from LAN to Static Route and rename as LAN/WAN Proxy ARP.
3. Move Inter-LAN Route from LAN>>Static Route to LAN>>General Setup.
4. Move status page to the first tab of each function menu.
5. Support RADIUS, LDAP, Local authentication in User Management.
6. Support NAT option for IPsec LAN to LAN.
7. Support LDAP profile in Firewall.
8. Support ratio configuration for VPN Load Balancing.
9. Port number setting for Access Control in WAN IP alias can be passed to LAN by default.
10. Notification object can be recorded on Syslog through the configuration on
Applications>>SMS/Mail Alert Service page.
11. Support Local/RADIUS/LDAP authentication for PPTP/L2TP/PPPoE server at the same
time.
12. Change the priority of Inter-LAN route so that the IP filter can apply further control.
13. Support connection failover for TR-069.
14. Display router name in web page title.
15. IPsec VPN dial-in connection with all WANs is supported by default.
16. Support RFC3021.
17. Combine IM/P2P/Protocol object to App Object for blocking more Apps.
18. The number of Management Access Control List is increased up to 16.
19. Support peer identity for IPsec RSA authentication.
20. Support password encode option for configuration backup.
21. Support more special characters in username for user profile.
22. The number of SSL web proxy/VNC/RDP profile is increased up to 30.
23. Support customized DDNS.
24. Support acceleration of fragmented UDP packets (maximum 1628 bytes).
25. Support DHCP option 95 (LDAP server), 161(FTP server), and 162 (File path) for DHCP server.
26. Support more subnet DHCP servers in Bind IP to MAC.
27. Support DHCP relay over LAN/Non-Direct-Connected LAN.
28. Support DHCP relay settings for PPTP/L2TP/PPPoE.
29. Support open port to the host in remote VPN network.
30. Default route cannot work well when two WAN IPs are in the same IP network.
Firmware Version 1.0.7.1 (Formal Release)
Release Date 13th November 2013
Build Date 12th November 2013
Revision r3067
Applicable Models Vigor 2960
Locale UK ONLY

New Features

(None)

Improvements

1. Support USB-WAN for WAN Profile under the Setting tab in Application>> Dynamic DNS.
2. Modify the mechanism for IP filter, "if no further match" action.
3. Add a subnet mask setting, 255.255.255.254, for WAN IP configuration.
4. Added option to disable negotiation for Fiber WAN under the Interface tab in WAN>>Switch.
5. QoS IP rule can apply the packets passing through both Local IP and Remote IP.
6. ‘space’ special character can be used in the username for LDAP
7. Improved PPTP service mechanism for multiple simultaneous LAN to LAN dial-ins
8. Corrected: Cannot block / unblock some IPs on Diagnostics>>Data Flow Monitor.
9. Corrected issue with ICMP packets larger than 8138 bytes over IPSec LAN to LAN tunnel.
10. Corrected: The user cannot access Internet when QoS queue weight is set as “0”.
11. Corrected: Lower the priority of Inter-LAN routing function.
12. Corrected: LAN DHCP packets do not respond while LAN DHCP Server is OFF.
13. Corrected: Can’t accept L2TP VPN from (None) default route WAN.
14. Corrected: RADIUS client (Vigor router) sends wrong NAS IP address (127.0.0.1).
15. Corrected traffic status of DHCP over IPsec in VPN Connection Management.
16. ARP detection may fail when WAN TX traffic is full.
17. Corrected: SMS can't be sent out when L2TP over IPsec is up and down.

Known Issue

1. VPN Trunk tunnel doesn't work well when the profile name is more than 15 characters.
2. You need to disable "Force IPsec with L2TP" options for pure L2TP tunnel in [VPN and
Remote Access]>[PPP General Setup]
Firmware Version 1.0.7 (Formal Release)
Build r2733
Release Date 2nd Sept 2013
Applicable Models Vigor 2960
Locale UK ONLY

New Features

1. Support Central VPN Management (CVM). Up to 12 devices can be managed.
2. Support 3G backup/load balance.
3. Support inbound load balance.
4. Support VPN Trunk failover mode.
5. Support PPPoE quota setting and MAC address filter.
6. Support USB temperature sensor.
http://www.draytek.co.uk/products/usb-thermometer.html
7. Support SMS, Email Alert and Notification object profiles for WAN/VPN connection and USB
temperature sensor.
8. Support Bridge VLAN function for LAN/WAN bridging.

Improvements

1. Improved: Support SmartMonitor users up to 200.
2. Improved: VPN Trunk throughput and stability.
3. Improved: By default disable insecure SSL Encryption Key Algorithms
4. Improved: Support DHCP relay on VPN.
5. Improved: QoS redesigned
6. Improved: Username reported to Syslog
7. Improved: Add option 60(Vendor ID), 61(Client ID) for WAN DHCP mode.
8. Improved: Add default maximum session number for Session limit.
9. Improved: Add flow control settings for Switch.
10. Improved: Add user defined options for DHCP server.
11. Improved: Improve DMZ function.
12. Improved: Add log and force update function for DDNS.
13. Improved: Add Force L2TP with IPsec policy option, enabled by default.
14. Improved: Corrected causes for high CPU usage being displayed in Web UI
15. Improved: Stability in TR-069.
16. Improved: Firmware upgrade speed.
17. Fixed: Time object cannot work correctly when daylight saving is enabled.

Known Issue

1. VPN Trunk tunnel doesn't work well when the profile name is more than 15 characters.
2. You need to disable "Force IPsec with L2TP" options for pure L2TP tunnel in [VPN and
Remote Access]>[PPP General Setup]
Firmware Version 1.0.6.2 (Formal Release)
Build r2215
Release Date 5th July 2013
Applicable Models Vigor 2960
Locale UK ONLY

New Features

(None)

Improvements

1. Resolved LAN port inter-operability issue that could cause the Vigor 2960 to disconnect from
the LAN after a period of time
2. WAN re-connection could trigger VPN trunk to disconnect
Firmware Version 1.0.6.1 (Formal Release)
Release Date 26th April 2013
Applicable Models Vigor 2960
Locale UK ONLY

New Features

(None)

Improvements

1. Improved the throughput among different VLANs.
2. Add support for VPN on Alias WAN IP and IP Routing IP.
3. Send ARP of WAN Alias IP to WAN Gateway when connected.
4. Configuration Backup menu improved
5. Added more parameters and improved the stability for TR-069.
6. NAT Port Redirection Rule for FTP server didn't work when two WAN connections are up.
7. Customized web content message disappears after rebooting the router.
8. VPN Trunk tunnel didn't work well when the profile name was long.
9. Corrected display error for PPTP connection in VPN Graph on Syslog.
10. Ping to VPN remote network didn't work after clicking WAN DHCP Renew
button via web user interface.
11. Session limit applied the incorrect limit due to error in calculating mask.
12. WAN status was up while WAN cable was unplugged and WAN detection mode was set to
“None”
13. Something wrong with SNMP Set/Get Community.
14. VPN Traffic could not pass anymore while one of the VPN GRE tunnels was disconnected.
15. Corrected DHCP renew interoperability issue with some ISPs.
16. Corrected SIP ALG
17. IPSec tunnel uptime might not reset when the tunnel disconnected and re-established
18. Corrected issue with PPTP control session that could prevent new connections.
19. A PC from remote subnet via PPTP LAN to LAN couldn't access the Internet via VPN
20. Improved handling of certain IPv6 packets.
21. Corrected Load balance error when using multiple PPPoE connection with the same
gateway.
Firmware Version 1.0.6 (Formal Release)
Release Date 12th December 2012
Applicable Models Vigor 2960
Locale UK ONLY

Improvements

1. Support VPN (IPsec) Routing Acceleration.
2. Support VPN Alarm via E-mail & Syslog.
3. Support VPN Graph for Syslog utility.
4. Support PPPoE server for LAN PC connection.
5. Add QQ account filter.
6. Add LDAP/AD for VPN PPTP, L2TP authentication.
7. URL Content Filter can block HTTPS connection by host keyword.
8. Improved: WCF (Web Content Filter) supports HTTPS block by web category.
Firmware Version 1.0.5 (Formal Release)
Release Date 17th August 2012
Applicable Models Vigor 2960
Locale UK ONLY

First Firmware Release

[END OF FILE]
