Draytek 2860 and Unifi USG

I normally don’t do networking posts but in this case I think there may be a need as I could not find any solutions for this anywhere else.

This solution uses a Draytek 2860 as a VDSL modem, VPN and LAN-LAN device.

Using a Draytek 2860 as modem and Unifi USG as gateway is not without it’s problems.

Why using Draytek as modem:

  • Draytek is a modem working well with a BT FTTC VDSL connection
  • Draytek is great for client VPN and LAN-LAN connections both using IPsec
  • Draytek and USG can always be reached via the client VPN access – so accidental lock-out is (almost) impossible

Why using Unifi USG as gateway:

  • Unifi USG provides great network management via the Unifi controller

Problems to be solved with the solution below:

  • USG is in a double-NAT situation
    • Solved with DMZ on Draytek
  • Draytek incoming VPN wants to route through itself bypassing the USG
    • Solved with policy route on Draytek forcing USG gateway
  • Draytek has two DMZ modes and only one works:
    • Solved by using “Private IP” DMZ
    • Private IP: semi-NAT mode where some functionality works
      • Works: modem, VPN, LAN-LAN and remote router management
      • Does not work: Port forwarding (makes sense)
    • True IP: bridge mode where Draytek only works as modem
      • Works: modem
      • Does not work: everything else
  • Port forwarding to WordPress Server
    • Solved by using port forward on Unifi USG
  • Route VPN and LAN-LAN around the DMZ
    • Draytek LAN1 to USG LAN direct connection via switch
    • USG WAN2 could have been used but this is better to use for WAN failover

Connection diagram:

Draytek Setup (relevant to this scenario): 

  • WAN: nothing special to do
  • LAN: create two networks: DMZ and LAN1:
    • DMZ network: semi-NAT network to Unifi USG
      • For NAT Usage
      • IP Address: 192.168.7.3
      • DHCP Enable Server
      • Start IP address: 192.168.7.100 (USG WAN)
      • Gateway IP: 192.168.7.3
    • LAN1 network: This is used to route around the DMZ
      • For NAT Usage
      • IP Address: 192.168.1.3 (as the USG is 192.168.1.1)
      • DHCP Enable Relay
      • DHCP Server IP: 192.168.1.1 (USG LAN)
    • VLAN: map your LAN1 to port 2 (port 1 is reserved for DMZ)
  • Routing: create a route policy for LAN1
    • Load-Balance/Route Policy:
      • Protocol: Any
      • Source: IP Subnet: 192.168.1.0/24
      • Destination: Any
      • Destination Port: Any
      • Interface: LAN1
      • Specific Gateway: 192.168.1.1 (USG LAN)
      • Priority: 100
  • NAT:
    • DMZ Host: Private IP
    • Private IP: 192.168.7.100 (USG WAN)
  • Firewall: Disable all (USG is the firewall)
  • VPN and Remote Access:
    • Remote Dial-in User:
      • Allowed Dial-in type: L2TP/IPsec with pre-shared key
      • Subnet: LAN1
    • LAN to LAN:
      • Allowed Dial-in type: IPsec Tunnel
      • Local Network IP: 192.168.1.0/24
      • …and much more

Unifi USG Setup (relevant to this scenario):

  • WAN Networks:
    • WAN:
      • IPV4 Connection Type: Using DHCP
  • LAN Networks:
    • LAN:
      • Gateway IP / Subnet: 192.168.1.1/24
      • DHCP server enabled
  • Gateway:
    • Port Forwarding:
      • Name: http
      • From: Anywhere
      • Port: 80
      • Forward IP: WordPress server IP
      • Forward Port: 80
      • Protocol: Both