Weird issue with Vlan (draytek 2962+Vigor AP+central heating)

I have a Draytek 2962 router, and added 1 normal WLAN and 2 WLAN addresses for guests and IoT.
All works perfectly for all devices, except for the thermostat of the central heating.

The CH is connected to the IOT vlan network with id 10.
Guest to 20.
Whenever a laptop or iPhone connects to the IoT VLAN, it gets an IP address out of that range, and the internet can be accessed, but not the internal network, as planned.
Whenever I connect the CH (Central Heating), it gets an IP address, but no access to the outside world.
Draytek has been looking into it, and fixed it by changing the MTU.

It worked right afterwards.
Yet it does not work if I detach the Ethernet cable, relocate the AP,
and attach the cable again. It cannot find the internet, even though it receives an IP address.
If I place the AP back to the original location, it still does not work.

As the iphones and laptops work, I think that the device itself is working though.

Hope somebody can point me in the right direction.


From my understanding when using Jumbo Frames everything needs to be at the same MTU value, the default is 9000.

You might want to test changing the AP to the same packet size. Your problem sounds strange, presumably Draytek did not tell you why your problem was now fixed, doesn’t sound like a good solution IMO.

The Draytek starts at an MTU of 1500 and lowers it by 8.
And everything between 1452 and 1500 was not a good match (I did ping the Google DNS).

Draytek did change 3 items.

  1. DNS setting equal to the router's IP for the specific range (I experimented with a ton of settings)
  2. Set the IP address as fixed in the router.
  3. Change the MTU from 1500 to 1452.

You say the same, very strange issue.


I also notice that the connection between the thermostat and the AP refreshes about every 20 seconds.
In fact it resets the connection before it can set up a connection to the outside world.
It works without a VLAN.
Or it worked on the older Vigor 2925.

Thanks ahead,


The Draytek2862 can support multiple SSIDs on both 2.4GHz and 5GHz WiFi. My first guess is the link to the thermostat is broken due to loss of signal/excessive noise from the new modem location. If this is the case it would cause the thermostat to continually attempt to establish a connection to the internet via the Draytek. As well as a DrayTek Vigor2862ac I have an earlier Vigor2830Vn-plus that these days is just used to isolate my untrusted IOT network. The unit has multiple antenna connections available and they can be used to connect to an external antenna on the roof. By changing the antenna connection and using the site survey function I’ve found major differences in the receive sensitivity of the unit. At the present time the most sensitive Vigor2830Vn-plus antenna connector has an external antenna connected via low-loss RG-213 cable. The end result is the unit ‘hears’ better than it can transmit. Due to Vigor2830 End-of-Life issues part of my current network disaster (some could generously call it an upgrade) is the plan to replace the Vigor2830 with a Vigor2860ac. I haven’t tested the Vigor2860 to see if it exhibits similar receive characteristics as the earlier hardware. It may be the DrayTek hardware still has a more sensitive receiver on one antenna connector. Therefore your DrayTek hears the thermostat and transmits replies while the thermostat can not hear the DrayTek replies.

The first two changes that DrayTek performed look to be simplifying the network configuration, I really wonder how the router to thermostat link was configured if the DrayTek did not have a fixed IP address i.e. what was the source of the IP address it received via DHCP and was the device that issued an IP address to the DrayTek also issuing an address to the thermostat. Is the thermostat configured with its own DHCP server, now that sounds too strange to contemplate as how would it detect the appropriate gateway address. If there is another device issuing IP addresses it may be ignored if the thermostat is close to the Vigor2862. Then moving the DrayTek may enable the thermostat to configure with an invalid IP address. Under the LAN settings the DrayTek has the option to enforce it to ignore any unregistered, unknown device that attempts to establish a session. Use of an external DHCP server for thermostat configuration could result in the thermostat being unable to establish a session. I have a Philips Hue bridge that can attach itself with different WiFi access points on different networks and this is the source of some grief on power failures when everything resets. Bad, bad, and again just plain bad network design. I’m no expert but the reduction in MTU size by Draytek might have been to ensure that 1500 bytes was never exceeded. It looks to me like DrayTek unwound your configuration modifications and were just being conservative. That enabled normal operation and your current move is most likely to be causing WiFi RF issues. A test you may be able to perform is to use a WiFi USB dongle on a USB extension cable to measure received signal strength at the thermostat’s location when you relocate the Vigor2862.

I can follow your story. And it is something I had been considering.
Yet I do not have a Vigor 28xx but one from the 29xx series. And my 2962 does not have WiFi, that is why I have the access point Vigor 903.

From the cable modem it is about 10/15 meters (I think 30/45 ft) on Cat 5.
Then the router (2962). Then another 10-15 meters, entering the Mikrotik, where all the computers are connected and a link goes to the Zyxel switch (10 meters).
The access point is 1 meter further.
The older 2925, without WiFi, was in the same spot as the present 2962.
And I think that the signal strength to the access point was -63.
As I have relocated the 2962 closer to the access point I could combine the two, and that works for once.

However, if I change the VLAN ID from 10 to the default 0, the connection to the thermostat is there in a few seconds.

The black and blue lines are the normal connections. The red and green are shortcuts that I tried.

But hearing you, you say, put the AP closer to the Thermostat?

Thanks ahead,


Sorry my mistake I misread the 2962 as a 2862. My configuration is a vDSL → Vigor103 → pfSense → Vigor2862ac and Vigor2830 LANS/WiFi networks. With your description it sounds like the problem is limited to the configuration of the VLAN. I have no experience with your switches or the Vigor903 so I would be back to reading manuals and using a PC at the Vigor903 position to confirm correct VLAN and DHCP operation. Then when Vigor903 re-instated using Wireshark if unable to diagnose problems.

I know nothing about your Vigor903 which means I’ll have to RTFM. Hopefully their menus have consistent logic for the VLAN configuration. At least you can confirm basic VLAN operation with a PC at the Vigor903 position.

1 Like

Tried to access the Vigor903 User Guide on our Draytek site but it is throwing 404 errors. Just looking at the product overview I’m expecting major differences between configuration logic of the 903 and the Drayteks I have used.

Without access to the manual I’m wondering what Ethernet header the Thermostat receives i.e. is the VLAN stripped or propagated to the thermostat. The drawing I saw appeared to show the VLAN propagated over the air. If that is the case the Thermostat may not know how to process the VLAN info and then shut down the link.

1 Like
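Whether a frame still carries an 802.1Q tag can be read directly from a capture taken on the wired side, for example with a PC at the Vigor903 position as suggested earlier. The following is an added example, not part of the original thread; the frames are constructed sample data, the MAC addresses are placeholders, and VLAN 10 is the IoT VLAN id from the first post.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q VLAN tag

# Constructed sample addresses (broadcast destination, locally administered source).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")


def build_frame(vid=None, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed Ethernet frame, optionally with an 802.1Q tag."""
    header = DST + SRC
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def parse_ethernet(frame: bytes) -> dict:
    """Return the VLAN tag fields (or None), inner EtherType and header length."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, header_len = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        # TCI layout: 3 bits priority, 1 bit drop-eligible, 12 bits VLAN id.
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        header_len = 18  # the tag adds 4 bytes to the header
    return {"vlan": vlan, "ethertype": ethertype, "header_len": header_len}


def classify(frame: bytes, expected_vid: int) -> str:
    """Say whether a frame is untagged, on the expected VLAN, or on another one."""
    vlan = parse_ethernet(frame)["vlan"]
    if vlan is None:
        return "untagged"
    return "tagged-expected" if vlan["vid"] == expected_vid else "tagged-unexpected"


if __name__ == "__main__":
    for name, frame in [("trunk side", build_frame(vid=10)),
                        ("client side", build_frame()),
                        ("guest leak", build_frame(vid=20))]:
        print(name, parse_ethernet(frame), classify(frame, expected_vid=10))
```

Frames exported from Wireshark as raw bytes can be passed to `parse_ethernet` in place of the constructed ones.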

Thanks for helping me.
Here is the manual. I could look into it:
I doubt the VLAN is the issue. But if I use all the same hardware that you find in the drawing, and replace the 2962 with the old 2925, then it works.
So I guess that the 2962 is having the issue, or maybe a combination.

And yes the connection to the Thermostat is over wifi.

I also connected the AP903 directly to the 2962 router, and did not use the switches, to find out if they were the issue.
That did not help either.


Looks like you are on the right track.

For what little it is worth I found a configuration guide for VLANs on the Vigor903 at I’ve never had anything to do with the Vigor2900 series. I’ve looked at the manuals to see if anything leaps out. I would be monitoring the station lists on the Vigor2925 and Vigor903. It may be the thermostat only connects to the Vigor2925 i.e. it can never establish a connection with the Vigor903.

As I don’t know how the Vigor2925 handles VLAN ids via WiFi I’ve raised the issue in our local Whirlpool forum for DrayTek at

The configuration is Cable Modem <-> Vigor2925 <-> Switch <-> Switch <-> Vigor903 <-Wifi> Thermostat
This configuration uses VLAN10 and VLAN20 to isolate traffic at the site. The Thermostat is on VLAN20

If a Vigor2962 replaces the Vigor2925 the connection to the Thermostat fails. The switches have been bypassed and problem remains the same.

I have had nothing to do with the 2900 series or Vigor903, so I thought I would ask here. My first guess is the Vigor2925 will not transmit a VLAN id while the Vigor903 can transmit the VLAN id.

My first question is how is the VLAN id transmitted over WiFi by the Vigor2925 and the Vigor903?

My best guess is the Vigor2925 does not transmit a VLAN id in its WiFi packets while the Vigor903 can include the VLAN id in its IP header. If the Thermostat does not support a VLAN id then it will only ever work with the Vigor2925 or the Vigor903 with the VLAN disabled.

1 Like

Draytek Australia have offered to assist and could provide a fresh set of eyes on your problem. My knowledge is limited to the Vigor2830 series, 2860 series, 2862 series, plus the Vigor103 which is obviously not your hardware. It is not appropriate for me to position myself between Draytek and yourself as my assumptions would just confuse the situation. Therefore I did not forward what you have posted in this forum but just asked a question to improve my knowledge.

Please email your topology, Vigor configurations and results of your testing. Emphasize you have tried bypassing the two switches. While investigating your thermostat problem I would remove both switches and hard wire your Vigor903 directly to the Vigor routers. Only after this simplified network is debugged would I introduce the switches.

I would still like to know the connected WiFi station results for the working and broken configurations, plus the Ethernet connection status of the Vigor903.

1 Like

Thank you for asking around, even in Australia. Really appreciated. I am not sure if I can send them an email as I am Dutch, but I will try anyway.
To answer your other question regarding the WiFi on my 2925:
I did have the version without the antennas. I always have the router without WiFi.

My previous setup with the 2925 + AP902 worked.
And my next version 2925+AP903 worked.

2962+AP903 does not work.
And I have tested 2962+AP902, and that did not work either.
I think the 2962 is the issue.

I will post here what the Australians come up with.
Can I conclude you live down under as well?

Think you will find they will want to solve your problem.

My Vigor2862ac’s configuration menu has WiFi mesh support that was not included in the earlier Vigor28xx series hardware. My experience has been Draytek only has incremental changes in a hardware series which makes it surprising that you have had this upgrade problem.

When you have the 2962+AP902 configuration can you still access the configuration menu of the AP902, and does the IP address of the AP902 change?

The AP902 does not support mesh.
The AP903 does support Mesh though.
So mesh is not functioning here.
The client-assisted roaming is not something that I got working.
So I have 2 different access points configured in the house, and that works well enough.

And yes, the config pages of both AP902 and AP903 are accessible.
I also give all my network devices a fixed IP address.
And the other devices are also more or less fixed, because I use Bind IP to lan.

Sorry about the confusion over mesh. I was just trying to illustrate how Draytek tends to do incremental updates with a series. I’ve moved from 2830 to 2860 then 2862 series and most of the menus really have minimal changes, they just tend to add new menu items like WiFi mesh so that old configurations remain viable. I don’t use Drayteks for mesh.

Because of our house and shed layout I had experimented with extending WiFi and settled on the TP-Link Deco units to provide extended coverage. My partner was complaining about the Wifi coverage out the back of the house so I installed a weatherproof 2.5/5GHz access point closer to the area she needed coverage. Add in the WiFi network for the insecure devices, home automation, etc. and it is getting messy…

I had a similar upgrade path.
After 2 Netgear routers (pro-line), which each died after 2 years, I had bought 2x Vigor 2900, in order to set up a site-to-site VPN to my sister's home, so the backup back and forth could go over the line.
My 2900 died, and I had replaced it by a 2820.
When I changed from ADSL to Cable, I did upgrade to the 2925, as the 2820 WAN2 was not fast enough.
And upgraded to the 2962 when the 2925 on my site slowly died after 6 or 7 years.

My WiFi went from unknown to Vigor 800. I bought 2, and one died after 2 years.
I replaced it with the 902, which was a world of difference.
And when the 100mbit switch in the 800 became too small, I changed it out for a 903.

And yes, I see the devices get better with the newer models, and they add things in the new ones, while the menu stays the same.
I am not sure if the Draytek stuff is made for businesses, but they are useful for private use and small businesses, as they add a load of stuff others do not offer.

Yet I have been in doubt about a Netgate device this time. But went with Draytek, as the support was good.
But Draytek NL does not have a solution, and could not find it.
I have the impression that their support is a bit lacking compared to previously.

Many years ago to replace our ISP supplied ADSL modem with something that included WiFi plus other technologies like VOIP, VPN etc for the residential market there were few options. Our ISP used a unique ADSL configuration that forced manufacturers to provide unique firmware for our market.

At the time it was between a Fritz box and Draytek. From the Whirlpool (nothing to do with the white goods manufacturer of the same name) support forums it appeared there were a number of very unhappy Fritz users waiting for fixes to be delivered. As Draytek users were generally much happier I went with the Vigor2830Vn-plus. Cost was not a factor in the choice between these two. Draytek has always had an active presence on the Whirlpool forums supporting users which is very proactive and a little brave considering they can’t hide any issues.

I did have some failures over the years with D-Link DSL series while none of my Draytek devices have ever failed. Means the Draytek has lasted long enough to reach technological obsolescence. I’m in the process to replace the 2830 on my WiFi network of untrusted devices i.e. devices that are outside my control.

As an amateur radio operator I can qualify for IPv4 addresses in 44/8, refer AMPRNet | Amateur Radio Digital Communications for the background. Minimum allocation was 256 IPv4 addresses, BGP and non-commercial traffic. As Draytek is aimed at the business market it supports BGP, IPv4 allocation was fill out the application and wait for the assignment, but my partner worked from home and that failed the non-commercial requirement. Tunneling is probably an option to separate the traffic but I didn’t want future grief over the non-commercial aspect.

I’ve been happy with the features provided through the web interface and never had to dive down to the command line. The Drayteks allow me to play around with configurations at home as long as I don’t break my partner’s internet access. E.g. our current ISP has a 30 minute timeout when your MAC address changes with new hardware, only found that out the hard way. Luckily MAC addresses can be programmed, so both Vigors now appear to have the same MAC address. Swapping hardware is simples… Not so good when you go into Vigor103 bridge mode and the ISP then gets the MAC address of the SamKnows monitoring box between the xDSL modem and the pfSense firewall, then removing the monitoring box delivers the firewall’s MAC address to the ISP. I had never needed or recorded the MAC address of the SamKnows box as it was meant to be transparent. The frequent MAC changes had caused the ISP’s system to lock up with multiple MAC addresses captured and the ISP tech support couldn’t clear the deadlock and had to wait for the 30 minute timeout. There was a bit of head scratching trying to locate the unidentified MAC address the ISP’s system reported. Given the lock up they were not confident the address was even real. My partner was mostly oblivious as the Drayteks support 3G/4G USB dongles as fallback but she did hear some very strange, one sided conversations with tech support. Tech support had expected to reset the line configuration to remove the captured MAC addresses and that didn’t follow their script.

My Vigor 2900 developed issues around the time that my Draytek switch suddenly had 2 non-functioning Ethernet ports, and my Canon printer suddenly stopped working.
I think it had to do with lightning in my neighbourhood and some induction electricity.

The issue with my 2925 is that it cannot hold speeds of more than 130mbit, where it should support 400mbit, which it had been supporting previously.

I’ve never received any info on the IP packets transmitted when the VLAN is enabled. I still suspect the VLAN ID is included in the header and the thermostat can not establish a session or keeps the old session (i.e. stays with VLAN 0 config). Therefore in the wrong subnet. I don’t know the capabilities of your 2962, if it can be used to attach to WiFi VLAN 10 as a test to see what is being transmitted over the air.

I brought an old ASUS Android tablet with me and it is currently locked behind the hospital’s firewall. Phone got through the firewall authentication process but the tablet fails. My partner had this device configured on this firewall when she had her operation. As my partner’s authorisation has lapsed the firewall now spits the dummy and won’t give me access to the page to authenticate my access. Getting old sucks, had an operation today and hope to be thrown out of here this weekend. Nurses don’t know of any IT support which is not a good start on fixing the firewall lockout.