T40 General Setup & help please

Hi, we've currently got a draytek 2860 on with a file server, Windows Server 2019 on, which also does the DNS. The draytek is doing the DHCP.

Tried setting this T40 up with an IP address of When connected, the PCs are getting an IP address, and we can ping, but no internet.

On set up, the T40 wanted to create its own 10.0 range, but I didn't want to go down this route as it would mean reconfiguring the CCTV, phone system and photocopier 😫.

So question 1, will this draytek work with the T40? Or should we get a VDSL modem and use that.

Question 2, if it does work, am I just being a right plonker and using the wrong settings somewhere?

Thanks in advance


    In mixed routing mode, you can't have the same subnet on External and on an internal firewall interface.
    You have several options:
    - switch to Drop-in Mode - that way you can have 192.168.1.x on both external and on internal firewall interfaces.
    - change the Draytek private IP addr to something other than 192.168.1.x, such as 192.168.2.x

    In either case, the Draytek cannot provide DHCP for devices behind the firewall, so the firewall will need to be set up to do DHCP.

    Also, if you have internal devices which expect the firewall to provide DNS, then you need to enable DNS forwarding in the firewall.

    About DNS Forwarding

    Do set up a public DNS IP addr on the firewall.

    About DNS on the Firebox

    Also, some ISP routers can be put into bridge mode so that the firewall external interface gets a public IP addr.
    Perhaps your model can.

    Many thanks! Going back to site to try this later. Do you think the bridge mode is a must, or optional?

    Just looking at the Drop-In mode - this might be doable as they don't have VLANs or anything fancy like that. They use laptop VPN connections and have two sites which need connecting in on a VPN too, so I assume I knock off DHCP on the draytek, AND allow the VPN pass through so the T40 handles it?

    You don't need to disable DHCP on the Draytek. DHCP broadcasts will not go through the WG from internal to the Draytek which is why DHCP needs to be enabled on the WG.

    Yes, allow VPN pass through the Draytek so the VPNs will terminate on the T40.

    I have used Drop-in mode so I know how it works. I have not used Bridge mode, so I am not sure of the implications of using it.

    Wow, I'm really struggling with this :(
    OK, so I set the WatchGuard as Drop-in, and internally now it all appears to be working fine.
    I haven't set the draytek as bridge mode.

    We've two more sites, with a draytek 2760 at one and a draytek 2762 at the other. I have followed a few guides on the internet, and cannot for the life of me get the site-to-site VPN working.

    I cannot for the life of me connect a PC or laptop to the VPN via either the Windows VPN, or via the mobile VPN SSL software. I have tried via SSL and IKEv2. The mobile software just sits at "contacting server". If I navigate to https://WAN IP:port, nothing.

    I feel like ripping this thing out

    For SSLVPN, you need to port forward TCP port 443 (HTTPS) from the Draytek to the WG external IP addr.

    For branch office VPNs, you need to port forward IPSec.

    Make sure that you look at the T40 Traffic Monitor to see what is shown.
    By default, allowed traffic is not shown in Traffic Monitor.
    To see packets allowed by a specific policy, you need to enable Logging on it.
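
As an added example (not from the thread, the Draytek or WatchGuard), a small Python checker for the two pieces of advice above: the mixed-routing subnet clash and Firebox-must-do-DHCP point, and the Draytek port forwards needed for SSLVPN and IPsec BOVPNs. The `Plan` fields, the sample addresses and the IPsec ports (IKE UDP/500, NAT-T UDP/4500 and ESP) are my assumptions; the reply only says "port forward IPSec".

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Plan:
    """Constructed description of the planned Draytek + Firebox layout (assumed names)."""
    mode: str               # "mixed" (mixed routing) or "drop-in"
    external_net: str       # subnet on the Draytek LAN / Firebox External side
    trusted_net: str        # subnet on the Firebox Trusted interface
    wg_external_ip: str     # Firebox External address the Draytek forwards to
    dhcp_server: str        # "firebox" or "draytek"
    draytek_forwards: set = field(default_factory=set)  # {(proto, port, target_ip)}

# Assumed requirements: SSLVPN needs TCP/443; IPsec BOVPN needs IKE UDP/500,
# NAT-T UDP/4500 and ESP (IP protocol 50, which has no port, shown as None).
SSLVPN_RULES = {("tcp", 443)}
BOVPN_RULES = {("udp", 500), ("udp", 4500), ("esp", None)}

def check_plan(plan: Plan) -> list[str]:
    """Return the problems found; an empty list means the plan is consistent."""
    problems = []
    ext = ipaddress.ip_network(plan.external_net, strict=False)
    trust = ipaddress.ip_network(plan.trusted_net, strict=False)
    if plan.mode not in ("mixed", "drop-in"):
        problems.append(f"unknown mode {plan.mode!r}")
    elif plan.mode == "mixed" and ext.overlaps(trust):
        problems.append(f"mixed routing: external {ext} overlaps trusted {trust}; "
                        "use drop-in mode or renumber the Draytek side")
    if plan.dhcp_server != "firebox":
        problems.append("DHCP broadcasts from Trusted never reach the Draytek; "
                        "enable the DHCP server on the Firebox")
    if ipaddress.ip_address(plan.wg_external_ip) not in ext:
        problems.append(f"{plan.wg_external_ip} is not inside external {ext}")
    # Every VPN rule must be forwarded by the Draytek to the Firebox External address.
    wanted = {(p, port, plan.wg_external_ip) for p, port in SSLVPN_RULES | BOVPN_RULES}
    for proto, port, target in sorted(wanted - plan.draytek_forwards, key=str):
        problems.append(f"missing Draytek forward: {proto}/{port} -> {target}")
    return problems

if __name__ == "__main__":
    # Constructed sample: the thread's first attempt (same subnet both sides, Draytek DHCP).
    first_try = Plan("mixed", "192.168.1.0/24", "192.168.1.0/24", "192.168.1.2", "draytek")
    for p in check_plan(first_try):
        print("-", p)
```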

    You sir, are a FRIGGING LEGEND.
    Thank you so much

    Setting up bridge mode will remove the need for setting up pass through on the Draytek.

    Have you tried setting up a BOVPN on the T40 end for the other 2 Drayteks?

    Hi everyone, n00b question again, wondered if you could help.

    It's the same site as in the above thread. They have at HQ a server, a draytek router, and this T40. The DrayTek VPN services have been disabled.

    They have three other buildings in different locations. Before the T40 was installed, they had a few site-to-site VPN tunnels running, but obviously these have stopped now. The remote staff have to dial in via the VPN software.

    Is there a way to get the tunnels back up? Their latest site is going to have staff in there needing access pretty much all the time to the server.
    One can create site-to-site BOVPNs using your WG firewall.

    Manual Branch Office VPN Tunnels

