DrayTek 2866ac G.fast DSL Ethernet Wifi Router
DrayTek Vigor 2866ac G.fast DSL Ethernet router with AC1300 wireless
The DrayTek Vigor 2866ac Dual-WAN VDSL2/ADSL2+ WiFi 5 Router is a G.Fast / VDSL and Ethernet Multi-WAN Firewall VPN router. This router is ideally suited to connect directly to Ultrafast G.Fast broadband and Superfast VDSL. The Vigor 2866ac provides advanced Firewall and Content Filtering, Quality of Service and VPN with Gigabit throughput. This model also provides 802.11ac (WiFi 5) simultaneous dual-band wireless. The Vigor 2866ac provides a reliable, flexible, and secure networking solution, ideal for Home Offices, Small Business and Satellite Offices.
Featuring high throughput with Load Balancing and Failover connectivity, it is suitable for handling Fibre to the Premises (FTTP) and Gigabit internet connections. The router offers up to 950Mbps per-WAN of Hardware Accelerated throughput while retaining its full feature set.
With 802.11ac (WiFi 5) wireless, it provides fast wireless coverage to your network's computers and devices. In addition, the router can connect to wireless networks for internet access, allowing it to make use of Mobile Hotspot wireless connections and nearby wireless networks, where for instance a neighbour's wireless network could provide an emergency backup connection.
Route Policy - Powerful Routing Management
The Vigor 2866ac provides full policy-based control of where and how outbound traffic is routed with Route Policy:
- VPN Routing: Send all or select traffic through VPN services.
- Hostname Routing: Route access to individual websites, internet domains (e.g. www.bbc.co.uk) and hostnames through a VPN tunnel or a specific WAN.
- Service Routing: Push specific services or ports, such as DNS, through a set WAN, an alternative Gateway or VPN Tunnel.
- Failover & Failback: Extensive control of Failover with multiple Failover rules and paths. Manage how connections are moved back to the primary connection after a Failover has occurred with Failback settings.
AC1300 Wireless LAN with Mesh
The Vigor 2866ac provides 802.11ac (WiFi 5) simultaneous dual-band wireless for fast and efficient wireless connectivity. Multi-User MIMO allows the router to send to more than one device at a time, with each of its antennas streaming data to different devices at once, improving efficiency over standard 802.11ac (WiFi 5) wireless and allowing the router to effectively serve more wireless clients. With firmware 4.3.0, the Vigor 2866ac wireless router can be used as part of DrayTek's Mesh wireless system which allows the router to work as the Mesh Root, providing internet access and management of Mesh VigorAPs directly.
Ideal VPN router for SMB
A feature central to DrayTek routers is their VPN (Virtual Private Networking) capability. A VPN enables you to link remote offices and branch offices back to HQ, or home-based/mobile teleworkers back to your office. The Vigor 2866ac is an ideal VPN router, with 300 Mbps standard IPsec VPN throughput and up to 50 concurrently active VPN tunnels. IPsec Hardware Acceleration boosts performance, up to 800 Mbps for 16 VPN tunnels, allowing securely encrypted tunnels between sites to make full use of high speed internet connections. It supports all common industry-standard VPN protocols, so it can connect to VPN services, link remote offices and handle connections from all types of VPN clients.
The router supports IPsec IKEv1 & IKEv2 protocols with EAP and XAuth authentication, DrayTek's SSL VPN and L2TP for both LAN to LAN and Dial-In teleworker VPNs. In addition, teleworkers can connect to the router with OpenVPN. User management for Dial-In Teleworkers is handled through the router's web interface, with mOTP 2-factor authentication available for IPsec, L2TP and SSL VPN Teleworker connections. Alternatively, authentication for Dial-In Teleworker connections can be forwarded to your Active Directory (LDAP), RADIUS or TACACS+ server.
Connect VPNs from behind NAT with DrayTek's VPN Matcher
A typical requirement for connecting a VPN tunnel between two points is that the VPN server must be directly accessible on the public internet. Sometimes this can be achieved with NAT Port Forwarding if the router is located behind another router, but if the router is connected to 4G Mobile Broadband or is behind Carrier-Grade NAT (CG-NAT), connecting to that VPN server may be impossible. DrayTek's VPN Matcher service helps DrayTek routers behind NAT to allow Dial-In Teleworkers to connect, or connect two DrayTek VPN routers that are behind NAT and could not normally establish a VPN tunnel.
Connecting Remote Sites with LAN to LAN VPN
Supporting up to 32 concurrently active VPN tunnels, the Vigor 2866ac is ideal for connecting multiple sites or home offices together with fast and secure IPsec VPN tunnels. Once connected, they have access to your office/remote resources through a secure encrypted tunnel allowing remote desktop, file sharing and seamless access to other resources and devices.
DrayTek SSL VPN for Dial-In Teleworkers & LAN to LAN
The Vigor 2866ac supports up to 16 active DrayTek SSL VPN tunnel connections. These are encrypted tunnels linking your teleworkers or remote DrayTek Vigor routers back to your main office using SSL/TLS technology - the same encryption that you use for secure web sites such as your bank. Teleworkers can easily create a secure SSL VPN tunnel to the DrayTek Vigor 2866ac using the free DrayTek Smart VPN Client app - available for Windows, macOS, Apple iOS (iPad, iPhone) and Android devices.
5+1 Gigabit LAN Ports with VLANs
The Vigor 2866ac series provides up to 6 Gigabit LAN ports for wired links to Computers, Servers and Network Attached Storage. With 5 dedicated LAN ports and one flexible LAN/WAN port, the Vigor 2866ac can connect up to 6 devices directly with a single Ethernet WAN configuration, or 5 devices with a dual Ethernet WAN configuration. With Multiple LAN subnets and VLANs, the Vigor 2866ac can manage up to 8 separate networks, for instance an internal network alongside a network for guests that is completely separate from the private network. Each network can have its own Content Filtering, Firewall, Quality of Service and Route Policy applied. The router has full support for 802.1Q VLAN tagging, so that these subnets can be passed to other devices that support VLAN tags, such as the DrayTek VigorSwitch G1080 8-port switch (sold separately), for additional network ports.
The Wireless LAN also links to these VLANs, making the same Guest & Private networks possible simply using different wireless SSIDs. Or connect up a DrayTek VigorAP wireless access point, such as the VigorAP 903 (sold separately, see accessories tab) to do the same, spanning the router's own wireless and any connected wireless APs.
Designed for Central Management
The Vigor 2866ac (along with most other DrayTek routers, Access points and switches, sold separately) can be centrally managed by the VigorACS central management platform. This scalable solution provides visibility, control and reporting of your entire DrayTek product estate, ideal for dealers/SIs managing customers' devices or any user who wants to know what's going on with their devices. VigorACS also provides features like automated/bulk firmware updates, VPN management and alarms for connectivity or other issues.
Robust & Comprehensive IPv4 / IPv6 Firewall
Security is always taken seriously with DrayTek routers. The firewall protects against attacks including DoS (Denial of Service) attacks, IP-based attacks and access by unauthorised remote systems. Wireless, Ethernet and VPN are also protected by various protection systems. The DrayTek object-based firewall enables you to create combinations of Firewall rules and Content Filtering to suit a home or small office environment, applying Content Filtering to the whole network, only specified devices or just the network that guests can connect to. The Vigor 2866ac supports both IPv4 and IPv6 with Dual-Stack IPv4/IPv6. Advanced networking features, such as the object-based Firewall, Quality of Service, Content Filtering and VLANs support both IPv4 and IPv6 networks.
Web Content Filtering with DNS Filter
The content control features of the Vigor 2866ac allow you to set restrictions on web site access, blocking download of certain file or data types, blocking specific web sites with whitelists or blacklists, blocking IM/P2P applications or other potentially harmful or wasteful content. Restrictions can be per user, per PC or universal and according to time schedules. Content filtering can also block sites using HTTPS/SSL where URLs are encrypted (and normal routers cannot block). Using the GlobalView service, you can block whole categories of web sites (e.g. gambling, adult sites etc.), subject to an annual subscription, which is continuously updated with new or changed site categorisations or sites which have become compromised (such as infected with Malware). A free 30-day trial is included with your new router, see accessories tab for compatible GlobalView licences.
High Availability - Hardware Failover
For even greater resilience, the Vigor 2866ac provides High Availability (HA), with both a primary and secondary router (secondary router sold separately) able to provide connectivity to your network and subnets. In the event of the primary unit failing, the secondary unit will take its place on the network, automatically switching over to resume internet, routing and VPN connectivity with no intervention required. This can remove the possibility of a single point of failure within your routers. With Config Sync, the two routers are managed as a single unit, so that any changes made to the primary router will automatically propagate to the secondary router, ensuring it’s ready to take over at any time.
DrayDDNS - DrayTek Dynamic DNS Address
DrayTek provides a free Dynamic DNS address to each Vigor 2866ac router, allowing you to link the router's current IP address to a memorable "drayddns.com" hostname, such as "myrouter.drayddns.com". This address automatically updates whenever the internet connection's IP changes, so if one WAN's IP address allocation is dynamic, or the IP changes when switching from the primary WAN connection to a backup, you can easily locate and access your Vigor 2866ac router. Just use the hostname to access the router's VPN services, management and any other services you have made accessible through the router. The Vigor 2866ac can also authenticate your DrayDDNS hostname with free SSL/TLS certificates provided by LetsEncrypt. The router manages and automates the certificate process, keeping the certificate up to date and ready for use with SSL VPN and other services.
Manage Guest WiFi with Hotspot Web Portal
DrayTek routers make it easy to manage guest wireless with Hotspot Web Portal. The fully customisable captive portal can be applied to the router's LAN / VLAN interfaces, for use with wireless access points. Authentication can be handled by Google/Facebook or an external web portal service such as Purple WiFi with RADIUS. Upon connecting to the wireless network, users are presented with your company's branding and information. From there, depending on what you've set, they can simply click-through, provide their details or enter a PIN with a voucher generated by the router (voucher printer not included). Once connected, the router can allow access until a user reaches their quota limit of time connected or bandwidth used.
Quality of Service & Bandwidth Control
Prioritise latency-sensitive applications on your network with Quality of Service. App QoS simplifies setting up Quality of Service significantly: simply select which applications or services to prioritise, such as Zoom and Skype. Use 4 separate queues to give priority to servers & PCs (IP address), services such as VoIP or DNS, or packet tagging used by IP phones with 802.1p and DSCP support. Auto Voice VLAN allows the router to automatically prioritise VoIP calls as they pass through the router without additional configuration. Control throughput with Bandwidth Limit by setting speed limits for all clients individually, groups of IPs, or a shared bandwidth limit for a whole subnet, such as a guest network.
Central AP & Switch Management
The Vigor 2866ac manages DrayTek VigorAP access points and VigorSwitch switches connected locally to the router. This enables you to centrally control, manage and administer multiple AP & Switch devices installed around your building/campus from just the one router.
Central AP Management
The DrayTek router operating as the wireless controller can provision up to 20 DrayTek VigorAP access points with Central AP Management profiles, with an option to Auto Provision - auto configuring newly installed VigorAP access points with the Auto Provisioning profile, upon initial connection to the DrayTek Vigor router's network.
Central Switch Management
DrayTek VigorSwitch switches can be provisioned and managed through the router with DrayTek’s Central Switch Management system, which allows you to:
- Easily provision VLAN configuration and other port settings directly from the router.
- Set bandwidth rate limits and schedules for individual ports.
- Log switch events for alert notifications if network problems occur.
- At a glance see the devices connected on your network with a virtual topology.
Standard Warranty: 2-Years
Highlights
Key Features
G.Fast and Ethernet Load Balancer
High throughput handles fast internet connections, with Load Balancing and Route Policy.
AC1300 Wireless with Mesh
Supports dual-band 802.11ac WiFi 5. Use the router as the Mesh Root with DrayTek Mesh.
Robust SMB VPN Router
Up to 32 active VPN tunnels, with up to 800Mbps IPsec Hardware Accelerated throughput.
5+1 Gigabit LAN Ports with VLANs
Extensive LAN management features, use VLANs to manage up to 8 networks.
VigorACS Central Management
Easily provision, monitor and manage remote sites without on-site IT or dedicated staff.
Firewall & Content Filtering
Manage internet access with Firewall, App Enforcement & Category-based Web Filtering.
High Availability
Connect a pair of Vigor 2866 series routers to provide a hardware backup solution.
DrayDDNS with LetsEncrypt Certificates
Free DrayDDNS address for each router, with automated LetsEncrypt SSL/TLS Certificates.
Quality of Service with App QoS
Easily prioritise latency-sensitive applications on your network with App QoS.
Hotspot Web Portal
Provide internet access to guests and market your business with captive portal.
Centralised LAN Management
Easily manage and provision DrayTek VigorAP access points and VigorSwitch switches (sold separately).
Dimensions and Weight
Width 241 mm, Depth 165 mm, Height 44 mm, Weight 1.7 kg
Specification
Physical Interfaces
WAN1: G.fast / VDSL2 / VDSL2 35b / ADSL2+, RJ11
WAN2/LAN Switchable Port: 1x Gigabit Ethernet (1G/100M/10M), RJ45
LAN Ports: 5x Gigabit Ethernet (1G/100M/10M), RJ45
2 x USB 2.0 Port for 3G/4G Modem, thermometer or printer (sold separately)
2 x Removable Wireless antennas
Wireless On / Off / WPS button
Recessed Factory Reset button
Antenna Specifications
2 x External Dipole Antennas
5GHz Gain: 4.5 dBi
2.4GHz Gain: 5 dBi
RP-SMA fitting antenna connectors
Performance
NAT Performance:
1.3Gb/s Max Sync Rate with G.fast (dependent on ISP & Exchange equipment)
100 Mb/s Max Sync Rate with VDSL2
300 Mb/s Max Sync Rate with VDSL2 35b
950 Mb/s NAT Throughput for Ethernet WAN with Hardware Acceleration
1.8Gb/s Total Multi-WAN NAT Throughput
700 Mb/s NAT Throughput per WAN without Hardware Acceleration
60,000 NAT Sessions
8000 Hardware Accelerated NAT Sessions
VPN Performance:
300 Mb/s IPsec (AES256) VPN Performance
800 Mb/s Hardware Accelerated IPsec VPN Performance
130 Mb/s SSL VPN Performance
Max. 32 Concurrent VPN Tunnels
Max. 16 Concurrent SSL VPN / OpenVPN Tunnels
WAN Interfaces
WAN1: G.fast / VDSL2 / VDSL2 35b / ADSL2+
WAN2: Gigabit Ethernet
WAN3: 2.4GHz Wireless WAN
WAN4: 5GHz Wireless WAN
WAN5: 4G/LTE USB Modem (not included)
WAN6: 4G/LTE USB Modem (not included)
Internet Connection
Load Balancing: IP-based, Session-based
Hardware Acceleration
802.1p/q Multi-VLAN Tagging
Multi-VLAN/PVC
2.4GHz & 5GHz Simultaneous Wireless WAN
WAN Active on Demand: Link Failure, Traffic Threshold
Connection Detection: PPP, ARP Detect, Ping Detect
WAN Data Budget
Dynamic DNS
DrayDDNS – with automated LetsEncrypt Certificates
Full Feature-set Hardware Acceleration:
Hardware Accelerated Quality of Service
Multi-WAN Data Budget
Traffic Graph & Data Flow Monitor
Bandwidth Limit
IPv4 Connection Types: PPPoA, PPPoE, MPoA, DHCP, Static IP, PPTP/L2TP (Ethernet WAN only)
IPv6 Connection Types:
Ethernet: PPP, DHCPv6, Static IPv6, TSPC, AICCU, 6rd, 6in4 Static Tunnel
4G/LTE Modem & USB 4G/LTE Modem: TSPC, AICCU
G.fast, VDSL & ADSL Features
BT Infinity Option 1 & Option 2 Compatible
Compliant with Openreach SIN 527 & SIN 498
Auto Detection of G.fast, VDSL and ADSL line modes
Support for G.INP & Vectoring
G.fast Standards:
ITU-T G.9700, G.9701 G.fast
Profile: 212MHz & 106MHz
VDSL Standards:
ITU-T G.993.1 VDSL
ITU-T G.993.2, G.997.1 VDSL2
Band Plan: G.998, G.997
Annex A, Annex B, Annex C
VDSL2 Profile: 8a, 8b, 8c, 8d, 12a, 12b, 17a, 35b
OLR, UPBO, DPBO Supported
US0 Supported
Loop Diagnostic Mode
DSL Forum WT-114
ADSL Standards:
Annex A
ANSI T1.413 Issue2
ITU-T G.992.1 G.dmt (ADSL)
ITU-T G.992.2 G.lite
ITU-T G.992.3 ADSL2
ITU-T G.992.5 ADSL2+
ATM Protocols:
RFC-2684/RFC-1483 Multiple Protocol over AAL5
RFC-2516 PPP over Ethernet
RFC-2364 PPP over AAL5
Support for RFC4638 for MTU up to 1500
Wireless Features
AC1300 - 11ac 'Wave 2' Dual Band Wireless:
802.11ac 2x2 wireless access point
Compatible with 802.11a/b/g/n wireless
Dual-band (2.4/5GHz) simultaneous wireless
Up to 866Mbps PHY rate at 80MHz with 5GHz
Up to 400Mbps PHY rate at 40MHz with 2.4GHz (256-QAM)
Channel Bandwidth: 20/40MHz for 2.4GHz, 20/40/80MHz for 5GHz
MU-MIMO
Tx Beamforming
Mesh Root support with DrayTek VigorAP Mesh Nodes
Up to 4 SSIDs per radio band
Extended 5GHz Band - Channels 36-48, 52-64, 100-140
Wireless Optimisation: Airtime Fairness, AP-Assisted Mobility, Band Steering
Bandwidth Management (Per Station / Per SSID)
WMM (Wireless MultiMedia)
WPS - WiFi Protected Setup
Station Control - Time limited wireless connectivity per Station (e.g. 1 hour)
EAPOL Key Retry - Disable EAPOL Key Retry to protect unpatched WLAN clients from KRACK
Wireless Security:
WPA2
WPA3
Pre-Shared Key authentication
Enterprise 802.1x authentication
WEP/WPA for Legacy Clients
Access Control – Blacklist / Whitelist client MAC addresses per SSID
Firewall & Content Filtering
IP-based or User-based Firewall Policy
User-based Time Quota
DoS Attack Defence
Spoofing Defence
Content Filtering:
Application Content Filter
URL Content Filter
DNS Keyword Filter
Web Features
Web Category Filter (requires GlobalView subscription, sold separately)
NAT Features
NAT Port Redirection
Open Ports
Port Triggering
DMZ Host
UPnP
ALG (Application Layer Gateway): SIP, RTSP, FTP, H.323
VPN Pass-Through: PPTP, L2TP, IPsec
LAN Management
802.1q Tag-based, Port-based VLAN
Up to 8 LAN Subnets (NAT or Routing mode selectable per LAN interface)
Up to 16 VLANs
DMZ Port
DHCP Server:
Multiple IP Subnet
Custom DHCP Options
Bind-IP-to-MAC
DHCP Pool Count up to 1022 addresses for LANs 1-3
DHCP Pool Count up to 253 addresses for LANs 4-8
DHCP Relay per LAN
LAN IP Alias
Wired 802.1x Port Authentication
Port Mirroring
Local DNS Server
Conditional DNS Forwarding
Hotspot Web Portal
Hotspot Authentication: Click-Through, Social Login, SMS PIN, Voucher PIN, RADIUS, External Portal Server
Networking Features
Policy-based Routing: Protocol, IP Address, Port, Domain/Hostname, Country
High Availability: Active-Standby, Hot-Standby
DNS Security (DNSSEC)
Local RADIUS server
SMB File Sharing (Requires external storage)
Multicast: IGMP Proxy, IGMP Snooping & Fast Leave, Bonjour
Routing Features: IPv4 & IPv6 Static Routing, Inter-VLAN Routing, RIP v1/v2/ng, BGP
VPN
Up to 32 active VPN tunnels - including up to 16 SSL VPN or OpenVPN Tunnels
Up to 16 Hardware Accelerated 800Mb/s IPsec tunnels
LAN-to-LAN - Dial-In VPN Server & Dial-Out VPN Client
Teleworker-to-LAN – Dial-In VPN Server
User Authentication: Local, RADIUS, LDAP, TACACS+, mOTP
IKE Authentication: Pre-Shared Key and Digital Signature (X.509)
Encryption: MPPE, DES, 3DES, AES (128/192/256)
Authentication: SHA-256, SHA-1
VPN Trunk (Redundancy): Load Balancing, Failover
Dead Peer Detection (DPD)
IPsec NAT-Traversal (NAT-T)
Virtual IP Mapping – Resolve VPN IP subnet/range conflicts
DHCP over IPsec
DrayTek VPN Matcher – Connect to a VPN router that’s behind NAT/CG-NAT
VPN Protocols:
IPsec IKEv1, IKEv2, IKEv2 EAP
IPsec-XAuth
DrayTek SSL VPN
OpenVPN (Remote Dial-In User only)
GRE over IPsec
PPTP
L2TP, L2TP over IPsec
Bandwidth Management
IP-based Bandwidth Limit
IP-based Session Limit
User-based Data Quota
Quality of Service (QoS)
Classify via TOS, DSCP, 802.1p, IP Address, Service Type
4 Priority Queues
App QoS
VoIP Prioritisation
Class-based Outbound Traffic Tagging: DSCP & IP Precedence
Management
Local Service: HTTP, HTTPS, Telnet, SSH, FTP, TR-069
Config File Export & Import
Import Config from Vigor 2862 and Vigor 2860
Auto Backup Config to USB Storage
Firmware Upgrade via TFTP, HTTP, TR-069
2-Level Administration Privilege
Access Control Features: Access List, Brute Force Protection
Syslog
SMS, E-mail Notification Alert
SNMP: v1, v2c, v3
Managed by VigorACS
Router Central Management Features
AP Management: Up to 20 VigorAP access points
Switch Management: Up to 10 VigorSwitch network switches
VPN Management: Up to 8 Vigor routers
DrayTek Mesh: Up to 7 VigorAP access points
Operating Requirements
Rack Mountable (Vigor RM1 mounting bracket required - sold separately)
Wall or Shelf Mountable with included fittings
Temperature Operating: 0°C ~ 45°C
Storage: -25°C ~ 70°C
Humidity: 10% ~ 90% (non-condensing)
Power Consumption: 24 watts maximum
Operating Power: DC 12V (via external PSU, supplied)
Power Requirements: 100-240VAC
Weight: 620 g
Dimensions:
241 mm Width
165 mm Depth
44 mm Height
Package Contents
1 x Vigor 2866ac router
1 x Quick Start Guide
1 x Set of screws & wall plugs for wall mounting
1 x 2m CAT5e RJ45 Network Cable
2 x Detachable Wireless LAN Antennas
1 x DC 12V Power Supply with UK Plug
Warranty Information
Please check the Specification Section for Warranty Information
Extended Warranty
Care for your DrayTek with VigorCare Extended Warranty!
DrayTek Extended Warranty Matrix Support Model
VigorCare Enhanced Warranty Service
Advanced Replacement
If you suspect that your covered DrayTek product has developed a fault, our experienced support technicians will help you to diagnose the problem and determine whether the unit needs to be serviced or replaced. If it does, a replacement unit will be sent out the same day for delivery on the next working/business day (to most of the UK). If you wish to take the unit yourself to the service centre (currently North of London), replacement or diagnosis/repair can be carried out in person.
3 or 5 Year Warranty
With VigorCare, you also have the benefit of an extension to a full 3 or even 5 years of warranty, so that if a warranty fault does develop, you will have no bills for parts, labour or replacement. We're proud of the reliability that DrayTek products achieve, but however unlikely a problem might be, if your business depends on your DrayTek product, VigorCare should give you the peace of mind and convenience that you need.
VigorCare membership is subject to the VigorCare Terms & Conditions (see terms tab, above) and should be taken out within 6 months of purchase of your new product.
VigorCare Service Packs
VigorCare subscription is available for several categories of product. Determine the correct pack for your product below. NOTE: The subscription must be activated via the link below within 6 months of your router and service pack being purchased.
VigorCare Activation Link
https://www.draytek.co.uk/support/vigorcare-registration
Warranty Terms & Conditions Apply - please see here
https://www.draytek.co.uk/support/vigorcare#terms-and-conditions