This post begins with a rant about Virgin Media ignoring their own contract and cutting us off 17 days before they told us our services would end (just 13 days after we gave the contractual “30 days notice” to leave). It follows with setting up a DrayTek Vigor 130 VDSL2/ADSL modem with a Linux router for Sky’s fibre-to-the-cabinet (FTTC) broadband service.

Background and a rant about Virgin Media

After receiving notice of an over 37% price increase to our in-contract Virgin services, we cancelled on 17th April. In line with our contractual 30-day notice, we were told our services would end on 17th May (confirmed with Virgin’s support staff no less than 4 times, twice over the phone and twice in writing) so when they disconnected us at 0025hrs 1st May, 17 days early, I was not only annoyed but also left in the lurch as our new broadband service (with Sky) was not scheduled to be installed until 5th May.

It took 3 complaints to get them to offer to compensate me for the £10 it cost me to get sufficient mobile data to tide us over until the Sky service was installed, and the promise of £10 (which has not yet arrived) was all I got out of them - despite cutting us off early in breach of their contract with me and me having in writing from them that our services would not end until 17th May. They initially tried to claim that a straight refund, issued before the complaints, for services between the 1st May to 2nd June (which we had already been billed and paid for) was compensation for the inconvenience of being cut off early!

Since Virgin Media seem to ignore the contract between us (consumer) and them (supplier), which they wrote, and cut us off 17 days before a date I had repeatedly re-confirmed with them, I do not currently feel we can ever enter into an agreement with them in the future.

Sky settings

DrayTek have a page on configuring their routers (but it also talks about the Vigor modems) for Sky. Crucially, Sky does not require authentication but does expect DHCP with the client identifier (option 61) set to <username>@skydsl|<password>. However, sources online state that the username and password can be anything at all and most people use Anyone or anything for both. One key piece of information that is not immediately obvious is that Sky’s broadband, like most UK broadband services, requires tagging with VLAN 101 (it’s only mentioned for the Vigor 2750 router, the others say to disable VLANs - I presume as it’s the default usually for external modems).

Because the Sky broadband is VLAN tagged, by passing the VLAN through (instead of terminating it at the modem) it is possible to maintain administrative access to the modem. Details for configuring this are on the DrayTek website. I tried to do this but could not get it working - instead I ended up reverting to configuring the modem to terminate the VLAN, however I was still able to access it (even in bridge mode) by adding an IP address to the router’s public interface. The bits I reverted I have left in but crossed out.

It is possible to install a custom certificate for HTTPS, and I should explore adding this to my Let’s Encrypt setup.

Configuring the DrayTek Vigor

I began with a factory reset of the modem - it has been used with previous broadband supplies at my home and I was not sure what settings it had, so I thought this was the easiest way to start afresh.

The router’s default IP address is 192.168.2.1.

I plugged it directly into my laptop (without the DSL connected) to do the initial configuration, and it handed my laptop an IP via DHCP. I could then log in via the web interface at http://192.168.2.1/.

As this connection is ethernet, NetworkManager gave it a lower metric (i.e. higher precedence) than the WiFi connection - however this route (via the Vigor modem) has no connectivity to the outside world yet. To work around this, I told NetworkManager to never use the ethernet connection as a default route and told it to re-raise the connection:

nmcli connection modify "Wired connection 1" ipv4.never-default yes ipv6.never-default yes
nmcli connection up "Wired connection 1"

The default username and password on a Vigor 130 are admin and admin. The firmware was a little out of date (3.8.4.1_BT), so I downloaded and installed the latest (3.8.5.1_BT) firmware.

Even with the latest firmware (dated ), I had to enable defunct key methods and cyphers to login via SSH:

ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss -c 3des-cbc -l admin 192.168.2.1

The first thing I did was change the password (obviously not to password1234 - that’s just a placeholder for your password!). The Vigor 130 claims the argument to passwd is <ASCII string (max. 23 characters)>; however, it crashed with the first password I tried, so I presume not all ASCII characters are supported (I’m not sure which one caused it to die):

sys passwd password1234

I then disabled all non-encrypted protocols (ftp, http, telnet, tr069) by selecting only https and ssh:

> mngt lanaccess -s HTTPS,SSH

And verified the new setting:

> mngt lanaccess -v
mngt lanaccess -v
Current LAN Access Control Setting: 
* Enable:Yes
* Service:
   - FTP:No
   - HTTP:No
   - HTTPS:Yes
   - TELNET:No
   - SSH:Yes
   - TR069:No
* Subnet:
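
To make this verification step repeatable, the script below (an added example, not part of the original post or of DrayTek's tooling) parses saved output of the command above and fails if any of the unencrypted services (FTP, HTTP, TELNET, TR069) is still enabled. The function and variable names are assumptions of this example, and the second sample is constructed by flipping two lines of the post's output.

```shell
#!/bin/sh
# Added example: audit saved `mngt lanaccess -v` output from the modem.
# cleartext_enabled and SAMPLE_* are names made up for this example.
CLEARTEXT="FTP HTTP TELNET TR069"   # unencrypted services named in the post

# Print each cleartext service still enabled, one per line.
# Returns 0 if none, 1 if any, 2 if no "- NAME:Yes/No" line was found
# (an unparseable capture must not count as a pass).
cleartext_enabled() {
  printf '%s\n' "$1" | awk -v list="$CLEARTEXT" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
    { sub(/\r$/, "") }   # captured SSH sessions often carry CRs
    /^[ \t]*-[ \t]*[A-Za-z0-9]+:(Yes|No)[ \t]*$/ {
      line = $0
      sub(/^[ \t]*-[ \t]*/, "", line); sub(/[ \t]*$/, "", line)
      split(line, kv, ":")
      name = toupper(kv[1]); seen++
      if ((name in bad) && kv[2] == "Yes") { print name; hits++ }
    }
    END { if (!seen) exit 2; exit (hits ? 1 : 0) }
  '
}

# Output copied from the post, after `mngt lanaccess -s HTTPS,SSH`.
SAMPLE_HARDENED='Current LAN Access Control Setting:
* Enable:Yes
* Service:
   - FTP:No
   - HTTP:No
   - HTTPS:Yes
   - TELNET:No
   - SSH:Yes
   - TR069:No
* Subnet:'

# Constructed sample (not from the post): two cleartext services flipped on.
SAMPLE_WEAK=$(printf '%s\n' "$SAMPLE_HARDENED" |
  sed 's/HTTP:No/HTTP:Yes/; s/TELNET:No/TELNET:Yes/')

for sample in "$SAMPLE_HARDENED" "$SAMPLE_WEAK"; do
  if found=$(cleartext_enabled "$sample"); then
    echo "OK: only encrypted management services enabled"
  else
    echo "FAIL (status $?):" $found
  fi
done
```

Re-running the check after a firmware upgrade or factory reset catches the case where the modem has silently returned to its defaults.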

For passing through the VLAN encapsulation to the router (and allowing management access via untagged traffic), I enabled VLAN tagging and set the tag to 0 as per the DrayTek documentation. This had to be done via the web UI, as the CLI does not support setting it to 0:

> wan phyvlan wan 1 tag 0 
wan phyvlan wan 1 tag 0
% Tag value must be a 1~4095 number

It can, however, report it correctly once set to 0:

> wan phyvlan stat
wan phyvlan stat
% Interface     Pri      Tag     Enabled
% ======================================
% WAN1 (ADSL)   --       --        --
% WAN1 (VDSL)   0       0        v
% WAN2          --       --        --

I then turned on bridging (MPoA (RFC1483/2684)), which I again had to do through the web interface as the CLI did not work. According to the documentation, this is sufficient to disable DHCP:

Upon restarting in Bridge Mode, the modem will no longer provide an IP address through DHCP

However, despite this also being repeated in the main setup guide, the guide for configuring access in bridge mode says to explicitly disable it. So I did:

> srv dhcp off
> sys reboot

I also set the MTU to 1500, which was suggested as the correct setting for Sky broadband on some forums:

> wan mtu 1500

The Vigor is now configured and ready to be connected to the router, so I unplugged it and restored the default behaviour of allowing the ethernet to be a default route on my laptop:

nmcli connection modify "Wired connection 1" ipv4.never-default no ipv6.never-default no

Configuring the router

To get the DHCP client (dhclient) to send the correct identifier, I added the option to /etc/dhcp/dhclient.conf:

interface "enp4s0.101" {
  supersede domain-name-servers localhost;
  supersede domain-name "home.entek.org.uk";
  #supersede domain-search "home.entek.org.uk", "wlan.home.entek.org.uk", "entek.org.uk";
  supersede domain-search "home.entek.org.uk", "entek.org.uk";

  # We don't want the dhcp client to override our dns settings, so don't request that information.
  request subnet-mask, broadcast-address, time-offset, routers,
    interface-mtu, rfc3442-classless-static-routes, ntp-servers;

  # For Sky broadband
  send dhcp-client-identifier "anything@skydsl|anything";

  timeout 600;
}

Changed the existing external interface (enp4s0) from DHCP to static in /etc/network/interfaces.d/enp4s0:

auto enp4s0
iface enp4s0 inet static
  address 192.168.2.250/24

and created /etc/network/interfaces.d/enp4s0.101:

auto enp4s0.101
iface enp4s0.101 inet dhcp

I also updated my firewall script (a bash script that configures iptables, which I really do need to replace…), setting the external interface to enp4s0.101 instead of enp4s0.

As the VLAN method was not working, I set enp4s0 back to dhcp and added an alias of enp4s0:0, to attach multiple IP addresses to the interface - in /etc/network/interfaces.d/enp4s0:0:

auto enp4s0:0
iface enp4s0:0 inet static
  address 192.168.2.250/24

I would have preferred to pass the VLAN through completely and terminate VLAN 101 on the router - it feels more secure to have the modem’s management interface entirely outside the broadband VLAN; however, this works for now…

Update 19 May 2023

I had to rip out the DrayTek and use Sky’s router, which won’t let me add static (internal) routes to make it aware of the multiple internal networks, so I now have double-NAT. This is because we suddenly had the broadband connection become very unstable after 14 days of flawless working, but Sky refused to get OpenReach to investigate unless we used their router, and we were told in no uncertain terms that we cannot use our own equipment with Sky’s service.