DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Brute force protection for Remote Dial-in VPN

11 Jan 2022 10:58 #1 by pharcyder
Hi all - happy new year.

I turned up logging on my 2865 to troubleshoot an issue and I happened to notice a lot of failed dial-in VPN login attempts to the Vigor from the usual global crowd.

I'm aware the Vigor router itself is exempt from its Firewall rules so I was looking at the Brute Force settings in System Maintenance -> Management. I notice there is a setting under Brute Force Protection for "VPN Server". I enabled it and tried to log in to an L2TP account incorrectly multiple times to trigger the time out but it didn't work. Manual is no help whatsoever. It's such a shame you can't use the GeoBlock feature in the Firewall to Whitelist Countries.

Any ideas how the Brute Force Protection works for VPN connections?

11 Jan 2022 15:21 #2 by mbames
GeoLocation protection can be enabled, and the VPN Brute Force Protection settings should be configurable - certainly it is on my 2925.

See: https://www.draytek.com/support/knowledge-base/5982

11 Jan 2022 15:34 #3 by pharcyder
You're right - tucked away in the DDoS Blacklist/Whitelist settings you can switch to use Country Objects in the pull down. Perfect!

Brute Force Protection VPN Server setting I cannot get to work at all. With the trigger set to 3, after 4 incorrect auth attempts nothing happens :(

11 Jan 2022 16:25 #4 by mbames
Does it show anything in the logs? I have to confess that I've not actually tried it, but I have just enabled it.

11 Jan 2022 19:47 #5 by pharcyder
It shows a CHAP authentication failure in the logs... but I think I've found a bug. It's reporting the auth fail for the wrong VPN account. When I dial in to trigger the auth failure it tells me an L2L account has an auth fail, not the dial-in one I'm trying... but the L2L account hasn't failed, as it's still connected. So basically what I'm trying to say is that, according to the logs, the wrong VPN account is called out with an auth failure. I wonder if this has something to do with the Brute Force trap not springing.

Incidentally, I'm having problems with the Country Block in the Defense Setup -> Whitelist/Blacklist setting. I tried Country Black Listing "Asia / Pacific" with the Prioritise Blacklist First setting enabled. This prevented my local network accessing the internet, effectively knocking everything internal offline. Disabling it restored service. I don't understand how this feature is supposed to work.

12 Jan 2022 16:56 #6 by pharcyder
I spent more time playing with this and have a better understanding of how it works now. For the benefit of other users, here's what I found:

  • Using FW rules to block / limit who can Remote Dial-In VPN to your Vigor does not work. If I have a single FW rule that blocks all incoming traffic from all Public IPs on all Ports, that should prevent anyone from dialling in... but I can still Remote Dial-In. FW rules seem to control traffic flowing through the router only. Services running on the Router itself appear exempt.

  • I have gotten the Brute Force Protection to work for VPN connections. The attack must be in relatively quick succession. If I drip feed an attack with an increased interval (say a 20sec gap between attempts), the attack is not detected. Not a deal breaker however. I'm not sure if a PSK attack is detected or not.

  • The DDoS Defence Whitelist/Blacklist method does work; however, it not only blocks all incoming traffic to the Router, it blocks all outbound traffic too. For example, if I wanted to use a Country Block to stop VPN connections coming in from the US, India and China, outbound connections to IPs in the same countries are also blocked. A continual ping running to IPs in the US, India and China is blocked/unblocked when adding/removing Countries from the Blacklist.

So I've enabled the last 2 options and hope I never need to access a website or service in the APAC region :D

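The behaviour in #6, where only rapid-fire failures trip the protection and a 20-second drip feed does not, is what a failure counter over a short sliding window produces. As an added illustration (not from the thread or from DrayTek's firmware, and using constructed log lines that are not the Vigor's real syslog format), here is a per-source detector run over sample CHAP failures, showing how the window length decides whether spaced-out attempts are caught:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a generic syslog-like shape; they stand in for
# "CHAP authentication failure" events and are NOT the router's real format.
# 203.0.113.5 fails 4 times in 9 seconds (burst); 198.51.100.7 fails 4 times
# at 20-second gaps (the drip-feed case from the thread).
SAMPLE_LOG = """\
2022-01-12 16:00:00 vpn: CHAP authentication failure from 203.0.113.5
2022-01-12 16:00:03 vpn: CHAP authentication failure from 203.0.113.5
2022-01-12 16:00:06 vpn: CHAP authentication failure from 203.0.113.5
2022-01-12 16:00:09 vpn: CHAP authentication failure from 203.0.113.5
2022-01-12 16:01:00 vpn: CHAP authentication failure from 198.51.100.7
2022-01-12 16:01:20 vpn: CHAP authentication failure from 198.51.100.7
2022-01-12 16:01:40 vpn: CHAP authentication failure from 198.51.100.7
2022-01-12 16:02:00 vpn: CHAP authentication failure from 198.51.100.7
2022-01-12 16:02:30 vpn: L2TP session established for 192.0.2.44
"""

FAILURE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) vpn: CHAP authentication failure "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_failures(log_text):
    """Return (timestamp, source_ip) for each auth-failure line, in log order."""
    events = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]))
    return events


def detect_bursts(events, threshold, window_seconds):
    """Flag a source once it has `threshold` failures inside any sliding window
    of `window_seconds`. Failures older than the window are forgotten, which is
    why a short window never accumulates enough spaced-out attempts to trigger."""
    recent = defaultdict(list)
    flagged = set()
    for ts, ip in events:
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_seconds]
        recent[ip].append(ts)
        if len(recent[ip]) >= threshold:
            flagged.add(ip)
    return flagged


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    print("30s window:", detect_bursts(failures, 3, 30))    # burst source only
    print("120s window:", detect_bursts(failures, 3, 120))  # both sources
```

With the trigger set to 3 as in #3, a 30-second window flags only the burst source, while widening the window to 120 seconds also catches the 20-second drip feed; the trade-off is that a wider window raises the chance of locking out a legitimate user who mistypes a password a few times.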