DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Vigor 2930 - firmware upgrade = dial in VPN offline

13 Jun 2012 17:55 #72567 by adminx
OK, as per thread title I recently did a firmware upgrade to the latest version on my main Vigor 2930.

Yes, before anyone asks, I ran a config backup before the upgrade.

Dial-in VPN tunnels all fail spectacularly since the firmware upgrade.

A site-to-site VPN (across BT leased line to a second Vigor 2930) remains up and re-negotiates in seconds if interrupted, so that's all good.

Other, possibly related anomalies include various ports that are explicitly set to be permanently open (think Exchange, OWA et al) are now blocked.

Importing the backup config file taken before the firmware upgrade does not cure the problem.

Deleting and manually recreating the NAT rules for open/forwarded ports does not cure the problem.

Deleting and recreating the individual dial-in VPN tunnels does not cure the problem.

Deleting and manually recreating the firewall filters does not cure the problem.

Disabling any filtering of any kind (service type, port based, even web keywords etc) does not cure the problem.

As you can imagine, I am unimpressed.

I'm asking here since I've exhausted any logical path other than attempting a firmware DOWNGRADE to the previous version which, incidentally, had never failed me in the last three years. The upgrade was originally done on suggestion from a Draytek engineer in relation to binding this device to Smartmonitor.

As a stop-gap I have shoved a pfsense box in bridged mode in, which has at least allowed me to serve VPN tunnels to our field-based staff. I have a lot of bypassing going on at the moment to stop the Draytek from preventing Exchange/OWA from serving our users.

I'm about to order a replacement or leave the pfsense box in.

Anyone got any brainwaves before I bin it?

13 Jun 2012 20:50 #72569 by nealuk
Config backups are not 'portable' between different firmware versions - because you get weird anomalies like this.

Please try flashing with the .rst latest firmware file ( .rst = reset ), and then make all of your configuration from scratch. Best regards, Neal.

13 Jun 2012 22:29 #72578 by adminx
Thanks for the comment, however, the anomalies were a result of a firmware upgrade using the .all file, which is at least supposed to make a stab at preserving existing settings. Apologies if I did not make that clear.

I only imported/attempted to import the backup config after the firmware upgrade introduced problems, but it obviously didn't fix anything.

Firmware upgrades on any outer perimeter business-grade device ought not to require manual setup from scratch, IMHO.

For a more or less out-of-the-box router that would be OK, but for anyone using their Draytek in a business setting with site-to-site and remote worked VPN tunnels, complex NAT and firewall rules and so on, it is unrealistic to have to set everything up manually, from scratch.

14 Jun 2012 15:55 #72592 by nealuk

adminx wrote: ...the anomalies were a result of a firmware upgrade using the .all file...


Yes, I can't say I am surprised to hear that.

adminx wrote: I only imported/attempted to import the backup config after the firmware upgrade introduced problems, but it obviously didn't fix anything.


This is because the problems introduced have now been included in the config backups.

adminx wrote: Firmware upgrades on any outer perimeter business-grade device ought not to require manual setup from scratch, IMHO...


I totally agree - it is a poor situation.

adminx wrote: ...for anyone using their Draytek in a business setting with site-to-site and remote worked VPN tunnels, complex NAT and firewall rules and so on, it is unrealistic to have to set everything up manually, from scratch.



I agree, it is a pain - but it's the only way for reliable results. The time reconfiguring from scratch should be a lot shorter than time spent troubleshooting all of the side-effect-issues of using .all firmware files.

Best wishes, Neal

15 Jun 2012 09:31 #72610 by adminx
With all due respect Neal, the .all firmware update files are obviously made available for a reason and I have used them successfully on other Draytek routers for years, preserving settings during the upgrade. For example, I have 9 Vigor 2600 devices still in service after 8 years of 24/7 use, having undergone firmware updates along the way, several VigorPro 5510 UTM which were also updated during service, and so on and so forth.

I accept that there is always a risk involved in flashing firmware but, by and large, there should be no anomalies introduced otherwise, to the end consumer, there is absolutely no point in an upgrade path that might work.

Similarly there is little point in the ability to create configuration backups that have no value between firmware upgrades. Not working between devices is one thing, but why have a backup facility which has no value to a new firmware version on the same device?

I have taken the device offline and left the pfsense box in place for now - it took just over an hour to set up the way I want it, plus some monkeying with dial-in VPN tunnels, and it is quietly getting on with the job in hand.

Next week if I get the time I will do a full firmware flash and reset and set the Draytek up from scratch but this, I feel, is hardly a wise use of my time when a simple upgrade (originally recommended by a Draytek engineer) ought to have just gone in and got on with it, or an upgrade followed by importing settings from a config backup.

This is not a dig at you personally, but rather a general rumble about something that should do what it says on the tin, that doesn't, at least in this case.

I can imagine the hue and cry from my clients if I start having to build in sufficient downtime during upgrades to set their device up from scratch.
