Draytek 167 Migration
Migration runbook for replacing the FritzBox/Speedport (which currently terminates PPPoE and hands the VyOS router a private 192.168.178.0/24 address via NAT) with a Draytek Vigor 167 dedicated VDSL2 modem in bridge mode.
Edge Router
Hostname: vyos-edge
Home Router
Hostname: vyos-fw
IPsec VPN (home ↔ VPS)
Route-based IKEv2 IPsec tunnel between the home router (vyos-fw, PPPoE WAN) and the VPS edge (vyos-edge, static 159.195.87.143). Uses VTI for clean route-based forwarding and x509 ECDSA certificate authentication.
LTE Failover (RUT240)
Secondary internet uplink via a Teltonika RUT240 LTE router, with automatic failover when the primary DSL link (pppoe0 over eth1 → Speedport in bridge mode) fails. Implemented on vyos-fw (VyOS 2026.03 circinus) using a custom systemd watchdog after both load-balancing wan and protocols failover route were found broken on this release.
PPPoE Throughput Troubleshooting
After the Draytek 167 migration, download throughput dropped: ~26 MB/s vs. ~32 MB/s previously on the FritzBox (Telekom Super-Vectoring 250/40, line synced at 292/46 Mbit/s). Single-flow downloads from US servers capped near 22 MB/s. Sync, SNR margin (7.7 dB down), attenuation (3.8 dB), and CRC counters were all clean — the line itself was healthy. The bottleneck was the VyOS-on-Proxmox forwarding path, specifically the host's onboard e1000e NIC.