FritzBox → Draytek Vigor 167 Migration

Migration runbook for replacing the FritzBox/Speedport (which currently terminates PPPoE and hands the VyOS router a private 192.168.178.0/24 address via NAT) with a Draytek Vigor 167 dedicated VDSL2 modem in bridge mode.

After cutover, VyOS terminates PPPoE directly on the Telekom VDSL line and receives the real public IPv4 address. Double NAT is eliminated, the home network is reachable on a single public IP, and IPsec to the VPS no longer traverses an upstream NAT.


Table of Contents

  1. Overview
  2. Prerequisites
  3. Draytek Vigor 167 — Bridge Mode Setup
  4. Physical Recabling
  5. VyOS Configuration Changes
  6. Verification
  7. Post-Migration Cleanup
  8. Rollback Procedure
  9. Firewall Impact
  10. Known Gotchas

Overview

Before

    DSL line
    │
┌───┴────────────────┐
│ Speedport/FritzBox │  PPPoE termination + NAT
│ 192.168.178.1      │  Hands out private DHCP
└───────┬────────────┘
        │ Ethernet
        │
        │ eth1 — 192.168.178.11/24 (private, NATed)
        │ GW: 192.168.178.1
┌───────┴────────────┐
│ vyos-fw            │  Second-stage NAT for the LAN
└────────────────────┘

Two devices NAT outbound traffic. IPsec to the VPS works only because home always initiates and the FritzBox keeps NAT-T mappings open. Inbound port forwarding requires forwarding rules on both the FritzBox and VyOS.

After

    DSL line
    │
┌───┴───────────┐
│ Draytek 167   │  Bridge mode — DSL modulation only
│ (no IP, no    │  Passes Ethernet frames untouched
│ routing)      │  VLAN 7 transparent
└───────┬───────┘
        │ Ethernet
        │
        │ eth1 → eth1.7 (VLAN 7) → pppoe0 (PUBLIC IPv4)
┌───────┴────────────┐
│ vyos-fw            │  Single NAT, single firewall
└────────────────────┘

VyOS owns the public IP. One firewall, one NAT, IPsec binds directly to the WAN.

Why migrate

  • Single public IPv4 endpoint — no NAT-T fragility.
  • Port forwarding configured in one place (VyOS only).
  • IPv6 prefix delegation (/56) becomes available on the PPPoE session.
  • Removes the FritzBox as a layer-3 dependency for the lab.

Prerequisites

Telekom credentials

The PPPoE username for Telekom DSL is built from three numeric blocks plus a suffix:

<Anschlusskennung 12 digits> <Zugangsnummer 12 digits> <Mitbenutzer 4 digits>@t-online.de
002845635912730011139062 0001@t-online.de
  • Anschlusskennung: 12-digit line identifier (Auftragsbestätigung).
  • Zugangsnummer: 12-digit access number (T-Online welcome letter / Kundencenter).
  • Mitbenutzer: typically 0001 for the primary user.
  • Personal password: the T-Online persönliches Kennwort.

The blocks are separated by literal spaces. Quote the full string in single quotes when entering it on the VyOS CLI.
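A small pre-flight check, added here as an example and not part of the original runbook: it assembles the username from the three blocks exactly as described above (12 digits, space, 12 digits, space, 4 digits, then @t-online.de), refuses blocks of the wrong length or with non-digit characters, and emits the two VyOS `set` lines with single quotes so the spaces survive the CLI. The function names and the sample digit strings in the usage call are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the runbook): validate the Telekom PPPoE username
# blocks before they go anywhere near the VyOS config. Block lengths follow
# the runbook: Anschlusskennung 12, Zugangsnummer 12, Mitbenutzer 4 digits.

# is_digits <string> <expected length>  -> 0 if all digits of that length
is_digits() {
    case "$1" in
        *[!0-9]*|"") return 1 ;;
    esac
    [ "${#1}" -eq "$2" ]
}

# telekom_pppoe_user <Anschlusskennung> <Zugangsnummer> [Mitbenutzer]
# Prints the assembled username; returns 1 with a message on stderr if a
# block is malformed. Mitbenutzer defaults to 0001 (primary user).
telekom_pppoe_user() {
    ak=$1; zn=$2; mb=${3:-0001}
    is_digits "$ak" 12 || { echo "Anschlusskennung must be 12 digits: '$ak'" >&2; return 1; }
    is_digits "$zn" 12 || { echo "Zugangsnummer must be 12 digits: '$zn'" >&2; return 1; }
    is_digits "$mb" 4  || { echo "Mitbenutzer must be 4 digits: '$mb'" >&2; return 1; }
    # Blocks are separated by literal spaces, as the runbook states.
    printf '%s %s %s@t-online.de\n' "$ak" "$zn" "$mb"
}

# vyos_pppoe_auth_cmds <username> <password>
# Emits the two 'set' lines, single-quoted so the spaces in the username are
# preserved on the VyOS CLI. Refuses an empty password or the placeholder
# the runbook uses, so a half-edited block cannot be pasted by accident.
vyos_pppoe_auth_cmds() {
    user=$1; pass=$2
    case "$pass" in
        ""|YOUR_PERSONAL_PASSWORD) echo "password placeholder not replaced" >&2; return 1 ;;
    esac
    printf "set interfaces pppoe pppoe0 authentication username '%s'\n" "$user"
    printf "set interfaces pppoe pppoe0 authentication password '%s'\n" "$pass"
}

# Usage with constructed sample values (not real Telekom identifiers):
if u=$(telekom_pppoe_user 000000000001 000000000002 0001); then
    vyos_pppoe_auth_cmds "$u" 'example-password'
fi
```

Run it with the real values from the Auftragsbestätigung and the welcome letter; if the digit counts are off, the script stops before producing any `set` line, which is cheaper than finding out via a silently failing PADI later.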

Tooling

  • Out-of-band access to the VyOS router. Console access via Proxmox (the VM hosting vyos-fw) is the safest fallback if eth1 connectivity is interrupted during cutover. SSH from MGMT (10.69.10.0/24) and TRUSTED (10.69.40.0/24) remains available throughout because the cutover only affects the WAN-facing interface.
  • The commit-confirm workflow on VyOS, which auto-rolls back if you don't confirm within the timer. This is the primary safety net for the cutover.
  • A laptop on the Draytek's default LAN (192.168.1.0/24) for initial modem configuration.

Save current state

Before touching anything:

configure
save
exit

This snapshots the running config to /config/config.boot so rollback 1 works cleanly.


Draytek Vigor 167 — Bridge Mode Setup

The Draytek 167 is a VDSL2/ADSL modem with built-in router functions. For this migration, the router functions must be disabled so the device behaves as a transparent layer-2 bridge between DSL and the LAN Ethernet port.

Initial access

  1. Connect a laptop directly to a Draytek LAN port.
  2. Browse to http://192.168.1.1.
  3. Default credentials are printed on the device label. Change them immediately after first login.

Configure bridge mode

Path: WAN → General Setup → WAN1.

Setting       | Value
Active Mode   | Bridge Mode
Service Name  | (leave blank)
VLAN Tag      | 7 (Telekom mandatory)
Tag Priority  | 0
802.1p        | enabled if asked

In Bridge Mode, the Draytek does not terminate PPPoE itself — it passes the Ethernet frames (with VLAN 7 tag intact) from the DSL line straight to the LAN port. VyOS will see the tagged frames on eth1 and strip the tag via eth1.7.

DSL profile (if asked)

Setting  | Value
Mode     | VDSL2 (or Multimode to auto-detect)
Profile  | 17a (Telekom standard for most lines)

Telekom Glasfaser-Hybrid lines may differ — check the Auftragsbestätigung.

Hardening

  • Change the admin password.
  • Disable WAN-side admin (only LAN management should be possible).
  • Disable any UPnP / DLNA features the Draytek exposes.

Save & reboot

Save configuration and reboot the modem. Wait for the DSL LED to go solid (initial sync on a new modem can take 5–15 minutes — Telekom DSLAMs renegotiate the line profile).


Physical Recabling

Plan a 30–60 minute maintenance window. Internet for the entire household is offline during the swap.

  1. Shut down VyOS WAN gracefully (optional but tidy):
    configure
    set interfaces ethernet eth1 disable
    commit
    exit
  2. Unplug the DSL cable (TAE → RJ11/RJ45) from the Speedport/FritzBox.
  3. Plug the DSL cable into the Draytek DSL port.
  4. Patch a fresh Ethernet cable from Draytek LAN1 → VyOS host eth1.
  5. Power the Draytek; wait for the DSL LED to be solid.
  6. The FritzBox can be powered off and stored. Do not plug it back into the DSL line — only one PPPoE client should attempt to authenticate at a time.

VyOS Configuration Changes

All edits are made inside configure mode. The block uses commit-confirm 10, which requires a manual confirm within 10 minutes or auto-rolls back.

Replace AAAAAAAAAAAA, BBBBBBBBBBBB, and YOUR_PERSONAL_PASSWORD with the real Telekom values before pasting.

configure

# 1. Remove old WAN static IP + static default route
delete interfaces ethernet eth1 address 192.168.178.11/24
delete protocols static route 0.0.0.0/0

# 2. Telekom requires VLAN 7 on the WAN ethernet
set interfaces ethernet eth1 vif 7 description 'Telekom VLAN 7 carrier'

# 3. PPPoE session rides on eth1.7
set interfaces pppoe pppoe0 source-interface eth1.7
set interfaces pppoe pppoe0 authentication username 'AAAAAAAAAAAA BBBBBBBBBBBB 0001@t-online.de'
set interfaces pppoe pppoe0 authentication password 'YOUR_PERSONAL_PASSWORD'
set interfaces pppoe pppoe0 default-route auto
set interfaces pppoe pppoe0 mtu 1492
set interfaces pppoe pppoe0 description 'Telekom VDSL'

# 4. NAT — swap outbound interface eth1 → pppoe0
delete nat source rule 100 outbound-interface name eth1
set nat source rule 100 outbound-interface name pppoe0

# 5. Firewall zone WAN — swap member eth1 → pppoe0
delete firewall zone WAN interface eth1
set firewall zone WAN interface pppoe0

# 6. IPsec — bind local-address to pppoe0
# The VPS peer already accepts any source IP for PSK ID 'helix9'
# (see edge-router.md: Public IP | Dynamic (any) for the home peer).
delete vpn ipsec site-to-site peer 159.195.87.143 local-address
set vpn ipsec site-to-site peer 159.195.87.143 local-address pppoe0

# 7. MSS clamp for PPPoE (1500 - 8 PPPoE - 40 TCP/IP = 1452)
set firewall global-options mss-clamp interface-name pppoe0 mss 1452

# 8. Commit with auto-rollback safety
commit-confirm 10

While the 10-minute timer runs, you can verify (next section). When everything checks out, type confirm to lock in the change. If something is broken or you lose access entirely, the router auto-reverts to the saved config after 10 minutes.


Verification

Run these commands from the VyOS CLI (operational mode) before issuing confirm.

PPPoE session

show interfaces pppoe pppoe0

Expect: state up, a public IPv4 from Telekom's pool (e.g. 87.x.y.z or similar), and peer set to a Telekom BNG.

Default route

show ip route 0.0.0.0/0

Expect a single default route via pppoe0.

Outbound reachability (from router)

ping 1.1.1.1 count 4
ping6 2606:4700:4700::1111 count 4 # if IPv6 came up

Outbound reachability (from a TRUSTED client)

From a laptop on the TRUSTED VLAN:

ping 1.1.1.1
curl https://ifconfig.me

ifconfig.me should report your new public IPv4 — confirming masquerade through pppoe0 is working.

CGNAT check

Telekom standard contracts give a real public IPv4 (not CGNAT). Confirm this:

# On VyOS
curl ifconfig.me

Compare the result with the IP shown in show interfaces pppoe pppoe0. They must be identical. If curl ifconfig.me returns a different address, you are behind CGNAT and inbound port forwarding will not work — contact Telekom to switch to a real IP.
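The comparison above can be scripted so the verdict is unambiguous. The following is an added example, not part of the runbook: besides checking that the externally observed address equals the pppoe0 address, it rejects an address in the RFC 6598 shared range 100.64.0.0/10 (the block carriers use for CGNAT) or in RFC 1918 space, since such an address on pppoe0 already means inbound port forwarding cannot work. The function names are constructed; the addresses in the usage call are documentation-range samples, not values from this network.

```shell
#!/bin/sh
# Added example (not from the runbook): classify the address on pppoe0 and
# confirm it is the same address the Internet sees.

# ip_class <ipv4>  -> prints one of: public | cgnat | private | invalid
ip_class() {
    ip=$1
    # must consist only of digits and dots
    case "$ip" in
        *[!0-9.]*|"") echo invalid; return ;;
    esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || { echo invalid; return; }
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || { echo invalid; return; }
    done
    a=$1; b=$2
    if [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then
        echo cgnat            # RFC 6598 shared address space 100.64.0.0/10
    elif [ "$a" -eq 10 ] \
      || { [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; } \
      || { [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; }; then
        echo private          # RFC 1918
    else
        echo public
    fi
}

# cgnat_check <pppoe0 address> <externally observed address>
# Returns 0 only when pppoe0 carries a public IPv4 and the outside world sees
# that same address; otherwise prints why and returns 1.
cgnat_check() {
    local_ip=$1; seen_ip=$2
    cls=$(ip_class "$local_ip")
    if [ "$cls" != public ]; then
        echo "FAIL: pppoe0 address $local_ip is $cls, not a public IPv4"
        return 1
    fi
    if [ "$local_ip" != "$seen_ip" ]; then
        echo "FAIL: pppoe0 has $local_ip but the Internet sees $seen_ip (NAT upstream / CGNAT)"
        return 1
    fi
    echo "OK: $local_ip is a public IPv4 and matches the externally observed address"
}

# On VyOS you would pass the address shown by 'show interfaces pppoe pppoe0'
# and the output of 'curl -s ifconfig.me'. Here: constructed samples from the
# RFC 5737 documentation range plus one CGNAT address.
cgnat_check 203.0.113.7 203.0.113.7
cgnat_check 100.72.3.9 203.0.113.7 || true
```

A non-zero exit from `cgnat_check` is the signal not to type `confirm`: let the commit-confirm timer revert the change and raise the address question with Telekom first.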

IPsec tunnel

show vpn ipsec sa

Expect peer 159.195.87.143 UP with both Phase-1 and Phase-2 SAs established. Tunnel may take 30–60 seconds to come up after PPPoE is online.

ping 10.255.255.1 count 4 # VPS tunnel endpoint
ping 10.69.20.40 source 10.69.10.1 # quick reverse-direction sanity check

Inbound services through VPS

From an external network (mobile hotspot is easiest):

curl -I https://openclaw.helix9.org
curl -I https://traefik.home.helix9.org # should NOT resolve externally — split-horizon only

The first should return Traefik headers, proving the VPS → VPN → home Traefik path works after the migration.

Lock it in

If everything passes:

configure
confirm
save
exit

If anything fails — wait out the timer, or rollback 1 immediately. See Rollback Procedure.


Post-Migration Cleanup

Update home-router.md

The reference doc at Home Router was written against the FritzBox topology. After a successful migration, update the following sections:

Section                        | Change
Network Overview ASCII diagram | Replace Speedport block with Draytek 167 (bridge); change eth1 line to pppoe0
Physical Interfaces table      | eth1 is now WAN-carrier only (no IP); add rows for pppoe0 and eth1.7
IP Addressing                  | Drop 192.168.178.11/24; add pppoe0 (dynamic)
Firewall — Zone Members        | WAN zone member is pppoe0 (not eth1)
NAT                            | Rule 100 outbound is pppoe0
VPN — IPsec                    | Home Public IP changes to "dynamic via pppoe0"; local-address row updated

Optional follow-ups

  • IPv6 prefix delegation: Telekom delegates a /56 over DHCPv6-PD on the same PPPoE session. Configure set interfaces pppoe pppoe0 ipv6 address autoconf and request a prefix for the LAN zones. Out of scope for this migration but worth a separate runbook.
  • PSK rotation: since the IPsec path now traverses a different ingress, this is a natural moment to rotate the PSK on both peers.
  • Decommission FritzBox: factory-reset before storing or selling.

Rollback Procedure

If the cutover fails and you need to revert to the FritzBox topology:

Soft rollback (config still on box)

configure
rollback 1
commit
save
exit

This restores the pre-migration eth1 192.168.178.11/24 config.

Recable

  1. Power off the Draytek; unplug the DSL cable.
  2. Plug the DSL cable back into the Speedport/FritzBox.
  3. Power the FritzBox; wait for DSL sync.
  4. Patch FritzBox LAN port → VyOS host eth1.
  5. Verify: ping 1.1.1.1 from VyOS; show vpn ipsec sa should re-establish within ~60 seconds.

Hard rollback (if rollback is unavailable)

VyOS keeps 100 config archives at /config/archive/. From operational mode:

show system commit

Find the revision before the migration, then from configure mode:

configure
load /config/archive/config.boot.<N>.gz
commit
save
exit

If even SSH is gone, attach to the VyOS console via Proxmox and repeat the same commands locally.


Firewall Impact

The firewall config is almost entirely unaffected by this migration. Only two references change.

Unchanged

  • All named firewall policies (ALLOW-ALL, ALLOW-ESTABLISHED, ALLOW-INTERNET, WAN-LOCAL, WAN-DMZ, all zone-to-zone rules).
  • All DHCP server scopes.
  • All DNS forwarder configuration.
  • All VLAN bridges (br10, br30, br40, br50, br60) and zone assignments for non-WAN zones.
  • Static host mappings.
  • mDNS repeater.
  • NTP, SSH, and all other services.

Changed

Object                                                   | From              | To
firewall zone WAN interface                              | eth1              | pppoe0
nat source rule 100 outbound-interface name              | eth1              | pppoe0
vpn ipsec site-to-site peer 159.195.87.143 local-address | 192.168.178.11    | pppoe0
interfaces ethernet eth1 address                         | 192.168.178.11/24 | (none — carrier only)
protocols static route 0.0.0.0/0                         | 192.168.178.1     | (removed — replaced by pppoe0 default-route auto)
New: interfaces ethernet eth1 vif 7                      | —                 | added
New: interfaces pppoe pppoe0                             | —                 | added
New: firewall global-options mss-clamp pppoe0 mss 1452   | —                 | added

The WAN-LOCAL policy itself does not change — it still applies to the WAN zone, which now contains pppoe0 instead of eth1. The policy already drops unsolicited inbound and only accepts established/related, which is the correct posture for a real public IP.


Known Gotchas

VLAN 7 mandatory for Telekom

Without eth1.7, PPPoE discovery (PADI) fails silently. The Draytek must be in bridge mode with VLAN 7 transparent passthrough, and VyOS must originate PPPoE on the VLAN 7 sub-interface. If show interfaces pppoe pppoe0 stays in down state with no errors visible, double-check the vif 7 line on eth1 and the source-interface eth1.7 line on pppoe0.

MTU and MSS

  • PPPoE adds 8 bytes of overhead → MTU 1492 on pppoe0.
  • Without MSS clamp, large outbound TCP segments get fragmented or black-holed when path MTU discovery is broken upstream.
  • The mss-clamp pppoe0 mss 1452 rule (1492 MTU − 40 TCP/IP) prevents this.
  • The existing vti0 MSS clamp at 1360 stays — that one compensates for the IPsec tunnel overhead inside PPPoE.

CGNAT

Telekom standard residential lines hand out real IPv4. CGNAT was tested briefly and rolled back; if you happen to be on a CGNAT trial, inbound IPsec will not work and you'll need to either request a real IP or move IPsec initiation to the VPS side. Verify with the CGNAT Check above before declaring the migration successful.

IPv6

Telekom hands out a /56 via DHCPv6-PD on the same PPPoE session. This migration does not configure IPv6 — it stays on the existing IPv4-only setup. Add set interfaces pppoe pppoe0 ipv6 address autoconf plus DHCPv6-PD in a follow-up if you want to expose IPv6 to LAN zones.

Initial DSL training

A new modem on a Telekom line undergoes line-profile renegotiation on first sync. Expect 5–15 minutes of unstable link before DSL stabilises. Don't troubleshoot PPPoE until the DSL LED is solid.

Dynamic public IP

Telekom rotates the public IPv4 every ~24 hours (forced reconnect) unless you have a business contract. The VPS-side IPsec config already accepts Public IP | Dynamic (any) for the home peer, so the rotation is invisible — IPsec re-establishes within a minute of the new lease. No DDNS is required.

If you publish services directly on the home public IP in the future (instead of via the VPS), DDNS would become necessary; for the current architecture (services proxied via the VPS), it is not.