• Quad-WAN: 4 x Gigabit Ethernet WAN ports

  • 2 x USB ports (1 x USB 2.0, 1 x USB 3.0)

  • Only USB port 2 (USB2) can be used for 3G/4G LTE mobile. USB port 1 (USB1) can be used for external storage, printer or thermometer

  • Multi-WAN Load Balance and Failover

  • 200 x VPN tunnels including 50 x SSL-VPN with Load Balance and Redundancy

  • 1 x Gigabit LAN port with 100,000 NAT sessions

  • 1 x Dedicated Gigabit Ethernet DMZ port for connecting servers

  • 1 x Console port (RS232)

  • IEEE 802.11n Wireless LAN for Vigor3220n

  • Object-based SPI Firewall with Content Security Management (CSM)

  • IPv6 compliant

  • Multi-subnet WAN/LAN through 802.1Q

  • QoS functions

  • Central VPN Management

  • Central AP Management

  • Central Switch Management
  • Supports Smart Monitor Traffic Analyzer (up to 200 nodes)

  • Supports VigorACS 2 Central Management System for remote management

  • 2 years back to base warranty


The Vigor3220 series Quad-WAN security Firewall router is an enterprise level router suitable for any medium-sized business (SMB) that need to provide up to 200 VPN tunnels. The Vigor3220 series router supports 4 x Gigabit Ethernet WAN interfaces and the USB port 2 (USB2) for 3G/4G mobile dongles.

The Vigor3220 series  can connect to the Internet through any of these interfaces, or with a combination of interfaces for Load Balance and/or Failover functions. It supports business features including an object-oriented SPI (Stateful Packet Inspection) firewall, IPv6, 200 x VPN tunnels including 50 x SSL-VPN, tag-based VLAN, multiple subnets, etc.

The dedicated DMZ port can be used to connect servers or computers that need to be exposed to the Internet without compromising internal LAN security.

The centralized network management features provide a convenient console for the network administrator. These features include Central VPN Management, Central Switch Management, and Central AP Management.

The Vigor3220 series router can be rack mounted, using the supplied mounting brackets, into a standard 19” rack or cabinet.

WAN Connectivity

The Vigor3220 series router supports 2 types of WAN Interfaces: 4 x Gigabit Ethernet WAN interfaces, and the USB port 2 (USB2) for 3G/4G mobile dongles.

With between more than 1 WAN interfaces connected, you can configure for Load Balancing or Failover. For example, you can use WAN 1 as your primary Internet connection and have a failover connection over a 4G LTE connection.


The Vigor3220 series router has 1 x Gigabit LAN port supporting 100,000 NAT sessions.

The Vigor3220 series supports both port-based and 802.1q tagged VLANs. Port-based VLANs allow the assignment of a VLAN and IP subnet to each router LAN port. On the other hand, 802.1q tagged VLANs can extend up to 8 VLANs and 8 IP subnets to an attached switch.

Wireless LAN

The Vigor3220n has a built-in 2.4GHz IEEE802.11n wireless Access Point that provides good coverage and excellent Wi-Fi performance. The MIMO technology with diversified antenna arrangement minimises interference effects and ensures good wireless performance.

To match the business level features of Vigor3220 series, Vigor3220n supports all major Wi-Fi encryption protocols: WEP, WPA, WPA2 and 802.1X, plus MAC Address access control, and DHCP Fixing to prevent unauthorized accessing.

The Web-portal setup (log-in) provides four rules along with 4 SSIDs. Each of the 4 SSIDs can be created and assigned to a VLAN and IP subnet with separate security levels. The wireless VLAN function lets you isolate wireless clients from each other or from the “wired” LAN.

When users connect to the Wireless LAN, they can be directed with your customised log-in screen before any Internet access is permitted.

With WPS (Wi-Fi Protected Setup) feature, you can press the WPS button at the front of the router to pass on the security keys to a client PC in the LAN, allowing for easy and secured access to the Wireless LAN.

Quality of Service (QoS)

QoS functions allow the network administrator to set priorities for any traffic type to guarantee the required level of performance for data flow. For example, real-time traffic such as VoIP or Video over IP can be prioritised as these have less tolerance for delays caused by network congestion.

A traffic type can be assigned to each of the three QoS classes and reserved bandwidth allocated.


The Vigor3220 series has powerful firewall features including object-oriented SPI (Stateful Packet Inspection) firewall, DoS (Denial of Services), CSM (Content Security Management) and WCF (Web Content Filter).

Stateful Packet Inspection (SPI) Firewall monitors incoming and outgoing packets at layer 3 (OSI model) and passes or blocks the data packets based on the configuration.

The DoS feature protects the network for unwanted access requests from DoS attackers.

CSM enables network administrators to control and manage IM (Instant Messenger) and P2P (Peer-to-Peer) applications, for instance, to keep network users from accessing inappropriate contents and ensure that network traffic flow efficiently.

WCF classifies all websites into 64 categories and allows network administrators to select categories to protect the users from undesirable website content. DrayTek uses the CYREN WCF database for its Vigor routers, and each router includes a free 30-day trial license.

The object-based firewall provides flexibility by using Objects in the firewall settings. Objects can be created and placed in groups for IP, service type, keyword, file extension, etc.  This allows a filter rule to be applied to many IP addresses, reducing the number of firewall filters required. In addition, these objects and groups can be reused for other firewall settings resulting in reduced amount of work required to create multiple firewall rules.

Firewall rules can be applied according to a Time Schedule to control access to the Internet or network services according to predetermined time slots. Up to 4 time-schedules can be applied to each firewall filter rule. For example, social media can be restricted during work hours and be allowed during off-work hours in a company.


Vigor3220 series supports up to 200 simultaneous hardware based VPN tunnels, providing a throughput up to 40Mbps for each VPN tunnel. It utilises most supported protocols such as IPSec/PPTP/L2TP, including 50 tunnels of SSL VPN protocol. The dedicated VPN co-processor supports hardware encryption including AES/DES/3DES, hardware key hash of SHA-1/MD5, and LDAP authentication, and ensures that VPN traffic is secure and performance is maximised.

The SSL technology allows secure Web encryption such as those used for on-line banking. With Vigor3220 series, you can create SSL VPN in Full Tunnel mode or Proxy mode.

Furthermore, since the Vigor3220 series supports multiple WANS Ethernet and 3G/4G, you can create VPN Trunking for VPN Load Balance and VPN Backup. For instance, you can use a number of connections to a site to increase the bandwidth, or have a backup connection when the primary connection fails.

Central VPN Management

Instead of manual VPN connection through web browsers, Vigor3220 series supports Central VPN Management (CVM) which utilises TR-069 protocol. You can create VPN tunnels with just a few mouse clicks on the icons representing your local network (which may be public places such as a café) and remote locations (e.g. branch or home office), and the router will establish the connection automatically. This takes away the tedious process required for VPN tunnel creation.

Furthermore, CVM also provide a console to monitor multiple CPE devices and VPN tunnels. This includes displaying the CPE devices on a Google Map.

Other features include scheduling of CPE configuration backup/restore tasks as well as scheduled firmware upgrade of the CPE devices. Up to 8 DrayTek CPE devices are supported.

Central AP Management

Vigor3220 series supports Central AP Management (APM) with a console to auto configure and manage up to 20 directly connected (via LAN cables) Draytek wireless Access Points including VigorAP 800, VigorAP 810, VigorAP 900, VigorAP 902 , VigorAP 910C and VigorAP 903.

The Dashboard feature displays the status such as traffic and number of attached stations, of all the attached Access Points.

With Auto Provisioning enabled on the attached Access Points, WLAN profiles can be created and applied to the selected Access Points from the central console.

The AP Maintenance feature allows a number of actions to be programmed, including Configuration Backup and Restore, Firmware Upgrade, Remote Reboot and Factory Reset, for selected Access Points.

The connected Access Points can also be displayed on a map or floor plan showing their locations and basic descriptions. Other features include Traffic Graph, Rogue AP detection, Event Log, Total Traffic, Station number and Access Point load balancing.

Central Switch Management

Central Switch Management provides a convenient and easy way to manage and configure supported VigorSwitches.  Switched networks comprising VigorSwitches can be easily deployed from a single console.  With a few mouse clicks in the graphical user interface, VLANs can be assigned to the switch ports and at the same time update the router configuration. This includes the creation of 802.1q trunk ports.

Another feature is the backup and restore of switch configurations. You can also reboot the switch or reset the switch to factory default settings

The Switch Status menu provides, at a glance, the status of all the attached switches. You can see the switch name, its IP address, the model number and system up time, how many ports are in use in each switch, port status, how many clients are connected, etc.

Central Switch Management simplifies VigorSwitch configuration tasks and reduces troubleshooting efforts.

Remote Access Management

The Vigor3220 series supports a number of management options to control access to the router both locally and remotely.

The TR-069 feature integrates with the VigorACS 2 centralised management system, and allow system integrators or network administrators to configure, monitor and manage the Vigor3220 series remotely from the comfort of their offices or homes. It can also be used to Auto-Provision the Vigor3220 series remotely by sending configuration data to the router.

There are 3 wizards: a Configuration Wizard, a VPN Wizard and a Firmware Upgrade Wizard. These allow network administrators to quickly and easily carry out complex tasks.

Alarm & Log Management features ensure real time notifications and alerts to specified phone numbers or email accounts in relation to faults or status of the connected CPEs.

A number of diagnostic functions, including Data Flow Monitor, Traffic Graph and Syslog Explorer, allow the network administrator to monitor and troubleshoot network conditions remotely.

Like all Vigor routers, Vigor3220 series supports management options include HTTP, HTTPS, FTP, SSH, Telnet and SNMP.

Dedicated DMZ Port

The DMZ port of Vigor3220 series router provides an additional layer of protection to servers, such as Web servers, which need to be exposed to outside networks e.g. the Internet, but need to be kept from compromising the security of internal networks.

You can activate the DMZ by NAT or Physical mode to the chosen server through the user-friendly interface of Vigor3220 series router.


Gigabit WAN44
Gigabit LAN11
DMZ Port11
VPN Tunnels200200
Wireless LAN


WAN Port4x Gigabit Ethernet RJ-45
LAN Port1x Gigabit Ethernet RJ-45
DMZ Port1x Gigabit Ethernet RJ-45
USB Port1x USB 3.0 + 1x USB 2.0
Console Port1x RJ-45
2.4G WLAN300Mbps 802.11n (n model)
NAT Throughput500 Mbps
NAT Throughput w/ Hardware Acceleration900 Mbps
IPsec VPN Performance200 Mbps (AES 256 bits)
SSL VPN Performance60 Mbps
Max. Number of NAT Sessions100,000
Max. Concurrent VPN Tunnels200
Max. Concurrent OpenVPN + SSL VPN50
Internet Connection
IPv6PPP, DHCPv6, Static IP, TSPC, AICCU, 6rd, 6in4 Static Tunnel
3G/4G/LTE WAN with USB modem2
Load BalancingIP-based, Session-based
WAN Active on DemandLink Failure, Traffic Threshold
Connection DetectionARP, Ping
WAN Data Budget
Dynamic DNS
LAN Management
VLAN802.1q Tag-based, Port-based
Max. Number of VLAN8
DHCP ServerMultiple IP Subnet, Custom DHCP Options, Bind-IP-to-MAC
LAN IP Alias
PPPoE Server
Port Mirroring
Local DNS Server
Conditional DNS Forwarding
Hotspot Web Portal
Hotspot AuthenticationClick-Through, Social Login, SMS PIN
RoutingIPv4 Static Routing, IPv6 Static Routing, Inter-VLAN Routing, RIP, BGP
Policy-based RoutingProtocol, IP Address, Port, Domain, Country
High Availability
DNS Security (DNSSEC)
MulticastIGMP Proxy, IGMP Snooping & Fast Leave, Bonjour
Local RADIUS server
SMB File Sharing (Requires external storage)
ProtocolsPPTP, L2TP, IPsec, L2TP over IPsec, SSL, GRE, IKEv2, IKEv2-EAP, OpenVPN
User AuthenticationLocal, RADIUS, LDAP, TACACS+, mOTP
IKE AuthenticationPre-Shared Key, X.509
IPsec AuthenticationSHA1, SHA256, MD5
VPN RedundancyLoad Balancing, Failover
Single-Armed VPN
NAT-Traversal (NAT-T)
Firewall & Content Filtering
NATPort Redirection, Open Ports, Port Triggering, DMZ Host, UPnP
ALG (Application Layer Gateway)SIP, RTSP, FTP, H.323
VPN Pass-ThroughPPTP, L2TP, IPsec
IP-based Firewall Policy
Content FilteringApplication, URL, DNS Keyword, Web Features, Web Category (subscription required)
DoS Attack Defense
Bandwidth Management
IP-based Bandwidth Limit
IP-based Session Limit
QoS (Quality of Service)TOS, DSCP, 802.1p, IP Address, Port, Application
VoIP Prioritization
Wireless LAN (n model)
Number of SSID4 per radio band
SecurityWEP, WPA, WPA2, WPS
AuthenticationPre-Shared Key, 802.1x
AirTime Fairness
WDSBridge, Repeater
Access ControlAccess List, Client Isolation, Hide SSID, Wi-Fi Scheduling
Local ServiceHTTP, HTTPS, Telnet, SSH, TR-069
Config File Export & Import
Config File CompatibilityVigor3200 Series
Firmware UpgradeTFTP, HTTP, TR-069
2-Level Administration Privilege
Access ControlAccess List, Brute Force Protection
Notification AlertSMS, E-mail
SNMPv2, v2c, v3
Managed by VigorACS
Central AP Management30 VigorAP
Central Switch Management10 VigorSwitch
Rack Mountable Mouting Kit Included
Power SupplyAC100-240V @ 1.0A
Max. Power Consumption19 watts
Dimension273mm x 171mm x 45mm
Operating Temperature0 to 45°C
Storage Temperature-25 to 70°C
Operating Humidity (non-condensing)10 to 90%

Multi subnet with VLAN tag – Multi-tenant applications along with FTTx

VPN failover / backup by VPN trunk management

Active Directory/LDAP Group Management for VPN remote dial-in authentication