DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
2862 VLAN & VPN setup
19 Jan 2018 10:32 #90460
by k1s
2862 VLAN & VPN setup was created by k1s
Hello,
I’m about to try to set up a home office network using a Draytek 2862ac as the router, making use of VLANs to separate various devices from each other. I’m new to VLANs & VPNs and have some questions about how best to make it work.
I’d like it to work like this:
VLAN ID 1 Office PCs and laptop access to internet and Synology NAS file server, printer, with all these accessible from the internet (via a VPN?)
VLAN ID 2 for Home users’ phones and laptops that allows access to internet, the same Synology NAS file server, printer and Philips Hue Bridge
VLAN ID 3 for Media devices TVs, STBs, PS4, gaming PC to access the internet, and 1 port of a second Synology NAS that serves media to the TVs via Plex (the other port)
VLAN ID 4 for Guests that allows internet access and printer
VLAN ID 5 for IP cameras – kept away from the rest of the network, and accessible from the internet via a VPN
VLAN ID 6 for domestic IoT devices (Bosch ovens, dishwasher, washing machine, etc.), no access to anything else or to the internet, but accessible from phone apps via the internet
I was thinking to have corresponding Wifi SSIDs match the VLANs, i.e. something like:
Office – tagged (if that’s the right terminology) with VLAN ID 1
HomeUser - tagged with VLAN ID 2
Media - tagged with VLAN ID 3
Guest - tagged with VLAN ID 4
IoT - tagged with VLAN ID 6
(IP cameras are only connected via ethernet, so don’t need one)
The physical connections to the devices/“hosts?” are made using 3 switches (2 Netgear GS116Ev2, and a GST110TP for the PoE devices comprising IP Cameras and a TP-Link EAS245 Access Point for the ground floor) as follows:
So the questions:
1. Which VLAN IDs should the router’s ports be tagged with?
a. Should it be just the IDs that are those of the VLANs that the devices/hosts connected to them are “allowed”?
b. If so, how does the administrator access them to set them up if he/she is connected to VLAN 1?
c. If I have to add VLAN 1 to each port, so that the administrator can access the devices, how do I stop those devices having access to VLAN 1?
d. If the Printer is accessible from VLAN 1 (Office), 2 (Home users), and 4 (Guests), do I need to do anything to stop Guests or Home Users from getting access to VLAN 1 via Printer’s access to VLAN 1?
e. Do I need to add Firewall rules as well as set up the VLANs?
2. How should the VPN or VPNs be set-up?
a. Should I group the devices/hosts as “Object Groups”?
b. Is more than one VPN required/recommended – e.g. one for being able to view cameras from the internet; another for accessing files on VLAN 1; another for remote control of IoT devices, etc?
Any tips/guidance would be very welcome.
19 Jan 2018 13:26 #90463
by arlan
Replied by arlan on topic Re: 2862 VLAN & VPN setup
Question 1 is covered by Draytek's help guides (there are at least two of them) on using VLANs, but you may need to create an account in order to view them. As I understand it, though, VLANs are containers within the LAN container and therefore prevent any crossover with other LANs, unless such crossover is specifically allowed through the use of Inter-LAN Routing. The router management page can be used to set who has access to what, and firewall rules are discretionary (i.e. up to you).
19 Jan 2018 19:58 #90467
by k1s
Replied by k1s on topic Re: 2862 VLAN & VPN setup
Arlan wrote: Question 1 is covered by Draytek's help guides (there are at least two of them) on using VLAN...
Really, would you care to point me to where in the guides? I read these before posting and couldn't find the answer:
http://www.draytek.co.uk/information/our-technology/vlans?highlight=WyJ2bGFuIiwiJ3ZsYW4nIiwiJ3ZsYW4iXQ==
https://www.draytek.co.uk/support/guides/kb-vigor-8021qvlan?highlight=WyJ2bGFuIiwiJ3ZsYW4nIiwiJ3ZsYW4iXQ==
Arlan wrote: The router management page can be used to set who has access to what, and firewall rules are discretionary (i.e. up to you).
So er, you're saying it's in there somewhere. Thanks
24 Jan 2018 14:30 #90527
by k1s
Replied by k1s on topic Re: 2862 VLAN & VPN setup
Hi can anybody provide more specific help?
Thanks
18 Mar 2018 13:52 #91104
by arlan
Replied by arlan on topic Re: 2862 VLAN & VPN setup
Sorry for not being more specific, and for failing to provide the links in question. As to your further questions, I am not sure because I am still trying to work out the answer to some of those myself. As to what uses what VLAN, though, the best solution I have found to date involves setting all the IP addresses statically and then assigning individual addresses to different services, etc.; although it is not really necessary to separate things out using VLANs unless you are dealing with things that would, traditionally, have been run as separate LANs, e.g. guest vs. private (internal) access.
09 Apr 2018 17:37 #91290
by bennyh
Replied by bennyh on topic Re: 2862 VLAN & VPN setup
I have done a similar setup, 4 VLANs with their own DHCP range, with 4 SSIDs tagged to a VLAN each. It's the max possible, unless you name the networks differently based on the frequency, which may cause you different issues with some of the devices.
Although devices connect and can pick up the correct IP for each VLAN/SSID, I am having issues with devices connected to, say, SSID1 (full LAN access) to the AP902 being unable to access any servers connected to the LAN. In fact, 2 servers are connected on the back of the very same AP902 but I cannot access the servers wirelessly; routing issue of some kind, can ping the AP or the router, but not servers.
I am talking to support about this, either a firmware issue or a half-baked solution. I will let you know what I find out.