DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Vigor 2925 + AP900 guest WLAN isolation
30 Sep 2020 03:20 #97294
by dr_t
Vigor 2925 + AP900 guest WLAN isolation was created by dr_t
I'm trying to set up a Vigor 2925 and some AP900s set up as wireless extenders (mode = AP Bridge-WDS) to provide two SSIDs (SSID1 and SSID2), SSID2 being a guest WLAN which can access the Internet but not my LAN. The primary LAN (LAN1, SSID1 + wired clients) has its own DHCP server, so the Vigor 2925 does not provide a DHCP service to LAN1. The Vigor 2925 is set up to provide a DHCP service to LAN2 (SSID2). The two DHCP servers serve entirely separate IP address spaces.
I've followed the instructions on https://www.draytek.com/support/knowledge-base/5320 to set up a second guest SSID, two VLANs - VLAN0 (P1,P2,P3,P4,P5, SSID1) and VLAN1 (SSID2), where VLAN1 has the VLAN Tag enabled and set to 1. The Inter-LAN routing is set up so that LAN1 only routes to LAN1 and LAN2 only routes to LAN2.
Each of the AP900's is also set up so that SSID2 traffic is tagged with a VLAN ID of 1. SSID1 traffic is untagged.
I've tried all possible permutations (set up consistently on the Vigor 2925 and all the AP900's) of settings of "Isolate LAN" and "Isolate Member" for SSID2.
The problem I get is that the two LANs end up not being isolated: both clients connecting to SSID1 and clients connecting to SSID2 can connect to the entire LAN, and moreover receive their DHCP settings from the LAN1 DHCP server: Draytek 2925's LAN2 DHCP server looks like it's completely non-existent. So the guest clients live in the DHCP1 address space, whereas they should be living in the DHCP2 address space.
Any suggestions as to where to look for the problem would be very much appreciated.
Thank you.
30 Sep 2020 09:04 #97295
by piste basher
Replied by piste basher on topic Re: Vigor 2925 + AP900 guest WLAN isolation
When you say "Inter-LAN Routing is set up" do you mean you have it enabled in some way? If so, try disabling it.
30 Sep 2020 11:55 #97296
by cocospm
Replied by cocospm on topic Re: Vigor 2925 + AP900 guest WLAN isolation
Disclaimer: I use AP903s, not AP900s, but I believe the same applies to both (my apologies if this isn't the case)...
I suggest you first test all is OK when you connect a device to the 2925's SSID2 directly (i.e., when close to the 2925 and not via an AP900) - does the device correctly get an IP address from your 2925 on LAN2? If not, that suggests you might have a setup error on the VLAN page on your 2925 - make sure your VLAN0 is on LAN1 and your VLAN1 is indeed on LAN2.
If this does work, it suggests your AP900s are not tagging the SSID2 traffic (in which case the untagged traffic will cause devices connected to an AP900 on SSID2 to be on VLAN0). Apart from specifying the tag for SSID2 on your AP900s, have you also turned off the "Enable 2 subnet" option and also unticked the "Isolate LAN" option? Keep the "Isolate Member" option turned on for SSID2. Check these settings for both your 2.4GHz and 5GHz SSID2 on your AP900s.
30 Sep 2020 12:16 #97297
by hornbyp
Replied by hornbyp on topic Re: Vigor 2925 + AP900 guest WLAN isolation
cocospm wrote:
If this does work, it suggests your AP900s are not tagging the SSID2 traffic (in which case the untagged traffic will cause devices connected to an AP900 on SSID2 to be on VLAN0).
That would be my suspicion too.
The AP900 Overview says:
Code:
The Vigor AP-900 supports the 802.1q VLAN protocol so that if it is connected to an 802.1q enabled LAN, it can split tagged data
(whether its different subnets or intended for different users) and broadcast each on its own SSID.
It doesn't say VLAN is supported in WDS mode. On the AP903, it's not something that's active by default, but can be enabled when in Mesh mode (which the AP900 doesn't support).
30 Sep 2020 12:33 #97298
by cocospm
Replied by cocospm on topic Re: Vigor 2925 + AP900 guest WLAN isolation
hornbyp wrote:
It doesn't say VLAN is supported in WDS mode. On the AP903, it's not something that's active by default, but can be enabled when in Mesh mode (which the AP900 doesn't support).
On the AP903 it works in AP mode, too, but I haven't tested it in WDS mode. It may be that the wireless back-haul doesn't support VLAN tagging... that'll be one for Draytek to answer, I guess.
30 Sep 2020 14:46 #97303
by dr_t
Replied by dr_t on topic Re: Vigor 2925 + AP900 guest WLAN isolation
Thank you very much for the several very quick and very helpful replies. To answer your questions in turn:
- clients can connect to both SSID1 and SSID2 if they are connecting directly to the 2925, and in that case they also get the correct DHCP settings;
- clients can connect to both SSID1 and SSID2 if they are connecting to an AP900, but in that case, they always get the SSID1 (i.e. the untagged LAN) DHCP settings;
- I don't think I can turn off Inter-LAN routing (I did not turn it on), I can only set up the matrix so that each of the subnets (LAN1, LAN2, LAN3, LAN4, LAN5, DMZ Port - only LAN1 and LAN2 are enabled - routes to itself only)
- I have (and had) the "Enable 2 subnet" off, "Isolate LAN" was off, "Isolate Member" was off, I have now turned it on as per your advice, but the result is the same
So if I understand correctly, it looks like it may be that on a 2925 + AP900's, I can either have:
- just a single router and two isolated WLANs; or,
- multiple routers in a WDS configuration and only one WLAN;
- but not multiple routers in a WDS configuration with two isolated WLANs, because VTAGs are not supported in conjunction with WDS?
This seems to be a bit of a shame.
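As an added diagnostic (example code, not from this thread or from DrayTek), the following Python classifies each test client's leased address against the two subnets and applies cocospm's two-step reasoning: if a client associated directly to the 2925 lands in the wrong LAN, look at the router's VLAN page; if only clients behind an AP900 do, the SSID2 tag is being lost at the AP or over the WDS backhaul. The subnet addresses and the observed leases are constructed, since the thread gives none.

```python
"""Check which DHCP scope wireless clients landed in, to confirm guest-WLAN isolation."""
import ipaddress

# Constructed subnets: the thread gives no addresses, so these are assumptions.
SUBNETS = {
    "LAN1": ipaddress.ip_network("192.168.1.0/24"),  # VLAN0/untagged, external DHCP server
    "LAN2": ipaddress.ip_network("192.168.2.0/24"),  # VLAN1 (tag 1), Vigor 2925 DHCP server
}
EXPECTED = {"SSID1": "LAN1", "SSID2": "LAN2"}  # where each SSID's clients should land

def scope_of(ip):
    """Return the LAN whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((lan for lan, net in SUBNETS.items() if addr in net), None)

def check_client(ssid, via, ip):
    """Compare a client's leased address with the LAN its SSID should map to.
    via is "2925" (on the router's own radio) or "AP900" (via WDS). Returns (ok, why)."""
    got, want = scope_of(ip), EXPECTED[ssid]
    if got == want:
        return True, f"{ssid} via {via}: {ip} is in {want}, as expected"
    if ssid == "SSID2" and got == "LAN1":
        # The thread's failure mode: guest frames arrived untagged, so the
        # VLAN0/LAN1 DHCP server answered instead of the 2925's LAN2 server.
        return False, f"{ssid} via {via}: {ip} is in LAN1; SSID2 tag (VLAN 1) was lost"
    return False, f"{ssid} via {via}: {ip} is in {got}, expected {want}"

def diagnose(observations):
    """Two-step test: direct association to the 2925 first, then via the AP900s."""
    ok = {"2925": True, "AP900": True}
    for ssid, via, ip in observations:
        ok[via] = ok[via] and check_client(ssid, via, ip)[0]
    if not ok["2925"]:
        return "router: check the 2925 VLAN page (VLAN0 -> LAN1, VLAN1 -> LAN2)"
    if not ok["AP900"]:
        return "AP: SSID2 tagging on the AP900s, or tags dropped over the WDS backhaul"
    return "isolated: every client landed in its SSID's subnet"

# Constructed observations mirroring what dr_t reports in this thread.
OBSERVED = [
    ("SSID1", "2925", "192.168.1.50"),
    ("SSID2", "2925", "192.168.2.20"),
    ("SSID1", "AP900", "192.168.1.51"),
    ("SSID2", "AP900", "192.168.1.52"),  # guest client leased from LAN1's server
]
```

Run `diagnose(OBSERVED)` after collecting real leases from each SSID/path combination; a guest client whose address falls in LAN1 is the tell-tale that the VLAN 1 tag did not survive the path.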
Moderators: Chris, Sami
Copyright © 2024 DrayTek