Which is why having a "Wizard" which creates separate VLANS for the Guest network, but leaves them on LAN1, the default LAN Management acccess subnet, is a bit crazy?  The Wizard should at least make it clear that the User has to do some additional settings if they don't want Guests to have access to the router itself, surely more of a potential problem than them being able to communicate with each other?

Thanks for the replies guys.
So do you think this setup is actually three totally different VLAN networks but they can each use the same subnet rage because they don't communicate with each other, but its not actually the same subnet? Or is it actually the exact same subnet?
I'm just struggling to get me head around it, with them all using LAN1 as the subnet and not using VLAN tags either, and I really want to understand how its working.
My instincts say I should set both the SSID2 to the LAN2 subnet.

Perhaps this will help your understanding:-

https://www.draytek.com/support/knowledge-base/5457#:~:text=When%20this%20setting%20is%20enabled,to%20discover%20the%20network%20clients.

and then you could look at :-

https://www.draytek.com/support/knowledge-base/5320

 

It is exactly the same subnet, but you have segregated them by VLANing their connection to the network.

The host of the subnet, and the DHCP server on the router, are assigning the IP addresses. Seeing as ALL devices can reach that DHCP server (on LAN1) they can all ask for an IP address and get one.

Now when it comes to them sending and recieving traffic to and from each other, that is where the VLAN steps-in and blocks them from seeing each other's traffic because the router says "no" this packet is marked as being only for members of VLAN2 or 3 or 4 or whatever.

The router routes the traffic, like a policeman directing traffic.

When it comes to VLAN ID TAGged packets, the TAG is a way for external devices (Switches, VoIP Phones etc etc (intellegent devices basically)) to be informed of the traffic's assignment to a VLAN as well. That way it too can use those TAGs to route the traffic on further, until it eventually reaches its associated device destined to be on the same VLAN.

When no TAGging is used and just a VLAN is assigned, every device connected to that interface (Port, or SSID in the case of a Wireless connection) will get the traffic for that VLAN - passively, they have no say in the matter, all the traffic leaving and entering that interface is now part of that VLAN.

The disadvantage (although it could be a good thing too) you can't use the Firewall rules to block/unblock traffic between VLANs when they're using the same subnet LAN; as the FW only routes between subnets, so they must be different.