DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Isolate the station from LAN - pi-hole

19 Jun 2019 10:50 #1 by markvoip
Isolate the station from LAN - pi-hole was created by markvoip
Draytek 2860, latest firmware.
Under Wireless LAN/Access Control, I have routinely been ticking the Attribute box to 'Isolate the station from LAN'.
My understanding of that option was that such MAC addresses would be able to access the WAN/Internet, but not be able to communicate with any other devices on their SSID (or in fact any SSID), nor wired devices.
I don't want guests, nor IoT devices, sniffing around my network!

That seemed to be what was happening. At least I have a smart thermostat set up like that and I am able to access it when out-and-about.

Today I was trying to diagnose why my PVR was unable to access the Internet.
Discovered that if I remove the 's' attribute, it can access the Internet. If I restore the 's' attribute, it can't.
As a further test, I set the attribute for my iPad. No Internet access.

Finally, the penny dropped. I have recently introduced a Raspberry Pi running pi-hole as a DNS ad blocker.
So I guess isolated stations are unable to access the Pi, as it is a device on my wired LAN.
Hence no DNS and so effectively no Internet access.
Sound right?

Anyone think of a solution to allow me to keep using isolation?

TIA
Mark

19 Jun 2019 14:24 #2 by piste basher
Replied by piste basher on topic Re: Isolate the station from LAN - pi-hole
Just use a different LAN for the Guest Network? Works for me.

19 Jun 2019 15:44 #3 by markvoip
Replied by markvoip on topic Re: Isolate the station from LAN - pi-hole
I'm encouraged that it is possible, as it works for you. Thanks :-)
Not quite following you though...

I currently have LAN1 (only) active, comprising a couple of desktops and the Pi. I understand LAN1 to refer to the ethernet ports, but perhaps that's incorrect...
I have SSID1 for trusted clients.
I have SSID2 for guests and IoT clients.

Do I need to use VLAN? Perhaps putting all the ethernet ports and SSID1 into VLAN0 and guest SSID2 into VLAN1?


Are you saying that 'Isolate from LAN' means isolate from other clients of the LAN I am a member of, but allow access to other LANs? (seems a strange way to apply a limitation)
TVMIA

20 Jun 2019 08:57 #4 by piste basher
Replied by piste basher on topic Re: Isolate the station from LAN - pi-hole
Yes you have to enable VLANs. Have a look here for some guidance http://www.i-helpdesk.com.au/index.php?/Knowledgebase/Article/View/572/0/configuring-draytek-vigor2830-for-limited-guest-wi-fi-access

Once you have enabled VLAN you can decide which physical ports and which SSIDs are in each of your LANs.

e.g. I have 4 physical ports on my 2926. I have all 4 in VLAN0 (LAN1). I have SSIDs 1, 2 and 4 in LAN1 and SSID 3 (Guests) assigned to LAN2 (VLAN1). Because I have an external switch connected to port 1 and wireless APs connected via cable to that switch, I have also placed port 1 in LAN2 so that the Guest LAN is also connected to the APs.

Make sure that "Inter LAN routing" is not enabled between your LANs.

Guests connected wirelessly to LAN2 will have access to the internet but not to the network on LAN1.

20 Jun 2019 17:20 #5 by markvoip
Replied by markvoip on topic Re: Isolate the station from LAN - pi-hole
Ahhhh, got it.

Basically, I enable VLANs and then add the port to which the Pi is connected to both my main VLAN and the guest VLAN.

It'll be a bit more complicated in practice (isn't it always), but I completely get it.

Many thanks.
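
A way to verify the outcome discussed in this thread, as an added example that is not part of the original posts: run from a client on the guest SSID, it checks that the DNS resolver answers while LAN1 hosts do not. The IP addresses and ports are placeholder assumptions; replace them with your own Pi-hole and LAN1 devices.

```python
import socket
import struct

def build_dns_query(name, txid=0x1234):
    """Encode a minimal DNS A-record query (RFC 1035) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def dns_reachable(resolver_ip, name="example.com", timeout=2.0):
    """True if the resolver sends back a DNS response matching our transaction id."""
    query = build_dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (resolver_ip, 53))
            reply, _ = s.recvfrom(512)
        except OSError:  # timeout or network unreachable
            return False
    return len(reply) >= 12 and reply[:2] == query[:2] and bool(reply[2] & 0x80)

def host_answers(host, port, timeout=2.0):
    """True if the host accepts or actively refuses the connection; both prove reachability."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except ConnectionRefusedError:
        return True
    except OSError:  # timeout or no route: the isolation is holding
        return False

def assess(dns_ok, lan_probe_results):
    """Turn raw probe results into findings for the guest segment."""
    findings = []
    if not dns_ok:
        findings.append("DNS resolver unreachable: guests have no name resolution")
    for (host, port), answered in sorted(lan_probe_results.items()):
        if answered:
            findings.append(f"isolation leak: {host}:{port} reachable from guest segment")
    return findings

if __name__ == "__main__":
    RESOLVER = "192.168.2.2"  # placeholder: address guests use for the Pi-hole
    LAN_TARGETS = [("192.168.1.10", 445), ("192.168.1.11", 22)]  # placeholder LAN1 hosts
    results = {t: host_answers(*t) for t in LAN_TARGETS}
    report = assess(dns_reachable(RESOLVER), results)
    print("\n".join(report) if report else "OK: DNS works, LAN1 targets unreachable")
```

An empty findings list means guests can resolve names and none of the listed LAN1 hosts responded.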
