DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Isolate the station from LAN - pi-hole
- markvoip
- Topic Author
- Offline
- Junior Member
- Posts: 31
- Thank you received: 0
19 Jun 2019 10:50 #94644
by markvoip
Isolate the station from LAN - pi-hole was created by markvoip
Draytek 2860, latest firmware.
Under Wireless LAN/Access Control, I have routinely been ticking the Attribute box to 'Isolate the station from LAN'.
My understanding of that option was that such MAC addresses would be able to access the WAN/Internet, but not be able to communicate with any other devices on their SSID (or in fact any SSID), nor wired devices.
I don't want guests, nor IoT devices, sniffing around my network!
That seemed to be what was happening. At least I have a smart thermostat set up like that and I am able to access it when out-and-about.
Today I was trying to diagnose why my PVR was unable to access the Internet.
Discovered that if I remove the 's' attribute, it can access the Internet. If I restore the 's' attribute, it can't.
As a further test, I set the attribute for my iPad. No Internet access.
Finally, the penny dropped. I have recently introduced a Raspberry Pi running pi-hole as a DNS ad blocker.
So I guess isolated stations are unable to access the Pi, as it is a device on my wired LAN.
Hence no DNS and so effectively no Internet access.
Sound right?
Anyone think of a solution to allow me to keep using isolation?
TIA
Mark
- piste basher
- Offline
- Big Contributor
- Posts: 1193
- Thank you received: 7
19 Jun 2019 14:24 #94645
by piste basher
Replied by piste basher on topic Re: Isolate the station from LAN - pi-hole
Just use a different LAN for the Guest Network? Works for me.
- markvoip
- Topic Author
- Offline
- Junior Member
- Posts: 31
- Thank you received: 0
19 Jun 2019 15:44 #94646
by markvoip
Replied by markvoip on topic Re: Isolate the station from LAN - pi-hole
I'm encouraged that it is possible, as it works for you. Thanks
Not quite following you though...
I currently have LAN1 (only) active, comprising a couple of desktops and the Pi. I understand LAN1 to refer to the ethernet ports, but perhaps that's incorrect...
I have SSID1 for trusted clients.
I have SSID2 for guests and IoT clients.
Do I need to use VLAN? Perhaps putting all the ethernet ports and SSID1 into VLAN0 and guest SSID2 into VLAN1?
Are you saying that 'Isolate from LAN' means isolate from other clients of the LAN I am a member of, but allow access to other LANs? (seems a strange way to apply a limitation)
TVMIA
- piste basher
- Offline
- Big Contributor
- Posts: 1193
- Thank you received: 7
20 Jun 2019 08:57 #94647
by piste basher
Replied by piste basher on topic Re: Isolate the station from LAN - pi-hole
Yes you have to enable VLANs. Have a look here for some guidance http://www.i-helpdesk.com.au/index.php?/Knowledgebase/Article/View/572/0/configuring-draytek-vigor2830-for-limited-guest-wi-fi-access
Once you have enabled VLAN you can decide which physical ports and which SSIDs are in each of your LANs.
e.g. I have 4 physical ports on my 2926. I have all 4 in VLAN0 (LAN1). I have SSIDs 1, 2 and 4 in LAN1 and SSID 3 (Guests) assigned to LAN 2 (VLAN1). Because I have an external switch connected to port 1 and wireless APs connected via cable to that switch, I have also placed port 1 in LAN2 so that the Guest LAN is also connected to the APs.
Make sure that "Inter LAN routing" is not enabled between your LANs.
Guests connected wirelessly to LAN2 will have access to the internet but not to the network on LAN1.
- markvoip
- Topic Author
- Offline
- Junior Member
- Posts: 31
- Thank you received: 0
20 Jun 2019 17:20 #94650
by markvoip
Replied by markvoip on topic Re: Isolate the station from LAN - pi-hole
Ahhhh, got it.
Basically, I enable VLANs and then add the port to which the Pi is connected to both my main VLAN and the guest VLAN.
It'll be a bit more complicated in practice (isn't it always), but I completely get it.
Many thanks.
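Added example, not part of any forum post and not DrayTek code: a small Python model of the VLAN membership layout described in the replies above. It flags interfaces that sit in more than one VLAN (the shared port) and lists which trusted interfaces a guest SSID can still reach. The interface names, the table layout and the reachability rule (same VLAN, or inter-LAN routing enabled) are simplifying assumptions for illustration.

```python
# Constructed membership table mirroring the layout described in the thread:
# VLAN0 = LAN1 (trusted), VLAN1 = LAN2 (guests). Interface names are illustrative.
VLANS = {
    "VLAN0/LAN1": {"P1", "P2", "P3", "P4", "SSID1", "SSID2", "SSID4"},
    "VLAN1/LAN2": {"P1", "SSID3"},
}
# Pairs of LANs with inter-LAN routing enabled (empty = disabled, as advised).
INTER_LAN_ROUTING = set()


def shared_interfaces(vlans):
    """Interfaces that belong to more than one VLAN, with the VLANs they join."""
    seen = {}
    for vlan, members in vlans.items():
        for iface in members:
            seen.setdefault(iface, set()).add(vlan)
    return {i: sorted(v) for i, v in seen.items() if len(v) > 1}


def can_reach(a, b, vlans, routed):
    """Assumed rule: a and b share a VLAN, or their VLANs are routed together."""
    va = {v for v, m in vlans.items() if a in m}
    vb = {v for v, m in vlans.items() if b in m}
    if va & vb:
        return True
    return any(frozenset((x, y)) in routed for x in va for y in vb)


def audit(guest_ifaces, trusted_ifaces, vlans, routed):
    """Return sorted (guest, trusted) pairs that can reach each other."""
    return sorted(
        (g, t)
        for g in guest_ifaces
        for t in trusted_ifaces
        if can_reach(g, t, vlans, routed)
    )


if __name__ == "__main__":
    trusted = {"P1", "P2", "P3", "P4", "SSID1", "SSID2", "SSID4"}
    print("In more than one VLAN:", shared_interfaces(VLANS))
    print("Guest can reach:", audit({"SSID3"}, trusted, VLANS, INTER_LAN_ROUTING))
```

In this model the guest SSID reaches only the port that is a member of both VLANs, so whatever is attached to that port (the Pi, or a switch with other devices behind it) is what guests can talk to.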
Moderators: Chris, Sami
Copyright © 2024 DrayTek