Most of the current DrayTek UK routers support two or more LANs. Segmenting a local network may improve network efficiency and security. By default, hosts from a separate VLAN (subnet) cannot reach devices located on another LAN segment. If you need to enable communication between different subnets, activate Inter-LAN routing on the router.

This article demonstrates how to add a second LAN subnet, enable Inter-LAN routing, and restrict access to the new network for a selected device via firewall setup. There are three main parts of which last one is optional:

A. Enable VLANs and add more LAN subnets

B. Configure Inter-LAN routing

C. Restrict inter-LAN traffic to pre-defined devices (optional)

Enable VLANs and add more LAN subnets

1. Navigate to [LAN] > [VLAN Configuration] and enable the feature. Select LAN and Wireless LAN interfaces that should belong to the LAN1 subnet and/or LAN2.
For port trunk setup enable VLAN Tag. Make sure that your switch connected to that port supports this. Alternatively, just leave VLAN Tag disabled and don't let the same interface (such as P3 illustrated below) to be part of two or more subnets. Press OK to save the settings.

2. To make sure that the new subnets are active (if selected) press OK to reboot your router.

Configure Inter-LAN routing

3. Go to [LAN] > [General Setup]. You should see that both LAN1 and LAN2 are enabled. The bottom section of the page allows the Inter-LAN Routing configuration. Just check the box on the intersection of the LAN subnets you want the router to forward the traffic. For example, the configuration below will allow subnet LAN1 and LAN2 to communicate with each other.

Restrict inter-LAN traffic to pre-defined devices (optional)

4. For the purpose of this article we presumed that only one computer on e.g. LAN1 should have access to LAN2 network.  We need to apply two firewall rules to achieve that. Go to [Firewall] > [General Setup] and make sure that Data Filter is enabled. Take a note of the Start Filter Set if available on your router.

5. Then go to [Firewall] > [Filter Setup] and open the Default Data Filter set. Select an unoccupied profile (2) and a new page should appear. The below rule allows traffic from a device (192.168.1.5) to the whole LAN2 subnet (192.168.2.0/24). Make sure that:
a) The firewall profile is Enabled.
b) Add a name in the Comments section.
c) Set Direction to LAN/DMZ/RT/VPN -> LAN/DMZ/RT/VPN.
d) Source IP is set here to single IP - 192.168.1.5, and the Destination IP covers whole LAN2 subnet range of 192.168.2.0/255.255.255.0.
e) Leave the Filter action in its default Pass Immediately state.

6. Now we need a second firewall rule that will disallow remaining devices on LAN1 from accessing our new LAN2 subnet.
Open next available firewall profile in [Firewall] > [Filter Setup], and set it as depicted below:
a) The firewall profile is Enabled.
b) Add a name in the Comments section.
c) Set Direction to LAN/DMZ/RT/VPN -> LAN/DMZ/RT/VPN.
d) Traffic from LAN1 subnet, here 192.168.1.0/255.255.255.0 is set as Source IP. They should not have access to LAN2 - Destination IP (192.168.2.0/255.255.255.0) unless permitted in previous firewall rule.
e) Change the Filter action to Block Immediately state.

The firewall will check each profile in numerical order, so it is important that the allow rule is configured first. If not matched, then the second (in this case our block) rule will be processed. And again, if the second rule will or will not match our criterias, it will be executed or skipped. Note that this part was optional and needs to be configured only if some inter-LAN traffic restrictions are required.