Creating VLAN for IoT and Guests but purely for wireless.

Hello all.

I have bought a new DrayTek Vigor 2767ax router.

I've decided to setup a respective VLAN for IoT devices and guests to use - but only for wireless connections.

Happy to leave the LAN ports untagged at the moment although it's easy to change those.

I setup 2 new LANs using 192.168.2.1/24 and 192.168.3.1/24 respectively, which are now in addition to the default 192.168.1.1/24 range.

I created 2 VLANs (VLAN 10 and VLAN 20) using the IP ranges above respectively.

I created 2 additional SSIDs for IoT and Guests and assigned VLAN 10 and VLAN 20 respectively.

But despite not assigned anything to the main untagged SSID, I am forced onto the 192.168.2.1 range even though I am connecting to that main SSID, and not the IoT SSID.

So then I have to connect on 192.168.2.1 and login to change it back.

When assigning a VLAN to a SSID, it prompts you specify a VLAN i.e. you can't leave it blank as the text in the drop-down implies you have to specify a VLAN.

If I create 3 VLANs and assign 192.168.1.1/24 to that, and assign that to the main untagged SSID, everything works as it should.

Searching this, apparently these routers can support untagged LANs with a VLAN for IoT etc.

Has anyone successfully achieve this?

I can live with 3 VLANs but it seems a bit strange.

Thank you!

John

Hi Jonny IT,

If I am understanding your situation correctly, then yes, you would always need to create a VLAN for each LAN once you start using VLANs. If you’re just using one LAN and no VLANs then the first main LAN can stay as you find it, but once you started adding VLANs (or rather ‘Enable VLAN’) then every LAN needs to be in a VLAN, either assigned a VLAN tag or untagged, it still needs to be in a VLAN.

So placing the main LAN into a VLAN (tagged or untagged) is expected. Then all other VLANs can be assigned separately from that main VLAN(LAN).

The newer DrayOS on your router is quite different from the older version and so takes a bit of fiddling to get your head around it; unless you’re new to DrayTek OS, then it is what it is…


Hope that helps.

I am in a similar situation in that I too have bought a 2767ax and wanted to create a separate VLAN for IoT and guests. So I did pretty much the same as JohnnyIT and created an extra LAN along with 2 VLANS and an extra SSID. I associated everything as I wanted and it all works as intended.

Under the previous DrayOS there was an option on the WLAN settings page to 'isolate member' to prevent items on a lesser trusted WLAN from talking to anything else. In DrayOS 5 there is an 'Isolate Client from Wireless' option which 'If enabled, it disallows communication between wireless clients (stations) on the same SSID' so I assume this would be the same sort of thing.

Perhaps it would have been nicer to go one step further in isolating devices on the lesser trusted network from each other but perhaps this is unnecessary. At the end of the day I have achieved what I wanted in that my main computer is on its own VLAN and everything else (smart TV's, various satellite boxes and guest Wi-Fi access etc) is on another VLAN.

I had a quick look at IAM and I am sure that something could be done with that but it seems a bit overkill for what I was after. So I may just enable the 'Isolate Client from Wireless' option on the untrusted VLAN and leave it at that.

Does anyone agree or have any suggestions?

Thanks.