III. Wireless LAN
ExpiredHow to setup a wireless Mesh network with multi-subnets
VLANs serve as a useful tool for providing security to Wi-Fi clients by isolating traffic from the different users based on which SSID they connect to. This kind of setup is very common when you want to have a guest network which is completely separate from the company's private network. DrayTek Mesh supports
Additionally, the LAN ports on the VigorAP can make use of VLAN tags across the Mesh Wireless bridge. This means that if a VLAN supporting switch, such as the VigorSwitch G1080, is connected to the VigorAP LAN port, that switch could be configured so that some ports on the switch are in one VLAN and others are in the other VLAN.
The following guide demonstrates how to configure multiple wireless SSIDs on an access point, each with its own VLAN and subnet on a mesh network.
Network Configuration
| Network segment | Network | VLAN Name | VLAN Tag | IP Range |
| Private network | LAN1 | VLAN0 | Untagged | 192.168.1.0/24 |
| Guest network | LAN2 | VLAN1 | 10 | 192.168.2.1/24 |
This configuration requires a DrayTek router from the Vigor 2862 series onwards, which supports multiple subnets and VLAN tags.
This makes it possible to configure a guest network which is separate from the main, internal network segment / subnet and a DrayTek access point that supports wireless mesh such as the AP903 and AP802.
A general guide on how to configure mesh wireless can be found here
Firmware Requirements*
| VigorAP Model | Firmware Version |
| VigorAP 903 | 1.3.4 (or later) |
| VigorAP 802 | 1.3.2 (or later) |
Step 1. Configure VLAN tags on the DrayTek router
Go to [LAN] > [VLAN] tick Enable and specify a trunk port. In the example below, we create two VLANs in the router and specify P2 as trunk port for the AP to connect.
If the mesh root AP is connected to the router through a network switch, check whether the switch is Managed or Unmanaged. An Unmanaged switch will typically be able to pass tagged and untagged packets with no configuration required. A Managed switch may have default VLAN configuration settings that could cause the switch to drop packets with VLAN tags. It may be necessary to reconfigure the switch to pass through untagged and VLAN tagged packets. Check the managed switch's documentation for information. There are no specific settings recommended in this guide because of variation in usage of terms between manufacturers.
Step 2. Configure each SSID on mesh root with VLAN tag
Connect the AP to the router's trunk port as configured in step 1.
In the AP Web UI, navigate to [Wireless LAN(2.4G/5G)] > [General Setup] to configure each of the SSIDs
- Create two SSIDs.
- Specify VLAN ID for each SSID. The VLAN ID should correspond to the VLAN settings in the router.
- VLAN 0 is LAN1; VLAN 10 is LAN2.
- Click OK to apply.
Then go to [Wireless LAN] > [Security] to set up authentication for each SSID.
- Select an SSID.
- Select the authentication mode.
- Select WPA2 algorithm.
- Enter passphrase.
- Click OK to save.
Step 3. Enable Bridge VLANs in Mesh
Click OK to apply that change on the Mesh Root AP.
To sync the same settings from the Mesh Root to the other Mesh nodes, go to [Mesh] > [Advanced Config Sync] then enable Bridge VLAN to Mesh and click apply. Every node in the same Mesh group will enable Bridge VLAN to Mesh.
Step 4. Sync settings from the mesh root to the mesh nodes
Then, enable Basic Configuration Sync for Wireless LAN 2.4G and Wireless LAN 5G. The SSIDs and VLAN IDs will then apply to all the devices in the Mesh group.
After the above configuration, the devices in the Mesh group will have two SSIDs:
- SSID1 will be "Staff" linked to LAN1
- SSID2 will be "Guests" linking to LAN2
* - Please visit the DrayTek Mesh Model Compatibility page for details.
How do you rate this article?
- First Published: 10/01/2020
- Last Updated: 28/06/2023