Hi folks,

I have a 2830n currently configured with both NAT (on LAN1) and IP routed subnet (I have a block of 8 IP addresses from my ISP).

I've been trying to use VLANs to separate out public/private networks, and I'm looking to configure 3 subnets in total:

• VLAN1: Public IP range - controlled incoming & outgoing traffic via firewall, should not be able to access other subnets


• VLAN2: Private network & SSID1 - NAT'ed behind 2830 "main" public IP address, should be able to fully access other subnets and the internet, and will need port-forwarding to allow controlled access to internal services/devices


• VLAN3: SSID2 - NAT'ed behind 2830 "main" IP address, access only to Internet (including public IP range in VLAN1)

The documentation on VLAN setup is not clear to me, and everything I've tried so far has resulted in me losing connectivity to the device and having to do a factory reset! I've now enabled remote management of the router and can at least access it from the outside (I use a 3G data card on my laptop!) to revert any changes I make whenever I mess it up...

I haven't had any luck getting the VLANs configured the way I want them, and I'm not even sure if it's possible, so I thought I'd reach out to people with a little more experience on this device than I have!

Any help would be greatly appreciated!

Thanks,
-Alex

I have experienced the same issue. Whenever I create a VLAN I lose all connectivity to my 2850n. Did you find the solution? I have submitted a query to Draytek and will let you know the response.

Draytek response below worked for me:

Thanks for your email. It seems that you have enabled VLAN tagging. This option should only be used if your devices are Tagging compatible, if they are not you will not be able to gain access to the web interface.

You only need to enable the VLAN not VLAN TAG. The only box that needs to have a tick in it is the one at the top left of the screen. Please see attached screenshot.

This will enable VLAN and also allow you to gain access to the routers web interface.

Thanks Dave... not sure why, but I thought I had to check the first box or the VLAN wouldn't be active... I guess I should RTFM next time! ;)

So I've got the VLANs working now, but it still seems that the IP routed subnet is available on all VLANs, I can't specify which VLAN(s) this will be available on. Any device in my private network can be manually configured with an unused public IP address in my range, and "bypass" NAT and port forwarding rules I have altogether...

I tried disabling the IP routed subnet altogether, and configured the same public range on one of the LAN configurations, which was then specified on the VLAN, but the routed addresses were still accessible to all 4 ports on the device...

I think there may be a bug (or missing feature) here, I might get in touch with DrayTek support for this one...

Do let me know if you get anything from Draytek Support as I feel we are both trying similar things. I am currently still trying to get my eternal public IP range working. Are you saying you set this in the IP Routed Subnet? If so, are you using a dynamic or fixed IP for you WAN connection and what settings are you putting in the IP routed Subnet? I am using a dynamic IP and then setting IP Routed as below:

ISP Fixed IP Range: 0.0.0.33 – 0.0.0.37
Subnet: 255.255.255.248
Network Address: 0.0.0.32
Gateway: 0.0.0.38

IP Address: Using the gateway my ISP gave me - 0.0.0.38
Subnet: Again, as given by ISP. 255.255.255.248

DHCP: Start IP Address: 0.0.0.33
IP Pool Counts: 5
Use LAN Port left unticked. P1 and P2 left ticked. Use MAC Address left ticked.

To get the public IP range working is relatively simple, first you configure it for NAT, and then you enable the public IP range. Have a look at this article for more info: http://support.zen.co.uk/kb/Knowledgebase/Vigor-2800-Series-Routed-IP-setup

Once I did this, in the LAN "General Setup" screen I see the 4 LAN options and an "IP Routed Subnet" appears as a 5th LAN.

Mind you, I'm not using DHCP on the public subnet - I have the same subnet as you (8 IP addresses) and DHCP isn't really useful for the public IPs in my case...

Hope this helps...

Once I got the VLAN stuff to work, I configured the same IP range on LAN 2, and disabled the "IP Routed Subnet" LAN. This is where I was hoping to use the VLAN setup to separate the public IP range on ports 2-4 of the switch and keep port 1 just for the NAT'ed private subnet (192.168.x.x); but I still see the public range is available on port 1 as well (if a device is manually configured with one of my public IP addresses)...