DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Draytek 3900 - 2 VLAN's, 1 Windows DHCP server... stuck

29 Jun 2014 21:49 #80445 by condi
Hi all,

To explain my setup:

> Draytek 3900 multi-wan gateway
> Windows SBS 2011 Standard (handles DHCP, DNS, etc...)
> Draytek is using first LAN port as 192.168.1.254 / 255.255.255.0
> SBS 2011 server is at 192.168.1.200
> Everything on the network at present passes through LAN1 on the Draytek and is issued an IP by our server... standard stuff


What I'm trying to achieve:

> Enable the second LAN port on the 3900 as a VLAN
> For now, run a wireless AP on this VLAN
> LAN1/VLAN10 is the master and can see and access devices on LAN2/VLAN20
> LAN2/VLAN20 cannot access devices on LAN1/VLAN10 but needs to be able to see the DHCP server there (192.168.1.200)
> I don't want the requirement of devices on LAN2 (VLAN20) to have to tag themselves as VLAN20... maybe this doesn't apply?


Where I'm at:

> LAN1 & LAN2 ports are enabled on the 3900
> LAN1 is 192.168.1.254 and LAN2 is 192.168.2.254 - both on the 255.255.255.0 subnet
> VLANs are set up for each port (LAN1 = 10 and LAN2 = 20)
> LAN1 is a member of VLAN10 and untagged in VLAN10
> LAN2 is a member of VLAN20, no untagging
> 2 scopes are set up on SBS server (192.168.1.x and 192.168.2.x - both on the 255.255.255.0 subnet)
> Each DHCP scope is programmed to the relevant Router IP (LAN1 scope is pointing to ...1.254 and LAN2 scope to ...2.254)
> Devices on LAN1/VLAN10 can access and ping LAN2 (192.168.2.254)


What's the problem:

Simply, plugging into LAN2 and I cannot get an IP address from the SBS server

If I plug my laptop directly into the LAN2 port, it is not issued an IP address in the 2.x range as I hoped. If I manually assign a 2.x range IP to my laptop's adapter, I can ping the LAN2 gateway (...2.254) - but no more

Following the (largely non-existent) guides for similar Draytek equipment... some settings that seem to apply are:

> Inter-LAN Routing (LAN > Static Route > Inter-LAN Route) is enabled
> DHCP Relay (LAN > General Setup > DHCP Relay) is/was enabled for LAN2. I'm asked first for a port to select, which happens to only show WAN and USB ports (no LAN1) but I can skip this and enter the 192.168.1.200 IP of the SBS server. Enabling /disabling this makes no difference

I'm beat at this stage. I'm at possibly the lowest level of VLAN implementation (bear in mind, there's no switches to configure... simply one device on LAN2)... yet I cannot seem to get it working

Can anyone advise? I'm hoping that in the settings and config I've posted above I've made a blatantly obvious mistake. If not, I can post screenshots if required


Many thanks,

Conor J
Ireland

30 Jun 2014 21:53 #80463 by redmonkey
I don't think you can do it like that, I'm not sure that broadcast packets go between vlans which you kind of need to enable dhcp. You may have two adapters in different ranges on your sbs server but different ip range doesn't mean different vlan. You may need to tag your 192.168.2.x adapter on your sbs server as vlan 20 so that it is broadcasting along with the vlan 20 devices. Alternatively just plug a switch into lan2 on the 3900 and connect the sbs 192.168.2.x network card to the switch along with the ap.

30 Jun 2014 23:38 #80467 by redmonkey
Another point to question is whether you really need the sbs server to give out the ip addresses for vlan 20? If you do then you definitely need to either setup a virtual interface tagged to vlan 20 or plug the physical network interface into a switch that is using vlan 20 as untagged. I would probably just get the 3900 to be the dhcp server for vlan 20 and have inter lan routing enabled. I'm not too sure how to enable one way vlan access on the 3900 though.

01 Jul 2014 00:42 #80469 by condi
Thanks for the replies redmonkey,

AFAIK, SBS only supports one NIC. Further, the particular server handling DHCP is one of 3 VMs on our physical server, which might limit me somewhat

I had the understanding that if a "DHCP request" came up through LAN2 (.2.x) to the SBS server, that a 2.x IP would be issued from the 2.x pool on the server. This meaning there was no requirement to manage VLAN tagging / ID's on the DHCP server. However, I could never see a method for pointing LAN2 towards the SBS DHCP server on 192.168.1.200 (DHCP relay as mentioned in OP seems a bit... broken/unsuitable)

Re. your second post, I've been mulling for a while about moving DHCP, DNS, etc... off the server and onto the 3900. Another VM server handles VPN connections and this caused me issues in the past. The only benefit I can see with having VPN management on the server is AD integration... but I can't actually see any benefits of having DHCP or DNS on the server. I'm sure others will say there are plenty of benefits of having these components handled by the server, but my limited knowledge and small requirements don't reveal any just yet

One issue I see with having the 3900 handle DHCP for LAN2 - I've seen SBS shut down its DHCP service previously when another DHCP server was detected on the network. I'm told this is standard behaviour

The last part about controlling cross-LAN access (LAN1 can see LAN2... LAN2 cannot see LAN1) - I guess this is managed through the VLAN membership feature

I'm both confused and amused!

01 Jul 2014 10:03 #80470 by redmonkey
Ok well firstly ip range is not relevant to a vlan in this sense. They are different layers in the tcp stack. Imagine two roads parallel to each other (or those american roads that have layers of roads on top of each other) they might both be going north but you can't see the cars on the other road (the road is the vlan the cars are the devices / ip addresses). So your 2.x interface in the sbs server unless it is tagged as vlan 20 is actually on vlan 10 (the default). So devices requesting addresses on the vlan 20 don't have a dhcp server on their vlan (road). I think it is quite easy to tag the interface with vlan 20 on the sbs server (configure adapter properties, advanced, vlan id), although I am more familiar with linux setups. Once you have tagged the interface as vlan 20 your vlan 20 devices should be able to see the dhcp server and get an address. In the other direction if you enable the dhcp server on the 3900 for vlan 20, if the sbs server does not have an interface tagged or untagged as vlan 20 it won't see the broadcast packets / 3900 dhcp server.
With regards to one way access to the vlans, I don't think it works just in a membership kind of way, what actually happens is that the 3900 routes the connections. So your 1.x nic on the server wants to ping 2.20, the ping travels to the gateway (the router) which realises that that device exists on vlan 20 and tags the ping request with vlan 20 and sends it to the device on vlan 20, the same in reverse. To stop direction in one way you need some firewall settings I would have thought.
Which is the reason why broadcast packets are dropped between the vlans, because the router is routing between vlans, and broadcast packets are really meant to be broadcast until the first hop or route. Imagine every router in the world broadcasting all broadcast packets from every network, the internet would be rather slow.

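As an added illustration (not code from the thread, from DrayTek or from Microsoft), here is a small Python model of the DHCP behaviour discussed above: a client's DISCOVER broadcast only reaches a server in the same VLAN, and a relay agent is what turns it into a unicast the server can answer. The model follows the RFC 2131 rule that a server picks the scope containing giaddr (the relay agent's address) when one is set, and otherwise the scope of its own interface. The server address, router addresses and scope subnets mirror the thread's setup; the pool ranges, MAC addresses and the `relay` switch are constructed. Whether the 3900's "DHCP Relay" option fills giaddr with the LAN2 address in the way this model assumes is not something the thread confirms.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Scope:
    """One DHCP scope as it would be configured on the Windows DHCP server."""
    network: ipaddress.IPv4Network
    router: ipaddress.IPv4Address      # the "Router" option handed to clients
    first: int                         # first host number in the pool (constructed)
    last: int                          # last host number in the pool (constructed)
    leased: set = field(default_factory=set)

    def next_free(self) -> Optional[ipaddress.IPv4Address]:
        for host in range(self.first, self.last + 1):
            ip = self.network.network_address + host
            if ip not in self.leased:
                return ip
        return None


@dataclass
class Discover:
    client_mac: str
    giaddr: str   # relay agent address; "0.0.0.0" when the request was not relayed


class DhcpServer:
    """Scope selection per RFC 2131 4.3.1: giaddr's subnet if relayed,
    otherwise the subnet of the interface the broadcast arrived on."""

    def __init__(self, own_ip: str, scopes: list):
        self.own_ip = ipaddress.ip_address(own_ip)
        self.scopes = scopes

    def select_scope(self, disc: Discover) -> Optional[Scope]:
        giaddr = ipaddress.ip_address(disc.giaddr)
        key = self.own_ip if giaddr.is_unspecified else giaddr
        return next((s for s in self.scopes if key in s.network), None)

    def offer(self, disc: Discover) -> Optional[dict]:
        scope = self.select_scope(disc)
        if scope is None:
            return None
        ip = scope.next_free()
        if ip is None:
            return None
        scope.leased.add(ip)
        return {"yiaddr": str(ip), "router": str(scope.router),
                "mask": str(scope.network.netmask)}


class Router:
    """Gateway with one IP per VLAN and an optional DHCP relay agent.
    Broadcasts are never forwarded between VLANs; only the relay crosses them."""

    def __init__(self, vlan_ips: dict, server: DhcpServer,
                 server_vlan: int, relay: bool):
        self.vlan_ips = vlan_ips        # {vlan id: router address on that VLAN}
        self.server = server
        self.server_vlan = server_vlan  # VLAN the server's single NIC sits in
        self.relay = relay              # hypothetical stand-in for "DHCP Relay"

    def client_broadcast(self, vlan: int, client_mac: str) -> Optional[dict]:
        if vlan == self.server_vlan:
            # Same broadcast domain: the server hears the DISCOVER directly.
            return self.server.offer(Discover(client_mac, "0.0.0.0"))
        if not self.relay:
            # Different VLAN and no relay: the broadcast stops here, nobody answers.
            return None
        # Relay agent: unicast to the server with giaddr = router IP on client's VLAN.
        return self.server.offer(Discover(client_mac, self.vlan_ips[vlan]))


def build_server() -> DhcpServer:
    # Addresses from the thread; pool bounds are constructed.
    return DhcpServer("192.168.1.200", [
        Scope(ipaddress.ip_network("192.168.1.0/24"),
              ipaddress.ip_address("192.168.1.254"), 10, 100),
        Scope(ipaddress.ip_network("192.168.2.0/24"),
              ipaddress.ip_address("192.168.2.254"), 10, 100),
    ])


def simulate(relay_enabled: bool) -> dict:
    """One laptop broadcasting on VLAN10 and one on VLAN20; returns the offers."""
    router = Router({10: "192.168.1.254", 20: "192.168.2.254"},
                    build_server(), server_vlan=10, relay=relay_enabled)
    return {
        "vlan10_laptop": router.client_broadcast(10, "aa:bb:cc:00:00:01"),
        "vlan20_laptop": router.client_broadcast(20, "aa:bb:cc:00:00:02"),
    }


if __name__ == "__main__":
    for relay in (False, True):
        print(f"relay={relay}: {simulate(relay)}")
```

With `relay=False` the VLAN20 laptop gets nothing, which is the symptom in the first post; with `relay=True` the same request reaches 192.168.1.200 carrying giaddr 192.168.2.254 and is answered from the 2.x scope with the 2.254 router, without the server needing a VLAN20-tagged interface of its own. The second DHCP scope on the server is therefore only useful once something (a relay, or a tagged interface as redmonkey suggests) delivers VLAN20 requests to it.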