DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Default VLAN config after the wireless wizard
- 13977
- Topic Author
- Offline
- New Member
Less
More
- Posts: 6
- Thank you received: 0
20 Aug 2024 12:08 - 20 Aug 2024 15:43 #103622
by 13977
Default VLAN config after the wireless wizard was created by 13977
I've recently setup a Vigor 2763ac and am just trying to understand the default VLAN configuration, which I've included a screensnip of below:
Default VLAN Config
The SSID's on the 2.4GHz and 5GHz bands are set to VLAN1 and VLAN2 respectively, everything else is on VLAN0. Now I assume this is because 'Isolate Member' is enabled on both 2.4GHz and 5GHz guest networks. But the subnet's for all three VLAN's are set to LAN1 so are all using the default IP range of 192.168.1.0/24.
Its probably my lack of understanding, but I would have expected them to use different subnets, so am just trying to understand how this is working. Is it three totally different isolated VLAN networks but they can each use the same subnet rage because they don't communicate with each other, but its not actually the same subnet?
Many thanks.
Default VLAN Config
The SSID's on the 2.4GHz and 5GHz bands are set to VLAN1 and VLAN2 respectively, everything else is on VLAN0. Now I assume this is because 'Isolate Member' is enabled on both 2.4GHz and 5GHz guest networks. But the subnet's for all three VLAN's are set to LAN1 so are all using the default IP range of 192.168.1.0/24.
Its probably my lack of understanding, but I would have expected them to use different subnets, so am just trying to understand how this is working. Is it three totally different isolated VLAN networks but they can each use the same subnet rage because they don't communicate with each other, but its not actually the same subnet?
Many thanks.
Last edit: 20 Aug 2024 15:43 by 13977.
Please Log in or Create an account to join the conversation.
- piste basher
- Offline
- Big Contributor
Less
More
- Posts: 1193
- Thank you received: 7
20 Aug 2024 14:24 #103625
by piste basher
Replied by piste basher on topic Default VLAN config question
As far as I'm aware the Default VLAN config would show all ports and all SSID's to be in VLAN0 and subnet LAN1, so it seems as if what you show there is not the Default config
Also, as far as I'm aware, ticking "Isolate Member" on an SSID just stops people on that SSID from communicating with each other, I didn't think that it put them on a different subnet - if you had lots of guests you'd soon run out of subnets!
Also, as far as I'm aware, ticking "Isolate Member" on an SSID just stops people on that SSID from communicating with each other, I didn't think that it put them on a different subnet - if you had lots of guests you'd soon run out of subnets!
Please Log in or Create an account to join the conversation.
- ianfretwell
- Offline
- Member
Less
More
- Posts: 113
- Thank you received: 3
20 Aug 2024 14:47 #103626
by ianfretwell
Replied by ianfretwell on topic Default VLAN config question
The 'default' VLAN configuration is to NOT be enabled in the first place. So I'm with piste basher on this - you've already made changes. And also the 'isolate member' - this has nothing to do with VLANs - it's just disallowing traffic from different SSID's to talk to each other.
Please Log in or Create an account to join the conversation.
- 13977
- Topic Author
- Offline
- New Member
Less
More
- Posts: 6
- Thank you received: 0
20 Aug 2024 15:42 #103627
by 13977
Replied by 13977 on topic Default VLAN config question
Sorry, maybe I shouldn't have used the word 'default'.
All that I've done is run through the Wireless Wizard, leaving all the settings at default, just setting the SSID names and security keys, and this is how the wizard has configured the VLAN's.
Its tells you during the wizard on the 'Guest AP Configuration' step that "The configured guest AP will not be able to access the LAN network, VPN connections, or communicate with wireless devices connecting to the router's other APs. This AP interface shall be used for Internet access only."
If I then go the wireless network setting I can see that its ticked 'Isolate Member' and 'Isolate VPN', which is why I was speculating this VALN setup from the wizard was how it had achieved he isolation. So I'm just trying to understand this VLAN configuration that it has given me.
Thanks.
All that I've done is run through the Wireless Wizard, leaving all the settings at default, just setting the SSID names and security keys, and this is how the wizard has configured the VLAN's.
Its tells you during the wizard on the 'Guest AP Configuration' step that "The configured guest AP will not be able to access the LAN network, VPN connections, or communicate with wireless devices connecting to the router's other APs. This AP interface shall be used for Internet access only."
If I then go the wireless network setting I can see that its ticked 'Isolate Member' and 'Isolate VPN', which is why I was speculating this VALN setup from the wizard was how it had achieved he isolation. So I'm just trying to understand this VLAN configuration that it has given me.
Thanks.
Please Log in or Create an account to join the conversation.
- piste basher
- Offline
- Big Contributor
Less
More
- Posts: 1193
- Thank you received: 7
20 Aug 2024 17:46 - 20 Aug 2024 17:48 #103628
by piste basher
Replied by piste basher on topic Default VLAN config question
I've just dug out an old 2926 and tried setting it up as you have with the wireless wizard (not something I've ever done before as I prefer to know what all my settings are). It does indeed create the guest network SSID's on VLAN1 and VLAN2 as you have found, but with them still on subnet LAN1.
I then connected my iPhone to the "guest" network and was able to access the router login page on 192.168.1.1 with admin credentials.........
So much for the "Guest" network not having access to anything !!!
I suggest that you forget the Wizard and set up your VLANS, SSIDs and subnets manually, so you know what's what.
I then connected my iPhone to the "guest" network and was able to access the router login page on 192.168.1.1 with admin credentials.........
So much for the "Guest" network not having access to anything !!!
I suggest that you forget the Wizard and set up your VLANS, SSIDs and subnets manually, so you know what's what.
Last edit: 20 Aug 2024 17:48 by piste basher.
The following user(s) said Thank You: 13977
Please Log in or Create an account to join the conversation.
- HodgesanDY
- Away
- Member
Less
More
- Posts: 203
- Thank you received: 16
20 Aug 2024 19:34 #103629
by HodgesanDY
Replied by HodgesanDY on topic Default VLAN config question
Hi, as odd as it may seem:
You’ll always be able to get to the router login page, at any of the subnet gateway/router IP addresses under different VLAN subnets, as the router is the central point for them all.
But If you try to access another node from one subnet to another, that you won’t be able to get through to.
The only way to block access to the router’s login page is to configure the ‘LAN Access’ tab in the ‘Management’ section.
If you had 8 subnets, say 192.168.10.0, 192.168.20.0 etc up to 192.168.80.0 and the router is always .1 of each subnet, then a node with the IP address 192.168.40.170 will always be able to access 192.168.80.1 (the router/gateway for a different subnet) or 192.168.30.1, or 192.168.50.1, and so on.
But you won’t be able to access any other node on those different subnets unless you have inter-LAN routing enabled, and no firewall rules blocking the inter-LAN routing.
You’ll always be able to get to the router login page, at any of the subnet gateway/router IP addresses under different VLAN subnets, as the router is the central point for them all.
But If you try to access another node from one subnet to another, that you won’t be able to get through to.
The only way to block access to the router’s login page is to configure the ‘LAN Access’ tab in the ‘Management’ section.
If you had 8 subnets, say 192.168.10.0, 192.168.20.0 etc up to 192.168.80.0 and the router is always .1 of each subnet, then a node with the IP address 192.168.40.170 will always be able to access 192.168.80.1 (the router/gateway for a different subnet) or 192.168.30.1, or 192.168.50.1, and so on.
But you won’t be able to access any other node on those different subnets unless you have inter-LAN routing enabled, and no firewall rules blocking the inter-LAN routing.
The following user(s) said Thank You: 13977
Please Log in or Create an account to join the conversation.
Moderators: Chris, Sami
Copyright © 2024 DrayTek