I have a Vigor 2866 router that I have started using as a wifi access point. 
Basically I wanted to setup a guest wifi SSID with a seperate LAN subnet to my main systems (192.168.1.XX). 

On access points there is option to add VLAN ID tags for each wireless SSID in the general settings menu but this is not present on the router version.  Is there any way to get this 2866 router to read VLAN IDs (that have been configured on the primary internet router) so that the appropriate LAN subnet is assigned.

Thanks! 

Hi Parpin ,

Yes. Go to the 'LAN >> VLAN Configuration' page and assign the check-box(es) corrosponding to the local SSID of 2.4GHz and 5GHz, respectively, and the VLAN you would like that SSID to be a member of.



 

Hi The router does not have this selection option - only an access point does. So unfortunately had to purchase an AP.

Hi Parpin ,

You got me curious, so I pulled out an old 2925n (older than the 2866) and started configuring it to do what you want, my only real question is, what is your “…primary internet router…”, is it a DrayTek router?

Either way, this should still work; using the 2866 as an 'Access Point':

Go to ‘WAN >> General Setup’ and disable all WANs, then go to ‘LAN >> General Setup’ and configure LAN1 by first disabling the DHCP Server option and setting the IP of the 2866 router ('Network Configuration' section) to a static IP and mask somewhere in the range of your “Primary” router’s main LAN subnet (the non guest LAN), tick the ‘Enable’ box and click ‘OK’; it will most likely ask to reboot, so 'OK' that and reboot.

Log back in to the 2866 at its new LAN1 IP you just gave it, and go to ‘LAN >> General Setup’ again but this time click on the settings for LAN2 instead. Same again, disable the DHCP Server option and set the 2866 router ('Network Configuration' section) to a static IP and mask somewhere in the range of your “Primary” router’s guest LAN subnet, ‘Enable’ that too and click ‘OK’ and it should ask to reboot again.

Log in again, and now go to the ‘LAN >> VLAN Configuration’ page, ‘Enable’ it, and tick all the VLAN0 P1-P5 tick boxes then only tick the SSID1 of 2.4GHz and SSID1 of 5GHz boxes, set the ‘Subnet’ to LAN1 and do not tick the VLAN ID tick box, leave it un-ticked.
Now on VLAN1, tick only the P1 tick box and also SSID2 of 2.4GHz and SSID2 of 5GHz tick boxes, set the ‘Subnet’ to LAN2 and this time tick the VLAN ID box and enter the ID TAG for your guest LAN used on your “Primary” router. Now ‘OK’ this page; and it may ask to reboot again. (Note: If it warns you about ticking any un-ticked Port boxes on VLAN0, then you'll need to have them all ticked to enable the VLAN functionality, so do that and click 'OK' again)

You can now configure your 'Wireless LAN >> General Setup' SSID1 & SSID2 (2.4GHz & 5GHz respectively) to match how you have it set on your other APs, minus the VLAN IDs as these are already setup, as above.

All that’s left to do now is to configure the ‘Primary’ router, or your managed switch attached to your ‘Primary’ router, so that you can connect Port 1 of the 2866 to that device’s VLAN configured port.

If it’s another DrayTek router, then in the ‘LAN >> VLAN Configuration’ page, tick whichever port will be connected to the 2866’s Port 1 on the VLAN of your main LAN, if you don’t have a VLAN ID set for that VLAN, then great, you only need to tick the port you’re connecting to the 2866 and set the 'Subnet' to the correct one if it isn't already set correctly. For the next VLAN, the guest LAN VLAN, tick the same port that connects to the 2866 and hopefully this VLAN does have an ID TAG set, which should match the one you’ve setup already on the 2866 for VLAN1 LAN2, and also the correct 'Subnet' that is your guest LAN subnet.
(Note, if your main LAN does have a VLAN ID TAG set against it, then you’ll need to go back to the 2866 and enable the ID TAG option and enter that same matching ID number there too.)

If it’s a managed switch your 2866 is connecting to, then setup the switch port as an ‘Access Port’ assigning your main LAN VLAN to it, and also add a Tagged ID to it of your guest VLAN as well; sometimes causing the port to become a "Hybrid" port rather than an 'Access Port', but you get the idea, un-tagged = main LAN, tagged = guest LAN.

With all that done, your 2866 should now be a working AP like the rest you have in-play.


I have just tested this using a 2862ac connected directly to the 2925n, using both the Tagged and Un-Tagged methods, tested separately, and both work fine with the main LAN VLAN.

Thanks -
That's strange, my main router is draytek (3912) where I configure the VLAN configuration including tags, as I want to keep work related network and general access totally separate.

On my 2866 (which now using as AP) it does no allow the VLAN tag IDs to be entered. (But you can on a proper access point).
I called Draytek support and they said an AP allows a common gateway IP for all VLANs (which makes sense as you need one common gateway for traffic) but the router does not have this.

I can see how your method could work, seems you are mirroring the VLAN config on the main router on the 2866 being used as an AP? But how does this work with hard wired equipment on main router (on 192.168.1.XX subnet via primary router) and wifi connected devices (on 192.168.1..XX via AP[2866]) - can they communicate?

This is not something I tried - I must admin gave up and just got a draytek AP and it works straight away.

Hi  Parpin ,

Yes, of course, you can just buy a new AP for the ease of setup, and I have many APs with this very option - all of which are using VLAN IDs for their individual SSIDs. I got the impression though, that you wanted to know how to setup a 2866 as an access point using VLAN IDs:

 Is there any way to get this 2866 router to read VLAN IDs (that have been configured on the primary internet router) so that the appropriate LAN subnet is assigned.

With regards to the gateway factor of an AP, when it comes to a Vigor router being used as an AP it's a little more complicated - mainly because the router is tailored more towards routing traffic rather than just being an access point. Either way, the VLAN traffic can still be routed to the 2866 and it can forward that traffic to wherever it needs to go with a bit of configuration factored in, in this case it just needs to go to the individual SSID(s).

In the same way that an unmanaged switch can pass VLAN traffic through itself (an unmanaged switch has no gateway address setting), the 2866 acting as an AP doesn't need to know about gateway addresses and can also pass traffic through itself. As long as you enable a separate LAN on the 2866 for each VLAN to be assigned to, you can then assign that traffic's path to the SSID(s). 

VLAN ID tagging is designed to be used across various pieces of network hardware. As long as the hardware is intelligent enough to understand how to read the tagged packet and process it, it can be used to maintain the segregated traffic; obviously if it is passing straight through an unmanaged switch, then it doesn't need to be read, it simply gets forwarded on as-is.

When you say my configuration mirrors the main router, well yes, it has to, so that the traffic can be routed to the correct SSID on the 2925n. There are a total of four SSIDs on your 2866, if using both 2.4GHz & 5GHz paired together, or eight if using them individually. So you could ultimately setup a trunk port from your 3912 to the 2866 to route a total of eight separate subnets using eight individual VLAN IDs. When the 2866 receives all those VLAN tagged packets it can read them and forward the relevant traffic to wherever you configure it to be routed on to.

The main router (your 3912) is still reachable by the device(s) connecting to the SSID(s) on the 2866 because you can configure a path for their traffic to be routed through the 2866 using the VLAN ID tags and the 8x local LANs, all via the VLAN configuration page. Once that wireless device's traffic is flowing through to the 3912 along the correctly configured VLAN path, it will find the DHCP server (unless you're only using static addresses which I doubt) and be given an IP address and gateway address relevant to that subnet.

 But how does this work with hard wired equipment on main router (on 192.168.1.XX subnet via primary router) and wifi connected devices (on 192.168.1..XX via AP[2866]) - can they communicate?

The flow path would be like this: The wireless device communicates with the SSID using untagged packets, the SSID receives those untagged packets and immediately tags the packets with the relevant VLAN ID number and routes the packets out of the 2866's Port 1 onwards to your 3912's port, where the 3912 reads (and removes) the VLAN ID tag contained in the packet and internally routes the packet where it needs to go, either to an internal DHCP server (on the 3912) or onwards to an external DHCP server for example, or possibly routes it to another one of the local VLAN subnets or even straight out onto the internet via a WAN port. If the packet were intended for another VLAN subnet then it would be re-tagged with that relevant subnet's ID tag and forwarded on its merry way out of another port or even the same port it came in on. Tagging happens on the egress, and reading & removing happens on the ingress.