DrayTek How To – Create Guest WLAN/Wireless SSID with VLAN Tagging

In this guide, we will be creating a guest WLAN/WiFi network and isolating it from your existing network by creating a guest VLAN and putting all devices on that VLAN on a separate subnet. This can be scaled to create numerous VLANs, but we’ll just be creating two (your own network and a guest network).

We’ll be using LAN1 for your internal network, and LAN2 for your guest network. If your router has WiFi enabled, we’ll also be using SSID1 for the internal network and SSID2 for the guest network. This can be tweaked but make sure you do it properly.

1. Configure VLAN Tagging

The first step here is to create the new VLAN Tag on your central router. To do this, head to VLAN (LAN > VLAN).

Ensure Enable is ticked in the top left, and then enter the following details:

VLAN0: tick all of the ports on the LAN segment (for my router, there are only 4 ports so P1 through P4 are all ticked – a Vigor 2925, for example, will have 5 – tick all of them). If your router does WiFi, tick SSID1. Then select LAN1 from the Subnet dropdown menu. For the VLAN Tag section, make sure Enable is unticked and VID is set to 0.

VLAN1: As before, tick all of the ports on the LAN segment. If your router does WiFi, tick SSID2. Then select LAN2 from the Subnet dropdown menu. For the VLAN Tag section, make sure Enable is ticked and VID is set to 2.

Scroll down and click OK and reboot the router.

2. Configure LAN2

The next step is to configure LAN2 to your needs. Head to General Setup (LAN > General Setup) and click Details Page on the LAN 2 row.

Enter the following details (if you tweak them, make sure you use a different IP range from your other LANs).

Network Configuration:
Enable: Selected
For NAT Usage: Selected
IP Address: enter an IP for your DrayTek router on this LAN – I’m using 10.0.0.253
Subnet Mask: 255.255.255.0 (tweak if needed)

DHCP Server Configuration:
Enable Server: Selected
Start IP Address: 10.0.0.50 (tweak if needed)
IP Pool Counts: 100 (tweak if needed)
Gateway IP Address: Make this the same as the IP address you set earlier (again, I’ve used 10.0.0.253)

Click OK and reboot your router.

3. Wireless Configuration

If you use the built in WiFi on your DrayTek router, follow step 3a. For DrayTek VigorAPs (such as the VigorAP 902), follow step 3b. You can also push these settings out via an AP Profile if you push config out to your DrayTek VigorAPs by just associating the correct VLAN tag in the SSID configurations during the profile wizard (read the steps on 3b to know what to enter and which boxes to tick if you’re unsure).

For other access point brands, follow their own documentation – this guide is only for DrayTek gear.

3a. Built in wireless on DrayTek Router

The DrayTek router uses the settings configured in the VLAN section to define which VLAN tag each SSID uses, so tweak the configuration below if you associated a different SSID with the guest VLAN tag. Repeat these steps if your DrayTek router also supports 5GHz networks.

Head to General Setting IEEE 802.11 (Wireless LAN > General Setup) and ensure Enable Wireless LAN is ticked.

For SSID 1 set the SSID name and make sure Isolate Member and Isolate VPN are both unticked.

Then for SSID2, tick Enable and enter the network name and tick Isolate Member.

Click OK.

You’ll need to configure security and WiFi network passwords separately.

3b. DrayTek VigorAPs

Ensure your DrayTek VigorAP is plugged into your network and head to its user interface. Then head to the Wireless LAN config settings (Wireless LAN 2.4GHz > General Setup). My guest network is only on the 2.4GHz spectrum as I want 5GHz to be only for the internal network, but tweak/repeat if you want the guest network to be on both spectrums or just 5GHz (this depends on whether your AP supports it).

Make sure Enable Wireless LAN is ticked.

For SSID1, enter the SSID name, untick Isolate Member if it is ticked, and leave VLAN ID as 0 (untagged).

For SSID2, make sure Enable is ticked and enter the SSID. Then, tick Isolate Member and enter 2 in the VLAN Tag box.

Click OK.

You’ll need to configure the password separately under the Security section of each Wireless LAN section (if your router supports 2.4GHz and 5GHz).

All done! Test connecting to your guest WiFi network, and check you have been given an IP address from the LAN2 subnet.
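The following is an added example (my own code, not DrayTek’s) that models the VLAN table from step 1 and the LAN2 settings from step 2 and checks them for the mistakes that usually break guest isolation: an SSID ticked in two VLANs, a tagged VLAN with VID 0, a DHCP pool that runs past the subnet, a gateway that is not the router IP, or two LANs whose ranges overlap. It also implements the final "did I get a LAN2 address?" check. The guide does not give LAN1’s addressing, so the 192.168.1.0/24 values below are constructed for the example.

```python
# Added example (not DrayTek's code): models the VLAN table and LAN2 settings
# from steps 1 and 2 and checks them for the mistakes that usually break
# guest isolation. LAN1's addressing is not given in the guide; the
# 192.168.1.0/24 values below are constructed for the example.
import ipaddress
from dataclasses import dataclass


@dataclass
class Vlan:
    name: str          # VLAN0, VLAN1 ...
    subnet: str        # LAN1, LAN2 ...
    ssids: frozenset   # SSIDs ticked for this VLAN
    tagged: bool       # "Enable" in the VLAN Tag section
    vid: int           # VID in the VLAN Tag section


@dataclass
class Lan:
    name: str
    router_ip: str     # IP Address of the DrayTek on this LAN
    mask: str
    dhcp_start: str
    pool_count: int
    gateway: str


def dhcp_pool(lan):
    """First and last address handed out by this LAN's DHCP server."""
    start = ipaddress.ip_address(lan.dhcp_start)
    return start, start + (lan.pool_count - 1)


def check_vlans(vlans):
    """Problems in the VLAN table; an empty list means it is consistent.
    Ports may legitimately appear in several VLANs (the guide ticks them all),
    but an SSID must belong to exactly one VLAN or guest clients land on the
    wrong subnet."""
    problems = []
    owner = {}
    for v in vlans:
        if v.tagged and v.vid == 0:
            problems.append(f"{v.name}: tagging enabled but VID is 0")
        if not v.tagged and v.vid != 0:
            problems.append(f"{v.name}: VID {v.vid} set but tagging disabled")
        for ssid in v.ssids:
            if ssid in owner:
                problems.append(f"{ssid} is in both {owner[ssid]} and {v.name}")
            owner[ssid] = v.name
    vids = [v.vid for v in vlans if v.tagged]
    if len(vids) != len(set(vids)):
        problems.append("two tagged VLANs share a VID")
    return problems


def check_lans(lans):
    """Problems in the per-LAN IP/DHCP settings; an empty list means OK."""
    problems = []
    nets = []
    for lan in lans:
        net = ipaddress.ip_network(f"{lan.router_ip}/{lan.mask}", strict=False)
        router = ipaddress.ip_address(lan.router_ip)
        start, end = dhcp_pool(lan)
        if ipaddress.ip_address(lan.gateway) != router:
            problems.append(f"{lan.name}: gateway should be the router IP {router}")
        if start not in net or end not in net:
            problems.append(f"{lan.name}: DHCP pool {start}-{end} leaves {net}")
        if start <= router <= end:
            problems.append(f"{lan.name}: router IP {router} sits inside the DHCP pool")
        for other_name, other in nets:
            if net.overlaps(other):
                problems.append(f"{lan.name} and {other_name} overlap ({net} / {other})")
        nets.append((lan.name, net))
    return problems


def lease_is_from(lan, client_ip):
    """True if a client's address came from this LAN's DHCP pool, i.e. the
    'check you have been given an IP address from the LAN2 subnet' step."""
    start, end = dhcp_pool(lan)
    return start <= ipaddress.ip_address(client_ip) <= end


# Values from the guide (LAN1 addressing constructed, see above)
VLANS = [
    Vlan("VLAN0", "LAN1", frozenset({"SSID1"}), tagged=False, vid=0),
    Vlan("VLAN1", "LAN2", frozenset({"SSID2"}), tagged=True, vid=2),
]
LANS = [
    Lan("LAN1", "192.168.1.1", "255.255.255.0", "192.168.1.50", 100, "192.168.1.1"),
    Lan("LAN2", "10.0.0.253", "255.255.255.0", "10.0.0.50", 100, "10.0.0.253"),
]

if __name__ == "__main__":
    print("VLAN problems:", check_vlans(VLANS) or "none")
    print("LAN problems:", check_lans(LANS) or "none")
    print("10.0.0.77 from LAN2 pool:", lease_is_from(LANS[1], "10.0.0.77"))
```

With the guide’s values both checkers return an empty list, and a client at 10.0.0.77 is recognised as a LAN2 lease (pool 10.0.0.50 to 10.0.0.149). Raising IP Pool Counts to 250 on a /24 that starts at .50 is flagged twice: the pool runs past the subnet and swallows the router’s own .253 address.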

DrayTek How To – Block Access to ISP Router

This guide will walk through the steps required to block devices on your network from accessing your ISP-provided router. Specifically, it covers blocking a guest LAN from accessing the user interface of the Virgin SuperHub cable modem/router, but it can be tweaked to your own requirements.

Specific Virgin Media Notes:

Once Modem Mode is enabled on the Virgin SuperHub, the IP address it’s accessible on changes to 192.168.100.1, which can still be reached by anybody on your network.

1. Create IP Objects

The first step is to create IP Objects for the IP range you wish to prevent from accessing the ISP router, and for the ISP router itself.

To do this, head to the IP Object page on your DrayTek router (Objects Settings > IP Object). Then, click the number next to a blank unused IP Object (if you’ve never added any before, you can use 1).

Then enter the details for your guest LAN. Mine are as follows:

Name: LAN2 (Guest)
Interface: Any
Address Type: Range Address
Start IP Address: 10.0.0.0
End IP Address: 10.0.0.255

Then click OK.

Next, create another IP Object (you would typically use the next available IP Object number for this) and enter the following details. Tweak them for the router you want to block access to; I will be using the details required to block the Virgin Media SuperHub.

Name: SuperHub
Interface: Any
Address Type: Single Address
Start IP Address: 192.168.100.1

Click OK.

2. Create a Routing Policy

This next step is slightly odd. Attempting to block this via the DrayTek firewall doesn’t appear to work, so instead we create a routing policy that routes traffic from the IP range you wish to restrict, destined for the ISP modem/router, out via a virtual WAN (wide area network) interface (in this case, WAN7). This means the traffic is not blocked per se; it is instead sent out via a different WAN interface on which the ISP modem/router is not reachable.

Head to Load-Balance/Route Policy (Routing > Load-Balance/Route Policy) and click the number next to the next available routing policy (in my case, 1).

Tick Enable and enter the following details (tweak for your own setup though):

Comment: LAN2 > SuperHub

Criteria:
Protocol: Any
Source: IP Object (and then select the IP Object for the LAN range you wish to restrict – in my case LAN2 (Guest))
Destination: IP Object (then select the IP Object for the router – in my case SuperHub)
Destination Port: Any

Send via if Criteria Matched:
Interface: WAN/LAN (and then select an unused WAN interface from the list, I picked WAN7).

Click OK, and then click OK again once the list of routing policies reappears.

Now, connect to the LAN you wish to restrict and try to access the router you’re blocking access to – the router’s webpage should now refuse to load (and any other traffic to it, such as FTP, SSH, Telnet, DNS etc., will be blocked). This will not usually block internet access via this modem/router.
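As an added example (my own code, not DrayTek’s), the block below models the two IP Objects and the routing policy configured above and works out which interface a handful of constructed flows would leave on. It makes two assumptions the guide does not state: that unmatched traffic takes the normal internet route, labelled WAN1 here, and that the internal LAN uses 192.168.1.x. The `protocol` and `dst_port` checks show why the policy is left at Any for both: narrowing it to TCP port 80 would divert only the web UI and leave DNS, SSH and the rest reachable.

```python
# Added example (not DrayTek's code): models the two IP Objects and the
# Load-Balance/Route Policy from the steps above and shows which interface a
# given flow would leave on. "WAN1" as the default (internet) interface and
# the 192.168.1.x internal LAN address are assumptions for the example.
import ipaddress
from dataclasses import dataclass


@dataclass
class IpObject:
    name: str
    start: str
    end: str = ""          # empty => Address Type "Single Address"

    def contains(self, ip):
        ip = ipaddress.ip_address(ip)
        lo = ipaddress.ip_address(self.start)
        hi = ipaddress.ip_address(self.end) if self.end else lo
        return lo <= ip <= hi


@dataclass
class RoutePolicy:
    comment: str
    source: IpObject
    destination: IpObject
    interface: str         # "Send via if Criteria Matched"
    protocol: str = "Any"
    dst_port: str = "Any"
    enabled: bool = True

    def matches(self, src, dst, proto, port):
        if not self.enabled:
            return False
        if self.protocol != "Any" and self.protocol.lower() != proto.lower():
            return False
        if self.dst_port != "Any" and int(self.dst_port) != port:
            return False
        return self.source.contains(src) and self.destination.contains(dst)


def egress_interface(policies, src, dst, proto, port, default="WAN1"):
    """First matching policy wins, like the ordered policy list in the UI;
    unmatched traffic takes the normal route (assumed here to be WAN1)."""
    for p in policies:
        if p.matches(src, dst, proto, port):
            return p.interface
    return default


# IP Objects and policy exactly as entered in the guide
GUEST = IpObject("LAN2 (Guest)", "10.0.0.0", "10.0.0.255")
SUPERHUB = IpObject("SuperHub", "192.168.100.1")
POLICIES = [RoutePolicy("LAN2 > SuperHub", GUEST, SUPERHUB, "WAN7")]

# Constructed flows: (description, src, dst, proto, dst port)
FLOWS = [
    ("guest -> SuperHub web UI", "10.0.0.60", "192.168.100.1", "tcp", 80),
    ("guest -> SuperHub DNS", "10.0.0.60", "192.168.100.1", "udp", 53),
    ("guest -> internet", "10.0.0.60", "203.0.113.10", "tcp", 443),
    ("internal -> SuperHub web UI", "192.168.1.10", "192.168.100.1", "tcp", 80),
]


def route_table(policies=POLICIES, flows=FLOWS):
    """Map each flow description to the interface it would leave on."""
    return {d: egress_interface(policies, s, t, pr, po) for d, s, t, pr, po in flows}


if __name__ == "__main__":
    for desc, iface in route_table().items():
        print(f"{desc:30} -> {iface}")
```

Only the two guest-to-SuperHub flows are diverted to WAN7; guest internet traffic and the internal LAN’s access to the SuperHub stay on the normal route, which is the behaviour the final test in this guide checks for by hand.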

DrayTek How To – Force Manual DNS

Occasionally, even though you have specified your own name servers on your DrayTek router, the router does not reflect this change everywhere (for example in the DNS Security section) and instead forces you to use the DNS servers provided by your Internet Service Provider.

This is, however, very easy to fix. First, ensure your computer has Telnet installed: both Microsoft and Apple have stopped including Telnet by default in recent versions of Windows and macOS. Telnet can be enabled on Windows within the Add/Remove Windows Features utility, and on a Mac by installing it via Homebrew with brew install telnet.

Once you’re sure you have Telnet installed, open either Command Prompt on Windows (Start+R, type CMD and press Enter) or Terminal on macOS (CMD+Space and search for Terminal). Then type the following command (replacing my router’s IP with that of your DrayTek router).

telnet 172.16.1.253

You’ll then be asked for the username and password of your router; simply type them in (the default username on a DrayTek router is admin).

Once you’re connected, type the following command in:

srv dhcp frcdnsmanl on

Then reboot your router with:

sys reboot

All done! The new forced DNS servers should be reflected both in the DNS Security (Applications > DNS Security) and the Online Status panel (Online Status > Physical Connections).

Notes:

  • This has been tested on a DrayTek Vigor 2925, DrayTek Vigor 2860, and a DrayTek Vigor 2862.
  • To disable this, simply reconnect over Telnet and run the following command and then reboot:
    srv dhcp frcdnsmanl off
  • If you are unable to connect over Telnet to your router, ensure Telnet is enabled within System Maintenance > Management > LAN Access Setup. Telnet carries the admin credentials in cleartext, so only allow it from the LAN and turn it off again once you have finished.