DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2860n port based VLAN subnets

03 Apr 2017 14:16 #1 by nogaff
2860n port based VLAN subnets was created by nogaff
I want to achieve exactly the same configuration described under "Port Based VLANs" on http://www.draytek.co.uk/information/our-technology/vlans where there are 2 VLANs with different subnets but one of the physical ports is common to both VLANs.

The article shows a 2860 series router and specifically states:

"See how Port 4 is in both VLANs, so the device (PC) connected to port 4 will be able to communicate with all devices in VLAN0 and VLAN1 but all other devices will be restricted to devices within their own VLAN... If a port is common to more than one VLAN, your router will automatically route between the VLANs if they are in different subnets so your PC does not have to have multiple IP addresses."

However, when I try to do the same thing:
the PC attached to P1 can't communicate with the device attached to P6.

Is there some additional configuration required or is the article just lying about this capability? :?


03 Apr 2017 15:26 #2 by gilbad
Replied by gilbad on topic Re: 2860n port based VLAN subnets
Hi,

Think I get what you are doing.

If you goto 'LAN' - 'General Setup' and review the bottom part 'Inter-LAN routing'

I would be checking that LAN1(VLAN0) and LAN2(VLAN1) are routable.

Cheers


03 Apr 2017 16:52 #3 by nogaff
Replied by nogaff on topic Re: 2860n port based VLAN subnets
I did actually try that, but enabling Inter-LAN Routing means any device on LAN1 can communicate with LAN2; not just the PC connected to P1.

I need the device attached to P6 to only be accessible by the PC connected to P1. Any other devices on LAN1 (ports 2 through 5) should not be able to access LAN2.

That's exactly the scenario the article describes, yet I came across this thread which suggests it's neither possible on a 2860, nor recommended on other models...


03 Apr 2017 18:21 #4 by piste basher
Replied by piste basher on topic Re: 2860n port based VLAN subnets
How does the PC on port 1 decide which subnet to belong to?


03 Apr 2017 18:37 #5 by nogaff
Replied by nogaff on topic Re: 2860n port based VLAN subnets
Not sure if that's supposed to be a rhetorical question or not... :P

Anyway, the PC is using DHCP and is getting put into the LAN1 subnet, but again, the article I linked states: "If a port is common to more than one VLAN, your router will automatically route between the VLANs if they are in different subnets so your PC does not have to have multiple IP addresses."


03 Apr 2017 23:09 #6 by gilbad
Replied by gilbad on topic Re: 2860n port based VLAN subnets
Ok - this is a bit of a tough one without knowing exactly what you are trying to achieve.

But for a worked example (think this is pretty much what you have)
(LAN - VLAN)
P1 - access to VLAN0 & VLAN1
P2 - access to VLAN0 only
P3 - access to VLAN0 only
P4 - access to VLAN0 only
P6 - access to VLAN1 only

on P1 we have a server, this deals with file shares for general office users and hosts an intranet site.
P2, P3, P4 all go to downstream switches or computers that we consider trusted.
P6 has a public terminal for internet browsing and access to the intranet, we may expand this in the future with a downstream switch.

(LAN - General Setup, Details page of LAN)
We give LAN1 (VLAN0) IP address range of 192.168.10.0/24 (gateway 192.168.10.1) DHCP 192.168.10.20-120 (or whatever)
We give LAN2 (VLAN1) IP address range of 192.168.50.0/24 (gateway 192.168.50.1) DHCP 192.168.50.20-120 (or whatever)

We assign the server on P1 with a static IP address (belt and braces.... on router by MAC binding (LAN- Bind IP to MAC) and locally on NIC config) 192.168.10.2

We enable inter-lan routing LAN1 & LAN2 (LAN - General Setup)

We now create 2 firewall/filter rules in an active chain. (Firewall - Filter) (so somewhere in the chain following default data filter)

Direction: LAN/DMZ/RT/VPN -> LAN/DMZ/RT/VPN
Source: Type 'Subnet' 192.168.50.1, 255.255.255.0
Destination: Type 'Single Address' 192.168.10.2
Filter: Pass immediately
(in the real world we'd specify the specific ports allowed to secure smb etc, but for this example we'll give blanket access)

Direction: LAN/DMZ/RT/VPN -> LAN/DMZ/RT/VPN
Source: Type 'Subnet' 192.168.50.1, 255.255.255.0
Destination: Type 'Subnet' 192.168.10.1, 255.255.255.0
Filter: Block immediately

So in summary we need to setup routing between the LANS, then we use access control lists/firewall to restrict who/what can use them. Importantly we pass before we block! The pass rule must be higher in the chain / filter list.

Cheers
Adam

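An added example (not part of the thread and not DrayTek's code): a short Python model of the first-match filter chain Adam describes above, with his two rules transcribed as the router UI shows them. It checks the point he stresses, that the pass rule has to sit above the block rule, by flagging the pass rule as shadowed when the order is reversed. It also shows what the two rules do not cover: with inter-LAN routing enabled, a flow from a LAN1 host toward LAN2 matches neither rule and falls through to the default, so nogaff's "ports 2 through 5 must not reach LAN2" requirement would need a further rule in the other direction. The model is deliberately simple (stateless, per-flow, first match wins) and the sample host addresses 192.168.50.30 and 192.168.10.25 are constructed.

```python
"""First-match filter chain model for the two rules in the post.

Added example, not from the original thread or DrayTek firmware. Each rule is
(source network, destination network, action); the chain is walked in order
and the first match decides. A stateless, per-flow simplification of a real
router's filter, enough to reason about rule ordering.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "pass" or "block"; first matching rule wins


def rule(name, src, dst, action):
    # strict=False lets us write the network exactly as the router UI shows
    # it ("192.168.50.1/255.255.255.0") instead of the canonical /24.
    return Rule(name,
                ipaddress.ip_network(src, strict=False),
                ipaddress.ip_network(dst, strict=False),
                action)


# The two rules from the post, in the order the post says they must appear.
RULES = [
    rule("pass VLAN1 -> server",
         "192.168.50.1/255.255.255.0", "192.168.10.2/32", "pass"),
    rule("block VLAN1 -> LAN1",
         "192.168.50.1/255.255.255.0", "192.168.10.1/255.255.255.0", "block"),
]

# Inter-LAN routing is enabled, so anything no rule matches is routed.
DEFAULT_ACTION = "pass"


def evaluate(rules, src_ip, dst_ip, default=DEFAULT_ACTION):
    """Return (action, name of the rule that decided) for one src->dst flow."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in r.src and dst in r.dst:
            return r.action, r.name
    return default, "default (inter-LAN routing)"


def shadowed_rules(rules):
    """Names of rules that can never match: an earlier rule with a different
    action already covers every src/dst pair they would match."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.action != later.action
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed sample hosts: a DHCP lease on the public terminal (P6), a DHCP
# lease on a trusted office PC (P2), and the server's static address from the post.
TERMINAL = "192.168.50.30"
OFFICE_PC = "192.168.10.25"
SERVER = "192.168.10.2"


def policy_report(rules=RULES):
    """Decision for the three flows that matter in the thread."""
    return {
        "terminal->server": evaluate(rules, TERMINAL, SERVER)[0],
        "terminal->office_pc": evaluate(rules, TERMINAL, OFFICE_PC)[0],
        "office_pc->terminal": evaluate(rules, OFFICE_PC, TERMINAL)[0],
    }


if __name__ == "__main__":
    reversed_rules = list(reversed(RULES))
    print("pass above block:", policy_report(RULES), shadowed_rules(RULES))
    print("block above pass:", policy_report(reversed_rules),
          shadowed_rules(reversed_rules))
```

With the rules in the posted order the terminal reaches the server and nothing else on LAN1, and no rule is shadowed. Swap the two rules and the terminal loses the server as well, because the broader block rule now matches first; `shadowed_rules` reports the pass rule as dead. In both orders the office PC to terminal flow is decided by the default, which is the gap to fill if LAN1 hosts must be kept out of LAN2.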