DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2860n port based VLAN subnets

04 Apr 2017 11:38 #7 by nogaff
Replied by nogaff on topic Re: 2860n port based VLAN subnets
Thanks Adam.

This is just a small home network, but the situation is that I've got a Synology NAS attached to P6 which I want to keep segregated from the rest of the network, hence the VLANs. Nothing should be able to access the NAS except for the PC on P1, but I also want the PC to be able to access other devices on VLAN0, e.g. a DVR, an Android phone, a printer, etc. The NAS also needs internet access to download automatic updates.

I guess I can use firewall rules as you suggest, but then doesn't that make the VLANs a bit pointless? Presumably I could just give the PC and the NAS static IP addresses on the same subnet and still firewall the NAS off from other devices as you described, not even bothering with VLANs?

What I'm really trying to ascertain is whether the article I linked in my OP is factually inaccurate, because if so, Draytek should really amend it and stop providing false information...

04 Apr 2017 12:16 #8 by piste basher
Replied by piste basher on topic Re: 2860n port based VLAN subnets
My question was supposed to prompt thoughts about what might be happening here :D

You don't say whether or not you have DHCP running on LAN2, but if so then running multiple untagged VLANs on a single port is bound to cause problems because of DHCP clashes, even though the tick-boxes in the config allow you to do it.

Use tags to ID the VLANs or use fixed IPs on devices as suggested above.

Disclaimer - I know very little :lol:

04 Apr 2017 12:34 #9 by nogaff
Replied by nogaff on topic Re: 2860n port based VLAN subnets
Hehe, fair enough.

Yes, I do have DHCP enabled on LAN2 but I could certainly disable it since the NAS is the only device on that subnet and it can be configured with a static IP. If I tagged the VLANs wouldn't the PC need to somehow switch tags depending on which VLAN it was talking to? (I know practically nothing about tag-based VLANs).

Anyway, I'd still like to find out whether this mystical "automatic routing" that the website describes is actually complete bull**** or not. I've now sent a tech support request to Draytek asking the question, but I'm not sure I hold out much hope! :lol:

04 Apr 2017 15:06 #10 by piste basher
Replied by piste basher on topic Re: 2860n port based VLAN subnets
I think they are probably right but have omitted to mention the need to avoid DHCP conflicts. Still, let's see what they say.

I would disable DHCP on LAN2. Can you also give the PC a fixed IP on LAN1? No need to disable DHCP there, just use IP/MAC binding.

If you do that I don't see any reason why your setup shouldn't work.

04 Apr 2017 16:18 #11 by nogaff
Replied by nogaff on topic Re: 2860n port based VLAN subnets
As it happens, I had already bound the PC to an IP on LAN1.

Disabling DHCP on LAN2 and configuring the NAS with a static IP hasn't made any difference though, I'm afraid.

Anyway, I've now been given a reference number for my support ticket so hopefully I'll have an answer from Draytek soon enough. I'll post back when I hear something, but any further suggestions are still welcome in the meantime.

07 Apr 2017 17:15 #12 by nogaff
Replied by nogaff on topic Re: 2860n port based VLAN subnets
Well, according to Draytek tech support this is just not possible the way their website describes.

First of all they advised me to enable Inter-LAN Routing and use firewall rules to achieve what I want, just as gilbad's post suggested.

Then I asked, "So what's the point in being able to assign a single port to more than one VLAN?"

Their response was that for ports shared by two VLANs, the VLANs need to be in the same subnet for the shared port to be of any particular use.

I pointed out how this contradicts the website's statement that "If a port is common to more than one VLAN, your router will automatically route between the VLANs if they are in different subnets" and they said they would look into amending the website if necessary.

So there you have it! The website is wrong and the router can't route between different subnets on the same port. At least we know for definite now.

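The outcome of the thread (Inter-LAN Routing enabled, with firewall rules deciding who may reach the NAS) can be sanity-checked as a first-match rule model before it is typed into the router. This is an added example, not part of any post and not DrayTek configuration syntax; the addresses, rule names and the `decide`/`audit` helpers are constructed for illustration, and it assumes a stateful firewall that evaluates rules in order.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the thread's layout (not taken from the posts).
LAN1 = ip_network("192.168.1.0/24")   # VLAN0: PC, DVR, phone, printer
LAN2 = ip_network("192.168.2.0/24")   # VLAN1: the NAS only
PC = ip_address("192.168.1.10")       # fixed via IP/MAC binding
NAS = ip_address("192.168.2.10")      # static, DHCP disabled on LAN2
ANY = ip_network("0.0.0.0/0")

def host(addr):
    """Single-address network, so hosts and subnets match the same way."""
    return ip_network(f"{addr}/32")

# Ordered rules for NEW connections: (name, source, destination, action).
# Assumption: the firewall is stateful, so replies to allowed flows pass.
# Same-subnet traffic (PC to printer) is switched and never reaches these.
RULES = [
    ("pc-to-nas", host(PC), host(NAS), "allow"),
    ("lan1-to-lan2", LAN1, LAN2, "block"),
    ("lan2-to-lan1", LAN2, LAN1, "block"),
    ("nas-to-internet", host(NAS), ANY, "allow"),
]

def decide(src, dst, rules=RULES, default="block"):
    """Return (action, rule_name) for the first rule matching src -> dst."""
    s, d = ip_address(src), ip_address(dst)
    for name, src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return action, name
    return default, "default"

def audit(rules=RULES):
    """Check a rule list against the goals stated in the thread."""
    other = "192.168.1.30"            # constructed: any other LAN1 device
    return {
        "PC reaches NAS": decide(PC, NAS, rules)[0] == "allow",
        "other LAN1 device cannot reach NAS": decide(other, NAS, rules)[0] == "block",
        "NAS cannot open connections into LAN1": decide(NAS, other, rules)[0] == "block",
        "NAS reaches update server": decide(NAS, "203.0.113.5", rules)[0] == "allow",
    }

if __name__ == "__main__":
    for goal, ok in audit().items():
        print(f"{'PASS' if ok else 'FAIL'}  {goal}")
```

Rule order carries the policy: moving the broad `nas-to-internet` allow above the inter-LAN blocks lets the NAS open connections into LAN1, which `audit` reports as a failed goal.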