DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Vigor 2925 + AP900 guest WLAN isolation

30 Sep 2020 03:20 #1 by dr_t
I'm trying to set up a Vigor 2925 and some AP900s set up as wireless extenders (mode = AP Bridge-WDS) to provide two SSIDs (SSID1 and SSID2), SSID2 being a guest WLAN which can access the Internet but not my LAN. The primary LAN (LAN1, SSID1 + wired clients) has its own DHCP server, so the Vigor 2925 does not provide a DHCP service to LAN1. The Vigor 2925 is set up to provide a DHCP service to LAN2 (SSID2). The two DHCP servers serve entirely separate IP address spaces.

I've followed the instructions on https://www.draytek.com/support/knowledge-base/5320 to set up a second guest SSID, two VLANs - VLAN0 (P1,P2,P3,P4,P5, SSID1) and VLAN1 (SSID2), where VLAN1 has the VLAN Tag enabled and set to 1. The Inter-LAN routing is set up so that LAN1 only routes to LAN1 and LAN2 only routes to LAN2.

Each of the AP900s is also set up so that SSID2 traffic is tagged with a VLAN ID of 1. SSID1 traffic is untagged.

I've tried all possible permutations (set up consistently on the Vigor 2925 and all the AP900s) of settings of "Isolate LAN" and "Isolate Member" for SSID2.

The problem I get is that the two LANs end up not being isolated: both clients connecting to SSID1 and clients connecting to SSID2 can connect to the entire LAN, and moreover receive their DHCP settings from the LAN1 DHCP server: the DrayTek 2925's LAN2 DHCP server looks like it's completely non-existent. So the guest clients live in the DHCP1 address space, whereas they should be living in the DHCP2 address space.

Any suggestions as to where to look for the problem would be very much appreciated.

Thank you.


30 Sep 2020 09:04 #2 by piste basher
Replied by piste basher on topic Re: Vigor 2925 + AP900 guest WLAN isolation
When you say "Inter-LAN Routing is set up" do you mean you have it enabled in some way? If so, try disabling it.


30 Sep 2020 11:55 #3 by cocospm
Replied by cocospm on topic Re: Vigor 2925 + AP900 guest WLAN isolation
Disclaimer: I use AP903s, not AP900s, but I believe the same applies to both (my apologies if this isn't the case)...

I suggest you first test all is OK when you connect a device to the 2925's SSID2 directly (i.e., when close to the 2925 and not via an AP900) - does the device correctly get an IP address from your 2925 on LAN2? If not, that suggests you might have a setup error on the VLAN page on your 2925 - make sure your VLAN0 is on LAN1 and your VLAN1 is indeed on LAN2.

If this does work, it suggests your AP900s are not tagging the SSID2 traffic (in which case the untagged traffic will cause devices connected to an AP900 on SSID2 to be on VLAN0). Apart from specifying the tag for SSID2 on your AP900s, have you also turned off the "Enable 2 subnet" option and also unticked the "Isolate LAN" option? Keep the "Isolate Member" option turned on for SSID2. Check these settings for both your 2.4GHz and 5GHz SSID2 on your AP900s.

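The test cocospm describes (does SSID2 traffic actually arrive at the 2925 carrying VLAN tag 1?) can be settled with a packet capture rather than by watching which DHCP pool a client lands in. The following is an added example, not code from the thread or from DrayTek: it parses raw Ethernet frames, recovers the 802.1Q VID if present, recognises DHCP client requests (UDP 68 to 67) and reports which guest MACs arrived tagged with the expected VID and which arrived untagged (the symptom in the original post, where a guest client is then served by the LAN1 DHCP server). The frames, MAC addresses and the set of "guest" MACs below are constructed sample data; in practice you would feed it frames captured on the 2925's LAN side or a mirror port.

```python
import struct
from typing import Optional

ETH_P_8021Q = 0x8100   # TPID of an 802.1Q tag
ETH_P_IP = 0x0800
UDP = 17

def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def build_dhcp_discover(src_mac: str, vid: Optional[int] = None) -> bytes:
    """Constructed sample frame: a minimal DHCP Discover from src_mac to the broadcast
    address, optionally wrapped in an 802.1Q tag with the given VID. Checksums are left
    at zero because these frames are only parsed locally, never put on a wire."""
    dhcp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                       1, 1, 6, 0, 0x3903F326, 0, 0x8000,            # BOOTREQUEST, Ethernet, xid, broadcast flag
                       bytes(4), bytes(4), bytes(4), bytes(4),       # ciaddr, yiaddr, siaddr, giaddr
                       mac(src_mac).ljust(16, b"\0"), bytes(64), bytes(128))
    dhcp += b"\x63\x82\x53\x63" + bytes([53, 1, 1, 255])             # magic cookie, option 53 = Discover, end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, UDP, 0,
                     bytes(4), b"\xff\xff\xff\xff") + udp             # 0.0.0.0 -> 255.255.255.255
    eth = mac("ff:ff:ff:ff:ff:ff") + mac(src_mac)
    if vid is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)        # PCP/DEI zero, 12-bit VID
    return eth + struct.pack("!H", ETH_P_IP) + ip

def parse_frame(frame: bytes) -> dict:
    """Return source MAC, 802.1Q VID (None if untagged) and whether this is a DHCP client request."""
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    off, vid = 12, None
    ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype == ETH_P_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vid = tci & 0x0FFF
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    is_dhcp = False
    if ethertype == ETH_P_IP and len(frame) >= off + 20:
        ihl = (frame[off] & 0x0F) * 4
        if frame[off + 9] == UDP and len(frame) >= off + ihl + 8:
            sport, dport = struct.unpack_from("!HH", frame, off + ihl)
            is_dhcp = (sport, dport) == (68, 67)
    return {"src_mac": src, "vid": vid, "dhcp_client": is_dhcp}

def audit_guest_dhcp(frames, guest_macs: set, guest_vid: int = 1) -> dict:
    """Classify DHCP requests from known guest clients by the VLAN tag they arrived with.
    A guest MAC in 'guest_leaked_untagged' will be answered by the LAN1 DHCP server."""
    out = {"guest_tagged": [], "guest_leaked_untagged": [], "guest_wrong_vid": [], "non_guest_dhcp": 0}
    for f in frames:
        p = parse_frame(f)
        if not p["dhcp_client"]:
            continue
        if p["src_mac"] not in guest_macs:
            out["non_guest_dhcp"] += 1
        elif p["vid"] == guest_vid:
            out["guest_tagged"].append(p["src_mac"])
        elif p["vid"] is None:
            out["guest_leaked_untagged"].append(p["src_mac"])
        else:
            out["guest_wrong_vid"].append((p["src_mac"], p["vid"]))
    return out

# Constructed capture: a LAN1 laptop (untagged, expected), a guest phone on SSID2 of the
# 2925 itself (tagged VID 1, expected) and a guest tablet on SSID2 of an AP900 over WDS
# whose tag did not survive the wireless backhaul (untagged, the fault being diagnosed).
GUEST_MACS = {"aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"}
SAMPLE_CAPTURE = [
    build_dhcp_discover("aa:bb:cc:00:00:01"),
    build_dhcp_discover("aa:bb:cc:00:00:02", vid=1),
    build_dhcp_discover("aa:bb:cc:00:00:03"),
]

if __name__ == "__main__":
    for k, v in audit_guest_dhcp(SAMPLE_CAPTURE, GUEST_MACS).items():
        print(f"{k}: {v}")
```

One caveat when doing this for real: many NICs strip the 802.1Q tag before the frame reaches the capture tool, so the untagged result can be an artefact of the capturing host rather than of the AP900s. On Linux, disable receive VLAN offload first (`ethtool -K eth0 rxvlan off`) and confirm with `tcpdump -e -i eth0 vlan` that tagged frames are visible at all before drawing conclusions about SSID2.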

30 Sep 2020 12:16 #4 by hornbyp
Replied by hornbyp on topic Re: Vigor 2925 + AP900 guest WLAN isolation

cocospm wrote:
If this does work, it suggests your AP900s are not tagging the SSID2 traffic (in which case the untagged traffic will cause devices connected to an AP900 on SSID2 to be on VLAN0).


That would be my suspicion too.

The AP900 Overview says:
Code:
The Vigor AP-900 supports the 802.1q VLAN protocol so that if it is connected to an 802.1q enabled LAN, it can split tagged data (whether its different subnets or intended for different users) and broadcast each on its own SSID.


It doesn't say VLAN is supported in WDS mode. On the AP903, it's not something that's active by default, but can be enabled when in Mesh mode (which the AP900 doesn't support).


30 Sep 2020 12:33 #5 by cocospm
Replied by cocospm on topic Re: Vigor 2925 + AP900 guest WLAN isolation

hornbyp wrote:
It doesn't say VLAN is supported in WDS mode. On the AP903, it's not something that's active by default, but can be enabled when in Mesh mode (which the AP900 doesn't support).


On the AP903 it works in AP mode, too, but I haven't tested it in WDS mode. It may be that the wireless back-haul doesn't support VLAN tagging... that'll be one for Draytek to answer, I guess.


30 Sep 2020 14:46 #6 by dr_t
Thank you very much for the several very quick and very helpful replies. To answer your questions in turn:

- clients can connect to both SSID1 and SSID2 if they are connecting directly to the 2925, and in that case they also get the correct DHCP settings;
- clients can connect to both SSID1 and SSID2 if they are connecting to an AP900, but in that case, they always get the SSID1 (i.e. the untagged LAN) DHCP settings;
- I don't think I can turn off Inter-LAN routing (I did not turn it on); I can only set up the matrix so that each of the subnets (LAN1, LAN2, LAN3, LAN4, LAN5, DMZ Port - only LAN1 and LAN2 are enabled) routes to itself only;
- I have (and had) the "Enable 2 subnet" option off; "Isolate LAN" was off; "Isolate Member" was off, and I have now turned it on as per your advice, but the result is the same.

So if I understand correctly, it looks like it may be that on a 2925 + AP900s, I can either have:
- just a single router and two isolated WLANs; or,
- multiple routers in a WDS configuration and only one WLAN;
- but not multiple routers in a WDS configuration with two isolated WLANs, because VTAGs are not supported in conjunction with WDS?

This seems to be a bit of a shame.
