DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2860 - WAN 2 WLAN and Captive Portals

  • neil201
  • Topic Author
  • User
02 Jan 2022 23:07 #7 by neil201
Replied by neil201 on topic Re: 2860 - WAN 2 WLAN and Captive Portals
Cheers for your reply, I've probably not been clear enough on what I'm trying to achieve...

I want to use the 2860 as a Travel Router abroad which will proxy traffic back through my 2860 here at home using a LAN to LAN VPN. The WAN gateway for this will use the WLAN 'Wireless WAN2' option so needs to connect to a WLAN within the hotel or place I'll be staying. As far as all the VPN side of things goes, that's all configured and working; however, my issue is going to be connecting the WLAN side of things and authentication through Captive Portals etc.

As an example; on any other device such as a laptop or phone etc I would connect to the hotel or establishment's WLAN SSID then be presented with the Captive Portal/Landing Page which after accepting will then have WLAN access to the wider internet with my device(s) MAC whitelisted for a period of time. If however I use the Draytek's WLAN WAN feature by doing an AP scan and connecting to the same SSID etc (for acting as the WAN gateway) I'm going to need to somehow get past the same Captive Portal which would then whitelist the MAC address of the Draytek's WLAN radio itself, if all that makes sense? I can knock up a quick diagram if that's easier?

In your example and my actual address I'm testing this with as the WAN 2 IP (assigned by the WLAN the Draytek is connected to) of 192.168.1.11, then would I simply need to browse to 192.168.1.11:8843 or just 192.168.1.11 behind the Router - if the DNS server on the WLAN redirects this without clicking through the Portal? The Router Gateway on my device is 192.168.10.1 so a totally different subnet to that of the WAN 2 IP subnet.


  • hornbyp
  • User
03 Jan 2022 02:41 #8 by hornbyp
Replied by hornbyp on topic Re: 2860 - WAN 2 WLAN and Captive Portals
Ok - so there are a couple of details that could do with clarifying...

What is the significance of ports 8843 and/or 8880 :?: Is this some sort of commonly used method of communicating with hotel Captive Portals (that's passed me by :) )

Also, to be clear - this must be a 2860n or similar (i.e. it is a Wi-Fi version) :?:
The AP900 is intended to provide access to the 2860(n)'s LAN from devices in the hotel room :?:

To check I've understood your example ...
The 2860(n) LAN is set to 192.168.10.0/24 and the router itself has an address of 192.168.10.1 on that network. The router uses DHCP to obtain a WAN2 IP address from the hotel's Wi-Fi network (in the example it was given 192.168.1.11).

Do you have experimental results, to show what happens, if you try and access the outside world (https://google.com for example) - from a 2860 LAN client, once the 2860(n) has obtained its WAN IP address and its VPN is trying to connect?

I would expect the browser on the LAN connected device to show you the Captive Portal, which once completed, would allow the VPN to connect.

Does something else happen?


Actually, another question ...

What sort of VPN is this :?:

If it is SSL, then changing its port number from the default of 443 might be advantageous (because the Captive Portal wouldn't think it was Browser traffic - and try and have a conversation with it!...). Of course, the Hotel system might be picky about which ports it does allow you to use...

[It's tempting to suggest using the 2860(n)'s Wi-fi to provide LAN access and use the AP900 (in STA mode) to provide the WAN link. The reason for this thought, is that the AP900's MAC address can be cloned to be the same as your mobile phone - so you would complete the Captive Portal handshake on the phone, then plug in the AP900. The difficulty would be, in reconfiguring the AP900 at each hotel (since it would be on the 'far' side of the Draytek and would need Route Policy or similar mechanism to access it. Not impossible, but another level of complexity...)]


  • neil201
  • Topic Author
  • User
04 Jan 2022 10:36 #9 by neil201
Replied by neil201 on topic Re: 2860 - WAN 2 WLAN and Captive Portals
The 8843/8880 ports appear to be the usual ones commonly used by Captive Portals (HTTPS on 8443, HTTP on 8880) although I believe there are others in the 80xx range; my other Draytek I'm using here (which is assigning the 192.168.1.11 DHCP WAN2 address) appears to be using 8001 when I activate the Hotspot Web Portal feature.

Confirmed on the Router type, definitely a 2860n with WLAN capabilities and the AP900 is, as you say, just providing the LAN access in the hotel room. Obviously when using WAN 2 in Wireless Mode it can't be simultaneously used for normal WLAN which the AP900 is providing as a substitute. All confirmed on the LAN IP assignments too.

When I try and connect to the outside world behind the Router I'm seeing nothing, I would have expected as you say the Router to forward me to the Captive Portal but am wondering now whether this is because all the traffic on the LAN subnet (192.168.10.0/24) is being proxied via the LAN to LAN VPN tunnel which isn't up? The VPN is IPSec I've configured.

I like your suggestion on the AP900 as the WAN interface and didn't realise the unit's MAC address could be changed on this... interesting. I had thought about Rooting my old Samsung S8 and cloning the MAC address on that to match that of the 2860's WLAN Radio but there's a fair bit of complexity in doing that on the device and in all honesty the AP900 route sounds easier if I can get the Route Policy protocol set up.


  • hornbyp
  • User
04 Jan 2022 17:32 #10 by hornbyp
Replied by hornbyp on topic Re: 2860 - WAN 2 WLAN and Captive Portals

Neil201 wrote:
The 8843/8880 ports appear to be the usual ones commonly used by Captive Portals (HTTPS on 8443, HTTP on 8880) although I believe there are others in the 80xx range; my other Draytek I'm using here (which is assigning the 192.168.1.11 DHCP WAN2 address) appears to be using 8001 when I activate the Hotspot Web Portal feature.


Interesting...

So you're saying, that in response to an initial outbound request to (say) http://bbc.co.uk:80, you receive a reply from the Hotel Portal (but from port 8880 instead) :?:
That would definitely not be allowed back in by the 2860n (there being no corresponding entry in the outbound NAT Session list, for it to marry it up to). You would definitely need a static NAT mapping for that.
(I'm still a little sceptical :wink: , because wouldn't this scenario be an issue for a default Windows firewall, as well?)

and he wrote:
...but am wondering now whether this is because all the traffic on the LAN subnet (192.168.10.0/24) is being proxied via the LAN to LAN VPN tunnel which isn't up? The VPN is IPSec I've configured.


You could well be right there. You could prove it by manually dialling the VPN, or having it initially disabled. There could be an additional issue, in getting IPSec to traverse the Hotel's NAT implementation.

later, he also wrote:
I like your suggestion on the AP900 as the WAN interface and didn't realise the unit's MAC address could be changed on this...


From the manual, it looks like it's only applicable to the 2.4GHz radio.

You could try to set this up as follows :-


  1. Set the AP900 to "Station" mode and give it a LAN address of (say) 192.168.100.1 (You're looking for something that isn't likely to be used by the Captive Portal - 192.168.100.1 is commonly 'reserved' for DOCSIS Cable Modems.)

  2. Add WAN IP Alias of 192.168.100.254 [ ] Do NOT add to NAT Pool

  3. Add Route Policy entry to send 192.168.100.1 traffic via WAN2, but using 192.168.100.254 interface, with specific gateway of 192.168.100.1 (Not sure why this is required - you'd think it would be implicit)

  4. Set Gateway to "Specific Gateway" - i.e. 192.168.100.254 in this example



(These instructions are from this thread: https://forum.draytek.co.uk/viewtopic.php?p=88963#p88963 )
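The NAT session matching discussed earlier in the post above, as an added example that is not part of the original thread and is not DrayTek firmware behaviour: a toy session table showing why a reply from an unexpected source port finds no match, while a redirect that makes the client open a new outbound connection does. The client and server addresses are constructed, and strict address-and-port matching is an assumption of the model.

```python
# Toy model of a stateful NAT session table (illustration only, not DrayTek firmware).
# Assumption: inbound packets must match address AND port of an outbound session.

class NatTable:
    def __init__(self, wan_ip):
        self.wan_ip = wan_ip
        self.sessions = {}      # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self._next_port = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """LAN client opens a connection: record the session, return the WAN port used."""
        wan_port = self._next_port
        self._next_port += 1
        self.sessions[(wan_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return wan_port

    def inbound(self, src_ip, src_port, wan_port):
        """Packet arrives on WAN: return the LAN destination, or None if dropped."""
        return self.sessions.get((wan_port, src_ip, src_port))


def demo():
    nat = NatTable("192.168.1.11")          # WAN2 address from the thread
    client_ip = "192.168.10.50"             # constructed client on the 192.168.10.0/24 LAN
    site, portal = "203.0.113.10", "192.168.1.1"   # constructed addresses

    wan_port = nat.outbound(client_ip, 51000, site, 80)
    out = {
        # Normal reply from the port the client contacted: matches the session.
        "reply_from_80": nat.inbound(site, 80, wan_port),
        # Reply claiming to come from port 8880: no matching session, dropped.
        "reply_from_8880": nat.inbound(site, 8880, wan_port),
    }
    # An HTTP redirect instead makes the client open a NEW outbound connection
    # to the portal port, which creates its own session and is allowed back in.
    wan_port2 = nat.outbound(client_ip, 51001, portal, 8880)
    out["portal_after_redirect"] = nat.inbound(portal, 8880, wan_port2)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result or 'DROPPED'}")
```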


  • neil201
  • Topic Author
  • User
07 Jan 2022 21:02 #11 by neil201
Replied by neil201 on topic Re: 2860 - WAN 2 WLAN and Captive Portals
Cheers for this, been working away over the last few days so not had chance to have a go at this. Bit of bad news, looks like my AP900 isn't working and has some sort of issue as the LAN ports keep falling to sleep and aren't showing when a device is connected. Once I get my hands on a new one I'll give this a go. Out of curiosity where is the option on the AP900 to change the MAC address?


  • hornbyp
  • User
08 Jan 2022 15:08 #12 by hornbyp
Replied by hornbyp on topic Re: 2860 - WAN 2 WLAN and Captive Portals

Neil201 wrote:
Out of curiosity where is the option on the AP900 to change the MAC address?



From the "Vigor AP900 Concurrent Dual Band AP" User Guide V2.0 (downloaded from somewhere on the Draytek website) :-
