Hi,

I have a DrayTek Vigor 2866. I am wanting to setup VLANs to separate my main network from my guest network. I have a Ubiquiti Unifi Switch and APs. I am wanting all the VLANS to go through port 1 on the Draytek router as thats what the switch connects to. I want all wired clients to automatically connect to the main network. But by them all being on the same port I still want the two networks not to be able to see each other.

For another VLAN I would like to setup to work from home I would want my printer to be able to communicate on all the VLANs so people can print. Is this possible?

yeah its possible with ports or tags - have a look at this. https://www.draytek.co.uk/information/our-technology/vlans

And then it would be up to the managed switch to designate the correct VLAN?

if you are only using port 1 on the draytek for facilitating the WAN connection then you can do all the VLAN work on the managed switch. This is one of those things in IT that you can end with a very thin cat at the end of it as there are numerous ways of doing it. I am moving a client to tagged vlans that will be done on a smart switch and leave all the vlan stuff there and let the draytek just do its thing.

But at present primarily as I have a live network that I do not have a lot of time to work with I am using port based vlans to move things about so

• VLAN 1 / Port 1 to Dumb switch and managed switch below it 192.168.9.0/24 (stupid reason for the managed switch being used like this)

• VLAN 2 / Port 2 to WIFI AP / Mesh 192.168.20.0/24

• VLAN 3 / Port 3 to Smart switch 192.168.30.0/24

Draytek doing DHCP and inter vlan routing between 1 and 2 as there are sonos on there that people need!!!!

Will be moving this to tags and taking DrayTek out of it but its a process.

Right ok. And if I want my printer to communicate across the VLANs and how would I go about doing that? An exception on the firewall??

with tags its port would be tagged with all ports so it appears in all or you have it in a separate one that then has inter vlan routing. My example above means the VLANS are physically separate LANS apart from allowing routing for machines to control sonos. I may move them out into another one so they are ok to be connected to but there is nothing else in there that I am concerned about.

If you are allowing routing between vlans then you could use the firewall to deny. Our plan is to move servers including print server to their own vlan and then the vlan would be accessible to all devices but we would not typically want a guest network device to print. I could see you end up allowing IPP printing over firewall for guest and standard windows "inside" but again there are different ways of attacking this sort of issue.