DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Basic VLAN/Security question

  • philby
  • Topic Author
  • Junior Member
15 Mar 2010 20:16 #1 by philby
Basic VLAN/Security question was created by philby
Hello

Just wanted to check my topology here:

I have a home wlan (one SSID, lots of folders shared between 3 machines, 2820n).

Sometimes I do disinfection work for friends' machines and would like to be able to isolate these from my own machines when I connect them to the network/internet.

So, I've done the following:

-created a second SSID (SSID2)
-set up a Vlan such that SSID2 is segregated to port 2, as below
[screenshot of the VLAN configuration, not included in this copy]

When I connect an 'infected' machine to the wlan/internet via SSID2, it cannot see any of the other networked machines and they cannot see it - this is good :D

My question is whether this is adequate in terms of preventing infection passing from an infected machine to either the other boxes or the 2820n itself???

I don't want to falsely assume that machines on SSID are completely isolated from those on SSID2, but maybe they are and I'm just over-thinking this???

Thanks in advance.

Mark

06 Aug 2010 00:35 #2 by alan.hancock
Replied by alan.hancock on topic VLAN is not so V
Using WAN2 on UK firmware 3.3.4_232201, I decided to try the same config as you did, and was pleased to find that I could not access my devices on the other VLAN whilst on the same physical local area network.

However, I also have point-to-point VPN tunnels set up to my remote offices, and I nearly fell off my chair when I saw that the 'isolated' VLAN device could happily access my remote subnets even though the LOCAL subnet was isolated from it. This is not the expected behaviour, as it is no use being locally isolated if the majority of the remote-but-private subnets are wide open.

Oh dear...

09 Aug 2010 21:08 #3 by voodle
Replied by voodle on topic Basic VLAN/Security question
I think there are plans to fix that VPN / VLAN problem with some firmware in future, going by this guide: http://draytek.com/user/SupportAppnotesDetail.php?ID=898
I'm not sure when or if it would be coming to something like the 2820, but it would certainly be useful.

09 Aug 2010 22:03 #4 by admin
Replied by admin on topic Basic VLAN/Security question
Actually, the current method is logical default behaviour. The VLAN is at the Ethernet layer (L2), done by the Ethernet chip, so the router's CPU doesn't control the data (that would be a lot of work, to process all LAN traffic). The VPN, on the other hand, is an L3 IP thing, so just as members of isolated VLANs all have Internet access (routes), they also have access to VPN routes. You can't set up an IP filter relating to a hardware VLAN, for the same reason you can't isolate it from a VPN.
That doesn't mean they couldn't develop integration in future.
Forum Administrator

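As an added illustration of the admin's point (this is example code, not code from the thread or from DrayTek), a small Python model of the forwarding decision: a frame for a same-subnet host is delivered only within the switch's isolation group, while anything off-subnet is handed to the router and from then on only routes and L3 filter rules decide. The addresses, host names and the `deny` rule list are constructed assumptions for the model; the stock behaviour alan.hancock observed corresponds to an empty `deny` list.

```python
# Added model, not DrayTek or forum code: why L2 SSID/port isolation does not
# cover VPN routes. Addresses and hosts below are constructed for the example.
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")          # constructed home LAN
VPN_REMOTE = ipaddress.ip_network("192.168.50.0/24")  # constructed remote office
ROUTER_IP = ipaddress.ip_address("192.168.1.1")       # the 2820n's LAN address

# Each LAN host sits in one switch isolation group (VLAN). The Ethernet chip
# forwards frames only between ports/SSIDs of the same group; the router's
# own port is reachable from every group because every group gets Internet.
HOSTS = {
    "pc1":      (ipaddress.ip_address("192.168.1.10"), "main"),
    "infected": (ipaddress.ip_address("192.168.1.20"), "ssid2"),
}
# L3 routes the router knows: the LAN, what the VPN tunnel adds, and the
# default route to the Internet.
ROUTES = [LAN, VPN_REMOTE, ipaddress.ip_network("0.0.0.0/0")]

def reachable(src, dst_ip, deny=()):
    """True if traffic from host `src` to `dst_ip` would be delivered.

    `deny` is a hypothetical list of (src_group, dst_network) L3 filter
    rules applied by the router; the behaviour described in the thread
    corresponds to an empty list.
    """
    src_ip, src_group = HOSTS[src]
    dst = ipaddress.ip_address(dst_ip)
    if dst == ROUTER_IP:
        return True  # the gateway serves every group, so it is always reachable
    if dst in LAN:
        # Same subnet: sent directly at L2, so only the switch isolation decides.
        dst_group = next((g for ip, g in HOSTS.values() if ip == dst), None)
        return dst_group == src_group
    # Off-subnet: the frame goes to the router's MAC (allowed from any group);
    # from here the L2 isolation plays no part, only routes and filters do.
    if not any(dst in net for net in ROUTES):
        return False
    return not any(src_group == g and dst in net for g, net in deny)

if __name__ == "__main__":
    print(reachable("infected", "192.168.1.10"))   # False: blocked at L2
    print(reachable("infected", "192.168.50.5"))   # True: routed over the VPN
    print(reachable("infected", "192.168.50.5",
                    deny=[("ssid2", VPN_REMOTE)]))  # False: needs an L3 rule
```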
03 Dec 2010 19:09 #5 by ignatius
Replied by ignatius on topic Basic VLAN/Security question
I have a 2820n (firmware 3.3.0.1) but the VLAN configuration doesn't give the option to include SSIDs in the various VLANs as shown in the partial screenshot posted by the OP. I think I might have to upgrade the firmware but I'm reluctant to do so unless it's absolutely necessary, given the problems identified by several users.

Thanks in advance.
