Expired

III. Wireless LAN

Expired

Central AP Management Setup Example - Office WiFi with Guest network

Products:
Vigor 2620Ln
Vigor 2762
Vigor 2763
Vigor 2765
Show all

Keywords:
AP Management
Wireless management
central management
guest network
Show all

Many organisations offer access to the internet for their staff. This may be for business reasons, allowing the user to operate and carry out company functions.  There may also be a requirement to allow access to the internet for people who visit the company. As visitors are guests to the organisation, they are usually restricted and cannot access any of the company’s resources such as printers or stored files. This keeps the organisation's internal network private from the visitor and helps to maintain security. This is achieved by creating a separate wireless network which is isolated from the main network, in effect setting up multiple SSIDs which can’t access each other.

This setup guide demonstrates how to use the Central AP Management feature in combination with the router's VLAN facility to create a wireless network for both internal and guest users, on multiple VigorAP Access Points through the DrayTek Vigor router.

This guide is written for firmware versions 3.8.4.x and later firmware, the features shown may not be present or may behave differently with prior firmware versions.


Managing VigorAP Access Points with a DrayTek Vigor Router

The Central AP Management facility available on DrayTek Vigor routers, allows the router to control multiple access points (number varies by model, check product specification) for configuration, monitoring and management such as firmware upgrades.

With Central AP Management, a single profile can be applied to a group of VigorAP Access Points, greatly reducing the time required to configure a number of access points on a network.


VLAN Configuration - The changes required on the Vigor router to separate the Internal network from the new Guest network

Central AP Management - Configure a number of VigorAP Access Points through a single profile

VLAN Configuration

The VigorAP Access Points on the network must be connected to the router with a wired network connection to use VLAN tags required for a guest wireless network; wireless links such as WDS or Universal Repeater cannot pass VLAN tags that are required for a guest wireless network to operate.

Network Configuration

Network SegmentNetworkVLAN NameVLAN TagIP Range
Internal Network LAN1 VLAN0 Untagged 192.168.1.0 / 24
Guest Network LAN2 VLAN1 10 192.168.2.0 / 24

The wireless guest network is configured as a separate network on the DrayTek router using a VLAN tag of "10". This VLAN tag is not used by the internal network so the existing network setup will not be affected. The VigorAP Access Point's guest wireless network SSID would be configured to tag traffic on that SSID with the VLAN tag of "10", which would then be processed by the router as part of the guest network, keeping it separate from the internal network.

The VigorAP Access Point's management interface remains on the LAN1 subnet.


Configure VLANs on the DrayTek router

Access the DrayTek Vigor router's web interface and go to [LAN] > [VLAN] – on that page, tick Enable.

On the VLAN1 row, tick Enable in the VLAN Tag column and set the VID to 10, this means that any traffic received by the router with a VLAN tag of 10, will be assigned to the VLAN1 (Guest) network.

Tick the LAN Port VLAN settings as shown, with all LAN ports P1 to P6 being a member of both VLAN0 and VLAN1. This is to simplify the network configuration, any VigorAP will need to have access to the Internal (untagged) and Guest (VLAN tag 10) network segments; making each port a member of both VLANs effectively makes it operate as a "Trunk" port. The VigorAPs can then be connected to the router directly or through a switch.

If the router is a wireless model, make sure that the SSID entries are each a member of a VLAN, as shown below, otherwise the router will not be able to save the setting changes.

Note - Network Configuration

If the VigorAP access points are connected to the router through a network switch, check whether the switch is Managed or Unmanaged.
An Unmanaged switch will typically be able to pass tagged and untagged packets with no configuration required.

A Managed switch may have default VLAN configuration settings that could cause the switch to drop packets with VLAN tags. It may be necessary to reconfigure the switch to pass through untagged and VLAN tagged packets. Check the managed switch's documentation for information. There are no specific settings recommended in this guide because of variation in usage of terms between manufacturers.

You may have noticed that P1,P2,P3,P4,P5,P6 are in both LAN1 and LAN2. The LAN that the router places traffic in depends on the tag received. If it recevies as a packet that has ID 10 then it treats it as LAN 2 and if it receives packets without a tag then it would treat it as LAN 1. For example if a simple PC is connected it wouldn't have the VID 10 tag and so would be allocated DHCP from LAN 1.

Click OK to apply the new VLAN configuration.


The router will prompt with this message if LAN2 / VLAN1 has not been configured previously:

The tickbox shown for "LAN 2" will enable the LAN2 subnet with it default IP settings of:

IP Address 192.168.2.1
Subnet Mask 255.255.255.0
DHCP Range 192.168.2.10 to
192.168.2.110

Clicking OK on this warning page will reboot the router to apply the setting changes.

If the LAN 2 IP settings need to be changed, they can be configured in the [LAN] > [General Setup] section once the router has restarted.


When the router has restarted, access the web interface and go to [LAN] > [General Setup].

This has the different LAN interfaces listed for the router, with the Inter-LAN Routing Table below it; which controls whether LAN interfaces can access each-other:
 


In this example, the Guest network which will use the LAN 2 interface, should not have access to the Internal / LAN 1 network, therefore the tickbox for LAN 2 to access LAN 1 is not checked in the Inter-LAN Routing table.


In instances where communication should be allowed between the networks connecting through the router's multiple LAN interfaces, tick the check box in the Inter-LAN Routing table and click OK to apply the change.


How do you rate this article?

1 1 1 1 1 1 1 1 1 1