III. Wireless LAN

How to set up a Guest Wireless Network with Vigor Access Points

Products:
Vigor 2620Ln
Vigor 2762
Vigor 2765
Vigor 2832
Show all

Keywords:
802.1q
VLAN
VLAN tag
access point
Show all

Many organisations offer access to the internet for their staff. This may be for business reasons, allowing the company to operate and carry out company functions. There may also be a requirement to allow access to the Internet for people who visit the company. As visitors are guests to the organisation, they are usually restricted and cannot access any of the company’s resources such as printers or stored files.

This keeps the organisations internal network private from the visitor and helps to provide a level of security. This is achieved by creating a separate wireless network which is isolated from the main network, in effect setting up multiple SSIDs which can’t access each other.

Network Topology

This setup guide will demonstrate how to configure a DrayTek Vigor router with Wireless and a DrayTek VigorAP Wireless access point to provide both an "Internal" and "Guest" wireless network, with the Guest network able to access the Internet, without being able to access internal company resources.

This configuration requires a DrayTek router from the Vigor 2830 series onwards, which support multiple subnets and VLAN tags, this makes it possible to configure a guest network which is separate from the main, internal network segment / subnet.

The Vigor access points on the network must be connected to the router with a wired network connection to use VLAN tags required for a guest wireless network; wireless links such as WDS or Universal Repeater cannot pass VLAN tags that are required for a guest wireless network to operate.

 

Example Setup

  • Vigor 2830n Router.
    Applicable to all DrayTek Vigor routers with or without built-in Wireless, from the 2830 onwards (2830, 2832, 2850, 2860, 2920, 2925, 2952, 3200, 3220, BX2000)

  • VigorAP 810 wireless access point.
    Applicable to all DrayTek VigorAP access points from the VigorAP 710 upwards (710, 800, 810, 900, 902, 910C)

Network Configuration

Network SegmentNetworkVLAN NameVLAN TagIP Range
Internal Network LAN1 VLAN0 Untagged 192.168.1.0 / 24
Guest Network LAN2 VLAN1 10 192.168.2.0 / 24

The wireless guest network is set up as a separate network on the DrayTek router by linking its SSID2 to LAN2. Communicating this across a network cable to a wireless access point or switch will use a VLAN tag of "10". This VLAN tag is not used by the internal network so the existing network setup will not be affected.

The VigorAP access point's guest wireless network SSID would be configured to tag traffic on that SSID with the VLAN tag of "10", which would then be processed by the router as part of the guest network, keeping it separate from the internal network.

The VigorAP access point's management interface will be accessible the LAN1 subnet only.

Step 1: Setting up the Guest wireless network on the DrayTek Vigor router

To set up the router's own Wireless networks with a separate "Guest" network, it will be necessary to set up a secondary Wireless SSID for the router's own Wireless interface. This will be linked to the "LAN 2" Subnet in the next section.

Go to [Wireless LAN] – [General Setup] - on there, enable a second SSID and give it a suitable name:

If it’s a guest network, it’s useful to enable Isolate Member so that wireless clients connecting to that SSID cannot connect to each other (more secure). Click OK on that page to save those settings.

Set the security and pre-shared key for SSID2 under the [Wireless LAN] > [Security] menu, it is recommended to use WPA2/PSK security where possible for the best overall speed and security. Click OK on that page to save those settings.

Step 2: Configure VLAN tags on the DrayTek router

Go to [LAN] > [VLAN] – on that page, tick Enable.

Tick the LAN Port VLAN settings as shown, with all LAN ports being a member of both VLAN0 and VLAN1. If the router is a wireless model, make sure that the SSID entries are each a member of a VLAN, as shown below, otherwise the router will not be able to save the setting changes.

On the VLAN1 row, tick Enable in the VLAN Tag column and set the VID to 10, this means that any traffic received by the router with a VLAN tag of 10, will be assigned to the VLAN1 (Guest) network.

Untick the "Permit untagged device in P1 to access router" option.

Note - Network Configuration
If the VigorAP access points are connected to the router through a network switch, check whether the switch is Managed or Unmanaged.
An Unmanaged switch will typically be able to pass tagged and untagged packets with no configuration required.
A Managed switch may have default VLAN configuration settings that could cause the switch to drop packets with VLAN tags. It may be necessary to reconfigure the switch to pass through untagged and VLAN tagged packets. Check the managed switch's documentation for information. There are no specific settings recommended in this guide because of variation in usage of terms between manufacturers.

Click OK to apply the changes. The router will then ask to restart, which can be ignored at this stage.

Step 3: Enable and configure the LAN2 Subnet on the DrayTek router

Go to [LAN] > [General Setup] – on there, configure the guest network by clicking on [Details Page] for LAN2. This will need to be enabled and should have DHCP enabled so that the network assigns IP addresses to clients automatically on the guest network.


If the guest network could potentially have enough users to exhaust the DHCP pool, tick Retrieve IPs from inactive clients periodically which will clear the DHCP lease for clients that are no longer connected to the wireless guest network and free up that DHCP lease for re-use.


Click OK on this page once all of those changes have been made.

The router will prompt to reboot, click OK to restart and apply those changes.

This example shows how the LANs should look from the [LAN] > [General Setup] page once configured.

The Inter-LAN Routing table does not have LAN2 set to access LAN1 in this example because the Guest network should have no access to LAN1’s resources but will still have access to the Internet.

Step 4: Configure the VigorAP access point

With the setup of the DrayTek router, the Vigor access point can be plugged into any of the LAN ports on the router or a separate switch to provide internal and guest wireless.

Access the Vigor access point web interface and go to [Operation Mode], the operating mode needs to be set to AP mode for the access point to be able to provide internal and guest wireless networks:

Click OK to apply that change.

Once that has finished applying the changes, go to [Wireless LAN] > [General Setup].

Untick the Enable 2 Subnet option so that the Vigor access point can use VLAN tags.

Enter the internal and guest SSID details and set the VLAN ID of the Guest SSID to 10 to match the VLAN tag set on the DrayTek router.

Click OK to apply the changes and wait for that to complete.

Once that has completed, go to [Wireless LAN] > [Security] to set the security for the Internal and Guest networks, it is recommended to use WPA2/PSK for the best security and wireless throughput.

When using WPA2/PSK, select the AES WPA Algorithm. If using WPA/PSK, select TKIP. Please note that using WEP or WPA/PSK will limit wireless throughput to 54mbps.

When clicking OK on this page, the Vigor access point will display this warning message to indicate that wireless connectivity will be unavailable while the AP makes these changes, click OK for this message:

It will then display a warning message regarding WPA2/PSK security, click OK to continue:

Once these changes have applied, wireless connections to the "Guest" SSID will receive an IP in the LAN2 IP range, which separates those wireless clients from the internal network.


How do you rate this article?

1 1 1 1 1 1 1 1 1 1

Comments

From: Tightpants
10/12/2017

I could not get the VLANs to work until I followed the steps in this article, particularly as I was confusing the VLAN name with the VLAN tags (VID). Also I thought ticking all wired port checkboxes would make the guest network accessible to all other networks. Good article with clear instructions and descriptions.