Many organisations offer access to the internet for their staff. This may be for business reasons, allowing the company to operate and carry out company functions. There may also be a requirement to allow access to the internet for people who visit the company. As visitors are guests to the organisation, they are usually restricted and cannot access any of the company’s resources such as printers or stored files. This keeps the organisation’s internal network private from the visitor and helps to provide a level of security. This is achieved by creating a separate wireless network which is isolated from the main network, in effect setting up multiple SSIDs which can’t access each other.
DrayTek routers from the Vigor 2830 series onwards support multiple subnets. This makes it possible for the wireless models (e.g. Vigor 2830n) to use the multiple SSIDs available to link a wireless guest network to a different network segment / subnet than the main, internal network segment / subnet.
This example will be using 192.168.10.1 for the Internal network and 192.168.11.1 for the Guest network using the router’s internal wireless.
- SSID1 is the Internal Wireless Network and will continue to link to the LAN1 subnet
- SSID2 is the Guest Wireless Network and will link to the LAN2 subnet, which will be separate from the LAN1 network
Step 1: Setting up the guest wireless network
Go to [Wireless LAN] – [General Setup] – on there, enable a second SSID and give it a suitable name:
If it’s a guest network, it’s useful to enable Isolate Member so that wireless clients connecting to that SSID cannot connect to each other (more secure). Click OK on that page to save those settings.
If required, set the security and pre-shared key for SSID2 under the [Wireless LAN] > [Security] menu. It is recommended to use WPA2/PSK security where possible for the best overall speed and security. Click OK on that page to save those settings.
Step 2: Configuring the Guest SSID to link to a different VLAN
Go to [LAN] – [VLAN] – on that page, tick Enable, put the LAN ports and SSID1 into VLAN0 and put SSIDs 2, 3 and 4 into VLAN1. Set VLAN1 to link to the LAN2 Subnet.
It is not necessary to tick Enable under the VLAN Tag column for this network configuration.
Click OK on that page and the router will prompt to restart itself; ignore that for now and move on to the next step.
Step 3: Enable and configure the LAN2 Subnet
Go to [LAN] – [General Setup] – on there, configure the two networks by clicking on [Details Page] for each; the LAN2 subnet will need to be enabled and should have DHCP enabled:
If the guest network could potentially have enough users to exhaust the DHCP pool, tick Retrieve IPs from inactive clients periodically, which will clear the DHCP lease for clients that are no longer connected to the wireless guest network and free up that DHCP lease for re-use.
This example shows how the LANs should look from the General Setup page once configured.
The Inter-LAN Routing table does not have LAN2 set to access LAN1 in this example because the Guest network should have no access to LAN1’s resources but will still have access to the Internet.
Click OK on this page once all of those changes have been made and the router will prompt to reboot. Click OK to restart and apply those changes.
Once the router has rebooted, the Guest and Internal wireless networks should both work and will each be able to access the internet but the Guest network will not be able to access resources on the Internal network.
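A check to run from a device joined to the guest SSID once the router has rebooted, added here as an example (it is not DrayTek's code). It assumes /24 masks for both subnets, which this article does not state, and the probed hosts, ports and internet target are constructed placeholders to replace with real LAN1 services.

```python
import ipaddress
import socket

# Subnets from the example above; the /24 masks are an assumption.
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")  # LAN1
GUEST_NET = ipaddress.ip_network("192.168.11.0/24")     # LAN2


def tcp_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_guest_isolation(client_ip, internal_targets, internet_target,
                          probe=tcp_reachable):
    """Return a list of findings for a guest client; an empty list is a pass."""
    findings = []
    addr = ipaddress.ip_address(client_ip)
    if addr in INTERNAL_NET:
        findings.append(f"{addr} is in LAN1 {INTERNAL_NET}: guest SSID is not in VLAN1")
    elif addr not in GUEST_NET:
        findings.append(f"{addr} is outside LAN2 {GUEST_NET}: check LAN2 DHCP")
    for host, port in internal_targets:
        if ipaddress.ip_address(host) not in INTERNAL_NET:
            raise ValueError(f"{host} is not a LAN1 address")
        # Any successful connection means the guest can see internal resources.
        if probe(host, port):
            findings.append(f"reached LAN1 host {host}:{port}: check Inter-LAN Routing")
    if not probe(*internet_target):
        findings.append(f"no internet access via {internet_target[0]}:{internet_target[1]}")
    return findings


if __name__ == "__main__":
    # Constructed sample values: this client's DHCP address, a file server
    # and a printer on LAN1, and an internet host.
    results = check_guest_isolation(
        "192.168.11.10",
        [("192.168.10.50", 445), ("192.168.10.60", 9100)],
        ("example.com", 443),
    )
    print("\n".join(results) or "PASS: guest is isolated and has internet access")
```

Run it again from a device on SSID1 with `probe` left at its default: there the LAN1 targets should be reachable, which confirms that the guest-side failures come from the isolation and not from the services being down.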