Draytek VLANs - Allow access from single IP headache!

Okay, simple home setup and here's what I have and what I want to do...

I have a simple home network but I want to split one section to a different IP range and only allow access to it from one IP address in another range. So two networks with one router for internet that both need to access. Initially I used a basic managed switch and created 2 VLANs; great, but they needed to be on the same IP range to access the internet.

I had an old Asus router so I used that to go in between the BT Home Hub and switch. That worked but I was able to access both ranges from each other, I'm guessing because the Asus is forwarding on any DNS requests it can't do itself to the Home Hub and that's replying because it knows where everything else is.

Now I also have a Draytek 2830n router... I used this instead of the Asus and this works perfectly. My 10.0.0.0/24 (LAN1) range and 192.168.1.0/24 (LAN2) from the Draytek both access the internet fine through the Home Hub (192.168.3.100) but can't interact with each other. My issue is, I want one address, 192.168.3.50, to be able to access 10.0.0.0/24. 192.168.3.0/24 is the main home subnet run off the BT Home Hub.

I assumed it was just a firewall rule allowing said address from the WAN port to anything on the LAN but anything I try I hit a brick wall with.
 
Are you using the WAN port on the Draytek to connect it to the BT Home Hub?

The problem is that the Draytek is doing NAT, so if you want to reach something in 10.0.0.0/24, say 10.0.0.1, from 192.168.3.0 then you'll need to set up port forwarding on the Draytek, and then rather than connecting to 10.0.0.1 directly you'd need to connect to the WAN interface on the Draytek, so whatever IP address it has in 192.168.3.0/24.

It's a very, very messy way of doing it and depending what you need to access LAN side on the Draytek it may not work. You really need a single device that'll do all your layer 3 and inter-VLAN routing.

Multiple VLANs with ACLs in place make this NOT a simple home network.
 
Yeah, using the WAN port on the Draytek. It does seem overly complicated I admit, but I just thought it would be easy. I guess I forgot that the Draytek essentially thinks it's facing the internet even though it's inside the home network. I'll have another mess but will probably ditch it. I just want to easily VNC some machines instead of using TeamViewer when at home.
 
If I understand the setup correctly, either of the options "IP Routed Subnet" or "Routing Usage" (Draytek offer help pages on both) will allow you to route a specified address from the Home Hub to a specific (V)LAN Draytek-side.
As mentioned though, it's a complicated setup and arguably replacing the Home Hub with the Draytek would massively simplify it (it would handle all three LANs if need be).

Edit - Just to add, I believe the "General" firewall rule is set up to block WAN routing packets (can specify either/both IPv4 or 6), so that will need to be disabled for it to work.
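
The routed (non-NAT) approach discussed in the replies needs two things to hold at once: the 192.168.3.0/24 side must hand 10.0.0.0/24 traffic to the Draytek instead of the Home Hub, and the Draytek's WAN-side filter must accept only 192.168.3.50. The Python model below is an added example, not part of the thread and not Draytek configuration; the Draytek WAN address 192.168.3.2, the test hosts and the rule layout are assumptions.

```python
import ipaddress as ip

# Addresses from the thread, except DRAYTEK_WAN, which the thread never states.
HOME_HUB = ip.ip_address("192.168.3.100")
DRAYTEK_WAN = ip.ip_address("192.168.3.2")   # assumed placeholder
ADMIN_PC = ip.ip_address("192.168.3.50")
LAN1 = ip.ip_network("10.0.0.0/24")

def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs; None means no route."""
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def acl_permits(rules, src, dst):
    """First-match filter over (action, src_net, dst_net); implicit deny at the end."""
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action == "allow"
    return False

def reaches_lan1(client_routes, wan_in_rules, src, dst):
    """True only if the packet is sent to the Draytek AND its WAN-side filter accepts it."""
    return (next_hop(client_routes, dst) == DRAYTEK_WAN
            and acl_permits(wan_in_rules, src, dst))

# Routing table of a host on 192.168.3.0/24: default route only, then with a
# static route for LAN1 via the Draytek's WAN address.
DEFAULT_ONLY = [(ip.ip_network("0.0.0.0/0"), HOME_HUB)]
WITH_STATIC = DEFAULT_ONLY + [(LAN1, DRAYTEK_WAN)]

# Hypothetical WAN-to-LAN rule set: one admin host in, everything else dropped.
WAN_IN = [
    ("allow", ip.ip_network("192.168.3.50/32"), LAN1),
    ("deny", ip.ip_network("0.0.0.0/0"), LAN1),
]

if __name__ == "__main__":
    vnc_host = ip.ip_address("10.0.0.10")    # constructed LAN1 machine
    other_pc = ip.ip_address("192.168.3.77")  # constructed second home PC
    print("no static route :", reaches_lan1(DEFAULT_ONLY, WAN_IN, ADMIN_PC, vnc_host))
    print("static route    :", reaches_lan1(WITH_STATIC, WAN_IN, ADMIN_PC, vnc_host))
    print("other home PC   :", reaches_lan1(WITH_STATIC, WAN_IN, other_pc, vnc_host))
```

Without the static route the packet goes to the Home Hub and never reaches the Draytek's filter, which matches the "brick wall" described in the first post when only a firewall rule is added.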
 