WiFi Isolation in a block of apartments

[Cooners]

Hi
I just wondered if anyone could help my with this:
We have just taken over a block of apartments, they have a Draytek Vigor 2820 router, Cisco SG200-18 switch and AP800 access points in each apartment.
They are complaining that they can see each others equipment and want each flat isolated. We thought about wireless isolation however this would stop there own equipment talking (e.g. SONOS, DLNA, SMB or wireless printers). I thought about VLAN's (along with a new router that supports them) but been told it's too much hassle and will cause too many support issue's.
This is how I would have done it (Never actually set-up VLAN's before):
Router plugged into the switch via Cat5 and all Access Points plugged into the switch, tag the port connecting the router and the switch as to have all tags and then tag each of the 14 access point ports as 100 for access point 1,200 for access point 2,300 for access point etc so each access point has a different VLAN tag, I don't think that would cause many issues.
So would that work (and if I've made a mistake can you please correct me) and is there a better way to do this?

Many Thanks

 

[Caged]

Depends how many VLANs the DrayTek can support as to whether you'll run out.

I've not used their APs, do they have any sort of firewall built in?

 

[#Chri5#]

Spec sheet says they support 4 SSIDs/VLANs.

How many apartments are there?

 

[matthab]

Vlan each apartment would be the best solution. It wouldn't take much looking after once set up, anything else is not going to fit the requirements exactly.

Vlans are designed for exactly this.

 

[Quartz]

Doesn't each apartment have a separate SSID and password?

 

[bremen1874]

Doesn't each apartment have a separate SSID and password?

That isn't going to be the issue. Even if people are only connecting to their own access point they all become a single network when they hit the switch.

 

[Cooners]

There is 14 apartments, I was thinking of setting the VLAN's up on the switch rather than setting up multiple SSID's and VLANing those as the AP's are in their flats so they don't need to connect to anyone else's but there own:
For Example Flat 1's AP is plugged into port 1 of the switch and that port is tagged 100 (I seem to recall an issue using 1,2,3 etc as VLAN tags), the router will be in port 48 and tagged with all 14 VLAN tags and the same tagged on the port on the router, so if I'm right (which I may not be) they won't see each other but will see the router for internet access, DHCP etc.
Currently they have their own SSID's but they are completely open! I'll be sorting that ASAP regardless of anything else and yes it all shows like one big network as you would expect with the current setup.

 

[Caged]

Right, but as stated above the DrayTek doesn't support more than 4 VLANs.

 

[Deleted member 138126]

Replace the Draytek with a Ubiquiti EdgeRouter Lite.