Draytek VLAN and Wi-Fi isolation

I wish to share my ADSL connection with several neighbours. However, I
do not wish them to share my Draytek router's wireless network, so I
intend to give them access via ethernet cable to one of my Draytek
router's ethernet ports.

My own and my girlfriend's laptops will connect to the Draytek's
wireless network, but I want to ensure that our network traffic is
isolated from the neighbours, both for reasons of security against worm
attack, and for reasons of privacy against having our communications
sniffed.

How do I set this up?

Well, here's what I've tried so far:

I thought this would be a simple matter of configuring the neighbour's
ethernet port to be in a VLAN, and that this would isolate them from the
Draytek's other interfaces including the wireless side. Unfortunately,
this only isolates them from the other wired ethernet ports and does
*not* isolate them from the wireless network. In fact I've tested this
with Ethereal and can see the wireless traffic being repeated on *all*
the wired ports regardless. The VLAN feature does not seem to do what I
want. Have I misunderstood something?

I also noticed a feature which sounded promising in the Draytek's
Wireless LAN Access Control page in the pop-up menu at the top. It says
"Isolate WLAN from LAN". However, when I choose this setting, our
laptops are kicked off the wireless network, and are rejected when they
try to reconnect. I have not yet been able to diagnose the reason for
this because my Apple laptop gives no indication of what the error is.
It just says "There was an error joining the network" or similar, and I
can't find the logs that might clarify the reason for this.

On that same Access Control page, you can instead choose to isolate
individual wireless clients from the LAN by their MAC address. I tried
this too, and although we could now join the network successfully, the
expected isolation again fails to stop wireless traffic leaking onto the
wired LAN.

So three different ways of approaching this have failed miserably. Has
anyone else managed to get a Draytek router to properly isolate the
wired and wireless networks?

Can anyone give me any clue as to what I'm doing wrong? Can anyone even
point me in approximately the right direction? Any help or moral support
would be much appreciated as I've already torn most of my hair out.

--
James Taylor

HavJames Taylor wrote:
> I wish to share my ADSL connection with several neighbours. However, I
> do not wish them to share my Draytek router's wireless network, so I
> intend to give them access via ethernet cable to one of my Draytek
> router's ethernet ports.
>
> My own and my girlfriend's laptops will connect to the Draytek's
> wireless network, but I want to ensure that our network traffic is
> isolated from the neighbours, both for reasons of security against worm
> attack, and for reasons of privacy against having our communications
> sniffed.
>
> How do I set this up?
>
> Well, here's what I've tried so far:
>
> I thought this would be a simple matter of configuring the neighbour's
> ethernet port to be in a VLAN, and that this would isolate them from the
> Draytek's other interfaces including the wireless side. Unfortunately,
> this only isolates them from the other wired ethernet ports and does
> *not* isolate them from the wireless network. In fact I've tested this
> with Ethereal and can see the wireless traffic being repeated on *all*
> the wired ports regardless. The VLAN feature does not seem to do what I
> want. Have I misunderstood something?
>
> I also noticed a feature which sounded promising in the Draytek's
> Wireless LAN Access Control page in the pop-up menu at the top. It says
> "Isolate WLAN from LAN". However, when I choose this setting, our
> laptops are kicked off the wireless network, and are rejected when they
> try to reconnect. I have not yet been able to diagnose the reason for
> this because my Apple laptop gives no indication of what the error is.
> It just says "There was an error joining the network" or similar, and I
> can't find the logs that might clarify the reason for this.
>
> On that same Access Control page, you can instead choose to isolate
> individual wireless clients from the LAN by their MAC address. I tried
> this too, and although we could now join the network successfully, the
> expected isolation again fails to stop wireless traffic leaking onto the
> wired LAN.
>
> So three different ways of approaching this have failed miserably. Has
> anyone else managed to get a Draytek router to properly isolate the
> wired and wireless networks?
>
> Can anyone give me any clue as to what I'm doing wrong? Can anyone even
> point me in approximately the right direction? Any help or moral support
> would be much appreciated as I've already torn most of my hair out.
>
Haven't thought this through (too late at night) and dunno if it would
work - but how about:

Install Zonealarm firewall on your PCs and setup a LAN including your
machines and the Draytek. Setup Zonealarm to trust your subnet.

Give neighbours IP addresses on a separate subnet and setup this address
as the second subnet on the Draytek (or assign them by DHCP).