A client required isolated networks for factory hardware but their infrastructure, many basic NetGear switches, did not support VLAN separation (my original hope was to use the DrayTek default gateway for inter-VLAN routing). This required some ‘thinking outside of the box’ and resulted in a design that made use of a DrayTek to isolate the factory network while staying within a single VLAN.
The DrayTek would bridge two networks, the LAN and factory, and impose firewall rules between them. Configuration is simple, setup a LAN2 interface with what will become the default gateway of the factory network, and LAN1 with a spare IP on your LAN. Then, on the main LAN default gateway you’ll need a static route (unless you run RIP) back to the factory network via the LAN1 IP you just configured.
Ensure that you enable Inter-LAN routing, but be warned that this allows all communication. You then need to apply firewall rules using the default data filter and LAN/DMZ/RT/VPN to LAN/DMZ/RT/VPN drop down.
In theory that should be all that is needed, but given the lack of investment at the client much of the infrastructure is old or poorly setup and resolving this is a low priority sadly. This setup didn’t work as expected due to the EnGenius point to point wireless links not being in WDS mode. The APs would translate the MAC address of the devices behind to it’s own in order to reduce layer 2 broadcast traffic but any communication initiated by the remote side would be blocked if a valid MAC lookup didn’t exist or the service (e.g. HTTP) conflicted with a service running on the AP itself.
The above screenshot shows pings to the factory device at 10.2.0.254 from the office LAN being replied to as unreachable not by the DrayTek (the pings never get that far) and instead by the ENH500 bridge.
Luckily the client chose to invest in a set of Ubiquiti NanoStation LocoM5’s which support a mode called WDS Transparent. This allows the MAC to remain in-tact as it traverses the bridge and is recommended by Ubiquiti to be ran as default.
Another issue encountered was that after a short period of time, for some unknown reason, the DrayTek would spam out on the LAN side a ton of MAC CTRL Pause message, overwhelming the LAN switch and killing network for anything on the same L2 segment. I did a Wireshark capture with my laptop connected directly to the DrayTek and nothing else in the loop but unfortunately didn’t save this, but the issue only happened twice and resolved after a reboot of the DrayTek. The DrayTek was running the latest “v2832_3882” firmware so it may be an issue in there?