October 1, 2025

To set up a VLAN on a Zyxel Flex router that connects to a Zyxel GS switch and passes the VLAN to a UniFi access point’s SSID, follow this general process:

admin014 mins

1. Set up VLAN on the Zyxel GS Switch

1.1 Access the Switch Web GUI:

  • Enter the switch’s IP address in your browser to access the web interface.
  • Go to Switching > VLAN > VLAN Setup > Static VLAN.

1.2 Create VLANs:

  • For each VLAN (e.g., VLAN 10 for guests, VLAN 20 for staff), click “Add/Edit” and configure the following:
    • VLAN ID: Specify the VLAN ID (e.g., 10, 20).
    • VLAN Name: Give each VLAN a descriptive name (e.g., “Guest” or “Staff”).
    • Tagged/untagged Ports:
      • For the trunk port connecting to the access point, check the Tx Tagging box for each VLAN ID (so the traffic for each VLAN will be tagged).
      • For the ports connected to untagged devices (e.g., a PC or non-VLAN-aware device), leave them as untagged.

1.3 Set the PVID:

  • Go to VLAN Port Setup and configure the PVID (Port VLAN ID) for each port:
    • For trunk ports (ports that will carry multiple VLANs to the access points), leave the PVID as the default or set it as the management VLAN if required.
    • For access ports (ports that will carry a single VLAN), set the PVID to the VLAN ID of the device.

1.4 Configure Trunking:

  • For the ports connected to the UniFi APs, set them to trunk mode:
    • Go to Switching > VLAN > VLAN Port Setup.
    • Set the ports connected to the APs to Tagged for all VLANs that need to be passed (e.g., VLAN 10, VLAN 20).
    • Ensure the switch port that connects to the Zyxel router is also set as a trunk port so it can carry multiple VLANs​(Zyxel Support)​(Zyxel Support).

2. Configure VLAN on the Zyxel Flex Router

2.1 VLAN Setup:

  • Access the Zyxel Flex router web GUI and navigate to Network > VLAN > VLAN Configuration.
  • Create VLANs (e.g., VLAN 10, VLAN 20) that match the VLAN IDs used on the switch.
  • if you need DHCP also See below
  • Setting Up the VLAN and DHCP on the Zyxel Flex Router
  • Log in to the Zyxel Flex Router
    • Open your web browser and navigate to the router’s IP address (e.g., 192.168.1.1).
    • Enter your login credentials.
  • Create a New VLAN
    • Navigate to Configuration > Network > VLAN.
    • Click Add to create a new VLAN.
    • Enter a VLAN ID (e.g., 10 for Guest VLAN).
    • Assign a name (e.g., “Guest VLAN”).
  • Set Up IP Addressing (Including /24 Subnet)
    • Assign an IP address to the VLAN interface, for example: 192.168.10.1/24.
      • The /24 subnet gives a range of IP addresses from 192.168.10.1 to 192.168.10.254, with 192.168.10.1 being the default gateway for devices on this VLAN.
    • Make sure the subnet mask is set to 255.255.255.0.
  • Enable DHCP for the VLAN
    • Still in the VLAN Configuration, locate the DHCP Setup section.
    • Enable DHCP for the VLAN:
      • DHCP Range: Set a range for your DHCP addresses within the VLAN’s subnet, e.g., from 192.168.10.100 to 192.168.10.200.
      • Lease Time: Set the lease time for how long devices can retain their IP address (e.g., 24 hours).
    • Configure DNS Settings (e.g., pointing to your router IP 192.168.10.1 as the DNS server or use external DNS like 8.8.8.8).
  • Save the Configuration
    • Click Save to apply the VLAN and DHCP settings.

2.2 Trunking Configuration:

  • Configure the LAN interface that connects to the GS switch to trunk mode:
    • Go to the LAN interface settings on the router and allow it to carry multiple VLANs. Ensure all VLANs (e.g., VLAN 10, VLAN 20) are tagged appropriately.
    • Ensure routing between VLANs is disabled if isolation is required (for example, if you don’t want guest VLAN traffic to mix with staff VLAN traffic).

3. Configure the UniFi Access Point

3.1 Assign VLANs to SSIDs:

  • In the UniFi Controller, go to Settings > Wireless Networks > Create New Wireless Network.
  • For each SSID:
    • Assign the corresponding VLAN ID. For example, assign VLAN 10 to the “Guest” SSID and VLAN 20 to the “Staff” SSID.
    • This ensures that traffic from different SSIDs is tagged and carried over the network correctly.

3.2 Ensure Trunking on the UniFi AP:

  • The port on the GS switch that connects to the UniFi AP should be set to trunk mode and tagged for all necessary VLANs. This allows the AP to receive traffic for multiple VLANs and assign it to the appropriate SSID​(Zyxel Support)​(Zyxel Support).

4. Testing and Verification

  • After configuring the VLANs and trunking, test the setup:
    • Connect devices to the SSIDs assigned to different VLANs and ensure they receive IP addresses from the correct subnet.
    • Check that devices on different VLANs (e.g., Guest and Staff) are isolated as required, meaning they should not be able to communicate with each other unless specified.

Following this configuration, your Zyxel GS switch will be correctly passing multiple VLANs to the UniFi access points through trunk ports, ensuring proper traffic segmentation based on SSIDs. This setup isolates traffic across VLANs while allowing tagged VLAN communication between the devices

​(Zyxel Support)

Set Up Firewall Rules on the Zyxel Flex Router

1.1 Create Rules for Internet Access:

To allow devices on each VLAN to access the internet, you need to set up firewall rules that enable outbound traffic from each VLAN to the WAN interface.

  1. Access the Firewall Settings:
    • Log into your Zyxel Flex router’s web interface and go to Security > Firewall > Add New Rule.
  2. Add Outbound Rules for VLANs:
    • For each VLAN, create a rule that allows traffic to the internet (WAN):
      • Source: Set the source as the specific VLAN (e.g., VLAN 10 for Guest).
      • Destination: Set the destination as the WAN or Any (depending on your router’s options).
      • Action: Set the action to Allow.
      • Protocol: Set this to All, or specify HTTP/HTTPS if you only want to allow web traffic.
      • Schedule: If needed, you can also schedule this rule to be active only during certain times.
    • Repeat this step for each VLAN (e.g., VLAN 10, VLAN 20).

This ensures that devices in different VLANs can access the internet but are isolated from one another unless further rules are configured.

1.2 Blocking Inter-VLAN Traffic (Optional):

If you want to prevent devices in one VLAN (e.g., guests) from accessing devices in another VLAN (e.g., staff), you’ll need to create deny rules.

  1. Create Deny Rules Between VLANs:
    • Go to Security > Firewall > Add New Rule.
    • Configure the rule as follows:
      • Source: Specify the source VLAN (e.g., VLAN 10 – Guest).
      • Destination: Specify the target VLAN (e.g., VLAN 20 – Staff).
      • Action: Set this to Deny.
      • Protocol: Choose All if you want to block all types of traffic.
    • Repeat this process for other VLANs that need to be isolated from each other.

1.3 Allowing Limited Traffic Between VLANs (Optional):

If you want to allow specific traffic between VLANs, such as allowing communication between staff and a server in another VLAN, follow these steps:

  1. Create Allow Rules Between VLANs:
    • Go to Security > Firewall > Add New Rule.
    • Configure as follows:
      • Source: Set this to the source VLAN (e.g., VLAN 20 – Staff).
      • Destination: Set this to the destination VLAN (e.g., VLAN 30 – Server).
      • Service: If you want to restrict the communication to specific services (e.g., file sharing or specific ports), specify this here.
      • Action: Set to Allow.
  2. Fine-Tuning Rules:
    • Ensure that the allow rule is placed above any deny rules so it can take precedence.

2. Testing and Verification:

  • Test Internet Access: After setting the rules, connect devices to the different VLANs and verify they can access the internet.
  • Test VLAN Isolation: Test to ensure devices in separate VLANs cannot communicate (if you’ve blocked inter-VLAN traffic).
  • Test Allowed Communication: If you’ve allowed specific traffic between VLANs, ensure only the permitted services can communicate.

3. Optional Enhancements:

3.1. Use Zone-Based Firewall (Zyxel Flex Routers):

Some Zyxel Flex routers support zone-based firewall configuration, where you can assign VLANs to different security zones and create policies that dictate how these zones interact. This provides more granular control over inter-VLAN traffic.

3.2. Use DHCP for VLANs:

Ensure that DHCP is correctly configured on the router for each VLAN so devices receive proper IP addressing.

3.3. Enable Logging:

Enable logging for the firewall rules to monitor any traffic that is being blocked or allowed. This can help in troubleshooting and ensuring that the rules are working as intended.

By following these steps, you can ensure that your VLANs have proper internet access while controlling traffic between VLANs and enhancing the security of your network ​(Zyxel Support)