Difference between LAN and VLAN - AirPlay?

Is there a qualitative difference between a “normal” user LAN, i.e., the first account you set up when starting the Pepwave Surf, and subsequent VLANs? In my case, I have three “accounts” set up - the Main LAN, a Guest VLAN, and an IoT (Internet of Things) VLAN.

I cannot stream music from my iPhone to my Yamaha Audio Video Receiver on either of the two VLANs; it must be on the Main LAN. Since I’ve separated the LANs on purpose, I don’t wish to have IoT music streaming on my Main LAN.

Is there anything I can do without reducing security?

Hey home user here SURF MK3.

You would stream to it via Bluetooth or get a chromecast if you wish to maintain the integrity of your VLANs.


If the Yamaha receiver supports peer to peer WiFi connections you could do it that way…

Hopefully the newer receivers aren’t still using insecure WEP!!! Don’t use WEP.


You could also temporarily join the WiFi network (or VLAN) the receiver’s on using your phone/tablet and check if the Yamaha APP can talk to it. Most phones/tablets allow you to enter multiple WiFi networks to connect to.


If the receiver is wired up with a network cable you would have to login to the SURF and navigate to
Network>Port Settings>VLAN and set the port its on to the same VLAN as your entertainment devices on WiFi are using.


I believe you can also enable inter-VLAN routing (Network>Network Settings>select a VLAN> select Inter-VLAN Routing) but that defeats the purpose of using VLAN’s to isolate client devices. Although you could do this temporarily. I think my other solutions are the simple ones that are easy to do and preserve VLAN isolation of devices.

:speaking_head: Hope that helps!

1 Like

Nope. I also have the surf soho and it doesn’t support “bonjour” forwarding.

Airplay broadcasts using proprietary protocol called Bonjour. Devices need to “see” these broadcasts in order to connect.

I may sell my surf soho to a family member and upgrade to a Balance One which offers this feature. So you could create a VLAN with Airplay devices and enable bonjour forwarding to your mainLAN. Something like that.


I don’t know if you could achieve the same with the Surf Soho by creating intervlan rules specific to Bonjour. Not sure if anyone has done it, but it should be feasible I would think.

1 Like

FYI. I have a Marantz receiver with built in AirPlay.

I hardwired to mainLAN but created a firewall rule to block any outgoing to WAN.

So I can still use Airplay but know it’s not connecting out to the internet somewhere.

As for Apple ports, here’s a list


See footnote 15 but that’s for audio. I can’t believe there is no easy way to do this. Maybe get a hold of an old APPLE airport (or other?) and LAN it up to the SURF? Can you ADHOC these idevices? Maybe dedicate an old idevice to the receiver and mirror to it? Sorry if there was a way stego would know.

More stuff…



1 Like

Thought about the simplest way - swap the Main LAN to IoT and use the VLAN for our personal traffic, allowing only that VLAN to access the router admin page. That’s the main reason I asked if there were differences in quality between the LAN and VLAN. Still, that seems excessive. Yep, it should be easier.

I actually do have an old AirPort router, but I’m insufficiently advanced to avoid the double-NAT problems I’m pretty sure I’d encounter.

Great list, stego, thanks. I only wish I were capable of using it effectively.

Absent a router fix, I’m planning a Raspberry Pi-based digital music player, and connecting it to the Yamaha AVR with digital coax or HDMI.

1 Like

Try making a test network with the old airport and a few of your idevices? Don’t disturb your main network until you can prove that it works.

Other stuff…

Your old airport should be fairly easy to configure: “The airport utility allows users to easily attach the airport to existing routers and extend or join networks…” according to one recent amazon reviewer. You may still have to forward the apple/bonjour related ports on the SURF though and/or related firewall settings.

Then later you can get a Balance One.


1 Like

For a test you could try plugging the airport’s LAN or WAN into LAN port 4 on the SURF…

…and see if it the bonjour / zero configuration protocol works without further tweaking.

Airplay also expects all iDevices to be on the same subnet so you should configure LAN port 4 on the SURF onto the iDevice VLAN…

Network>Port Settings>LAN Port 4>select a VLAN

If everything is on the same VLAN then no ports should have to be opened. Again YMMV - I am not a network engineer. Also stego has worked on this a lot more than I have. I use apple products but not AIRPLAY. I use other cheap widely adopted off the shelf solutions that “just work”. Although BLUETOOTH is not great for high end audio - when it drops out it could pop your tweeters/ear drums.

You could also try enabling NAT-PMP and UPnP on the SURF…

Advanced>Port Forwarding>NAT-PMP/UPnP

and try enabling IGMP snooping…

AP>Wireless SSID>select your iDevice wireless network>click the question mark for advanced settings>IGMP Snooping

Tweaking these settings may help an airport connected to the SURF. But that’s up to you to test.

It’s worth noting that some of these airport’s firmwares may have received their last updates in 2012-2013 and this may present a security risk. If I am to understand correctly, airports are no longer built or supported by apple. Updating the firmware on your client iDevices may improve network functionality.

This article by Steve Gibson shows me that adding a single additional router to the network can expose the network to Man in the Middle attacks Steve Gibson's Three Router Solution to IOT Insecurity - PC Perspective , so I think I’d best avoid it until I buy the Balance and then have two additional routers.

Yes, my AirPort’s circa 2011, replacing another one killed in a power surge. I don’t know when Apple stopped updating them, but I did read they’d reassigned their engineers some time ago, so updates are unlikely. I suspect I should recycle it.

Why not use VLANs in your Surf SOHO or Balance One (if/when you get it) instead of using additional routers and dealing with double-NAT configurations and multiple points of failure? You also have to maintain firmware updates on 3 routers instead of one.

Using additional routers doesn’t solve the AirPlay issue across subnets. If your iPhone is on the secured lan and your Airplay receiver or AppleTV is on the IoT lan, the iPhone still wont see them. You’d have to connect your iPhone to your IoT lan.

I also enable L2 isolation in my IoT vlan so that each device doesn’t see any other device in the subnet.

True. I’m using VLANs and AirPlay (or Yamaha MusicCast) will not work on a VLAN - it works only on the main (secured) LAN. I supposed that if I could get AirPlay to work on a VLAN I could always buy an older iPhone without SIM card to serve as a controller on the IoT VLAN, but I haven’t had any success and am about to give it up. Security is more important to me than music streaming.

The following distinction between lan and wan is explanatory enough.The informations are illustrative and brief.I have tried out that .I have following two queries in this trail that I have setup my router to create a OpenVPN connection and I have installed the OpenVPN app on my Samsung Android phone. Uptil this it worked out fine.
Now I just want to view my cameras using the iVMS-4500 app on my phone, while I’m on the OpenVPN connection. But I don’t know anything about what information I have to enter into the app.I have thought that I can choose between HiDDNS - IP/Domain - IP Server, but I think I have to use IP/Domain.
But,when I selecting the IP/Domain, I entered the IP of my camera ( in the adresse field, and the portnumber in the port field, and then username and password. But it does not work.And secondly,I am unable to setup VPN server In my Arlo pro 2.Suggest us what to do regarding these arlo app for pc ?

@natasha67 If your OpenVPN operation is creating a tunnel into the subnet where the NVR is located the address you should enter into iVMS-4500 is that of the NVR, not the camera. You’re not trying to view a camera directly, right?

Just FWIW, we have found HikVision’s software to be rather “unrefined” and good help is seldom available getting things to work.

1 Like

Creating a new admin VLAN on the SURF MK3 so you can dedicate the Untagged LAN to Airplay devices

I successfully tested moving the admin subnet to a different VLAN and gave the Untagged LAN a new IP range / subnet as well. It’s easy to get locked out of admin when you change these settings. So the order in which the changes are made is important. Make a configuration save before commencing.

Step 1

System>Admin Security>LAN Connection Access Settings

Select Any. Click save and Apply Changes .

Step 2

Go to Network>Network Settings

Assign the Untagged LAN a new IP range / subnet.

Click save - but do not Apply Changes yet .

Create a new VLAN (I called mine PORT1 - which is where my admin computer is plugged in) and use the original Untagged LAN IP range / subnet settings (, - so your admin computer can log in.

Click save - but do not Apply Changes yet .

Step 3

Go to Network>Port Settings and assign the newly created VLAN named PORT1 to LAN Port 1

Now Click Save and Apply Changes

Step 5

Go back to System>Admin Security>LAN Connection Access Settings and select the new VLAN you assigned to manage from PORT1 (12)

Click Save and Apply Changes

Step 6

Now the Untagged LAN is available for Airplay devices exclusively.

1 Like