RT6600ax and Sky Q on a VLAN problem

Currently reading
RT6600ax and Sky Q on a VLAN problem

DS920+, DS215j
Operating system
  1. Windows
Mobile operating system
  1. Android
I've just upgraded to a RT6600ax and so far I'm delighted with it. SRM 1.3.1 is great, and so familiar after using DSM for years. I'm eagerly anticipating receiving a WRX560 tomorrow so I can mesh up my home :)

I have a Sky Q 2TB box connected by ethernet to a VLAN on the RT6600ax, and the Sky Q box home screen says I have no internet connection so "on demand", "apps" etc are all empty except for the warning. The network settings are all good and the network setup screens on the Sky Q say everything is correctly connected. The Sky Q ethernet cable is plugged into a socket on the RT6600ax tagged to the VLAN. I can connect the Sky Q box to the VLAN WiFi SSID on either 5GHz or 2.4GHz with the same result. However if I connect it to the main/default network ( everything functions normally.

The VLAN is, and the main/default network is The VLAN gives as its default gateway and DNS server. DCHP is working fine.

Despite the Sky Q home screen saying I have no internet connection I actually do, because if I use voice commands via the remote control and ask for, say, BBC iPlayer, it opens up normally.

I've tried removing network isolation, IGMP snooping on and off, IGMP proxy on and off, firewall rules to allow the VLAN access to the main network - no joy. I even tried a firewall rule giving every device on the VLAN access to every device on the main network and even that didn't work (and undermines the whole point of the VLAN anyway!)

The whole idea of course is to use VLANs to isolate Sky, Sonos, IoT devices etc from the main network that hosts PCs, NASs, phones, and tablets.

Someone on the Sky forum suggested Sky Q boxes need IGMP access to the default gateway on the router. I'm not sure what this means or how to implement it on a RT6600ax and even if that's possible.

Any thoughts or suggestions greatly appreciated as this is driving me crazy! TIA.
Could it be there's a network testing utility that the Sky Q uses to determine if it can access the Internet. If you have installed Threat Prevention have a look to see if there are any dropped connections, may be for STUN signatures. But why would this be allowed on the main LAN?

I would compare the firewall rules that permit the main LAN to access (and be accessed from) the Internet. There may be more permissive rules that you haven't replicated to the private VLAN.

Can you manually configure the network setting in Sky Q?
Could it be there's a network testing utility that the Sky Q uses to determine if it can access the Internet.
Yes - when the network is configured the box tests it and says it's all good and connected to the router and the internet. The fact that voice control through the remote control device opens up internet streaming services shows the connection to the internet is working. It seems there is a part of the Sky Q interface that connects by a different route and that's what doesn't work when it's on the VLAN. Logs show that there is an additional MAC address inside the Sky Q box not matched to an IP address and someone on Reddit said this needed some kind of multicast thing going on and that IGMP was important but gave no more info than that and at that point my brain exploded.
If you have installed Threat Prevention
I've not installed that yet.
I would compare the firewall rules that permit the main LAN to access (and be accessed from) the Internet.
I can't find any. The RT6600ax goes straight to Sky through a Draytek Vigor 130 VDSL2 modem. There's no access to any firewall within the Sky box.
Can you manually configure the network setting in Sky Q?
Yes. You can set the usual stuff by hand. I've tried changing the default gateway to the primary LAN but that didn't work. I've also tried changing the DNS server from the VLAN default ( to NextDNS and that had no effect.
The default gateway is the router’s IP address on the VLAN. So is right. The DNS server can be whatever you want but it’s common to use the router’s IP again, they usually relay DNS.

It could be the SRM firewall. Or Safe Access if you have that enabled: it has a different default profile per LAN.
It could be the SRM firewall.
The only settings in the SRM firewall are uPnP port forwarding - ports 80 amd 443 to my DS920+
Or Safe Access if you have that enabled: it has a different default profile per LAN.
It was installed and on by default but I've turned it off now - no change :-(
Thanks for thinking this through. There's something weird about the Sky Q box I suspect.

I'll admit to not really understanding IGMP and multicast settings, and how the RT6600ax handles things between VLANs. I suspect the problem lies in that direction judging by what little I've been able to harvest from other forums.
AFAIK the IGMP snooping aids unicast/multicast packets being targeted to just those devices that want them. It seems to be LAN-side. While IGMP proxy is to span these packets across the firewall.

It may be that you need IGMP proxy enabled, but it's not clear if this only applies firewall rules for the primary LAN or includes rules for all others.

The IGMP snooping settings are available in the IPTV & VoIP page and also each local network's settings too. But the IGMP proxy is only on the IPTV & VoIP. Hence it's unclear to what proxy applies. I would open a Synology Support ticket to ask them.
Did a web search...

To view this content we will need your consent to set third party cookies.
For more detailed information, see our cookies page.

View: https://www.reddit.com/r/Ubiquiti/comments/byhgle/help_troubleshooting_skyq_on_vlan/

Turns out my problem was my firewall rules. I had a rule for my IoT network that drops all traffic to the router interface except DNS and DHCP. SkyQ seems to need icmp to work.The fix was to add another accept rule:

In the SRM firewall the rules are created for different protocols: UDP; TCP; UDP & TCP; ICMP. When you do a ping it comprises two ICMP message types: echo request; echo reply. So maybe you can try and see if allowing ICPM from the VLAN to router helps.
I saw that thread so one of the first things I tried was setting firewall rules fro ICMP with no luck. I've set rules up like this now:


It's still not working.

I've discovered that the MAC address linked to the Sky box IP address is different from the MAC address listed for the ethernet port in the Sky box's system info page. It's also different from the two wifi interface MACs. I made the sky box a reservation, deleted it from the DHCP client list, changed the MAC to the one Sky lists, rebooted everything and nothing's changed. The Reddit thread you found discusses this MAC address situation.

BTW I can ping addresses on the Media VLAN from the primary network, but the Sky box doesn't respond to pings.
Your third rule blocks IoT source and destination VLAN, I think the destination VLAN should be Primary. Not that this probably makes any difference. Are you 100% sure the Sky box is on the Media VLAN? I would try connecting a Mac/PC/mobile to the Media LAN (wired or wireless) and scanning the subnet to see what is found.

The bottom four default rules I guess are all Deny too.

I know what you are trying to achieve and that was my aim to for my Denon amps and other media devices. But I did struggle to have a mobile phone with the corresponding companion app on my main primary LAN and it reliably talk /find the main devices. Most assume everything is on the same subnet and fail when they are not, even when the discovery services can support cross-subnet (with router and switch help).

Synology Support may be able to help. We can hope!

Once this is all working...

I would also disable UPnP features of the router, they allow LAN clients to modify the perimeter security policy however they like: if a device doesn't know what it's doing or is acting maliciously then it can open up the policy and you won't know until you next check it. My preference is to create port forwarding rules myself and SRM will create corresponding firewall rules... or, I also prefer to, disable that automated feature and manually create the matching firewall rule since I can then limit the source IPs/regions that are permitted to use the port forwarder.
Your third rule blocks IoT source and destination VLAN, I think the destination VLAN should be Primary.
Good call thanks - my bad! I've corrected that now.
Are you 100% sure the Sky box is on the Media VLAN?
Yes. The IP settings are correctly dished out by the Media VLAN DHCP server, and are correct either on ethernet or over wi-fi. Attaching a PC to the same port as the Sky box picks up correct IP info and the PC functions completely normally on the internet. The Sky box shows up in SRM, listed in DHCP clients.
Synology Support may be able to help. We can hope!
I've just raised a ticket. I'll let you know what happens.
I would also disable UPnP features of the router
Thanks for the advice - I've done that now and manually created the 80 and 443 port forwarding to my DS920+. I don't need any others.

I'm really grateful for the time you've taken to consider this for me. Sky has some great products but the technical side is often weird and a bit parochial - Sky forums are full of people wanting to discard Sky routers (because they're pretty basic and can't be switched to modem mode) but doing so isn't easy as you have to buy a modem and then get a router with DHCP option 61 available as a setting which restricts choice quite a lot. I was delighted to discover Synology routers, as I've been very happy with Synology NASs for years. SRM is the easiest to use router interface I've ever seen, and I've had a lot of routers!
The only thing I would suggest to check is that Network Center's Local Network settings for the primary and other VLANs are the same (or similar). There are IGMP snooping setting for each network and IPv6 etc. Here's what mine look like for all networks:

Since my ISP doesn't IPv6 all my local networks have IPv6 disabled.

If you really cannot get the Sky Q issue fixed then there could be the alternative: use the primary LAN for Media; use one of the other VLANs for your main use. It would require a little reconfiguration of the WIFi (SSID and authentication), LAN subnets changed over, firewall rules to be checked for the right internal network interface, router port assignment (they default to trunk ports so devices would be on the default ID 0 VLAN).

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

  • Question
Do Synology routers have a temperature monitor? I'm looking all over SRM and am not finding one. I'm...
Just sharing my experience here. I was getting a little jumpy after having my 2nd Synology router the...
I have a UPS so power out isn't and issue. I dont reboot my router that much so not much of an issue...
How are you testing? The best way is via ethernet cable, if you are testing using wifi, you introduce lots...
I misspoke. I should have said "limited to 5 Vlans". I'm not sure why Synology limits the number of Vlans...

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads