OPNsense Forum

English Forums => General Discussion => Topic started by: neomorpheus on December 12, 2025, 05:23:04 PM

Title: Need some guidance in how to set up my network with IoT devices.
Post by: neomorpheus on December 12, 2025, 05:23:04 PM
Hi.

I have a Qotom firewall that has 6 ethernet ports, but it's not a switch.

I also have an unmanaged switch, a TP Link TL-SG1005D.

I currently have the following on my network:

1- NAS hardwired with several Docker containers.
2- 1 PC hardwired, but I am planning on moving it to wireless.
3- Omada EAP670 Access Point, controlled from a Docker container.
4- Wireless door bell.
5- Indoor wireless camera.
6- Multiple smart plugs by Tapo.
7- Phones and tablets.
8- TV and Streamer.
9- WireGuard server in the OPNsense firewall.

Besides the NAS, I will be moving to wireless since my needs allow it.

I want to eliminate the switch (if possible) and also, have the IoT devices separated from the rest of the network devices.

In the future, I will replace the firewall with another PC that will have 2.5Gb NICs, but that's an upcoming project.

Suggestions as to how I can proceed?

Thanks.

PS: Sorry, but I am not a network expert, so I will definitely need some handholding here.
Title: Re: Need some guidance in how to set up my network with IoT devices.
Post by: coffeecup25 on December 12, 2025, 07:06:03 PM
I can give you the highlights, from memory. Hopefully my memory will get you started.

It's easy to create a 2nd subnet. Personally I would save the switch and connect the 2nd subnet to it. Then you know without thinking what is LAN and what is IOT. Also, I have no idea how to associate more ports with either subnet.

1) Create an interface for a spare port
2) Associate the interface with a subnet
3) Copy the 2 default rules from LAN to IOT and edit accordingly
4) Create a rule on IOT to keep it out of LAN
5) Create a rule on LAN to keep it out of IOT

Hopefully I did not forget a step.

Done. No need to mess with VLANs. Don't even think about them.

If you are using AdGuard Home on OPNsense and want it to patrol both subnets, you have to edit AdGuardHome.yaml to service both subnets, then reboot the router. I don't recall the exact section. It took me days to figure this out, btw. Rules have no effect on this.

Most people seem to have 'special situations' that make it difficult to answer questions like this. This answer is the best I can provide.
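The rule logic of steps 3 to 5, written as a pf.conf fragment so the intent is visible in one place. This is an added example, not this post's own text and not the ruleset OPNsense generates from its GUI; the interface names, subnets and the monitoring host address are assumed.

```pf
# Assumed names: adjust to the interfaces and subnets OPNsense shows you.
lan_if  = "igb1"             # existing LAN port
iot_if  = "igb2"             # spare port turned into the IOT interface (step 1)
lan_net = "192.168.1.0/24"   # LAN subnet
iot_net = "192.168.20.0/24"  # subnet assigned to IOT (step 2)
iot_gw  = "192.168.20.1"     # firewall's own address on the IOT interface
monitor = "192.168.1.50"     # assumed: the phone/tablet that watches the camera

# IoT devices still need DHCP and DNS from the firewall itself.
# (If AdGuard Home answers DNS, it must also listen on $iot_gw; a pass
# rule alone does not make it do so, which is the point made above.)
pass in quick on $iot_if proto udp from any port 68 to any port 67
pass in quick on $iot_if proto { tcp udp } from $iot_net to $iot_gw port 53

# Step 4: IOT may not start connections toward LAN.
block in quick on $iot_if from $iot_net to $lan_net

# Step 3: the "default allow" copied from LAN, now reaching everything
# except LAN because the block above matched first.
pass in on $iot_if from $iot_net to any

# Step 5: LAN is kept out of IOT, with one exception for the monitoring
# device. pf keeps state by default, so the camera's replies to that
# device are allowed without any extra rule on the IOT side.
pass in quick on $lan_if from $monitor to $iot_net
block in quick on $lan_if from $lan_net to $iot_net
pass in on $lan_if from $lan_net to any
```

In OPNsense these map onto GUI rules on the IOT and LAN interfaces in the same top-to-bottom order; the "quick" keyword is what the GUI's default rule behaviour already gives you.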
Title: Re: Need some guidance in how to set up my network with IoT devices.
Post by: neomorpheus on December 12, 2025, 07:34:38 PM
Thank you, that provides some guidance.

Remember that I only have one AP and both the IoT and regular devices are using it.

So sadly, I'm not sure how to proceed with your steps 2 and 3.
Title: Re: Need some guidance in how to set up my network with IoT devices.
Post by: coffeecup25 on December 12, 2025, 07:45:57 PM
Quote from: neomorpheus on December 12, 2025, 07:34:38 PM
Thank you, that provides some guidance.

Remember that I only have one AP and both the IoT and regular devices are using it.

So sadly, I'm not sure how to proceed with your steps 2 and 3.

What you want to do is not possible with 1 access point if each subnet needs wireless. You need a different SSID for each network. This is true even if you want to use a switch-controlled VLAN.

Routers are cheap. Tapo doorbells and whatnot do not need the latest and greatest. Best wishes.


Title: Re: Need some guidance in how to set up my network with IoT devices.
Post by: neomorpheus on December 12, 2025, 07:55:18 PM
I believe that I can create multiple SSIDs on this AP.

What I really don't know how to do is attach the AP physically to my Qotom, configure it in a way that it handles both subnets, and allow my mobile devices to reach those IoT devices for monitoring.
Title: Re: Need some guidance in how to set up my network with IoT devices.
Post by: coffeecup25 on December 12, 2025, 08:00:41 PM
Quote from: neomorpheus on December 12, 2025, 07:55:18 PM
I believe that I can create multiple SSIDs on this AP.

What I really don't know how to do is attach the AP physically to my Qotom, configure it in a way that it handles both subnets, and allow my mobile devices to reach those IoT devices for monitoring.

Access points are in the same broadcast zone. It won't work. Even some routers in router mode are iffy with 'guest networks'. I will wave my hand in the air and think good thoughts but that's the best anyone can do for you. There may be an access point somewhere that can automagically do a vlan on an access point, but I doubt it.

If the access point idea worked, then you would not need OPNsense to assist.

Title: Re: Need some guidance in how to set up my network with IoT devices.
Post by: neomorpheus on December 12, 2025, 08:34:58 PM
Something just occurred to me, the applications that need to talk to these IoTs should be able to continue working via web access.

But to keep this simple, let's forget the VLAN and IoT. How about replacing the switch by using the ports that already exist in my router?

As mentioned, I only really need 2 ports, the NAS and the AP, the rest can use my wifi network.

How do I set those two ports?
Title: Re: Need some guidance in how to set up my network with IoT devices.
Post by: coffeecup25 on December 12, 2025, 09:13:50 PM
Quote from: neomorpheus on December 12, 2025, 08:34:58 PM
Something just occurred to me, the applications that need to talk to these IoTs should be able to continue working via web access.

But to keep this simple, let's forget the VLAN and IoT. How about replacing the switch by using the ports that already exist in my router?

As mentioned, I only really need 2 ports, the NAS and the AP, the rest can use my wifi network.

How do I set those two ports?

1) If the NAS is on a different subnet, then no other subnet can talk to it, defeating the purpose of a NAS

2) If the AP is on an isolated subnet, then LAN and NAS cannot use it

3) If you do some workaround to fix that, you end up where you began

4) Best wishes. You need to think this through again.

5) I'm out of ideas. Perhaps someone else has a better idea outside my range of experience.
Title: Re: Need some guidance in how to set up my network with IoT devices.
Post by: neomorpheus on December 12, 2025, 09:41:50 PM
Quote from: coffeecup25 on December 12, 2025, 09:13:50 PM
4) Best wishes. You need to think this through again.


Wait, did I upset, disrespect or offend you somehow?

I'm only looking for a simple solution to an issue which would help me remove extra hardware from the network and perhaps learn how to secure my network a bit more.
Title: Re: Need some guidance in how to set up my network with IoT devices.
Post by: coffeecup25 on December 12, 2025, 10:14:10 PM
Quote from: neomorpheus on December 12, 2025, 09:41:50 PM
Quote from: coffeecup25 on December 12, 2025, 09:13:50 PM
4) Best wishes. You need to think this through again.


Wait, did I upset, disrespect or offend you somehow?

I'm only looking for a simple solution to an issue which would help me remove extra hardware from the network and perhaps learn how to secure my network a bit more.

No, I replied factually to the best of my ability. Things work as they do. You can't negotiate how an access point works. I suspect I simply should have not answered at all. Perhaps you should google networks and add some background knowledge next. As we all did. I gave you an instant answer at the top of this thread.
Title: Re: Need some guidance in how to set up my network with IoT devices.
Post by: passeri on December 13, 2025, 03:11:22 AM
Get another AP. Attach one to each of the two LAN ports, configured as described by coffeecup25. Run the IoT one on the 2.4 GHz band as a completely separate network from your primary LAN devices on a 5 GHz band. Usually IoT devices do not need much data, so bandwidth is unlikely to be an issue. You can find APs with a few ethernet ports at low cost.

It is possible to run multiple wireless networks off a single AP but that does not solve your upstream problems as easily as whacking on another AP on a distinct network.
Title: Re: Need some guidance in how to set up my network with IoT devices.
Post by: neomorpheus on December 13, 2025, 02:55:07 PM
Thanks for the replies.

Since the solution involves spending money and reading other people's guides, I will simply bite the bullet and go with a UniFi Gateway.
Title: Re: Need some guidance in how to set up my network with IoT devices.
Post by: coffeecup25 on December 13, 2025, 03:07:55 PM
Quote from: neomorpheus on December 13, 2025, 02:55:07 PM
Thanks for the replies.

Since the solution involves spending money and reading other people's guides, I will simply bite the bullet and go with a UniFi Gateway.

It almost physically hurts to listen to your plans to waste money.

Seriously, read something. It's not a punishment and it saves money.

As passeri stated, IOT on 2.4 GHz in the form of a 2nd AP on the new port is all you need. Amazon Resale offers them as returns for pennies on the dollar. Or, just buy a new older AC model. Lots of IOT devices use 2.4 GHz only. Range extenders also help, depending on your situation. People seem to return new ones because they get confused setting them up. Very cheap sometimes.