OPNsense Forum

English Forums => General Discussion => Topic started by: bloodyNetworker on April 11, 2026, 11:15:27 PM

Title: Trouble understanding VLANs
Post by: bloodyNetworker on April 11, 2026, 11:15:27 PM
Hey there,
As my name suggests, I'm a newbie in networking.
I have a specific problem on my network, which led me to VLANs:
I have two Access Points TP-Link M4R in my LAN and they served my home well for about now 2 years.
Recently, I've set up OpnSense and came to the conclusion that both of my TP-Link Access Points are responsible for more than 10% of my entire internet traffic:
As you can tell from the uploaded image, this orange line is all the telemetry those access points share with google, live.com, reddit, amazon, linkedin etc...
I want to put an end to this.

I've thought about some possible solutions and came to the conclusion that I can create multiple VLANs and then restrict those specific VLANs how I like.
Here is how I imagine how in the end the interfaces in OpnSense should look like:
LAN (10.0.0.0) - unrestricted access only for me, the admin
VPN (10.0.1.0) - access to selfhosted service + internet (homeserver as Exit Node) through TailScale plugin, also only for me
FAMILY (10.0.2.0) - access to devices on interface IOT + internet
UNTRUSTED (10.0.3.0) - access to internet
IOT (10.0.4.0) - no access to internet, neither to any other devices on home network

As far as I understand it, because OpnSense is by default a stateful firewall any requests from "higher" VLANs such as FAMILY to IoT devices won't be blocked by the firewall unless IoT devices "request first". So I should be able to safely put in there my printer, the access points etc... without losing functionality because devices in FAMILY can get replies back from my IoTs.
Please let me know if my assumption is correct.

I'm looking forward to assign the interfaces FAMILY, UNTRUSTED and IOT each a different wireless SSID.
So to differentiate connected devices through WLAN by their corresponding VLANs, I'd need VLAN tagging, which needs to be supported by my switch as well as my access points, am I right?

THE ISSUE - This is the point where I'm having trouble understanding how to apply my network in the way I have described and envisioned:
My family runs most of their devices through WLAN provided by the TP-Link access points.
Then there are also the devices, which I'd rather have under the UNTRUSTED VLAN: Two LAN connected devices at home and the rest of them will be guest devices also connected through WLAN.
Assuming the access point delivers the switch with connections of 3 separate VLAN tags, which are inherited by the origin of their corresponding WLAN network (SSID), I'd still have to figure out a way to assign my access points to the IOT VLAN. Is there such a possibility (maybe in their software settings)? They run through ethernet cables so I won't be able to distinguish by the SSID like I'd do for the devices on WLAN. The two devices that are also connected through ethernet, which I want to have on UNTRUSTED, strike me with this similar problem. One of them runs through its own NIC so AFAIK it should be possible to tag a specific NIC on my switch to UNTRUSTED and that should do it (correct me if I'm wrong please). The other device - let's call it Benny from now on for the sake of ease - is connected by ethernet through the same NIC of one of the access points (there is no way for me to put it in a different NIC).
So there you have the problem in conclusion:
There is an access point connected to the only NIC in the room. That access point has to be in IOT. Then there is Benny (the other device), which needs to run through the same NIC as that access point does, but Benny has to go to UNTRUSTED. How am I supposed to differentiate that in software? The only solution I currently see is to distinguish by Benny's MAC address - since it's unusual for ethernet-connected devices to spoof their MAC address this should work - but seems for me a bit unreliable. Isn't there something I'm missing out?

What do you suggest?
Am I misunderstanding anything, or would you do something different than I've imagined?
Do you have recommendations for products (access points + switch) / brand that could help me best with my needs? I really don't want to break my bank, just something reliable that does the job.
Sorry for the long text, I just thought it's important to tell the whole story so that I don't appear confusing.

Thanks in advance!
Title: Re: Trouble understanding VLANs
Post by: nero355 on April 12, 2026, 12:40:27 AM
Quote from: bloodyNetworker on April 11, 2026, 11:15:27 PM
I have a specific problem on my network, which led me to VLANs:

I have two Access Points TP-Link M4R in my LAN and they served my home well for about now 2 years.

Recently, I've set up OpnSense and came to the conclusion that both of my TP-Link Access Points are responsible for more than 10% of my entire internet traffic:
As you can tell from the uploaded image, this orange line is all the telemetry those access points share with google, live.com, reddit, amazon, linkedin etc...
I want to put an end to this.
I don't think your Accesspoints can do that by themselves to be honest : You should look at the connected Clients !!

Quote: I've thought about some possible solutions and came to the conclusion that I can create multiple VLANs and then restrict those specific VLANs how I like.
Here is how I imagine how in the end the interfaces in OpnSense should look like:
LAN (10.0.0.0) - unrestricted access only for me, the admin
VPN (10.0.1.0) - access to selfhosted service + internet (homeserver as Exit Node) through TailScale plugin, also only for me
FAMILY (10.0.2.0) - access to devices on interface IOT + internet
UNTRUSTED (10.0.3.0) - access to internet
IOT (10.0.4.0) - no access to internet, neither to any other devices on home network
Cool plan, but your Accesspoints don't support VLANs for multiple SSIDs : https://www.tp-link.com/us/deco-mesh-wifi/product-family/deco-m4/#specifications

Quote: As far as I understand it, because OpnSense is by default a stateful firewall any requests from "higher" VLANs such as FAMILY to IoT devices won't be blocked by the firewall unless IoT devices "request first".
So I should be able to safely put in there my printer, the access points etc... without losing functionality because devices in FAMILY can get replies back from my IoTs.
Please let me know if my assumption is correct.
Printer : Yes!
Accesspoints : No!
The reason is that your SSID would be "talking from the IoT VLAN" so to speak and then the traffic is blocked !!

Quote: I'm looking forward to assign the interfaces FAMILY, UNTRUSTED and IOT each a different wireless SSID.
So to differentiate connected devices through WLAN by their corresponding VLANs, I'd need VLAN tagging, which needs to be supported by my switch as well as my access points, am I right?
Yes!

Quote: I'd still have to figure out a way to assign my access points to the IOT VLAN.

Is there such a possibility (maybe in their software settings)?
With the right Managed Switches and better Advanced Accesspoints you can do that, but not with a super basic Mesh set like the TP-Link M4 that you have now!

Quote: They run through ethernet cables so I won't be able to distinguish by the SSID like I'd do for the devices on WLAN. The two devices that are also connected through ethernet, which I want to have on UNTRUSTED, strike me with this similar problem. One of them runs through its own NIC so AFAIK it should be possible to tag a specific NIC on my switch to UNTRUSTED and that should do it (correct me if I'm wrong please). The other device - let's call it Benny from now on for the sake of ease - is connected by ethernet through the same NIC of one of the access points (there is no way for me to put it in a different NIC).
If you want an Advanced Accesspoint that also has a built-in Managed Switch then look at one of these :
- TP-Link Omada Wall Accesspoints
- Ubiquiti UniFi In-Wall Accesspoints

Quote: How am I supposed to differentiate that in software?
With the right networking equipment everything is possible! ;)

Just please don't do this kind of crap :
Quote: spoof their MAC address
Stupid and unnecessary !!

Quote: Do you have recommendations for products (access points + switch) / brand that could help me best with my needs?

I really don't want to break my bank, just something reliable that does the job.
If you want to keep things cheap then I would consider something like this :
- A couple of TP-Link 108E Switches.
- The earlier mentioned TP-Link Omada Wall Accesspoints.

But please double check the following :
- AFAIK the 108E Switches can't be controlled by a Omada Controller, but I am not sure if this is still the case...
This is not a big deal, but make sure you are aware of this before you start buying everything !!
- AFAIK the Wall Accesspoints are not sold with a PoE+/PoE Injector so you need to either buy those too or consider a Managed Switch with enough PoE+/PoE power instead of the PoE+/PoE Injectors !!

Quote: Sorry for the long text
Long text is OK, but just make it a bit more readable the next time ;)



Good luck! :)
Title: Re: Trouble understanding VLANs
Post by: pfry on April 12, 2026, 02:14:26 AM
Quote from: bloodyNetworker on April 11, 2026, 11:15:27 PM
[...]Here is how I imagine how in the end the interfaces in OpnSense should look like:[...]

I use something similar, with four bridges (I run everything through the firewall, and bridges make for convenient addressing; also, my Internet service is bridged): EDGE (static IPs), TRUST, GUEST, and JAIL. (I haven't used a VPN in a while.)

I only have one wireless access point (I own... uh... five, but I barely use one) (running OpenWRT), and I break it down into (surprise) two bridges: "management" and "access", segregated by physical interface (I didn't bother with VLANs). The "access" bridge has no IP address, so no communication from the AP itself, and is plugged into the guest bridge; the management side is jailed (and gets an IP from the firewall via DHCP). I used bridges in case I want to plug something else into them (temporarily), as the AP is handy and has 5 ports. Anyway, it's likely too simple for your needs. I suppose if I wanted different access levels I could just plug in a couple more APs, but I only use wi-fi to update my phone.

I do use VLANs, but only to aggregate interfaces onto the firewall. That is, I assign a unique VLAN (untagged) to each access port on my switches, and all (tagged) to the uplink to the firewall, turning the switches into port expanders. I then assign each port (physical or VLAN) on the firewall to the appropriate bridge. Positive separation for (effectively) unlimited ports with three DHCP pools.
Title: Re: Trouble understanding VLANs
Post by: bloodyNetworker on April 12, 2026, 02:18:18 PM
Quote: I don't think your Accesspoints can do that by themselves to be honest : You should look at the connected Clients !!
I checked again just to be sure:
I have two TP-Link M4Rs and the "main" AP makes ALL the domain requests, aside from that both do some IP requests to those same sites and even... the University of Colorado????????????

Quote: Cool plan, but your Accesspoints don't support VLANs for multiple SSIDs : https://www.tp-link.com/us/deco-mesh-wifi/product-family/deco-m4/#specifications
Thanks! I'm aware of that, which is why I've been asking about setup recommendations or products in general.

Quote: Printer : Yes!
Accesspoints : No!
The reason is that your SSID would be "talking from the IoT VLAN" so to speak and then the traffic is blocked !!
That is good to know, thanks for the important information!
Then I should be placing the APs at least in FAMILY, if that is configurable through their software.
So I'll have to buy a managed switch and access points with VLAN-tagging support.

Quote: If you want an Advanced Accesspoint that also has a built-in Managed Switch then look at one of these :
- TP-Link Omada Wall Accesspoints
- Ubiquiti UniFi In-Wall Accesspoints
Is that how you suggest it must be done in my case or just a recommendation? I've looked at the concept and I must say I'm not a big fan of it. I'd like to keep AP and Managed Switch separated. AFAIK for my needs there shouldn't be a compatibility issue as long as both support VLAN-tagging?

Quote: Just please don't do this kind of crap :
Quote: spoof their MAC address
Stupid and unnecessary !!
I've stated that it seems unreliable to depend on a MAC address not to change. I'm thinking I should install another switch (this one can be a port-based) in front of the NIC that the AP is connected to and so I'll be able to tag the traffic from that one ethernet-connected device to join UNTRUSTED.

Quote: Do you have recommendations for products (access points + switch) / brand that could help me best with my needs?

Quote: I really don't want to break my bank, just something reliable that does the job.
If you want to keep things cheap then I would consider something like this :
- A couple of TP-Link 108E Switches.
- The earlier mentioned TP-Link Omada Wall Accesspoints.
The TP-Link 108E seems to be a good choice, cheap and has everything I need: Port- and tag-based VLAN!
I'd only need a good AP, I'm assuming you should buy from the same brand?
It seems to me I won't be able to place the TP-Link devices into IOT. The main switch, which is directly connected to my home server, has to be on the LAN interface as I'm assuming the switch needs to talk to the other devices. The other switch in front of the AP must be at least in UNTRUSTED.
I'm thinking so thoroughly about in which interfaces to place the TP-Link devices because I obviously want them controlled: Ideally, I don't want them to send telemetry, but it seems like I cannot really stop that unless I assign them static IP addresses and make for those IP addresses firewall rules to block internet traffic.
EDIT: I think I just came up with a much better approach, please refer to this short post (https://forum.opnsense.org/index.php?msg=264979) where I'm presenting this other solution.

Quote: But please double check the following :
- AFAIK the 108E Switches can't be controlled by a Omada Controller, but I am not sure if this is still the case...
This is not a big deal, but make sure you are aware of this before you start buying everything !!
- AFAIK the Wall Accesspoints are not sold with a PoE+/PoE Injector so you need to either buy those too or consider a Managed Switch with enough PoE+/PoE power instead of the PoE+/PoE Injectors !!
Two things:

Quote
Quote: Sorry for the long text
Long text is OK, but just make it a bit more readable the next time ;)
I'm not a native English speaker, I'm trying my best to make my text understandable :)
Title: Re: Trouble understanding VLANs
Post by: bloodyNetworker on April 12, 2026, 02:45:08 PM
Truly an interesting setup! Might be simple, but yet effective! I've always been told that bridges are a thing of the past? Anyways, I totally get your intentions: Modern devices are bloated. Based on my needs, I'm kinda stuck with those modern tools. They help me solve my problems, but also create own issues such as telemetry, which I want to restrict as well.

Here are two solutions I came up with:


I just came up with the latter solution. Please let me know if that could work out or whether I'm missing out on something.
Title: Re: Trouble understanding VLANs
Post by: pfry on April 12, 2026, 04:05:10 PM
Quote from: bloodyNetworker on April 12, 2026, 02:45:08 PM
[...]Here are two solutions I came up with:[...]

For the first, you could use DHCP reservations. For me, I don't mind looking up a particular lease in the relatively rare instances when I want to manage a device.

For the second, I figured your IOT segment covered that, but, of course, the choice is yours. As you stated:

Quote: [...]As far as I understand it, because OpnSense is by default a stateful firewall any requests from "higher" VLANs such as FAMILY to IoT devices won't be blocked by the firewall unless IoT devices "request first".[...]

Sort of. Stateful rules are applied to the session initiator, and subsequent packets (assuming successful setup) are matched and passed by the session/flow. (You have direction and statekeeping options; I generally stick with inbound, stateful rules. Block rules are intrinsically stateless, but hey.) So for my "jail", devices are isolated (most communication explicitly blocked), but rules applied to my "edge" and "trust" bridges allow access from those segments. You have to decide what level of segregation you want and are willing to configure. On my network each device is segregated from all others (not just those in different segments) via the firewall. Most folks do not wish to drive every packet through their firewall, but I use a big firewall, with the expense that entails.
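To make the stateful behaviour pfry describes concrete, here is an added Python model (not code from any poster, and not OPNsense's own filter) of per-interface inbound rules plus a state table, using the five segments from the opening post; the /24 masks, addresses, ports and VLAN-to-interface mapping are assumptions:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Segments from the opening post; the /24 masks are an assumption.
SEGMENTS = {
    "LAN": ip_network("10.0.0.0/24"),
    "VPN": ip_network("10.0.1.0/24"),
    "FAMILY": ip_network("10.0.2.0/24"),
    "UNTRUSTED": ip_network("10.0.3.0/24"),
    "IOT": ip_network("10.0.4.0/24"),
}
INTERNET = "INTERNET"   # any address outside the local segments
ANY = "ANY"

def segment_of(addr: str) -> str:
    """Name the segment an address belongs to, or INTERNET."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return INTERNET

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = True    # True only for a flow's first packet (the session initiator)

@dataclass(frozen=True)
class Rule:
    iface: str          # interface the packet enters the firewall on (its source segment)
    action: str         # "pass" or "block"
    dst: frozenset      # destination segments the rule matches, or {ANY}

    def matches(self, pkt: Packet) -> bool:
        return self.iface == segment_of(pkt.src) and (
            ANY in self.dst or segment_of(pkt.dst) in self.dst)

# Inbound rules per interface, first match wins (like "quick" rules in the
# OPNsense GUI), constructed to express the five-segment policy from the post.
RULES = [
    Rule("LAN", "pass", frozenset({ANY})),
    Rule("VPN", "pass", frozenset({ANY})),
    Rule("FAMILY", "pass", frozenset({"IOT", INTERNET})),
    Rule("FAMILY", "block", frozenset({ANY})),
    Rule("UNTRUSTED", "pass", frozenset({INTERNET})),
    Rule("UNTRUSTED", "block", frozenset({ANY})),
    Rule("IOT", "block", frozenset({ANY})),
]

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()     # 5-tuples of flows that a pass rule accepted

    def _state_hit(self, pkt: Packet) -> bool:
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return forward in self.states or reverse in self.states

    def filter(self, pkt: Packet) -> str:
        """Return 'pass:state', 'pass:rule', 'block:rule' or 'block:nostate'."""
        if self._state_hit(pkt):
            return "pass:state"      # part of an accepted session, either direction
        if not pkt.syn:
            return "block:nostate"   # mid-stream packet with no matching state
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                    return "pass:rule"
                return "block:rule"
        return "block:rule"          # implicit default deny

def demo() -> dict:
    """FAMILY prints to an IOT printer; the printer may answer but not initiate."""
    fw = StatefulFirewall(RULES)
    laptop, printer, outside = "10.0.2.10", "10.0.4.20", "203.0.113.5"
    return {
        "family_to_printer": fw.filter(Packet(laptop, 50000, printer, 9100)),
        "printer_reply": fw.filter(Packet(printer, 9100, laptop, 50000, syn=False)),
        "printer_initiates": fw.filter(Packet(printer, 40000, laptop, 22)),
        "printer_to_internet": fw.filter(Packet(printer, 40001, outside, 443)),
        "printer_unsolicited": fw.filter(Packet(printer, 9100, laptop, 50001, syn=False)),
        "untrusted_to_printer": fw.filter(Packet("10.0.3.7", 50002, printer, 9100)),
        "untrusted_to_internet": fw.filter(Packet("10.0.3.7", 50003, outside, 443)),
    }
```

Running `demo()` shows the reply from the printer passing on state alone, while the printer's own connection attempts, and a mid-stream packet that matches no state, are dropped.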
Title: Re: Trouble understanding VLANs
Post by: bloodyNetworker on April 12, 2026, 07:11:23 PM
Quote: For the first, you could use DHCP reservations. For me, I don't mind looking up a particular lease in the relatively rare instances when I want to manage a device.
That's what I actually meant! Sorry for the confusion with "static IP address". Considering some IoT devices depend on DHCP...

Quote: For the second, I figured your IOT segment covered that, but, of course, the choice is yours. [...]
IOT interface should have absolutely no access to anything. Connections from "higher" VLANs should be able to talk to IoTs, but not the other way around. I thought that the firewall as it has been set up by default is already correctly set up for this purpose.
Title: Re: Trouble understanding VLANs
Post by: nero355 on April 12, 2026, 07:23:32 PM
Quote from: bloodyNetworker on April 12, 2026, 02:18:18 PM
Quote: I don't think your Accesspoints can do that by themselves to be honest : You should look at the connected Clients !!
I checked again just to be sure:
I have two TP-Link M4Rs and the "main" AP makes ALL the domain requests, aside from that both do some IP requests to those same sites and even... the University of Colorado????????????
Sounds like the unit that is in Router mode (And all other units are connected to!) does all the DNS Requests from its WAN Interface to your DNS Server ?!

Quote: Then I should be placing the APs at least in FAMILY, if that is configurable through their software.
So I'll have to buy a managed switch and access points with VLAN-tagging support.
The thing is : You don't place them in a certain VLAN or Network at all.

Most Accesspoints are setup something like this :
- Main Interface connected to the network so you can reach the device to manage it.
This interface is usually connected to your Management Network.
It can be Tagged or Untagged. UniFi and Omada use Untagged by default.
There can be a SSID active for this network or not. Usually there is none.

- Then you have the SSID's your devices connected to.
These are Tagged and connected to one or more VLANs that you are using.

So think about all of this as "Linking SSIDs to Networks/VLANS" instead of placing your Accesspoint into a Network/VLAN ;)

Quote
Quote: If you want an Advanced Accesspoint that also has a built-in Managed Switch then look at one of these :
- TP-Link Omada Wall Accesspoints
- Ubiquiti UniFi In-Wall Accesspoints
Is that how you suggest it must be done in my case or just a recommendation?
If I understood you correctly (And maybe I did not!) you were talking about connecting devices directly to your Accesspoint ?!
The above mentioned type of Accesspoint is AFAIK the only type of model that can do that for you.

Quote: I've looked at the concept and I must say I'm not a big fan of it.
In my opinion the "Wall type of Accesspoints" are the best for Home Setups and the "UFO type of Accesspoints" are outdated now.

My favorite places to use them :
- Instead of any old telephone outlet.
These are usually connected with nice CAT5e cabling you can re-use after adding a RJ45 connector on them.
- Near the TV and Gaming Consoles in the Living Room : You get both WiFi and Wired Connectivity there in one go!
- Behind objects that don't block the WiFi signal too much, usually made of wood : Stealth WiFi !!! :P

Quote: I'd like to keep AP and Managed Switch separated.
I am not saying you should get the one or the other : You can use both!

Also there is the option to connect these Wall type Accesspoints via PoE+ and then another Managed Switch to their PoE Out Port too.
Whatever you feel like doing I guess...

Quote: AFAIK for my needs there shouldn't be a compatibility issue as long as both support VLAN-tagging?
Everything needs to be VLAN Aware indeed :)

Quote: I'm thinking I should install another switch (this one can be a port-based) in front of the NIC that the AP is connected to and so I'll be able to tag the traffic from that one ethernet-connected device to join UNTRUSTED.
I assume you are talking about one of the OPNsense NICs ?

If so, then YES!

Quote: The TP-Link 108E seems to be a good choice, cheap and has everything I need: Port- and tag-based VLAN!
I'd only need a good AP, I'm assuming you should buy from the same brand?
You can mix and match brands and as long as everything is VLAN Aware and works nice and stable there should be no problems at all.

Quote: It seems to me I won't be able to place the TP-Link devices into IOT.

The main switch, which is directly connected to my home server, has to be on the LAN interface as I'm assuming the switch needs to talk to the other devices.
The other switch in front of the AP must be at least in UNTRUSTED.

I'm thinking so thoroughly about in which interfaces to place the TP-Link devices because I obviously want them controlled:
Like I said above : Try to think a bit different about Interfaces/VLANs and the Networks that this will create.

Quote: Ideally, I don't want them to send telemetry, but it seems like I cannot really stop that unless I assign them static IP addresses and make for those IP addresses firewall rules to block internet traffic.
Telemetry can usually be disabled for a great part in various ways...

But in general you will always have to :
- Configure Static IP Address on the Network Devices.
- Configure Static DHCP Mapping IP Addresses too for the devices in case something goes wrong with their software so you can connect to them easily and fix whatever needs fixing.

This is simply good practice for all important devices or Servers on your network !!

Quote: EDIT: I think I just came up with a much better approach, please refer to this short post (https://forum.opnsense.org/index.php?msg=264979) where I'm presenting this other solution.
There is no need to do this at all IMHO.

Quote: What is the difference between TP-Link Smart Managed Switch (f.e. SG108E) and Easy Managed Switch (f.e. Omada ES200)
Like I mentioned earlier : TP-Link has both regular Managed Switches and Omada Managed Switches.
The Omada ones can also be configured via one central Omada Controller.

I suggest you read a lot about both options and decide what you would rather have.

Quote: I see a lot of people speaking about PoE. I don't get it. Is it just because it makes the wire setup cleaner?
That too, but it's also very common for Managed Accesspoints these days and some Switches too.

Imagine needing the following :
- 1 x Main a.k.a. Core Switch
- 3 x Accesspoint
- 3 x Client Switch

When working with PoE+ and/or PoE you only need to provide power to the Core Switch and maybe the Client Switches too.
When working without PoE+ and/or PoE you need to provide power to ALL of them : That's a lot of PoE+/PoE Injectors and Power Adapters lying around and needing a Power Outlet !!!

Quote: I'm not a native English speaker, I'm trying my best to make my text understandable :)
Was talking more about putting an additional Enter here and there ;)
Title: Re: Trouble understanding VLANs
Post by: bloodyNetworker on April 12, 2026, 09:59:23 PM
Quote
Quote: Then I should be placing the APs at least in FAMILY, if that is configurable through their software.
So I'll have to buy a managed switch and access points with VLAN-tagging support.
The thing is : You don't place them in a certain VLAN or Network at all.

Most Accesspoints are setup something like this :
- Main Interface connected to the network so you can reach the device to manage it.
This interface is usually connected to your Management Network.
It can be Tagged or Untagged. UniFi and Omada use Untagged by default.
There can be a SSID active for this network or not. Usually there is none.

- Then you have the SSID's your devices connected to.
These are Tagged and connected to one or more VLANs that you are using.

So think about all of this as "Linking SSIDs to Networks/VLANS" instead of placing your Accesspoint into a Network/VLAN ;)

I'm struggling to understand your explanation of how access points are set up. I understand that you can tag SSIDs with specific VLANs. I thought that because my access points act as network devices as well (and surely have their own IP), I should be able to put them in a VLAN as well.
I'm now giving up this idea, I'll just block their Static DHCP Leased IPs from accessing the internet and that's it.

Quote: If I understood you correctly (And maybe I did not!) you were talking about connecting devices directly to your Accesspoint ?!
The above mentioned type of Accesspoint is AFAIK the only type of model that can do that for you.
Well I don't necessarily need an access point with NICs. Remember that one ethernet-connected device that needs to be in UNTRUSTED? Currently, it's connected to the NIC my TP-Link M4R offers, but it would be cleaner if I just use a Managed Switch and connect both of them to it.

Quote
Quote: I've looked at the concept and I must say I'm not a big fan of it.
Quote: I'd like to keep AP and Managed Switch separated.
I am not saying you should get the one or the other : You can use both!
Nevermind that, I misunderstood something.

Quote: Also there is the option to connect these Wall type Accesspoints via PoE+ and then another Managed Switch to their PoE Out Port too.
Assuming I'm already connecting AP and ethernet-connected device in UNTRUSTED to a switch, I won't need additional NICs that are on the AP. Especially if the switch also offers PoE.
As I've said, I don't really specifically need Wall-Type APs. If there is another AP that is cheaper and offers VLAN-tagging on SSID as well, I'd rather take that one.

Quote
Quote: I'm thinking I should install another switch (this one can be a port-based) in front of the NIC that the AP is connected to and so I'll be able to tag the traffic from that one ethernet-connected device to join UNTRUSTED.
I assume you are talking about one of the OPNsense NICs ?
If so, then YES!
I guess you're understanding me correctly, refer to the paragraph from before.

Quote
Quote: What is the difference between TP-Link Smart Managed Switch (f.e. SG108E) and Easy Managed Switch (f.e. Omada ES200)
Like I mentioned earlier : TP-Link has both regular Managed Switches and Omada Managed Switches.
The Omada ones can also be configured via one central Omada Controller.
I suggest you read a lot about both options and decide what you would rather have.
It seems to me that Omada products require the products to know / contact each other over my home network. As of right now I can't tell whether (based on my future firewall rules / VLAN configs) this feature could break regarding what I'm trying to achieve.
I'm giving up the idea of "putting AP / switches in VLANs to regulate their telemetry", it seems irritating and complex. I'd rather just assign them Static DHCP Leases and then block those IPs from accessing the internet. I won't bother with on which interface they're chilling or not.

Quote
Quote: I see a lot of people speaking about PoE. I don't get it. Is it just because it makes the wire setup cleaner?
That too, but it's also very common for Managed Accesspoints these days and some Switches too.
I see the potential... Tangled cables? BEGONE!

---
EDIT:
I've now picked Omada. I want to see how convenient it is:

2x TP-Link Omada ES200 Desktop Gigabit Managed Switch, 8x RJ-45, 64W PoE+
2x TP-Link Omada EAP225

My price comparison site tells me that only EAP225 supports Mesh, which is a MUST in my household.
The other ones - those "Wall" thingies you praise - don't??

https://geizhals.de/tp-link-omada-eap230-wall-a2419233.html
https://geizhals.de/tp-link-omada-eap235-wall-a2451515.html
https://geizhals.de/tp-link-omada-eap225-a1501193.html

I hope it's ok to post links from other sites here. This is not an ad. I only want to show what I mean so please don't ban or delete this message mods if this is against the rules. I'm sorry if it is against the guidelines.
Title: Re: Trouble understanding VLANs
Post by: Patrick M. Hausen on April 12, 2026, 10:11:30 PM
Quote from: bloodyNetworker on April 12, 2026, 09:59:23 PM
I'm now giving up this idea, I'll just block their Static DHCP Leased IPs from accessing the internet and that's it.

Why do you want to block your device from accessing the Internet? You want it to be able to pull firmware updates in a timely manner, don't you?
Title: Re: Trouble understanding VLANs
Post by: bloodyNetworker on April 12, 2026, 11:04:27 PM
Quote from: Patrick M. Hausen on April 12, 2026, 10:11:30 PM
Quote from: bloodyNetworker on April 12, 2026, 09:59:23 PM
I'm now giving up this idea, I'll just block their Static DHCP Leased IPs from accessing the internet and that's it.

Why do you want to block your device from accessing the Internet? You want it to be able to pull firmware updates in a timely manner, don't you?

Good point! I actually didn't think about that one.
Mh... well I know that you can load firmware-images onto TP-Link products via their Web interface.
The other solution would probably be to analyze their internet traffic and only block the telemetry.

Thanks for pointing that out!
Title: Re: Trouble understanding VLANs
Post by: Patrick M. Hausen on April 12, 2026, 11:11:24 PM
If the vendor uses telemetry and you cannot opt out, I'd switch vendors. Seriously. You need to build your network from trustworthy components.
Title: Re: Trouble understanding VLANs
Post by: Boxer on April 12, 2026, 11:18:00 PM
The telemetry you talk about isn't originating from the AP itself but from the clients connected to that AP (laptop, phone, pc etc.), as already pointed out. If you want to limit such telemetry then you can use Unbound DNSBLs or Adguard Home plugin on the main OPNsense machine (things may break and you'll need to unbreak them if you're aggressive in your blocking). You have a lot of plans with regards to your network but I think it's best to start with the easy stuff. Understand what an AP does. It's just a bridge to your opnsense. Make sure it's in AP Mode and not Router Mode. Unbound/Adguard for telemetry blocking. These are things you can do right now before you get your managed switch. :)
Title: Re: Trouble understanding VLANs
Post by: nero355 on April 13, 2026, 12:05:27 AM
Quote from: bloodyNetworker on April 12, 2026, 09:59:23 PM
I'm struggling to understand your explanation how access points are set up.

I understand that you can tag SSIDs with specific VLANs. I thought that because my access points act as network devices as well (and surely have their own IP), I should be able to put them in a VLAN as well.

I'm now giving up this idea, I'll just block their Static DHCP Leased IPs from accessing the internet and that's it.
For any Accesspoint to function it does not need any kind of IP Address at all : It's all Layer 2 communication based on the Hardware Address a.k.a. the MAC Address.
It's basically a Switch with Wireless Ports and Cables : The SSIDs :)

I am sure you can find some good documentation about this that explains everything you need to know!

Quote: Well I don't necessarily need an access point with NICs. Remember that one ethernet-connected device that needs to be in UNTRUSTED? Currently, it's connected to the NIC my TP-Link M4R offers, but it would be cleaner if I just use a Managed Switch and connect both of them to it.
True! :)

Quote:
Assuming I'm already connecting AP and ethernet-connected device in UNTRUSTED to a switch, I won't need additional NICs that are on the AP. Especially if the switch also offers PoE.
As I've said, I don't really specifically need Wall-Type APs. If there is another AP that is cheaper and offers VLAN-tagging on SSID as well, I'd rather take that one.
You can of course!

Quote:
It seems to me that Omada products require the products to know / contact each other over my home network. As of right now I can't tell whether (based on my future firewall rules / VLAN configs) this feature could break regarding what I'm trying to achieve.
I'm giving up the idea of "putting AP / switches in VLANs to regulate their telemetry", it seems irritating and complex. I'd rather just assign them Static DHCP Leases and then block those IPs from accessing the internet. I won't bother with on which interface they're chilling or not.
OK, but it's not that hard really :
- Leave their Network Interface in the Default LAN that OPNsense comes with.
This will be your Management Network and connected as Untagged on the Switchport.
- All other VLANs will be transported to the Accesspoint as Tagged on the same Switchport.
- Then you configure a SSID that is Tagged with a VLAN of your choice.
Usually you can create between 4 and 8 SSIDs on one Accesspoint.

Quote:
I see the potential... Tangled cables? BEGONE!
That too! :)

Quote:
EDIT:
I've now picked Omada. I want to see how convenient it is:

2x TP-Link Omada ES200 Desktop Gigabit Managed Switch, 8x RJ-45, 64W PoE+
2x TP-Link Omada EAP225

My price comparison site tells me that only EAP225 supports Mesh, which is a MUST in my household.
The other ones - those "Wall" thingies you praise - don't??

https://geizhals.de/tp-link-omada-eap230-wall-a2419233.html
https://geizhals.de/tp-link-omada-eap235-wall-a2451515.html
https://geizhals.de/tp-link-omada-eap225-a1501193.html
Are you saying you can not connect each Accesspoint via its own UTP cable ?

Always look at the Specifications on the website of the manufacturer :
- https://www.omadanetworks.com/us/business-networking/omada-wifi-ceiling-mount/eap225/ - EAP225 without Mesh.
- https://www.tp-link.com/us/business-networking/omada-sdn-access-point/eap225-outdoor/v1/ - EAP225 Outdoor with Mesh.
- https://www.omadanetworks.com/us/business-networking/omada-wifi-wall-plate/eap235-wall/ - EAP235 Wall without Mesh.

Also sometimes the specifications can change between the different Revisions of a product so watch out for those changes!

Quote:
I hope it's ok to post links from other sites here. This is not an ad. I only want to show what I mean so please don't ban or delete this message mods if this is against the rules. I'm sorry if it is against the guidelines.
Don't worry about that : It's OK! :)
Title: Re: Trouble understanding VLANs
Post by: Patrick M. Hausen on April 13, 2026, 12:13:01 AM
Quote from: nero355 on April 13, 2026, 12:05:27 AM
For any Accesspoint to function it does need any kind of IP Address at all

It does *not* need ... 🙂
Title: Re: Trouble understanding VLANs
Post by: nero355 on April 13, 2026, 02:40:46 PM
Quote from: Patrick M. Hausen on April 13, 2026, 12:13:01 AM
Quote from: nero355 on April 13, 2026, 12:05:27 AM
For any Accesspoint to function it does need any kind of IP Address at all
It does *not* need ... 🙂
Thnx! :)
Title: Re: Trouble understanding VLANs
Post by: bloodyNetworker on April 13, 2026, 07:21:04 PM
Quote from: Boxer on April 12, 2026, 11:18:00 PM
The telemetry you talk about isn't originating from the AP itself but from the clients connected to that AP (laptop, phone, pc etc.), as already pointed out. [...] Understand what an AP does. It's just a bridge to your opnsense. Make sure it's in AP Mode and not Router Mode. [...]

This goes to nero355, Patrick M. Hausen and Boxer:
It is in AP mode. I also first thought that the AP only sets up the "bridge" and does not require IPs, but if you take a closer look at my logs you'll see I'm not lying when I'm saying that my TP-Link APs have their own IPs and THEY THEMSELVES send out telemetry. Please refer to all the pictures.
In the DNS timeline you can clearly see the orange line, which has the IP 10.0.0.48: This is the "main" TP-Link AP.
The red box marks a certain time when I was totally home alone. No devices from my family connected, only my Linux machine.
Green is localhost.
On one of the Unbound DNS reports you can even see tplink domain requests coming from 10.0.0.48, I marked those with a red box as well.
Take a look on the DHCP Leases and you'll see that 10.0.0.48 is in fact my TP-Link AP and both of my APs have IP addresses assigned. The main one does domain / IP telemetry requests and the second (10.0.0.56) only some IP requests.
The devices we use are in fact connected to those APs, yes I get that. However each of those devices ALSO has its own IP, I can see that in the DHCP Leases. My linux machine didn't make any of such requests, I checked. Those requests solely come from the APs; I can see in the Unbound DNS Reports how devices, which are connected to the AP, don't make those requests at all.

Quote from: Patrick M. Hausen on April 12, 2026, 11:11:24 PM
If the vendor uses telemetry and you cannot opt out, I'd switch vendors. Seriously. You need to build your network from trustworthy components.
Do you have an alternative brand / products to suggest?

EDIT: I had to compress the DNS timeline (output1.png) with ffmpeg to fit it into the max. upload size of 256kb, which decreased the quality, but I think you can still see that the orange line in fact represents requests from 10.0.0.48.


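The post above reads the DNS timeline by eye: which client IP is behind the orange line, and whether it keeps querying during a window when only one known machine was active. As an added example (not code from the thread or from OPNsense), the same triage done over raw Unbound query-log lines. The sample lines are constructed in the shape Unbound writes with `log-queries: yes` behind syslog; the IPs, domains, hostname and PID are assumptions, and the "nobody home" window and the expected-clients set are parameters you supply.

```python
"""
Added example, not from the thread: triage of Unbound query logs to tell
which client is behind a burst of DNS queries, the way the poster read the
orange line in the DNS timeline. Sample log lines are constructed in the
shape Unbound writes with "log-queries: yes"; IPs and domains are assumptions.
"""
import re
from collections import Counter
from datetime import datetime, time

# Syslog-wrapped Unbound query line:
# "<Mon DD HH:MM:SS> <host> unbound[pid]: [pid:tid] info: <client> <qname> <qtype> <qclass>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ unbound\[\d+\]: \[\d+:\d+\] "
    r"info: (?P<client>\d{1,3}(?:\.\d{1,3}){3}) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)

# Constructed sample: 10.0.0.20 is the admin's Linux box, 10.0.0.48/.56 the two APs,
# 10.0.0.77 a family phone that only shows up in the evening.
SAMPLE_LOG = """\
Apr 13 14:00:05 OPNsense unbound[4711]: [4711:0] info: 10.0.0.20 deb.debian.org. A IN
Apr 13 14:00:07 OPNsense unbound[4711]: [4711:0] info: 10.0.0.48 www.google.com. A IN
Apr 13 14:00:09 OPNsense unbound[4711]: [4711:0] info: 10.0.0.48 login.live.com. A IN
Apr 13 14:05:12 OPNsense unbound[4711]: [4711:0] info: 10.0.0.48 www.reddit.com. A IN
Apr 13 14:05:13 OPNsense unbound[4711]: [4711:0] info: 10.0.0.56 www.amazon.com. A IN
Apr 13 14:10:30 OPNsense unbound[4711]: [4711:0] info: 10.0.0.48 www.linkedin.com. A IN
Apr 13 14:10:31 OPNsense unbound[4711]: [4711:0] info: 10.0.0.48 cloud.vendor.example. A IN
Apr 13 14:15:00 OPNsense unbound[4711]: [4711:0] info: 127.0.0.1 mirror.example. A IN
Apr 13 14:15:01 OPNsense unbound[4711]: [4711:0] info: start of service (unbound 1.19.0).
Apr 13 18:30:00 OPNsense unbound[4711]: [4711:0] info: 10.0.0.77 www.youtube.com. A IN
Apr 13 18:30:01 OPNsense unbound[4711]: [4711:0] info: 10.0.0.77 i.ytimg.com. AAAA IN
Apr 13 18:31:00 OPNsense unbound[4711]: [4711:0] info: 10.0.0.48 www.google.com. A IN
Apr 13 18:32:00 OPNsense unbound[4711]: [4711:0] info: 10.0.0.20 github.com. A IN
"""


def parse_log(text):
    """One dict per query line; status lines that are not queries are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        records.append({
            "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S").time(),
            "client": m["client"],
            "qname": m["qname"].rstrip(".").lower(),
            "qtype": m["qtype"],
        })
    return records


def registrable_domain(qname):
    """Last two labels; a heuristic, not the Public Suffix List (co.uk etc. would be wrong)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def share_by_client(records):
    """Fraction of all queries issued by each client (the thread's 'more than 10%' observation)."""
    counts = Counter(r["client"] for r in records)
    total = sum(counts.values())
    return {client: n / total for client, n in counts.items()}


def top_domains(records, client, n=3):
    return Counter(registrable_domain(r["qname"]) for r in records if r["client"] == client).most_common(n)


def unexplained_clients(records, start, end, expected):
    """Clients that queried inside [start, end] although only `expected` were supposed to be active."""
    active = {r["client"] for r in records if start <= r["time"] <= end}
    return active - set(expected)


def triage(text, start, end, expected):
    records = parse_log(text)
    suspects = unexplained_clients(records, start, end, expected)
    return {
        "shares": share_by_client(records),
        "suspects": suspects,
        "top": {client: top_domains(records, client) for client in suspects},
    }


def demo():
    # Window in which only the admin's Linux box and OPNsense itself (127.0.0.1) were supposed to be up.
    return triage(SAMPLE_LOG, time(14, 0), time(15, 0), {"10.0.0.20", "127.0.0.1"})


if __name__ == "__main__":
    result = demo()
    for client in sorted(result["suspects"]):
        print(f"{client}: {result['shares'][client]:.0%} of all queries, top domains {result['top'][client]}")
```

The set returned under `suspects` is what would go into an OPNsense alias if you decide, as the poster does later, to block the APs' addresses rather than move them to another VLAN. Pipe in the real Unbound log with query logging enabled; the regex only needs the `info: <client> <qname> <qtype> <qclass>` part, so a different syslog prefix just needs the first half of `LINE_RE` adjusted.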
Title: Re: Trouble understanding VLANs
Post by: Patrick M. Hausen on April 13, 2026, 07:30:14 PM
Quote from: bloodyNetworker on April 13, 2026, 07:21:04 PM
Do you have an alternative brand / products to suggest?

Mikrotik.
Title: Re: Trouble understanding VLANs
Post by: bloodyNetworker on April 13, 2026, 07:41:29 PM
Quote:
Are you saying you can not connect each Accesspoint via its own UTP cable ?

Always look at the Specifications on the website of the manufacturer :
- https://www.omadanetworks.com/us/business-networking/omada-wifi-ceiling-mount/eap225/ - EAP225 without Mesh.
- https://www.tp-link.com/us/business-networking/omada-sdn-access-point/eap225-outdoor/v1/ - EAP225 Outdoor with Mesh.
- https://www.omadanetworks.com/us/business-networking/omada-wifi-wall-plate/eap235-wall/ - EAP235 Wall without Mesh.

Also sometimes the specifications can change between the different Revisions of a product so watch out for those changes!

The APs are connected through the network cables that are in our walls. They don't have to be directly connected.
I'm assuming I'm misunderstanding you?

Either TP-Links specifications are not very clear or idk...
Here is a list (https://www.omadanetworks.com/us/omada-mesh/product-list/) of all "Omada Mesh" supported devices on their own website.
The "ceiling" EAP225 is advertised with Omada Mesh support, same as its outdoor variant.
I'm starting to dislike this company... they do all that telemetry goof, force you into cloud accounts to manage your devices and are just so incredibly confusing with their marketing and specifications IMO.
Title: Re: Trouble understanding VLANs
Post by: Patrick M. Hausen on April 13, 2026, 08:07:12 PM
You could try to connect the APs to the "AP VLAN" which offers IP addresses via DHCP but no Internet access by simply not adding the firewall rules that would be necessary for that. But with an IP address the APs should be manageable.

Then create an SSID per VLAN and connect SSID and tagged VLAN at the AP(s). So devices connected to SSID "LAN" will be in VLAN "LAN" and get those 10.0.0.0/24 IP addresses etc.

Where do those network cables in your walls lead? What is at the opposite end of each AP?
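The rule set this post describes, as an added illustration that is not from the thread: an "AP VLAN" that hands out DHCP leases and answers DNS but has no rule allowing anything else, so the APs stay manageable from the admin LAN without reaching the internet. OPNsense renders the rules you click together in its GUI into pf, so pf.conf syntax is used here to show the intent; the interface names (`vlan40` for IOT, `vlan20` for FAMILY, `igb1` for LAN) are assumptions, and the generated ruleset on a real box will look different.

```pf
# Assumed interface names; adjust to the VLAN interfaces assigned in OPNsense.
iot_if = "vlan40"
fam_if = "vlan20"
lan_if = "igb1"

# pf is stateful by default: a rule that passes the first packet of a flow also
# passes the replies, so nothing below has to allow IOT -> FAMILY explicitly.

# IOT VLAN: default deny on the inbound side, then only what the APs/printer need.
block in log on $iot_if all
# DHCP: client broadcasts from 0.0.0.0:68 to 255.255.255.255:67, renewals unicast.
pass in quick on $iot_if proto udp from any port 68 to any port 67
# DNS only to OPNsense's own address on this VLAN, not to resolvers on the internet.
pass in quick on $iot_if proto { tcp udp } from $iot_if:network to ($iot_if) port 53
# No rule passes $iot_if -> anything outside $iot_if:network, so the APs cannot reach
# the internet or the other VLANs. Their web UI is still reachable from LAN (below).

# FAMILY may open connections to IOT devices (printer, ...); replies return via state,
# while an IOT device cannot open a connection towards FAMILY.
pass in quick on $fam_if from $fam_if:network to $iot_if:network
# Admin LAN is unrestricted, which also covers the AP management interfaces.
pass in quick on $lan_if from $lan_if:network to any

# If firmware updates must come from the vendor, allow only those hosts, kept in a
# table you populate yourself (left empty here on purpose: nothing passes until filled).
table <ap_update_hosts> persist
pass in quick on $iot_if proto tcp from $iot_if:network to <ap_update_hosts> port 443
```

The point to check on a real box is the absence of a rule, not the presence of one: if the IOT interface has no pass rule whose destination is "any" or "not IOT net", there is no route to the internet for the APs regardless of what they try to phone home to, and the `block ... log` line gives you the evidence of those attempts in the firewall log.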
Title: Re: Trouble understanding VLANs
Post by: Boxer on April 13, 2026, 10:03:56 PM
First, let me apologise. The Tapo APs ping those servers (reddit, netflix etc) to check the connection is still up. So sorry about questioning that. I still think that's absurd if they're in AP Mode. But it is a ping only, there's no data telemetry. You can block those pings on opnsense but the AP will show a constant red light as if network is down, even when it's up.
Title: Re: Trouble understanding VLANs
Post by: bloodyNetworker on April 13, 2026, 11:19:45 PM
Quote from: Boxer on April 13, 2026, 10:03:56 PM
First, let me apologise. The Tapo APs ping those servers (reddit, netflix etc) to check the connection is still up. So sorry about questioning that. I still think that's absurd if they're in AP Mode. But it is a ping only, there's no data telemetry. You can block those pings on opnsense but the AP will show a constant red light as if network is down, even when it's up.

They are in AP mode I can tell you that. How are you so sure that those are only pings? I only know what sites they connect to, whether they really send telemetry is just my speculation. Especially since they just connect with Big Data sites I doubt that those are just pings. I mean why not just ping the upstream DNS server?
In my household that is Quad9 and I'd be totally fine with that.

EDIT: I just found a big forum post on TP-Link's official website, where their customers report the same: The TP-Link APs do in fact send out telemetry.
https://community.tp-link.com/en/business/forum/topic/525328
They are too sorry to make firmware updates for their cheaper product lines to opt-out.
Title: Re: Trouble understanding VLANs
Post by: Boxer on April 13, 2026, 11:26:10 PM
Post #5 https://community.tp-link.com/en/home/forum/topic/214828
Apparently it's a built-in mechanism that cannot be turned off
Title: Re: Trouble understanding VLANs
Post by: bloodyNetworker on April 13, 2026, 11:38:51 PM
Quote from: Patrick M. Hausen on April 13, 2026, 08:07:12 PM
You could try to connect the APs to the "AP VLAN" which offers IP addresses via DHCP but no Internet access by simply not adding the firewall rules that would be necessary for that. But with an IP address the APs should be manageable.

Then create an SSID per VLAN and connect SSID and tagged VLAN at the AP(s). So devices connected to SSID "LAN" will be in VLAN "LAN" and get those 10.0.0.0/24 IP addresses etc.

Where do those network cables in your walls lead? What is at the opposite end of each AP?

This was my original idea, but nero355 told me (https://forum.opnsense.org/index.php?msg=264937) this could go wrong if I were to put them in IOT VLAN. You've said it yourself: Without internet connectivity, I cannot conveniently update their firmware via their user interfaces. So I guess my best shot would be to just give them a static DHCP Lease and only block those addresses they constantly connect to.

The cables in the walls lead to every NIC in the household. They're coming together in a room where I have them connected to my "main" switch.
So basically it doesn't matter to which NIC in the wall the APs are connected to since the switch makes sure that they can all speak to each other.
Title: Re: Trouble understanding VLANs
Post by: bloodyNetworker on April 13, 2026, 11:47:17 PM
Quote from: Boxer on April 13, 2026, 11:26:10 PM
Post #5 https://community.tp-link.com/en/home/forum/topic/214828
Apparently it's a built-in mechanism that cannot be turned off

I'd rather not buy from them again. They're lying that it is needed to check for connectivity. Being so nontransparent and non-cooperative with the community's demands to remove 24/7 connections with Big Data and telemetry to their own cloud infrastructure can only mean they're trying to hide their shadiness (probably data selling).
Spread the word to the folks buying from TP-Link. Warn them about TP-Links lack of trustworthiness.
Title: Re: Trouble understanding VLANs
Post by: nero355 on April 14, 2026, 01:13:54 AM
Quote from: Patrick M. Hausen on April 13, 2026, 07:30:14 PM
Quote from: bloodyNetworker on April 13, 2026, 07:21:04 PM
Do you have an alternative brand / products to suggest?
Mikrotik.
We are dealing here with a "Beginner" and despite the fact that MikroTik does have such a thing as their WinBox GUI for setting up everything I am not sure if that's a good idea ?

Quote from: Boxer on April 13, 2026, 10:03:56 PM
First, let me apologise. The Tapo APs ping those servers (reddit, netflix etc) to check the connection is still up. So sorry about questioning that. I still think that's absurd if they're in AP Mode.
Tapo ?! Are you talking about TP-Link M4 Mesh Sets or something else ?!

Quote from: bloodyNetworker on April 13, 2026, 07:21:04 PM
It is in AP mode. I also first thought that the AP only sets up the "bridge" and does not require IPs, but if you take a closer look at my logs you'll see I'm not lying when I'm saying that my TP-Link APs have their own IPs and THEY THEMSELVES send out telemetry.
I think you have misunderstood my reply about Accesspoints and IP Addresses...

What you are describing is pretty much as expected because you need a way to manage them via their webGUI or some kind of app on your Phone/Tablet :)

Quote from: bloodyNetworker on April 13, 2026, 07:41:29 PM
The APs are connected through the network cables that are in our walls. They don't have to be directly connected.
I'm assuming I'm misunderstanding you?
I think it's time to post a schematic picture of your network setup before we have a lot more misunderstandings...

Quote:
Either TP-Links specifications are not very clear or idk...
Here is a list (https://www.omadanetworks.com/us/omada-mesh/product-list/) of all "Omada Mesh" supported devices on their own website.
The "ceiling" EAP225 is advertised with Omada Mesh support, same as it's outdoor variant.
I'm starting to dislike this company... they do all that telemetry goof, force you into cloud accounts to manage your devices and are just so incredibly confusing with their marketing and specifications IMO.
Everyone does it these days and a lot of it can be disabled in a lot of cases...

Take for example the more expensive alternative to the TP-Link Omada system : Ubiquiti UniFi
You need multiple steps to disable everything :
- Two different places in the webGUI of the UniFi Controller.
- And another additional file with the right content in the right directory on your UniFi Controller.
After that you need to manually trigger so called 'Provisioning' for all your devices to apply the changes in that file !!

And don't get me started about TVs and Mobile Devices and all the adware/spyware and horrible EULAs you have to accept so you can use them even tho you have paid a lot of money for them...

Quote from: bloodyNetworker on April 13, 2026, 11:19:45 PM
EDIT: I just found a big forum post on TP-Link's official website, where their customers report the same: The TP-Link APs do in fact send out telemetry.
https://community.tp-link.com/en/business/forum/topic/525328
They are too sorry to make firmware updates for their cheaper product lines to opt-out.
That's really a shame...

The M4 units are one of, if not THE cheapest option to have Accesspoints everywhere in the house :)

Quote from: bloodyNetworker on April 13, 2026, 11:38:51 PM
This was my original idea, but nero355 told me (https://forum.opnsense.org/index.php?msg=264937) this could go wrong if I were to put them in IOT VLAN.
Please note :
That was based on my understanding at the time that you were going to put one of the M4 units in a certain VLAN and not in combination with Advanced (VLAN Aware) Accesspoints !!

Quote:
The cables in the walls lead to every NIC in the household. They're coming together in a room where I have them connected to my "main" switch.
So basically it doesn't matter to which NIC in the wall the APs are connected to since the switch makes sure that they can all speak to each other.
Every time you mention a NIC and Accesspoint it sounds like you are using the Accesspoint as an extension of the NIC in a PC ?!

So like I said above : Please make a scheme/drawing of your network setup!
Title: Re: Trouble understanding VLANs
Post by: Patrick M. Hausen on April 14, 2026, 08:27:35 AM
Quote from: bloodyNetworker on April 13, 2026, 11:38:51 PM
The cables in the walls lead to every NIC in the household. They're coming together in a room where I have them connected to my "main" switch.
So basically it doesn't matter to which NIC in the wall the APs are connected to since the switch makes sure that they can all speak to each other.

So the APs are connected to a cable in the wall on one end and the other end of that cable is connected to a ... NIC? That does not make much sense to me.

In a previous post you wrote:

Quote from: bloodyNetworker
There is an access point connected to the only NIC in the room.

Maybe we need to start over with the terminology. A NIC is a Network Interface Card. The thing you find inside a PC. So all the time you are saying that your APs are connected to some PC? If you mean a wall outlet - that is not called a NIC.

So what is it?

If I guess, all your APs as well as some wired devices (PCs?) and at least the LAN interface of OPNsense are connected to your switch? Is that the case? Whether there is a cable in the wall with outlets or a simple patch cable providing that connection is entirely irrelevant. The only interesting thing is which device is connected to which.

If that is the case - everything connected to switch - and if that switch is not managed and VLAN capable you cannot use VLANs. Hence your confusion or at least part of it. All devices from your APs to the switch and finally OPNsense must be VLAN capable and configured accordingly.

HTH,
Patrick
Title: Re: Trouble understanding VLANs
Post by: bloodyNetworker on April 14, 2026, 06:17:23 PM
First of all: Sorry for the confusion I've caused, especially with my terminology. Yes, Patrick M. Hausen, I meant wall outlets and not NICs, sorry for that. I've made sketches so it is easier to follow me. sketch_currently.png is my current network setup, pretty basic with no VLANs. Those wires in the walls lead to wall outlets where I plug in my ethernet cables. Every room only has a single one of them. They are all connected to my "Main" Switch, but I didn't sketch all wires, just the ones that are relevant to this topic. My "Main" AP is directly connected to my "Main" Switch whereas anything else has to go through the wires / wall outlets in the walls. Hence, the office is arguably the most "complex" room of all to configure. My "Other" TP-Link M4R is connected to the wall outlet, but as you know the M4R has a NIC (yes, this time I mean NIC as in NIC, not a wall outlet) to which my TV is connected.

Going forward I'd like to define my terminology so that there are no more communication barriers, which is also necessary to explain my plan:
As I understand it, Managed Switches are configurable to have access/untagged ports (every packet that goes through a specific port is tagged the same way, the tag disappears once it leaves the switch) or trunk/tagged ports (packets going through a NIC can have multiple tags assigned to them, which can be relayed to a different trunk port on a different managed switch).
I'm assuming that in my case I'd be only working with tagged ports as everything is supposed to run through OpnSense, which controls the VLAN access through the firewall rules, am I right?
---
Now continuing with my planned network upgrade (sketch_planned.png): I've colored the wires based on the following:
Red means trunk connection.
Yellow means connection of IOT interface.
Purple means connection of UNTRUSTED interface.
I hope you guys aren't colorblind.
---
Because the AP's do SSID to VLAN Mapping and you guys made it clear that APs can infact be set on a VLAN as well, I have a specific question in mind:
When the VLAN-aware AP receives a connection from a specific device from a specific SSID, it'll tag it accordingly. Then the AP would relay the tagged packets through the trunk port. But now that those are tagged I also want to make sure that the packets of the AP are tagged as well so that I can get them to be placed in IOT. How can I achieve this or isn't this possible after all? I'm assuming I'd have to configure the switch-software in a way that the specific trunk port tags packets with IOT, but this theory leaves me with another question: Would the VLAN tags from the SSIDs be overwritten in this setup, or does the software distinguish between the ethernet-connected device and those connected through other means? Specifically, does it only tag packets from the IP address it knows is associated with the Ethernet connection?
This theory is why I've colored the connections to the APs so that they are to be placed in IOT.
But as I've also made clear: I could also live without them being in a separate VLAN, because after all I can just deny any telemetry based off their IPs.

Quote from: nero355 on April 14, 2026, 01:13:54 AM
Quote from: bloodyNetworker on April 13, 2026, 11:38:51 PM
This was my original idea, but nero355 told me (https://forum.opnsense.org/index.php?msg=264937) this could go wrong if I were to put them in IOT VLAN.
Please note :
That was based on my understanding at the time that you were going to put one of the M4 units in a certain VLAN and not in combination with Advanced (VLAN Aware) Accesspoints !!

So my "theory" that the APs would join IOT is realizable?
Title: Re: Trouble understanding VLANs
Post by: nero355 on April 14, 2026, 07:26:11 PM
Quote from: bloodyNetworker on April 14, 2026, 06:17:23 PM
Hence, the office is arguably the most "complex" room of all to configure.
Not really : The way you did it on your drawing is just fine! :)

Quote:
My "Other" TP-Link M4R is connected to the wall outlet, but as you know the M4R has a NIC (yes, this time I mean NIC as in NIC, not a wall outlet) to which my TV is connected.
AFAIK that "NIC" is simply a Switchport that is part of a very small integrated Switch ;)

Quote:
As I understand it, Managed Switches are configurable to have access/untagged ports (every packet that goes through a specific port is tagged the same way, the tag disappears once it leaves the switch) or trunk/tagged ports (packets going through a NIC Switchport can have multiple tags assigned to them, which can be relayed to a different trunk port on a different managed switch).
;)

Quote:
I'm assuming that in my case I'd be only working with tagged ports as everything is supposed to run through OpnSense, which controls the VLAN access through the firewall rules, am I right?
It depends how you like to setup things :

Let's say you use the Default LAN NIC Port as it is.
This would be considered as an Untagged/Access Mode Port.

But then you need to add more networks and have the following options :
- Use another LAN NIC Port without configuring any IP Address and Assign VLAN Interfaces to it.
This would be considered as a Tagged/Trunk Mode Port.
- Use all other LAN NIC Ports with their own IP Address configured for each network.
These would all be considered as Untagged/Access Mode Ports.

Quote:
Now continuing with my planned network upgrade (sketch_planned.png): I've colored the wires based on the following:
Red means trunk connection.
Yellow means connection of IOT interface.
Purple means connection of UNTRUSTED interface.
&
Quote:
Because the APs do SSID to VLAN Mapping and you guys made it clear that APs can in fact be set on a VLAN as well, I have a specific question in mind:

When the VLAN-aware AP receives a connection from a specific device from a specific SSID, it'll tag it accordingly.
Then the AP would relay the tagged packets through the trunk port.
But now that those are tagged I also want to make sure that the packets of the AP are tagged as well so that I can get them to be placed in IOT.

How can I achieve this or isn't this possible after all?
By using Untagged/Tagged settings of the Switchport correctly :
- The VLAN that carries the Network you want the Accesspoint to get/use the IP Address from = Untagged.
- Everything else = Tagged.

Quote:
I'm assuming I'd have to configure the switch-software in a way that the specific trunk port tags Untagged packets with IOT
;)

Quote:
but this theory leaves me with another question:
Would the VLAN tags from the SSIDs be overwritten in this setup, or does the software distinguish between the ethernet-connected device and those connected through other means? Specifically, does it only tag packets from the IP address it knows is associated with the Ethernet connection?
See above!

Quote:
This theory is why I've colored the connections to the APs so that they are to be placed in IOT.
But as I've also made clear: I could also live without them being in a separate VLAN, because after all I can just deny any telemetry based off their IPs.
Now that I see the drawing I feel like we should have started with that, because it looks like a very straightforward setup that you can achieve very easily!

Oh well... Oops! ^_^

Quote:
So my "theory" that the APs would join IOT is realizable?
Yes, you can put their Management Interface Untagged in IoT and all other Networks would be Tagged for regular usage.

Quote:
I hope you guys aren't colorblind.
LOL! Good thinking!

I often forget that there are people out there with that issue :)
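The two answers above (management interface untagged in IoT on the AP's switch port, every other network tagged on the same port, one SSID per tagged VLAN) and the question they answer (whether the port's untagged VLAN overwrites the tags the AP puts on SSID traffic) come down to how an 802.1Q port classifies a frame. As an added example, not code from the thread or from any switch vendor, a small model of that classification over constructed frames: the VLAN IDs (10 LAN, 20 FAMILY, 30 UNTRUSTED, 40 IOT), the MAC addresses and the port names are assumptions. It also shows the security property you get for free from the same configuration: a tag for a VLAN the AP port does not carry is dropped, so nothing behind the AP can inject frames into the admin LAN.

```python
"""
Added example, not code from the thread: a model of how an 802.1Q-aware switch
port with one untagged (PVID) VLAN plus a set of tagged VLANs classifies frames,
answering "are the SSID tags overwritten when the AP's port is untagged in IOT?".
Frames are constructed below; VLAN IDs and MAC addresses are assumptions.
"""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Assumed VLAN IDs for the networks named in the thread (the thread gives none).
VLAN_LAN, VLAN_FAMILY, VLAN_UNTRUSTED, VLAN_IOT = 10, 20, 30, 40


def build_frame(dst, src, payload, vlan=None):
    """Ethernet II frame; when vlan is given, insert an 802.1Q tag (PCP 0, DEI 0)."""
    frame = dst + src
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_or_None, payload). Only the tag is inspected, never the IP inside."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return dst, src, tci & 0x0FFF, frame[18:]
    return dst, src, None, frame[14:]


class SwitchPort:
    """untagged = the PVID this port strips/adds itself; tagged = VLANs carried with a tag."""

    def __init__(self, name, untagged=None, tagged=()):
        self.name, self.untagged, self.tagged = name, untagged, set(tagged)

    def ingress(self, frame):
        """Classify an arriving frame; None means the switch drops it."""
        dst, src, vlan, payload = parse_frame(frame)
        if vlan is None:  # untagged frame: belongs to the PVID (the AP's own management traffic)
            return None if self.untagged is None else (self.untagged, dst, src, payload)
        if vlan in self.tagged:  # tagged frame: kept as is, the PVID does not overwrite it
            return vlan, dst, src, payload
        return None  # tag for a VLAN this port does not carry: dropped (e.g. a client forging LAN)

    def egress(self, vlan, dst, src, payload):
        """Re-tag or strip on the way out, depending on this port's membership."""
        if vlan == self.untagged:
            return build_frame(dst, src, payload)
        if vlan in self.tagged:
            return build_frame(dst, src, payload, vlan)
        return None


def forward(in_port, out_port, frame):
    """One hop through the switch. Returns (vlan, outgoing_frame) or None when dropped."""
    hit = in_port.ingress(frame)
    if hit is None:
        return None
    vlan, dst, src, payload = hit
    out = out_port.egress(vlan, dst, src, payload)
    return None if out is None else (vlan, out)


# Port towards the AP: management untagged in IOT, the SSID VLANs tagged (the plan in the thread).
AP_PORT = SwitchPort("gi1 (AP)", untagged=VLAN_IOT, tagged={VLAN_FAMILY, VLAN_UNTRUSTED})
# Trunk towards OPNsense: default LAN untagged, everything else tagged.
TRUNK = SwitchPort("gi8 (OPNsense)", untagged=VLAN_LAN, tagged={VLAN_FAMILY, VLAN_UNTRUSTED, VLAN_IOT})

AP_MAC = bytes.fromhex("020000000001")     # locally administered addresses, made up
FW_MAC = bytes.fromhex("020000000002")
PHONE_MAC = bytes.fromhex("020000000003")


def run_demo():
    return {
        # AP management traffic leaves the AP untagged -> lands in IOT, tagged 40 towards OPNsense
        "ap_mgmt": forward(AP_PORT, TRUNK, build_frame(FW_MAC, AP_MAC, b"mgmt")),
        # A FAMILY SSID client: the AP tags 20, the port keeps 20
        "family_client": forward(AP_PORT, TRUNK, build_frame(FW_MAC, PHONE_MAC, b"web", vlan=VLAN_FAMILY)),
        # Something behind the AP injecting a LAN tag: the AP port does not carry LAN, so it is dropped
        "lan_forgery": forward(AP_PORT, TRUNK, build_frame(FW_MAC, PHONE_MAC, b"evil", vlan=VLAN_LAN)),
        # OPNsense answering the AP: arrives tagged 40 on the trunk, leaves the AP port untagged
        "reply_to_ap": forward(TRUNK, AP_PORT, build_frame(AP_MAC, FW_MAC, b"reply", vlan=VLAN_IOT)),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        if result is None:
            print(f"{name}: dropped")
        else:
            vlan, frame = result
            print(f"{name}: VLAN {vlan}, leaves {'tagged' if parse_frame(frame)[2] is not None else 'untagged'}")
```

The model never looks at an IP address, which is the answer to the "does it only tag packets from the IP it knows" question: a switch port decides per frame, on the presence and value of the 802.1Q tag only. The one thing to get right on the real switch is the allowed-VLAN list of the AP port; leaving LAN out of it is what makes the `lan_forgery` case a drop rather than a hop into the admin network.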
Title: Re: Trouble understanding VLANs
Post by: bloodyNetworker on April 14, 2026, 09:58:53 PM
Quote from: nero355 on April 14, 2026, 07:26:11 PM
Quote:
I'm assuming that in my case I'd be only working with tagged ports as everything is supposed to run through OpnSense, which controls the VLAN access through the firewall rules, am I right?
It depends how you like to setup things :

Let's say you use the Default LAN NIC Port as it is.
This would be considered as an Untagged/Access Mode Port.

But then you need to add more networks and have the following options :
- Use another LAN NIC Port without configuring any IP Address and Assign VLAN Interfaces to it.
This would be considered as a Tagged/Trunk Mode Port.
- Use all other LAN NIC Ports with their own IP Address configured for each network.
These would all be considered as Untagged/Access Mode Ports.
I'm guessing you mean the NIC on my homeserver? If that's the case: I only have one NIC and I'd like it to stay that way: This is the reason why I'm proposing that every packet has to arrive as tagged so that the firewall rules trigger as intended. It's what I've been wrapping my head around all the time whether OpnSense can react to tagged packets (and whether it does so automatically if an assigned VLAN tag in OpnSense matches with the incoming tagged packet).
If you meant something else, please let me know.

Quote from: nero355 on April 14, 2026, 07:26:11 PM
By using Untagged/Tagged settings of the Switchport correctly :
- The VLAN that carries the Network you want the Accesspoint to get/use the IP Address from = Untagged.
- Everything else = Tagged.
As far as I understand it you want IOT devices to be untagged. That way they can only communicate if another untagged device within the "internal" VLAN of the switch is also connected to the same switch. Because this isn't happening on my household any untagged devices will be left alone, is that right?
---
I know I'm constantly changing my mind, but I've now come to the conclusion that the IOT interface, as I've intended it, is a terrible idea:
Simply because I fear that way I'll break the Mesh functionality.
Hence, I'll let them have complete LAN access and only let them contact their vendor cloud servers for firmware updates.
Let's not forget that I also have different IOT devices - like my printer - which requires a WLAN connection and its packets need to be mapped to the IOT VLAN tag as well.

Quote from: nero355 on April 14, 2026, 07:26:11 PM
[You'd] have to configure the switch-software in a way that the specific trunk port [untags] packets with IOT
If I got your idea wrong, please let me know!
Title: Re: Trouble understanding VLANs
Post by: nero355 on April 14, 2026, 11:43:38 PM
Quote from: bloodyNetworker on April 14, 2026, 09:58:53 PM
I'm guessing you mean the NIC on my homeserver?
I am talking about your OPNsense Router :
- It needs at least two NICs for WAN and LAN.
- If possible let's say 4 of them like common on many Intel N100 boxes.

Quote:
I only have one NIC and I'd like it to stay that way: This is the reason why I'm proposing that every packet has to arrive as tagged so that the firewall rules trigger as intended. It's what I've been wrapping my head around all the time whether OpnSense can react to tagged packets (and whether it does so automatically if an assigned VLAN tag in OpnSense matches with the incoming tagged packet).
OPNsense can handle Tagged traffic : That's not the issue here.

Quote:
If you meant something else, please let me know.
See above : You can't do everything with just one NIC !!

Quote
Quote from: nero355 on April 14, 2026, 07:26:11 PM
By using Untagged/Tagged settings of the Switchport correctly :
- The VLAN that carries the Network you want the Accesspoint to get/use the IP Address from = Untagged.
- Everything else = Tagged.
As far as I understand it you want IOT devices to be untagged. That way they can only communicate if another untagged device within the "internal" VLAN of the switch is also connected to the same switch. Because this isn't happening on my household any untagged devices will be left alone, is that right?
I have no idea what you are talking about to be honest, but I just posted how you can keep your future Advanced Accesspoint in the IoT VLAN with its Management Interface : That's all!

Quote:
I know I'm constantly changing my mind, but I've now come to the conclusion that the IOT interface, as I've intended it, is a terrible idea:
Simply because I fear that way I'll break the Mesh functionality.
Why do you think you need Mesh at all ?!

According to your network drawing there is zero need for it : Everything is connected via the wired network!

Quote:
Hence, I'll let them have complete LAN access and only let them contact their vendor cloud servers for firmware updates.
Let's not forget that I also have different IOT devices - like my printer - which requires a WLAN connection and its packets need to be mapped to the IOT VLAN tag as well.
Your Printer can be connected to an Untagged Switchport or via WiFi and the Printer won't know how the rest of the network works like any other Client ;)

9 out of 10 chance the Printer doesn't even have VLAN Tag Settings !!

Quote
Quote from: nero355 on April 14, 2026, 07:26:11 PM
[You'd] have to configure the switch-software in a way that the specific trunk port [untags] packets with IOT
If I got your idea wrong, please let me know!
I have no idea why you quoted that, but all in all I think you are overthinking everything : Just get some hardware you can afford and think looks reasonably good and start building and learning about your future network! :)