Messages - bloodyNetworker

#1
General Discussion / Re: Trouble understanding VLANs
April 14, 2026, 09:58:53 PM
Quote from: nero355 on April 14, 2026, 07:26:11 PM
Quote
I'm assuming that in my case I'd only be working with tagged ports, as everything is supposed to run through OPNsense, which controls VLAN access through the firewall rules, am I right?
It depends how you like to setup things :

Let's say you use the Default LAN NIC Port as it is.
This would be considered as an Untagged/Access Mode Port.

But then you need to add more networks and have the following options :
- Use another LAN NIC Port without configuring any IP Address and Assign VLAN Interfaces to it.
This would be considered as a Tagged/Trunk Mode Port.
- Use all other LAN NIC Ports with their own IP Address configured for each network.
These would all be considered as Untagged/Access Mode Ports.
I'm guessing you mean the NIC on my homeserver? If that's the case: I only have one NIC and I'd like it to stay that way. This is the reason why I'm proposing that every packet has to arrive tagged, so that the firewall rules trigger as intended. It's what I've been wrapping my head around all the time: whether OPNsense can react to tagged packets (and whether it does so automatically if an assigned VLAN tag in OPNsense matches the incoming tagged packet).
If you meant something else, please let me know.

Quote from: nero355 on April 14, 2026, 07:26:11 PM
By using Untagged/Tagged settings of the Switchport correctly :
- The VLAN that carries the Network you want the Accesspoint to get/use the IP Address from = Untagged.
- Everything else = Tagged.
As far as I understand it, you want IOT devices to be untagged. That way they can only communicate if another untagged device within the "internal" VLAN of the switch is also connected to the same switch. Because this isn't happening in my household, any untagged devices will be left alone, is that right?
---
I know I'm constantly changing my mind, but I've now come to the conclusion that the IOT interface, as I've intended it, is a terrible idea:
Simply because I fear that way I'll break the Mesh functionality.
Hence, I'll let them have complete LAN access and only let them contact their vendor cloud servers for firmware updates.
Let's not forget that I also have different IOT devices - like my printer - which require a WLAN connection and whose packets need to be mapped to the IOT VLAN tag as well.

Quote from: nero355 on April 14, 2026, 07:26:11 PM
[You'd] have to configure the switch-software in a way that the specific trunk port [untags] packets with IOT
If I got your idea wrong, please let me know!
#2
General Discussion / Re: Trouble understanding VLANs
April 14, 2026, 06:17:23 PM
First of all: Sorry for the confusion I've caused, especially with my terminology. Yes, Patrick M. Hausen, I meant wall outlets and not NICs, sorry for that. I've made sketches so it is easier to follow me. sketch_currently.png is my current network setup, pretty basic with no VLANs. Those wires in the walls lead to wall outlets where I plug in my ethernet cables. Every room only has a single one of them. They are all connected to my "Main" Switch, but I didn't sketch all wires, just the ones that are relevant to this topic. My "Main" AP is directly connected to my "Main" Switch, whereas anything else has to go through the wires / wall outlets in the walls. Hence, the office is arguably the most "complex" room of all to configure. My "Other" TP-Link M4R is connected to the wall outlet, but as you know the M4R has a NIC (yes, this time I mean NIC as in NIC, not a wall outlet) to which my TV is connected.

Going forward I'd like to define my terminology so that there are no more communication barriers, which is also necessary to explain my plan:
As I understand it, Managed Switches are configurable to have access/untagged ports (every packet that goes through a specific port is tagged the same way, the tag disappears once it leaves the switch) or trunk/tagged ports (packets going through a NIC can have multiple tags assigned to them, which can be relayed to a different trunk port on a different managed switch).
I'm assuming that in my case I'd only be working with tagged ports, as everything is supposed to run through OPNsense, which controls VLAN access through the firewall rules, am I right?
---
Now continuing with my planned network upgrade (sketch_planned.png): I've colored the wires based on the following:
Red means trunk connection.
Yellow means connection of IOT interface.
Purple means connection of UNTRUSTED interface.
I hope you guys aren't colorblind.
---
Because the APs do SSID to VLAN mapping and you guys made it clear that APs can in fact be set on a VLAN as well, I have a specific question in mind:
When the VLAN-aware AP receives a connection from a specific device on a specific SSID, it'll tag it accordingly. Then the AP would relay the tagged packets through the trunk port. But now that those are tagged I also want to make sure that the packets of the AP itself are tagged as well, so that I can get them to be placed in IOT. How can I achieve this, or isn't this possible after all? I'm assuming I'd have to configure the switch-software in a way that the specific trunk port tags packets with IOT, but this theory leaves me with another question: Would the VLAN tags from the SSIDs be overwritten in this setup, or does the software distinguish between the ethernet-connected device and those connected through other means? Specifically, does it only tag packets from the IP address it knows is associated with the Ethernet connection?
This theory is why I've colored the connections to the APs so that they are to be placed in IOT.
But as I've also made clear: I could also live without them being in a separate VLAN, because after all I can just deny any telemetry based off their IPs.

Quote from: nero355 on April 14, 2026, 01:13:54 AM
Quote from: bloodyNetworker on April 13, 2026, 11:38:51 PM
This was my original idea, but nero355 told me this could go wrong if I were to put them in IOT VLAN.
Please note :
That was based on my understanding at the time that you were going to put one of the M4 units in a certain VLAN and not in combination with Advanced (VLAN Aware) Accesspoints !!

So my "theory" that the APs would join IOT is realizable?
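The switch-port behaviour this post asks about (does the trunk port's "Untagged" VLAN overwrite the tags the AP puts on SSID traffic, and what happens to the AP's own frames and to a device plugged into the AP) is modelled below. This is an added example, not code from the thread or from OPNsense/TP-Link; the VLAN IDs, MAC addresses and port settings are constructed assumptions.

```python
# Added example (not from the thread): how a managed switch port treats the AP's own
# untagged frames versus the 802.1Q-tagged frames the AP emits per SSID. VLAN IDs,
# MAC addresses and the port settings are constructed for this demo.
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ETH_P_8021Q = 0x8100   # TPID that marks an 802.1Q-tagged frame
ETH_P_IP = 0x0800      # EtherType of the (dummy) payload used here

FAMILY, UNTRUSTED, IOT = 2, 3, 4   # constructed VLAN IDs for the thread's interfaces


@dataclass(frozen=True)
class Port:
    mode: str                              # "access" or "trunk"
    pvid: int                              # VLAN assigned to frames that arrive untagged
    allowed: frozenset = frozenset()       # VLANs accepted/sent tagged (trunk only)


def build_frame(dst: bytes, src: bytes, payload: bytes, vid: Optional[int] = None) -> bytes:
    """Build a minimal Ethernet frame, inserting an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)   # PCP/DEI bits left at 0
    return hdr + struct.pack("!H", ETH_P_IP) + payload


def parse_frame(raw: bytes) -> Tuple[bytes, bytes, Optional[int], bytes]:
    """Return (dst, src, vlan id or None, payload) for a frame built by build_frame."""
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype == ETH_P_8021Q:
        (tci,) = struct.unpack("!H", raw[14:16])
        return dst, src, tci & 0x0FFF, raw[18:]
    return dst, src, None, raw[14:]


def ingress(port: Port, raw: bytes) -> Optional[int]:
    """Classify an arriving frame into a VLAN; None means the switch drops it."""
    _, _, vid, _ = parse_frame(raw)
    if vid is None:
        return port.pvid                     # untagged frame -> the port's Untagged VLAN
    if port.mode == "access":
        return None                          # an access port does not accept tagged frames
    return vid if vid in port.allowed else None   # trunk keeps an allowed tag unchanged


def egress(port: Port, vid: int, raw: bytes) -> Optional[bytes]:
    """Rewrite the frame for leaving `port` in VLAN `vid`: strip, keep or refuse the tag."""
    dst, src, _, payload = parse_frame(raw)
    if vid == port.pvid:
        return build_frame(dst, src, payload)        # native VLAN leaves untagged
    if port.mode == "trunk" and vid in port.allowed:
        return build_frame(dst, src, payload, vid)   # other member VLANs leave tagged
    return None                                      # port is not a member of this VLAN


def demo() -> dict:
    """Run the thread's scenario: a VLAN-aware AP on a trunk port, Benny behind it."""
    ap_port = Port("trunk", pvid=IOT, allowed=frozenset({FAMILY, UNTRUSTED, IOT}))
    benny_port = Port("access", pvid=UNTRUSTED)     # a dedicated switch port for Benny
    gw = bytes.fromhex("020000000001")               # constructed gateway MAC
    ap = bytes.fromhex("020000000048")               # constructed AP MAC
    phone = bytes.fromhex("020000000020")            # constructed client MAC
    benny = bytes.fromhex("020000000099")            # constructed Benny MAC
    return {
        # The AP's own management/telemetry traffic leaves the AP untagged -> PVID (IOT).
        "ap_itself": ingress(ap_port, build_frame(gw, ap, b"mgmt")),
        # A phone on the FAMILY SSID: the AP tags it, and the trunk keeps that tag.
        "phone_family_ssid": ingress(ap_port, build_frame(gw, phone, b"x", FAMILY)),
        # A tag the port is not a member of is dropped, not re-tagged.
        "unknown_tag": ingress(ap_port, build_frame(gw, phone, b"x", 99)),
        # Benny behind the AP's pass-through port (assumed to forward his frames
        # untagged) lands in the PVID too, i.e. in IOT rather than UNTRUSTED.
        "benny_behind_ap": ingress(ap_port, build_frame(gw, benny, b"x")),
        # Benny on his own access port gets UNTRUSTED; a tagged frame there is dropped.
        "benny_own_port": ingress(benny_port, build_frame(gw, benny, b"x")),
        "benny_own_port_tagged": ingress(benny_port, build_frame(gw, benny, b"x", FAMILY)),
    }


if __name__ == "__main__":
    for name, vlan in demo().items():
        print(f"{name:24s} -> {'dropped' if vlan is None else 'VLAN ' + str(vlan)}")
```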
#3
General Discussion / Re: Trouble understanding VLANs
April 13, 2026, 11:47:17 PM
Quote from: Boxer on April 13, 2026, 11:26:10 PM
Post #5 https://community.tp-link.com/en/home/forum/topic/214828
Apparently it's a built-in mechanism that cannot be turned off

I'd rather not buy from them again. They're lying that it is needed to check for connectivity. Being so nontransparent and non-cooperative with the community's demands to remove 24/7 connections with Big Data and telemetry to their own cloud infrastructure can only mean they're trying to hide their shadiness (probably data selling).
Spread the word to the folks buying from TP-Link. Warn them about TP-Link's lack of trustworthiness.
#4
General Discussion / Re: Trouble understanding VLANs
April 13, 2026, 11:38:51 PM
Quote from: Patrick M. Hausen on April 13, 2026, 08:07:12 PM
You could try to connect the APs to the "AP VLAN" which offers IP addresses via DHCP but no Internet access by simply not adding the firewall rules that would be necessary for that. But with an IP address the APs should be manageable.

Then create an SSID per VLAN and connect SSID and tagged VLAN at the AP(s). So devices connected to SSID "LAN" will be in VLAN "LAN" and get those 10.0.0.0/24 IP addresses etc.

Where do those network cables in your walls lead? What is at the opposite end of each AP?

This was my original idea, but nero355 told me this could go wrong if I were to put them in IOT VLAN. You've said it yourself: Without internet connectivity, I cannot conveniently update their firmware via their user interfaces. So I guess my best shot would be to just give them a static DHCP Lease and only block those addresses they constantly connect to.

The cables in the walls lead to every NIC in the household. They come together in a room where I have them connected to my "main" switch.
So basically it doesn't matter to which NIC in the wall the APs are connected, since the switch makes sure that they can all speak to each other.
#5
General Discussion / Re: Trouble understanding VLANs
April 13, 2026, 11:19:45 PM
Quote from: Boxer on April 13, 2026, 10:03:56 PM
First, let me apologise. The Tapo APs ping those servers (reddit, netflix etc) to check the connection is still up. So sorry about questioning that. I still think that's absurd if they're in AP Mode. But it is a ping only, there's no data telemetry. You can block those pings on opnsense but the AP will show a constant red light as if network is down, even when it's up.

They are in AP mode, I can tell you that. How are you so sure that those are only pings? I only know what sites they connect to; whether they really send telemetry is just my speculation. Especially since they just connect to Big Data sites I doubt that those are just pings. I mean, why not just ping the upstream DNS server?
In my household that is Quad9 and I'd be totally fine with that.

EDIT: I just found a big forum post on TP-Link's official website, where their customers report the same: The TP-Link APs do in fact send out telemetry.
https://community.tp-link.com/en/business/forum/topic/525328
They are too sorry to make firmware updates for their cheaper product lines to opt-out.
#6
General Discussion / Re: Trouble understanding VLANs
April 13, 2026, 07:41:29 PM
Quote
Are you saying you can not connect each Accesspoint via its own UTP cable ?

Always look at the Specifications on the website of the manufacturer :
- https://www.omadanetworks.com/us/business-networking/omada-wifi-ceiling-mount/eap225/ - EAP225 without Mesh.
- https://www.tp-link.com/us/business-networking/omada-sdn-access-point/eap225-outdoor/v1/ - EAP225 Outdoor with Mesh.
- https://www.omadanetworks.com/us/business-networking/omada-wifi-wall-plate/eap235-wall/ - EAP235 Wall without Mesh.

Also sometimes the specifications can change between the different Revisions of a product so watch out for those changes!

The APs are connected through the network cables that are in our walls. They don't have to be directly connected.
I'm assuming I'm misunderstanding you?

Either TP-Link's specifications are not very clear or idk...
Here is a list of all "Omada Mesh" supported devices on their own website.
The "ceiling" EAP225 is advertised with Omada Mesh support, same as its outdoor variant.
I'm starting to dislike this company... they do all that telemetry goof, force you into cloud accounts to manage your devices and are just so incredibly confusing with their marketing and specifications IMO.
#7
General Discussion / Re: Trouble understanding VLANs
April 13, 2026, 07:21:04 PM
Quote from: Boxer on April 12, 2026, 11:18:00 PM
The telemetry you talk about isn't originating from the AP itself but from the clients connected to that AP (laptop, phone, pc etc.), as already pointed out. [...] Understand what an AP does. It's just a bridge to your opnsense. Make sure it's in AP Mode and not Router Mode. [...]

This goes to nero355, Patrick M. Hausen and Boxer:
It is in AP mode. I also first thought that the AP only sets up the "bridge" and does not require IPs, but if you take a closer look at my logs you'll see I'm not lying when I say that my TP-Link APs have their own IPs and THEY THEMSELVES send out telemetry. Please refer to all the pictures.
In the DNS timeline you can clearly see the orange line, which has the IP 10.0.0.48: This is the "main" TP-Link AP.
The red box marks a certain time when I was totally home alone. No devices from my family connected, only my Linux machine.
Green is localhost.
On one of the Unbound DNS reports you can even see tplink domain requests coming from 10.0.0.48; I marked those with a red box as well.
Take a look at the DHCP leases and you'll see that 10.0.0.48 is in fact my TP-Link AP and both of my APs have IP addresses assigned. The main one does domain / IP telemetry requests and the second (10.0.0.56) only some IP requests.
The devices we use are in fact connected to those APs, yes, I get that. However, each of those devices ALSO has its own IP, I can see that in the DHCP leases. My Linux machine didn't make any such requests, I checked. Those requests solely come from the APs; I can see in the Unbound DNS reports how devices which are connected to the AP don't make those requests at all.

Quote from: Patrick M. Hausen on April 12, 2026, 11:11:24 PM
If the vendor uses telemetry and you cannot opt out, I'd switch vendors. Seriously. You need to build your network from trustworthy components.
Do you have an alternative brand / products to suggest?

EDIT: I had to compress the DNS timeline (output1.png) with ffmpeg to fit it into the max. upload size of 256 kB, which decreased the quality, but I think you can still see that the orange line in fact represents requests from 10.0.0.48.
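The check this post does by eye (matching Unbound query sources against DHCP leases to see whether the APs themselves, rather than the clients behind them, resolve vendor domains) can be scripted. This is an added example, not code from the thread or from OPNsense; the leases and log lines are constructed, and the line format follows Unbound's `log-queries: yes` output as an assumption.

```python
# Added example (not from the thread): attribute DNS queries to DHCP leases so that
# resolver lookups made by network gear (the APs at 10.0.0.48 / 10.0.0.56 in the post)
# can be told apart from those of the clients behind them. The log lines and leases are
# constructed; the line format follows Unbound's `log-queries: yes` output as an assumption.
import re
from collections import Counter, defaultdict
from typing import Dict, Iterator, Tuple

# Constructed DHCP leases: IP -> hostname (mirrors the thread's two APs plus one client)
LEASES = {
    "10.0.0.48": "tplink-ap-main",
    "10.0.0.56": "tplink-ap-other",
    "10.0.0.20": "linux-workstation",
}

# Constructed Unbound query-log lines (format assumed; adjust LINE_RE to your log)
QUERY_LOG = """\
[1713045600] unbound[911:0] info: 10.0.0.48 device.tplinkcloud.com. A IN
[1713045601] unbound[911:0] info: 10.0.0.48 www.google.com. A IN
[1713045602] unbound[911:0] info: 10.0.0.20 forum.opnsense.org. A IN
[1713045603] unbound[911:0] info: 10.0.0.48 www.reddit.com. A IN
[1713045604] unbound[911:0] info: 10.0.0.56 api.tplinkcloud.com. A IN
[1713045605] unbound[911:0] info: 10.0.0.20 www.google.com. AAAA IN
[1713045606] unbound[911:0] info: 10.0.0.48 www.linkedin.com. A IN
"""

LINE_RE = re.compile(r"^\[(\d+)\] unbound\[\d+:\d+\] info: (\S+) (\S+?)\.? (\S+) IN$")

# Domain suffixes a headless AP has no business resolving (constructed list).
VENDOR_SUFFIXES = ("tplinkcloud.com",)


def parse_queries(text: str) -> Iterator[Tuple[int, str, str, str]]:
    """Yield (unix_ts, client_ip, qname, qtype) for every well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3).lower(), m.group(4)


def queries_by_host(text: str, leases: Dict[str, str]) -> Dict[str, Counter]:
    """Count queried names per DHCP hostname (unknown IPs are kept under their IP)."""
    per_host: Dict[str, Counter] = defaultdict(Counter)
    for _, ip, qname, _ in parse_queries(text):
        per_host[leases.get(ip, ip)][qname] += 1
    return dict(per_host)


def vendor_callers(text: str, leases: Dict[str, str],
                   suffixes=VENDOR_SUFFIXES) -> Dict[str, list]:
    """Map hostname -> sorted vendor-cloud names it resolved (only hosts that did)."""
    hits: Dict[str, set] = defaultdict(set)
    for host, names in queries_by_host(text, leases).items():
        for qname in names:
            if any(qname == s or qname.endswith("." + s) for s in suffixes):
                hits[host].add(qname)
    return {host: sorted(names) for host, names in hits.items()}


def block_candidates(text: str, leases: Dict[str, str]) -> list:
    """IPs of leases that resolved vendor-cloud names: the list to put into a firewall
    alias for an egress-block rule (the approach the poster settles on), not client IPs."""
    by_name = {host: ip for ip, host in leases.items()}
    return sorted(by_name[h] for h in vendor_callers(text, leases) if h in by_name)


if __name__ == "__main__":
    for host, names in queries_by_host(QUERY_LOG, LEASES).items():
        print(host, dict(names))
    print("vendor callers:", vendor_callers(QUERY_LOG, LEASES))
    print("block candidates:", block_candidates(QUERY_LOG, LEASES))
```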


#8
General Discussion / Re: Trouble understanding VLANs
April 12, 2026, 11:04:27 PM
Quote from: Patrick M. Hausen on April 12, 2026, 10:11:30 PM
Quote from: bloodyNetworker on April 12, 2026, 09:59:23 PM
I'm now giving up this idea, I'll just block their Static DHCP Leased IPs from accessing the internet and that's it.

Why do you want to block your device from accessing the Internet? You want it to be able to pull firmware updates in a timely manner, don't you?

Good point! I actually didn't think about that one.
Mh... well, I know that you can load firmware images onto TP-Link products via their web interface.
The other solution would probably be to analyze their internet traffic and only block the telemetry.

Thanks for pointing that out!
#9
General Discussion / Re: Trouble understanding VLANs
April 12, 2026, 09:59:23 PM
Quote
Quote
Then I should be placing the APs at least in FAMILY, if that is configurable through their software.
So I'll have to buy a managed switch and access points with VLAN-tagging support.
The thing is : You don't place them in a certain VLAN or Network at all.

Most Accesspoints are setup something like this :
- Main Interface connected to the network so you can reach the device to manage it.
This interface is usually connected to your Management Network.
It can be Tagged or Untagged. UniFi and Omada use Untagged by default.
There can be a SSID active for this network or not. Usually there is none.

- Then you have the SSID's your devices connected to.
These are Tagged and connected to one or more VLANs that you are using.

So think about all of this as "Linking SSIDs to Networks/VLANS" instead of placing your Accesspoint into a Network/VLAN ;)

I'm struggling to understand your explanation of how access points are set up. I understand that you can tag SSIDs with specific VLANs. I thought that because my access points act as network devices as well (and surely have their own IP), I should be able to put them in a VLAN as well.
I'm now giving up this idea, I'll just block their Static DHCP Leased IPs from accessing the internet and that's it.

Quote
If I understood you correctly (And maybe I did not!) you were talking about connecting devices directly to your Accesspoint ?!
The above mentioned type of Accesspoint is AFAIK the only type of model that can do that for you.
Well, I don't necessarily need an access point with NICs. Remember that one ethernet-connected device that needs to be in UNTRUSTED? Currently it's connected to the NIC my TP-Link M4R offers, but it would be cleaner if I just used a Managed Switch and connected both of them to it.

Quote
Quote
I've looked at the concept and I must say I'm not a big fan of it.
Quote
I'd like to keep AP and Managed Switch separated.
I am not saying you should get the one or the other : You can use both!
Nevermind that, I misunderstood something.

Quote
Also there is the option to connect these Wall type Accesspoints via PoE+ and then another Managed Switch to their PoE Out Port too.
Assuming I'm already connecting AP and ethernet-connected device in UNTRUSTED to a switch, I won't need additional NICs that are on the AP. Especially if the switch also offers PoE.
As I've said, I don't really specifically need Wall-Type APs. If there is another AP that is cheaper and offers VLAN-tagging on SSIDs as well, I'd rather take that one.

Quote
Quote
I'm thinking I should install another switch (this one can be port-based) in front of the NIC that the AP is connected to, and so I'll be able to tag the traffic from that one ethernet-connected device to join UNTRUSTED.
I assume you are talking about one of the OPNsense NICs ?
If so, then YES!
I guess you're understanding me correctly, refer to the paragraph from before.

Quote
Quote
What is the difference between TP-Link Smart Managed Switch (e.g. SG108E) and Easy Managed Switch (e.g. Omada ES200)?
Like I mentioned earlier : TP-Link has both regular Managed Switches and Omada Managed Switches.
The Omada ones can also be configured via one central Omada Controller.
I suggest you read a lot about both options and decide what you would rather have.
It seems to me that Omada products require the products to know / contact each other over my home network. As of right now I can't tell whether (based on my future firewall rules / VLAN configs) this feature could break with regard to what I'm trying to achieve.
I'm giving up on the idea of "putting APs / switches in VLANs to regulate their telemetry", it seems irritating and complex. I'd rather just assign them Static DHCP Leases and then block those IPs from accessing the internet. I won't bother with which interface they're chilling on.

Quote
Quote
I see a lot of people speaking about PoE. I don't get it. Is it just because it makes the wire setup cleaner?
That too, but it's also very common for Managed Accesspoints these days and some Switches too.
I see the potential... Tangled cables? BEGONE!

---
EDIT:
I've now picked Omada. I want to see how convenient it is:

2x TP-Link Omada ES200 Desktop Gigabit Managed Switch, 8x RJ-45, 64W PoE+
2x TP-Link Omada EAP225

My price comparison site tells me that only the EAP225 supports Mesh, which is a MUST in my household.
The other ones - those "Wall" thingies you praise - don't??

https://geizhals.de/tp-link-omada-eap230-wall-a2419233.html
https://geizhals.de/tp-link-omada-eap235-wall-a2451515.html
https://geizhals.de/tp-link-omada-eap225-a1501193.html

I hope it's ok to post links from other sites here. This is not an ad. I only want to show what I mean, so please don't ban me or delete this message, mods, if this is against the rules. I'm sorry if it is against the guidelines.
#10
General Discussion / Re: Trouble understanding VLANs
April 12, 2026, 07:11:23 PM
Quote
For the first, you could use DHCP reservations. For me, I don't mind looking up a particular lease in the relatively rare instances when I want to manage a device.
That's what I actually meant! Sorry for the confusion with "static IP address". Considering some IoT devices depend on DHCP...

Quote
For the second, I figured your IOT segment covered that, but, of course, the choice is yours. [...]
The IOT interface should have absolutely no access to anything. Connections from "higher" VLANs should be able to talk to IoTs, but not the other way around. I thought that the firewall as set up by default is already correctly configured for this purpose.
#11
General Discussion / Re: Trouble understanding VLANs
April 12, 2026, 02:45:08 PM
Truly an interesting setup! Might be simple, but effective nonetheless! I've always been told that bridges are a thing of the past? Anyway, I totally get your intentions: Modern devices are bloated. Based on my needs, I'm kinda stuck with those modern tools. They help me solve my problems, but also create their own issues such as telemetry, which I want to restrict as well.

Here are two solutions I came up with:

  • Assign those devices static IPs and then restrict their internet access through the firewall (seems not very clean if you ask me)
  • Make a totally different VLAN - NETDEV - which has access to LAN, but not to WAN. That way they won't have issues communicating with the devices in my home network, but cannot send out telemetry

I just came up with the latter solution. Please let me know if that could work out or whether I'm missing out on something.
#12
General Discussion / Re: Trouble understanding VLANs
April 12, 2026, 02:18:18 PM
Quote
I don't think your Accesspoints can do that by themselves to be honest : You should look at the connected Clients !!
I checked again just to be sure:
I have two TP-Link M4Rs and the "main" AP makes ALL the domain requests; aside from that both do some IP requests to those same sites and even... the University of Colorado????????????

Quote
Cool plan, but your Accesspoints don't support VLANs for multiple SSIDs : https://www.tp-link.com/us/deco-mesh-wifi/product-family/deco-m4/#specifications
Thanks! I'm aware of that, which is why I've been asking about setup recommendations or products in general.

Quote
Printer : Yes!
Accesspoints : No!
The reason is that your SSID would be "talking from the IoT VLAN" so to speak and then the traffic is blocked !!
That is good to know, thanks for the important information!
Then I should be placing the APs at least in FAMILY, if that is configurable through their software.
So I'll have to buy a managed switch and access points with VLAN-tagging support.

Quote
If you want an Advanced Accesspoint that also has a built-in Managed Switch then look at one of these :
- TP-Link Omada Wall Accesspoints
- Ubiquiti UniFi In-Wall Accesspoints
Is that how you suggest it must be done in my case or just a recommendation? I've looked at the concept and I must say I'm not a big fan of it. I'd like to keep AP and Managed Switch separated. AFAIK for my needs there shouldn't be a compatibility issue as long as both support VLAN-tagging?

Quote
Just please don't do this kind of crap :
Quote
spoof their MAC address
Stupid and unnecessary !!
I've stated that it seems unreliable to depend on a MAC address not to change. I'm thinking I should install another switch (this one can be port-based) in front of the NIC that the AP is connected to, and so I'll be able to tag the traffic from that one ethernet-connected device to join UNTRUSTED.

Quote
Do you have recommendations for products (access points + switch) / brand that could help me best with my needs?

Quote
I really don't want to break my bank, just something reliable that does the job.
If you want to keep things cheap then I would consider something like this :
- A couple of TP-Link 108E Switches.
- The earlier mentioned TP-Link Omada Wall Accesspoints.
The TP-Link 108E seems to be a good choice, cheap and has everything I need: Port- and tag-based VLAN!
I'd only need a good AP; I'm assuming you should buy from the same brand?
It seems to me I won't be able to place the TP-Link devices into IOT. The main switch, which is directly connected to my home server, has to be on the LAN interface, as I'm assuming the switch needs to talk to the other devices. The other switch in front of the AP must be at least in UNTRUSTED.
I'm thinking so thoroughly about which interfaces to place the TP-Link devices in because I obviously want them controlled: Ideally, I don't want them to send telemetry, but it seems like I cannot really stop that unless I assign them static IP addresses and make firewall rules for those IP addresses to block internet traffic.
EDIT: I think I just came up with a much better approach, please refer to this short post where I'm presenting this other solution.

Quote
But please double check the following :
- AFAIK the 108E Switches can't be controlled by a Omada Controller, but I am not sure if this is still the case...
This is not a big deal, but make sure you are aware of this before you start buying everything !!
- AFAIK the Wall Accesspoints are not sold with a PoE+/PoE Injector so you need to either buy those too or consider a Managed Switch with enough PoE+/PoE power instead of the PoE+/PoE Injectors !!
Two things:
  • What is the difference between TP-Link Smart Managed Switch (e.g. SG108E) and Easy Managed Switch (e.g. Omada ES200)?
  • I see a lot of people speaking about PoE. I don't get it. Is it just because it makes the wire setup cleaner?

Quote
Quote
Sorry for the long text
Long text is OK, but just make it a bit more readable the next time ;)
I'm not a native English speaker, I'm trying my best to make my text understandable :)
#13
General Discussion / Trouble understanding VLANs
April 11, 2026, 11:15:27 PM
Hey there,
As my name suggests, I'm a newbie in networking.
I have a specific problem on my network, which led me to VLANs:
I have two TP-Link M4R Access Points in my LAN and they have served my home well for about 2 years now.
Recently, I set up OPNsense and came to the conclusion that both of my TP-Link Access Points are responsible for more than 10% of my entire internet traffic:
As you can tell from the uploaded image, this orange line is all the telemetry those access points share with google, live.com, reddit, amazon, linkedin etc...
I want to put an end to this.

I've thought about some possible solutions and came to the conclusion that I can create multiple VLANs and then restrict those specific VLANs however I like.
Here is how I imagine the interfaces in OPNsense should look in the end:
LAN (10.0.0.0) - unrestricted access only for me, the admin
VPN (10.0.1.0) - access to selfhosted service + internet (homeserver as Exit Node) through TailScale plugin, also only for me
FAMILY (10.0.2.0) - access to devices on interface IOT + internet
UNTRUSTED (10.0.3.0) - access to internet
IOT (10.0.4.0) - no access to internet, neither to any other devices on home network

As far as I understand it, because OPNsense is by default a stateful firewall, any requests from "higher" VLANs such as FAMILY to IoT devices won't be blocked by the firewall unless IoT devices "request first". So I should be able to safely put my printer, the access points etc. in there without losing functionality, because devices in FAMILY can get replies back from my IoTs.
Please let me know if my assumption is correct.

I'm looking forward to assigning the interfaces FAMILY, UNTRUSTED and IOT each a different wireless SSID.
So to differentiate devices connected through WLAN by their corresponding VLANs, I'd need VLAN tagging, which needs to be supported by my switch as well as my access points, am I right?

THE ISSUE - This is the point where I'm having trouble understanding how to apply my network in the way I have described and envisioned:
My family runs most of their devices through WLAN provided by the TP-Link access points.
Then there are also the devices, which I'd rather have under the UNTRUSTED VLAN: Two LAN connected devices at home and the rest of them will be guest devices also connected through WLAN.
Assuming the access point delivers the switch with connections of 3 separate VLAN tags, which are inherited from the origin of their corresponding WLAN network (SSID), I'd still have to figure out a way to assign my access points to the IOT VLAN. Is there such a possibility (maybe in their software settings)? They run through ethernet cables so I won't be able to distinguish by the SSID like I'd do for the devices on WLAN. The two devices that are also connected through ethernet, which I want to have on UNTRUSTED, strike me with a similar problem. One of them runs through its own NIC so AFAIK it should be possible to tag a specific NIC on my switch to UNTRUSTED and that should do it (correct me if I'm wrong please). The other device - let's call it Benny from now on for the sake of ease - is connected by ethernet through the same NIC as one of the access points (there is no way for me to put it in a different NIC).
So there you have the problem in conclusion:
There is an access point connected to the only NIC in the room. That access point has to be in IOT. Then there is Benny (the other device), which needs to run through the same NIC as that access point does, but Benny has to go to UNTRUSTED. How am I supposed to differentiate that in software? The only solution I currently see is to distinguish by Benny's MAC address - since it's unusual for ethernet-connected devices to spoof their MAC address this should work - but it seems a bit unreliable to me. Isn't there something I'm missing?

What do you suggest?
Am I misunderstanding anything, or would you do something different than I've imagined?
Do you have recommendations for products (access points + switch) / brand that could help me best with my needs? I really don't want to break my bank, just something reliable that does the job.
Sorry for the long text, I just thought it's important to tell the whole story so that I don't appear confusing.

Thanks in advance!