How to set up my network

Started by mernst, November 28, 2024, 04:34:47 PM

I need some suggestions.

First, my desired outcome. I want three subnets as follows:

1) I would like to have a WiFi network that also has wired capability for my IoT network. It needs to have WAN connectivity, so it can be secured from hacking.
2) I would like to have a Guest network that is WiFi only, and has access to WAN, but nothing on any other network
3) I would like to have a LAN network that has access to the WAN. It also needs access to the IoT network (but the IoT cannot get back to the LAN). It needs to be both WiFi and wired. If I must, I could eliminate the need for WiFI, since the only WiFi device would be my smartphone.

Now for my hardware:

1) I have a Netgear Orbi RBR750 mesh network. It has a router and 2 satellites and provides full coverage for my house and the lake in back, which also has a number of IoT devices. It can have 3 different networks as described above. But it does not do VLAN tagging of anything. And there is no firewall capability. I think its best use would be for the IoT network only and put it into Access Point mode?
2) I have a Mikrotik RouterBoard RB951Ui-2nD hAP.
3) I have a Mikrotik RB941-2nD-TC hAP Lite.
4) I have a TP-Link TL-SG108E managed switch.

I'd like a recommendation on how best to set this equipment up to achieve my desired outcome. How do I connect these devices and how do I set up OPNsense to manage it?

Thanks in advance for all your help.
Mike

I feel

That looks reasonably straightforward with VLANs.

My VLAN capable AP works by exposing 1 SSID per VLAN and matching SSID to VLAN tags on the Ethernet port.
You can replicate that with one AP per VLAN and tagging/untagging at the switch level (i.e. configure the switch port as an access port for that VLAN).
Obviously, the switch uplink port needs to be a trunk port (all VLANs tagged).

That switch is a smart easy switch. Its VLAN management is reasonable. I've used it a few years ago for that purpose but have since then migrated to the Omada grade devices.
The easiest way would be to keep the LAN as the "native" network and have Guest and IoT as VLANs.
By default, Guest and IoT won't have access to anything. You will need to add firewall rules to give them Internet access (I personally do it with 1 DNS rule to the VLAN gateway and 1 rule with destination NOT (alias for private ranges)).

I think you missed the part that tells you my AP does not support tagging.

November 28, 2024, 11:27:28 PM #3 Last Edit: November 28, 2024, 11:50:36 PM by EricPerl
I think you missed the part where I wrote that you can replicate this behavior with your 3 APs.
The only difference would be that traffic between the switch and the APs wouldn't be tagged.

Edit:
IOW, I'd have 3 virtual APs (on my physical AP) with tagged traffic to the switch.
You'd have 3 physical APs (LAN, Guest, IoT) with untagged traffic to the switch. 2 more switch ports consumed.
The rest of the configuration would be similar (if not identical).

OK, I guess I am lost then. If my Orbi router is in Access Point mode, it does not have the ability to create VLANs, or to set IP addresses. It has the ability to set up a LAN SSID, an IoT SSID and a Guest SSID. However, I have no control over the IP that gets assigned to each of the networks. And once I turn on Access Mode, it still broadcasts all 3 of the SSIDs. Crazy as it seems, if I connect to the Guest network it is still assigning an IP of 192.168.2.xxx on the Guest SSID, even with DHCP turned off. But all I can to OPNsense is the IP range of the LAN SSID. So can you help me understand what you are trying to tell me?

I'm not familiar with Orbi routers. I assume you can set it up as a straightforward AP with 1 SSID.
Ditto for the Mikrotik APs.

Add a VLAN for IOT and another for Guest in OPN.

OPN - switch - AP for LAN
                   - LAN devices
                   - AP for IoT
                   - AP for Guest

The port going to AP for IOT needs to be marked as an access port for IOT (PVID = IOT-VLAN, untagged IOT-VLAN).
Ditto for the Guest AP.
The switch port going to OPN needs to allow tagged IOT and Guest traffic.

Devices attached to the IoT AP will get an IP from the IOT VLAN subnet (from ISC hosted within OPN).
Ditto with Guest.
They will also reach the Internet (and nothing else on your internal network unless you allow it) via their respective VLAN gateway, also hosted on OPN.

If you had 4 ports on your OPN appliance, you could also dedicate a port to each network.
VLANs allow you to do the same logically and reuse physical ports...
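To check that the ruleset sketched in this thread (a DNS rule to the VLAN gateway plus a pass rule with destination NOT private ranges on the IoT and Guest VLANs, LAN unrestricted, everything else hitting the default deny) actually gives the isolation asked for in the first post, here is a small first-match policy model. It is an added example, not anything from the thread or from OPNsense itself; the subnet numbers are constructed and the gateway is assumed to be the first host address of each VLAN. Reply traffic is handled by the stateful firewall and is deliberately not modelled.

```python
import ipaddress

# Constructed example subnets for the three networks (not from the thread).
NETS = {
    "LAN":   ipaddress.ip_network("192.168.1.0/24"),
    "IOT":   ipaddress.ip_network("192.168.20.0/24"),
    "GUEST": ipaddress.ip_network("192.168.30.0/24"),
}
# Alias for RFC 1918 private ranges, used in the "destination NOT private" rule.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: OPNsense's interface (the VLAN gateway) is the first host of each subnet.
GATEWAY = {name: next(net.hosts()) for name, net in NETS.items()}

def iface_of(ip):
    """Ingress interface of a source address: one of the VLANs, or WAN."""
    for name, net in NETS.items():
        if ip in net:
            return name
    return "WAN"

# Pass rules, evaluated first-match on the ingress interface.
def rule_vlan_dns(iface, dst, dport):
    # IoT/Guest may query the DNS resolver on their own VLAN gateway only.
    return iface in ("IOT", "GUEST") and dst == GATEWAY[iface] and dport == 53

def rule_vlan_internet(iface, dst, dport):
    # IoT/Guest may reach anything that is NOT a private range (i.e. the Internet).
    return iface in ("IOT", "GUEST") and not any(dst in p for p in PRIVATE)

def rule_lan_any(iface, dst, dport):
    # LAN keeps the usual allow-all rule, so it can reach IoT and the Internet.
    return iface == "LAN"

RULES = [rule_vlan_dns, rule_vlan_internet, rule_lan_any]

def allowed(src, dst, dport=443):
    """True if some pass rule matches; otherwise the default deny applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = iface_of(src)
    return any(rule(iface, dst, dport) for rule in RULES)
```

Running the model shows IoT and Guest clients reaching the Internet and their gateway's DNS but nothing else, while LAN can initiate to IoT and IoT cannot initiate back.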