Complex VLAN/Bridge Setup?

[syndac]

I want to separate my network devices into two networks: one for my regular devices (LAN) and one for devices that really have no business on the LAN (ISO). I'd also like any guests connecting to the network to be DHCP'd onto the ISO network. I have wired and wireless connections for both device categories. For example:

Desktop: wired (LAN)
Phone: wireless (LAN)
TV: wired (ISO)
Alexa: wireless (ISO)
Guests: wireless (ISO)

LAN: 192.168.1.0/24
ISO: 192.168.2.0/24

I'm having trouble wrapping my head around how to set up VLANs and bridging to make this possible. So far, I've tried:

1. Connect AP and wired devices to switch
2. Connect switch to firewall port 1
3. Create VLAN off port 1
4. Static-assign all IPs as necessary between the networks
5. Turn DHCP off of LAN and on for ISO

The issue that I run into is that anything that comes onto the network later ends up getting an address on the LAN network (192.168.1.x) instead of the ISO network as intended. Additionally, even though devices are statically assigned IP address on the ISO network, the devices--themselves--show that their IP address is on the LAN network (for some devices, this causes connection issues).

I'm not sure what's causing this. Am I going about this the wrong way?

[Ren]

I want to separate my network devices into two networks: one for my regular devices (LAN) and one for devices that really have no business on the LAN (ISO). I'd also like any guests connecting to the network to be DHCP'd onto the ISO network. I have wired and wireless connections for both device categories. For example:

Desktop: wired (LAN)
Phone: wireless (LAN)
TV: wired (ISO)
Alexa: wireless (ISO)
Guests: wireless (ISO)

LAN: 192.168.1.0/24
ISO: 192.168.2.0/24

I'm having trouble wrapping my head around how to set up VLANs and bridging to make this possible. So far, I've tried:

1. Connect AP and wired devices to switch
2. Connect switch to firewall port 1
3. Create VLAN off port 1
4. Static-assign all IPs as necessary between the networks
5. Turn DHCP off of LAN and on for ISO

The issue that I run into is that anything that comes onto the network later ends up getting an address on the LAN network (192.168.1.x) instead of the ISO network as intended. Additionally, even though devices are statically assigned IP address on the ISO network, the devices--themselves--show that their IP address is on the LAN network (for some devices, this causes connection issues).

I'm not sure what's causing this. Am I going about this the wrong way?

What access point and switch do you have ?

[syndac]

What access point and switch do you have ?

AP is an Asus RT-N66U in AP mode. The switch is just a dumb switch, but I've also tried removing the switch and plugging into the 4 ports of the NIC, too.

[Ren]

I don't recall being able to tag SSID to VLANS on AsusWRT. Since its a dumb switch all VLANS should be available on all ports.

In any event to test the VLAN from your PC do the following

To open Device Manager:

Press Windows key + R
   Type devmgmt.msc
   Click OK.
       In Device Manager, open Network adapters.
       Right-click on the NIC and choose Properties.
       Click the Advanced tab.
       Scroll down to VLAN ID.
       Set the ID that to ISO VLAN.



If your VLAN is configured correctly your firewall should assign an IP

[Pocket_Sevens]

I've set up something like this using OpenWRT and OPNSense. 

This is my "go-to" guide for setting up VLANs for different networks (with different SSID's).  While it references PFSense, the idea is still the same:  https://forum.netgate.com/topic/104277/tutorial-pfsense-openwrt-multiple-ssids-and-vlans

[syndac]

Thank you both for the help/insight. I'm pretty new to all of this and it looks like my issues were multi-fold:

1. My unmanaged switch doesn't support VLAN tags
2. My AP doesn't support VLAN tags without 3rd-party firmware and even then, it was suspect
3. Something wasn't letting me run multiple VLAN tags through the same port (I wanted a guest and IoT VLAN). Not sure what.

Overall, looks like I need to upgrade my equipment