Generic VLAN question(s)

[andre2000]

Hi all,

(This is only in part about OPNSense, sorry for that, but I hope this community has the best knowledge about the topic.)

I am thinking about setting up VLANs in order to separate some traffic in my home network (family, home office, guests, IoT, VoIP, VMs, ...) . WLAN is being used by all kinds of devices, having different SSIDs per purpose if that makes sense.

My goal is to separate the traffic for each of these groups, and later to create some firewall rules to define which devices are allowed to see each other. For example create a guest WLAN that only can access the internet, without seeing any of the other devices.

My setup is this:

1. OPNSense
   -> 2.1 Managed Switch (D-Link DGS-1100-16)
    --> 3.1 OpenWRT AP 1
    --> 3.2 OpenWRT AP 2
    --> 3.3 Unmanaged Switch (would that break VLAN?)
      ---> 4.1 OpenWRT AP 3

OPNSense and OpenWRT are running on the latest versions.

All devices using the network are connected to one of the above devices. Reading through several articles I am getting confused, what I understand is: For example I would assign a VLAN tag to a port on the managed switch and the APs. But would this dedicate this port to only VLAN traffic? This seems to be true for a so called static VLAN, so I guess what I want to use is a dynamic VLAN.

OpenWRT now asks me to assign a Device when creating a VLAN there. Which looks like a static VLAN to me? Can I set up a dynamic VLAN across an unmanaged switch? What else do I need to consider beside creating the interfaces, FW rules and DHCP?

Thanks for helping me with that!