Need some guidance on how to set up my network with IoT devices.

Started by neomorpheus, Today at 05:23:04 PM

Hi.

I have a Qotom firewall that has 6 Ethernet ports, but it's not a switch.

I also have an unmanaged switch, a TP-Link TL-SG1005D.

I currently have the following on my network:

1- NAS, hardwired, with several Docker containers.
2- 1 PC, hardwired, but I am planning on moving it to wireless.
3- Omada EAP670 access point, controlled from a Docker container.
4- Wireless doorbell.
5- Indoor wireless camera.
6- Multiple smart plugs by Tapo.
7- Phones and tablets.
8- TV and streamer.
9- WireGuard server in the OPNsense firewall.

Besides the NAS, I will be moving to wireless since my needs allow it.

I want to eliminate the switch (if possible) and also have the IoT devices separated from the rest of the network devices.

In the future, I will replace the firewall with another PC that will have 2.5Gb NICs, but that's an upcoming project.

Suggestions as to how I can proceed?

Thanks.

PS: Sorry, but I am not a network expert, so I will definitely need some handholding here.

I can give you the highlights, from memory. Hopefully my memory will get you started.

It's easy to create a 2nd subnet. Personally, I would save the switch and connect the 2nd subnet to it. Then you know without thinking what is LAN and what is IoT. Also, I have no idea how to associate more ports with either subnet.

1) Create an interface for a spare port.
2) Associate the interface with a subnet.
3) Copy the 2 default rules from LAN to IOT and edit accordingly.
4) Create a rule on IOT to keep it out of LAN.
5) Create a rule on LAN to keep it out of IOT.

Hopefully I did not forget a step.

Done. No need to mess with VLANs. Don't even think about them.

If you are using AdGuard Home on OPNsense and want it to patrol both subnets, you have to edit AdGuardHome.yaml to service both subnets, then reboot the router. I don't recall the exact section. It took me days to figure this out, btw. Rules have no effect on this.

Most people seem to have 'special situations' that make it difficult to answer questions like this. This answer is the best I can provide.
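The ordering point behind steps 3 and 4 above, as an added example that is not part of this thread or of OPNsense itself: a small first-match model of OPNsense interface rules, using constructed LAN and IOT subnets, showing that the "block IOT to LAN" rule only works when it sits above the copied "allow any" rule.

```python
import ipaddress

# Constructed example subnets (assumed; the thread gives no addresses).
LAN = ipaddress.ip_network("192.168.1.0/24")
IOT = ipaddress.ip_network("192.168.20.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


def rule(action, iface, src, dst):
    """One OPNsense-style interface rule: applies to traffic entering 'iface'."""
    return {"action": action, "iface": iface, "src": src, "dst": dst}


# Step 3 taken literally (copy LAN's "allow any" to IOT) with the step-4 block
# rule added *below* it: the allow rule matches first, so the block never fires.
RULES_WRONG_ORDER = [
    rule("pass", "IOT", IOT, ANY),
    rule("block", "IOT", IOT, LAN),
]

# Same rules with the block above the allow, plus LAN's own allow rule.
# LAN -> IOT stays open so phones on LAN can reach cameras and plugs; the
# firewall is stateful, so IoT replies return automatically. Step 5 ("keep LAN
# out of IOT") is deliberately left out for that reason.
RULES_RIGHT_ORDER = [
    rule("block", "IOT", IOT, LAN),
    rule("pass", "IOT", IOT, ANY),
    rule("pass", "LAN", LAN, ANY),
]


def ingress_iface(src):
    """Interface a packet from 'src' arrives on, by source subnet."""
    return "LAN" if src in LAN else "IOT" if src in IOT else "WAN"


def evaluate(rules, src_ip, dst_ip):
    """First matching rule on the ingress interface wins; no match means block."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    iface = ingress_iface(src)
    for r in rules:
        if r["iface"] == iface and src in r["src"] and dst in r["dst"]:
            return r["action"]
    return "block"


def verdicts(rules):
    """Flows a home user cares about (constructed addresses)."""
    return {
        "plug->NAS": evaluate(rules, "192.168.20.50", "192.168.1.10"),
        "plug->internet": evaluate(rules, "192.168.20.50", "93.184.216.34"),
        "plug->fw-dns": evaluate(rules, "192.168.20.50", "192.168.20.1"),
        "phone->camera": evaluate(rules, "192.168.1.20", "192.168.20.60"),
    }
```

Note that the IoT device can still reach the firewall's own IOT-side address for DNS and DHCP, because that address is not inside "LAN net"; in the OPNsense GUI the same model corresponds to the rule order on the IOT interface with the "IOT net" and "LAN net" aliases.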

Thank you, that provides some guidance.

Remember that I only have one AP and both the IoT and regular devices are using it.

So sadly, I'm not sure how to proceed with your steps 2 and 3.

Quote from: neomorpheus on Today at 07:34:38 PM
Thank you, that provides some guidance.

Remember that I only have one AP and both the IoT and regular devices are using it.

So sadly, I'm not sure how to proceed with your steps 2 and 3.

What you want to do is not possible with 1 access point if each subnet needs wireless. You need a different SSID for each network. This is true even if you want to use a switch-controlled VLAN.

Routers are cheap. Tapo doorbells and whatnot do not need the latest and greatest. Best wishes.



I believe that I can create multiple SSIDs on this AP.

What I really don't know how to do is attach the AP physically to my Qotom, configure it in a way that it handles both subnets, and allow my mobile devices access to those IoT devices for monitoring.

Quote from: neomorpheus on Today at 07:55:18 PM
I believe that I can create multiple SSIDs on this AP.

What I really don't know how to do is attach the AP physically to my Qotom, configure it in a way that it handles both subnets, and allow my mobile devices access to those IoT devices for monitoring.

Access points are in the same broadcast zone. It won't work. Even some routers in router mode are iffy with 'guest networks'. I will wave my hand in the air and think good thoughts, but that's the best anyone can do for you. There may be an access point somewhere that can automagically do a VLAN on an access point, but I doubt it.

If the access point idea worked, then you would not need OPNsense to assist.


Something just occurred to me: the applications that need to talk to these IoT devices should be able to continue working via web access.

But to keep this simple, let's forget the VLAN and IoT. How about replacing the switch by using the ports that already exist in my router?

As mentioned, I only really need 2 ports, the NAS and the AP; the rest can use my Wi-Fi network.

How do I set those two ports?

Quote from: neomorpheus on Today at 08:34:58 PM
Something just occurred to me: the applications that need to talk to these IoT devices should be able to continue working via web access.

But to keep this simple, let's forget the VLAN and IoT. How about replacing the switch by using the ports that already exist in my router?

As mentioned, I only really need 2 ports, the NAS and the AP; the rest can use my Wi-Fi network.

How do I set those two ports?

1) If the NAS is on a different subnet, then no other subnet can talk to it, defeating the purpose of a NAS.

2) If the AP is on an isolated subnet, then LAN and NAS cannot use it.

3) If you do some workaround to fix that, you end up where you began.

4) Best wishes. You need to think this through again.

5) I'm out of ideas. Perhaps someone else has a better idea outside my range of experience.

Quote from: coffeecup25 on Today at 09:13:50 PM
4) Best wishes. You need to think this through again.

Wait, did I upset, disrespect or offend you somehow?

I'm only looking for a simple solution to an issue which would help me remove extra hardware from the network and perhaps learn how to secure my network a bit more.

Quote from: neomorpheus on Today at 09:41:50 PM
Quote from: coffeecup25 on Today at 09:13:50 PM
4) Best wishes. You need to think this through again.

Wait, did I upset, disrespect or offend you somehow?

I'm only looking for a simple solution to an issue which would help me remove extra hardware from the network and perhaps learn how to secure my network a bit more.

No, I replied factually to the best of my ability. Things work as they do. You can't negotiate how an access point works. I suspect I simply should not have answered at all. Perhaps you should Google networks and add some background knowledge next, as we all did. I gave you an instant answer at the top of this thread.