Trouble understanding VLANs

Started by bloodyNetworker, April 11, 2026, 11:15:27 PM

Quote from: bloodyNetworker on April 14, 2026, 09:58:53 PM
I'm guessing you mean the NIC on my homeserver?
I am talking about your OPNsense Router :
- It needs at least two NICs for WAN and LAN.
- If possible, let's say 4 of them, as is common on many Intel N100 boxes.

Quote
I only have one NIC and I'd like it to stay that way: This is the reason why I'm proposing that every packet has to arrive as tagged so that the firewall rules trigger as intended. It's what I've been wrapping my head around all the time, whether OPNsense can react to tagged packets (and whether it does so automatically if an assigned VLAN tag in OPNsense matches the incoming tagged packet).
OPNsense can handle Tagged traffic : That's not the issue here.

Quote
If you meant something else, please let me know.
See above : You can't do everything with just one NIC !!

Quote
Quote from: nero355 on April 14, 2026, 07:26:11 PM
By using Untagged/Tagged settings of the Switchport correctly :
- The VLAN that carries the Network you want the Accesspoint to get/use the IP Address from = Untagged.
- Everything else = Tagged.
As far as I understand it you want IOT devices to be untagged. That way they can only communicate if another untagged device within the "internal" VLAN of the switch is also connected to the same switch. Because this isn't happening in my household, any untagged devices will be left alone, is that right?
I have no idea what you are talking about to be honest, but I just posted how you can keep your future Advanced Accesspoint in the IoT VLAN with its Management Interface : That's all!

Quote
I know I'm constantly changing my mind, but I've now come to the conclusion that the IOT interface, as I've intended it, is a terrible idea:
Simply because I fear that way I'll break the Mesh functionality.
Why do you think you need Mesh at all ?!

According to your network drawing there is zero need for it : Everything is connected via the wired network!

Quote
Hence, I'll let them have complete LAN access and only let them contact their vendor cloud servers for firmware updates.
Let's not forget that I also have different IOT devices - like my printer - which require a WLAN connection, and their packets need to be mapped to the IOT VLAN tag as well.
Your Printer can be connected to an Untagged Switchport or via WiFi and the Printer won't know how the rest of the network works, like any other Client ;)

9 out of 10 chance the Printer doesn't even have VLAN Tag Settings !!

Quote
Quote from: nero355 on April 14, 2026, 07:26:11 PM
[You'd] have to configure the switch-software in a way that the specific trunk port [untags] packages with IOT
If I got your idea wrong, please let me know!
I have no idea why you quoted that, but all in all I think you are overthinking everything : Just get some hardware you can afford and think looks reasonably good and start building and learning about your future network! :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
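To make the Untagged/Tagged advice above concrete, here is an added example (not code from the thread or from OPNsense): a tiny model of how an 802.1Q switchport classifies frames on ingress and tags or strips them on egress. The ports, the VLAN IDs 10 (LAN) and 30 (IoT) and the sample frame are constructed assumptions; it shows why a printer on an untagged port never sees a tag while the router's trunk port receives the same frame tagged, and why a tagged frame sent into an untagged-only port is dropped.

```python
import struct
ETHERTYPE_8021Q = 0x8100

def parse_frame(frame: bytes):
    """Return (vlan_id or None, ethertype, payload) for an Ethernet II frame."""
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == ETHERTYPE_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner, frame[18:]
    return None, etype, frame[14:]

def tag_frame(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q header (PCP 0, DEI 0) after the two MAC addresses."""
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF) + frame[12:]

def untag_frame(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]   # drop the 4-byte 802.1Q header

class SwitchPort:
    def __init__(self, untagged: int, tagged=()):
        # 'untagged' is the PVID; 'tagged' are the VLANs carried with their tag kept
        self.untagged, self.tagged = untagged, frozenset(tagged)

    def ingress(self, frame: bytes):
        """Classify an arriving frame into a VLAN; None means the frame is dropped."""
        vid = parse_frame(frame)[0]
        if vid is None:                      # plain frame: belongs to the PVID
            return self.untagged, frame
        if vid == self.untagged or vid in self.tagged:
            return vid, untag_frame(frame)   # accepted; carried plain inside the switch
        return None                          # tagged with a VLAN this port does not carry

    def egress(self, vid: int, plain: bytes):
        """Emit a plain frame on this port for VLAN vid, tagging it if the port requires."""
        if vid == self.untagged:
            return plain                     # device on this port never sees a tag
        if vid in self.tagged:
            return tag_frame(plain, vid)     # e.g. the router's VLAN sub-interface sees the tag
        return None                          # port is not a member of that VLAN

def forward(in_port: SwitchPort, out_port: SwitchPort, frame: bytes):
    """Bridge one frame from in_port to out_port; returns the emitted bytes or None."""
    classified = in_port.ingress(frame)
    return None if classified is None else out_port.egress(*classified)

# Constructed topology for the thread's case; VLAN IDs 10/30 are assumptions.
LAN, IOT = 10, 30
PRINTER_PORT = SwitchPort(untagged=IOT)                 # printer has no VLAN settings at all
ROUTER_TRUNK = SwitchPort(untagged=LAN, tagged={IOT})   # router: LAN plain, IoT as VLAN 30
AP_PORT = SwitchPort(untagged=IOT, tagged={LAN})        # AP management IP lands in IoT
SAMPLE_FRAME = bytes(6) + b"\x02" * 6 + b"\x08\x00" + b"constructed payload"
```

Running `forward(PRINTER_PORT, ROUTER_TRUNK, SAMPLE_FRAME)` yields the printer's plain frame tagged with VLAN 30 at the router, while `forward(PRINTER_PORT, ROUTER_TRUNK, tag_frame(SAMPLE_FRAME, LAN))` returns None because the access port does not accept a foreign tag.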