Trouble understanding VLANs

Started by bloodyNetworker, April 11, 2026, 11:15:27 PM

April 11, 2026, 11:15:27 PM Last Edit: April 11, 2026, 11:25:32 PM by bloodyNetworker Reason: realized this forum doesn't automatically recognize .md syntax
Hey there,
As my name suggests, I'm a newbie in networking.
I have a specific problem on my network, which led me to VLANs:
I have two Access Points TP-Link M4R in my LAN and they have served my home well for about 2 years now.
Recently, I've set up OpnSense and came to the conclusion that both of my TP-Link Access Points are responsible for more than 10% of my entire internet traffic:
As you can tell from the uploaded image, this orange line is all the telemetry those access points share with google, live.com, reddit, amazon, linkedin etc...
I want to put an end to this.

I've thought about some possible solutions and came to the conclusion that I can create multiple VLANs and then restrict those specific VLANs how I like.
Here is how I imagine how in the end the interfaces in OpnSense should look like:
LAN (10.0.0.0) - unrestricted access only for me, the admin
VPN (10.0.1.0) - access to selfhosted service + internet (homeserver as Exit Node) through TailScale plugin, also only for me
FAMILY (10.0.2.0) - access to devices on interface IOT + internet
UNTRUSTED (10.0.3.0) - access to internet
IOT (10.0.4.0) - no access to internet, neither to any other devices on home network

As far as I understand it, because OpnSense is by default a stateful firewall, any requests from "higher" VLANs such as FAMILY to IoT devices won't be blocked by the firewall unless IoT devices "request first". So I should be able to safely put my printer, the access points etc. in there without losing functionality, because devices in FAMILY can get replies back from my IoTs.
Please let me know if my assumption is correct.

I'm looking forward to assigning the interfaces FAMILY, UNTRUSTED and IOT each a different wireless SSID.
So to differentiate devices connected through WLAN by their corresponding VLANs, I'd need VLAN tagging, which needs to be supported by my switch as well as my access points, am I right?

THE ISSUE - This is the point where I'm having trouble understanding how to apply my network in the way I have described and envisioned:
My family runs most of their devices through WLAN provided by the TP-Link access points.
Then there are also the devices, which I'd rather have under the UNTRUSTED VLAN: Two LAN connected devices at home and the rest of them will be guest devices also connected through WLAN.
Assuming the access point delivers the switch with connections of 3 separate VLAN tags, which are inherited by the origin of their corresponding WLAN network (SSID), I'd still have to figure out a way to assign my access points to the IOT VLAN. Is there such possibility (maybe in their software settings)? They run through ethernet cables so I won't be able to distinguish by the SSID like I'd do for the devices on WLAN. The two devices that are also connected through ethernet, which I want to have on UNTRUSTED, strike me with this similar problem. One of them runs through its own NIC so AFAIK it should be possible to tag a specific NIC on my switch to UNTRUSTED and that should do it (correct me if I'm wrong please). The other device - let's call it Benny from now on for the sake of ease - is connected by ethernet through the same NIC of one of the access points (there is no way for me to put it in a different NIC).
So there you have the problem in conclusion:
There is an access point connected to the only NIC in the room. That access point has to be in IOT. Then there is Benny (the other device), which needs to run through the same NIC as that access point does, but Benny has to go to UNTRUSTED. How am I supposed to differentiate that in software? The only solution I currently see is to distinguish by Benny's MAC address - since it's unusual for ethernet-connected devices to spoof their MAC address this should work - but it seems a bit unreliable to me. Isn't there something I'm missing?

What do you suggest?
Am I misunderstanding anything, or would you do something different than I've imagined?
Do you have recommendations for products (access points + switch) / brand that could help me best with my needs? I really don't want to break my bank, just something reliable that does the job.
Sorry for the long text, I just thought it's important to tell the whole story so that I don't appear confusing.

Thanks in advance!

Quote from: bloodyNetworker on April 11, 2026, 11:15:27 PM
I have a specific problem on my network, which led me to VLANs:
I have two Access Points TP-Link M4R in my LAN and they have served my home well for about 2 years now.
Recently, I've set up OpnSense and came to the conclusion that both of my TP-Link Access Points are responsible for more than 10% of my entire internet traffic:
As you can tell from the uploaded image, this orange line is all the telemetry those access points share with google, live.com, reddit, amazon, linkedin etc...
I want to put an end to this.

I don't think your access points can do that by themselves, to be honest: you should look at the connected clients!!

Quote
I've thought about some possible solutions and came to the conclusion that I can create multiple VLANs and then restrict those specific VLANs how I like.
Here is how I imagine how in the end the interfaces in OpnSense should look like:
LAN (10.0.0.0) - unrestricted access only for me, the admin
VPN (10.0.1.0) - access to selfhosted service + internet (homeserver as Exit Node) through TailScale plugin, also only for me
FAMILY (10.0.2.0) - access to devices on interface IOT + internet
UNTRUSTED (10.0.3.0) - access to internet
IOT (10.0.4.0) - no access to internet, neither to any other devices on home network
Cool plan, but your access points don't support VLANs for multiple SSIDs: https://www.tp-link.com/us/deco-mesh-wifi/product-family/deco-m4/#specifications

Quote
As far as I understand it, because OpnSense is by default a stateful firewall, any requests from "higher" VLANs such as FAMILY to IoT devices won't be blocked by the firewall unless IoT devices "request first".
So I should be able to safely put my printer, the access points etc. in there without losing functionality, because devices in FAMILY can get replies back from my IoTs.
Please let me know if my assumption is correct.
Printer: Yes!
Access points: No!
The reason is that your SSID would be "talking from the IoT VLAN", so to speak, and then the traffic is blocked!!

Quote
I'm looking forward to assigning the interfaces FAMILY, UNTRUSTED and IOT each a different wireless SSID.
So to differentiate devices connected through WLAN by their corresponding VLANs, I'd need VLAN tagging, which needs to be supported by my switch as well as my access points, am I right?
Yes!

Quote
I'd still have to figure out a way to assign my access points to the IOT VLAN.
Is there such possibility (maybe in their software settings)?

With the right managed switches and better advanced access points you can do that, but not with a super basic mesh set like the TP-Link M4 that you have now!

Quote
They run through ethernet cables so I won't be able to distinguish by the SSID like I'd do for the devices on WLAN. The two devices that are also connected through ethernet, which I want to have on UNTRUSTED, strike me with this similar problem. One of them runs through its own NIC so AFAIK it should be possible to tag a specific NIC on my switch to UNTRUSTED and that should do it (correct me if I'm wrong please). The other device - let's call it Benny from now on for the sake of ease - is connected by ethernet through the same NIC of one of the access points (there is no way for me to put it in a different NIC).

If you want an advanced access point that also has a built-in managed switch, then look at one of these:
- TP-Link Omada Wall Access Points
- Ubiquiti UniFi In-Wall Access Points

Quote
How am I supposed to differentiate that in software?
With the right networking equipment everything is possible! ;)

Just please don't do this kind of crap:
Quote
spoof their MAC address

Stupid and unnecessary!!

Quote
Do you have recommendations for products (access points + switch) / brand that could help me best with my needs?
I really don't want to break my bank, just something reliable that does the job.

If you want to keep things cheap then I would consider something like this:
- A couple of TP-Link 108E Switches.
- The earlier mentioned TP-Link Omada Wall Access Points.

But please double check the following:
- AFAIK the 108E switches can't be controlled by an Omada Controller, but I am not sure if this is still the case...
This is not a big deal, but make sure you are aware of this before you start buying everything!!
- AFAIK the wall access points are not sold with a PoE+/PoE injector, so you need to either buy those too or consider a managed switch with enough PoE+/PoE power instead of the PoE+/PoE injectors!!

Quote
Sorry for the long text

Long text is OK, but just make it a bit more readable next time ;)



Good luck! :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
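Added illustration (not code from anyone in this thread) of two points raised above: the original post's question about stateful filtering between FAMILY and IOT, and the reply's point that an access point whose own uplink sits in the IOT VLAN gets its outbound traffic blocked. It models the five zones and subnets from the post as a default-deny zone policy with a connection-state table; the flows, ports and the 203.0.113.10 address are constructed, and the VPN zone's unnamed "selfhosted service" target is left out.

```python
import ipaddress
from collections import namedtuple

# Zones and /24 subnets as laid out in the original post; anything else counts as "INTERNET".
ZONES = {
    "LAN": ipaddress.ip_network("10.0.0.0/24"),
    "VPN": ipaddress.ip_network("10.0.1.0/24"),
    "FAMILY": ipaddress.ip_network("10.0.2.0/24"),
    "UNTRUSTED": ipaddress.ip_network("10.0.3.0/24"),
    "IOT": ipaddress.ip_network("10.0.4.0/24"),
}
# Which zone may *initiate* a connection into which other zone; anything not listed is denied.
ALLOW = {
    "LAN": {"VPN", "FAMILY", "UNTRUSTED", "IOT", "INTERNET"},
    "VPN": {"INTERNET"},            # the post's "selfhosted service" zone is not named, so omitted
    "FAMILY": {"IOT", "INTERNET"},
    "UNTRUSTED": {"INTERNET"},
    "IOT": set(),                   # no internet, no other home-network zone
}

Flow = namedtuple("Flow", "src sport dst dport proto")

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "INTERNET")

class StatefulFirewall:
    def __init__(self):
        self.states = set()   # allowed flows, stored in the initiator's direction

    def filter(self, f):
        # A reply belonging to an already-allowed flow passes regardless of zone policy.
        if Flow(f.dst, f.dport, f.src, f.sport, f.proto) in self.states:
            return True
        # A new flow must be explicitly permitted by the initiating zone's policy.
        if zone_of(f.dst) in ALLOW.get(zone_of(f.src), set()):
            self.states.add(f)
            return True
        return False

def demo():
    fw = StatefulFirewall()
    print_job = Flow("10.0.2.20", 40000, "10.0.4.10", 9100, "tcp")  # FAMILY laptop -> IOT printer
    return {
        "family_to_printer": fw.filter(print_job),
        "printer_reply": fw.filter(Flow("10.0.4.10", 9100, "10.0.2.20", 40000, "tcp")),
        "iot_initiates_to_family": fw.filter(Flow("10.0.4.10", 50001, "10.0.2.20", 445, "tcp")),
        # An AP whose own uplink is in IOT has no internet; 203.0.113.10 is a constructed TEST-NET address.
        "ap_telemetry_from_iot": fw.filter(Flow("10.0.4.2", 50000, "203.0.113.10", 443, "tcp")),
    }
```

The order inside demo() matters: the printer's reply only passes because the laptop's outbound flow was recorded first, which is exactly the "request first" behaviour the post asks about.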

Quote from: bloodyNetworker on April 11, 2026, 11:15:27 PM
[...]Here is how I imagine how in the end the interfaces in OpnSense should look like:[...]

I use something similar, with four bridges (I run everything through the firewall, and bridges make for convenient addressing; also, my Internet service is bridged): EDGE (static IPs), TRUST, GUEST, and JAIL. (I haven't used a VPN in a while.)

I only have one wireless access point (I own... uh... five, but I barely use one) (running OpenWRT), and I break it down into (surprise) two bridges: "management" and "access", segregated by physical interface (I didn't bother with VLANs). The "access" bridge has no IP address, so no communication from the AP itself, and is plugged into the guest bridge; the management side is jailed (and gets an IP from the firewall via DHCP). I used bridges in case I want to plug something else into them (temporarily), as the AP is handy and has 5 ports. Anyway, it's likely too simple for your needs. I suppose if I wanted different access levels I could just plug in a couple more APs, but I only use wi-fi to update my phone.

I do use VLANs, but only to aggregate interfaces onto the firewall. That is, I assign a unique VLAN (untagged) to each access port on my switches, and all (tagged) to the uplink to the firewall, turning the switches into port expanders. I then assign each port (physical or VLAN) on the firewall to the appropriate bridge. Positive separation for (effectively) unlimited ports with three DHCP pools.