Trouble understanding VLANs

Started by bloodyNetworker, April 11, 2026, 11:15:27 PM

April 11, 2026, 11:15:27 PM Last Edit: April 11, 2026, 11:25:32 PM by bloodyNetworker Reason: realized this forum doesn't automatically recognize .md syntax
Hey there,
As my name suggests, I'm a newbie in networking.
I have a specific problem on my network, which led me to VLANs:
I have two Access Points TP-Link M4R in my LAN and they have served my home well for about 2 years now.
Recently, I've set up OpnSense and came to the conclusion that both of my TP-Link Access Points are responsible for more than 10% of my entire internet traffic:
As you can tell from the uploaded image, this orange line is all the telemetry those access points share with google, live.com, reddit, amazon, linkedin etc...
I want to put an end to this.

I've thought about some possible solutions and came to the conclusion that I can create multiple VLANs and then restrict those specific VLANs how I like.
Here is how I imagine the interfaces in OpnSense should look in the end:
LAN (10.0.0.0) - unrestricted access only for me, the admin
VPN (10.0.1.0) - access to selfhosted service + internet (homeserver as Exit Node) through TailScale plugin, also only for me
FAMILY (10.0.2.0) - access to devices on interface IOT + internet
UNTRUSTED (10.0.3.0) - access to internet
IOT (10.0.4.0) - no access to internet, neither to any other devices on home network

As far as I understand it, because OpnSense is by default a stateful firewall any requests from "higher" VLANs such as FAMILY to IoT devices won't be blocked by the firewall unless IoT devices "request first". So I should be able to safely put in there my printer, the access points etc... without losing functionality because devices in FAMILY can get replies back from my IoTs.
Please let me know if my assumption is correct.

I'm looking forward to assigning the interfaces FAMILY, UNTRUSTED and IOT each a different wireless SSID.
So to differentiate connected devices through WLAN by their corresponding VLANs, I'd need VLAN tagging, which needs to be supported by my switch as well as my access points, am I right?

THE ISSUE - This is the point where I'm having trouble understanding how to apply my network in the way I have described and envisioned:
My family runs most of their devices through WLAN provided by the TP-Link access points.
Then there are also the devices, which I'd rather have under the UNTRUSTED VLAN: Two LAN connected devices at home and the rest of them will be guest devices also connected through WLAN.
Assuming the access point delivers the switch with connections of 3 separate VLAN tags, which are inherited by the origin of their corresponding WLAN network (SSID), I'd still have to figure out a way to assign my access points to the IOT VLAN. Is there such possibility (maybe in their software settings)? They run through ethernet cables so I won't be able to distinguish by the SSID like I'd do for the devices on WLAN. The two devices that are also connected through ethernet, which I want to have on UNTRUSTED, strike me with this similar problem. One of them runs through its own NIC so AFAIK it should be possible to tag a specific NIC on my switch to UNTRUSTED and that should do it (correct me if I'm wrong please). The other device - let's call it Benny from now on for the sake of ease - is connected by ethernet through the same NIC of one of the access points (there is no way for me to put it in a different NIC).
So there you have the problem in conclusion:
There is an access point connected to the only NIC in the room. That access point has to be in IOT. Then there is Benny (the other device), which needs to run through the same NIC as that access point does, but Benny has to go to UNTRUSTED. How am I supposed to differentiate that in software? The only solution I currently see is to distinguish by Benny's MAC address - since it's unusual for ethernet-connected devices to spoof their MAC address this should work - but it seems a bit unreliable to me. Isn't there something I'm missing?

What do you suggest?
Am I misunderstanding anything, or would you do something different than I've imagined?
Do you have recommendations for products (access points + switch) / brand that could help me best with my needs? I really don't want to break my bank, just something reliable that does the job.
Sorry for the long text, I just thought it's important to tell the whole story so that I don't appear confusing.

Thanks in advance!

Quote from: bloodyNetworker on April 11, 2026, 11:15:27 PM
I have a specific problem on my network, which led me to VLANs:

I have two Access Points TP-Link M4R in my LAN and they have served my home well for about 2 years now.

Recently, I've set up OpnSense and came to the conclusion that both of my TP-Link Access Points are responsible for more than 10% of my entire internet traffic:
As you can tell from the uploaded image, this orange line is all the telemetry those access points share with google, live.com, reddit, amazon, linkedin etc...
I want to put an end to this.
I don't think your Accesspoints can do that by themselves to be honest : You should look at the connected Clients !!

Quote
I've thought about some possible solutions and came to the conclusion that I can create multiple VLANs and then restrict those specific VLANs how I like.
Here is how I imagine the interfaces in OpnSense should look in the end:
LAN (10.0.0.0) - unrestricted access only for me, the admin
VPN (10.0.1.0) - access to selfhosted service + internet (homeserver as Exit Node) through TailScale plugin, also only for me
FAMILY (10.0.2.0) - access to devices on interface IOT + internet
UNTRUSTED (10.0.3.0) - access to internet
IOT (10.0.4.0) - no access to internet, neither to any other devices on home network
Cool plan, but your Accesspoints don't support VLANs for multiple SSIDs : https://www.tp-link.com/us/deco-mesh-wifi/product-family/deco-m4/#specifications

Quote
As far as I understand it, because OpnSense is by default a stateful firewall any requests from "higher" VLANs such as FAMILY to IoT devices won't be blocked by the firewall unless IoT devices "request first".
So I should be able to safely put in there my printer, the access points etc... without losing functionality because devices in FAMILY can get replies back from my IoTs.
Please let me know if my assumption is correct.
Printer : Yes!
Accesspoints : No!
The reason is that your SSID would be "talking from the IoT VLAN" so to speak and then the traffic is blocked !!

Quote
I'm looking forward to assigning the interfaces FAMILY, UNTRUSTED and IOT each a different wireless SSID.
So to differentiate connected devices through WLAN by their corresponding VLANs, I'd need VLAN tagging, which needs to be supported by my switch as well as my access points, am I right?
Yes!

Quote
I'd still have to figure out a way to assign my access points to the IOT VLAN.

Is there such possibility (maybe in their software settings)?
With the right Managed Switches and better Advanced Accesspoints you can do that, but not with a super basic Mesh set like the TP-Link M4 that you have now!

Quote
They run through ethernet cables so I won't be able to distinguish by the SSID like I'd do for the devices on WLAN. The two devices that are also connected through ethernet, which I want to have on UNTRUSTED, strike me with this similar problem. One of them runs through its own NIC so AFAIK it should be possible to tag a specific NIC on my switch to UNTRUSTED and that should do it (correct me if I'm wrong please). The other device - let's call it Benny from now on for the sake of ease - is connected by ethernet through the same NIC of one of the access points (there is no way for me to put it in a different NIC).
If you want an Advanced Accesspoint that also has a built-in Managed Switch then look at one of these :
- TP-Link Omada Wall Accesspoints
- Ubiquiti UniFi In-Wall Accesspoints

Quote
How am I supposed to differentiate that in software?
With the right networking equipment everything is possible! ;)

Just please don't do this kind of crap :
Quote
spoof their MAC address
Stupid and unnecessary !!

Quote
Do you have recommendations for products (access points + switch) / brand that could help me best with my needs?

I really don't want to break my bank, just something reliable that does the job.
If you want to keep things cheap then I would consider something like this :
- A couple of TP-Link 108E Switches.
- The earlier mentioned TP-Link Omada Wall Accesspoints.

But please double check the following :
- AFAIK the 108E Switches can't be controlled by an Omada Controller, but I am not sure if this is still the case...
This is not a big deal, but make sure you are aware of this before you start buying everything !!
- AFAIK the Wall Accesspoints are not sold with a PoE+/PoE Injector so you need to either buy those too or consider a Managed Switch with enough PoE+/PoE power instead of the PoE+/PoE Injectors !!

Quote
Sorry for the long text
Long text is OK, but just make it a bit more readable the next time ;)



Good luck! :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Quote from: bloodyNetworker on April 11, 2026, 11:15:27 PM
[...]Here is how I imagine how in the end the interfaces in OpnSense should look like:[...]

I use something similar, with four bridges (I run everything through the firewall, and bridges make for convenient addressing; also, my Internet service is bridged): EDGE (static IPs), TRUST, GUEST, and JAIL. (I haven't used a VPN in a while.)

I only have one wireless access point (I own... uh... five, but I barely use one) (running OpenWRT), and I break it down into (surprise) two bridges: "management" and "access", segregated by physical interface (I didn't bother with VLANs). The "access" bridge has no IP address, so no communication from the AP itself, and is plugged into the guest bridge; the management side is jailed (and gets an IP from the firewall via DHCP). I used bridges in case I want to plug something else into them (temporarily), as the AP is handy and has 5 ports. Anyway, it's likely too simple for your needs. I suppose if I wanted different access levels I could just plug in a couple more APs, but I only use wi-fi to update my phone.

I do use VLANs, but only to aggregate interfaces onto the firewall. That is, I assign a unique VLAN (untagged) to each access port on my switches, and all (tagged) to the uplink to the firewall, turning the switches into port expanders. I then assign each port (physical or VLAN) on the firewall to the appropriate bridge. Positive separation for (effectively) unlimited ports with three DHCP pools.

April 12, 2026, 02:18:18 PM #3 Last Edit: April 12, 2026, 02:48:29 PM by bloodyNetworker
Quote
I don't think your Accesspoints can do that by themselves to be honest : You should look at the connected Clients !!
I checked again just to be sure:
I have two TP-Link M4Rs and the "main" AP makes ALL the domain requests, aside from that both do some IP requests to those same sites and even... the University of Colorado????????????

Quote
Cool plan, but your Accesspoints don't support VLANs for multiple SSIDs : https://www.tp-link.com/us/deco-mesh-wifi/product-family/deco-m4/#specifications
Thanks! I'm aware of that, which is why I've been asking about setup recommendations or products in general.

Quote
Printer : Yes!
Accesspoints : No!
The reason is that your SSID would be "talking from the IoT VLAN" so to speak and then the traffic is blocked !!
That is good to know, thanks for the important information!
Then I should be placing the APs at least in FAMILY, if that is configurable through their software.
So I'll have to buy a managed switch and access points with VLAN-tagging support.

Quote
If you want an Advanced Accesspoint that also has a built-in Managed Switch then look at one of these :
- TP-Link Omada Wall Accesspoints
- Ubiquiti UniFi In-Wall Accesspoints
Is that how you suggest it must be done in my case or just a recommendation? I've looked at the concept and I must say I'm not a big fan of it. I'd like to keep AP and Managed Switch separated. AFAIK for my needs there shouldn't be a compatibility issue as long as both support VLAN-tagging?

Quote
Just please don't do this kind of crap :
Quote
spoof their MAC address
Stupid and unnecessary !!
I've stated that it seems unreliable to depend on a MAC address not to change. I'm thinking I should install another switch (this one can be a port-based) in front of the NIC that the AP is connected to and so I'll be able to tag the traffic from that one ethernet-connected device to join UNTRUSTED.

Quote
Do you have recommendations for products (access points + switch) / brand that could help me best with my needs?

Quote
I really don't want to break my bank, just something reliable that does the job.
If you want to keep things cheap then I would consider something like this :
- A couple of TP-Link 108E Switches.
- The earlier mentioned TP-Link Omada Wall Accesspoints.
The TP-Link 108E seems to be a good choice, cheap and has everything I need: Port- and tag-based VLAN!
I'd only need a good AP, I'm assuming you should buy from the same brand?
It seems to me I won't be able to place the TP-Link devices into IOT. The main switch, which is directly connected to my home server, has to be on the LAN interface as I'm assuming the switch needs to talk to the other devices. The other switch in front of the AP must be at least in UNTRUSTED.
I'm thinking so thoroughly about in which interfaces to place the TP-Link devices because I obviously want them controlled: Ideally, I don't want them to send telemetry, but it seems like I cannot really stop that unless I assign them static IP addresses and make for those IP addresses firewall rules to block internet traffic.
EDIT: I think I just came up with a much better approach, please refer to this short post where I'm presenting this other solution.

Quote
But please double check the following :
- AFAIK the 108E Switches can't be controlled by a Omada Controller, but I am not sure if this is still the case...
This is not a big deal, but make sure you are aware of this before you start buying everything !!
- AFAIK the Wall Accesspoints are not sold with a PoE+/PoE Injector so you need to either buy those too or consider a Managed Switch with enough PoE+/PoE power instead of the PoE+/PoE Injectors !!
Two things:
  • What is the difference between TP-Link Smart Managed Switch (e.g. SG108E) and Easy Managed Switch (e.g. Omada ES200)?
  • I see a lot of people speaking about PoE. I don't get it. Is it just because it makes the wire setup cleaner?

Quote
Quote
Sorry for the long text
Long text is OK, but just make it a bit more readable the next time ;)
I'm not a native English speaker, I'm trying my best to make my text understandable :)

Truly an interesting setup! Might be simple, but yet effective! I've always been told that bridges are a thing of the past? Anyways, I totally get your intentions: Modern devices are bloated. Based on my needs, I'm kinda stuck with those modern tools. They help me solve my problems, but also create own issues such as telemetry, which I want to restrict as well.

Here are two solutions I came up with:

  • Assign those devices static IPs and then restrict through the firewall their internet access (seems not very clean if you ask me)
  • Make a totally different VLAN - NETDEV - which has access to LAN, but not to WAN. That way they won't have issues to communicate with the device in my home network, but cannot send out telemetry

I just came up with the latter solution. Please let me know if that could work out or whether I'm missing out on something.

Quote from: bloodyNetworker on April 12, 2026, 02:45:08 PM
[...]Here are two solutions I came up with:[...]

For the first, you could use DHCP reservations. For me, I don't mind looking up a particular lease in the relatively rare instances when I want to manage a device.

For the second, I figured your IOT segment covered that, but, of course, the choice is yours. As you stated:

Quote
[...]As far as I understand it, because OpnSense is by default a stateful firewall any requests from "higher" VLANs such as FAMILY to IoT devices won't be blocked by the firewall unless IoT devices "request first".[...]

Sort of. Stateful rules are applied to the session initiator, and subsequent packets (assuming successful setup) are matched and passed by the session/flow. (You have direction and statekeeping options; I generally stick with inbound, stateful rules. Block rules are intrinsically stateless, but hey.) So for my "jail", devices are isolated (most communication explicitly blocked), but rules applied to my "edge" and "trust" bridges allow access from those segments. You have to decide what level of segregation you want and are willing to configure. On my network each device is segregated from all others (not just those in different segments) via the firewall. Most folks do not wish to drive every packet through their firewall, but I use a big firewall, with the expense that entails.
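The point made in this answer (rules are matched against the first packet of a flow on the interface where it enters the firewall, and the reply is then passed by the state entry, so the IOT interface needs no rule of its own for replies) can be checked with a small model. The following is an added example written for this thread, not OPNsense code: the /24 prefixes, the port numbers and the assumption that the VPN segment may reach self-hosted services on LAN are constructed for illustration. It reproduces the one fact about the default configuration that matters here: a freshly created OPNsense interface has no pass rules, so every flow it tries to open is blocked until a rule is added.

```python
"""Model of OPNsense-style stateful filtering between the segments
proposed in this thread. Added example, not OPNsense code: rules are
evaluated on the interface where a packet ENTERS the firewall ("in"
direction, the default), only the first packet of a flow is matched
against rules, and a state entry then passes the replies.
The /24 prefixes and the VPN->LAN permission are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SEGMENTS = {
    "LAN": ip_network("10.0.0.0/24"),
    "VPN": ip_network("10.0.1.0/24"),
    "FAMILY": ip_network("10.0.2.0/24"),
    "UNTRUSTED": ip_network("10.0.3.0/24"),
    "IOT": ip_network("10.0.4.0/24"),
}
INTERNET = "INTERNET"   # any address outside the local segments

# Destinations a NEW flow may open, per ingress interface (the poster's table).
# A freshly created OPNsense interface has no pass rules at all, so anything
# not listed here is blocked by the implicit default deny.
POLICY = {
    "LAN": {"LAN", "VPN", "FAMILY", "UNTRUSTED", "IOT", INTERNET},
    "VPN": {"VPN", "LAN", INTERNET},        # self-hosted services assumed on LAN
    "FAMILY": {"FAMILY", "IOT", INTERNET},
    "UNTRUSTED": {"UNTRUSTED", INTERNET},
    "IOT": {"IOT"},                          # IoT never opens anything outward
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reverse(self):
        return Packet(self.dst, self.src, self.proto, self.dport, self.sport)

    def key(self):
        return (self.src, self.dst, self.proto, self.sport, self.dport)


def segment_of(addr):
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return INTERNET


class StatefulFirewall:
    def __init__(self):
        self.states = set()   # keys of flows already allowed, both directions

    def filter(self, pkt):
        """Return 'pass:state', 'pass:rule' or 'block'."""
        if pkt.key() in self.states:
            return "pass:state"      # reply or follow-up packet of an allowed flow
        ingress = segment_of(pkt.src)
        if ingress == INTERNET:
            return "block"           # no port forwards in this model
        if segment_of(pkt.dst) in POLICY[ingress]:
            # Create state for both directions: the reply from IOT is passed
            # by state, so the IOT interface needs no pass rule for it.
            self.states.add(pkt.key())
            self.states.add(pkt.reverse().key())
            return "pass:rule"
        return "block"


def demo():
    """Walk through the cases the thread argues about (constructed addresses)."""
    fw = StatefulFirewall()
    printer_job = Packet("10.0.2.20", "10.0.4.10", "tcp", 51000, 631)   # FAMILY -> IOT printer
    return {
        "family->printer": fw.filter(printer_job),
        "printer->family (reply)": fw.filter(printer_job.reverse()),
        "printer->family (new flow)": fw.filter(Packet("10.0.4.10", "10.0.2.20", "tcp", 40000, 80)),
        "iot->internet": fw.filter(Packet("10.0.4.11", "203.0.113.10", "tcp", 40001, 443)),
        "untrusted->iot": fw.filter(Packet("10.0.3.5", "10.0.4.10", "tcp", 40002, 631)),
        "untrusted->internet": fw.filter(Packet("10.0.3.5", "203.0.113.10", "tcp", 40003, 443)),
        "family->internet": fw.filter(Packet("10.0.2.20", "203.0.113.10", "udp", 40004, 53)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28s} {verdict}")
```

The model also shows the limit of the original assumption: anything the IoT device has to initiate itself (a firmware check, a discovery announcement towards FAMILY) is a new flow from IOT and is blocked, which is why an access point whose SSID clients appear "from" the IOT segment would lose connectivity.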

Quote
For the first, you could use DHCP reservations. For me, I don't mind looking up a particular lease in the relatively rare instances when I want to manage a device.
That's what I actually meant! Sorry for the confusion with "static IP address". Considering some IoT devices depend on DHCP...

Quote
For the second, I figured your IOT segment covered that, but, of course, the choice is yours. [...]
IOT interface should have absolutely no access to anything. Connections from "higher" VLANs should be able to talk to IoTs, but not the other way around. I thought that the firewall as it has been set up by default is already correctly set up for this purpose.

April 12, 2026, 07:23:32 PM #7 Last Edit: April 12, 2026, 07:25:12 PM by nero355
Quote from: bloodyNetworker on April 12, 2026, 02:18:18 PM
Quote
I don't think your Accesspoints can do that by themselves to be honest : You should look at the connected Clients !!
I checked again just to be sure:
I have two TP-Link M4Rs and the "main" AP makes ALL the domain requests, aside from that both do some IP requests to those same sites and even... the University of Colorado????????????
Sounds like the unit that is in Router mode (And all other units are connected to!) does all the DNS Requests from its WAN Interface to your DNS Server ?!

Quote
Then I should be placing the APs at least in FAMILY, if that is configurable through their software.
So I'll have to buy a managed switch and access points with VLAN-tagging support.
The thing is : You don't place them in a certain VLAN or Network at all.

Most Accesspoints are setup something like this :
- Main Interface connected to the network so you can reach the device to manage it.
This interface is usually connected to your Management Network.
It can be Tagged or Untagged. UniFi and Omada use Untagged by default.
There can be a SSID active for this network or not. Usually there is none.

- Then you have the SSIDs your devices connect to.
These are Tagged and connected to one or more VLANs that you are using.

So think about all of this as "Linking SSIDs to Networks/VLANS" instead of placing your Accesspoint into a Network/VLAN ;)

Quote
Quote
If you want an Advanced Accesspoint that also has a built-in Managed Switch then look at one of these :
- TP-Link Omada Wall Accesspoints
- Ubiquiti UniFi In-Wall Accesspoints
Is that how you suggest it must be done in my case or just a recommendation?
If I understood you correctly (And maybe I did not!) you were talking about connecting devices directly to your Accesspoint ?!
The above mentioned type of Accesspoint is AFAIK the only type of model that can do that for you.

Quote
I've looked at the concept and I must say I'm not a big fan of it.
In my opinion the "Wall type of Accesspoints" are the best for Home Setups and the "UFO type of Accesspoints" are outdated now.

My favorite places to use them :
- Instead of any old telephone outlet.
These are usually connected with nice CAT5e cabling you can re-use after adding a RJ45 connector on them.
- Near the TV and Gaming Consoles in the Living Room : You get both WiFi and Wired Connectivity there in one go!
- Behind objects that don't block the WiFi signal too much, usually made of wood : Stealth WiFi !!! :P

Quote
I'd like to keep AP and Managed Switch separated.
I am not saying you should get the one or the other : You can use both!

Also there is the option to connect these Wall type Accesspoints via PoE+ and then another Managed Switch to their PoE Out Port too.
Whatever you feel like doing I guess...

Quote
AFAIK for my needs there shouldn't be a compatibility issue as long as both support VLAN-tagging?
Everything needs to be VLAN Aware indeed :)

Quote
I'm thinking I should install another switch (this one can be a port-based) in front of the NIC that the AP is connected to and so I'll be able to tag the traffic from that one ethernet-connected device to join UNTRUSTED.
I assume you are talking about one of the OPNsense NICs ?

If so, then YES!

Quote
The TP-Link 108E seems to be a good choice, cheap and has everything I need: Port- and tag-based VLAN!
I'd only need a good AP, I'm assuming you should buy from the same brand?
You can mix and match brands and as long as everything is VLAN Aware and works nice and stable there should be no problems at all.

Quote
It seems to me I won't be able to place the TP-Link devices into IOT.

The main switch, which is directly connected to my home server, has to be on the LAN interface as I'm assuming the switch needs to talk to the other devices.
The other switch in front of the AP must be at least in UNTRUSTED.

I'm thinking so thoroughly about in which interfaces to place the TP-Link devices because I obviously want them controlled:
Like I said above : Try to think a bit different about Interfaces/VLANs and the Networks that this will create.

Quote
Ideally, I don't want them to send telemetry, but it seems like I cannot really stop that unless I assign them static IP addresses and make for those IP addresses firewall rules to block internet traffic.
Telemetry can usually be disabled for a great part in various ways...

But in general you will always have to :
- Configure Static IP Address on the Network Devices.
- Configure Static DHCP Mapping IP Addresses too for the devices in case something goes wrong with their software so you can connect to them easily and fix whatever needs fixing.

This is simply good practice for all important devices or Servers on your network !!

Quote
EDIT: I think I just came up with a much better approach, please refer to this short post where I'm presenting this other solution.
There is no need to do this at all IMHO.

Quote
What is the difference between TP-Link Smart Managed Switch (e.g. SG108E) and Easy Managed Switch (e.g. Omada ES200)?
Like I mentioned earlier : TP-Link has both regular Managed Switches and Omada Managed Switches.
The Omada ones can also be configured via one central Omada Controller.

I suggest you read a lot about both options and decide what you would rather have.

Quote
I see a lot of people speaking about PoE. I don't get it. Is it just because it makes the wire setup cleaner?
That too, but it's also very common for Managed Accesspoints these days and some Switches too.

Imagine needing the following :
- 1 x Main a.k.a. Core Switch
- 3 x Accesspoint
- 3 x Client Switch

When working with PoE+ and/or PoE you only need to provide power to the Core Switch and maybe the Client Switches too.
When working without PoE+ and/or PoE you need to provide power to ALL of them : That's a lot of PoE+/PoE Injectors and Power Adapters laying around and needing a Power Outlet !!!

Quote
I'm not a native English speaker, I'm trying my best to make my text understandable :)
Was talking more about putting an additional Enter here and there ;)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

April 12, 2026, 09:59:23 PM #8 Last Edit: April 12, 2026, 11:07:04 PM by bloodyNetworker
Quote
Quote
Then I should be placing the APs at least in FAMILY, if that is configurable through their software.
So I'll have to buy a managed switch and access points with VLAN-tagging support.
The thing is : You don't place them in a certain VLAN or Network at all.

Most Accesspoints are setup something like this :
- Main Interface connected to the network so you can reach the device to manage it.
This interface is usually connected to your Management Network.
It can be Tagged or Untagged. UniFi and Omada use Untagged by default.
There can be a SSID active for this network or not. Usually there is none.

- Then you have the SSIDs your devices connect to.
These are Tagged and connected to one or more VLANs that you are using.

So think about all of this as "Linking SSIDs to Networks/VLANS" instead of placing your Accesspoint into a Network/VLAN ;)

I'm struggling to understand your explanation how access points are set up. I understand that you can tag SSIDs with specific VLANs. I thought that because my access points act as network devices as well (and surely have their own IP), I should be able to put them in a VLAN as well.
I'm now giving up this idea, I'll just block their Static DHCP Leased IPs from accessing the internet and that's it.

Quote
If I understood you correctly (And maybe I did not!) you were talking about connecting devices directly to your Accesspoint ?!
The above mentioned type of Accesspoint is AFAIK the only type of model that can do that for you.
Well I don't necessarily need an access point with NICs. Remember that one ethernet-connected device that needs to be in UNTRUSTED? Currently, it's connected to the NIC my TP-Link M4R offers, but it would be cleaner if I just use a Managed Switch and connect both of them to it.

Quote
Quote
I've looked at the concept and I must say I'm not a big fan of it.
Quote
I'd like to keep AP and Managed Switch separated.
I am not saying you should get the one or the other : You can use both!
Nevermind that, I misunderstood something.

Quote
Also there is the option to connect these Wall type Accesspoints via PoE+ and then another Managed Switch to their PoE Out Port too.
Assuming I'm already connecting AP and ethernet-connected device in UNTRUSTED to a switch, I won't need additional NICs that are on the AP. Especially if the switch also offers PoE.
As I've said, I don't really specifically need Wall-Type APs. If there is another AP that is cheaper and offers VLAN-tagging on SSID as well, I'd rather take that one.

Quote
Quote
I'm thinking I should install another switch (this one can be a port-based) in front of the NIC that the AP is connected to and so I'll be able to tag the traffic from that one ethernet-connected device to join UNTRUSTED.
I assume you are talking about one of the OPNsense NICs ?
If so, then YES!
I guess you're understanding me correctly, refer to the paragraph from before.

Quote
Quote
What is the difference between TP-Link Smart Managed Switch (e.g. SG108E) and Easy Managed Switch (e.g. Omada ES200)?
Like I mentioned earlier : TP-Link has both regular Managed Switches and Omada Managed Switches.
The Omada ones can also be configured via one central Omada Controller.
I suggest you read a lot about both options and decide what you would rather have.
It seems to me that Omada products require the products to know / contact each other over my home network. As of right now I can't tell whether (based on my future firewall rules / VLAN configs) this feature could break regarding what I'm trying to achieve.
I'm giving up the idea of "putting AP / switches in VLANs to regulate their telemetry", it seems irritating and complex. I'd rather just assign them Static DHCP Leases and then block those IPs from accessing the internet. I won't bother with on which interface they're chilling or not.

Quote
Quote
I see a lot of people speaking about PoE. I don't get it. Is it just because it makes the wire setup cleaner?
That too, but it's also very common for Managed Accesspoints these days and some Switches too.
I see the potential... Tangled cables? BEGONE!

---
EDIT:
I've now picked Omada. I want to see how convenient it is:

2x TP-Link Omada ES200 Desktop Gigabit Managed Switch, 8x RJ-45, 64W PoE+
2x TP-Link Omada EAP225

My price comparison site tells me that only EAP225 supports Mesh, which is a MUST in my household.
The other ones - those "Wall" thingies you praise - don't??

https://geizhals.de/tp-link-omada-eap230-wall-a2419233.html
https://geizhals.de/tp-link-omada-eap235-wall-a2451515.html
https://geizhals.de/tp-link-omada-eap225-a1501193.html

I hope it's ok to post links from other sites here. This is not an ad. I only want to show what I mean so please don't ban or delete this message mods if this is against the rules. I'm sorry if it is against the guidelines.

Quote from: bloodyNetworker on April 12, 2026, 09:59:23 PM
I'm now giving up this idea, I'll just block their Static DHCP Leased IPs from accessing the internet and that's it.

Why do you want to block your device from accessing the Internet? You want it to be able to pull firmware updates in a timely manner, don't you?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on April 12, 2026, 10:11:30 PM
Quote from: bloodyNetworker on April 12, 2026, 09:59:23 PM
I'm now giving up this idea, I'll just block their Static DHCP Leased IPs from accessing the internet and that's it.

Why do you want to block your device from accessing the Internet? You want it to be able to pull firmware updates in a timely manner, don't you?

Good point! I actually didn't think about that one.
Mh... well I know that you can load firmware-images onto TP-Link products via their Web interface.
The other solution would probably be to analyze their internet traffic and only block the telemetry.

Thanks for pointing that out!

If the vendor uses telemetry and you cannot opt out, I'd switch vendors. Seriously. You need to build your network from trustworthy components.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

The telemetry you talk about isn't originating from the AP itself but from the clients connected to that AP (laptop, phone, pc etc.), as already pointed out. If you want to limit such telemetry then you can use Unbound DNSBLs or Adguard Home plugin on the main OPNsense machine (things may break and you'll need to unbreak them if you're aggressive in your blocking). You have a lot of plans with regards to your network but I think it's best to start with the easy stuff. Understand what an AP does. It's just a bridge to your opnsense. Make sure it's in AP Mode and not Router Mode. Unbound/Adguard for telemetry blocking. These are things you can do right now before you get your managed switch. :)
Intel i3-8300T - Intel i350_T2 - 8GB RAM

April 13, 2026, 12:05:27 AM #13 Last Edit: April 13, 2026, 02:40:23 PM by nero355
Quote from: bloodyNetworker on April 12, 2026, 09:59:23 PM
I'm struggling to understand your explanation how access points are set up.

I understand that you can tag SSIDs with specific VLANs. I thought that because my access points act as network devices as well (and surely have their own IP), I should be able to put them in a VLAN as well.

I'm now giving up this idea, I'll just block their Static DHCP Leased IPs from accessing the internet and that's it.
For any Accesspoint to function it does not need any kind of IP Address at all : It's all Layer 2 communication based on the Hardware Address a.k.a. the MAC Address.
It's basically a Switch with Wireless Ports and Cables : The SSIDs :)

I am sure you can find some good documentation about this that explains everything you need to know!

Quote
Well I don't necessarily need an access point with NICs. Remember that one ethernet-connected device that needs to be in UNTRUSTED? Currently, it's connected to the NIC my TP-Link M4R offers, but it would be cleaner if I just use a Managed Switch and connect both of them to it.
True! :)

Quote
Assuming I'm already connecting AP and ethernet-connected device in UNTRUSTED to a switch, I won't need additional NICs that are on the AP. Especially if the switch also offers PoE.
As I've said, I don't really specifically need Wall-Type APs. If there is another AP that is cheaper and offers VLAN-tagging on SSID as well, i'd rather take that one.
You can of course!

Quote
It seems to me that Omada products require the products to know / contact each other over my home network. As of right now I can't tell whether (based on my future firewall rules / VLAN configs) this feature could break regarding what I'm trying to achieve.
I'm giving up the idea of "putting AP / switches in VLANs to regulate their telemetry", it seems irritating and complex. I'd rather just assign them Static DHCP Leases and then block those IPs from accessing the internet. I won't bother with on which interface they're chilling or not.
OK, but it's not that hard really :
- Leave their Network Interface in the Default LAN that OPNsense comes with.
This will be your Management Network and connected as Untagged on the Switchport.
- All other VLANs will be transported to the Accesspoint as Tagged on the same Switchport.
- Then you configure a SSID that is Tagged with a VLAN of your choice.
Usually you can create between 4 to 8 SSIDs on one Accesspoint.

Quote
I see the potential... Tangled cables? BEGONE!
That too! :)

Quote
EDIT:
I've now picked Omada. I want to see how convenient it is:

2x TP-Link Omada ES200 Desktop Gigabit Managed Switch, 8x RJ-45, 64W PoE+
2x TP-Link Omada EAP225

My price comparison site tells me that only EAP225 supports Mesh, which is a MUST in my household.
The other ones - those "Wall" thingies you praise - don't??

https://geizhals.de/tp-link-omada-eap230-wall-a2419233.html
https://geizhals.de/tp-link-omada-eap235-wall-a2451515.html
https://geizhals.de/tp-link-omada-eap225-a1501193.html
Are you saying you can not connect each Accesspoint via its own UTP cable ?

Always look at the Specifications on the website of the manufacturer :
- https://www.omadanetworks.com/us/business-networking/omada-wifi-ceiling-mount/eap225/ - EAP225 without Mesh.
- https://www.tp-link.com/us/business-networking/omada-sdn-access-point/eap225-outdoor/v1/ - EAP225 Outdoor with Mesh.
- https://www.omadanetworks.com/us/business-networking/omada-wifi-wall-plate/eap235-wall/ - EAP235 Wall without Mesh.

Also sometimes the specifications can change between the different Revisions of a product so watch out for those changes!

Quote
I hope it's ok to post links from other sites here. This is not an ad. I only want to show what I mean so please don't ban or delete this message mods if this is against the rules. I'm sorry if it is against the guidelines.
Don't worry about that : It's OK! :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
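nero355 describes the same arrangement twice above: the access point's own management interface sits untagged on the switch port, every SSID is tagged onto a VLAN, and the switch port towards the firewall carries the untagged management VLAN plus all the tagged ones. The following Python model is an added example written for this thread, not code from OPNsense, TP-Link or any vendor; the VLAN IDs, SSID names and MAC addresses are constructed. It builds real 802.1Q frame headers and then walks through the "Benny" room: a small managed switch in front of the single wall outlet, with Benny on an access port, the AP on a port that is untagged LAN plus tagged SSID VLANs, and a trunk uplink.

```python
"""Frame-level model of "linking SSIDs to VLANs": the AP tags wireless
traffic per SSID, and one switch port carries the untagged management
VLAN plus tagged VLANs towards the firewall. Added example; VLAN IDs,
SSIDs and MAC addresses below are constructed, not taken from the thread.
"""
import struct

ETH_P_8021Q = 0x8100   # TPID that announces an 802.1Q tag
ETH_P_IP = 0x0800

# Constructed VLAN plan using the poster's segment names. LAN is the
# untagged (native) VLAN the APs and switches are managed from.
VLAN = {"LAN": 1, "VPN": 10, "FAMILY": 20, "UNTRUSTED": 30, "IOT": 40}
SSID_TO_VLAN = {"Home-Family": VLAN["FAMILY"],
                "Home-Guest": VLAN["UNTRUSTED"],
                "Home-IoT": VLAN["IOT"]}


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


# Locally administered (02:...) addresses, constructed for the demo.
FW_MAC, AP_MAC = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:02")
BENNY_MAC, PHONE_MAC = mac("02:00:00:00:00:03"), mac("02:00:00:00:00:04")


def build_frame(dst, src, payload, vlan_id=None, pcp=0):
    """Ethernet II frame; an 802.1Q tag is inserted when vlan_id is given."""
    frame = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)       # PCP(3) DEI(1) VID(12)
        frame += struct.pack("!HH", ETH_P_8021Q, tci)
    return frame + struct.pack("!H", ETH_P_IP) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id or None, ethertype, payload)."""
    dst, src = frame[0:6], frame[6:12]
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_8021Q:
        return dst, src, None, ethertype, frame[14:]
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, ethertype, frame[18:]


def ap_wireless_ingress(ssid, frame):
    """The AP's job: a frame from a client on `ssid` leaves the wired uplink
    tagged with that SSID's VLAN. The AP itself is not "in" that VLAN."""
    dst, src, vid, _, payload = parse_frame(frame)
    if vid is not None:
        return None                     # clients do not get to tag their own frames
    return build_frame(dst, src, payload, vlan_id=SSID_TO_VLAN[ssid])


class SwitchPort:
    """802.1Q port. Untagged frames belong to `pvid`; frames tagged with a
    VLAN in `tagged` are accepted and re-tagged on egress; anything else is
    dropped. An access port simply has an empty `tagged` set."""

    def __init__(self, name, pvid, tagged=()):
        self.name, self.pvid, self.tagged = name, pvid, frozenset(tagged)

    def ingress(self, frame):
        """Classify an incoming frame: (vlan_id, untagged_frame) or None."""
        dst, src, vid, _, payload = parse_frame(frame)
        if vid is None:
            return self.pvid, frame
        if vid in self.tagged:
            return vid, build_frame(dst, src, payload)
        return None                     # tag for a VLAN this port does not carry

    def egress(self, vlan_id, untagged_frame):
        """Frame as sent on this port, or None if the port is not a member."""
        if vlan_id == self.pvid:
            return untagged_frame       # native VLAN leaves untagged
        if vlan_id in self.tagged:
            dst, src, _, _, payload = parse_frame(untagged_frame)
            return build_frame(dst, src, payload, vlan_id=vlan_id)
        return None


def room_switch_demo():
    """The 'Benny' room: Benny on an access port, the AP on an untagged-LAN
    + tagged-SSID-VLANs port, and a trunk uplink towards the firewall."""
    p_benny = SwitchPort("benny", VLAN["UNTRUSTED"])
    p_ap = SwitchPort("ap", VLAN["LAN"], {VLAN["FAMILY"], VLAN["UNTRUSTED"], VLAN["IOT"]})
    p_uplink = SwitchPort("uplink", VLAN["LAN"], set(VLAN.values()) - {VLAN["LAN"]})
    out = {}
    # Benny sends untagged: classified by PVID, leaves the uplink tagged 30.
    vid, inner = p_benny.ingress(build_frame(FW_MAC, BENNY_MAC, b"benny"))
    out["benny_vlan"] = vid
    out["benny_uplink_tag"] = parse_frame(p_uplink.egress(vid, inner))[2]
    # A phone on the guest SSID: the AP tags 30 and the AP port accepts it.
    tagged = ap_wireless_ingress("Home-Guest", build_frame(FW_MAC, PHONE_MAC, b"guest"))
    out["guest_vlan"] = p_ap.ingress(tagged)[0]
    # The AP's own management traffic is untagged: PVID LAN, untagged on the uplink too.
    vid, inner = p_ap.ingress(build_frame(FW_MAC, AP_MAC, b"mgmt"))
    out["ap_mgmt_vlan"], out["ap_mgmt_uplink_tag"] = vid, parse_frame(p_uplink.egress(vid, inner))[2]
    # Segregation holds at layer 2: an access port drops tagged frames, so a
    # device cannot pick its own VLAN, and IOT frames are never sent to Benny's port.
    out["tagged_on_access_port"] = p_benny.ingress(build_frame(FW_MAC, BENNY_MAC, b"x", vlan_id=VLAN["IOT"]))
    out["iot_to_benny_port"] = p_benny.egress(VLAN["IOT"], inner)
    return out
```

On the firewall side of the trunk the same plan means one VLAN interface per tag (10, 20, 30, 40 here) on the NIC that receives the uplink, with the untagged traffic landing on the parent interface as LAN; the AP and the switch are then reachable only through LAN, without being "placed in" any of the SSID VLANs.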

Quote from: nero355 on April 13, 2026, 12:05:27 AM
For any Accesspoint to function it does need any kind of IP Address at all

It does *not* need ... 🙂
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)