Trouble understanding VLANs

Started by bloodyNetworker, April 11, 2026, 11:15:27 PM

Quote from: Patrick M. Hausen on April 13, 2026, 12:13:01 AM
Quote from: nero355 on April 13, 2026, 12:05:27 AM
For any Accesspoint to function it does need any kind of IP Address at all
It does *not* need ... 🙂
Thnx! :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

April 13, 2026, 07:21:04 PM #16 Last Edit: April 13, 2026, 07:27:27 PM by bloodyNetworker
Quote from: Boxer on April 12, 2026, 11:18:00 PM
The telemetry you talk about isn't originating from the AP itself but from the clients connected to that AP (laptop, phone, pc etc.), as already pointed out. [...] Understand what an AP does. It's just a bridge to your opnsense. Make sure it's in AP Mode and not Router Mode. [...]

This goes to nero355, Patrick M. Hausen and Boxer:
It is in AP mode. I also first thought that the AP only sets up the "bridge" and does not require IPs, but if you take a closer look at my logs you'll see I'm not lying when I'm saying that my TP-Link APs have their own IPs and THEY THEMSELVES send out telemetry. Please refer to all the pictures.
In the DNS timeline you can clearly see the orange line, which has the IP 10.0.0.48: This is the "main" TP-Link AP.
The red box marks a certain time when I was totally home alone. No devices from my family connected, only my Linux machine.
Green is localhost.
On one of the Unbound DNS report you can even see tplink domain requests coming from 10.0.0.48, I marked those with a red box as well.
Take a look at the DHCP leases and you'll see that 10.0.0.48 is in fact my TP-Link AP and both of my APs have IP addresses assigned. The main one does domain / IP telemetry requests and the second (10.0.0.56) only some IP requests.
The devices we use are in fact connected to those APs, yes I get that. However each of those devices ALSO has its own IP; I can see that in the DHCP leases. My Linux machine didn't make any such requests, I checked. Those requests solely come from the APs; I can see in the Unbound DNS reports how devices which are connected to the AP don't make those requests at all.

Quote from: Patrick M. Hausen on April 12, 2026, 11:11:24 PM
If the vendor uses telemetry and you cannot opt out, I'd switch vendors. Seriously. You need to build your network from trustworthy components.
Do you have an alternative brand / products to suggest?

EDIT: I had to compress the DNS timeline (output1.png) with ffmpeg to fit it into the max. upload size of 256kb, which decreased the quality, but I think you can still see that the orange line in fact represents requests from 10.0.0.48.
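What the post above does by eye on the Unbound DNS report screenshots can be done offline against the query log itself. The Python below is an added example written for this thread, not code from the forum, from OPNsense or from TP-Link. It assumes the line format Unbound writes when `log-queries: yes` is set (syslog prefix, then `info: <client> <qname> <qtype> <qclass>`); the sample lines are constructed, the client addresses mirror the thread (10.0.0.48 and 10.0.0.56 as the APs, 10.0.0.17 as an assumed Linux client) and the domain names are placeholders rather than the vendor's real hostnames. It groups queries per client, lists which hosts resolve names under a given domain, and flags name lookups that repeat at a fixed interval, which is the signature of a device timer rather than a person browsing.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the format Unbound writes with `log-queries: yes`
# (syslog prefix, then "info: <client> <qname> <qtype> <qclass>"). The client
# addresses mirror the thread (10.0.0.48 and 10.0.0.56 are the APs, 10.0.0.17 is
# an assumed Linux client); the domain names are placeholders, not real hostnames.
SAMPLE_LOG = """\
Apr 13 19:20:01 opnsense unbound[3231]: [3231:0] info: 10.0.0.48 ap-check.vendor-example.com. A IN
Apr 13 19:20:01 opnsense unbound[3231]: [3231:0] info: 10.0.0.48 cloud.vendor-example.com. A IN
Apr 13 19:20:31 opnsense unbound[3231]: [3231:0] info: 10.0.0.48 ap-check.vendor-example.com. A IN
Apr 13 19:20:45 opnsense unbound[3231]: [3231:0] info: 10.0.0.17 archlinux.org. A IN
Apr 13 19:21:01 opnsense unbound[3231]: [3231:0] info: 10.0.0.48 ap-check.vendor-example.com. A IN
Apr 13 19:21:05 opnsense unbound[3231]: [3231:0] info: 10.0.0.56 ap-check.vendor-example.com. A IN
Apr 13 19:21:31 opnsense unbound[3231]: [3231:0] info: 10.0.0.48 ap-check.vendor-example.com. A IN
Apr 13 19:21:40 opnsense unbound[3231]: [3231:0] info: 10.0.0.17 quad9.net. AAAA IN
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ unbound\[\d+\]: \[\d+:\d+\] "
    r"info: (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)


def parse_queries(text):
    """Turn query-log lines into (timestamp, client, qname, qtype) tuples; skip anything else."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog pads single-digit days with a second space; collapse before parsing
        ts = datetime.strptime(re.sub(r" +", " ", m["ts"]), "%b %d %H:%M:%S")
        records.append((ts, m["client"], m["qname"].rstrip(".").lower(), m["qtype"]))
    return records


def queries_per_client(records):
    """client -> Counter of queried names: the per-host view of the Unbound report."""
    out = defaultdict(Counter)
    for _, client, qname, _ in records:
        out[client][qname] += 1
    return dict(out)


def clients_querying(records, suffix):
    """Which hosts resolve names under `suffix` (for example a vendor's domain)."""
    suffix = suffix.lower().lstrip(".")
    return {c for _, c, q, _ in records if q == suffix or q.endswith("." + suffix)}


def repeat_intervals(records, client, qname):
    """Seconds between successive lookups of one name by one host."""
    times = sorted(ts for ts, c, q, _ in records if c == client and q == qname)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def periodic_lookups(records, min_repeats=3, tolerance=5.0):
    """Flag (client, qname, mean interval) where a name is looked up on a steady timer."""
    seen = {(c, q) for _, c, q, _ in records}
    flagged = []
    for client, qname in sorted(seen):
        gaps = repeat_intervals(records, client, qname)
        if len(gaps) >= min_repeats - 1 and max(gaps) - min(gaps) <= tolerance:
            flagged.append((client, qname, round(sum(gaps) / len(gaps))))
    return flagged


if __name__ == "__main__":
    recs = parse_queries(SAMPLE_LOG)
    for client, names in sorted(queries_per_client(recs).items()):
        print(client, dict(names))
    print("vendor domain queried by:", sorted(clients_querying(recs, "vendor-example.com")))
    print("periodic lookups:", periodic_lookups(recs))
```

Feeding it the real Unbound log instead of `SAMPLE_LOG` answers the two questions raised in this post without screenshots: which client addresses (and therefore which DHCP leases) query the vendor's domain, and whether those queries run on a timer while the household devices are idle.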



Quote from: bloodyNetworker on April 13, 2026, 07:21:04 PM
Do you have an alternative brand / products to suggest?

Mikrotik.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote
Are you saying you can not connect each Accesspoint via its own UTP cable ?

Always look at the Specifications on the website of the manufacturer :
- https://www.omadanetworks.com/us/business-networking/omada-wifi-ceiling-mount/eap225/ - EAP225 without Mesh.
- https://www.tp-link.com/us/business-networking/omada-sdn-access-point/eap225-outdoor/v1/ - EAP225 Outdoor with Mesh.
- https://www.omadanetworks.com/us/business-networking/omada-wifi-wall-plate/eap235-wall/ - EAP235 Wall without Mesh.

Also sometimes the specifications can change between the different Revisions of a product so watch out for those changes!

The APs are connected through the network cables that are in our walls. They don't have to be directly connected.
I'm assuming I'm misunderstanding you?

Either TP-Link's specifications are not very clear or idk...
Here is a list of all "Omada Mesh" supported devices on their own website.
The "ceiling" EAP225 is advertised with Omada Mesh support, same as its outdoor variant.
I'm starting to dislike this company... they do all that telemetry goof, force you into cloud accounts to manage your devices and are just so incredibly confusing with their marketing and specifications IMO.

You could try to connect the APs to the "AP VLAN" which offers IP addresses via DHCP but no Internet access by simply not adding the firewall rules that would be necessary for that. But with an IP address the APs should be manageable.

Then create an SSID per VLAN and connect SSID and tagged VLAN at the AP(s). So devices connected to SSID "LAN" will be in VLAN "LAN" and get those 10.0.0.0/24 IP addresses etc.

Where do those network cables in your walls lead? What is at the opposite end of each AP?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
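To make the "SSID per VLAN, tagged at the AP" design in the post above concrete, here is an added Python example written for this thread; it is not code from the forum, from OPNsense or from any AP vendor. It models the three stations a client's frame passes through: the AP tags the frame with the VLAN that belongs to the SSID it arrived on, a VLAN-aware switch passes the tag through, and the OPNsense parent interface hands the frame to the matching VLAN interface. The SSID-to-VLAN-ID mapping and the interface names are assumptions (the thread never states which IDs are used). It also shows the failure mode Patrick hints at: a device that is not VLAN-aware sees a tagged frame as an unknown EtherType 0x8100 instead of IPv4.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800

# Assumed mapping for the setup discussed in the thread: one SSID per VLAN.
# The IDs are placeholders; the thread never says which VLAN IDs are used.
SSID_TO_VLAN = {"LAN": 10, "IOT": 20}
# What the OPNsense trunk port maps a VLAN ID to (interface names assumed).
VLAN_TO_IFACE = {10: "LAN", 20: "IOT", 30: "AP"}


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_untagged(dst: str, src: str, payload: bytes, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """A plain Ethernet II frame, as a Wi-Fi client's traffic looks once the AP has bridged it."""
    return _mac(dst) + _mac(src) + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vlan_id: int, prio: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC (what a VLAN-aware AP or switch does on a trunk)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_8021Q:
        raise ValueError("frame is already tagged")
    tci = (prio << 13) | vlan_id            # PCP (3 bits) | DEI = 0 | VID (12 bits)
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes) -> bytes:
    """Strip the tag (what an access/untagged port does before handing the frame to a plain device)."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return frame
    return frame[:12] + frame[16:]


def parse_frame(frame: bytes, vlan_aware: bool = True) -> dict:
    """Decode the header. With vlan_aware=False the tag is not understood, which is what an
    unmanaged switch or an ordinary host sees: EtherType 0x8100 and an unreadable payload."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "vlan_id": None, "prio": None}
    if vlan_aware and ethertype == ETHERTYPE_8021Q:
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        info.update(vlan_id=tci & 0x0FFF, prio=tci >> 13, ethertype=inner_type, payload=frame[18:])
    else:
        info.update(ethertype=ethertype, payload=frame[14:])
    return info


def ap_uplink(ssid: str, frame: bytes) -> bytes:
    """AP side of 'one SSID per VLAN': a client frame from `ssid` leaves the wired port tagged."""
    return tag_frame(frame, SSID_TO_VLAN[ssid])


def opnsense_ingress(frame: bytes) -> str:
    """Firewall side: a tagged frame on the parent interface goes to the matching VLAN interface;
    an untagged frame lands on the parent itself; an unknown VLAN ID has nowhere to go."""
    info = parse_frame(frame)
    if info["vlan_id"] is None:
        return "parent(untagged)"
    return VLAN_TO_IFACE.get(info["vlan_id"], "dropped(unknown VLAN)")


if __name__ == "__main__":
    client = build_untagged("00:11:22:33:44:55", "66:77:88:99:aa:bb", b"\x45" + b"\x00" * 19)
    on_wire = ap_uplink("IOT", client)
    print("VLAN on the trunk:", parse_frame(on_wire)["vlan_id"], "->", opnsense_ingress(on_wire))
    print("seen by a non-VLAN-aware device:", hex(parse_frame(on_wire, vlan_aware=False)["ethertype"]))
```

The last line of the usage section is the practical check: if any hop between the AP and OPNsense is not VLAN-aware, it either drops the frame or treats it as an unknown protocol, which is why every device on the path has to be VLAN capable and configured for the same IDs.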

First, let me apologise. The Tapo APs ping those servers (reddit, netflix etc) to check the connection is still up. So sorry about questioning that. I still think that's absurd if they're in AP Mode. But it is a ping only, there's no data telemetry. You can block those pings on opnsense but the AP will show a constant red light as if network is down, even when it's up.
Intel i3-8300T - Intel i350_T2 - 8GB RAM

April 13, 2026, 11:19:45 PM #21 Last Edit: April 13, 2026, 11:29:32 PM by bloodyNetworker
Quote from: Boxer on April 13, 2026, 10:03:56 PM
First, let me apologise. The Tapo APs ping those servers (reddit, netflix etc) to check the connection is still up. So sorry about questioning that. I still think that's absurd if they're in AP Mode. But it is a ping only, there's no data telemetry. You can block those pings on opnsense but the AP will show a constant red light as if network is down, even when it's up.

They are in AP mode I can tell you that. How are you so sure that those are only pings? I only know what sites they connect to, whether they really send telemetry is just my speculation. Especially since they just connect with Big Data sites I doubt that those are just pings. I mean why not just ping the upstream DNS server?
In my household that is Quad9 and I'd be totally fine with that.

EDIT: I just found a big forum post on TP-Link's official website, where their customers report the same: The TP-Link APs do in fact send out telemetry.
https://community.tp-link.com/en/business/forum/topic/525328
They are too sorry to make firmware updates for their cheaper product lines to opt-out.

Post #5 https://community.tp-link.com/en/home/forum/topic/214828
Apparently it's a built-in mechanism that cannot be turned off
Intel i3-8300T - Intel i350_T2 - 8GB RAM

Quote from: Patrick M. Hausen on April 13, 2026, 08:07:12 PM
You could try to connect the APs to the "AP VLAN" which offers IP addresses via DHCP but no Internet access by simply not adding the firewall rules that would be necessary for that. But with an IP address the APs should be manageable.

Then create an SSID per VLAN and connect SSID and tagged VLAN at the AP(s). So devices connected to SSID "LAN" will be in VLAN "LAN" and get those 10.0.0.0/24 IP addresses etc.

Where do those network cables in your walls lead? What is at the opposite end of each AP?

This was my original idea, but nero355 told me this could go wrong if I were to put them in IOT VLAN. You've said it yourself: Without internet connectivity, I cannot conveniently update their firmware via their user interfaces. So I guess my best shot would be to just give them a static DHCP Lease and only block those addresses they constantly connect to.

The cables in the walls lead to every NIC in the household. They're coming together in a room where I have them connected to my "main" switch.
So basically it doesn't matter to which NIC in the wall the APs are connected to since the switch makes sure that they can all speak to each other.

April 13, 2026, 11:47:17 PM #24 Last Edit: April 13, 2026, 11:55:38 PM by bloodyNetworker
Quote from: Boxer on April 13, 2026, 11:26:10 PM
Post #5 https://community.tp-link.com/en/home/forum/topic/214828
Apparently it's a built-in mechanism that cannot be turned off

I'd rather not buy from them again. They're lying that it is needed to check for connectivity. Being so nontransparent and non-cooperative with the community's demands to remove 24/7 connections with Big Data and telemetry to their own cloud infrastructure can only mean they're trying to hide their shadiness (probably data selling).
Spread the word to the folks buying from TP-Link. Warn them about TP-Link's lack of trustworthiness.

Quote from: Patrick M. Hausen on April 13, 2026, 07:30:14 PM
Quote from: bloodyNetworker on April 13, 2026, 07:21:04 PM
Do you have an alternative brand / products to suggest?
Mikrotik.
We are dealing here with a "Beginner" and despite the fact that MikroTik does have such a thing as their WinBox GUI for setting up everything I am not sure if that's a good idea ?

Quote from: Boxer on April 13, 2026, 10:03:56 PM
First, let me apologise. The Tapo APs ping those servers (reddit, netflix etc) to check the connection is still up. So sorry about questioning that. I still think that's absurd if they're in AP Mode.
Tapo ?! Are you talking about TP-Link M4 Mesh Sets or something else ?!

Quote from: bloodyNetworker on April 13, 2026, 07:21:04 PM
It is in AP mode. I also first thought that the AP only sets up the "bridge" and does not require IPs, but if you take a closer look at my logs you'll see I'm not lying when I'm saying that my TP-Link APs have their own IPs and THEY THEMSELVES send out telemetry.
I think you have misunderstood my reply about Accesspoints and IP Addresses...

What you are describing is pretty much as expected because you need a way to manage them via their webGUI or some kind of app on your Phone/Tablet :)

Quote from: bloodyNetworker on April 13, 2026, 07:41:29 PM
The APs are connected through the network cables that are in our walls. They don't have to be directly connected.
I'm assuming I'm misunderstanding you?
I think it's time to post a schematic picture of your network setup before we have a lot more misunderstandings...

Quote
Either TP-Link's specifications are not very clear or idk...
Here is a list of all "Omada Mesh" supported devices on their own website.
The "ceiling" EAP225 is advertised with Omada Mesh support, same as its outdoor variant.
I'm starting to dislike this company... they do all that telemetry goof, force you into cloud accounts to manage your devices and are just so incredibly confusing with their marketing and specifications IMO.
Everyone does it these days and a lot of it can be disabled in a lot of cases...

Take for example the more expensive alternative to the TP-Link Omada system : Ubiquiti UniFi
You need multiple steps to disable everything :
- Two different places in the webGUI of the UniFi Controller.
- And another additional file with the right content in the right directory on your UniFi Controller.
After that you need to manually trigger so-called 'Provisioning' for all your devices to apply the changes in that file !!

And don't get me started about TVs and Mobile Devices and all the adware/spyware and horrible EULAs you have to accept so you can use them even though you have paid a lot of money for them...

Quote from: bloodyNetworker on April 13, 2026, 11:19:45 PM
EDIT: I just found a big forum post on TP-Link's official website, where their customers report the same: The TP-Link APs do in fact send out telemetry.
https://community.tp-link.com/en/business/forum/topic/525328
They are too sorry to make firmware updates for their cheaper product lines to opt-out.
That's really a shame...

The M4 units are one of, if not THE cheapest option to have Accesspoints everywhere in the house :)

Quote from: bloodyNetworker on April 13, 2026, 11:38:51 PM
This was my original idea, but nero355 told me this could go wrong if I were to put them in IOT VLAN.
Please note :
That was based on my understanding at the time that you were going to put one of the M4 units in a certain VLAN and not in combination with Advanced (VLAN Aware) Accesspoints !!

Quote
The cables in the walls lead to every NIC in the household. They're coming together in a room where I have them connected to my "main" switch.
So basically it doesn't matter to which NIC in the wall the APs are connected to since the switch makes sure that they can all speak to each other.
Every time you mention a NIC and Accesspoint it sounds like you are using the Accesspoint as an extension of the NIC in a PC ?!

So like I said above : Please make a scheme/drawing of your network setup!
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Quote from: bloodyNetworker on April 13, 2026, 11:38:51 PM
The cables in the walls lead to every NIC in the household. They're coming together in a room where I have them connected to my "main" switch.
So basically it doesn't matter to which NIC in the wall the APs are connected to since the switch makes sure that they can all speak to each other.

So the APs are connected to a cable in the wall on one end and the other end of that cable is connected to a ... NIC? That does not make much sense to me.

In a previous post you wrote:

Quote from: bloodyNetworker
There is an access point connected to the only NIC in the room.

Maybe we need to start over with the terminology. A NIC is a Network Interface Card. The thing you find inside a PC. So all the time you are saying that your APs are connected to some PC? If you mean a wall outlet - that is not called a NIC.

So what is it?

If I guess, all your APs as well as some wired devices (PCs?) and at least the LAN interface of OPNsense are connected to your switch? Is that the case? Whether there is a cable in the wall with outlets or a simple patch cable providing that connection is entirely irrelevant. The only interesting thing is which device is connected to which.

If that is the case - everything connected to switch - and if that switch is not managed and VLAN capable you cannot use VLANs. Hence your confusion or at least part of it. All devices from your APs to the switch and finally OPNsense must be VLAN capable and configured accordingly.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)