Trouble understanding VLANs

Started by bloodyNetworker, April 11, 2026, 11:15:27 PM

Quote from: Patrick M. Hausen on April 13, 2026, 12:13:01 AM
Quote from: nero355 on April 13, 2026, 12:05:27 AM
For any Accesspoint to function it does need any kind of IP Address at all
It does *not* need ... 🙂
Thnx! :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

April 13, 2026, 07:21:04 PM #16 Last Edit: April 13, 2026, 07:27:27 PM by bloodyNetworker
Quote from: Boxer on April 12, 2026, 11:18:00 PM
The telemetry you talk about isn't originating from the AP itself but from the clients connected to that AP (laptop, phone, pc etc.), as already pointed out. [...] Understand what an AP does. It's just a bridge to your opnsense. Make sure it's in AP Mode and not Router Mode. [...]

This goes to nero355, Patrick M. Hausen and Boxer:
It is in AP mode. I also first thought that the AP only sets up the "bridge" and does not require IPs, but if you take a closer look at my logs you'll see I'm not lying when I'm saying that my TP-Link APs have their own IPs and THEY THEMSELVES send out telemetry. Please refer to all the pictures.
In the DNS timeline you can clearly see the orange line, which has the IP 10.0.0.48: This is the "main" TP-Link AP.
The red box marks a certain time when I was totally home alone. No devices from my family connected, only my Linux machine.
Green is localhost.
On one of the Unbound DNS report you can even see tplink domain requests coming from 10.0.0.48, I marked those with a red box as well.
Take a look at the DHCP Leases and you'll see that 10.0.0.48 is in fact my TP-Link AP and both of my APs have IP addresses assigned. The main one does domain / IP telemetry requests and the second (10.0.0.56) only some IP requests.
The devices we use are in fact connected to those APs, yes I get that. However each of those devices ALSO has its own IP, I can see that in the DHCP Leases. My Linux machine didn't make any such requests, I checked. Those requests solely come from the APs; I can see in the Unbound DNS Reports how devices which are connected to the AP don't make those requests at all.

Quote from: Patrick M. Hausen on April 12, 2026, 11:11:24 PM
If the vendor uses telemetry and you cannot opt out, I'd switch vendors. Seriously. You need to build your network from trustworthy components.
Do you have an alternative brand / products to suggest?

EDIT: I had to compress the DNS timeline (output1.png) with ffmpeg to fit it into the max. upload size of 256kb, which decreased the quality, but I think you can still see that the orange line in fact represents requests from 10.0.0.48.

Quote from: bloodyNetworker on April 13, 2026, 07:21:04 PM
Do you have an alternative brand / products to suggest?

Mikrotik.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote
Are you saying you can not connect each Accesspoint via its own UTP cable ?

Always look at the Specifications on the website of the manufacturer :
- https://www.omadanetworks.com/us/business-networking/omada-wifi-ceiling-mount/eap225/ - EAP225 without Mesh.
- https://www.tp-link.com/us/business-networking/omada-sdn-access-point/eap225-outdoor/v1/ - EAP225 Outdoor with Mesh.
- https://www.omadanetworks.com/us/business-networking/omada-wifi-wall-plate/eap235-wall/ - EAP235 Wall without Mesh.

Also sometimes the specifications can change between the different Revisions of a product so watch out for those changes!

The APs are connected through the network cables that are in our walls. They don't have to be directly connected.
I'm assuming I'm misunderstanding you wrong?

Either TP-Link's specifications are not very clear or idk...
Here is a list of all "Omada Mesh" supported devices on their own website.
The "ceiling" EAP225 is advertised with Omada Mesh support, same as its outdoor variant.
I'm starting to dislike this company... they do all that telemetry goof, force you into cloud accounts to manage your devices and are just so incredibly confusing with their marketing and specifications IMO.

You could try to connect the APs to the "AP VLAN" which offers IP addresses via DHCP but no Internet access by simply not adding the firewall rules that would be necessary for that. But with an IP address the APs should be manageable.

Then create an SSID per VLAN and connect SSID and tagged VLAN at the AP(s). So devices connected to SSID "LAN" will be in VLAN "LAN" and get those 10.0.0.0/24 IP addresses etc.

Where do those network cables in your walls lead? What is at the opposite end of each AP?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

First, let me apologise. The Tapo APs ping those servers (reddit, netflix etc) to check the connection is still up. So sorry about questioning that. I still think that's absurd if they're in AP Mode. But it is a ping only, there's no data telemetry. You can block those pings on opnsense but the AP will show a constant red light as if network is down, even when it's up.
Intel i3-8300T - Intel i350_T2 - 8GB RAM

April 13, 2026, 11:19:45 PM #21 Last Edit: April 13, 2026, 11:29:32 PM by bloodyNetworker
Quote from: Boxer on April 13, 2026, 10:03:56 PM
First, let me apologise. The Tapo APs ping those servers (reddit, netflix etc) to check the connection is still up. So sorry about questioning that. I still think that's absurd if they're in AP Mode. But it is a ping only, there's no data telemetry. You can block those pings on opnsense but the AP will show a constant red light as if network is down, even when it's up.

They are in AP mode I can tell you that. How are you so sure that those are only pings? I only know what sites they connect to, whether they really send telemetry is just my speculation. Especially since they just connect with Big Data sites I doubt that those are just pings. I mean why not just ping the upstream DNS server?
In my household that is Quad9 and I'd be totally fine with that.

EDIT: I just found a big forum post on TP-Link's official website, where their customers report the same: The TP-Link APs do in fact send out telemetry.
https://community.tp-link.com/en/business/forum/topic/525328
They are too sorry to make firmware updates for their cheaper product lines to opt-out.

Post #5 https://community.tp-link.com/en/home/forum/topic/214828
Apparently it's a built-in mechanism that cannot be turned off
Intel i3-8300T - Intel i350_T2 - 8GB RAM

Quote from: Patrick M. Hausen on April 13, 2026, 08:07:12 PM
You could try to connect the APs to the "AP VLAN" which offers IP addresses via DHCP but no Internet access by simply not adding the firewall rules that would be necessary for that. But with an IP address the APs should be manageable.

Then create an SSID per VLAN and connect SSID and tagged VLAN at the AP(s). So devices connected to SSID "LAN" will be in VLAN "LAN" and get those 10.0.0.0/24 IP addresses etc.

Where do those network cables in your walls lead? What is at the opposite end of each AP?

This was my original idea, but nero355 told me this could go wrong if I were to put them in IOT VLAN. You've said it yourself: Without internet connectivity, I cannot conveniently update their firmware via their user interfaces. So I guess my best shot would be to just give them a static DHCP Lease and only block those addresses they constantly connect to.

The cables in the walls lead to every NIC in the household. They're coming together in a room where I have them connected to my "main" switch.
So basically it doesn't matter to which NIC in the wall the APs are connected to since the switch makes sure that they can all speak to each other.

April 13, 2026, 11:47:17 PM #24 Last Edit: April 13, 2026, 11:55:38 PM by bloodyNetworker
Quote from: Boxer on April 13, 2026, 11:26:10 PM
Post #5 https://community.tp-link.com/en/home/forum/topic/214828
Apparently it's a built-in mechanism that cannot be turned off

I'd rather not buy from them again. They're lying that it is needed to check for connectivity. Being so nontransparent and non-cooperative with the community's demands to remove 24/7 connections with Big Data and telemetry to their own cloud infrastructure can only mean they're trying to hide their shadiness (probably data selling).
Spread the word to the folks buying from TP-Link. Warn them about TP-Link's lack of trustworthiness.

Quote from: Patrick M. Hausen on April 13, 2026, 07:30:14 PM
Quote from: bloodyNetworker on April 13, 2026, 07:21:04 PM
Do you have an alternative brand / products to suggest?
Mikrotik.
We are dealing here with a "Beginner" and despite the fact that MikroTik does have such a thing as their WinBox GUI for setting up everything I am not sure if that's a good idea ?

Quote from: Boxer on April 13, 2026, 10:03:56 PM
First, let me apologise. The Tapo APs ping those servers (reddit, netflix etc) to check the connection is still up. So sorry about questioning that. I still think that's absurd if they're in AP Mode.
Tapo ?! Are you talking about TP-Link M4 Mesh Sets or something else ?!

Quote from: bloodyNetworker on April 13, 2026, 07:21:04 PM
It is in AP mode. I also first thought that the AP only sets up the "bridge" and does not require IPs, but if you take a closer look at my logs you'll see I'm not lying when I'm saying that my TP-Link APs have their own IPs and THEY THEMSELVES send out telemetry.
I think you have misunderstood my reply about Accesspoints and IP Addresses...

What you are describing is pretty much as expected because you need a way to manage them via their webGUI or some kind of app on your Phone/Tablet :)

Quote from: bloodyNetworker on April 13, 2026, 07:41:29 PM
The APs are connected through the network cables that are in our walls. They don't have to be directly connected.
I'm assuming I'm misunderstanding you wrong?
I think it's time to post a schematic picture of your network setup before we have a lot more misunderstandings...

Quote
Either TP-Link's specifications are not very clear or idk...
Here is a list of all "Omada Mesh" supported devices on their own website.
The "ceiling" EAP225 is advertised with Omada Mesh support, same as its outdoor variant.
I'm starting to dislike this company... they do all that telemetry goof, force you into cloud accounts to manage your devices and are just so incredibly confusing with their marketing and specifications IMO.
Everyone does it these days and a lot of it can be disabled in a lot of cases...

Take for example the more expensive alternative to the TP-Link Omada system : Ubiquiti UniFi
You need multiple steps to disable everything :
- Two different places in the webGUI of the UniFi Controller.
- And another additional file with the right content in the right directory on your UniFi Controller.
After that you need to manually trigger so-called 'Provisioning' for all your devices to apply the changes in that file !!

And don't get me started about TVs and Mobile Devices and all the adware/spyware and horrible EULAs you have to accept so you can use them even though you have paid a lot of money for them...

Quote from: bloodyNetworker on April 13, 2026, 11:19:45 PM
EDIT: I just found a big forum post on TP-Link's official website, where their customers report the same: The TP-Link APs do in fact send out telemetry.
https://community.tp-link.com/en/business/forum/topic/525328
They are too sorry to make firmware updates for their cheaper product lines to opt-out.
That's really a shame...

The M4 units are one of, if not THE cheapest option to have Accesspoints everywhere in the house :)

Quote from: bloodyNetworker on April 13, 2026, 11:38:51 PM
This was my original idea, but nero355 told me this could go wrong if I were to put them in IOT VLAN.
Please note :
That was based on my understanding at the time that you were going to put one of the M4 units in a certain VLAN and not in combination with Advanced (VLAN Aware) Accesspoints !!

Quote
The cables in the walls lead to every NIC in the household. They're coming together in a room where I have them connected to my "main" switch.
So basically it doesn't matter to which NIC in the wall the APs are connected to since the switch makes sure that they can all speak to each other.
Every time you mention a NIC and Accesspoint it sounds like you are using the Accesspoint as an extension of the NIC in a PC ?!

So like I said above : Please make a scheme/drawing of your network setup!
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Quote from: bloodyNetworker on April 13, 2026, 11:38:51 PM
The cables in the walls lead to every NIC in the household. They're coming together in a room where I have them connected to my "main" switch.
So basically it doesn't matter to which NIC in the wall the APs are connected to since the switch makes sure that they can all speak to each other.

So the APs are connected to a cable in the wall on one end and the other end of that cable is connected to a ... NIC? That does not make much sense to me.

In a previous post you wrote:

Quote from: bloodyNetworker
There is an access point connected to the only NIC in the room.

Maybe we need to start over with the terminology. A NIC is a Network Interface Card. The thing you find inside a PC. So all the time you are saying that your APs are connected to some PC? If you mean a wall outlet - that is not called a NIC.

So what is it?

If I guess, all your APs as well as some wired devices (PCs?) and at least the LAN interface of OPNsense are connected to your switch? Is that the case? Whether there is a cable in the wall with outlets or a simple patch cable providing that connection is entirely irrelevant. The only interesting thing is which device is connected to which.

If that is the case - everything connected to switch - and if that switch is not managed and VLAN capable you cannot use VLANs. Hence your confusion or at least part of it. All devices from your APs to the switch and finally OPNsense must be VLAN capable and configured accordingly.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

April 14, 2026, 06:17:23 PM #27 Last Edit: April 14, 2026, 06:32:58 PM by bloodyNetworker Reason: corrected small detail in sketches
First of all: Sorry for the confusion I've caused, especially with my terminology. Yes, Patrick M. Hausen, I meant wall outlets and not NICs, sorry for that. I've made sketches so it is easier to follow me. sketch_currently.png is my current network setup, pretty basic with no VLANs. Those wires in the walls lead to wall outlets where I plug in my ethernet cables. Every room only has a single one of them. They are all connected to my "Main" Switch, but I didn't sketch all wires, just the ones that are relevant to this topic. My "Main" AP is directly connected to my "Main" Switch whereas anything else has to go through the wires / wall outlets in the walls. Hence, the office is arguably the most "complex" room of all to configure. My "Other" TP-Link M4R is connected to the wall outlet, but as you know the M4R has a NIC (yes this time I mean NIC as in NIC, not a wall outlet) to which my TV is connected.

Going forward I'd like to define my terminology so that there are no more communication barriers, which is also necessary to explain my plan:
As I understand it, Managed Switches are configurable to have access/untagged ports (every packet that goes through a specific port is tagged the same way, the tag disappears once it leaves the switch) or trunk/tagged ports (packets going through a NIC can have multiple tags assigned to them, which can be relayed to a different trunk port on a different managed switch).
I'm assuming that in my case I'd be only working with tagged ports as everything is supposed to run through by Opnsense, which controls through the firewall rules the VLAN-access, am I right?
---
Now continuing with my planned network upgrade (sketch_planned.png): I've colored the wires based on the following:
Red means trunk connection.
Yellow means connection of IOT interface.
Purple means connection of UNTRUSTED interface.
I hope you guys aren't colorblind.
---
Because the APs do SSID to VLAN Mapping and you guys made it clear that APs can in fact be set on a VLAN as well, I have a specific question in mind:
When the VLAN-aware AP receives a connection from a specific device from a specific SSID, it'll tag it accordingly. Then the AP would relay the tagged packets through the trunk port. But now that those are tagged I also want to make sure that the packages of the AP are tagged as well so that I can get them to be placed in IOT. How can I achieve this or isn't this possible after all? I'm assuming I'd have to configure the switch-software in a way that the specific trunk port tags packages with IOT, but this theory leaves me with another question: Would the VLAN tags from the SSIDs be overwritten in this setup, or does the software distinguish between the ethernet-connected device and those connected through other means? Specifically, does it only tag packets from the IP address it knows is associated with the Ethernet connection?
This theory is why I've colored the connections to the APs so that they are to be placed in IOT.
But as I've also made clear: I could also live without them being in a separate VLAN, because after all I can just deny any telemetry based off their IPs.

Quote from: nero355 on April 14, 2026, 01:13:54 AM
Quote from: bloodyNetworker on April 13, 2026, 11:38:51 PM
This was my original idea, but nero355 told me this could go wrong if I were to put them in IOT VLAN.
Please note :
That was based on my understanding at the time that you were going to put one of the M4 units in a certain VLAN and not in combination with Advanced (VLAN Aware) Accesspoints !!

So my "theory" that the APs would join IOT is realizable?

Quote from: bloodyNetworker on April 14, 2026, 06:17:23 PM
Hence, the office is arguably the most "complex" room of all to configure.
Not really : The way you did it on your drawing is just fine! :)

Quote
My "Other" TP-Link M4R is connected to the wall outlet, but as you know the M4R has a NIC (yes this time I mean NIC as in NIC, not a wall outlet) to which my TV is connected.
AFAIK that "NIC" is simply a Switchport that is part of a very small integrated Switch ;)

Quote
As I understand it, Managed Switches are configurable to have access/untagged ports (every packet that goes through a specific port is tagged the same way, the tag disappears once it leaves the switch) or trunk/tagged ports (packets going through a NIC Switchport can have multiple tags assigned to them, which can be relayed to a different trunk port on a different managed switch).
;)

Quote
I'm assuming that in my case I'd be only working with tagged ports as everything is supposed to run through by Opnsense, which controls through the firewall rules the VLAN-access, am I right?
It depends how you like to setup things :

Let's say you use the Default LAN NIC Port as it is.
This would be considered as an Untagged/Access Mode Port.

But then you need to add more networks and have the following options :
- Use another LAN NIC Port without configuring any IP Address and Assign VLAN Interfaces to it.
This would be considered as a Tagged/Trunk Mode Port.
- Use all other LAN NIC Ports with their own IP Address configured for each network.
These would all be considered as Untagged/Access Mode Ports.

Quote
Now continuing with my planned network upgrade (sketch_planned.png): I've colored the wires based on the following:
Red means trunk connection.
Yellow means connection of IOT interface.
Purple means connection of UNTRUSTED interface.
&
Quote
Because the APs do SSID to VLAN Mapping and you guys made it clear that APs can in fact be set on a VLAN as well, I have a specific question in mind:

When the VLAN-aware AP receives a connection from a specific device from a specific SSID, it'll tag it accordingly.
Then the AP would relay the tagged packets through the trunk port.
But now that those are tagged I also want to make sure that the packages of the AP are tagged as well so that I can get them to be placed in IOT.

How can I achieve this or isn't this possible after all?
By using Untagged/Tagged settings of the Switchport correctly :
- The VLAN that carries the Network you want the Accesspoint to get/use the IP Address from = Untagged.
- Everything else = Tagged.

Quote
I'm assuming I'd have to configure the switch-software in a way that the specific trunk port tags Untagged packages with IOT
;)

Quote
but this theory leaves me with another question:
Would the VLAN tags from the SSIDs be overwritten in this setup, or does the software distinguish between the ethernet-connected device and those connected through other means? Specifically, does it only tag packets from the IP address it knows is associated with the Ethernet connection?
See above!

Quote
This theory is why I've colored the connections to the APs so that they are to be placed in IOT.
But as I've also made clear: I could also live without them being in a separate VLAN, because after all I can just deny any telemetry based off their IPs.
Now that I see the drawing I feel like we should have started with that, because it looks like a very straightforward setup that you can achieve very easily!

Oh well... Oops! ^_^

Quote
So my "theory" that the APs would join IOT is realizable?
Yes, you can put their Management Interface Untagged in IoT and all other Networks would be Tagged for regular usage.

Quote
I hope you guys aren't colorblind.
LOL! Good thinking!

I often forget that there are people out there with that issue :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
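The "management VLAN untagged, everything else tagged" rule that nero355 gives above (and the access/trunk port definitions bloodyNetworker wrote out, and Patrick's earlier "AP VLAN" suggestion) can be checked with a small model of an 802.1Q switch port. This is an added example written for this page, not code from the thread or from any switch or OPNsense software; the port names, VLAN IDs (10 = LAN, 20 = IOT, 30 = UNTRUSTED) and frames are constructed assumptions. It shows that an untagged frame from the AP itself lands in the port's untagged VLAN (IOT), that a frame the AP already tagged for an SSID keeps its tag rather than being overwritten, and that tagging is decided purely per port at layer 2, so no IP address is involved.

```python
# Added example, not from the thread: a minimal 802.1Q switch-port model.
# VLAN IDs, port names and frames below are constructed assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Frame:
    src: str             # label for the sender; no IP needed, tagging is a layer-2 decision
    vlan: Optional[int]  # 802.1Q tag on the wire; None means the frame is untagged


@dataclass
class Port:
    name: str
    pvid: int                         # the port's Untagged VLAN: where untagged ingress frames go
    tagged: frozenset = frozenset()   # the port's Tagged VLANs: carried with the tag kept on

    def ingress(self, frame: Frame) -> Optional[int]:
        """Classify an incoming frame: the VLAN it is switched in, or None to drop it."""
        if frame.vlan is None:
            return self.pvid           # untagged (e.g. the AP's own management traffic) -> PVID
        if frame.vlan in self.tagged:
            return frame.vlan          # an existing tag is kept; the PVID never overwrites it
        return None                    # tagged for a VLAN this port does not carry: dropped

    def egress(self, frame: Frame, vlan: int) -> Optional[Frame]:
        """The frame as it leaves this port, or None if the port is not a member of the VLAN."""
        if vlan == self.pvid:
            return Frame(frame.src, None)   # untagged member: tag is stripped on the way out
        if vlan in self.tagged:
            return Frame(frame.src, vlan)   # tagged member: tag stays on the wire
        return None


class Switch:
    def __init__(self, *ports: Port):
        self.ports = {p.name: p for p in ports}

    def forward(self, in_port: str, frame: Frame) -> dict:
        """Flood the frame to every other port that is a member of its VLAN (MAC learning omitted)."""
        vlan = self.ports[in_port].ingress(frame)
        if vlan is None:
            return {}
        out = {}
        for name, port in self.ports.items():
            if name == in_port:
                continue
            wire = port.egress(frame, vlan)
            if wire is not None:
                out[name] = wire
        return out


LAN, IOT, UNTRUSTED = 10, 20, 30   # constructed VLAN IDs


def build_switch() -> Switch:
    """Constructed topology: the AP port has IOT untagged (its management network) and the
    SSID VLANs tagged; the OPNsense port carries LAN untagged and the rest tagged; a PC is
    on a plain access port in LAN."""
    return Switch(
        Port("ap1", pvid=IOT, tagged=frozenset({LAN, UNTRUSTED})),
        Port("opnsense", pvid=LAN, tagged=frozenset({IOT, UNTRUSTED})),
        Port("pc", pvid=LAN),
    )


def ap_management_reaches() -> dict:
    """The AP's own untagged traffic: placed in IOT, reaches OPNsense tagged 20, never the PC."""
    return build_switch().forward("ap1", Frame("ap1-mgmt", None))


def ssid_lan_client_reaches() -> dict:
    """A client on SSID 'LAN', tagged 10 by the AP: tag is kept, delivered untagged to LAN members."""
    return build_switch().forward("ap1", Frame("laptop-on-SSID-LAN", LAN))


def unknown_vlan_from_ap() -> dict:
    """A frame tagged for a VLAN the AP port does not carry is dropped at ingress."""
    return build_switch().forward("ap1", Frame("misconfigured-SSID", 40))


def tagged_frame_on_access_port() -> dict:
    """A tagged frame arriving on an access-only port has no tagged membership and is dropped."""
    return build_switch().forward("pc", Frame("pc", IOT))


if __name__ == "__main__":
    for fn in (ap_management_reaches, ssid_lan_client_reaches,
               unknown_vlan_from_ap, tagged_frame_on_access_port):
        print(f"{fn.__name__}: {fn()}")
```

Run it stand-alone and the four cases print the ports each frame reaches. The model deliberately leaves out MAC learning and the OPNsense firewall: once a frame reaches the `opnsense` port tagged 20 or 30, the VLAN interface assigned to that tag on the single OPNsense NIC receives it, and the rules on that interface decide whether the AP gets to the Internet, exactly as Patrick described.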

Quote from: nero355 on April 14, 2026, 07:26:11 PM
Quote
I'm assuming that in my case I'd be only working with tagged ports as everything is supposed to run through by Opnsense, which controls through the firewall rules the VLAN-access, am I right?
It depends how you like to setup things :

Let's say you use the Default LAN NIC Port as it is.
This would be considered as an Untagged/Access Mode Port.

But then you need to add more networks and have the following options :
- Use another LAN NIC Port without configuring any IP Address and Assign VLAN Interfaces to it.
This would be considered as a Tagged/Trunk Mode Port.
- Use all other LAN NIC Ports with their own IP Address configured for each network.
These would all be considered as Untagged/Access Mode Ports.
I'm guessing you mean the NIC on my homeserver? If that's the case: I only have one NIC and I'd like it to stay that way: This is the reason why I'm proposing that every packet has to arrive as tagged so that the firewall rules trigger as intended. It's what I've been wrapping my head around all the time, whether OpnSense can react to tagged packets (and whether it does so automatically if an assigned VLAN tag in OpnSense matches with the incoming tagged packet).
If you meant something else, please let me know.

Quote from: nero355 on April 14, 2026, 07:26:11 PM
By using Untagged/Tagged settings of the Switchport correctly :
- The VLAN that carries the Network you want the Accesspoint to get/use the IP Address from = Untagged.
- Everything else = Tagged.
As far as I understand it you want IOT devices to be untagged. That way they can only communicate if another untagged device within the "internal" VLAN of the switch is also connected to the same switch. Because this isn't happening in my household, any untagged devices will be left alone, is that right?
---
I know I'm constantly changing my mind, but I've now come to the conclusion that the IOT interface, as I've intended it, is a terrible idea:
Simply because I fear that way I'll break the Mesh functionality.
Hence, I'll let them have complete LAN access and only let them contact their vendor cloud servers for firmware updates.
Let's not forget that I also have different IOT devices - like my printer - which require a WLAN connection and whose packets need to be mapped to the IOT VLAN tag as well.

Quote from: nero355 on April 14, 2026, 07:26:11 PM
[You'd] have to configure the switch-software in a way that the specific trunk port [untags] packages with IOT
If I got your idea wrong, please let me know!