I'm struggling to understand/manage my network the way I want, and I'm just asking for a way to configure it, not how to do it; just how to configure it, and then I'll do it on my own.
Basically I have a router (R4S SW); connected to it is a managed switch (Netgear), and then an access point (Netgear WAX206 DSA). Now I'm using 3 subnets and the firewall and DHCP on the AP to separate them, in this way:
But I would like to extend my main LAN from the router to the AP and then add 2 VLANs for the IoT and guest zones.
And now I don't know what/how to do this. Is it better to use two cables from the switch to the AP and use one for the main LAN and one for the other VLANs? Or create them on the router?
And in both cases, how do I use tagged and untagged? Because every time I tried, I ended up either locking my PC out of the router or having no access from the guest/IoT zones.
For your network design, I would have your R4S handle all networks, VLANs, their DHCP service and DNS. Keep all that on one device to keep things simple.
Tag all the VLANs exiting your LAN port on the R4S and send them to your switch, also configured to recognize the incoming tagged VLANs. At a minimum you need to tag IoT and Guest. You can leave main untagged if you like (most will probably say tag them all, but I leave one VLAN untagged in my setup), but here is the rule: only one VLAN can be untagged - otherwise there is no way to tell the different VLANs apart.
Configure the switch to receive all the different tagged VLANs and, depending on how you handle main, untagged or tagged main, on the incoming switch port connected to your R4S lan port. Then route different VLANs to other switch ports as desired. The switch port that your AP is connected to should be configured to have tagged VLANs for IOT and guest at a minimum, and how you deal with main will dictate if main is tagged or untagged on this port.
Configure your AP to receive all the different tagged VLANs (and if untagged, untagged main) on the incoming port connected to your switch port. You'll need to define bridges for all your VLANs to attach them to the SSIDs connected to each VLAN; the network file for this is a bit less streamlined on swconfig devices. Do NOT configure DHCP service on the dumb AP (or DNS for that matter) - leave that job for your R4S.
I set up the firewall on my R4S, switch and APs to recognize all the VLAN zones and allow them DNS and DHCP service. Probably just to have that configured as a template on all my devices, but to be honest, I have never removed them to see if things still work. I recognize the firewall on the R4S should handle it, and a managed switch and dumb AP should not need duplicate firewalls.
I'm so enamored with the streamlined DSA configuration network file syntax, I forgot that "config bridge-vlan" and "config interface" sections are still entered in the network file for each VLAN.
@giuliomagnifico this example for an all-in-one router is not exactly what you are after, but the general setup in the files may be helpful nonetheless.
EDIT: I also got Apple HomeKit/Home working on the separate VLANs.
Now if I join the iot/guest WLAN I'm unable to open a 192.168.1.x page, but I'm able to browse the internet, and the 'iot' WLAN is able to update the HomeKit device; Alexa devices are working fine too, obviously.
I'm a bit unsure of two things; one is about the Netgear switch configuration, since with this firmware and only the GUI interface it's hard to understand...
The router/R4S is on port 3 of the switch, and the AP/WAX206 on port 4; now I have tagged ports 3-4 with VLANs 1, 20, 50 (10 is one more VLAN, just in case I need it). Is this correct?
That looks about right. The Netgear OEM UI shows VLAN 1 untagged by default, and the ports that are in the other VLANs as well are presumably tagged (going on your screenshot for VLAN 20), so should be okay.
Yes of course, I posted only one VLAN; the others (10, 20 and 50) are the same, tagged on ports 3 and 4. The Netgear UI is terrible.
I also disabled the firewall and dnsmasq on the WAX206/Access Point. All is working; this setup is way easier than having different subnets, it's only a bit harder to "understand mentally" before starting to build it!
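The isolation reported above (guest and iot get internet but cannot open a 192.168.1.x page) is what the R4S firewall has to enforce once the AP's own firewall is off. Below is an /etc/config/firewall excerpt that does exactly that; it is an added example, not the poster's config, and assumes the default 'lan' and 'wan' zones already exist and the interfaces are named 'guest' and 'iot' as in the thread.

```uci
# /etc/config/firewall on the R4S (excerpt, added alongside the default lan/wan zones)
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'      # router offers nothing to guests except the rule below
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'          # internet only; no forwarding guest -> lan is defined

config forwarding
	option src 'iot'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'iot'          # main LAN may initiate to IoT devices, not the reverse

config rule
	option name 'guest-dhcp-dns'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53 67'   # DNS and DHCP server ports on the router itself
	option target 'ACCEPT'

config rule
	option name 'iot-dhcp-dns'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

With input REJECT on both zones, LuCI and SSH on the R4S are unreachable from guest/iot, which is the behaviour the "unable to open a 192.168.1.x page" test confirms; the nft hit counters mentioned further down will show these rules being used.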
^^^ That may be a statement that it is as you planned but if not...
I'm no firewall expert but if you expect to see a 192.168.1.x page from iot and guest networks based on your firewall rules then you could look at rule hit counters in nft (assuming that you are on firewall 4 on your R4S).
CLI: nft list ruleset
Luci: https://192.168.1.2/cgi-bin/luci/admin/status/nftables
Follow the chain. If a rule you expected to be used for the access has counter '0' then figure out why. Unfortunately with multiple devices in the source network, the counter may be going up if those other devices make use of the rule but that is a clue as well.
Also, I see in your WAX206 screen shot that you have IP addresses on the guest and iot interfaces. That is not needed for forwarding Ethernet frames through the WAX206.
If you don't want potential malware on iot or guest devices to bypass your firewall by setting their own gateway to the IP on the WAX206, then remove the IP config from those interfaces.
In luci, set "Protocol" to "Unmanaged" for interfaces "guest" and "iot".
In cli, it should look something like this:
	config interface 'guest'
		option proto 'none'
		option device 'br-lan.20'

	config interface 'iot'
		option proto 'none'
		option device 'br-lan.50'
Access from networks other than 'lan' to manage the WAX206 via its lan interface IP address is then controlled by the firewall.
I agree that the netgear switch VLAN setup looks correct.
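Putting the dumb AP advice from both replies together (same VLAN IDs as the router, no IP on guest/iot, SSIDs attached per VLAN, no DHCP/DNS here), this is the WAX206 side as an added example, not a config from the thread. The uplink being lan1, the radio name and the management address are assumptions.

```uci
# /etc/config/network on the WAX206 (dumb AP); lan1 as uplink is an assumption
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'       # main untagged, matching the switch port's PVID

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '50'
	list ports 'lan1:t'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'      # management address, reachable from 'lan' only
	option ipaddr '192.168.1.3'
	option netmask '255.255.255.0'
	option gateway '192.168.1.2'
	list dns '192.168.1.2'

config interface 'guest'
	option device 'br-lan.20'
	option proto 'none'        # no IP: frames are only bridged, no gateway to point at

config interface 'iot'
	option device 'br-lan.50'
	option proto 'none'

# /etc/config/wireless (excerpt): each SSID lands in its own VLAN
config wifi-iface 'guest_ap'
	option device 'radio0'     # radio name is an assumption for this board
	option mode 'ap'
	option ssid 'guest'
	option network 'guest'     # -> br-lan.20
	option isolate '1'         # guests cannot see each other on the WLAN
	option encryption 'sae-mixed'
	option key 'CHANGE-ME-PLACEHOLDER'
```

A second wifi-iface with option network 'iot' does the same for VLAN 50; with dnsmasq and firewall disabled on the AP (as the poster did), DHCP requests from both SSIDs travel tagged to the R4S and are answered there.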
I went crazy trying to understand why the exporter wasn't working anymore with the "new layout" of the interfaces, so I tried br-lan, br-lan.1, eth0/1, etc... but nothing; the only solution I found to get node-exporter to correctly write the metrics on localhost:9100/metrics is... to put an asterisk in /etc/config/prometheus-node-exporter-lua. This worked for both the R4S and the WAX206. Probably the exporter "doesn't understand" the VLANs as interfaces.