The idea of auto-assigning a VLAN is very much an advanced feature. This is typically done with 802.1x authentication methods -- the 'authorized' computers will authenticate themselves as they join the network and will be steered to the appropriate network. The rest of the devices that do not have authentication will be mapped to another network (in this case, a guest network). But make no mistake -- this is a complicated thing to set up, especially for novices, and it is seriously overkill for any home network as it requires not only per-device authentication, it also requires a RADIUS server and quite a bit of complex configuration.
https://openwrt.org/docs/guide-user/network/wifi/wireless.security.8021x
Ok... so in this case, the word primary is used with PVID. I've actually always known that as a "Port VLAN ID," but that's a minor terminology difference.
That addresses ingress traffic, as pointed out by @mk24. Egress traffic is handled by the U(ntagged) or T(agged) setting. It is highly unusual to have `t*` as usually you want the ingress and egress to both be untagged or both be tagged. This would cause an asymmetry which is extremely uncommon and only valuable in an extreme edge case.
When setting a port to have an untagged network, I always recommend explicitly using `u*` so that ingress traffic will always be assigned to the correct VLAN and the egress is that same VLAN. It's true that the `*` may not be necessary, but I think it is a good idea to include it (it will not harm anything).
Based on your diagram, ports lan2 and lan3 should be on the same VLAN with both set to `u*`. It is highly unlikely that either of those machines will understand 802.1q tags unless you have done some advanced configuration (within the Windows and Ubuntu OS's). Most normal user equipment (i.e. computers, phones, tablets, STBs, game consoles, etc.) will not have VLAN aware capabilities out of the box, and lots of devices have no means by which a user could set up VLANs. They normally rely on the ethernet connection being untagged.
Yeah, as I described, this setup is (typically considered) invalid. But regardless of the potential edge-case validity of it, it's certainly not going to help you achieve your goals.
You need it set as `u*` (or `u`), not `t*`.
Back to this goal...
For wifi, it's pretty straightforward - you can either:
- set up an SSID per VLAN (so lan, guest, iot, etc.)
or
- set up a single SSID with multiple passphrases, where the passphrase used will determine the VLAN that is joined. This is more advanced than the SSID per VLAN option, but is possible to do.
(I'm not including 802.1x here because it's like carpet bombing a city to kill a single kitchen rat).
Ethernet is different, though, as you typically set the port-VLAN membership such that you have either trunks (which carry multiple networks where both ends are VLAN aware devices such as routers, managed switches, and APs), or you have access ports which are intended for normal end-user equipment (one network only, untagged + PVID). These are typically specified on a port-by-port basis on the VLAN aware routers or switches, so it's preset. You can change the settings, but it's not dynamic/automatic based on the device that is connected.
To make use of an automatic method, you'll usually be looking at 802.1x authentication. There is another option -- MAC-VLAN, where the MAC address of the connecting device is used to determine the VLAN that is joined. This is also a bit of a complex setup, and is not really ideal for the scenario at hand.
Really, unless you expect people to randomly connect guest/iot devices to random ports in your home, it's really not a big deal to pre-set the specific ports used for those purposes. So if you have an ethernet port in your guest room, set it as the guest network. If you have an ethernet port into which an iot device (maybe a lighting control bridge) will be connected, set that to your iot network as an access port.
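As an added worked example (not the poster's configuration, and not taken from the thread), here is what the access-port vs. trunk-port layout described above looks like in an OpenWrt DSA `/etc/config/network`. It assumes a router with ports lan1-lan4, VLAN 1 for lan, VLAN 3 for guest and VLAN 4 for iot; lan1 is assumed to be a trunk to a VLAN-aware AP or managed switch, lan2/lan3 are the Windows and Ubuntu machines, and lan4 is a port in the guest room. Firewall zones for the guest and iot interfaces are not shown.

```uci
# Bridge that owns all the LAN ports. VLAN filtering is implied once
# bridge-vlan sections exist for this device.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# VLAN 1 = trusted lan. lan2/lan3 are access ports: 'u*' means egress is
# untagged and the port's PVID is 1, so untagged ingress lands in VLAN 1.
# lan1 is the trunk, so it carries VLAN 1 tagged ('t', no PVID).
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

# VLAN 3 = guest. lan4 (guest-room wall jack) is an access port for this
# VLAN only; the trunk carries it tagged alongside the others.
config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'
	list ports 'lan4:u*'

# VLAN 4 = iot. Only present on the trunk here (e.g. for an AP's iot SSID);
# a wired iot device would get its own port listed as 'lanN:u*'.
config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'lan1:t'

# Each VLAN becomes its own L3 interface on the router (br-lan.<vid>),
# which is what lets the firewall keep lan, guest and iot apart.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.0.2.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '198.51.100.1'
	option netmask '255.255.255.0'
```

The addresses are documentation ranges chosen for the example; the point to check after applying it is that no port appears with `u*` in more than one bridge-vlan section, since a port can have only one PVID.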