[thrwawy74]

2 things come to mind here:

1) I don't trust devices to respect VLANs. I trust the switches to respect VLANs, but not devices. When the VLAN-tagged traffic hits WiFi the VLAN is lost. When it's received at the AP the AP can choose to tag it again before entering the switch. I think I'd still do multiple SSID's + VLAN's so wifi clients intended for different VLANs are not communicating on the same "virtual AP"? I worry my Google IOT devices could be in promiscuous mode looking at everything. Multiple SSID's would separate them from other devices by encryption.

2) I've read a couple articles saying rate-limiting IOT and Guest networks results in more service interruption than one would expect. Simply prioritizing the main network traffic over Guest & IOT is a better setup. How do we do this in OpenWRT?

[giuliomagnifico]

1) is safe to trust VLANs, especially for this home stuff… otherwise you will need separated LANs and cables! Overkilled.

2) I’m not rate limiting the IoT devices, I’m monitoring them and they make really few traffic, you can limit a device by MAC address in OpenWrt anyway: https://forum.openwrt.org/t/bandwidth-limit-per-ip-mac/35943

[candiddevmike]

RE: 1, you can push wifi clients to separate VLANs either by host or per SSID depending on the gear. It's enforced on the AP, clients can't breakout.

[andix]

By host is rather useless, because you can spoof hostnames and MAC addresses.

[justsomehnguy]

> 1)

This is not Area 51 and a client which doesn't respect VLAN tagging should somehow send packets to a different gateway IP. I don't see a way for a device to know where to send packets if it did break out from VLAN