My home network is so small I just use MAC VLAN policies on my managed switch. Same SSID and PSK for all devices makes it easy and they all go off onto the untrusted VLAN by default.
That's an interesting idea, but it seems (without having played around with it or knowing your specific setup) like it comes with some security tradeoffs. In particular, MAC spoofing would be an effective way to VLAN hop, if not necessarily a threat you're worried about. It also seems like there is a possibility that devices connected to the same AP could talk to each other without having to go through the switch, bypassing the VLAN tagging entirely.
I'm honestly not sure if the second attack would work or if it would be AP specific, but I imagine most Wifi to wifi traffic through the same AP does not make a round trip through the Ethernet port. This wouldn't be an issue if the AP itself was applying and enforcing VLAN tags, but the MAC spoofing problem would still be an issue.
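The spoofing concern above has a cheap detection side: with MAC-based VLAN assignment, a trusted MAC that suddenly shows up behind the AP's uplink port (or flaps between a wired port and the AP port) is the signal to watch for. The script below is an added example, not code from either commenter; it parses constructed `show mac address-table`-style snapshots (the column layout, port names and MAC values are all assumptions) and flags MACs seen on more than one port across snapshots, plus any MAC that drifts away from the port it is expected on.

```python
"""Spot MAC flapping / unexpected-port events in switch MAC table snapshots.

Added example, not from the thread. Snapshot format, port names and MACs
below are constructed to look like a generic 'show mac address-table' dump.
"""
import re
from collections import defaultdict

# One row per learned MAC: "<vlan> <mac> <type> <port>". Header/separator rows
# do not start with a VLAN number, so they simply fail to match.
LINE_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+\S+\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)

# Constructed snapshots. VLAN 10 is the "trusted" VLAN, Gi1/0/24 is the AP
# uplink, Gi1/0/3 is a wired trusted host. In T1 the wired host's MAC is
# suddenly learned behind the AP port, which is the pattern a spoofed MAC
# on the same SSID would produce.
SNAPSHOT_T0 = """\
Vlan    Mac Address        Type        Ports
----    -----------        --------    -----
  10    02:00:5e:00:00:01  DYNAMIC     Gi1/0/3
  10    02:00:5e:00:00:02  DYNAMIC     Gi1/0/24
 100    02:00:5e:00:00:10  DYNAMIC     Gi1/0/24
"""
SNAPSHOT_T1 = """\
Vlan    Mac Address        Type        Ports
----    -----------        --------    -----
  10    02:00:5e:00:00:01  DYNAMIC     Gi1/0/24
  10    02:00:5e:00:00:02  DYNAMIC     Gi1/0/24
 100    02:00:5e:00:00:10  DYNAMIC     Gi1/0/24
"""

# Assumed inventory: MACs that should only ever be learned on a fixed wired port.
EXPECTED_PORTS = {"02:00:5e:00:00:01": "Gi1/0/3"}


def parse_mac_table(text):
    """Return {mac: (vlan, port)} for every learned entry in one snapshot."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries[m.group("mac").lower()] = (int(m.group("vlan")), m.group("port"))
    return entries


def find_flapping_macs(snapshots):
    """Given [(label, text), ...], return {mac: sorted [(vlan, port), ...]}
    for MACs that were learned on more than one distinct port over time."""
    seen = defaultdict(set)
    for _label, text in snapshots:
        for mac, loc in parse_mac_table(text).items():
            seen[mac].add(loc)
    return {
        mac: sorted(locs)
        for mac, locs in seen.items()
        if len({port for _vlan, port in locs}) > 1
    }


def find_unexpected_ports(entries, expected):
    """Return MACs (sorted) that were learned on a port other than the one
    the inventory says they live on. Unknown MACs are not reported."""
    return sorted(
        mac for mac, (_vlan, port) in entries.items()
        if mac in expected and expected[mac] != port
    )


if __name__ == "__main__":
    snaps = [("t0", SNAPSHOT_T0), ("t1", SNAPSHOT_T1)]
    for mac, locs in find_flapping_macs(snaps).items():
        print(f"FLAP  {mac} seen at {locs}")
    for mac in find_unexpected_ports(parse_mac_table(SNAPSHOT_T1), EXPECTED_PORTS):
        print(f"MOVED {mac} expected on {EXPECTED_PORTS[mac]}")
```

Polling the switch every minute and feeding the snapshots through this is enough to notice a MAC-based policy being abused; it does nothing about the AP-local client-to-client path, which the switch never sees at all, so that one has to be handled on the AP (client isolation or per-SSID tagging).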