RB2011 + TP-LINK mesh

We have bought a TP-Link Deco M4 mesh to improve our wireless connection inside our office building.

Our connection is as follows: there's one internet router (the one supplied by our internet provider), then the RB2011 is hooked to it and a switch afterwards. All our wired devices are hooked to this switch and the network address is 192.168.30.xxx. We have some static addresses for some PCs and the network printers but the rest of the PCs are given a DHCP address starting from 192.168.30.100.

We connected the main (master?) Deco device hooked to the switch. The default IP range for the mesh is in the 192.168.68.xxx range. This gives us internet for our smart phones and works fine but if we want to use a network printer from a laptop which is not connected wired but using the Deco mesh, these printers are not visible.

I would also like to restrict the available bandwidth for the smartphones, privileging the wired devices and (if possible) some wireless laptops connected to the mesh. Also I would like to improve our network security in terms of who can log in wirelessly.

I made a network diagram which I attach. I may be missing the right terminology but I guess the idea is clear enough.

I have some “more than average” knowledge of how a network works but I am by no means a network admin… Some terminology, e.g. VLAN, buzzes in my head but I really do not get that deep.

What is the right way to do it? What would you recommend I implement? I am willing to learn if you could point me in the right direction.
[Attachment: network diagram.jpg]

Configure the TP-Link in Access Point mode, not the default WiFi Router mode, e.g. https://www.tp-link.com/uk/support/faq/1842/. Where possible connect the Deco units with ethernet cables as meshing reduces capacity - each device has to receive each packet and then transmit onwards. I seem to recall there can be issues using some third-party switches as TP-Link use IEEE 1905.1 to establish ethernet backhaul links; there are various threads if you search for "tp-link deco wired switch issue" or similar.

You can use queues on the MikroTik to limit bandwidth - you could apply a limit to the address pool assigned by DHCP and have a greater, or no, limit for some static addresses (either set directly on devices or with static DHCP reservations). Obviously people could set static addresses on their devices to bypass this but there is little you can do about that unless you have a fully managed network with 802.1X for wired and WPA2-Enterprise for wireless connections.

If you partition the network with VLANs and have separate subnets for wired and wireless devices you will have the same issue with printer discovery as each VLAN is a separate layer 2 entity - broadcast and multicast discovery mechanisms will not propagate between VLANs.

As the Deco only supports pre-shared key (PSK) authentication you only have a single secret shared by everyone for access. Larger companies and organisations use WPA-Enterprise where every user has their own set of credentials for network access, but you require infrastructure to support this - access points (e.g. TP-Link Omada, Aruba, Ubiquiti UniFi, etc.), a RADIUS server (on premises or cloud-based) and credentials (e.g. Windows Active Directory or third-party database).

Note the RB2011 is an old device and can be a bottleneck if you have a high speed (>100 Mbps) internet connection.
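
An added RouterOS sketch of the queue approach described in the reply above (not part of the original post and not the poster's own configuration): a per-client cap on the dynamic DHCP range, with a reserved address left outside it. It assumes the Deco is in Access Point mode so wireless clients lease from the RB2011's 192.168.30.x pool; the MAC address, the .50 reservation, the rates and the queue names are constructed placeholders.

```routeros
# Added example. Constructed values: the MAC address, the .50 reservation,
# the 5M/2M rates and the queue names are placeholders, not from the thread.

# 1. Pin a priority laptop to an address below the dynamic pool (.100 and up),
#    so it falls outside the limited ranges in step 3.
/ip dhcp-server lease
add address=192.168.30.50 mac-address=00:00:5E:00:53:01 comment="priority laptop"

# 2. PCQ queue types: each client address gets its own rate cap instead of
#    all clients sharing one limit.
/queue type
add name=pcq-down-5M kind=pcq pcq-classifier=dst-address pcq-rate=5M
add name=pcq-up-2M kind=pcq pcq-classifier=src-address pcq-rate=2M

# 3. Apply them to the dynamic range only. The targets are written here as
#    prefixes, so .100-.255 is covered by four CIDR blocks:
#    .100/30 (.100-.103), .104/29 (.104-.111), .112/28 (.112-.127),
#    .128/25 (.128-.255). queue= is given as upload/download.
/queue simple
add name=dhcp-pool-limit queue=pcq-up-2M/pcq-down-5M \
    target=192.168.30.100/30,192.168.30.104/29,192.168.30.112/28,192.168.30.128/25

# 4. Simple queues do not see FastTracked connections. List any FastTrack
#    rule; disable it or exclude the limited ranges from it.
/ip firewall filter print where action=fasttrack-connection

# 5. Audit for the static-address bypass mentioned above: an address that
#    appears in ARP below .100 but is not a known static or a reservation
#    is a device that assigned itself an address outside the limited ranges.
/ip dhcp-server lease print
/ip arp print
```

The audit in step 5 only detects the bypass; as the reply says, preventing it needs 802.1X or WPA2-Enterprise.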

Thanks twd for your answer and comments.

It's easier than I thought though wiring will require some extra work. I do not get the chance to use our existing network cabling for this to work properly, right? I mean, I need to send a wire from each Deco to the other directly and not connecting each one to the switch. If this latter option is possible, it would make the move easier.

Do you know if it's necessary to have connections in a certain specific way? Deco's RJ45 connectors are labeled 1 and 2.
[Attachment: Modified network.jpg]

It depends if the switches you have pass the packets used by the Deco for ethernet bridging.

Do you know if it's necessary to have connections in a certain specific way? Deco's RJ45 connectors are labeled 1 and 2.

I expect they will be interchangeable when in Access Point mode, but check the manual to confirm.

For anyone else with my same original question, it does work connected to the switch, rather than the way it is shown in the TP-Link information. I guess it is only a graphic to show cabling instead of WiFi connection, or maybe as tdw says, shown like this to take the guesswork out of knowing if the switch will allow the packets.

Thanks again for your help.