So far I haven't found a YT video that covers the network I am creating - hopefully my missing links in understanding will appear here from the Gurus.
Network structure:
RB4011 as ROAS
CRS328 as central switch
Several hAPacLite as switch + dual WLAN with multiple SSIDs - hAPacLites are connected to the CRS and managed by CAPsMAN on the RB4011
Various direct connected devices to other CRS ports
Aim:
Separation by VLAN/Firewall rules of WiFi traffic and other devices (direct connected to CRS)
Method:
VLANs for 'simple' devices on CRS ports, PC's, cameras, NAS, printers etc. - these should be 'straightforward' from what I have learned so far.
However I am starting with the 'hardest bits' first - assigning VLANs to the SSIDs off the hAPacLite devices.
Progress:
From the YT material, the CRS328 is THE place to set 'VLAN filtering' to 'On'.
Similarly, the VLAN table is needed for the CRS.
For ports with downstream hAPacLite, I see that the CRS only needs 'Tagged' ports.
However the hAPacLites need 'Tagged' on the Uplink to the CRS, and 'Untagged' on the WLAN or Virtual WLAN ports.
Challenge:
Big question is whether 'VLAN filtering' is needed to be "set=Yes" on the hAPacLites - I suspect not.
Grateful for any real world experiences/advice/configuration data.
Thank you.
Edit:
It looks like I did need to set 'VLAN filtering=On' in the hAPacLite.
Also, in CAPsMAN on the RB4011 router, I have to set 'VLAN Mode=use tag' for every 'CAP Interface' i.e. including all the virtual interfaces created for the multiple SSIDs.
I had already set the 'VLAN ID' appropriately for all these CAP Interfaces.