Hello there,
I think there's some misunderstanding. I'm not using the AP as a switch, my topology in this regard is (RB4011/eth10)--(Time Capsule/Wan) . . . (Airport Extreme/WDS).
I don't know that Apple stuff, but do you really mean WAN, or did you misspell WLAN/WiFi? ...assuming you meant WiFi:
Time Capsule is in Bridge Mode, 5GHz and 2.4GHz WiFi serve regular WiFi clients and Guest WiFi serves guest clients. The Airport Extreme doesn't support a guest WiFi so it's just extending the regular WiFi's range.
I have 2 switches hooked to 2 ports on the RB4011 and they serve wired LAN clients and an additional small WiFi AP, but that's a separate SSID.
So the Time Capsule is the only AP that serves more than one SSID (guest + regular)?
What I managed so far.
I have the Time Capsule tag guest WiFi traffic with VLAN 1003 which is handled by the RB4011 and there is no connection to the LAN from there. Traffic on the guest WiFi is limited to 20/5 Mbps in the RB4011.
Just to confirm:
You managed to define a *tagged* VLAN 1003 in the RB4011 according to the documentation given earlier in that link above?
When opening your Interface List, do you see the VLAN-1003 attached to the bridge and, when doing a speedtest with a guest client, do you see traffic flowing in the RX/TX columns of that VLAN 1003?
What I would still need is to have the rest of the traffic from the Time Capsule handled separately while keeping the traffic tagged with VLAN 1003 unchanged. In other words, tag the rest of the traffic from the Time Capsule with some other VLAN by the RB4011.
If that SSID is the only other, besides guest, on that AP and guest is a tagged VLAN, the traffic from the regular SSID will be untagged and, if defined correctly, will be identified by the VLAN filter in the bridge.
You then can define another VLAN-ID (i.e. 10) and then use this as PVID for untagged traffic in the bridge-port of the physical port where your Time Capsule is connected (ether10 it was in your case) and the RB4011 (bridge-)port will tag it for you.
Also my other issue is with IoT devices which are more-or-less scattered around the house. I'd like to have them on the same VLAN, but there's no port I can single out for most of them as some access via WiFi, some via ethernet. I know their MAC addresses, but I don't feel that's a real secure solution (if at all I can separate them via MAC address).
As your switches are L2 capable, define port based VLANs / access ports for the ethernet connected IoT devices (fan-out with more ports/switches, until you are 1:1). Also, if the AP serving them is not VLAN capable, use one or more dedicated APs with an IoT-SSID and connect these to an access port on a switch.
Also, I would need to access them from the LAN, but not the other way around. Does it sound silly to have them on an IoT dedicated VLAN or should I treat them one-by-one with firewall rules?
Once you have them in a dedicated VLAN, just define a filter rule in the forward chain, dropping all traffic *initiated* (new) from that IoT VLAN, where destination is your regular LAN/VLAN or not equal to WAN.
The connection from inside your LAN/regular VLAN should still work, as you normally would allow forward for already established/related connections, i.e. the response traffic from IoT to LAN (for connections previously newly initiated from LAN to IoT, which is what you want).
Remark 1: it definitely is a good practice to put your IoT devices in a separate VLAN. Many of these, without open firmware, are "phoning home" and you never know what they are doing.
For example, I do have a power converter from my solar array that establishes a permanent connection to the manufacturer, so some maintenance guy can log into it, if need be.
With the "right", bogus firmware, this device would allow for more in my LAN... so I have this little thing in a dedicated VLAN/DMZ, even separated from other IoT devices.
I also only use IoT devices controllable/connected via MQTT and have a dedicated MQTT broker in another VLAN, with an MQTT bridge to the MQTT broker in the IoT VLAN, controlling MQTT access from inside LAN to the outside IoT VLAN only.
Remark 2: instead of going through the hassle, fiddling with your SSIDs and VLANs, just ditch that Apple consumer stuff and get some decent APs... you'd be surprised that they are a lot cheaper than you think. Look into the TP-Link Omada series, for example... of course MT APs will also do fine in this regard, but their WiFi performance is below par.
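The bridge VLAN setup for ether10 (tagged 1003 for guest, PVID 10 for the untagged regular SSID) and the one-way IoT forward rules described in the reply above, written out as a RouterOS 7 terminal script. This is an added example, not configuration posted by either participant in the thread. It assumes names and numbers the thread does not give: the bridge is called "bridge", ether1 is the WAN uplink, the regular LAN is VLAN 10, IoT is VLAN 20, a VLAN-capable switch hangs off ether2 as a trunk, and the 192.168.x.0/24 subnets are made up.

```routeros
# Added example for RouterOS 7 (RB4011). Assumed: bridge name "bridge", WAN on
# ether1, switch trunk on ether2, Time Capsule on ether10, VLAN 10 = regular LAN,
# VLAN 20 = IoT, VLAN 1003 = guest (the only ID taken from the thread).
# Run it in Safe Mode (Ctrl-X in the terminal) so a lock-out is rolled back.

/interface bridge
add name=bridge vlan-filtering=no

# ether2: trunk to the switch, only tagged frames accepted.
# ether10: hybrid port to the Time Capsule. Untagged frames (regular SSID) get
# PVID 10 and are tagged by the bridge; guest frames arrive already tagged 1003.
/interface bridge port
add bridge=bridge interface=ether2 frame-types=admit-only-vlan-tagged
add bridge=bridge interface=ether10 pvid=10 frame-types=admit-all

# VLAN table: "bridge" itself is tagged on every VLAN so the router can route them.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=ether10 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 vlan-ids=20
add bridge=bridge tagged=bridge,ether10 vlan-ids=1003

# One L3 interface per VLAN, each with its own gateway address (addresses assumed).
/interface vlan
add interface=bridge name=vlan10-lan vlan-id=10
add interface=bridge name=vlan20-iot vlan-id=20
add interface=bridge name=vlan1003-guest vlan-id=1003

/ip address
add address=192.168.10.1/24 interface=vlan10-lan
add address=192.168.20.1/24 interface=vlan20-iot
add address=192.168.103.1/24 interface=vlan1003-guest

# Forward chain, evaluated top to bottom:
# 1. replies to anything already allowed (this is what lets LAN -> IoT answers back)
# 2. invalid state dropped
# 3. IoT and guest may only *initiate* towards the Internet (anything not ether1 is dropped)
# 4. regular LAN may initiate anywhere (Internet, IoT, guest)
# 5. remaining new flows to the Internet (IoT/guest) accepted
# 6. default deny
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new in-interface=vlan20-iot out-interface=!ether1 comment="IoT: no new connections into LAN or guest"
add chain=forward action=drop connection-state=new in-interface=vlan1003-guest out-interface=!ether1 comment="guest: Internet only"
add chain=forward action=accept connection-state=new in-interface=vlan10-lan comment="LAN may reach IoT, guest and Internet"
add chain=forward action=accept connection-state=new out-interface=ether1
add chain=forward action=drop comment="default deny"

# Guest cap from the thread: 5 Mbps up / 20 Mbps down (max-limit is upload/download).
/queue simple
add name=guest-limit target=vlan1003-guest max-limit=5M/20M

# Enable filtering last, once the VLAN table and ports are complete.
/interface bridge set bridge vlan-filtering=yes
```

Order matters in the forward chain: the established/related accept must come before the IoT drop, otherwise the replies the LAN is waiting for from an IoT device are dropped as well. To check the ether10 part, run a speedtest from a guest client and watch RX/TX on vlan1003-guest, then repeat from a regular client and watch vlan10-lan; if the regular client's traffic shows up nowhere, the untagged frames are being dropped and the PVID or frame-types on ether10 is wrong.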