Help with Basic VLAN Setup to Segment Wired and Wireless Network

Adding a Guest wireless network is a good idea.

Not sure that you need to replace the unmanaged 24-port switch.  Let us know if that was necessary.

I don't think you can selectively activate IPv6 only on one interface.  The UTM only supplies IPv4 IPs with it's DHCP service.  You can selectively allow only the LAN to reach an IPv6 DHCP server.

Cheers - Bob

The guest wireless should be able to have its own VLAN, so I can use "Bridge to VLAN" rather than using "Separate zone" with its MTU issues. That is my plan. 

With the small managed switches in every room, I believe that I will be able isolate mixed wireless and Ethernet-wired devices into their appropriate VLANs wherever they are. I assume that the AP 100C access points will properly tag VLAN and non-VLAN packets on the Ethernet according to their SSIDs, and the new switches will pass them to the next switch accordingly. 

Does all that make sense to you? 

You are on the right track. I would leave the VLAN ID 1 (default VLAN) for administrative purposes and use only the iD above 2 for my segments.

You would need to have trunk ports defined from the main switch to the 5 port switches in the different rooms, all others have to be access ports. Only trunk are capable to transport multiple VLANs at once. Most "unmanaged" switches are confgured like having all ports as a "trunk" and therefore seem to pass through all kind of VLANs. The problem is, if you "untag" a VLAN at a certain port, it stays like it was tagged when entering the "unmanaged" switch.

I bought some cheap managed switches. There are TP-Link model TP-SG105E smart switches in each room. The room switches connect to a similar TP-SG108E in the office. The switches all support 802.1Q VLANs. Configuring them is not easy and not intuitive. Advice there would be appreciated, too.

At the moment, everything is working on the 192.168.10.x network, the LAN. I have not yet configured VLANs in the Sophos UTM or the switches. They are operating the same as unmanaged switches. I gave each switch a fixed IP address on the 192.168.10.x LAN. 

The LAN would stay at 192.168.10.x, with VLANs configured with 192.168.20.x, 192.168.30.x, 192.168.40.x, etc.

Now I am scratching my head over how the AP-100C access points handle both LAN and VLAN SSID traffic to the room's switch and how the room's switch passes both types of traffic to the office switch and through it to the UTM. That might include WiFi traffic on a VLAN where there is no corresponding wired room device on the same VLAN on that room's switch. How do I configure a port on the room's switch to pass both VLAN tagged 802.1Q ethernet packets as well as ordinary LAN ethernet packets without alteration?  

I am also scratching my head over how to configure the room switches to handle devices that should be in a VLAN (e.g., streaming devices) and those on the regular LAN (say, a laptop computer or printer). 

The goal is to isolate devices to the LAN or the appropriate VLAN. Devices may be in different rooms, but on the same VLAN to communicate with each other. The DVRs can share programs with each other over the network, for example. Some devices on a given VLAN may be on the Ethernet, while others on the same VLAN may be wireless. 

-> How do I configure the room switches and office switch to pass the traffic to the UTM. ... and how do I configure the UTM? Here is a simple network diagram. (Oops, I forgot to label the UTM.) Hopefully it will put us all on the same page:

Hello,

this link to the TP-Link "FAQ" may help a little: https://www.tp-link.com/us/support/faq/788/

To be honest, I find that TP-Link guide a bit confusing: I will try to simplify here:

If you use a normal "access-port" on a switch that is capable of managing VLAN-tagging, then there ist always one VLAN-ID which is transported "untagged". This is sometimes called the PVID (private VLAN ID or just private VLAN). This is only possible with ONE of your VLANs per port.

Then there are the other, "non-private" VLAN-ID, which are transported as well, if you assign them to that port as "tagged" VLAN.

So there is one "untagged" VLAN and multiple "tagged" VLANs sharing the same physical port.

Now what happens, if a device on that port is not recognizing that there are VLAN-tags? Then this device "sees" only the "untagged" packets.

If the device attached to that port is able to decode VLAN tags, then you can define to which of possibly several "tagged" VLANs should be detected by that device.

Back to your setup: you have VLAN-IDs: 1, 2, 10, 20 and 30

You have the port going to your AP100C with VLAN1 untagged, VLAN 10 tagged and VLAN 20 tagged.

On the Sophos UTM you have the LAN port with default VLAN 1 untagged (normal default), you then add VLAN 10 tagged (Ethernet VLAN with VLAN Tag 10 to the same physical LAN port) and with VLAN 20 you do the same with VLAN Tag 20.

For port eth0 (internal LAN) this would look like this:

And then you have two interfaces:

But you could do yourself a favour when you number your VLAN similar to the IP-networks.This is mauch easier to read.

My suggestion would be:

VLAN 30 = 192.168.30.0 /24 name = home

VLAN 40 = 192.168.40.0 /24 name = stream

VLAN 50 = 192.168.50.0 /24 name = cameras

Personally, I would define a VLAN for the Guest Network as well:

VLAN 20 = 192.168.20.0 /24 name = guest