Thank you for all the replies. Christian is right, I wasn't familiar with VLANs before my conceptual question about IoT isolation, so I had no knowledge of how VLANs work before his answer.
Thanks to documentation, articles, and vlan(4), in OpenBSD multiple VLANs can be attached to any physical Ethernet device, but an L3 switch that supports the IEEE 802.1Q protocol must be present. Hopefully, the GS110TP has L3 compatibility, but it requires setting "Tagged" & "Untagged" for each VLAN port during VLAN allocation.

If I understand the concepts right, I should _tag_ each /etc/hostname.vlan1xx outgoing traffic and connect the physical Ethernet cable to a specially allocated port on the L3 switch for "Tagged" VLAN traffic. I'd like to call it the "Uplink" port on the L3 switch, connecting to the OBSD box's physical Ethernet port. Any group of ports intended for IoT connection (L3 switch ports 1-3 in my case) should be marked as "Untagged" to connect IoT devices.

Please correct me if I'm mistaken.

As for the "access point", it works well and has been actively used for a long time. A second SSID is a good idea to provide some isolation for untrusted devices and filter in PF by some indication, but I don't know which indication for now. I think it will be the next step forward to wireless IoT isolation.

Denis

On 2/5/2020 5:53 PM, Christian Weisgerber wrote:
> On 2020-02-05, Janne Johansson <icepic...@gmail.com> wrote:
>
>>> # /etc/hostname.vlan101
>>> description 'WLAN attached untrusted hosts'
>>> inet 192.168.156.0/24 255.255.255.0 vlandev run0
>>
>> VLANs and wifi sounds like a non-starter.
>
> Yep, if you're building your access point with OpenBSD.
>
> More generally, though, any AP in the business segment has support
> for multiple SSIDs that can be assigned to different VLANs on the
> Ethernet side.
>
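
A simplified model of the "Tagged"/"Untagged" port behaviour described in the message above, as an added example that is not part of the original thread. VLAN 101 and IoT ports 1-3 come from the thread; the uplink port number (8), the default-VLAN port 4, the PVID table and the sample frame are assumptions made for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q tag

# Hypothetical switch table: port -> {VLAN ID: "T" (tagged) or "U" (untagged)}
PORTS = {1: {101: "U"}, 2: {101: "U"}, 3: {101: "U"},  # IoT access ports
         4: {1: "U"},                                   # assumed non-IoT port
         8: {101: "T", 1: "U"}}                         # assumed uplink to the OpenBSD box
PVID = {1: 101, 2: 101, 3: 101, 4: 1, 8: 1}             # VLAN given to untagged ingress

def add_tag(frame, vid, pcp=0):
    """Insert the 4-byte 802.1Q tag after the destination and source MACs."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def split_tag(frame):
    """Return (VLAN ID or None, frame with any 802.1Q tag removed)."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame

def switch(in_port, frame):
    """Flood a frame inside its VLAN; return {egress port: frame as sent}."""
    vid, bare = split_tag(frame)
    if vid is None:
        vid = PVID[in_port]          # untagged ingress is classified by PVID
    if vid not in PORTS[in_port]:
        return {}                    # ingress port is not a member: drop
    out = {}
    for port, members in PORTS.items():
        if port == in_port or vid not in members:
            continue                 # other VLANs never see the frame
        out[port] = add_tag(bare, vid) if members[vid] == "T" else bare
    return out

# Constructed sample: broadcast ARP-sized frame from an IoT device
IOT_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00" * 46

if __name__ == "__main__":
    for port, sent in switch(1, IOT_FRAME).items():
        print(port, split_tag(sent)[0], len(sent))
```

Real switches differ in how they treat tagged frames arriving on access ports; this model simply drops frames whose VLAN the ingress port does not belong to.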