I'm trying to use VLANs to separate areas of my home LAN, mostly for security by, for example, keeping guest/Windows WiFi connections isolated from the rest of the system.
It appears that just about every manufacturer's idea of what VLAN means is different!
I have VLAN ability offered by my TP-Link VDSL router, by my Draytek Vigor 2820n router and by a TP-Link TL-SG108E managed switch. They all seem very different!
On the TP-Link router (TD-W9980) the VLAN facility is closely connected with what it calls LAN groups. You can create groups and put the physical LAN ports and WiFi SSIDs into specific groups. Each group has its own DHCP server and thus a different IP range. You can't put anything (LAN port or SSID) into more than one group. In reality there seems to be little real separation between groups as, if you put (say) LAN port 2 into a group by itself, any device connected to LAN port 2 will still get replies to DHCP requests it sends from any/all the other LAN ports. A different subnet will run on LAN port 2, but if you configure a device connected to that port with a different subnet address it will happily talk to devices on the other ports.
The 2820n is quite different. If you set up VLANs on that they all have the same DHCP server (in the 2820n) and are thus on the same subnet, but they are separated and unable to communicate with each other. Devices can be assigned to multiple ports. Thus it's possible to have one VLAN (to which everyone can belong) that has access to the internet and not much else and another VLAN which is the more secure internal VLAN.
Finally the TL-SG108E offers three sorts of VLAN - port-based, tagged and MTU (confusing abbreviation that last one, it doesn't mean Maximum Transmission Unit). The manual isn't very helpful; it does the usual TP-Link thing of repeating what the words on the GUI configuration tell you with no indication of *why* you would want to do anything. Port-based VLANs are a bit like the 2820n ones described above except that they seem to expect different subnets; the others I'm not really sure about (as in I don't really understand them), but looking around the internet I gather that the descriptions confuse others too because they don't use the same terms for the same things as others (mostly Cisco) do.
Help! :-)
I just need a simple explanation of how to split up my LAN such that I can separate a 'Guest WiFi' part (more than one WiFi device), an area that all local users can access (with printer, DNS, etc.) and a more private area (my desktop, backup system, etc.) that only I can access. All users need access to the internet of course.
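An added example, not part of the original post: a small Python model of port-based VLAN membership as the question describes it for the 2820n (members of one VLAN can talk to each other, a port may sit in several VLANs), used to check whether a guest/shared/private split actually keeps the guest side away from the private one. Port names, VLAN sets and the policy are constructed assumptions.

```python
# Added example (not from the original post): a model of port-based VLANs in
# which members of the same VLAN can talk and a port may belong to several
# VLANs, as the question describes for the 2820n. Port names are hypothetical.

# Constructed layout: "wan" stands for the router's internet-facing side.
VLANS = {
    "guest":   {"wan", "guest_wifi"},
    "shared":  {"wan", "family_pc", "printer", "desktop"},
    "private": {"desktop", "backup"},
}

# Constructed policy: pairs of ports that must never be able to reach each other.
POLICY = [("guest_wifi", "desktop"), ("guest_wifi", "backup"),
          ("guest_wifi", "printer"), ("family_pc", "backup")]


def peers(port, vlans):
    """Return every port that shares at least one VLAN with `port`.

    In a port-based VLAN, membership alone decides layer-2 reachability:
    two ports can exchange frames if and only if some VLAN contains both.
    """
    return {p for members in vlans.values() if port in members
            for p in members if p != port}


def violations(vlans, policy):
    """List the policy pairs that the VLAN layout still lets communicate."""
    return [(a, b) for a, b in policy if b in peers(a, vlans)]


def cut_off(port, vlans):
    """Ports that share no VLAN with `port` (e.g. devices with no uplink)."""
    every = {p for members in vlans.values() for p in members}
    return every - peers(port, vlans) - {port}


if __name__ == "__main__":
    print("guest_wifi can reach:", sorted(peers("guest_wifi", VLANS)))
    print("policy violations:", violations(VLANS, POLICY))
    print("no path to wan:", sorted(cut_off("wan", VLANS)))
    # The tempting "one VLAN everyone joins for internet" layout breaks isolation,
    # because guest and private ports then share that VLAN with each other too.
    everyone = dict(VLANS, internet={"wan", "guest_wifi", "family_pc", "desktop"})
    print("violations with a shared internet VLAN:", violations(everyone, POLICY))
```

The last check is the point of the exercise: giving everyone internet by putting all ports into one extra VLAN silently reconnects the guest and private areas; each area needs its own VLAN that contains the uplink port.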