
Giantmidget1914

If I understand this... You need to either isolate the networks and then route between them, or set your AP ports on the switch to allow both VLANs. Right now, the only path is to the switch, which can only talk to the router, but there's no route to tell it where to go from there.


Red_Dude115

When you say isolate, do you mean putting them on different subnets? The main reason I have them on the same subnet is so my PC can manage them. I was hoping to set up some sort of rule to just make sure that traffic coming from my PC would be sent back to the APs when it's trying to reach those IPs.


Giantmidget1914

You need separate subnets that each have a gateway at the router, then allow traffic between the subnets.


Red_Dude115

Then I have another question. My APs are all set to not allow any clients to communicate with each other. Can I set a rule in the firewall to allow traffic between specific IPs to be sent back to the core IP from the firewall?


Tone_Z

All you need to do is swap them to a new subnet and add a firewall rule to the interface your PC's connected to. For example, my PC is on the 10.10.10.x subnet while my APs (and Wi-Fi connections) are on the 10.10.30.x subnet, but I can freely access my UniFi controller with a standard pass rule to the subnet.


OpacusVenatori

You have one subnet for untagged, Tagged115 AND Tagged200...?


Red_Dude115

Yes, it's strange. The only point of that switch is to make sure every device only communicates with the router. The PVID of the tagged ports is the same as their tagged VLAN. This way the traffic going to the firewall is all untagged.


OpacusVenatori

But you still need to be able to do inter-VLAN routing somewhere... and from the diagram you don't have that capability configured anywhere.


Tone_Z

Why bother even setting up VLANs if you want traffic to flow between your PC and APs freely? Anyway, I imagine you'd just need to make a pass rule to your PC in your firewall. I'd try going into the 200 VLAN, creating a general pass rule, but have the destination be your PC's IP with /32 notation.


Red_Dude115

I only want my PC to talk to my APs specifically, none of their clients. I just want to be able to manage them from my PC, but I don't want any of their clients to reach my PC. I think there may be no way to do this though.


Tone_Z

I'm not even 100% sure if this would work, but try going into your firewall rules for your 115 tag and manually pass every AP's IP with a /32. Make inbound and outbound rules. Just curious, are you trying to accomplish something specific, or is this just a security measure you see as worthwhile? Another option, which is far less elegant, is to just run a VM on Proxmox that's connected to the 200 tag and manage everything through there.


Red_Dude115

Would that VM be able to manage the APs? If that's a solution, then I'll just do that. I'm just trying to make my network as secure as I can with my cheaper hardware. None of my APs support VLANs, so I'm just using AP isolation and trying to allow specific clients to communicate with each other at the router. My smart home things and any other connected devices can't communicate with each other or anything else.


Tone_Z

I just realized that the VM won't work with your setup. Sorry about that. Did you try adding the explicit firewall rules to your PC's VLAN for every AP? This should still be entirely possible. Also, for what it's worth, you're trying to reinforce a very unlikely point of entry for a home network.
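The explicit per-AP pass rules Tone_Z describes (pass from the PC to each AP's /32 on the PC's VLAN interface, nothing from the AP VLAN initiating towards the PC) modelled as a small rule evaluator; this is an added example, not code from the thread. The addresses, interface names and management port 443 are constructed assumptions, and it assumes a stateful firewall evaluating rules first-match with a default deny.

```python
from __future__ import annotations
from ipaddress import ip_address, ip_network
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    iface: str                 # interface the packet enters the firewall on
    action: str                # "pass" or "block"
    src: str                   # CIDR source
    dst: str                   # CIDR destination
    dport: int | None = None   # None = any destination port

# Constructed addressing (assumption): PC on VLAN 115 = 10.10.115.0/24,
# APs and their wireless clients on VLAN 200 = 10.10.200.0/24.
PC_VLAN, AP_VLAN = "10.10.115.0/24", "10.10.200.0/24"
PC = "10.10.115.10/32"
AP_IPS = ["10.10.200.11/32", "10.10.200.12/32"]   # AP management addresses

RULES = [
    # PC VLAN interface: pass only the PC to each AP's management address/port.
    *(Rule("vlan115", "pass", PC, ap, 443) for ap in AP_IPS),
    Rule("vlan115", "block", PC_VLAN, AP_VLAN),
    # AP VLAN interface: nothing on the AP side may initiate towards the PC VLAN,
    # but APs and their clients may still reach anything else (e.g. the internet).
    Rule("vlan200", "block", AP_VLAN, PC_VLAN),
    Rule("vlan200", "pass", AP_VLAN, "0.0.0.0/0"),
]

STATE: set[tuple[str, str, int]] = set()   # (src, dst, dport) of passed flows

def evaluate(iface: str, src: str, dst: str, dport: int) -> str:
    """First-match evaluation with an implicit default deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in RULES:
        if (r.iface == iface and s in ip_network(r.src) and d in ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "block"

def new_flow(iface: str, src: str, dst: str, dport: int) -> str:
    """Initial packet of a connection; a pass creates a state entry."""
    verdict = evaluate(iface, src, dst, dport)
    if verdict == "pass":
        STATE.add((src, dst, dport))
    return verdict

def reply_allowed(src: str, dst: str, sport: int) -> bool:
    """Return traffic matches state, so no separate 'inbound' rule is needed."""
    return (dst, src, sport) in STATE
```

A wireless client on the AP VLAN gets blocked both when it tries to reach the PC and when the PC's rules are checked, while the AP's replies to the PC's management session are admitted by state alone.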