I've tried to find something similar to my situation on existing posts, but not quite.
What I'm trying to do (I think) should be quite simple, but I can't get the configuration quite right.
We have a small hotel and cottages with lots of TP-Link WA901N wifi access points for guests and staff to connect to.
We have 3x TL-SG108PE switches linking the buildings and the various wifi points.
I wanted to use VLANs to lock Guests out of anything but internet access, but still allow Staff to access everything.
So I have set up a Guest VLAN 2 and VLAN 1 is Staff. All of the switches and wifi points support VLANs, so I have set up 2 SSIDs: Guests for VLAN 2 and Staff for VLAN 1.
The ports that link the 3 switches I have tagged VLAN1 and 2.
The ports with the wifi access points I have tagged VLAN1 and 2.
The port for the internet router (with DHCP) is untagged - it's an ASUS AC68U.
All other ports are "untagged" for VLAN1 or "not member" for VLAN2.
All the PVIDs are 1 as you can only have one VLAN to a port for the ingress.
With this config VLAN2 won't even authenticate the wifi. Everything is fine for VLAN1.
So I'm confused - this seems to be the correct config looking at the 802.1q scenarios in the documentation for the switches and the wifi access points, but I must be doing something wrong.
Can anyone help?