Setting up isolated guest WiFi using VLAN
We want to provide internet access via WiFi for guests at our office. But we want to ensure that guest devices cannot see and connect to our company devices. The approach we think we need to take is by putting all of the guest devices on one VLAN, and all of the company devices on a second VLAN. All of our network equipment (1x router, 2x switch, 4x access points) is TP-Link, but we are struggling to configure the two VLANs on all of the network equipment.
We have a TL-R600VPN v4.0 router, with port 1 (WAN) connected to our ISP's modem, and ports 4 and 5 (LAN) connected to two TL-SG1016PE v1.0 switches on their port 16. The router is the DHCP server for the network, but all of the network equipment is set to static IP addresses. One of the TL-SG1016PE switches has two EAP245 v1.0 access points connected to it, and the second TL-SG1016PE has two EAP330 v2.0 access points connected to it. This second switch has two Link Aggregation Groups (LAG) set up, so that each EAP330 can use both Ethernet links to the switch. All of the access points have two SSIDs (guest and company) on both 2.4GHz and 5GHz bands. All of the other ports on both switches are patched into wall sockets, for wired company devices to connect to the internet and each other.
On the access points we've set a VLAN id for each SSID, i.e. if a device connects via the guest SSID then its traffic is tagged with VLAN 100, and if a device connects via the company SSID then its traffic is tagged with VLAN 200. (We have also enabled SSID isolation on the guest SSID, so that two guest devices connected to the same access point cannot see each other.) This should mean that all traffic coming out of the access points is tagged, with either VLAN 100 or VLAN 200.
On the switches we've enabled 802.1Q VLAN, and set the Port VLAN Id (PVID) for all of the ports to VLAN 200. Any untagged packet arriving at the switch, for example from a wired company device connected to a wall socket, will then be tagged with VLAN 200. It is the egress rules that have us confused.
We would expect to set the egress rules for the guest VLAN to only include the access point ports (tagged) and the router port (untagged). The company VLAN would include all of the switch ports, with the wall socket ports (tagged), the access point ports (tagged) and the router port (untagged). Essentially the switch will remove the VLAN id from packets heading to the router. Is this correct? Or should the router port egress rule also be tagged for both VLANs?
Finally there is the VLAN configuration of the router. For starters our router already has two VLANs defined (336 and 436), but we're not sure what they relate to. Any pointers? The second confusing configuration is that when creating a VLAN we can only include either the WAN port, or the LAN ports, but not both. Our assumption is that we need to set up both VLANs with both LAN ports as tagged. Is that correct?
Any advice on setting up the VLANs in our network would be gratefully received. Thanks in advance.
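As an added illustration (not part of the question or of any reply in this thread), the following Python model of 802.1Q port-based forwarding reproduces the switch configuration proposed above and shows what each port receives in both directions, including the case the question asks about (router port untagged in both VLANs versus tagged). The port names, the two-AP/two-wall-port layout and the wired-device membership (untagged in VLAN 200, since end devices do not expect tagged frames) are constructed assumptions; the forwarding rules are the standard 802.1Q ones (untagged frame classified by PVID, tagged frame keeps its VID, egress tagged or untagged per port membership, optional ingress filtering). The model floods every member port, as a switch does for broadcast or unknown-unicast frames, and the real TL-SG1016PE behaviour, in particular whether it performs ingress filtering, should be verified on the device.

```python
"""Model of 802.1Q port-based VLAN forwarding (added example, not from the thread).

Assumed standard 802.1Q behaviour (verify on the real switch):
  * an untagged frame entering a port is classified into that port's PVID;
  * a tagged frame keeps the VLAN ID it carries;
  * a frame is flooded to every other member port of that VLAN, tagged or
    untagged according to that port's egress rule;
  * with ingress filtering on, a frame whose VLAN the ingress port is not a
    member of is dropped.
Port names and the layout below are constructed for illustration.
"""
from dataclasses import dataclass

GUEST, COMPANY = 100, 200


@dataclass
class Port:
    name: str
    pvid: int
    tagged: frozenset = frozenset()    # VLANs this port sends out with an 802.1Q tag
    untagged: frozenset = frozenset()  # VLANs this port sends out without a tag

    def is_member(self, vid: int) -> bool:
        return vid in self.tagged or vid in self.untagged


class Switch:
    def __init__(self, ports, ingress_filtering: bool = True):
        self.ports = {p.name: p for p in ports}
        self.ingress_filtering = ingress_filtering

    def classify(self, ingress: str, vid):
        """VLAN a frame belongs to after ingress: its own tag, else the port's PVID."""
        return self.ports[ingress].pvid if vid is None else vid

    def forward(self, ingress: str, vid=None) -> dict:
        """Return {egress port: tag on the wire} for a frame entering `ingress`.

        `vid` is the 802.1Q tag on the incoming frame, or None if it is untagged.
        A value of None in the result means the frame leaves that port untagged.
        """
        eff = self.classify(ingress, vid)
        if self.ingress_filtering and not self.ports[ingress].is_member(eff):
            return {}  # ingress filtering: VLAN not allowed on this port
        out = {}
        for name, port in self.ports.items():
            if name == ingress:
                continue
            if eff in port.tagged:
                out[name] = eff
            elif eff in port.untagged:
                out[name] = None
        return out


def build_switch(router_tagged: bool, ingress_filtering: bool = True) -> Switch:
    """One switch: a router uplink, two AP ports and two wall-socket ports.

    router_tagged=False reproduces the post's proposal (router port untagged in
    both VLANs); router_tagged=True is the alternative the post asks about.
    """
    if router_tagged:
        router = Port("router", pvid=COMPANY, tagged=frozenset({GUEST, COMPANY}))
    else:
        router = Port("router", pvid=COMPANY, untagged=frozenset({GUEST, COMPANY}))
    return Switch([
        router,
        Port("ap1", pvid=COMPANY, tagged=frozenset({GUEST, COMPANY})),
        Port("ap2", pvid=COMPANY, tagged=frozenset({GUEST, COMPANY})),
        # assumption: wired devices do not speak 802.1Q, so VLAN 200 untagged
        Port("wall1", pvid=COMPANY, untagged=frozenset({COMPANY})),
        Port("wall2", pvid=COMPANY, untagged=frozenset({COMPANY})),
    ], ingress_filtering=ingress_filtering)


def guest_reaches_wall(switch: Switch) -> bool:
    """Does a frame from the guest SSID (tag 100 from an AP) reach any wall socket?"""
    return any(n.startswith("wall") for n in switch.forward("ap1", GUEST))


def router_reply_vlan(switch: Switch) -> int:
    """VLAN a reply from the router is classified into. If the router port is
    untagged for the guest VLAN, the router never saw a tag and replies untagged,
    so the reply lands in the PVID; if the port is tagged, the reply carries 100."""
    router = switch.ports["router"]
    reply_tag = GUEST if GUEST in router.tagged else None
    return switch.classify("router", reply_tag)


def vlan_hop_blocked(switch: Switch) -> bool:
    """A wired device on a wall socket injects a frame tagged 100 to reach the
    guest VLAN; True if the switch drops it (ingress filtering)."""
    return switch.forward("wall1", GUEST) == {}


if __name__ == "__main__":
    for tagged in (False, True):
        sw = build_switch(router_tagged=tagged)
        print(f"router port tagged={tagged}: guest->router",
              sw.forward("ap1", GUEST), "reply lands in VLAN", router_reply_vlan(sw))
```

Running it shows that in the forward direction both variants keep guest frames away from the wall sockets, but with the router port untagged in both VLANs the router's replies are classified into the PVID (200) and flooded to the company ports, whereas with the port tagged the reply tagged 100 goes back only to the AP ports. The `vlan_hop_blocked` check is the reason to keep ingress filtering on: without it, a wired device sending its own 802.1Q tag can inject into the guest VLAN.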