I'm having trouble getting this device to play nice with my network, but I wanted to see if anyone could spot a mistake I've made before I try to return it.

I have a Linksys router loaded with LEDE that has VLAN tagging enabled. I also have a Ubiquiti wireless access point setup to connect wireless devices to one of the 4 VLANs I have setup for the network.

The WAP seems to require an untagged connection, so I had that connected directly to the back of the router, with the VLAN ID for my LAN untagged. That worked fine.

My goal in purchasing the switch from tp-link was to consolidate some of the things in my networking rack (PoE injector, unmanaged switch) while also expanding my possibilities (e.g. add more Ethernet runs for VoIP lines or security cameras).

Here's the rub. I have two PCs that I want to be on a VLAN I've created for devices I don't fully trust with my LAN traffic (think things like media players or thermastats).

The way this used to be handled was that I had Port1 of the router connected to my WAP with tagging as follows:

VL1 - untagged (LAN)

VL2 - tagged

VL3 - tagged

VL4 - tagged

Then I had a 5-port switch plugged into Port2 that the PCs were connected to, with tagging as follows:

VL1 - off

VL2 - off

VL3 - untagged (untrusted devices)

VL4 - off

When I went to setup the tp-link, I didn't exactly know what to do, especially with tagging for the port on the switch that would become the "uplink" to the router. I also didn't know what to do to the tagging for the port on the router that connected to the switch.

Given these requirements, what might you recommend I do with the tagging of these two ports?

I am using Port1 on the switch to connect to Port1 of the router, Port8 on the switch to connect to the WAP, and Port15-16 to connect the two PCs. I've never managed to get the PCs to connect to the right VLAN, they always get addressed an IP from the LAN VLAN.

Any help is appreciated!