*Partial Solution and Remaining Challenge below, Full Solution at bottom*
I have upgraded TL-R470T+ to TL-R605 and am experiencing difficulty with VLAN connectivity. It's either too connective or not connective enough, like an IT version of Goldilocks.
Attached pic shows my topology. The 470T+ is not Omada-compatible, so was managed in standalone, TL-R605 is managed by OC200.
The other devices were managed by the OC200. Client ports were set to their applicable profiles (VLAN3 / 'Auto' with PVID as VLAN3/'Auto' and VLAN3/'Auto' UNTAGGED, nothing else TAGGED or UNTAGGED). Ports that ran switch-switch, switch-router, switch-EAP had the default 'ALL' port profile, with PVID as VLAN1/'LAN', VLAN1/'LAN' UNTAGGED, all other VLANs TAGGED.
This configuration allowed all clients on all VLANs to connect to internet while preventing them from communicating with each other. Devices on one VLAN were unable to ping devices on another, which was my intention and desire.
I am having trouble duplicating that success with the R605. In order to have my devices connect to the internet, I'm forced to create VLAN's as 'Interface' rather than VLANs, but this enables inter-VLAN routing. That allows devices to communicate across VLANs which defeats my purpose of using VLANs to achieve network segmentation.
I would appreciate advice on how to accomplish my objective of segmenting my VLANs from each other while allowing them to connect to internet. Thank you.
*Partial Solution: ethernet clients are now connected to internet, same-VLAN clients can connect to each other, different-VLAN clients cannot. This is what I want for ethernet clients.*
This took some back-and-forth with TP Link support, and the settings I had to configure to get this working with the R605 were opposite/non-intuitive compared to how I had with the R470T+.
1. Router port connected to T1600: Omada SDN does not allow for adjusting the router port profiles, just the switch port profiles. This seems like a step back, but I've noticed that other functionalities are lost when switching from standalone to Omada Management. With the TL-R470T+, I had its port that was connected to the T1600 set as VLAN1/LAN UNTAGGED, all other VLANs TAGGED.
2. T1600 port connected to R605: Profile set to VLAN1/LAN as Native VLAN/PVID, all other VLANS set UNTAGGED. With the R470T+, all other VLANs were TAGGED.
3. T1600 port connected to T1500: I was able to leave this as the default profile ALL (VLAN1/LAN as Native VLAN/PVID, all other VLANs TAGGED)
4. Ethernet client ports: Profile set to its appropriate VLANx as Native VLAN/PVID, VLAN1/LAN and VLANx set UNTAGGED. With 470T+, I was able to have VLANx as PVID and UNTAGGED, did not need VLAN1/LAN UNTAGGED as well.
*Remaining Challenge: My wifi clients can not connect to internet. With TL-R470T+ as router, port profile of T1600 connected to EAP225 had VLAN1/LAN as Native VLAN/PVID and UNTAGGED, all other wifi VLANs TAGGED. With TL-R605, I have tried with VLAN1/LAN as Native VLAN/PVID and UNTAGGED with all other wifi VLANs UNTAGGED and TAGGED, neither seems to allow wifi clients to connect to internet.
*Full Solution*: I had to configure the VLANs as Interfaces with all different subnets (VLAN2/Guest as 192.168.2.1/24, VLAN3/Auto as 192.168.3.1/24, etc), then set Access Control List rules in order to stop inter-VLAN routing. TP Link tutorial is on youtube here ( https://www.youtube.com/watch?v=Xv5d-wYs2Yk&feature=youtu.be ).
I must say, this whole upgrade from R470T+ to R605 was a bit of a pain. I was expecting the config settings that worked while using the R470T+ would work while using the R605 while allowing better functionality (Omada control, VPN use, gigabit ethernet ports), but this was not the case. Well, at least I have Omada control and gigabit ethernet ports now. I have yet to be able to configure NordVPN on my R605, as the Omada interface for configuring OpenVPN lacks the login and config file fields that are required. I'll follow this thread ( https://community.tp-link.com/en/business/forum/topic/240802 ) for further updates.