Setting up VLANs on my Omada Hardware
I am relatively new to using Omada hardware and also learning network setup in parallel. I have been trying to leverage articles and posts out there but not exactly finding what I am looking for. This isn't a business set-up but a reasonably advanced home set-up. Here is the hardware I have:
- TL-SG2428P v1.0 (main managed switch in my basement)
- TL-SG2008P v1.0 (a remote managed switch in my attic connected to the switch above)
- EAP245(US) v3.0 (2nd floor access point)
- EAP225(US) v3.0 (main floor access point)
- OC200 controller connected to the TL-SG2428P directly
- I don't have an Omada gateway/ router yet, using another TP-Link Archer router assigning most of the IP addresses
Additional Context:
- I have ~15 devices connected to the switches via cat5e cables (e.g. desktop, NAS, cameras) and about 20 devices that regularly connect to my Wi-Fi (non-guest) (e.g. iPads, phones, echos)
- I have a guest network enabled for devices that come to our home but aren't ours so they can get internet but can't access other network devices
The set-up and software are generally pretty good so far to work with, but now I am trying to do a few more advanced things for security/efficiency reasons on the network. The main thing I am trying to do is largely separate away wired and wireless devices that basically just need the internet and prevent them being a future vulnerability on the network, and I thought VLANs would be a good idea.
What I was thinking was that I would basically create 2-3 VLANs:
- VLAN MGMT - basically my desktop to protect away from other devices that should never access it as it probably has the most sensitive info
- VLAN 1 - basically devices that need to reach the internet but nothing else internally (e.g. Amazon Echo)
- VLAN 2 - devices that need the internet but also other internal network devices (e.g. NAS, Xbox, cameras)
- VLAN 3 - Our work laptops, not sure if this is needed but likely a good idea to keep them on their own
I am assuming if I want to have certain Wi-Fi devices fit into these then I need to create an SSID to match the need (e.g. one that would have devices similar to VLAN 1 and one that would have devices similar to VLAN 2 and so on). Is that correct?
Some of the questions I am trying to figure out are:
- Should all switch ports be assigned to one of those 3 VLANs above? What if I want a port/wired device to belong to 2+ (e.g. my NAS)?
- Can I have devices not connect to my desktop but I can reach all the devices from my desktop (e.g. update firmware/settings), or would I need to manually change the VLAN on Omada when I want to do that?
- For the SSID to be in the VLAN, do I just check the box and use the VLAN number from when I set up the wired VLAN (e.g. 4010)?
- Is it good practice to essentially disable the ports on the switches I'm not using?
- For the switch port to the router, I assume I would add that to All so all of the VLANs can get internet access and a DHCP address?
Any other suggestions/things I am missing in terms of the settings? As I mentioned, I am new and didn't find a great tutorial for what I was trying to do. Thanks in advance for your help!