@surfer1 A couple clarification questions.

1. Your VLAN setup on the switch as you've written them is in the table, is this correct?

2. "DHCP gatway is connected to port 24 (not vlan aware)".  Are you saying the DHCP does not do VLAN assignment?

First, generally your PVID and untagged VLAN should match on a port, so ports 5&7 should have a PVID of 3.  This will make them a fully isolated network since they have no link to the gateway on port 24.  Said another way, currently you have a subdivision in the switch on ports 5&7 to make a small 2 port switch.  For VLAN 3 to get access to the gateway, add VLAN 3 to the tagged VLANs on port 24.

Second, could you clearify the statement about the DHCP "(not vlan aware)", as you need your gateway and DHCP both to be VLAN aware, if you are doing this function outside the switch.  This switch is capable of doing the DHCP job, but you still need a gateway that is VLAN capable since the switch won't do interface routing.

  @JoeSea 

oo thx, so it is not possible to seperate the ports without a vlan aware router, maybe i install dd-wrt on the router which is vlan aware.

tou statement about the ports are correct but when i put port 5 and 7 pcid 3 they do not get an ipadres from the router.

now i understand it the switch cannot tag the ports that is the router does not understand this, when i pit ports 5 and 7 in vlan 1 also they will be tahhed in the default vlan according to the router.

  @surfer1 I'm sorry it is difficult to understand what you have written, but I think you are saying:

"tou statement about the ports are correct but when i put port 5 and 7 pcid 3 they do not get an ipadres from the router."

I think you are saying that - when you put port 5&7's PVID to 3 they don't get an IP address from the router.  This is correct, PVID and VLAN are related.  PVID is the "default" VLAN network for that port and tells the switch which DHCP to ask for a network address.  Since VLAN 1 and 2 are connected to the router, only ports with a PVID of 1&2 will get an IP address.

The untagged VLAN setting tells the switch what VLAN to apply to any packets that come into the switch without a tag.  So the PVID tells the switch which network is the default out going network on the port, and the untagged tells the switch which network is the default incoming network on that port.  This is why generally the PVID and untagged VLAN on a port will match, there are very sophisticated cases when they won't, but this is not that case.

"switch cannot tag the ports that is the router does not understand this, when i pit ports 5 and 7 in vlan 1 also they will be tahhed in the default vlan according to the router"

The router needs to be able to see all three VLANs to apply the routing to the internet.  When your router also provides DHCP, then the subnet will be allocated to the VLANs when they are set up in the router.  If your router currently does not do VLANs, it will typically ignore the VLAN tagging and apply the single DHCP network address to all clients, this is why you get an IP address on ports 5&7 when the PVID is set to 1 or 2, but you don't get internet out because of the Untagged VLAN mismatch.

  @KJK Yes the SG3428 has those abilities, but I interpreted surfer1's intent to have VLAN 3 access the internet and be isolated from the other VLANs which is not what this switch can do.

  @surfer1 

Did you check port 5,7 PVID? They should be 3

And all ports should be untag.

Note: VLAN1 should contains all ports including port 5,7

  @JoeSea 

Yes the SG3428 has those abilities, but I interpreted surfer1's intent to have VLAN 3 access the internet and be isolated from the other VLANs which is not what this switch can do.

When i look at your answers it is not clear to me if it is possible what i want or not without a capable vlan router.

The only thing that i want is that IoT devices like camera's or a gateway of a smarthome cannot reach my computers in the LAN. I have a computer which monitors all devices so that must be possible that that computer can reach ALL devices.

pc connected to sg-3428 port 1

tp link router connected to port 24

laptop connected to wifi en wifi tplink deco connected to port 3

camera connected to port 5

gateway smarthome connected to port 7.

The smarthome does not need access to the LAN so not to pc or laptops. the other way around it must be possible to monitor the IoT devices.

Like i have now: some IoT devices are connected to a guest wifi and cannot connect to the devices in the other wifi or lan but when i connect a IoT device to a switchport the device can reach the pc for example and thats not what i prefer, when something is hacked it is to easy to hack my pc for example.

When i put ports 5 and 7 into pvid 3 it will make no difference but i will try it the coming days when i find the time.

I understand Cisco logiq not the pvid logiq, but the question is, is above possible without a vlan aware router. All devices are connected to the switch not the router. Before the router is also a modem / router connected but on that first router DHCP is disabled and nothing is attached only the 2e router which does DHCP to all devices.

  @surfer1 Ahh so some terms that will help.  Cisco "access port" is a TPLink port with a single PVID and untagged VLAN ID matching.  Cisco "trunk port", is a TPLink port with "access port" like settings, plus one or more tagged VLANs on the port.  Use the 802.1Q VLAN configuration pages for best interaction with other devices.

To make things easy, it would be best to use a router for the VLAN-to-VLAN interface, because the router can do statefull Access Control Lists (ACL) and firewall control.  The router would also be easiest for Layer 3 routing to the internet, if the IoT network needs it.

Use of the SG3428 for VLAN-to-VLAN routing can be done with IP groups, but it is not statefull (many very-explicit ACL rulles are needed) and there is no firewall.  Any traffic from the IoT LAN would need to transfer to the Main LAN to access the internet, and would defeat the purpose of the VLAN control.

If you chose to use a router for VLAN interface, the IoT VLAN needs to be trunked between the router and the switch.  Any port for IoT only will be set like an access port.  This is to provide DHCP service.

If the IoT LAN does not need internet access, the SG3428 can be set to provide DHCP service for the IoT LAN by making a Layer 3 Interface, and ACLs will be needed in the switch to grant and block access between the IoT LAN and other LANs.

  @JoeSea 

Hi thx for your answer this is clear to me.

That is: set the same vlan's on the router and dhcp on the router for each different vlan. Then the uplink port lets say this is 24 on the switch where the router is connected to must be a trunk port or a port which allowes all vlans (that is the vlans which are set) and the port on the switch with the IoT devices (which needs internet) must be configured into the vlan for the internet, lets say 3 is Internet vlan then the port with the IoT device needs to be set on vlan 3 and pvid 3 but also vlan 1 because of the routering thing.

  @surfer1 One small correction, IoT access ports do not need VLAN1, that would make it a trunk port.  The router will provide internet to VLAN3.  The router trunk port will tag VLAN3 to switch trunk port 24. The switch will connect the IoT access port to trunk port 24.