Vlans (again)

2024-02-20 09:49:11
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version:

Hi everyone,

I currently have a network comprising a VM controller, two SG2008 and an EAP653 serving around 25 clients. The whole network is connected to my ISP through a pfsense box.

The network is segmented into five VLANs with various rules set at the router level (pfSense), along with RADIUS authentication (either the pfSense RADIUS package or the Omada built-in one).

The VLANs are replicated in Omada (VLAN with "purpose" set to VLAN).

Everything is working perfectly. mDNS is working, VLAN isolation is working with granular access as required.

For various reasons, I am getting tired of my pfSense box (WAF, energy bill, ease of management, 2.7ce support, ...), and want to replace it with an Omada router. I read a lot of threads and watched YT videos, all relating either horror stories or beautiful ones.

I found no real answer to VLAN isolation and routing. However, I understood that the recommended way is to change the "purpose" of my VLANs to "interface" and add ACLs to replicate both VLAN isolation and firewall rules. I understand the need for the latter, but not for the former. If the whole network is working within the 802.1Q VLAN framework, why do I have to destroy everything because I change routers? Resorting to ACLs to emulate VLAN isolation seems more of a workaround than a design choice.

From my understanding, and from comparing the specs of Omada routers and L2+ aggregation switches, I have the feeling that each and every router lacks L2+/L3 routing capability. This would explain why a DHCP server and ACLs are not possible for VLANs configured with "vlan" purpose but are possible for VLANs configured with "interface" purpose.

1) Can someone confirm that assumption or explain to me why it works that way?

From spec sheets, L2+/L3 aggregation switches like the TL-SX3008F seem to have L2+/L3 capabilities that are not present in the routers.

2) Would such switches, once adopted in Omada, be capable of inter-VLAN routing between other Omada switches and an Omada router?

3) Depending on the answers to 1) and 2), can a TP-Link representative tell us when and if true VLAN segregation according to 802.1Q is to be expected in Omada?

Thank you for your assistance and for taking the time to reply to this recurring question. (please don't flame me)

Re:Vlans (again)
2024-02-21 03:13:44

Hi @Yttra 

Thanks for posting in our business forum.

1. If you have used pfSense, I don't think you will find the Omada router loveable. I assume you are an advanced user, so pfSense would give you a lot of options to tweak and change. So my first reaction to your idea would be no.

This is my heads-up for you.

2. If you are not that picky, you can probably try the router.

Aside from the judgment above, here are the comments to your descriptions:

3. VLAN interface is different from 802.3Q VLAN. You can go around the VLAN interface and set up DHCP on the switch. The router just routes and NATs.

4. L3 switch, we just released them. https://www.tp-link.com/en/business-networking/omada-switch-l3-l2-managed/?filterby=6384

The basic L3 model is around 2K USD or 1.3K Euros (price varies between retailers).

What kind of L3 feature do you look for on the router? VRRP? It's only available on the new SG(X)6000 (L3) series. 3008F does not have it either or any SG(X)3000 series.

5. In controller mode, you don't have the same parameters as in standalone mode. Or put them in standalone to use everything.

And it routes. I don't know why you say it does not route. Do you have a specific case or example for me?

6. There is.

Lastly, avoid the expectation of being answered by an official member. If you expect to be assigned a specific rep, please contact the technical support team for a specific question and always expect an answer. The forum does not guarantee you are answered. Even if we have official members available, they are not bound to answer every single question or post.

Best Regards!