Help Needed: Apple Devices Communicating Across VLANs - Novice Learning VLAN Setup
Hey
I'm a novice in networking, and I've been trying to set up a home network using TP-Link Omada equipment. My setup includes a Router (ER605), a Switch (SG2016P), 2 Access Points (EAP653), and a Controller (OC200). I've created several VLANs to segment my network for different types of devices, but I'm running into an issue where things work, but not as I expected, and I'm trying to understand why 
VLAN Configuration (Wired Networks > LAN):
- Default (VLAN 10): 192.168.10.1/24 (Interface)
- IoT (VLAN 20): 192.168.20.1/24 (Interface)
- NoT (VLAN 30): 192.168.30.1/24 (Interface)
WiFi (Wireless Networks > WLAN):
- EA: WPA-Personal, 5 GHz & 6 GHz, VLAN 10
- EA_IoT: WPA-Personal, 2.4 GHz, VLAN 20
- EA_NoT: WPA-Personal, 2.4 GHz, VLAN 30
The "Issue":
When I connect my Apple iPhone 15 Pro to any of these wireless networks (VLANs), it can still see and connect to my Apple TV for screen mirroring, even though the Apple TV is on a different VLAN. This happens with the iPhone is connected to EA (VLAN 10), EA_IoT (VLAN 20), and EA_NoT (VLAN 30). I expected the screen mirroring to only work when both devices are on the same VLAN (When my iPhone is on EA - VLAN 10).
I have confirmed that the iPhone is receiving IP addresses in the correct subnets, when connected to the different SSID's:
- EA: 192.168.10.x
- EA_IoT: 192.168.20.x
- EA_NoT: 192.168.30.x
And that the AppleTV is on the Default VLAN 10.
From my understanding, different VLANs should be isolated, and devices on separate VLANs should not be able to communicate unless specific rules or configurations are set to allow this. I haven't set up mDNS or Bonjour forwarding explicitly, nor have I created any custom firewall rules that might allow this traffic. I do plan to create specific firewall rules to manage traffic in general, but I haven't done so yet.
mDNS/Bonjour Services:
I admit that I have experimented with some settings in mDNS, before I figured this out, but have since disabled them. For example, I created a "HomeKit" Bonjour Service with these settings: _hap._tcp.local, _homekit._tcp.local to try to understand how HomeKit and Home Assistant can add HomeKit devices on other VLANS. But again the rule using that has been, disabled.
Questions:
- Is my understanding of VLAN isolation correct? Should devices on different VLANs be able to see each other by default?
- Could there be a default configuration in the Omada system that allows mDNS or Bonjour traffic across VLANs?
- What steps should I take to ensure proper VLAN isolation, or what might I be missing in my current setup?
I'm eager to learn and understand where I might be going wrong, or where I have miscnfigured my network. Any insights or guidance from more experienced users would be greatly appreciated!
I will share screenshots if needed.
Thanks in advance for any help, and sorry for the long post 
TrekkieDK
Denmark
Thanks for the reply.
I already updated all my devices to latest firmware :
| Router (ER605) |
192.168.10.1 |
CONNECTED |
ER605 v2.0 |
2.2.4 |
| Switch (SG2016P) |
192.168.10.3 |
CONNECTED |
SG2016P v1.20 |
1.20.1 |
| Living Room AP (EAP653) |
192.168.10.5 |
CONNECTED |
EAP653(EU) v1.0 |
1.0.14 |
| Stairwell AP (EAP653) |
192.168.10.6 |
CONNECTED |
EAP653(EU) v1.0 |
1.0.14 |
At least I don't get any notice any longer when I click the "Check for updates" icon on the device list.
My Controller:
Controller Version: 5.14.26.23
Firmware Version: 1.31.3 Build 20240620 Rel.80383
I read through it and followed the setup guide also. Maybe I'm wrong, but I think I did it like it's described in that guide. But I'm by far an expert. Here are some screenshots at least:
Maybe I'm just wrong in my assumption that, different VLANs should be isolated by default, and devices on separate VLANs should not be able to communicate unless specific rules or configurations are set to allow this. Or I'm doing something wrong. Again, I haven’t setup any rules to for example block Internet from certain VLANs etc., yet. But I plan to. I'm just in the beginning of setting all this up.
TrekkieDK
Denmark
Hi @TrekkieDK
Thanks for posting in our business forum.
TrekkieDK wrote
Thanks for the reply.
I already updated all my devices to latest firmware
Router (ER605)
192.168.10.1
CONNECTED
ER605 v2.0
2.2.4
Switch (SG2016P)
192.168.10.3
CONNECTED
SG2016P v1.20
1.20.1
Living Room AP (EAP653)
192.168.10.5
CONNECTED
EAP653(EU) v1.0
1.0.14
Stairwell AP (EAP653)
192.168.10.6
CONNECTED
EAP653(EU) v1.0
1.0.14
At least I don't get any notice any longer when I click the "Check for updates" icon on the device list.
My Controller:
Controller Version: 5.14.26.23
Firmware Version: 1.31.3 Build 20240620 Rel.80383
I read through it and followed the setup guide also. Maybe I'm wrong, but I think I did it like it's described in that guide. But I'm by far an expert. Here are some screenshots at least:
Maybe I'm just wrong in my assumption that, different VLANs should be isolated by default, and devices on separate VLANs should not be able to communicate unless specific rules or configurations are set to allow this. Or I'm doing something wrong. Again, I haven’t setup any rules to for example block Internet from certain VLANs etc., yet. But I plan to. I'm just in the beginning of setting all this up.
TrekkieDK
Denmark
The provided configs look okay to me if you did not change other stuff.
802.1Q VLAN is isolated by default. That's a whole different story. It does not involve NAT and routing which you should already know about because the guides I wrote have explained this.
802.1Q VLAN was originally supposed to isolate stuff.
VLAN is not easy to start with. Follow the guide and configure it as the guide says would be easy. But when you want to improvise, that could take a little more learning.
But you learn something every day. Isn't t?