maddinla wrote

The VLAN-configuration in the switch is:
Port 1: VLAN-ID 1 untagged, VLAN-ID 100 untagged (PVID 1, 100)
Port 2: VLAN-ID 1 untagged
Port 3: VLAN-ID 1 untagged
Port 4: VLAN-ID 1 untagged
Port 5: VLAN-ID 1 untagged, VLAN-ID 100 tagged, VLAN-ID 200 tagged (PVID 1,100,200)
Port 6: VLAN-ID 1 untagged, VLAN-ID 100 tagged, VLAN-ID 200 tagged (PVID 1,100,200)
Port 7: VLAN-ID 1 untagged, VLAN-ID 100 tagged, VLAN-ID 200 tagged (PVID 1,100,200)
Port 8: VLAN-ID 1 untagged, VLAN-ID 200 tagged
Port 9/Port 10 (SFP): VLAN-ID 1 untagged

Every VLAN can have only one Primary VLAN ID (PVID), not three of them.

What's more, VLAN 1 is the Default VLAN on TP-Link switches and as long as you don't need it, don't use it. If you choose to use it, see it as an isolated VLAN (such as the LAN for the family, similar to your choice of VLAN ID 100), which implies that you remove all other ports not members of the family LAN from this isolated VLAN 1.

Setup for your layout above is:

- Access ports 1 and 7 (FritzBox LAN) should be member of VLAN 100 only, PVID 100.

- Access port 8 (FritzBox GUEST) should be member of VLAN 200 only, PVID 200.

- Trunk ports 2-4 need to be tagged ports and members of VLAN 100 and 200. PVID can be left at 1, meaning untagged frames arriving on the trunk ports will be assigned to (unused) VLAN 1. Keep in mind that untagged Ethernet frames arriving on a trunk port will be tagged with the port's PVID, but will have the tag removed on egress on other trunk ports if their PVID match the frame's tag (that's what makes the Default VLAN somewhat special, but some TP-Link switches allow to specify this handling in a more fine-grained detail).

Thus, guest WiFi is assigned to VLAN 200 (FritzBox GUEST), family WiFi to VLAN 100 (FritzBox LAN) and house LAN also to VLAN 100.

Beware that the switch itself will be accessible only on VLAN 1 as long as you don't assign a dedicated VLAN and IP address for management purposes. How to do this depends on the switch - some have an input box to specify the MGMT VLAN (could be 100 in your case to access the switch from devices within the family VLAN), others need a virtual interface for the MGMT VLAN, so you would need to assign a virtual interface with an IP from the family LAN to VLAN 100 if you want to be able to still reach the switch from within your LAN.

Or do i have to „tell“ the switch, to route VLAN-ID200-packets to Port 8 and VLAN-ID100-packets to Port 1 in another way?

No, routed ports make no sense for such a setup.

Next idea is, that in this guest-net only allowes http, https and WhatsApp.

Do i have to create ACL’s (Extend-IP ACL) and bind them to the VLAN’s? Or can this be solved in another way?

The FritzBox guest network can be set to allow mail and http/https only, but not Whats App. So, yes, you need to use ACLs to achieve this, since the FritzBox doesn't allow access to its (proprietary) firewall.

Does anyone exactly knows, what ports WhatsApp will use??? I searched and found port 5222 and port 5223.

Whats App messenger uses TCP ports 80, 443, 4244, 5222, 5223, 5228, 5242, 50318, 59234 and UDP ports 34784, 45395, 50318, 59234 depending on traffic (data and/or voice). But they may change or extend port ranges without further notice and did so in the past.

For my understanding: will all other ports be rejected, that have no ACL defined???

The default policy is to permit all traffic if no ACL is defined. As soon as you define an ACL and bind it to a port, the default policy is changed for this port to deny traffic not explicitly permitted. If you want to define different levels of access for different users (for examples, banning bad guys abusing the guest network), you might want to configure ACLs that consist of explicit deny entries, then add an entry to permit all access to the end of each ACL just like in firewalls. Depending on the switch you could also find an option to explicitly set a default policy.

maddinla wrote

Thanks for your suggestions. But this won't work.

For me it works perfectly; I have similar setup with Fritzbox, UBNT EdgeRouter, T-1600G and several EAPs with even more VLANs.

As you mentioned, i changed Port 1 (to the FritzBox) and Port 7 (to my EAP330) to VLAN100 with PVID100 and Port 8 to VLAN200 with PVID200. There was no further information of tagging/untagging these ports so i decided to set them up as untagged ports. ....mistake????

No. You wrote that you configured port 1 to VLAN 1 untagged, VLAN 100 tagged, which makes it a trunk port. Likewise, port 8 is member of VLAN 1 untagged and VLAN 200 tagged, also a trunk port. Yes, that's a mistake if you want to have those as pure access ports.

Access ports may be member of only one VLAN and they need to be untagged. If one of the two conditions isn't met (either member of more than one VLAN or using a tagged port), the port becomes a trunk port.

You would set up Port2-4 as "trunk ports". Why???

Sorry, meant ports 5-7. T1500G has the opposite order in port numbering than most other smart switches from TP-Link.

maddinla wrote

But i can't reach my EAP330 anymore

Of course you can't reach it anymore if you did not create a VLAN for management. Either assign the port as a member of an untagged VLAN or use a dedicated tagged VLAN for management (recommended). In the latter case, set this VLAN ID in EAP330's Management setting. To do so, use untagged frames when configuring it.