Hi, since 2 weeks i have setup an omada network, with oc200 controller,  7206 vpn gateway, 2218 and 2008p managed switches.

so far all good working. With a lot of reading from this forum and youtube. I have now 4 vlans, vlan1 for management, vlan 10 for my own computers, vlan 20 for IoT, and vlan 30 for guests.

acl switch rules prevent acces from every vlan into the other vlan, and also made some rules preventing opening the webpage of the vlan gateways.

i got the oc200 on poe from 2008p switch, vlan 1.

got an ip camera for testing on vlan 20 on poe from 2008p switch.

gateway, controller and switches have fixed ip in vlan 1

ddns setup (running as service on my windows server, so not setup in 7206)

also the internet optic fibre is now still connected via the genexis router, provided by my isp.

so the 7206 is connected to one of the lan ports of the genexis, but in a few weeks will be connected directly to the optic fibre network. Genexis wil be taken down.

for now i also got my vpn l2tp/ipsec working, with some portforwardings in the genexis.

now the question(s):

i want a vpn setup, and have to give in an ip adres or range in a vlan i guess.

when i do so, and connect via the vpn, i indeed get that ip adress in my laptop, and can see this in the controller.

is it now possible , or necessary to make an extra vlan, with an ip range, and set the vpn in this vlan. So i can make acl switch rule that from there i can get into every vlan? This vpn vlan (as i would call it) would not be attached to any switch ports, but jus an existing vlan in the gateway. And then allow acl switch rule that this vlan can get into all other vlans, if needed to download data from vlan 10, or adjust settings in my IoT vlan 20.

management vlan i can get in also via tplink cloud.

or should i just make a vpn setup for each vlan?  What would people with more experience then me advice me.

again, a lot of interesting items found on this site/forum, which helped me to setup my network as it is now quite fast.

rgds

patrick