Vlan + Mesh using FGW + DLink DGS-1100-05V2 switch + TP-Link EAP610 x2 + TP-Link OC200

I just spent the last few hours setting up my network. I would like to share my experience in case others are interested.

I have been a happy user of Google Wifi for a long time. Recently, I decided to upgrade my network for several reasons:

1. I want to segment my network into 5-6 VLANs because I am increasingly worried about the security of IoT devices and casual Internet activities. 
2. I want some parental control functions.

My house is pretty big with no possibility of laying out cables, so mesh network is needed.

Setting up Firewalla

This step is super straightforward. I follow the official guide and create my VLANs. Note that one VLAN is for network management. I associate all the VLANs to port 1 and set the default LAN to port 3 so all traffic on port 1 is tagged. I am no5 sure if I can remove LAN completely.

Setting up DLink DGS-1100-05V2 switch

I need three ports. Port 1 for connecting with FWG. Port 2 for connecting with an AP, and port 3 for connecting with the OC200 controller. 

• Port 1 and 2 (connection to the switch and AP): I configure it to be a trunk port that is a member of every of my VLAN
• Port 3 is to be connected with OC200, which only communicates in untagged traffic. So I set port 3 to be an access port for the management VLAN, i.e. untagged management VLAN with the same PVID. 
• Port 4 (temporary port): I configure it to be a tagged port for every VLAN except the management VLAN. Then I make it a member of untagged management VLAN with the same PVID. So untagged traffic is supposed to be on the management VLAN.
• Enable the switch's management VLAN. When you do this, make sure the computer is connected to port 3 or 4. 

Note: At this point, if I connect some laptop on either port 3 or 4, they will be allocated an IP on the management VLAN. 

Setting up TP-Link EAP610 x2 + TP-Link OC200

I spent most time figuring out configuration settings by trial and error in this step. By the way, the reason I need OC200 is that a controller is needed for the mesh to work. One can  also run a software controller on some small computer, but it needs to be run 24x7.

1. Connect FWG (port 1) to port 1 of the switch, OC200 to port 3, and one AP to port 4.  Power up the other AP without connecting it to anything. Register TP-Link account and get cloud access. At this point, I see that OC200 and the AP are both allocated an IP in the management VLAN range. Omada will automatically create a mesh. 
2. In the cloud, turn on management VLAN for both APs. You need to turn it on for the satellite AP first and then for the wired AP. You will see both are no longer able to connect to the network, because the management traffic is now tagged. Move the wired AP from port 4 to port 3 on the switch and now they will reconnect. 
3. I use the one SSID, multiple VLAN set up following this video. Basically, there will be a single SSID, and which VLAN a device connects to is determined by which WIFI password to use. It doesn't support Wifi 6, though.

Final thoughts:

1. It's important to set the management VLAN om Omada as late as possible. Once management VLAN is set in the APs, they can no longer adopt new APs into the mesh. One would then have to factory reset every AP (which is not a big deal). Also, having management VLAN as untagged traffic just makes initial configuration way easier. Therefore I used the port swapping trick in step 1 an 2 above.
2. It took me a while to figure out that the OC200 can only communicate in untagged traffic.
3. I bought a 5-port switch. In retrospect, it would be much better to have at least 8 ports.
4. Note on "Layer 3 accessibility" in the Omada AP: In this set up, the OC200 and the APs will be on the same VLAN and so "Layer 3 accessibility" will not be needed.