Hi there,

I've tried to find something similar to my situation on exisiting posts, but not quite.

What I'm trying to do (I think) should be quite simple, but I can't get the configuration quite right.

We have a small hotel and cottages with lots of TP-Link WA901N wifi access points for guests and staff to connect to.

We have 3x TL-SG108PE switches linking the buldings and the various wifi points.

I wanted to use VLANs to lock Guests out of anything but internet access, but still allow Staff to access everything.

So I have set up a Guest VLAN 2 and VLAN 1 is Staff. All of the switches and wifi points support VLANs so I have set up 2 SSID's Guests for VLAN 2 and Staff VLAN 1.

The ports that link the 3 switches I have tagged VLAN1 and 2.

The ports with the wifi access points I have tagged VLAN1 and 2.

The port for the internet router (with DHCP) is untagged  - it's an ASUS AC68U.

All other ports are "untagged" for VLAN1 or "not member" for VLAN2

All the PVID's are 1 as you can only have one VLAN to a port for the ingress.

With this config VLAN2 won't even authenticate the wifi. Everything is fine for VLAN1.

So I'm confused - this seems to be the correct config looking at the 802.1q scenarios in the documentation for the switches and the wifi access points, but I must be doing something wrong.

Can anyone help?