@AmonNascaroth 

There is no "port access control" so actually you still need to use VLAN. However all these settings can be done on the router side, no need the residents' devices to support VLAN.

And actually you also need an Omada managed switch.

See this example:

How to configure Multi-Networks & Multi-SSIDs on Omada SDN Controller

The reason you need an Omada switch is because only switch supports rule 4 access control:

" Allow traffic from device IP#.#.#.# behind port 1 and port 2 (if I want to provide access to certain devices, for example a wallbox) "

  @Somnus 

Good Morning,

I know that link, I found it myself and also TPLink provided it to me. And I guess I understood one thing wrong: I don't need the IP addresses of the apartments, in the link they are there because they were also setup in Omada and not some other router. Am I Right that only a switch and a OC200 is needed but no ER7206? 

  @AmonNascaroth 

ER7206(or ER605 a cheaper one) is needed, if you only have a home router.

Not all routers support multi-net NAT. If you only have the switch, even though you can create VLANs and subnets, but the main router may only allow one VLAN/subnet to get the Internet. 

I hope you all had great holidays!

Internet access is not the issue. It should only be possible to reach devices in a different subnet without the need to make adjustments in one of the networks.

I did some reasearch and trial and error the last days and I think I figured out that the functionality I am looking for is sometimes called "Network Bridge" or "Edge Switch". I tried to follow the multi-nets-nat tutorial from TP-Link but without the router and internet part. What I have now:

• A standalone jetstream switch
• L2
  • Port 1 = VLAN2 "Wohnung 1", VLAN1
  • Port 9-16 VLAN3 "Hausnetz", VLAN1
• L3
  • Interface "Wohnung 1": tried bootp and dhcp with the idea to obtain the IP from the according subnet inside "Wohnung 1"
  • Interface "Hausnetz" with the static IP 192.168.1.0
  • DHCP Server with pool1 for IP range beginning with 192.168.1.1

Devices connected in Port 9 to 16 get the correct IP address and the switch obtains a IP address from the dhcp server in "Wohnung 1". However, I cannot reach the switch via the IP address assigned by the dhcp server in wohnng 1 (while beeing in the network Wohnung 1). And I do not know how to reach a device through the switch... Moreover, I guess I am missing a static route from VLAN2 to VLAN3 and vice versa. But I have no idea how to setup the route because the IP address from Port 1 is unknown (because it's obtained from the according DHCP server...). I tried port isolation to have  a L2 route from Port 1 to 9-16 but that didn't work.

Any ideas?

  @AmonNascaroth 

I did some more research and trial and error. I could manage to access the switch from the other network but I could not manage to see the device connected to the switch that is assigned to the other VLAN/the switch internal DHCP. I also tried with a static route from the IP the switch has been assigned to from the other network to the other vlan but with no success either ... 

Any ideas ?

According to my research my intention shouldn't be impossible but I cannot get it to work...

  @AmonNascaroth 

Thanks. Yeah my next guess is using the router. I spent some time this evening but couldn't achieve anything unfortunately - but I am not also surprised because I haven't had the devices in factory settings :D. I will give it another try tomorrow.

By the way I got an order for a two family home now where I actually need a solution :D