I recently got a decent switch, so I decided to set up a VLAN to separate the Wifi traffic from the rest of my network. I set up all packets coming in on the port connected to the Access Point to join VLAN 10, which only allows access to the router port. All good, all wireless devices now cannot access the rest of my network.

Then I remembered, my printer is wireless. So I set up a MAC VLAN which gives my printer VLAN 1 when seen. This lets my whole network see the printer.

But both the VLAN ID and the MAC address are Ethernet-level information. This means that any Wifi client could possibly spoof the MAC address and gain access to the rest of the network. Are MAC VLANs not intended to be used this way, or am I missing something?

  • @flux
    14 years ago

    Btw, as you do note, your use case may still not be reliable if you cannot enforce the MAC-to-client mapping.

    For a secure setup I suggest you set up another WiFi SSID for only the printer and other similar class devices. You can then put that complete WiFi network to its own VLAN and configure other rules as you wish. Your WiFi AP should support multiple SSIDs and distinct VLANs for them and then your WiFi AP would be connected via a trunk link (or possibly a hybrid one).

    • @donOP
      14 years ago

      Yeah, my AP is not so advanced, so until I get a new one which has that capability I’ll just plug my printer into the wired network for now. Good tip to keep in mind though.
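The multi-SSID layout @flux describes, written out as an added hostapd example (not from this thread; the interface names, bridge names, SSIDs and passphrases are assumptions). The point it makes concrete: each SSID is bridged into its own VLAN, so the VLAN a wireless client lands in follows the network it authenticated to, not a MAC address it could copy.

```ini
# hostapd.conf (example): one radio, two SSIDs, one VLAN per SSID.
# Assumed trunk side, created on the AP before hostapd starts:
#   ip link add link eth0 name eth0.10 type vlan id 10
#   ip link add link eth0 name eth0.20 type vlan id 20
#   ip link add br-guest type bridge; ip link set eth0.10 master br-guest
#   ip link add br-print type bridge; ip link set eth0.20 master br-print
#   ip link set eth0.10 up; ip link set eth0.20 up; ip link set br-guest up; ip link set br-print up
# The switch port facing eth0 is a trunk carrying VLAN 10 and VLAN 20;
# no MAC-based VLAN rule is needed anywhere.

interface=wlan0
driver=nl80211
hw_mode=g
channel=6
ctrl_interface=/var/run/hostapd

# BSS 1: ordinary Wi-Fi clients. Bridged into VLAN 10, which the switch
# restricts to the router port (the OP's original setup).
ssid=HomeWifi
bridge=br-guest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=EXAMPLE-CLIENT-PSK-CHANGE-ME

# BSS 2: printer-class devices only. Bridged into VLAN 20, which the
# switch allows the wired LAN to reach. A client on HomeWifi that spoofs
# the printer's MAC still ends up in br-guest, because the bridge is
# chosen by the BSS it associated to, not by its MAC.
bss=wlan0_1
ssid=HomePrinters
bridge=br-print
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=EXAMPLE-PRINTER-PSK-CHANGE-ME
# Keep the printer network small and out of scan lists (optional).
ignore_broadcast_ssid=1
max_num_sta=4
```

Use a different passphrase for each SSID: the printer VLAN is only as isolated as the credential that admits clients to its BSS.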