I recently got a decent switch so I decided to setup a VLAN to separate the Wifi traffic from the rest of my network. I setup all packets coming to the port connected to the Access Point to join VLAN 10, which only allows access to the router port. All good, all wireless devices now cannot access the rest of my network.
Then I remembered, my printer is wireless. So I setup a MAC VLAN which gives my printer VLAN 1 when seen. This lets my whole network see the printer.
But both the VLAN ID and the MAC address are ethernet level information. This means that any Wifi client could possibly spoof the MAC address, and gain access to the rest of the network. Are MAC VLANs not intended to be used this way or I am missing something?
Yeah, my AP is not so advanced so until I get a new one which has that capability I’ll just plug my printer to the wired network for now. Good tip to keep in mind though.