I understand what you are saying when it comes to the devices plugged directly into various ports on the managed switch using RJ45 cables. The problem I’m trying to solve is the mixture of devices coming in over the eero mesh which would be plugged into a single physical port on the new switch.
Some of the devices coming in on the eero have no easy way of setting their IP address statically, like the Ring camera, the Rainbird water sprinkler controller, the refrigerator, etc. I need to be able to put those types of IoT devices in a separate VLAN to restrict their access and assign an appropriate IP address to them via DHCP. Other things coming in over the eero, such as my wife’s PC, her iPad, our iPhones, and her printer, need to be able to traverse the LAN. I can assign a static IP to the PC and the printer, but I don’t know that this is possible with the phones or iPad. Since I know the MAC address of everything on my network, I thought a MAC-based VLAN would be the best approach, with DHCP servers running on each subnet/VLAN.
Then there is the matter of the guest network. While the eero has two SSIDs (privileged and guest), I don’t know how the switch would know whether a device was connected as privileged or as a guest. When I have friends over that want to jump on the WiFi, I don’t know their MAC addresses and need an easy way to restrict their traffic. Here are my use cases:
- I need to be able to have trusted devices on the LAN that come in through hard wired connections to the switch and others that come in over the eero WiFi mesh.
- I need to be able to restrict untrusted IoT-type devices that come in over the eero WiFi mesh.
- I need a separate guest network where devices come in over the eero WiFi mesh.
I am open to suggestions at this point with respect to the design. What is the best way to configure the network, given the above use cases and the Fortigate, smart managed switch, and simple wireless access point attached to the switch?