Ok, thank you! Not only for the help, but for posting that guide. I guess I have a few questions.
1. Can I just disable Yazfi on all the guest networks, or does it need to be removed completely? Not sure if it does something internally to mess this up.
That I'm not positive on; to be safe I'd uninstall it. Yazfi disables isolation on the stock guest wireless, meaning the VLANs do not get created. I'm not sure if disabling it clears all that out. Honestly, I'd say just factory reset the router and set it up from scratch without Yazfi, as Yazfi also puts in a bunch of firewall rules, virtual interfaces, and other customizations.
2. Essentially I will have 3 VLANs, right? 1, 501, and 502. Let's say I have an 8 port switch plugged into my router on LAN port 1, and the router is plugged into port 1 on the switch. On that switch the only thing I want to separate is port #4. I would assign the PVID 501 to port 4, and would set that part up like this:
| VLAN ID | VLAN Name | Member Ports | Tagged Ports | Untagged Ports | Delete |
|---|---|---|---|---|---|
| 1 | Default | 1-8 | | 1-8 | |
| 501 | 501 | 1,4 | 1 | 4 | |
Is that correct, or am I missing something?
Remove port 4 from VLAN 1; it should say 1-3,5-8 under both member and untagged ports for VLAN 1 in that case. Your VLAN 501 looks correct.
Having 2 VLANs untagged on a port will mix the traffic and you don't know which subnet/VLAN you'll end up in. In theory the PVID will set it straight, but it can still cause problems, especially with DHCP (which you're seeing). So basically only ever have 1 untagged VLAN on a port, and that untagged VLAN should match the PVID (whether it is a trunk port with VLAN 1 untagged or an access port with any VLAN untagged).
Under PVID, port 1 should be 1 and port 4 should be 501. The other ports can stay at 1 to match; just make sure to change them if/when you assign other ports to 501 or 502.
Note that 501 is associated with 2.4 GHz guest wireless 1 and 502 is associated with 5 GHz guest wireless 1. So in a way they're associated with the same guest network, but you can still use both for wired devices since they will be isolated from wireless devices (just not other wired devices). Up to you how you want to divide stuff up; my 2.4 GHz guest 1 is all untrusted devices, so I use that if I need to fix someone's PC and don't trust it to not have a virus. VLAN 502 is "semi-trusted" guests, so I have my work laptop in there. But in reality, wireless guests are isolated from wired ones anyway, so not a big deal; that was just my way of giving it some "order". Two wired devices in the same VLAN will be able to access each other, so if you don't want that, put one in 501 and one in 502.
If you want to add a bit of security for unused ports, you can create a dummy VLAN like 999 and put unused ports into that, untagged, under both VLAN and PVID. Those ports will be non-functional (other than being able to see each other) until you assign them into one of the valid VLANs.
3. I guess I'm a little confused on what to do for the IP of the machine on port 4. Your post says there are no reservations for DHCP, so I didn't want to assign a static IP of 192.168.101.20 for example, and have DHCP accidentally assign that same IP on a different device in the future (if it works like that). When I leave it on auto-assign it basically just breaks and gives a weird network though.
Unfortunately the default DHCP range for those subnets, at least on my router with 386 code, is 2 through 254, so there are no "free" IPs for static assignments. Technically, if the device is always online and pingable, it won't be a problem; DHCP pings an IP before handing it out, so it won't give it out if it is pingable.
But that is all moot - the reason you're getting a weird IP is due to the dual untagged VLANs above. Fix that, and you're all set. DHCP will give it a 192.168.101.x IP. There is really not much reason to set a static IP in the guest VLANs since they are isolated and can't be accessed except by another wired device in that VLAN, and in that case you can just use hostname to access it.
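The rule given above (exactly one untagged VLAN per switch port, and it must match that port's PVID) is easy to get wrong when filling in a switch's web UI, and the symptom is the "weird network" from the DHCP question. Below is an added example, not from the thread or from any vendor, that checks a VLAN table against that rule; the table layout (tagged/untagged port sets per VLAN plus a PVID map) and the port numbers are constructed from the thread's 8-port switch.

```python
from dataclasses import dataclass, field

@dataclass
class Vlan:
    """One row of a managed switch's 802.1Q VLAN table (constructed layout)."""
    vid: int
    tagged: set = field(default_factory=set)
    untagged: set = field(default_factory=set)

def check_vlan_table(vlans, pvid):
    """Return a list of problems; an empty list means the table is consistent.

    Rules checked (from the thread's advice):
      * a port is untagged in at most one VLAN
      * a port's PVID equals the one VLAN it is untagged in
      * a port is not both tagged and untagged in the same VLAN
    """
    problems = []
    untagged_on = {}  # port -> list of VLAN ids it is untagged in
    for v in vlans:
        for port in v.untagged:
            untagged_on.setdefault(port, []).append(v.vid)
        for port in sorted(v.tagged & v.untagged):
            problems.append(f"port {port}: VLAN {v.vid} is both tagged and untagged")
    for port, vids in sorted(untagged_on.items()):
        if len(vids) > 1:
            problems.append(
                f"port {port}: untagged in VLANs {sorted(vids)}; ingress frames "
                f"land in the PVID VLAN but egress mixes both (DHCP breaks)")
    for port, vid in sorted(pvid.items()):
        vids = untagged_on.get(port, [])
        if vid not in vids:
            problems.append(f"port {port}: PVID {vid} but untagged VLANs are {sorted(vids)}")
    return problems

# Table as first proposed in the thread: port 4 untagged in both VLAN 1 and 501.
PROPOSED = [Vlan(1, untagged=set(range(1, 9))), Vlan(501, tagged={1}, untagged={4})]
# Table after the fix: port 4 removed from VLAN 1 (member/untagged 1-3,5-8).
FIXED = [Vlan(1, untagged={1, 2, 3, 5, 6, 7, 8}), Vlan(501, tagged={1}, untagged={4})]
# PVID per port: trunk port 1 and idle ports stay 1, access port 4 is 501.
PVID = {port: 1 for port in range(1, 9)}
PVID[4] = 501

if __name__ == "__main__":
    for name, table in (("proposed", PROPOSED), ("fixed", FIXED)):
        print(name, check_vlan_table(table, PVID) or "OK")
```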