Newbie out of my depth - VLANs

I have some basic networking knowledge and I'm setting up a network to provide internet access to my tenants across 3 buildings with five apartments each. Building 1 is about 100m up the street and buildings 2 and 3 are right next to each other.


I've connected building 1 (with internet connection) to building 2 via an AirMax link. Buildings 2 and 3 are connected via underground Cat6 cable.


I would like to give each apartment internet access with the following requirements:


  1. Limit each apartment's internet speed (both up and down)
  2. Do not limit the speed that each apartment's devices communicate with each other
  3. Ability to isolate each apartment's network from the rest of the network

After looking at the Unifi switches and the way the USG router does QoS, it seems that if I will be limiting their internet speed, I will have to use a switch that has both ingress and egress rate limiting (Unifi switch only does egress). I found a TP-Link switch that does this perfectly. That solves 1. and kind of solves 2.


So my problem now is to create a whole bunch of VLANs so that each apartment has its own network isolated from everything else.


And this is where I'm lost. I know I can create VLANs in the Unifi controller but I can't figure out how I would have to configure tagged and untagged ports on the switch in order to make it all work.


Also, I don't know if by rate limiting the port assigned to each AP, I'll also be slowing down the internal traffic, or does each AP act like a little switch/router, therefore devices connected to it will talk to each other at full wireless speed?


Finally, the reason I've created unique SSIDs for each apartment is so I can control the internet speed for each apartment at the port level.


To summarize, here are my questions:


  1. How do I configure the VLANs for each unit both at the Unifi controller and at the switch?
  2. Does rate limiting the port an AP is connected to slow down internal traffic connected to that AP?


Re: Newbie out of my depth - VLANs

Bump for some help

Re: Newbie out of my depth - VLANs

I have not done this on Unifi, and most of the work you need to do is on the switches, so you probably need to review the TP-Link docs.


But in a nutshell, each port with an AP on the switch needs to be a member of its own VLAN. The ports connecting switches or carrying traffic from multiple VLANs need to be a trunk. Rate limiting the switch port should not affect clients on the same AP.
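
Added example, not part of the thread and not vendor configuration: a small Python model of the access/trunk layout described in the reply above, which audits a VLAN plan for isolation before it is typed into the switches. The topology details are assumptions made for the sketch: one switch per building, the router on a trunk port in building 1, apartment N untagged on VLAN 100+N, and all port names.

```python
from collections import deque

# Constructed plan (assumption): port -> ("access", vlan) or ("trunk", {vlans}).
def build_plan(trunk_vlans_b2_b3):
    all_vlans = set(range(101, 116))
    plan = {"sw1": {"router": ("trunk", all_vlans), "to_sw2": ("trunk", all_vlans)},
            "sw2": {"to_sw1": ("trunk", all_vlans), "to_sw3": ("trunk", trunk_vlans_b2_b3)},
            "sw3": {"to_sw2": ("trunk", trunk_vlans_b2_b3)}}
    for i in range(15):  # five apartments per building, one access port each
        plan[f"sw{i // 5 + 1}"][f"apt{i + 1}"] = ("access", 101 + i)
    return plan

# Inter-switch links (hypothetical port names), listed in both directions.
LINKS = {("sw1", "to_sw2"): ("sw2", "to_sw1"), ("sw2", "to_sw1"): ("sw1", "to_sw2"),
         ("sw2", "to_sw3"): ("sw3", "to_sw2"), ("sw3", "to_sw2"): ("sw2", "to_sw3")}

def carries(port_cfg, vlan):
    """True if the port is a member of the VLAN (untagged access or tagged trunk)."""
    mode, v = port_cfg
    return v == vlan if mode == "access" else vlan in v

def reachable(plan, sw, port):
    """Edge ports (not inter-switch links) a frame from an access port can reach at layer 2."""
    mode, vlan = plan[sw][port]
    if mode != "access":
        raise ValueError("start from an access port")
    seen, out, queue = {sw}, set(), deque([sw])
    while queue:
        cur = queue.popleft()
        for name, cfg in plan[cur].items():
            if (cur, name) == (sw, port) or not carries(cfg, vlan):
                continue
            peer = LINKS.get((cur, name))
            if peer is None:
                out.add(name)  # edge port in the same VLAN
            elif carries(plan[peer[0]][peer[1]], vlan) and peer[0] not in seen:
                seen.add(peer[0])  # VLAN is allowed on both ends of the trunk
                queue.append(peer[0])
    return out

def audit(plan):
    """Map each apartment port to what it reaches; a correct plan gives {'router'} for all."""
    return {p: reachable(plan, sw, p) for sw, ports in plan.items()
            for p, (mode, _) in ports.items() if mode == "access"}
```

An apartment that reaches another `apt` port shares a VLAN it should not, and one that reaches nothing is on a VLAN missing from a trunk on the path to the router.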