AP VLAN Tagging

Hi all,
I'm fairly new to OpenWRT, but am finding that it works well for me. I've got some Meraki MR16 APs that I no longer want to pay Cisco large sums of money to use every year, so I've flashed OpenWRT on one and am setting it up to mirror the config I had on the Meraki.
I've got Radius authentication working and multiple SSIDs, with different authentication methods. There are 2 things I can't quite get my head round though.

  1. VLAN Tagging. I've read the Wiki page, but still can't quite work it out. All I want to do is tag traffic on a specific SSID with a particular VLAN ID, some SSIDs remain untagged. The downstream equipment then handles LAN segregation, DHCP, etc. It feels as if it should be simple, and I'm just being a bit slow, any help appreciated.
  2. Simultaneous 2.4 & 5GHz support. On the Meraki it appeared that the AP was running 2.4 & 5GHz simultaneously on a single SSID. From doing some reading, this may not really be true/possible. Is that what 802.11ac is about? If someone can set me straight on this I would again be grateful.

Thanks in advance to all those in the community who take the time to even read posts from clowns like me :wink:

My two cents:

  1. I do not think you want to tag the wireless traffic, but bridge the wireless interface to an ethernet interface that tags external traffic.

  2. Just use the same SSIDs on both the 2.4 and 5 GHz radios, and bridge them to the same network.


Thanks very much, but I need to tag traffic differently depending on the SSID they are connected to. You're correct in that it's the traffic going through the ethernet that needs to be tagged, as it's the downstream router/firewall that will make decisions based on the tag.

Thanks for the tip on frequencies, I'll give it a go.

Each SSID on each physical radio will get its own virtual interface. It’s just a matter of deciding what bridge they join when they come up and what else is in that bridge, such as a VLAN-tagged sub-interface of the SoC’s Ethernet.


Here's a tangible example, bridging traffic on "My Restricted SSID" to eth0.1234 (appropriate switch configuration required past this)

# /etc/config/network
config interface 'vlan1234'  # A readable name; the VLAN comes from eth0.1234, not this name
        option type 'bridge'
        option stp '1'
        option ifname 'eth0.1234'
        option proto 'none'
        option auto '1'
        option delegate '0'

# /etc/config/wireless
config wifi-iface '5Gap'
        option device 'radio5'
        option mode 'ap'
        option ssid 'My Restricted SSID'
        option key 'The pass phrase for this SSID'
        option encryption 'psk2+ccmp'
        option network 'vlan1234'

Tagged and untagged traffic on the same cable is not recommended. Configure your switch port that will be connected to the MR16 so all the VLANs are tagged.

The MR16 has a single Ethernet port with no switch, so to send / receive tagged packets on the Ethernet cable it is only necessary to use eth0.X as the ifname. Change the LAN from eth0 to eth0.1 as is conventional to have VLAN 1 as an internal "management" network.

As @jeff said, you need a separate software bridge in the kernel for each VLAN you want to bridge from wired to wireless. Use eth0.X as the ifname when defining the bridge in /etc/config/network. Then refer to the same bridge in /etc/config/wireless to connect the AP to it. Proto 'none' is typically used here since you don't want the router OS to respond to any packets on the bridge, only to convert from wireless to wired at layer 2.

RADIUS authentication will occur on the LAN network, not the one the AP users will eventually be on.
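Putting the advice in this thread together, here is an added example configuration (not from any of the posts): the management LAN moved to eth0.1, one layer-2 bridge per VLAN, and each SSID defined on both radios. It uses the same `ifname`/`type 'bridge'` syntax as the example above. The VLAN IDs 10 and 20, the radio names radio0/radio1, the SSIDs, and the RADIUS address 192.0.2.10 are all assumptions.

```uci
# /etc/config/network  (constructed example; VLAN IDs 10 and 20 are assumptions)
config interface 'lan'                  # management network, tagged as VLAN 1
        option ifname 'eth0.1'
        option proto 'dhcp'

config interface 'staff'                # layer-2 bridge only, no IP on the AP
        option type 'bridge'
        option ifname 'eth0.10'
        option proto 'none'

config interface 'guest'                # layer-2 bridge only, no IP on the AP
        option type 'bridge'
        option ifname 'eth0.20'
        option proto 'none'

# /etc/config/wireless  (radio0 = 2.4 GHz and radio1 = 5 GHz are assumed names)
config wifi-iface 'staff_2g'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Example-Staff'
        option encryption 'wpa2'        # WPA2-Enterprise (RADIUS)
        option auth_server '192.0.2.10' # placeholder address, reached via 'lan'
        option auth_secret 'REPLACE_WITH_SHARED_SECRET'
        option network 'staff'

config wifi-iface 'staff_5g'            # same SSID on the second radio
        option device 'radio1'
        option mode 'ap'
        option ssid 'Example-Staff'
        option encryption 'wpa2'
        option auth_server '192.0.2.10'
        option auth_secret 'REPLACE_WITH_SHARED_SECRET'
        option network 'staff'

config wifi-iface 'guest_2g'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Example-Guest'
        option encryption 'psk2+ccmp'
        option key 'REPLACE_WITH_PASSPHRASE'
        option network 'guest'

config wifi-iface 'guest_5g'            # same SSID on the second radio
        option device 'radio1'
        option mode 'ap'
        option ssid 'Example-Guest'
        option encryption 'psk2+ccmp'
        option key 'REPLACE_WITH_PASSPHRASE'
        option network 'guest'
```

Because 'staff' and 'guest' use proto 'none', the AP itself has no address on those VLANs; its management access and its RADIUS requests stay on 'lan' (VLAN 1), which the upstream switch port must also carry tagged.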

Thanks very much for the detailed explanation, I think I understand now. I'm travelling for work at the moment, but will try and make it work when I'm back in front of the device!

Thanks for the tip on RADIUS, I hadn't considered that, but authentication happens before tagging is applied by the sounds of things, so nothing to catch me out there luckily.