Assigning Guest WiFi AP to a VLAN using DSA

I recently bought a D-Link 2640, which is an MT7621 device using DSA instead of swconfig. I'm having trouble migrating my VLAN config to my new router.

VLAN 3 was just used for mwan but that's not needed anymore so I'm fine without it. VLAN 4 is the one that had tagged packets for the Guest WiFi coming in.

| VLAN ID | LAN1 | LAN2 | LAN3 | LAN4 | WAN |
|---------|------|------|------|------|-----|
| 1       | off  | unt  | unt  | unt  | off |
| 2       | off  | off  | off  | off  | unt |
| 3       | unt  | off  | off  | off  | off |
| 4       | off  | off  | tag  | off  | off |

This is the relevant output of /etc/config/network

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 1 2 3'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 2t'
	option vid '4'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option ports '0t 5'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option ports '0t 4'
	option vid '3'

Should I create VLAN 1 and 2 in the new DSA config? If not, should I just create VLAN 4 with LAN3 as tagged and keep other ports as 'do not participate'? Do I need to set Primary VLAN ID on any of the ports?
I'd be happy to refer to a comprehensive guide or documentation, but I wasn't able to find much on migrating VLAN configs from swconfig to DSA.

Ok, here's some information about my setup.

The router has 4 LAN ports and dual band WiFi. I'm trying to create two wireless APs - personal and guest. The guest AP will be on VLAN 10 and it will only run on 2.4 GHz.

I also have an EAP225 hardware AP connected to LAN4. It also creates a 5 GHz personal and 2.4 GHz guest AP with the guest AP on VLAN 10.

I tried using this config

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'xxx:xxx:xxx::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan.1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option hostname 'sun'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option device 'br-lan.10'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan4:t'

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'HT20'
        option country 'IN'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option htmode 'VHT80'
        option country 'IN'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'personal-ap'
        option encryption 'sae-mixed'
        option key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        option ieee80211w '1'
        option wpa_disable_eapol_key_retries '1'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'guest-ap'
        option encryption 'sae-mixed'
        option key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        option ieee80211w '1'
        option wpa_disable_eapol_key_retries '1'
        option network 'guest'

However, using this config makes the trusted clients in my personal AP stop connecting. My Android phone shows an error saying IP Configuration Failure.

Can someone help me out?

Maybe it helps you, but I recently did something very similar and have all the steps I took here.

@cybrnook I tried following your post but I wasn't successful in configuring what I want.

I'll configure my guest WiFi as mentioned here but it's hardly what I want. I've been unable to solve this issue. The absence of documentation also doesn't help.

tutorial

Edit:

What version of OpenWrt?

I read that post. Sorry, that didn't help me. I was unable to configure VLAN 10 for my Guest AP. I mean, it was working but then the Personal AP stopped working as I've mentioned before.

That post doesn't explain what I need to do if I want to use wireless APs as well.

If it helps, this is how I want the setup to look and work.

What version of OpenWrt?

OpenWrt 21.03-rc3 on D-Link 2640 (MT7621 + MT7615N)

While different to what you describe above, I had a similar issue with WLANx AP config for onboard radios for a master build until I added commit and commit to my build, after which network configs that I had set aside just started working for wireless, one example:

OpenWrt SNAPSHOT, r16966-940c196be1
 -----------------------------------------------------
Linux mamba 5.10.45 #0 SMP Fri Jun 18 12:33:30 2021 armv7l GNU/Linux
root@mamba:/# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix ''

config device
	option name 'wan'
	option macaddr ''

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option name 'lan1'
	option macaddr ''

config device
	option name 'lan2'
	option macaddr ''

config device
	option name 'lan3'
	option macaddr ''

config device
	option name 'lan4'
	option macaddr ''

config device
	option name 'itch0'
	option type 'bridge'
	list ports 'lan4'
	list ports 'lan3'
	list ports 'lan2'
	list ports 'lan1'
	option vlan_filtering '1'
#	option igmp_snooping '1'
#	option stp '1'

config bridge-vlan
	option device 'itch0'
	option vlan '10'
	list ports 'lan4:*'
	list ports 'lan3'
#	list ports 'lan2'
#	list ports 'lan1'
	option alias 'lan'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
#	option ip6assign '56'
#	option ip6hint '10'
	option device 'itch0.lan'

config bridge-vlan
	option device 'itch0'
	option vlan '20'
	list ports 'lan2:t'
	list ports 'lan1:t'
	option alias 'ap'

config interface 'ap'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option device 'itch0.ap'

config bridge-vlan
	option device 'itch0'
	option vlan '30'
	list ports 'lan2:t'
	list ports 'lan1:u*'
	option alias 'iot'

config interface 'iot'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option device 'itch0.iot'

config bridge-vlan
	option device 'itch0'
	option vlan '4094'
	list ports 'lan2:t*'
	option alias 'sink'

config interface 'windscribevpn'
	option proto 'none'
	option device 'tun0'

root@mamba:/# netifd-netinfo.sh -d
           DEVICE     UP    CARRIER    PRESENT   EXTERNAL  TYPE             
=============================================================================
             eth0      x          x          x             Network device   
            itch0      x          x          x             bridge           
         itch0_10      x          x          x             VLAN             
         itch0_20      x          x          x             VLAN             
         itch0_30      x          x          x             VLAN             
             lan1      x                     x             Network device   
             lan2      x                     x             Network device   
             lan3      x                     x             Network device   
             lan4      x          x          x             Network device   
               lo      x          x          x             Network device   
              wan      x          x          x             Network device   
            wiot0      x          x          x          x  Network device   
            wiot1      x          x          x          x  Network device   
            wlan0      x          x          x          x  Network device   
            wlan1      x          x          x          x  Network device   
root@mamba:/# bridge vlan
port              vlan-id  
lan4              10 PVID Egress Untagged
lan3              10 PVID Egress Untagged
lan2              20
                  30
                  4094 PVID
lan1              20
                  30 PVID Egress Untagged
itch0             10
                  20
                  30
                  4094
wlan0             10 PVID Egress Untagged
wlan1             10 PVID Egress Untagged
wiot0             30 PVID Egress Untagged
wiot1             30 PVID Egress Untagged

did not work, then did. Checking the commit log those are still not in 21.x, which I guess means somehow people are making things work, I could not. So, I suggest it is probably worthwhile to try a master image to see if things change; as an aside there were some recent mac80211 commits pushed to master which I think you would find useful given your device and WPA3 in play.
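
The `bridge vlan` table in the last post can be checked mechanically. The following is an added example, not code from the thread: it parses that output and tests whether an interface is an untagged PVID member of a VLAN and whether any port is egress-untagged in more than one VLAN. The function names are made up for this example, and the sample rows are copied (trimmed) from the output above.

```shell
#!/bin/sh
# Added example: audit `bridge vlan` output on a DSA bridge with VLAN filtering.

# Rows taken from the `bridge vlan` output posted above (trimmed).
SAMPLE='port              vlan-id
lan4              10 PVID Egress Untagged
lan2              20
                  30
                  4094 PVID
lan1              20
                  30 PVID Egress Untagged
itch0             10
                  20
                  30
                  4094
wlan0             10 PVID Egress Untagged
wiot0             30 PVID Egress Untagged'

# Normalise to one record per line: <port> <vid> <pvid|-> <untagged|tagged>
parse_bridge_vlan() {
    awk '
        ($1 == "port" && $2 == "vlan-id") || NF == 0 { next }  # header, blanks
        {
            i = 1
            if ($0 ~ /^[^ \t]/) { port = $1; i = 2 }  # new port, else continuation
            if (i > NF) next                          # port without any VLAN
            print port, $i, ($0 ~ /PVID/ ? "pvid" : "-"),
                  ($0 ~ /Egress Untagged/ ? "untagged" : "tagged")
        }'
}

# Succeeds if <port> is an access member (PVID + egress untagged) of <vid>.
is_access_member() {
    parse_bridge_vlan | grep -qxF "$1 $2 pvid untagged"
}

# Prints ports that are egress-untagged in more than one VLAN, i.e. ports
# where frames of two networks (such as lan and guest) would leave untagged.
multi_untagged_ports() {
    parse_bridge_vlan | awk '$4 == "untagged" { n[$1]++ }
        END { for (p in n) if (n[p] > 1) print p }' | sort
}

# Demo on the sample; on the router use: bridge vlan | is_access_member wlan0 10
printf '%s\n' "$SAMPLE" | is_access_member wlan0 10 && echo "wlan0: access port in VLAN 10"
printf '%s\n' "$SAMPLE" | is_access_member lan2 20 || echo "lan2: tagged-only in VLAN 20"
echo "untagged in several VLANs: $(printf '%s\n' "$SAMPLE" | multi_untagged_ports | tr '\n' ' ')"
```

An interface that is attached to a network but missing from this table, or present without `PVID Egress Untagged` for its VLAN, is the first thing to look for when wireless clients get no address after enabling bridge VLAN filtering.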