Best way to setup two openwrt wifi routers?

Hi. I have one openwrt wifi router configured with three internal interfaces, an isolated wired LAN, a WIFI for trusted devices, and a WIFIGUEST for guest devices, plus a WAN interface.
WIFIGUEST is isolated from all other interfaces and only connects to internet.
From LAN you can connect to any LAN or WIFI devices and to internet.
From WIFI you can't see LAN, only other devices in WIFI and internet.
This setup works fine.

Now I want to set up a new openwrt wifi router, configure it as the main router, and use the old one as a secondary, as an access point and also as a switch, and keep the isolation. Both routers are connected by ethernet. If I plug a wired computer into the secondary router it works fine. The problem is with the wireless.

As I'm writing this I was trying to make a new setup, adding two tagged vlan interfaces in each router, so in the ethernet cable there will be three isolated streams, one for the lan switch, one for connecting/bridging WIFI and another to connect/bridge WIFIGUEST between the two routers. Would this work?

Any ideas, or a good tutorial for the kind of setup I want to do?

Thanks in advance.


Yes, this will work. The details depend very much on the specific devices you are using.

This one will be useful for at least the initial configuration of the AP/switch device, but it doesn't include VLANs:

For the VLAN configuration, I would suggest that you post the configs here so that we can a) review them, and b) recommend the right path/resources (or directly suggest changes) for the trunk configuration to work as expected.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks. This guide will help for sure. I saw that I needed to set up the three interfaces in the secondary router, each one with its respective gateway IP.

e.g. Primary Router:
3 interfaces ( + WAN & WAN6 omitted here)
LAN: 192.168.22.254/24
WIFI: 192.168.23.254/24
WIFIGUEST: 192.168.24.254/24
(none of them with default gateway, so it takes it from WAN)
(3 devices):
br-lan: vlan eth0.1 + eth1 + eth2
br-wifi: vlan eth0.2 + MyWIFI radios
br-wifiguest: vlan eth0.3 + MyGuestWIFI radios

Secondary router
(3 interfaces)
LAN: 192.168.22.1/24 gw 192.168.22.254
WIFI: 192.168.23.1/24 gw 192.168.23.254
WIFIGUEST: 192.168.24.1/24 gw 192.168.24.254
(3 devices)
br-lan: vlan eth0.1 + eth1 + eth2 + eth3
br-wifi: vlan eth0.2 + MyWIFI radios
br-wifiguest: vlan eth0.3 + MyGuestWIFI radios

Will try some configuration like this tomorrow as soon as I can. I need to remember to back up the config of the secondary router (now my one and only), just in case I need to revert again. (Learned that yesterday the painful way).

These two can be unmanaged on the secondary router. That is recommended since the 2nd router only needs a single address and that will be the address/network that is used to manage the device itself.

The strategy otherwise looks fine, although there may be considerations regarding how the bridges are set up if you're on DSA vs swconfig.


Thank you Peter.

Now I have the setup partially working with your suggestion of unmanaged interfaces.

The primary router (Mercusys MR90x) is connecting OK to my ISP. Devices are connecting to their wifi and guest wifi and using internet as usual. Only exposing new SSIDs here to help me debug and check that all is working. SQM seems to work well and better than the old linksys MR8300.

For now, the secondary router (the linksys) is exposing the same old SSID wifis; they are bridged (or "trunked") via the ethernet connection to the primary router. WIFI devices connect via the old SSIDs, get DHCP from the primary router, and connect to the internet as usual.

With my PC, connected to any of the old or new SSIDs, I can connect to and manage both routers simultaneously via https/443 or ssh/22.

In the secondary router (which was the only one until now) I have for years had an HDD drive connected (the Mercusys doesn't have a USB port). This drive was and is exposed via NFS to the network. The primary router now also backs up the config and the vnstat files to an NFS share (I have yet to solve how to make this mount survive reboots). This NFS share should also be accessible from the private wifi.

The secondary router reaches internet ok, opkg update works, and pings other servers like 8.8.8.8 or by name www.google.com.

But, when I connect a PC via wired ethernet to a switch port of the secondary router (one of the ones that are not tagged), the PC does not receive an IP address. If I manually assign an IP address to the PC, it reaches 192.168.22.1 (ports 22 or 443 to manage openwrt, and I can even mount the NFS share or access the transmission daemon on port 9091), but it cannot reach the internet, not even the new primary router 192.168.22.254.

Here are the configs of the primary router

root@OpenWrt:/etc/config# ubus call system board
{
        "kernel": "6.6.93",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "MERCUSYS MR90X v1",
        "board_name": "mercusys,mr90x-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.2",
                "revision": "r28739-d9340319c6",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.2 r28739-d9340319c6",
                "builddate": "1750711236"
        }
}
root@OpenWrt:/etc/config# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan0.1'
        list ports 'lan1'
        list ports 'lan2'

config device
        option name 'lan0'
        option macaddr '11:22:33:44:55:66'

config device
        option name 'lan1'
        option macaddr '11:22:33:44:55:66'

config device
        option name 'lan2'
        option macaddr '11:22:33:44:55:66'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.22.254'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'pppoe'
        option username 'isp.user'
        option password 'isp.password'
        option ipv6 'auto'
        option mtu '1492'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config interface 'wifi'
        option proto 'static'
        option device 'br-wifi'
        option ipaddr '192.168.23.254'
        option netmask '255.255.255.0'

config interface 'wifiguest'
        option proto 'static'
        option device 'br-wifiguest'
        option ipaddr '192.168.24.254'
        option netmask '255.255.255.0'

config device
        option type 'bridge'
        option name 'br-wifi'
        list ports 'lan0.2'

config device
        option type 'bridge'
        option name 'br-wifiguest'
        list ports 'lan0.3'

config device
        option type '8021q'
        option ifname 'lan0'
        option vid '1'
        option name 'lan0.1'

config device
        option type '8021q'
        option ifname 'lan0'
        option vid '2'
        option name 'lan0.2'

config device
        option type '8021q'
        option ifname 'lan0'
        option vid '3'
        option name 'lan0.3'

root@OpenWrt:/etc/config# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel '13'
        option htmode 'HE20'
        option txpower '20'
        option cell_density '0'
        option country 'JP'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel '112'
        option htmode 'HE160'
        option cell_density '0'
        option country 'JP'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'MyNewSSID'
        option encryption 'sae'
        option key 'a.goog.password'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ocv '0'
        option network 'wifi'
        option nasid 'mercusys'
        option mobility_domain 'caca'
        list maclist '11:22:33:44:55:66'

config wifi-iface 'wifinet1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'MyNewSSID'
        option encryption 'sae'
        option key 'a.goog.password'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ocv '0'
        option network 'wifi'
        option nasid 'mercusys'
        option mobility_domain 'caca'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'MyNewSSIDL'
        option encryption 'psk2'
        option key 'a.good.password'
        option ieee80211r '1'
        option nasid 'linksys'
        option mobility_domain 'caca'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option network 'wifi'

root@OpenWrt:/etc/config# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        list doh_backup_server ''
        list doh_backup_server '/mask.icloud.com/'
        list doh_backup_server '/mask-h2.icloud.com/'
        list doh_backup_server '/use-application-dns.net/'
        list doh_backup_server '127.0.0.1#5053'
        list doh_backup_server '127.0.0.1#5054'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        list server '127.0.0.1#5054'
        list server '127.0.0.1#5055'
        list doh_server '127.0.0.1#5053'
        list doh_server '127.0.0.1#5054'
        list doh_server '127.0.0.1#5055'
        list address '/choice.microsoft.com/127.0.0.3'
        list address '/settings-win.data.microsoft.com/127.0.0.3'
        list address '/dnstesting.data.microsoft.com/127.0.0.3'
        list address '/vortex.data.microsoft.com/127.0.0.3'
        list address '/telemetry.microsoft.com/127.0.0.3'
        list address '/vortex-win.data.microsoft.com/127.0.0.3'
        list address '/vortex-sandbox.data.microsoft.com/127.0.0.3'
        list address '/telemetry.urs.microsoft.com/127.0.0.3'
        list address '/sqm.telemetry.microsoft.com/127.0.0.3'
        list address '/df.telemetry.microsoft.com/127.0.0.3'
        list address '/feedback.search.microsoft.com/127.0.0.3'
        list address '/feedback.windows.com/127.0.0.3'
        list address '/oca.telemetry.microsoft.com/127.0.0.3'
        list address '/sqm.df.telemetry.microsoft.com/127.0.0.3'
        list address '/telecommand.telemetry.microsoft.com/127.0.0.3'
        list address '/telemetry.appex.bing.net/127.0.0.3'
        list address '/oca.microsoft.com/127.0.0.3'
        list address '/kmwatsonc.telemetry.microsoft.com/127.0.0.3'
        list address '/v10.events.data.microsoft.com/127.0.0.3'
        list address '/v10c.events.data.microsoft.com/127.0.0.3'
        list address '/v10.vortex-win.data.microsoft.com/127.0.0.3'
        list address '/watson.telemetry.microsoft.com/127.0.0.3'
        list address '/watson.microsoft.com/127.0.0.3'
        list address '/umwatsonc.telemetry.microsoft.com/127.0.0.3'
        list address '/umwatsonc.events.data.microsoft.com/127.0.0.3'
        list address '/ceuswatcab01.blob.core.windows.net/127.0.0.3'
        list address '/ceuswatcab02.blob.core.windows.net/127.0.0.3'
        list address '/eaus2watcab01.blob.core.windows.net/127.0.0.3'
        list address '/eaus2watcab02.blob.core.windows.net/127.0.0.3'
        list address '/weus2watcab01.blob.core.windows.net/127.0.0.3'
        list address '/weus2watcab02.blob.core.windows.net/127.0.0.3'
        list address '/kmwatsonc.events.data.microsoft.com/127.0.0.3'
        list address '/watson.live.com/127.0.0.3'
        list address '/wns.notify.windows.com.akadns.net/127.0.0.3'
        list address '/v10-win.vortex.data.microsoft.com.akadns.net/127.0.0.3'
        list address '/us.vortex-win.data.microsoft.com/127.0.0.3/'
        list address '/us-v10.events.data.microsoft.com/127.0.0.3'
        list address '/watson.ppe.telemetry.microsoft.com/127.0.0.3'
        list address '/telemetry.remoteapp.windowsazure.com/127.0.0.3'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'wifi'
        option interface 'wifi'
        option start '100'
        option limit '150'
        option leasetime '12h'

config host
        option name 'host1'
        option ip '192.168.23.167'
        list mac '11:22:33:44:55:66'

root@OpenWrt:/etc/config# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'


config rule
        option name 'Kodi Remote http-8080'
        option src 'wifi'
        option dest 'lan'
        option dest_port '8080'
        option target 'ACCEPT'
        list proto 'tcp'
        list dest_ip '192.168.22.2'

config rule
        option name 'Allow-NFS-RPC'
        option proto 'tcp udp'
        option dest_port '111'
        option target 'ACCEPT'
        option src 'wifi'

config rule
        option name 'Allow-NFS'
        option proto 'tcp udp'
        option dest_port '2049'
        option target 'ACCEPT'
        option src 'wifi'

config rule
        option name 'Allow-NFS-Lock'
        option proto 'tcp udp'
        option target 'ACCEPT'
        option dest_port '32777-32780'
        option src 'wifi'

config rule
        option name 'Allow-Transmission-UI'
        list proto 'tcp'
        option src 'wifi'
        list dest_ip '192.168.22.1'
        option dest_port '9091'
        option target 'ACCEPT'

config rule
        option name 'Allow DHCP from WIFIG'
        list proto 'udp'
        option src 'wifiguest'
        option src_port '68'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Allow DNS from WIFIG'
        option src 'wifiguest'
        list dest_ip '192.168.24.1'
        option dest_port '53'
        option target 'ACCEPT'

config zone
        option name 'wifi'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wifi'

config zone
        option name 'wifiguest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wifiguest'

config forwarding
        option src 'wifi'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'wifi'

config rule
        option src 'wifi'
        option dest 'lan'
        list dest_ip '192.168.22.1'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'

and here is the config of the secondary one

root@linksys:~# ubus call system board
{
        "kernel": "6.6.93",
        "hostname": "linksys",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "Linksys MR8300 (Dallas)",
        "board_name": "linksys,mr8300",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.2",
                "revision": "r28739-d9340319c6",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 24.10.2 r28739-d9340319c6",
                "builddate": "1750711236"
        }
}
root@linksys:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '::/48'
        option packet_steering '2'
        option steering_flows '128'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1.1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr '11:22:33:44:55:66'

config device
        option name 'lan2'
        option macaddr '11:22:33:44:55:66'

config device
        option name 'lan3'
        option macaddr '11:22:33:44:55:66'

config device
        option name 'lan4'
        option macaddr '11:22:33:44:55:66'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.22.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.22.254'
        list dns '192.168.22.254'

config device
        option name 'wan'
        option macaddr '11:22:33:44:55:66'

config device
        option type 'bridge'
        option name 'br-wifi'
        list ports 'lan1.2'

config interface 'wifi'
        option proto 'none'
        option device 'br-wifi'

config device
        option type 'bridge'
        option name 'br-wifiguest'
        list ports 'lan1.3'

config interface 'wifiguest'
        option proto 'none'
        option device 'br-wifiguest'

config device
        option type '8021q'
        option ifname 'lan1'
        option vid '1'
        option name 'lan1.1'

config device
        option type '8021q'
        option ifname 'lan1'
        option vid '2'
        option name 'lan1.2'

config device
        option type '8021q'
        option ifname 'lan1'
        option vid '3'
        option name 'lan1.3'

root@linksys:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel 'auto'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'MyOldSSID'
        option encryption 'sae'
        option key 'a.good.password'
        option network 'wifi'
        option macfilter 'allow'
        option skip_inactivity_poll '1'
        option ieee80211r '1'
        option mobility_domain 'caca'
        option ft_over_ds '0'
        option disassoc_low_ack '0'
        option ocv '0'
        list maclist '11:22:33:44:55:66'
        option nasid 'openwrt2'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option channel 'auto'
        option band '2g'
        option htmode 'HT40'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'wifi'
        option mode 'ap'
        option ssid 'MyOldSSID'
        option encryption 'sae'
        option key 'a.good.password'
        option macfilter 'allow'
        option skip_inactivity_poll '1' 
        option ieee80211r '1'
        option mobility_domain 'caca'
        option ft_over_ds '0'
        option disassoc_low_ack '0'
        option ocv '0'
        list maclist '11:22:33:44:55:66'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option channel 'auto'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option mode 'ap'
        option ssid 'MyOldSSID'
        option encryption 'sae'
        option key 'a.good.password'
        option network 'wifi'
        option macfilter 'allow'
        option skip_inactivity_poll '1'
        option ieee80211r '1'
        option mobility_domain 'caca'
        option ft_over_ds '0'
        option disassoc_low_ack '0'
        option ocv '0'
        list maclist '11:22:33:44:55:66'

config wifi-iface 'wifinet6'
        option device 'radio0'
        option mode 'ap'
        option ssid 'MyOldSSIDL'
        option encryption 'psk2+ccmp'
        option macfilter 'allow'
        option key 'another.password'
        option ieee80211w '1'
        option network 'wifi'
        list maclist '11:22:33:44:55:66'
        option ocv '0'

config wifi-iface 'wifinet7'
        option device 'radio1'
        option mode 'ap'
        option ssid 'MyOldSSIDL'
        option encryption 'psk2'
        option macfilter 'allow'
        option key 'another.password'
        option network 'wifi'
        list maclist '11:22:33:44:55:66'

config wifi-iface 'wifinet8'
        option device 'radio2'
        option mode 'ap'
        option ssid 'MyOldSSIDL'
        option encryption 'psk2'
        option macfilter 'allow'
        option network 'wifi'
        option key 'another.password'

config wifi-iface 'wifinet9'
        option device 'radio1'
        option mode 'ap'
        option ssid 'MyOldSSIDG'
        option encryption 'sae-mixed'
        option isolate '1'
        option key 'guest.password'
        option network 'wifiguest'
        option ocv '0'

root@linksys:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '2000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'lan'
        list interface 'wifi'
        list interface 'wifiguest'
        list server '127.0.0.1#5054'
        list server '/use-application-dns.net/'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '127.0.0.1#5053'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ignore '1'
        option start '100'
        option limit '150'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'wifi'
        option interface 'wifi'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ignore '1'

config dhcp 'wifiguest'
        option interface 'wifiguest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ignore '1'

config host
        option name 'host1'
        option dns '1'
        option mac '11:22:33:44:55:66'
        option ip '192.168.23.114'

root@linksys:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-NFS-RPC'
        option proto 'tcp udp'
        option dest_port '111'
        option target 'ACCEPT'
        option src 'wifi'

config rule
        option name 'Allow-NFS'
        option proto 'tcp udp'
        option dest_port '2049'
        option target 'ACCEPT'
        option src 'wifi'

config rule
        option name 'Allow-NFS-Lock'
        option proto 'tcp udp'
        option target 'ACCEPT'
        option dest_port '32777-32780'
        option src 'wifi'

config rule
        option name 'Allow-Transmission-UI'
        list proto 'tcp'
        option src 'wifi'
        list dest_ip '192.168.22.1'
        option dest_port '9091'
        option target 'ACCEPT'

config rule
        option name 'Allow DHCP from WIFIG'
        list proto 'udp'
        option src 'wifiguest'
        option src_port '68'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Allow DNS from WIFIG'
        option src 'wifiguest'
        list dest_ip '192.168.24.1'
        option dest_port '53'
        option target 'ACCEPT'

config zone
        option name 'wifi'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wifi'

config zone
        option name 'wifiguest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wifiguest'

config forwarding
        option src 'wifi'
        option dest 'wan'

config forwarding
        option src 'wifiguest'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'wifi'

Both of these routers are configured incorrectly with respect to the VLANs.

You need to be using bridge-vlan syntax for DSA

I can guide you through the process, but I need to know what your port-vlan memberships are. In other words, for each port, tell me what VLANs should be present. For example:

  • lan0: lan VLAN22 only, untagged+PVID
  • lan1: wifi VLAN 23 only, untagged + PVID
  • lan2: trunk VLANs 22, 23, 24 all tagged.

Those are just made up, but I need you to provide your goals for each port.

There are also numerous other issues, but I will address those later.


I want to have 3 networks. LAN, WIFI and WIFIGUEST.

For the primary router (Mercusys WAN+3 ports):

  • WAN Port for PPPOE.
  • lan0 (trunk to lan1 in Linksys, so all three networks LAN, WIFI and WIFIGUEST send traffic through it, that was intended with the three VLANs)
  • lan1 and lan2 (LAN network, untagged)
  • this router is the only one that will route layer 3, so some services in LAN can be accessed from WIFI

For the secondary router

  • WAN port (not used for now)
  • lan1 (trunk to lan0 in Mercusys, all three networks...)
  • lan2, lan3 and lan4 (LAN network, untagged)

So, according to my understanding of the DSA Mini Tutorial, the resulting configurations will be something like this:
Primary router

config device 'switch'
	option name 'switch'
	option type 'bridge'
	option macaddr 'REDACTED'
	list ports 'lan0'
	list ports 'lan1'
	list ports 'lan2'

config bridge-vlan 'lan_vlan'
	option device 'switch'
	option vlan '11'
	list ports 'lan0:t'
	list ports 'lan1:u*'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'switch'
	option vlan '22'
	list ports 'lan0:t'
	 
config bridge-vlan
	option device 'switch'
	option vlan '33'
	list ports 'lan0:t'

config interface 'lan'
	option device 'switch.11'
	option proto 'static'
	option ipaddr '192.168.22.254'
	option netmask '255.255.255.0'
	option ip6assign '60'
	
config interface 'wifi'
	option device 'switch.22'
	option proto 'static'
	option ipaddr '192.168.23.254'
	option netmask '255.255.255.0'

config interface 'wifiguest'
	option device 'switch.33'
	option proto 'static'
	option ipaddr '192.168.24.254'
	option netmask '255.255.255.0'

and the configuration for the secondary would be:

config device 'switch'
	option name 'switch'
	option type 'bridge'
	option macaddr 'REDACTED'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan 'lan_vlan'
	option device 'switch'
	option vlan '11'
	list ports 'lan1:t'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'switch'
	option vlan '22'
	list ports 'lan1:t'
	
config bridge-vlan
	option device 'switch'
	option vlan '33'
	list ports 'lan1:t'

config interface 'lan'
	option device 'switch.11'
	option proto 'static'
	option ipaddr '192.168.22.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.22.254'
	list dns '192.168.22.254'
	
config interface 'wifi'
	option device 'switch.22'
	option proto 'none'

config interface 'wifiguest'
	option device 'switch.33'
	option proto 'none'

Am I on the right path?

Yes... that looks much better!

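Before committing a bridge-vlan layout like the secondary router config proposed above, it is worth checking that every port named in a `bridge-vlan` is really a member of the bridge, that no port is PVID in two VLANs, and that both ends of the trunk carry the same tagged VLAN set. The checker below is an added example, not code from the thread or from OpenWrt; it assumes only the UCI syntax shown in the posts, and the sample config embedded in it is constructed from the posted secondary config (with its missing `lan3` bridge port).

```python
# Added example, not code from the thread or from OpenWrt. It parses the
# UCI syntax posted above and checks the port/VLAN memberships the reviewer
# asked about; the samples below are constructed from the posted config.
import re
from collections import defaultdict

# Constructed sample: the secondary router's proposed config as posted,
# including its slip (lan3 is used in VLAN 11 but is not a bridge port).
SECONDARY = """
config device 'switch'
    option name 'switch'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan4'

config bridge-vlan 'lan_vlan'
    option device 'switch'
    option vlan '11'
    list ports 'lan1:t'
    list ports 'lan2:u*'
    list ports 'lan3:u*'
    list ports 'lan4:u*'

config bridge-vlan
    option device 'switch'
    option vlan '22'
    list ports 'lan1:t'

config bridge-vlan
    option device 'switch'
    option vlan '33'
    list ports 'lan1:t'
"""

# Same layout with the port list corrected to lan1..lan4 once each.
SECONDARY_FIXED = SECONDARY.replace(
    "    list ports 'lan1'\n    list ports 'lan1'\n    list ports 'lan2'\n",
    "    list ports 'lan1'\n    list ports 'lan2'\n    list ports 'lan3'\n")

_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")


def parse_uci(text):
    """Return UCI sections as dicts: type, name, options{}, lists{}."""
    sections = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        kind, key, value = m.groups()
        if kind == "config":
            sections.append({"type": key, "name": value,
                             "options": {}, "lists": defaultdict(list)})
        elif kind == "option":
            sections[-1]["options"][key] = value
        else:
            sections[-1]["lists"][key].append(value)
    return sections


def check_vlans(text):
    """Return a sorted list of bridge-vlan problems in one router's config."""
    secs = parse_uci(text)
    problems, bridges, pvid = [], {}, defaultdict(list)
    for s in secs:  # collect each bridge's member ports
        if s["type"] == "device" and s["options"].get("type") == "bridge":
            ports = s["lists"]["ports"]
            if len(ports) != len(set(ports)):
                problems.append(f"bridge {s['options']['name']}: duplicate ports {ports}")
            bridges[s["options"]["name"]] = set(ports)
    for s in secs:  # every port named in a VLAN must belong to that bridge
        if s["type"] != "bridge-vlan":
            continue
        br, vid = s["options"].get("device"), s["options"].get("vlan")
        if br not in bridges:
            problems.append(f"vlan {vid}: device {br} is not a bridge")
            continue
        for entry in s["lists"]["ports"]:
            port, _, flags = entry.partition(":")
            if port not in bridges[br]:
                problems.append(f"vlan {vid}: port {port} is not a member of bridge {br}")
            if "*" in flags:  # ':u*' marks the port's PVID; only one allowed
                pvid[(br, port)].append(vid)
    for (br, port), vids in pvid.items():
        if len(vids) > 1:
            problems.append(f"port {port} on {br} is PVID in several VLANs: {vids}")
    return sorted(problems)


def tagged_vlans(text, port):
    """VLAN ids that `port` carries tagged (':t'); run on both routers and
    compare the trunk ports (lan0 on the primary, lan1 on the secondary)."""
    return {s["options"]["vlan"] for s in parse_uci(text)
            if s["type"] == "bridge-vlan" and f"{port}:t" in s["lists"]["ports"]}
```

Run `check_vlans` on each router's /etc/config/network and compare `tagged_vlans(primary, "lan0")` with `tagged_vlans(secondary, "lan1")`; any difference means one side of the cable drops a VLAN.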

Hi Peter.

This is the current configuration of primary router (Mercusys MR90X)

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'REDACTED-IPv6::/48'
        option packet_steering '1'
        option steering_flows '128'

config device
        option name 'lan0'
        option macaddr 'REDACTED-MAC'

config device
        option name 'lan1'
        option macaddr 'REDACTED-MAC'

config device
        option name 'lan2'
        option macaddr 'REDACTED-MAC'

config interface 'lan'
        option device 'bridge.11'
        option proto 'static'
        option ipaddr '192.168.22.254'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'pppoe'
        option username 'isp.user'
        option password 'isp.pass'
        option ipv6 'auto'
        option mtu '1492'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config interface 'wifi'
        option proto 'static'
        option device 'bridge.22'
        option ipaddr '192.168.23.254'
        option netmask '255.255.255.0'

config interface 'wifiguest'
        option proto 'static'
        option device 'bridge.33'
        option ipaddr '192.168.24.254'
        option netmask '255.255.255.0'

config device
        option type 'bridge'
        option name 'bridge'
        list ports 'lan0'
        list ports 'lan1'
        list ports 'lan2'

config bridge-vlan
        option device 'bridge'
        option vlan '11'
        list ports 'lan0:t'
        list ports 'lan1:u*'
        list ports 'lan2:u*'

config bridge-vlan
        option device 'bridge'
        option vlan '22'
        list ports 'lan0:t'

config bridge-vlan
        option device 'bridge'
        option vlan '33'
        list ports 'lan0:t'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel '13'
        option htmode 'HE40'
        option txpower '20'
        option cell_density '0'
        option country 'JP'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel 'auto'
        option htmode 'HE80'
        option cell_density '0'
        option country 'JP'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'MyWIFI'
        option encryption 'sae'
        option key 'a.good.password'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ocv '0'
        option network 'wifi'
        option nasid 'mercusys'
        option mobility_domain 'caca'
        list maclist 'REDACTED'

config wifi-iface 'wifinet1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'MyWIFI-5Ghz'
        option encryption 'sae'
        option key 'a.good.password'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ocv '1'
        option network 'wifi'
        option nasid 'mercusys'
        option mobility_domain 'caca'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'MyWIFIG'
        option encryption 'sae-mixed'
        option key 'another.password'
        option ocv '0'
        option network 'wifiguest'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'MyWIFIL'
        option encryption 'psk2'
        option key 'a.good.password'
        option network 'wifi'
        option macfilter 'allow'
        list maclist 'REDACTED'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'lan'
        list interface 'wifi'
        list interface 'wifiguest'
        list server '127.0.0.1#5054'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        list server '127.0.0.1#5055'
        list address '/choice.microsoft.com/127.0.0.3'
        list address '/settings-win.data.microsoft.com/127.0.0.3'
        list address '/dnstesting.data.microsoft.com/127.0.0.3'
        list address '/vortex.data.microsoft.com/127.0.0.3'
        list address '/telemetry.microsoft.com/127.0.0.3'
        list address '/vortex-win.data.microsoft.com/127.0.0.3'
        list address '/vortex-sandbox.data.microsoft.com/127.0.0.3'
        list address '/telemetry.urs.microsoft.com/127.0.0.3'
        list address '/sqm.telemetry.microsoft.com/127.0.0.3'
        list address '/df.telemetry.microsoft.com/127.0.0.3'
        list address '/feedback.search.microsoft.com/127.0.0.3'
        list address '/feedback.windows.com/127.0.0.3'
        list address '/oca.telemetry.microsoft.com/127.0.0.3'
        list address '/sqm.df.telemetry.microsoft.com/127.0.0.3'
        list address '/telecommand.telemetry.microsoft.com/127.0.0.3'
        list address '/telemetry.appex.bing.net/127.0.0.3'
        list address '/oca.microsoft.com/127.0.0.3'
        list address '/kmwatsonc.telemetry.microsoft.com/127.0.0.3'
        list address '/v10.events.data.microsoft.com/127.0.0.3'
        list address '/v10c.events.data.microsoft.com/127.0.0.3'
        list address '/v10.vortex-win.data.microsoft.com/127.0.0.3'
        list address '/watson.telemetry.microsoft.com/127.0.0.3'
        list address '/watson.microsoft.com/127.0.0.3'
        list address '/umwatsonc.telemetry.microsoft.com/127.0.0.3'
        list address '/umwatsonc.events.data.microsoft.com/127.0.0.3'
        list address '/ceuswatcab01.blob.core.windows.net/127.0.0.3'
        list address '/ceuswatcab02.blob.core.windows.net/127.0.0.3'
        list address '/eaus2watcab01.blob.core.windows.net/127.0.0.3'
        list address '/eaus2watcab02.blob.core.windows.net/127.0.0.3'
        list address '/weus2watcab01.blob.core.windows.net/127.0.0.3'
        list address '/weus2watcab02.blob.core.windows.net/127.0.0.3'
        list address '/kmwatsonc.events.data.microsoft.com/127.0.0.3'
        list address '/watson.live.com/127.0.0.3'
        list address '/wns.notify.windows.com.akadns.net/127.0.0.3'
        list address '/v10-win.vortex.data.microsoft.com.akadns.net/127.0.0.3'
        list address '/us.vortex-win.data.microsoft.com/127.0.0.3/'
        list address '/us-v10.events.data.microsoft.com/127.0.0.3'
        list address '/watson.ppe.telemetry.microsoft.com/127.0.0.3'
        list address '/telemetry.remoteapp.windowsazure.com/127.0.0.3'
        list address '/router.local/router.lan/192.168.22.254'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        list doh_backup_server '127.0.0.1#5054'
        list doh_backup_server '/mask.icloud.com/'
        list doh_backup_server '/mask-h2.icloud.com/'
        list doh_backup_server '/use-application-dns.net/'
        list doh_backup_server '127.0.0.1#5053'
        list doh_server '127.0.0.1#5053'
        list doh_server '127.0.0.1#5055'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'wifi'
        option interface 'wifi'
        option start '100'
        option limit '150'
        option leasetime '12h'

config host
        option name 'oneofseveral'
        option ip '192.168.23.167'
        list mac 'REDACTED'

config dhcp 'wifiguest'
        option interface 'wifiguest'
        option start '100'
        option limit '150'
        option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option enabled '0'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Kodi Remote http-8080'
        option src 'wifi'
        option dest 'lan'
        option dest_port '8080'
        option target 'ACCEPT'
        list proto 'tcp'
        list dest_ip '192.168.22.2'

config rule
        option name 'Allow-NFS-RPC'
        option proto 'tcp udp'
        option dest_port '111'
        option target 'ACCEPT'
        option src 'wifi'
        option dest 'lan'
        list dest_ip '192.168.22.1'

config rule
        option name 'Allow-NFS'
        option proto 'tcp udp'
        option dest_port '2049'
        option target 'ACCEPT'
        option src 'wifi'
        option dest 'lan'
        list dest_ip '192.168.22.1'

config rule
        option name 'Allow-NFS-Lock'
        option proto 'tcp udp'
        option target 'ACCEPT'
        option dest_port '32777-32780'
        option src 'wifi'
        option dest 'lan'
        list dest_ip '192.168.22.1'

config rule
        option name 'Allow-Transmission-UI'
        list proto 'tcp'
        option src 'wifi'
        list dest_ip '192.168.22.1'
        option dest_port '9091'
        option target 'ACCEPT'
        option dest 'lan'

config rule
        option name 'Allow DHCP from WIFIGUEST'
        list proto 'udp'
        option src 'wifiguest'
        option src_port '68'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Allow DNS from WIFIGUEST'
        option src 'wifiguest'
        list dest_ip '192.168.24.1'
        option dest_port '53'
        option target 'ACCEPT'

config zone
        option name 'wifi'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wifi'

config zone
        option name 'wifiguest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wifiguest'

config forwarding
        option src 'wifi'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'wifi'

config forwarding
        option src 'wifiguest'
        option dest 'wan'

config rule
        option src 'wifi'
        option name 'Allow DHCP from WIFI'
        list proto 'udp'
        option src_port '68'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option src 'wifi'
        option name 'Allow DNS from WIFI'
        option dest_port '53'
        option target 'ACCEPT'

This is the current configuration of the secondary openwrt (Linksys MR8300) now functioning only as AP and bridge.

root@linksys:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'REDACTED-IPv6::/48'
        option packet_steering '2'
        option steering_flows '128'

config device
        option name 'lan1'
        option macaddr 'REDACTED-MAC'

config device
        option name 'lan2'
        option macaddr 'REDACTED-MAC'

config device
        option name 'lan3'
        option macaddr 'REDACTED-MAC'

config device
        option name 'lan4'
        option macaddr 'REDACTED-MAC'

config interface 'lan'
        option device 'bridge.11'
        option proto 'static'
        option ipaddr '192.168.22.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.22.254'
        list dns '192.168.22.254'

config device
        option name 'wan'
        option macaddr 'REDACTED-MAC2'

config interface 'wifi'
        option proto 'none'
        option device 'bridge.22'

config interface 'wifiguest'
        option proto 'none'
        option device 'bridge.33'

config device
        option type 'bridge'
        option name 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option device 'bridge'
        option vlan '11'
        list ports 'lan1:t'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'bridge'
        option vlan '22'
        list ports 'lan1:t'

config bridge-vlan
        option device 'bridge'
        option vlan '33'
        list ports 'lan1:t'

root@linksys:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel 'auto'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'MyWIFI'
        option encryption 'sae'
        option key 'a.good.password'
        option network 'wifi'
        option macfilter 'allow'
        option skip_inactivity_poll '1'
        option ieee80211r '1'
        option mobility_domain 'caca'
        option ft_over_ds '0'
        option disassoc_low_ack '0'
        option ocv '0'
        list maclist 'REDACTED'
        option nasid 'openwrt2'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HT40'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'wifi'
        option mode 'ap'
        option ssid 'MyWIFI'
        option encryption 'sae'
        option key 'a.good.password'
        option macfilter 'allow'
        option skip_inactivity_poll '1'
        option ieee80211r '1'
        option mobility_domain 'caca'
        option ft_over_ds '0'
        option disassoc_low_ack '0'
        option ocv '0'
        list maclist 'REDACTED'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option channel 'auto'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option mode 'ap'
        option ssid 'MyWIFI'
        option encryption 'sae'
        option key 'a.good.password'
        option network 'wifi'
        option macfilter 'allow'
        option skip_inactivity_poll '1'
        option ieee80211r '1'
        option mobility_domain 'caca'
        option ft_over_ds '0'
        option disassoc_low_ack '0'
        option ocv '0'
        list maclist 'REDACTED'

config wifi-iface 'wifinet6'
        option device 'radio0'
        option mode 'ap'
        option ssid 'MyWIFIL'
        option encryption 'psk2+ccmp'
        option macfilter 'allow'
        option key 'a.good.password'
        option ieee80211w '1'
        option network 'wifi'
        option ocv '0'
        list maclist 'REDACTED'

config wifi-iface 'wifinet7'
        option device 'radio1'
        option mode 'ap'
        option ssid 'MyWIFIL'
        option encryption 'psk2'
        option macfilter 'allow'
        option key 'a.good.password'
        option network 'wifi'
        list maclist 'REDACTED'

config wifi-iface 'wifinet8'
        option device 'radio2'
        option mode 'ap'
        option ssid 'MyWIFIL'
        option encryption 'psk2'
        option macfilter 'allow'
        option network 'wifi'
        option key 'a.good.password'
        list maclist 'REDACTED'

config wifi-iface 'wifinet9'
        option device 'radio1'
        option mode 'ap'
        option ssid 'MyWIFIG'
        option encryption 'sae-mixed'
        option isolate '1'
        option key 'another.password'
        option network 'wifiguest'
        option ocv '0'

root@linksys:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '2000'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'lan'
        list interface 'wifi'
        list interface 'wifiguest'
        list server '127.0.0.1#5054'
        list server '/use-application-dns.net/'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '127.0.0.1#5053'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ignore '1'
        option start '100'
        option limit '150'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'wifi'
        option interface 'wifi'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ignore '1'

config dhcp 'wifiguest'
        option interface 'wifiguest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ignore '1'

config host
        option name 'somehost'
        option dns '1'
        option mac 'REDACTED'
        option ip '192.168.23.184'

root@linksys:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'


Thanks for your help. Now the configuration works more or less as desired, but a few questions still remain.

First of all I want to describe some of the problems I faced, so it's easier for others.

  1. For the configuration of the secondary router (former primary and only), I started from the working configuration and tried to migrate to the new role. This complicated things: interfaces/devices defined but not used anymore, obsolete firewall rules, problems with the DHCP not binding to all interfaces (my fault, because of me adding and deleting interfaces in both routers). It would be better to start from a blank configuration.
  2. netstat and tcpdump helped me debug some problems, like the wifi authenticating but the phone/PC not getting an IP configuration, and also seeing the traffic through the bridges and other interfaces to understand where the problem was.
  3. The bridge configuration was easy in the end, but on the first try I configured it more or less the way I was used to doing it with brctl: create the 3 or 4 VLANs and then use a bridge to join them. This previous mindset led me wrong. Somehow I didn't need the DSA mini tutorial until now.

Now some of the problems that I see still remain, and please also let me know about the numerous other issues you mentioned earlier.

  1. I didn't want the firewall to be opened (ACCEPT) from wifiguest, but if I configured it as DROP, only devices connecting to the wifis exposed on the primary router got their DHCP response. Devices connecting from wifis on the secondary router don't get an IP if I don't ACCEPT input in the firewall. Note that with the previous configuration of only one router, the proper rules "Allow DHCP from WIFIGUEST" and "Allow DNS from WIFIGUEST" were enough to have it working. Now I also have to add the rules "Allow DHCP from WIFI" and "Allow DNS from WIFI", which weren't needed before and are now needed by devices connected to the secondary router. I don't understand why, since I have option input "ACCEPT"...
  2. Since now traffic between LAN and WIFI is routed by the primary router, e.g. a phone connected to the secondary router watching a movie served by an NFS share on the secondary router (the only one that has a USB port), the traffic is doubled over the link between routers. This still happens, but until now I had a powerline link that now hasn't enough bandwidth (already solved with a provisional direct CAT6E ethernet cable). Anyway, one improvement I would like to make is to also make this secondary router a router, so only the necessary traffic is sent over the network.
  3. I still haven't fully checked, but could it be that all traffic sent by a PC connected via WIFI to the primary router is also bridged to the secondary router? I did a speedtest and the values get significantly worse when the trunk between both routers is connected, and I almost get the ISP advertised speed when the ethernet between both routers is disconnected.

Hi @psherman, could you be so kind as to check my settings and tell me what issues persist and what improvements could be made? Thanks!!

Sorry... I didn't realize you still had questions.

General recommendations:

  • Do not use 802.11r unless you have a demonstrable need to add it. Generally speaking, this can cause more problems than it solves. (same is true with 802.11k and 802.11v).
  • Make sure your country codes are set (I'm not seeing that on the MR8300)
  • Set your channels manually and make sure they're non-overlapping between the two devices. (your 2G is fine, 5G is set to auto on both).
  • Do not use sae-mixed -- use only WPA2 (psk2) or WPA3 (sae). Mixed mode tends to cause problems.

On the AP, the following is entirely unnecessary and can be removed:

You don't need to set the interfaces, nor do you need anything with respect to DoH/DoT:

Also remove this:

The rest of the AP config looks fine (except for my wifi notes above).

On the router:

First, a nit-pick as it's not really a technical thing:

If you look at the above, the VLAN associated with wifi is VLAN ID 22, but the 3rd octet of the subnet is 23. A nice (but entirely optional) construct is to use the same value for the 3rd octet as the VLAN ID... this is just easier for human readability. So by that logic, you'd make the IP address for VLAN 22 192.168.22.254. (and adjust accordingly for the others). This isn't required, though.

I recommend removing the interface lines in the DHCP files... it's not necessary and may cause you headaches later:

For the firewall, it's generally accepted that REJECT is preferred on the wan (instead of DROP). The security is the same, but REJECT is the default:

You can remove the source port:

If the wifiguest network is untrusted, you probably want to set the input rule to REJECT:

These are unnecessary because the wifi network has input set to ACCEPT:

Try again after the changes above.

I don't understand what you mean here.

I'm still not sure what this is about... what are you trying to change here? Is the issue that inter-VLAN traffic over wifi needs to go from the AP to the router and back to the AP to get to the device connected by wifi? That shouldn't really be an issue unless you're dealing with very high bandwidth streams.

This is only relevant if the PC is connected to wifi on the primary router and then communicating with a device that is connected to the AP. Otherwise, the traffic will simply flow from the PC to the main router and out to the internet.

This doesn't make a lot of sense, but it would be helpful to see the method you used to test, the test results, and to understand if the trunk is carrying a lot of traffic that might be relevant during your test.
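An added example, mine rather than code from the thread or from OpenWrt: a small checker that parses UCI firewall text and reports forwardings that break the lan/wifi/wifiguest isolation, plus any served zone whose input is not ACCEPT but lacks a usable DHCP or DNS rule (the problem in item 1 above, and the suggestion to set wifiguest input to REJECT). POLICY and ROUTER_IP are assumptions taken from the posted configs, and SAMPLE_FW is a constructed, trimmed copy of the posted router firewall with wifiguest input changed to REJECT.

```python
import re
# Added example, not from the thread or OpenWrt: a checker for UCI firewall text.
LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")
def parse_uci(text):
    """UCI text -> list of dicts {'.type', '.name', option: str, list: [str]}."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:                                   # blank or malformed line
            continue
        kind, key, val = m.groups()
        if kind == "config":
            out.append({".type": key, ".name": val})
        elif kind == "option":
            out[-1][key] = val
        else:                                       # 'list' keys may repeat
            out[-1].setdefault(key, []).append(val)
    return out

def check_isolation(fw, policy):
    """Compare 'config forwarding' sections with policy {src_zone: {allowed dest zones}}."""
    fwd = {}
    for s in (s for s in fw if s[".type"] == "forwarding"):
        fwd.setdefault(s["src"], set()).add(s["dest"])
    problems = []
    for zone in [s["name"] for s in fw if s[".type"] == "zone"]:
        have, want = fwd.get(zone, set()), policy.get(zone, set())
        problems += [f"{zone} may forward to {d}, forbidden by policy" for d in sorted(have - want)]
        problems += [f"{zone} cannot reach {d}: no forwarding" for d in sorted(want - have)]
    return problems

def check_input_rules(fw, router_ip):
    """Zones the router serves (router_ip: {zone: its address}) with input != ACCEPT need
    ACCEPT rules for DHCP (67) and DNS (53); a rule with dest_ip must name the router."""
    zones = {s["name"]: s.get("input") for s in fw if s[".type"] == "zone"}
    problems = []
    for name, policy in zones.items():
        if name in router_ip and policy != "ACCEPT":
            for port, what in (("67", "DHCP"), ("53", "DNS")):
                ok = any(r[".type"] == "rule" and r.get("src") == name and "dest" not in r
                         and r.get("dest_port") == port and r.get("target") == "ACCEPT"
                         and router_ip[name] in r.get("dest_ip", [router_ip[name]]) for r in fw)
                if not ok:
                    problems.append(f"{name}: input is {policy}, no usable {what} rule (port {port})")
    return problems
# Assumed policy and router addresses, taken from the configs posted in this thread.
POLICY = {"lan": {"wan", "wifi"}, "wifi": {"wan"}, "wifiguest": {"wan"}}
ROUTER_IP = {"lan": "192.168.22.254", "wifi": "192.168.23.254", "wifiguest": "192.168.24.254"}
# Constructed sample: trimmed copy of the posted router firewall, wifiguest input set to REJECT.
SAMPLE_FW = """\
config zone
        option name 'lan'
        option input 'ACCEPT'
config zone
        option name 'wifi'
        option input 'ACCEPT'
config zone
        option name 'wifiguest'
        option input 'REJECT'
config forwarding
        option src 'lan'
        option dest 'wan'
config forwarding
        option src 'lan'
        option dest 'wifi'
config forwarding
        option src 'wifi'
        option dest 'wan'
config forwarding
        option src 'wifiguest'
        option dest 'wan'
config rule
        option src 'wifiguest'
        option dest_port '67'
        option target 'ACCEPT'
config rule
        option src 'wifiguest'
        list dest_ip '192.168.24.1'
        option dest_port '53'
        option target 'ACCEPT'
"""
def audit(text):
    fw = parse_uci(text)
    return check_isolation(fw, POLICY) + check_input_rules(fw, ROUTER_IP)
```

The sample keeps the dest_ip of 192.168.24.1 from the posted "Allow DNS from WIFIGUEST" rule, which does not match the posted wifiguest address 192.168.24.254; with input ACCEPT that is harmless, but once input is REJECT the checker reports it as a DNS rule that never matches.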