At this point I'm basically a long-time listener, first-time caller.
My desired setup is relatively simple, and I thought I had gathered enough information to implement it, but it continues to elude me.
My desired network setup (simplified) is as shown below.
Pretty straightforward. I have an ISP router (that will eventually be set to pure bridge mode once I get this all sorted out) and I would like to have 4 vlans/subnets, one each for Lab (MGMT), Home, Guest, and Web facing servers.
I am familiar and comfortable with linux, but I am unfamiliar with router technology and a beginner in OpenWRT, so I prefer to use Luci, but if it takes mucking about with uci to fix this, then please say so.
First off, a note about my router. OpenWRT Docs for it. It actually has 2 real physical network interfaces, eth0 (CPU) and eth1 (dedicated WAN port interface). This breaks from the example hardware used in the docs and other forum posts (single network interface, WAN on eth0.2, LAN on eth0.1), which is one reason why I have struggled to reach this point. I am using the latest OpenWRT (19.07).
Following the docs, and many other forum posts on this topic, I created 4 interfaces, one for each VLAN (eth0.VLAN_ID) with a Static IP (10.0.VLAN_ID.1) and DHCP enabled. I created dedicated firewall zones for each of these interfaces and set up WAN forwarding for each. I then opened firewall rules for DHCP and DNS traffic on each interface (Firewall Zone -> Device). I disabled DHCP on the LAN interface.
This is the part where I get confused. The default on the router is all switch ports set as untagged VLAN 1. To me, the correct config for my goal would be to tag the CPU (eth0) with all VLANs, and then Port 4 (going to the Lab Switch) as tagged on all VLANs as well; set Port 1 as untagged VLAN 1 (so that I can manage the router if need be), set Port 2 as untagged VLAN 2 for a Home AP, and set Port 3 as untagged VLAN 3 for a Guest AP.
When I do this, I lose access to the router. From my host connected directly on Port 1, I cannot access Luci by static IP, and no DHCP lease is given. If I plug in to ports 2 or 3 directly, I get a DHCP lease successfully, and I still cannot access Luci (no surprise, as it is locked to VLAN 1 according to the docs). I have to factory reset or flip the firmware images (bless dual firmware) and re-upload to a clean OpenWRT install to try all over again.
So, what am I missing? I feel there is some critical step absent from this setup which would magically solve all of my problems. I have tried additional things not listed here; the above describes the steps which I am confident are correct. It seems like there is something special about VLAN 1 which is causing these problems. My guess would be conflicting settings somewhere that I am unaware of, which prevent devices on VLAN 1 from working as I hope. Should I just configure Port 1 as off and rely on the LAN interface to pick up my traffic?
I tried messing with the LAN interface settings: removing bridging entirely; explicitly bridging across eth0.1-4; bridging the eth0 device.
I tried tagging the CPU with all VLANs except VLAN 1. This seems to work, but if the CPU is not being tagged with VLAN 1, then VLAN 1 devices are effectively blocked from interacting with other VLANs' devices (right?).
Sorry for the wall of text, but I am just at my wits' end. I have spent weeks reading forum post after forum post. Hours and hours banging my head against the wall for what should be simple! Any help is appreciated.
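The switch and interface layout the post describes, written out as an added example of OpenWrt 19.07 UCI configuration (constructed here for illustration, not the poster's actual config). It assumes the CPU (eth0) is switch port 0 on switch0, the panel Ports 1-4 map to switch ports 1-4, and the separate WAN port eth1 is left untouched.

```uci
# /etc/config/network fragment: constructed example, not the poster's config.
# Assumptions: CPU (eth0) is switch port 0, panel Ports 1-4 are switch ports 1-4,
# and the dedicated WAN port eth1 is left as-is. Confirm the real port map with
# `swconfig dev switch0 show` before copying any port numbers.

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# CPU (0t) and the trunk to the lab switch (4t) are tagged on every VLAN;
# Port 1 is untagged on VLAN 1 (MGMT/Lab).
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 1 4t'

# Port 2 is untagged on VLAN 2 (Home AP).
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 2 4t'

# Port 3 is untagged on VLAN 3 (Guest AP).
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 3 4t'

# VLAN 4 (web-facing servers) only rides the trunk to the lab switch.
config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 4t'

# With the CPU port tagged on VLAN 1, frames from Port 1 arrive at the CPU as
# eth0.1, so the management interface is bound to eth0.1, not to bare eth0.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '10.0.1.1'
	option netmask '255.255.255.0'

# home (eth0.2, 10.0.2.1), guest (eth0.3, 10.0.3.1) and web (eth0.4, 10.0.4.1)
# are defined the same way, each in its own firewall zone that forwards to wan only.
```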