Configure vlan on single physical port - Mikrotik hAP AC2

I want to use a physical port to differentiate between two streams of traffic. The traffic comes from Proxmox and I understand I can use VLANs to accomplish this.
The router is the main router attached to the internet.

The problem is that the moment I add a VLAN ID on the Switch tab I lose internet access.

Currently on OpenWRT I have VLAN ID 1 with CPU (eth0), LAN 1, LAN 2, LAN 3 and LAN 4 all marked untagged. Furthermore, the lan interface has eth0 as its device (which I find weird; I thought it should have been br-lan), and br-lan has only eth0 assigned (I do not have lan1, lan2, etc. devices here; from my understanding it's because they are not exposed to the CPU, only the port from the switch chip).

I tried at first just to change the VLAN ID for the lan interface, but I lose access to the router.
I have trouble applying the tutorials I've seen because there are many differences, especially the missing lan1, lan2, etc. devices.

Is this even possible on this router?

Let's start with this:

  • Have you already configured the VLAN(s) in your main router?
  • Is your main router directly connected to the hAP AC2? (if not, is there a switch between them? if so, is it a managed switch)?
  • What VLAN(s) do you want to add? (specific VLAN IDs)
  • What port(s) will carry the VLAN(s)?

Then, let's look at your config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

It somehow works with this config but I want to make sure it makes sense so I leave it here.
The problem I have now is that it seems I can't ping proxmox but I can connect to the web interface.
The br-lan bridge has two VLANs because I wanted to see if I can make it bridge between these two, considering DSA doesn't work like the tutorials show.

Does it make sense in this configuration to use Bridge VLAN Filtering? From what I understand, if configured, it will send the packets to the CPU to be filtered based on VLAN instead of all being done in the switch chip... or not?

{
        "kernel": "5.10.176",
        "hostname": "Home2",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "MikroTik hAP ac2",
        "board_name": "mikrotik,hap-ac2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "ipq40xx/mikrotik",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd8d:5cfb:570e::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.10'
        list ports 'eth0.20'

config device
        option name 'eth0'
        option macaddr '43:49:1f:90:6c:99'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option device 'br-lan'

config device
        option name 'eth1'
        option macaddr '68:12:36:ad:25:64'

config interface 'wan'
        option device 'eth1'
        option proto 'pppoe'
        option username ''
        option password ''
        option ipv6 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '10'
        option vid '10'
        option ports '0t 1 2 3 4'

config switch_vlan
        option device 'switch0'
        option vlan '20'
        option vid '20'
        option ports '0t'

config switch_vlan
        option device 'switch0'
        option vlan '30'
        option vid '30'
        option ports '0t'

config interface 'transit_proxmox'
        option proto 'static'
        option device 'eth0.30'
        option ipaddr '10.200.200.1'
        option netmask '255.255.255.254'

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HT40'
        option country 'US'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option country 'US'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'Test5g'
        option encryption 'sae-mixed'
        option key ''

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Test'
        option key ''
        option network 'lan'
        option encryption 'sae-mixed'

config dnsmasq
        option domainneeded '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option ednspacket_max '1232'
        option sequential_ip '1'
        option filterwin2k '1'
        option localservice '1'
        option localise_queries '1'
        list server '/pve.lan/192.168.1.161'
        list rebind_domain 'pve.lan'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra 'hybrid'
        option dhcpv6 'hybrid'
        option limit '149'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain
        option name 'pve.lan'
        option ip '192.168.1.150'

config domain
        option name 'pve.lan'
        option ip 'fe80::aaa1:59ff:fee8:1e5e'

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'WG0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Bridging VLANs defeats the entire purpose of using them in the first place and will cause unexpected results. Remove eth0.20.

And what are these VLANs for? They don't do anything at all because they are only present on the CPU (except for the fact that you bridged eth0.10 and eth0.20, which as I stated above is not the correct method of handling this).
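An added example (not from either poster) of the network config that puts the transit VLAN on a physical port instead of only on the CPU, with eth0.20 dropped from br-lan as suggested above. It assumes the Proxmox host is cabled to switch port 4 in the OP's switch numbering (which physical jack that is on the hAP ac2 is not shown in the thread), and it uses a /30 rather than the /31 in the posted config: 10.200.200.1 with mask 255.255.255.254 shares its /31 with 10.200.200.0, not with the 10.200.200.2 the OP wants to ping, whereas 10.200.200.0/30 gives exactly .1 and .2 as the two host addresses the OP describes.

```uci
# /etc/config/network, VLAN-relevant sections only (added example).
# Loopback, globals, eth0/eth1 device sections and wan are unchanged
# from the posted config and not repeated here.

# Only the management VLAN is bridged with the Wi-Fi interfaces.
# eth0.20 is gone: a VLAN with no member ports carries nothing.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.10'

config interface 'lan'
        option proto 'static'
        option device 'br-lan'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 10 (management): untagged on all four LAN ports, tagged to the
# CPU (port 0). This is what 192.168.1.0/24 rides on.
config switch_vlan
        option device 'switch0'
        option vlan '10'
        option vid '10'
        option ports '0t 1 2 3 4'

# VLAN 30 (transit): tagged to the CPU and tagged on port 4, which is
# ASSUMED to be the port the Proxmox host plugs into. Port 4 therefore
# carries VLAN 10 untagged and VLAN 30 tagged: one cable, two separate
# layer-2 segments. No other port is a member, so no other host can
# join the transit segment even if it sends 802.1Q frames.
config switch_vlan
        option device 'switch0'
        option vlan '30'
        option vid '30'
        option ports '0t 4t'

# Point-to-point transit network: .1 is the router, .2 is pfSense.
# /30 (255.255.255.252) is used instead of the posted /31 so that
# 10.200.200.1 and 10.200.200.2 are on the same subnet.
config interface 'transit_proxmox'
        option proto 'static'
        option device 'eth0.30'
        option ipaddr '10.200.200.1'
        option netmask '255.255.255.252'
```

Port 4 keeps VLAN 10 untagged, so an untagged Proxmox management interface stays on 192.168.1.0/24; the Proxmox side must tag VLAN 30 on its own NIC or bridge for the transit traffic to arrive. `/etc/init.d/network reload` applies the file; since the OP has already lost access twice while changing VLAN IDs, keep a Wi-Fi or console session open (or use the LuCI "apply with rollback" flow) before reloading.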

Yes this was only the result I got so far in configuring the network (I was just doing a test to see if two vlans can be bridged...just for fun).

What I am trying to do is separate the proxmox management traffic from a transit network (10.200.200.0/30) that I will create between the router and pfsense running inside a vm (a 2 host subnet).

I almost got it but something is off. Now I have to route between the main network 192.168.1.0 and this transit one to get to pfSense (which will have another separate network on the LAN). It still seems to defeat the purpose of VLANs because on the main router (Mikrotik hAP) I will have to connect those two VLANs somehow...

Now I have the transit (eth.20) and management VLANs (on eth0.10 because it should be on 192.168.1.0/24) configured, but I can't ping the VM at the other end (10.200.200.2) from 192.168.1.100, which is on the main network, or vice versa.
No static routes, with the newly created interface transit_proxmox assigned to eth.20 with a static IP and the lan firewall zone.

Oh, I just got it... I removed eth0.20 from br-lan. But this raises the question: I have two VLANs with only configured interfaces. I thought they were supposed to be isolated; how come I can ping across? Who is doing the connection? If any VLAN could be reached just by routing, I imagine that would defeat the purpose of it.

Where do the VLANs "originate" -- i.e. what router(s) are responsible for each of the networks? That is where the inter-vlan routing is happening, and your router is responsible for routing (or blocking) those connections, based on the way the firewall on that device is configured.

Can you show us a system topology diagram? (A photo of a sketch on paper is sufficient.)
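An added firewall example (not the OP's posted config and not from the responder) illustrating the point above: with both eth0.10 and eth0.30 terminated on the same router, the VLANs are isolated only at layer 2. The router routes between them unless its firewall says otherwise, and the OP's transit_proxmox interface currently sits in the lan zone, whose forward policy is ACCEPT, which is exactly why the ping crossed. The zone name `transit` and the rule names are assumptions chosen for this example; the wan zone and the default Allow-* rules from the posted config are unchanged and not repeated.

```uci
# /etc/config/firewall, zone and forwarding sections only (added example).
# 'config defaults' and the wan zone stay as posted: forward REJECT by
# default, masq and mtu_fix on wan.

# Management zone: transit_proxmox is deliberately NOT a member anymore.
# (The posted config also lists a 'WG0' network that is not defined in
# the posted /etc/config/network; it is left out here.)
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# Transit zone: pfSense gets no services from the router (input REJECT)
# and cannot reach any other zone unless a forwarding below grants it.
config zone
        option name 'transit'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'transit_proxmox'

# LAN may reach the Internet (unchanged from the posted config).
config forwarding
        option src 'lan'
        option dest 'wan'

# pfSense, and whatever it routes or NATs behind 10.200.200.2, may reach
# the Internet through the router's PPPoE uplink.
config forwarding
        option src 'transit'
        option dest 'wan'

# Management hosts on 192.168.1.0/24 may open connections to pfSense
# (web UI, ping). Forwarding is stateful, so replies come back, but
# there is no transit -> lan forwarding: pfSense cannot initiate
# anything toward the management network.
config forwarding
        option src 'lan'
        option dest 'transit'

# Let pfSense ping the router itself for link troubleshooting; nothing
# else on the router is reachable from the transit side.
config rule
        option name 'Allow-Ping-From-Transit'
        option src 'transit'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
```

After `/etc/init.d/firewall reload`, a ping from 192.168.1.100 to 10.200.200.2 still works (lan -> transit is granted) while a ping from 10.200.200.2 to 192.168.1.100 is rejected, which is the isolation the OP expected from the VLANs alone. If pfSense does not NAT its own LAN behind 10.200.200.2, the router additionally needs a `config route` for that subnet with `option gateway '10.200.200.2'` on `transit_proxmox`; the thread does not give that subnet, so it is not filled in here.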