Different modes of operation quick switch + sanity check

I got myself a Mercusys MR80X v3.0: decent CPU, heaps of RAM for the weight class. I had envisioned 3 modes of operation for it.

1- during normal operation, port 1 would be connected to a main router/firewall, port 2 and 3 (and maybe 4) would be ports dedicated to VLANs. Since the devices downstream are not necessarily VLAN aware, each port would have to look like a completely normal distinct network, no VLAN tags after leaving the MR80X. At least 2 SSIDs would also be related to those VLANs with the same restriction of no VLAN tags leaving the MR80X. In this mode, the radios should also be listening to a specific SSID; if it connects successfully, the MR80X becomes a WAN source for the main firewall, either through the 4th port or through a single cable solution Gemini suggested that I will list later.

2- firewall failure backup mode. If my main firewall fails, for whatever reason, it should be able to switch modes and become a proper router such that I can just connect the cable coming from the ISP box in bridge mode to it, and it maintains the same VLAN structure as the main firewall had dictated before failure to all the devices downstream from it (with the exception of some SSIDs whose associated VLANs are routed through a VPN (like Proton) by the main firewall). It should still keep listening to that SSID from the first mode, and use the network as a secondary WAN source.

3- travel router mode. When I'm not gonna be home for a bit and most VLANs become unnecessary, I can just connect my main firewall to a dumb switch and take the MR80X with me. In this mode it will act as a tunnel via WireGuard back to the main firewall for any device connected to it. Port 1 will always be the WAN port, and configuring an external wireless network as a WAN source should be easy enough.

That's quite a bit to take in, but Gemini gave 2 main suggestions to make it work.

1- tag the backup SSID from mode 1 with a VLAN, and have the main firewall use that VLAN as a WAN source. That way only a single cable is needed between the MR80X and the firewall (no clue if this is a good idea reliability or security wise).

2- have the WPS button act as the mode change switch. When pressed, either long pressed, or after a succession of presses, idk, a script will swap config files and reload/restart the necessary components. LED would also reflect in some way the current mode of operation.

The purpose of the thread is really just to get this sanity checked and/or receive suggestions. It will be my first time experiencing OpenWrt and VLAN aware equipment, so hopes and dreams are high but may not be feasible, idk.

An experienced user wouldn't consider this as an option. You're introducing a lot of volatility and potential for really nasty breakage into something that should just work, 24/7. Neither your primary router/firewall nor the MR80X should fail, and if they do, you can still deal with the fallout (and repurpose hardware accordingly) if it does. You're spending more on the potential failure, without a real assurance that your mode-switch will actually work 2-3 sysupgrades into the future, which should never happen.

Maybe mode 2 is not needed, but the whole premise in making the investment was to get a travel router with good WireGuard performance. Or rather, the idea has been brewing in the back of my mind for a while and when I noticed the same device could be my gateway to VLANs I got excited and went for it. But the MR80X is way overkill for VLAN switching. I even considered just retiring my pfSense box entirely in favor of it, but decided against it. So I expect to at least have a way to change between mode 1 and 3. How that's done is totally open for debate. The WPS button script seemed cool cause it wouldn't require messing with the web UI on something like a phone, but if it's a bad idea, so be it.

My advice mirrors that of @slh -- keep it simple.

Get an inexpensive managed switch or an all-in-one wifi router that can run OpenWrt to use as your VLAN aware switch (the latter doesn't need to have a particularly powerful or fast CPU since it will simply be operating at L2, but do make sure that you get one that has at least 16MB flash / 128MB RAM so that it can run future versions of OpenWrt). This device will serve only as your VLAN aware switch and/or wifi AP.

With the travel router part of the equation... the MR80X is not a small device. There are much smaller, purpose-built devices that you can consider (most of them use USB for their power source, too).

Regardless of the actual chosen device for the travel router, you could always make a configuration that replicates/replaces your main router and then make a backup of that config, reset, and then configure as a travel router. Keep that travel router config on it so that it is ready to use whenever you are traveling, but do not try to make it a multi-purpose device with some "universal" configuration. With that 'main router' backup file in your back pocket, should you ever find yourself in a bind with your main router broken, you can always restore that config to the travel router device and be up and running in a matter of minutes.

I'll take all that into consideration regarding travel router mode.

But I won't be travelling for a while, and I'd like to try out that mode 1 VLAN switch/wireless backup LAN source config. Does the structure I laid out for that mode seem reasonable?
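
The wired and wireless layout of mode 1 from the first post, sketched as an OpenWrt DSA configuration. This is an added example, not a config posted by anyone in the thread. It assumes port 1 is a tagged trunk to the main firewall; the port names (`lan1` to `lan3`), the VLAN IDs (10, 20, 99), the interface names, `radio0` and the SSID are constructed placeholders.

```uci
# /etc/config/network (fragment, constructed example)
# One VLAN-filtering bridge: lan1 = trunk to the main firewall,
# lan2 and lan3 = access ports that never emit a VLAN tag.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

# ':t' = tagged, ':u*' = untagged on egress and PVID for ingress
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan1:t'
	list ports 'lan3:u*'

# Management VLAN exists only on the trunk, so downstream ports cannot reach the device UI
config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan1:t'

config interface 'mgmt'
	option device 'br-lan.99'
	option proto 'dhcp'

# Unmanaged interfaces: the device holds no address in the user VLANs,
# so routing, DHCP and filtering between them stay on the main firewall.
config interface 'vlan10'
	option device 'br-lan.10'
	option proto 'none'

config interface 'vlan20'
	option device 'br-lan.20'
	option proto 'none'

# /etc/config/wireless (fragment): this SSID's clients land in VLAN 20, untagged over the air
config wifi-iface 'ap_vlan20'
	option device 'radio0'
	option mode 'ap'
	option ssid 'example-vlan20'
	option encryption 'psk2'
	option key 'REPLACE_WITH_PASSPHRASE'
	option network 'vlan20'
```

Because the VLAN 10 and 20 interfaces use `proto 'none'`, isolation between the two networks depends entirely on the main firewall's rules for those VLANs.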