I have OpenWRT devices across my network, all on version 23.05 (x86 router, two managed switches and three access points). I have several VLANs running flawlessly on the wired part of the network, allowing me to isolate cameras, IoT devices etc. These are managed by configuring tagging on the switch ports and then firewalling by VLAN on the x86 router.
My next step is to create additional SSIDs on the dumb APs, which I can then pass on to the wired network with the appropriate VLAN tags, to be filtered by the firewall on the router. I've tried various methods, but I either end up locked out of the AP (unable to access the management interface even over wired), or when I connect to my new SSID on a separate VLAN the client doesn't get a DHCP lease from the router, and setting a static IP doesn't help. Connecting to the 'main' SSID, which is linked to 'lan', works fine.
My router is configured to give DHCP leases on the relevant VLAN subnets, eg 192.168.1.x for VLAN1 and 192.168.30.x for VLAN30.
Config as below.
/etc/config/network
# Loopback interface (127.0.0.1/8).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# IPv6 ULA prefix for this device.
config globals 'globals'
option ula_prefix 'fd6b:e2f1:2863::/48'
# Bridge for the main LAN. Its only wired member is eth0.1, i.e. 802.1Q
# VLAN ID 1 carried tagged on eth0.
# NOTE(review): this only passes traffic if the upstream switch port sends
# VLAN 1 tagged to this AP; confirm against the switch config.
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
# The only interface in this file that holds an IP address (192.168.1.11/24),
# so it is the only one on which the AP itself is addressable.
# NOTE(review): presumably LuCI/SSH are reached here, which would put AP
# administration on the same segment as the 'main' SSID clients; confirm
# that this is intended.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.11'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.1.254'
list dns '192.168.1.254'
# Bridge for VLAN 100 (tagged on eth0).
config device
option name 'br-management'
option type 'bridge'
list ports 'eth0.100'
# proto 'none' gives the AP no address on VLAN 100, so despite the bridge
# name the AP cannot be managed over this VLAN as configured.
# NOTE(review): if the goal is to restrict administration to a management
# VLAN, the AP's static address would need to be on this interface rather
# than on 'lan'.
config interface 'VLAN100'
option device 'br-management'
option proto 'none'
# Bridge for VLAN 30 (tagged on eth0); the 'IOT' SSID attaches to it through
# the 'VLAN30' interface below.
config device
option name 'br-iot'
option type 'bridge'
list ports 'eth0.30'
# proto 'none': the AP is a pure layer-2 bridge on VLAN 30 and has no IP
# there, so this file gives IoT clients no AP address to reach on their own
# VLAN. DHCP and firewalling are left to the router.
# NOTE(review): clients only get a lease if every switch port between this
# AP and the router carries VLAN 30 tagged; verify that path.
config interface 'VLAN30'
option device 'br-iot'
option proto 'none'
/etc/config/wireless
# 5 GHz radio: channel 48, 80 MHz VHT.
config wifi-device 'radio0'
option type 'mac80211'
option path 'ffe0a000.pcie/pcia000:02/a000:02:00.0/a000:03:00.0'
option channel '48'
option band '5g'
option htmode 'VHT80'
option cell_density '0'
# 'main' SSID on 5 GHz, bridged into 'lan'.
# 'sae-mixed' is WPA2-PSK/WPA3-SAE transition mode: WPA2-only clients are
# still accepted, so the passphrase has to be strong enough for WPA2-PSK.
# NOTE(review): the key is empty as posted, presumably redacted.
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'main'
option encryption 'sae-mixed'
option key ''
# 2.4 GHz radio: channel 11, 20 MHz HT.
config wifi-device 'radio1'
option type 'mac80211'
option path 'ffe09000.pcie/pci9000:00/9000:00:00.0/9000:01:00.0'
option channel '11'
option band '2g'
option htmode 'HT20'
option cell_density '0'
# 'main' SSID on 2.4 GHz, same network and encryption as on radio0.
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'main'
option encryption 'sae-mixed'
option key ''
# 'IOT' SSID on the 2.4 GHz radio only, WPA2-PSK with CCMP, attached to the
# 'VLAN30' interface (br-iot / eth0.30).
# NOTE(review): 'option isolate' is not set, so stations on this SSID can
# presumably talk to each other directly through the AP without crossing
# the router firewall; consider enabling it if IoT devices should not see
# one another.
config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option ssid 'IOT'
option encryption 'psk2+ccmp'
option key ''
option network 'VLAN30'