Extending Guest Network to dumb APs for guest WiFi

I managed to set up guest WLANs on my main router (all my routers and dumb APs are Cudy AX3000 routers) pretty much correctly, I believe. Now I want to extend it to the dumb APs that go through my garden and garage.
Diagram:

Main Router settings:




Any tips? I tried doing stuff with VLANs but to no avail: devices don't get DHCP through the dumb APs from the main router, and I don't know how to link these into the guest interface on my dumb APs.

Is your intent to send only a single network (the guest network) to the garage and garden, or will you be sending your LAN as well?

If the latter, you must use a managed switch. The unmanaged switch is not designed for VLANs and may cause problems. With a managed switch, you will be able to send VLANs to the remote APs.

If the former, you can simply set a physical port on the main router to be dedicated to the guest network, and that will feed the remote APs accordingly.

Unfortunately I don't have a port left on the main router. Is there some hacky way I can send both normal LAN and guest DHCP from one port?

Yes, you will need a managed switch.

I only need it for guest WiFi, not guest LAN though*

My whole LAN is trusted.

Guest LAN and guest WiFi should be the same, no??

Let's back up a bit, though... your diagram shows the router connecting to an unmanaged switch, and that switch with 2 remote APs.

In your desired state, does that switch carry LAN only, guest only, or both?

LAN only. All I need is that the APs send both main WLAN and guest WLAN. I need to get DHCP for devices to get from guest WLAN; main WLAN works fine.

I don't need guest LAN really, just guest WiFi/WLANs.

This contradicts the following:

Are the LAN and the guest LAN the same network? From your screenshot, they're different networks. Please explain.

So to go into detail.

I have built a fully trusted network, but now I want to make a secondary open (passwordless) WiFi around my place with limited speeds for guests or whoever, so that I don't need to give out the password to my main trusted WiFi and so that people won't go digging around my network.

To do this I believe I have to make guest isolated WLANs with guest interfaces on each AP that are not connected to the main LAN. Each AP is connected through one Ethernet cable to the unmanaged switch.

I managed to set up guest WiFi on my main router, which does both DHCP and DNS. Now I believe I have to send this DHCP to the APs as well, to give to devices depending on which WLAN/SSID they connect to.

Good.

No. You need to use VLANs which will allow the networks to be kept separate despite the fact that they are travelling over the same physical link.

Configuring VLANs on the router and APs is a relatively simple process. However, you must use a managed switch. A managed switch is designed to handle VLANs, whereas an unmanaged switch expects only a single network.

So unmanaged switches can't send VLAN packets whatever they are?

If so, are there some recommendations for cheap managed small switches?

Generally, yes, that's correct.

There are two major issues with unmanaged switches.

  1. They are not designed for VLANs (802.1Q tagging, specifically). Therefore, the behavior of VLANs through the switch is undefined. Some unmanaged switches will actually pass the tags without issue, while others may introduce minor problems that are tricky to identify. There are also some switches that will completely barf with VLANs -- not passing traffic or, worse, stripping the tags and effectively merging all the networks together, causing major issues.
  2. There is no control over the port-VLAN membership on an unmanaged switch. That is to say that it is impossible to specify which ports should have a given VLAN vs which should not, and you cannot specify the tag status either.

With all that said, an unmanaged switch should never be used to carry VLANs.

As far as inexpensive ones, I can recommend against the TP-Link TL-SG1xxE series, and I think the same is true for the Netgear entry level switches. From what I understand, the ZyXel entry level managed switches are actually pretty good. As you go up to the next level, pretty much all the brands are reasonable and have firmware that works pretty well (a limited number of switches are even supported by OpenWrt).

I found this ZyXEL GS1200-5 switch. Is this reasonable just for VLANs?

Yes, that one would be fine.

Alright, thanks for the help, will send a message here again once I have the switch up and running.

Also, may I ask: is there a Discord server for OpenWrt?