Guest access from a Dumb AP

I apologize ahead of time and I know this topic has been addressed several times, but I am using 22.03.2 with DSA networking and I don't seem to be able to find 22.03.2 DSA-related discussion, and I have no successful experience with vlans.

My setup is:
Internet into cable modem.
cable modem out to the WAN port on a Linksys WRT3200ACM (192.168.1.1).

Lan1 to Desktop 192.168.101
Lan2 to Desktop 192.168.1.102
Lan3 to Dumb AP Linksys WRT1900v2 Lan1 192.168.1.2
Lan4 to Dumb AP Belkin RT3200 Lan1 192.168.1.5

All are running OpenWrt 22.03.2 utilizing DSA networking.
Everything is running super fantastic!

For the holidays I wanted to set up the WRT1900 with a guest wireless access point utilizing vlans while it continues to be a regular dumb AP.

So....
logged into the wrt1900 and
created bridge device named "VLANS" and then created vlan "VLANS.10"

Bridged "lan1" and "VLANS.10" to bridge device "VLANS"
(Should I include eth0 in the bridge list??)

Created Interface "VLAN10" attaching the bridge device "VLANS" as the device for the Interface. (Is that the correct device or should I select "Software VLAN.10"??)

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde9:dd97:dfce::/48'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'
	option ipaddr '192.168.1.2'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'wlan0'

config device
	option type 'bridge'
	option name 'VLANS'
	list ports 'VLANS.10'
	list ports 'lan1'
	option bridge_empty '1'

config bridge-vlan
	option device 'VLANS'
	option vlan '10'
	list ports 'VLANS.10:t'
	list ports 'lan1:t'

config interface 'vlan10'
	option proto 'static'
	option device 'VLANS'
	option ipaddr '192.168.10.10'
	option netmask '255.255.255.0'
	list dns '192.168.1.1'


And then (still in the dumb AP wrt1900) I created a radio1 wireless interface GT10 connecting to network vlan10, which is a second interface on radio1.

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'VHT80'
	option country 'US'
	option cell_density '0'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option macaddr '14:91:82:xx:xx:xx'
	option encryption 'psk2'
	option key 'xxxxxxxx'
	option network 'lan'
	option ssid 'wrt1950'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option macaddr '14:91:82:xx:xx:xx'
	option encryption 'psk2'
	option key 'xxxxxxxx'
	option ssid 'wrt1924'
	option disabled '1'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option encryption 'psk2'
	option wmm '0'
	option key 'xxxxxxxx'
	option ssid 'GT10'
	option network 'vlan10'

Before I start trying to configure the main WRT3200 router (which I don't know how to do just yet), could I ask for some critique on these dumb AP configuration settings?

Thanks so much for any guidance. This is my first try at vlans.

I could just be projecting my personal preference, but you may actually want to start with your main router for this. Once you have your lan and guest network defined on the WRT3200, with your WRT3200 providing DHCP and DNS to same, it will be easier to "hook them up" to your dumb APs. While you are at it, you might as well add an IOT network on its own vlan too by cutting and pasting your guest network setup.

On your WRT3200, /etc/config/network should look something like:

.
.
.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
#send lan vlan 1 untagged to all ports
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
# put the lan on vlan id 1
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config bridge-vlan
	option device 'br-lan.10'
#send Guest vlan 10 tagged to both dumb AP's plugged into lan3 and lan4 ports
	list ports 'lan3:t'
	list ports 'lan4:t'

config interface 'GST'
	option proto 'static'
	option device 'br-lan.10'
# Guest vlan needs to be on its own sub-net (192.168.10.x) to be segregated
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan.20'
#send IOT vlan 20 tagged to both dumb AP's plugged into lan3 and lan4 ports
	list ports 'lan3:t'
	list ports 'lan4:t'

config interface 'IOT'
	option proto 'static'
	option device 'br-lan.20'
# IOT vlan needs to be on its own sub-net (192.168.20.x) to be segregated
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

Give your guest and IOT networks DHCP service in the WRT3200 /etc/config/dhcp file by adding:

config dhcp 'GST'
	option interface 'GST'
	option start '100'
	option limit '150'
	option leasetime '24h'
	list ra_flags 'none'

config dhcp 'IOT'
	option interface 'IOT'
	option start '100'
	option limit '150'
	option leasetime '24h'
	list ra_flags 'none'

And let the guest and IOT networks have access to DNS and DHCP provided by your WRT3200 by adding the following to /etc/config/firewall on your WRT3200:

config zone
	option name 'gst'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'GST'
	option input 'REJECT'

config zone
	option name 'iot'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IOT'
	option input 'REJECT'

config forwarding
	option src 'iot'
	option dest 'wan'

config forwarding
	option src 'gst'
	option dest 'wan'

config rule
	option name 'Allow-gst-DNS'
	option src 'gst'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Allow-gst-DHCP'
	option src 'gst'
	option dest_port '67-68'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option name 'Allow-iot-DNS'
	option src 'iot'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Allow-iot-DHCP'
	option target 'ACCEPT'
	list proto 'udp'
	option src 'iot'
	option dest_port '67-68'

At this point, you should easily be able to add new vlan-segregated wifi interfaces on your WRT3200 from LuCI. Under the LuCI wireless menus, add a new interface (SSID MyWifi-Guest for example) and select "GST" from the network drop-down box for the network you want that wifi interface to be attached to. Because these network interfaces are already set up on separate vlans, on separate subnets, with DHCP and DNS access already managed by your WRT3200, it's simple. Put the wifi interface on the network you want, and done. The really good news? It will be just as simple on your dumb APs now (after you figure out receiving the untagged lan and tagged vlans on the dumb AP ports plugged into lan3 and lan4 on the WRT3200). In fact simpler - they are dumb APs after all.

On the dumb APs, disable your WAN interfaces of course. Do not add DHCP servers for the vlans on the dumb APs (that is already being done on the WRT3200!). Set up the network file configuration on your dumb APs to define the same lan, GST and IOT interfaces and receive the untagged lan vlan 1 and tagged guest and IOT vlans 10 and 20 from whatever port to which you connect WRT3200 lan3 (or WRT3200 lan4 in the case of your RT3200).

On your dumb APs, give the lan interface different static IPs on your lan subnet (e.g., 192.168.1.2 for the WRT1900 and 192.168.1.3 for the RT3200) so you can reach these devices on your lan at those addresses. But instead of "option proto 'static'" on the GST and IOT interfaces, make them dhcp clients with "option proto 'dhcp'" and, of course, no need to give them IP addresses - your WRT3200 will handle that.

Thanks so much for the blueprint!

I had a couple of lockouts and needed to boot back to stock. My faults. I'm going to make a fresh imagebuilder image and flash it so recovery does not include reloading so many upgrades one by one after reboot. After that I will continue with the reconfigure.

Thanks again for showing the path. I will be back..........

You're welcome. I just caught and corrected a couple of careless mistakes in my blueprint, so be sure to recopy if you copied them already.

I hope it is not inappropriate to post this much data, but I'm not sure what is important and what is not .....

Anyhow, these are my main router WRT3200 config files, and my guest WiFi seems to work properly, meaning I can connect and access wan internet and am not able to access any local network endpoints.

If I disable the firewall I then cannot even get an IP address when attempting to connect.

/etc/config/network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd45:bf9f:13b6::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config bridge-vlan
	option device 'br-lan.10'
	list ports 'lan3:t'
	list ports 'lan4:t'

config interface 'GST'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	list dns '192.168.1.1'
	list dns '1.1.1.1'

config bridge-vlan
	option device 'br-lan.20'
	list ports 'lan3:t'
	list ports 'lan4:t'

config interface 'IOT'
	option proto 'static'
	option device 'br-lan.20'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option proto 'dhcp'
	option type 'bridge'
	option peerdns '0'
	option device 'wan'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option device 'wan'

####################
/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option noresolv '1'
	option doh_backup_noresolv '-1'
	list doh_backup_server ''
	list server '127.0.0.1#54'
	list server '1.1.1.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'GST'
	option interface 'GST'
	option start '100'
	option limit '150'
	option leasetime '24h'

config dhcp 'IOT'
	option interface 'IOT'
	option start '100'
	option limit '150'
	option leasetime '24h'
	list ra_flags 'none'

############################

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'gst'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'GST'

config forwarding
	option src 'gst'
	option dest 'wan'

config rule
	option name 'Allow-gst-DNS'
	option src 'gst'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Allow-gst-DHCP'
	option src 'gst'
	option dest_port '67-68'
	option target 'ACCEPT'
	list proto 'udp'

config zone
	option name 'iot'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IOT'
	option input 'REJECT'

config forwarding
	option src 'iot'
	option dest 'wan'

config rule
	option name 'Allow-iot-DNS'
	option src 'iot'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Allow-iot-DHCP'
	option target 'ACCEPT'
	list proto 'udp'
	option src 'iot'
	option dest_port '67-68'

Now getting my dumb AP to connect......that is a problem..
I think I have tried every combination of tagging there is with no joy.
On the "Interfaces" page the dumb AP shows not started and will not start and will not RX.

When pinging "192.168.10.1" from WRT1900 dumb AP "Diagnostics" page I get......

PING 192.168.10.1 (192.168.10.1): 56 data bytes
ping: sendto: Network unreachable

I can ping "192.168.1.1"

WRT1900 dumb AP /etc/config/network

No DHCP No Firewall.


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde9:dd97:dfce::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option ip6assign '60'

config bridge-vlan
	option device 'br-lan.10'
	list ports 'lan1:t'

config interface 'GST'
	option device 'br-lan.10'
	option proto 'dhcp'

config bridge-vlan
	option device 'br-lan.20'
	list ports 'lan1:t'

config interface 'IOT'
	option device 'br-lan.20'
	option proto 'dhcp'

Any tips on how to troubleshoot will be greatly appreciated.

This has been a great VLAN learning experience for me! Thanks for everything.

Make VLAN 1 also tagged on the trunk cables at both ends. Don't mix tagged and untagged on the same port.

So on the main router, bridge-vlan 1 is lan1:u lan2:u lan3:t and lan4:t. bridge-vlans 10 and 20 have ports 3 and 4 tagged but don't include lan1 or lan2 at all, since those are your LAN PCs.

On the APs, the extra network interfaces can be proto none. They don't need IP addresses, really should not have IP addresses to deter any IP based hacking attempts by IOTs or guests.

I'm missing something or not getting something but I'm real close thanks to you all.
My main WRT3200 router seems to be performing exactly as you drew it up for me.
I believe the vlans are up and talking to the APs.

Connecting to the GST network thru a main router wireless interface produces a login and an internet connection while blocking out all access to local network endpoints. As designed.

What I can't make happen is creating a wireless interface on an AP that will present a login and a connection.

I can ssh into the APs and ping the vlan addresses, and they respond back from the WRT3200.

ifconfig shows vlans without errors.

I'm stumped...

WRT3200 Main Router
192.168.1.1 /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd45:bf9f:13b6::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u'
	list ports 'lan2:u'
	list ports 'lan3:t'
	list ports 'lan4:t'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config bridge-vlan
	option device 'br-lan.10'
	list ports 'lan3:t'
	list ports 'lan4:t'

config interface 'GST'
	option proto 'static'
	option device 'br-lan.10'
	option netmask '255.255.255.0'
	list dns '192.168.1.1'
	list dns '1.1.1.1'
	option ipaddr '192.168.10.1'

config bridge-vlan
	option device 'br-lan.20'
	list ports 'lan3:t'
	list ports 'lan4:t'

config interface 'IOT'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	list dns '192.168.1.1'

config interface 'wan'
	option proto 'dhcp'
	option type 'bridge'
	option peerdns '0'
	option device 'wan'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option device 'wan'

192.168.1.1 /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option ednspacket_max '1232'
	option noresolv '1'
	option doh_backup_noresolv '-1'
	list doh_backup_server ''
	option localservice '0'
	list server '8.8.8.8'
	list server '1.1.1.1'
	list server '1.0.0.1'
	list server '8.8.4.4'
	list server '208.67.220.220'
	list server '208.67.222.222'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'GST'
	option interface 'GST'
	option leasetime '24h'
	option start '100'
	option limit '150'

config dhcp 'IOT'
	option interface 'IOT'
	option leasetime '24h'
	option start '100'
	option limit '150'

192.168.1.1 /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'gst'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'GST'
	option input 'REJECT'
	option masq '1'

config zone
	option name 'iot'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IOT'
	option input 'REJECT'

config forwarding
	option src 'iot'
	option dest 'wan'

config forwarding
	option src 'gst'
	option dest 'wan'

config rule
	option name 'Allow-gst-DNS'
	option src 'gst'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Allow-gst-DHCP'
	option src 'gst'
	option dest_port '67-68'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option name 'Allow-iot-DNS'
	option src 'iot'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Allow-iot-DHCP'
	option target 'ACCEPT'
	list proto 'udp'
	option src 'iot'
	option dest_port '67-68'

192.168.1.1 /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option country 'US'
	option cell_density '0'
	option txpower '23'
	option htmode 'VHT80'
	option channel '36'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'U25150'
	option key 'xxxxxxxx'
	option encryption 'psk2'
	option disassoc_low_ack '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'
	option country 'US'
	option cell_density '0'
	option channel '6'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'U25124'
	option key 'xxxxxxxx'
	option encryption 'psk2'
	option disassoc_low_ack '0'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option wmm '0'
	option encryption 'psk2'
	option key 'xxxxxxxx'
	option ssid 'IOT24'
	option network 'lan'
	option hidden '1'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option channel '34'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option ssid 'GST'
	option encryption 'psk2'
	option key 'xxxxxxxx'
	option network 'GST'

AP WRT1900 with dhcp and firewall DISABLED

192.168.1.2 /etc/config/network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde9:dd97:dfce::/48'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'
	option ipaddr '192.168.1.2'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'
	list ports 'lan2:u'
	list ports 'lan3:u'
	list ports 'lan4:u'

config bridge-vlan
	option device 'br-lan.10'
	list ports 'lan1:t'

config interface 'GST'
	option device 'br-lan.10'
	option proto 'none'

config bridge-vlan
	option device 'br-lan.20'
	list ports 'lan1:t'

config interface 'IOT'
	option proto 'none'
	option device 'br-lan.20'

192.168.1.2 /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'VHT80'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option encryption 'psk2'
	option key 'xxxxxxxx'
	option ssid 'WRT1950'
	option network 'lan'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'
	option country 'US'
	option cell_density '0'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'WRT1924'
	option encryption 'psk2'
	option key 'xxxxxxxx'
	option disabled '1'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'GST'
	option encryption 'psk2'
	option key 'xxxxxxxx'
	option network 'GST'

ifconfig from the 192.168.1.2 WRT1900 AP

root@WRT1900:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 14:91:82:xx:xx:xx 
          inet6 addr: fe80::1691:82ff:fe26:283d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28256 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11666 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:5012346 (4.7 MiB)  TX bytes:5829022 (5.5 MiB)

br-lan.1  Link encap:Ethernet  HWaddr 14:91:82:xx:xx:xx  
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::1691:82ff:fe26:283d/64 Scope:Link
          inet6 addr: fde9:dd97:dfce::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28168 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11602 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4998047 (4.7 MiB)  TX bytes:5816846 (5.5 MiB)

br-lan.10 Link encap:Ethernet  HWaddr 14:91:82:xx:xx:xx  
          inet6 addr: fe80::1691:82ff:fe26:283d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:88 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:14299 (13.9 KiB)  TX bytes:4325 (4.2 KiB)

br-lan.20 Link encap:Ethernet  HWaddr 14:91:82:xx:xx:xx 
          inet6 addr: fe80::1691:82ff:fe26:283d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:3965 (3.8 KiB)

eth0      Link encap:Ethernet  HWaddr 14:91:82:xx:xx:xx  
          inet6 addr: fe80::1691:82ff:fe26:283d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1508  Metric:1
          RX packets:28425 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12708 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1024 
          RX bytes:5645835 (5.3 MiB)  TX bytes:5991925 (5.7 MiB)
          Interrupt:45 

lan1      Link encap:Ethernet  HWaddr 14:91:82:xx:xx:xx  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28425 errors:0 dropped:3 overruns:0 frame:0
          TX packets:11592 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:5134157 (4.8 MiB)  TX bytes:5862774 (5.5 MiB)

lan2      Link encap:Ethernet  HWaddr 14:91:82:xx:xx:xx  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lan3      Link encap:Ethernet  HWaddr 14:91:82:xx:xx:xx 
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lan4      Link encap:Ethernet  HWaddr 14:91:82:xx:xx:xx 
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1127 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1127 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:131262 (128.1 KiB)  TX bytes:131262 (128.1 KiB)

wlan0     Link encap:Ethernet  HWaddr 00:25:9C:xx:xx:xx  
          inet6 addr: fe80::225:9cff:fe13:b7f6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2720 (2.6 KiB)  TX bytes:7001 (6.8 KiB)

root@WRT1900:~#

I wonder if you need an "option vlan '10'" here, and also for vlan 20 in the parallel section for the 20 vlan, on both WRT3200 and WRT1900? Perhaps it's implicit and unneeded, but it should not hurt to try.

Just to check the obvious, lan1 on your wrt1900 is plugged into lan3 or lan4 of your wrt3200, right?

Finally, this falls under the category of "works for me," but I also know it is not strictly correct, wastes CPU cycles on a dumb AP and I just shouldn't do it. I replicate my firewall configuration on my dumb APs to keep the template there, and leave the firewall process and dhcp server processes running on my dumb APs - with no servers defined in /etc/config/dhcp on the dumb AP of course.

I didn't compare your firewall rules line for line to what I provided a post or two up in this thread, but nothing jumped out at me skimming over them.

Hopefully someone else can spot something for you. Good luck with it.

MISSION ACCOMPLISHED!

I can only say that this works on vlan capable routers all running 22.03.2 in "DSA" network configurations.

Main Router
192.168.1.1/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd45:bf9f:13b6::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option bridge_empty '1'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u'
	list ports 'lan2:u'
	list ports 'lan3:t'
	list ports 'lan4:t'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'dhcp'
	option type 'bridge'
	option peerdns '0'
	option device 'wan'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option device 'wan'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option local '0'

config interface 'GST'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

192.168.1.1/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'gst'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'GST'
	option input 'REJECT'
	option masq '1'

config zone
	option name 'iot'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IOT'
	option input 'REJECT'
	list device 'br-lan.20'
	option masq '1'

config forwarding
	option src 'iot'
	option dest 'wan'

config forwarding
	option src 'gst'
	option dest 'wan'

config rule
	option name 'Allow-gst-DNS'
	option src 'gst'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Allow-gst-DHCP'
	option src 'gst'
	option dest_port '67-68'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option name 'Allow-iot-DNS'
	option src 'iot'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Allow-iot-DHCP'
	option target 'ACCEPT'
	list proto 'udp'
	option src 'iot'
	option dest_port '67-68'

Enable dhcp for the br-lan.10 and br-lan.20 interfaces on the main router only. Activate firewalls on main router interfaces only.

Network config for any dumb AP is below.
Change IP. Disable or remove firewall and dhcp.
Create a wireless interface pointing to whatever you named this "unmanaged" interface.
I named this GST2. It does not have to match the interface name from the main router.

I even did a little bit of stupid. I grabbed another Dumb AP with this config and cabled it into an active Dumb AP, configured a wireless access point and the AP to AP to Main will carry a wireless guest AP.

Main Router <-------->Dumb AP<-------->Dumb AP.
192.168.1.2/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde9:dd97:dfce::/48'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'
	option ipaddr '192.168.1.2'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'
	list ports 'lan2:u'
	list ports 'lan3:u'
	list ports 'lan4:u'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option local '0'

config interface 'GST2'
	option device 'br-lan.10'
	option proto 'none'
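The question a post or two up about a bridge-vlan section without an "option vlan", and the untagged/tagged port mix in the configs above, are exactly the kind of thing that is easy to get wrong in DSA and hard to see in LuCI. Below is an added example (my code, not from anyone in this thread and not part of OpenWrt): a small Python linter that parses UCI text from /etc/config/network and /etc/config/firewall and reports bridge-vlan sections without a VLAN id, ports that are untagged members of more than one VLAN on the same bridge, interfaces bound to a br-X.N device for which no bridge-vlan N exists, firewall zones that name a network the network config does not define, isolated zones whose input policy ends up ACCEPT, and forwardings from an isolated zone into the lan zone. Assumptions: the parser only understands plain `config`/`option`/`list` lines (no `package` statements), only `br-*.N` devices are treated as bridge-vlan backed, and a zone with no `input` option is assumed to inherit the policy from the `defaults` section. The two sample configs at the bottom are constructed for this example and modelled on the main-router setup above, not copied from it.

```python
import re
from collections import defaultdict


def parse_uci(text):
    """Parse UCI text into sections {'type', 'name', 'opts': {k: v}, 'lists': {k: [v, ...]}}."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = raw.split(None, 2)  # keyword, key, rest-of-line
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "config" and len(parts) > 1:
            name = parts[2].strip().strip("'\"") if len(parts) > 2 else None
            cur = {"type": parts[1], "name": name, "opts": {}, "lists": defaultdict(list)}
            sections.append(cur)
        elif parts[0] == "option" and cur is not None and len(parts) == 3:
            cur["opts"][parts[1]] = parts[2].strip().strip("'\"")
        elif parts[0] == "list" and cur is not None and len(parts) == 3:
            cur["lists"][parts[1]].append(parts[2].strip().strip("'\""))
    return sections


def check_network(sections):
    """Flag bridge-vlans without an id, ports untagged in several VLANs, and br-X.N devices with no bridge-vlan N."""
    findings, vlans, untagged = [], set(), defaultdict(list)  # untagged[(bridge, port)] -> [vids]
    for s in sections:
        if s["type"] != "bridge-vlan":
            continue
        dev, vid = s["opts"].get("device", "?"), s["opts"].get("vlan")
        if vid is None:
            findings.append(f"bridge-vlan on {dev}: missing 'option vlan'")
            continue
        vlans.add((dev, vid))
        for entry in s["lists"].get("ports", []):
            port, _, flags = entry.partition(":")  # 'lan1' and 'lan1:u' are untagged, 'lan1:t' is tagged
            if "t" not in flags:
                untagged[(dev, port)].append(vid)
    for (dev, port), vids in untagged.items():
        if len(vids) > 1:
            findings.append(f"{dev} port {port}: untagged in VLANs {', '.join(vids)}; their frames leave this port indistinguishable")
    for s in sections:
        # Assumption: only br-*.N devices are expected to map onto a bridge-vlan section.
        m = re.fullmatch(r"(br-\S+)\.(\d+)", s["opts"].get("device", "")) if s["type"] == "interface" else None
        if m and (m.group(1), m.group(2)) not in vlans:
            findings.append(f"interface {s['name']}: device {m.group(0)} has no bridge-vlan {m.group(2)}")
    return findings


def check_firewall(net_sections, fw_sections):
    """Flag zones naming undefined networks, isolated zones with input ACCEPT, and forwardings into 'lan'."""
    defined, findings = {s["name"] for s in net_sections if s["type"] == "interface"}, []
    # Assumption: a zone without its own input policy inherits the one from 'config defaults'.
    default_input = next((s["opts"].get("input", "DROP") for s in fw_sections if s["type"] == "defaults"), "DROP")
    for s in fw_sections:
        o = s["opts"]
        if s["type"] == "zone":
            zone = o.get("name", "?")
            findings += [f"zone {zone}: network '{n}' is not defined in the network config"
                         for n in s["lists"].get("network", []) if n not in defined]
            if zone not in ("lan", "wan") and o.get("input", default_input) == "ACCEPT":
                findings.append(f"zone {zone}: input ACCEPT exposes router services to an isolated segment")
        elif s["type"] == "forwarding" and o.get("src") not in ("lan", "wan") and o.get("dest") == "lan":
            findings.append(f"forwarding {o.get('src')} -> lan: isolated zone can reach the trusted LAN")
    return findings


# Constructed sample configs, modelled on the main-router setup in this thread (not copied from it).
SAMPLE_NETWORK = """config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u'
	list ports 'lan2:u'
	list ports 'lan3:t'
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan2'
config bridge-vlan
	option device 'br-lan'
	option local '0'
config interface 'GST'
	option device 'br-lan.20'
"""
SAMPLE_FIREWALL = """config defaults
	option input 'ACCEPT'
config zone
	option name 'gst'
	option input 'REJECT'
	list network 'GST'
config zone
	option name 'iot'
	list network 'IOT'
config forwarding
	option src 'iot'
	option dest 'lan'
"""

if __name__ == "__main__":
    net, fw = parse_uci(SAMPLE_NETWORK), parse_uci(SAMPLE_FIREWALL)
    for line in check_network(net) + check_firewall(net, fw):
        print("-", line)
```

On a real box you would feed it the actual files (`check_network(parse_uci(open('/etc/config/network').read()))`) after editing and before `/etc/init.d/network restart`. The untagged-in-two-VLANs finding is the one that matters for a guest network: a port that is an untagged member of both VLAN 1 and VLAN 10 hands frames from both segments to whatever is plugged into it without any tag to tell them apart, which defeats the isolation the separate firewall zone is meant to provide.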