I'm missing something or not getting something but I'm real close thanks to you all.
My main WRT3200 router seems to be performing exactly as you drew it up for me.
I believe the vlans are up and talking to the APs.
Connecting to the GST network through a wireless interface on the main router produces a login and an internet connection while blocking all access to local network endpoints, as designed.
What I can't make happen is creating a wireless interface on an AP that will present a login and a connection.
I can ssh into the APs and ping the VLAN addresses, and the WRT3200 responds.
ifconfig shows vlans without errors.
I'm stumped...
WRT3200 Main Router
192.168.1.1/etc/config/network
# Main router /etc/config/network: loopback, one bridge 'br-lan' over lan1-lan4
# with bridge-vlan sections, and the interfaces lan (br-lan.1), GST (br-lan.10),
# IOT (br-lan.20), wan and wan6.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd45:bf9f:13b6::/48'
# Bridge carrying all four LAN switch ports; VLAN membership is set per port below.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
# VLAN 1: lan1/lan2 untagged (:u), lan3/lan4 tagged (:t).
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1:u'
list ports 'lan2:u'
list ports 'lan3:t'
list ports 'lan4:t'
# Trusted LAN, addressed on VLAN 1.
config interface 'lan'
option device 'br-lan.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
# NOTE(review): unlike the VLAN 1 section above, this section names 'br-lan.10'
# as its device and has no 'option vlan'. Presumably the intent was
# device 'br-lan' with vlan '10'; as written the bridge may not carry VLAN 10
# on lan3/lan4 at all - confirm against the OpenWrt bridge-vlan documentation.
config bridge-vlan
option device 'br-lan.10'
list ports 'lan3:t'
list ports 'lan4:t'
# Guest network, 192.168.10.1/24 on br-lan.10.
config interface 'GST'
option proto 'static'
option device 'br-lan.10'
option netmask '255.255.255.0'
list dns '192.168.1.1'
list dns '1.1.1.1'
option ipaddr '192.168.10.1'
# NOTE(review): same pattern as the VLAN 10 section - device 'br-lan.20' and
# no 'option vlan'; presumably device 'br-lan' with vlan '20' was intended.
config bridge-vlan
option device 'br-lan.20'
list ports 'lan3:t'
list ports 'lan4:t'
# IoT network, 192.168.20.1/24 on br-lan.20.
config interface 'IOT'
option device 'br-lan.20'
option proto 'static'
option ipaddr '192.168.20.1'
option netmask '255.255.255.0'
list dns '192.168.1.1'
# Upstream: DHCP client on the 'wan' port; peerdns '0' ignores the DNS servers
# offered by the upstream DHCP server.
config interface 'wan'
option proto 'dhcp'
option type 'bridge'
option peerdns '0'
option device 'wan'
config interface 'wan6'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option device 'wan'
192.168.1.1/etc/config/dhcp
# Main router /etc/config/dhcp: dnsmasq settings plus DHCP pools for lan, GST
# and IOT; wan is ignored.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
# DNS rebind protection is on, including for localhost answers.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option ednspacket_max '1232'
# noresolv '1': upstreams come only from the 'list server' entries below.
option noresolv '1'
# NOTE(review): the doh_backup_* entries look like leftovers written by a
# DNS-over-HTTPS proxy package - confirm whether one is still installed.
option doh_backup_noresolv '-1'
list doh_backup_server ''
# NOTE(review): localservice '0' lets dnsmasq answer queries from addresses
# outside its local subnets. Exposure then depends entirely on the firewall
# (the wan zone in the firewall file has input REJECT); consider leaving this
# at '1' unless a routed subnet needs it.
option localservice '0'
# Plain (unencrypted) upstream resolvers, used for every zone's lookups.
list server '8.8.8.8'
list server '1.1.1.1'
list server '1.0.0.1'
list server '8.8.4.4'
list server '208.67.220.220'
list server '208.67.222.222'
# Trusted LAN pool: .100 upward, 150 addresses, 12h leases, IPv6 RA/DHCPv6 server.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
# No DHCP service on the upstream side.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Guest pool: .100 upward, 150 addresses, 24h leases. No dhcp_option is set,
# so clients presumably receive the router's GST address as gateway and DNS.
config dhcp 'GST'
option interface 'GST'
option leasetime '24h'
option start '100'
option limit '150'
# IoT pool: same range and lease time as the guest pool.
config dhcp 'IOT'
option interface 'IOT'
option leasetime '24h'
option start '100'
option limit '150'
192.168.1.1/etc/config/firewall
# Main router /etc/config/firewall: zones lan, wan, gst and iot; gst and iot may
# only forward to wan and may reach the router itself only for DNS and DHCP.
# NOTE(review): the default input policy is ACCEPT. Each zone below sets its own
# input policy, but an interface that is not a member of any zone would fall
# back to this default - consider 'REJECT' here.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# Trusted zone: full access to the router and between lan members.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# Upstream zone: inbound rejected, outbound NATed (masq) with MSS clamping.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
# The rules from here to the include are exceptions to the wan zone's REJECT policy.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# NOTE(review): the next two rules forward ESP and UDP/500 from wan into lan.
# If no IPsec endpoint lives on the lan, they can be disabled to shrink the
# inbound surface.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Present but switched off (enabled '0').
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
# Custom rules file; its contents are not shown on this page.
config include
option path '/etc/firewall.user'
# Guest zone: no access to the router (input REJECT) and no forwarding except
# what the forwarding sections below allow.
# NOTE(review): masq '1' here NATs traffic leaving through the GST interface
# itself; guest-to-internet traffic is already masqueraded by the wan zone, so
# this looks unnecessary - confirm and drop if unused.
config zone
option name 'gst'
option output 'ACCEPT'
option forward 'REJECT'
list network 'GST'
option input 'REJECT'
option masq '1'
# IoT zone: same policy as gst, without masquerading.
config zone
option name 'iot'
option output 'ACCEPT'
option forward 'REJECT'
list network 'IOT'
option input 'REJECT'
# iot and gst may forward only to wan; no forwarding to lan is defined, which
# is what keeps both zones away from local endpoints.
config forwarding
option src 'iot'
option dest 'wan'
config forwarding
option src 'gst'
option dest 'wan'
# The four rules below have a src zone and no dest, so they open the named
# ports on the router itself: DNS (53 tcp/udp) and DHCP (67-68 udp).
config rule
option name 'Allow-gst-DNS'
option src 'gst'
option dest_port '53'
option target 'ACCEPT'
list proto 'tcp'
list proto 'udp'
config rule
option name 'Allow-gst-DHCP'
option src 'gst'
option dest_port '67-68'
option target 'ACCEPT'
list proto 'udp'
config rule
option name 'Allow-iot-DNS'
option src 'iot'
option dest_port '53'
option target 'ACCEPT'
list proto 'tcp'
list proto 'udp'
config rule
option name 'Allow-iot-DHCP'
option target 'ACCEPT'
list proto 'udp'
option src 'iot'
option dest_port '67-68'
192.168.1.1/etc/config/wireless
# Main router /etc/config/wireless: radio0 (5 GHz, ch 36) and radio1 (2.4 GHz,
# ch 6) each serve a 'lan' SSID; radio1 also serves 'IOT24', radio0 also serves
# 'GST'; radio2 is disabled. All SSIDs use WPA2-PSK ('psk2'); keys are masked.
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11a'
option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
option country 'US'
option cell_density '0'
option txpower '23'
option htmode 'VHT80'
option channel '36'
# Trusted SSID on radio0, bridged to the 'lan' network.
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'U25150'
option key 'xxxxxxxx'
option encryption 'psk2'
option disassoc_low_ack '0'
config wifi-device 'radio1'
option type 'mac80211'
option hwmode '11g'
option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
option htmode 'HT20'
option country 'US'
option cell_density '0'
option channel '6'
# Trusted SSID on radio1, bridged to the 'lan' network.
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'U25124'
option key 'xxxxxxxx'
option encryption 'psk2'
option disassoc_low_ack '0'
# NOTE(review): the 'IOT24' SSID is attached to network 'lan', not 'IOT'.
# Clients joining it land in the trusted lan zone (input/forward ACCEPT) and the
# iot zone's restrictions never apply to them. Presumably 'IOT' was intended -
# confirm. hidden '1' only suppresses the SSID in beacons; it is not an access
# control.
config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option wmm '0'
option encryption 'psk2'
option key 'xxxxxxxx'
option ssid 'IOT24'
option network 'lan'
option hidden '1'
# Third radio, switched off.
config wifi-device 'radio2'
option type 'mac80211'
option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
option channel '34'
option band '5g'
option htmode 'VHT80'
option disabled '1'
# Guest SSID on radio0, attached to the 'GST' network (gst firewall zone).
# NOTE(review): no 'option isolate' is set, so guest clients on this SSID can
# presumably reach each other at layer 2; consider isolate '1' for a guest network.
config wifi-iface 'wifinet4'
option device 'radio0'
option mode 'ap'
option ssid 'GST'
option encryption 'psk2'
option key 'xxxxxxxx'
option network 'GST'
AP WRT1900 with dhcp and firewall DISABLED
192.168.1.2/etc/config/network
# AP (192.168.1.2) /etc/config/network: management address on VLAN 1, with
# VLANs 10 and 20 meant to arrive tagged on lan1 and be bridged to Wi-Fi only.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fde9:dd97:dfce::/48'
# Management interface: static 192.168.1.2, gateway and DNS on the main router.
config interface 'lan'
option device 'br-lan.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.1.1'
list dns '192.168.1.1'
option ipaddr '192.168.1.2'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
# VLAN 1: tagged on lan1 (presumably the uplink to the main router's tagged
# lan3/lan4 - confirm cabling), untagged on lan2-lan4.
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1:t'
list ports 'lan2:u'
list ports 'lan3:u'
list ports 'lan4:u'
# NOTE(review): unlike the VLAN 1 section above, this section names 'br-lan.10'
# as its device and has no 'option vlan'. Presumably the intent was
# device 'br-lan' with vlan '10'; as written VLAN 10 may never be added to the
# bridge, which would fit a guest SSID on this AP that gives no login or
# connection - confirm against the OpenWrt bridge-vlan documentation.
config bridge-vlan
option device 'br-lan.10'
list ports 'lan1:t'
# Unmanaged (proto 'none'): the AP takes no address in the guest VLAN, so its
# own services are not addressable from that network.
config interface 'GST'
option device 'br-lan.10'
option proto 'none'
# NOTE(review): same pattern as the VLAN 10 section - device 'br-lan.20' and
# no 'option vlan'; presumably device 'br-lan' with vlan '20' was intended.
config bridge-vlan
option device 'br-lan.20'
list ports 'lan1:t'
# Unmanaged, as for GST.
config interface 'IOT'
option proto 'none'
option device 'br-lan.20'
192.168.1.2/etc/config/wireless
# AP (192.168.1.2) /etc/config/wireless: radio0 is enabled and serves only the
# 'GST' SSID; both 'lan' SSIDs and radio1 are disabled.
# NOTE(review): the three 'option key' values in this file are posted in clear,
# while the main router's keys are masked as 'xxxxxxxx'. Treat this passphrase
# as disclosed: change it on every SSID that uses it and mask it before sharing
# configs.
config wifi-device 'radio0'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
option htmode 'VHT80'
option country 'US'
option cell_density '0'
# Trusted SSID on radio0, currently disabled.
config wifi-iface 'default_radio0'
option device 'radio0'
option mode 'ap'
option encryption 'psk2'
option key 'Lane1952'
option ssid 'WRT1950'
option network 'lan'
option disabled '1'
# 2.4 GHz radio, switched off.
config wifi-device 'radio1'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
option htmode 'HT20'
option country 'US'
option cell_density '0'
option disabled '1'
# Trusted SSID on radio1, disabled.
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'WRT1924'
option encryption 'psk2'
option key 'Lane1952'
option disabled '1'
# Guest SSID on radio0, attached to the unmanaged 'GST' network (br-lan.10).
# NOTE(review): the guest SSID shares its passphrase with the two trusted SSIDs
# in this file, so anyone given guest access also holds the key for those if
# they are re-enabled; use a separate guest key. No 'option isolate' is set, so
# guest clients can presumably reach each other - consider isolate '1'.
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'GST'
option encryption 'psk2'
option key 'Lane1952'
option network 'GST'
ifconfig From 192.168.1.2 wrt1900 AP
root@WRT1900:~# ifconfig
br-lan Link encap:Ethernet HWaddr 14:91:82:xx:xx:xx
inet6 addr: fe80::1691:82ff:fe26:283d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:28256 errors:0 dropped:0 overruns:0 frame:0
TX packets:11666 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5012346 (4.7 MiB) TX bytes:5829022 (5.5 MiB)
br-lan.1 Link encap:Ethernet HWaddr 14:91:82:xx:xx:xx
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::1691:82ff:fe26:283d/64 Scope:Link
inet6 addr: fde9:dd97:dfce::1/60 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:28168 errors:0 dropped:0 overruns:0 frame:0
TX packets:11602 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4998047 (4.7 MiB) TX bytes:5816846 (5.5 MiB)
br-lan.10 Link encap:Ethernet HWaddr 14:91:82:xx:xx:xx
inet6 addr: fe80::1691:82ff:fe26:283d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:88 errors:0 dropped:0 overruns:0 frame:0
TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:14299 (13.9 KiB) TX bytes:4325 (4.2 KiB)
br-lan.20 Link encap:Ethernet HWaddr 14:91:82:xx:xx:xx
inet6 addr: fe80::1691:82ff:fe26:283d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:3965 (3.8 KiB)
eth0 Link encap:Ethernet HWaddr 14:91:82:xx:xx:xx
inet6 addr: fe80::1691:82ff:fe26:283d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1508 Metric:1
RX packets:28425 errors:0 dropped:0 overruns:0 frame:0
TX packets:12708 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1024
RX bytes:5645835 (5.3 MiB) TX bytes:5991925 (5.7 MiB)
Interrupt:45
lan1 Link encap:Ethernet HWaddr 14:91:82:xx:xx:xx
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:28425 errors:0 dropped:3 overruns:0 frame:0
TX packets:11592 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5134157 (4.8 MiB) TX bytes:5862774 (5.5 MiB)
lan2 Link encap:Ethernet HWaddr 14:91:82:xx:xx:xx
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
lan3 Link encap:Ethernet HWaddr 14:91:82:xx:xx:xx
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
lan4 Link encap:Ethernet HWaddr 14:91:82:xx:xx:xx
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:1127 errors:0 dropped:0 overruns:0 frame:0
TX packets:1127 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:131262 (128.1 KiB) TX bytes:131262 (128.1 KiB)
wlan0 Link encap:Ethernet HWaddr 00:25:9C:xx:xx:xx
inet6 addr: fe80::225:9cff:fe13:b7f6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15 errors:0 dropped:0 overruns:0 frame:0
TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2720 (2.6 KiB) TX bytes:7001 (6.8 KiB)
root@WRT1900:~#