Guest accounts on Dumb APs using DSA (part 2?)

As I mentioned in my first post, I'm new to OpenWRT but have been a DD-WRT user for 20 some years. So far, it seems to be the right solution to my issues with current DD-WRT direction. I'm still trying to grasp the LuCI in regards to config... especially devices/interfaces. But overall it is working well.

My primary router is pfSense on a Netgate appliance. I have a long house/garage strung out across a mountain side, 4 dumb APs (WRT3200ACM). All the WAPs are setup with back-haul connections to the primary router. With some help here, a bit of digging and a video or two I have the primary access via dumb APs with fast switching working extremely well.

But I'm still trying to setup a Guest network using VLAN IDs and VLAN filtering. I'm fairly certain I have the Guest network configured/working correctly on pfSense and the back-haul connection as I borrowed a UniFy AP (much easier config, for me) and was able to get wireless devices working on the Guest network and pulling configured DHCP addresses for the Guest network. I did read and even built a backup dumb AP with the "Guest Wi-FI" and "Guest Wi-Fi on a dumb wireless AP" sections on the website. But those configs weren't using VLAN IDs. I'm missing something. It's not clicking.

As mentioned, no router/firewall/DHCP functions on the WAPs. WAN/WAN6 were deleted. WAN port was assigned to the br-lan bridge and used as the back-haul for the Dumb APs. Guest wireless interface put on the 2.4Ghz band (radio1 on WRT3200ACM), purely for range considerations.

After toying with this off and on for the last month, I'm sure I'm just missing some concept. At the suggestion of someone on another forum I did drop back to 19.07 and was able to get the guest account working with the VLAN 10 as configured coming from pfSense... but that negated some of the issues that 21.02 had corrected (over DD-WRT) with the WRT3200ACMs that I use. Plus, I wanted to be able to move forward with future releases that will have DSA. I'm just missing some concept as I can get the vlan configured as an 802.1q device, assign the wireless account but if I attempt to set any vlan filtering off the main bridge, I get into a lockout failure and have to revert. Likewise, if I go without the vlan filtering I can build the guest wireless and vlan I can see packets moving but any attempt to log onto the wireless guest account passes security but never completes the connection.

Unfortunately, the wiki documentation I could find on this site is all based on pre-DSA builds.

I'm not sure how you folks like to do bounties here, but if there is someone here who really feels they have a handle on DSA and are willing to help, I'm certainly willing to pay for your time. It would help if you have a WRT3200ACM to work with, but if not, I could provide some other options depending on where you are.

Please send a direct message of some sort and I'll reply with an email to make this easier and provide any detail needed. At one point many years ago, I was a technical writer. I'd be happy to document the fix and post it here.

Thanks,
Cosmo

Have you seen:

I've not, Thanks!

So after working on this for days with various people on various platforms, this seems to be boiling down to Marvell drivers just not being happy with multiple SSIDs on a single radio under version 21.02.x. I've tried all the releases under 21.02 that are available. I'm only assuming they are the same drivers as used in 19.07. I can make this setup work on 19.07.10 so I'm not sure why it isn't working on 21. It was recommended I bring this up to Eduardo Perez, but I'm new here and not sure how to get this to him. If someone can forward this to him or show me how, I'll be glad to.

It's a really too bad, I had seven items I needed to get working and got the first 6 working without issue under 21.02.x. This GUEST account via VLAN has been a pain. I was hopeful OpenWRT was the right solution. Maybe it is fixable.

Thank you.