Guest WiFi over a VLAN - which VLANs can be used?

I have configured a guest wlan, but I want to put it onto a VLAN and trunk it over the network to the router that connects me to the Internet. I see how to do that if I dedicate a LAN port to the VLAN - for example:

  1. Add the physical LAN 2 port on the router to VLAN 3, 'untagged'
  2. Add eth0 to VLAN 3, 'Tagged'
  3. Add the WAN port on the router to VLAN 3, 'Tagged'. This is the trunk connection back to the primary router.

I could do that and it would work, but now I can't use Port 2 for any other purpose, and I don't need a wired Guest network; all the guests will be wireless.

The switch (Marvell 88E6176) supports more VLANs than the router has ports - is it possible to assign the guest wireless to a VLAN that is not associated with a LAN port? If so, how do you do that? I can use LuCI or edit the config files. There are plenty of tutorials explaining how to create a guest wireless network, and plenty explaining how to create a VLAN, but I haven't found one explaining what I want to do.

Both of my routers are Linksys WRT1900ACS, running OpenWrt 18.06.1 r7258-5eb055306f / LuCI openwrt-18.06 branch (git-18.228.31946-f64b152).

You don't have to change anything with the LAN ports or eth1.

Create a new VLAN 3 in the switch. Make the eth0 switch port and the WAN cable port both tagged in both VLANs 2 and 3. This makes it so that when a 2 or 3 tagged packet arrives on the cable, it passes to eth0 with the tag intact. The CPU can pass the packet to the proper network by using the notation eth0.2 or eth0.3.

Change the WAN physical setting from plain eth0 to eth0.2. Your configuration should no longer have anything attached to plain eth0.

Create a new network bridge for guests connected to eth0.3 and a wifi AP. This bridge should be proto "Unmanaged" because it is simply passing guest traffic which is of no interest to the OS. Deliberately not setting an IP address on the network makes it impossible for guests to log into your router.

If you need a wired guest port for an ordinary device (that doesn't tag packets), change one of the LAN ports from VLAN 1 to VLAN 3. It would still be untagged. Turn it off in VLAN 1 and untagged in VLAN 3.

The device at the other end of the "trunk" cable needs to tag the WAN packets with 2 and the guest network with 3.

That makes sense; thank you. So eth0.3 means 'VLAN3 on eth0'; it has nothing to do with physical port 3. That also means that my Steps 2 and 3 above are correct, but I don't need Step 1. What I didn't have was adding a bridge between the WiFi and the VLAN.

That raises another question; if you create a guest WiFi on both radios, OpenWrt would normally bridge those together, and LuCI doesn't allow me to add a third interface to the bridge. Can I bridge VLAN 3 to Radio 0 Guest, and then bridge Radio 1 Guest to Radio 0 Guest, and will that work?

The alternative of course is to keep the two Guest wireless networks separate all the way back to the modem - separate VLANs. That would certainly work, but seems a bit less elegant.

What is stopping you? I just check vlan3 interface and the 2 guest wifi.

Oh I see - I just tick as many interface boxes as I want to put into the bridge. Thank you.
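
As an added example (not part of any post in this thread and not OpenWrt's own code), this Python sketch audits a `/etc/config/network` excerpt against the layout the answer describes: trunk ports tagged in VLANs 2 and 3, nothing on plain eth0, and an unmanaged guest bridge with no address. The port numbers `4t`/`5t`, the interface name `guest` and the sample config are constructed assumptions.

```python
import re

# Constructed excerpt of /etc/config/network for the layout in the thread.
# Assumption: switch port 4 is the WAN socket and port 5 is the CPU port
# behind eth0; read the real numbers from your own switch page.
NETWORK = """
config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '4t 5t'
config switch_vlan
    option device 'switch0'
    option vlan '3'
    option ports '4t 5t'
config interface 'wan'
    option ifname 'eth0.2'
    option proto 'dhcp'
config interface 'guest'
    option type 'bridge'
    option ifname 'eth0.3'
    option proto 'none'
"""

def parse_uci(text):
    """Parse UCI text into a list of dicts, one per config section."""
    sections = []
    pat = r"^\s*(config|option)\s+(\S+)(?:\s+'([^']*)')?"
    for kind, key, val in re.findall(pat, text, re.M):
        if kind == "config":
            sections.append({".type": key, ".name": val})
        elif sections:
            sections[-1][key] = val
    return sections

def audit(text, trunk=("4t", "5t"), guest="guest", vids=("2", "3")):
    """Return the ways the config departs from the trunked guest layout."""
    secs, problems = parse_uci(text), []
    ports = {s.get("vlan"): (s.get("ports") or "").split()
             for s in secs if s[".type"] == "switch_vlan"}
    for vid in vids:
        if not set(trunk) <= set(ports.get(vid, [])):
            problems.append(f"VLAN {vid}: trunk ports not both tagged")
    for s in (s for s in secs if s[".type"] == "interface"):
        if "eth0" in (s.get("ifname") or "").split():
            problems.append(f"{s['.name']}: attached to untagged eth0")
        if s[".name"] == guest and (s.get("proto") != "none" or "ipaddr" in s):
            problems.append(f"{guest}: not unmanaged, router gets an address")
    return problems
```

Both guest SSIDs join the bridge through `option network 'guest'` on their `wifi-iface` sections in `/etc/config/wireless`, which this check does not read.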