Help - Wifi repeater using openWRT

Hello,
I'm looking for help to set up my 2 OpenWRT APs.
Because a picture explains a lot better than words, let's start with what my target is:

I am fairly competent when it comes to networking, not so much with wireless standards though.
The OPNsense part is already sorted out: I do have a captive portal running on VLAN20, devices there are being restricted to the captive portal until successful login, works all fine, now I need to bring it wirelessly closer to my client devices :wink:
As you can see, I can't sadly bring an ethernet cable near enough to set my AP near my clients, I will need 2 APs to bridge over the wall(s).

I'm thinking about setting the NeWifi D2 (the AP without a cable) to repeater mode, but I'm conflicted between relayd and WDS, not really sure what/how to do. I think not all that I'd wish is possible...
In fact, my NeWifi D2 behaves in such a way that if I set up a wireless network on the 2.5GHz radio in client mode, it is then not broadcasting any other wireless config that I add as AP: seems it cannot be both client and AP on the same radio, and it has a single 2.5G radio.

My clients also do need 2.5GHz (as there will also be some walls sometimes between AP#2 and clients where 5GHz will not be possible), so backhaul using 2.5GHz and clients on 5GHz to dedicate 1 radio to each task is sadly not an option for me :frowning:

For VLAN20 the APs need to broadcast an open SSID, no password, no WPAx... That's why I have the captive portal :wink:

I would like to keep a secure management channel to both APs from my router (that gives me remote management).

But I'd be willing for the AP#2 to sit only on VLAN20, with its own IP there and being managed over a 192.168.20.0/24 IP, it can probably firewall itself from any client anyway and keep access to its management only from my router 192.168.20.1/24 that I could set up to NAT me or reverse-proxy for me anyway for any management operation I'd need to do. Ideally the APs would not even exist on VLAN20, only broadcast the associated network and pass packets between clients and the AP#1 up to the router, but I'm not seeing it as a possibility with a single radio :frowning:
If you know of a way, please guide me there :wink:

Not knowing better, my current plan is this:
(see picture in the next post as new users can only post 1 media per post, sorry)
If you have any idea how I could get it closer to my original picture (my target), that is mainly keeping AP#2 both broadcasting the SSID for clients to access VLAN20 through it AND at the same time itself not being present on VLAN20, and remain remotely manageable.

Last option I could see is maybe set up WDS on the radios and let the AP have an IP only on its cabled ports, so management would require to plug myself physically into it, but at least there is no way to get at it from the wireless that it broadcasts...

And finally, as I'm new in the world of repeaters, I'm not even sure it is possible for AP#2 to broadcast on 5GHz in repeater mode if it is itself not in reach of the 5GHz radio of AP#1. Is it possible for a client to connect using 5GHz to AP#2 and have it "backhaul"/repeat traffic over the 2.5GHz band for AP#1 to pick it up and ultimately reach my router?

Any help would be very appreciated, thanks in advance !
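
The idea mentioned in the post, AP#2 firewalling itself so that only the router at 192.168.20.1 can reach its management services, sketched as an OpenWrt `/etc/config/firewall` fragment. This is an added example, not part of the original post; the interface name `vlan20`, the zone name `portal`, a static address on AP#2, and the management ports (SSH on 22, LuCI over HTTPS on 443) are assumptions.

```uci
# /etc/config/firewall on AP#2 (added example; names are assumptions)
# 'vlan20' is a hypothetical interface name for the network that carries
# the open SSID and holds AP#2's static 192.168.20.x address.

config zone
	option name 'portal'
	list network 'vlan20'
	# Default-deny for anything addressed to the AP itself from VLAN20.
	option input 'REJECT'
	option output 'ACCEPT'
	# The AP bridges client frames; it does not route between networks.
	option forward 'REJECT'

# Only the router's address may open SSH to the AP.
config rule
	option name 'Mgmt-SSH-from-router'
	option src 'portal'
	option src_ip '192.168.20.1'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

# Only the router's address may reach the web UI (assumes LuCI on HTTPS).
config rule
	option name 'Mgmt-HTTPS-from-router'
	option src 'portal'
	option src_ip '192.168.20.1'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'
```

On an open SSID a client can forge the source address 192.168.20.1, so this filter narrows exposure but is not authentication: key-only SSH and a strong LuCI password are still needed on AP#2.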

My current plan with the picture :