I've been tearing my hair out trying to transition from a TP-Link Archer C7 2.0 to a split setup with an Edgerouter X and one Ubiquiti UAP-AC-Lite. For some reason, every time I use my hardwired Roku 3 it crashes all connectivity with the Edgerouter X, so I'm rolling back to the Archer C7 for routing until I can get some help with the ER-X from Ubiquiti.
With the ER-X I was setting up a VLAN and subnet for the guest Wifi using instructions from here:
I can't get my head around how to replicate this on LEDE. For now I'm using the simple Guest Wifi setup from the UAP-AC-Lite which uses client isolation on the same subnet as my main WiFi, but ideally I want to try and have a separate VLAN and subnet as I was able to do with the ER-X.
No, if you're not using the C7's radios, then you don't need to deal with the wireless configuration.
I did miss that you'll likely need to set up DHCP on the guest VLAN if you don't have DHCP already running on that VLAN.
Before going further, a diagram of what you want would be helpful. If your AP isn't capable of running multiple SSIDs and bridging them over VLANs to the router, things could get rather complicated.
This is a quick network diagram I knocked up with draw.io, I think that makes sense. It's where I can get to using the Ubiquiti instructions from my first post.
What I want to achieve is a separate DHCP server on the C7 in the 192.168.2.x subnet that takes the VLAN tagged traffic from the AP. I also want it to run on OpenDNS DNS servers. Basically, all the steps in the first link for the Edgerouter X up to the Unifi controller are what I want to transfer to the C7. I'm still running the Unifi Controller so the rest is the same.
The way I'd set it up would be with a separate management VLAN, assuming that the UAP-AC-Lite supports it. That way only the device(s) you have configured with an IP address in the proper range with the right VLAN tag can reach the AP. Not really a strong security mechanism, but easy enough to do and get the benefits of not being "obvious" to someone on your networks.
I show VLAN tags that make sense to me. Pick ones that make sense to you!
The switch driver in the Archer C7 only supports 128 distinct VLANs, as I recall. I explicitly supply a vid and pvid to get the proper tag, no matter the "VLAN-table number" in use.
VLAN 1 -- "standard, internal-only, OpenWRT" usage to tie the WAN port to the SoC
    eth0 -- untagged (or eth0.1 -- tagged)
    DHCP client of modem
    WAN port -- untagged

VLAN 100 -- management
    eth1.100 -- tagged
    static IP 192.168.100.1/24
    no services supplied except perhaps NTP
    LAN 4 -- tagged
    LAN 1-3 -- tagged (called out separately as for your "desktop" device(s) to manage the AP)

VLAN 150 -- private LAN
    eth1.150 -- tagged
    static IP 192.168.150.1/24
    Supplies DHCP, DNS, NTP
    LAN 1-3 -- untagged
    LAN 4 -- tagged

VLAN 200 -- guest LAN
    eth1.200 -- tagged
    static IP 192.168.200.1/24
    Supplies DHCP, DNS, NTP
    LAN 4 -- tagged
You can restrict ssh and uhttpd to only listen on 192.168.100.1 so that only hosts on that subnet with VLAN tag 100 can have access to them.
On the AP:
    The management interface adjusted to operate on 192.168.100.2/24 over VLAN 100
    Two virtual APs (2.4 and 5) are bridged to VLAN 150 for "private" wireless
    Two virtual APs (2.4 and 5) are bridged to VLAN 200 for guest wireless
    No DHCP, DNS supplied by the AP
I'd suggest the same SSID and keying (wpa2+ccmp) for the two bands to allow clients to "pick the best band", unless you want to explicitly segregate the bands. Disabling legacy rates may be necessary to enable 802.11ac rates; check the AP manual for details.
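The router side of the plan above, rendered as LEDE/OpenWrt UCI stanzas (swconfig-era /etc/config syntax), as an added example that is not from the thread's posters or from the OpenWrt project. The switch port numbers (CPU port 0, LAN1-3 as ports 2-4, LAN4 as port 5) and the VLAN table indices are assumptions for an Archer C7 v2 and must be checked against `swconfig dev switch0 show`; VLAN 1 / WAN is left to the stock config; the resolver addresses are OpenDNS's public ones. Running the script only prints the stanzas for review, it writes nothing to the router.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt): renders the VLAN plan as
# LEDE/OpenWrt UCI stanzas (swconfig-era /etc/config syntax) for review.
# ASSUMPTIONS for an Archer C7 v2 switch0; confirm with `swconfig dev switch0 show`.
CPU_PORT=0                    # assumed CPU port behind eth1
LAN_PORTS="2 3 4"             # assumed LAN1-LAN3: the "desktop" ports
AP_PORT=5                     # assumed LAN4: trunk to the UAP-AC-Lite
OPENDNS="208.67.222.222 208.67.220.220"   # public OpenDNS resolvers

# Append 't' to each port so swconfig treats it as a tagged member.
tagged() { out=""; for p in "$@"; do out="$out${out:+ }${p}t"; done; printf '%s' "$out"; }

# switch_vlan stanza: $1=table index (kept small, the driver has few slots),
# $2=802.1Q vid actually put on the wire, $3=swconfig port list.
switch_vlan() {
  printf "config switch_vlan\n\toption device 'switch0'\n\toption vlan '%s'\n\toption vid '%s'\n\toption ports '%s'\n\n" "$1" "$2" "$3"
}
# Untagged members need a pvid so their ingress frames land in the right VLAN.
switch_port() { printf "config switch_port\n\toption device 'switch0'\n\toption port '%s'\n\toption pvid '%s'\n\n" "$1" "$2"; }
# Static /24 on a tagged sub-interface of eth1: $1=name $2=ifname $3=address
iface() { printf "config interface '%s'\n\toption ifname '%s'\n\toption proto 'static'\n\toption ipaddr '%s'\n\toption netmask '255.255.255.0'\n\n" "$1" "$2" "$3"; }

render_network() {   # /etc/config/network (VLAN 1 / WAN stays as the stock config)
  printf "config switch\n\toption name 'switch0'\n\toption reset '1'\n\toption enable_vlan '1'\n\n"
  switch_vlan 2 100 "${CPU_PORT}t $(tagged $LAN_PORTS $AP_PORT)"   # mgmt: tagged everywhere
  switch_vlan 3 150 "${CPU_PORT}t $LAN_PORTS ${AP_PORT}t"          # private: untagged on LAN1-3
  switch_vlan 4 200 "${CPU_PORT}t ${AP_PORT}t"                     # guest: AP trunk only
  for p in $LAN_PORTS; do switch_port "$p" 150; done
  iface mgmt  eth1.100 192.168.100.1
  iface lan   eth1.150 192.168.150.1   # keeps the stock 'lan' firewall zone
  iface guest eth1.200 192.168.200.1
}

render_dhcp() {      # /etc/config/dhcp: forward to OpenDNS, no DHCP on mgmt
  printf "config dnsmasq\n\toption domainneeded '1'\n\toption localservice '1'\n\toption noresolv '1'\n"
  for s in $OPENDNS; do printf "\tlist server '%s'\n" "$s"; done
  printf "\nconfig dhcp 'mgmt'\n\toption interface 'mgmt'\n\toption ignore '1'\n\n"
  for net in lan guest; do
    printf "config dhcp '%s'\n\toption interface '%s'\n\toption start '100'\n\toption limit '150'\n\toption leasetime '12h'\n\n" "$net" "$net"
  done
}

render_firewall() {  # /etc/config/firewall: guests reach only the WAN
  printf "config zone\n\toption name 'mgmt'\n\tlist network 'mgmt'\n\toption input 'ACCEPT'\n\toption output 'ACCEPT'\n\toption forward 'REJECT'\n\n"
  printf "config zone\n\toption name 'guest'\n\tlist network 'guest'\n\toption input 'REJECT'\n\toption output 'ACCEPT'\n\toption forward 'REJECT'\n\n"
  printf "config forwarding\n\toption src 'guest'\n\toption dest 'wan'\n\n"
  # Guests still need the router's DHCP, DNS and NTP despite input REJECT.
  printf "config rule\n\toption name 'guest-local-services'\n\toption src 'guest'\n\toption proto 'tcpudp'\n\toption dest_port '53 67 123'\n\toption target 'ACCEPT'\n\n"
}

render_services() {  # dropbear and uhttpd bound to the management address only
  printf "# /etc/config/dropbear\nconfig dropbear\n\toption Interface 'mgmt'\n\toption PasswordAuth 'on'\n\n"
  printf "# /etc/config/uhttpd (replace the stock 0.0.0.0 and [::] listen entries)\nconfig uhttpd 'main'\n\tlist listen_http '192.168.100.1:80'\n\tlist listen_https '192.168.100.1:443'\n\n"
}

render_all() {       # print every section, labelled with its target file
  for f in network dhcp firewall services; do
    printf "##### %s #####\n" "$f"; "render_$f"
  done
}
render_all
```

Paste each section into the matching file under /etc/config (or feed the equivalent `uci set` commands), then `/etc/init.d/network restart` and `/etc/init.d/firewall restart`. Do the management binding last and from a host on VLAN 100, since once dropbear and uhttpd listen only on 192.168.100.1 the private LAN can no longer reach the router's admin services.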
I think I've managed to figure out the problem with my ER-X so I've redeployed that, but this VLAN project on the Archer C7 will be resurrected on a rainy day in my homelab...