How to configure OpenWrt according to this diagram?

The LAN "ports" do not have a static IP on them... it is actually the OpenWrt device itself that has an address on the network. The ports are simply physical ports on a switch. If your router is plugged into the upstream router via one of the LAN ports now, the other ports will behave just as a simple switch on the network -- i.e. giving you more ports on the same network.

The change I am telling you to do with respect to port 0 is very simple -- port 0 is the logical assignment for the physical WAN port on your device. By moving it into the other section (with VLAN1), it becomes just another port on the LAN. This will allow you to physically plug your upstream router into that port and everything should work as you have requested.

I wonder why this approach is required.
Do you want that every device can see all others?
I don't like that. A guest with a mobile and even my business computer should not see my internal LAN.
I have simply a LAN cable from the main router to the OpenWRT WAN Port as mentioned above. The OpenWRT operates its own subnet, provides DHCP and WLAN, and has the gateway to the internet.
What is the disadvantage? Double firewall and NAT? I don't see any issue. The bottleneck is the speed of the internet connection, not the small delay from a second router.

Depends on the speed of your internet connection, doesn't it?
If you're routing 1+ Gbit, you'll suddenly need two devices capable of routing at those speeds.

What part of the approach are you questioning?

I can't speak for the OP, but based on the diagram provided at the beginning of the thread, yes, that is the intent.

This is a different approach than the OP seems to want. However, it is possible that your network isn't actually doing what you think it is, depending on how you have configured things. For example, based on your description, it sounds like you have set up a standard double-NAT. But, unless you have configured firewall rules appropriately, the devices that are directly connected to the main router would actually still be accessible to the clients behind the OpenWrt router, just not the other way around. So your security all depends on where the "trusted" LAN really exists in your infrastructure, and how you've configured your firewall rules.

There are many different ways to configure a network -- yours sounds like it is necessarily different than the OP's based on the differences in the goals.

That's correct. But I assume the question was related to a private environment. I don't know any admin who is allowed to work with OpenWRT. These guys simply order a powerful CISCO device. LOL
I am happy with a speed of 200 Mbps and it makes no difference whether the traffic goes through 1, 2 or 3 routers. Latency is between 10 and 20 ms and I cannot measure the impact from an additional device.
And I like to have the first network as some kind of DMZ. Only non-critical devices, and WPA2 without MAC restriction is OK and simple to use.
Access to the internal LAN is allowed only for my own devices and the WLAN runs WPA3 only.

Your analysis is correct. This design is intended.
In the first network I have a printer, a public NAS and some other non-critical things. They can be accessed from both networks and I can simply grant access for guests. But they cannot see my internal network.

What you are describing is a network that meets goals that you have set for your environment. This doesn't fit the requirements of the OP, though, who wants just a single contiguous network.

Multiple layers of NAT are not required to protect networks, and in fact, it is the firewalls that do the protection, not NAT.

I personally prefer to run VLANs on a single router and craft firewall rules to protect the networks as required. This makes the whole network easier to administer and more consistent in terms of a security model.

I am not sure that the requirements are really clear.
Anyhow, the solution with a dumb AP will work.
How is this configured regarding WLAN?
The same SSID and different channels?

Really? The requirements seem perfectly clear to me... Per the diagram and descriptions, the OP wants:

  • all devices to be on the same network (they will all be on the 192.168.1.0/24 network with gateway/DNS at 192.168.1.1)
  • to have the OpenWrt C20i use the address 192.168.1.2
  • to connect the second device to the main router via a wire
  • to make the wired connection between the LAN port of the primary router and the physical WAN port of the C20i (secondary device).

That's it. And that is what the dumbAP configuration enables, with the modification simply being to add the physical WAN port to the logical LAN.
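An added example, not posted by anyone in this thread: a shell snippet that emits the /etc/config/network for the dumb AP layout described above (192.168.1.2, gateway and DNS at 192.168.1.1, physical WAN port 0 folded into VLAN 1, no separate wan interface) and a small check that the result meets those requirements. The switch port numbers, CPU port 6 and the eth0.1 name are assumptions for a swconfig-based device like the C20i; confirm them on the real box before applying.

```shell
#!/bin/sh
# Generate the dumb-AP network config discussed in the thread.
# Assumptions (not from the thread): port 0 = physical WAN, ports 1-4 = LAN
# ports, port 6 = CPU port (tagged), CPU-side interface eth0.1. Check with
# `swconfig dev switch0 show` on the actual device.
dumb_ap_network_config() {
    cat <<'EOF'
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option dns '192.168.1.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 now carries every physical port, including port 0 (the old WAN
# port), plus the CPU port tagged. The former WAN VLAN is dropped entirely.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 4 6t'
EOF
}

# Verify a network config read from stdin against the dumb-AP requirements.
# Returns 0 when all hold, 1 otherwise. Remember to also disable dnsmasq,
# odhcpd and the firewall on the AP so the main router stays the only DHCP
# server and gateway on 192.168.1.0/24.
check_dumb_ap() {
    cfg=$(cat)
    echo "$cfg" | grep -q "option ipaddr '192.168.1.2'" || return 1
    echo "$cfg" | grep -q "option gateway '192.168.1.1'" || return 1
    echo "$cfg" | grep -q "option dns '192.168.1.1'" || return 1
    # port 0 must appear in the single LAN VLAN
    echo "$cfg" | grep -q "option ports '0 " || return 1
    # a separate wan interface would mean the device is still routing
    if echo "$cfg" | grep -q "interface 'wan'"; then return 1; fi
    return 0
}
```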

That has not been discussed here. Thus far, the OP appeared to be primarily interested in the basic network/device configuration to enable the goals stated above. But ideally, the device should have the same SSID and password, and should be on a different channel. Power should also be tuned to encourage client roaming.