How to set up a separate wifi SSID with VLAN on OpenWrt?

There is a TP-Link TL-WR740N router with OpenWrt 18.06.9 installed. The setup is: 1 SSID, bridged with switch and WAN port, so the router acts like an AP (DHCP disabled, just "converting ethernet to wifi").

With Unifi APs you can add another SSID with VLAN (so 1 SSID will be without VLAN and 1 SSID will be with VLAN). How to do the same with OpenWRT?

Create a new interface and use tagging on the physical interface port, e.g. eth0.10
Then create the ssid and assign it to the network of the interface you just created.
For example:

config interface 'iot'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '172.30.30.1'
        option ifname 'eth0.3'

config interface 'guest'
        option proto 'static'
        option ifname 'eth0.2'
        list ipaddr '172.17.17.1/24'
...
then assign the new ssids to guest and iot.

Thank you. I've figured out creating interfaces and assigning them, but I have an issue with VLANs.

By default there are no VLANs, for Unifi and for this OpenWRT. Then I add just VLAN 12, in Unifi I create a new SSID and assign VLAN 12 there. Now in Unifi I have the main network (without VLAN) and guest network (VLAN 12).

In OpenWRT I add VLAN 12 - by default it's off for all ports. I've tried all combinations, but I cannot figure out which combination allows 2 networks to work. I cannot set "untagged" for the other VLAN. If I set "tagged" for VLAN 12, it works, but the main network is down.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless
{
        "kernel": "4.9.243",
        "hostname": "OpenWrt",
        "system": "Atheros AR9330 rev 1",
        "model": "TP-Link TL-WR740N\/ND v4",
        "board_name": "tl-wr741nd-v4",
        "release": {
                "distribution": "OpenWrt",
                "version": "18.06.9",
                "revision": "r8077-7cbbab7246",
                "target": "ar71xx\/tiny",
                "description": "OpenWrt 18.06.9 r8077-7cbbab7246"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9a:debb:74ed::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'dhcp'
        option ifname 'eth0.1 eth1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 1 2 3 4'
        option vid '1'

config interface 'guest'
        option proto 'static'
        list ipaddr '192.168.12.4/24'
        option type 'bridge'
        option ifname 'eth0.12'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '12'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/ar933x_wmac'
        option htmode 'HT20'
        option legacy_rates '1'
        option channel 'auto'
        option country 'UA'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option network 'lan'
        option ssid 'REDACTED'
        option encryption 'psk2+ccmp'
        option key 'REDACTED'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'REDACTED'
        option encryption 'psk2+ccmp'
        option key 'REDACTED'
        option network 'guest'

root@OpenWrt:~#

You need to tag vlan12 on the CPU port (should be 0) and the port going to the UAP.


When I do this, the main network goes down and in 30 seconds changes revert.

The rollback of the configuration is a sign that communication was lost between the browser and the device. Maybe you are tagging the wrong port?
Take a look at this note.


There is only 1 cable connected, thus only one port used. If I have VLANs by default (VLAN 1 0t 1 2 3 4) - main network works. If I add VLAN 12 and set it tagged, VLAN 12 (guest network) works, but main network is down.

Did a little research and experiment:

  1. Deleted ALL the VLANs from "Switch".
  2. Bridged eth0, eth1 and main radio to LAN network
  3. Bridged eth0.12, eth1.12 and guest radio to GUEST network

Everything works OK using eth1 (WAN port), but in eth0 (switch) works only guest (eth0.12). Is there any possibility I can make this work with eth0? In case someone smart enough switches cable from WAN port to any of switch ports.

Reading this, your problem seems to be that port 1 is an untagged port belonging to vlan1 and at the same time a tagged port for vlan 12, which is not possible.

It is easy and straightforward to assign untagged ports to your guest vlan. You could e.g. assign port 1, 2 to lan and 3, 4 to guest, ...

But if you want to have a port belonging to both, lan and guest, it should be tagged on both. So your lan ports should be 0t 1t 2 3 4, your guest ports 0t 1t, your lan vlan1, your guest vlan12.

But normally port tagging is NOT exposed to end devices, it is just used between switches. So a switch connected to tagged port 1 could then expose lan and guest on different untagged ports.

If I set the port both tagged in VLAN 1 and VLAN 12, the main network goes down (I cannot access the router from main network, and I cannot access main network from main radio).

But, as I said, even with VLANs deleted from "Switch", it works with eth1 (WAN), but not with eth0 (switch). So is it possible to make it work with eth0? Or should I just put a sticker on eth0 ports with "do not use" label? :slight_smile:

When you add tagging on vlan1, does the other end also add tagging?
Generally you need to have the switch configured to assign vlans to each port. However if you are trying to connect to the router with a pc the moment you tag vlan1 it will become unreachable. So you'd need to tag on the pc or whatever is connected to that port too.
Another solution is to create an SSID and assign it to an interface without attaching it to any physical ports. Then connect to that SSID and do your changes on both OpenWrt and the uplink router.

Example:

config interface 'lan'
        option type 'bridge'
        option proto 'dhcp'
        option ifname 'eth0.1 eth1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 1 2 3 4'
        option vid '1'

config interface 'guest'
        option proto 'static'
        list ipaddr '192.168.12.4/24'
        option type 'bridge'
        option ifname 'eth0.12'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1t 2t 3t 4t'
        option vid '12'

config interface 'mgmt'
        option proto 'static'
        list ipaddr '192.168.100.1/24'

...
config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'mgmt'
        option encryption 'psk2+ccmp'
        option key 'mgmt'
        option network 'mgmt'

There is an option to have a port untagged and tagged at the same time, in that case you have to add the default vlan ID for the untagged one:

config switch_port
    option port '1'
    option pvid '1'

But you should do this only for the port the Unifi AP is connected to, all other ports should NOT be tagged and NOT be used for your guest net.

So your network config ports for lan would look like 0t 1 2 3 4

for guest 0t 1t

and you would need the above mentioned switch_port config. See https://serverfault.com/questions/507176/openwrt-configuring-tagged-and-untagged-vlan-on-the-same-port
and
https://help.ui.com/hc/en-us/articles/204962144-UniFi-VLAN-Traffic-Tagging
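The port-membership rules spelled out in the last two replies (CPU port tagged in every VLAN, a port untagged in one VLAN and tagged in another only with a matching `switch_port` pvid, no empty VLANs) can be checked before committing and losing access. The following checker is an added example written for this thread, not code from OpenWrt or from any poster; it takes the `ports` strings from `config switch_vlan` sections plus the `pvid` map from `config switch_port`, with port 0 assumed to be the CPU port as on the TL-WR740N above. Note that the `swconfig dev eth0 show` output posted earlier reports VLAN 1 as `0t 1t 2t 3t 4t` even though the config asked for `0t 1 2 3 4`, which is exactly the untagged-plus-tagged case without a pvid that this checker flags.

```python
# Added example (not from the thread): consistency checker for swconfig-style
# VLAN port lists as used in OpenWrt 18.06 /etc/config/network.
import re

CPU_PORT = 0  # assumption: port 0 is the CPU port (TL-WR740N layout in the thread)

def parse_ports(ports):
    """'0t 1 2' -> {0: True, 1: False, 2: False}  (True = tagged)."""
    out = {}
    for tok in ports.split():
        m = re.fullmatch(r"(\d+)(t?)", tok)
        if not m:
            raise ValueError(f"bad port token {tok!r}")
        out[int(m.group(1))] = bool(m.group(2))
    return out

def check_vlans(vlans, pvid=None):
    """vlans: {vid: ports string}; pvid: {port: vid} from 'config switch_port'.
    Returns a list of problems; an empty list means the plan is consistent."""
    pvid = pvid or {}
    problems = []
    membership = {}  # port -> {vid: tagged}
    for vid, ports in vlans.items():
        parsed = parse_ports(ports)
        if not parsed:
            problems.append(f"vlan {vid}: no ports assigned, it carries nothing")
        elif parsed.get(CPU_PORT) is not True:
            problems.append(f"vlan {vid}: CPU port {CPU_PORT} must be tagged ({CPU_PORT}t)")
        for port, tagged in parsed.items():
            membership.setdefault(port, {})[vid] = tagged
    for port, vids in sorted(membership.items()):
        untagged = [v for v, t in vids.items() if not t]
        tagged = [v for v, t in vids.items() if t]
        if len(untagged) > 1:
            problems.append(f"port {port}: untagged in more than one vlan {untagged}")
        # Untagged in one VLAN and tagged in another needs an explicit pvid,
        # otherwise the switch tags the port everywhere and the lan side goes dark.
        if untagged and tagged and pvid.get(port) != untagged[0]:
            problems.append(f"port {port}: untagged in vlan {untagged[0]} and tagged in "
                            f"{tagged}; needs 'config switch_port' with pvid {untagged[0]}")
    return problems

# Constructed samples: the state that broke the main network, and the proposed fix
# (guest tagged only on the uplink port 1, with pvid 1 on that port).
BROKEN = {1: "0t 1 2 3 4", 12: "0t 1t 2t 3t 4t"}
FIXED = {1: "0t 1 2 3 4", 12: "0t 1t"}
FIXED_PVID = {1: 1}

if __name__ == "__main__":
    for name, plan, pv in (("broken", BROKEN, None), ("fixed", FIXED, FIXED_PVID)):
        print(name, check_vlans(plan, pv) or "OK")
```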

There is a whole network connected to that port. :slight_smile: So I cannot tag vlan 1 on all devices.

It doesn't matter where from I make these changes. Either vlan 1 or vlan 12 can work at 1 time with eth0 (switch).

Unifi is somewhere in the network. I have only 1 cable connected to this TP-Link with OpenWrt.

If you don't give all the details it's kinda hard to help you.
As a rule of thumb, if you tag on one side you'll have to tag on the other side too. Or use a managed switch to remove the tags on the devices that don't use vlan tagging.

What is connected on this port? Is it your pc? Is it a switch, managed or unmanaged?

Let's put it like this:

  1. Mikrotik RouterBoard internet gate with default settings.
  2. A bunch of unmanaged switches
  3. Unifi AP
  4. OpenWrt AP (TP-Link).

At first there is only 1 network (192.168.88.0/24) and 1 SSID on Unifi AP and OpenWRT AP.

Then there is a requirement of a separate guest network. On Mikrotik I create a vlan12 interface, with 192.168.12.0/24 network and DHCP server. Then on Unifi controller I create second SSID and assign vlan 12 to it. Everything works perfectly.

Then I need to replicate the same functionality with OpenWrt (create second SSID and make it work only with vlan 12). It works with cable connected to eth1 (wan port): I just create a bridge of eth1.5 and wlan0-1 and it just works. However it does not work with cable connected to any port of eth0 (switch). If I add eth0.5 to the bridge with wlan0-1 - it just doesn't work. If I add vlan 12 to Switch - VLAN list tagged on eth0 ports, main network on OpenWrt is down.

The behavior of unmanaged switch with tagged frames is unpredictable. We have cases here where vlans were not propagated correctly over unmanaged switches.

What is the output of uci export network; swconfig dev eth0 show; brctl show

OK, but Unifi AP works with those switches. eth1 of OpenWrt also works. So...

With this config everything works OK when uplink cable goes to eth1 and only vlan12 (guest network) works if uplink cable goes to eth0 (any switch (yellow) port of router):

root@OpenWrt:~# uci export network; swconfig dev eth0 show; brctl show
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9a:debb:74ed::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'dhcp'
        option ifname 'eth0.1 eth1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config interface 'guest'
        option proto 'static'
        list ipaddr '192.168.12.4/24'
        option type 'bridge'
        option ifname 'eth0.12 eth1.12'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 1 2 3 4'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '12'
        option ports '0t 1t 2t 3t 4t'

Global attributes:
        enable_vlan: 1
        mirror_monitor_port: 15
Port 0:
        enable_mirror_rx: 0
        enable_mirror_tx: 0
        pvid: 0
        link: port:0 link:up speed:1000baseT full-duplex txflow rxflow
Port 1:
        enable_mirror_rx: 0
        enable_mirror_tx: 0
        pvid: 1
        link: port:1 link:down
Port 2:
        enable_mirror_rx: 0
        enable_mirror_tx: 0
        pvid: 1
        link: port:2 link:down
Port 3:
        enable_mirror_rx: 0
        enable_mirror_tx: 0
        pvid: 1
        link: port:3 link:down
Port 4:
        enable_mirror_rx: 0
        enable_mirror_tx: 0
        pvid: 1
        link: port:4 link:down
VLAN 0:
        vid: 0
        ports: 0t
VLAN 1:
        vid: 1
        ports: 0t 1t 2t 3t 4t
VLAN 2:
        vid: 12
        ports: 0t 1t 2t 3t 4t
bridge name     bridge id               STP enabled     interfaces
br-guest                7fff.6466b31246bb       no              eth0.12
                                                        eth1.12
                                                        wlan0-1
br-lan          7fff.6466b31246bb       no              eth0.1
                                                        eth1
                                                        wlan0
root@OpenWrt:~#