Multiple Isolated LAN (eth + wifi) segments, with both IPPassThrough & priority?

Hi all,

I just set up a TP-Link Archer A7 + OpenWRT

	Model            TP-Link Archer A7 v5
	Architecture     Qualcomm Atheros QCA956X ver 1 rev 0
	Firmware Version OpenWrt 21.02.0 r16279-5cc0535800 / LuCI openwrt-21.02 branch git-21.231.26241-422c175
	Kernel Version   5.4.143

For a simple out-of-the-box config, getting a couple of machines connected on one LAN was incredibly easy to set up.

Next, though, I want to get it set up for my 'real world' scenario below. It's quite a bit more complicated for my skills so far. I'm doing a good job getting one piece but not the other working.

Good thing there's a RESET for OpenWRT! ;-/

     ^
     |
     |
[ internet ]
     |
     |
     | IPv4 (A.A.A.1/22) & IPv6 (AAAA:...:1/128), via DHCP(6) from ISP
[ Cable MODEM ]
     |
     | WAN
     |
[ OpenWRT/ArcherA7 ]---------|
     | intfc eth0      |  |  |------ intfc eth1 ----- [ VoIP ATA, static IP = 192.168.1.20 ]
     |                 |  |
     |                 |  |------ WiFi AP 2.4+5G, SSID "WLAN_PRIO",
     |                 |                         |
     |                 |                         |-- (WiFi client, DHCP(6)d-provided addr, 10.1.1.0/24)
     |                 |
     |                 |
     |                 |--------- WiFi AP 2.4+5G, SSID "WLAN_GUEST"
     |                 |                         |
     |                 |                         |-- (WiFi client, DHCP(6)d-provided addr, 10.2.2.0/24)
     |
     |
     | IPv4 (A.A.A.1/22) & IPv6 (AAAA:...:1/128) "Bridge/PassThrough" from MODEM
[ Linux Router ]
     |  (172.16.1.1/24)
     |
[ Ethernet Switch ]
     |
     |- [ LAN0, machine #1, static IP = 172.16.1.101 ]
     |- [ LAN0, machine #2, static IP = 172.16.1.102 ]
     |- [ etc ]

I want to make sure that I can

(1) serve up the different LAN segments
(2) control each segment with its own, different set of firewall access rules
(3) keep each segment completely isolated from one another
(4) assign a priority/minimum bandwidth to "WLAN_PRIO", so that it can never get choked off by traffic in/out of any of the other segments.

Do I need VLANs to do all that?
Can I set 'highest' priority/bandwidth up for that one "WLAN_PRIO" link?

I'm pretty sure this is all doable with OpenWRT, and that the problem is "me".

I'd appreciate any help getting my head wrapped around this.

Cheers!

Dave L.

Yes, you need to define VLANs to segment your networks. You can then have your firewall forward traffic of each segment to the WAN but not to each other. I recommend using sqm-qos to reserve some bandwidth for your priority network.
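The reply names three pieces; the following shows what they look like as UCI configuration on 21.02. This is an added example written for this thread, not config from the original post or from the OpenWrt project. It creates two WiFi-only bridges for the 10.1.1.0/24 and 10.2.2.0/24 segments with their own DHCP/RA pools, gives each a firewall zone that may forward to wan and nowhere else (prio is treated as trusted and may reach the router itself; guest may reach it only for DHCP, DNS and ICMP), and enables an SQM queue on the WAN. Assumptions: the radio name radio0, the passphrases, the WAN device name and the shaping rates are placeholders to replace; the existing lan and wan sections and the ATA port are left as they are; and the DSCP-marking rule paired with cake's layer_cake.qos is my suggestion for actually favouring WLAN_PRIO, not something the thread states.

```uci
# /etc/config/network  (added sections; existing 'lan' and 'wan' stay as they are)
# Empty bridges: the WLAN_PRIO and WLAN_GUEST access points attach to them.
config device
	option name 'br-prio'
	option type 'bridge'

config interface 'prio'
	option device 'br-prio'
	option proto 'static'
	option ipaddr '10.1.1.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

config device
	option name 'br-guest'
	option type 'bridge'

config interface 'guest'
	option device 'br-guest'
	option proto 'static'
	option ipaddr '10.2.2.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

# /etc/config/dhcp  (DHCPv4, DHCPv6 and RA per segment; repeat the block for 'guest')
config dhcp 'prio'
	option interface 'prio'
	option start '100'
	option limit '150'
	option dhcpv6 'server'
	option ra 'server'

# /etc/config/wireless  (one wifi-iface per SSID per radio; 'radio0' and the key are
# placeholders; add a WLAN_PRIO section the same way with network 'prio' and no
# isolate, then repeat both with device 'radio1' for the other band)
config wifi-iface 'guest_r0'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option ssid 'WLAN_GUEST'
	option encryption 'psk2'
	option key 'REPLACE-WITH-GUEST-PASSPHRASE'
	option isolate '1'

# /etc/config/firewall  (one zone per segment; forward=REJECT blocks zone-to-zone
# traffic unless a forwarding section allows it, and the only ones here point at wan)
config zone
	option name 'prio'
	list network 'prio'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'prio'
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'wan'

# guest input is REJECT: open only DNS (53), DHCPv4 (67), DHCPv6 (547) and ICMP (incl. ICMPv6 RS/NS) to the router
config rule
	option name 'guest-dhcp-dns'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53 67 547'
	option target 'ACCEPT'

config rule
	option name 'guest-icmp'
	option src 'guest'
	option proto 'icmp'
	option target 'ACCEPT'

# assumption (not from the thread): DSCP-mark WLAN_PRIO's outbound traffic so layer_cake's diffserv tins favour it
config rule
	option name 'prio-dscp'
	option src 'prio'
	option dest 'wan'
	option target 'DSCP'
	option set_dscp 'CS5'

# /etc/config/sqm  (packages sqm-scripts + luci-app-sqm; the device name and kbit/s rates
# are placeholders: use the physical WAN device LuCI shows and ~90% of measured line speed)
config queue 'wan'
	option enabled '1'
	option interface 'eth0'
	option download '90000'
	option upload '9000'
	option qdisc 'cake'
	option script 'layer_cake.qos'
```

Append the sections to the respective files (or enter the equivalent `uci set` lines and `uci commit`), then run `/etc/init.d/network reload`, `wifi reload`, `/etc/init.d/firewall reload` and `/etc/init.d/sqm restart`. To check the isolation, a client on WLAN_GUEST should fail to ping 10.1.1.1 (the prio gateway) while still reaching the internet, and `iptables -L zone_guest_forward -nv` shows which forwarding rules, and the final reject, are being hit. Note that ip6assign only hands out addresses if the ISP delegates a prefix larger than the single /128 shown on the WAN.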