Unless utilising a RADIUS backend or having a switch that features a WLAN port, 802.1q tag management is not possible with WLAN.
However, as mentioned [1]:
When you bridge non-VLAN and VLAN interfaces together, the system takes care about adding VLAN ID when sending packet from non-VLAN to VLAN interface, and it automatically removes the VLAN ID when sending packet from VLAN interface to non-VLAN one.
This is an extension of a dumb AP configuration. Get the single network AP working first then add more.
A dumb AP has only one network, the lan, and no firewall. It has an IP address on the lan so that you can log in to administer it.
This remains true as you add some dumb bridged guest networks. The guest networks should be bridges with protocol none (or Unmanaged in the GUI). They bridge from a wired interface e.g. eth0.10 to a wireless AP. That is the kernel's only interaction with those packets. Since the kernel holds no IP address on these interfaces, it is inherently impossible for guests to hack into the OS. There is no need for a firewall.
Set up the switch with one tagged external port and some untagged. Tagged ports only work if the device on the other end of the cable is also configured for VLANs. Until you have that you can use the untagged ports as part of the LAN.
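As an added illustration (not code from any poster in this thread), this Python check parses text in /etc/config/network syntax and lists the non-management interfaces that are not "proto none", i.e. where the AP itself would hold or request an address. The sample config, the interface names guest and iot, and treating lan as the management network are constructed assumptions.

```python
import shlex
# Constructed sample in /etc/config/network syntax; names are assumptions.
SAMPLE = """
config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.10'

config interface 'lan'
	option proto 'static'

config interface 'guest'
	option device 'br-guest'
	option proto 'none'

config interface 'iot'
	option device 'eth0.20'
	option proto 'dhcp'
"""

def parse_uci(text):
    """Parse UCI text into a list of {'type', 'name', 'options'} sections."""
    sections = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # handles quotes and '#'
        if not tokens:
            continue
        if tokens[0] == "config" and len(tokens) >= 2:
            name = tokens[2] if len(tokens) > 2 else None  # anonymous section
            sections.append({"type": tokens[1], "name": name, "options": {}})
        elif tokens[0] == "option" and len(tokens) == 3 and sections:
            sections[-1]["options"][tokens[1]] = tokens[2]
        elif tokens[0] == "list" and len(tokens) == 3 and sections:
            sections[-1]["options"].setdefault(tokens[1], []).append(tokens[2])
    return sections

def addressed_interfaces(text, management=("lan", "loopback")):
    """Return {name: proto} for non-management interfaces that are not 'none'."""
    found = {}
    for sec in parse_uci(text):
        if sec["type"] != "interface" or sec["name"] in management:
            continue
        proto = sec["options"].get("proto", "unset")  # report a missing proto too
        if proto != "none":
            found[sec["name"]] = proto
    return found

if __name__ == "__main__":
    for name, proto in addressed_interfaces(SAMPLE).items():
        print(f"{name}: proto {proto} (not unmanaged)")
```

Run against a saved copy of the AP's network config, an empty result means only the management network carries an address on the device.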
I hope this will help. This is on a Ubiquiti AC Pro running OpenWrt 21.02.1.
This worked for me, but I'm no expert, so if something I
say contradicts the official documentation, then I'm wrong
and I apologize.
Setup: the Ubiquiti AC Pro's main ethernet port is plugged
into one of my router's interfaces (call the router interface
vio0 with IP 192.168.1.254/24). The router has interface vlan0
configured with vlan id 4, and vio0 as the parent interface.
The IP for the router's vlan0 is 192.168.4.254/24.
This way we haven't changed the OpenWrt device's default
lan IP of 192.168.1.1/24.
Just to be clear, the OpenWrt device's LAN is on the same
network as the router's physical vio0 interface, and the
OpenWrt device's VLAN that we create below will be on
the same network as the router's vlan0 interface.
To add more VLANs, we could create vlan1, vlan2, etc.
on the router, and corresponding VLANs on the OpenWrt
device.
The rest of the steps are all on the OpenWrt device:

Add vlan device
  network -> interfaces
  add device from devices tab
  device type vlan 802.1q
  base device eth0
  choose vlan id e.g. 4 but using X below in the rest of
    this document
  hit save

Add bridge device
  still in devices, do another Add device configuration
  device type bridge
  bridge port: select Software VLAN: "eth0.X"
  hit save

Add vlan interface
  then on interfaces tab add new interface
  name vlanX
  protocol static address
  device is bridgeX
  Create interface
  set the static IP for the access point (e.g. 192.168.4.1/24)
  note that dhcp server will be on by default
  Save and Apply

Setup wireless
  In Network->Wireless menu
  edit the desired wireless network
  Under Device Configuration, Advanced Settings, choose country code
  Under Interface Configuration, General Setup
  for Network choose vlanX
  uncheck "lan"
  Save and Apply

Network-Switch
  Add VLAN
  port status: X, description switchX, eth0 tagged
    and LAN1 tagged.
  NOTE: I could access the vlan once eth0 was tagged,
    but needed to also have LAN1 tagged to get out to
    the Internet.
  Also make sure:
  port status: 1, description is blank, eth0 tagged
    (if not, you won't be able to access the device via
    ethernet)
  Save and Apply