To describe a bit what I want to do:
So:
- There is a firewall, which has DHCP, DNS, ... and regulates all traffic between VLAN's
- There is a managed switch in between, which is connected to the firewall and a wireless access point running openwrt via trunks carrying all necessary VLAN's
- This top wireless access point is a dumb AP
I am pretty confident from the openwrt documentation that I can make this work, where each VLAN is linked to a separate SSID.
So far, so good, I think 
Now however, I also want to add a second AP (again a dumb AP) and potentially in the future even a third AP.
It should be able to act as an extender and carry over all those separate SSID-per-vlan from the initial dumb AP.
What would be the best approach to implement this?
I was thinking: keep it simple, use WDS and basically connect that second dumb AP as an "extending client" in each of those separate SSID's from dumb AP 1.
However, am I correct in reading the openwrt forums that this would only be possible for one SSID, not multiple?
What would be the best way to achieve this then?
Maybe some additional information, because I'm not sure if I understand correctly that WDS with multiple SSID could be depending on the underlying hardware?
I'm looking at 3 devices:
All of these will be running the latest version of Openwrt.
Are you wanting to just have two VLAN-aware, dumb access points? If so, setup them up identically each trunked out of the switch on their own port and manage their VLAN-SSID association within the respective AP's config. Maybe I am missing something?
You cannot texted multiple SSIDs, but you can extend a trunk SSID that carries the traffic for all the other SSIDs, then use the second device to separate them again.
First, create this trunk SSID, only between the main router and the repeater. Then create a VXLAN tunnel for each network, and bridge them to their corresponding SSIDs at each end.
The second dumb AP will be on another floor of the building, where there is no cabled access, so it will only be able to connect via wireless to the first dumb ap.
So basically the top half of the drawing, the firewall, managed switch and first dumb ap are on the ground floor of the building next to each other and are indeed interconnected via trunk ports on that managed switch.
However the second dumb ap will be on the first floor of the building, to extend those vlan's via wireless there.
Then probably also another ap on the second floor afterwards to extend even further.
On the first and second floor there are no network cables present.
I'm not exactly sure how that would work?
So there would still be separate ssid's on dumbap1, one per vlan, plus an additional one which trunks ALL the vlan's?
Also: how do you connect both dumb AP's then?
Still via WDS or rather classic client-accesspoint?
Yes, exactly: normal clients will connect to SSID1 to SSID2, and only dumbap2 will connect to the trunk SSID (besides, dumbap2 will only connect to the trunk SSID).
You can use WDS, but you do not need it.
