Nothing on the smart switch is configured, so my assumption, is that everything is "untagged"
I have 1 SSID setup on both aps.
What I would like to do is:
Leave everything currently untagged (so what's working stays working)
Create a new SSID for guests tagged to 10
Create a new SSID for smart/iot crap tagged to 20
I dont want the guests or the iot's talking to each other but the only thing that they need to be able to reach is my server on the untagged vlan I am currently running my dns on it for adblocking.
My understanding is that I need a firewall rule in my router to basically allow the guest and iot network devices to talk.
On my smart switch, this is what I think i need to configure
port for router tagged with everything (or trunk?)
port for ap1 tagged with untagged, 10, 20
port for ap2 tagged with untagged, 10, 20
Then I need to configure the aps so that the ssids get attached to their respected tags
I guess I am not really sure how to achieve this in the ui (using LuCI).
I can create a new device for an existing port and there are 3 different vlan options (VLAN 802.1q, 802.1ad, MAC VLAN?)
But on the bridge devices they have their own ui called "Bridge vlan filtering" which seems to be able to do the same stuff? Do I just use that instead?
What is the relationship between interfaces and devices? (or I guess what their purposes?)
I would start simple and create just one additional network. Then, once you've proven out all of the functionality you need (general connectivity, isolation, etc.), you can create another network using the same general recipe.
Some tips:
EdgeOS is a bit of a different animal than OpenWrt in terms of the routing and VLAN configurations. It took me a while to get used to it.
Importantly, it will route between subnets by default, you need to use firewall rules to restrict it (and there are nuances for how to allow 'one way' or limited access).
If you're using an ER-X model, it has a built-in switch and the configuration of that switch can be tricky. But it also allows you to easily setup trunks (which carry multiple networks) as well as access ports (which are just one, untagged network). This is really useful as it allows you to verify the configuration of the router itself.
EdgeOS configuration is out of scope for this forum. The UI community is a good resource for help on this part.
Once you've setup the trunk on the ER, you'll setup a matching trunk port on your OpenWrt switch.
I would highly recommend setting up access ports for each of the networks on the OpenWrt switch as the next step. This is so that you can verify that the configs are correct at the switch and that the trunk is working as expected.
Everything is proven at the switch, you can setup a trunk port for the AP(s) which will largely mirror the trunk that goes to the router.
Next, setup one of your APs with the trunk. The specific method depends on the AP model.
If your AP also has a built in switch, you may want also to repeat the access port process that you did on the upstream switch. This again allows you to easily prove that the configuration at the AP is correct.
Finally, you can connect the network to a new SSID and then test wireless connectivity.
You won't use these. Instead, you'll be using either bridge-VLANs or swconfig, depending on your hardware.
Bridge-vlans are the method by which you'll be setting up your VLANs if your devices use DSA (otherwise it will be swconfig). The two methods are not compatible with each other (referring to the configuration on a given device). The resulting VLANs from both methods (when properly configured) adheres to the 802.1q standards and therefore will be compatible with each other as well as VLANs on other platforms.
OpenWrt's Interfaces are at Layer 3 and devices are L2 when looking at the OSI model. Devices in OpenWrt terminology are related to the physical or virtual ports/bridges. You'll see that the interfaces use a device in their configuration stanzas.
