Pass VLANs from OpenWrt router to OpenWrt AP

Hi @psherman!

As you suggested in my last thread, I'm sharing the problem and some relevant information:

Main router:
Device: TP-Link Archer C6 v3
OpenWrt version: 25.12.2

Dumb AP:
Device: TP-Link Archer C60 v3
OpenWrt version: 25.12.2

So, my goal is to pass the VLAN with ID 24, coming from the LAN3 port of my main router to a “dumb” AP. I would also like to have access to the AP’s LuCI web interface (and SSH) in order to make updates and whatnot.

Here is the config for the main router:

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.12.74",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "TP-Link Archer C6 v3",
        "board_name": "tplink,archer-c6-v3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "25.12.2",
                "firmware_url": "https://downloads.openwrt.org/",
                "revision": "r32802-f505120278",
                "target": "ramips/mt7621",
                "description": "OpenWrt 25.12.2 r32802-f505120278",
                "builddate": "1774469393"
        }
}


root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
config globals 'globals'
        option ula_prefix 'fdd0:37d3:e148::/48'
        option packet_steering '1'
        option dhcp_default_duid '0004a3d55cf9e50743feac5626605958cfdb'
config device
        option name 'br-lan'
        option type 'bridge'
        option bridge_empty '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
config interface 'lan'
        option device 'br-lan.20'
        option proto 'static'
        option ipaddr '10.12.20.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option multipath 'off'
config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option username 'xxx'
        option password 'xxx'
        option ipv6 'auto'
        option peerdns '0'
config interface 'guests'
        option proto 'static'
        option device 'br-lan.21'
        option ipaddr '10.12.21.1'
        option netmask '255.255.255.0'
        option multipath 'off'
config interface 'depts'
        option proto 'static'
        option device 'br-lan.22'
        option ipaddr '10.12.22.1'
        option netmask '255.255.255.0'
        option multipath 'off'
config interface 'iot'
        option proto 'static'
        option device 'br-lan.23'
        option ipaddr '10.12.23.1'
        option netmask '255.255.255.0'
        option multipath 'off'
config interface 'ext'
        option proto 'static'
        option device 'br-lan.24'
        option ipaddr '10.12.24.1'
        option netmask '255.255.255.0'
        option multipath 'off'
config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan1:u*'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:u*'
config bridge-vlan
        option device 'br-lan'
        option vlan '21'
        list ports 'lan2:t'
config bridge-vlan
        option device 'br-lan'
        option vlan '22'
        list ports 'lan2:t'
config bridge-vlan
        option device 'br-lan'
        option vlan '23'
        list ports 'lan2:t'
config bridge-vlan
        option device 'br-lan'
        option vlan '24'
        list ports 'lan3:t'


root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '2g'
        option channel '1'
        option htmode 'HT20'
        option cell_density '0'
        option disabled '1'
config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option band '5g'
        option channel '36'
        option htmode 'VHT80'
        option cell_density '0'
        option disabled '1'


root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option noresolv '1'
        option port '0'
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,10.12.20.1'
        option ra_preference 'medium'
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
config odhcpd 'odhcpd'
        option leasefile '/tmp/odhcpd.leases'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piodir '/tmp/odhcpd-piodir'
        option hostsdir '/tmp/hosts'
config dhcp 'guests'
        option interface 'guests'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,10.12.21.1'
config dhcp 'depts'
        option interface 'depts'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,10.12.22.1'
config host
        option name 'server'
        option ip '10.12.20.10'
        option leasetime 'infinite'
        list mac 'xx:xx:xx:xx:xx:xx'
config host
        option name 'printer-epson-l3150'
        list mac 'xx:xx:xx:xx:xx:xx'
        option ip '10.12.20.20'
        option leasetime 'infinite'
config host
        option name 'poe-switch'
        list mac 'xx:xx:xx:xx:xx:xx'
        option ip '10.12.20.30'
        option leasetime 'infinite'
config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dynamicdhcp '0'
config host
        option name 'omada'
        list mac 'xx:xx:xx:xx:xx:xx'
        option ip '10.12.20.40'
        option leasetime 'infinite'
# DHCP reservation for the "dumb" AP
config host
        option name 'archer-c60'
        list mac 'xx:xx:xx:xx:xx:xx'
        option leasetime 'infinite'
        option ip '10.12.20.50'
config host
        option name 'cam-entrance'
        list mac 'xx:xx:xx:xx:xx:xx'
        option ip '10.12.23.10'
        option leasetime 'infinite'
config host
        option name 'cam-garage'
        list mac 'xx:xx:xx:xx:xx:xx'
        option ip '10.12.23.20'
        option leasetime 'infinite'
# Interface for the "dumb" AP
config dhcp 'ext'
        option interface 'ext'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,10.12.24.1'
config host
        option name 'cam-reception'
        list mac 'xx:xx:xx:xx:xx:xx'
        option ip '10.12.23.30'
        option leasetime 'infinite'


root@OpenWrt:~# cat /etc/config/firewall
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
config forwarding
        option src 'lan'
        option dest 'wan'
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
config zone
        option name 'guests'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guests'
config forwarding
        option src 'guests'
        option dest 'wan'
config zone
        option name 'depts'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'depts'
config forwarding
        option src 'depts'
        option dest 'wan'
config zone
        option name 'iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot'
config forwarding
        option src 'lan'
        option dest 'iot'
config rule
        option name 'Allow-DHCP-Guests'
        list proto 'udp'
        option src 'guests'
        option dest_port '67-68'
        option target 'ACCEPT'
config rule
        option name 'Allow-DNS-Guests'
        option src 'guests'
        option dest_port '53'
        option target 'ACCEPT'
config rule
        option name 'Allow-DHCP-Depts'
        list proto 'udp'
        option src 'depts'
        option dest_port '67-68'
        option target 'ACCEPT'
config rule
        option name 'Allow-DNS-Depts'
        option src 'depts'
        option dest_port '53'
        option target 'ACCEPT'
config rule
        option name 'Allow-DHCP-Iot'
        list proto 'udp'
        option src 'iot'
        option dest_port '67-68'
        option target 'ACCEPT'
config rule
        option name 'Allow-DNS-Iot'
        option src 'iot'
        option dest_port '53'
        option target 'ACCEPT'
        option enabled '0'
config rule
        option name 'Allow-NTP-Iot'
        option src 'iot'
        option dest_port '123'
        option target 'ACCEPT'
        list proto 'udp'
config rule
        option name 'Allow-DHCP-Ext'
        list proto 'udp'
        option src 'ext'
        option dest_port '67-68'
        option target 'ACCEPT'
config rule
        option name 'Allow-DNS-Ext'
        option src 'ext'
        option dest_port '53'
        option target 'ACCEPT'
config zone
        option name 'ext'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'ext'
config forwarding
        option src 'ext'
        option dest 'wan'
config forwarding
        option src 'iot'
        option dest 'lan'

The “dumb” AP router has the default values because I had to reset it. But the first thing I did before was assign the 10.12.20.50/24 static IP address. Then I basically did what I commented before:

The Archer C60 works with “switch”, not DSA. So what I did was create two VLANs, 20 for access to the router, and 24 for normal traffic. Then, I created a new bridge device with port Ethernet Switch: “eth0”. Finally, I created two new interfaces, one for VLAN 20 and the other for VLAN 24, both with protocol Unmanaged and the corresponding devices.

After doing that, LuCI was working fine but then it got disconnected. So the device became unreachable.

Here’s my network topology and desired dumb AP:

I hope that the information is useful. I appreciate your valuable help!

The main router looks good.

Let's see the bridged AP's config (even if it's default) so that I can make in-line suggestions for changes.

Sure, here they are:

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.12.74",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer C60 v3",
        "board_name": "tplink,archer-c60-v3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "25.12.2",
                "firmware_url": "https://downloads.openwrt.org/",
                "revision": "r32802-f505120278",
                "target": "ath79/generic",
                "description": "OpenWrt 25.12.2 r32802-f505120278",
                "builddate": "1774469393"
        }
}


root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        list ipaddr '127.0.0.1/8'

config globals 'globals'
        option dhcp_default_duid '0004a954d4b16ef54fb4b5b91b7b123b96f6'
        option ula_prefix 'fd07:af6a:56f9::/48'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        list ipaddr '192.168.1.1/24'
        option ip6assign '60'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option band '2g'
        option channel '1'
        option htmode 'HT20'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option disabled '1'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/odhcpd.leases'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piodir '/tmp/odhcpd-piodir'
        option hostsdir '/tmp/hosts'

root@OpenWrt:~# cat /etc/config/firewall
config defaults
        option syn_flood        1
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          DROP
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

Ok... thanks.

Let's use logical port 1 for the setup. This may or may not actually map to physical port lan1, but if not, we can adjust later.

We'll start by editing the swconfig stanza for the lan. Edit this section:

so that it looks like this:

config switch_vlan
        option device 'switch0'
        option vlan '20'
        option ports '1t 2 3 4 0t'

Next, we'll edit br-lan to use eth0.20:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.20'

And we'll edit the lan interface to use the desired address (10.12.20.50):

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        list ipaddr '10.12.20.50/24'
        option ip6assign '60'

Now we can add VLAN 24 on the switch, the related bridge, and an unmanaged network interface:

config switch_vlan
        option device 'switch0'
        option vlan '24'
        option ports '1t 0t'

config device
        option name 'br-ext'
        option type 'bridge'
        list ports 'eth0.24'

config interface 'ext'
        option device 'br-ext'
        option proto 'none'

Don't forget to disable the DHCP server on the lan... edit that to look like this:

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

Now you can add the wireless network on the AP and attach it to the ext network.

Okay, as I'm changing the config I realize that the VLAN 1 will be deleted, right?

I just want to be sure because my understanding is that the VLAN 1 is actually the switch?

Yes, VLAN 1 will be deleted, but the specific VLANs are arbitrary (as long as they're in the valid range).

Okay, thanks!

I made the changes and I can access LuCI on 10.12.20.50, nice!
But the wifi network is giving a 10.12.20.x IP instead of 10.12.24.x. I made sure to select the ext network under wifi configuration.

Let's see the updated network and wireless config files.

Sure thing. By the way, I set all 4 LAN ports to be tagged, just in case anyone tries to mess with the router:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        list ipaddr '127.0.0.1/8'

config globals 'globals'
        option dhcp_default_duid '0004a954d4b16ef54fb4b5b91b7b123b96f6'
        option ula_prefix 'fd07:af6a:56f9::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.20'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '10.12.20.50/24'
        option multipath 'off'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '20'
        option ports '0t 1t 2t 3t 4t'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 1t 2t 3t 4t'
        option vid '24'

config device
        option type 'bridge'
        option name 'br-ext'
        list ports 'eth0.24'

config interface 'ext'
        option proto 'none'
        option device 'br-ext'
        option multipath 'off'


root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option band '2g'
        option channel '1'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'ext'
        option mode 'ap'
        option ssid 'ext'
        option encryption 'psk2'
        option key 'xxx'

Also, this router has a 5G radio, but for some reason it doesn’t show…

I don't see anything wrong here.

As a sanity check, try making one of the other ports untagged on VLAN 24 so that you can plug in an Ethernet device. You can do the same with VLAN 20 (on a different port). For example:

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '20'
        option ports '0t 1t 2t 3 4t'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 1t 2t 3t 4'
        option vid '24'

In the above, I removed the t on port 3 for VLAN 20 and on port 4 for VLAN 24. You can connect a regular computer to each port and you should get an address on the respective network. (keep in mind that the logical port numbers may or may not match the physical numbers).

Just before I rebooted both devices and now it’s giving a 10.12.24.x IP.

Thanks a lot legend!

PS: If I want to control download speeds, should I use SQM (or any other method) in the main router or the AP?

Glad it's working now!

SQM would be done in the main router.

Sorry, although everything is working, I can access the main router (10.12.20.1) from a 10.12.24.x IP. I thought my firewall rule blocks that:

root@OpenWrt:~# cat /etc/config/firewall
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
config forwarding
        option src 'lan'
        option dest 'wan'
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
config zone
        option name 'guests'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guests'
config forwarding
        option src 'guests'
        option dest 'wan'
config zone
        option name 'depts'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'depts'
config forwarding
        option src 'depts'
        option dest 'wan'
config zone
        option name 'iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot'
config forwarding
        option src 'lan'
        option dest 'iot'
config rule
        option name 'Allow-DHCP-Guests'
        list proto 'udp'
        option src 'guests'
        option dest_port '67-68'
        option target 'ACCEPT'
config rule
        option name 'Allow-DNS-Guests'
        option src 'guests'
        option dest_port '53'
        option target 'ACCEPT'
config rule
        option name 'Allow-DHCP-Depts'
        list proto 'udp'
        option src 'depts'
        option dest_port '67-68'
        option target 'ACCEPT'
config rule
        option name 'Allow-DNS-Depts'
        option src 'depts'
        option dest_port '53'
        option target 'ACCEPT'
config rule
        option name 'Allow-DHCP-Iot'
        list proto 'udp'
        option src 'iot'
        option dest_port '67-68'
        option target 'ACCEPT'
config rule
        option name 'Allow-DNS-Iot'
        option src 'iot'
        option dest_port '53'
        option target 'ACCEPT'
        option enabled '0'
config rule
        option name 'Allow-NTP-Iot'
        option src 'iot'
        option dest_port '123'
        option target 'ACCEPT'
        list proto 'udp'
config rule
        option name 'Allow-DHCP-Ext'
        list proto 'udp'
        option src 'ext'
        option dest_port '67-68'
        option target 'ACCEPT'
config rule
        option name 'Allow-DNS-Ext'
        option src 'ext'
        option dest_port '53'
        option target 'ACCEPT'
config zone
        option name 'ext'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'ext'
config forwarding
        option src 'ext'
        option dest 'wan'
config forwarding
        option src 'iot'
        option dest 'lan'

If needed I can make another thread.

Thank you.

Based on the firewall config, you should not be able to access the router's admin surfaces (ssh, LuCI) from the ext network.

Double check that your computer has one and only one network connection and address. You could, for example, be connected via wifi to one of the networks and ethernet to the other...

I tested it with my phone connected only to the wifi of the dumb AP router. I can even go to 10.12.24.1 and access LuCI. I can also access the dumb AP itself at 10.12.20.50.

I forgot the network and connected again, but nothing changed. Seems odd, I can't even access the switch or the Omada, although they're working fine.

EDIT: There's an active firewall rule in the br-lan interface of the dumb AP. Could that be the cause? Should I delete that firewall rule or leave the br-lan interface with no firewall?

Double check the IP that you are getting on your phone. And while I didn't see any VPN in your config, if you have a road-warrior type setup, make sure that you are not connected on the VPN.

The assigned IP is 10.12.24.120.

And about the VPN, I run Tailscale on the server with 10.12.20.10 IP. Turning the VPN off cut all the access! But is that how it is supposed to work?

As expected.

Yes... your phone was getting internet access via the ext network, but all of the traffic was being tunneled through the TS server on the trusted lan. Thus, your apparent IP address was really on that trusted lan -- just like if you are away from home, you can access all of your lan resources (including the router).

Turning the VPN off fixed the problem because now the phone's actual IP address and apparent IP address were the same -- on the ext network. That network doesn't allow access to the router, ap, or other lan resources, so the firewall actions behaved as expected.
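
An added example, not part of the original thread: a simplified model of how the posted firewall config treats traffic from the ext zone addressed to the router itself. `parse_uci` and `input_verdict` are hypothetical helper names, `CONFIG` is an excerpt of the ext zone and rules posted above, and the model ignores everything except zone, protocol and destination port.

```python
# Simplified model (added example): first matching enabled rule wins,
# otherwise the zone's 'input' policy decides. Excerpt of the posted config.
CONFIG = """\
config zone
        option name 'ext'
        option input 'REJECT'
config rule
        option name 'Allow-DHCP-Ext'
        list proto 'udp'
        option src 'ext'
        option dest_port '67-68'
        option target 'ACCEPT'
config rule
        option name 'Allow-DNS-Ext'
        option src 'ext'
        option dest_port '53'
        option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI text into a list of section dicts."""
    sections = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append({"type": parts[1]})
        elif parts[0] == "option":
            sections[-1][parts[1]] = parts[2].strip("'")
        elif parts[0] == "list":
            sections[-1].setdefault(parts[1], []).append(parts[2].strip("'"))
    return sections

def input_verdict(sections, zone, proto, port):
    """Verdict for traffic from `zone` addressed to the router itself."""
    for s in sections:
        if s["type"] != "rule" or s.get("src") != zone or "dest" in s:
            continue  # not an input rule for this zone
        if s.get("enabled") == "0":
            continue
        p = s.get("proto", "tcp udp")  # OpenWrt default when proto is unset
        if proto not in (p if isinstance(p, list) else p.split()):
            continue
        lo, _, hi = s.get("dest_port", "0-65535").partition("-")
        if int(lo) <= port <= int(hi or lo):
            return s["target"]
    return next(s["input"] for s in sections
                if s["type"] == "zone" and s.get("name") == zone)
```

With the VPN off, the phone's packets arrive in the ext zone, so SSH (tcp/22) and LuCI (tcp/80, tcp/443) fall through to the zone's REJECT policy while DHCP and DNS are accepted.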

Okay, got it!

What about the default firewall rule for lan on the AP? Should I delete it or disable it?

And why can't I access the switch or the Omada? The VLAN 20 is tagged so it should work?

Leave it as is... the current AP firewall allows input from the lan network (i.e. your trusted network) which is necessary for administering the device. Since it doesn't have an address on the ext network, there is no way that the clients on that network can access the AP.

From where (which subnet, and where is it physically connected)?