Problems assigning a VLAN for Guest network

Ok, so the device I'm trying to set up is a Netgear WNDR3800. I have created a Guest network by creating the following script in the /tmp folder:

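#!/bin/sh
# Create an isolated "guest" network on OpenWrt via UCI:
#   - a br-guest bridge device and a static "guest" interface (192.168.3.1/24)
#   - a guest SSID on the radio used by the first configured wifi-iface
#   - a DHCP pool on the guest interface
#   - a "guest" firewall zone: input/forward REJECT, only DNS and DHCP to the
#     router and forwarding to the wan zone are allowed; a hashlimit rule
#     rate-limits guest traffic and a final rule drops what exceeds it
#
# Environment (optional; defaults keep the original behaviour):
#   GUEST_SSID  SSID to advertise      (default: Guest-Network)
#   GUEST_KEY   WPA2 pre-shared key    (default: guestpassword) - prefer
#               passing it via the environment instead of editing this file
#
# Re-running the script is safe: every section is deleted before it is
# re-created, so no stale options survive a change.
#
# No `set -e`: `uci -q delete` still exits non-zero when the section does
# not exist yet (first run), which would abort the script.

GUEST_SSID="${GUEST_SSID:-Guest-Network}"
GUEST_KEY="${GUEST_KEY:-guestpassword}"

# Configure network: a bridge device plus a static interface on it
uci -q delete network.guest_dev
uci set network.guest_dev="device"
uci set network.guest_dev.type="bridge"
uci set network.guest_dev.name="br-guest"
uci -q delete network.guest
uci set network.guest="interface"
uci set network.guest.proto="static"
uci set network.guest.device="br-guest"
uci set network.guest.ipaddr="192.168.3.1"
uci set network.guest.netmask="255.255.255.0"
uci commit network

# Configure wireless: the guest AP is created only on the radio of the
# first wifi-iface; isolate=1 blocks client-to-client traffic on that AP
WIFI_DEV="$(uci get wireless.@wifi-iface[0].device)"
uci -q delete wireless.guest
uci set wireless.guest="wifi-iface"
uci set wireless.guest.device="${WIFI_DEV}"
uci set wireless.guest.mode="ap"
uci set wireless.guest.network="guest"
uci set wireless.guest.ssid="${GUEST_SSID}"
# Open network alternative (kept for reference, intentionally disabled):
# uci set wireless.guest.encryption="none"
uci set wireless.guest.encryption="psk2"
uci set wireless.guest.key="${GUEST_KEY}"
uci set wireless.guest.isolate="1"
uci commit wireless
wifi reload

# Configure DHCP: pool 192.168.3.100-249, 1h leases
uci -q delete dhcp.guest
uci set dhcp.guest="dhcp"
uci set dhcp.guest.interface="guest"
uci set dhcp.guest.start="100"
uci set dhcp.guest.limit="150"
uci set dhcp.guest.leasetime="1h"
uci set dhcp.guest.netmask="255.255.255.0"
uci commit dhcp

# Configure firewall: the zone rejects everything by default and the rules
# below open only what guests need (DNS, DHCP) plus forwarding to wan
uci -q delete firewall.guest
uci set firewall.guest="zone"
uci set firewall.guest.name="guest"
uci set firewall.guest.network="guest"
uci set firewall.guest.input="REJECT"
uci set firewall.guest.output="ACCEPT"
uci set firewall.guest.forward="REJECT"
uci -q delete firewall.guest_wan
uci set firewall.guest_wan="forwarding"
uci set firewall.guest_wan.src="guest"
uci set firewall.guest_wan.dest="wan"
uci -q delete firewall.guest_dns
uci set firewall.guest_dns="rule"
uci set firewall.guest_dns.name="Allow-DNS-Guest"
uci set firewall.guest_dns.src="guest"
uci set firewall.guest_dns.dest_port="53"
uci set firewall.guest_dns.proto="tcp udp"
uci set firewall.guest_dns.target="ACCEPT"
uci -q delete firewall.guest_dhcp
uci set firewall.guest_dhcp="rule"
uci set firewall.guest_dhcp.name="Allow-DHCP-Guest"
uci set firewall.guest_dhcp.src="guest"
uci set firewall.guest_dhcp.src_port="68"
uci set firewall.guest_dhcp.dest_port="67"
uci set firewall.guest_dhcp.proto="udp"
uci set firewall.guest_dhcp.family="ipv4"
uci set firewall.guest_dhcp.target="ACCEPT"
# Rate limit (needs iptables-mod-hashlimit); deleted first like the other
# sections so a re-run does not keep stale options.
# NOTE(review): `extra` carries its own `-j RETURN` while target is ACCEPT -
# confirm the generated iptables rule is the intended one.
uci -q delete firewall.guest_limit
uci set firewall.guest_limit="rule"
uci set firewall.guest_limit.name="Limit-Guest-Speed"
uci set firewall.guest_limit.src="guest"
uci set firewall.guest_limit.proto="all"
uci set firewall.guest_limit.target="ACCEPT"
uci set firewall.guest_limit.extra="-m hashlimit --hashlimit-mode srcip,dstip --hashlimit-upto 3000kbps --hashlimit-burst 32kb --hashlimit-name Limit-Guest-Speed -j RETURN"
# Anything not handled by the rate-limit rule above is dropped
uci -q delete firewall.guest_drop
uci set firewall.guest_drop="rule"
uci set firewall.guest_drop.name="Limit-Guest-Drop"
uci set firewall.guest_drop.src="guest"
uci set firewall.guest_drop.proto="all"
uci set firewall.guest_drop.target="DROP"
uci commit firewall

# Apply the committed configuration
/etc/init.d/network restart
/etc/init.d/firewall restart
/etc/init.d/dnsmasq restart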

Also, I have installed the packages iptables-mod-hashlimit and iptables-mod-ipopt so that the "Limit-Guest-Speed" rule works as intended.

So the guest Wi-Fi works great with this, but after that I really needed to extend the guest Wi-Fi to a totally different location using a network cable and an AP, so I thought of reassigning a LAN port to a separate VLAN and then attaching that VLAN to the guest network. But traffic doesn't appear to go through; I can't even get an IP address assigned when connecting a PC or the AP.

Here are my config files, in case someone can help me out (by the way, the separated port is LAN2 and it is assigned to VLAN 3, aka eth0.3):

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdXX:XXXX:XXXX::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ifname 'eth0'
        option igmp_snooping '1'
        option ipaddr '192.168.1.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option blinkrate '2'
        option enable_vlan4k '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '3'

config switch_port
        option device 'switch0'
        option port '1'
        option led '6'

config switch_port
        option device 'switch0'
        option port '2'
        option led '9'

config switch_port
        option device 'switch0'
        option port '5'
        option led '2'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 5'

config interface 'wan'
        option ifname 'eth0.2 eth1'
        option type 'bridge'
        option proto 'static'
        list dns 'XXX.XXX.XXX.XXX'
        list dns 'XXX.XXX.XXX.XXX'
        option netmask '255.XXX.XXX.XXX'
        option gateway 'XXX.XXX.XXX.XXX'
        option ipaddr 'XXX.XXX.XXX.XXX'

config interface 'wan6'
        option proto 'dhcpv6'           
        option reqprefix 'auto'         
        option reqaddress 'try'         
        option peerdns '0'              
        list dns 'XXXX:XXXX:XXXX::XX'      
        list dns 'XXXX:XXXX:XXXX::XX'      
        option ifname 'br-wan'          
                                        
config interface 'vpn'                  
        option ifname 'ppp0'            
        option proto 'none'             
                                        
config interface 'openvpn'              
        option ifname 'tun0'            
        option proto 'none'             
                                        
config device 'guest_dev'               
        option type 'bridge'            
        option name 'br-guest'          
                                        
config interface 'guest'                
        option proto 'static'           
        option device 'br-guest'        
        option ipaddr '192.168.3.1'     
        option netmask '255.255.255.0'  
        option type 'bridge'            
        option ifname 'eth0.3'          
                                        
config switch_vlan                      
        option device 'switch0'       
        option ports '2'              
        option vlan '3'

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'               
        option proto 'icmp'            
        option src_ip 'fe80::/10'      
        list icmp_type '130/0'         
        list icmp_type '131/0'         
        list icmp_type '132/0'         
        list icmp_type '143/0'         
        option family 'ipv6'           
        option target 'ACCEPT'         
                                       
config rule                             
        option name 'Allow-ICMPv6-Input'
        option src 'wan'                
        option proto 'icmp'             
        list icmp_type 'echo-request'   
        list icmp_type 'echo-reply'             
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'         
        list icmp_type 'time-exceeded'          
        list icmp_type 'bad-header'             
        list icmp_type 'unknown-header-type'    
        list icmp_type 'router-solicitation'    
        list icmp_type 'neighbour-solicitation' 
        list icmp_type 'router-advertisement'   
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'                 
        option family 'ipv6'                    
        option target 'ACCEPT'                  
                                                
config rule                                     
        option name 'Allow-ICMPv6-Forward'      
        option src 'wan'                        
        option dest '*'                         
        option proto 'icmp'                     
        list icmp_type 'echo-request'           
        list icmp_type 'echo-reply'             
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'         
        list icmp_type 'time-exceeded'          
        list icmp_type 'bad-header'             
        list icmp_type 'unknown-header-type'    
        option limit '1000/sec'                 
        option family 'ipv6'                    
        option target 'ACCEPT'                  
                                                
config include                                  
        option path '/etc/firewall.user'        
                                                
config rule                                     
        option name 'Allow-IPSec-ESP'           
        option src 'wan'                        
        option dest 'lan'                       
        option proto 'esp'                      
        option target 'ACCEPT'                  
                                                
config rule                                     
        option name 'Allow-ISAKMP'              
        option src 'wan'                        
        option dest 'lan'                       
        option dest_port '500'                  
        option proto 'udp'
        option target 'ACCEPT'                  
                                                
config rule                                     
        option src_port '5353'                  
        option name 'Allow-mDNS'                
        option target 'ACCEPT'                  
        list dest_ip '224.0.0.251'              
        option dest_port '5353'                 
        list proto 'udp'                        
        option src 'lan'                        
                                                
config rule                                     
        option dest '*'                         
        list dest_ip '239.255.255.250'          
        option target 'ACCEPT'                  
        list proto 'udp'                        
        option name 'Allow-LLMNR'               
        option src 'lan'                        
                                                
config zone                                     
        option name 'vpn'                       
        option network 'vpn'                    
        option input 'ACCEPT'                   
        option forward 'REJECT'                 
        option masq '1'                         
        option output 'ACCEPT'                  
                                                
config forwarding                               
        option dest 'vpn'                       
        option src 'lan'                        
                                                
config forwarding                               
        option dest 'vpn'                       
        option src 'wan'                        
                                                
config redirect                                 
        option target 'DNAT'                    
        option src 'lan'                        
        option name 'Intercept-DNS'             
        option src_dport '53'                   
        option enabled '0'                      
                                                
config zone                                     
        option name 'openvpn'                   
        option input 'ACCEPT'                   
        option forward 'ACCEPT'                 
        option network 'openvpn'                
        option output 'ACCEPT'                  
                                                
config forwarding                               
        option dest 'lan'                       
        option src 'openvpn'                    
                                                
config forwarding                               
        option dest 'wan'                       
        option src 'openvpn'                    
                                                
config rule                                     
        option dest_port 'XXXX'                 
        option src 'wan'                        
        option name 'Allow-OpenVPN'
        option target 'ACCEPT'                  
                                                
config redirect                                 
        option src 'lan'                        
        option name 'Intercept-mDNS'            
        option src_dport '5353'                 
        option target 'DNAT'                    
        list proto 'udp'                        
        option enabled '0'                      
                                                
config include 'miniupnpd'                      
        option type 'script'                    
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'                                
        option reload '1'                                                         
                                                           
config zone 'guest'                                        
        option name 'guest'                                
        option network 'guest'                             
        option input 'REJECT'                              
        option output 'ACCEPT'                             
        option forward 'REJECT'                            
                                                           
config forwarding 'guest_wan'                              
        option src 'guest'                                 
        option dest 'wan'                                  
                                                           
config rule 'guest_dns'                                    
        option name 'Allow-DNS-Guest'                      
        option src 'guest'                                 
        option dest_port '53'                              
        option proto 'tcp udp'                             
        option target 'ACCEPT'                             
                                                           
config rule 'guest_dhcp'                                   
        option name 'Allow-DHCP-Guest'                     
        option src 'guest'                                 
        option src_port '68'                               
        option dest_port '67'                              
        option proto 'udp'                                 
        option family 'ipv4'                               
        option target 'ACCEPT'                             
                                                           
config rule 'guest_limit'
        option name 'Limit-Guest-Speed'                    
        option src 'guest'                                 
        option proto 'all'                                 
        option target 'ACCEPT'                             
        option extra '-m hashlimit --hashlimit-mode srcip,dstip --hashlimit-upto 3000kbps --hashlimit-burst 32kb --hashlimit-name Limit-Guest-Speed -j RETURN'
                                                                                                                                                              
config rule 'guest_drop'                                                                                                                                      
        option name 'Limit-Guest-Drop'                                                                                                                        
        option src 'guest'                                                                                                                                    
        option proto 'all'                                                                                                                                    
        option target 'DROP'

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:11.0'
        option htmode 'HT40'
        option channel 'auto'
        option disabled '0'
        option country 'PA'
        option noscan '1'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option key 'mainpassword'
        option ssid 'Main-Network'
        option encryption 'psk2'
        option disassoc_low_ack '0'
        option dtim_period '3'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:12.0'
        option htmode 'HT40'
        option channel 'auto'
        option country 'PA'

config wifi-iface 'wifinet1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option key 'mainpassword'
        option ssid 'Main-Network'
        option dtim_period '3'
        option encryption 'psk2'
        option disassoc_low_ack '0'

config wifi-iface 'guest'
        option device 'radio0'
        option mode 'ap'
        option network 'guest'
        option ssid 'Guest-Network'
        option encryption 'psk2'
        option isolate '1'
        option key 'guestpassword'

config wifi-iface 'wifinet3'
        option network 'guest'
        option dtim_period '3'
        option ssid 'Guest-Network'
        option encryption 'psk2'
        option device 'radio1'
        option mode 'ap'
        option isolate '1'
        option key 'guestpassword'
        option disassoc_low_ack '0'

Also, it is important to mention that there is a VLAN 2 (aka eth0.2) that is bridged to the WAN port (aka eth1); there is a ppp0 network interface, since there is L2TP VPN remote access, and also a tun0 interface, because OpenWrt is also acting as an OpenVPN server.

What version of OpenWrt are you running?

ubus call system board

On your main router you basically just need to UNTAG the LAN port that the AP is connected to with the VLAN ID, then bridge that VLAN device to the guest bridge (or interface). Done.

To set up switch_vlans, first you need to know, for your hardware, which switch port is connected to the CPU. This port should be included as tagged in every VLAN. Attach the VLANs to networks or bridges with the notation eth0.N, this will emit tagged packets on the internal connection from eth0 to the switch, and the switch will direct them to the proper switch VLAN based on the tag number. Do not have plain eth0 anywhere in the configuration. Traditionally (and in most default configurations) the lan network is VLAN 1, thus eth0.1 is in br-lan.

The ports connected to end devices such as laptops or a fully dumb AP (one not using VLANs) need to be untagged in one VLAN and out of all the others. A switch_vlan containing only one port doesn't do anything. It needs two or more ports to switch a packet in and out.

Maybe there's more to it. The ToH page says:
Please remember: Port 5 in tagged mode should be included into each VLAN. Otherwise such VLAN can't be routed (will be isolated from router).

I have read everyone's comments and I really appreciate everyone for trying to help me out.
First of all, what "ubus call system board" says:

{
	"kernel": "5.4.215",
	"hostname": "WNDR3800",
	"system": "Atheros AR7161 REV 2",
	"model": "NETGEAR WNDR3800",
	"board_name": "wndr3700",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.5",
		"revision": "r16688-fa9a932fdb",
		"target": "ar71xx/generic",
		"description": "OpenWrt 21.02.5 r16688-fa9a932fdb"
	}
}

Then, I have done exactly what @theMan said, and I have no connection at all on that port. That's why I copied the config.
What the switch config shows is VLANs on "switch0" (RTL8366S), with CPU (eth0) and then LAN 1, LAN 2, LAN 3, LAN 4; each indicated port matches the physical port exactly (not the other way around, as in other routers I have configured, where for example LAN 1 is physically port 4). But strangely, in VLAN 1 (the one configured by default by OpenWrt) the CPU port (eth0) is "untagged", something completely strange to me, since when I check all the other routers (including that special case I mentioned) they all have the CPU as "tagged".
Because of this, I have preferred for now to leave the configuration as it is and post the case again, waiting for advice on what I can do. Something tells me that I should change all the settings and set the CPU port as "tagged" in all of them.

In 21.02, the bridge should never be part of the network interface stanza, and the physical interfaces are defined as device or ports (depending on the context); ifname is no longer valid.

So there are some issues here with your configuration -- it's probably going to be easier to simply start fresh.

Further, you should consider upgrading to 22.03.3. This involves a transition from ar71xx to ath79, which requires a reset to defaults because there are differences in the way the hardware is addressed. Your old configs will not be compatible (take a backup to use as a human-readable reference, if you want, but don't restore the backup after the upgrade). Note -- you will get a warning that the image type is not compatible or not supported (I can't remember the exact words)... this is expected and you can force the upgrade (just make sure the checksum matches and that you downloaded the correct image).

https://firmware-selector.openwrt.org/?version=22.03.3&target=ath79%2Fgeneric&id=netgear_wndr3800

So... backup, install the upgrade (which requires resetting to defaults), and then configure from scratch (and of course, we're here to help).


Come to think of it, in your case you don't even need a VLAN. Just remove the port from the br-lan bridge, then add it to the guest interface.

From what @psherman said, I could clearly see my mistake. I did a firmware upgrade from 19.07.7 to 21.02.5 and I can't remember whether I never cleared out the config or whether I uploaded the old one again. Nevertheless the router seemed to be stable and I continued using it, and since I never had to touch the switch configuration I didn't notice any problems until now. From what I know now, this is why some tags and/or parts were really messed up when checking the config.
I cleared out the old config and started from scratch, and now everything works as expected.

Great! Glad I was able to help.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:
