Router on a Stick Configuration

I have been unsuccessfully trying to configure ROAS on an OpenWrt switch and OpenWrt router using DSA with static addresses on the interfaces (no DHCP needed as they are IoT devices). The trunk port is lan1 and I have a separate physical connection on lan4 for management of the switch. I have tried troubleshooting steps such as making all the firewall defaults ACCEPT for everything. According to the documentation, this is the correct way to configure it but I cannot get it to work. Any help is appreciated!

Switch Network Config:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device 'switch'
	option name 'switch'
	option type 'bridge'
	option macaddr 'REDACTED'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan 'lan_vlan'
	option device 'switch'
	option vlan '1'
	list ports 'lan1:t'
	
config bridge-vlan 'lan2_vlan'
	option device 'switch'
	option vlan '2'
	list ports 'lan2:u* lan1:t'
 
config bridge-vlan 'lan3_vlan'
	option device 'switch'
	option vlan '3'
	list ports 'lan3:u* lan1:t'

config bridge-vlan 'lan4_vlan'
	option device 'switch'
	option vlan '4'
	list ports 'lan4'

config device
	option name 'switch.1'
	option macaddr 'REDACTED'

config device
	option name 'switch.2'
	option macaddr 'REDACTED'
	
config device
	option name 'switch.3'
	option macaddr 'REDACTED'
	
config device
	option name 'switch.4'
	option macaddr 'REDACTED'

config interface 'lan'
	option device 'switch.1'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option ip6assign '0'

config interface 'lan2'
	option proto 'static'
	option device 'switch.2'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'
	option ip6assign '0'
	option gateway '192.168.2.1' # I tried this on all of them with router ip but it did not seem to help

config interface 'lan3'
	option proto 'static'
	option device 'switch.3'
	option ipaddr '192.168.3.2'
	option netmask '255.255.255.0'

config interface 'lan4'
	option proto 'static'
	option device 'switch.4'
	option ipaddr '192.168.4.2'
	option netmask '255.255.255.0'


==
Switch Firewall Config:

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'lan2'
	list network 'lan3'
	list network 'lan4'

Router Network Config:

I have omitted parts of the config for brevity such as wan which is correctly configured already.

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'lan4'

config interface 'lan'
	option proto 'static'
	option device 'br-lan.1'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'lan2'
	option proto 'static'
	option device 'br-lan.2'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config interface 'lan3'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'lan4'
	option proto 'static'
	option device 'br-lan.4'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

==
Router firewall:

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan'
	list network 'lan2'
	list network 'lan3'
	list network 'lan4'
	list network 'lan5'

config forwarding
	option src 'lan'
	option dest 'wan'

Any help is appreciated.

TIA

A few initial comments....

  1. it is best for us to see the complete configs so that we have the full context (even with things like the wan) to ensure that we can identify any and all potential issues or interactions.
  2. with respect to the switch, it is not necessary (and usually not best practice) for the switch to have addresses on any VLAN except the one that is used to manage the switch itself.
  3. You mention that you have an additional physical connection (lan4) for managing the switch. This is also not necessary and is typically best included on the same trunk as all the other networks.
  4. the bridge-vlans may be best specified with the ports on individual lines and without the name/description. For example:

The above would be better formed as:

config bridge-vlan
	option device 'switch'
	option vlan '3'
	list ports 'lan1:t'
	list ports 'lan3:u*'

With all of that said, let's see the complete configs of both devices (I assume the switch doesn't have wireless, but I don't know about the router):

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hi Peter,

Thank you for kindly looking at the configs, I appreciate you taking the time to help!

I had to reset the firmware on my switch this afternoon to fix an issue with some of the physical ports not being recognized, so I took the opportunity to take on board some of your suggestions, rewrite the configs and see if the new firmware made any difference (it did not). Please note that I am now using a snapshot for my switch firmware, but I was previously using the stable release.

ubus call system board output:

{
	"kernel": "6.12.58",
	"hostname": "OpenWrt",
	"system": "Realtek RTL9302B rev B (6487)",
	"model": "Zyxel XGS1250-12 B1 Switch",
	"board_name": "zyxel,xgs1250-12-b1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r32017-4dab2a9405",
		"target": "realtek/rtl930x",
		"description": "OpenWrt SNAPSHOT r32017-4dab2a9405",
		"builddate": "1764002583"
	}
}

Please see my switch configurations here:

(switch) /etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.2'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option dhcp_default_duid 'REDACTED' #This is new in snapshot!

config device 'br_switch'
	option name 'switch'
	option type 'bridge'
	option bridge_empty '1'
	option ipv6 '0'
	option mtu '1500'
	option macaddr 'REDACTED'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	
*#I am using UCI scripts to configure openwrt so I find it easier to add these headers ('vlan10' etc) for readability. Please let me know if this is likely to break configs now or down the line and should be avoided!?*

config interface 'vlan10' 
	option device 'switch.10'
	option vlan '10'
	list ports 'lan1:t'
	option proto 'static'
	option ipaddr '192.168.10.2'
	option netmask '255.255.255.0'
	option gateway '192.168.10.1'

config interface 'vlan20'
	option device 'switch.20'
	option vlan '20'
	list ports 'lan2:u*'
	list ports 'lan1:t'
	option proto 'static'
	option ipaddr '192.168.20.2'
	option netmask '255.255.255.0'
	option gateway '192.168.20.1'

config interface 'vlan30'
	option device 'switch.30'
	option vlan '30'
	list ports 'lan3:u*'
	list ports 'lan1:t'
	option proto 'static'
	option ipaddr '192.168.30.2'
	option netmask '255.255.255.0'
	option gateway '192.168.30.1'

config interface 'vlan40'
	option device 'switch.40'
	option vlan '40'
	list ports 'lan4:u*'
	list ports 'lan1:t'
	option proto 'static'
	option ipaddr '192.168.40.2'
	option netmask '255.255.255.0'
	option gateway '192.168.40.1'

(switch) /etc/config/firewall:

config defaults 'defaults'
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option disable_ipv6 '1'

config zone 'vlan10'
	option name 'vlan10'
	list network 'vlan10'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'vlan20'
	option name 'vlan20'
	list network 'vlan20'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'vlan30'
	option name 'vlan30'
	list network 'vlan30'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'vlan40'
	option name 'vlan40'
	list network 'vlan40'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'


config rule
	option name 'Allow-DHCP-Renew-vlan10'
	option src 'vlan10'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-vlan10'
	option src 'vlan10'
	option proto 'udp'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Renew-vlan20'
	option src 'vlan20'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-vlan20'
	option src 'vlan20'
	option proto 'udp'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Renew-vlan30'
	option src 'vlan30'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-vlan30'
	option src 'vlan30'
	option proto 'udp'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Renew-vlan40'
	option src 'vlan40'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-vlan40'
	option src 'vlan40'
	option proto 'udp'
	option dest_port '53'
	option target 'ACCEPT'


config rule
	option name 'Allow-to-Router-LuCI-vlan10'
	option src 'vlan10'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'

config rule
	option name 'Allow-to-Router-SSH-vlan10'
	option src 'vlan10'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option name 'Allow-to-Router-LuCI-vlan20'
	option src 'vlan20'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'

config rule
	option name 'Allow-to-Router-SSH-vlan20'
	option src 'vlan20'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option name 'Allow-to-Router-LuCI-vlan30'
	option src 'vlan30'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'

config rule
	option name 'Allow-to-Router-SSH-vlan30'
	option src 'vlan30'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option name 'Allow-to-Router-LuCI-vlan40'
	option src 'vlan40'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'

config rule
	option name 'Allow-to-Router-SSH-vlan40'
	option src 'vlan40'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

At this time, everything that will plug into an access port will have static IPs, so I have no DHCP config for the switch!

Router Configs:
/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'REDACTED'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan0'
	list ports 'lan2'
	list ports 'lan3'

config device
	option name 'lan0'
	option macaddr 'REDACTED'

config device
	option name 'lan1'
	option macaddr 'REDACTED'

config device
	option name 'lan2'
	option macaddr 'REDACTED'

config device
	option name 'lan3'
	option macaddr 'REDACTED'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '0'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option macaddr 'REDACTED'

config device
	option type 'bridge'
	option name 'switch'
	list ports 'lan1'
	option bridge_empty '1'
	option ipv6 '0'
	option mtu '1500'

config bridge-vlan
	option device 'switch'
	option vlan '10'
	list ports 'lan1:t'

config bridge-vlan
	option device 'switch'
	option vlan '20'
	list ports 'lan1:t'

config bridge-vlan
	option device 'switch'
	option vlan '30'
	list ports 'lan1:t'

config bridge-vlan
	option device 'switch'
	option vlan '40'
	list ports 'lan1:t'

config interface 'vlan10'
	option proto 'static'
	option device 'switch.10'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ip6assign '0'

config interface 'vlan20'
	option proto 'static'
	option device 'switch.20'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option ip6assign '0'

config interface 'vlan30'
	option proto 'static'
	option device 'switch.30'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	option ip6assign '0'

config interface 'vlan40'
	option proto 'static'
	option device 'switch.40'
	option ipaddr '192.168.40.1'
	option netmask '255.255.255.0'
	option ip6assign '0'

/etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config zone
	option name 'vlan10'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vlan10'

config forwarding
	option src 'vlan10'
	option dest 'wan'

config zone
	option name 'vlan20'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'vlan20'
	option dest 'wan'

config zone
	option name 'vlan30'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vlan30'

config forwarding
	option src 'vlan30'
	option dest 'wan'

config zone
	option name 'vlan40'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vlan40'

config forwarding
	option src 'vlan40'
	option dest 'wan'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option channel '1'
	option htmode 'HE20'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'REDACTED'
	option encryption 'sae-mixed'
	option key 'REDACTED'

Thanks for your time

Starting on the switch...

This is incorrectly configured:

You need to setup bridge-VLANs where you define the port-vlan membership and then the interfaces use the resulting bridge-vlans as their devices.

This is true for all of your network interfaces on the switch. But additionally, you didn't follow another key part of my advice:

Likewise, the firewall on the switch needs just a single zone (usually lan -- although it could be another zone with input = accept, this is used for managing the switch, and that is all it does). You don't need any of those other rules.

I'm not surprised since the entire switch is misconfigured.

Your router is also not quite right....
you need to use a single bridge and then bridge-VLANs to define the port-vlan memberships.

Here's my recommendation.... reset everything to defaults and post the default configs here. This will be much faster and less error-prone relative to trying to clean up the current config.

From there, I'll show you how to add one VLAN and then you can use that as a template for adding the others.

  • We'll start with the standard lan network
  • and we'll add a management VLAN (from what I can tell, your plan is to use VLAN 40 with 192.168.40.2 as the switch address).
  • they'll be trunked on port lan1 for each of the devices (so router port lan1 to switch port lan1)
  • we'll setup access ports on both the router and the switch for each of the 2 active VLANs so that you can test that both VLANs are working properly.

Thanks Peter, very helpful. I have been struggling to get my head around this so a correct example will really help.

Router Network Config

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'REDACTED'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config device
	option name 'lan0'
	option macaddr 'REDACTED'

config device
	option name 'lan1'
	option macaddr 'REDACTED'

config device
	option name 'lan2'
	option macaddr 'REDACTED'

config device
	option name 'lan3'
	option macaddr 'REDACTED'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

Router Firewall Config

config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

Here are the switch's default configs:

Network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option dhcp_default_duid 'REDACTED'
	option ula_prefix 'REDACTED'

config device 'switch'
	option name 'switch'
	option type 'bridge'
	option macaddr 'REDACTED'

config bridge-vlan 'lan_vlan'
	option device 'switch'
	option vlan '1'
	option ports 'lan1 lan2 lan3 lan4 lan5 lan6 lan7 lan8 lan9 lan10 lan11 lan12'

config device
	option name 'switch.1'
	option macaddr 'REDACTED'

config interface 'lan'
	option device 'switch.1'
	option proto 'static'
	list ipaddr '192.168.1.1/24'
	option ip6assign '60'

The switch firewall config:

config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		DROP
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

Thank you, appreciate your help.

Starting with the router...

Create bridge-vlans for VLANs 1 and 40 (these can be other VLAN IDs, but this will be the example):

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan0:u*'
	list ports 'lan1:t'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'lan1:t'
	list ports 'lan3:u*'

Edit the lan network interface to use br-lan.1:

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

Create VLAN40 using br-lan.40:

config interface 'vlan40'
	option device 'br-lan.40'
	option proto 'static'
	option ipaddr '192.168.40.1'
	option netmask '255.255.255.0'

Add the vlan40 network interface to the lan firewall zone:

config zone
	option name		'lan'
	list   network		'lan'
	list   network		'vlan40'
	option input		'ACCEPT'
	option output		'ACCEPT'
	option forward		'ACCEPT'

You may also want to add a DHCP server to VLAN 40, but that's not required.

Now, on the switch... it is odd that the switch bridge definition doesn't have all the ports. I'm pretty sure it should look like this:

config device 'switch'
	option name 'switch'
	option type 'bridge'
	option macaddr 'REDACTED'
	list ports 'lan1' 
	list ports 'lan2'
	list ports 'lan3' 
	list ports 'lan4'
	list ports 'lan5' 
	list ports 'lan6'
	list ports 'lan7' 
	list ports 'lan8'
	list ports 'lan9' 
	list ports 'lan10'
	list ports 'lan11' 
	list ports 'lan12'

Delete the existing bridge-vlan that is there:

Now we can make bridge-VLANs:

config bridge-vlan
	option device 'switch'
	option vlan '1'
	list ports 'lan1:t' 
	list ports 'lan2:u*'
	list ports 'lan4:u*'
	list ports 'lan5:u*' 
	list ports 'lan6:u*'
	list ports 'lan7:u*' 
	list ports 'lan8:u*'
	list ports 'lan9:u*' 
	list ports 'lan10:u*'
	list ports 'lan11:u*' 
	list ports 'lan12:u*'

config bridge-vlan
	option device 'switch'
	option vlan '40'
	list ports 'lan1:t' 
	list ports 'lan3:u*' 

We'll add VLAN 40 by editing the lan interface:

config interface 'lan'
	option device 'switch.40'
	option proto 'static'
	list ipaddr '192.168.40.2/24'

And we can finally make vlan1 unmanaged:

config interface 'vlan1'
	option device 'switch.1'
	option proto 'none'

Restart both devices, connect lan1 to lan1 and you should be good.

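The router and switch steps from the post above, collected into one script that prints (or applies) the equivalent `uci batch` commands. This is an added example, not code from the thread, from Peter, or from the OpenWrt project. It assumes both devices start from the default configs posted above, that the router's `lan` firewall zone is the first zone section (`firewall.@zone[0]`, as in the default file), and that the switch's default bridge-vlan section is named `lan_vlan`. One deliberate deviation from the post: router port lan3 is put in VLAN 40 only, not untagged in both VLAN 1 and VLAN 40, because a port has a single PVID (`u*`) and the switch side of the post already leaves lan3 out of VLAN 1. With no arguments it prints both plans for review; `sh roas.sh router apply` on the router or `sh roas.sh switch apply` on the switch commits the plan.

```shell
#!/bin/sh
# Added example (not from the thread): emit, and optionally apply, the uci
# commands for the VLAN 1 + management VLAN 40 layout recommended above.
# Assumed: both devices start from the default configs posted in the thread;
# on the router the 'lan' firewall zone is firewall.@zone[0]; on the switch
# the default bridge-vlan section is named 'lan_vlan'.
# Deviation: router lan3 is given to VLAN 40 only (one untagged PVID per port).

TRUNK='lan1'                  # trunk port, router lan1 <-> switch lan1
MGMT_VLAN='40'
ROUTER_MGMT_IP='192.168.40.1'
SWITCH_MGMT_IP='192.168.40.2/24'

# Print one bridge-vlan section as uci batch commands.
# usage: bridge_vlan <bridge> <vid> <port:flags>...
bridge_vlan() {
    _br=$1; _vid=$2; shift 2
    echo "add network bridge-vlan"
    echo "set network.@bridge-vlan[-1].device='$_br'"
    echo "set network.@bridge-vlan[-1].vlan='$_vid'"
    for _p in "$@"; do
        echo "add_list network.@bridge-vlan[-1].ports='$_p'"
    done
}

# Router: VLAN 1 stays the regular lan, VLAN 40 becomes the management network,
# both tagged on the trunk; lan3 is an untagged test port for VLAN 40.
router_uci_batch() {
    bridge_vlan br-lan 1 'lan0:u*' "$TRUNK:t" 'lan2:u*'
    bridge_vlan br-lan "$MGMT_VLAN" "$TRUNK:t" 'lan3:u*'
    echo "set network.lan.device='br-lan.1'"
    echo "set network.vlan$MGMT_VLAN=interface"
    echo "set network.vlan$MGMT_VLAN.device='br-lan.$MGMT_VLAN'"
    echo "set network.vlan$MGMT_VLAN.proto='static'"
    echo "set network.vlan$MGMT_VLAN.ipaddr='$ROUTER_MGMT_IP'"
    echo "set network.vlan$MGMT_VLAN.netmask='255.255.255.0'"
    # Same zone as lan, as in the post. Give it its own zone later if ordinary
    # lan hosts should not be able to reach the switch's management address.
    echo "add_list firewall.@zone[0].network='vlan$MGMT_VLAN'"
    echo "commit network"
    echo "commit firewall"
}

# Switch: all twelve ports in the bridge, lan3 as a VLAN 40 access port, the
# switch's only address on VLAN 40, VLAN 1 carried but unmanaged. The default
# 'lan' firewall zone still covers the 'lan' network, so no firewall change.
switch_uci_batch() {
    for _n in 1 2 3 4 5 6 7 8 9 10 11 12; do
        echo "add_list network.switch.ports='lan$_n'"
    done
    echo "delete network.lan_vlan"
    set -- "$TRUNK:t"
    for _n in 2 4 5 6 7 8 9 10 11 12; do set -- "$@" "lan$_n:u*"; done
    bridge_vlan switch 1 "$@"
    bridge_vlan switch "$MGMT_VLAN" "$TRUNK:t" 'lan3:u*'
    echo "set network.lan.device='switch.$MGMT_VLAN'"
    echo "delete network.lan.ipaddr"
    echo "add_list network.lan.ipaddr='$SWITCH_MGMT_IP'"
    echo "set network.vlan1=interface"
    echo "set network.vlan1.device='switch.1'"
    echo "set network.vlan1.proto='none'"
    echo "commit network"
}

# usage: sh roas.sh [router|switch] [apply]
main() {
    case "$1" in
        router) _gen=router_uci_batch ;;
        switch) _gen=switch_uci_batch ;;
        *) echo "# router"; router_uci_batch; echo; echo "# switch"; switch_uci_batch; return 0 ;;
    esac
    if [ "$2" = apply ]; then
        command -v uci >/dev/null 2>&1 || { echo "uci not found: run this on the OpenWrt device" >&2; return 1; }
        "$_gen" | uci batch || return 1
        echo "committed; reboot (or /etc/init.d/network restart) with console access at hand," \
             "since the switch's management address moves to VLAN $MGMT_VLAN"
    else
        "$_gen"
    fi
}

main "$@"
```

Apply it on the switch from the serial console or from a host on lan3, not over the VLAN 1 address that the script removes. After the restart, `bridge vlan show` (from the ip-bridge package) on each device should list lan1 with VLANs 1 and 40 tagged and lan3 with VLAN 40 as PVID/untagged, and `ubus call network.interface.lan status` on the switch should show 192.168.40.2 on `switch.40`.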

Thanks Peter, appreciate your help with this!