Same port, wan+lan vlan tagged traffic

I have a TP-Link TL-WR1043N v5, and I used it mostly as a dumb switch + 2.4GHz backup WiFi for the entire house. It's running OpenWrt 19 (I tried v21 but I got lost in the new Devices page and didn't know how to set up what I wanted).
Recently I bought 3 new Aruba APs that will cover the house with dual band AX WiFi, plus a separate guest WiFi, and to do this (and separate the home network from the guest network) I have set up a bit of a weird setup.

APs will be connected to the same switch where everything else in the house is connected; I can't connect them anywhere else because of cabling already done.

To that same switch the TL-WR1043 is connected with one cable. I have other things connected to the TP-Link and I need those gigabit ports for other stuff, and I can't run another cable back to the main switch.

So anyway I did what you can see in the photos.
I have the WAN interface set up with all physical LAN and WAN ports on the device.
The LAN interface is just the WiFi + vlan0.167.
Then I added the same vlan0.167 to the WAN interface.
Then I connected the TP-Link router back to the network.
The WAN IP is 192.168.2.5, the LAN IP is 192.167.0.1.
I can access the TP-Link from any house device on its WAN IP normally.
But if I do a VLAN tag on a laptop, for example, and specify VLAN 167, I will get an IP from the LAN interface of the TP-Link router.
So it works OK.

I didn't try to do that on the Aruba APs because it's a bit complicated; it'll take me some time to do it.

Are there any important drawbacks to this? I don't plan to update my network any more than this. In fact I'd gladly do this on a cheap TP-Link 841, just not sure it can handle it.

I understand that, by using just 1 cable, my max speed will be reduced by 50%, maximum 500Mbit (traffic is coming in and going out on the same port, which is just 1Gbit to the CPU), but this is still plenty fast - my main internet line is 200Mbit, one day upgradeable to 500, and my secondary internet line is ~50Mbit. This VLAN network will use that secondary line, and the TL-WR1043 will be routing just that 50Mbit anyway.


You do not want to bridge the WAN interface. This will be a security liability as well as cause potential issues across your entire network.

Could you please draw a diagram of your network topology? That will help clarify how things are connected.


Also, this is not a valid RFC1918 address. I don't know if this is a typo, but you should stick to RFC1918 ranges.


Did a change: even if it was working before, I noticed phones had trouble connecting (not getting an IP).
I removed the vlan0.167 from the WAN interface, and left it just on the LAN interface. Now the APs at home forward tagged traffic well and phones connect normally.

For subnet 192.167.0.0/24, I thought I could use any subnet for a private network, but I changed to another non-public subnet.

192.167.0.0/24 is not a private subnet. You can use anything in the 192.168.0.0/16 range, or 172.16.0.0/12, or 10.0.0.0/8 -- these are the 3 RFC1918 ranges.
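As an added check (example code written for this thread, not from the OP or the OpenWrt project), the following Python lints a 19.07-style /etc/config/network for the three problems raised above: a WAN bridged across several ports, one VLAN device attached to both lan and wan, and a static address outside the RFC1918 ranges. The UCI parser is deliberately minimal, and the sample config and its device names are constructed.

```python
import ipaddress
import re
# The three RFC1918 ranges named in the thread (ipaddress.is_private is wider).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_uci(text):
    """Minimal UCI parser: {section name: {option: value}}; 'list' entries join into one string."""
    sections, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"config\s+(\w+)(?:\s+'?([\w.-]+)'?)?\s*$", line)
        if m:  # new section; unnamed sections get a synthetic name
            cur = sections.setdefault(m.group(2) or f"_anon{len(sections)}", {"_type": m.group(1)})
            continue
        m = re.match(r"(?:option|list)\s+(\w+)\s+'(.*)'\s*$", line)
        if m and cur is not None:
            cur[m.group(1)] = (cur.get(m.group(1), "") + " " + m.group(2)).strip()
    return sections

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)  # so 192.167.0.1 is rejected

def lint_network(text):
    """Return findings for: bridged/multi-port wan, device shared by lan and wan, non-RFC1918 static address."""
    cfg = parse_uci(text)
    wan, lan = cfg.get("wan", {}), cfg.get("lan", {})
    wan_ifs, lan_ifs = set(wan.get("ifname", "").split()), set(lan.get("ifname", "").split())
    findings = []
    if wan.get("type") == "bridge" or len(wan_ifs) > 1:
        findings.append("wan is bridged across several ports; it should carry one upstream device only")
    if wan_ifs & lan_ifs:
        findings.append(f"device(s) {sorted(wan_ifs & lan_ifs)} attached to both lan and wan")
    for name, sec in cfg.items():
        if sec.get("proto") == "static" and "ipaddr" in sec and not is_rfc1918(sec["ipaddr"]):
            findings.append(f"{name} address {sec['ipaddr']} is not in an RFC1918 range")
    return findings

# Constructed sample modelled on the OP's first attempt (assumed device names; eth0.167 stands in for the OP's vlan0.167).
SAMPLE_BAD = """config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.167'
    option proto 'static'
    option ipaddr '192.167.0.1'
config interface 'wan'
    option type 'bridge'
    option ifname 'eth0.1 eth0.2 eth0.167'
    option proto 'dhcp'
"""
```

Running `lint_network(SAMPLE_BAD)` reports all three issues; after moving the VLAN device to lan only, leaving wan unbridged on one port, and picking a 192.168.x.x address, it returns an empty list.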