4 "dumb" APs running OpenWRT. Each AP has 3 SSIDs - 2 (2.4 GHz, 5 GHz) with full access to the WAN and LAN, and 1 guest SSID. Each AP is connected via a single ethernet cable to an unmanaged switch.
1 router w/out any radios running openwrt. Router has 2 ports (1 WAN, 1 LAN). Router is connected to the same unmanaged switch as the APs.
I'd like to set up a DHCP server for both the primary SSIDs (which function as 1 network) and the guest network/SSID. I'd like to have this DHCP server only running on the router, with the guest network and primary network in separate subnets. The guest network shouldn't be able to communicate with the primary network clients (or the router, other than for DHCP/DNS). I would potentially like the guest network clients to be able to communicate w/ each other though (w/ any client on their subnet). I would also like the primary network to be able to communicate w/ the guest network.
What are some ways I can make all of this happen? What are my options?
I can think of the simplest option where I run a DHCP server for the guest network on each AP. That means my "dumb" APs aren't so dumb anymore though. Ideally my router will handle all DHCP leases for all subnets and I can segregate clients appropriately via router firewall rules. VLAN seems like it's off the table because I don't have a managed switch and I only have 1 ethernet cable running between the APs and the switch. Also, my router only has 2 total ports.
You should either set up a direct connection between the OpenWrt devices (i.e. not through the unmanaged switch), or you should get a managed switch. Unmanaged switches are not intended for use with VLANs/tagged Ethernet.
Are either of the two options possible in your situation?
Running a cable between each of the APs is probably a no-go at this point. I gather from your response that leaning on VLANs is the only other way to do this, which means I need to swap out my unmanaged switch for a managed switch. That is at least doable.
Are VLANs the only other option here?
If I get a managed switch, do you have any recs that are not expensive and can also run OpenWRT? I guess it's not important they run OpenWRT, but why not.
I assume it isn't a problem that my router only has 2 ports (1 LAN, 1 WAN) and that I can only run one Ethernet cable between each AP/router and the managed switch.
Generally, yes. I mean, if you only need one of the APs to broadcast the guest network, you could set up a guest wifi on a bridged AP and avoid VLANs entirely. But I would recommend using VLANs and setting up all the routing on the main router.
If you don't require it to run OpenWrt, your choices open up considerably. I specifically recommend against the entry level TP-Link managed switches (I think they call them "unmanaged pro" or something) such as the TL-SG1xxE series, as they have some firmware quirks that are just problematic in many cases. I haven't used the entry level Netgear switches, but I'm pretty certain people have had the same issues with those. The next level up in both brands are pretty good, as are ZyXel. I think the Linksys managed switches are also supposed to be just fine.
Not a problem at all. The VLANs will be implemented on the lan port as a trunk (i.e. a port/cable carrying multiple networks), and your managed switch will handle them from there.
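As an added illustration of the trunk-on-the-LAN-port layout described in this reply (example config, not from the original thread or from the OpenWrt project), here is what the router side could look like in OpenWrt's UCI syntax on a DSA-based build (21.02 or later). It assumes the router's single LAN port is named `lan`, that VLAN 1 carries the primary network untagged and VLAN 10 carries the guest network tagged, and that the subnets 192.168.1.0/24 and 192.168.10.0/24 are used; the VLAN IDs, port name and addresses are all assumptions and would be chosen to match the APs and managed switch. The firewall section implements the isolation asked for in the question: guest clients reach the WAN but not the primary LAN, can talk to the router only for DHCP and DNS, and primary-network clients may initiate connections into the guest subnet.

```uci
# /etc/config/network  (relevant sections only; example, assumed port name 'lan')

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan'

# VLAN 1: primary network, untagged on the trunk and used as the port's PVID
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan:u*'

# VLAN 10: guest network, tagged on the same cable
config bridge-vlan
    option device 'br-lan'
    option vlan '10'
    list ports 'lan:t'

config interface 'lan'
    option device 'br-lan.1'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'

config interface 'guest'
    option device 'br-lan.10'
    option proto 'static'
    option ipaddr '192.168.10.1'
    option netmask '255.255.255.0'

# /etc/config/dhcp  (DHCP for the guest subnet runs on the router only)

config dhcp 'guest'
    option interface 'guest'
    option start '100'
    option limit '150'
    option leasetime '12h'

# /etc/config/firewall  (guest zone; the stock 'lan' and 'wan' zones are assumed to exist)

config zone
    option name 'guest'
    list network 'guest'
    option input 'REJECT'      # router accepts nothing from guests by default
    option output 'ACCEPT'
    option forward 'REJECT'    # no guest-to-anywhere forwarding unless listed below

# guest -> wan only; no guest -> lan forwarding, so guests cannot reach primary clients
config forwarding
    option src 'guest'
    option dest 'wan'

# primary clients may initiate connections into the guest subnet (replies are
# allowed back by connection tracking, so the guest side still cannot initiate)
config forwarding
    option src 'lan'
    option dest 'guest'

# the two exceptions to 'input REJECT': DHCP and DNS to the router itself
config rule
    option name 'Allow-Guest-DHCP'
    option src 'guest'
    option proto 'udp'
    option dest_port '67-68'
    option target 'ACCEPT'

config rule
    option name 'Allow-Guest-DNS'
    option src 'guest'
    option proto 'tcp udp'
    option dest_port '53'
    option target 'ACCEPT'
```

Guest clients on the same subnet can still talk to each other because that traffic is switched within VLAN 10 and never passes through the router's firewall; it is only blocked if client isolation is turned on for the guest SSID on the APs. For the layout to work, each AP needs a matching `bridge-vlan` on its own port (guest SSID bridged into VLAN 10, primary SSIDs into VLAN 1), and each switch port facing an AP or the router has to be configured as a trunk carrying VLAN 1 untagged and VLAN 10 tagged.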