Set up only Wi-Fi network to be managed by upstream gateway with LAN ports still managed by OpenWrt

I have a Buffalo WZR-600DHP updated to 23.05.3 that I want to use as an AP with devices on a Wi-Fi network to be managed by the upstream gateway (pfSense) with LAN ports on the device still managed by OpenWrt on their own subnet.

I can't seem to make sense of the various settings in OpenWrt for achieving this configuration, and it doesn't help that I don't quite understand configuring the Wireless interface, other interfaces, and firewall, assuming even that this is where I should be configuring.

The dumb AP guide should have all the information you need. Have you tried following this guide? Did you run into issues?
https://openwrt.org/docs/guide-user/network/wifi/dumbap

Ideally, the LAN ports would be on their own subnet managed by OpenWrt, and that guide sets the LAN to the same subnet and disables DHCP.

In that case, you want to use standard routed mode with a wireless uplink.

https://openwrt.org/docs/guide-user/network/wifi/connect_client_wifi

In that guide, the Wi-Fi device is connecting to another Wi-Fi network. However, in my case I am connecting the WAN port to a switch.

I don't know if this matters, but I initially thought I could use VLANs through the WAN port, but on the Network->Switch page, VLANs on "switch0" only permits setting VLAN ID on CPU (eth0), LAN 1, LAN 2, LAN3, and LAN 4.

Let's put it in specific terms... please correct this if it is wrong:

  • OpenWrt device connects to the upstream network via ethernet
  • The upstream network connection is via the wan port
  • Wifi should be on the same subnet as the upstream network
  • OpenWrt device's lan ports should be a different subnet.

Is that correct?

Yes, that is correct.

Ok... there are a few ways to do this, but I think the easiest is to start with a default configuration, and make the wan into a bridge that can then be associated with wifi. The ethernet ports will be routed via OpenWrt and therefore on a different subnet.

What is the subnet of the upstream network (or the address of the upstream router)?

Please post the default /etc/config/network file from your OpenWrt router.

I have probably flipped too many switches, so I just reset the device:

# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8e:18bf:4649::/48'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0t'

Also, I won't be using IPv6 and after getting an initial working configuration here I will go in and disable those.

Create a bridge for wan:

config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'eth1'

Edit the wan and wan6 interfaces to use the bridge (optionally, you may delete wan6, but it must either be edited or deleted):

config interface 'wan'
	option device 'br-wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'br-wan'
	option proto 'dhcpv6'

If your upstream network uses the 192.168.1.0/24 network, you'll need to change the lan to another subnet (for example, change the address to 192.168.5.1)... but if it doesn't currently conflict, you can leave it as is:

Create an SSID (or edit the current ones) to use the wan network instead of lan.

Reboot and then test. It should do what you want.