Setup new router AP using WAN port also as LAN port bridge issues

I have a dump AP (disabled firewall DHCP and dns services on it) and want the WAN port to also be part of the LAN (so I have an additional 2.5 gbit port available; Zyxel EX5601-T0 ubootmod). Below is the network of my main router and then the network of the AP. All physical ports should be part of the lan network but on the AP. The Guest and IoT network are only accessible via wifi. However, I think I am doing something wrong in the bridging and tagging. The lan wifi works fine but the guest and iot does not (cannot connect). The main router and AP are connected via LAN1 on main router into WAN port of AP.

# Main Router /etc/config/network

config interface 'loopback'
    option device   'lo'
    option proto    'static'
    option ipaddr   '127.0.0.1'
    option netmask  '255.0.0.0'

config globals 'globals'
    option ula_prefix        'fd33:2b80:e1aa::/48'
    option packet_steering   '1'

# 1) Create the LAN bridge with VLAN filtering
config device
    option name           'br-lan'
    option type           'bridge'
    option vlan_filtering '1'
    list ports            'lan1'
    list ports            'lan2'
    list ports            'lan3'
    list ports            'lan4'

# 2) Define VLANs on br-lan

# VLAN 1 = default LAN
config bridge-vlan
    option device 'br-lan'
    option vlan   '1'
    list ports    'lan1'      # untagged PVID on all LAN jacks
    list ports    'lan2'
    list ports    'lan3'
    list ports    'lan4'
    list ports    'eth0.1'    # CPU port, carries untagged VLAN 1

# VLAN 2 = Guest (Wi-Fi only)
config bridge-vlan
    option device 'br-lan'
    option vlan   '2'
    list ports    'eth0.2t'   # CPU port tagged for VLAN 2
    list ports    'lan1t'

# VLAN 3 = IoT  (Wi-Fi only)
config bridge-vlan
    option device 'br-lan'
    option vlan   '3'
    list ports    'eth0.3t'   # CPU port tagged for VLAN 3
    list ports    'lan1t'

# 3) Bind interfaces to VLAN sub-interfaces

# LAN on VLAN 1
config interface 'lan'
    option device   'br-lan.1'
    option proto    'static'
    option ipaddr   '192.168.1.1'
    option netmask  '255.255.255.0'
    option ip6assign '60'

# WAN unchanged (PPPoE on eth1 VLAN 6)
config interface 'wan'
    option device   'eth1.6'
    option proto    'pppoe'
    option username '6C-BA-B8-7A-8-D-E0@internet'
    option password 'kpn'
    option mtu      '1508'
    option ipv6     'auto'

# Guest on VLAN 2
config interface 'Guest'
    option device   'br-lan.2'
    option proto    'static'
    option ipaddr   '10.20.30.40'
    option netmask  '255.255.255.0'

# IoT on VLAN 3
config interface 'IoT'
    option device   'br-lan.3'
    option proto    'static'
    option ipaddr   '172.16.0.1'
    option netmask  '255.255.255.0'

# AP /etc/config/network

config interface 'loopback'
    option device   'lo'
    option proto    'static'
    option ipaddr   '127.0.0.1'
    option netmask  '255.0.0.0'

#  Bridge all 5 ports (1 2.5Gb + 3 1Gb + 2.5Gb WAN) with VLAN filtering
config device
    option name           'br-lan'
    option type           'bridge'
    option vlan_filtering '1'
    list ports            'lan1'
    list ports            'lan2'
    list ports            'lan3'
    list ports            'lan4'
    list ports            'eth0'
    list ports            'eth1'           # formerly WAN port

# VLAN 1 = management + main LAN (untagged everywhere)
config bridge-vlan
    option device 'br-lan'
    option vlan   '1'
    list ports    'lan1'
    list ports    'lan2'
    list ports    'lan3'
    list ports    'lan4'
    list ports    'eth1'           # untagged on eth1 (WAN port as LAN)
    list ports    'eth0.1'         # CPU port, carries untagged VLAN 1

# VLAN 2 = Guest (tagged only on uplink)
config bridge-vlan
    option device 'br-lan'
    option vlan   '2'
    list ports    'eth0.2t'        # CPU port tagged for VLAN 2
    list ports    'eth1t'          # tagged on eth1 (WAN port as LAN)


# VLAN 3 = IoT (tagged only on uplink)
config bridge-vlan
    option device 'br-lan'
    option vlan   '3'
    list ports    'eth0.3t'
    list ports    'eth1t'          # tagged on eth1 (WAN port as LAN)

# AP management on VLAN 1
config interface 'lan'
    option device   'br-lan.1'
    option proto    'static'
    option ipaddr   '192.168.1.2'
    option netmask '255.255.255.0'

# AP management on VLAN 2
config interface 'Guest'
    option device 'br-lan.2'
    option proto  'static'
    option ipaddr '10.20.30.41'
    option netmask '255.255.255.0'

config interface 'IoT'
    option device 'br-lan.3'
    option proto  'static'
    option ipaddr '172.16.0.2'
    option netmask '255.255.255.0'

before changing your configurations I suggest you understand if the devices you are using are DSA or not ...

How to understand if the devices used are using DSA or not:

this device should be ported to DSA can you confirm this?

I saw your post:

What model is the main router? and has it been ported to DSA?

both my main-router and my dump-ap are DSA based what is your situation ?

This is your main-router but the configuration of a tagged port should look similar to this (if DSA)

ps: on my main-router (DSA) I only have the tagged port no reference to the cpu are you sure of this configuration, did you edit it by hand by chance?

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan1:t'

This is your dump-ap but the configuration of a tagged port should look similar to this (if DSA) so modify your configuration accordingly (from the "luci" GUI if possible)

ps: on my dump-ap (DSA) I only have the tagged port no reference to the cpu are you sure of this configuration, did you edit it by hand by chance?

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'eth1:t'

ps: obviously if the traffic is tagged it must also be tagged on the main router...

can you show a screenshot of how your dump-ap / main-router looks like in the tab (if DSA):

network --> devices --> br-lan (configure) --> Bridge VLAN filtering

It should look something like this (whit DSA on main-router):

immagine898×491 37 KB

It should look something like this (whit DSA on dump-ap):

immagine898×491 41.1 KB

general documentation what is DSA what is it for:

Sorry that I was not clear about this. I replaced both my routers with Zyxel EX5601-T0 devices. Both are on the latest openwrt firmware so DSA enabled. I've edited quite a bit by hand to try and get things working. I thought I had to add the correct CPU to the bridges as well (and does the ":" in 'lan1:t" matter? I've tried removing the CPU reference in the bridge-vlans as well but it didn't make a difference.

Bridge VLAN filtering on main router:

image1768×766 62.9 KB

Bridge VLAN filtering on AP:

image1762×746 65.6 KB

image714×750 24.6 KB

Do you by any chance have a backup of the /etc/config/network file without the changes made?

I assume that by defining "eth1t", "lan1t" you created something non-existent...

yes the ":" is necessary see:

you can try (by making a backup of the current configuration) to try this on your dump-ap:

# VLAN 2 = Guest (tagged only on uplink)
config bridge-vlan
    option device 'br-lan'
    option vlan   '2'
    #list ports    'eth0.2t'        # CPU port tagged for VLAN 2
    list ports    'eth1:t'          # tagged on eth1 (WAN port as LAN)

you can try (by making a backup of the current configuration) to try this on your main-router:

# VLAN 2 = Guest (Wi-Fi only)
config bridge-vlan
    option device 'br-lan'
    option vlan   '2'
    #list ports    'eth0.2t'   # CPU port tagged for VLAN 2
    list ports    'lan1:t'

I assume this will be correct (but you can expect unforeseen cases)...

you should get this (on dump-ap):

immagine690×292 71.5 KB

you should get this (on main-router):

immagine690×292 68.7 KB

There are more issues with the existing config than have been specifically noted at this point. Both the main router and the AP have serious issues.

Please describe:

• your desired port-VLAN membership for each port on each device
• the VLAN used for managing the AP (I'm guessing VLAN 1, lan)
• The address the AP should use on that management network (I'm guessing 192.168.1.2)

Reset both devices to defaults and post the network config files from each.