Setup second router as access point with many VLANs

Hello all!

I've got two Asus AX-53U routers with newest (23.x) OpenWRT.

The first of them (let's say router1) has multiple interfaces configured (listing some of them):

  • 192.168.10.0/25 (local devices)
  • 99.99.99.0/26 (guest devices)
  • 10.10.10.0/26 (iot devices)

Every subnet has its own wireless configuration (both 2.4 and 5 GHz) attached. Also, every subnet has a DHCP server configured.

My problem:
I want to add a second router (let's name it router2) to extend the wireless networks (all of them) to the second floor of the house. Of course I've got wires between floors in the wall, so I can connect them by cable. The second router also has some LAN ports, so I want to use them to extend the main interfaces (again, all of them) on router2.

Can someone help me with that? Router1 is working fine, but my problems appear with the second one.

  • I'm kind of new to OpenWRT and all network topics, so for now I'm using the LuCI interface.

Thanks for all answers!

You should always stick with RFC1918 addresses. This may cause problems for you because you've specified a public IP range.

Yes.

First, let's review the config of the main router to make sure it's setup properly. Also, what port on the main router will be used to connect to the secondary device?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thank you! I forgot about that. The invalid subnet ranges will be adjusted at the end. Let's focus now on proper configuration.

I can use LAN or WAN - which should be better?

Command ubus call system board

{
	"kernel": "5.15.150",
	"hostname": "AX1800_main_router",
	"system": "MediaTek MT7621 ver:1 eco:4",
	"model": "ASUS RT-AX53U",
	"board_name": "asus,rt-ax53u",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}

Command cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3a:86a6:48bc::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr 'xx'
	option netmask '255.255.255.0'
	option gateway 'xx.1'
	list dns 'xx'
	list dns 'xx'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option disabled '1'
	option reqaddress 'try'
	option reqprefix 'auto'

config interface 'lan_dynamic'
	option proto 'static'
	option device 'br-dyn'
	list ipaddr '10.10.10.1/27'
	option gateway 'xx.1'

config interface 'lan_iot'
	option proto 'static'
	option device 'br-iot'
	list ipaddr '192.168.20.1/25'
	option gateway 'xx.1'

config interface 'lan_not'
	option proto 'static'
	option device 'br-not'
	list ipaddr '192.168.30.1/25'

config interface 'lan_mixed'
	option proto 'static'
	option device 'br-mix'
	list ipaddr '192.168.10.1/26'
	option force_link '0'
	option gateway 'xx.1'

config interface 'lan_guest'
	option proto 'static'
	option device 'br-guest'
	list ipaddr '99.99.99.1/27' <- will be changed
	option gateway 'xx.1'

config device
	option name 'wan'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config device
	option type 'bridge'
	option name 'br-dyn'
	option bridge_empty '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	option bridge_empty '1'

config device
	option type 'bridge'
	option name 'br-not'
	option bridge_empty '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config device
	option type 'bridge'
	option name 'br-mix'
	option bridge_empty '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan_test'
	option proto 'static'
	option ipaddr '192.168.99.1'
	option netmask '255.255.255.0'
	option device 'br-dyn'

Command cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option band '2g'
	option htmode 'HE20'
	option cell_density '0'
	option txpower '20'
	option channel 'auto'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'el Residence Guest'
	option encryption 'sae'
	option isolate '1'
	option key 'xx'
	option network 'lan_guest'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'el Residence Guest 5Ghz'
	option encryption 'sae'
	option isolate '1'
	option key 'xx'
	option network 'lan_guest'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'el Residence'
	option encryption 'sae'
	option isolate '1'
	option key 'xx'
	option network 'lan_dynamic'
	option ieee80211w '1'

config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option ssid 'el Residence 5Ghz'
	option encryption 'sae'
	option isolate '1'
	option key 'xx'
	option network 'lan_dynamic'

config wifi-iface 'wifinet5'
	option device 'radio0'
	option mode 'ap'
	option ssid 'el Residence Local'
	option encryption 'sae'
	option hidden '1'
	option key 'xx'
	option network 'lan_mixed'

config wifi-iface 'wifinet6'
	option device 'radio1'
	option mode 'ap'
	option ssid 'el Residence Local 5Ghz'
	option encryption 'sae'
	option hidden '1'
	option key 'xx'
	option network 'lan_mixed'

config wifi-iface 'wifinet7'
	option device 'radio0'
	option mode 'ap'
	option ssid 'el Residence IoT'
	option encryption 'sae'
	option hidden '1'
	option isolate '1'
	option key 'xx'
	option network 'lan_iot'

config wifi-iface 'wifinet8'
	option device 'radio1'
	option mode 'ap'
	option ssid 'el Residence IoT 5Ghz'
	option encryption 'sae'
	option hidden '1'
	option isolate '1'
	option key 'xx'
	option network 'lan_iot'

config wifi-iface 'wifinet9'
	option device 'radio0'
	option mode 'ap'
	option ssid 'el Residence NoT'
	option encryption 'sae'
	option hidden '1'
	option isolate '1'
	option key 'xx'
	option network 'lan_not'

config wifi-iface 'wifinet10'
	option device 'radio1'
	option mode 'ap'
	option ssid 'el Residence NoT 5Ghz'
	option encryption 'sae'
	option hidden '1'
	option isolate '1'
	option key 'xx'
	option network 'lan_not'

config wifi-iface 'wifinet11'
	option device 'radio0'
	option mode 'ap'
	option ssid 'test'
	option encryption 'sae-mixed'
	option network 'lan_test'
	option key 'test1234'

Command cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option authoritative '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'lan_dynamic'
	option interface 'lan_dynamic'
	option start '10'
	option limit '100'
	option leasetime '1h'
	option master '1'
	option force '1'

config dhcp 'lan_iot'
	option interface 'lan_iot'
	option start '2'
	option limit '127'
	option leasetime '15m'
	option dynamicdhcp '0'
	option force '1'

config dhcp 'lan_mixed'
	option interface 'lan_mixed'
	option start '10'
	option limit '255'
	option leasetime '15m'

config dhcp 'lan_guest'
	option interface 'lan_guest'
	option start '10'
	option limit '40'
	option leasetime '2h'

Command cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan_mixed'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'lan_guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan_dynamic'
	list network 'lan_guest'

config forwarding
	option src 'lan'
	option dest 'lan_guest'

config forwarding
	option src 'lan_guest'
	option dest 'wan'

config zone
	option name 'lan_iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan_iot'

config forwarding
	option src 'lan_iot'
	option dest 'lan'

config forwarding
	option src 'lan_iot'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'lan_iot'

config zone
	option name 'lan_not'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan_not'

config forwarding
	option src 'lan_not'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'lan_not'

Quite long configurations, because I've got many subnets and twice as many wireless networks.

I want to add that the incoming connection from the internet provider is plugged into the WAN port of router1, of course.

There are serious problems with the config as shared. You'll be best served by resetting to defaults and starting over. We can help you with that.

Is there a reason you're not using standard /24 networks?

I can reset it, no problem with that. All the things there I did while studying OpenWRT.
Only the WAN configuration is important there.

I didn't use a /24 mask because I don't expect that many devices in the subnets. But of course I can change that.

What steps should I follow now?

post the (near) default configs from the main router.... we'll build up from there.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd90:03c8:60b3::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr 'xx'
	option netmask '255.255.255.0'
	option gateway 'xx'
	list dns 'xx'
	list dns 'xx'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

Almost default configuration except WAN config to access internet.
What I need there is:

  • Subnet for guests (to not have access to any other device connected, only internet)
  • Subnet for IoT (access to internet)
  • Subnet for NoT (without access to internet, only local smart devices)
  • Subnet for devices (all other local devices, connected to internet)

All subnets should have wireless configurations, but the IoT, NoT and devices subnets should also be available by cable on both routers.

Ok... great. I need to know what networks appear on each of the physical ports

For now, this router has no other devices connected. Only the WAN port is connected to the provider's device.
Or you are asking for something else?

Sorry if it wasn’t clear. The question is which networks do you want on each of the ports. Are all of the Ethernet ports for the lan, or will one be set aside for one of the other networks, or one to connect as a trunk (carrying multiple networks) to another downstream vlan aware device like?

I want to share all subnets through second router, both wireless and on lan ports.
Exception is only for guest subnet, which will be available only wireless.

Maybe this drawing will be clear what I want to achieve:

Note: ALL LAN PORTS - I mean all left free ports except that one port which is needed to connect routers each other.

Summary:
Router1 - main router with 4 subnets. Subnets are available through LAN ports (all subnets except guest on each) and wirelessly.
Router2 - access point with all subnets available through LAN ports (all subnets except guest on each) and wirelessly to extend range for Router1.

@psherman I'm also adding a little explanation for the provided image:

  • RED and BLACK - cable connections between router (I want to use as many RJ45 ports as I can) and end device,
  • BLUE and YELLOW - wireless connections between router and end device
  • connection between routers - will it be on LAN ports or LAN->WAN?

Your diagram doesn't really tell me what I need to know... I'm hoping for a port-by-port description such as:

  • Router 1
    • Port Lan 1: subnet 1 untagged
    • Port Lan 2: subnet 2 untagged
    • Port Lan 3: subnet 3: untagged
    • Port Lan 4: connects to Router 2, all 4 subnets tagged
  • Router 2
    ...

That's just an example, but tells us how you plan to use each port.

  • Router1
    • Lan 1: subnet 1, subnet 2, subnet 3
    • Lan 2: subnet 1, subnet 2, subnet 3
    • Lan 3: subnet 1, subnet 2, subnet 3
    • Lan 4: connects to router 2, all subnets
  • Router2
    • Wan: incoming configuration from router1 (if not Wan I will use Lan1)
    • Lan 1: subnet 1, subnet 2, subnet 3
    • Lan 2: subnet 1, subnet 2, subnet 3
    • Lan 3: subnet 1, subnet 2, subnet 3
    • Lan 4: subnet 1, subnet 2, subnet 3

I’ll try to get back to this soon with specific config suggestions. But I just want to make sure you do understand that it is only possible to have multiple subnets on a port when tagging is involved. This means that you must be using vlan aware devices downstream (ie managed switches or vlan aware APs). Is that your intent?

Also, do you want any of the ports to have an untagged network? If so, which vlan on each port?

Both routers are the same model - Asus RT-AX53U (AX1800U) with OpenWRT, so I think it's achievable to have multiple subnets on the second router.
Also all devices connected through cable to router1 or router2 will have static IP.

Does it look possible with that hardware? I'm not familiar with tagged networks.

If a port is untagged, which subnet's IP could I set for the end device there? Only from one subnet?

The usual/preferred setup is to have the one router configured for all the actual routing (i.e. the main router), and the second device setup as a bridged AP / managed switch. Typically, the 2nd device will only have an address on one network -- that is, the network that is used to manage the infrastructure devices. The other networks (such as guest, iot, etc.) will simply pass through the device transparently, but will not be able to access the device itself because they don't actually need to, nor is it recommended, especially for untrusted devices/networks.

Yes, the hardware (coupled with OpenWrt) is absolutely capable of this.

I'd say that this is likely the gap in our discussion.

The quick summary is this:

  • Normal ethernet (for connecting your computer, game console, etc.) is untagged and has just a single network.
    • a port that services end devices in this way is known as an access port.
  • 802.1q tags enable the use of a single port/cable to transport multiple networks.
    • This is known as a trunk.
    • A trunk may have:
      • zero or one untagged network
      • one or many tagged networks
      • There are differing opinions about the use of an untagged network on a trunk -- some argue that all networks should be tagged on a trunk, and some hardware actually does not like untagged networks when used in a trunk; but the standard does allow the mix.
      • The tags are required in order to keep the network traffic separate and properly identified on a trunk. That is why only up to one untagged network is allowed (otherwise it would be impossible to distinguish the different networks at L2).
    • Most end devices do not understand VLANs/802.1q tags. That is to say that if you plug a set top box or a game console or a computer into a port that only has tagged networks, it will be unable to obtain an address and get connectivity.
    • Typically, VLAN aware devices like managed switches or APs are required as the next downstream connection. These devices can then map VLANs to ports as access or trunk ports, or to SSIDs for wifi connections.

Hopefully the above made it more clear...
You need to define, on a port-by-port basis, what the purpose of each port will be. This can be changed later, so you don't need to worry, but you want to define things based on what will be connected to each port.

For example:

  • if port lan1 on the main router will be used for a trusted computer, you probably want that one set as an access port for the trusted lan.
  • Maybe port lan2 connects to an ethernet connected iot device (maybe a smart light bridge device)... since it's an iot device, you'll define it as an access port for the iot network.
  • If port lan4 connects to the second router/AP device, that would probably be a trunk connection. Either All tagged or one untagged network + the rest tagged. You need to define that (typically the untagged one, if used, would be the management VLAN).
  • Likewise on the second AP -- each port must be defined for the desired purpose.
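The port-by-port plan the reply above asks for, as an added example that is not part of the thread: a small Python script that checks each port against the access/trunk rules described (at most one untagged network per port) and emits the OpenWrt 23.05 "config bridge-vlan" sections for /etc/config/network. The VLAN IDs and the port assignments are assumptions; the posted default config names only lan1-lan3, so lan3 plays the trunk towards the AP here, the ports must already be listed under br-lan, and each network then attaches to the br-lan.<vlan> device instead of a bridge of its own.

```python
"""Build OpenWrt 23.05 DSA bridge-VLAN sections from a per-port plan while
enforcing the access/trunk rules from the post above. Added example; the VLAN
IDs and port assignments are assumptions, not the thread's final config."""

# Constructed VLAN IDs (assumption) mapped to the network names used in the thread.
VLANS = {10: "lan", 20: "lan_iot", 30: "lan_not", 40: "lan_guest"}

# Constructed plan for the main router (assumption): port -> {vlan: "u" | "t"}.
# "u" = untagged (access), "t" = 802.1q tagged. The posted default config names
# only lan1..lan3, so lan3 plays the trunk towards the AP here.
ROUTER1_PLAN = {
    "lan1": {10: "u"},                               # trusted computer
    "lan2": {20: "u"},                               # wired iot device
    "lan3": {10: "u", 20: "t", 30: "t", 40: "t"},    # trunk: mgmt untagged
}


def classify_port(vlan_map):
    """Return 'access' (one untagged network, nothing tagged) or 'trunk'
    (any tagged network). Raises ValueError for plans that cannot be
    distinguished at L2, i.e. more than one untagged network on a port."""
    if not vlan_map:
        raise ValueError("port carries no network")
    bad = sorted(m for m in vlan_map.values() if m not in ("u", "t"))
    if bad:
        raise ValueError(f"unknown port mode(s): {bad}")
    untagged = sorted(v for v, m in vlan_map.items() if m == "u")
    if len(untagged) > 1:
        raise ValueError(f"more than one untagged network on one port: {untagged}")
    return "trunk" if "t" in vlan_map.values() else "access"


def plan_is_valid(vlan_map):
    """True when classify_port() accepts the port's VLAN map."""
    try:
        classify_port(vlan_map)
        return True
    except ValueError:
        return False


def port_summary(plan):
    """Per-port role: the port-by-port description asked for in the thread."""
    return {port: classify_port(vm) for port, vm in plan.items()}


def render_bridge_vlans(plan, bridge="br-lan", vlans=VLANS):
    """Return the 'config bridge-vlan' sections for /etc/config/network.
    'lan1:u*' = untagged + PVID on that port, 'lan1:t' = tagged. Each VLAN
    then appears as device '<bridge>.<vid>' for its 'config interface'."""
    port_summary(plan)  # reject impossible plans before emitting anything
    sections = []
    for vid in sorted(vlans):
        members = []
        for port, vlan_map in plan.items():
            mode = vlan_map.get(vid)
            if mode == "u":
                members.append(f"\tlist ports '{port}:u*'")
            elif mode == "t":
                members.append(f"\tlist ports '{port}:t'")
        if not members:
            continue  # VLAN exists only on wifi, no wired member ports
        sections.append("\n".join([f"# VLAN {vid} -> {vlans[vid]}",
                                   "config bridge-vlan",
                                   f"\toption device '{bridge}'",
                                   f"\toption vlan '{vid}'"] + members))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    print(port_summary(ROUTER1_PLAN))
    print(render_bridge_vlans(ROUTER1_PLAN))
```

The same script serves the AP side with its wan port as the trunk and lan1-lan3 as access ports for the one wired subnet; the guest VLAN then has no wired member and is skipped, which is what the thread wants.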

Okay, so maybe let's make it simpler.

Let's stay with router1 as the main router. The second router will only serve one subnet on its LAN ports, but it will serve all subnets through wifi. Is it simpler now?

Yes.

  • Will all ethernet ports on both devices (aside from the trunk that connects the two routers together) be associated with the lan?
  • Please confirm that physical ports that connect the two routers together are:
    • main router lan4
    • secondary router (AP) wan

Yes, main router, if possible should use all subnets on free lan ports.

I will connect that two routers as you say: main router lan4 <=> AP wan