Setup second router as access point with many VLANs

Please clarify this... do you mean

  • all ports are trunk ports
  • all ports are access ports associated with the trusted lan
  • all ports are access ports but one port per network
  • something else?

Okay, I read a little bit more about what I need and it will look like this: one port = one subnet.

So does this imply that you want all ports (other than the ones connecting the two routers) to use the main trusted lan?

Yes, exactly.

Ok... let's start with the main router. From its near-default config, let's add bridge-VLANs:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan3:t'

Now, we'll edit the lan to use br-lan.1:

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

And now we'll add the additional networks:

config interface 'mixed'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'lan-not'
	option device 'br-lan.30'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option device 'br-lan.99'
	option proto 'static'
	option ipaddr '192.168.99.1'
	option netmask '255.255.255.0'

Now we can add dhcp servers for all of them:

config dhcp 'mixed'
	option interface 'mixed'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'lan-not'
	option interface 'lan-not'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

Finally, we'll add all of these networks to the lan firewall zone. You should consider changing this later, but it will make it easy to validate that things are working. Later, you can start to isolate the networks. The lan firewall zone already exists -- just add the additional networks:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'lan-not'
	list network 'iot'
	list network 'mixed'
	list network 'guest'

Once you've made all the changes, post your config files for review and we'll move on to the AP.

BTW, I noticed that these devices only have 3 lan ports... so lan 1 and lan 2 are for your regular lan, and lan 3 is for the trunk to the AP.
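As an added example (not from the thread or from OpenWrt itself): a small Python checker that parses UCI text like the sections above and flags the two mistakes most likely to put a trusted port on the wrong network: a port given the PVID (`*`) on more than one bridge-vlan, and an interface bound to a `br-lan.N` that has no matching bridge-vlan section. The sample config is constructed to mirror this layout and deliberately contains both mistakes.

```python
import re, shlex
from collections import defaultdict

# Constructed sample (not a live export): lan2 is wrongly given the PVID on VLAN 99
# as well as VLAN 1, and 'iot' points at VLAN 20 which was never added to the bridge.
SAMPLE = """\
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan2:u*'
	list ports 'lan3:t'
config interface 'lan'
	option device 'br-lan.1'
config interface 'guest'
	option device 'br-lan.99'
config interface 'iot'
	option device 'br-lan.20'
"""

def parse_uci(text):
    """Return (type, name, {key: [values]}) per section; option and list both become lists."""
    sections = []
    for words in (shlex.split(line) for line in text.splitlines()):
        if words and words[0] == "config":
            sections.append((words[1], words[2] if len(words) > 2 else None, defaultdict(list)))
        elif words and words[0] in ("option", "list") and sections:
            sections[-1][2][words[1]].append(words[2])
    return sections

def check_vlans(text):
    """Return a list of findings; an empty list means the VLAN layout is consistent."""
    pvid, defined, used = defaultdict(list), set(), {}
    for kind, name, opts in parse_uci(text):
        if kind == "bridge-vlan" and opts["vlan"]:
            defined.add(opts["vlan"][0])
            for port, _, flags in (e.partition(":") for e in opts["ports"]):
                if "*" in flags:  # '*' marks the PVID: untagged frames arriving on this port join this VLAN
                    pvid[port].append(opts["vlan"][0])
        elif kind == "interface" and opts["device"]:
            m = re.fullmatch(r"br-lan\.(\d+)", opts["device"][0])
            if m:
                used[m.group(1)] = name
    findings = [f"{p}: PVID on more than one VLAN {v}" for p, v in sorted(pvid.items()) if len(v) > 1]
    findings += [f"interface {n}: br-lan.{v} has no bridge-vlan section" for v, n in sorted(used.items()) if v not in defined]
    findings += [f"VLAN {v}: on the bridge but no interface uses it" for v in sorted(defined - set(used))]
    return findings
```

Run it against the output of `uci export network` from the main router before moving on to the AP; a clean result is an empty list.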