Thanks. That clears up the Linux questions for me. Especially interesting was that the root account doesn't need to be called 'root'. I didn't realize that, but it makes sense.
This has turned into quite a thread. Your help has been invaluable. Every time I get ready to say 'After this last question I'll mark this one 'Solved'' you show me some more great stuff and I keep asking more questions...
I'll wait to see if you have any comments on my wireless question(s) and then I'll mark it solved. I have one more simple question that I'm going to start a new topic for, and I suspect you'll know the answer to that one.
I haven't looked into the fine details of how client isolation works under OpenWrt. As I recall reading in some of the many threads here on the topic, there is both the isolation within the wireless subsystem that needs to be considered, as well as that once the packets reach the router "proper".
For me, in my setting, VLAN isolation is enough. I generally want clients of the same subnet to be able to communicate with each other. I put all my Brand X IoT devices on their own SSID and subnet so that they can merrily scan and attack each other, if that's what they're up to, but they won't know about my Brand Y devices.
Others find client-to-client isolation very important, especially those that offer public wireless service.
Darn, I was really hoping to let you off the hook here, as you've given more than I could have hoped for. I think I completely understand how you described your setup, but am still trying to understand if I have a wireless interface do I tie it to a VLAN even if I wouldn't have any router ports attached to it (like my VLAN_40). I read something that said not if you are not going to bridge it to a lan port. I just don't want to have it not associated with a VLAN and later find out that that was really stupid. I guess the reason I can't seem to find this answer in the documentation or forum is because few have their wireless not attached to a port? I can't find the reference I mentioned above in my notes...
the only reason to bridge two interfaces like a WLAN and VLAN interface, is to let the different machines connected on those interfaces talk to each other
When a wireless interface comes up, the OpenWrt subsystems look at the option network 'blah' in the wifi-iface section of /etc/config/wireless. It then matches against an interface entry in /etc/config/network. Typically those are set up as bridges. You can bridge a sub-interface, such as eth0.222 to get VLAN 222 on that interface. You then need to configure your switch if you want to trunk that out over the physical wire.
It doesn't really "look at" the config files, but rather an in-memory representation of the current state that they initially set up, and other things might have modified. uci show is one user tool to look at that in-memory content.
As @dlakelan points out, you don't need anything if the clients aren't going to "talk" with anybody not on the same wireless interface (this AP, if you have more than one and that SSID).
In this case, I offer services to the subnet on 10.11.12.1 (through VLAN 123 on eth1) as well as trunking it to my other APs over "bat0" (a mesh interface).
The wiki has some magic-decoder rings for this, if you search on /etc/config/wireless or /etc/config/network
Thanks a lot for all the very detailed responses. I think I can find my way on this now. I can't get over how great the OpenWrt community is. So helpful. I hope someday I can make some kind of contribution...