[Solved] WDR4900 router config as switch with wireless AP

I have this router set up with OpenWrt 22.03.5 running as a switch and access point in the basement.
OpenWrt 23.05.0-rc3 needs a complete reconfiguration because the config cannot be ported automatically.
When I started into OpenWRT two years ago, I had no idea how many options this OS offers.
I followed some guide and managed to set up the device. It's been running ever since but the firmware update made me revisit the settings I made back then.
Although it is running, I think there are some issues in the config.
At least I have some gaps in my understanding of how it works (most likely forgotten).
In addition to that, I have to set up another site with OpenWRT and would like to fully understand what I'm doing. :innocent:

I would like to start with a review of the config of this device and maybe get an answer on this or that question.
I will post what I think to be the relevant LuCI screens.
Here is the switch config:

All ports are part of VLAN1 so I can use all as regular switched ports.
Q1: Is there a reason why the eth0 should be "tagged"?
Q2: It looks like VLAN2 is not really used here?

The devices:

br-lan is bridging VLAN1 (eth0.1)
It seems the physical WAN port is not on an extra network device (eth1).
Q3: There should be no need of VLAN1. Switching all ports should work without.
Q4: Not even the br-lan should be necessary to bridge eth0 alone. But the bridge will be set up when the wifi radios are added.

Here are the interfaces:

The lan interface has a fixed IP and DHCP is disabled. The main router will take care of IPs.
Q5: Given how wan is switched, can this interface be deleted?

The br-GAST is bridging the guest wifi networks.
Setting up the Wifi is quite straight forward. No questions on that side.
But I don't understand how this bridge is connected to the switch/lan.
Properties of br-GAST:

I figure it is related to the firewall settings. But where is the (virtual) wire between the interfaces?

Q6: If the wan interface is not used, is the firewall rule set also obsolete?

When inspecting the first rule (lan-->wan), I see this:

The second (wan-->reject) looks like this:

The last (GAST --> lan) is this:

I feel I have to read up on firewall settings next.
Anyway, if someone could review this config and maybe answer one or the other question raised so far, I would be really glad. Improvements and corrections are very welcome.

Here is the config in nerd style :sweat_smile:

config interface 'loopback'
        option proto 'static'
        option ipaddr ''
        option netmask ''
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fdcut by me'

config interface 'lan'
        option proto 'static'
        option netmask ''
        option delegate '0'
        option ipaddr ''
        option gateway ''
        list dns ''
        list dns ''
        option device 'br-lan'

config interface 'wan'
        option _orig_ifname 'eth0.2'
        option _orig_bridge 'false'
        option proto 'dhcp'
        option delegate '0'
        option device 'eth0.2'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 1 2 3 4 5'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t'
        option vid '2'

config interface 'GAST'
        option type 'bridge'
        option proto 'static'
        list ipaddr ''
        option delegate '0'
        option force_link '0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'
        option macaddr 'f8:cut by me'
        option ipv6 '0'

Yes, this is necessary because there is just a single connection between the hardware switch and the CPU (eth0), which must normally handle both wan and lan (the tags keep the traffic identified and flowing through the routing engine appropriately).

By default, it was probably used for the wan. In this case, you appear to not be using it, though.
You can leave it there, it doesn't cause any issues. (same with the tags)

If you were to turn off the connection to the cpu (or untag it without making a change from eth0.1 to eth0 in br-lan), the switch would still function properly, but the device would become unreachable and it would also no longer be able to bridge wifi for use as an AP.

A bridge is necessary to use the device as a dumb AP.

You can delete the wan interface, if you want. It doesn't hurt to leave it there, though.

The gast > lan rule and the masquerading on the lan zone would still be required. The wan zone can be deleted (but again, it can stay, it has no negative impact).

Your config looks a bit odd in terms of the syntax -- probably really old. What version of OpenWrt is it using?

ubus call system board

Given that you're just starting to come up with a more complex configuration, which you haven't quite settled yet, I'd recommend to upgrade to 23.05.0-rc3 now, before you spend more time on it. The tl-wdr4900 apparently was ported over to DSA based switch configurations between 22.03 and 23.05, which implies rather different semantics/configuration syntax.

Thanks for the comprehensive information so far.
As I already mentioned in the introduction, I'm trying to better understand the configuration before I pull the trigger and switch over to 23.05.

I suppose the config was created two years ago with firmware OpenWrt 19.07.8 r11364 :smile:

Can you elaborate a bit on how the br-GAST is connected to the switch?

In the properties of the br-GAST there is no device specified.

I also wonder why there is TX data on the wan interface although it is not used.

You do not have br-GAST from what I can see in your config, but you do have the GAST network defined as a bridge (this syntax is not valid in more recent versions of OpenWrt, so in that case you would need to have a separate bridge defined).

GAST is not connected to the switch. I'm guessing you're using the guest wifi on a dumb AP type configuration.

A bridge is the software equivalent of an unmanaged switch. It is necessary if you are connecting more than one physical interface to a network. So, for example, ethernet + wifi or multiple wifi radios. In the case of your main br-lan, this is necessary to make the dumb AP work.

When you move to 22.03 or 23.05, I believe you will be migrating to DSA. You will actually see that the switch goes away, and each ethernet port is treated as an independent port. In this case, you also need a bridge anytime you use 2 or more ethernet ports on the same network (even if you are not using wireless) since each port will be treated independently. (with swconfig, the ethernet ports are a single entity behind eth0.x where the switch config handles the individual ports).

You don't have br-gast, unless I missed something.

It is indeed confusing, to have it named br-GAST on the interface screen but not being present in the devices - see next.
You are right, it is configured as a dumb AP.

So, if the GAST is not connected to the switch nor is it bridged to an interface that is, how can the packets flow to/from the guest wifi?
The link is missing in my understanding. :sweat_smile:

The normal (trusted lan) wifi is simply bridged. But the GAST network is routed. That is to say that the WDR4900 is treating your normal lan in the same way as your main router treats its WAN (uplink to the internet)... it's performing NAT and firewall operations and routing between the GAST network and the upstream. This is Layer 3 (routing), rather than Layer 2 (switching).
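To make the "virtual wire" concrete, here is an added example (not code from the thread, and not part of OpenWrt): a small Python tool that parses UCI text from /etc/config/network and /etc/config/firewall and reports, for every interface, whether it reaches the lan at Layer 2 (its bridge contains a switch VLAN device that has physical ports) or only at Layer 3 (a firewall zone forwarding, with NAT if the destination zone masquerades). The embedded configs are constructed: the network part is modeled on the posted swconfig-era config (addresses left out), the firewall part on the zones and forwardings described in this thread. It handles both the legacy `option type 'bridge'` interface syntax used for GAST and the newer `config device` bridge. The assumption that the CPU port is switch port 0 (the `0t` entries) is a parameter.

```python
"""Where is the 'virtual wire' between an OpenWrt interface and the LAN?
Added example, not from the thread: parse UCI network + firewall text and
report per interface whether it reaches 'lan' at Layer 2 (bridge member on a
switch VLAN with physical ports) or only at Layer 3 (zone forwarding)."""
import re
from collections import defaultdict

# Constructed sample modeled on the posted swconfig-era /etc/config/network
# (addresses omitted; only the topology matters here).
NETWORK = """
config interface 'lan'
        option device 'br-lan'
config interface 'wan'
        option device 'eth0.2'
config switch_vlan
        option ports '0t 1 2 3 4 5'
        option vid '1'
config switch_vlan
        option ports '0t'
        option vid '2'
config interface 'GAST'
        option type 'bridge'
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'
"""

# Constructed sample /etc/config/firewall with the zones and forwardings the
# thread describes: lan (masquerading), wan, GAST; lan->wan and GAST->lan.
FIREWALL = """
config zone
        option name 'lan'
        list network 'lan'
        option masq '1'
config zone
        option name 'wan'
        list network 'wan'
config zone
        option name 'GAST'
        list network 'GAST'
config forwarding
        option src 'lan'
        option dest 'wan'
config forwarding
        option src 'GAST'
        option dest 'lan'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?")
KV_RE = re.compile(r"^(?:option|list)\s+(\S+)\s+'([^']*)'")

def parse_uci(text):
    """Parse UCI text into [(type, name, {key: [values]})]. 'option' and 'list'
    values are both collected as lists; the last 'option' wins via [-1]."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION_RE.match(line):
            sections.append((m.group(1), m.group(2), defaultdict(list)))
        elif (m := KV_RE.match(line)) and sections:
            sections[-1][2][m.group(1)].append(m.group(2))
    return sections

def lan_paths(network_text, firewall_text, cpu_port="0"):
    """Map each interface name to how (or whether) it reaches network 'lan'.
    Assumption: the swconfig CPU port is switch port 0, as in the '0t' entries."""
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    cpu = cpu_port + "t"
    # eth0.<vid> exists for each VLAN tagged on the CPU port; keep its physical ports.
    vlans = {f"eth0.{o['vid'][-1]}": [p for p in o["ports"][-1].split() if p != cpu]
             for t, _, o in net if t == "switch_vlan" and cpu in o["ports"][-1].split()}
    bridges = {o["name"][-1]: o["ports"] for t, _, o in net
               if t == "device" and o["type"][-1:] == ["bridge"]}
    ifaces = {}
    for t, name, o in net:
        if t == "interface" and o["type"][-1:] == ["bridge"]:  # legacy: implicit br-<name>
            bridges.setdefault(f"br-{name}", o["ifname"])
            ifaces[name] = f"br-{name}"
        elif t == "interface":
            ifaces[name] = (o["device"] or o["ifname"] or ["?"])[-1]
    zone_of = {n: o["name"][-1] for t, _, o in fw if t == "zone" for n in o["network"]}
    masq = {o["name"][-1] for t, _, o in fw if t == "zone" and o["masq"][-1:] == ["1"]}
    fwds = {(o["src"][-1], o["dest"][-1]) for t, _, o in fw if t == "forwarding"}
    result = {}
    for name, dev in ifaces.items():
        on_switch = [m for m in bridges.get(dev, [dev]) if m in vlans]
        if any(vlans[m] for m in on_switch):
            m = next(m for m in on_switch if vlans[m])
            result[name] = f"L2: {dev} carries {m} = switch ports {' '.join(vlans[m])}"
        elif on_switch:
            result[name] = f"L2 dead end: {on_switch[0]} is a CPU-only switch VLAN (no physical ports)"
        elif (zone_of.get(name), zone_of.get("lan")) in fwds:
            src, dst = zone_of[name], zone_of["lan"]
            nat = f" with NAT (masq on zone {dst})" if dst in masq else ""
            result[name] = f"L3: routed, firewall forwarding {src} -> {dst}{nat}"
        else:
            result[name] = "isolated: not on the switch and no zone forwarding to lan"
    return result

if __name__ == "__main__":
    for iface, how in lan_paths(NETWORK, FIREWALL).items():
        print(f"{iface:5s} {how}")
```

Run as-is it reports lan as Layer 2 (br-lan contains eth0.1, switch ports 1-5), wan as a dead end (eth0.2 sits on VLAN 2, which has only the CPU port, matching the observation that VLAN 2 is unused), and GAST as Layer 3 only, reached through the GAST -> lan forwarding with masquerading on the lan zone. Point it at real files with `lan_paths(open('/etc/config/network').read(), open('/etc/config/firewall').read())` on a swconfig-based build; on a DSA-based build the `switch_vlan` sections are absent and the switch ports appear directly as bridge members, so the `vlans` lookup would need to be replaced by the port names.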

Yes, of course! :blush:
I forgot about the firewall zones :roll_eyes:
That makes sense now.

Great! Glad I could help.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile: