Use SSID in specific VLAN - Wifi connection can not be established

I'm quite experienced with VLANs, switches, routing and iptables.
However I have some trouble assigning a SSID to a specific VLAN on OpenWRT. I use CPE210 and today is my first day with OpenWRT.
So I've created an interface "TEST" in VLAN19 and assigned it to "LAN" on Firewall-Tab.


VLAN19 fully works with TP-Link stock firmware on this switchport. The switchport is configured to carry the normal LAN without a VLAN tag and to allow VLAN 19 tagged.
For testing purposes I had also selected DHCP client on eth0.19 and I got an IP address in VLAN19. I could also run curl --interface eth0.19 ifconfig.me and got the outbound IP address of VLAN19.

In wireless I configured (see Post2, as new User I'm only allowed to Post one picture per Post)

However, my smartphone doesn't get a connection.
You can see it even in the Associated Stations for a short time before it tells, that it can't connect (see Post3, as new User I'm only allowed to Post one picture per Post)

As soon as I select "lan" instead of "Test" as the network, the smartphone connects, but it is in the wrong LAN, of course.

Is there some firewall issue I forgot to configure or what is missing here to get the SSID to VLAN19?

Thanks for your help.

Use ssh to connect to the device.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

# Diagnostic dump for forum posts: board/firmware info, then the network,
# wireless, dhcp and firewall UCI configs, then the custom firewall script.
# The wireless export prints every 'option key' (Wi-Fi passphrase) in clear
# text, so redact keys along with MAC and public IP addresses before posting.
ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user

Here is the output. Wifi Passwords removed.

ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user
{
        "kernel": "5.4.143",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA9533 ver 2 rev 0",
        "model": "TP-Link CPE210 v3",
        "board_name": "tplink,cpe210-v3",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.0",
                "revision": "r16279-5cc0535800",
                "target": "ath79/generic",
                "description": "OpenWrt 21.02.0 r16279-5cc0535800"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd89:01ff:20b6::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.178.41'
        option gateway '192.168.178.1'
        list dns '192.168.178.1'

config interface 'Test'
        option device 'eth0.19'
        option type 'bridge'
        option proto 'none'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option htmode 'HT40'
        option cell_density '0'
        option country 'TW'
        option channel '13'
        option noscan '1'
        option txpower '6'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2+ccmp'
        option key 'XXXXXXX'
        option disabled '1'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid 'TEST'
        option encryption 'psk2+ccmp'
        option key 'XXXXX'
        option network 'Test'
        option disabled '1'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'TestOPN'
        option key 'XXXXX'
        option network 'Test'
        option encryption 'sae-mixed'
        option ieee80211w '1'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Firewall zone 'lan': ACCEPT for input, output and forward.
# NOTE(review): 'Test' (the VLAN 19 interface) is a member of this zone, so it
# inherits the same ACCEPT policies as the main LAN. With proto 'none' the AP
# has no address on VLAN 19 and nothing is routed there; if 'Test' is ever
# given an address, move it to its own zone with restrictive input/forward
# policies so VLAN 19 clients cannot reach the AP or the LAN through it.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'Test'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

Test interface doesn't have any protocol, or is unmanaged. Therefore it doesn't matter if it is assigned to a zone or not, as it is not routing anything.
Also it seems that you are on version 21.02 which is using the DSA and is slightly different in configuration.


Thanks for confirmation, that is the expected behaviour.

Thanks for the link. That helps a lot, especially finding VLAN settings in Network -> Can you assist me with configuration? I don't get it to work.
So without enabling VLANs everything works fine, so primary LAN is untagged.
VLAN19 is available at the switchport when tagged.

No matter what configurations I've tried, I had no access anymore and things were reverted back after 90 seconds to gain access again.

Settings look like

So in the screenshot VLAN ID 1 is set to "do not participate". When setting VLAN-ID 1 to "egress untagged" and checking "primary vlan-id" it won't work, also when omitting check "primary vlan-id". When only setting up VLAN19 and as tagged, there is also no connection, also when leaving "local" unchecked.

Sorry with bridging I have almost no experience so far. Probably it is just one little configuration I'm missing.

lan interface should be assigned to vlan1 since you are going to use it for management of the device. So I presume you'll make the eth0 port untagged and pvid 1. For vlan19 it can remain tagged as it is. Furthermore the lan interface will have to use the br-lan.1 device.
There is actually a better example for single port devices.

Thanks. The linked article explains it for CPE210. So my interfaces are configured correctly.
Currently the bridge between vlan19 and the TestOPN SSID is missing.

How can that be configured via Webinterface? I mean in stock firmware it is just entering VLAN-ID 19 and SSID is in VLAN-19, so it should work.

I've also tried this configuration


This suits more, because I have no VLAN-ID 1. Network port is untagged for main network, so first line in screenshot where VLAN ID is empty and "100FD" is correct, because to access network there is no VLAN awareness.
When adding the VLAN-19 tag, the guest network is accessible. But when this configuration is applied, network connectivity is still lost.

I can add a new bridge device but there is no option to bridge to the Wifi interface as you can see in the screenshot. See next post, still counting as new user and can't post two images in one post.


So how can I bridge Wifi "TestOPN" SSID and VLAN 19.

The principle is to connect the wifi SSID to an existing interface.
Taking in consideration the existing lan interface, I'd try this one:

# Suggested 'Test' interface: use VLAN 19 on the existing br-lan bridge
# (br-lan.19) instead of eth0.19. proto 'none' keeps the interface unmanaged,
# i.e. the AP gets no IP address in VLAN 19.
# NOTE(review): the other bridge on this page (br-lan) is declared in a
# 'config device' section; 'option type bridge' on an interface looks like the
# older syntax — confirm it is still honoured on 21.02.
config interface 'Test'
        option device 'br-lan.19'
        option type 'bridge'
        option proto 'none'

I think you need to configure the switch since the ath79 target is still swconfig. (in swconfig you use the Network-Switch page to directly control the hardware switch; bridge-vlans are DSA oriented). Each VLAN needs an entry in the switch to bring it from the eth port to the external port. Also the 10/100 SoCs don't directly support VLAN numbers over 16-- it requires CLI configuration of separate option vlan and option vid.

Avoid running tagged and untagged on the same cable. When running a trunk between two VLAN-aware devices, tag all packets. This means you should convert the lan network to VLAN 1 or some other VLAN number, conventionally 1 is the privileged network used for administration.

I'm not sure how that worked at all since an unmanaged interface has no IP address in the kernel, so there is no way for it to originate layer 3 traffic from the router OS. The 'Test' bridge is going to be a passive layer 2 conversion of wifi to wired. The device at the other end of the Ethernet cable needs to handle DHCP and all layer 3 actions.

Taking in consideration the existing lan interface, I'd try this one:

I've already tried without success, see

I think you need to configure the switch since the ath79 target is still swconfig. (in swconfig you use the Network-Switch page to directly control the hardware switch; bridge-vlans are DSA oriented). Each VLAN needs an entry in the switch to bring it from the eth port to the external port. Also the 10/100 SoCs don't directly support VLAN numbers over 16-- it requires CLI configuration of separate option vlan and option vid.

Can you explain that a bit more? With stock firmware, I just enter VLAN19 in the SSID settings and the SSID is in that VLAN. I find it strange that this seems so hard to set up in OpenWRT.

Avoid running tagged and untagged on the same cable.

It is historically grown. Network was completely without VLAN. Then TP-Link APs with stock firmware were added and another VLAN was added as guest network. Works very well.

I'm not sure how that worked at all since an unmanaged interface has no IP address in the kernel, so there is no way for it to originate layer 3 traffic from the router OS. The 'Test' bridge is going to be a passive layer 2 conversion of wifi to wired. The device at the other end of the Ethernet cable needs to handle DHCP and all layer 3 actions.

See:

For testing purposes I had also selected DHCP client on eth0.19 and I got an IP address in VLAN19. I could also run curl --interface eth0.19 ifconfig.me and got the outbound IP address of VLAN19.

But now the interface has been removed again, because from VLAN19 there should be no possibility to access any device in the network (except firewall/router, see below).

There is another Linux machine attached to the same Ethernet configuration: the normal network without VLAN, plus an eth0.19 interface where DHCP and routing with selected firewall rules are running. So OpenWRT should be a stupid AP that just connects eth0.19 with the TestOPN wireless network in this case.

You need to make a bridge containing eth0.19, maybe call it br-vlan19.

# Bridge device for VLAN 19. Its only wired port is eth0.19, the VLAN 19
# sub-interface of eth0. The Wi-Fi AP is not listed here; it joins this bridge
# through 'option network' in /etc/config/wireless.
config device
    option name 'br-vlan19'
    option type 'bridge'
    list ports 'eth0.19'

And a network with proto none to claim this bridge. That really doesn't do anything but if you don't have this section the bridge doesn't get set up at all.

# Network that claims br-vlan19 so the bridge gets set up. proto 'none' means
# the AP itself has no IP address in VLAN 19: it only passes layer-2 frames
# between the SSID and the tagged Ethernet side.
config interface 'vlan19'
    option device 'br-vlan19'
    option proto 'none'

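For testing you can set the interface to proto dhcp (DHCP client) instead, which gives the AP a local IP in that VLAN. Revert to proto none afterwards: while the AP holds an address in VLAN 19, clients on that VLAN can reach the AP's own services unless the firewall's input policy for the interface rejects them.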

Then since there is a network called 'vlan19' use option network 'vlan19' in /etc/config/wireless to attach your AP to the bridge. A bridge takes over the interfaces within it, you wouldn't reference 'eth0.19' directly except in the bridge device creation.

brctl show should show the br-vlan19 bridge and the ports within it.


Thanks. Now it works with your configuration.

To get this done via LuCI without editing config files with VLAN19 example:

  1. Add vlan19 device
    Go to Network --> Interfaces --> Tab Interfaces. Click "Add new interface"
    Type eth0.19 and hit enter, then click "Create interface" and then "Save and apply". BTW: eth0.19 is only a common convention for establishing a VLAN with id 19. eth0.19 could also access vlan id 42, see https://wiki.archlinux.org/title/VLAN#Create_the_VLAN_device
    So OpenWRT just interprets eth0.19 as ip link add link eth0 name eth0.19 type vlan id 19

  1. Now go to tab device and click "Add device configuration"
    Select "Bridge Device" as device type, give a name like "br-vlan19" and bridge port eth0.19, click Save and then "Save and Apply"

  2. Now go to interfaces again, you see now a VLAN19 interface.

  3. Click Edit button and change device to "br-vlan19".

  4. Now you have a br-vlan19 interface (that was the missing step)

  5. Now you can choose vlan19 as the Network for your SSID and it will work. If not, disabling and enabling the SSID again helps.


@Mods: Seems to work as soon as I flagged this as solution. No need to change anything of new user status.

These pictures may be used for an official Wiki article.


@mk24
What a coincidence, I am trying exactly the same thing.

I want to use my old Archer C7v2 as a wireless AP connected to pfSense.

Only LAN1 port is used
One «Wifi» subnet on VLAN110
One «Guests» subnet on VLAN115

Whether I connect to Wifi SSID or Guests SSID, I get a DHCP lease from the VLAN110

On pfSense, VLAN110 is 10.0.110.1
On pfSense VLAN115 is 172.16.115.1

Any help will be greatly appreciated.

{
        "kernel": "5.4.143",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
        "model": "TP-Link Archer C7 v2",
        "board_name": "tplink,archer-c7-v2",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.0",
                "revision": "r16279-5cc0535800",
                "target": "ath79/generic",
                "description": "OpenWrt 21.02.0 r16279-5cc0535800"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd55:6aa3:81e2::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.0.110.2'
        option gateway '10.0.110.1'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4 5'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'
        option vid '2'

config bridge-vlan
        option device 'br-guests'
        list ports 'eth1.4:t'

config bridge-vlan
        option device 'br-wifi'
        list ports 'eth1.3:t'

config bridge-vlan
        option device 'br-guests'

config bridge-vlan
        option device 'br-wifi'

config interface 'Wifi'
        option proto 'none'
        option device 'br-wifi'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 2t 6t'
        option vid '3'
        option description 'VLAN110 (Wifi)'
        option pvid '110'

config device
        option type 'bridge'
        option name 'br-wifi'
        list ports 'eth1.3'
        option ipv6 '0'

config interface 'Guests'
        option proto 'none'
        option device 'br-guests'

config device
        option type 'bridge'
        option name 'br-guests'
        list ports 'eth1.4'
        option ipv6 '0'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '0t 2t 6t'
        option vid '4'
        option description 'VLAN115 (Guests)'
        option pvid '115'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'
        option cell_density '0'
        option channel '157'
        option country 'CA'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'sae-mixed'
        option ieee80211w '1'
        option key 'xxx'
        option network 'Wifi lan'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option htmode 'HT20'
        option cell_density '0'
        option channel '6'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'sae-mixed'
        option key 'xxx'
        option ieee80211w '1'
        option network 'Wifi lan'

# Guest SSID on radio0 (WPA2/WPA3 mixed, management frame protection optional).
# NOTE(review): 'option network' names both 'Guests' and 'lan'. 'lan' is the
# 10.0.110.0/24 side on this page, so the AP presumably ends up bridged to
# br-lan instead of only br-guests, which would match the reported VLAN110
# leases — confirm, and list only 'Guests' to keep guest clients off 'lan'.
config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt_Invites'
        option encryption 'sae-mixed'
        option key 'xxx'
        option ieee80211w '1'
        option network 'Guests lan'

# Guest SSID on radio1 with the same name as the radio0 one.
# NOTE(review): encryption 'none' makes this an open network, so client
# traffic is unencrypted over the air, and clients that know the SSID from
# radio0 see the same name offered without a key here — confirm this is
# intended. The 'Guests lan' network list has the same issue as on wifinet2.
config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt_Invites'
        option encryption 'none'
        option network 'Guests lan'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

# Zone 'off' groups the 'Guests' and 'Wifi' interfaces with ACCEPT for input,
# output and forward. Both interfaces use proto 'none' on this page, so the AP
# has no address on them and these policies currently filter nothing at layer 3.
# NOTE(review): if either interface is later given an address, input ACCEPT
# would expose the AP's own services to guest clients and forward ACCEPT would
# allow traffic between the two networks inside this zone — confirm the intent
# and prefer separate zones with REJECT defaults for the guest side.
config zone
        option name 'off'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'Guests'
        list network 'Wifi'

Hold on before any of you reply....

I created the Guest VLAN but forgot to add any rules... But then, why does my cell phone get on the Wifi subnet?

[EDIT 22h00]
Ok, so I configured the firewall rules on pfSense.

My phone is still getting on the Wifi subnet when connecting to Guests SSID.

What's missing ?

Did you already check whether this is a pfSense issue or an OpenWRT issue? That is, did you connect a PC to the pfSense port where the Archer C7v2 is attached and set VLAN115 in the PC's Ethernet controller settings?

If there is no IP from Guests network, then error is on pfSense.

I can see multiple entries both from swconfig and DSA.
Also clean up the stale entries.

I am not sure I understand what you call stale entries.

While @VLANMaster had only VLAN19, I want to have two VLANS, one for private users and another one for guests. Those 2 entries highlighted in blue are different bridges.