Assuming I have an openwrt AP connected via lan1 to a linux router and via lan4 to a linux client, how can I create a rule to have lan4 talk only to a vlan on lan1 and untagged lan1, lan2, lan3 still work as default?
Does your main router have VLANs already configured?
All of the routing will happen on the main router itself (so that means the firewall on that router will be relevant, too). What is the main router (device + firmware/OS)?
As far as using the OpenWrt device as a managed switch, it is generally possible to do this -- you'll setup a trunk for the uplink, and then access ports or trunks for the downlinks... It would be helpful to know what you are trying to achieve with a basic diagram that includes the VLANs for each port.
Either they are or are not currently setup. If they're not, set those up first. Otherwise, you won't be able to determine if the downstream stuff is working.
A trunk is, by definition, a port/cable carrying multiple networks. The 802.1q standard allows you to have:
zero or one untagged network
zero, one or many tagged networks
If you wish to carry multiple networks, you must tag them. Technically speaking, one may be untagged. Some people will advise against using any untagged networks, but that is usually a matter of personal opinion. That said, some devices do not work properly with tagged + untagged configurations, so you may need to have all tagged from a practical perspective.
Please add some detail to the diagram (or explain in text)...
What VLANs will be carried from the router to the OpenWrt switch (via the trunk)
What VLAN should the OpenWrt switch be a member of?
What port will be used on the OpenWrt switch as the uplink?
Ok, I set up enp1s3.7 on the router, subnet 192.168.7.0/24 and enp1s3 is on 192.168.15.0/24.
If possible, I would like to keep the latter untagged.
VID 7 plus untagged or 7 and 15 if the former not possible.
7
lan1
This is not completely clear to me. As I wrote above, I would like enp1s3 to carry the AP traffic and possibly be untagged. enp1s3.7 should link to the openwrt switch and receive the traffic from lan4, AP side.
Any individual network can only be tagged or untagged. It cannot be both. You have VLAN tagged on your router, so the downstream device (i.e. the switch) must be tagged, too. VLAN 15 is currently untagged from the router.
So is the OpenWrt managed switch also being used as an AP?
My goal is to have a clear definition of each port (and SSID):
To further expand on my question, assuming I wanted a new vlan with a single port, bridged to a new SSID, how safe should L2 isolation be considered if it were to be connected to a potentially hostile machine?
Is it conceivable that it could access the rest of the LAN?
If you create a new subnet for a physical port and/or wifi, your firewall is the thing that protects your trusted network from a potential hostile host on the other network. This happens at L3 (routing). On L2 (switching), the subnets will be isolated by nature (provided you configure it properly).
Take a look at the guest wifi wiki for a bit of context on that.
Perhaps I will also take precautions at L3 for good measure, but I'm trying to understand how much security I can assume is happening at L2 in that regard.
E.g.:

# VLAN 15: untagged on the uplink (lan1) and on lan2, PVID on both
config bridge-vlan
    option device 'br-lan'
    option vlan '15'
    list ports 'lan1:u*'
    list ports 'lan2:u*'

# VLAN 7: tagged on the uplink to the router, untagged access port on lan4
config bridge-vlan
    option device 'br-lan'
    option vlan '7'
    list ports 'lan1:t'
    list ports 'lan4:u*'

# management address of the switch itself, on VLAN 15
config interface 'lan'
    option device 'br-lan.15'
    option proto 'static'
    option netmask '255.255.255.0'
    option ipaddr '192.168.15.88'
    option gateway '192.168.15.254'
    list dns '192.168.7.230'
adding this:

# separate bridge for lan3 plus a wifi SSID
config device
    option type 'bridge'
    option name 'wbr50'
    list ports 'lan3'
    list ports 'wifi50'
    option ipv6 '0'
the list ports 'wifi50' should be removed from the wbr50 device definition.
If the idea here is that you'll be taking port lan3 and bridging it to wifi (as a dumb AP), you also need to create a network interface for it with proto none. Then you tie the wireless to that network.
The device doing this bridging will not do any routing and will be essentially invisible to the wifi devices on that network as well as anything connected on port 3. Therefore, (for most normal use cases) you must have a DHCP server/router upstream on port 3... otherwise the wifi network won't go anywhere.
But to answer your question, the L2 isolation will work as long as the rest of your network is properly configured... you don't need to do anything special... your upstream router(s) will be the parts of the system that can allow/restrict the inter-vlan connections.
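As an added example (not from this thread and not OpenWrt's own tooling), the script below reads the bridge-vlan sections of a constructed /etc/config/network modelled on the config posted above, applies the 802.1q rules stated earlier in the thread (one untagged network per port, PVID on the untagged one), lists which ports share a VLAN and therefore can reach each other at L2 without the router, and checks that a wifi-iface is attached to a proto 'none' interface over the wbr50 bridge rather than listed as a bridge port. The interface name 'guest50', the wifi section and the convention that a port spec without 'u' is tagged are assumptions of this example.

```python
"""Added example: audit OpenWrt bridge-vlan and wifi-iface config for the
802.1Q and L2-isolation rules discussed in the thread (not the thread's code)."""
import re
from collections import defaultdict

# Constructed sample based on the posted config; wbr50 no longer lists the
# wireless name as a port, the wifi is attached through its wifi-iface instead.
SAMPLE_NETWORK = """
config bridge-vlan
    option device 'br-lan'
    option vlan '15'
    list ports 'lan1:u*'
    list ports 'lan2:u*'

config bridge-vlan
    option device 'br-lan'
    option vlan '7'
    list ports 'lan1:t'
    list ports 'lan4:u*'

config device
    option type 'bridge'
    option name 'wbr50'
    list ports 'lan3'

config interface 'guest50'
    option device 'wbr50'
    option proto 'none'
"""

# Constructed /etc/config/wireless fragment; the network name is assumed.
SAMPLE_WIRELESS = """
config wifi-iface 'guest_radio0'
    option ssid 'guest50'
    option network 'guest50'
"""


def parse_uci(text):
    """Minimal UCI reader: list of (type, name, options); 'list' keys collect."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:
            sections.append((m.group(1), m.group(2), {}))
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'?([^']*)'?$", line)
        if m and sections:
            kind, key, val = m.groups()
            opts = sections[-1][2]
            if kind == 'option':
                opts[key] = val
            else:
                opts.setdefault(key, []).append(val)
    return sections


def port_memberships(sections, bridge='br-lan'):
    """port -> {vid: 'u' or 't'} for one bridge, plus PVID from the '*' flag.
    A port spec without 'u' is treated as tagged (assumption)."""
    members, pvid = defaultdict(dict), {}
    for typ, _, opts in sections:
        if typ != 'bridge-vlan' or opts.get('device') != bridge:
            continue
        vid = int(opts['vlan'])
        for spec in opts.get('ports', []):
            port, _, flags = spec.partition(':')
            members[port][vid] = 'u' if 'u' in flags else 't'
            if '*' in flags:
                pvid[port] = vid
    return dict(members), pvid


def check_8021q(members, pvid):
    """Violations of the thread's rules: at most one untagged VLAN per port,
    and that untagged VLAN must carry the PVID marker."""
    problems = []
    for port, vlans in members.items():
        untagged = sorted(v for v, mode in vlans.items() if mode == 'u')
        if len(untagged) > 1:
            problems.append(f"{port}: more than one untagged VLAN {untagged}")
        if untagged and pvid.get(port) != untagged[0]:
            problems.append(f"{port}: untagged VLAN {untagged[0]} is not the PVID")
    return problems


def l2_peers(members, port):
    """Ports sharing a VLAN with `port`: reachable at L2 without the router."""
    vids = set(members.get(port, {}))
    return sorted(p for p, v in members.items() if p != port and vids & set(v))


def wifi_attachments(net_sections, wifi_sections):
    """ssid -> (proto of the joined interface, wired ports of its bridge),
    or None when the wifi-iface names a network that does not exist."""
    ifaces = {n: o for t, n, o in net_sections if t == 'interface'}
    devices = {o.get('name'): o for t, _, o in net_sections if t == 'device'}
    out = {}
    for typ, _, opts in wifi_sections:
        if typ != 'wifi-iface':
            continue
        iface = ifaces.get(opts.get('network'))
        if iface is None:
            out[opts.get('ssid')] = None
            continue
        dev = devices.get(iface.get('device'), {})
        out[opts.get('ssid')] = (iface.get('proto'), dev.get('ports', []))
    return out
```

Running `l2_peers` on the sample shows lan4 sharing a VLAN only with lan1 (the tagged uplink), so at L2 the client on lan4 can reach nothing but the router; whether it then reaches 192.168.15.0/24 is decided by the router's firewall, as the answer above says. Putting 'lan1:u*' into both VLANs makes `check_8021q` report the port, which is the "tagged or untagged, not both" rule in code.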