VLAN config on WRT1900ACS

Hi,

I have been trying for hours now to configure my guest wifi on a WRT1900ACS which is configured as a dumb AP. The dumb AP setup has been running for years. Also, I already have a guest wifi, segregated into a VLAN on an Edgerouter X SFP in combination with a Unifi AP, which has also been running fine for years. However, I cannot successfully connect my dumb AP to that VLAN - other SSIDs bound to the untagged LAN are working fine, though.
I read many forum posts, I watched many YouTube videos, and read things like the DSA mini tutorial in the wiki.

My network configuration on the dumb ap is as follows now:

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'
        option packet_steering '1'

config interface 'lan'
        option proto 'dhcp'
        option device 'br-lan.1'

config device
        option name 'br-lan'
        option type 'bridge'
        option arp_accept '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan4:t'

config interface 'guest'
        option proto 'dhcp'
        option device 'br-lan.3'

The interface guest gets no IP from my router, which is connected via LAN4. My goal is that my LAN works as before (hence VLAN untagged), and additionally the dumb AP uses VLAN3 for the guest SSID.

System info:

{
        "kernel": "6.6.73",
        "hostname": "dkap2",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT1900ACS",
        "board_name": "linksys,wrt1900acs",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10-SNAPSHOT",
                "revision": "r28403-1e9966a63a",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 24.10-SNAPSHOT r28403-1e9966a63a",
                "builddate": "1737808453"
        }
}

If there is anything else I should provide, please ask.
I would be very happy if someone could guide me in the right direction.

There are only 3 things I see in the config file you have posted:

Remove the arp_accept line below:

Make the untagged+PVID status of the ports for VLAN 1 explicit by adding :u* to ports lan1-lan3:

And change the guest network from dhcp to none to make it unmanaged:

Restart and test again. If it doesn't work, please post the wireless config file from this device, and then also the complete config of your ER-X:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Thank you very much @psherman for looking into the config. I changed what you mentioned and rebooted, still, I cannot acquire an IP address in that VLAN. Following is the wifi config of the WRT1900ACS:

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option htmode 'VHT80'
        option country 'DE'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'APX5'
        option encryption 'psk2'
        option key 'xxx'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option htmode 'HT20'
        option country 'DE'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'APX2'
        option encryption 'psk2'
        option key 'xxx'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'AP2'
        option encryption 'psk2'
        option key 'xxx'
        option network 'lan'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'AP5'
        option encryption 'psk2'
        option key 'xxx'
        option network 'lan'

config wifi-iface 'wifinet4'
        option device 'radio1'
        option mode 'ap'
        option ssid 'GUEST'
        option encryption 'psk2+ccmp'
        option key 'xxx'
        option isolate '1'
        option network 'guest'

And here is the information of the Edgerouter X. I just want to mention again that the VLAN for my guest wifi (via a Unifi AP connected to the Edgerouter X) has been working for years.

{
        "kernel": "5.15.145",
        "hostname": "dkrouter",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Ubiquiti EdgeRouter X SFP",
        "board_name": "ubnt,edgerouter-x-sfp",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r24723-7ddd3abd27",
                "target": "ramips/mt7621",
                "description": "OpenWrt SNAPSHOT r24723-7ddd3abd27"
        }
}

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option device 'br-lan'

config interface 'wan'
        option proto 'pppoe'
        option username 'xxx'
        option password 'xxx'
        option peerdns '0'
        list dns '127.0.0.1'
        option ipv6 '1'
        option device 'eth0'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '::1'
        option reqaddress 'none'
        option device '@wan'

config interface 'DKMODEM'
        option proto 'static'
        option ipaddr '192.168.100.2'
        option netmask '255.255.255.0'
        option device 'eth0'

config interface 'DKSWITCH'
        option proto 'static'
        option ipaddr '192.168.88.2'
        option netmask '255.255.255.0'
        option device 'eth4'
        option auto '0'

config interface 'GUEST'
        option proto 'static'
        option ipaddr '192.168.11.1'
        option netmask '255.255.255.0'
        option device 'eth1.3'

config interface 'wg_lan'
        option proto 'wireguard'
        option private_key 'xxx'
        option listen_port 'xxx'
        list addresses '10.0.5.1/24'
        option mtu '1420'

config wireguard_wg_lan
        option public_key 'xxx'
        option preshared_key 'xxx'
        option description '1_lan_De'
        list allowed_ips '10.0.5.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg_lan
        option public_key 'xxx'
        option preshared_key 'xxx'
        option description '2_lan_Fe'
        list allowed_ips '10.0.5.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg_lan
        option public_key 'xxx'
        option preshared_key 'xxx'
        option description '3_lan_DKDev'
        list allowed_ips '10.0.5.4/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'
        list ports 'eth5'

config interface 'ISOLATE'
        option proto 'static'
        option device 'eth1.4'
        option ipaddr '192.168.22.1'
        option netmask '255.255.255.0'

config dnsmasq
        option localise_queries '1'
        option rebind_protection '0'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        option allservers '1'
        list notinterface 'wan'
        list server '127.0.0.1#6053'
        option noresolv '1'

config dhcp 'lan'
        option interface 'lan'
        option start '150'
        option limit '100'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'

config dhcp 'GUEST'
        option interface 'GUEST'
        option start '100'
        option limit '150'
        option leasetime '1h'
        list dhcp_option '6,1.1.1.1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'ISOLATE'
        option interface 'ISOLATE'
        option start '100'
        option limit '150'
        option leasetime '12h'

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun0'
        list network 'lan'
        list network 'wg_lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'DKMODEM wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config rule
        option name 'NTP for Modem'
        list src_ip '192.168.100.1'
        option target 'ACCEPT'
        option src '*'
        option dest_port '123'
        list proto 'udp'
        option family 'ipv4'

config zone
        option name 'guest'
        option network 'GUEST'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'SNMP for Modem'
        list proto 'udp'
        option src '*'
        list src_ip '192.168.100.1'
        option dest_port '162'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option src 'guest'
        option target 'REJECT'
        option name 'Deny guest to dkmodem'
        list dest_ip '192.168.100.1'
        option dest 'wan'

config rule
        option name 'Guest DNS'
        option src 'guest'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        option dest_port '53'

config rule
        option name 'Guest DHCP'
        list proto 'udp'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard-lan'
        option src 'wan'
        option dest_port 'xxx'
        option proto 'udp'
        option target 'ACCEPT'

config redirect 'adblock_guest53'
        option name 'Adblock DNS (guest, 53)'
        option src 'guest'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_guest853'
        option name 'Adblock DNS (guest, 853)'
        option src 'guest'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_guest5353'
        option name 'Adblock DNS (guest, 5353)'
        option src 'guest'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_lan853'
        option name 'Adblock DNS (lan, 853)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_lan5353'
        option name 'Adblock DNS (lan, 5353)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config rule
        list proto 'udp'
        option target 'ACCEPT'
        option family 'ipv4'
        list src_ip 'xxx'
        list src_ip 'xxx'
        option src_port 'xxx'
        option name 'Allow SIP'
        option src 'wan'
        option dest_port 'xxx'

config nat
        option name 'SIP'
        option src 'wan'
        option src_ip '192.168.1.8'
        option target 'MASQUERADE'
        list proto 'udp'
        option enabled '0'

config redirect
        option target 'DNAT'
        option name 'SIP1'
        list proto 'udp'
        option src 'wan'
        option src_ip 'xxx'
        option src_port 'xxx'
        option dest 'lan'
        option dest_ip '192.168.1.8'
        option src_dport 'xxx-xxx'
        option enabled '0'

config redirect
        option target 'DNAT'
        option name 'SIP2'
        list proto 'udp'
        option src 'wan'
        option src_port 'xxx'
        option dest 'lan'
        option dest_ip '192.168.1.8'
        option src_ip 'xxx'
        option src_dport 'xxx-xxx'
        option enabled '0'

config rule
        option name 'Block-WAN-for-device-x'
        option src 'lan'
        list src_mac 'xxx'
        option dest 'wan'
        option target 'REJECT'

config zone
        option name 'isolate'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'ISOLATE'

config forwarding
        option src 'isolate'
        option dest 'wan'

config rule
        option name 'Deny isolate to dkmodem'
        option src 'isolate'
        option target 'REJECT'
        option dest 'wan'
        list dest_ip '192.168.100.1'

config rule
        option name 'Isolate DNS'
        option src 'isolate'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Isolate DHCP'
        list proto 'udp'
        option src 'isolate'
        option dest_port '67-68'
        option target 'ACCEPT'

I hope this helps. If there is anything else I can post here, please ask.

There are likely some issues with the ER-X-SFP config. To fix them, I need to know what's connected to each port and what your intended VLAN membership is on each port. A network topology diagram would be helpful here.

The key issues here are:

  • you have ports eth1-eth5 assigned to br-lan but then you are using dotted notation on those ports in several of the interfaces (specifically eth1.x). This is not the correct way to handle VLANs in DSA config.
  • Despite the fact that the syntax is not correct, you have stated it is working... but because you have your guest network assigned to eth1.3, it is only expected to be present on physical port eth1. That means that unless your WRT1900ACS is connected to eth1 (directly or via a managed switch), the AP will not be able to connect to the guest VLAN.
  • Your VLANs should be redefined using proper bridge-vlan syntax... I can help with that once the port-vlan memberships are clearly defined.
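
A check for the first issue in the list above, as an added example that is not part of the thread or of OpenWrt itself: it scans a UCI network file for interfaces bound to `port.vlan` where the port is also a bridge member, and renders the `bridge-vlan` stanza each one maps to. The function names are hypothetical, and the sample input is constructed by trimming the ER-X config posted above.

```shell
#!/bin/sh
# Added example, not from the thread. Finds UCI interfaces that use dotted
# VLAN notation (e.g. eth1.3) on a port that is also a bridge member.

# Prints "<interface> <port> <vlan> <bridge>" for each finding.
# $1: UCI network file (on a device: /etc/config/network); stdin if omitted.
find_dotted_on_bridge_ports() {
    awk -v q="'" '
    function unq(s) { gsub(q, "", s); return s }
    $1 == "config" { n++; kind[n] = $2; label[n] = unq($3); next }
    $1 == "option" && $2 == "name"   { name[n] = unq($3) }
    $1 == "option" && $2 == "type"   { type[n] = unq($3) }
    $1 == "option" && $2 == "device" { dev[n] = unq($3) }
    $1 == "list"   && $2 == "ports"  { ports[n] = ports[n] " " unq($3) }
    END {
        # Map every member port of a bridge device to that bridge.
        for (i = 1; i <= n; i++)
            if (kind[i] == "device" && type[i] == "bridge") {
                m = split(ports[i], p, " ")
                for (j = 1; j <= m; j++) bridge[p[j]] = name[i]
            }
        # Report interfaces bound to <port>.<vlan> where <port> is bridged.
        for (i = 1; i <= n; i++) {
            if (kind[i] != "interface") continue
            if (split(dev[i], d, /\./) == 2 && (d[1] in bridge))
                print label[i], d[1], d[2], bridge[d[1]]
        }
    }' "$@"
}

# Renders each finding as the tagged bridge-vlan stanza that replaces it.
suggest_bridge_vlans() {
    find_dotted_on_bridge_ports "$@" | while read -r iface port vlan bridge; do
        printf "config bridge-vlan\n\toption device '%s'\n" "$bridge"
        printf "\toption vlan '%s'\n\tlist ports '%s:t'\n" "$vlan" "$port"
        printf "# then set interface '%s' to: option device '%s.%s'\n\n" "$iface" "$bridge" "$vlan"
    done
}

# Constructed sample: trimmed from the ER-X network config posted above.
sample_config() {
    cat <<'EOF'
config interface 'lan'
        option device 'br-lan'

config interface 'GUEST'
        option device 'eth1.3'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'

config interface 'ISOLATE'
        option device 'eth1.4'
EOF
}

if [ $# -gt 0 ]; then suggest_bridge_vlans "$1"; else sample_config | suggest_bridge_vlans; fi
```

The rendered stanzas cover only the tagged VLANs. Once bridge VLAN filtering is in use, the untagged LAN needs its own stanza as well, as VLAN 1 has in the AP config at the top of the thread.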

Thank you very much for offering your help! The connection between the Edgerouter X SFP and the WRT1900ACS is indeed via eth1 - so it works, but it's not like it should be. Attached is a simple drawing of my network, as it should be. I hope it helps you to understand what I want to achieve. If you need anything else, please ask. Looking forward to your reply.

Ok... so both the working AP (Unifi) and the one that isn't (WRT1900ACS) are connected to the same managed switch?

Please verify that the Unifi AP is indeed working as expected. Then, swap the ports such that the WRT1900ACS is plugged into the port that is currently used by the Unifi AP and vice versa.

Test both APs and let us know what happens.

I have to apologize! Swapping the ports on my managed switch led to getting no more IP in my guest network - as you maybe expected, right? This immediately prompted me to take another look at the configuration of my switch. And shame on me, I had forgotten to enter the VLAN3 as tagged on the other port as well. That makes me very uncomfortable, sorry for that. Now it works as it should.

However, as you mentioned, my config is not state of the art. Could you tell me what I should change on my router to achieve that?