Just recently setup VLAN for myself first time, so don't consider myself as expert. Just give you couple of remarks.
Learn basics and terminology (for example trunking and tagging is just different name for same thing). Highly recommend book Packet Guide to Routing and Switching by Oreilly
As you already guessed, you can't set WAN port as tagged, because it would mean you're sending tagged packets to your ISP. Instead you need to tag LAN ports and route all traffic to the WAN.
Also make sure you know your device hw switch. For example in my case one of my routers (in role of AP) doesn't have all ports connected to hw switch, meaning this port (labelled as WAN) cannot be used in VLAN config.
I don't know if I'm being really thick but I'm struggling to connect to the LAN ports on the back of the router to the switch and then isolate the top and bottom row on the switch, one being Private LAN and the bottom being Guest LAN. Every time I do it I'm unable to acquire a connection and weirdly my PC freezes.
Well, reading your posts once again, you can ignore my comment about sending tagged packets to ISP with WAN port tagging, because I didn't realized you have also modem connected to switch in play. With your switch config, I see at least one potential problem - mixing tagged and untagged packets on WAN port. Some devices support this, but some will just freeze with this config. I would say WAN port should not be part of any private vlan. Normally to access internet from private LAN, you need to setup routing LAN->WAN, but in your case WAN seems to be just regular port.
Unfortunately due to the wiring this is the reason why I'm choosing to use the WAN connection. It provides WAN and the same cable goes back downstairs to another switch to make a wired bridge. The very reason why I'm trying to trunk the two LAN's and WAN.
I see. My point is that in your case WAN is just regular port (you could use any another port to achieve same connectivity. Also make sure this WAN port is part of hw switch. It seems to be with WRT1900ACS (also I believe @jeff can correct me if not :).
EDIT: But really try not mix tagged and untagged packets on same port (WAN in your case).
Not sure if, I'm interpreting it correctly. But from my understanding ports 0 - 3 and eth1 (cpu 0) are part of switch, but WAN port is connected to second CPU (eth0) may not be part of of the switch. Meaning WAN might be isolated. If it's true, you will not be able to achieve what you want to achieve, without routing. Meaning you'll have to route all packets from your private vlans through WAN port or just use any other port which is part of hw switch.
Well, if my theory is correct then it could cause freezing (but it can be something else too). But I don't know hw config of Marvell 88E6176, so I can only tell from that openwrt page. Anyway, try to switch (replace) WAN port for any of ports 0 - 3 (yes, you will "lose" one port, but consider it as a test).
Well, in my theory this would not be a valid config. But like I said, it's just theory, I might be wrong and this would be perfectly valid config in case I'm wrong.
Or I can turn off the WAN port for all VLAN's like this and port 3 becomes the new WAN port.
yes, this should work
Also make sure you've proper config of your switches. One of them should only "passthrough" tagged packets, but the other one in front of switch should remove tags before sending packets to your modem.
I just can't work out how to bring my LAN in on one port from the router to the switch and have multiple ports.
I removed the tags on VLAN 5 and VLAN 10 from the WAN port on OpenWrt and I was able to plug LAN port 1 from the router into port 23 of the switch. All the other odd numbered ports which are untagged in that VLAN set on the switch now work. Question is, now that I'm not trunking the LAN on the WAN port, I still need to be able to attached the LAN to the WAN port for downstairs.
Yes, I've seen that picture. But my point is that there is chance that you simply cannot add WAN port to be part of same VLAN together with all other ports due hw limitation.
EDIT: I'm talking from my personal experience with TP-Link TL-WR841N (crappy router I know), where WAN port is not part of a switch so my attempts to use it as trunk port failed, but using any other port was OK and is working perfectly fine. Like I said, maybe it's not your case, but I would give it a try.
Just a nit here, but trunking and tagging are very much different concepts, although tagging is required for trunking.
Tagging a network literally adds a tag (the VLAN ID) to the ethernet frames indicating which VLAN the frame belongs to. Equipment must be configured to listen for tagged VLANs and will only listen to the specific VLAN IDs that are specified. All non-specified VLAN IDs (tagged) and possibly the untagged network will be ignored. This compares to an untagged network that doesn't have a VLAN tag attached -- most consumer equipment only works with untagged ethernet (at least by default) and will simply ignore any tagged frames (unless configured otherwise).
Similarly, switching (and routing) equipment that is VLAN aware will utilize the tagged ethernet frames to ensure that packets are switched properly. Even ports that have an untagged network configured will assign a VLAN ID internally on the VLAN aware switch fabric (untagged data entering a port has a tag added so it can traverse the switch fabric, and it is removed as the data is exiting the port).
If I haven't explained this well, let me know and I'll see if I can clarify it or make up some analogies.
Trunking is the act of sending multiple networks over the same wire. If your wire carries only one network, even if the network is tagged, it is not a trunk.
Generally speaking, you may have 0 or 1 untagged network, plus 0, 1, or many tagged networks that are carried over the same physical link.
So for example:
1 untagged + 0 tagged = 1 network ==> this is not a trunk.
0 untagged + 1 tagged = 1 network ==> this is not a trunk.
1 untagged + 1 tagged = 2 networks ==> this constitutes a trunk.
0 untagged + 2 tagged = 2 networks ==> this is also a trunk
Yeah, sorry I was not 100% exact. I was referring to Oreilly's book
“When a port is used to interconnect switches and convey VLAN information, the operation of the port is changed to a trunk. For example, on a Cisco switch the mode command would be used to make this change. Other vendors indicate that the port is now “tagged,” indicating that a VLAN id will now be inserted into the frames.”
Excerpt From: Bruce Hartpence. “Packet Guide to Routing and Switching.” Apple Books.