I am replacing my trusty Archer C7 dumb AP with one of those fancy AX3600 WiFi 6 thingies, also configured as dumb AP.
C7 is regular AP/edge switch except one thing: anything connected to LAN 3 or LAN 4 was handled differently by router via VLAN id 5. Those ports were isolated from the rest of network on its own subnet and could only reach internet.
Unfortunately, AX3600 does not have built in switch, so I wonder how can I map C7 switch config above into network configuration that fits AX3600 (which seems to have individual ports instead of programmable switch).
I tried this and only succeeded with locking myself out (there is no LAN 4 on AX3600 so I only want LAN3 to be handled differently on new device):
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u'
	list ports 'lan2:u'
	list ports 'lan3:t'
	list ports 'wan:u'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'lan3:u'
	list ports 'wan:t'
This makes ports wan and lan3 trunk ports, the others are access ports for VLAN1.
Is that what you're going for?
The final part of the puzzle is assigning the networks appropriately...
if VLAN 1 is your main network (used to manage the device), typically you want that to have an address assigned. So you'll do that with a network using device br-lan.1 and then proto static (or DHCP).
The other network (in this case, VLAN 5), will have a network associated that has proto 'none' and device br-lan.5. From there, you can connect either or both of them to SSIDs for wifi.
I just want to rewrite "switch" parts of config into "dsa" lingo, if possible.
Disclaimer: I have very little understanding of VLAN tagging. I just got it to work on C7, via managed switch and into the router I then set up a separate interface on router to handle VLAN5 as "guest".
You've pretty much done it already, other than the fact that I'd recommend you use 'u*' for the access ports (i.e. the ports that have only one network associated).
You have the bridge device defined twice... remove the second instance.
Since ports LAN1 and LAN2 are access ports for VLAN 1, use u* like this:
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:t'
	list ports 'wan:u'
Change the lan to use br-lan.1 like this:
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.7'
	option gateway '192.168.0.1'
	list dns '192.168.0.1'
Create an unmanaged network interface for the other VLAN (so that you can connect it with a wifi SSID) -- I'm calling it vlan5, but you can call it something else if you want (i.e. guest, iot, etc).
config interface 'vlan5'
	option device 'br-lan.5'
	option proto 'none'
I got it running! Many thanks you kind strangers, you are the best!
For future reference, here is a recipe for "dumb AP" with IP 192.168.0.9 with two (LAN3, LAN2) of four ports being tunnelled as "VLAN5" for further isolation in router. (If there is a switch in between, it needs to be able to handle VLANs and be configured accordingly.)
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd47:5f38:59af::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'wan:u'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.9'
	option gateway '192.168.0.1'
	list dns '192.168.0.1'

config interface 'vlan5'
	option device 'br-lan.5'
	option proto 'none'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'wan:t'
This way, I can connect dodgy Chinese IoT things to port 2 or 3 and keep them isolated from internal network.
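An added example, not part of the thread or any poster's own code: a small Python check that parses `bridge-vlan` stanzas and lists ports that are untagged members of the isolated VLAN while still being members of the main VLAN, since such a port also accepts frames tagged for the main VLAN. The function names are assumptions of this example; `SAMPLE` is copied from the recipe above and `HARDENED` is a constructed variant with the two tagged VLAN 1 memberships removed.

```python
from collections import defaultdict

# Constructed input: the two bridge-vlan stanzas from the recipe in the thread.
SAMPLE = """
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
    list ports 'lan2:t'
    list ports 'lan3:t'
    list ports 'wan:u'
config bridge-vlan
    option device 'br-lan'
    option vlan '5'
    list ports 'lan2:u*'
    list ports 'lan3:u*'
    list ports 'wan:t'
"""
# Constructed variant: lan2/lan3 are no longer tagged members of VLAN 1.
HARDENED = "\n".join(l for l in SAMPLE.splitlines()
                     if "lan2:t" not in l and "lan3:t" not in l)

def parse_bridge_vlans(text):
    """Return {port: {vid: flags}}; flags are kept verbatim ('u*', 't', '')."""
    sections, cur = [], None
    for raw in text.splitlines():
        tok = raw.replace("'", " ").replace('"', " ").split()
        if not tok:
            continue
        if tok[0] == "config":  # a new section starts; track only bridge-vlan
            cur = {"vlan": None, "ports": []} if tok[1:2] == ["bridge-vlan"] else None
            if cur is not None:
                sections.append(cur)
        elif cur is not None and len(tok) >= 3:
            if tok[:2] == ["option", "vlan"]:
                cur["vlan"] = int(tok[2])
            elif tok[:2] == ["list", "ports"]:
                name, _, flags = tok[2].partition(":")
                cur["ports"].append((name, flags))
    members = defaultdict(dict)
    for s in sections:
        for name, flags in (s["ports"] if s["vlan"] is not None else []):
            members[name][s["vlan"]] = flags
    return dict(members)

def audit(text, isolated_vid, trusted_vid):
    """Ports untagged in isolated_vid that are also members of trusted_vid."""
    return [(port, vids[trusted_vid])
            for port, vids in sorted(parse_bridge_vlans(text).items())
            if "u" in vids.get(isolated_vid, "") and trusted_vid in vids]
```

Run `audit()` on a copy of `/etc/config/network` before applying it; the uplink port (`wan` here) is not reported because it is tagged, not untagged, in the isolated VLAN.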