I have some questions about VLANs and OpenWRT. I have used OpenWRT for years, but I have never worked with VLANs, and it is a rather complicated topic, as I gather from reading here and about managed switches.
I have a basic network setup right now with a large unmanaged switch linked to PCs and several camera systems, and some OpenWRT routers being used as APs. One of the OpenWRT routers also has an isolated public WLAN interface configured. I would like to isolate those camera systems and their WLAN IP cameras in a new VLAN, but they still need internet access.
So the plan would be to replace the main unmanaged switch with a managed switch. Can OpenWRT be configured in such a way that on one cable it can be an AP (wired & wireless) for the main LAN (VLAN1?) and also have a WLAN that links to a different upstream VLAN?
Do you have a router upstream of the switch? If so, is it running OpenWrt? I think the normal setup would be to configure both your VLANs (LAN and Cameras, say VLAN1 and VLAN3) on the main router, then connect them both over a single trunk to the AP (not going through the unmanaged switch), while another port from your main router provides the VLAN1 distribution for your PCs. The downstream AP is then also set up with both VLANs, receives them from the upstream router over the trunk, and is able to connect the WLAN to the camera VLAN3 while providing VLAN1 access over its other ports. The AP would be "dumb" in this scenario.
Would that work for you, or have I misunderstood the situation?
The generally preferred topology is to perform all routing (and thus establish all the VLANs/subnets) on the main router. Then, connect a single cable as a trunk between your main router and your managed switch. Configure your managed switch such that the ports that need to handle multiple VLANs (i.e. the connection between the router and the switch, and between the switch and the APs) are all trunks carrying the desired VLANs. The other ports that will have direct connections to computers or cameras and the like will usually be set up as "access ports" (that is, a port that has just a single network, untagged) for the VLAN that is needed for a given device.
It sounds like you're using OpenWrt for your main router as well as the APs, so this should all be relatively straightforward... there is a learning curve, but everything should be possible on a technical level once you have a managed switch in place.
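The topology described above, written out as an added example (not configuration posted by anyone in this thread). It shows a "dumb" OpenWrt AP that receives VLAN 1 (LAN) and VLAN 3 (cameras) over one trunk cable and binds a separate SSID to each, plus the firewall zone on the main router that gives the camera VLAN internet access but no path into the LAN. Assumptions: OpenWrt 21.02 or later on a DSA target with bridge VLAN filtering (older swconfig builds use `config switch_vlan` sections instead), trunk on port `lan1`, a wired VLAN 1 client on `lan2`, the 192.168.1.0/24 LAN with the main router at 192.168.1.1, `radio0` as the wireless device, and placeholder SSIDs and keys; the main router is assumed to already have an interface named `cameras` on VLAN 3 with its own subnet and DHCP pool.

```uci
# Added example, not from the thread: OpenWrt "dumb AP" carrying two VLANs
# over one trunk cable, plus the main router's firewall zone that keeps the
# camera VLAN internet-only. Assumes OpenWrt 21.02+ with DSA/bridge VLAN
# filtering; port names (lan1, lan2), addresses, SSIDs, keys and radio0 are
# placeholders. swconfig targets use 'config switch_vlan' sections instead.

# ---- /etc/config/network (on the AP) ----
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'                # trunk to the managed switch
	list ports 'lan2'                # access port for a wired PC (VLAN 1 only)

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'             # VLAN 1 untagged + PVID on the trunk
	list ports 'lan2:u*'             # ... and on the wired access port

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'              # VLAN 3 tagged on the trunk only

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.2'      # AP management address, outside the router's DHCP pool
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'     # the main router
	list dns '192.168.1.1'

config interface 'cameras'
	option device 'br-lan.3'
	option proto 'none'              # the AP holds no address on the camera VLAN; it only bridges it

# ---- /etc/config/dhcp (on the AP): a dumb AP runs no DHCP server ----
config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

# ---- /etc/config/wireless (on the AP) ----
config wifi-iface 'wlan_lan'
	option device 'radio0'
	option mode 'ap'
	option ssid 'HomeLAN'
	option network 'lan'             # bridged into VLAN 1
	option encryption 'psk2'
	option key 'REPLACE_WITH_LAN_PASSPHRASE'

config wifi-iface 'wlan_cams'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Cameras'
	option network 'cameras'         # bridged into VLAN 3, tagged towards the router
	option encryption 'psk2'
	option key 'REPLACE_WITH_CAMERA_PASSPHRASE'
	option isolate '1'               # camera clients cannot talk to each other over the air

# ---- /etc/config/firewall (on the main router, which routes the 'cameras' interface) ----
config zone
	option name 'cameras'
	list network 'cameras'
	option input 'REJECT'            # cameras reach the router only via the rules below
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'cameras'
	option dest 'wan'                # internet only; deliberately no forwarding to 'lan'

config rule
	option name 'cameras-dhcp'
	option src 'cameras'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'cameras-dns'
	option src 'cameras'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

On the managed switch the ports facing the router and the AP carry VLAN 1 untagged and VLAN 3 tagged to match the `lan1:u*` / `lan1:t` lines, and the wired camera ports are access ports (PVID 3, untagged). The isolation itself is enforced only by the router's firewall: the AP bridges frames between SSID and VLAN without routing, so if the `cameras` zone were given a forwarding to `lan`, or the camera SSID were bound to `lan` by mistake, the cameras would be back on the main network. After applying the AP configuration, check from a camera-SSID client that the main router answers DHCP and DNS but that a LAN address such as 192.168.1.2 does not respond.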
I'm sorry. I forgot to mention that there is an Asus AC68U router going out to the web. That is running AsusWRT Merlin. It could be swapped for an OpenWRT router however.
It depends on what "AsusWRT Merlin" supports in terms of VLANs and multiple vAP interfaces - that question is better asked in another, more relevant venue for that firmware (OpenWrt will 'never' support that device). And, obviously, on whether you can get the dedicated trunk port between the router and AP(s) without having an unmanaged switch in between those devices.
The ASUS firmware doesn't officially have VLAN functionality and I don't think I would want to mess with making the firmware do things it's not intended to do. So I think that router would be replaced.
I have TPLink Archer C7, Netgear WNDR4300v1 and a Buffalo G300NH2 running the latest OpenWRT. So one of those could be swapped in.
I imagine the ASUS router could be used as a basic AP somewhere right?
Sure, as long as you can turn off the DHCP server and set the IP address so that it doesn't conflict with anything else on your network. Keep in mind that it will only be able to broadcast a single SSID.