Ha! Just did that! Tagged an empty port and it works with the weird caveat that the network has the same name as the standard wi-fi. And the laptop gets an IP from VLAN 1 and not VLAN 3, although the port is tagged to VLAN 3.
Yes, at this point it appears that you need to configure your switch and/or AP. This is not OpenWrt, and I am not familiar with the Ruckus devices, so I can't really help here other than general advice.
VLAN 3 is not active on port 1. It should be tagged on port 1.
Also, your computer is probably expecting untagged traffic on the ethernet connection, so you need to set a port on the switch to have VLAN 3 untagged. This will also require setting the default (sometimes called PVID) VLAN on the port to VLAN 3 as well.
OK, so now we are on the switch on VLAN 3 with the wired connection. At least the laptop gets an IP from that range. Same for Wi-Fi.
Awesome! It seems we got it.
Next questions: When I connect the IOT devices to VLAN 3, I want to keep them away from what's going on in VLAN 2. How do I separate the two and how can I stop the internet connection for VLAN 3 on-demand?
Create a new firewall zone for VLAN 3 (you can do that by editing the firewall zone the way you did previously, create a new zone).
Then adjust the firewall rules for that zone (Network > Firewall).
I'd recommend accept output, drop input and forward.
You'll also need two traffic rules to accept DNS (port 53) and DHCP (ports 67-68) to reach the router from the IoT zone, since the "drop" on input will prevent that from working (but it will otherwise protect the router from any IoT devices trying to access any other services).
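Added example, not part of any post in this thread: the zone and traffic rules described above, written as an OpenWrt `/etc/config/firewall` fragment. The names `iot` (zone and network) and `wan` (upstream zone) are assumptions; substitute the names used on your router.

```uci
# IoT zone: drop input and forward, accept output (policies from the post above).
# The zone-level 'forward' policy only covers traffic between networks inside
# this zone; traffic to other zones needs an explicit 'config forwarding'.
config zone
	option name 'iot'            # assumed zone name
	list network 'iot'           # assumed name of the VLAN 3 interface
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'

# Input is dropped, so DNS to the router must be allowed explicitly.
# A rule with 'src' and no 'dest' applies to traffic addressed to the router.
config rule
	option name 'Allow-IoT-DNS'
	option src 'iot'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53'
	option target 'ACCEPT'

# Same for DHCP, otherwise clients in the zone never get a lease.
config rule
	option name 'Allow-IoT-DHCP'
	option src 'iot'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

# Internet access for the zone comes from this section alone.
# Setting 'enabled' to '0' (or deleting the section) and reloading the
# firewall cuts internet for the zone while DHCP and DNS keep working.
# No forwarding section from 'iot' to the VLAN 2 zone is defined, so the
# router does not route IoT traffic into that network.
config forwarding
	option src 'iot'
	option dest 'wan'            # assumed name of the upstream zone
	option enabled '1'
```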
Glad I could help. Please mark the most useful response as the solution since the primary issue is solved. When you start working with the firewall, open a new thread if you have questions about that part.
I set up all VLANs and they work fine with some limitations. I can log in via cable and wifi and get the correct IP etc. I also set up a firewall zone for each of them (see screenshot). I also assigned each VLAN to its firewall zone. I thought this link is necessary, although it seems when an interface is linked to its respective zone, internet access works and it stops working when I do not link the interface to a zone. For IOT, I adjusted them based on what @psherman recommended above.
I still have some problems / issues:
For the IOT vlan/wifi I selected drop, accept, drop and the internet does still work. It only stops working when I unlink the interface from the firewall zone. Same is true for guests, but as the only difference is reject vs drop, I assume it is caused by the same mistake.
Although I created separate firewall zones, I can still log into the router from all VLANs. My understanding was/is that VLANs are separated from one another. What am I missing?
@thimplicity - would you mind moving this to a new thread since it is firewall specific (rather than the earlier issues of VLAN tagging/trunking and such). Tag me into a new thread and I can answer it there.