VLANs for separate SSIDs for Mi4A Gig with eth switch

So my config is as follows.
I have a main router with openwrt fully set and working with VLANs and everything.

I have a VLAN aware switch connected to port 1 of this router:
image

I want to create an almost dumb AP with openwrt and connect it on the switch (port 8 of the switch used by the dumb AP).

For the dumb AP I am using a flashed Mi 4A with OpenWrt 21.02.0-rc3 r16172-2aba3e9784.
What I want is to have the ability to have separate SSIDs which will take packets and tag them so I can pass them to the main router and provide networking.

I am new to all this so whatever I do I seem to end up just locking myself out.

By default openwrt has these as physical devices:
wan, eth0, lan1, lan2, br-lan(lan1, lan2) and wlan1.
lan1, lan2 and wan are seen as switch ports and eth0 as the switch I suppose.

And interfaces:
wan and wan6 with DHCP and lan on the br-lan device.

I have created one more wlan1-1 ph. device with a management interface with a static ip and separate mac (assigned to a separate SSID) just so every time I lock myself out of the device I don't have to debrick it.

I want to create three SSIDs (Main (5 GHz), IoT (2.4 GHz), Guests (2.4 GHz)) and with probably a dumb (unmanaged?) interface just pass the traffic to lan after tagging it accordingly (Main->VLAN10, IoT->VLAN60, Guest->VLAN70) so it passes tagged through the switch to the main router etc.

The problem is that I don't even have a switch menu on my installation. I only have the option to enable VLAN on the bridge physical device, create subdevices (e.g. br-lan.10) but there I am doing something completely wrong and I cannot get it to work.


I tried a lot of different configurations with separate bridges and all and nothing worked. Even if I enable VLAN on the bridge I immediately lose access to the router.

Some side notes: The firewall daemon is disabled. DHCP is supposed to operate on the main router for all the VLANs as I have interfaces there giving IPs. I suppose I should take more of my info from:
https://forum.openwrt.org/t/mini-tutorial-for-dsa-network-config
but I cannot practically and successfully apply it to my case.

Any help would be greatly appreciated (I am HIGHLY beyond my comfort zone fiddling with these network settings).

Consider changing your firmware to 19.07 to get the familiar switch page instead of the devices. I have a Mi4A on 19.07 and can confirm this. If you want to try, I do have an idea. This is basically an educated guess, just to be clear.

Delete MAIN interface.
Create MAIN again; unmanaged, interface eth0.10 in the custom field.
Create MAIN ssid using MAIN(eth0.10) as interface.
Check or Edit br-lan interface making sure LAN1, LAN2, and software VLAN(eth0.10) are bridged.

If it works do the same for iot and guest. Hope it works!


Don't mix tagged and untagged on the same port. A trunk cable between two VLAN capable devices should be tagged on all VLANs being carried.

Read the DSA tutorial thread here. Make one bridge with all the Ethernet ports in it, and a bridge_vlan for each VLAN.

Set up a wifi AP and log in by wifi, which will always work even if you misconfigure the Ethernet.

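A worked configuration for the approach in the reply above (one bridge holding all Ethernet ports, one bridge-vlan per VLAN, trunk port tagged on every VLAN), written here as an added example in 21.02 DSA syntax; it is not taken from the thread or from the OpenWrt documentation. Assumptions: lan1 is the port cabled to the VLAN-aware switch (the trunk), lan2 is a spare port used as an untagged access port on VLAN 10, VLAN ids 10/60/70 and the SSID names come from the question, the management address 192.168.10.250/24 and gateway are constructed sample values, and radio0/radio1 are assumed to be the 2.4 GHz and 5 GHz radios respectively (check with `iw dev` before relying on that).

```uci
# /etc/config/network  (added example, not the poster's file)

# One bridge that contains every Ethernet port of the AP.
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'

# One bridge-vlan per VLAN.  lan1 is the trunk towards the switch, so it is a
# tagged member (:t) of every VLAN and is never untagged on any of them.
# lan2 is a plain access port: untagged member and PVID (:u*) of VLAN 10 only.
config bridge-vlan
    option device 'br-lan'
    option vlan '10'
    list ports 'lan1:t'
    list ports 'lan2:u*'

config bridge-vlan
    option device 'br-lan'
    option vlan '60'
    list ports 'lan1:t'

config bridge-vlan
    option device 'br-lan'
    option vlan '70'
    list ports 'lan1:t'

# Management of the AP lives on VLAN 10.  DHCP for every VLAN is served by the
# main router (as stated in the question), so the AP needs one static address
# here and no address at all on the other VLAN interfaces (proto 'none').
config interface 'lan'
    option device 'br-lan.10'
    option proto 'static'
    option ipaddr '192.168.10.250'      # constructed sample value
    option netmask '255.255.255.0'
    option gateway '192.168.10.1'       # constructed sample value

config interface 'iot'
    option device 'br-lan.60'
    option proto 'none'

config interface 'guest'
    option device 'br-lan.70'
    option proto 'none'

# /etc/config/wireless  (wifi-iface sections only; radio names are an assumption)

config wifi-iface 'main_ap'
    option device 'radio1'              # assumed 5 GHz radio
    option mode 'ap'
    option network 'lan'                # -> br-lan.10 -> VLAN 10 tagged on lan1
    option ssid 'Main'
    option encryption 'psk2'
    option key 'CHANGE-ME-main'         # placeholder passphrase

config wifi-iface 'iot_ap'
    option device 'radio0'              # assumed 2.4 GHz radio
    option mode 'ap'
    option network 'iot'                # -> br-lan.60
    option ssid 'IoT'
    option encryption 'psk2'
    option key 'CHANGE-ME-iot'          # placeholder passphrase
    option isolate '1'                  # clients on this SSID cannot talk to each other

config wifi-iface 'guest_ap'
    option device 'radio0'
    option mode 'ap'
    option network 'guest'              # -> br-lan.70
    option ssid 'Guests'
    option encryption 'psk2'
    option key 'CHANGE-ME-guest'        # placeholder passphrase
    option isolate '1'
```

Apply it with `/etc/init.d/network restart` and `wifi reload`, ideally while logged in over the separate management SSID described in the question, because the untagged default LAN disappears from lan1 the moment the bridge becomes VLAN aware. Everything that stays on the AP side is the 802.1Q tagging; the switch port feeding the AP must be configured as a trunk carrying the same VLANs tagged. As the next reply notes, attaching wireless interfaces to a bridge-vlan sub-device depends on netifd behaviour that landed after the rc3 tag, so this exact layout may need a newer 21.02 build.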

Some of the later DSA configurations to be found in the tutorial thread will only be available with netifd commits which happened post RC3 tag, consequently they are not to be found in RC3 images. You will have to at least update to 21.02-SNAPSHOT to get that functionality.


I would hope that to be the very very last option I have mostly if I do not have ANY other option. As it seems this will be the new normal and it is better to learn it now than later.

I can find references online talking about "hybrid ports", probably making an easy explanation of the native VLAN traffic. There is usually a security feature added, e.g. in Cisco devices, by the command "vlan dot1q tag native", but I think this is not the default by the standard. I will fix this later, but I suppose this is more of a best-practice part than a must that would break my network. If I am mistaken I would prioritize it immediately.

All the (real) Ethernet ports I can see are one. If you are talking about the lan ports, these are all under the br-lan bridge by default, so nothing to do there. The bridges of the VLANs, what should they be bridging? Just a reminder: the ethernet is already bridged, I am trying to connect the wireless interfaces. Should I make the VLAN devices have as their basic physical device the initial bridge (br-lan), the eth0 (switch), or something else, in which case what?

Does this mean that I cannot achieve what I am trying currently?
The official page of my hardware (Xiaomi 4A) suggests that the snapshot builds may brick the device and this is why I am trying to avoid updating further than needed.

Unsure, just a hint if you pull things from a config in the thread and it does not work. My reference was to the 21.02-SNAPSHOT not a master snapshot; not sure if that is your device, but that build might not be recent enough from the date currently showing.

Edit: relevant VLAN setup post, cisco to ...

Just for the sake of completeness and having a solution for the future problems of other people:

The solution might be easier than initially thought. So what I did is, instead of relying on the bridge or the switch (eth0) device to create the VLANs, I manually (!) created entries for the two lan virtual physical ports (so lan1.10, lan2.10 etc.), bridges to bridge each sub-VLAN (so a bridge for lan1.10 and lan2.10), interfaces for the bridges, and assigned these interfaces to the WiFi interfaces, and everything is magically working now. No VLAN settings are needed anymore, nor anything else.
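The layout the poster describes, reconstructed as an added example in 21.02 UCI syntax (not the poster's actual file): an 802.1Q sub-device per physical port and per VLAN, one bridge per VLAN holding those sub-devices, an unmanaged interface on each bridge, and the SSID bound to that interface. It is shown for VLAN 10 (Main) and VLAN 60 (IoT); VLAN 70 (Guests) repeats the same pattern. Port names and VLAN ids come from the thread; the radio name and SSID passphrases are placeholders.

```uci
# /etc/config/network  (added example reconstructing the described solution)

# VLAN 10: a tagged sub-device on each lan port ...
config device
    option name 'lan1.10'
    option type '8021q'
    option ifname 'lan1'
    option vid '10'

config device
    option name 'lan2.10'
    option type '8021q'
    option ifname 'lan2'
    option vid '10'

# ... bridged together so the wireless interface can join the bridge.
config device
    option name 'br-vlan10'
    option type 'bridge'
    list ports 'lan1.10'
    list ports 'lan2.10'

# Unmanaged: the AP gets no address on this VLAN, the main router serves DHCP.
config interface 'vlan10'
    option device 'br-vlan10'
    option proto 'none'

# VLAN 60: same pattern.
config device
    option name 'lan1.60'
    option type '8021q'
    option ifname 'lan1'
    option vid '60'

config device
    option name 'lan2.60'
    option type '8021q'
    option ifname 'lan2'
    option vid '60'

config device
    option name 'br-vlan60'
    option type 'bridge'
    list ports 'lan1.60'
    list ports 'lan2.60'

config interface 'vlan60'
    option device 'br-vlan60'
    option proto 'none'

# /etc/config/wireless  (the SSID is simply bound to the per-VLAN interface)
config wifi-iface 'main_ap'
    option device 'radio1'              # assumed 5 GHz radio
    option mode 'ap'
    option network 'vlan10'
    option ssid 'Main'
    option encryption 'psk2'
    option key 'CHANGE-ME-main'         # placeholder passphrase
```

One thing worth checking with this variant: the stock br-lan bridge still contains lan1 and lan2 as untagged members, so the cable to the switch carries the default LAN untagged alongside the tagged VLANs, which is exactly the tagged/untagged mix an earlier reply advised against. If the untagged LAN is only kept for management, confirm the switch port treats untagged frames as the intended VLAN (or move management onto one of the tagged VLANs and drop br-lan from the trunk).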
