The videos at the following link are a little bit dated but conceptually I believe are not. I might be mistaken but I think the R7800 still uses the old switch interface which I think is depicted in the first video so that might help you too.
the best solution (if you want to do it from luci) is to remove a port from the br.lan bridge and create a new administrative interface "admin" or something else so that you can intervene on br-lan (the other remaining ports) without losing access to the router while modifying br-lan.
r7800/ ipq806x is DSA. Information about swconfig on ipq806x may still be prevalentfrom the olden times, but incorrect (outdated/ obsolete), now it's DSA(-only).
yes perhaps it would be better to create a guide at least for the creation with lights of a separate administrative interface with images in order to help new people but given that the routers where it is possible to install openwrt range from models with a single port to models with many ports it would be really difficult to give graphical feedback on how to do it.
an example could be this: sorry for the unprofessional and/or unclear presence (if that's the case, I apologize in advance).
hoping this helps you...
WARNING: Before continuing, verify that LAN1 is NOT currently being used as your management access to the router (PC connection or primary access path).
If LAN1 is your active connection and you are unsure, do NOT proceed unless you have an alternative access method (WiFi admin network or another LAN port).
plug cable pc to lan1 on router ...
and verify that it has taken an IP address from the configured pool 10.0.0.x now you can intervene on the other br-lan ports without being cut off ....
The problem is fairly simple in that your management network (likely lan) is using device br-lan when you start, but this 'base device' is no longer valid once the bridge-VLANs are defined. This causes the lan interface to become disconnected from the ports, and thus the problem you are experiencing.
To solve that, once the bridge-VLANs are defined, you need to change the device that the lan is using to br-lan.1. Do that before applying the new settings and lan will pick up the newly defined bridge vlan settings.
Meanwhile, there is one other issue -- you have VLAN 1 and VLAN 60 both assigned to port lan4 as untagged. This is an invalid configuration. On any given port, you are allowed zero or one untagged network and zero, one, or many networks tagged. Depending on the purpose of port lan4, you can thus have:
thanks guys for the help. I watched the linked video about DSA in Openwrt and i read all you comments here. I Will try it and let you know when i succeed
Just for clarification - yes i have the newest openwrt Version 25.12.4 installed and the DSA is present.
Here are the pictures how its look right now after freshly resetting the router (because i locked myself out)
just to let you know - i thought some days about my new network config
WAN-Port is connected to a DSL-Modem
LAN1 is uplink to a ZYxEL gsp 1900 8 Port managed POE switch
8 Port Dlink Unmanaged Switch
WNDR3700v4 openwrt AP in bridge mode (extending WIFI in the upper floor)
WIFI with 4 different SSIDs (Main, Guest, Energy, IOT)
and then generated some uci scripts with the help of ki .. for example this one for setting up network and vlan. but perhaps its better to make it manual step by step through lucy.
[admin edit: deleted ai generated scripts per community guidelines]
Since "lan1" is already in use, if you intend to temporarily create an "admin" interface, use "lan2" or "lan4" (not used by you at this time) for testing.
Be careful, tagged traffic is not handled correctly by the unmanagement switch, so the general advice is to replace it.
As a general advice, once you've created all the necessary "VLANs," it's best to use tagged traffic for traffic between the AP/management switch and the main router.
i think i got now the principle behind it. it works - i managed to create to vlans MAIN and IOT_UNTRUSTED. I use Main also when i want to connect with laptop directly to the Router.
when iam ready with configuring my zyxel switch for teh correct vlans i will change Lan-Port1 to taged for VLAN10 - on LAN2 my Musicplayer is connected.
The R7800 ist configured so far with all the vlans
the zyxel GS1900-8HP also works receiving the trunk port from the R7800
Unfortunately the last action i did on the webinterface was to move the ip-config from the device from vlan 1 to vlan 10 ... then i didnt could connect anymore. but i saved the config so i could later try to reset / put in the backup
actual iam trying to configure the bridge-ap wndr3700v4 - also freshly flashed with 25.12.4. could you give me some hints on what the problem could be?
when i login with a wlan client it get no ip/no wifi. actual the bridge-ap is connected through the yellow wan port as trunk to the trunk port from the mainrouter (r7800)
i would expect the main-interface to grab an 10.10.0.x ip from the dhcp of the mainrouter.
here are some infos from the actual config of the brdige-ap:
Is the latest config you posted from the WNDR3700? It is entirely wrong and will not work. You've bridged VLANs (defeating the purpose of them) as well as mixed DSA/bridge-VLAN and swconfig constructs which produces an invalid configuration.
You need to reset and start from scratch.
That said, let's see the configuration of your R7800 first to make sure it is properly configured. Please indicate which port is connected to your GS1900-8HP.
yes. the config is from the wndr3700v4 .. but i startet from scratch with a freshly new openwrt image. so should i make a factory reset?
here is the actual config from my r7800 mainrouter. trunc port to the zyxel is port 1, port 2 is the musciplacer, port 3 for main network, port 4 debuginterface :
so my made a factory reset of the wndr3700v4 - that is the original config that comes with openwrt. should i go on with this or should i clean it up before?
BusyBox v1.37.0 (2026-05-13 22:42:09 UTC) built-in shell (ash)
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt 25.12.4, r32933-4ccb782af7 Dave's Guitar
-----------------------------------------------------
OpenWrt recently switched to the "apk" package manager!
OPKG Command APK Equivalent Description
------------------------------------------------------------------
opkg install <pkg> apk add <pkg> Install a package
opkg remove <pkg> apk del <pkg> Remove a package
opkg upgrade apk upgrade Upgrade all packages
opkg files <pkg> apk info -L <pkg> List package contents
opkg list-installed apk info List installed packages
opkg update apk update Update package lists
opkg search <pkg> apk search <pkg> Search for packages
------------------------------------------------------------------
For more information visit:
https://openwrt.org/docs/guide-user/additional-software/opkg-to-apk-cheatsheet
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
list ipaddr '127.0.0.1/8'
config globals 'globals'
option dhcp_default_duid '00048c8345708b1248c09e25dee63bc51458'
option ula_prefix 'fd15:3ff8:fdc7::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
list ipaddr '192.168.1.1/24'
option ip6assign '60'
config device
option name 'eth0.2'
option macaddr '04:a1:51:80:14:cd'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'
Now that it is reset, you can add your VLANs. Do this for just one to start, prove it works, then do the rest.
For example, let's add VLAN 10, tagged, to port lan 1 on the WNDR3700v4. I'm guessing you're using main as your main trusted lan, so to do this, you'll add the following to the network config:
Note that in the above, I think that logical port 4 corresponds to physical port lan 1, but it's possible that's wrong. The documentation for your device says that logical port 4 doesn't correspond to a physical port, but at the same time I do see it in your default config -- we'll adjust as necessary if this doesn't work.
Once the above is demonstrated to be working, you can move on to the others.
The other VLANs will use similar structures, but will be unmanaged like this:
config switch_vlan
option device 'switch0'
option vlan '20'
option ports '4t 0t'
config device
option name 'br-private'
option type 'bridge'
list ports 'eth0.20'
config interface 'private'
option proto 'none'
option device 'br-private'
wooow. it works. great. when i plug the cable into the port 1 (1st black port at the side of the yellow wan port) i can ping the wndr3700v4 from the r7800's trunk port.
root@OpenWrt:~# ping 10.10.0.2
PING 10.10.0.2 (10.10.0.2): 56 data bytes
64 bytes from 10.10.0.2: seq=12 ttl=64 time=1.189 ms
64 bytes from 10.10.0.2: seq=13 ttl=64 time=0.590 ms
64 bytes from 10.10.0.2: seq=14 ttl=64 time=0.536 ms
so i try now to setup the corresponding wlan and then i will continue with the other vlans.
but when i added the other vlans i could not connect to the router anymore - i had to extract these settings out in failsafe mode that i added before. do you have an idea what could be wrong with that?
config switch_vlan
option device 'switch0'
option vlan '30'
option ports '4t 0t'
config device
option name 'br-guest'
option type 'bridge'
list ports 'eth0.30'
config interface 'guest'
option proto 'none'
option device 'br-guest'
config switch_vlan
option device 'switch0'
option vlan '50'
option ports '4t 0t'
config device
option name 'br-energy'
option type 'bridge'
list ports 'eth0.50'
config interface 'energy'
option proto 'none'
option device 'br-energy'
config switch_vlan
option device 'switch0'
option vlan '60'
option ports '4t 0t'
config device
option name 'br-iot_untrusted'
option type 'bridge'
list ports 'eth0.60'
config interface 'iot_untrusted'
option proto 'none'
option device 'br-iot_untrusted'
WARNING: Before continuing, verify that LAN1 is NOT currently being used as your management access to the router (PC connection or primary access path).
