Wifi clients can't connect to VLAN interface?

hello everyone,

I have been trying for days to get some access points working with some VLANs.

The end goal is to have 3 wifi networks that are isolated from each other and run over the same ethernet cable.

here is an overview of my current network

The issue I'm currently facing is that both APs can get an IP via DHCP from the main router, but any client trying to connect via wifi does not get an IP or does not stay connected.

Here is the configuration for the main router, Switch1 and AP1. Switch2 and AP2 are configured the same way as Switch1 and AP1.

Main

root@Main:~# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "Main",
        "system": "ARMv8 Processor rev 4",
        "model": "reyee AX3200 E5",
        "board_name": "reyee,ax3200-e5",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "mediatek/mt7622",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
root@Main:~# cat /etc/config/network

# /etc/config/network on "Main" (OpenWrt 23.05.2, mediatek/mt7622, i.e. a DSA
# switch target). NOTE(review): the 8021q sub-devices (lanX.20 / lanX.30) and
# the bridges built on top of them are the old swconfig-style VLAN layout; a
# reply later in this thread says this router needs the DSA bridge-VLAN syntax.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd65:e5d6:c4f5::/48'

# Main LAN bridge: lan1, lan3 and lan4 untagged. lan2 is left out (it only
# carries VLAN 30, see the end of the file). 'private_VPN' is not defined as a
# device anywhere in this file, and a WireGuard interface is layer 3 so it
# cannot be a bridge port — this entry is presumably ignored; confirm.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'private_VPN'

# Per-port MAC overrides. lan1/lan3/lan4 share one MAC while lan2 ends in
# ':22' — verify that difference is intended and not a typo.
config device
        option name 'lan1'
        option macaddr '28:d0:f5:a2:7b:0e'

config device
        option name 'lan2'
        option macaddr '28:d0:f5:a2:7b:22'

config device
        option name 'lan3'
        option macaddr '28:d0:f5:a2:7b:0e'

config device
        option name 'lan4'
        option macaddr '28:d0:f5:a2:7b:0e'

# Main LAN, 192.168.1.1/24. Both APs and the switch take their management
# addresses from this network.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '1.1.1.1'

# WAN uplink via DHCP.
# NOTE(review): the macaddr ends in a stray 'u' ("…:60u"), which is not a
# valid MAC, so the override is most likely not applied. 'option type bridge'
# inside an interface section is pre-21.02 syntax; on 23.05 a bridge belongs
# in a 'config device' section — confirm whether netifd still honours it here.
config interface 'wan'
        option proto 'dhcp'
        option broadcast '1'
        option device 'wan'
        option type 'bridge'
        option macaddr '96:ab:a6:b8:a9:60u'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option type 'bridge'

# Guest network, 192.168.2.1/24, on VLAN 20 via br-guest (defined below).
config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option device 'br-guest'
        list dns '1.1.1.1'

# Camera / IoT network, 10.10.10.1/24, on VLAN 30 via br-camera (defined below).
config interface 'cameras'
        option proto 'static'
        option ipaddr '10.10.10.1'
        option device 'br-camera'
        option netmask '255.255.255.0'

# VLAN 20 tagged on lan3 and lan4.
config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'lan3.20'
        list ports 'lan4.20'

# VLAN 30 tagged on lan2, lan3 and lan4.
config device
        option type 'bridge'
        option name 'br-camera'
        list ports 'lan2.30'
        list ports 'lan3.30'
        list ports 'lan4.30'

# 802.1Q sub-devices backing the two bridges above (lan2.30 is defined at the
# very end of the file).
config device
        option type '8021q'
        option ifname 'lan3'
        option vid '20'
        option name 'lan3.20'

config device
        option type '8021q'
        option ifname 'lan3'
        option vid '30'
        option name 'lan3.30'

config device
        option type '8021q'
        option ifname 'lan4'
        option vid '20'
        option name 'lan4.20'

config device
        option type '8021q'
        option ifname 'lan4'
        option vid '30'
        option name 'lan4.30'

# WireGuard server on UDP 51820, 10.10.14.1/24. The firewall opens 51820 twice
# (an ACCEPT rule and a DNAT redirect to 192.168.1.1); one of the two is
# redundant. MTU 1280 is the IPv6 minimum — a safe choice for a roaming phone.
config interface 'wg_vpn'
        option proto 'wireguard'
        option private_key 'REDACTED'
        option listen_port '51820'
        list addresses '10.10.14.1/24'
        option mtu '1280'

# Peer "phone", 10.10.14.2/32. NOTE(review): 'private_key' is not a peer
# option — a peer is identified by its public key (plus the optional preshared
# key). If this is the phone's real private key it should exist only on the
# phone; consider generating a fresh key pair for that peer.
config wireguard_wg_vpn
        option public_key 'REDACTED'
        option preshared_key 'REDACTED'
        option description 'phone'
        list allowed_ips '10.10.14.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option private_key 'REDACTED'

# VLAN 30 on lan2, the camera-only port.
config device
        option type '8021q'
        option ifname 'lan2'
        option vid '30'
        option name 'lan2.30'

root@Main:~# cat /etc/config/wireless

# /etc/config/wireless on "Main". Both radios declare country 'US' (the AP1
# config later in the thread does not).

# 2.4 GHz radio, channel 2, HT40.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/18000000.wmac'
        option band '2g'
        option cell_density '0'
        option htmode 'HT40'
        option channel '2'
        option country 'US'

# 5 GHz radio, channel 36, VHT20.
config wifi-device 'radio1'
        option type 'mac80211'
        option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option cell_density '0'
        option channel '36'
        option htmode 'VHT20'
        option country 'US'

# Main 5 GHz SSID, WPA2-PSK, bridged into 'lan'.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option key 'REDACTED'
        option ssid 'MotherOfDragons-5G'

# Main 2.4 GHz SSID, WPA2-PSK, bridged into 'lan'.
config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'MotherOfDragons'
        option encryption 'psk2'
        option key 'REDACTED'
        option network 'lan'

# Guest SSID: open (no encryption), so anyone in radio range can join.
# 'isolate 1' stops guest clients from talking to each other through this AP;
# what they can reach beyond the AP is decided by the GuestZone section in
# /etc/config/firewall, so that zone's 'input' policy matters a lot here.
config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid 'MotherOfDragons-Guest'
        option encryption 'none'
        option isolate '1'
        option network 'guest'

# Camera / IoT SSID, WPA2-PSK, lands in the 'cameras' network (VLAN 30).
config wifi-iface 'wifinet6'
        option device 'radio0'
        option mode 'ap'
        option ssid 'cameras'
        option encryption 'psk2'
        option network 'cameras'
        option key 'REDACTED'

root@Main:~# cat /etc/config/dhcp

# /etc/config/dhcp on "Main": dnsmasq serves DHCP and DNS for lan, guest and
# cameras. Static leases for the main LAN and for the camera VLAN follow.

# rebind_protection drops upstream answers that resolve to private addresses
# (DNS-rebinding defence); localservice answers DNS only for hosts on directly
# attached subnets. 'dhcpscript' is a non-default lease hook (presumably the
# iptmon traffic-accounting package) that runs on every lease event — worth
# remembering when debugging DHCP.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option dhcpscript '/usr/sbin/iptmon'

# Main LAN pool 192.168.1.50–.249, with DHCPv6/RA. Clients are handed 1.1.1.1
# as resolver (dhcp_option 6), so they bypass the router's dnsmasq for DNS.
config dhcp 'lan'
        option interface 'lan'
        option start '50'
        option limit '200'
        option leasetime '24h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dns '2606:4700:4700::1111'
        list dhcp_option '6,1.1.1.1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Static leases on the main LAN. 'dns 1' additionally publishes the name in
# local DNS. Note that 192.168.1.4 and 192.168.1.108 are the hosts the WAN
# port forwards in /etc/config/firewall point at.
config host
        option name 'alex-pc'
        option dns '1'
        option mac 'B4:2E:99:6E:20:D1'
        option ip '192.168.1.90'
        option duid '0004443d74464a82e88761a9940d587eedfd'

config host
        option name 'supermicrogameserver'
        option ip '192.168.1.108'
        option mac '0C:C4:7A:0C:15:D0'

config host
        option ip '192.168.1.203'
        option mac 'BC:60:A7:E0:C5:67'

config host
        option name 'pterlocalnode1'
        option ip '192.168.1.107'
        option mac '00:A0:98:6B:AF:51'

config host
        option name 'wlan0'
        option ip '192.168.1.111'
        option mac '18:69:D8:7E:3D:C1'

# NOTE(review): the name 'pterodactyl' is used twice (192.168.1.144 here and
# 192.168.1.211 further down); local DNS can only map that name to one of them.
config host
        option name 'pterodactyl'
        option ip '192.168.1.144'
        option mac '00:A0:98:11:7C:41'

config host
        option name 'mailu'
        option ip '192.168.1.236'
        option mac '00:A0:98:0D:66:7F'

config host
        option name 'mainsailos'
        option ip '192.168.1.145'
        option mac 'D8:3A:DD:47:14:1B'

config host
        option name 'server'
        option dns '1'
        option mac '00:25:90:E9:75:DE'
        option ip '192.168.1.4'

config host
        option name 'pterodactyl'
        option ip '192.168.1.211'
        option mac '00:A0:98:68:E7:04'

config host
        option name 'wled-WLED'
        option ip '192.168.1.202'
        option mac 'AC:0B:FB:CF:BC:EE'

config host
        option name 'PterNode'
        option ip '192.168.1.225'
        option mac 'BC:24:11:89:4A:21'

config host
        option name 'HomeAssistant'
        option ip '192.168.1.188'
        option mac 'BC:24:11:E2:F0:D7'

# Guest pool 192.168.2.50–.249; resolver 1.1.1.1 handed out directly, so guest
# clients do not need DNS from the router at all (only DHCP on 67/68).
config dhcp 'guest'
        option interface 'guest'
        option start '50'
        option limit '200'
        option leasetime '24h'
        list dhcp_option '6,1.1.1.1'

# Camera pool 10.10.10.50–.249. 'force 1' serves DHCP here even if dnsmasq
# detects another DHCP server on the segment.
config dhcp 'cameras'
        option interface 'cameras'
        option start '50'
        option limit '200'
        option leasetime '24h'
        option force '1'

# NOTE(review): MAC BC:24:11:AD:46:CF is given two leases on the same subnet
# ('proxmox' 192.168.1.184 and 'cameras' 192.168.1.200), and BC:24:11:DD:AD:3F
# likewise ('proxmoxPrivate' 10.10.10.184 and 'camerasPrivate' 10.10.10.200).
# One MAC can hold only one lease per subnet, so confirm which entry is meant.
config host
        option ip '192.168.1.184'
        option name 'proxmox'
        list mac 'BC:24:11:AD:46:CF'

config host
        option name 'proxmoxPrivate'
        option ip '10.10.10.184'
        list mac 'BC:24:11:DD:AD:3F'

# Wired cameras on VLAN 30.
config host
        option name 'camera1'
        option mac 'EC:71:DB:A7:55:30'
        option ip '10.10.10.50'

config host
        option name 'camera2'
        option mac 'EC:71:DB:65:32:81'
        option ip '10.10.10.51'

config host
        option name 'camera3'
        option mac '00:96:C0:46:88:53'
        option ip '10.10.10.52'

config host
        option name 'cameras'
        list mac 'BC:24:11:AD:46:CF'
        option ip '192.168.1.200'

config host
        option name 'camerasPrivate'
        list mac 'BC:24:11:DD:AD:3F'
        option ip '10.10.10.200'

# Wireless cameras, expected on the 'cameras' SSID.
config host
        option name 'wificamera1'
        option ip '10.10.10.100'
        list mac '38:BE:AB:76:F6:BA'

config host
        option name 'wificamera2'
        option ip '10.10.10.101'
        list mac '38:BE:AB:1C:80:55'

root@Main:~# cat /etc/config/firewall

# /etc/config/firewall on "Main" (fw4). Zones: wan, lan (+ wg_vpn), GuestZone,
# CameraZone. The 'defaults' input policy is ACCEPT, so any zone that does not
# set its own 'input' lets its clients reach every service on the router.

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# WAN: nothing in unless a rule/redirect below allows it; NAT outbound.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

# LAN zone also contains wg_vpn, so VPN peers get the same rights as a wired
# LAN host (full router access, full LAN access).
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg_vpn'

config forwarding
        option src 'lan'
        option dest 'wan'

# Stock OpenWrt WAN-side rules (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6,
# IPsec); unchanged from the defaults.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Port forwards from the internet into the LAN zone. Where a redirect has no
# 'proto', fw4 applies its default of both TCP and UDP (confirm), so e.g.
# 'minecraft', 'gmod - jazz', 'val', 'palworld' and the honeypot entries open
# both protocols. Everything forwarded here lands in the trusted 'lan' zone,
# which has forward ACCEPT — a compromised target can reach the whole LAN.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'web'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.1.4'
        option dest_port '980'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'web https'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.1.4'
        option dest_port '9443'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'pter 1'
        list proto 'tcp'
        option src 'wan'
        option src_dport '8080'
        option dest_port '8080'
        option dest_ip '192.168.1.108'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'pter 2'
        list proto 'tcp'
        option src 'wan'
        option src_dport '2022'
        option dest_port '2022'
        option dest_ip '192.168.1.108'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'minecraft'
        option src 'wan'
        option src_dport '25565-25575'
        option dest_ip '192.168.1.108'
        option dest_port '25565-25575'

# NOTE(review): this exposes a database port (3306) directly to the internet.
# If remote DB access is really needed, limit it with 'src_ip' or reach it
# over the WireGuard VPN that is already configured instead of a forward.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'mariadb'
        list proto 'tcp'
        option src 'wan'
        option src_dport '3306'
        option dest_ip '192.168.1.4'
        option dest_port '3306'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'factorio'
        list proto 'udp'
        option src 'wan'
        option src_dport '34197'
        option dest_ip '192.168.1.108'
        option dest_port '34197'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '24454'
        list proto 'udp'
        option src 'wan'
        option src_dport '24454'
        option dest_ip '192.168.1.108'
        option dest_port '24454'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'gmod - jazz'
        option src 'wan'
        option src_dport '27015-27020'
        option dest_port '27015-27020'
        option dest_ip '192.168.1.108'

# Policy-based-routing package hook.
config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

# Redundant with the 'Allow-WireGuard-vpn-wan' rule at the end of the file:
# the WireGuard listener is on the router itself, so an input ACCEPT rule is
# sufficient and no DNAT is needed.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'wireguard'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '192.168.1.1'
        option dest_port '51820'

# Honeypot forwards (SSH, Telnet, FTP, SMB, TFTP — port 69 is TFTP, not SFTP)
# to 192.168.1.161. NOTE(review): that host sits inside the trusted 'lan' zone
# with forward ACCEPT. A honeypot exists to be attacked; it should live in its
# own zone/VLAN with no path to the LAN so a compromise there stays contained.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'honeypot_cowrie'
        option src 'wan'
        option src_dport '22'
        option dest_ip '192.168.1.161'
        option dest_port '22'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'honeypot_cowrie2'
        option src 'wan'
        option src_dport '23'
        option dest_ip '192.168.1.161'
        option dest_port '23'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'dionaea_ftp'
        option src 'wan'
        option src_dport '21'
        option dest_ip '192.168.1.161'
        option dest_port '21'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'dionaea_smb'
        option src 'wan'
        option src_dport '445'
        option dest_ip '192.168.1.161'
        option dest_port '445'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'dionaea_sftp'
        option src 'wan'
        option src_dport '69'
        option dest_ip '192.168.1.161'
        option dest_port '69'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'rdio'
        option src 'wan'
        option src_dport '5568'
        option dest_ip '192.168.1.108'
        option dest_port '3000'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'val'
        option src 'wan'
        option src_dport '2456-2466'
        option dest_ip '192.168.1.108'
        option dest_port '2456-2466'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'palworld'
        option src 'wan'
        option src_dport '8211'
        option dest_ip '192.168.1.225'
        option dest_port '8211'

# Guest zone. NOTE(review): 'input ACCEPT' lets clients of the open guest SSID
# reach every service on the router (LuCI, SSH, DNS, ...). The usual guest
# pattern is input REJECT here plus the 'guest DHCP and DNS' rule below — that
# rule already exists, so `option input 'REJECT'` is the one-line change.
# 'forward ACCEPT' only covers traffic within this zone; there is no
# guest→lan forwarding, which is correct.
config zone
        option name 'GuestZone'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'guest'

# Camera zone: same 'input ACCEPT' concern as GuestZone. No forwarding from
# CameraZone to wan or lan is defined, so cameras have no internet access —
# reasonable for IoT if that is intended.
config zone
        option name 'CameraZone'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'cameras'

config forwarding
        option src 'GuestZone'
        option dest 'wan'

# Router-side DHCP/DNS for the two isolated zones (no 'proto' → tcp and udp).
# These only matter once the zones' 'input' is tightened to REJECT.
config rule
        option name 'guest DHCP and DNS'
        option src 'GuestZone'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config rule
        option name 'Cameras DHCP and DNS'
        option src 'CameraZone'
        option dest_port '53 67 68'
        option target 'ACCEPT'

# WireGuard listener on the router (see the redundant 'wireguard' redirect).
config rule 'wg_rule_vpn'
        option name 'Allow-WireGuard-vpn-wan'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

Switch1

root@Switch1:~# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "Switch1",
        "system": "Intel(R) Pentium(R) CPU  @ 1.50GHz",
        "model": "Cisco MX100-HW",
        "board_name": "cisco-mx100-hw",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "x86/64",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
root@Switch1:~# cat /etc/config/network

# /etc/config/network on "Switch1" (Cisco MX100-HW running OpenWrt 23.05.2,
# used as a plain switch). Every physical port — including 'mgmt' and 'wan' —
# is an untagged member of br-lan; VLANs 20/30 are tagged only on eth2/eth4,
# presumably the trunks towards Main and AP1 (not stated in the thread).

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2f:400a:2ca0::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'
        list ports 'eth5'
        list ports 'eth6'
        list ports 'eth7'
        list ports 'eth8'
        list ports 'eth9'
        list ports 'eth10'
        list ports 'eth11'
        list ports 'mgmt'
        list ports 'wan'

# Management address 192.168.1.5 on the main LAN. No 'gateway' here — the
# only default route in this file comes from the 'cameras' section below.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.5'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '1.1.1.1'

config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'eth2.20'
        list ports 'eth4.20'

config device
        option type 'bridge'
        option name 'br-camera'
        list ports 'eth2.30'
        list ports 'eth4.30'

config device
        option type '8021q'
        option ifname 'eth2'
        option vid '20'
        option name 'eth2.20'

config device
        option type '8021q'
        option ifname 'eth2'
        option vid '30'
        option name 'eth2.30'

config device
        option type '8021q'
        option ifname 'eth4'
        option vid '20'
        option name 'eth4.20'

config device
        option type '8021q'
        option ifname 'eth4'
        option vid '30'
        option name 'eth4.30'

# NOTE(review): 'list ipaddr' carries no prefix length and there is no
# 'netmask' (compare 'guest' below) — confirm the resulting mask. The
# 'gateway' makes the switch's default route point into the camera VLAN
# rather than the main LAN. A switch that only bridges does not need an
# address on the guest/camera VLANs at all; every address it has there is a
# management endpoint reachable from those less-trusted networks.
config interface 'cameras'
        option proto 'static'
        option device 'br-camera'
        list ipaddr '10.10.10.5'
        option gateway '10.10.10.1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.5'
        option netmask '255.255.255.0'

root@Switch1:~# cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory
root@Switch1:~# cat /etc/config/dhcp

# /etc/config/dhcp on "Switch1". DHCP serving is disabled on every interface
# ('ignore 1'); dnsmasq still runs as a local DNS cache on 192.168.1.5.

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# DHCP relay from 192.168.1.5 to Main (192.168.1.1). NOTE(review): no
# 'interface' is given, so it is unclear which network this relays for; on a
# flat bridge the clients already reach Main's DHCP directly, so this section
# is presumably unnecessary — confirm.
config relay
        option local_addr '192.168.1.5'
        option server_addr '192.168.1.1'

root@Switch1:~# cat /etc/config/firewall

# /etc/config/firewall on "Switch1": defaults only, no zones. With input
# ACCEPT and no zones, the switch's own services (SSH/LuCI) are reachable on
# every address it holds — including 192.168.2.5 on the guest VLAN and
# 10.10.10.5 on the camera VLAN. Dropping those addresses in
# /etc/config/network is the simplest way to keep its management plane off
# the less-trusted networks.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

AP1

root@AP1:~# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "AP1",
        "system": "ARMv8 Processor rev 4",
        "model": "reyee AX3200 E5",
        "board_name": "reyee,ax3200-e5",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "mediatek/mt7622",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
root@AP1:~# cat /etc/config/network

# /etc/config/network on "AP1" (reyee AX3200 E5, OpenWrt 23.05.2). The uplink
# is the 'wan' port: br-lan bridges only 'wan', and VLANs 20/30 are tagged on
# it. (A reply in the thread flags this; the poster later moved the uplink to
# LAN1.)

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd80:6deb:7a96::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'wan'

# All four LAN ports share one MAC; none of them is bridged anywhere.
config device
        option name 'lan1'
        option macaddr '28:d0:f5:56:4e:43'

config device
        option name 'lan2'
        option macaddr '28:d0:f5:56:4e:43'

config device
        option name 'lan3'
        option macaddr '28:d0:f5:56:4e:43'

config device
        option name 'lan4'
        option macaddr '28:d0:f5:56:4e:43'

# Management address 192.168.1.2. No 'gateway' and no 'dns', so the AP itself
# cannot reach the internet (NTP, package updates); wireless clients are
# unaffected because they are bridged, not routed.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option type '8021q'
        option ifname 'wan'
        option vid '20'
        option name 'wan.20'

config device
        option type 'bridge'
        option name 'br-camera'
        list ports 'wan.30'

config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'wan.20'

# NOTE(review): like the switch, the AP gives itself an address on the guest
# and camera VLANs. With the AP's firewall at input ACCEPT and no zones, its
# management services become reachable from the open guest SSID. A bridge-only
# AP does not need these addresses; 'proto none' on the bridge is enough to
# carry the VLAN to the SSIDs.
config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.2'
        option netmask '255.255.255.0'

config interface 'cameras'
        option proto 'static'
        option device 'br-camera'
        option ipaddr '10.10.10.2'
        option netmask '255.255.255.0'

config device
        option type '8021q'
        option ifname 'wan'
        option vid '30'
        option name 'wan.30'

root@AP1:~# cat /etc/config/wireless

# /etc/config/wireless on "AP1". Same SSIDs and channels (2 / 36) as Main.
# NOTE(review): neither radio sets 'country' (Main sets 'US'); without it the
# driver falls back to the world regulatory domain — set it explicitly.

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/18000000.wmac'
        option channel '2'
        option band '2g'
        option htmode 'HT40'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT20'
        option cell_density '0'

# Main 2.4 GHz SSID, WPA2-PSK, bridged into 'lan'.
config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'MotherOfDragons'
        option encryption 'psk2'
        option key 'REDACTED'
        option network 'lan'

# Guest SSID: open network. NOTE(review): unlike Main's guest SSID this one
# has no `option isolate '1'`, so guest clients on AP1 can talk to each other
# through the AP — add it for parity.
config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid 'MotherOfDragons-Guest'
        option encryption 'none'
        option network 'guest'

# Camera / IoT SSID, WPA2-PSK, into the 'cameras' bridge (VLAN 30).
config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'cameras'
        option encryption 'psk2'
        option key 'REDACTED'
        option network 'cameras'

# Main 5 GHz SSID, WPA2-PSK, bridged into 'lan'.
config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'MotherOfDragons-5G'
        option encryption 'psk2'
        option key 'REDACTED'
        option network 'lan'

root@AP1:~# cat /etc/config/dhcp

# /etc/config/dhcp on "AP1" — stock defaults apart from the two 'ignore'
# sections at the end.

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

# NOTE(review): this is a live second DHCPv4/DHCPv6/RA server on the same
# 192.168.1.0/24 segment as Main. Whichever server answers first wins, and a
# lease from the AP presumably carries the AP's own address (192.168.1.2) as
# router — the AP has no gateway of its own — so such clients get an IP but no
# working connectivity. That matches the symptom in the thread. A bridge-only
# AP should not serve DHCP: add `option ignore '1'` here, exactly as the
# 'cameras' and 'guest' sections below already do.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# No DHCP on the camera or guest bridges — Main serves those VLANs.
config dhcp 'cameras'
        option interface 'cameras'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ignore '1'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ignore '1'

root@AP1:~# cat /etc/config/firewall

# /etc/config/firewall on "AP1": defaults only, no zones — identical to
# Switch1. The AP's own SSH/LuCI are therefore reachable on all of its
# addresses, including 192.168.2.2 on the guest VLAN; see the note on the
# 'guest' interface in /etc/config/network.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

Your `list ports` entries for guest and camera are associated with the WAN port.

I just changed AP1 to get everything from LAN1, but I'm still seeing the same issues.

It seems to be getting an IP, but the client won't stay connected for some reason.

Your main router's VLAN and bridge constructs are incorrect -- you need to use DSA syntax, specifically bridge-VLANs.

There are numerous issues with your main router's configuration. The best thing to do is to reset to defaults and then provide the configuration (in its default state) here. In addition, tell us what you want in terms of port-vlan membership (which VLANs on which ports, tagged or untagged), and we can help you with the proper setup.

I haven't looked at your other devices yet, but we need to start at the main router.

I have gone ahead and reset the main router config; the only things I copied over from the old config were the static leases and port forwarding.

Here's the overview:
vlan 20 is for the guest network 192.168.2.1/24
vlan 30 is for the cameras/iot devices network 10.10.10.1/24

VLAN 20 should go to LAN3 and LAN4
VLAN 30 should go to LAN2, LAN3 and LAN4

LAN1, LAN3 and LAN4 should carry the main network (192.168.1.1/24) as well.

Here is the default configuration with the changes I mentioned earlier.

root@Main:~# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "Main",
        "system": "ARMv8 Processor rev 4",
        "model": "reyee AX3200 E5",
        "board_name": "reyee,ax3200-e5",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "mediatek/mt7622",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
root@Main:~# cat /etc/config/network

# /etc/config/network on "Main" after the factory reset: stock layout, all
# four LAN ports untagged in br-lan, no VLANs yet. The port plan stated above
# (VLAN 20 on lan3/lan4, VLAN 30 on lan2/lan3/lan4, untagged LAN on
# lan1/lan3/lan4) still has to be expressed — on this DSA target that is done
# with 'config bridge-vlan' sections on br-lan, as the earlier reply says,
# not with per-port 8021q sub-devices.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd06:ed2a:4527::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# All four ports now share one MAC (the pre-reset config had lan2 on ':22').
config device
        option name 'lan1'
        option macaddr '28:d0:f5:a2:7b:0e'

config device
        option name 'lan2'
        option macaddr '28:d0:f5:a2:7b:0e'

config device
        option name 'lan3'
        option macaddr '28:d0:f5:a2:7b:0e'

config device
        option name 'lan4'
        option macaddr '28:d0:f5:a2:7b:0e'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# Stock WAN: the malformed 'macaddr' and the legacy 'type bridge' from the
# old config are gone.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

root@Main:~# cat /etc/config/wireless

# /etc/config/wireless on "Main" after the reset: stock defaults. Both radios
# are 'disabled 1', so nothing is on the air yet. NOTE(review): the default
# SSIDs are open ('encryption none') and bridged straight into 'lan' — set
# 'psk2' + a key (and the country) before removing 'disabled', otherwise the
# main LAN is briefly exposed as an open network.

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/18000000.wmac'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

root@Main:~# cat /etc/config/dhcp

# /etc/config/dhcp on "Main" after the reset: stock dnsmasq/odhcpd settings
# plus the static leases carried over from the old config (the listing is cut
# off partway through the host entries below).

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

# Main LAN pool 192.168.1.100–.249 (the old config used .50–.249). No
# 'guest' / 'cameras' dhcp sections exist yet; they are needed once those
# interfaces are recreated.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Static leases copied from the old config; same MACs and addresses as before.
config host
        option name 'alex-pc'
        option dns '1'
        option mac 'B4:2E:99:6E:20:D1'
        option ip '192.168.1.90'
        option duid '0004443d74464a82e88761a9940d587eedfd'

config host
        option name 'supermicrogameserver'
        option ip '192.168.1.108'
        option mac '0C:C4:7A:0C:15:D0'

config host
        option ip '192.168.1.203'
        option mac 'BC:60:A7:E0:C5:67'

config host
        option name 'pterlocalnode1'
        option ip '192.168.1.107'
        option mac '00:A0:98:6B:AF:51'

config host
        option name 'wlan0'
        option ip '192.168.1.111'
        option mac '18:69:D8:7E:3D:C1'

# NOTE(review): 'pterodactyl' is reused as a name for a second host further
# down (192.168.1.211 in the old config); local DNS can only map it to one.
config host
        option name 'pterodactyl'
        option ip '192.168.1.144'
        option mac '00:A0:98:11:7C:41'

config host
        option name 'mailu'
        option ip '192.168.1.236'
        option mac '00:A0:98:0D:66:7F'

config host
        option name 'mainsailos'
        option ip '192.168.1.145'
        option mac 'D8:3A:DD:47:14:1B'

config host
        option name 'server'
        option dns '1'
        option mac '00:25:90:E9:75:DE'
        option ip '192.168.1.4'
config host
        option name 'pterodactyl'
        option ip '192.168.1.211'
        option mac '00:A0:98:68:E7:04'

config host
        option name 'wled-WLED'
        option ip '192.168.1.202'
        option mac 'AC:0B:FB:CF:BC:EE'

config host
        option name 'PterNode'
        option ip '192.168.1.225'
        option mac 'BC:24:11:89:4A:21'

config host
        option name 'HomeAssistant'
        option ip '192.168.1.188'
        option mac 'BC:24:11:E2:F0:D7'

config host
        option ip '192.168.1.184'
        option name 'proxmox'
        list mac 'BC:24:11:AD:46:CF'

config host
        option name 'proxmoxPrivate'
        option ip '10.10.10.184'
        list mac 'BC:24:11:DD:AD:3F'

config host
        option name 'camera1'
        option mac 'EC:71:DB:A7:55:30'
        option ip '10.10.10.50'

config host
        option name 'camera2'
        option mac 'EC:71:DB:65:32:81'
        option ip '10.10.10.51'

config host
        option name 'camera3'
        option mac '00:96:C0:46:88:53'
        option ip '10.10.10.52'

config host
        option name 'cameras'
        list mac 'BC:24:11:AD:46:CF'
        option ip '192.168.1.200'

config host
        option name 'camerasPrivate'
        list mac 'BC:24:11:DD:AD:3F'
        option ip '10.10.10.200'

config host
        option name 'wificamera1'
        option ip '10.10.10.100'
        list mac '38:BE:AB:76:F6:BA'

config host
        option name 'wificamera2'
        option ip '10.10.10.101'
        list mac '38:BE:AB:1C:80:55'
root@Main:~# cat /etc/config/firewall

# Default chain policies: anything that does not match a zone below is
# rejected on input and forward. An interface that is not listed in any
# zone (e.g. a new guest/cameras interface that has not been added to a
# zone yet) falls under these defaults, so its clients get no DHCP or
# DNS from the router until a zone is defined for it.
config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# 'lan' zone: fully open to the router and to other lan interfaces. It
# covers only the 'lan' network at this point.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# 'wan' zone: nothing in unless allowed below; NAT (masq) and MSS
# clamping (mtu_fix) for outbound traffic.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

# Stock OpenWrt input rules for the wan zone (DHCP renew, ping, IGMP,
# DHCPv6, MLD, ICMPv6) follow unchanged.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock IPsec pass-through rules (ESP and IKE/500 forwarded into lan).
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# ---- Port forwards (DNAT from wan into lan) -------------------------
# Redirects without a 'proto' line fall back to the firewall default
# (tcp and udp together) - confirm that is intended for each of them.
# All targets currently sit in the one flat 192.168.1.0/24 LAN.

# 192.168.1.4 ('server'): web on 980/9443 behind public 80/443.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'web'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.1.4'
        option dest_port '980'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'web https'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.1.4'
        option dest_port '9443'

# 192.168.1.108 ('supermicrogameserver'): game/panel ports.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'pter 1'
        list proto 'tcp'
        option src 'wan'
        option src_dport '8080'
        option dest_port '8080'
        option dest_ip '192.168.1.108'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'pter 2'
        list proto 'tcp'
        option src 'wan'
        option src_dport '2022'
        option dest_port '2022'
        option dest_ip '192.168.1.108'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'minecraft'
        option src 'wan'
        option src_dport '25565-25575'
        option dest_ip '192.168.1.108'
        option dest_port '25565-25575'

# NOTE: this exposes the MariaDB listener on 192.168.1.4 directly to the
# Internet. Database ports on a public address are a standing
# brute-force/exploit target; if only the web application on the same
# host needs the database, this redirect can be removed (or restricted
# with src_ip to the specific remote addresses that need it).
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'mariadb'
        list proto 'tcp'
        option src 'wan'
        option src_dport '3306'
        option dest_ip '192.168.1.4'
        option dest_port '3306'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'factorio'
        list proto 'udp'
        option src 'wan'
        option src_dport '34197'
        option dest_ip '192.168.1.108'
        option dest_port '34197'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '24454'
        list proto 'udp'
        option src 'wan'
        option src_dport '24454'
        option dest_ip '192.168.1.108'
        option dest_port '24454'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'gmod - jazz'
        option src 'wan'
        option src_dport '27015-27020'
        option dest_port '27015-27020'
        option dest_ip '192.168.1.108'

# WireGuard: DNAT to the router's own LAN address (192.168.1.1). The
# usual form for a service running on the router itself is an input
# ACCEPT rule on the wan zone for udp/51820; verify this redirect
# behaves as intended before relying on it.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'wireguard'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '192.168.1.1'
        option dest_port '51820'

# Honeypot host 192.168.1.161: deliberately exposed decoys on 22, 23,
# 21, 445 and 69 (rule names say cowrie / dionaea). It sits in the same
# flat LAN as the web, database and game hosts above, so anything that
# gets a foothold on the decoy has direct L2 reach to them. With the VLAN
# work in this thread, giving it its own VLAN/zone with no forwarding to
# 'lan' is the natural next step. 'dionaea_sftp' on port 69 is TFTP, not
# SFTP - the name is a misnomer.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'honeypot_cowrie'
        option src 'wan'
        option src_dport '22'
        option dest_ip '192.168.1.161'
        option dest_port '22'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'honeypot_cowrie2'
        option src 'wan'
        option src_dport '23'
        option dest_ip '192.168.1.161'
        option dest_port '23'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'dionaea_ftp'
        option src 'wan'
        option src_dport '21'
        option dest_ip '192.168.1.161'
        option dest_port '21'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'dionaea_smb'
        option src 'wan'
        option src_dport '445'
        option dest_ip '192.168.1.161'
        option dest_port '445'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'dionaea_sftp'
        option src 'wan'
        option src_dport '69'
        option dest_ip '192.168.1.161'
        option dest_port '69'

# Public 5568 -> 192.168.1.108:3000 (port-translated).
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'rdio'
        option src 'wan'
        option src_dport '5568'
        option dest_ip '192.168.1.108'
        option dest_port '3000'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'val'
        option src 'wan'
        option src_dport '2456-2466'
        option dest_ip '192.168.1.108'
        option dest_port '2456-2466'

# 192.168.1.225 ('PterNode').
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'palworld'
        option src 'wan'
        option src_dport '8211'
        option dest_ip '192.168.1.225'
        option dest_port '8211'

just my advice: there are a couple of ways vlans can be configured; for me the logic below is something i can easily comprehend and follow. maybe it can be useful for you as well.

  1. whatever approach you take make tiny steps: create one extra vlan, extend to one switch, to one ap at a time. if that works then you can extend setup further.
  2. i'd separate logical and physical networks by introducing a new layer.
# create a bridge which covers all physical ports
# instead of the default configuration, e.g. physical ports in br-lan
# "physical" layer
# (the reply that follows in this thread states this two-bridge layout
# is not valid for DSA targets; see the bridge-vlan-on-br-lan form given
# later before copying it)
config device
        option type 'bridge'
        option name 'sw0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

# then you can create your vlans as you wish
# this connects the "physical" layer with the "logical"
# "logical" layer which is bound to a vlan, i.e. only the respective vlan's traffic is handled
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'sw0.x'

config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'sw0.y'

# you can specify which port is native or trunk etc
# eth1 is untagged, native port in vlan.x ('u*' = untagged + PVID)
# eth4 is tagged ('t'), i.e. the trunk carrying both vlans
config bridge-vlan
        option device 'sw0'
        option vlan 'x'
        list ports 'eth1:u*'
        list ports 'eth4:t'

# eth2 is untagged, native port in vlan.y
# eth4 is tagged
config bridge-vlan
        option device 'sw0'
        option vlan 'y'
        list ports 'eth2:u*'
        list ports 'eth4:t'

# set your interfaces on top  of the vlan bridges
# "logical" networks, each are in its own vlan
# (addresses, DHCP pools and - importantly - separate firewall zones for
# each network are left out of this sketch and still have to be added)
config interface 'lan'
        option device 'br-lan'
        option proto 'static'

config interface 'guest'
       option device 'br-guest'
        option proto 'static'

# then you can connect wired network with wifi as usual

the idea is that by adding sw0 as a "physical" layer you can configure which ports are part of which vlan, and it is responsible for proper tagging (=config bridge-vlan) if you want to extend your network over multiple switches/aps. once tagging is done in sw0, then on top of it br-lan and br-guest will only be part of the respective vlan (=list port sw0.x), as isolation is already done within sw0. and then, as usual, you can assign interfaces to these "logical" bridges and connect wifi networks to them as you wish.

there are guides on how to extend networks over multiple devices using vlans; i suggest going through them first, then coming back to check my recommended approach again. the guides use vlan notation without my extra sw0, so those are the proper, official solutions. mine is just mine, how i was able to make sense of vlans, so you'll probably find another approach easier.

Not with DSA devices when it comes to bridges.

The above is incorrect syntax for DSA and will not work properly.

The below is valid DSA syntax.

The guest bridge implied below will work with older swconfig based syntax and/or when the guest network is wifi only and doesn't use ethernet.

In the case of DSA, though, any bridges that use ethernet must be bridge-vlans.

What is the tagged/untagged status for each VLAN on each port?

For example (making this up, feel free to correct):

  • LAN 1: untagged VLAN 1 (192.168.1.0/24)
  • LAN 2: untagged VLAN 30
  • LAN 3: untagged VLAN 1, tagged VLAN 20, tagged VLAN 30
  • LAN 4: untagged VLAN 1, tagged VLAN 20, tagged VLAN 30

your example is exactly correct! sorry i forgot to mention that in my last reply


Start by editing your network config file:
Create bridge-vlans:

# DSA form: VLANs are filtered on br-lan itself and exposed as
# br-lan.<id> sub-devices. Port suffixes: 'u*' = untagged and PVID
# (access port), 't' = tagged (trunk).
#
# VLAN 1 (main LAN): access on lan1, lan3, lan4.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

# VLAN 20 (guest): tagged only, on lan3/lan4 - presumably the trunks
# towards the switches/APs, which must tag VLAN 20 on their side too.
config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan3:t'
        list ports 'lan4:t'

# VLAN 30 (cameras/iot): access on lan2, tagged on the lan3/lan4 trunks.
config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan2:u*'
        list ports 'lan3:t'
        list ports 'lan4:t'

Now, edit the lan interface to use br-lan.1:

# The existing lan interface keeps its addressing but now binds to the
# VLAN 1 sub-device instead of the whole bridge.
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

And create the guest and cameras/iot networks using br-lan.20 and br-lan.30:

# Guest network on VLAN 20: 192.168.2.1/24.
# Neither interface is placed in a firewall zone here; with the
# default input/forward REJECT shown for this router, clients on these
# VLANs get no DHCP/DNS from the router (and no Internet) until each
# gets its own zone - which is also where the isolation from 'lan'
# (no forwarding guest->lan / cameras->lan) is enforced.
config interface 'guest'
        option device 'br-lan.20'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

# Cameras/IoT network on VLAN 30: 10.10.10.1/24 - the subnet the camera
# static leases in /etc/config/dhcp already use.
config interface 'cameras'
        option device 'br-lan.30'
        option proto 'static'
        option ipaddr '10.10.10.1'
        option netmask '255.255.255.0'

Now, add your DHCP servers (in the /etc/config/dhcp file):

# DHCPv4 pools for the two new networks: .100 - .249 (start 100,
# limit 150), 12h leases. Unlike the existing 'lan' pool, no dhcpv6/ra
# options are set, so these networks are IPv4-only as written.
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'cameras'
        option interface 'cameras'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

And finally in your firewall, you can use the same rules you had previously

In your zone definitions, you can set the input rule to REJECT since you've got an allow rule for DHCP and DNS. But for the moment, you might as well keep it as it is to reduce the number of variables (once everything is working as expected, you can change that rule and verify once more).

Now, restart your router and test.
You can immediately verify that VLAN1 and VLAN30 are working by plugging into ports LAN1 and LAN2 respectively. Then we can move on to the rest of the configs.

there are many (hundreds?) posts regarding DSA; if there were only one ultimate way, why would that be?
for your information this is my working config generated by luci. and it does work with ethernet.

anyhow, bottom line, there is no pressure; try it and see if it fits one's use case.

Thank you so much for your help,
i was able to go through and update everything using DSA syntax, and everything is working as expected now!

