Router, 2 APs and VLANs ... need a bit of hand holding here ;)

sup guys,
This is kind of the last mile for me on this topic, as I’ve spent some not really successful hours on it, so I’ve decided to try asking for a bit of help here.

I do have a main router which is running Tomato firmware, on which I’m indeed perfectly able to create an IoT network which is completely separated from my main network, with one exception, which is my MQTT server.
This is not really an issue.

Here comes the dark side…

Having only one IoT AP is not an option, so I need to configure the other two APs, which are on each floor of my house, to provide the IoT SSID (which is not a problem), which then will be sent to the router, which will assign it to the separated network, which is a problem.

The two APs are running OpenWrt 18.x, so I’m flexible, but I can’t figure this thing out.
The APs are connected to the main router by cable, which indeed is used for the main network as well.

So my guess was to use VLAN tagging and tag the IoT wifi network so the main router will recognize what is what and move on from there.
But no luck here.

This is my thinking about how it may work:

  • router:
    ** configure the separated network
    ** configure the SSID and assign it to said network
    ** create a VLAN which will contain the incoming LAN ports from the APs and bridge the SSID to that VLAN with ID 4
  • AP
    ** create the same SSID as on the router
    ** create a new interface which will contain the outgoing LAN port and the SSID
    ** create a switch with VLAN tag ID 4 and tag the LAN ports

but so far, nope…
I don’t need to have internet access on that separated network; truly said, it’s more about not providing any internet access to that network if possible. Only the local network, with one open IP to the MQTT server, which is on the main net.
What I really need is to figure out how to send traffic from the AP to the router in a way that the router will send it to the already working separated network.

So, here is the question: can somebody give me some help?
Thanks a lot

Your general idea is sound. Two SSIDs at each AP, one of which is linked to a VLAN. The router handles both VLAN and untagged separately, keeping them isolated.
I have just this setup working for an in-house and guest LANs situation. But it is on proprietary HP and Draytek gear, so I cannot help with actual settings.
If I recall, the hard part was setting an HP switch to carry VLAN and untagged over one wire.

Yes, I have exactly the same issue in the same place.
I’m able to separate it on the router itself, but those additional AP/switch parts are killing me.

I run the same idea, but I use a Cisco router with 3 Netgear APs.
I have 4 VLANs:
v1 - home internet with some rules (wifi, own SSID)
v2 - streaming (cat 6 link)
v3 - home automation (own SSID and cat 6 links)
v4 - guest wifi, limited speed :smiling_imp: (own SSID)

Damn, that was not really an easy task … but finally I’ve figured that shit out.
On main: define VLANs and tag the incoming LAN ports.
On AP: define interfaces which use the same VLAN id as on the router, set STATIC ip/gw/dns on each of those.
On the AP which has got a switch as well: define the same VLANs and ids as on the router and tag wan + eth0 (this was the tricky part) + static ip/gw/dns as well.

For some reason it was not able to work in DHCP client mode at all.
uff
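The AP-side part of that recipe, written out as OpenWrt 18.x UCI config for a swconfig-style switch. This is an added example, not config posted in the thread; VLAN ID 4 and the static addressing follow the posts above, while the port map (CPU port 0, cabled uplink on port 1), the 192.168.4.0/24 addressing and the SSID name are assumptions that must be adapted to the actual device.

```uci
# /etc/config/network on the AP (swconfig switch, OpenWrt 18.x)
# Assumed port map: 0 = CPU, 1 = cabled uplink to the main router, 2-4 = spare LAN ports

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1: main network, untagged on the LAN ports, tagged towards the CPU
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0t'

# VLAN 4: IoT, tagged only on the uplink and the CPU (never untagged on a client port)
config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '1t 0t'

# IoT interface: static addressing, as the thread found DHCP client mode did not work here
config interface 'iot'
	option type 'bridge'
	option ifname 'eth0.4'
	option proto 'static'
	option ipaddr '192.168.4.2'
	option netmask '255.255.255.0'
	option gateway '192.168.4.1'
	option dns '192.168.4.1'

# /etc/config/wireless: attach the IoT SSID to that bridge
config wifi-iface 'iot_radio0'
	option device 'radio0'
	option mode 'ap'
	option network 'iot'
	option ssid 'IoT'
	option encryption 'psk2'
	option key 'CHANGE-ME'
	option isolate '1'   # IoT clients cannot reach each other through the AP
```

The AP does no routing for VLAN 4, so the "MQTT server only, no internet" restriction still belongs in the main router's firewall, and the AP's existing LAN bridge keeps serving the untagged main network on VLAN 1.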