[tandh327]

Questions:
1. Is this possible or is it too complex to implement and maintain (See below)?
2. What is the best order to onboard with the hardware/requirements listed below?

Current Issue:
1. I cannot seem to get DHCP to issue IPs to devices coming across Eth0. If I hard set IP and Gateway they can access the router when plugged into Eth0 (Port 1)
2. I cant seem to get the NetGear VLAN and PVID set to allow communication from a device plugged in to the GS116E on any port 2-16 (Port 1 is the uplink to the router).
3. I am uncertain how to flag the "uplink/trunk" ports on the GS108E's to pass the VLANs correctly (I tagged all VLANs on the port currently.

General Statement:
1. I have found plenty of guidance in the forum on the multiple SSIDs and Virtual Wireless interfaces but not with both Wireless and Ethernet with multiple switches.
2. I am having issues with understanding bridging on the router using DD-WRT to accomplish the above. Seems like I need to un-bridge something to start with??
3. Still checking to see if IoT devices (Rokus, Smart (Dumb) TVs, XBOX One, XBOX 360, NVR, VOIP appliance)can be set with a VLAN tag. if not may have to used port based VLAN for those devices

Current Infrastructure:
Router = ASUS-RT-N66U
Router Firmware = DD-WRT v3.0-r47720 big (12/02/21)
Wireless: Using 2.4Ghz only
Switches = In total 3 (All Managed) ((1)NetGear GS116E v2, (2) NetGear GS108E v2)
Switch Firmware = V 1.00.12 (GS108E) and V 2.6.0.48 (GS116E)
Router connected to port 1 on GS116E (16-ports) (SW-01)- (2)GS108E's (8-ports)(SW-02) and (SW-03)connected to GS116E (Port 2 and Port 10)
Synology NAS (DS920)running storage and Docker container for JellyFin (Media Center)Single interface currently (Has 2)
VLANs are set on NetGear switches using 802.1Q
Since two GS108E are connected to GS116E switch I need to use tagging
Devices are allowed access from any switch via ethernet connection so no port dedicated VLANs


Requirements:
-Devices in VLAN 3 should use OpenVPN client from router for Internet communication
-Devices in VLAN 4 should use OpenVPN client from router for Internet communication
- Would like to leverage OpenDNS for filtering. I have a Dynamic IP from ISP
-Would like to leverage Adblocking or PiHole in Docker container on Synology NAS if possible
-No other devices should go across OpenVPN client tunnel
-VLAN 3 consists of Ethernet and Wireless devices
-VLAN 4 consists of Ethernet and Wireless devices
-VLAN 5 consists of Ethernet and Wireless devices
-Need 3 Virtual Wireless LANs (Two Virtual Networks need OpenVPN Client and the other goes straight to Internet)
-Would like isolation for wireless devices on VLAN 4
-Need 6 VLANs (VLAN 3 = Home_Protected), (VLAN 4 = Trusted), (VLAN 5 = Work), VLAN 6 = Untrusted),(VLAN 7 = Voice), (VLAN 8 = Security), VLAN 9 = Media Center (Synology Docker (JellyFin)
-Synology NAS needs to perform backups for devices in VLAN 3 and 5
-Devices in VLAN 3,4,5 need to access File Shares/Services on Synology NAS
-Need devices in VLAN 3,4,5,6 to access JellyFin (Media Center) running in docker container on Synology NAS
-Would like for VLAN 5 to have priority during business hours
-Would like voice (VLAN 7) to have priority over everything else

VLAN 3 Can talk to VLAN 4,7,8,9
VLAN 4 Can talk to VLAN 9
VLAN 5 Can talk to VLAN 3,4,8,9
VLAN 6 Can talk to VLAN 9 and Internet only
VLAN 7 Internet only
VLAN 8 Internet only
VLAN 9 Internet only

Assume VLANs IP Subnet will be 192.168.(VLAN ID).X

Current Configuration:

Router:
DHCP provided by router
Using DDNS (DNS-o-Matic) -> OpenDNS
Nat Forward for JellyFin (Docker on Synology)
Single Wireless Interface (Wl0) currently (Bridged to br0)
Created 9 additional bridges (assumed for each VLAN)
Assigned new VLAN interfaces (3 - 9) to new bridges (br3 - br9) (Something doesn't seem right)
Assigned br3 - br9 to VLAN interfaces (Something doesn't seem right)
No changes made to br0
STP set to no on all new bridges
set IP address on each new br3 -br9 configuration
Added additional DHCP servers for each VLAN bound to VLAN interface no Bridge or Port
There are brX.X showing up and not sure where they came from
No added Firewall Rules
VLAN 1 bound to Port 1 - 4
VLAN 2 bound to WAN Port
VLAN 3 - 9 bound to Port 1
All Port 1 traffic Tagged
OpenVPN Client not yet configured


NAS:
Using Synology DDNS
Single interface currently
NAS on 192.168.1.X (Will move to VLAN 3)
Docker on 172.16.X.X

Switches:
SW-01 (Using Tagged and Untagged) PVID set to default of 1, Ports 2 and 9 are Trunks (All VLANs Tagged)
- VLAN 1 Port 1,2,9
- VLAN 2 Port 1,2,9
- VLAN 3 Port 1,2,3,4,9
- VLAN 4 Port 1,2,5,6,7,8,9
- VLAN 5 Port 1,2,3,9
- VLAN 6 Port 1,2,9,10,11,12,13,14
- VLAN 7 Port 1,2,9,15
- VLAN 8 Port 1,2,9,16
- VLAN 9 Port 1,2,9

SW-02 (Using Tagging) PVID set to default of 1
Port 1 is a Trunk Port
- VLAN 1 Port 1
- VLAN 2 Port 1
- VLAN 3 Port 1,2,3,4
- VLAN 4 Port 1,5
- VLAN 5 Port 1,6
- VLAN 6 Port 1,7
- VLAN 7 Port 1
- VLAN 8 Port 1
- VLAN 9 Port 1,8

SW-03 (Using Tagging) PVID set to default of 1
Port 1 is a trunk port
- VLAN 1 Port 1
- VLAN 2 Port 1
- VLAN 3 Port 1,2,3
- VLAN 4 Port 1,4,5
- VLAN 5 Port 1,6
- VLAN 6 Port 1,7,8
- VLAN 7 Port 1
- VLAN 8 Port 1
- VLAN 9 Port 1

[Alozaros]

Hello..and welcome to the forum...
it seams you know what you are doing, as well according to your requirements you are ready to aim on a serious endeavour with DDWRT...

So, for CLI Vlan & Tagging segregation on the recent builds Broadcom, routers use swconfig command same like Atheros based routers...

The main Vlan thread for Atheros routers Vlan segregation is this one
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1119771

the information is there, but you have to carefully read trough..


apart of that...on my R7000 witch is a Broadcom device
I can fairly use the GUI interface (switch config page) to visually select and create Vlans and tag those...
bear in mind you also have to create DHCPd for those
Vlans to fetch an IP and sometimes you have to force a static IP from the client side...

I also prefer to bridge the Vlans, so ill have more control over them...kind of...

bear in mind router WAN port is always Vlan2 and VLan 1 is the switch...

[Per Yngve Berg]

I have currently on my GS108T V2:

Boot version: B5.1.0.2
Sowftware version: 5.4.2.36