OpenWrt Forum Archive

Topic: Two routers with private and guest network

The content of this topic has been archived on 8 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Let's see if I can do this...
First of all, sorry for my bad English, I'm Brazilian.

I started trying to do tagged VLANs on DD-WRT and never understood it.
Then I came to OpenWrt and... well, now I have one virtual machine running OpenWrt Attitude Adjustment 12.09-rc1, with multiwan (2 WANs), DDNS (one for each WAN), one private network, one guest network limited to 1 Mbps (wired connections too) and one network for my virtual machines.
Connected to this VM, there is a Netgear WNDR3700 v1 (same OpenWrt version) as switch/AP (one 2.4 GHz Wi-Fi on the private network, one 2.4 GHz Wi-Fi on the guest network and one 5.0 GHz Wi-Fi on the private network) and a TP-Link WR1043ND v1.8 (same OpenWrt version) as switch/AP (one 2.4 GHz Wi-Fi on the private network, one 2.4 GHz Wi-Fi on the guest network). The guest network on both routers is the same.
The reason I'm using a VM is that none of my routers (WNDR3700 and WR1043ND) could handle both WANs with good performance.

So, to configure the guest network across both routers... (in my case, I use more than two routers)

I'm assuming:
- First router is a Netgear WNDR3700 v1, with OpenWrt Attitude Adjustment 12.09-rc1 (this one will be the one on the internet)
- Second router is a TP-Link WR1043ND v1.8, with OpenWrt Attitude Adjustment 12.09-rc1
- The routers are on first boot, with LuCI installed on both routers
- The routers are not connected to each other, yet
- IP range to be used for the private network: 192.168.1.0/24 (192.168.1.1 to 192.168.1.254)
- IP range to be used for the guest network: 192.168.2.0/24 (192.168.2.1 to 192.168.2.254)

On your computer:
a-) Connect a cable between your computer and the SECOND router, on port 1. (or 2, 3, 4... just remember which of them you're connected to)
b-) Set your IP Address to 192.168.1.10 (for example), with netmask 255.255.255.0 (if you want, you can set gateway and DNS to 192.168.1.1)

On the second router:
1-) Access http://192.168.1.1, log in to the LuCI web interface with user root and no password
2-) Go to System, Administration, type in a password, confirm it, click Save & Apply
3-) Go to Network, Interfaces. Click "Edit" (Under Actions) in the LAN interface.
4-) Set: IPv4 address to 192.168.1.2, IPv4 netmask: 255.255.255.0, IPv4 gateway: 192.168.1.1. If you want, you can use a custom DNS (like 192.168.1.1); without a DNS you cannot install anything on the router.
5-) Check "Disable DHCP for this interface" under "DHCP Server". Hit Save & Apply.
6-) Wait a moment and access http://192.168.1.2. Log in to the router with root and the password (created in item 2)
7-) Go to Network, Interfaces again. If I remember right, the WAN interface is actually VLAN 2 (under "WAN" there is something like "eth0.2"). If you want, you can delete the WAN interface (it will not be used on this router), so you can use all 5 ports of the router.
8-) Now go to Network, Switch.
- I THINK the WR1043ND comes configured like this:
   VLAN ID 1, Port 0 off (it's the WAN port), Ports 1, 2, 3, 4 untagged, CPU port tagged
   VLAN ID 2, Port 0 untagged, Ports 1, 2, 3, 4 off, CPU port tagged (this was the VLAN in use by the WAN interface)
- IF you deleted the WAN interface, you can use it to connect this router to the first router. If not, you can use ports 1 to 4 instead. Change both VLANs to (assuming you deleted the WAN interface):
   VLAN ID 1, Port 0 tagged, Ports 1 to 4 untagged, CPU port tagged
   VLAN ID 2, Port 0 tagged, Ports 1 to 4 off, CPU port tagged
   Save & Apply (and just to be sure, reboot your router)
- If this is done right, you should have access to your router again in a few moments.
- This way you're telling the router that VLAN 1 (the already configured "LAN" interface/network) AND VLAN 2 (the one we will configure as the "GUEST" interface/network) will use the (originally labeled) WAN port

WARNING: If you TAG the port your computer is connected to, you will be locked out of the router, unless you tag your computer's network interface too.

9-) (If you rebooted, log in again.) Go to Network, Interfaces. Click Add new interface.
10-) Give it a name (GUEST), the protocol is "Static Address", under "Cover the following interface" select "VLAN Interface eth0.2", and hit "Submit".
11-) On the next page, set: IPv4 address to 192.168.2.2, IPv4 netmask: 255.255.255.0. You don't need to set up a DHCP server (it will be configured on the other router). Hit Save.
12-) On the SAME page click on "Firewall Settings". In "unspecified -or- create" put "guest". Hit Save & Apply
13-) Go to Network, Wifi. Click Add. ESSID "Guest" (example), Mode Access Point, Network "GUEST" (created in item 10). Configure security as (or if) desired. Save & Apply.
14-) Go to Network, Firewall. Delete the "WAN" zone on the firewall or, at least, disable the LAN forwarding to it.
15-) Connect the WAN port of this router to port 4 of the first router (which is Port 0 in the LuCI web interface). At this point, they do not "see" each other... yet.
16-) (Optional) If you want a little more security: go to Network, Firewall. Under "Zones", change "Input" of "guest" to "drop". Save & Apply.
- This way, the guest network cannot reach this router; it is only used to "pass" the traffic to the first router
17-) Now, remove the cable connecting your computer and this router, and connect the cable to the first router, on port 1, which is port 3 in LuCI (or remember the one you've used).

On the first router (the one connected to the internet):

18-) Access http://192.168.1.1, log in to the LuCI web interface with user root and no password
19-) Go to System, Administration, type in a password, confirm it. Click Save & Apply
20-) Configure your WAN (Network, Interfaces, "Edit" on WAN and so on). If you configured your computer with gateway AND DNS, you should have internet now.
21-) Go to Network, Switch.
- Under "VLANs" you probably have something like VLAN ID 1, Ports 0, 1, 2, 3 untagged, Port 4 off, CPU tagged
- Click Add; a new entry with "VLAN ID" "2" should appear.
- Configure both VLANs like this:
   (if you did item 15 as I told) VLAN ID 1, Port 0 tagged, Ports 1, 2, 3 untagged, Port 4 off, CPU tagged
   VLAN ID 2, Port 0 tagged, Ports 1, 2, 3, 4 off, CPU tagged.
   Save & Apply (and just to be sure, reboot your router)
- If this is done right, you should have access to your router again in a few moments.
22-) (If you rebooted, log in again.) Go to Network, Interfaces. Click Add new interface.
23-) Give it a name (GUEST), the protocol is "Static Address", under "Cover the following interface" select "VLAN Interface eth0.2", and hit "Submit".
24-) On the next page, click "Setup DHCP Server". The page will reload. Set: IPv4 address to 192.168.2.1, IPv4 netmask: 255.255.255.0. Configure DHCP as desired. Hit Save.
25-) On the SAME page click on "Firewall Settings". In "unspecified -or- create" put "guest". Hit Save & Apply
26-) Go to Network, Wifi. Click Add. ESSID "Guest" (example), Mode Access Point, Network "GUEST" (created in item 23). Configure security as (or if) desired. Save & Apply.
27-) Go to Network, Firewall. Under "Zones" click "Edit" on GUEST. Under "Inter-Zone Forwarding" select "wan" in "Allow forward to destination zones". Save & Apply.

Well... If I didn't forget anything, I think it's done.
This way you have 2 networks (private and guest) on both routers. The guest Wi-Fi can access the internet, but not your private network.
It's possible to change a lot of things like...
- Is it possible to put a wired client on the guest network? Yes
- Is it possible for the guest network to access my private network? Yes
- Is it possible to assign a different DNS to the guest network? Yes
- Is it possible to limit the download rate of the guest network? Yes
And so on.

Could someone validate all of this? I've done it by myself, with no one validating.

Nice tutorial, but keep in mind that not all routers are the same; some have eth1 for WAN, for example, and some don't support tagged and untagged traffic on the same port.

Also some routers can't work with vlans at all.

Yeah... you're right
That's why I wrote the part "I'm assuming:".

Thanks for the walkthrough digital. One question though: on my WNDR3700 v1, the CPU is set as untagged in the default VLAN configuration. I've never messed with VLANs before so it's vanilla. What difference does tagging or untagging the CPU make? Can I just add a second VLAN and reconfigure both VLAN 1 and 2 as per your instructions but ignore the setting on the CPU?

Thank you!

Hi Borromini,
You know that part that I wrote "Warning"? THAT's... because of this router
Which version of OpenWrt are you using? Is it Backfire 10.03.1?
Because the first one I was using on this router was that version, and to make VLANs work I had to use a workaround listed here in the forums. I don't know if that is a bug or something, I know that every time I changed the CPU port to tagged, I had to reset the router.
And then I upgraded to Attitude Adjustment 12.09-rc1, and my CPU port was tagged, and I could work with VLANs without problems.
So, if you're working with Backfire 10.03.1 (WNDR3700 v1 router) DO NOT change the CPU port to tagged, or you will be locked out of the router.
(Searching for the topic that has the workaround)

Edited:
Found it on wiki. Read this...
http://wiki.openwrt.org/toh/netgear/wnd … .for.vlans
This is valid for Backfire 10.03.1

There you can see this:
"config interface lan
    option ifname    eth0.1
    option type    bridge
    option proto    static
    option ipaddr    192.168.1.1
    option netmask    255.255.255.0"

AND...

"config switch_vlan
    option device    rtl8366s
    option vlan     0
    option ports    "5*"

config switch_vlan
    option device    rtl8366s
    option vlan     1
    option ports    "1 2 3 5t""

Basically what this shows is: you've configured interface "LAN" to use eth0.1 (VLAN 1), BUT you've configured both VLANs (0 and 1) and LuCI does not work well with that. Well... actually it does not work at all with that config.
So, if you are using Backfire and continue to use it, you will have to do this workaround and ignore the VLAN configuration in LuCI.

My config (on Attitude Adjustment 12.09-rc1) doesn't have a "VLAN 0", and is like this:

"config switch_vlan
        option device 'rtl8366s'
        option vlan '1'
        option ports '0t 1t 2 3t 5t'"

and

"config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.30'
        option netmask '255.255.255.224'
        option gateway '192.168.1.29'
        option dns '192.168.1.26 192.168.1.25'
        option ifname 'eth0.1 eth1'
"

(Last edited by digital on 3 May 2013, 01:07)

I'm using Attitude Adjustment. Upgraded from Backfire a while ago though (SVN builds in between), not sure if it's a leftover from the Backfire configs.

Thanks for the clarification, I might check on IRC just to be sure I won't be fucking up my router(s).

I checked on IRC, apparently you can have only one VLAN untagged (ie the CPU) if the firmware supports it. I'm just going to tag both the VLANs.

Borromini... I'm confused.
What I know is that you can have only one untagged VLAN for each port; I didn't know that this applies to the CPU port. I thought the CPU port had to be tagged always.
You can have more than one untagged VLAN, I use that, but not on the same Ethernet port, which is obvious (for me)

Do you mean always as in: even with only one VLAN? Because that's why I asked - the CPU being untagged in the only VLAN I have now.

Sometimes if a device has two physical ports, eth0 and eth1, by default there is one VLAN configured and the CPU port is untagged.

However, most devices support both a tagged and an untagged CPU port (not that often a mix of them). So you can try to set the CPU port to tagged. But be careful: if it isn't supported it can lock you out of the device. Make sure you can access the router by other means (with Wi-Fi or the WAN port, for example)

Here, every time I "tagged" the CPU port on the default VLAN (with or without another VLAN configured) I was locked out... to make it work, I need to change things (like I already explained). I'm talking about the Netgear WNDR3700 v1.
With the version I'm using now, the CPU port came tagged (OpenWrt Attitude Adjustment 12.09-rc1 / LuCI 0.11 Branch (0.11+svn9425))

Yes, in the older version (backfire) I had problems with that.
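The switch layouts from steps 8 and 21 and the one-untagged-VLAN-per-port rule discussed just above, as an added example that is not from the thread: a POSIX sh check of swconfig port lists to run before Save & Apply. The port numbers, the CPU port 5 and the admin-port argument are assumptions constructed from the thread's WNDR3700 / WR1043ND steps.

```shell
#!/bin/sh
# Added example, not from the original thread: check swconfig VLAN port lists
# (the 'option ports' strings in /etc/config/network, e.g. '0t 1 2 3 5t') before
# hitting Save & Apply. It flags the two mistakes discussed in the thread:
#  - a port left untagged in more than one VLAN (only one untagged VLAN per port),
#  - the port the admin computer is plugged into being tagged (lockout).
# Port numbers are the switch's own; CPU port 5 and the layouts below are
# constructed from the thread's steps for the WNDR3700 / WR1043ND.

# check_vlans ADMIN_PORT "VLANID:ports" ["VLANID:ports" ...]
# Prints one line per problem; returns the problem count (0 = layout is safe).
check_vlans() {
    admin_port=$1; shift
    problems=0; lockout=""; untagged_seen=""
    set -f                     # '5*' must not be expanded as a filename glob
    for spec in "$@"; do
        vid=${spec%%:*}; ports=${spec#*:}
        for p in $ports; do
            num=${p%[t*]}      # drop the 't' (tagged) or '*' (Backfire PVID) marker
            case $p in
                *t)
                    if [ "$num" = "$admin_port" ] && [ -z "$lockout" ]; then
                        echo "port $num is tagged in VLAN $vid but the admin PC is on it (lockout)"
                        lockout=1; problems=$((problems + 1))
                    fi ;;
                *)
                    case " $untagged_seen " in
                        *" $num "*)
                            echo "VLAN $vid: port $num is already untagged in another VLAN"
                            problems=$((problems + 1)) ;;
                        *) untagged_seen="$untagged_seen $num" ;;
                    esac ;;
            esac
        done
    done
    set +f
    return $problems
}

# Second router (WR1043ND) after step 8: admin PC on port 1, the old WAN port 0
# carries both VLANs tagged towards the first router, CPU port 5 tagged.
second_router_ok()      { check_vlans 1 "1:0t 1 2 3 4 5t" "2:0t 5t"; }
# Same layout with the admin PC still plugged into port 0: one lockout warning.
second_router_lockout() { check_vlans 0 "1:0t 1 2 3 4 5t" "2:0t 5t"; }
# Backfire WNDR3700 wiki snippet: CPU port untagged in VLAN 0 ('5*'), tagged in
# VLAN 1, which is allowed; leaving it untagged in both VLANs is not.
backfire_default()      { check_vlans 1 "0:5*" "1:1 2 3 5t"; }
double_untagged_cpu()   { check_vlans 1 "0:5*" "1:1 2 3 5"; }
```

Run it on the router or any POSIX shell with the port lists copied from LuCI's Switch page; a non-zero exit means fix the layout before applying it.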
