Ooh, using one of the existing vlans or existing bridge sounds like a great idea. I was mostly worried about the DHCP config or breaking existing guest wifi IP options. I was looking at maybe upgrading to something like Ubiquiti, but at the moment it looks like most of their gear is sold out, so I figured I'd see what I could manage with what I had on hand already. I'm also pretty cloud-averse; do you happen to know if Ubiquiti can run with no cloud/internet access at all? Last time I checked a few years ago they were going all-in on cloud.
Yes, I use their stuff and you can administer it from a local PC. Actually, the cloud option is newer; previously it was all done via a local server/PC. You don't even have to leave the management server running unless you want to collect traffic/log stats or run the Captive Portal (where you have to log in or pay to use wifi). The devices will restore the last config from local NVRAM if rebooted. They have FAQs and documentation on their site as to which devices (AP, router, firewall, etc.) need to have the management server always running, but it is mostly for the stuff I listed above. I just run the server "on demand" when I need to change something. I used to run it 24x7, but that was when I had a server that was always online anyway. Now it isn't worth wasting the power. If you have certain brands of NAS, I think some people have even gotten it to run on there, since it is always online anyway, consumes less power than a PC and is just a Linux box.
The cloud key service is actually something you have to pay an annual fee for and is more for people running large deployments at multiple sites, typically.
For the Asus solution, this will only work on the 386 code base, as that is what implemented these new VLANs, subnets, and DHCP ranges. Actually, in your case you'd only need 386 on the main router. On the remote switch you could use older firmware (not sure if the N series supports 386?) and create VLAN 501 or 502 yourself, as no DHCP or L3 interfaces are needed if just using it as a switch and/or AP. Actually, if only using it as a dumb switch with no wifi, you won't have a guest network and thus have to create the VLANs yourself anyway, which is simple.
If you wanted to use VLAN 501 (2.4 GHz under BR1) or 502 (5 GHz under BR2), then just enable guest wireless 1, reboot, then create a script to use robocfg to add it tagged on the port to your other AP. Then you can pick another port, remove VLAN 1 from it, and add VLAN 501 or 502 to that untagged, which will put it in the guest wireless network.
Same on the other side.
Something like this:
robocfg vlan 1 ports "1 2 3 5t"      # remove non-guest VLAN from port 4
robocfg vlan 501 ports "1t 4 5t"     # added tagged on port 1 to other AP and untagged on port 4 for wired guest (or, in my case, fixing someone's computer that may have viruses etc.)
This will send VLAN 1 untagged to the other AP and VLAN 501 tagged. In my case, my Ubiquiti AP likes it this way. Some like to see VLAN 1 tagged when doing a trunk port, but this is not common. Not sure how Asus is; you might have to use "1T" on VLAN 1. Technically VLAN 1 is the native VLAN on an 802.1Q trunk and is not supposed to be tagged, but again, I have seen it required sometimes. The reason Asus is tagging it on the VLAN port (5) is a different reason I won't get into; the tag gets stripped off once it hits the CPU.
All VLANs always have to be tagged on the CPU port (5 in my case). The ports above are for an RT-AC1900, yours may differ.
Doesn't really matter if you use 501 or 502; you could even use both if you wanted to have two wired guest networks. One is mapped to 2.4 GHz wireless and one to 5 GHz, but that doesn't really matter for wired connections. Each gets its own /24 192.168 subnet. Note these guest networks have 24 hour lease times and no IP address reservations, at least not via the GUI, but you could change both via script I believe.
Since I wasn't 100% sure if there would be any other implications of using these two AiMesh VLANs (on a quick look, there didn't seem to be), I created a new VLAN 999 and added it to the same bridge as 501. Then I did the robocfg above but with 999 instead of 501. The script is a little longer, but not much. The guest firewall filters are applied between the main interfaces and not the VLAN, so you can put as many VLAN IDs into BR1 or BR2 as you like and they will get the filters applied so they can't communicate with the LAN (again, this is on my router; each model can exhibit differences, so always test after and make sure there is no access).
Technically, proper networking practices say that VLAN 1 never carries traffic when used in an 802.1Q trunk. It is just the "native" VLAN which carries control traffic related to the trunk. However, since Asus is using this VLAN for various purposes, it may be somewhat involved to change and use something like 10 for your regular LAN. Haven't looked into it; in the home environment, it's fine to use VLAN 1. But in my day job, it's a big "no no".
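As an added example (not code from the thread or from Asus), here is the kind of script the post above suggests: it composes the two robocfg member lists from assumed port numbers (CPU port 5, trunk port 1 to the other AP, wired guest port 4, guest VLAN 501; all constructed, your router's ports may differ) and then parses a constructed `robocfg show` dump to confirm the guest port is no longer in VLAN 1, which is the "test after and make sure there is no access" step the post recommends.

```shell
# Added example, not from the thread: builds the robocfg member lists for a wired
# guest VLAN on an Asuswrt router and checks a `robocfg show` dump afterwards.
# Assumed (constructed) layout: CPU port 5, trunk port 1 to the other AP, wired
# guest port 4, guest VLAN 501 under br1. Port numbers differ between models.
CPU_PORT=5; TRUNK_PORT=1; GUEST_PORT=4; GUEST_VLAN=501

# VLAN 1 members: all LAN ports except the guest port untagged, CPU port tagged
# (every VLAN has to be tagged on the CPU port).
vlan1_ports() {
    ports=""
    for p in 1 2 3 4; do
        [ "$p" = "$GUEST_PORT" ] || ports="$ports $p"
    done
    echo "${ports# } ${CPU_PORT}t"
}

# Guest VLAN members: tagged on the trunk to the other AP, untagged on the wired
# guest port, tagged on the CPU port.
guest_ports() { echo "${TRUNK_PORT}t ${GUEST_PORT} ${CPU_PORT}t"; }

apply() {
    robocfg vlan 1 ports "$(vlan1_ports)"
    robocfg vlan "$GUEST_VLAN" ports "$(guest_ports)"
}

# Post-change check ("always test after"): read `robocfg show` on stdin and fail
# if the guest port is still in VLAN 1 (guest bridged back onto the LAN) or the
# guest VLAN lacks its CPU-port tag. Assumes the member lines look like
# "   1: vlan1: 1 2 3 5t" under the "VLANs:" header.
check_isolation() {
    awk -v gp="$GUEST_PORT" -v gv="$GUEST_VLAN" -v cpu="$CPU_PORT" '
        /^ *[0-9]+: vlan[0-9]+:/ {
            id = $1; sub(":", "", id)
            for (i = 3; i <= NF; i++) m[id, $i] = 1
        }
        END {
            if (((1, gp) in m) || ((1, gp "t") in m)) { print "FAIL: port " gp " still in VLAN 1"; exit 1 }
            if (!((gv, cpu "t") in m)) { print "FAIL: VLAN " gv " not tagged on CPU port"; exit 1 }
            print "ok: port " gp " only in VLAN " gv
        }'
}

# Constructed sample of the expected end state, so the check can be run offline.
sample_show() {
    printf 'VLANs: BCM5301x enabled mac_check mac_hash\n   1: vlan1: 1 2 3 5t\n 501: vlan501: 1t 4 5t\n'
}

# Only touch the switch when explicitly asked: ./guestvlan.sh apply
if [ "${1:-}" = "apply" ]; then apply; fi
```

On the router, run `robocfg show | check_isolation` after applying to see the pass/fail verdict; offline, `sample_show | check_isolation` exercises the check against the constructed dump.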