Interesting. I thought the idea behind DSA is that all those "ports" are supposed to look like ordinary Ethernet NICs so one would be excused for thinking that "vconfig add" should work on them. So it was like, no errors, no packets, no nothing?
BTW, I hope you know that tcpdump is a thing and aren't working completely in the dark, right?
I know tcpdump is a thing, but I've been mostly flying blind as I haven't installed tcpdump on the router.
However...
I did get the lab successfully set up to replicate the solution successfully.
Still not quite done yet. In the lab I had the advantage of using the "Host only network" as the management LAN. And creating separate "Admin" interfaces on both routers. On the real network I don't have that luxury, so need a way to VLAN them all up somehow so they are accessible from LAN, but not GUEST.
There weren't any surprises, except a bug with submitting VLAN changes which has a workaround.
"UpstairsSwitch" was configured with 4 eth adapters. 3 on br-lan all on individual "Internal networks" called SwitchPort1,2,3 and the final ethernet as "Admin" with only the router itself on the "Host only network".
"MainRouter" was configured with 3 eth adapters. 1 for Admin on host only. 1 for WAN DHCP on the VMware NAT network. 1 for "LAN" which was a single trunk on SwitchPort1 internal network.
With that in place, everyone could talk to everyone else and the internet.
So I then configured the VLANs on the bridges with 1 being LAN and 3 being Guest. This caused devices br-lan.1 and br-lan.2 to magically appear.
I terminated these at the main router by assigning both interfaces and DHCP servers. "UpstairsSwitch" does not need these as it is meant to be a switch not a router.
It just needed the tagging setup for the ports and the trunk.
Surprisingly this worked and the Guest got their own IP range from the Main Router VLAN 3 DHCP and the LAN got its from the VLAN 1 DHCP server.
... they could still access each other though. So firewall zones needed to be set up.
Finally the guest could not access the lan.... but it couldn't get an IP address either.
So a little "Traffic rule" to allow DHCP and DNS through the router itself on the Guest VLAN and all is good.
Just need to figure out how to VLAN up those admin interfaces and give LAN access.
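The guest isolation described in the post above, sketched as a firewall configuration. This is an added example, not the poster's actual config: it assumes the routers run OpenWrt (`/etc/config/firewall` on "MainRouter") and that the guest VLAN is attached to a network interface named `guest`; the zone, interface and rule names are assumptions.

```uci
# /etc/config/firewall on the main router (added example, names are assumed)

# Guest zone: traffic addressed to the router itself is rejected by default,
# and nothing is forwarded out of the zone unless a forwarding says so.
config zone
	option name 'guest'
	list network 'guest'        # assumed interface bound to the guest VLAN
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Guests may reach the internet. There is deliberately no
# forwarding from 'guest' to 'lan', which is what keeps them apart.
config forwarding
	option src 'guest'
	option dest 'wan'

# With input set to REJECT the router's own DHCP server is unreachable,
# which matches the "couldn't get an IP address" symptom. A rule with a
# src zone and no dest zone applies to traffic for the router itself.
config rule
	option name 'Guest-DHCP'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

# Same for the router's DNS resolver (UDP, and TCP for large answers).
config rule
	option name 'Guest-DNS'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

Keeping the zone's `input` at REJECT also leaves the router's admin web UI and SSH closed to guests, since only ports 67 and 53 are opened.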