I have an RB2011UiAS-RM that I have using as a router. I also have a BaseBox2 with an extra 5Ghz Card in it.

I would like to setup 2 SSID's on the BaseBox. One for Guest and One for Private. That is the ultimate Goal. However before even getting into the WAP setup, I decided to start with setting up the router with VLANs, WAN Ports, and DHCP services. This is where my trouble begins.

I want the router/switch to function as a switch on the private VLAN for all ports accept the one the AP is plugged into. This way when the end-user plugs in another station to a free switch port everything will work just fine. Here is a quick port run-down.

1- WAN
2 - Switch/Private/VLAN1
3 - Switch/Private/VLAN1
4 - Switch/Private/VLAN1
5 - Switch/Open/Trunk to AP, must carry VLAN1 and VLAN2 traffic
6 - Switch/Private/VLAN1
7 - Switch/Private/VLAN1
8 - Switch/Private/VLAN1
9 - Switch/Private/VLAN1
10 - Switch/Private/VLAN1

Here are some quick config notes:
I have all FE ports (7 -10) set with 6 as master.
I have all GE ports (3-5) set with 2 as Master.
I have created a bridge (local-bridge) with ports 2 and 6 in them. There is no-ip assigned to this bridge.
I have Created 2 VLANs Interfaces (PublicVLAN and Private VLAN). These are both assigned to local-bridge. These have IPs assigned from the respective VLAN Subnets.
I have 2 DHCP Servers. They have pools and options assigned and are bound to the respective VLAN interfaces.
I have create 2 VLAN switch tables (VLAN1 and VLAN2).
I have ports, 2, 3, 4, 5 assigned to VLAN1
I have port 5 assigned to VLAN2

After all of this. I plugged my laptop into Port 4 as a test and expected to be attached to the Private VLAN1 and be assigned an address. However my laptop will not communicate with the VLAN1 Interface. I cannot ping the IP assigned to this interface and I cannot get a DHCP address.

Why is this happening!? Can someone help. I am in VLAN Hell!

Thanks,
John Hamilton

What interfaces are a part of the bridge? Add the master interfaces for the switches, and try again.

Like I stated above, all ports in the GE ports are set with master to 2. All FE ports are set to 6 as a master. Both ports 2 and 6 are added to the bridge. Port 1 is a routed port (WAN) so it is left out of the bridge.

I performed a ping from my VLAN1 interface and rand packet sniff on it and none of the packets show that they have a clan id on them, is this normal? Also should my up be bound to the VLAN interface or the bridge that the VLAN interface is bound to?

The trunking port should be left out of the bridges. And configure the Vlans on the trunk interface, not on the bridge.
Probably you wil need one of the Vlan interfaces as member of the local bridge, to allow traffic to your access point