Adding 802.1q VLANs to a TP-Link TL-WR810N

Out of the box, the current OpenWRT build (18.06.1 at the time of writing) for the TP-Link TL-WR810N does not include VLANs. It defines three interfaces, eth0, eth1, and radio0.

The network controller in the device is VLAN-capable, so adding VLAN support is not difficult (he wrote, after spending a lot of time working out how difficult it isn't...)

Only two files need to be modified: /etc/config/network and /etc/config/firewall. The below examples will create two VLANs, 4 and 5, and assign them as sub-interfaces of eth1, the TL-WR810N's LAN interface. The steps can be easily adapted for additional VLANs and different VLAN numbers.

The TL;DR bit...

The default OpenWRT configuration on a TL-WR810N:

/etc/config/network

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
/etc/config/firewall

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

The modified VLAN-aware configuration:

/etc/config/network

config interface 'lan1'
	option ifname 'eth1.4'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'lan2'
	option ifname 'eth1.5'
	option proto 'static'
	option ipaddr '172.17.0.2'
	option netmask '255.255.255.0'

[...]

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan 'eth1_4'
	option device 'switch0'
	option vlan '4'
	option ports '0t 4t'

config switch_vlan 'eth1_5'
	option device 'switch0'
	option vlan '5'
	option ports '0t 4t'
/etc/config/firewall

config zone
	option name 'lan'
	list network 'lan1'
	list network 'lan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

The above example does not apply any filters to inter-VLAN traffic. If I wanted to use the firewall I could create a separate zone for each VLAN and set up appropriate traffic rules to suit my needs. But for this example I'm happy for both VLANs to sit in the same zone.

And that's it! VLANs on a single Ethernet port on a TL-WR810N. Making the above changes will add a Switch entry to the LuCI Network menu, but you can ignore it. Just do everything on the command line.

Keep on reading for a more detailed explanation.

Finding out the details of the network controller:

root@OpenWrt:~# swconfig list
Found: switch0 - eth1

root@OpenWrt:~# swconfig dev switch0 help
switch0: eth1(AR934X built-in switch), ports: 5 (cpu @ 0), vlans: 16
     --switch
	Attribute 1 (int): enable_vlan (Enable VLAN mode)
	Attribute 2 (int): mirror_monitor_port (Mirror monitor port)
	Attribute 3 (none): apply (Activate changes in the hardware)
	Attribute 4 (none): reset (Reset the switch)
     --vlan
	Attribute 1 (int): vid (VLAN ID)
	Attribute 2 (ports): ports (VLAN port mapping)
     --port
	Attribute 1 (int): enable_mirror_rx (Enable mirroring of RX packets)
	Attribute 2 (int): enable_mirror_tx (Enable mirroring of TX packets)
	Attribute 3 (int): pvid (Primary VLAN ID)
	Attribute 4 (unknown): link (Get port link information)

The CPU is on port 0, but which port is used by eth1?

root@OpenWrt:~# swconfig dev switch0 show
Global attributes:
	enable_vlan: 0
	mirror_monitor_port: 15
Port 0:
	enable_mirror_rx: 0
	enable_mirror_tx: 0
	pvid: 0
	link: port:0 link:up speed:1000baseT full-duplex txflow rxflow 
Port 1:
	enable_mirror_rx: 0
	enable_mirror_tx: 0
	pvid: 0
	link: port:1 link:down
Port 2:
	enable_mirror_rx: 0
	enable_mirror_tx: 0
	pvid: 0
	link: port:2 link:down
Port 3:
	enable_mirror_rx: 0
	enable_mirror_tx: 0
	pvid: 0
	link: port:3 link:down
Port 4:
	enable_mirror_rx: 0
	enable_mirror_tx: 0
	pvid: 0
	link: port:4 link:up speed:100baseT full-duplex auto
VLAN 0:
	vid: 0
	ports: 0 1 2 3 4 

Port 4 is the only other active port (nothing is plugged into the WAN port), so ports 0 and 4 need to participate in the VLANs.

Then it's just a matter of tagging every desired VLAN for both the CPU and the Ethernet port, to make the Ethernet port a trunk to carry those VLANs.