Assign port VLAN membership dynamically

Hi guys,

I usually use Linux for all of my tasks, but recently I had to install Windows 11 on my PC because of a very specific program. As a result, my system now runs in dual-boot mode. I have never trusted Microsoft products, especially since the release of Windows 10, when many users raised concerns about privacy issues.

Because of this, I decided not to allow Windows to connect to my LAN. Instead, I assigned a dedicated physical port to my guest VLAN and physically switch the Ethernet cable to that port whenever I need to boot into Windows. I understand that this is not intended to be a permanent solution, but it serves as a temporary workaround.

What I want to achieve

I would like to change the VLAN membership of that port dynamically based on the operating system that is currently booted. In short:

  • If I boot into Linux, the port should have access to the LAN.

  • If I boot into Windows, the Ethernet connection should be restricted to the guest network.

I have never encountered a similar scenario before, so I am not sure how to approach this and am currently stuck. Perhaps 802.1X could be a solution, but the official wiki mainly focuses on wireless networks. I am unsure whether it would also work over a wired connection (802.1X EAP?), since sources (even on this forum) seem to contradict each other.

Any answers / ideas would be appreciated.

Thanks in advance!

In Windows, set the Ethernet port to a VLAN you firewall only to the WAN, assuming you trust Windows to do that and you have that control.

1 Like

You could set the Linux box to use a VLAN (tagged) for its network interface and Windows to use the untagged network. Then set up a trunk port with 2 VLANs: untrusted is untagged, trusted is tagged.

The above is the simple/poor-man’s approach.

The more complicated method is to set up a RADIUS server and use 802.1X authentication.

5 Likes
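The trunk-port variant described above, written out as an OpenWrt (21.02+, DSA) `/etc/config/network` excerpt. This is an added example, not configuration from the thread: the port name `lan3`, the VLAN IDs 10 (trusted) and 20 (guest) and the addresses are assumptions chosen for illustration.

```uci
# /etc/config/network (excerpt) -- assumed port lan3 is the dual-boot PC's port

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

# Trusted LAN, VLAN 10: untagged on the other ports, TAGGED on lan3.
# Only a host that tags its frames with VLAN 10 (the Linux install) lands here.
config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3:t'

# Guest network, VLAN 20: untagged and PVID (u*) on lan3.
# Untagged frames from the port (the Windows install) land here.
config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan3:u*'

config interface 'lan'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config interface 'guest'
        option device 'br-lan.20'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'
```

On the Linux side the PC then uses a tagged sub-interface for VLAN 10 (for example `ip link add link eth0 name eth0.10 type vlan id 10`, with the address configured on `eth0.10`), while Windows is left with its plain untagged configuration. The `guest` interface still needs a firewall zone that forwards only to `wan`, as the first reply says. The caveat to keep in mind is that this separation depends on the untrusted OS not tagging frames itself; the switch port cannot tell which OS is booted, only whether a frame carries tag 10, which is why the 802.1X/RADIUS route mentioned in the same reply exists: it assigns the VLAN based on who authenticates rather than on how the host tags.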

Thanks!

To be honest, it would be easier to apply your simple approach, but I mainly use my setup as a homelab to discover and practice new techniques.

802.1X sounds interesting, so I'll give it a try. Do you think it is feasible using OpenWrt? I'm aware it is not a big deal with wireless connections, but what about wired ones? I'm a little bit confused because the official wiki says it is currently not supported. On the other hand, there are several posts on this forum discussing that topic (with more or less success).

To get an idea of what is needed to provide this functionality, take https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/assembly_setting-up-an-802-1x-network-authentication-service-for-lan-clients-using-hostapd-with-freeradius-backend_configuring-and-managing-networking as an example.

This mostly relates to Wi-Fi, which is somehow far easier to achieve with poor man's workarounds that are far more than good enough for most home and small network use cases.

What psherman suggested, or just use a Win11 VM without internet access. I use the latter + autounattend.xml to create a Win11 VM when needed.

(https://schneegans.de/windows/unattend-generator/)
