Bridge Mode and management VLAN


I installed OpenWRT on a NanoPi with 1 onboard eth0 interface (, and a eth1 interface over a USB to LAN adapter (
I wanted to bridge both interfaces and still be able to access LEDE. So I think a management VLAN will be needed.

I connected the NanoPi directly to my laptop, I than created a new interface, eth0.2, gave it the IP address, and added it to the LAN firewall rule.
I than set the IP address of my laptop LAN interface to, but I have no access to NanoPi.

What have I done wrong?

Thank you

The eth0.2 interface implies that you are using dot1q vlans, so if you have not configured your laptop accordingly you won't be able to communicate.
Basically you don't need any management vlan. Just assign an IP/mask (optionally gw,NS) on the bridge interface and use that one for management.


Thank you for your answer.

In bridge mode I can access LEDE if the NanoPI is connected to any of the LAN ports of my Ubiquiti router.

When I connect the NanoPi to the modem, and the other port to the Ubiquiti's WAN port, the bridge works well, but I lose access to LEDE. Even if I assign an IP to eth0/1.

When you use a kernel bridge such as br-lan, it is a layer 2 bridge. The ports can't have their own IP addresses. They all operate with the IP from br-lan. It works like an unmanaged switch.

Putting the device on the WAN side of your main router it has to have a WAN like address for you to reach it. That is an address that is outside of the LAN range, so the router knows to route it out to the WAN port as the default route (for all IPs that are outside the router's known networks).

My local LAN has the addresses

I configured br_lan with the address

I connected it to the WAN port of my main router, but still can't access LEDE.
Do I have to change any firewall rule on my main router???

You should assign to Ubiquity WAN port an IP in the range
Then use that IP address as gateway in br-lan interface.

But what is the point of this network bypass?

Oh, I'm just trying out how to bridge 2 interfaces. The goal is to use the NanoPi Neo with an USB LTE modem connected to it, as a regular modem with LAN interface. The would let all the routing/VPN stuff the the already configured Ubiquiti router.

By the way, do you think a NanoPi Neo2 with 4x A53 cores are powerful enough for that task (I expect an LTE connection around 200Mbit/s max)?

mmh, shouldn't the WAN port of the router be configured as DHCP in order to get an (public) IP address from the ISP???

Yes, if I give my WAN port an address in the same range as the OpenWRT, it works, but I loos access to the internet.

What you're doing now then is really making it more complicated and not in the direction of that goal. After you set up what you need to set up, you should have a 4G to Ethernet converter that provides a WAN gateway address via DHCP, just like a cable or DSL modem does.

Just like is possible with a cable modem, administration of that device over the WAN cable is done one of two ways.

If the modem is also routing, the WAN gateway IP is also the IP used to log into the modem. It is important that this network be outside the LAN range of the main router. This way when a machine on the main router's LAN goes to the modem IP, the main router considers it an unknown network and by default forwards it out the WAN port.

If the modem is not routing, the main router obtains a public IP from the modem. There is also a separate interface on the modem for administration. On cable modems, this address is usually Again this address is outside the main router's LAN, so it can be accessed by being routed to the WAN port.

1 Like

Yes that's what I want it to do. But it isn't working, except if I set a static address (in the same range as the bridge in the Openwrt's) for the WAN port of the main router.

Is there a default firewall rule that blocks the access to the management website if the source is not in the IP range of the bridge???

If you have configured the bridge to belong in the LAN firewall zone, then all traffic is accepted.
Otherwise you need to verify that firewall is not blocking it.
However you could test more easily by moving the NanoPi inside the LAN.