Configuring LAN and WAN on same physical (wired) interface

Hello board!

I am trying to configure OpenWRT to use the same ethernet port for its LAN and WAN interfaces.

My use case is to run OpenWRT+OpenVPN on a RaspberryPI3b+ (single eth port) to offer a VPN'd gateway on my LAN. I'd like to be able to plug the Pi to an eth port on my router, have the Pi configure its WAN IP via DHCP (192.168.1.x). Then I set the Pi's LAN IP to, so that any home device that I configure on 192.168.2.x with as gateway is routed through the Pi's VPN.

I've tried to use interface aliases and VLANs without success.

Is my objective feasible at all?


If it's possible then it will be complicated. And if (or when) things get messy, they will be difficult to diagnose. i'm curious, though to see how it can be done.

Or if you have a USB Ethernet dongle, you can just use it to add another LAN port.


Yes, but you'll need to understand VLANs so that the downstream devices "understand" that there are two virtual ports.

Since this is a static setup, you might as well configure the Pi with static addresses and take that mess away.

The Pi and the router will both need to be configured for VLANs, say 10 and 20, tagged on the router's switch and tagged on the Pi's interface. That way the router's eth0.10 and the Pi's enx0.10 (or whatever the base interfaces' names are) get used for the and the eth0.20 and enx0.20 for the (numbers at your discretion).

For that matter, you really don't need them to be on different subnets. Using the "dot one" is merely a convention. You could probably have the Pi on (to pick a number) as a single interface and have it all work. The Pi has as its default gateway. The devices you want to route through the VPN have as their default gateway.


are you actually trying to enforce separation between two subnets? because you could always just have the raspberry pi offer to be a gateway and those members of the subnet that want their traffic encrypted use your raspberry pi as the gateway those that want unencrypted use the main router as the gateway

to do this configure the pi as and any device that wants VPN sets their gateway to instead of .1


Thanks Jeff. I indeed don't necessarily want two separate subnets. If I configure all my devices on the same subnet and set static IPs for the Pi's WAN and LAN ifaces, do I still need to configure VLANs? What interfaces would I set for LAN and WAN? eth0 for both?

dlakelan - thank you for your reply. No I'm not trying to enforce separation. How would I configure the Pi to do what you're suggesting? Do I set ifname=eth0 and proto=static for both, and additionally type=static for LAN? would that work? Thanks!

are you running openwrt on the pi? I think the pi just needs a LAN and a VPN interface, the main router is the only one with WAN.

on the pi any packet coming in on LAN destined for the internet goes to VPN. any packet generated by the PI goes to as gateway. probably requires a little policy routing.


^ works well.... i run similar via x64 vbox....

the only tricky thing about such a setup is on the vbox looking out when it comes to firewalling, on the vbox.... as the endpoint is already inside.... the perspective gains another layer.... works by general setup guidelines tho'

while inefficient.... it's also possible to reflect / perform the policy side on the true gateway ( for non-pi/vbox hosts )..... via the internal vbox LAN ip. very effective and easy to configure assuming the true gateway has this support. lucky for me it openwrt :wink:

for the pi/vbox... a few routes in the vpn config will also do nicely.

1 Like

thanks ! Yes it looks like doing a little routing will be easier than having two interfaces.