Dynamic MAC-based VLAN assignment for OpenWrt network

I'm looking for any documentation or tutorial on how to configure dynamic MAC-based VLAN assignment on an OpenWrt router.

Precondition:

  • There is a main OpenWrt router with 2 VLANs configured on it: LAN and Guest.

Goal details:

  • scenario_1 (default): any device connected to an Ethernet port of the OpenWrt router should be auto-assigned to the Guest VLAN (to get a Guest IP address).
  • scenario_2: any device connected to an Ethernet port of the OpenWrt router AND whose MAC address is present in the "LAN" MAC list should be auto-assigned to the LAN VLAN (to get a LAN IP address).

Any suggestion (the simplest way) on how to start using MAC-based authentication for the scenarios defined above on OpenWrt v.21.0x or higher with the DSA framework?

I do not think this is how VLANs actually work (they work on a per-port basis, not on a per-host basis, independent of how you identify hosts)... so you want some special sauce here... If the end device is not using VLAN tags itself, you require an untagged port. Now, if one of your guest MACs (hopefully your guests do not know how to spoof MAC addresses or have MAC randomization activated) shows up, you will need to figure out the switch port/LAN they are connecting over, and then add/move that port to the guest VLAN (which might be empty). However, if the switch port is connected to another switch and you see both guest and non-guest MACs on the same port, you need to figure out how you want to deal with it.

The more traditional approach is to statically assign one or more switch ports to the guest VLAN and only connect guest devices to those ports, and for WiFi you need to create a dedicated guest SSID and bridge it to the guest VLAN as well.

Honestly? Not at all. MACs are easily changed, so they are not reliable identifiers for strict security isolation (however, if your adversaries are not all that sophisticated, MAC-based isolation might be enough of a stumbling block to be worth your while).

BTW, I would not maintain two sets of MACs (because what to do with MACs in neither list?) but would auto-assign everything to guest and only elevate select devices to the LAN if the MAC is in your allowlist...


A RADIUS config can be used. Known MAC addresses get a defined VLAN (via Tunnel-Private-Group-Id) and everything without a match gets a default VLAN. VoIP phones, printers and other dumb stuff without proper 802.1X support get their VLAN this way in enterprise LAN networks.

Edit: typos


Yes, exactly. I would like to know if the OpenWrt architecture theoretically allows a config where multiple clients on a single switch port receive different untagged VLAN assignments. If yes, then we can proceed with this.

Yes, but it is more for flexibility. The idea is not related to security (although some minimum level of security is added here), but rather to flexible connection. All the requirements in the description are simplified; there can be many more VLANs, and I just need to allow clients to use any free untagged LAN port in a specific public room, and any LAN-connected laptop should be auto-assigned to the appropriate VLAN customer group based on its MAC.

I find your goal interesting and would like to see a proof of concept for wired 802.1X on OpenWrt too.
At the moment I do not have the time to dig deeper into it, but I found at least this somewhat useful to get a rough idea: https://docs.nvidia.com/networking-ethernet-software/cumulus-linux-40/Layer-1-and-Switch-Ports/802.1X-Interfaces/
Please keep us updated on your progress!
At the moment I only have MAC-address-based VLAN assignment on WiFi with traditional PSK/WPA2 without WPA2-Enterprise. But I would like to get it for wired clients too. For the same reason: I'm lazy and want to just plug in a cable, and at home I have no high security requirements ^^

Not sure if my level of experience with OpenWrt would allow me to configure it on my own from scratch.

I am currently just trying to get confirmation that this is even possible on OpenWrt.
That's why I've started here with a question: there is a lot of info that can be googled for this "solution" for other projects or brands, but unfortunately I've found nothing for OpenWrt.

This looks promising: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/assembly_setting-up-an-802-1x-network-authentication-service-for-lan-clients-using-hostapd-with-freeradius-backend_configuring-and-managing-networking
The last point 20.6. Configuring hostapd as an authenticator in a wired network

I guess yes and no... your switch port by itself will not be able to differentiate between different untagged packet sources; however, you should be able to configure the switch such that all packets are passed to the kernel isolated, and the kernel should be able to do whatever it likes based on whatever criterion. However, that will create high traffic on the CPU-2-switch port, since now every packet between machines on the LAN needs to traverse the CPU port twice...

I still wonder what kind of flexibility you are looking for here, how many devices (wired and wireless) are you expecting in your network?

I respectfully argue, the default OpenWrt works out of the box by simply plugging devices in. Not saying your use-case is not justified, but it does not appear the most lazy/hands-off approach.

As OpenWrt nowadays runs on switches too, with 10, 16, 24, ... ports, you simply would not reconfigure ports every time you plug in a device. Especially given the fact that you cannot configure ports like on an enterprise switch: you need to restart half the network stack, which affects all connected devices. If, however, it is possible to easily configure individual ports on DSA, please tell me; I will be more than happy to hear it.
If I get my dsg1210 debricked soon, I will try to configure hostapd with the Red Hat document, because it looks really simple (as I mentioned, I have the hostapd and FreeRADIUS setup already in place to put unknown WiFi clients in a default guest VLAN).

This is the promise of DSA: individual ports can just be configured using the normal kernel tools for interfaces; in fact, to make a switch a switch, you need to create a bridge over all its ports...

You have seen the note that hostapd will not do any interface configuration for you, so expect some shell scripting to get the required 'magic' performed.
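One way to do the shell-scripting 'magic' referred to above, as an added example that is not from this thread, from OpenWrt or from hostapd: a POSIX sh script that implements the "everything is Guest, allowlisted MACs get elevated to LAN" policy on a DSA switch by moving a port's untagged PVID with the iproute2 `bridge` tool, which is what DSA exposes per port. Everything below is an assumption for illustration: the bridge is `br-lan` with VLAN filtering enabled, LAN is VID 10, Guest is VID 20, switch ports are named `lan*`, the allowlist is constructed inline, and exactly one end device hangs off each port. It does not solve the case raised earlier of several untagged hosts on one port (a port has one PVID), and it inherits the MAC-spoofing weakness discussed above.

```sh
#!/bin/sh
# Added example (not from the thread, not OpenWrt code): MAC-allowlist VLAN
# assignment for a DSA switch by moving each port's untagged PVID.
# Assumptions: bridge "br-lan" has vlan_filtering enabled, LAN is VID 10,
# Guest is VID 20, switch ports are named lan*, and one end device hangs off
# each port (a downstream switch on a port breaks the per-port model).

BRIDGE="${BRIDGE:-br-lan}"
LAN_VID="${LAN_VID:-10}"
GUEST_VID="${GUEST_VID:-20}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the bridge commands instead of running them

# Constructed allowlist: MACs allowed into LAN. Everything else is Guest.
LAN_ALLOWLIST="aa:bb:cc:dd:ee:01
aa:bb:cc:dd:ee:02"

# Lower-case a MAC so lookups ignore how the client or the kernel formats it.
norm_mac() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# The policy: allowlisted MAC -> LAN VID, anything else -> Guest VID.
decide_vlan() {
    if printf '%s\n' "$LAN_ALLOWLIST" | grep -qxF "$(norm_mac "$1")"; then
        echo "$LAN_VID"
    else
        echo "$GUEST_VID"
    fi
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Make $2 the single untagged access VLAN on port $1: drop the other VID first
# so a host can never sit in both, then set the new PVID.
apply_port_vlan() {
    port=$1 vid=$2
    if [ "$vid" = "$LAN_VID" ]; then other=$GUEST_VID; else other=$LAN_VID; fi
    run bridge vlan del dev "$port" vid "$other" 2>/dev/null || true  # may already be absent
    run bridge vlan add dev "$port" vid "$vid" pvid untagged
}

# Parse one line of `bridge fdb show br $BRIDGE`, e.g.
#   aa:bb:cc:dd:ee:01 dev lan1 vlan 20 master br-lan
# Prints "<port> <current vid> <mac>"; prints nothing for entries to ignore:
# the bridge's own permanent addresses and anything not on a lan* port.
parse_fdb_line() {
    set -- $1
    mac=$1; shift
    case " $* " in *" permanent "*) return 0 ;; esac
    port="" cur=""
    while [ $# -gt 0 ]; do
        case "$1" in
            dev)  port=$2; shift ;;
            vlan) cur=$2;  shift ;;
        esac
        shift
    done
    case "$port" in lan*) ;; *) return 0 ;; esac
    printf '%s %s %s\n' "$port" "${cur:-0}" "$mac"
}

# Read fdb lines on stdin and move any port whose learned MAC is in the wrong VLAN.
reconcile_fdb() {
    while read -r line; do
        entry=$(parse_fdb_line "$line")
        [ -n "$entry" ] || continue
        set -- $entry
        port=$1 cur=$2 mac=$3
        want=$(decide_vlan "$mac")
        if [ "$cur" != "$want" ]; then
            echo "macvlan: $mac on $port: vid $cur -> $want" >&2
            apply_port_vlan "$port" "$want"
        fi
    done
}

reconcile() { bridge fdb show br "$BRIDGE" | reconcile_fdb; }

# Run as a daemon: `./macvlan.sh --daemon`. Polling is crude but needs nothing
# beyond iproute2; a hotplug handler could instead trigger reconcile on link events.
if [ "${1:-}" = "--daemon" ]; then
    while :; do reconcile; sleep 5; done
fi
```

Two practical caveats for anyone trying this on OpenWrt: the `bridge vlan` changes are runtime only, so the default (every `lan*` port untagged in the Guest VLAN) should live in the UCI `bridge-vlan` config so that a reboot or `/etc/init.d/network reload` lands back in scenario_1, with only the elevation being dynamic; and nothing here moves a port back to Guest when a LAN device is unplugged, so a hotplug script on link-down calling `apply_port_vlan <port> $GUEST_VID` is needed to close that window. `DRY_RUN=1` prints the commands instead of executing them, which is also how the test below exercises the logic without a real switch.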

Sweet! However, I am simple-minded enough that offering a guest and a non-guest SSID and configuring each device to select the desired one (for IoT devices that means never ever entering the password for the non-guest SSID). But I am only wrangling a small number of devices in a generally friendly setting, so I assume I am simply too naive/daft to see what a RADIUS-based approach can offer.