Exploring VLANs, Network Security, DSA Compatibility, and Wireless Access: Questions and Best Practices

I'm in the process of setting up my home network from scratch again and have several questions regarding VLANs and network security. For illustration, I'm using the following VLANs: 10 for Management, 20 for LAN, 30 for IoT, and 40 for Guests.

  1. What's the most effective way to restrict access to the web GUI of the VLANs? Can setting the Interface Protocol to 'Unmanaged' achieve this, or are there better security measures for managing the GUI?
  2. If an interface is set to 'Protocol: Unmanaged,' can OpenWRT still operate a DHCP service on this interface? If so, how should I specify the IP address?
  3. In the Linux context, VLANs are typically divided into sub-interfaces like eth0.10, eth0.20, etc., under an eth0 parent device. What happens to the original device (eth0)? Can it still be used, say, for management, or is it better to use a sub-interface like eth0.10 for such purposes?
  4. I own a router with only two ports. How can I determine whether it supports DSA (Distributed Switch Architecture) or not?
  5. Is it necessary to associate each VLAN interface with a separate bridge to enable access to that VLAN over WiFi?
  6. I came across a forum post suggesting the use of a wpa_psk_file to facilitate access to VLANs over WiFi, which appears to be an elegant solution. However, I'm curious about which OpenWrt version supports this, and whether bridges need to be created for this purpose, or how the mapping between WiFi and, for example, the eth0.20 device functions?

This isn't so much about the network/VLANs themselves, but rather the firewall. The easiest way is to associate the network with a firewall zone that has the input rule set to drop or reject. Be aware that this will result in hosts on that network not being able to access the router at all, including DHCP and DNS. Often, an accept rule will be created to allow DHCP and DNS. This method is common for guest and IoT networks.

No. Unmanaged is purely used if you are in a dumb AP or switch mode where the VLAN is simply being bridged through two or more physical interfaces. The router itself will not have any services on an unmanaged network.

The base device can still be used, in general, but there is a lot of nuance.

  • For DSA based devices using bridges, it is best (possibly required) to set the bridge as a device and then create a bridge-vlan for what would normally be the base device. I can give specific examples if you need.
  • For individually routed ports (i.e. no switch), using the base device results in an untagged network.
  • For devices with a built-in switch that still uses swconfig, usually all networks are tagged between the CPU and the switch chip, and the switch configuration is what allows you to set a given network as tagged or untagged on each port.

Chances are that they are two individually routed ports with no switch. There are exceptions to this, though. Post your config and we can tell you.

Yes. A bridge is basically an unmanaged switch but in software. It is necessary any time you want to connect a network to more than one physical interface (i.e. ethernet + wifi, multiple wifi radios, etc.).

This is relatively newly supported. I think 22.03 supports it, and for sure 23.05. I've never used it, but the principle is simple -- one SSID, multiple networks, multiple passwords. The password used for connecting to the SSID will determine the network to which the host device gets connected.


Thanks for the clear explanation! Your insights were very helpful.

  1. So firewall zones that block access to the GUI should have the following configuration:
    Name: "Gui block"
    Protocol: "TCP"
    Source zone: "Guest" (eth0.40)
    Source address: ""
    Source port: ""
    Destination zone: Device (input)
    Destination address: ""
    Destination port: "80;443"
    Action: Drop.
  2. To simplify, does 'untagged' essentially mean using eth0?
  3. Yes, I interpreted it that way as well. However, I was wondering if you also need to create a bridge for this when the 'SSID' is mapped to the (vlan) device with wpa_psk_file?

I'd have to see the complete configuration to know for sure if this is correct, but generally speaking, yes, that's the idea. Don't forget, there is also ssh access, so the router is still accessible, and if you have any other services running, those would be, too. For guest and IoT networks, usually the strategy is to block all and then explicitly allow the services that are needed/desired.

Yes, but this depends on your hardware (are you using a device with individually routed ports or a built-in switch?)... again, your config could be useful here, too.

I don't know the answer to this. But there are a few threads on the topic -- check those out and you may get your answers (or you can ask in those threads).


Thank you very much.

  1. Model: D-Link COVR-X1860 A1
    Architecture: MediaTek MT7621 ver:1 eco:3
    Target Platform: ramips/mt7621
    Firmware Version: OpenWrt SNAPSHOT r23694-9b80635510 / LuCI Master git-23.215.54576-0ea7495

I will provide you with the firewall configuration when I'm ready.

Is this the same device as D-Link DAP-X1860 A1?
If so, you should install 23.05.0 unless you have a specific reason to use a snapshot build.

https://firmware-selector.openwrt.org/?version=23.05.0&target=ramips%2Fmt7621&id=dlink_dap-x1860-a1

I just followed:

However, I would be happy to use the (official?) firmware, if I can use the same firmware as the DAP-X1860 A1, and it won't brick my device.

No, it looks like they are indeed different devices. Don't flash the DAP version to your device (unless someone knowledgeable about those two models can tell you it's safe).

Thank you! But the question remains: it seems to work with the DSA configuration, but here you could also create a VLAN device and a bridge for each VLAN. For example: internet.10 internet.20 internet.30 internet.40.

let's see your config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ubus call system board
{
        "kernel": "5.15.123",
        "hostname": "",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "D-Link COVR-X1860 A1",
        "board_name": "dlink,covr-x1860-a1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r23694-9b80635510",
                "target": "ramips/mt7621",
                "description": "OpenWrt SNAPSHOT r23694-9b80635510"
        }
}
cat /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fded:e870:c7f0::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'ethernet'
        list ports 'internet'

config device
        option name 'ethernet'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'lan'
        option device 'br-lan.20'
        option proto 'static'
        option ipaddr 'xxx.xxx.20.xxx'
        option netmask '255.255.255.0'
        option gateway 'xxx.xxx.20.3'
        option delegate '0'

config device
        option name 'internet'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'internet:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'ethernet:u*'
        list ports 'internet:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'internet:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '40'
        list ports 'internet:t'

config interface 'Gast'
        option proto 'none'
        option device 'br-lan.40'

config interface 'Familie'
        option proto 'none'
        option device 'br-lan.20'

config interface 'IoT'
        option proto 'none'
        option device 'br-lan.30'

Firewall doesn't matter because this device is just a dumb access point with System->Startup dnsmasq disabled and firewall disabled. For management, the VLAN ID is 10, not 20. I have corrected my previous post.
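Added example, not code from this thread or from OpenWrt itself: a small Python parser for the UCI format shown in the config above. It does two things that the thread discusses in words. First, it reads the `bridge-vlan` sections and reports, per VLAN, which ports carry it tagged (`:t`), untagged (`:u`) or untagged with PVID (`:u*`), so you can confirm that the management VLAN is tagged-only on the uplink. Second, it applies the guest-zone pattern from the first reply (zone `input` set to REJECT, then explicit accept rules for DHCP and DNS) to a constructed `/etc/config/firewall` and summarizes each zone's input policy and the services it explicitly accepts. The sample configs, and the zone/network names `lan` and `guest`, are constructed for illustration; the checker reads only a zone's own `input` option and does not consult the `defaults` section, and it treats a `rule` with a `src` but no `dest` as an input rule (traffic to the router itself).

```python
# Added example (not from the thread or OpenWrt): parse UCI config text and
# audit bridge-VLAN port membership and firewall zone input policy.
from collections import defaultdict

def parse_uci(text):
    """Parse UCI 'config/option/list' lines into a list of section dicts."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "config":
            name = parts[2].strip("'\"") if len(parts) > 2 else None
            cur = {"type": parts[1], "name": name,
                   "options": {}, "lists": defaultdict(list)}
            sections.append(cur)
        elif parts[0] == "option" and cur is not None:
            cur["options"][parts[1]] = parts[2].strip("'\"")
        elif parts[0] == "list" and cur is not None:
            cur["lists"][parts[1]].append(parts[2].strip("'\""))
    return sections

def bridge_vlan_map(sections):
    """{(bridge, vlan): {port: mode}}; ':t' tagged, ':u' untagged, ':u*' untagged+PVID."""
    result = {}
    for s in sections:
        if s["type"] != "bridge-vlan":
            continue
        members = {}
        for entry in s["lists"]["ports"]:
            port, _, flags = entry.partition(":")
            members[port] = ("tagged" if "t" in flags
                             else "untagged+pvid" if "*" in flags else "untagged")
        result[(s["options"]["device"], int(s["options"]["vlan"]))] = members
    return result

def audit_zones(sections):
    """{zone: {'input': policy, 'accepted': [(proto, dest_port)]}}.
    A 'rule' with 'src' but no 'dest' governs traffic into the router itself."""
    zones = {}
    for s in sections:
        if s["type"] == "zone":
            o = s["options"]
            zones[o["name"]] = {"input": o.get("input", "unset"), "accepted": []}
    for s in sections:
        o = s["options"]
        if s["type"] != "rule" or "dest" in o or o.get("target") != "ACCEPT":
            continue
        if o.get("src") in zones:
            zones[o["src"]]["accepted"].append(
                (o.get("proto", "any"), o.get("dest_port", "any")))
    return zones

def open_to_router(zones):
    """Zones whose default input policy is neither REJECT nor DROP."""
    return sorted(z for z, v in zones.items() if v["input"] not in ("REJECT", "DROP"))

# Constructed sample: management VLAN 10 tagged only on the uplink, VLAN 20
# untagged (and PVID) on the client port and tagged on the uplink.
NETWORK_SAMPLE = """
config bridge-vlan
    option device 'br-lan'
    option vlan '10'
    list ports 'internet:t'
config bridge-vlan
    option device 'br-lan'
    option vlan '20'
    list ports 'ethernet:u*'
    list ports 'internet:t'
"""

# Constructed sample: guest zone rejects input by default and only accepts
# DHCP (udp/67) and DNS (tcp+udp/53); zone and network names are assumptions.
FIREWALL_SAMPLE = """
config zone
    option name 'lan'
    option input 'ACCEPT'
    list network 'lan'
config zone
    option name 'guest'
    option input 'REJECT'
    list network 'guest'
config rule
    option src 'guest'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'
config rule
    option src 'guest'
    option proto 'tcp udp'
    option dest_port '53'
    option target 'ACCEPT'
"""

if __name__ == "__main__":
    print(bridge_vlan_map(parse_uci(NETWORK_SAMPLE)))
    zones = audit_zones(parse_uci(FIREWALL_SAMPLE))
    print({z: (v["input"], v["accepted"]) for z, v in zones.items()})
    print("zones open to the router:", open_to_router(zones))
```

To use it against a real device, paste the output of `cat /etc/config/network` and `cat /etc/config/firewall` into `parse_uci` instead of the constructed samples; any zone that `open_to_router` lists and that carries a guest or IoT network is one whose hosts can still reach the web GUI and ssh.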

So this all looks fine -- basically appears to be DSA. Is there a question/concern about the config?

No, only if I could confirm beforehand that it supports DSA before I proceed with trial and error, or if I could also proceed with configurations like internet.10, internet.20, etc.

This should work; even if it is not DSA, the syntax can still be applied.

From this perspective, sure, you are right, because LuCI transfers it into the same configuration file.

For today, I say thank you very much. I'll show you my router and firewall settings later if you'd like to review them.

If you would like a review, feel free to post the configs.

Otherwise, I think you should be all set.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

A PR for adding covr-x1860 support is pending (waiting for the prerequisites for the firmware utilities/encryption stuff to be merged first); while dap-x1860 and covr-x1860 are roughly similar, each of them needs its own bespoke firmware image (and that isn't merged for the latter, yet).

I had a really difficult time configuring my router for 'Individual per-passphrase Wifi VLANs using wpa_psk_file (no RADIUS required),' and as long as I'm tinkering with this, I won't change my main router's default firewall settings. So I will mark this thread as solved. If I encounter any issues with my firewall settings in the future, I will create a new thread.

Thank you all.
