First vlan with OpenWRT

Hi, I'm a newbie in OpenWRT. I'm trying to learn how to use/configure OpenWRT. For starters, I want to configure my 22.03 OpenWRT router with a VLAN and connect all my TVs to that VLAN. The idea is to separate all the TV traffic from the rest of the network, with one exception: they still need to access my Plex host on my network.
Is there a place that I can start looking at examples for such a configuration?
Thanks for your help in advance.:hatching_chick:

Are your TVs on ethernet or wifi connections?

If wifi, you can treat it like a wifi guest network and then make a few minor changes to the firewall rules to allow communications with the plex host.

If you're using ethernet, you'll probably be looking at proper VLANs, as described in the VLAN article. Implementation details will depend on the hardware you are using and how things are physically connected. If you'd like to share those details, we can give you more specific advice.

There are 4 TVs and all of them are wired. Eventually I would like to use Ansible to configure them (somebody wrote a module for OpenWRT), but to start off I'm using the GUI, saving the commands and inspecting them.
I read that article already. I'm pretty new to the concepts and can't say I have a good grasp on them yet, but I'm trying to understand the stanzas and go from there...
I'm using an old router; I cleared the WAN port and added an interface br-lan where I have 3 devices: the br-lan bridge device, the eth0 network device and the eth0.1 VLAN.

To test it out, I want to use just one router port, put it on a VLAN and configure it to access Plex. If I can get that done, I can probably work it out from there.

Let's see the config from that device.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Below is the information requested:

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '[redacted]::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway 'X.X.X.1'
	list dns_search 'my.tld'
	list dns 'X.X.X.200'
	list dns 'X.X.X.210'
	option ipaddr 'X.X.X.2'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '8t 1 2 3 4 0'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:01.0/bcma1:1'
	option band '2g'
	option cell_density '0'
	option disabled '1'
	option channel '4'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option disabled '1' # it's not enabled yet
	option encryption '[redacted]'
	option key '[redacted]'
	option network 'lan'
	option mode 'ap'
	option ssid 'ap_[redacted]'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'
	option dynamicdhcp '0'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

An example of adding another interface and assigning it to a new VLAN 10, taking one port out of VLAN 1 and moving it to VLAN 10.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'


config device
	option name 'br-test'
	option type 'bridge'
	list ports 'eth0.10'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway 'X.X.X.1'
	list dns_search 'my.tld'
	list dns 'X.X.X.200'
	list dns 'X.X.X.210'
	option ipaddr 'X.X.X.2'

config interface 'test'
	option device 'br-test'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ipaddr '10.0.0.2'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '8t 2 3 4 0'

config switch_vlan
	option device 'switch0'
	option vlan '10'
	option ports '8t 1'

You'd then also need to set up DHCP for the test interface, and assign it to a firewall zone with the proper forwardings to allow communication from/to wan or lan.

Thank you for your answer; however, I'm not willing to copy-paste code without understanding what I'm doing.

That's not necessarily a bad perspective, but it would be helpful for us if you could provide some insight into what you're not understanding. We can explain the purpose of the various stanzas/lines if we know where there is confusion.

So I'm a bit overwhelmed with this. A few days ago I knew nothing about setting up VLANs, and now, as I read more and more, I'm realizing I have to implement this across my whole network; it's a lot more complicated than I thought initially. I planned to create a VLAN on one router and thought that by changing one port I could make it work. But it doesn't seem to be that easy.
Here's what I have as far as network devices go:

  1. Main Router: Merlin LTS Fork (connects to the Internet; LAN port 1 goes to the managed switch TL-SG108E). I want to install OpenWRT on this when I feel confident enough with my OpenWRT knowledge. I used the YazFi script to create IoT and guest wifis and took many IoT devices out of my main network. They all work as of today and have different network segments, 10.34.3.X and 10.34.4.X.
  2. Switch #1: TL-SG108E - managed switch; port 2 goes to a dummy switch where all the TVs are connected, port 5 goes to Router #2.
  3. Router #2: OpenWRT 22.03 - Asus RT-N66U - the wire from Switch #1 goes into the WAN port, the 4 LAN ports are used by workstations, and this is the router I provided the above info for. I thought I could swap this with the dummy switch and connect all the TVs here, create a VLAN and take the TVs out like I did with the IoT devices, as a start.
  4. Switch #2: TL-SG108. All TVs are connected to this dummy switch.
  5. Router #3: OpenWRT 22.03 - Netgear WNDR3700 V3 - another wire from Switch #1 goes into the WAN port. This router is not used at all; I thought I could use it as a wifi extender over time, or as a test device for learning OpenWRT.
  6. Proxmox hosts: I have 3 of them and was planning to put them on a VLAN to make access to them more secure, possibly separating VM traffic from management traffic. The VMs are a Kubernetes cluster and I host my own websites; there are lots of workloads on the cluster. The main router port-forwards 443 to a load balancer here.

As you can see, lots of ideas but not enough knowledge about networking to implement or weed out bad ideas :frowning:
I thought carving out TVs to their own vlan network would be a good place to start and learn and implement other ideas as I go along...

Ok... so most of your ideas here are fine and easily achievable.

I'm a bit confused about this (from point 3):

You describe your main router as already having 2 subnets. Are you proposing a 3rd here? If so, why not create it on the main router? If you do that, all you have to do is add the additional VLAN to the switch and router 2.

This is fine and reasonable. Small nit here -- instead of calling this a wifi extender, a more accurate term would be a dumb AP. "Wifi extender" is vague and often means a completely wireless repeater. Here you have a wire (and this is the recommended approach), so you can make a dumb AP and it will just be another AP on your network.

You are a bit sparse about specifying what routers you're talking about…

[emphasis mine]

"Merlin" strongly suggests Broadcom based hardware, which is not going to run well with OpenWrt at all (especially the wireless side), so this medium-term plan might not be feasible.

Another Broadcom based device, for which there is no (wireless-) AP support at all.

We have no idea what kind of hardware we're talking about here.

Don't get me wrong, the wired side of these devices is supposed to work, including VLAN setup (well, swconfig or DSA, depending on the target (bcm47xx vs bcm53xx)), performance will be limited relative to the OEM firmware (Broadcom relies heavily on proprietary offloading for routing/ NAT, which is not available to OpenWrt) - and these devices are rather 'exotic' for OpenWrt (little development, very, very few users, you might be the first to notice bugs).

While I don't want to put you off this track, I would nevertheless suggest reconsidering the feasibility of these plans for 'production use' - or whether a hardware change might be a better way out.


YazFi Script creates vlans on the Wifi (wl0.1 and wl0.2 ), it doesn't create a wired vlan. Based on what I have seen, I think robocfg could do that but I haven't risked it yet. I can make changes on this router, I just have to be really careful.

Okay :+1:

I didn't know that. But looking at the information page closely:

Device      Architecture        Target Platform
Router 2    Broadcom BCM5300    bcm47xx/mips74k
Router 3    Broadcom BCM4716    bcm47xx/mips74k

I think this is what you are saying, BCM5300 doesn't work very well

Router #3 is Netgear WNDR3700 V3, I also updated my above post.

If you want to recommend one, I'm open to buying a new router.

Edit: Added Architectures

Is there a CLI or a shell script that can set up VLANs?

I'm also interested, but the UI is just confusing. I would like the CLI so I can write it down for later.
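Added example, answering the CLI question above and filling in the DHCP and firewall parts that the earlier VLAN 10 config example left out. This is not code from the thread, from OpenWrt or from any of the posters; it is a small POSIX shell script that prints the `uci` batch commands for the whole change so they can be read, saved and applied deliberately. Everything numeric in it is an assumption, not something the thread states: swconfig `switch0` with CPU port 8 and user ports 0-4 as in the posted config, the TV port being switch port 1, VLAN 10, the TV subnet 10.0.0.0/24 with this router at 10.0.0.1, a Plex host at 192.0.2.50 (a documentation address; replace it), Plex's default TCP port 32400, the `lan` zone being the first zone section in `/etc/config/firewall` and the first `switch_vlan` section being VLAN 1 (both true of the posted config). The zone is built least-privilege: input to the router is rejected except DHCP and DNS, forwarding is rejected except a single TCP rule to the Plex host.

```sh
#!/bin/sh
# Added example (not from the thread or OpenWrt): emit the uci commands that
# move one switch port into a TV VLAN, give it an interface, a DHCP pool and
# a firewall zone, and let that zone reach nothing but the Plex host.
# Review the output first, then apply with:
#   sh tv-vlan.sh print | uci batch && reload_config
#
# Assumed values (override via environment; none appear in the thread):
TV_PORT="${TV_PORT:-1}"              # switch port handed to the TVs
TV_VLAN="${TV_VLAN:-10}"             # 802.1Q id of the TV network
TV_ADDR="${TV_ADDR:-10.0.0.1}"       # this router's address on the TV net
TV_MASK="${TV_MASK:-255.255.255.0}"
PLEX_HOST="${PLEX_HOST:-192.0.2.50}" # placeholder Plex server address
PLEX_PORT="${PLEX_PORT:-32400}"      # Plex Media Server default TCP port
ALL_PORTS="0 1 2 3 4"                # user ports of switch0; 8 is the CPU

# Ports that stay in VLAN 1: every user port except the one given to the TVs.
lan_ports() {
    keep=""
    for p in $ALL_PORTS; do
        [ "$p" = "$TV_PORT" ] || keep="$keep $p"
    done
    printf '%s' "${keep# }"
}

# Refuse to emit anything if the port or VLAN id is not sane for this switch.
validate() {
    case " $ALL_PORTS " in
        *" $TV_PORT "*) ;;
        *) echo "TV_PORT $TV_PORT is not one of: $ALL_PORTS" >&2; return 1 ;;
    esac
    [ "$TV_VLAN" -ge 2 ] 2>/dev/null && [ "$TV_VLAN" -le 4094 ] ||
        { echo "TV_VLAN $TV_VLAN must be 2..4094" >&2; return 1; }
}

# Print the uci batch. @switch_vlan[0] is VLAN 1 and @zone[0] is lan,
# matching the order of the posted config files.
gen_tv_vlan_uci() {
    validate || return 1
    cat <<EOF
set network.@switch_vlan[0].ports='8t $(lan_ports)'
add network switch_vlan
set network.@switch_vlan[-1].device='switch0'
set network.@switch_vlan[-1].vlan='$TV_VLAN'
set network.@switch_vlan[-1].ports='8t $TV_PORT'
set network.tv_dev=device
set network.tv_dev.name='br-tv'
set network.tv_dev.type='bridge'
add_list network.tv_dev.ports='eth0.$TV_VLAN'
set network.tv=interface
set network.tv.device='br-tv'
set network.tv.proto='static'
set network.tv.ipaddr='$TV_ADDR'
set network.tv.netmask='$TV_MASK'
set dhcp.tv=dhcp
set dhcp.tv.interface='tv'
set dhcp.tv.start='100'
set dhcp.tv.limit='50'
set dhcp.tv.leasetime='12h'
set dhcp.tv.dhcpv4='server'
set firewall.tv=zone
set firewall.tv.name='tv'
set firewall.tv.input='REJECT'
set firewall.tv.output='ACCEPT'
set firewall.tv.forward='REJECT'
add_list firewall.tv.network='tv'
set firewall.tv_dhcp=rule
set firewall.tv_dhcp.name='Allow-TV-DHCP'
set firewall.tv_dhcp.src='tv'
set firewall.tv_dhcp.proto='udp'
set firewall.tv_dhcp.dest_port='67'
set firewall.tv_dhcp.target='ACCEPT'
set firewall.tv_dns=rule
set firewall.tv_dns.name='Allow-TV-DNS'
set firewall.tv_dns.src='tv'
set firewall.tv_dns.proto='tcp udp'
set firewall.tv_dns.dest_port='53'
set firewall.tv_dns.target='ACCEPT'
set firewall.tv_plex=rule
set firewall.tv_plex.name='Allow-TV-to-Plex'
set firewall.tv_plex.src='tv'
set firewall.tv_plex.dest='lan'
set firewall.tv_plex.dest_ip='$PLEX_HOST'
set firewall.tv_plex.proto='tcp'
set firewall.tv_plex.dest_port='$PLEX_PORT'
set firewall.tv_plex.target='ACCEPT'
set firewall.@zone[0].masq='1'
commit network
commit dhcp
commit firewall
EOF
}

case "${1:-}" in print) gen_tv_vlan_uci ;; esac
```

Apply it from a port that stays in VLAN 1 (or over wifi), because reconfiguring the switch will drop a session on the port being moved. Afterwards check the result: `swconfig dev switch0 show` should list the TV port in VLAN 10 only, `ip -br addr show br-tv` should show the TV address, and from a TV-side host a TCP connect to the Plex host on 32400 should succeed while SSH to the router's lan address and pings to any other lan host are refused. Replies need a return path: in the posted config the lan's default gateway is the upstream router (X.X.X.1), which knows nothing about 10.0.0.0/24, so the last firewall line masquerades TV traffic behind the router's lan address; if you would rather see real TV addresses in Plex's logs, add a static route for 10.0.0.0/24 via X.X.X.2 on the main router and drop the masq line. Internet access for the TVs is deliberately not granted: this router's wan zone has no network attached, so any internet path would be a forwarding from tv to lan, which must then be preceded by a rule rejecting the lan subnet itself or the isolation is gone.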

When your main router supports multiple subnets and VLANs, it is generally recommended that you use the main router for all of your networks -- this simplifies the management of your network and generally makes things more efficient. Maybe you can look into how to modify the configuration on your main router such that you can service those subnets with ethernet as well as wifi.

If you still wish to configure a new network on your OpenWrt device, you can start with the dumb AP + guest wifi configuration (described here) and then modify that configuration to connect the new network with ethernet.


@psherman thank you for all your input. It looks like there's scope creep on this ticket: as I discovered more about VLANs, it became evident that I have to deal with a variety of devices. Simply put, I don't have that know-how today. It is also evident that the devices that are NOT powered by OpenWRT are NOT the subject of this forum. I intend to close this ticket now and possibly seek help on creating a VLAN on the main router, taking it step by step from there as you suggest.

@trendy, @slh thank you for your contributions as well, I appreciate your input.
