Help with configuring VLAN


I'm new to OpenWrt and VLANs, I was able to make the VLANs work as expected but I'm worried I made some configuration mistakes.

I've done everything in LuCI and not on the command line like SSH

The router is an Archer C7 with 4 lan ports and 1 Wan port


cctv - eth1.4 (lan port #4 for cctv)
Protocol: Static Address

srv - eth1.3 (lan port #1, 2, 3 for workstation server)
Protocol: Static Address

LAN - br-lan
Protocol: Static Address

WAN - eth0.2
Protocol: DHCP client


Switch "switch0"
Enable VLAN functionality [x]


For lan firewall I added Allow forward to destination zones: srv

For cctv firewall I added Allow forward to destination zones: wan

For srv firewall I added Allow forward from source zones: lan


Are the configurations secured/correct?

When I'm on the workstation server, I can ping the IP of the cctv and the IP of the lan. Would it be more secure if they can't ping the workstation server? How do I do it?

What other settings I need to configure to safeguard the network?

Thank you!

Would you be able to explain what you want to achieve? Is this server serving only your local network, or do you access it from outside? Do you have other users on the LAN, and you want to deny them access to the server? Or is the purpose to prevent guests (in which case you could have the server on your LAN and make a separate guest network)?


Thank you mhegab for the questions, sorry I didn't explain the settings properly, I'm new to openwrt and VLAN, before I just use the default ISP router/modem.

I like to separate the following:
server - separate from the cctv, and other unauthorized devices (guests)

cctv - separate from the server, and other unauthorized devices, allow access from the internet using mobile app

test - I got the idea from you :smile: , outside access to a computer for testing purpose, this is different from the server,
not accessible to the server, cctv and other unauthorized users.

The server is serving only local network for now, but I would like to access it from the outside in the future.

How do I set it up for local only?

and for access from the outside? (I will use a test computer to do this using a VLAN.)

There are only 2 authorized users on Wireless LAN using RDP to access the server, I like them to have access to the server.

Other authorized users connected to the router are using the internet, I would like to limit/deny access to the server

For unauthorized users/guests, I would create another SSID to connect to another VLAN (I just found out about this, pretty cool) and deny access to the server. Is this the best option for guests?

Thank you mhegab!

Well, I see you have 3 main segments:

  • Main network: That's your trusted PC, plus the server. If and when you get to want to allow outside access to the server, then you could modify the firewall.
  • Guest network: for guests. It will have its SSID.
  • CCTV: or the cameras. As you will allow outside access, you could also use it for testing accessing PCs from outside.

Can we also have a screenshot of your interfaces? that could be the missing link. In order to do it this way you would need an interface for each of the firewall zones you created.

Here's another idea to throw out....

If you want cctv to ONLY have remote access, you don't need a firewall zone or interface for it, you can simply use VLAN to completely separate it from the router's LAN by keeping it on the WAN side, acting as an independent switch. In your case, you would do that by setting VLAN ID 4 as: eth1 off, eth0 tagged, WAN untagged, LAN 4 untagged (or tagged).

BTW: you can do this by simply adding LAN 4 to VLAN ID 2, and then you don't need a VLAN ID 4

The same goes for srv, but it seems like you would like to access it through the router...

Edit: I'm not sure if it's possible if you set both eth0 and eth1 to off...


Thank you mhegab,

do you see any security problem with the current firewall settings?

To allow outside access I will just add Allow forward to destination zones : wan, is that correct?

Thanks, I will create a guest ssid on another interface

Great idea! I would also streamline this using mpratt14 advice. I will move it to VLAN ID 2

Thank you mpratt14 for the help,

I will follow your advice on adding the cctv on VLAN ID 2, just like to ask, is there no difference if I use the VLAN ID 4 in function and security?

I didn't understand this part, do you mean because it has a different ip address?

Here is the interface

Again the idea is.......

Depending on your use case, if you want SRV and CCTV to ONLY have remote access, you ONLY need VLAN to keep them on the WAN side. If you want them to have local access or both remote and local access, you have to use VLAN to bring them to the LAN side, but then separate LAN's using interfaces and firewall zones.

If you want CCTV to be remote access only, you don't need interfaces or firewall zones for it, just VLAN

If you want SRV to have local access, you do need interfaces and firewall zones for it, and have it on the VLAN for LAN side.

Also, the idea of showing us your interfaces is so we can see that your LAN interfaces have different addresses and that you have a separate interface for anything you don't want guests to access...but it looks sufficient by the color codes...

You only need to hide the addresses for WAN and WAN6, even then, if you have a modem on the other side of WAN, then those addresses are also private. Also, ensure that the physical methods that guests connect to the network are only paired with the LAN interface (not SRV). Addresses like 10.x.x.x and 172.x.x.x and 192.168.x.x are all private addresses and do not reveal your public address to us.
you can read about that here:

As for your function and security question, there is no difference between two VLANS where:

  • one attaches WAN to cctv
  • one attaches WAN to eth0

Compared to a single VLAN where: cctv and eth0 are attached to WAN

The difference is, the way you had it before on VLAN 4 was:

  • cctv was attached to eth1

and since the interfaces define eth1 as the LAN side, that places any device attached to eth1 as a LAN device (aka being served by the router internally/locally). Consequently, since the WAN interfaces have the WAN firewall zone, and are attached to eth0, anything else attached to eth0 are on the WAN side (aka treated as remote/external to the network).

TLDR: you want your WAN interfaces to be on eth0 and LAN interfaces to be on eth1.

You could reverse all that if you wanted, but it's that way by default and doesn't make a difference, as long as everything is consistent. The difference between eth0 and eth1 is arbitrary in the virtual environment (the effect of reversing eth0 and eth1 to LAN and WAN in the physical world would be reversing/changing the order of the physical ports, plugging each device in a different ethernet port, and that would make it all the same). But, it is VLAN setup that decides which devices are virtually attached to eth0 and eth1. All it does is represent two different sides of the routing space, WAN and LAN, and which devices are on which. You could for example, not have a WAN port at all (where the source of internet could be wireless only instead of ethernet) by placing every port in the VLAN page to be attached to eth1.

VLAN has a feature where you can separate every device by a managed tag ID that is a number attached to every ethernet packet that is sent between devices, this is part of the 802.11Q standard. I assume that you are not using the VLAN ID tagging outside of the single router, and if that is the case, then your only use case is to separate devices from eth0 and eth1. Because you only have two physical ethernet interfaces, eth0 and eth1, you can achieve this by using only 2 VLANs in the virtual switch. In your case, you can also combine VLANs 1 and 3 and remove VLAN 3 as well. And like I said before, you can combine VLANs 2 and 4 into one, and it's the same thing.

Imagine it like this: you have a completely separate physical switch, and in that switch you connect the Internet (true WAN), the router's WAN, and the CCTV. No one on the LAN side of the router can talk to the modem (or other internet source device), nor can they talk to the CCTV (unless you do port forwarding, removal of firewall, etc...). This would be the same as having TWO separate physical switches that are connected to each other, and also connected to these 3 different things, including the router on the WAN side. That's effectively what you're doing by having so many VLANs (unless you want to use 802.11Q tagging). It doesn't make a difference though, just a little more efficient.

VLAN is essentially designed so that you can set any ethernet port to do whatever you want it to do...which includes separate every single device from each other if you want...

So in your case I'm pretty sure you can just have two (unless you are using tag IDs 1 through 4):

  • VLAN1: eth1, LAN1, LAN2, LAN3
  • VLAN2: eth0, LAN4, WAN

So what's your real goal? Do you simply want the router, CCTV, and SRV to all have internet access, but separately? Then you just need VLANs

More complicated than that? then it gets complicated... lol


Thank you for your knowledge mpratt14, I learned a lot from you!

Sorry about removing the addresses I thought you have to remove it for security, but I know better now, thanks for the link!

Here are the things I did.

  1. I moved the CCTV (LAN 4) to VLAN ID 2 with the WAN, removed the cctv firewall

  2. I added a new Guest SSID, I connected it directly to the network WAN

  3. I don't actually need the Interface SRV, I moved it to the Interface LAN

I do have 2 questions.

  1. You can add 2 or more networks on one SSID, when and how do you use this?

  2. Do you use network WAN6 and interface DHCPv6? I read somewhere that it's better to disable this for security.

I'm just curious, I've seen other router that only have one eth in openwrt, does it mean the LAN and WAN is mixing there?

You pretty much nailed it:+1: , after reading your post and rethinking it over, I only do need 2 VLANs.

I don't know if this is complicated, I'm planning on adding another Archer C7 router (also OpenWrt) going to the upper floor. I would like to use the VLAN ID 1 so that you can access the workstation server on the 1st Floor. How do I connect the 2 routers?

Thanks again !

If you have or can run an Ethernet cable that's your best option.

If not possible or not convenient, then you can set WDS, subject to signal quality between the two routers. You could log in to one router and go to (or whatever the IP address is of the LAN interface of that router), click Scan under the 2.4 GHz WiFi (should be radio1) and see if the WiFi of the other router is seen and of reasonable strength. If it looks OK then you could implement WDS.

If WiFi is weak then your other option would be a powerline kit (presuming the 1st and 3rd floor get electricity via the same meter).


Thank you mhegab for the quick reply, I would be using an Ethernet cable, I'm not sure where to connect the cable.

Currently, I connected the Archer C7's WAN port to the ISP Modem/Router's LAN port

If I added another Archer C7, should I connect it to the WAN port or the LAN port to maintain the VLANs?

ISP Modem/Router LAN port --> 1st Floor Archer C7's WAN port --> 1st Floor Archer C7's LAN port --> 3rd Floor Archer C7's WAN port.

Is that right?

If you connect it LAN to LAN then basically it becomes an extension of the same LAN of the connected LAN port of main router.

If you connect LAN to WAN then the client router will have a separate LAN

Like I was saying, you can actually connect the ethernet cable "anywhere" on both routers. Since you are using OpenWRT on both routers, you have access to VLAN settings and you can assign any ethernet port to any ethernet interface on each router. Like @Hegabo was saying, you probably want both sides of that ethernet connection to be paired with eth1 (LAN).

BTW: I noticed on your screenshot of interfaces, that for SRV you are bridging a wired interface and a wireless interface together. I assume you want guests to access the internet wirelessly only, and for you to access the SRV network by wired I would not make it a bridge of interfaces, or at least only bridge wired interfaces. This is part of making sure the firewall zones and interfaces are consistent in which ones are paired and which ones are separated.

Thank you for the help mpratt14 and mhegab! I have now configured the VLAN and learned a lot in the process!

This assumes an upstream ISP supplied router I guess, and also that your CCTV doesn't require any firewall at all. It sounds like a terrible idea to me, of all things on my network I'd want to control access to CCTV pretty tightly.


Hello dlakelan, thank you for your advice. I agree that you need to control the CCTV. could you check my setup for any security problem?

The cctv is connected to the Archer C7's LAN 4 port, while the Archer C7's WAN port is connected to a LAN port of the ISP modem/router.

I'm not sure if the CCTV requires firewall but I did not open/change anything on the ISP router/modem, I did add LAN 4 port to VLAN ID 2 (WAN side).

I'm using the brand Hikvision CCTV and I'm using the Hik-Connect feature to view externally.

Do you see any security concerns?

Thank you!

So it has whatever security the ISP router provides. My default assumption is zero security for any device I don't control, so yes there are serious issues. I recommend to put the CCTV on its own VLAN, not bridged to anything, then put this VLAN in its own camera firewall zone. Disallow forwarding from camera zone to anywhere by default. Finally, allow only forwarding of the exact traffic needed for your HIK connect stuff from camera to WAN.


Thanks dlakelan,

I've added a new VLAN ID 4 for LAN 4 port and added an Interface for CCTV back again.

I've added a new cctv firewall zone, I didn't add any inter-zone forwarding

I don't know what are the exact traffic needed for HIK connect, how to get this data?
and where do I add this on openwrt?

Thank you!

Start by letting the cameras forward everything to WAN, then look at the connection status to see which ports they actually use.

You should also set up firewall rules to block the cctv network from logging into the router's HTTP, SSH, etc. The only ports needed to the router OS are 67 and 68 for DHCP and possibly 53 for DNS.
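
The camera-zone policy described in the last few replies, written as an `/etc/config/firewall` fragment. This is an added example, not configuration posted by anyone in the thread; the zone and interface name `cctv` and the default zone name `wan` are assumptions.

```uci
# Camera zone: the cctv interface sits alone in this zone (not bridged to lan).
# input REJECT blocks the cameras from the router's own services
# (LuCI over HTTP, SSH, etc.) unless a rule below allows the port.
# forward REJECT means no inter-zone traffic unless a forwarding allows it.
config zone
	option name 'cctv'
	list network 'cctv'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The only router services the cameras need: DHCP (67/68) ...
config rule
	option name 'Allow-cctv-DHCP'
	option src 'cctv'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

# ... and possibly DNS (53), if the cameras resolve names via the router.
config rule
	option name 'Allow-cctv-DNS'
	option src 'cctv'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# Starting point: let the cameras forward everything to wan, then watch the
# connection status to see which ports they actually use. Once those are
# known, remove this section and replace it with 'config rule' entries
# (src 'cctv', dest 'wan') limited to the observed protocols and ports.
config forwarding
	option src 'cctv'
	option dest 'wan'

# Deliberately absent: any forwarding between cctv and lan, in either
# direction, so the camera network cannot reach the server or LAN clients.
```

After editing the file, `/etc/init.d/firewall restart` applies the change; the same zone, rules and forwarding can be created in LuCI under Network > Firewall.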