Isolating LAN clients

I am very impressed with the OpenWrt project. I especially like the firmware selector.

After successfully flashing my router I am trying to create VLANs to isolate connected devices from each other. It would be nice if there was an "Isolate Clients" checkbox for the LAN like there is for WLAN.

I have seen information on the 'net saying that VLANs are automatically isolated from each other so if I create four VLANs they should be isolated by default. But I've also seen people say that firewall rules need to be created.

I have tried to create a VLAN in LuCI. Under Network > Switch, I entered a VLAN ID of 20 like I've seen in a screenshot but the field says "Expecting value between 1 and 15".

Can you point me to a good document to show me how to do what I want correctly so I don't mess up the security of my network?


Isolating client devices can be achieved in a few different ways, depending on the context/details and goals. But it is best to fully define the problem space in order to arrive at the best solution(s).

So...

Can you describe in more detail the goals you have. For example:

  • How many devices need to be isolated from each other?
  • Do you need some of these devices to talk to each other while being prevented from communicating with others, or are all devices isolated?
    • So for example, you might be okay with 2 "classes" of devices where members of each class can connect to each other, but not to the devices in the other class -- this would be the typical iot network isolated from the trusted lan.
    • Or maybe you need all devices in the iot network to be isolated from each other as well as from the trusted lan, but the trusted lan devices don't need to be isolated.
  • What is the connection type for the devices? Wifi or ethernet? or both?
  • Are there multiple APs in your network?

The more detailed your description of the goals, the better we can understand your situation and how it might be implemented.


Here is the intended goal, thanks for asking.

Router 1:
	Always on
	Static IPs?
	Device 1 (ethernet):
		Router 1 admin (local only--no remote)
		Modem admin
		WAN access
		No access to other devices
	Device 2 (ethernet):
		WAN access only
		No access to router
		No access to modem
		No access to other devices
	Device 3 (ethernet):
		Router 1 admin (local only--no remote)
		No WAN access
		No access to other devices
Router 2:
	Only powered on as needed
	Static IPs? Or DHCP if advised
	Device 4 (Wi-Fi):
		WAN access only
		No access to router
		No access to modem
		No access to other devices
	Device 5 (ethernet):
		Router 2 admin (local only--no remote)
		No WAN access
No access to any device from WAN

Why does router 2 exist?

Based on your description, you could create 3 networks on router 1, each assigned to a physical port (assuming your router has 4+ Ethernet ports).

Device 4 could be connected to router 1 (assuming that router 1 has wifi), otherwise you may want to create another network on router 1 such that router 2 is just a bridged AP.

For device 5, if you actually need router 2 in the first place, I'd recommend considering combining it with the description from device 3. That is to say, set up a management network that is used specifically for the management of your infrastructure devices (i.e. routers).
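One way to express the three router 1 networks described above as OpenWrt firewall zones, added here as an example rather than anything posted in this thread. It assumes interfaces lan1, lan2 and lan3 already exist in /etc/config/network (one per port or VLAN), that the stock wan zone with input REJECT is present, and uses a placeholder modem address:

```uci
# /etc/config/firewall (added example). Assumes interfaces lan1, lan2, lan3
# exist in /etc/config/network (one per port/VLAN) and that the modem is
# reached through wan at 192.168.100.1 (placeholder address).
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Device 1 network: router admin + WAN, no other networks
config zone
	option name 'admin'
	list network 'lan1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
config forwarding
	option src 'admin'
	option dest 'wan'

# Device 2 network: WAN only; router answers DHCP/DNS and nothing else
config zone
	option name 'isolated'
	list network 'lan2'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
config forwarding
	option src 'isolated'
	option dest 'wan'
config rule
	option name 'isolated-dhcp-dns'
	option src 'isolated'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'
config rule
	option name 'isolated-no-modem'
	option src 'isolated'
	option dest 'wan'
	option dest_ip '192.168.100.1'
	option target 'REJECT'

# Device 3 network: router admin only; no forwarding entry, so no WAN
config zone
	option name 'mgmt'
	list network 'lan3'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
```

Because there is no forwarding between the three zones, traffic between them is rejected by the default forward policy; the explicit src+dest rule is evaluated before the zone forwarding, which is what keeps the modem unreachable from the isolated zone. Add a matching rule for TCP port 53 if clients need DNS over TCP.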

you may want to create another network on router 1 such that router 2 is just a bridged AP

I think this may be a good idea. What are the pros and cons?

For device 5, if you actually need router 2 in the first place, I'd recommend considering combining it with the description from device 3. That is to say, set up a management network that is used specifically for the management of your infrastructure devices (i.e. routers).

Router 2 is needed because of the location of router 1. With a management network, would devices 1 and 3 be able to see router 2? And would device 5 be able to see router 1? I'd like the network to be as locked down as possible, with clients having no more access than they actually need.

Most tutorials I've come across use VLANs for client isolation. This video by OneMarcFifty, who seems to know what he's talking about, doesn't:

How to configure OpenWrt as Firewall for your home network and Guest Wifi and IPTables explained

Do VLANs add any value to his approach?