Need help setting up basic VLANs

I currently have a modem - router - AP flat network set up. Everything is on a flat network (proxmox servers, router, computers, etc). I have OpenWrt installed on a router (24.10.3) that is VLAN aware. I also have a managed TP-link switch. I set up the switch with the following configuration:

I assume I messed something up with the tagging/untagging. Then I tried setting up the first VLAN, VLAN 10 (Home) in the OpenWrt router, so I can move my router, proxmox servers, etc onto VLAN 10.

Most of the guides and googling give me answers related to the old config, not DSA. But what I did was in LuCI went to Network > Devices > configure Br-lan. Bridge ports are all four lan ports on my router. Went to "Bridge VLAN filtering" and set port 1 to tagged with the others "not a member". Port 1 on the router is connected to port 1 on the switch. I did try untagged and it also didn't work.

Then I went to interfaces > Add new interface, set up VLAN10, gave it an IPv4 address of 192.168.10.0 with an IPv4 netmask of 255.255.255.0, then enabled DHCP server and hit save. (I also tried not doing this and got the same result.)

What happens is that I get the pop-up offering to revert to the original settings. Obviously I am missing something in setting this up. Can anyone kindly point me in the right direction?

Let's get more specific information about your configs and setup.

First, it would be very useful to see the physical topology of your network. You can make a diagram and post it here -- a photo of a hand-drawn diagram is sufficient. With that, please indicate the network infrastructure devices and the VLANs that should be present in each place.

The other thing we need is your complete router config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Screenshot 2025-10-20 at 8.14.14 PM

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

As requested:
What I am trying to achieve:

Requested outputs:

ubus call system board

{
	"kernel": "6.6.104",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "TP-Link Archer AX23 v1",
	"board_name": "tplink,archer-ax23-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.3",
		"revision": "r28872-daca7c049b",
		"target": "ramips/mt7621",
		"description": "OpenWrt 24.10.3 r28872-daca7c049b",
		"builddate": "1758316778"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0a:4ca9:5c8c::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option vlan_filtering '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option band '2g'
	option channel '1'
	option htmode 'HE20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid <deleted>
	option encryption 'psk2'
	option key <deleted>

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option band '5g'
	option channel '36'
	option htmode 'HE80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option disabled '1'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

This is not a valid IP address for a host in a /24 or smaller network. It is a network address (it refers to the entire subnet), so you need a valid host address such as 192.168.10.1.

You need to use bridge-VLANs (DSA syntax) to setup your new VLAN. Let's assume that port lan1 will be your trunk to the TL-SG105E, and let's assign port lan4 to be the new network so you can test that it works (without concern for any issues on the other switch).

We'll start by creating two bridge VLANs:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'
	list ports 'lan4:u*'

Now we'll edit the lan interface to use br-lan.1 as its device:

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

And now we can create VLAN 10's interface:

config interface 'vlan10'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

Next, create a DHCP server for VLAN10:

config dhcp 'vlan10'
	option interface 'vlan10'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

And finally, you'll need to assign the new network to a firewall zone. We can create a new zone as I'll show here, but your goals may be different (this will at least get it working):

config zone
	option name 'vlan10'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'vlan10'

config forwarding
	option src 'vlan10'
	option dest 'wan'

This will allow the new VLAN10 full access to the router itself and will allow it access to the internet. VLAN 1 will not be able to reach VLAN 10 and vice versa, because the only forwarding rules are from each zone to wan and the default forward policy is REJECT. All of this is adjustable, but again, this is just to get things working.

Port lan1 connects to your switch, ports lan2-3 are for your lan, and port lan4 is for the new network. Again, all of this can be adjusted, too.

I really appreciate you taking the time to type this out.

So in terms of my set up, am I unable to have everything segregated into VLANs? As in, I always need to have at least one LAN?

I assume best practice would be to disable any unused ports on the router?

I'm not sure what you mean... what I just showed was a way to segregate your devices into two distinct networks: 192.168.1.0/24 and 192.168.10.0/24. These networks are (based on the example config) both able to reach the internet, but cannot reach each other. This can be adjusted.

Well, by definition, a VLAN is a "Virtual LAN" -- so you have multiple lans now (or at least once you implement what I suggested).

That entirely depends on your goals and your threat model. If you need to protect the device against a hostile environment, that's a different approach than for a home network where you can generally assume a certain level of trust.

I re-read the code, and it makes sense. Disregard.

Good point. It's more for playing around and learning networking than it is a security concern.

Great. Give it a shot and let us know how this works out for you.

Did I not configure the tagging correctly for the switch in my original post? I am trying to use the ports on the switch to test (it obviously works for the router ports). I assume my router/switch is unable to isolate devices within vlans? I read that needs more enterprise equipment.

Do you mind describing the firewall rules you set up? I assume the forwarding part is what gives vlan 10 internet access.

Lastly, if I wanted to give a wifi SSID, I assume it would be a similar process? Create a new wifi interface, create an SSID, and bridge it to whatever VLAN?

You did not configure the switch correctly. For ports 2-5, assuming you're connecting "regular" devices like a computer, you want the respective network to be untagged + PVID on the port. Right now, it looks like VLAN 1 is set up as untagged + PVID on those ports.

I simply created a new zone with the same zone rules as the lan (of which, the rule that allows input to the router itself might be revisited if you don't trust the devices/users on that VLAN). Then a forwarding rule to the wan -- this is what allows internet access.

Yes.

For the other VLANs listed in the switch, essentially if one connects to those ports with a VLAN aware device, then I would like them to go to that VLAN. If I do not want any VLAN connected via a port, would I just put it as untagged VLAN 1? (e.g., guest network). For the untagged ports, should the PVID just be whatever VLAN ID?

For the SSIDs, would I need additional firewall rules? Or would they automatically fall under the ones already created for the VLANs? I just want to make sure I am not leaving any vulnerabilities open haha.

Just to ensure the right context:

  • Most devices are not VLAN aware, at least not by default
  • Game consoles, STBs, IoT devices, and the like are almost never VLAN aware.
  • Most modern desktop-class OS's have the capability to be VLAN aware, but it requires advanced configuration as it is not a 'standard' feature.
  • Managed switches are VLAN aware, as are many purpose-built APs that are designed for business/enterprise networks; consumer routers and APs are typically not VLAN aware with the vendor's firmware (but if supported by advanced open source firmware like OpenWrt, they almost always can be).

With that said, most of the time you'll be working with either trunks (carrying multiple networks) or access ports (one network, untagged + PVID). You can set up a single network tagged if you want, but that will only work if the device at the other end is VLAN aware and configured to expect that VLAN ID (802.1q tagged).

If you want a port to be effectively non-functional/disconnected:

  • With OpenWrt, simply omit the port in the VLAN configurations.
  • With an external switch, assign it to an unused VLAN.

Often, the only reason to make switch ports appear non-functional is if you are unable to control physical access to the device and you have an untrusted/hostile environment.

  • On OpenWrt, untagged + PVID will look like :u* for the port in the bridge-VLAN stanzas.
  • On an external switch, the process may vary depending on the vendor. On TP-Link and Netgear devices that I've used, you set the VLAN as untagged on a given port and then go into another screen where you set the PVID as the same VLAN ID.

The firewall rules apply equally (i.e. no differentiation) for wifi vs wired for any given network interface. You simply create the SSIDs and then connect them against the respective network.

Keep in mind that if you are using an external AP, you typically only want the device to have an address on the management VLAN, the rest will simply be unmanaged.

Thank you for the reply. Apologies -- I must've missed this. Some of the stuff you describe went a bit over my head. But, I am going to play around this weekend with it. I really appreciate your help.

Let me know if you need alternate explanations for the stuff that you found a bit hard to understand. Networking is very jargon heavy and some of the concepts are just generally hard to wrap your head around at first... but sometimes analogies or other ways to express the ideas can help.