Need help with routing between VLANs

Hello,
Before writing this post, I have spent hours reading docs, watching YT tutorials, experimenting myself, and restoring my working OpenWrt configuration countless times...

I have the following topology:

Currently I have one big network, 172.16.0.0/21. What I want to achieve is to split it into smaller networks, which would give me better control over resources and security.

I would like to have the following networks:
172.16.0.0/24 - VLAN1 - default/infra
172.16.1.0/24 - VLAN11 - services (e.g. pihole, transmission)
172.16.2.0/24 - VLAN21 - IOT (e.g. docker services like HASS, esphome, node-red, but also WiFi connected esp8266 devices)
172.16.4.0/24 - VLAN41 - trusted devices (e.g. my phone, my wife's phone - I would like to filter those by MAC address)
172.16.5.0/24 - VLAN51 - guests/everything else

Because I have a problem with overlapping IP pools, I decided to create POC network 172.16.21.0/24 assigned to VLAN21.

I have started by configuring my switch. That was pretty easy.
Next I have created 802.1q VLANs in OpenWrt.
(new users are not allowed to post multiple images....)

Then I have configured the switch on the router:
(new users are not allowed to post multiple images....)

Next I have created an interface "net_iot":
(new users are not allowed to post multiple images....)

Then I created a WiFi connection to this interface.
For testing purposes, I have decided to configure firewall forwarding so that nothing is rejected:
(new users are not allowed to post multiple images....)

Now, an important note here is that I have pihole running on IP 172.16.1.1 (it's part of this big subnet 172.16.0.0/21).

So the issues:

  1. So first I have logged in to the "nuc" device and started a docker container with the macvlan driver attached to eth0.21. Without any issue I'm able to ping 8.8.8.8, but... I'm not able to dig an A record from 172.16.1.1. With nmap I see that 53 is open, but I don't get any response.

  2. When my WiFi network is bound to device eth0.21, I don't get a DHCP address. Even when using a static IP address, I cannot ping 172.16.1.1.

  3. When I checked how OpenWrt creates WiFi by default, I saw that it's bound to a bridge device, which bridges only eth0.1. So I thought "ok, let's try it". So I have created bridge br-iot which bridges only eth0.21. With such a configuration Android devices are able to get a proper IP address from 172.16.21.0/24. But... I don't get it. Why? From what I read in the OpenWrt docs, bridging creates "a virtual switch" between bridged devices and creates a broadcast domain across those devices. Is it so that eth0.1 or eth0.21 are like a single RJ45 socket? So I need a "switch" that will handle all WiFi devices trying to connect to this one socket? I really would like to understand it; I would be grateful for help on this topic.

  4. When, for the test, I decided to change the device bound to the lan interface from br-lan to eth0.1, I was cut off from WiFi. I was able to work and use the Internet normally over cable, but not over WiFi.

Thank you in advance for any help and ideas how to proceed.

Bonus question:
Would it be possible for me to have only 2 WiFi networks? One "main" and a second "iot"? Can I use the DHCP tagging mechanism to filter trusted vs unknown (guest?) devices, so that trusted devices would get a different DHCP server than unknown devices?

The short answer is yes, OpenWrt supports everything you want to do, including as many different WiFi networks attached to different VLANs with different DHCP servers as you have the patience to configure.

What is not clear is how many of your network devices are running OpenWrt firmware. You will need to get support from the OEM for devices not running OpenWrt to figure out if they support what you want to accomplish.

Is your OpenWrt gateway a target that has been migrated to DSA by OpenWrt, or is it still on swconfig? Setup is a bit different depending on whether it is using DSA or swconfig.

Regarding bridging, the wifi needs to be bridged to the correct vlan subinterface. Vlan subinterfaces are separated one from another, even though they share the same cable.

Better create a guest wifi.

Oh, sorry, I completely forgot about it.
So I have a TP-Link Archer C6 V2 with OpenWrt 21, so yes, I have DSA.

The switch is a TP-Link TL-SG108E. So I'm running stock firmware there, which supports 802.1q.

But why do those need to be bridged? Is it well described somewhere? I would like to understand how it's working under the hood.

Yes, thank you for the tip, but I would really like not to create 3 WiFis. I live in a really crowded environment and the 2.4GHz band is already crowded enough for my IoT network, so I would not put another stone on it. Also from a UX perspective, I don't want my home guests to feel worse. This is why I would like to go in the DHCP tagging direction if it's doable.

This is a function of how DSA works. It can be a bit hard to wrap your head around, but this may help:

If the same radio is used to create multiple SSIDs, it does not change the RF landscape. Oversimplifying, the radio is basically time-sharing across multiple SSIDs. It's kind of like how some drivers will work for Uber and Lyft -- it's the same driver, same car, just one driver, working for one company or the other based on some timing or other criteria.


Those are ath79, so it's still swconfig. The V3 changed to a MT7621 chip, which is DSA.

You can tell this by looking for a Network--Switch page.

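To make the "WiFi bridged to the VLAN subinterface" point concrete for the swconfig case identified above (ath79, OpenWrt 21.02), here is an added example of the UCI stanzas for the IoT VLAN from this thread; it is not configuration posted by anyone in the thread. Switch port numbers, the radio name and the key are assumptions; the 172.16.21.0/24 network, VLAN 21, eth0.21, br-iot and the pihole at 172.16.1.1 come from the posts above.

```uci
# --- /etc/config/network ---
# VLAN 21 tagged on CPU port 0 and trunk port 1 (assumed numbers: check Network > Switch)
config switch_vlan
	option device 'switch0'
	option vlan '21'
	option vid '21'
	option ports '0t 1t'

# The bridge is the "virtual switch" hostapd adds WiFi stations to; eth0.21 is its only wired port
config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'eth0.21'

config interface 'iot'
	option device 'br-iot'
	option proto 'static'
	option ipaddr '172.16.21.1'
	option netmask '255.255.255.0'

# --- /etc/config/wireless ---  (radio0 is an assumed radio name; bind the SSID to the interface, not to eth0.21)
config wifi-iface 'iot_ap'
	option device 'radio0'
	option mode 'ap'
	option ssid 'iot'
	option network 'iot'
	option encryption 'psk2'
	option key 'CHANGE-ME'
# --- /etc/config/firewall ---
# iot may reach wan and port 53 on the pihole in lan, nothing else in lan
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option forward 'REJECT'
config forwarding
	option src 'iot'
	option dest 'wan'
# DHCP and DNS from IoT clients to the router itself
config rule
	option src 'iot'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'
config rule
	option src 'iot'
	option dest 'lan'
	option dest_ip '172.16.1.1'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'
```

A matching `config dhcp 'iot'` stanza in /etc/config/dhcp (with `option interface 'iot'`) is still needed for clients to get 172.16.21.x leases; the last rule is what lets the nuc container and WiFi clients reach the pihole's port 53 while the rest of the /21 stays unreachable from the IoT zone.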