OpenWrt 21 creating two subnets - how?

Hey there,
I am a complete newbie in OpenWrt. Just flashed Archer A7.

I have an existing network of 2 unmanaged switches (Switch 1 and 2) and 1 unmanaged POE switch (Switch 3).

I would like to create two networks IoT and Secure in TWO subnets 192.168.107.XXX (IoT) and 192.168.100.XXX (Secure) and I would like to "assign" these subnets as follows
LAN 1 & LAN 2 Ports assign "Secure" subnet
LAN 3 & LAN 4 Ports assign "IoT" subnet

The idea here is I can "physically" connect LAN1 and LAN2 to Switches 1 and 2 which will be used for "Secure" network and LAN3 will be connected to Switch 3 (POE).

This way the unmanaged switch will get the respective subnet and there is no need for me to buy a "managed" switch and create VLANs.

First off, will my idea work? If so, can you please walk me through with screen shots how I go about doing this in OpenWrt version 21?

Thank you

This model is swconfig so you do this by creating VLANs in the internal switch. The packets will come out untagged so they can be used in unmanaged switches. Go to the Network-Switch page and it's reasonably self-explanatory. Note that there are two VLANs already defined, 1 is the LAN and 2 is the WAN. Create an additional one numbered 3 and set it tagged to the CPU port and untagged to two external ports. Set those ports to off in the existing LAN; an untagged port can only be a member of one VLAN.

Now you have another device eth0.3 for a new network. Create the interface with a static IP. Note that IPv4 numbers are bytes, they can't have a value of 480, only up to 255. There are a few other rules too. In typical home use, use /24 networks with the router's IP being 192.168.X.1.

The wiki page about guest networks also applies to an untrusted IoT network.

Some good videos on setup and on the concepts:

Also, I would like to setup firewall rules as follows:

Secure network can read/see IoT network BUT
IoT network cannot see Secure network

Does anybody have a "working" setup like this?

That is very simple to achieve.

Make sure that either:

  1. Secure and IoT networks are in different firewall zones
  2. if they are in the same firewall zone, the 'forward' option is set to drop or reject.

If you use method 1 (edit the zone itself):

  • allow forwarding from the secure zone > iot zone.
  • do not allow forwarding from iot zone > secure zone.

If you use method 2:

  • create a firewall rule that accepts all protocols with source of the secure network's subnet (for example and destination of the iot network's subnet (for example,
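Putting the two replies together, the following UCI fragment is an added example (not from this thread or from the OpenWrt project) showing the swconfig VLAN, the eth0.3 interface and the one-way zone forwarding for method 1. It assumes switch port numbers 0 = CPU and 2-5 = LAN1-LAN4 (confirm them on the Network > Switch page), and that the Secure network is the existing lan zone already renumbered to 192.168.100.1/24.

```uci
# --- /etc/config/network ---
# VLAN 1 is the existing Secure LAN: CPU port tagged, LAN1/LAN2 untagged.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3'

# VLAN 3 is the new IoT network: CPU tagged, LAN3/LAN4 untagged.
# Ports 4 and 5 are 'off' in VLAN 1: an untagged port belongs to one VLAN only.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 4 5'

# The switch now exposes eth0.3; give it the IoT subnet with a static address.
config interface 'iot'
	option device 'eth0.3'
	option proto 'static'
	option ipaddr '192.168.107.1'
	option netmask '255.255.255.0'

# --- /etc/config/firewall ---
# Method 1: IoT gets its own zone. Nothing is forwarded out of it unless a
# 'forwarding' section below says so; input=REJECT also shields the router itself.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Secure (the default 'lan' zone) may open connections into IoT; replies
# come back through connection tracking without any extra rule.
config forwarding
	option src 'lan'
	option dest 'iot'

# IoT devices still get Internet. There is deliberately NO 'src iot / dest lan'
# section, so IoT cannot open connections towards Secure.
config forwarding
	option src 'iot'
	option dest 'wan'

# With input=REJECT the router must explicitly accept DHCP and DNS from IoT.
config rule
	option name 'Allow-IoT-DHCP-DNS'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

After editing, run `/etc/init.d/network restart` and `/etc/init.d/firewall restart` (or `reload_config`), then verify from an IoT host that 192.168.100.1 is unreachable while a Secure host can still reach 192.168.107.x.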