OpenWrt 24.10.1 - Help with configuring wired VLAN per port

resonator · May 14, 2025, 2:52am

Hi all,

I'm running OpenWrt 24.10.1 on my Flint 2 and am looking for some guidance with my VLAN/network design.

The Flint 2 has 1 WAN port and 5 LAN ports.

I'd like to create a VLAN per LAN port, so that anything plugged in to a port gets added to that VLAN and DHCP assigns it an IP from a corresponding CIDR. I'd also like the following routing:

Lan 1 port: VLAN 10 (media)
- CIDR: 192.168.10.0/24
- Egress to WAN
- Egress to VLAN 20
- Egress to VLAN 120
- Ingress from VLAN 20
- Ingress from VLAN 110
- There will be a 4-port unmanaged switch connected to this port
- DNS resolver A
Lan 2 port: VLAN 20 (iot)
- CIDR: 192.168.20.0/24
- No egress to WAN
- Egress to VLAN 10
- Ingress from VLAN 10
- DNS resolver B
Lan 3 port: VLAN 30 (dmz)
- CIDR: 192.168.30.0/24
- Network isolation
- Egress to WAN
- No egress to LAN
- DNS resolver C
Lan 4 port: VLAN 40 (work)
- CIDR: 192.168.40.0/24
- Egress to WAN
- Egress to VLAN 120
- DNS resolver D
Lan 5 port: VLAN 50 (mgmt)
- CIDR: 192.168.50.0/24
- I would like to restrict access to LUCI/SSH to this port, and this port would only be used for this.

Out of scope for this topic, but included for completeness, I also plan to create the following 3 wireless SSIDS, each with their own VLANs.:

VLAN 110 (wireless media):
- CIDR: 192.168.110.0/24
- Egress to VLAN 10
- Egress to VLAN 120
- DNS resolver A
VLAN 120 (wireless iot):
- CIDR: 192.168.120.0/24
- No egress to WAN
- Ingress from VLAN 10
- Ingress from VLAN 40
- Ingress from VLAN 110
- DNS resolver B
- mDNS needed for wifi speakers
VLAN 130 (guest):
- CIDR: 192.168.130.0/24
- No egress to LAN
- Network Isolation
- DNS resolver C

Question 1: Does this make sense to folks? Does anyone see any glaring issues with this design?

Question 2: Can I get some help with the VLAN config?

Here's my current configs:

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd14:d070:8843::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config device
        option name 'lan1'

config device
        option name 'lan2'

config device
        option name 'lan3'

config device
        option name 'lan4'

config device
        option name 'lan5'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1.201'
        option proto 'pppoe'
        option username ''
        option password ''
        option ipv6 'auto'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:t'
        list ports 'lan5:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:t'
        list ports 'lan5:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:t'
        list ports 'lan5:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '40'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:t'
        list ports 'lan5:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '50'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:t'
        list ports 'lan5:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '110'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:t'
        list ports 'lan5:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '120'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:t'
        list ports 'lan5:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '130'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:t'
        list ports 'lan5:t'

config interface 'home'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr '192.168.10.0'
        option netmask '255.255.255.0'

config interface 'solo'
        option device 'br-lan.20'
        option proto 'static'
        option ipaddr '192.168.20.0'
        option netmask '255.255.255.0'

config interface 'dmz'
        option device 'br-lan.30'
        option proto 'static'
        option ipaddr '192.168.30.0'
        option netmask '255.255.255.0'

config interface 'lair'
        option device 'br-lan.40'
        option proto 'static'
        option ipaddr '192.168.40.0'
        option netmask '255.255.255.0'

config interface 'mgmt'
        option device 'br-lan.50'
        option proto 'none'

config interface 'wihome'
        option device 'br-lan.110'
        option proto 'static'
        option ipaddr '192.168.110.0'
        option netmask '255.255.255.0'

config interface 'wiiot'
        option device 'br-lan.120'
        option proto 'static'
        option ipaddr '192.168.120.0'
        option netmask '255.255.255.0'

config interface 'wiguest'
        option device 'br-lan.130'
        option proto 'static'
        option ipaddr '192.168.130.0'
        option netmask '255.255.255.0'

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'home'
        option interface 'home'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'solo'
        option interface 'solo'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'dmz'
        option interface 'dmz'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'lair'
        option interface 'lair'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'wiguest'
        option interface 'wiguest'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'wihome'
        option interface 'wihome'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'wiiot'
        option interface 'wiiot'
        option start '100'
        option limit '150'
        option leasetime '12h'

/etc/config/firewall

config defaults
        option syn_flood        1
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel '1'
        option htmode 'HE20'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel '36'
        option htmode 'HE80'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

ahuman · May 14, 2025, 7:25pm

I have no input on the implementation side, but I do see one potential concern with your overall design: I would be terrified to restrict SSH/LuCI access to a single physical port on any device. I've had multiple RJ-45 ports fail on various devices over the years, often without any apparent reason (no physical damage, etc). Getting completely locked out of the device in the unlucky event of that port failing would feel pretty bad.

If nothing else (i.e. you simply can't allow for another port to be available for this as a backup), I'd suggest allowing for SSH access through one of your other VLANs via Wireguard tunnel or something.

resonator · May 18, 2025, 3:18am

Thanks for the suggestion, I'll keep that in mind, I hadn't considered that.

For now, here's my full configs with a nearly completed solution. I think all I'm missing at this point is restricting LUCI/SSH access to port 5 and properly setting port 5 as VLAN 50.

Now that I've got everything working, anyone have suggestions on improvements, issues, or thoughts on setting my vlan tagging or firewall zones input, output, and intra-zone forwarding?

Thanks all!

dhcp


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'dmz'
	option interface 'dmz'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'home'
	option interface 'home'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'lair'
	option interface 'lair'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'media'
	option interface 'media'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'solo'
	option interface 'solo'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config dhcp 'wiguest'
	option interface 'wiguest'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'wiiot'
	option interface 'wiiot'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'wihome'
	option interface 'wihome'
	option start '100'
	option limit '150'
	option leasetime '12h'

firewall


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'media'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'media'

config rule
	option src 'media'
	option name 'Media DHCP, DNS, and PING'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'

config zone
	option name 'dmz'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'dmz'

config forwarding
	option src 'dmz'
	option dest 'wan'

config rule
	option src 'dmz'
	option name 'DMZ DHCP, DNS, and PING'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'

config zone
	option name 'lair'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lair'

config forwarding
	option src 'lair'
	option dest 'wan'

config rule
	option src 'lair'
	option name 'Lair DHCP, DNS, and PING'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'

config zone
	option name 'solo'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'solo'

config rule
	option src 'solo'
	option name 'solo DHCP, DNS, and PING'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'

config zone
	option name 'wiguest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wiguest'

config forwarding
	option src 'wiguest'
	option dest 'wan'

config rule
	option src 'wiguest'
	option name 'Guest DHCP, DNS, and PING'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'

config zone
	option name 'wiihome'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wihome'

config zone
	option name 'wiiot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wiiot'

config rule
	option src 'wiiot'
	option name 'iot DHCP, DNS, and PING'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'

config forwarding
	option src 'media'
	option dest 'wan'

config forwarding
	option src 'media'
	option dest 'wiiot'

config forwarding
	option src 'wiiot'
	option dest 'media'

config forwarding
	option src 'solo'
	option dest 'wiiot'

config forwarding
	option src 'solo'
	option dest 'wan'

config forwarding
	option src 'lair'
	option dest 'wiiot'

config forwarding
	option src 'dmz'
	option dest 'media'

config forwarding
	option src 'wiihome'
	option dest 'media'

config forwarding
	option src 'wiihome'
	option dest 'wan'

config forwarding
	option src 'wiihome'
	option dest 'wiiot'

network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	option ipv6 '0'

config device
	option name 'lan1'
	option ipv6 '0'

config device
	option name 'lan2'
	option ipv6 '0'

config device
	option name 'lan3'
	option ipv6 '0'

config device
	option name 'lan4'
	option ipv6 '0'

config device
	option name 'lan5'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1.201'
	option proto 'pppoe'
	option username ''
	option password ''
	option ipv6 'auto'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'lan4:t'
	list ports 'lan5:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan1:t'
	list ports 'lan2'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '50'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan                        
        option device 'br-lan'            
        option vlan '110'                 
        list ports 'lan1:t'               
        list ports 'lan2:t'               
        list ports 'lan3:t'               
        list ports 'lan4:t'   

config bridge-vlan
	option device 'br-lan'
	option vlan '120'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '130'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'lan4:t'

config interface 'media'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option delegate '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'solo'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'dmz'
	option device 'br-lan.30'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

config interface 'lair'
	option device 'br-lan.40'
	option proto 'static'
	option ipaddr '192.168.40.1'
	option netmask '255.255.255.0'

config interface 'mgmt'
	option device 'br-lan.50'
	option proto 'none'

config interface 'wihome'
        option device 'br-lan.110'        
        option proto 'static'             
        option ipaddr '192.168.110.1'     
        option netmask '255.255.255.0'  

config interface 'wiiot'
	option device 'br-lan.120'
	option proto 'static'
	option ipaddr '192.168.120.1'
	option netmask '255.255.255.0'

config interface 'wiguest'
	option device 'br-lan.130'
	option proto 'static'
	option ipaddr '192.168.130.1'
	option netmask '255.255.255.0'

config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option ipv6 '0'

config device
	option name 'br-lan.1'
	option type '8021q'
	option ifname 'br-lan'
	option vid '1'
	option ipv6 '0'

config device
	option name 'br-lan.20'
	option type '8021q'
	option ifname 'br-lan'
	option vid '20'
	option ipv6 '0'

config device
	option name 'br-lan.30'
	option type '8021q'
	option ifname 'br-lan'
	option vid '30'
	option ipv6 '0'

config device
	option name 'br-lan.40'
	option type '8021q'
	option ifname 'br-lan'
	option vid '40'
	option ipv6 '0'

config device
	option name 'br-lan.50'
	option type '8021q'
	option ifname 'br-lan'
	option vid '50'
	option ipv6 '0'

config device                             
        option name 'br-lan.110'          
        option type '8021q'               
        option ifname 'br-lan'            
        option vid '110'                  
        option ipv6 '0' 

config device
	option name 'br-lan.120'
	option type '8021q'
	option ifname 'br-lan'
	option vid '120'
	option ipv6 '0'

config device
	option name 'br-lan.130'
	option type '8021q'
	option ifname 'br-lan'
	option vid '130'
	option ipv6 '0'

config device
	option name 'phy0-ap0'
	option ipv6 '0'

config device
	option name 'phy1-ap0'
	option ipv6 '0'

wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option channel '3'
	option htmode 'HE20'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option channel '36'
	option cell_density '0'
	option htmode 'HE80'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'iot'
	option encryption 'psk2'
	option key ''
	option network 'wiiot'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'guest'
	option encryption 'psk2'
	option isolate '1'
	option key ''
	option network 'wiguest'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'home'
	option encryption 'psk2'
	option key ''
	option network 'wihome'

psherman · May 18, 2025, 5:33am

I haven't reviewed the entire config, but the network config itself should probably be cleaned up. First, delete all of this:

resonator:

config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option ipv6 '0'

config device
	option name 'br-lan.1'
	option type '8021q'
	option ifname 'br-lan'
	option vid '1'
	option ipv6 '0'

config device
	option name 'br-lan.20'
	option type '8021q'
	option ifname 'br-lan'
	option vid '20'
	option ipv6 '0'

config device
	option name 'br-lan.30'
	option type '8021q'
	option ifname 'br-lan'
	option vid '30'
	option ipv6 '0'

config device
	option name 'br-lan.40'
	option type '8021q'
	option ifname 'br-lan'
	option vid '40'
	option ipv6 '0'

config device
	option name 'br-lan.50'
	option type '8021q'
	option ifname 'br-lan'
	option vid '50'
	option ipv6 '0'

config device                             
        option name 'br-lan.110'          
        option type '8021q'               
        option ifname 'br-lan'            
        option vid '110'                  
        option ipv6 '0' 

config device
	option name 'br-lan.120'
	option type '8021q'
	option ifname 'br-lan'
	option vid '120'
	option ipv6 '0'

config device
	option name 'br-lan.130'
	option type '8021q'
	option ifname 'br-lan'
	option vid '130'
	option ipv6 '0'

config device
	option name 'phy0-ap0'
	option ipv6 '0'

config device
	option name 'phy1-ap0'
	option ipv6 '0'

Then, to meet your goals:

VLAN 10 on port 1
VLAN 20 on port 2
VLAN 30 on port 3
VLAN 40 on port 4
and VLAN 5 on port 5

Make the following changes:

Remove all ports from VLAN 1 since you have indicated you don't want that on any ethernet ports. So it will look like this:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'

Now, set VLAN 1o explicitly to untagged+PVID on lan 1 and then remove all the other ports from the VAN since you don't need it tagged anywhere else:

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'

Likewise for VLANs 20, 30, 40, and 50:

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '50'
	list ports 'lan5:u*'

That will setup the port-VLAN assignments you want.
Reboot and test.

Let us know if anything else needs to be addressed.