Raspberry Pi Router/VLAN/Switch

Hello, new to OpenWRT

I need some advice. I am trying to isolate some devices on my network, but I need a device with VLAN. They ONLY need to connect through Wi-Fi (for now). My best candidate at the moment is a Raspberry Pi (which I will call the RPI). However the RPI only has one physical LAN port which I would use to connect to the WAN port on my ISP supplied gateway (which does not support VLAN).

I had a few questions:

A.1: Can I use a raspberry pi (or any computer that supports VLAN) simultaneously as a switch + a router?

A.2: I have looked through some articles about using the RPI as an OpenWRT router. Most of them say for VLAN you need a managed switch. However, I would like to avoid buying any new hardware at this moment (need a quick solution). Is it possible to have some sort of "virtual" ports/devices only for Wi-Fi?

B: I saw on the OpenWRT VLAN Page at the end they show a configuration for a device with only 1 physical port however here (and in other VLAN configurations with more than one port) it says

This configuration assumes another device providing DHCP servers per network segment

I wanted to inquire:

  1. Why does the RPI not just run the DHCP servers (one per wifi SSID)?
  2. Can this still work if the gateway connected too the RPI does not have VLAN support?
  3. Wont the Wi-Fi network still be broadcasted from the gateway device (if its a modem/router combo)?

C: This is sort of a general question (feel free to ignore it unless its relevant). Assuming everything works, what happens after traffic exits the router into a gateway? Does it matter if it supports VLAN? It seems like to go outside of the router's network onto the internet to VLAN tags would be eliminated (I doubt every VLAN network in the world fits into a 4 bits)? Wouldn't that mean the isolation is eliminated? I suppose anything on VLAN 0 could connect to anything on VLAN 1 through the wider internet like any other device, but if its de-isolated while still on a local network, isn't there a chance of loosing isolation (say from malicious software that was trying to map a network you don't want it to map)?

Thank you for taking the time to review/answer my question!

P.S: I do have a unmanaged switch if necessary, but AFIK it does not support VLAN

Depending on your network topology, wouldn’t a dedicated SSID with static route for your ‘VLAN’ devices suffice?

In general, for VLAN you’d need equipment that understands the tags, otherwise they get lost.

Thank you for the quick reply

Depending on your network topology, wouldn’t a dedicated SSID with static route for your ‘VLAN’ devices suffice?

I have been going through some of the sources I was looking at previously. I read that the reason people did not just use subnets on LAN was due to ports "overflowing" new connections.

I am seeing that it may be possible to do this with firewall rules. But its seems potentially more complicated and less isolated that way and people seem to recommend VLAN + New SSID [+ firewall combo] [0][1] (though I see some recommend the "guest network" option).

One source told me its probably not enough if the router just makes a new SSID + password its probably not enough isolation, but they may not have been thinking of static routing.

I'll admit when I have been reading I have been pretty assuming the Wi-Fi connected networks are part of LAN.

In general, for VLAN you’d need equipment that understands the tags, otherwise they get lost.

Do modems typically support VLAN? This is why I am thinking about originating the DHCP servers on the RPI, then just making my ISP supplied gateway effectivley a modem (would that solve it?). But if modems need VLAN, idk :person_shrugging:


maybe easy solution is to plug USB3->ETH adapter and enjoy wired networking. If you search a forum, you will find compatible adapters. It is low cost solution

if you really want to pull your vlans (trunk) over wifi, then you need openwrt device on both side, RPI will serve as main router/dhcp and client router will "unpack" vlans

Your saying client router would have untagged ports connecting too the RPI?

It would then go into my ISP provided router?


no, i am talking about two different solution

  1. you could use USB->ETH to add another port to RPI, this way, you could have WAN and LAN (access or trunk,as you wish) , two ports on RPI

  2. if you don't want to use USB->ETH, then you have only one ETH on RPI, which will be WAN, and then (if i read/understood correctly) you need to pass all VLANs trough WIFI to second router

sorry if i miss something in your OP
it is confusing

It would be amazing if you could tell us what your ultimate goal is….

You don‘t actually need vlans to separate networks when your only goal is to connect your clients via wifi and you don‘t want to spread your wifi/network across multiple devices (e.g ap‘s or routers).

Just create a new network interface in a different subnet. Assign a separate firewall zone to it and add the network to your ssid. Depending on your firewall config you then may need to allow dns and dhcp traffic from your newly created zone to your router.

You can just follow this guide:

Keep in mind the wifi of the rpi isn’t that powerful.

I'll try to help by addressing some points (some of which may be repeating what the other contributors have already said):

VLANs are often confused with and/or used (technically incorrectly) as an interchangeable term for the idea of multiple subnets. VLANs specifically relate to Ethernet when a single link will carry more than one subnet. Having multiple subnets does not strictly require the use of VLANs unless you are sending them over the same ethernet link.

In your case, you probably don't need to use VLANs, and it sounds like you don't have any other VLAN aware hardware, so you shouldn't even go down that route.

Typically, you'd be connecting your Pi's ethernet connection to the LAN port of your ISP supplied router. The WAN port on that device is probably already in use for the upstream (ISP) connection. You'll want to adjust the Pi's network config to accommodate this so that it doesn't cause a problem on your main network.

The Pi can operate as a router. It does support VLANs (or generally just multiple subnets), but nothing else you have appears to have such support, so you won't be using VLANs. You would need, at a minimum, a managed switch and/or a main router that does have VLAN support.

Yes, you do typically need a managed switch. In your case, though, if you're just creating a guest network over wifi (on the Pi only), you don't need VLANs and thus you don't need a managed switch.

Yes, but you may be confusing the issue a bit. You'll be creating a new subnet on your Pi for your guest network. You'll actually be using your Pi in a nearly typical router configuration (I'll explain more shortly). The idea of a "virtual LAN" (i.e. VLAN) is related to Ethernet does not extend to wifi (at least not normal wifi; that's a more complex situation and not used for normal client devices to connect). Here, you'll just be creating an SSID and linking it with a second subnet that will be setup on your Pi for the guest network. No 'virtual' networks here.

It can run the DHCP server, and it should for your situation. The article you've referenced doesn't apply to your situation at all, and in general it also doesn't apply to the Pi since it doesn't have an ethernet switch onboard.

Yes, because you'll be using the Pi in a common configuration where the upstream network will be associated with a firewall zone that includes NAT masquerading (unless your main router supports static routes -- this is optional).

Yes, unless you change the configuration of that device. You're only going to be able to setup a single wifi SSID on the pi anyway, so you should leave the ISP one as your main wifi.

I'm not exactly sure what you're asking here, but generally this is the concept of routing. The traffic on a LAN (in this case your guest network) will be routed by the gateway to the upstream network (and by extension, the internet). Your main router works the same way -- you have a single IPv4 address (we'll ignore IPv6 for now), and your entire network sits behind that address. NAT masquerading basically allows one public facing address to be shared with many devices behind the gateway. Your pi will probably be configured in a similar fashion.

VLANs are a layer 2 (switching) concept and apply only to ethernet. Once it goes through a router, you'll be dealing with Layer 3 (routing) and VLANs (and the 802.1q tags) no longer apply.

The isolation you're asking for is only local... you'll setup firewall rules to prevent your guest network from accessing your main LAN. Once the traffic reaches the internet, there's no need to worry about that anymore.

Unmanaged switches do not support VLANs. Yet another reason you won't be using VLANs.

Now... onto the Pi and some things you need to know.

  1. The wifi on the Pi is terrible. It has poor throughput and range. It is particularly bad if you use it as an AP and then connect multiple wifi clients. From a wifi performance standpoint, you would be much better off with a real wifi AP or all-in-one wifi router device (even an older one).
  2. The Pi's wifi chipset does not support multiple SSIDs -- this means that you will only be able to setup a single SSID (presumably your guest network). You won't be able to have it broadcast your main wifi. And refer to my previous statement about the performance.
  3. If you're using a Pi4, it's a good option as a wired router, but wifi (again) is just barely useful.
  4. If you're using a Pi3 or earlier, the routing performance may not be very good... depending on your internet connection speed and expectations for the guest netowrk. But then again, wifi will be the limiting factor on all Pis.

Now, if you do decide to move forward in this direction, you'll basically do these thigns:

  1. set your Pi's address such that it is on the same subnet as your main network, but using an address that does not conflict with anything else (i.e. a unique address such that there are no other devices with static assignments using the same IP, and also outside the DHCP range of the main router)
  2. create a new network with a different subnet than your main lan (so if your main lan operates on, you'll create something different, for example
  3. Setup a DHCP server for the new guest network
  4. Assign the guest network to a new firewall zone (initially, set the input/output/forward rules to accept, that can be adjusted later).
  5. enable masquerading for the lan firewall zone.
  6. allow forwarding from the guest zone > lan zone.
  7. enable the wifi radio (set your country code, SSID name, encryption type, password, and check the enabled box), and tie the SSID to the guest netowrk.

Test your guest network by connecting to the new SSID.

If all that works, you can then set the firewall rules to block the guest network from accessing the main lan, and adjust the firewall such that the guest network cannot reach the administration interface of your Pi.