My setup is an x86 self-built router with 2 NICs, one for WAN. The LAN NIC is connected to an unmanaged switch in the roof of my house servicing every room. It's running OpenWrt v24.10.0.
Is it possible to create a vlan and assign specific devices (via MAC?) to that vlan in OpenWrt? I need certain devices to connect to specific external services (workplace vpn etc).
Or do I need to swap my unmanaged switch for a managed one to do the vlan tagging there?
The sensible choice would be to get a ~5 buck PCIe ethernet card (USB if you really don't have a choice) as dedicated WAN interface. This makes your setup simple and reliable.
If you then want additional LAN side VLANs, you will have to replace the unmanaged switch with a managed one.
The same answer is still true - you need a managed switch.
Going further…
This would be the domain of a higher-end managed switch. Or, it can be achieved with 802.1X authentication - but this is usually serious overkill and complicated.
Most managed switches don’t support the automatic vlan assignment, but they do make it trivially easy to create port-vlan memberships such that you can have the VLANs assigned as appropriate for the devices that will be connected to each port.
Thanks, and I should have thanked @slh for confirming my thoughts.
Do I need to create a vlan on the router that the managed switch "uses" or does the switch take care of this? I need to set up a specific DHCP server on the vlan side of things. As you can tell I've never set a vlan up before, so I'm clueless on this!
Are there any posts/wikis I can read on this stuff? Everything I've found so far seems to be related to WiFi guests rather than ethernet vlans.
You’ll create the VLANs in the router and then configure the switch with the same vlan ids.
Since you have an x86 system, you can use simple dotted notation (such as eth0.x where x is the vlan id) for the devices that are used by each of your new subnets (network interfaces). Each new network interface will typically also have a dhcp server added, and you’ll assign these networks to a firewall zone and set rules as appropriate for your goals.
This is only useful once you’ve got a managed switch, though.
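As an added example (not from any post in this thread), here is what the router side of that answer looks like in OpenWrt's UCI config on an x86 box. It assumes the LAN NIC is `eth1`, the new VLAN is ID 10, the network is named `work`, and it uses 192.168.10.0/24; all of those are illustrative choices, not anything the thread states. The default untagged `lan` network on `eth1` is left untouched, so existing devices keep working.

```uci
# /etc/config/network (added stanzas; eth1 and VLAN ID 10 are assumptions)

# Explicit 802.1q sub-interface on the LAN NIC. netifd also accepts the
# bare dotted name 'eth1.10' in the interface below and creates it on the fly,
# so this stanza is optional, but it makes the VLAN ID visible in one place.
config device
	option type '8021q'
	option ifname 'eth1'
	option vid '10'
	option name 'eth1.10'

config interface 'work'
	option device 'eth1.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp (added stanza): a separate DHCP pool for the new subnet,
# handing out 192.168.10.100 - 192.168.10.249

config dhcp 'work'
	option interface 'work'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall (added stanzas): own zone, internet access only.
# input is REJECT so the router itself is not reachable from this VLAN
# except for the DHCP/DNS rule below; no forwarding to 'lan' is defined,
# so work devices cannot reach the rest of the house.

config zone
	option name 'work'
	list network 'work'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'work'
	option dest 'wan'

config rule
	option name 'Allow-work-DHCP-DNS'
	option src 'work'
	list proto 'udp'
	list proto 'tcp'
	option dest_port '53 67 68'
	option target 'ACCEPT'
```

After `/etc/init.d/network restart`, `/etc/init.d/dnsmasq restart` and `/etc/init.d/firewall restart`, `ip -d link show eth1.10` should show `vlan protocol 802.1Q id 10` on the sub-interface. On the managed switch, the port facing the router then carries VLAN 10 tagged (with the existing LAN still untagged), and each port for a "work" device is untagged in VLAN 10 with PVID 10, so those devices never see a tag and simply land in the 192.168.10.0/24 network. If the workplace VPN needs more than plain outbound internet access, that is done with additional `config rule` entries in the `work` zone rather than by opening forwarding to `lan`.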