[solved] Dumb AP with VLAN interface: unmanaged or static?

Hello! I have a Mikrotik device as the main router and 3 dumb APs with openwrt, everything is working as expected.

I have 3 vlans to separate lan, iot and guest devices.

I have configurated the vlan interfaces for iot and guest as "unmanaged", but playing with them I can see that is possible to configure them with static IP and it works. The main difference I see is that the unmanaged does not requires an IP.

But, what is the real difference between the unmanaged and the static interface when using vlans?


config interface 'iot'
        option proto 'none'

none Unspecified protocol, therefore all the other interface settings will be ignored (like disabling the configuration) -

as the documentation says an unmanaged interface has no ip address, it doesn't respond so you have classic ping, nmap, etc commands

it could be useful to assign an ip address in the hypothesis that you want to serve a service provided by a dump-ap (samba, http, etc.)


1 Like

however, I recommend keeping an ip address on your dump-ac's br-lan so that you can maintain/manage the same ex:

config interface 'lan'
        option proto 'static'
        option device 'br-lan.vlanx'
        option ipaddr ''
        option netmask ''
        option gateway ''
        option delegate '0'
        list dns ''


the real difference is possible attack vector

for ex, you have
Vlan1 (native) for MGMN, with address set
Vlan20 for GUEST, without address
vlan30 for IoT, without address
... etc

so, basically, someone from IoT/GUEST network could not (easily) attack your dumb AP
Ok, there is a firewall, but still ... no address -> no attack


I agree with you


Thanks all for your help!

I will left the vlans as unmanaged (iot, guest) and only the vlan for lan as static. Seems more simple in this way.

With vlans as static, ssh & luci are accessible from all vlans by default, unless you configure them to only listen in one specific ip.


the correct answer (solution) to your question is surely to be given to


as it pointed out to you the reason for using VLANs.

as for ssh and/or luci access it depends on both your main router configurations if hosts on guest zone / iot zone can access resources in lan, or your dump-ap configuration if you allow it to accept connections on static ip addresses assigned to your guest/iot interfaces.

it was a pleasure to be able to help you.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.