Struggling create VLAN in DSA config (OpenWrt 22.03)


sorry I have severe chronic pain, I can't even read, but I have also anxiety and OCD about being hacked! This would give me more peace of mind so I can focus on other things... Otherwise I would leave it for other time if I could really... And this point: I just need it done... I Am reading this guide, but I don't even understand what to do... I need to create VLAN! Can someone help me please?

I managed at this point to create Device and Interface for my VLAN according to some youtube tutorial. What I don't understand, there is not "Switch" tab anymore in DSA config! I read that this is br-lan supposedly. But I don't understand how networking works on a router, so I Am not sure how to achieve what I want!

I want to:

  1. create separate VLANs (from anything else) for each device connected to physical LAN ports
  2. then I want to do same for each wireless devices connected to my router (2.4ghz)
  3. same for IOTs

First I want to try simpler things...

a) Am I supposed to add VLAN ID in br-lan in Bridge VLAN filtering and tag each respective VLAN to LAN ports I Am using? Would this separate devices connected on LAN from anything else?

b) Do I need to create new bridge for each VLAN to achieve this?

I will get overwhelmed fast, for now I would like just to test VLANs for LAN devices.

Lastly how do I test (easily if possible) whether or not devices on these VLANs are completely separated from anything else?

PS: I tried using chatgpt to help me, but it doesn't know DSA config, and I get overwhelmed quickly in my state...

So you are first bridging all the LAN ports together into one group, then logically re-separating them all out into individual VLANs. I suspect it will be more performant to just dump the bridge entirely and treat the constituent ports individually.

802.11 doesn't have the concept of VLANs. So what you are talking about here is making a separate SSID for each and every device that connects. This will destroy performance as the SSID housekeeping/beacons will be taking up more airtime than your actual data transfers. I also hope you're far from neighbours, because they won't thank for for cluttering up their SSID discovery with a dozen names or more.

Instead, please consider the judicious use of tiered security zones where you have an SSID for trusted home clients, one for guests, one for IoTs. Use of the "Isolate Clients" setting on an SSID will prevent clients connected on that SSID from seeing each other. That feature exists precisely so you don't have to make many SSIDs when you want to keep clients separate.

DSA uses "bridge vlan" as the method to create vlans.
Being slightly pedantic, VLANs are technically used when you have one or more tagged networks associated with one or more ports. We tend to use the term interchangeably in most discussions about having multiple networks (and I'm guilty of this, too), but there is sometimes a need to more precisely define the word and the goals -- especially when it comes to how someone might want to configure their device.

The concept of multiple networks/VLANs is precisely about separating devices into different "virtual" networks. You can then allow and/or restrict connections between networks using the firewall -- and you can do this with whatever granularity is needed to meet your goals.


I think that the easiest way to start would be to:

  1. draw a basic diagram that shows your desired network topology. This would include all network infrastructure devices (routers, switches, APs; ideally labeled with the brand/model of the device so we can understand its capabilities). On that diagram indicate what ports will be used for each network as well as what wifi networks you need (such as a lan, guest, and iot, etc.).

If you have already started configuring your main router, let's take a look at where you've landed with your config:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Don't bother... work with real people who are enthusiasts/experts on the topic... that's why this forum exists.

Couldn’t have said it better my self! Have anyone ever been helped by a “smart chatbot” in any support forum anywhere on earth?

Maybe if you are a very standardized human with a standardized fault like “connect the power cable to power outlet” you are helped. DSA…but we now actually talk about the actual tec to do brain surgery of the chatbot own life itself, and it want to help…

And OpenWrt is secure, how are the chatbot supposed to know about the internal network for someones personal use if it is secure data to begin with?

I Am sorry. Does this mean I can tag "VLAN IDs" to "LAN ports" under br-lan/Bridge VLAN filtering? And this would create separate VLANs for devices which are connected to physical LAN ports?

  1. Diagram:
    Well do I need to? It is really simple I have just one Router TP-Link Archer C6 v3.2 and 2 computers connected via LAN ports. And 1 phone and 1 laptop connected to wifi (I thought it will be WLAN instead of LAN) + 1 Iot currently connected over wifi to the router. No APs... I want separate all devices on respective isolated VLANs.

Do I need SSH access or something?

I don't if I can set it up...

I understand you need this information to help. But I think I Am really close.

Can't I just tag VLAN IDs to LAN devices in Device "Bridge device: br-lan"? And then somehow figure out how to create separate VLANs for Wifi? I didn't change anything from default, except making one VLAN interface and one VLAN device for now.

I don't know how hard it is to set up SSH access. And I didn't find accessible command line in routers firmware.

I don't think it is probably needed, if you could please just tell me how to separate VLANs, because I really don't have strength for this now... I Am not far from accomplishing that right?


Yes, but you also need to create new network interfaces so that the VLANs have an associated network.

Is it that hard to draw a diagram? The reason I asked is that the details matter here.
You may not need to use bridge-vlans at all, depending on your desired configuration. It's not clear what network(s) need to be on what physical ports, and if some are wifi only and others are wifi+ethernet.

A diagram can be hand drawn with a pen and paper.... just take a photo of that and upload it into a post. This shouldn't be too hard, but is important if you want specific guidance.

Do you mean literally every single device is on a separate network from all others? Or just 'classes' of devices (like IoT, trusted LAN, etc.). If literally every device is separated... are you certain you want this? It will complicate sharing and general device-to-device connectivity (depending on the details of said devices).

On wifi, there is a simple wifi client isolation control which can achieve the same goal (if actual isolation is required), but that will make inter-device connections impossible (as compared to just a bit more complex), and it doesn't apply to wifi > wired or wired > wired connections.

If you want people to review your config for troubleshooting and/or verification, yes -- screenshots aren't a good way to do this, so ssh allows access to the text config.

OpenWrt has ssh already enabled by default. You just need an ssh client (on Windows, most people use PuTTY; on Mac/Linux, just use the standard terminal).

Per the above, I can't tell how 'close' you are without the text configs.

You don't have to set anything up... already there by default.

Regarding ssh and getting the text configurations, that's really easy. Setting up VLANs and additional networks (and the corresponding settings for firewall, DHCP, and wifi) isn't complex, but is far more difficult than grabbing the text configs via ssh. To make a silly analogy, you're basically asking how to build a car from scratch, and then saying it's too much work to understand how to use a power screwdriver/drill as part of that process. Sure, you could use a regular screwdriver, but it'll be a lot more work and the learning curve for a power screwdriver/drill is pretty minimal.

This is too difficult I give up...

That's a shame...

We never established how much there was remaining... you might be/have been close. But we can't know how close or how far without more details from you.

Ultimately, there is a learning curve for setting up VLANs (on any firmware/vendor)... VLANs are an advanced networking concept. So in the end, it depends on how interested you are in learning how to implement them... if this feels like too much work (in general), that's fine, but realize that most people have to struggle a bit at the beginning of almost any new skill, and it gets easier as you learn.

You know what, I Am to try again because you seem very nice! And I feel bit better :slight_smile:

I installed Putty but already don't know how to connect, I saw on some youtube video first time you are supposed to connect using Telnet, and not SSH. Already don't know what to do so I rather ask. Also do I need to set static IP in OpenWrt for my computer? I don't know where to do that also, and was confused last time I tried.

Whatever youtube video this is, it is very very outdated.
Connect via ssh.

You'll connect to the device (address: using username root with a blank password (unless you've already changed it from the default). You can also login via the web interface.

No. Just plug your comptuer into your device and you should get a connection in the network using DHCP.

There is much more you told me to don't include public IP (i don't know how this would be even in router, that is on ISP's exit node no?), mac that and passwords that I got.

But there is also under WIFI

  • option type (which is supposedly BSSID)
  • option path


  • option ula_prefix

And so many weird things I Am worried about, I Am unsure what to redact, are you sure you didn't forget anything?! Just asking to confirm. All this can be shared without compromising security?

Is this really necessary?

I have problem when I enable Bridge VLAN filtering in br-lan and tag my VLAN ID to even 1 LAN port, i lose network access on all ports. I tried both untagged/tagged and check/uncheck Primary VLAN ID.

To be clear.... this mesage:

is boiler-plate to remind people not to post personally identifiable information (such as usernames and passwords for PPPoE connections, keys for Wireguard and other VPNs, and IP addresses if the user has a publicly routable static IP configured on the wan, as well as passwords for their wifi networks). MAC addresses don't actually need to be removed since MAC's are only relevant at L2 (and everything over the internet is L3+), but many people do redact the information anyway.

If you're starting from a near-default config, there's usually not much that you need to redact.
You never need to redact the RFC1918 "private" IP addresses (here the word private doens't mean that it is uniquely yours -- it is private in that it cannot be routed on the internet, only on a private/internal network behind a NAT router).

If you end up posting something that should have been redacted, I can delete it for you such that it cannot be viewed by anyone else (I'll of course let you know if I do that). Likewise, you can ask for posts to be deleted (I am a moderator, so I can help and/or one of the other mods).

But yes, the bottom line is that the configs are necesary to see because without them we can only guess what is happening.

This is not necessarily unexpected, but we need to see the configs to be able to further advise.

You told me to run:
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

So you tell me what is near-default.config.

Isn't there some guide I can follow, I just tried to google it but nada...

What changes did you make from the default config? Most users will enable wifi and that's it. Some may change the lan subnet. Those are basic, and pretty near-default.

These are basic linux commands.... you ssh into your router and then issue those commands. Copy the output and paste it into the forum with a </> code block from the formatting pallette. Should be pretty straight forward.

Enabled SSID, set up password and encryption and create VLAN device and VLAN interface and that's it.

Yeah but I don't know what to redact. There are weird things under wifi for instance some mac+number and some pci address or something.

This is so hard for me chatgpt telling me there could be literally trillion settings which are sensitive, i am in like middle and didn't see many except SSID and password yet.

But if I post it, will you really redact it properly, you probably have a lot of request like this and I want just to make sure i dont post anything sensitive!

Just remove the ports you want to use for vlan from br-lan. Make a new bridge device and add them there instead and enable vlan filtering, etc. In your case you probably want to set each vlan enabled port as untagged.

This is about the third vlan topic this week with basically the same question/solution. I haven’t read the openwrt mini guide, but I wonder if it’s confusing people.

You don't need to worry about it.

ChatGPT isn't actually all that smart. It just produces human sounding results.

I'll let you know if there is anything that is sensitive. I've been doing this for a long time and all of the frequent contributors ask for exactly the same things. There are only rare instances of actual personal data being published.

I tried that already, but you need to new interface for bridge, i found it daunting and i got instantly overwhelmed and i was doubting if i am doing even right thing, because then it got complicated by another 20 things and i was lost not even knowing what i do anymore...

I know, i use it for basic advice, it is useful.

OH I forgot that PMs exist :smiley:

I trust you, i am just worried you have lot of work and don't have time read everything ofc.

Well try it again. And remember to breathe🙂 I literally have a router here set up with that exact configuration. I plug a cable in port 1, i get the usual 192.168.1.x. Ip. I plug it in port 2, I get 192.168.20.x etc

What exactly are you aiming to achieve as a result of this setup? You clearly are at a very novice stage of networking knowledge/skills and you're trying to do something that is quite complicated.

You mention above that you only have a handful of devices connected to the router. Why are are wanting to use vlans with such a small number?