Using OpenWrt to create a VLAN Switch


New to OpenWRT and I'd appreciate some help.

I'd like to set up a VLAN in my home LAN, but I don't have a VLAN capable switch to use.

I do have a spare Wifi router with a WAN port, 4 1Gbps LAN ports and a dual band wifi. It's a Netgear WNDR3700. I have flashed it with OpenWRT and it appears to work.

What I wonder is, can I effectively turn the OpenWRT router into a VLAN capable switch?

So on the OpenWRT Router I think it would be necessary to set up a VLAN bridge between the LAN and WAN ports to bypass the 'firewall' NAT. Connect the OpenWRT router WAN port to a LAN port on my Primary router. Set up the OpenWRT LAN ports, to belong to a tagged VLAN. Then on the Primary router set up a tagged VLAN on the LAN port for the Secondary router.

Does this sound viable?
And if so how would I go about it?
Is there something else I should be doing?
Or am I barking up the wrong tree entirely?

Would appreciate your advice.


There's no actual reason you need to involve the wan port, but yes this sounds fine. You might look at examples for guest Network and for dumb AP on the wiki. They will give you explanations of various relevant ideas though your situation will not fit in either cookbook.


Personally, I use the blue, WAN port for my management or trunk cable as it's immediately identifiable as very different than the yellow, LAN1-4 ports. On most devices, there isn't any real logical/electrical difference between them as they're all "wired" to the internal switch chip and the internal switch chip has other connections to the Ethernet device(s) on the SoC.

How to do it?

  • Turn off the wireless
  • Turn off DHCP, DNS (keep at least ssh and probably NTP and the logger)
  • Create a management VLAN, add a static address on a "unique" subnet for it and trunk it tagged
  • Configure your "master" computer for an alias on that unique subnet and VLAN
  • Confirm that you can connect to the router over your management VLAN
  • Kill the LAN and WAN interfaces
  • Set up your switch either with LuCI or, my preference, in /etc/config/network directly
  • Confirm everything is working
  • Back up your config
  • Kill LuCI

Could it be done by changing the 02_Network on board.d? And then rm board.json and bin/board_detect?

Like 5:wan to 5:lan?


It can be done with straightforward changes to standard UCI-based config, either through LuCI, or directly in the config files themselves. A custom build is not required.


Those are just the text names that will appear in the web interface. The "board" files are used mostly to help the user understand how the router chips are wired to the external ports and LEDs. This varies by model, so there can be a different board definition for different routers made from the same chipset.

Functionally in the config file the ports are referred to by number 0 to 5. You can use them for any purpose. Gigabit routers have a separate Ethernet switch chip that can switch any of its ports to any other port.
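
The switch setup step in the procedure above, and the port numbering described in this reply, can be checked offline before the config is applied. The following is an added example, not part of the thread or OpenWrt's own code: it parses swconfig-style `switch_vlan` sections from /etc/config/network and flags settings that weaken VLAN isolation. The sample config, the port roles (0-3 access, 4 trunk, 5 CPU), management VLAN 99 and the function names are assumptions.

```python
import shlex
from collections import defaultdict

# Constructed sample (swconfig-style); assumed roles: 0-3 access, 4 trunk, 5 CPU.
SAMPLE = """
config switch_vlan
	option device 'switch0'
	option vlan '20'
	option ports '0 1 2 3 4t 5t'
config switch_vlan
	option device 'switch0'
	option vlan '99'
	option ports '3 4t 5t'
"""

def parse_switch_vlans(text):
    """Return {vlan_id: {port: is_tagged}} from switch_vlan sections."""
    vlans, cur = {}, None
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)
        if not tok:
            continue
        if tok[0] == "config":
            cur = {} if tok[1:2] == ["switch_vlan"] else None
        elif tok[0] == "option" and cur is not None and len(tok) == 3:
            cur[tok[1]] = tok[2]
            if "vlan" in cur and "ports" in cur:
                vlans[int(cur["vlan"])] = {int(p.rstrip("tu*")): "t" in p
                                           for p in cur["ports"].split()}
    return vlans

def audit(vlans, trunk, mgmt_vlan):
    """List findings that weaken isolation between VLANs."""
    findings, untagged = [], defaultdict(list)
    for vid, ports in sorted(vlans.items()):
        for port, tagged in ports.items():
            if not tagged:
                untagged[port].append(vid)
        if ports.get(trunk) is False:  # member of the VLAN, but untagged
            findings.append(f"VLAN {vid} is untagged on trunk port {trunk}")
    for port, vids in sorted(untagged.items()):
        if len(vids) > 1:
            findings.append(f"port {port} is untagged in VLANs {vids}")
    for port, tagged in sorted(vlans.get(mgmt_vlan, {}).items()):
        if not tagged:
            findings.append(f"management VLAN {mgmt_vlan} is untagged on port {port}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_switch_vlans(SAMPLE), trunk=4, mgmt_vlan=99)))
```

In the sample, port 3 is an untagged member of both VLAN 20 and the management VLAN, so any device plugged into it lands on the management network; removing port 3 from VLAN 99 clears both findings.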

Thanks all for the responses, it will take me a while to digest it properly.

My goal is to 'isolate' devices on the OpenWRT LAN from other devices on my Primary LAN using VLANs. I want Wifi on the OpenWRT LAN as well, so re-purposing the old router will hopefully allow me to have Ethernet and Wifi in one box.

Ideally I'd like the OpenWRT LAN to be on a different subnet to the Primary, and have DHCP and DNS provided by OpenWRT. But I'm not clear how setting up VLANs restricts what I can and can't do in that regard. I've put a diagram below (hope it doesn't get mangled).

I think I need to go and read some more and try some things now, and then come back here with further questions.

Thanks again

ISP Modem
| [10,20] = Tagged VLANs
RouterA (Primary) LANa ---- eth2[10], eth3[10], eth4[10], WifiA[10]
| (vlan trunk)
RouterB (OpenWRT)
LANb ---- eth1[20], eth2[20], eth3[20], eth4[20], WifiB[20]

This is interesting -- do you mean that your ISP's modem is already providing two different services on two different VLANs, or that you'd like both the clients you later assign to VLAN 10 and those you assign to VLAN 20 to be able to access the Internet?

Your plan is very doable, as you say it just requires wrapping your head around how VLANs work. They are just a way to add tags to packets that indicate which portion of your network they belong to. Compliant switches will only ever send the packets out ports that belong to that vlan, thereby dividing your ports into separate groups.


jeff: The "[10,20] = Tagged VLANs" was just to note that [10] is a VLAN tag, and [20] is a VLAN tag. I had originally spaced that out to the right away from the 'diagram', but the forum editor seems to have removed unnecessary spaces.

OK, it seems then that it is that the clients on "Subnet 10" and those on "Subnet 20" both have access through your ISP modem.

If so, you'll probably have your ISP <=> OpenWrt link untagged and let your OpenWrt Router A manage NAT, routing, and assignment to VLAN (if even needed) on its "LAN" interface(s). If Router B only handles one of the two subnets, then the whole thing could be done without VLANs "on the wire" (still needed to associate physical ports and the Ethernet / wireless devices in each of their internal switches).

Let's say that your ISP assigns you (static or DHCP) as your public IP.

You could then configure:

  • Router A
    • WAN --
    • LAN --
    • default route via (something in
    • static route for via
  • Router B
    • WAN --
    • LAN --
    • default route via

(The internal subnets are of your own choice. I picked two that were very clearly different just as an example.)