Start by creating bridge-VLANs. To make sure it works, we'll use lan1 for your normal lan, lan2 for the guest network, and lan3 for the iot network. Then we'll use port lan4 for the trunk which would go to your dumb APs. You can modify the port assignments as you need -- it should be fairly clear once this is done.
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
    list ports 'lan4:u*'

config bridge-vlan
    option device 'br-lan'
    option vlan '2'
    list ports 'lan2:u*'
    list ports 'lan4:t'

config bridge-vlan
    option device 'br-lan'
    option vlan '3'
    list ports 'lan3:u*'
    list ports 'lan4:t'
Now, edit the main lan to use br-lan.1:
config interface 'lan'
    option device 'br-lan.1'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
Add two new networks:
config interface 'guest'
    option device 'br-lan.2'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'

config interface 'iot'
    option device 'br-lan.3'
    option proto 'static'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'
Next, add dhcp servers for the two networks:
config dhcp 'guest'
    option interface 'guest'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'

config dhcp 'iot'
    option interface 'iot'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'
And finally, add the networks to the respective firewall zones:
config zone
    option name 'guest_zone'
    list network 'guest'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'iot_zone'
    list network 'iot'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
Restart your router and test the ports as described by plugging a computer directly into each of the ports in turn (ports 1 and 4 will have lan as untagged, ports 2 and 3 will be guest and iot, respectively; port 4 is actually a trunk with those two other networks tagged). Once you have proven these to work, you can create SSIDs for each of the networks, and you can set the ports however you need for your other devices.
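A way to check the port roles before plugging anything in, as an added example that is not part of the original post: it reads the bridge-vlan sections and prints, per port, which VLANs are untagged, PVID and tagged, flagging any port that is untagged or PVID in more than one VLAN. The function names `audit_bridge_vlans` and `page_config` and the `OK`/`CONFLICT` labels are this example's own.

```shell
# Added example, not from the original post. Reads UCI text (stdin or files).
# Assumptions: only the ':t', ':u' and '*' suffixes shown on this page are
# interpreted, and 'option vlan' precedes 'list ports' within a section.
audit_bridge_vlans() {
    awk -v q="'" '
    function strip(s)  { gsub(q, "", s); gsub(/"/, "", s); return s }
    function add(l, v) { return (l == "" ? v : l "," v) }
    function dash(s)   { return (s == "" ? "-" : s) }
    $1 == "config" { bv = ($2 == "bridge-vlan"); vlan = "?"; next }
    bv && $1 == "option" && $2 == "vlan" { vlan = strip($3); next }
    bv && $1 == "list" && $2 == "ports" {
        n = split(strip($3), f, ":"); port = f[1]; flags = (n > 1 ? f[2] : "")
        seen[port] = 1
        if (index(flags, "t")) tag[port]  = add(tag[port], vlan)   # tagged
        if (index(flags, "u")) unt[port]  = add(unt[port], vlan)   # untagged
        if (index(flags, "*")) pvid[port] = add(pvid[port], vlan)  # PVID
    }
    END {
        for (p in seen) {
            # Several untagged or PVID VLANs: port is not tied to one segment.
            verdict = (unt[p] ~ /,/ || pvid[p] ~ /,/) ? "CONFLICT" : "OK"
            printf "%s untagged=%s pvid=%s tagged=%s %s\n",
                p, dash(unt[p]), dash(pvid[p]), dash(tag[p]), verdict
        }
    }' "$@" | sort
}

# The three bridge-vlan sections from the post, reproduced as sample input.
page_config() {
    cat <<'EOF'
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
    list ports 'lan4:u*'
config bridge-vlan
    option device 'br-lan'
    option vlan '2'
    list ports 'lan2:u*'
    list ports 'lan4:t'
config bridge-vlan
    option device 'br-lan'
    option vlan '3'
    list ports 'lan3:u*'
    list ports 'lan4:t'
EOF
}
page_config | audit_bridge_vlans
```

To check a real configuration, pass the path of the network config file as an argument instead of piping in the sample.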