VLAN on OpenWRT One

Hi,

I tried to set up the OpenWrt One using a Zyxel GS1200 managed switch but did something wrong and locked myself out. Is there any instruction on how to set up the "One", since it only has one port?
I guess the VLANs in br-lan should be set to U, or am I wrong?

/Chris

https://openwrt.org/docs/guide-user/troubleshooting/failsafe_and_factory_reset#entering_failsafe_mode

Only one br-lan VLAN can be U on each port, plus 4095 others tagged.

Hi,

Thanks brad

After several factory resets and frustration I realised I need guidance. I have an OpenWrt One with the latest FW and a Zyxel GS1200 switch. It would be great if someone could upload a screenshot or link on how to set up a Guest VLAN. Then I can add the other VLANs later. Thanks in advance for any help.
/Chris

On the OpenWrt One, you'll just use dotted notation to specify the VLAN ID. When you do that, it will emerge from the port tagged. On the GS1200, you need to define the uplink port as a trunk that expects the new VLAN ID to ingress tagged. From there, you can build other trunks (such as for APs) or you can create access ports for 'regular' devices to connect.

Thank you!
After a lot of struggles I got it working; actually it was the Ethernet adapter for my Mac that couldn't handle tagged VLANs. A couple of things to sort though: I made bridge VLANs and then used eth1.xx, so it looks a bit messy (see screenshot). I'd also like to have the units connecting to guest WiFi in the same IP range as when you connect by cable. Guess I have to bridge it some other way.

Many adapters will support tagged VLANs -- certainly the built-in ones (on Mac desktops) do, and many of the typical USB ones can, as well.

The screenshot is really hard to see....

Let's see your text based configs:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

And most importantly, please describe what you are trying to achieve -- we can look at the configs in context with your goals to see if it will work the way you want. Also, another key thing -- what is connected to the lan port on your OpenWrt One? Do you have a managed switch there?

Hi,
You guys are very helpful, thanks!!
I have configured the OpenWrt One (OWRT1) and connected a managed switch to it (GS1200) for Ethernet (wired) on the second floor. For better WiFi the next step will be a dumb AP connected to the switch.

What I like to achieve is:
VLANs for Work, Guest, IoT (this works fine for Ethernet, a bit messy setup though).
If I connect a unit to Work or Guest WiFi then I would prefer it to end up in that IP range.
The main router can handle FW rules and DHCP, but not a big deal if the dumb AP does this.

What is not working atm: connecting to Work, Guest and IoT doesn't work without connecting it to lan in the network settings for WiFi.
If I connect to Guest WiFi I get an IP in the wrong IP range (192.168.1.1).

/Chris

OpenWrt 24.10.0, r28427-6df0e3d02a
 -----------------------------------------------------
root@OpenWrt:~# ubus call system board
{
	"kernel": "6.6.73",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "OpenWrt One",
	"board_name": "openwrt,one",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0",
		"revision": "r28427-6df0e3d02a",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
		"builddate": "1738624177"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd82:d05:10b8::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option type 'bridge'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'VLANs'
	option bridge_empty '1'
	list ports 'eth0'
	list ports 'eth1'
	list ports 'eth1.20'
	list ports 'eth1.30'
	list ports 'eth1.40'
	list ports 'eth1.50'

config bridge-vlan
	option device 'VLANs'
	option vlan '20'
	list ports 'eth0:t'
	list ports 'eth1:t'
	list ports 'eth1.20:t'

config bridge-vlan
	option device 'VLANs'
	option vlan '30'
	list ports 'eth0:t'
	list ports 'eth1:t'
	list ports 'eth1.30:t'

config bridge-vlan
	option device 'VLANs'
	option vlan '40'
	list ports 'eth0:t'
	list ports 'eth1:t'
	list ports 'eth1.40:t'

config bridge-vlan
	option device 'VLANs'
	option vlan '50'
	list ports 'eth0:t'
	list ports 'eth1:t'
	list ports 'eth1.50:t'

config interface 'Guest'
	option proto 'static'
	option ipaddr '192.168.20.5'
	option netmask '255.255.255.0'
	option gateway '192.168.20.1'
	option device 'eth1.20'
	option type 'bridge'

config interface 'Work'
	option proto 'static'
	option device 'eth1.30'
	option ipaddr '192.168.30.5'
	option netmask '255.255.255.0'
	option gateway '192.168.30.1'
	option type 'bridge'

config interface 'IoT'
	option proto 'static'
	option device 'eth1.40'
	option ipaddr '192.168.40.5'
	option netmask '255.255.255.0'
	option gateway '192.168.40.1'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option channel 'auto'
	option htmode 'HE20'
	option num_global_macaddr '7'
	option country 'SE'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'wan'
	option mode 'ap'
	option ssid 'IoT'
	option encryption 'psk2'
	option key 'PWD2'
	option ieee80211r '1'
	option ft_over_ds '1'
	option ft_psk_generate_local '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option channel 'auto'
	option htmode 'HE80'
	option num_global_macaddr '7'
	option country 'SE'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Ares'
	option encryption 'sae'
	option key 'PWD'
	option ocv '0'
	option ieee80211r '1'
	option ft_over_ds '1'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'AresGuest'
	option encryption 'psk2'
	option network 'Guest lan'
	option key 'PWD2'

config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option ssid 'AresLenovo'
	option encryption 'sae-mixed'
	option key 'PWD'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ocv '0'
	option network 'lan'
	option hidden '1'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'Guest'
	option interface 'Guest'
	option start '11'
	option limit '25'
	option leasetime '12h'

config dhcp 'Work'
	option interface 'Work'
	option start '11'
	option limit '25'
	option leasetime '12h'

config dhcp 'IoT'
	option interface 'IoT'
	option start '11'
	option limit '25'
	option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'GuestZone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Guest'

config forwarding
	option src 'GuestZone'
	option dest 'wan'

config zone
	option name 'IoTzone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IoT'

config zone
	option name 'WorkZone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Work'

config rule
	option name 'Guest DHCP and DNS'
	option src 'GuestZone'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'Work DHCP and DNS'
	option src 'WorkZone'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'IoT DHCP and DNS'
	option src 'IoTzone'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config forwarding
	option src 'IoTzone'
	option dest 'wan'

config forwarding
	option src 'WorkZone'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'IoTzone'


You've got lots of issues here -- I don't have time to go through them now, but I'll take a look through and try to help you with it later. Or, someone else may do so before me, which is fine, too.

I had a look through the configs and I agree with @psherman that there are lots of interesting choices here to go through one by one (e.g. why default_radio0 is in wan, are VLANs tagged on themselves?). I would suggest doing a factory reset, forgetting about any external switches and APs in the beginning, and focusing on adding VLANs, supporting Wi-Fi networks, and firewall zones one by one to understand what is happening. VLANs can be overwhelming. It wouldn't hurt to plan things out in advance and write out which VLAN and Wi-Fi network can be accessed from where.

Here is a very visual step-by-step walkthrough by @onemarcfifty that focuses on using bridge VLAN filtering to set up VLANs and matching Wi-Fi networks:

A good idea is to follow along and also see what the underlying config changes are after each step.

I hope this didn't sound too condescending.

Haha, well I felt the settings weren't quite right. The thing is I googled and YouTubed too many different solutions just to realise that my PC got an IP but not my Mac. I actually did follow the instructions from onemarc but the other way around :) I will set up the other router as main and then reset the OpenWrt One and start with a "normal" router and then add VLANs. Thanks for your help, I will upload new configs in a day or two :)


I haven't watched the OneMarcFifty videos, but I would be careful because of two things:

  • The video linked is from OpenWrt 21.02. Some of the syntax and methods might be slightly different just based on the versions (we're now 3 major versions beyond 21.02).
  • The video may work with VLANs based on devices with built-in switches. The methods there are different than what would be relevant for the OpenWrt One (which does not have a switch chip).

But, I do agree that your config has so many issues that it would be best to reset to defaults rather than try to fix what you have.

Once you're in the default state, configure as you desire for the first network. Test and verify that the single network scenario is working as you want. Then just add one more network -- get it working end-to-end (including through your switches and external APs) before you move on to adding the rest. The reason is twofold: 1) learn the full 'recipe' once and then apply it to the others; 2) less to clean up if you make mistakes in the first recipe.
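The "dotted notation" recipe described earlier (VLAN leaves the One's single LAN port tagged as eth1.<id>, the switch uplink accepts it as a trunk member) and the "learn the recipe once, then repeat it" advice above, as an added example that is not from the thread or from the OpenWrt project: a POSIX shell function that prints the `uci` commands for one isolated VLAN, so the same function can be run for Guest, Work and IoT. It assumes a fresh default config where br-lan still holds eth1 untagged, and the names br-<name>, <name> (interface and zone) and <name>_ap are my own choices.

```sh
#!/bin/sh
# Added example, not from the thread. Prints the uci commands for one
# isolated VLAN on an OpenWrt One: eth1 (the only LAN port) stays untagged
# in br-lan, and the VLAN leaves eth1 tagged as the dotted sub-interface
# eth1.<id>, which the switch uplink must accept as a tagged trunk member.
# Assumed names: bridge br-<name>, interface/zone <name>, AP <name>_ap.
# Run:  gen_vlan_config 20 guest 192.168.20.1 AresGuest radio1 | sh
#       uci commit && reload_config
gen_vlan_config() {
    vid=$1 name=$2 ip=$3 ssid=$4 radio=$5
    cat <<EOF
# --- VLAN ${vid} / ${name} ---
# bridge holding the tagged sub-interface plus any Wi-Fi AP joined to it
uci set network.br_${name}=device
uci set network.br_${name}.name='br-${name}'
uci set network.br_${name}.type='bridge'
uci add_list network.br_${name}.ports='eth1.${vid}'
# layer-3 interface on the bridge; the router is this VLAN's gateway
uci set network.${name}=interface
uci set network.${name}.device='br-${name}'
uci set network.${name}.proto='static'
uci set network.${name}.ipaddr='${ip}'
uci set network.${name}.netmask='255.255.255.0'
# DHCP pool served by dnsmasq on this interface
uci set dhcp.${name}=dhcp
uci set dhcp.${name}.interface='${name}'
uci set dhcp.${name}.start='100'
uci set dhcp.${name}.limit='150'
uci set dhcp.${name}.leasetime='12h'
# isolated zone: no input to the router, no forwarding except to wan
uci add firewall zone
uci set firewall.@zone[-1].name='${name}'
uci add_list firewall.@zone[-1].network='${name}'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='${name}'
uci set firewall.@forwarding[-1].dest='wan'
# clients still need DHCP (udp/67) and DNS (53) from the router itself
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DHCP-${name}'
uci set firewall.@rule[-1].src='${name}'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].dest_port='67'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DNS-${name}'
uci set firewall.@rule[-1].src='${name}'
uci set firewall.@rule[-1].proto='tcp udp'
uci set firewall.@rule[-1].dest_port='53'
uci set firewall.@rule[-1].target='ACCEPT'
# AP bound to the interface, so Wi-Fi clients get the same subnet as wired ones
uci set wireless.${name}_ap=wifi-iface
uci set wireless.${name}_ap.device='${radio}'
uci set wireless.${name}_ap.mode='ap'
uci set wireless.${name}_ap.network='${name}'
uci set wireless.${name}_ap.ssid='${ssid}'
uci set wireless.${name}_ap.encryption='psk2'
uci set wireless.${name}_ap.key='CHANGE-ME'
EOF
}

# the three VLANs planned in the thread (20 Guest, 30 Work, 40 IoT), one recipe each
if [ "${1:-}" = "--demo" ]; then
    gen_vlan_config 20 guest 192.168.20.1 AresGuest radio1
    gen_vlan_config 30 work  192.168.30.1 AresWork  radio1
    gen_vlan_config 40 iot   192.168.40.1 AresIoT   radio0
fi
```

On the GS1200 side the port facing the One must carry each VLAN ID tagged, and the ports for clients of that VLAN untagged with a matching PVID; verify one VLAN end to end (wired client, then Wi-Fi client) before generating the next.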

Without going too deep into it, what's the major difference? Can bridge VLAN filtering still be used?

You probably know already, but on macOS you need to use the Network system preference, click the button with the three dots and select "Manage Virtual Interfaces...", there click the + button and select "New VLAN...", where you can select the VLAN name, the VLAN ID and which interface to instantiate this VLAN interface on. Last time I tried (like 2 macOS versions and 2 years ago) that just worked as expected...

I might be wrong, but I believe that "Bridge VLAN filtering" is something that only really helps on physical multi-port switches, but there is no switch on the One?

Hi,

Thanks for all the input. I followed your advice and got a guest network in its own IP range behaving as expected. Used br-guest; next step is to add VLANs using eth1.xx. I will study the manual on whether to do this for each br or use one br-VLANs with all of them in the same bridge. It will be very much appreciated if you have time to double check.
I tried to swap eth0 and eth1 so I got the 2.5G port for internal, but it behaved weirdly, so I changed back.

root@OpenWrt:~# ubus call system board
{
	"kernel": "6.6.73",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "OpenWrt One",
	"board_name": "openwrt,one",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0",
		"revision": "r28427-6df0e3d02a",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
		"builddate": "1738624177"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdba:a7c7:c157::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config interface 'Guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.20.5'
	option netmask '255.255.255.0'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option channel '1'
	option htmode 'HE20'
	option num_global_macaddr '7'
	option cell_density '0'
	option country 'SE'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option channel '36'
	option htmode 'HE80'
	option num_global_macaddr '7'
	option cell_density '0'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'AresGuest2'
	option encryption 'psk2'
	option key 'testtest'
	option network 'Guest'
	option disabled '1'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Ares2'
	option encryption 'psk2'
	option key 'testtest'
	option network 'lan'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'AresGuest2'
	option encryption 'psk2'
	option key 'testtest'
	option network 'Guest'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'Guest'
	option interface 'Guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'GuestZone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Guest'

config forwarding
	option src 'GuestZone'
	option dest 'wan'

config rule
	option name 'Allow-DNS-Guest'
	option src 'GuestZone'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Guest'
	list proto 'udp'
	option src 'GuestZone'
	option dest_port '67 68'
	option target 'ACCEPT'

Bridge VLAN filtering gives you a very nice visual representation in LuCI. I use it on devices with switches and on devices without them. I have not found a simple walkthrough for the dotted implementation yet.

Any reason your Guest gateway is on 192.168.20.5?

Hi,

Thanks for checking!

Just to know which VLAN it is part of,
20 Guest
30 Work
40 IoT

Sorry I wasn't clear, I meant the .5 part. The .20. makes sense.