VLAN or just bridge?

Sorry to ask, but this is not easy to understand for beginners.
I'm just reading the guest network guide, which uses a bridge, not a VLAN.
So I need to understand whether I even need a VLAN at all.

What I would like to achieve:

  1. Guest network: OK, that is clear, this is no VLAN, only a bridge.
    Just to ask: the firewall zone settings, is that where you block network access, or block it as is typical for guests? I mean Input, Output, Forward and Masquerade.

  2. Need separate DHCP network addresses for Ethernet and WLAN, allowing me to separate Smart Home devices, but I need full access from other devices using another DHCP range, e.g. from the standard bridge. Does that require a VLAN, or is it similar to the guest bridge with some adjustment allowing full access in both IP ranges? Is that possible, and how should I approach it?

  3. Need a WireGuard client allowing me to connect some devices, e.g. IPTV, to the VPN. That should be assigned to the main DHCP address range. I understood that PBR will allow me to restrict the use of the VPN to only some IPs; is my understanding correct? Is that using bridge or VLAN functionality?

The word VLAN is often used colloquially to discuss multiple subnets, but in actuality, VLANs actually only apply to Ethernet (there is additional nuance as they can be encapsulated as VXLAN or GRE and run over wifi, but that's a bit in the weeds). So you can have a bridge that doesn't contain any Ethernet ports for a guest network that is used only on wifi. There are also other contexts that may or may not be considered true VLANs, but those will probably only be more confusing at the moment.

Anyway, a bridge can be thought of as a software defined switch. A switch is simply a device that allows you to connect multiple physical interfaces (wifi + ethernet, multiple ethernet ports, etc) to a single L3 network interface.

If your guest network only uses wifi on a single AP and is not needed on ethernet, yes, this is true.

Yes, the firewall sets what is allowed and/or blocked. You can make it broad or very granular.

I'm a little confused by what you're trying to say/ask here, but I'll try to clarify in case you are a bit confused:

  • Wifi and ethernet can be bridged together such that they use a common DHCP server/range on the same subnet.
  • You can have a wifi network that is wifi only (no ethernet) or vice versa, and you can have separate subnets relative to each other. If you have separate subnets, you usually need/want a DHCP server on each subnet (it's not required, but most networks will have one).

Maybe it would be best for you to describe what you want to happen. For example (these are ideas/possibilities, and you can have tons of variations on these themes):

  • You could have a guest network that is entirely isolated from the main trusted lan.
  • You could have a network (maybe for iot) that has the ability to reach the internet, but cannot initiate a connection to the trusted lan; the trusted lan, however, can initiate connections to the iot network.
  • You could have two or more networks that can route freely between each other
  • You could have networks that route freely between each other but that cannot reach the internet.
  • etc.

This again depends on your goals. Some people might want a separate/dedicated network that always goes over a VPN. Other people might want to have a single network where certain services, devices, or addresses are always routed via the VPN. And yes, PBR is the key to achieving that.

3 Likes

I just would like to have the IoT devices on LAN and WLAN using a separate IP range, not isolated from the main trusted LAN. I think my MQTT server will be assigned to the main LAN (IP range). When an IoT device is on 192.168.3.1, I need access from and to the 192.168.2.x IP range.

Oh cool, so I think it would be great if I could also use a separate network here with a separate DHCP and SSID. So that is running, and I could just add a device by using that specific SSID or IP range. That wouldn't need PBR, right? How do I approach that?

Sure, this is totally possible. The isolation (or allowances) is based on the firewall rules you set up.

It's not clear from your description whether you want a main trusted lan that is wifi + ethernet and then a separate iot network that is also wifi + ethernet, or if you want unique networks for the iot-wifi vs iot-ethernet, etc.... but all of that is possible. You just need to be very specific about the goals so we can recommend the right topology/configurations.

PBR will still be required. It will say that all the traffic from Network A will egress via the standard wan, and all the traffic from network B will egress via the VPN.

1 Like

It's not clear from your description whether you want a main trusted lan that is wifi + ethernet and then a separate iot network that is also wifi + ethernet,
Yes, this is it. Generally I am just looking for a possibility to separate all these IoT devices from the main network using a separate IP range, but fully accessible and trusted.

Sure. You haven't specifically declared if all of your iot devices connect via wifi, ethernet, or a combination. That's an (important) implementation detail, but there are generally no technical concerns here.

OK, does that mean I set up another network "like the guest network", somehow assign LAN and WLAN to it, and allow different forwards in the firewall settings?
Can you help me here a bit, or is there already a guide available that I could use?

In general you can set up most networks in OpenWrt with just bridges for multiple LANs and WLANs. I did that myself and it works perfectly fine.

This is my personal opinion, but I would not use VLANs if I don't really have to. It can make things much more complicated, and the ROAS becomes a SPOF in most cases.

I understand that you do not need VLANs to isolate devices in different LANs, be they on WiFi or on ethernet.

On WiFi you can create a different SSID.

On ethernet you can take the appropriate switch port out of the bridge device of one LAN and assign it to the bridge device of the other.

Then you can create separate firewall zones.

You need a VLAN if different LANs need to share the same cable.

For example, you need a device connected to both LANs and it has only one ethernet port.

Or you have devices not connected to the same switch that share some intermediate switches connected to the main switch by one cable, or switches that you cannot manage to change the switch configuration.

Separate LANs are more secure, as the traffic is physically separated.

VLANs share the same cable, and anyone with appropriate hardware and config can see all the traffic.

1 Like

Somewhere in the 1990s we needed more separate networks than it was possible to create in a physical router chassis, so we had to start combining multiple LANs onto the same wire. Saving copper wiring, too.

2 Likes

Yes, I need them to connect to the routers through a single switch and a single cable, and to implement an IoT, LAN and guest network at home.

I cannot use three wires to connect the routers.

Maybe it would have been better to put the router in the cabinet where the switch is.
But it is a small cabinet, too small, in the wall and not easily accessible.
I had it there, and each time there was a problem it was a nightmare to access the router or the fiber connection.
So I put a dumb, VLAN-capable switch there, and the router, the iso router and the fiber connection in a room.

Yes, the IoT devices will use WLAN and LAN.
Basically I just would like to have these devices in another IP range, fully trusted and accessible from the main network.
Should I set up a bridge similar to the guest network? And what is required to support LAN and WLAN, and how do I fully integrate it instead of blocking like the guest network?

Thank you

I am trying to get similar results (different requirements).

But if you want separate networks on ethernet, you will need two separate bridged TCP/IP interfaces, iot and lan (in Interfaces, add a new interface and select static address).

Configure each interface with a different range of IPs, say 192.168.1.1 for lan and 192.168.0.1 for iot (static IP address in the router with 255.255.255.0 mask).

Activate a DHCP server in each of them if you want to provide dynamic addresses for devices (recommended, and needed for some kit devices that don't give you easy access to configure their IP settings).

You have two networks now; basically they are two separate software switches where each connected device can reach any other on the network.

To get access through wifi, you need to create two wifi SSIDs in the access point with a password or security configuration. Assign the lan interface to the lan wifi and the iot interface to the iot wifi.
That will create corresponding wlX-apY devices that will be assigned to the interface you selected under Network when you created the SSID.

Now you get access through wifi to two separate lans: iot and lan.

The created wifi devices (wlxxx) will be added to the selected interface (which is a bridge, a software switch).

But usually you want to connect devices by ethernet wire too, at least for the lan interface.

So in the lan interface, when you created it, you assign it a device that is the hardware bridge of your router (usually called br-lan; check that you have it added as the device in the lan interface).

The iot interface should not have a device assigned to it if it is meant to be accessed only by wifi.

Up to now you have two separate networks: one (lan) that can be accessed through wifi and ethernet, and the other (iot) that can be accessed through wifi only.

Now if you want to be able to connect devices via ethernet to the router ports, you will need to make changes to the configuration.

Each interface can be assigned one or more devices created in the Devices page of your router.

In many routers all ports (but the wan port) are by default assigned to a switch device called br-lan.

If you want to connect iot devices in say port 2 and 3, you have to open br-lan device and take out the corresponding lan ports (usually devices called lan2 and lan3).

Thus those ports won't form part of the br-lan switch any more.

Then you should create another device (add new device), select bridge device as the type and give it a name, say br-iot. Add the devices that should be assigned to it (lan2 and lan3).

Save it.
Finally open iot interface and assign br-iot to it.

You now have a lan network that can be accessed using the lan wifi and the ports in your router (but 2 and 3), and an iot network that can be accessed via the iot wifi and ports 2 and 3 in your router.

If all devices are connected by wire to your router, you don't need VLANs.

VLANs are needed if you want separate networks (like lan and iot) to share one ethernet cable.

Imagine you have a switch or other router in another part of your home, connected to your router with only one cable, and you want to connect via wire a device to iot and another device to lan in that part of the home.

You can configure that switch with two separate networks too, assigning some ports to lan and others to iot.
But if they have to access devices on your main router, you would need to connect both routers with two cables and corresponding ports, each assigned to one of the networks.

But you only have one cable and one port in each router connecting them.

So you use a VLAN (think of it as a virtual cable identified by a number).
You configure, say, vlan 3 for iot and 1 for lan, and in the br-lan device, in the Bridge VLAN filtering page, activate VLANs and add vlan 1 and 3. In the port that connects both routers (say port 4) select tagged for both vlans (or tagged for iot and untagged for lan).
Do the same in both routers.

Select untagged in vlan 3 for all ports you want to connect to the iot network.

Select untagged in vlan 1 for all ports you want to connect to lan.

Each port can have only one untagged vlan, but you can add tagged traffic to many vlans.

The untagged vlan will be sent using normal packets, seen by any device connected.
Tagged vlans will send the packets marked with the number, and that traffic will be hidden from normal devices (only devices that support vlans, like OpenWrt routers, can see it).

Now you have created in the router two more bridge devices, named br-lan.1 and br-lan.3 (you can change the names).

Open lan interface and change the device assigned to it to br-lan.1.
Open the iot interface and change the device to br-lan.3.

That way traffic coming from the other router will be directed to the appropriate network in each switch in the router.

After that you will need to configure zones and firewall rules to get the routing and isolation you are seeking.

That is where I am a bit stuck and not getting the expected results.

I am from the old days, where IP networks were much simpler: you directed traffic by configuring gateways for each LAN and configuring rules and routes.
There were no zones and no policies.

If I understand well, zones are a way to simplify rule creation: you define what you want using zones, and then the software creates routes and rules for you.
But I have yet to master what they do exactly and how they relate to policies (PBR).

[OpenWrt Wiki] DSA Mini-Tutorial
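The procedure above (two bridged interfaces, VLAN 1 and 3 on br-lan with one trunk port, DHCP on each, then firewall zones), and the zone/forwarding question from the first replies, written out as the OpenWrt UCI files it produces. This is an added example, not configuration from this thread or the OpenWrt wiki; the DSA port names lan1-lan4, the 'wan' zone name and the 192.168.2.0/24 (lan) and 192.168.3.0/24 (iot) ranges from the earlier posts are assumptions about the router.

```uci
# /etc/config/network (DSA-style router; port names lan1-lan4 are assumed)
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
# VLAN 1 = lan, VLAN 3 = iot ('u*' = untagged + PVID, 't' = tagged).
# lan1/lan2 carry lan only, lan3 carries iot only, lan4 is the single
# cable to the remote switch carrying lan untagged and iot tagged.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan4:u*'
config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan3:u*'
	list ports 'lan4:t'
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.2.1/24'
config interface 'iot'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '192.168.3.1/24'
# /etc/config/dhcp (second pool; start/limit keep OpenWrt's defaults)
config dhcp 'iot'
	option interface 'iot'
# /etc/config/firewall (lan keeps its default zone). input ACCEPT lets iot
# hosts use the router's DHCP/DNS; with forward REJECT and only lan->iot
# forwarding, lan can open connections to iot (replies return statefully)
# but iot cannot open them to lan. Add src 'iot' dest 'lan' for full trust.
config zone
	option name 'iot'
	list network 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
config forwarding
	option src 'lan'
	option dest 'iot'
config forwarding
	option src 'iot'
	option dest 'wan'
```

Apply with `/etc/init.d/network restart`, `/etc/init.d/dnsmasq restart` and `/etc/init.d/firewall restart`; the remote switch needs the mirror-image bridge-vlan section on its own trunk port.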