VLAN Setup to Extend Home Network


I'm planning on extending my home network by installing another AP so that I can extend my guest LAN and private LAN.

Due to cabling restrictions I've discovered that VLANs would be the best approach.

I want to know if it's possible to trunk a WAN and two LANs down one physical cable (the WAN port on the rear of my router) on OpenWrt to a managed switch. From here I can then split the WAN to the modem and the two LANs onto another OpenWrt router where I will further split the private LAN and guest LAN.

To explain this better, my Linksys WRT1900ACS will be the main router and AP. So far the internet comes in on the WAN port and the four gigabit Ethernet ports are configured to the private LAN. On OpenWrt I have three interfaces: one for the private LAN, another for the guest LAN, and finally one for the WAN.

I'm still trying to get my head around configuring VLANs but I do understand the basic concept. What I think I'm trying to do is trunk WAN, private LAN and guest LAN, but I can't work out what needs tagging, untagging and then what to set the interfaces to.

All I know is that on the trunked VLAN (combined WAN and two LANs), once it arrives at the managed switch on the one physical port, VLANs are used to split the trunk into their respective three separate connections.

Could someone tell me if this is all possible, and if so could someone kindly explain how I would do this in LuCI (the graphical VLAN view will be easy to understand if it's visual) please?

Many thanks


Yes, possible (and something I do all the time).

My general rule is on a trunk, everything is tagged. Depending on your switch, they may call the port “general” instead of “trunk” or the like. I also reject untagged packets on my trunks and set the PVID to a “black hole” PVID (one not connected to anything).

(I configure without LuCI, so I can’t help with pictures.)


In general, how do I create the trunk for the WAN port? At the moment VLAN 1 is my WAN connection and the WAN port is port 6 on the system, which is set to untagged.

VLAN 2 is my home network and is untagged across ports 2-4, ports 0 and 1 being the CPU.

Do I simply tag port 6 across all three VLANs?

I don't think that you need to connect the WAN port over a switch to the modem and mess with VLANs, unless you have reached the maximum distance allowed for the cable and you want to use the switch as repeater.
Back to the main topic. I did something like you want to do. My RSpro has 3 LAN ports and I have LAN, Guest, and IoT. Each one is assigned and tagged to one VLAN and one physical port. So from port LAN1 I have my LAN tagged on vlan1, LAN2 Guest vlan2, and LAN3 IoT vlan3. On the other side of the cable the switch is configured accordingly.
Tricky parts: Check the MAC addresses of the LAN interfaces and adjust them if they are identical, or you might have a loop. If you connect more than one port of the same VLAN on the switch, make sure you enable STP. VLANs need to be tagged on the CPU if you plan to do router on a stick (which in your case you do).
Read this: https://openwrt.org/docs/guide-user/base-system/basic-networking
and you'll get how VLANs work in OpenWrt.
Other than that it is not very difficult. Create the new VLANs you need, tag them on the CPU and LAN port, turn off other ports, and configure the switch accordingly.


For each VLAN that is not used to access the router's services (I run DHCP, DNS, NTP, ..., on other hosts and use a restricted management VLAN):

(This is from an Archer C7v2; your device names may be different.)

config interface 'vlanNNNN'
	option type 'bridge'
	option stp '1'
	option ifname 'eth1.NNNN'
	option proto 'none'
	option auto '1'
	option delegate '0'    # My recollection is this disables sending IPv6 RAs on the interface

For interfaces that need an IP address

config interface 'vlanNNNN'
	option type 'bridge'
	option stp '1'
	option ifname 'eth1.NNNN'
	option proto 'static'
	option ipaddr ''    # fill in whatever address is appropriate for this VLAN
	option netmask ''   # and its netmask
	option delegate '0'

For the switch, if the VLAN ID is greater than the number of entries in the driver's table [1], you need to specify the VLAN ID explicitly:

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid 'NNNN'
	option ports '6t 1t'    # For this device, 6 is the eth1 interface, 1 is the WAN port which I use as a trunk

You also should prevent forwarding between VLANs with the firewall rules at all devices that can route, assuming you want isolation between them.

[1] Here the device has a 128-VLAN limit:

jeff@garage:~$ swconfig dev switch0 help
switch0: mdio-bus.0(Atheros AR8327), ports: 7 (cpu @ 0), vlans: 128
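Since the thread keeps coming back to what must be tagged where, here is a small checker for `config switch_vlan` sections that encodes the rules given in the replies above (every VLAN tagged towards the CPU port, everything tagged on a trunk, a port untagged in at most one VLAN, and a low table index with an explicit `vid` for large VLAN IDs). It is an added example written for this thread, not OpenWrt code or any poster's configuration; the port numbers in the sample configs are assumptions, not any real device's layout, and the VLAN numbers follow the thread (20 WAN, 5 guest, 10 private).

```python
"""Sanity checker for swconfig-style VLAN sections in an OpenWrt UCI
network config. Added example for this thread, not OpenWrt code."""
import re
from collections import defaultdict

# Constructed sample (port numbers are an assumption, not a real device's
# layout): CPU on port 0, the trunk on port 1 (the jack labelled "WAN"),
# access ports 2-4. VIDs follow the thread: 20 WAN, 5 guest, 10 private.
GOOD_CONFIG = """
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '20'
	option ports '0t 1t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '5'
	option ports '0t 1t 2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '10'
	option ports '0t 1t 3 4'
"""

# Constructed counter-example with three mistakes: VID 5 leaves the trunk
# untagged, VID 10 is untagged towards the CPU and uses table index 200,
# and port 2 is untagged in two VLANs at once.
BAD_CONFIG = """
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '20'
	option ports '0t 1t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '5'
	option ports '0t 1 2'

config switch_vlan
	option device 'switch0'
	option vlan '200'
	option vid '10'
	option ports '0 1t 2 3'
"""


def parse_switch_vlans(text):
    """Return one dict per 'config switch_vlan' section (option name -> value)."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        m = re.match(r"config\s+(\S+)", line)
        if m:
            current = {'_type': m.group(1)}
            sections.append(current)
            continue
        m = re.match(r"option\s+(\S+)\s+'([^']*)'", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return [s for s in sections if s['_type'] == 'switch_vlan']


def parse_ports(ports):
    """'0t 1t 2' -> {0: True, 1: True, 2: False}; True means tagged."""
    return {int(tok.rstrip('t')): tok.endswith('t') for tok in ports.split()}


def check_vlans(text, cpu_port, trunk_ports, table_size=128):
    """Return a list of problems (an empty list means the config passes)."""
    problems = []
    untagged_on = defaultdict(list)   # port -> VIDs it is untagged in
    for v in parse_switch_vlans(text):
        index = int(v.get('vlan', -1))
        vid = int(v.get('vid', index))   # swconfig uses the index as VID when 'vid' is absent
        ports = parse_ports(v.get('ports', ''))
        if not ports.get(cpu_port, False):
            problems.append(f"VLAN {vid}: CPU port {cpu_port} missing or untagged")
        for tp in trunk_ports:
            if tp not in ports:
                problems.append(f"VLAN {vid}: not carried on trunk port {tp}")
            elif not ports[tp]:
                problems.append(f"VLAN {vid}: untagged on trunk port {tp}")
        if not 0 <= index < table_size:
            problems.append(f"VLAN {vid}: table index {index} exceeds the "
                            f"{table_size}-entry table; use a low 'vlan' index "
                            f"and set 'vid' explicitly")
        for port, tagged in ports.items():
            if not tagged:
                untagged_on[port].append(vid)
    for port, vids in sorted(untagged_on.items()):
        if len(vids) > 1:
            problems.append(f"port {port}: untagged (PVID) in more than one VLAN {vids}")
    return problems


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_vlans(cfg, cpu_port=0, trunk_ports=[1]) or "OK")
```

Run it against the `switch_vlan` sections of your own `/etc/config/network`, passing the CPU port and trunk port numbers shown by `swconfig dev switch0 help` for your device; the last check matters because a port untagged in two VLANs gets frames from both, which defeats the isolation the guest VLAN is there for.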

Thanks for the replies.

Unfortunately due to the number of floors and the layout of the house I'm only able to route the one cable.

The fibre broadband comes in at the front of the house on the ground floor and the main router is at the other end of the house on the second floor. The fibre box connects to the router via an outside-graded CAT6a cable. However, before the outside CAT6a cable was installed, the router was previously installed on the ground floor on an interior cable. I want to extend my private LAN and guest LAN to a second AP/router using that existing cable.

AP/router_1 and AP/router_2 won't physically talk to each other directly, hence the use of VLANs, as I will now carefully explain:

  • AP/router_1 will route private LAN (VLAN_2), Guest LAN (VLAN_10) and WAN (VLAN_1) down the physical WAN port thus creating a VLAN trunk.

  • At the other end of this trunk will be a small, 5-port, managed switch where I will split the WAN traffic (VLAN_1) to the fibre modem to acquire an internet connection.

  • The remaining 2 VLANs (VLAN_2 & VLAN_10) will route down the old CAT6a interior cable from this 5-port switch to another VLAN-capable, OpenWrt-supported router/AP (AP/router_2).

  • On AP/router_2 will be the Private LAN and Guest LAN with identical SSIDs to AP/router_1. I also intend to utilise the LAN ports on AP/router_2 so that they are on the Private LAN.

In short, AP/router_2 will be an extension of AP/router_1 through its physical WAN port, which is also being used to provide an internet connection to AP/router_1.

Hope that made sense.



This is a "textbook example" of the use of VLANs -- carry multiple, independent packet streams over a single cable.


UPDATE: My Netgear ProSafe 24-port Gigabit Switch arrived today and I've been playing around with the VLANs, and I have a guest network and a private network set to two different ports. Here's a screenshot of the switch in LuCI on OpenWrt.

Here's the screenshot of Netgear's VLAN Configuration

Netgear VLAN ID 1 (WAN)

Netgear VLAN ID 5 (Private LAN)

Netgear VLAN ID 10 (Guest LAN)

Netgear PVID
Setting these two to separate ports I was able to achieve a guest network on port 5 and a private network on port 6. However, I would like to combine the two LANs together to send to the other OpenWrt router. This will be done using the existing cable on the ground floor I mentioned earlier. Do I need these PVIDs?

Possible idea; I could be completely wrong. Leaving Netgear's port 5 dedicated to the Guest LAN and port 6 to the Private LAN, if I were to set port 24 VLANs 5 and 10 both to tagged, would this trunk the two LANs on one port ready for the receiving switch to de-trunk them? Please see screenshots.

I think what you want to achieve is possible; however, it would be much easier to help you with the configuration if you created a diagram of the devices and the physical connections. It can be an image or you can use asciidraw and paste it here as preformatted text (the </> button).


I shall download Cisco Packet Tracer and draw up the designs :+1:

Okay, Cisco Packet Tracer was too complex and fiddly. Instead I've used Visio from Microsoft. Here's the result.

AP/Router1 is the main router and connects to the ONT/fibre modem downstairs.

In my previous setup there was a cable between the ONT/fibre modem and AP/router2, hence I want to use VLAN trunking to connect AP/router1 and AP/router2 indirectly, using the WAN cable as the trunk (shown at the top of the picture) to bridge them together. Simply put, the trunk connects upstairs to downstairs.

With this in mind I want to route the three VLANs from AP/router1 through to the 5-port switch, where VLAN 20 (WAN) carries on through to the ONT/fibre modem and VLANs 5 (Guest LAN) and 10 (Private LAN) go off to AP/router2.

In regards to the LAG (Link Aggregation), I'm hoping to connect all four Gigabit LAN ports on the OpenWrt router to four ports on the 24-port switch. The Netgear ProSafe GS724T supports LAG; however, from my understanding LAG has to be supported at both ends, so I would need to configure OpenWrt with LAG support?

If I'm correct, I did look on the forums and someone mentioned installing the kmod-bond package. Apart from that, how do I physically bond the connections? As my LAN goes through eth0 and the WAN goes through eth1, I thought about segmenting the four physical RJ45 connections on the back into their own VLANs so I could bond them together somewhere in OpenWrt?

With the trunk on the WAN port and the LAG ports separated it results in the following:

Looks possible to achieve. Most of the job is done by the switches, so if you configure them correctly there is not much to do in OpenWrt.
On the 5-port switch, configure one port in access mode (or untagged) for the ONT modem in VLAN 20. The other connections are trunk (or tagged) with the VLANs you need.
The same applies for the 24-port switch. Trunk the port towards the 5-port switch and trunk the port towards AP/Router-1.
You cannot have the LAG in different ports with different VLANs though. First you need to configure the LAG for the ports and then you assign VLANs on the LAG interface.
One more thing: it is pointless to add VLAN 20 to the LAG, as your bottleneck is the single connection through the exterior Cat6 cable. In fact I don't see much point in LAG anyway, unless you expect to have a vast amount of traffic between the Guest and Private VLANs on the upper floor.


The reason for the LAG is because I'm planning on connecting my NAS and Dell PowerEdge server with 4 Gigabit Ethernet leads each (8 in total) so that Wi-Fi and cabled clients can share traffic more fairly, hence I want to have a 4-port LAG link back into the router.

The bottleneck of the SoC having only one or two [R]GMII interfaces to the switch fabric makes me question the value of such a setup.


Wifi clients will hardly tickle the gigabit connection of the wired server.
The wired clients will use the switch fabric rather than the OpenWrt router to communicate with the servers.
So I don't see the point in that.


So you reckon just one connection between the LAN port of the router and the switch would be enough bandwidth for all of the cabled devices wired into the switch?

I would essentially have the following connected to the 24-port switch:

  • Dell PowerEdge: 4 x 1 Gbps ports
  • QNAP NAS: 4 x 1 Gbps ports
  • Desktop PC: 1 x 1 Gbps port
  • PS3: 1 x 1 Gbps port
  • PS4: 1 x 1 Gbps port
  • Rock64 single-board computer: 1 x 1 Gbps port

One connection from the 24-port switch to the LAN port of the router, or if it makes you feel better you can make them 2, one for the Private VLAN and one for the Guest. Then one more connection to the WAN port. If you go for the 3-port option, all can be access ports. If you combine the Private and Guest VLANs then you need to use a trunk port there. The WAN can still be access.
All the devices attached to the switches and in the same VLAN will not go through the router to communicate with each other.

I'm going to stick with the trunk linking the Private LAN, Guest LAN and WAN on the single WAN port so that I can extend the connection down to the small 5-port switch, and then have a single connection between one of the 4 LAN ports and the switch as, like you said, the switch fabric will do all of the talking to one another.


Going back to the topic of the VLANs in OpenWrt. On my second AP would I need to have a similar switch setup? The incoming WAN port would be untagged and this would be carrying my two LANs. I would then need to create two VLANs, Private LAN and Guest LAN, using the same VLAN IDs as my main AP/router1 and connect them to two DHCP client interfaces?

P.S. I suppose if I wanted to connect a wired client to one of the 4 free LAN ports on the second AP/router I would just assign an untagged port to one of the interfaces and set the matching VLAN on the interface settings?

If I were setting it up, the second AP would not provide any services other than the AP itself. I would use tagged VLANs on all your trunks as then there is no question as to how an untagged packet should be handled. (I have my switches' trunked ports and trunked devices set to drop all untagged packets to enforce clear tagging and "prevent" surprises.)

Yes, it's OK to use the port labeled "WAN", though you'll need to assign it to the proper firewall zone (without NAT, DHCP, and all).

I personally use a "special" management VLAN to keep "everybody" from accessing the router and other devices. This may be a later enhancement to consider.
