VLAN | Work separate from home but share WAN

My home network set up is:

Raspberry Pi 4 - router on a stick.
5 port managed switch

  • Port 1 = WAN = VLAN10 untagged.
  • Port 2 = connection to router = VLAN1 tagged & VLAN10 tagged.
  • Port 3 = connection to another managed switch and currently all traffic is VLAN 1 untagged.

I would like to create VLAN20 and connect my work provided device.

So, the new configuration would be:

5 port managed switch

  • Port 1 = WAN = VLAN10 untagged.
  • Port 2 = connection to router = VLAN1 tagged, VLAN10 tagged & VLAN20 tagged.
  • Port 3 = VLAN1 tagged & VLAN20 tagged - connects to Port 1 on the second switch.

Second 5 port managed switch:

  • Port 1 = VLAN1 tagged & VLAN20 tagged - connects to Port 3 on the first switch.
  • Port 5 = work = VLAN 20 untagged.

My question is, how do I configure OpenWRT to allow VLAN20 to connect to the WAN, but not connect to VLAN1?

Is 'br-lan' going to be an issue?



See the documentation about VLANs.

It should all be explained there, and the key to separating your networks is the firewall.

Feel free to ask more questions here if anything is unclear or confusing, or if you get stuck.

I had a go at configuring things and I think I have it working.

Home network = /24
Work network = /24

I configured a new interface and firewall zone.


I connected my personal laptop to the VLAN20 port and received an IP address in the correct range.

I was able to ping the VLAN address (i.e. and received 'Destination port unreachable' when attempting to ping devices on my home network. I presume that this message, as opposed to 'timed out', is because the packets are being rejected by the firewall?

My work device is now connected to Port 5 / VLAN20 and it has internet access and, hopefully, can't access my home network - it's an Aruba VPN device and I can't run any tests directly.

Looks like you have it running as desired.

If you want to block the work VLAN from reaching the router, you can change the input rule to drop. If you go that route, you'll likely want to add traffic rules to accept DHCP and DNS from the work network.

Otherwise, the setup looks good and your results are exactly as expected.

Sorry, I don't understand.

The VLANs are sharing the same router. If I block access, then it won't be able to connect to the internet.

I'm referring to the ability to access the router itself, rather than having traffic routed through it.

For example, if you were setting up a guest network in a cafe, you would not want the patrons to be able to access the admin interface or other services running on the router. Therefore, you would block all connections from the guest network that are destined for the router itself (aside from DHCP and DNS, in most cases). The router will still allow the traffic to be routed through to the internet.

Thanks for clarifying. Would these be the correct rules?


It's the same as a guest network.

DNS may be TCP or UDP you need to allow both.

Block management you want to block all IP's that may exist in your network (e.g. a double NAT) and allow only the Internet. For example block

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.