pcplanet Table of Contents
Introduction:
Configuring VLANs on OpenWrt 23.05 can really help organize and secure your network. If you’ve updated from OpenWrt 19.07 to OpenWrt 23.05.2, you might be facing some new challenges with setting it up because of the switch to something called DSA.
The starting config is at the bottom, paste it and build further vlans from it, don’t try to create the starting config unless you know what you’re doing. You can try, but I’m willing to bet you’ll keep facing a UI timeout issue constantly.
I highly recommend using this on a fresh install, don’t blindly copy paste.
Network used:
For simplicity here is a small environment example:
Wireless devices -> WRT1900ac (plugged in lan1 nothing in WAN port of router) -> Cisco switch (properly configured to accept vlan) -> top level firewall (where vlans are, dhcp,dns)
Initial Challenge:
Moving from the old system (swconfig) to the new one (DSA) can feel a bit tricky. You might be used to seeing your network settings laid out in a certain way, like this (mine is in excel because i forgot to back up/screenshot my settings):
A similar configuration but in DSA looks like this:
My biggest problem was that after i would click save and apply i would lose connection to the router ip and had to wait for a rollback. To avoid this you need to set your main LAN interface to br-lan.1 instead since VLAN ID 1 is default for the internal network.
Once that is done you will need to create unmanaged interfaces for each of the vlans:
Once that is done you can now you and assign the wireless SSIDs to the corresponding vlans that the SSID should be in:
Configuration Files
Here is what the standard stock configuration looks like when you drop into openwrt for the first time:
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdf7:4c8b:cbcd::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config device
option name 'lan1'
option macaddr ''
config device
option name 'lan2'
option macaddr ''
config device
option name 'lan3'
option macaddr ''
config device
option name 'lan4'
option macaddr ''
config interface 'lan'
option device 'br-lan'
option proto 'dhcp'
config device
option name 'wan'
option macaddr 'x'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'Here is the template/formula to add 2 vlans of your choice:
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdf7:4c8b:cbcd::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config device
option name 'lan1'
option macaddr ''
config device
option name 'lan2'
option macaddr ''
config device
option name 'lan3'
option macaddr ''
config device
option name 'lan4'
option macaddr ''
config interface 'lan'
option device 'br-lan.1'
option proto 'dhcp'
config device
option name 'wan'
option macaddr 'x'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1:u*'
list ports 'lan2:u*'
list ports 'lan3:u*'
list ports 'lan4:u*'
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'lan1:t'
list ports 'lan2:t'
list ports 'lan3:t'
list ports 'lan4:t'
config bridge-vlan
option device 'br-lan'
option vlan '337'
list ports 'lan1:t'
list ports 'lan2:t'
list ports 'lan3:t'
list ports 'lan4:t'
config interface 'vlan10'
option device 'br-lan.10'
option proto 'none'
config interface 'vlan337'
option device 'br-lan.337'
option proto 'none'Conclusion:
At first, setting up VLANs on the WRT1900ac with the latest OpenWrt version can seem pretty confusing, but once you understand DSA, it’s straightforward. This setup makes your network more secure and runs better. Keep in mind that what worked for me might need some tweaks for your network. I’ll keep updating this guide to keep it helpful.
This is a solution that worked for me and may not be a one size fits all. This guide will be updated as more ways are found.
