VLANs in OpenWrt 21

00:01

Many of you left me comments for my OpenWrt VLAN videos.

00:06

Many thanks for that.

00:07

The general feed back was „Where have the VLANs gone in OpenWrt 21 ? Everything has

00:14

changed.“

00:15

Well, surprisingly enough – the VLAN functionality in OpenWrt 21 has not changed at all – it

00:23

still works exactly the same like in Version 19, but two things are new in OpenWrt 21 – one

00:30

is called Distributed Switch Architecture or DSA – which in fact changes the way we

00:36

configure the switch portion of our OpenWrt devices and replaces swconfig – and the

00:43

second profound change is bridge VLAN filtering.

00:47

Stay tuned.

00:51

(intro)

00:55

Guys, here is the breakdown of this episode.

01:01

Do not hesitate to use the chapter markers if you want to skip or fast forward.

01:06

For those who have seen the previous videos, we do the Version 21 configuration at this

01:11

time marker here.

01:12

Many thanks.

01:15

First let’s quickly recap what a VLAN is.

01:18

A physical Ethernet LAN is basically a wire or cable.

01:23

Data is sent over that wire in packets.

01:27

Devices on the Ethernet are identified with MAC addresses.

01:30

So a typical Ethernet packet would look like this.

01:33

We have a small header, then the source MAC address and the destination MAC address, some

01:39

more information and then the payload, so the data that we want to transmit.

01:45

Plus a checksum at the end.

01:47

This way every switch in the network knows where to send the data to.

01:53

If we want to segment our Network let’s say into a guest zone and a LAN zone then

02:00

we would hence need two wires.

02:03

One Wire would go to the Guest WiFi access point and the other one to the LAN access

02:09

point here.

02:10

Or – we can do with one wire running two virtual LANs, two VLANs.

02:17

Rather than pulling a second wire we use one wire and identify the packets inside with

02:22

an additional tag in order to figure out which LAN they belong to.

02:27

In essence it’s like putting a yellow or red or blue post it on the packets saying

02:34

the blue packets belong to guest and let’s say the yellow packets are for the LAN.

02:39

Of course we don’t do colors here but rather bits and bytes which we just insert into the

02:45

packet here.

02:46

A VLAN aware device like a managed switch or an OpenWrt Access point can then receive

02:53

those packets and dispatch them to either a physical Ethernet port or to a separate

02:59

WiFi Network.

03:00

Just like we did in the Guest Wi-Fi video.

03:03

In case you haven’t seen it – here is a link.

03:07

Another way of thinking of VLANs is this: On your router you have physical Ethernet

03:12

ports.

03:13

You can plug in a wire to those.

03:15

With VLANs you can create multiple virtual ports on one physical port.

03:20

You can do pretty much everything with such a virtual port.

03:24

You can even connect a virtual port to a physical port or to a Wifi.

03:30

On Linux – you remember – OpenWrt is Linux - this can easily be done by defining interfaces

03:37

that are attached to a physical interface like eth0 for example.

03:42

If I wanted to call my VLANs 21 and 56 then I would create interfaces called eth0.21 and

03:50

eth0.56 – that would tag the packets on one VLAN with 21 and with 56 on the other.

04:00

We have seen that a VLAN can be used to run multiple networks over one wire or cable.

04:05

The packets are assigned to the right network by an additional identifier that is inserted

04:11

into the Ethernet packet.

04:13

When a VLAN aware network device is attached to a physical device such as eth0 on linux,

04:20

one can define it just by appending a dot and the VLAN number.

04:24

Let’s see how to define those in OpenWrt.

04:28

So – I told you in the beginning that this has not changed from Version 19 to Version

04:33

21.

04:34

Let’s have a look at Version 19.

04:36

In my last videos I showed you how to do that in the switch menu.

04:41

We went to Network – then switch and klicked on “add VLAN” and then we selected the

04:47

parameters such as the VLAN ID and the ports which we wanted to have in the VLAN either

04:52

tagged or untagged or not participating at all.

04:57

This actually did a couple of things.

05:00

It created the eth0.x interface and then updated the switch configuration to reflect the port

05:06

assignment.

05:07

So we defined the VLAN and we defined the switch configuration.

05:11

Two distinct things here.

05:13

The VLAN definition only tells the system to add an interface and tag packets.

05:20

The switch configuration tells the system which VLAN has to be dispatched or distributed

05:26

to which Ethernet port at the back of the device.

05:30

The “proper” way of just defining the VLAN interface would have been to actually

05:35

go to network –

05:37

then interfaces,

05:40

click edit on the desired interface,

05:43

then go to the “Physical Settings” tab

05:47

and then select or create the interface where we want to have the VLAN on and type it into

05:53

the custom field down here directly.

05:56

For example if I type eth0.123 that would create a VLAN 123 aware network device attached

06:03

to eth0.

06:06

We haven’t told the switch what to do with it or in other words – which port of the

06:10

switch should actually use that VLAN – so why would we want to do it that way ? Well,

06:16

think of hardware that does NOT have an integrated switch, such as your laptop or a raspberry

06:22

Pi or a virtual machine or a container.

06:25

You could in fact use VLANs on those devices and then attach a managed switch which would

06:31

take care of the tagging and dispatching etc.

06:36

So we have seen that the Network interface and the switch are two distinct parts of our

06:40

Wifi-Router or generally speaking of our device.

06:45

We know how to define VLAN aware devices and we know how to dispatch or distribute the

06:51

VLANs across the ports of our switch.

06:54

We also know that there are devices that do NOT have switch hardware, such as Raspberry

06:59

Pis or Virtual Machines.

07:02

That actually was the buzzword for a – CALL TO ACTION – I need you to get involved please.

07:09

I have seen that there are a couple of videos here on YouTube about turning a Raspberry

07:14

Pi into a router.

07:16

There are also some about VLANs on the raspberry Pi.

07:21

However, I found that they are either kind of klick here, klick there style without really

07:26

explaining why or they tell you to use a USB Ethernet device.

07:31

So here’s my question – would you be interested in seeing a video on how to use OpenWrt on

07:36

the raspberry pi ? Presumably together with VLANs over a managed switch.

07:42

Or maybe we can use it as a VPN gateway with Wireguard or I could think of integrating

07:49

PiHole or Adguard.

07:51

Let me know what you think.

07:53

The same question can be asked with regards to virtual Machines – that means using OpenWrt

08:00

with VLANs inside let’s say Proxmox – let me know if you would like to see anything

08:05

of that kind.

08:06

Please do leave me a comment!

08:09

Thanks guys ! Let’s get back to OpenWrt 21.

08:15

This device menu with the custom interface option still exists on OpenWrt 21.

08:21

So we can do exactly the same like we did on Version 19 here in version 21.

08:26

Or – there is a more comfortable way to do that on this new devices tab here.

08:31

If we click on “Add device configuration” then we can select VLAN 802.1Q as the device

08:38

type, select a base device, for example eth0 and specify the VLAN ID.

08:45

You can see the device name that would be created here.

08:48

while true; do clear ; diff network network.old ; sleep 1 ; done

08:52

Actually let me try something here.

08:55

I want to show you the changes in real time.

08:59

The configuration of the network devices and interfaces which is read by OpenWrt at boot

09:05

time is stored in the file /etc/config/network.

09:12

I have ssh’d into the router, moved into the /etc/config folder, and I have taken a

09:18

copy of that file.

09:20

I just need the software package diffutils installed in order to have the diff command

09:25

available.

09:26

With this small one-liner here I am monitoring the changes of the file compared to the copy

09:32

that I have just taken.

09:34

That will make it clear what actually gets defined when we do changes in luci here.

09:39

First I define the VLAN device in the device tab.

09:42

Hitting save and apply creates that config device section in the file.

09:47

On the command line we would do UCI commit.

09:50

That actually saves the configuration.

09:52

You can see the name, type and vid defined here.

09:56

When I define the device on the interface then you can see those changes added in the

10:02

config interface section in this option device line here.

10:07

What happens if I reset the VLAN device config ?

10:10

It disappears in the config file but is still listed in luci.

10:14

So it is kind of an implicit configuration as opposed to an explicit definition in the

10:19

first case.

10:20

Both scenarios will work.

10:22

Let me do the interface definition on Version 19 here and as you can see it is kind of the

10:27

same result just the option name is not called device but rather ifname.

10:35

We have just seen that we can define VLAN aware network interfaces in exactly the same

10:40

way on OpenWrt versions 19 and 21.

10:43

Now what HAS changed is how switch ports are presented to the user.

10:49

In OpenWrt 19 we had the switch menu and could tag and untag the ports there.

10:55

In OpenWrt 21 each port of the switch is actually shown as a network device, in this case lan1,

11:02

lan2 and wan.

11:04

So each of these devices corresponds to a port on the switch.

11:08

This is called distributed switch architecture or DSA.

11:12

If you want to know more about DSA and why it had been introduced then check out the

11:17

Linux Kernel documentation.

11:18

I’ll put a link into the description.

11:21

Just so much that with DSA each port of the switch is now shown as a separate network

11:26

device.

11:28

Another thing that has changed is the fact that when we create an Interface such as GUEST

11:32

or IOT or LAN, in Openwrt 19 we could say – this device is a bridge – directly on

11:39

the interface.

11:40

We could then select multiple devices that should be on that bridge from the dropdown

11:46

in the physical settings tab.

11:48

In OpenWrt 21 we don’t have that option any more.

11:52

Here again we define a bridge on the devices tab under Network- Interfaces.

11:58

The device type is “Bridge device” and the Ports of that bridge can be selected in

12:02

the Bridge ports dropdown.

12:05

By default you should at least have a br-lan bridge that bridges all the lan ports together

12:11

of course.

12:13

Cool – we already know a lot of things here.

12:17

We know what a VLAN is, we know that there is a switch part and a network interface part

12:21

in our system and we know how they are defined in the GUI.

12:26

Now with this knowledge let’s see how we can implement the GUEST-IOT-LAN segmentation

12:31

from the earlier videos in OpenWrt 21 – for this we will use the second new feature which

12:38

is called bridge VLAN filtering.

12:41

I want to define the following VLANs – 3 for the IOT network, 4 for the GUEST network

12:49

and 99 for the LAN.

12:53

I want to have all of them tagged on let’s say the lan1 port, I then want to have let’s

12:58

say LAN on the lan2 port of the switch untagged.

13:02

The wan port will remain the wan port connected to my ISP.

13:06

I also want to have three Wi-Fi Interfaces attached to each one of those VLANs.

13:12

So if a guest connects to the guest Wi-Fi then they should be on the guest VLAN and

13:16

not see anything in my LAN.

13:18

In the second step I will attach a second Access point to the lan1 port which covers

13:24

let’s say the 2nd floor of my house and that should of course also have all three

13:28

Wi-Fi’s.

13:29

Guys, for the firewall configuration of this please see my earlier video . Link up here.

13:36

Let’s go.

13:38

The first thing that I do is that I define the bridge.

13:41

By default all lan ports are bridged together.

13:44

We will keep it that way and do the VLAN filtering later.

13:47

Let’s go to Network – Interfaces – Devices tab – select the br-lan and click on configure.

13:55

If there is no bridge, then click on “Add device configuration” down here and select

14:00

bridge device as the device type and let’s call it br-lan.

14:06

On the General device options tab make sure that the lan1 and lan2 port are selected in

14:10

the bridge ports dropdown.

14:12

If you have more lan ports then you can add them of course.

14:16

Next, let’s select the “Bridge VLAN filtering” tab.

14:20

Here we need to tick the box “Enable VLAN filtering” of course.

14:24

Now we add the VLANs.

14:26

We just click on Add three times and then let’s review the settings.

14:31

Change the VLAN IDs to reflect the numbers which we want to use, so 3, 4 and 99.

14:38

Tick the “Local” box next to each VLAN – I’ll explain that in a second.

14:43

While you do this please make sure that your laptop or PC where you do that on is actually

14:48

connected to the port that you want to have untagged on the LAN, in my case that’s lan2.

14:55

Very important, otherwise you will be locked out.

14:59

Quick remark here – if ever you lock yourself out – the easiest way of getting back in

15:04

is to – do nothing.

15:07

If the connection to the router is not re-established within 90 seconds after having clicked “Save

15:12

and Apply” then Luci will revert the changes.

15:16

So don’t click, unplug etc.

15:18

Just wait a minute and a half and you should be back in business.

15:22

Might be a life saver ;-)

15:26

I want to have all VLANs tagged on the lan1 port – this is the port where we will connect

15:32

the second access point later – so I select “egress tagged” on all VLANs on that lan1

15:39

port.

15:40

The VLAN 99 is my internal LAN so I set the lan2 port to “egress untagged” and also

15:46

I select the “primary VLAN” tickbox – or “Port VLAN” as it should be called or

15:52

as it is called – that’s actually the PVID on many switches.

15:57

Do NOT click save and apply yet – we will need to let the LAN interface know about the

16:04

new VLAN first.

16:05

But first let me explain these settings.

16:07

We need to take two aspects into consideration here: The first one is ingress vs. egress

16:14

and the second one is tagged vs. untagged.

16:18

When we select “t” or “egress tagged” on a port then this means that packets that

16:23

we send to the VLAN 99 will also be sent out to that port.

16:28

They will be kind of “dispatched” or “distributed” to that port.

16:32

Outgoing – hence the word egress.

16:35

The “t” means that we actually write the VLAN tag into the Ethernet packet.

16:40

A non-VLAN-aware device would in fact not know what to do with such a packet, so we

16:45

need a VLAN-aware device such as a managed switch or of course our access point at the

16:50

other end.

16:52

If we select “u” for “egress untagged” that means that we also write to that port

16:58

but we do not add a VLAN tag.

17:01

You could then attach a normal PC to that port and it wouldn’t ever know that it’s

17:05

on a VLAN.

17:07

In simple terms – if you have multiple VLANs going over a cable and you want to connect

17:12

two switches or access points etc. then use tagged.

17:17

If you just want to attach a laptop or PC to that port then assign it to one single

17:23

VLAN and select “untagged”.

17:25

So “untagged” actually means that we are assigning this single port to that VLAN without

17:31

letting a connected device know that there is actually VLANs involved here.

17:37

So far for egress.

17:39

But what if a packet comes in ? How do we know which VLAN it belongs to ? Of course

17:45

if there is a tag in the packet then we can assign it easily.

17:50

But how about untagged packets ? This is what the PVID – the primary or port VLAN ID it

17:57

should rather be called - does.

18:00

On this lan port 2 we have set this on the VLAN 99.

18:04

So every packet that comes in untagged will be assumed to go to VLAN 99.

18:11

Perfect.

18:12

Let’s save.

18:13

Again - don’t save and apply yet.

18:15

What happened here is that three new devices have been created.

18:19

Br-lan.3, 4 and 99.

18:23

So that’s a big difference compared to OpenWrt 19 – it’s not the physical interface such

18:28

as eth0 that gets the VLAN id but it is the bridge.

18:33

Next step is to actually assign that bridge to interfaces.

18:36

And we need to do this before we apply, otherwise we will be locked out.

18:41

So let’s go to the Interface tab.

18:43

Click on edit next to the LAN interface.

18:46

You can see that the Device is set to br-lan – we need to change this to br-lan.99 because

18:53

our LAN will now be the VLAN 99.

18:57

Now we can save and apply.

18:59

Alternatively we can click on that “unsaved changes” icon in the upper right corner

19:03

here and review the changes and click “Save and apply” there.

19:07

If everything went well then you should be reconnected to your device.

19:12

Just now you are on the VLAN 99 – but you don’t notice because the port that you are

19:18

connected to is set to untagged.

19:21

If you connected your PC to the lan port 1 you would not be able to connect.

19:26

Perfect.

19:28

This showed the first big change in Version 21 – VLANs can be filtered on a bridge rather

19:33

than on the physical device.

19:35

First we bridge all the switch ports and then we tell the bridge where to assign the VLANs

19:40

to.

19:41

Actually, shall we quickly compare the Version 19 switch tagging to the version 21 bridge

19:46

vlan filtering from a config file perspective ? Let’s monitor both network configs on

19:51

this Version 19 and this version 21 router.

19:55

First the switch on Version 19.

19:58

Then the bridge on Version 21.

20:03

Now the interface on Version 19.

20:07

And the interface on Version 21

20:11

So you can see here that the config option is called switch_vlan in version 19 and bridge-vlan

20:18

in version 21.

20:20

Awesome – now let’s add the other interfaces and the WiFi interfaces.

20:24

Click on add new interface for each one of them, select the br-lan.x device to be the

20:29

physical device and assign it to the right firewall zone.

20:33

Also we want each one of them to act as a DHCP server on different IP address ranges.

20:39

Again – firewall setup is in an older video.

20:42

Next we go to Network-Wireless and create the corresponding wireless settings.

20:47

Now here is another change in OpenWrt 21 – in order to assign the WiFi to the right network

20:53

you need to open that dropdown box here that reads “Network” and tick the box next

20:58

to the right network.

20:59

Guys, for Wireless setup see my two videos about WiFi fast roaming and the other one

21:06

about how to add a second Access point to an existing network – the links are up here

21:10

again and in the description.

21:13

Thanks.

21:14

Cool.

21:16

That’s all on the first router.

21:18

Oh – hang on – you remember that I told you to tick that “local” box next to the

21:22

VLANs in the bridge VLAN configuration ? Let’s see what happens if we don’t do this.

21:27

Let me add another VLAN 55 here and NOT tick the box.

21:32

As you can see, no br-lan.55 has been created, so we can tag or untag that VLAN on the switch

21:41

but we can not use it locally on the router to create an interface.

21:44

That’s the difference.

21:48

Now we know so many things – how to define the VLANs on the bridge, how to tag or untag

21:54

them on the bridge, we know how to assign Interfaces to a VLAN and we know how to hook

21:59

up W-Fi to them.

22:01

Let’s move to the second device now.

22:06

The second router should act as an access point only – a “dumb” access point as

22:11

it’s often called in the OpenWrt forums.

22:15

That means that it should NOT act as a router and NOT serve IP addresses over DHCP and also

22:21

it should not have a firewall.

22:24

The basic steps are actually outlined in this older video here – how to extend a Wifi

22:30

to a second access point so I will not go over all of them.

22:35

Just the high level overview here.

22:37

On the VLAN side the configuration is quite similar.

22:41

In my case I want to use the wan port as the uplink to the main router so rather than having

22:46

everything tagged on lan1 I’ll move that to wan – but it doesn’t really matter

22:52

– the wan port is just another switch port – very much like the lan ports – and we

22:58

are totally free to assign it to one VLAN or the other.

23:02

In fact, naming it lan or wan is just a convention.

23:05

I could as well call them Fritz or Hans or Otto.

23:10

Let’s remove the wan and the wan6 interface and then go back to the br-lan bridge, add

23:18

the wan port and tag the port there accordingly on the Bridge VLAN configuration.

23:24

Once this is set up then the final result should look like this: three interfaces, again

23:30

called GUEST, IOT and LAN on br-lan.4,3 and 99.

23:37

If we set those interfaces to be DHCP clients then each one of them should get an IP address

23:42

from the router out of the respective IP address range.

23:46

We set up the Wi-Fis with the same SSID and passwords like on the first one but you may

23:52

use different channels here.

23:53

Again – that’s very well outlined in my WiFi fast Roaming video.

23:58

Actually I have a whole playlist of videos about OpenWrt – the link is up here.

24:03

You might want to bookmark that or actually subscribe to my channel and check out the

24:07

channel page.

24:08

All links are in the description as well.

24:12

Cool.

24:14

Now we have a real network.

24:16

We have a main router with access to the internet, we have three VLANs going over one single

24:22

wire to a second access point which extends our three Wi-Fi networks for example to another

24:29

floor in the house.

24:32

Once we have checked everything there are however a couple of things that we should

24:36

do on the access point for security reasons.

24:39

The access point still thinks that it should act as a router.

24:42

As we have no firewall here that means if someone changed his or her default gateway

24:47

to be that access point then they would actually potentially be able to route from one network

24:53

to the other.

24:55

In order to prevent that we can do two things:

24:58

First, we disable routing on that access point by setting the ipv4 forwarding flag to 0.

25:06

Second, we can also remove the IP addresses from all but one interfaces.

25:13

If there are no IP addresses on that device then it can’t route.

25:17

You need to keep one however in order to be able to access luci.

25:21

We do that by setting the protocol to “unmanaged” on the IOT and GUEST and just keep dhcp client

25:28

on the LAN interface.

25:30

Now we can still access luci over the LAN address but the access point has become invisible

25:35

from an IP standpoint in the other networks.

25:40

Yet another tip here – don’t use VLANs 0, 1 and 2 – they are hard coded on some

25:46

devices for LAN and WAN and could also potentially present a security risk.

25:53

So – let’s sum this all up.

25:56

Here is what we now know about VLANs and so on in OpenWrt 21:

26:01

First – VLANs can be explicitly defined as VLAN 802.1Q devices under Network-Interfaces

26:08

then device tab or implicitly on the Interface by typing in the device name into the custom

26:15

field.

26:17

Second – the Distributed Switch architecture DSA shows every port of the switch as a network

26:23

device, for example lan1, lan2 and wan

26:26

Third – VLAN filtering can be done on the bridge by selecting the “Bridge VLAN Filtering”

26:34

tab.

26:35

This will generate devices like br-whatevername.x

26:39

Last but not least – we know how to attach interfaces and Wi-Fi’s to those VLANs and

26:44

we know how to do basic security on the access point.

26:48

Awesome – that’s pretty much it – Oh – maybe one last thing.

26:54

At the time of making this video, that is in December 2021, not all architectures are

27:00

using the Distributed switch architecture DSA.

27:03

Some of them still use swconfig, that means the “old” way of assigning VLANs to switch

27:10

ports.

27:11

One example is the Archer C7, a very popular router for OpenWrt.

27:15

One of the reasons is that on devices with multiple Ethernet cards, like eth0 and eth1

27:22

in the Archer C7, currently there is no way with DSA to assign the switch ports to one

27:28

or the other interface.

27:29

So I guess we will just have to wait on those.

27:31

I’ll see if I can find a page on the OpenWrt web site that summarizes the supported architectures

27:38

and put into the description.

27:40

You will actually have to decide if you only use one card and DSA or if you want to use

27:46

VLAN distribution to the switch the old way.

27:51

Guys – that’s it for today, many thanks for liking, subscribing and sharing the video

27:57

with others.

27:58

Please don’t forget to leave a comment.

28:01

Many thanks for watching – stay safe, stay healthy, bye for now.