OpenWRT is a powerful open-source firmware replacement for many home “appliance” routers that gives you enterprise router features out of home network appliances. One key feature it offers is the ability to implement Virtual LANs (VLANs), which allow you to segment your network into distinct virtual networks. I will guide you through the process of setting up VLANs in OpenWRT, with a focus on three use cases: isolating IoT devices, creating guest networks and isolating homelab networks.
Understanding VLANs
A VLAN is a logical grouping of network devices. By using VLANs, you can create isolated networks that operate as if they were physically separate, providing enhanced security and efficiency.
a VLAN uses an identifier called a “Tag” to identify a virtual network. VLAN-aware devices can associate a tag with a specific physical port or wireless network and isolate traffic to those ports/networks.
A port can also be configured as a “trunk” port, which can pass all traffic. This is useful when you want to extend multiple VLANs across devices, for example a backbone network connecting two ethernet segments.
Steps to Implement VLANs in OpenWRT
1. Accessing OpenWRT Web Interface
- Connect to your router’s web interface by entering its IP address in your web browser. Typically, this is
192.168.1.1. Hopefully you’ve changed yours. 🙂 - Log in with your admin credentials.
2. Install VLAN Support
Navigate to System > Software and click on Update lists to ensure you have the latest package information. Then, search for and install the luci-proto-relay package. This package provides the necessary tools for configuring VLANs.
3. Configure VLANs
- Go to Network > Switch. Here, you will see a list of your router’s switch ports.
- Identify the port to which your LAN devices are connected. This is often labeled as ‘CPU’ or ‘WAN’.
- Click Edit next to the identified port.
- In the “VLAN” section, create a new VLAN by clicking Add.
- Assign a VLAN ID (e.g., 10 for IoT devices) and choose a CPU Port. The CPU port should be the same port you identified earlier.
- Click Save.
- Repeat steps 4-6 for additional VLANs, such as a guest network (e.g., VLAN ID 20).
4. Configure Interfaces
- Go to Network > Interfaces.
- Click Add new interface.
- Choose a name for the interface (e.g.,
IoT). - Select the VLAN you created for IoT devices from the dropdown menu.
- Click Submit.
- Repeat steps 2-5 for each additional VLAN you want to create.
5. Configure DHCP (Optional)
If you want each VLAN to have its own DHCP server, go to Network > DHCP and DNS. Click Add to create a new DHCP server for each VLAN interface you created.
Use Cases for VLANs
1. Isolating IoT Devices
IoT devices are notorious for their security vulnerabilities. My oven and my refrigerator both connect to a phone app which is mildly helpful and frighteningly connected. By placing them on a separate VLAN, you can isolate them from your main network, minimizing the risk of an IOT security exploit affecting my home network.They can talk to specific hosts/networks on the internet, but not any of my internal hosts.
2. Guest Networks
Creating a guest network on a separate VLAN allows you to provide internet access to visitors while keeping them isolated from your private network. With my guest network, I’ve set an easy password and configured “client isolation”, meaning that a client on the guest network can’t access another guest, or my home network.
3. Homelabs
I have a VLAN set up for my homelab, so I can restrict my traffic from a test Active Directory environment, a test Linux environment and several home servers in their own virtual network, separating their traffic from my home streaming traffic.
Conclusion
Implementing VLANs in OpenWRT is a powerful way to enhance network security and efficiency. By segmenting your network into distinct virtual networks, you can isolate specific groups of devices and control their access. This is particularly useful for securing IoT devices and providing a secure guest network. With OpenWRT’s flexibility, you can tailor your network to meet your specific needs.
