OpenWrt
At the time of writing I'm running OpenWrt 24.10.
To create VLANs:
- Network > Interfaces > Devices, select (or create if it does not exist) br-lan > Configure.
- Ensure all ports you want to use with VLANs are in the bridge device.
- Bridge VLAN filtering > enable.
- Add the VLANs. Don't use VLAN 1 or 2, as they are the default lan and wan VLAN IDs on some devices.
  - I use ID 10 with subnet `*.*.1.*` for LAN, and 30 with `*.*.3.*` and up for other things; this is mainly because all my static IPs were already assigned in the `1.*` subnet and I did not want to reassign everything.
If you checked Local, this creates devices `br-lan.<vlan id>` which can be assigned to an interface.
For each port in each VLAN, pick one of:
- not member: output traffic with the corresponding VLAN ID won't be able to use this port
- tagged: output traffic with the corresponding VLAN ID is allowed on this port
- untagged: output traffic is stripped of its VLAN ID (think user devices like laptops, since they are not VLAN aware)
- is Primary VLAN: untagged input traffic on this port receives the corresponding VLAN ID (aka PVID); this basically adds user devices to a VLAN. Seems to have no effect on tagged ports.
Wifi traffic is always untagged and assigned to an interface; since the interface is assigned to a VLAN, it is able to access what was configured for that VLAN on the bridge device.
Example: 2 VLANs, 10 and 30. lan0 carries both VLANs tagged upstream, the other ports are only used in VLAN 10 for VLAN-unaware devices:

Both VLANs have their own interface with each a separate wifi SSID:

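The same layout expressed as UCI config, as an added example that is not part of the original notes; the port names lan0-lan3, the 192.168.x.x addresses, the radio name and the SSID are assumptions:

```uci
# /etc/config/network: VLAN filtering on br-lan for VLANs 10 and 30.
# lan0 is the tagged trunk to the upstream device, lan1-lan3 are access
# ports for VLAN-unaware devices (port names are assumed).
# Suffixes: ":t" tagged, ":u" untagged, "*" PVID (untagged ingress
# on that port is assigned this VLAN ID).
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan0:t'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan0:t'

# One interface per VLAN on the br-lan.<id> devices created above
# (192.168.x.x addresses are assumed).
config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option device 'br-lan.30'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

# /etc/config/wireless: a separate SSID attached to the VLAN 30 interface;
# the wifi traffic is untagged and lands in VLAN 30 via the interface.
config wifi-iface 'wifinet_iot'
	option device 'radio0'
	option mode 'ap'
	option ssid 'iot'
	option encryption 'sae'
	option key '<WIFI_PASSPHRASE>'
	option network 'iot'
```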
If there are any devices upstream you'll have to match the VLAN settings on those devices, so they have to be VLAN aware.
Mark any ports connected between devices as tagged for all the VLANs they will carry.
Mark all ports connecting to VLAN-unaware devices as untagged and assign them a VLAN ID (PVID).
If all is set up correctly you'll be able to configure your DHCP servers (one for each VLAN) and firewall zones/rules, all on a single router.
DO NOT REMOVE ALL ZONES FROM ALL INTERFACES AND SET DEFAULT input TO REJECT!!!!
This will lock you out of the device...
To recover from this, power-cycle the device, wait for a rapid blinking of one of the lights and press any button.
My EAP615 had a very short window right at the start where it would blink slowly, this is not the correct blink.
If you did it right, the blinking will start to go faster.
If you did it wrong, the blinking will go slower, then solid.
Afterwards you can log into the device over ssh (`ssh root@192.168.1.1`) to fix your config.
Note that upstream devices need to match the tagged VLAN setup to work properly: if the upstream device does not have the same VLAN ID configured as tagged on its port, the traffic will fail.
On single-port devices this means that if you only configure the used VLANs, its only port will only accept tagged traffic, locking you out of connecting to the device directly on that port.
To remedy this you can add a management VLAN ID (I use 99) which is untagged and primary on that port.

Then add a management interface with:
- `br-lan.99` assigned to it
- DHCP server enabled
- static IP
I added a firewall zone that restricts this interface to just the device itself, but you could also assign it to your lan zone if you wanted to.

Now, if you plug your laptop into the port, your laptop will get an IP from the management interface, any traffic will get VLAN ID 99, and you will be able to connect to the device (and any other devices you allowed in your firewall settings).
With VLANs, the mDNS multicast messages have to be repeated into each VLAN for mDNS to work.
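The single-port device with the management VLAN, as an added example that is not part of the original notes; the port name lan0, the 192.168.99.0/24 subnet and the zone name are assumptions:

```uci
# /etc/config/network on a single-port device: VLANs 10 and 30 are
# tagged on the uplink, VLAN 99 is untagged + PVID on the same port so
# a directly plugged-in laptop still reaches the device.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan0:u*'

config interface 'mgmt'
	option device 'br-lan.99'
	option proto 'static'
	option ipaddr '192.168.99.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp: hand out leases on the management VLAN only.
config dhcp 'mgmt'
	option interface 'mgmt'
	option start '100'
	option limit '50'
	option leasetime '12h'

# /etc/config/firewall: the zone accepts traffic to the device itself;
# with no 'config forwarding' section for it, nothing is forwarded
# from VLAN 99 into the other VLANs.
config zone
	option name 'mgmt'
	list network 'mgmt'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
```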
ref: https://blog.christophersmart.com/2020/03/30/resolving-mdns-across-vlans-with-avahi-on-openwrt/
In summary:
- install `avahi-daemon-service-http`
- edit `/etc/avahi/avahi-daemon.conf` so `enable-reflector=yes`
- `/etc/init.d/avahi-daemon start` (don't think this is needed when restarting..)
- `/etc/init.d/avahi-daemon enable`
- reboot OpenWrt
https://www.wireguard.com/#conceptual-overview
To run a wireguard server on your OpenWrt router: (https://openwrt.org/docs/guide-user/services/vpn/wireguard/server#luci_web_interface_instructions)
One thing I noticed is that you'll need to restart the created interface when making changes.
AllowedIPs acts both as a routing table and access control, on both sides of the tunnel.
On the "client", when making a request, AllowedIPs determines if and to what Peer the request should be sent.
So AllowedIPs = 0.0.0.0/0, ::/0 would route all IPv4 and IPv6 requests to the configured Peer.
AllowedIPs = 192.168.1.0/24 would match all traffic on the 192.168.1.x subnet and route it to the Peer.
On the "server", when a request comes in from a client over the wireguard interface, AllowedIPs determines if that client's IP is allowed to make requests from that interface. So if the client configured an IP of 192.168.6.2/32 on the wireguard interface, AllowedIPs = 192.168.6.2/32 would allow the request to continue.
Note however that this is also used to determine what to send to the connected client: if you use AllowedIPs = 192.168.6.2/24, all 192.168.6.x traffic would be sent to the client.
This works both ways, so adding AllowedIPs = 0.0.0.0/0 on the "server" side would route all traffic originating at the server to the configured peer. Don't do this on your main router as it will kill your access to the router itself, don't ask how I know.
When configuring multiple Peers on the server, make sure the AllowedIPs of the Peers don't overlap, otherwise traffic will be sent to the first match, which is probably not what you intended.
To connect two LAN networks, so for example routing all traffic from one router through a second router, you might need to enable NAT (masquerading) on the "source" side like you would on a WAN interface.
This allows multiple devices to be routed over the wireguard connection while still only needing a single IP in the "server" AllowedIPs.
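Both sides of the two-router setup in UCI, as an added example that is not part of the original notes; the keys are placeholders, and vpn.example.org, the 192.168.6.0/24 tunnel subnet and the interface names are assumptions (the wan zone is assumed to already accept UDP 51820):

```uci
# Server side, /etc/config/network on the main router.
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<SERVER_PRIVATE_KEY>'
	option listen_port '51820'
	list addresses '192.168.6.1/24'

# Peer entries: allowed_ips must not overlap between peers. Never use
# 0.0.0.0/0 here: with route_allowed_ips it would replace the router's
# default route with the tunnel.
config wireguard_wg0
	option public_key '<LAPTOP_PUBLIC_KEY>'
	list allowed_ips '192.168.6.2/32'
	option route_allowed_ips '1'

config wireguard_wg0
	option description 'second-router'
	option public_key '<ROUTER2_PUBLIC_KEY>'
	list allowed_ips '192.168.6.3/32'
	option route_allowed_ips '1'

# Client side, /etc/config/network on the second router: routes the
# server's 192.168.1.0/24 LAN through the tunnel.
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<ROUTER2_PRIVATE_KEY>'
	list addresses '192.168.6.3/32'

config wireguard_wg0
	option public_key '<SERVER_PUBLIC_KEY>'
	option endpoint_host 'vpn.example.org'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '192.168.6.0/24'
	list allowed_ips '192.168.1.0/24'
	option route_allowed_ips '1'

# Client side, /etc/config/firewall: masquerade so every LAN client
# leaves the tunnel as 192.168.6.3, the one /32 the server allows.
config zone
	option name 'wg'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wg'
```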
I can't get wireguard configured when using the (gnome ?) VPN UI..
To not need it, put your config in /etc/wireguard/<wg interface name>.conf
and then run wg-quick up <wg interface name>.
Note that the VPN will show up in the UI while active.
Just disabling the VPN in the UI makes it disappear but it leaves some config intact,
so you'll have to `wg-quick down <wg interface name>` to clean up properly.