FINALLY - someone who actually can talk about home VLANs without mentioning Ubiquiti. I do have one question though. Is it necessary to reserve an ethernet port on the router for the IoT VLAN, or can you just do it with WiFI only? I don't have any ethernet IoT devices (all WiFi) so I wasn't sure about this point. Thanks -great video!
I haven't done a wifi-only IoT subnet personally, but I believe it should be perfectly possible. You would associate the virtual wifi with the bridge you've created for the IoT network. So, you'd still create the IoT bridge; you'd just skip the step in the video where I assigned the LAN ports. Again, haven't done it personally, but try it out :)
Fantastic Video Chris. It worked like a charm on my 3200WRT on my first shot. Thanks a lot for making the video and explaining so well. Want a challenge? Demonstrate doing the exact same thing using OPNsense (or pfSense) on a 6 port Protectli vault. Because DDWRT development seems to be stalling, particularly with WiFi 6 - I'm being forced into the xxSense wilderness. A pity as DDWRT is the work of Gods!
Found a cheap Cisco Linksys E1200 v2 at a Renaissance, 5.25 $CAD; installed dd-wrt (can't get the exact version I installed now, but it was June/July 2023) and setup was similar to this. It's key to do CTRL-Shift-R to refresh and ensure settings were saved, as many times the UI won't reflect the real settings. Also the VLAN (Switch) page in the video doesn't show a CPUPORT checkbox that needs to be enabled for all VLANs for the ports to work.
I had spent days looking for a way to isolate IP cameras from other computers on my LAN. This is great, thank you so much for taking the time to make this video.
Thank you so much for this great video! The issue I was having that made me seek out this video was that trying to change the switch config would either disable internet access or LAN access completely. I ended up just restoring to factory settings and starting from scratch. I'm running r48971 on a Buffalo WZR-600DHP2, so my config pages looked a little different, but other than that I was able to follow along. One thing I noticed is that my switch config had the LAN ports on VLAN1 and the WAN port on VLAN2. I didn't want to mess with it again, so I just created VLAN 3 and it worked like a charm. I'm doing WFH, so it'll be nice to keep my work computer (and IOT devices) separated from the rest of my network.
Absolutely amazing tutorial! Straight to the point and easy to follow along with. The only issue I was having is that the IoT VLAN didn't have access to the internet. I could connect to the WiFi network and communicate with local devices just fine, but I had no internet access. After some troubleshooting and forum reading, I found the fix was to go under Setup > Networking > and then all the way down under, "Network Configuration br1 - IoT Network" I had to enable, "Masquerade / NAT" and then I had internet access! Hope this helps someone who may be experiencing the same issues
This is not the most intuitive interface. Thanks a lot for making the video and explaining the pitfalls (like default vlan0 going away when you added the others -- which is what got me)
Really Excellent. I've been looking at DD-WRT after being away for a while, and I want to use it to replace my Eero Mesh. I see some tutorials on setting up Mesh with DD-WRT, and I would love to make sure there's also VLANs that I can setup, so thank you for this. Really great stuff. Subscribed.
Thanks for writing this up! I had a slightly more complex use case (secondary AP behind main DD-WRT router) and wanted to VLAN all the IoT devices which connect to the secondary router. Once I realized that STP config was causing ports on my core switch to get disabled (because I had STP on all the bridges on both the primary router and the secondary AP, likely with default priorities, etc., so that probably looked like a loop to the switch), I eventually got it working. It's worth noting that versions of DD-WRT v3.0-r48646 (on routers with enough flash) also have the ability to reflect mDNS between different networks, which can help put even your Google Home / Alexa speakers on a VLAN... in my case I also needed that to isolate my ESPHome devices from the LAN where the Home Assistant system sits and still be able to access them via HA.
Thumbs UP! Just what I was looking for. In my case, my cameras don't even need the internet, but I can handle that leveraging off of the firewall script.
@DevbaseMedia After setting up the firewall, should I be able to get to 192.168.0.1 or 192.168.1.1 from the IoT wifi network? From what I can see, I can't access any device with 192.168.0... except the router's admin panel. My router is behaving a bit strange. Do you know any solution? Thank you in advance for your answer :)
What I have noticed is when I'm on an IoT subnet, I can only get the admin console from the subnet IP address (if the firewall rules are in place, that is). In the video example, when I'm on the 192.168.107.x subnet, I can get the admin console at 192.168.107.1, but I can't get it at 192.168.1.1 (because the firewall rules restrict my ability to see the main subnet).
@DevbaseMedia For me it works weird, because when I am on subnet 192.168.107.x I can reach the dd-wrt admin panel with the address 192.168.0.1 and 192.168.107.1, but I cannot reach any other device, for example 192.168.0.2, 192.168.0.4. Could you post a link to the forum topic where you got this config?
Hi. The 107 subnet *shouldn't* be able to see any other devices - it should only have access to the internet (so it's totally isolated). With that said, there is no reason a subnet needs to be restricted like that (you are right it's enforced by firewall rules). Here is the original forum post where I explained how I did my VLANs, and the helpful reply for the firewall rules. Note that my *media* subnet (192.168.50.x) was specifically set up to have access to the main network, that is possibly what you are looking for: forum.dd-wrt.com/phpBB2/viewtopic.php?p=1212560#1212560 Let me know if you need more info
This was a superb instructional video - thanks for taking the time to make it! I am struggling, however, with WAN/Internet access from the VLAN and VAP. I must be missing a route, bridge setting or some other parameter. Even if I remove all of the IPCHAIN firewall commands, and if I run traceroute, there doesn't seem to be a route to the outside. What have I missed? Found it - you need to enable Masquerade/NAT under Setup->Network Configuration for br1!
Hello, what build are you running? I have 47495 and after I create a bridge, whether or not I create a firewall rule or assign an interface to that bridge, my WAN network shows that it is connected but has no internet access. After I delete the bridge and reboot the router, everything works like normal. Thank you.
Most importantly, thank you. Plugging into the new vlan port initiates a new subnet ip, however putting the connection back still recognizes the device/computer as that new subnet ip, that is until the provided firewall commands are applied. (My router ASUS RT-AC66U)
Great video, thanks for a great explanation and walk-through. I followed everything and everything works except when I add my VAPs to br1, I lose DHCP on the VAP but LAN port 4 still works
I had a similar problem. If I tried to add any VAP to a bridge, the VAP would stop working. However, in my case updating the firmware to v3.0-r47900 std from 12/20/21 fixed my issues, although I did have to do a factory reset after upgrading.
@DevbaseMedia As far as I can tell, I've got your solution working (thank you!), but I was hoping you could help with a couple of things? First, oddly, I cannot ping (from a terminal/cmd) anything on br1 from anything on br0. I can however remote desktop from br0 devices to br1 devices, so br0 can obviously talk to br1... just not ping it (also cannot remote from br1 to br0, so that seems to work as desired). It's a small thing, but it makes me very curious why. Additionally, the GUI has changed quite a bit in the newer beta versions. Wondered if you'd consider doing an updated video? Was hoping the newer interfaces would allow you to achieve the same result using the GUI - maybe tagging? - without the need to manually write the firewall rules?
I think that designing DD-WRT so that you have to apply IP addresses and DHCP servers to 'bridge' virtual interfaces is counter-intuitive and potentially quite confusing. It would also be very helpful if there was a set of commands made known that would help anyone with a DD-WRT device discover the interface stack and full Physical to logical mapping (layer 1 to layer 3 via layer 2)
I have a pfsense firewall already. So if i set the router running DD-WRT into AP mode will the VLAN function still work? Essentially for my scenario, the WAN in your setup will act as a trunk access and pfsense will manage the firewall rules?
Great video. Thank you very much. I have 1 question - can you tell me (or show video) - is it possible to set direct access from the internet (from the provider) on this (or any dd-wrt) router, for example, on port 1 and 2, and to set wireguard on ports 3 and 4, for example?
Thank you for the tutorial. I got my vlan setup without an issue via ethernet, however I'm not able to connect to the wifi vlan that I set up. I know this video is old, but are there any tips you can provide?
Well, I would like to say very, very interesting. For sure I do like solid security; however, it will take some time for me to configure these settings, and I'm more interested in the wireless settings for now. Are the wireless interfaces and virtual interfaces under wireless settings similar? Is one more secure than the other? I would like to put my Amazon Fire Stick on the wireless virtual interface, but I keep it hidden from broadcasting (maybe being more secure) and it will not connect that way since it's hidden. The Amazon device wants to see the device to connect to it. I'm not sure if this would be a wise move or not. Is there another secure way to keep streaming devices in their own WiFi zone, separate from others? Thanks for the video.
Hey! So if I wanted to create a VLAN just for WiFi for my security cams and untrusted devices, do I have to add new passwords and an SSID again for that particular VLAN after setup? My cams are annoying to set up wifi on. I'd rather keep those settings on the cams and then change them on my main wifi network for trusted devices, for extra security. But what if I keep the same SSID/password on both networks, will that be worse? Just askin', I'd rather not change anything besides having two separate networks, but I will if I must. Sorry if this is super simple. But this vid was exactly what I needed. Very good!
The problem with this process is that devices such as Linksys 32x routers Wi-Fi do not do a valid handshake with many Internet of Things devices. They simply cannot connect to it. I have to use a separate Linksys router running stock firmware in order to use wi-fi.
As your IoT devices are on SSID dd_wrt_IOT and your trusted devices (like your phone) would be on SSID dd-wrt, in order for you to "see" an IoT device, or in cases where you needed to update one, would you have to switch out of dd-wrt and get into dd-wrt-iot to see it? Or is this "virtual" LAN visible when you are attached to dd-wrt?
Great Instruction. Worked perfect. Unfortunately as soon as I assign the Virtual Wifi to the Iot Bridge I cannot connect to it anymore. Without Bridge set it works fine. Any ideas? THX
I had the same problem. If I tried to add any VAP to a bridge, the VAP would stop working. However, in my case updating the firmware to v3.0-r47900 std from 12/20/21 fixed my issues, although I did have to do a factory reset after upgrading.
Great video. I have pfSense as my main router and 3x ddwrt APs. I'll try VLANs soon, but is there a way to create a mesh system, then use VLANs to segment?
A very useful video! I followed your steps and successfully created an IoT network. With the iptables commands you advised, a device in the IoT network (i.e. 192.168.107.*) is not able to ping all the other devices in the 192.168.1.* network... except 192.168.1.1. In fact, 192.168.1.1 is the same as 192.168.107.1, so I would not be surprised if devices in the 107.* network can ping 192.168.1.1. However, I found in your video that you were able to block the traffic from 107.* to 192.168.1.1. I wonder why and what caused the difference. I will keep searching to find a way to block the traffic from 107.* to 192.168.1.1. In case you know what caused the difference, please advise.
Maybe somebody will know better, but I think that has something to do with the fact that 192.168.1.1 is the gateway for the VLAN; maybe there is a way to create another IP address for the same router in the 192.168.107 network.
Do you think setting up a managed switch with VLAN is enough to keep IoT devices from talking to trusted devices on my home network or would I need to have a firewall setting? my setup internet>router>managed switch: port 1 (router), port 2-4 trusted devices, port 5 (another 5 port unmanaged switch of IoT devices)
I just followed this tutorial and while I was able to successfully set up a VLAN on Port 4 of my Asus AC1900P and get a new IP address, the commands to stop VLAN traffic accessing my 192.168.1.xx network did not work. From the VLAN I could access my home network, and from my home network I could not access the laptop I had on my VLAN 192.168.107.xx. I made sure to add the rule to the firewall but no matter what I did I could not stop VLAN traffic back to my 192.168.1.xx, which kinda defeats the object. Any ideas what may be wrong? I am running the latest version of DD-WRT.
I managed to stop the IoT network from communicating with the private network, but setting the IoT WiFi up as per the video I cannot access it; it just keeps saying "wrong password". The only way I can connect to the IoT WiFi is by deleting the bridge assignment from br1 to wl0.1, then setting up a separate DHCP server for the WiFi. Then I can connect a WiFi camera to this network, but if I have my laptop connected to the VLAN I cannot access the WiFi device. I assume this is a firewall issue but I am not sure how to fix it. It appears that when br1 to wl0.1 is added, no IP is given to the wireless client, which I think then stops it from connecting. Hope someone can help; I am so close to moving my cameras to a VLAN. Most of my cameras are hardwired but I do have 2 that are WiFi.
Have the same issue, were you able to resolve it at all? I take that back, I can connect to the guest WiFi but only if there is no password or WPA. If left disabled it works fine.
@jimbieker7484 Yes I did. I cannot remember where I found the answer (I thought I bookmarked it), but I had to add the following as a startup script: sleep 20; stopservice nas; wlconf eth1 down; wlconf eth2 down; wlconf eth1 up; wlconf eth2 up; startservice nas
I have home assistant running a VM in my PC, which vlan should I put it in IOT vlan or private vlan? If I put it in the private vlan, will the update from the IOT be able to reach the VM?
I am running the latest dd-wrt firmware; the VLAN works well and IP addresses are issued as set, but the VLAN on br1 can still comfortably ping systems on the VLAN linked to br0. I have used the entire set of commands as shown, and for denying: iptables -I FORWARD -i br1 -o br+ -j DROP
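The two symptoms discussed in the comments above (IoT clients that can still open the router's 192.168.1.1 admin page, and a br1 host that can still ping br0 hosts although a FORWARD drop is in place) both hinge on which netfilter chain sees the packet: anything addressed to one of the router's own IP addresses, on any interface, is handled in INPUT, not FORWARD, so a FORWARD rule never blocks the admin page. A second trap is that rules stacked with `iptables -I` each go to the top of the chain, so they end up evaluated in the reverse of the order they were written. The script below is an added example, not the video's nor the forum reply's firewall script. It assumes br0 is the trusted LAN and br1 the IoT bridge as in the video; the chain names `iot_in`/`iot_fwd`, the `ipt` wrapper and the `DRY_RUN` switch are my own additions.

```shell
#!/bin/sh
# Added example (not the video's script): DD-WRT firewall script that isolates an
# IoT bridge from the trusted LAN. Assumptions: br0 = trusted LAN, br1 = IoT bridge
# (192.168.107.0/24 in the video). DD-WRT re-runs this script on every WAN
# (re)connect, so every rule is deleted before it is inserted.
#
# Two custom chains are used so the rules read in evaluation order (-A) instead
# of the reversed order produced by stacking "iptables -I" lines.

LAN_BR="${LAN_BR:-br0}"
IOT_BR="${IOT_BR:-br1}"

# Apply with iptables when it exists; with DRY_RUN=1 (or on a workstation without
# iptables) print each command instead, so the rule set can be reviewed before it
# is pasted into Administration > Commands > Save Firewall.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ] || ! command -v iptables >/dev/null 2>&1; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

iot_firewall() {
    # (Re)create our chains; -N fails harmlessly if the chain already exists.
    ipt -N iot_in 2>/dev/null
    ipt -F iot_in
    ipt -N iot_fwd 2>/dev/null
    ipt -F iot_fwd

    # Hook the chains in front of DD-WRT's own rules. Delete first so a re-run
    # does not leave a second copy of the jump.
    ipt -D INPUT -i "$IOT_BR" -j iot_in 2>/dev/null
    ipt -I INPUT -i "$IOT_BR" -j iot_in
    ipt -D FORWARD -i "$IOT_BR" -j iot_fwd 2>/dev/null
    ipt -I FORWARD -i "$IOT_BR" -j iot_fwd

    # INPUT: traffic addressed to the router itself on ANY of its addresses. This
    # is what keeps 192.168.1.1 (and 192.168.107.1) out of reach of IoT clients.
    # IoT devices only need DHCP and DNS from the router. If you want the admin
    # page reachable from the IoT subnet, add "-p tcp --dport 80 -j ACCEPT"
    # (or 443) above the final DROP.
    ipt -A iot_in -p udp --dport 67 -j ACCEPT
    ipt -A iot_in -p udp --dport 53 -j ACCEPT
    ipt -A iot_in -p tcp --dport 53 -j ACCEPT
    ipt -A iot_in -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A iot_in -j DROP

    # FORWARD: traffic routed between bridges. Replies to connections the trusted
    # LAN opened (NVR, Home Assistant) are allowed; IoT may not open its own.
    # Everything else (internet via the WAN) returns to DD-WRT's default chain,
    # which applies the Masquerade/NAT enabled for br1 in the GUI.
    ipt -A iot_fwd -o "$LAN_BR" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A iot_fwd -o "$LAN_BR" -j DROP
    ipt -A iot_fwd -j RETURN
}

iot_firewall
```

After saving it as the firewall script and reconnecting the WAN, `iptables -L iot_fwd -v -n` shows the chain with per-rule packet counters; a ping from an IoT client to a trusted-LAN host (and to 192.168.1.1) should now time out while a connection opened from the trusted LAN to an IoT device still gets its replies. Note that with the INPUT chain above, IoT clients cannot ping their own gateway either, since ICMP to the router is not in the allow list.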
No internet connection, but figured it out after a couple of hours. Setup everything two times, thinking I did something wrong the first time. Went to Setup > Networking > Port Setup > WAN Port Assignment and changed it to vlan1 and I was able to access to internet again. Hope this helps someone, took forever to figure it out.
I use ddwrt and changed my SSID name in setup. Sometimes my Windows PC can't decide which SSID to use... the new one or the old one?? Any help on this? Thanks. Do you need to reset the router to factory defaults before changing the SSID?
Super helpful! Liked and subscribed. I have just one question: I'm reconfiguring our whole home network for better security. Other than changing my wireless router to dd-wrt, I'll be adding a managed switch to hardwire as many devices as possible. It may not make a huge difference, but I can't tell if it is better to set up the VLAN for IoT on the switch or on the dd-wrt. Do you recommend one or the other? As far as I can tell, the only advantage to doing it on the dd-wrt would be for the virtual AP; on the switch, I would need a second physical wireless router. Thanks again!!
I'd test speeds both ways. I don't have any managed switches, only unmanaged switches, so for me, putting dd-wrt as the principal and putting an unmanaged switch on the IoT LAN port made sense. Another consideration might be whether you want to use many additional features of dd-wrt. I have another couple of videos on setting up OpenVPN and Wireguard servers. If you end up wanting to do that, you might consider using dd-wrt for your main (DHCP) router.
@DevbaseMedia Right, DDWRT has a ton and ton of great features. I'll go check out your videos. And I like the (obvious) idea of basing the decision on speed. My only hesitation with not utilizing more ddwrt features is making it a bottleneck with too much going on. Thanks for the reply!
SOS Chris, my ISP demands that I set a tagged VLAN ID of 40 in order to connect to the internet via PPPoE. But I don't know how to configure it in DD-WRT, could you PLEASE help me out?
hi, I ended up with 2 routers and I wanted them for IoT and home usage. However I have a dilemma: most (if not all) of my IoT devices talk to my local home assistant server as well as local MQTT server. So for the sake of being able to talk, home assistant also has to be in the IoT segment, right? If so it means: my HA will be also in insecure segment. On top of that, my HA is also talking to my home devices (other servers). So I think I need another solution. What I however did is: all IoT have internet access blocked (anyway, all of them are controlled only from HA and only with the local integrations) - I am thinking: do I need then 2 segments (for security purpose) or not? If YES (2 segments still needed) then how to solve the issue of HA being accessible to IoT devices, yet not being exposed?
I was in a similar situation & got it to work by adjusting the firewall rules to allow access to my HA IP Address. Caution: remember, your HA doesn't use a default HTTP(S) port. Sadly, I don't have the firewall commands anymore, or I'd pass them along.
@TheKauff Yep, I think I found a solution: 1) outer router for IoT, 2) inner router for home devices, including HA, 3) port forward from outer to inner only for specific ports, everything else blocked. I am yet to test it as I am not sure about which ports (for sure HA http and MQTT), and what about autodiscovery?
I have a very simple question. When using DDWRT on my WRT54G, Asus N66U, etc., I only use ports 1-4; using port 1, I click VLAN 2 and tag, and I automatically get a WAN IP address from the ISP on my router. Now with the WRT3200ACM on DDWRT, how on earth do I do that? All the guides are confusing AF. Thanks in advance.
This has been so helpful! Thanks so much. Everything works except my VAP isn't getting DHCP from br1... the LAN port in the same VLAN is getting DHCP though. I was wondering if you can help me out. Thanks!
@bruceice For both of you, I would try double-checking your DHCP settings, rebooting your router, or doing a factory reset & rebuilding your config. There's a part in the video where you have to make sure you're setting the DHCP on the right bridge. It's also possible DHCP traffic is being blocked, but that's a much deeper issue.
It may also be worth trying a newer firmware. I was running into the same issue: if I tried to add any VAP to a bridge, the VAP would stop working. However, in my case updating the firmware to v3.0-r47900 std from 12/20/21 fixed my issues, although I did have to do a factory reset after upgrading.
A little bit old, but still useful... except... I followed your tutorial and everything works, except that the connection on the IoT VLAN won't connect to the internet. On the other VLAN (wired and wireless) I can get an internet connection, but not on the IoT network. The IP address is correct, but there it stops. What am I doing wrong?
If you're on new firmware, have you got the LAN CPUPORT box checked for your IoT VLAN? You need the 'LAN CPUPORT' checkbox ticked for every LAN VLAN you set up (but not on the WAN row, obviously; that should have 'WAN CPUPORT' checked). NB: this will also automatically set up VLANs, which is handy. I'm using DD-WRT v3.0-r52330 std (04/14/23) on a Linksys WRT1900ACSv2. Side note: if you are using the same/similar router, I found that the port mappings are actually backwards in the GUI... so for me, Port 1 in the GUI is actually the port 4 socket on the hardware.
I can't get any internet in the IoT WiFi, even though I followed this to the letter three times, clearing NVRAM in between each. Any help would be greatly appreciated.
I had to follow someone else's tutorial. It's curious how that other one did work. Same happened with the WireGuard video here. Broke my internet connection. Take these videos down. Stop this.
Anyone who knows anything about the E4200 on DD-WRT is that the default VLAN assignments were wrong for quite some time. VLAN 2 is WAN, VLAN 1 is LAN. You have to correct this FIRST via webUI, save, and reboot. Prime example of someone not doing enough research before creating a how-to video.
I have a different goal in mind. I don't want untrusted devices to connect to the internet at all, hardening the home network. I could have a baby monitor to keep tabs on kids when I'm at work. Kids being kids might sometimes be inappropriately dressed for company as they walk through the house when no one else is home. Or perhaps I have an IP based security system. Either way, I can't be sure these devices don't have built-in hacking programs that might be able to capture local IP and Wi-Fi traffic for the purpose of masquerading as another device by switching to the other device's MAC address, and SSID if the other device is Wi-Fi. So, I want multiple VLANs, one for each untrusted device and filtered so that only that device's MAC address can communicate. For the Wi-Fi devices, a unique hidden SSID + password + MAC filter for that device is routed to a unique VLAN. Each Wi-Fi SSID needs its own MAC filter as well, so only that device can connect to that SSID and only that device can route to the assigned VLAN. Then a routing table to allow an NVR on the main LAN to communicate with any untrusted camera VLANs, and to allow a security controller to connect to any security devices on the other untrusted VLANs. Is it your impression that DD-WRT can do this all in a single router, or will it need two routers, one for untrusted devices?
still works for me all Virtual AP same concept.
Literally spent all day trying to figure this out and was just about ready to use my router as a sporting clay....THANK YOU!!!!!
20 yard target practice with Kimber!
Wow. Concise, to the point, exactly what i was looking for. Thank you.
Great video. This is exactly what I was looking for for so long. Conceptually we understand what needs to be done, but this hands-on real demo helped a lot.
Glad it was helpful!
Very good, thanks. Played with this a few years back for a VPN-only SSID and couldn't get it to work. Reckon I could now after watching this video!
Thank you for this! Thank you for explaining so well, and also thank you for not assuming I know anything. Thank you!
This is the god of explanations right here. thanks
Perfect video, finally I can try VLANs
Thank you so much! I wanted to repurpose my TP-Link Archer A7 for IoT instead of purchasing Ubiquiti and this solves that problem wonderfully!
Man this was perfect thank you for posting. Different router model but same software!
Great video, I plan on installing dd-wrt on my old router this week. Keep up the great videos!!!
Thank you very much! :) I will get going right away; I've been searching around and there are a lot of older videos.
Happy to help. I'll admit I'm not a network guy and it took me awhile to piece this together. Hope this works out for you!
@10:17 why are the default wl0 and wl1 not listed there?
@mihaitutuian Same issue, figured it out. Setup > Networking > Port Setup > WAN Port Assignment (change this to vlan1).
This video helped me understand vlan in dd-wrt. thanks bro! You deserve a like and comment, and subscribed
How to set-up VLANs on Qualcomm Atheros QCA9533? thank you
Very clear explanation of the steps! Thank you.
Please a video to configure multiple WANs for Load balancing or failover.
Great video, thanks for a great explanation and walk-through. I followed everything and everything works except when I add my VAPs to br1, I lose DHCP on the VAP but LAN port 4 still works
I had a similar problem. If I tried to add any VAP to a bridge, the VAP would stop working. However in my case updating the firmware to v3.0-r47900 std from 12/20/21 fixed my issues. Although I did have to do a factory reset after upgrading.
@@Oakey38 Same issue here, still stuck at the VAP. Giving me incorrect password no matter what.
Do you need to create a different SSID for your IoT untrusted devices? Should the IoT SSID be hidden?
Just in time. Getting ready to make some wrt vlans from old routers.
Nice job. Perfect for my use case. Thanks.
@DevbaseMedia As far as I can tell, I've got your solution working (thank you!), but I was hoping you could help with a couple of things?
First, oddly, I cannot ping (from a terminal/cmd) anything on br1 from anything on br0. I can however remote desktop from br0 devices to br1 devices, so br0 can obviously talk to br1... just not ping it (also cannot remote from br1 to br0, so that seems to work as desired.) It's a small thing, but it makes me very curious why?
Additionally, the GUI has changed quite a bit in the newer beta versions. Wondered if you'd consider doing an updated video? Was hoping the newer interfaces would allow you to achieve the same result using the gui - maybe tagging? - without the need to manually write the firewall rules?
Flawless tutorial. Thank you so much!
I've been looking for days man, thanks!
Very clear and well explained, thank you :)
I think that designing DD-WRT so that you have to apply IP addresses and DHCP servers to 'bridge' virtual interfaces is counter-intuitive and potentially quite confusing. It would also be very helpful if there was a set of commands made known that would help anyone with a DD-WRT device discover the interface stack and full Physical to logical mapping (layer 1 to layer 3 via layer 2)
Great video.
I will put this knowledge to good use, I promise.
Did you try creating a trunk on a single port?
I have a pfsense firewall already. So if I set the router running DD-WRT into AP mode will the VLAN function still work? Essentially for my scenario, the WAN in your setup will act as a trunk access and pfsense will manage the firewall rules?
Let me see if I understand fully...you isolated both lans here so they can't communicate with one another. Is that correct?
If I want the router to receive the Internet via cable from the main router, do I have to turn on the client mode? And connect LAN > LAN, right?
Great video. Thank you very much.
I have 1 question - can you tell me (or show video) - is it possible to set direct access from the internet (from the provider) on this (or any dd-wrt) router, for example, on port 1 and 2, and to set wireguard on ports 3 and 4, for example?
Good job, I think you did well and explained it very well.
Thank you for the tutorial. I got my vlan setup without an issue via ethernet, however I'm not able to connect to the wifi vlan that I set up. I know this video is old, but are there any tips you can provide?
Well, I would like to say very, very interesting for sure. I do like solid security, however it will take some time for me to configure these settings. However I'm more interested in the wireless settings for now. Are the wireless interfaces and virtual interfaces under wireless settings similar? Is one more secure than the other? I would like to put my Amazon Fire Stick on the wireless virtual interface, but I keep it hidden from broadcasting (maybe being more secure) and it will not connect that way since it is hidden. The Amazon device wants to see the device to connect to it. I'm not sure if this would be a wise move or not. Is there another secure way to keep streaming devices in their own WiFi zone, I guess separate from others? Thanks for the video.
Thank you a 1000000 times ❤️🎉
Simple, clear and very helpful!!!
Thanks for the great video
Hey! So if I wanted to create a vlan just for Wifi for my security cams and untrusted devices, do I have to add new passwords and SSID again for that particular vlan after set up? My cams are annoying to set up wifi on. I'd rather keep those settings on the cams and then change them on my main wifi network for trusted devices. For extra security. But what if I keep the same SSID/password on both networks, will that be worse? Just askin', I'd rather not change anything besides two separate networks, but I will if I must. Sorry if this is super simple. But this vid was exactly what I needed. Very good!
The problem with this process is that devices such as Linksys 32x routers Wi-Fi do not do a valid handshake with many Internet of Things devices. They simply cannot connect to it. I have to use a separate Linksys router running stock firmware in order to use wi-fi.
Fantastic one. Thanks a ton 🥳
As your IOT devices are on SSID network dd_wrt_ IOT and your trusted devices (like your phone) would be on SSID dd-wrt, in order for you to "see" or in cases where you needed to update an IOT device, would you have to switch out of dd-wrt and get into dd-wrt-iot to see it? Or is this "virtual" lan visible when you are attached to dd-wrt?
Do I need a DHCP assigned if all my IoT devices are using reserved IPs?
Great Instruction. Worked perfect. Unfortunately as soon as I assign the Virtual Wifi to the Iot Bridge I cannot connect to it anymore. Without Bridge set it works fine. Any ideas? THX
Give your device the IP that matches vlan manually
I had the same problem. If I tried to add any VAP to a bridge, the VAP would stop working. However in my case updating the firmware to v3.0-r47900 std from 12/20/21 fixed my issues. Although I did have to do a factory reset after upgrading.
Thanks so much for this !
Is there a way to have the IoT network use my PiHole that is on the main network? How would that config work? Thanks
Also I have an AP (Nano HD) from Ubiquiti... any thoughts on how to add a wifi IOT on it with the DD-WRT setup?
Great video. I have Pfsense as my main router and 3x ddwrt AP. I'll try vlans soon, but is there a way to create a mesh system; then use vlans to segment?
A very useful video! I followed your steps and successfully created an IoT network. With the iptables commands you advised, a device in the IoT network (i.e. 192.168.107.*) is not able to ping all the other devices in the 192.168.1.* network... except 192.168.1.1. In fact, 192.168.1.1 is the same as 192.168.107.1 so I would not be surprised if devices in the 107.* network can ping 192.1.168.1. However, I found in your video that you were able to block the traffic from 107.* to 192.168.1.1. I wonder why and what caused the difference. I will keep searching to find a way to block the traffic from 107.* to 192.168.1.1. In case you know what caused the difference, please advise.
Maybe somebody will know better, but I think that has something to do with the fact that 192.168.1.1 is the gateway for the vlan. Maybe there is a way to create another ip address for the same router in the 192.168.107 network.
Did you find a solution?
Is there a way of doing this in ddwrt where devices you want to isolate are mingled on the same wired network?
Do you think setting up a managed switch with VLAN is enough to keep IoT devices from talking to trusted devices on my home network or would I need to have a firewall setting?
my setup internet>router>managed switch: port 1 (router), port 2-4 trusted devices, port 5 (another 5 port unmanaged switch of IoT devices)
Just what I was looking for today- thx!
Glad I could help!
I just followed this tutorial and while I was able to successfully set up a VLAN on Port 4 of my Asus AC1900P and get a new IP address, the commands to stop VLAN traffic accessing my 192.168.1.xx network did not work. From the VLAN I could access my home network and from my home network I could not access the laptop I had on my VLAN 192.168.107.xx
I made sure to add the rule to the firewall but no matter what I did I could not stop VLAN traffic back to my 192.168.1.xx which kinda defeats the object. Any ideas what may be wrong? I am running the latest version of DD-WRT
I managed to stop the IOT network from communicating with the private network, but setting the IOT WiFi up as per the video I cannot access it, it just keeps saying "wrong password". The only way I can connect to the IOT WiFi is by deleting the bridge assignment from br1 to wl0.1 then setting up a separate DHCP server for the WiFi. Then I can connect a WiFi camera to this network, but if I have my laptop connected to the VLAN I cannot access the WiFi device. I assume this is a firewall issue but I am not sure how to fix it. It appears that when the br1 to wl0.1 is added no IP is given to the wireless client which I think then stops it from connecting.
Hope someone can help, I am so close to moving my cameras to a VLAN, most of my cameras are hardwired but I do have 2 that are WiFi
Have the same issue, were you able to resolve it at all? I take that back, I can connect to the guest WiFi but only if no password or WPA. If left disabled it works fine.
@@jimbieker7484 Yes I did,
I cannot remember where I found the answer, I thought I bookmarked it but I had to add the following as a startup script
sleep 20; stopservice nas; wlconf eth1 down; wlconf eth2 down; wlconf eth1 up; wlconf eth2 up; startservice nas
I have home assistant running a VM in my PC, which vlan should I put it in IOT vlan or private vlan? If I put it in the private vlan, will the update from the IOT be able to reach the VM?
Can there be a real trunk port which carries multiple vlans to another switch, say a Cisco SG300-10MP? If so, how? I have tried, no luck.
Hi there, how to connect wireless devices like Mobile or laptops to VLAN and access the internet through vlan ?? thnx
Genius! Thank you!
I am running the latest dd-wrt firmware, vlan works well and ip address is issued as set, but still the vlan on br1 can ping comfortably a system on the vlan linked to br0. I have used the entire set of commands as shown, and for denying: iptables -I FORWARD -i br1 -o br+ -j DROP
No internet connection, but figured it out after a couple of hours. Set up everything two times, thinking I did something wrong the first time. Went to Setup > Networking > Port Setup > WAN Port Assignment and changed it to vlan1 and I was able to access the internet again. Hope this helps someone, took forever to figure it out.
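The two comments above (the one puzzled that 192.168.107.x can still ping 192.168.1.1, and the one whose FORWARD rule did not stop pings) come down to which netfilter chain sees the packet. Traffic crossing the router between two bridges goes through FORWARD; traffic addressed to the router itself (192.168.1.1 / 192.168.107.1) goes through INPUT, so a FORWARD-only DROP never touches it. The script below is an added example, not the video author's commands: it prints the rule set for a DD-WRT firewall script, assuming br0 is the trusted bridge and br1 the IoT bridge (constructed to match the subnets in the thread), and lets DHCP and DNS through INPUT so IoT clients still get addresses.

```shell
#!/bin/sh
# Added example (not from the video): isolate the IoT bridge from the trusted
# bridge AND from the router's own services, except DHCP and DNS.
# Assumed interface names; override with IOT_IF=... LAN_IF=... if yours differ.
IOT_IF="${IOT_IF:-br1}"
LAN_IF="${LAN_IF:-br0}"

# Print the rules rather than applying them, so they can be reviewed first.
# Each line uses -I (insert at top), so the LAST printed rule ends up FIRST
# in its chain: the ACCEPT exceptions land above the DROP they carve out of.
iot_rules() {
    cat <<EOF
iptables -I FORWARD -i $IOT_IF -o $LAN_IF -j DROP
iptables -I FORWARD -i $IOT_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -i $IOT_IF -j DROP
iptables -I INPUT -i $IOT_IF -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $IOT_IF -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $IOT_IF -p tcp --dport 53 -j ACCEPT
EOF
}
# FORWARD: IoT may not start connections toward the trusted LAN, but replies
#   to connections the trusted LAN opened (e.g. an NVR pulling a camera
#   stream) are allowed back, which a bare DROP would silently break.
# INPUT: the router answers IoT clients only for DHCP (udp/67) and DNS (53);
#   ping, the web GUI and SSH on 192.168.107.1 / 192.168.1.1 are dropped.
# IoT -> WAN is untouched: it still needs NAT/Masquerade on br1 (see the
#   earlier comment) and is handled by DD-WRT's existing rules.

# Apply on the router (as root); paste into Administration > Commands and
# "Save Firewall" so the rules survive a reboot.
apply_iot_rules() {
    iot_rules | sh
}

# Verify afterwards with: iptables -vnL FORWARD; iptables -vnL INPUT
[ "${1:-}" = "--apply" ] && apply_iot_rules
```

Running the script with no arguments only prints the rules; pass `--apply` on the router to install them.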
I use ddwrt and changed my ssid name in setup. Sometimes my windows pc can't decide which ssid to use... the new one or the old one. ?? Any help on this? --thanks. Do you need to reset the router to factory defaults before changing the ssid?
Super helpful! Like and subscribed. I have just one question: I'm reconfiguring our whole home network for better security. Other than changing my wireless router to dd-wrt, I'll be adding a managed switch to hardwire as many devices as possible.
It may not make a huge difference, but I can't tell if it is better to set up the VLAN for iot on the switch or on the dd-wrt. Do you recommend one or the other?
As far as I can tell, the only advantage to doing it on the dd-wrt would be for the virtual AP. On the switch, I would need a second physical wireless router.
Thanks again!!
I'd test speeds both ways. I don't have any managed switches, only unmanaged switches, so for me, putting dd-wrt as the principal and putting an unmanaged switch on the IoT LAN port made sense.
Another consideration might be whether you want to use many additional features of dd-wrt. I have another couple of videos on setting up OpenVPN and Wireguard servers. If you end up wanting to do that, you might consider using dd-wrt for your main (DHCP) router.
@@DevbaseMedia Right, DDWRT has a ton and ton of great features. I'll go check out your videos. And I like the (obvious) idea of basing the decision on speed. My only hesitation with not utilizing more ddwrt features is making it a bottleneck with too much going on. Thanks for the reply!
Additional: Switch Config/Vlan tagging doesn't work on Atheros routers
SOS Chris, my ISP demands that I set a tagged Vlan ID of 40 in order to connect to the internet via PPPoE. But I don't know how to config it in DD-WRT, could you PLEASE help me out?
Hi!
Thanks a lot, it was very helpful
thank you.. great video
To find out CPU port number, ssh into DD-WRT and run "dmesg | grep 'CPU Port'"
Thank you!
Off topic question, but what xfce theme are you using?
It's called Greybird (there is also a Greybird dark, but I'm using the standard version)
@@DevbaseMedia Thanks. I think it looks beautiful.
hi, I ended up with 2 routers and I wanted them for IoT and home usage.
However I have a dilemma: most (if not all) of my IoT devices talk to my local home assistant server as well as local MQTT server.
So for the sake of being able to talk, home assistant also has to be in the IoT segment, right? If so it means: my HA will be also in insecure segment. On top of that, my HA is also talking to my home devices (other servers). So I think I need another solution.
What I however did is: all IoT have internet access blocked (anyway, all of them are controlled only from HA and only with the local integrations) - I am thinking: do I need then 2 segments (for security purpose) or not? If YES (2 segments still needed) then how to solve the issue of HA being accessible to IoT devices, yet not being exposed?
I was in a similar situation & got it to work by adjusting the firewall rules to allow access to my HA IP Address. Caution: remember, your HA doesn't use a default HTTP(S) port.
Sadly, I don't have the firewall commands anymore, or I'd pass them along.
@@TheKauff Yeap, I think I found a solution: 1-outer router for IoT, 2-inner router for home devices, including HA, 3-port forward from outer to inner only for specific ports - everything else blocked. I am yet to test it as I am not sure about which ports (for sure HA http and MQTT) and what about autodiscovery
Thanks for the video.
Wish I would have had this video sooner, guess I’ll try it with my new nighthawk.
You never tested the wireless. I can not get my wireless AP to pass DHCP addresses.
thanks this helped me big time
hi is there a way to add a vpn to the new VLAN only without it affecting the other LANs?
I have a very simple question when using DDWRT
on my wrt54g, asus n66u, etc.
I only use ports 1-4. Using port 1, I click VLAN 2 and tag and I automatically get a WAN ip address from my ISP on my router. Now with the WRT3200ACM DDWRT HOW ON earth do I do that.. all the guides are confusing AF, thanks in advance
This has been so helpful! Thanks so much. Everything works except my vap isn't getting DHCP from br1...the LAN port in the same VLAN is getting DHCP tho. I was wondering if you can help me out. Thanks!
Same here. You got any solution?
@@peremilskjold9388 no solution yet and I'm still searching. Will update if I find anything that works
@@bruceice For both of you, I would try double-checking your DHCP settings, rebooting your router, or doing a factory reset & re-building your config. There's a part in the video where you have to make sure you're setting the DHCP on the right bridge. It's also possible DHCP traffic is being blocked, but that's a much deeper issue.
It may also be worth trying a newer firmware. I was running into the same issue. If I tried to add any VAP to a bridge, the VAP would stop working. However in my case updating the firmware to v3.0-r47900 std from 12/20/21 fixed my issues. Although I did have to do a factory reset after upgrading.
Little bit old, but still useful... except... I followed your tutorial, everything works. Except that the connection on the iot vlan won't connect to the internet. On the other vlan (wired and wireless) I can get an internet connection. But on the iot network not. IP address is correct, but there it stops. What am I doing wrong?
if you're on new firmware, have you got the LAN CPUPORT box checked for your IoT vlan?
So you need the 'LAN CPUPORT' check-box ticked for every LAN vlan you set up (but not on the WAN row, obviously. That should have the 'WAN CPUPORT' checked.)
NB: this will also automatically setup vlans, which is handy. I'm using DD-WRT v3.0-r52330 std (04/14/23) on a Linksys WRT1900ACSv2. Side note, if you are using the same/similar router, I found that the port-mappings are actually backwards in the GUI... so for me, Port 1 in the GUI is actually the port 4 socket on the hardware.
I tried this and it works, but the WAN port is not working as well. Does anyone know how to fix that?
I think this is a stupid question, but how would you see the feed from the ip camera if it's on a vlan?
Try ispy and add your camera, it should give you a link, put that link in VLC player streaming.
Thanks!
I can't get no internet in the IoT WiFi.
Even though I followed this to the letter three times. Clearing NVRAM in between each.
Any help would be greatly appreciated.
I had to follow someone else's tutorial. It's curious how that other one did work. Same happened with the WireGuard video here. Broke my internet connection. Take these videos down. Stop this.
@@luis.enciso got a link to that video you used to fix it?
Every time I change the VLAN settings in the "switch config" tab my router will disconnect from the internet and not return unless I factory reset.
Manually give your device an IP that matches vlan.
I would double-check that you're not moving the port the Internet is connected to, to the new VLAN.
Good tutorial! However every time I enable vLANs the WAN port stops working, and I cannot figure out why. I am running build 44719.
If you still don't have access to the internet, I can provide an example of iptables rules that works for me.
Same issue, figured it out. Setup > Networking > Port Setup> WAN Port Assignment (change this to vlan1).
Great vid. Thanx
What if i dont have vlan tab?!
Anyone who knows anything about the E4200 on DD-WRT knows that the default VLAN assignments were wrong for quite some time. VLAN 2 is WAN, VLAN 1 is LAN. You have to correct this FIRST via webUI, save, and reboot. Prime example of someone not doing enough research before creating a how-to video.
Can I block the vlan network (with cameras) from accessing the internet? Basically I would like it to be local vlan only
I managed to do this by giving the camera no gateway or a wrong gateway. Use an NVR or VLC to watch the stream. YouTuber level1techs did a video on this.
I have a different goal in mind. I don't want untrusted devices to connect to the internet at all, hardening the home network.
I could have a baby monitor to keep tabs on kids when I'm at work. Kids being kids might sometimes be inappropriately dressed for company as they walk through the house when no one else is home. Or perhaps I have an IP based security system. Either way, I can't be sure these devices don't have built-in hacking programs that might be able to capture local IP and Wi-Fi traffic for the purpose of masquerading as another device by switching to the other device's MAC address, and SSID if the other device is Wi-Fi.
So, I want multiple vLANS, one for each untrusted device and filtered so that only that device's MAC address can communicate. For the Wi-Fi devices, a unique hidden SSID + password + MAC filter for that device is routed to a unique vLAN. Each Wi-Fi SSID needs its own MAC filter as well, so only that device can connect to that SSID and only that device can route to the assigned vLAN. Then a routing table to allow an NVR on the main LAN to communicate with any untrusted camera vLANs, and to allow a security controller to connect to any security devices on the other untrusted vLANs.
Is it your impression that DD-WRT can do this all in a single router, or will it need two routers, one for untrusted devices?