Hi Marc!
I very much appreciated your video and like Carl below, it really helped with my understanding of vLANs in an OpenWRT context.
Like yourself, I have created a separate vLAN for IOT with intent to use Home Assistant to automate.
However, I seem to be having problems with port forwards/traffic rules in OpenWRT to allow NTP only on the IOT network and then to allow access to Home Assistant at port 8123 (and anything else I may need, such as HTTP access to the TASMOTA installs on various devices etc).
Perhaps as a suggestion for another video you could walk through these steps as well, as I'm sure this type of security would be of interest to your audience.
Thank you again and I am looking forward to your future content!
Sounds great! It would bridge the gap between the network and home automation world - actually we could go through the typical home automation network setup including MQTT Server, IOT subnet, NTP, IPv4 / IPV6 etc. I would just need to do some research on the different ports used etc. for the various home automation software solutions. MANY THANKS FOR YOUR FEED-BACK !!!
Thanks for sharing, most informative I’ve seen so far, and nice safeguard to prevent locking out (almost did this yesterday where openwrt was smart enough to do a rollback after 90+ seconds)
Many thanks Vince, I am glad that you liked it - yeah, this had happened to me so often so I thought I'd show that part because I really learnt it the hard way ;-)
VLAN5 is the anti-lockout port a.k.a. subnet, it is very useful for complex network topologies or networking experiments :)
Just pulled out an old router and followed your instructions. If the device has 2 CPUs (eth0, eth1)... should I tag both or just one? Thank you Marc for your tremendous help
Thanks for sharing this. Need to test this with a cheap router.
Go for it ;-) let us know if it worked
@@OneMarcFifty sure.
Hi, yesterday I just realized that I have owned a router since 2018. Its model is Netgear R6100. Today I'm trying to set up the VLAN part but it makes me confused. This router receives internet from the WAN port. Do I need more devices like a switch to use VLAN ports, or does it just work like I've already said?
Your tip is very useful, I couldn't configure VLANs until I watched this video, and now I know what the problem is, thanks for sharing!
Awesome - glad it helped ;-)
Thank you for the guide. I seem to have missed where each vlan picks up dhcp settings from though.
Hi Paul, that would have to come from your main router.
Thank you for explaining the one bit I was missing. It wasn't so obvious. Appreciate the video!
Hi, many thanks for your feedback. Yes, I do agree - it's not obvious. It took me years to figure out ;-)
I'm just trying to learn about VLANs and your video is the only one that I've understood so far, It would be interesting to see the configuration on the other side, is the trunk port tagged for every VLAN on both sides?
Many thanks Carl. Yes the ports are tagged in pretty much the same way. If you watch my video VLANs explained in 3 minutes ruclips.net/video/oCzi735wtk8/видео.html it shows more detail about the config on both sides. Let me know if this helps.
@@OneMarcFifty Great, thanks, I was able to get it to work as a proof of concept, I understand things much better now!
@@sp1es Excellent - that is great news - I am glad you got it working.
Hi Marc, thanks for your video tutorial. I followed along, but there are some questions: When you check whether the ports distribute (get) the "right" IP/subnet, where does the DHCP server come in? Which router/switch/PC, not mentioned in the video, is handling the different subnets with DHCP? Where is it connected to? Could you show/explain how to manage DHCP subnets with another cheap home router? Thanks for your answer and greetings from Franconia!
Hi Klaus, the DHCP Server would be the Internet Gateway or your "main router" really. I have silently assumed that people would set up the main router the same way. You might want to check this video ruclips.net/video/qeuZqRqH-ug/видео.html where I show the whole VLAN setup etc. in OpenWrt 21. Another one to check out could be this one: ruclips.net/video/4t_S2oWsBpE/видео.html Greetings from Swabia ;-)
Marc: It looks like when you have all VLAN tagged, it is called a Trunk, when it is one untagged & rest tagged, it is called hybrid, and when only one untagged and rest off it is access (as per industry switch terminology). Is this correct?
Hi Anil, I am not sure if there is a real standard terminology (i.e. outlined in an RFC or the like) - but it's true that in the industry the terms used are mostly CISCO-ish like outlined here for example: documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Fundamentals_of_802.1Q_VLAN_Tagging
Hello, could you show how to virtualize it, for instance inside Truenas and Proxmox? THanks in advance.
What should I be using if my router lists 2 CPUs (eth0 and eth1)?
Also, if I have a WAN port, can I use that to connect to my router as my alternative to your port 4?
Check the interface section of OpenWrt in order to figure out which interface to use. Your br-lan will use either eth0 or eth1 on the physical tab. Presumably your WAN line is tagged to the other, so to answer your second question - yes, you could tag the WAN port to the other cpu and use it as a LAN port. But be careful, it's easy to lock yourself out ;-)
I have a pfsense firewall already. So if i set the router running OpenWRT into AP mode will the VLAN function still work?
Yes- pfsense can of course do 802.1Q VLANs as does OpenWrt.
This help me understand networking and a new level. Please continue to make great content thank you. Subscribed and like...🤙😎
Thank you very much 😊
Thank you so much for your clear explanations! I am a beginner to networking, so I was hoping I could ask you about a couple of things:
1. Does this work the same for routers with ethernet ports that support VLANs?
2. Why do you leave the second VLAN and just turn it off? Is there something significant about the VLAN ids that require that VLAN to be unused, etc.?
3. Why did you keep two ports on the Parachute VLAN until the end?
4. Did you set Unmanaged on the Guest and other interfaces so it can’t access the switch itself to administer?
5. It seems like interfaces themselves can have IP addresses as well as the devices connecting to them. Is that correct?
Thank you again!!!
Hey, Ravi - let me try and answer in order: 1.) I assume you refer to Distributed Switch Architecture (DSA) as of Kernel 5 - yes that works as well. On a Linux host you can also just add ethx.y devices in the network config and they will support VLANs. 2.) In my network, the VLAN 2 is the WAN - that's all. Generally speaking, with regards to VLAN IDs best practice is to NOT use VLAN ID 1 in order to avoid VLAN hopping attacks. (In a nutshell use another VLAN, e.g. 24 and give the ports a different PVID, e.g. 44 which you don't use) 3.) One port would have been enough of course. 4.) Yes - you are correct - that makes the switch "invisible" in those networks 5.) Correct.
@@OneMarcFifty thank you!!
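A small checker, added here as an example and not code from the video or from anyone in this thread, that reads the `config bridge-vlan` sections of an OpenWrt 21 `/etc/config/network` (DSA syntax), labels each port with the access/hybrid/trunk terms Anil asks about further up, and flags the two things Marc's answer advises against: VLAN 1 as a port's PVID, and a tagged port whose untagged/native VLAN is a live VLAN that other ports also sit in. Both config snippets are constructed for this example; the `:t` / `:u` / `:u*` port notation is OpenWrt's own, while the function names and the treatment of a bare port name as untagged PVID are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample (not from the video): the trunk port lan4 still uses
# VLAN 1 as its untagged/PVID VLAN, and VLAN 1 also carries hosts on lan1.
WEAK_CONFIG = """
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan2:u*'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan3:u*'
	list ports 'lan4:t'
"""

# Constructed sample following the advice in the thread: LAN moves to VLAN 24,
# VLAN 1 is not used at all, and the trunk port's PVID is VLAN 44, which has
# no other member, so untagged frames arriving on the trunk reach no host.
HARDENED_CONFIG = """
config bridge-vlan
	option device 'br-lan'
	option vlan '24'
	list ports 'lan1:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan2:u*'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan3:u*'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '44'
	list ports 'lan4:u*'
"""

# OpenWrt port entry: name, optionally ':' and flags t (tagged), u (untagged), * (PVID)
PORT_RE = re.compile(r"^(?P<port>[\w.-]+)(?::(?P<flags>[tu*]+))?$")


def parse_bridge_vlans(text):
    """Return {vlan_id: {port_name: flags}} from the 'config bridge-vlan'
    sections of a UCI network file; every other section type is ignored."""
    vlans, section, vid, ports = {}, None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            if section == "bridge-vlan" and vid is not None:
                vlans[vid] = ports
            section, vid, ports = line.split()[1], None, {}
        elif section == "bridge-vlan":
            if line.startswith("option vlan"):
                vid = int(line.split("'")[1])
            elif line.startswith("list ports"):
                m = PORT_RE.match(line.split("'")[1])
                if not m:
                    raise ValueError(f"unrecognised port entry: {line}")
                ports[m["port"]] = m["flags"] or "u*"  # bare name -> untagged PVID (assumption)
    if section == "bridge-vlan" and vid is not None:
        vlans[vid] = ports
    return vlans


def port_membership(vlans):
    """Invert to {port: {vlan_id: flags}}, keeping config order."""
    members = defaultdict(dict)
    for vid, ports in vlans.items():
        for port, flags in ports.items():
            members[port][vid] = flags
    return members


def classify_ports(vlans):
    """Access / hybrid / trunk in the sense discussed in the thread: one
    untagged VLAN and nothing else is access, untagged plus tagged is
    hybrid, only tagged VLANs is trunk."""
    result = {}
    for port, vl in port_membership(vlans).items():
        tagged = any("t" in f for f in vl.values())
        untagged = any("u" in f for f in vl.values())
        result[port] = "hybrid" if tagged and untagged else "trunk" if tagged else "access"
    return result


def audit_native_vlans(vlans):
    """Findings for the two conditions the thread warns about."""
    findings = []
    for port, vl in port_membership(vlans).items():
        carries_tags = any("t" in f for f in vl.values())
        for vid, flags in vl.items():
            if "*" not in flags:          # only the PVID VLAN matters here
                continue
            if vid == 1:
                findings.append(f"{port}: PVID is VLAN 1")
            others = sorted(p for p in vlans[vid] if p != port)
            if carries_tags and others:   # native VLAN of a trunk is a live data VLAN
                findings.append(f"{port}: native VLAN {vid} is shared with {', '.join(others)}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        parsed = parse_bridge_vlans(cfg)
        print(name, classify_ports(parsed))
        for finding in audit_native_vlans(parsed) or ["no findings"]:
            print("  ", finding)
```

Note that under this terminology the hardened trunk port comes out as "hybrid", because giving it an unused PVID (VLAN 44) is itself an untagged membership; that is the intended shape, and the audit stays clean because VLAN 44 has no other member.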
Hey Marc. I know it's a year now since you made this video. And a great one too! I wonder if you will help me?
I'm stuck and can't get my old router to connect to my good router. The old router is in bridge mode. Tried to change the IP address to my main router's IP range, and turned off DHCP on the old router.
Hi Morten, the best way to get this fixed would probably be to jump on the discord server and ask the question- we can share screenshots and also there’s a lot of friendly people there who can help ;-) discord.gg/DXnfBUG
Marc, I have been following your videos for a few weeks now. They helped me segment my network for Private, Guest and IoT access on my OpenWrt router setup. Could you make a video that shows how to properly forward traffic between subnets, like between Private and IoT networks, and secure firewall rules to go along with the configuration.
You must have read my mind. Just yesterday I thought - hmm - you have been promising that Firewall video for so long, it's about time you make it ;-) I have 6 videos scheduled for the next weeks but I will definitely push this forward for mid/end February. Firewall setup for IOT/LAN/Guest plus second access point over VLAN. Reason for the delay in my promised videos was that I used my vacation to make over my network ;-)
@@OneMarcFifty Thank you. Looking forward for them.
I appreciate your video
But I want to ask one thing
If I have a main OpenWrt router (1) and another OpenWrt router as a VLAN switch (2)
How do I set up the main OpenWrt router to assign each VLAN ID to a VLAN port on the 2nd router?
May I create interfaces for IoT, guest etc. one by one on the main router?
Hi, that's exactly what we do in these videos: ruclips.net/video/4t_S2oWsBpE/видео.html and ruclips.net/video/UvniZs8q3eU/видео.html
Hello Marc! With the new version of OpenWrt 21.02 the concept of DSA was implemented. This significantly changed the VLAN setup. Would you please be so kind to update this/make a new video on how to separate wired and wireless subnets (with separate DHCP address pools). I am struggling with no success up to now. Thanks in advance, Leonid.😀
Next week - it’s in the making
@@OneMarcFifty Just watched the v21 video - excellent! Very condensed and informative. But for me it needed several stops and rewinds :)
Many thanks Alexey - yes, when I cut the video I thought it might go too fast at some parts…
Epic videos bro. I watched most about openwrt..dang..i corrected many fak ups :)
Hi Igor, glad you could use it - thanks for the feedback ;-)
I am sure if you choose openwrt over pfsense there is a solid reason. Kindly share with us. Thanks. I admire your projects.
Well, you know - like so often in IT you use what you know - I know Linux and I know OpenWrt - just happened so 😉 I have just never felt the need for anything else. I am tempted to believe that it must be the same for someone who uses pfsense. I do have it on my list though 😉
Both are great products. pfsense (now opensense or earlier m0n0wall) tends to be less supported on so many commodity hardware.
Could you please help me in setting up an OVS wireless access point on a Raspberry Pi using OpenWrt? I am using OpenWrt 18.6 and a Pi 3B
I will do something similar in the near future with 4G/LTE and mpcie hat - stay tuned 😉
Hello how would I use my openwrt router to manage sqm to my duma os router?
Hi, SQM should be done on the Internet gateway really. You can however have SQM run on any downstream router separately as well - it should not do any harm.
@@OneMarcFifty Couldn't figure it out so I just flashed my XR500 with OpenWrt, and run two routers to manage different devices.
Hello Marc,
I came across your channel while looking for a video over VLAN. I was so excited that I watched all of your OpenWrt videos right away.
Everything is understandable - even if my English is not the best - but still explained with sufficient depth. Fantastic.
I had a WDR4900 lying around that I spontaneously flashed to OpenWrt. I was able to adapt the setup as an AP with VLANs without any problems.
But I can't just test whether it works because I don't have a configured main router. As hardware I would have a C7 lying around. I would like to recreate the complete setup that you showed in the video "Cheap WiFi Mesh Alternative ..". But I'm a little scared of killing my existing network ...
In addition, I would then install a WireGuard VPN and a Freifunk offloader, to make my network complete.
Could the main router also be simulated in VirtualBox?
More videos on this topic would be great.
Henning
Now this is amazing feedback Henning, many thanks! Well yes you could build the main router in a VM but configuring the VLANs in a VM is something I haven't tried yet. If you want then you can join my discord server and we can chat it through - Sunday 9 AM and 6 PM we do voice/video chat
PS : I have subtitles enabled - so you can select automatic translation at least for the subtitles if you want to have a different language.
I can’t find switch in network menu. How can I install it in from my windows 7 pc?
Which version of OpenWrt are you using ? Things have changed in Version 21.
I watched the video many times, but there is something missing. I could define my VLAN and my PC gets an IP correctly, but it does not connect from this VLAN to the WAN. I hope you have a special tutorial for VLANs, what is tagged and when to use it. Unfortunately, I did not find other tutorials for OpenWrt VLANs.
Hi Sherif, I have been asked to provide more on this subject a couple of times and it will come! I am in the process of planning two more episodes - one on firewall setup for IOT/LAN/Guest plus one on extending guest/IOT to a second access point. These videos will answer your questions and again explain VLANs with OpenWRT in depth!
I like the way you make your videos, thumbs up !! But I was wondering if you would do a detailed session on the pfsense w/o proxmox. Thanks in advance :)🙂🙂
You mean pfsense on metal, i.e. physical hardware without virtual?
@@OneMarcFifty Thanks a lot for replying :). It will be good if it is on metal, but virtualizing it on proxmox is also a great option...
Marc great videos. Video idea : Setup an openmptcrouter and aggregate real speed in a video
Many thanks @Erdem - I assume you have seen my VPN bonding video where we do this with Openvpn? ruclips.net/video/I08A4-PWawk/видео.html
@@OneMarcFifty The issue with VPN bonding and Speedify is the limitations. The MPTCP protocol eliminates all the issues with the virtual private server connection and slowing down to the slowest link, so there should be real speed aggregation. It is based on OpenWrt and could complement this channel.
Thank you Erdem - the reason that held me back from doing stuff with openmptcprouter so far is basically the fact that you would need to compile an MPTCP enabled kernel on the VPS. Furthermore, the supported hardware. But you know what ? I think I'll contact Yannick Chabanois (the maintainer of openmptcprouter) and see if we can do something ;-)
@@OneMarcFifty He replies in the GitHub issues section
@@OneMarcFifty The VPS works in Google GCP. The local hardware needs to be something that can run OpenWrt
I have tried many times to bridge via WiFi to my internet access point from an OpenWrt WiFi client/station router. I have always tried to do this via routing but it seems to be a limitation of Atheros chipsets that layer three does not work across such a bridge. Once NAT is enabled then it seems to work. Will this bridging work if the WiFi client and the LAN on the station are bridged via a VLAN? Will DHCP requests from clients on the LAN successfully traverse to the internet access point via the WiFi client on the station?
These issues seem to be addressed with batman-adv. If you want to do a workshop on setting this up and utilizing the management functions such as syslog and snmp and snort then I could be willing to make some donations. I have a netgear wndr4300v1(ar9344), wndr4300v2(qca9563) a WD MyNet 600v1 (ar9344) and a Netgear ex6100 v2(ipq4018). Since they are all qualcomm I am hoping they will be compatible enough to build a batman-adv mesh network but I am not sure about the ex6100 because it is an ARM processor and the others are MIPS. It also uses the Ath10k driver instead of the ath9k.
I have tried this a couple of times and could not get it to work - as you say it seems to be a limitation of the driver. Bridging AP works like a charm, but bridging in WiFi client mode does not.
W/r to batman/mesh I had been thinking about this too - building my own mesh solution. I am still in an investigation phase however - but it is something that I have on the list. Many thanks for the hardware offer, however I do have a big box of stuff lying around ;-)
give me backup plz ???
Hi Refresh Garden, I am not sure if I understand your request correctly. Could you be more specific please ?