VLAN filtering works pretty well, but it's best to just kill all the stock interfaces and create all your VLANS as 802.1q, then bridge. Also, VERY helpful: Add software package for "ip-bridge". It gives you a really good method via SSH to see the VLANs and confirm the GUI setup.
When you make vlans make one extra where anything untagged can be sent and it doesn't have to have any interface asigned to it, such Vlan is often refered to as Black Hole vlan.
@Pragmatic Security Actually not... If u mess up network conf. and lost access, you can boot into recovery mode, assign your NIC static IP, SSH into router and fix it under CLI via ssh...
Awesome video. How did you setup the boosters. I have a couple of TP-Link consumer routers that I could use as APs but not sure how you set your up to use as boosters
I need to correct you. Most IOT devices can use both 2.4 and 5ghz. Enable on your wifi to have both avaliable bit make sure that whichever device you can is configured to ise 5ghz band to reduce interfearances because everything in your house that can disrupt network works on 2.4 ghz. Not all IOT devices can use 2.4ghz but whenever you have an option to use 5ghz band go for it. 5ghz band had 36 channels i think and 2.4 ghz has 13. Do the and you'll understand.
In my cse I have OpenWRT in a container LXC. Is there any difference since the lan ports are virtual and larger part of my network is WIFI and want to add vlan to wired and wifi connection?
unfortunatelly this doesn't work anymore... if you configure a new bridge on lan1 you need to delete that port from the old bridge. You can’t use same port on two bridges anymore.
Sure let me see if I can find the original one from this video. I am in the process of making a new set of videos that covers more deployments from different diagrams not just what I was doing at the time I made this video. If I find it I will put it in the description of this video.
I have an XR500 which made the ports named kind of goofy, so it was hard to follow any tutorials on setting them up in here. Theres 4 LAN ports but they are all referenced through 2 "CPU(eth)" interfaces so its a further layer of confusion. I ended up tagging all my vlans in the switch page, then creating a bridge device for each vlan with the management vlan individually. Then creating an unmanaged interface for each vlan bridge device that i can assign to the wireless. They are going through a trunk to a managed switch which is trunked to a firewall. It's working without the 'vlan bridge filtering' stuff, and I only have one static address for management configured on the openwrt. hope any of that makes sense.
I unfortunately have a few routers that also use that imbedded switch tab with two cpu ports. I honestly kept my config the same and just tagged the cpu ports due to having other issues earlier. If it works though and the traffic is segmented thats really whats important!
I have followed your instructions to the T. however after adding interface and choosing my software vlan 10 (i have added only one VLAN) the interface shows an error: Network device not present. Any idea why?
So in my experience that will happen if there is nothing else connected to the VLAN you create. You could test it out be creating a wifi network under the wireless tab and attempting to use the VLAN you created. If the error is still there I am not sure what else it could be unfortunately.
@SameerGurung1975 & @HeinserTorres Did you figure it out? I'm having that same issue right now!!! Edit: I solved it by removing the VLANS bridge port (LAN1) from my br-lan. Then I saved and applied and re-added it to br-lan and it worked. However, I don't really understand why that worked 😶
When segregating IoT devices via vlans (192.168.2.1), are you still able to view/control them via their app even when your iphone is connected to the main network (192.168.1.1)?
So at some points I was able to actually use both the bridges and it was very convenient. However there are some strange things that happen now when I use the double bridge and it pretty much just becomes as you say now. I think the solution you proposed is probably slightly less of a headache and a lot more consistent.
So if I had to tag vlans on wan and then lan ports I need to add the wan port to vlans bridge and tag the vlans for the wan port, or do i need to configure a seperate bridge for wan?
couldnt the red line ( internet line) just connect to the wan port on the router ? I know it probably doesn't matter as all ports can be change to but yeah :D
Yes, because it's actually the most robust port on most routers, I actually recommend it. I don't use my OpenWRT builds as routers, they are all just WAPs (router is pfSense). I assign what was the WAN port to the bridge and use if for a wired backhaul on each WAP. All the VLANs are built as 802.1q devices and that way the "Bridge VLAN Filtering" works just fine on the base br-lan device. Then the only interfaces are the .xx VLANS.
Hello there. I've watched your video part 1 and a bit of part 2 as well. But I do have a different situation with my home network setup. I have Openwrt running on x86 PC as a router and connected to TP-Link TL-SG1016PE v1. I wanted to have three different vlan IDs. So I want to have similar idea as yours, but mine is different because it's directly to connect to my TP-Link smart managed switch since I have two WIFI APs (has three SSIDs) and one LAN for everything else. I want to assign vlan on those three ones. Will this setup works? I'm pretty newbie with vlan configuration. I'm very familiar with Openwrt but vlan.
I think it should work, as long as you remain consistent with ALL of your VLAN rules. I dont have a lot of experience pushing VLANS to another OpenWrt device but I imagine as long as your firewall zones are not blocking one zone on one device it should be ok. Only wildcard is how the switch works with VLANS and where exactly it is in the network.
I created couple of VLAN's (IOT and Guest) but my Amazon Echo devices keeps losing WiFi network intermittently somehow but all other devices remains connected to IOT. I am unable to figure out what's wrong :(
I have limited exp with amazon echos but generally IoT devices go berserk with all kinds of flooding which is also why its nice to have them on their own network. There should be a setting under the Wireless tab for your Wifi network to "Isolate clients", that may help but not positive. In my eyes there are a couple different possible problems. 1 your echo is having connection issues due to other devices flooding IoT network in which case, the "isolate" option might help or 2 your echo is flooding and its triggering a protocol in OpenWrt that is trying to stop it from flooding in which case I am not sure how to help other than try to put your echo on an unrestricted network or 3 the chipset for the antenna in your router is not very compatible with the antenna in the Echo. I have encountered this issue before and to fix it I had to turn off "WMM Mode" on my IoT wifi network. Turning WMM mode off will dramatically reduce the IoT network's speed but it also helps IoT devices connect. If this doesnt help keep going! The worst that can happen is you learn something :)
If you wanted to use LAN 4, on the virtual bridge section of the video you can change the from LAN 1 to LAN 4. You would need to make sure that the physical port "lan 4" on the back of your router is actually the one plugged in.
Just the thing I was looking for! Great job!
Nicely done. Much appreciated on the explanations.
VLAN filtering works pretty well, but it's best to just kill all the stock interfaces and create all your VLANS as 802.1q, then bridge. Also, VERY helpful: Add software package for "ip-bridge". It gives you a really good method via SSH to see the VLANs and confirm the GUI setup.
When you make vlans make one extra where anything untagged can be sent and it doesn't have to have any interface asigned to it, such Vlan is often refered to as Black Hole vlan.
@@raughboy188 Yep, agree.
@@ramosel having black hole vlan can help you possibly prevent VLAN hopping attack.
great explanation, you make the day
perfetto .. funziona alla grade nella mia rete... molto simile ... pfsense.... > switch managed trunk port ---> vlan OPENWRT... iot -wifi ..THANK !!!
Very nice and heplful.
@Pragmatic Security Actually not... If u mess up network conf. and lost access, you can boot into recovery mode, assign your NIC static IP, SSH into router and fix it under CLI via ssh...
You save my day!
Awesome video. How did you setup the boosters. I have a couple of TP-Link consumer routers that I could use as APs but not sure how you set your up to use as boosters
I need to correct you. Most IOT devices can use both 2.4 and 5ghz. Enable on your wifi to have both avaliable bit make sure that whichever device you can is configured to ise 5ghz band to reduce interfearances because everything in your house that can disrupt network works on 2.4 ghz. Not all IOT devices can use 2.4ghz but whenever you have an option to use 5ghz band go for it. 5ghz band had 36 channels i think and 2.4 ghz has 13. Do the and you'll understand.
In my cse I have OpenWRT in a container LXC. Is there any difference since the lan ports are virtual and larger part of my network is WIFI and want to add vlan to wired and wifi connection?
unfortunatelly this doesn't work anymore... if you configure a new bridge on lan1 you need to delete that port from the old bridge. You can’t use same port on two bridges anymore.
Would it be at all possible to publish the network diagram to allow viewers to "Follow along"???
Sure let me see if I can find the original one from this video. I am in the process of making a new set of videos that covers more deployments from different diagrams not just what I was doing at the time I made this video. If I find it I will put it in the description of this video.
I found it, ill put it in description somehow!
I have an XR500 which made the ports named kind of goofy, so it was hard to follow any tutorials on setting them up in here. Theres 4 LAN ports but they are all referenced through 2 "CPU(eth)" interfaces so its a further layer of confusion. I ended up tagging all my vlans in the switch page, then creating a bridge device for each vlan with the management vlan individually. Then creating an unmanaged interface for each vlan bridge device that i can assign to the wireless. They are going through a trunk to a managed switch which is trunked to a firewall. It's working without the 'vlan bridge filtering' stuff, and I only have one static address for management configured on the openwrt. hope any of that makes sense.
I unfortunately have a few routers that also use that imbedded switch tab with two cpu ports. I honestly kept my config the same and just tagged the cpu ports due to having other issues earlier. If it works though and the traffic is segmented thats really whats important!
I have followed your instructions to the T. however after adding interface and choosing my software vlan 10 (i have added only one VLAN) the interface shows an error: Network device not present. Any idea why?
So in my experience that will happen if there is nothing else connected to the VLAN you create. You could test it out be creating a wifi network under the wireless tab and attempting to use the VLAN you created. If the error is still there I am not sure what else it could be unfortunately.
same issue with device not present.
@SameerGurung1975 & @HeinserTorres
Did you figure it out? I'm having that same issue right now!!!
Edit: I solved it by removing the VLANS bridge port (LAN1) from my br-lan. Then I saved and applied and re-added it to br-lan and it worked. However, I don't really understand why that worked 😶
When segregating IoT devices via vlans (192.168.2.1), are you still able to view/control them via their app even when your iphone is connected to the main network (192.168.1.1)?
Why the double bridge? Why not remove lan1 from br-lan, then add lan1 to a new bridge and do the vlan filtering on the lan1 bridge?
So at some points I was able to actually use both the bridges and it was very convenient. However there are some strange things that happen now when I use the double bridge and it pretty much just becomes as you say now. I think the solution you proposed is probably slightly less of a headache and a lot more consistent.
So if I had to tag vlans on wan and then lan ports I need to add the wan port to vlans bridge and tag the vlans for the wan port, or do i need to configure a seperate bridge for wan?
couldnt the red line ( internet line) just connect to the wan port on the router ? I know it probably doesn't matter as all ports can be change to but yeah :D
Yes you could do that. In my experience sometimes I had some odd issues with it but every router will be different!
Yes, because it's actually the most robust port on most routers, I actually recommend it. I don't use my OpenWRT builds as routers, they are all just WAPs (router is pfSense). I assign what was the WAN port to the bridge and use if for a wired backhaul on each WAP. All the VLANs are built as 802.1q devices and that way the "Bridge VLAN Filtering" works just fine on the base br-lan device. Then the only interfaces are the .xx VLANS.
Hello there. I've watched your video part 1 and a bit of part 2 as well. But I do have a different situation with my home network setup. I have Openwrt running on x86 PC as a router and connected to TP-Link TL-SG1016PE v1. I wanted to have three different vlan IDs. So I want to have similar idea as yours, but mine is different because it's directly to connect to my TP-Link smart managed switch since I have two WIFI APs (has three SSIDs) and one LAN for everything else. I want to assign vlan on those three ones. Will this setup works? I'm pretty newbie with vlan configuration. I'm very familiar with Openwrt but vlan.
I think it should work, as long as you remain consistent with ALL of your VLAN rules. I dont have a lot of experience pushing VLANS to another OpenWrt device but I imagine as long as your firewall zones are not blocking one zone on one device it should be ok. Only wildcard is how the switch works with VLANS and where exactly it is in the network.
I created couple of VLAN's (IOT and Guest) but my Amazon Echo devices keeps losing WiFi network intermittently somehow but all other devices remains connected to IOT. I am unable to figure out what's wrong :(
I have limited exp with amazon echos but generally IoT devices go berserk with all kinds of flooding which is also why its nice to have them on their own network. There should be a setting under the Wireless tab for your Wifi network to "Isolate clients", that may help but not positive. In my eyes there are a couple different possible problems. 1 your echo is having connection issues due to other devices flooding IoT network in which case, the "isolate" option might help or 2 your echo is flooding and its triggering a protocol in OpenWrt that is trying to stop it from flooding in which case I am not sure how to help other than try to put your echo on an unrestricted network or 3 the chipset for the antenna in your router is not very compatible with the antenna in the Echo. I have encountered this issue before and to fix it I had to turn off "WMM Mode" on my IoT wifi network. Turning WMM mode off will dramatically reduce the IoT network's speed but it also helps IoT devices connect. If this doesnt help keep going! The worst that can happen is you learn something :)
Thanks
I like
HI thanks for your video,how can you add ex LAN 4 to vlan 20?
If you wanted to use LAN 4, on the virtual bridge section of the video you can change the from LAN 1 to LAN 4. You would need to make sure that the physical port "lan 4" on the back of your router is actually the one plugged in.
OpenWrt, no OpenWRT.
DD-WRT