FINALLY - someone who actually can talk about home VLANs without mentioning Ubiquiti. I do have one question though. Is it necessary to reserve an ethernet port on the router for the IoT VLAN, or can you just do it with WiFI only? I don't have any ethernet IoT devices (all WiFi) so I wasn't sure about this point. Thanks -great video!
I havent done a wifi-only IoT subnet personally, but I believe it should be perfectly possible. You would associate the virtual wifi with the bridge you've created for the IoT network. So, you'd still create the IoT bridge, you'd just skip the step in the video where I assigned the LAN ports. Again, haven't done it personally, but try it out :)
I had spent day's looking for a way to isolate IP cameras from other computers on my lan. This is great thank you so much for taking the time to make this video.
Fantastic Video Chris. It worked like a charm on my 3200WRT on my first shot. Thanks a lot for making the video and explaining so well. Want a challenge? Demonstrate doing the exact same thing using OPNsense (or pfSense) on a 6 port Protectli vault. Because DDWRT development seems to be stalling, particularly with WiFi 6 - I'm being forced into the xxSense wilderness. A pity as DDWRT is the work of Gods!
Absolutely amazing tutorial! Straight to the point and easy to follow along with. The only issue I was having is that the IoT VLAN didn't have access to the internet. I could connect to the WiFi network and communicate with local devices just fine, but I had no internet access. After some troubleshooting and forum reading, I found the fix was to go under Setup > Networking > and then all the way down under, "Network Configuration br1 - IoT Network" I had to enable, "Masquerade / NAT" and then I had internet access! Hope this helps someone who may be experiencing the same issues
Thank you so much for this great video! The issue I was having that made me seek out this video was that trying to change the switch config would either disable internet access or LAN access completely. I ended up just restoring to factory settings and starting from scratch. I'm running r48971 on a Buffalo WZR-600DHP2, so my config pages looked a little different, but other than that I was able to follow along. One thing I noticed is that my switch config had the LAN ports on VLAN1 and the WAN port on VLAN2. I didn't want to mess with it again, so I just created VLAN 3 and it worked like a charm. I'm doing WFH, so it'll be nice to keep my work computer (and IOT devices) separated from the rest of my network.
Really Excellent. I've been looking at DD-WRT after being away for a while, and I want to use it to replace my Eero Mesh. I see some tutorials on setting up Mesh with DD-WRT, and I would love to make sure there's also VLANs that I can setup, so thank you for this. Really great stuff. Subscribed.
This is not the most intuitive interface. Thanks a lot for making the video and explaining the pitfalls (like default vlan0 going away when you added the others -- which is what got me)
Found a cheap Cisco Linksys E1200 v2 at a Renaissance, 5.25 $CAD ; installed dd-wrt (can't get the exact version I installed now, but was June / july 2023) and setup was similar to this. It's key to do CTRL-Shift-R to refresh and ensure settings were saved as many times the UI won't reflect the real settings. Also the VLAN (Switch) page in the video doesn't show a CPUPORT checkbox that need to be enabled for all VLANs, for the ports to work.
Thanks for writing this up! I had a slightly more complex use case (secondary AP behind main DD-WRT router) and wanted to VLAN all the IoT devices which connect to the secondary router. Once I realized that STP config was causing ports on my core switch to get disabled (because I had STP on on all the bridges on both primary router and secondary AP, likely with default priorities, etc. so that probably looked like a loop to the switch), but eventually got it working. It's worth noting that versions of DD-WRT v3.0-r48646 (on routers with enough flash) also have the ability to reflect mDNS between different networks, which can help put even your Google home / Alexa speakers on a VLAN... in my case I also needed that to isolate my ESPHome devices from the LAN where the Home Assistant system sits and still be able to access them via HA.
Thumbs UP! Just what I was looking for. In my case, my cameras don't even need the internet, but I can handle that leveraging off of the firewall script.
This was a superb instructional video - thanks for taking the time to make it! I am struggling, however, with WAN/Internet access from the VLAN and VAP. I must be missing a route, bridge setting or some other parameter. Even if I remove all of the IPCHAIN firewall commands, and if I run traceroute, there doesn't seem to a route to the outside. What have I missed? Found it - you need to enable Masquerade/NAT under the Setup->Network Configuration for br1!
Hello , what build are you running? I have 47495 and after i create a bridge ,even if i create a firewall rule or not , asign an interface to that bridge or not , my wan network show that is conected , by have no internet access . After i delete the bridge and reboot the router , everything works like normal. Thank you.
@@DevbaseMedia After setting up the firewall, should I be able to get to 192.168.0.1 or 192.168.1.1 from the IoT wifi network? From what I can see, I can't access any device with 192.168.0... except the router's admin panel. My router is behaving a bit strange. Do you know any solution? Thank you in advance for your answer :)
What I have noticed is when I'm on am IoT subnet, I can only get the admin console from the subnet ip address (if the firewall rules are in place, that is). In the video example, when I'm on the 192.168.107.x subnet, I can get the admin console at 192.168.107.1, but I can't get it at 192.168.1.1 (because the firewall rules restrict my ability to see the main subnet).
@@DevbaseMedia For me it works weird, because when I am on subnet 192.168.107.x I can reach the dd-wrt admin panel with the address 192.168.0.1 and 192.168.107.1 but I cannot reach any other device for example 192.168.0.2, 192.168. 0.4. Could you post a link to the forum topic where you got this config?
Hi. The 107 subnet *shouldn't* be able to see any other devices - it should only have access to the internet (so it's totally isolated). With that said, there is no reason a subnet needs to be restricted like that (you are right it's enforced by firewall rules). Here is the original forum post where I explained how I did my VLANs, and the helpful reply for the firewall rules. Note that my *media* subnet (192.168.50.x) was specifically set up to have access to the main network, that is possibly what you are looking for: forum.dd-wrt.com/phpBB2/viewtopic.php?p=1212560#1212560 Let me know if you need more info
I have a pfsense firewall already. So if i set the router running DD-WRT into AP mode will the VLAN function still work? Essentially for my scenario, the WAN in your setup will act as a trunk access and pfsense will manage the firewall rules?
@DevbaseMedia As far as I can tell, I've got your solution working (thankyou!), but I was hoping you could help with a couple things? First, oddly, I cannot ping (from a terminal/cmd) anything on br1 from anything on br0. I can however remote desktop from br0 devices to br1 devices, so I br0 can obviously talk to br1... just not ping it (also cannot remote from br1 to br0, so that seems to work as desired.) It's a small thing, but make me very curios why? Additionally, the GUI has changed quite a bit in the newer beta versions. Wondered if you'd consider doing an updated video? Was hoping the newer interfaces would allow you to achieve the same result using the gui - maybe tagging? - without the need to manually write the firewall rules?
Thank you for the tutorial. I got my vlan setup without an issue via ethernet, however I'm not able to connect to the wifi vlan that I set up. I know this video is old, but are there any tips you can provide?
Great video, thanks for a great explanation and walk-through. I followed everything and everything works except when I add my VAPs to br1, I lose DHCP on the VAP but LAN port 4 still works
I had a similar problem. If I tried to add any VAP to a bridge, the VAP would stop working. However in my case updating to the firmware to v3.0-r47900 std from 12/20/21 fixed my issues. Although I did have to do a factory reset after upgrading.
Most importantly, thank you. Plugging into the new vlan port initiates a new subnet ip, however putting the connection back still recognizes the device/computer as that new subnet ip, that is until the provided firewall commands are applied. (My router ASUS RT-AC66U)
Do you think setting up a managed switch with VLAN is enough to keep IoT devices from talking to trusted devices on my home network or would I need to have a firewall setting? my setup internet>router>managed switch: port 1 (router), port 2-4 trusted devices, port 5 (another 5 port unmanaged switch of IoT devices)
Great video. Thank you very much. I have 1 question - can you tell me (or show video) - is it possible to set direct access from the internet (from the provider) on this (or any dd-wrt) router, for example, on port 1 and 2, and to set wireguard on ports 3 and 4, for example?
Hey! So if I wanted to create a vlan just for Wifi for my security cams and untrusted devices, do I have add new passwords and SSID again for that particular vlan after set up? My cams are annoyingly to set up wifi on. I'd rather keep those settings on the cams and then change them on my main wifi network for trusted devices. For extra security. But what if I keep same SSID/password on both networks will that be worse? Just askin', I rather not change anything besides two separate networks, but I will if I must. Sorry if this is super simple. But this vid was exactly what I needed. Very good!
Well, I would like to say very, very interesting for sure I do like solid security however it will take sometime for me to configure these settings however I'm more interested In the wireless settings for now. Are The wireless interfaces and virtual interfaces under wireless settings similar ? One more secure that the other? I would like to put my Amazon Fire Stick on the wireless virtual however I keep it hidden from broadcasting (maybe being more secure) but it will not connect that way since hidden. Amazon device wants to see the device to connect to it I'm not sure if this would be wise move or not. Is there another secure way to keep streaming device in their own WIFI zone I guess separate from others? Thanks for the video.
As your IOT devices are on SSID network dd_wrt_ IOT and your trusted devices (like your phone) would be on SSID dd- wrt, in order for you to "see" or in cases where you needed to update an IOT device, would you have to switch out of of dd-wrt and get into dd-wrt-iot to see it? Or does this "virtual" lan be visible when you are attached to dd-wrt?
A very useful video! I followed your steps and successfully created an IoT network. With the iptables commands you advised, a device in the IoT network (i.e. 192.168.107.*) is not able to ping all the other devces in the 192.168.1.* network.....except 192.168.1.1. In fact, 192.168.1.1 is the same as 192.168.107.1 so I would not be surprised if devices in the 107.* network can ping 192.1.168.1. However, I found in your video that you was able to block the traffic from 107.* to 192.168.1.1. I wonder why and what caused the difference. I will keep searching to find a way to block the traffic from 107.* to 192.168.1.1. In case you know what caused the difference, please advise.
maybe somebody will know better but I think that is something to do with the fact that 192.168.1.1 is the gateway for the vlan, maybe there is a way to create another ip address for the same router in the 192.168.107 network
super helpful! like and subscribed. i have just one question: i’m reconfiguring our whole home network for better security. other than changing my wireless router to dd-wrt, i’ll be adding a managed switch to hardwire as many devices as possible. it may not make a huge difference but i can’t tell if it is better to set up the VLAN for iot on the switch or on the dd-wrt. do you recommend one or the other? as far as i can tell, the only advantage to doing it on the dd-wrt would be for the virtual AP. on the switch, i would need a second physical wireless router. thanks again!!
I'd test speeds both ways. I don't have any managed switches, only unmanaged switches, so for me, putting dd-wrt as the principal and putting an unmanaged switch on the IoT LAN port made sense. Another consideration might be whether you want to use many additional features of dd-wrt. I have another couple of videos on setting up OpenVPN and Wireguard servers. If you end up wanting to do that, you might consider using dd-wrt for your main (DHCP) router.
@@DevbaseMedia Right, DDWRT has a ton and ton of great features. I’ll go check out your videos. And I like the (obvious) idea of basing the decision on speed. my only hesitation with not utilizing more ddwrt features is making it a bottleneck with too much going on. thanks for the reply!
I think that designing DD-WRT so that you have to apply IP addresses and DHCP servers to 'bridge' virtual interfaces is counter-intuitive and potentially quite confusing. It would also be very helpful if there was a set of commands made known that would help anyone with a DD-WRT device discover the interface stack and full Physical to logical mapping (layer 1 to layer 3 via layer 2)
Great video. I have Pfsense as my main router and 3x ddwrt AP. Ill try vlans soon, but is there a way to create a mesh system; then use vlans to segment?
Great Instruction. Worked perfect. Unfortunately as soon as I assign the Virtual Wifi to the Iot Bridge I cannot connect to it anymore. Without Bridge set it works fine. Any ideas? THX
I had the same problem. If I tried to add any VAP to a bridge, the VAP would stop working. However in my case updating to the firmware to v3.0-r47900 std from 12/20/21 fixed my issues. Although I did have to do a factory reset after upgrading.
I have home assistant running a VM in my PC, which vlan should I put it in IOT vlan or private vlan? If I put it in the private vlan, will the update from the IOT be able to reach the VM?
I use ddwrt and changed my ssid name in setup. Sometimes my windows pc can't decide which ssid to use...the new one or the old one. ?? Any help on this? --thanks do you need to reset the router to factory defaulys before changing the ssid?
No internet connection, but figured it out after a couple of hours. Setup everything two times, thinking I did something wrong the first time. Went to Setup > Networking > Port Setup > WAN Port Assignment and changed it to vlan1 and I was able to access to internet again. Hope this helps someone, took forever to figure it out.
Anyone who knows anything about the E4200 on DD-WRT is that the default VLAN assignments were wrong for quite some time. VLAN 2 is WAN, VLAN 1 is LAN. You have to correct this FIRST via webUI, save, and reboot. Prime example of someone not doing enough research before creating a how-to video.
The problem with this process is that devices such as Linksys 32x routers Wi-Fi do not do a valid handshake with many Internet of Things devices. They simply cannot connect to it. I have to use a separate Linksys router running stock firmware in order to use wi-fi.
SOS Chris, my ISP demande to set a tagged Vlan ID as 40 in order to connect to internet via PPPoE. But I don't know how to config it in DD-WRT, could you PLEASE help me out?
I just followed this tutorial and while I was able to successfully setup a VLAN on Port 4 of my Asus AC1900P and get a new IP address the commands to stop VLAN traffic accessing my 192.168.1.xx network did not work. From the VLAN I could access my home network and from my home network I could not access the laptop I had on my VLAN 192.168.107.xx I made sure to add the rule to the firewall but no matter what I did I could not stop VLAN traffic back to my 192.168.1.xx which kinda defeats the object. Any ideas what may be wrong? I am running the latest version of DD-WRT
hi, I ended up with 2 routers and I wanted them for IoT and home usage. However I have a dilemma: most (if not all) of my IoT devices talk to my local home assistant server as well as local MQTT server. So for the sake of being able to talk, home assistant also has to be in the IoT segment, right? If so it means: my HA will be also in insecure segment. On top of that, my HA is also talking to my home devices (other servers). So I think I need another solution. What I however did is: all IoT have internet access blocked (anyway, all of them are controlled only from HA and only with the local integrations) - I am thinking: do I need then 2 segments (for security purpose) or not? If YES (2 segments still needed) then how to solve the issue of HA being accessible to IoT devices, yet not being exposed?
I was in a similar situation & got it to work by adjusting the firewall rules to allow access to my HA IP Address. Caution: remember, your HA doesn't use a default HTTP(S) port. Sadly, I don't have the firewall commands anymore, or I'd pass them along.
@@TheKauff Yeap, I think I found a solution: 1-outer router for IoT, 2-inner router for home devices, including HA, 3-port forward from outer to inner only for specific ports - everything else blocked. I am yet to test it as I am not sure about which ports (for sure HA http and MQTT) and what about autodiscovery
Little bit old, but still usefull...except ... I followed your tutorial, everything works. Except that the connection on the iot vlan won't connect to the internet. On the other vlan (wired and wireless) i can get internet connection. But on the iot network not. IP address is correct, but there it stops. What am i doing wrong?
if you're on new firmware, have you got the LAN CPUPORT box checked for your IoT vlan? So you need the 'LAN COUPORT' check-bock ticked for every LAN vlan you setup (but not on the WAN row, obviously. that should have the 'WAN CPUPORT' checked.) NB: this will also automatically setup vlans, which is handy. I'm using DD-WRT v3.0-r52330 std (04/14/23) on a Linksys WRT1900ACSv2. Side note, if you are using the same/similar router, I found that the port-mappings are actually backwards in the GUI... so for me, Port 1 in the GUI is actually the port 4 socket on the hardware.
I am running latest dd-wrt firmware , vlan works well and ip address issued as set but still vlan on br1 can ping comfortably system on vlan linked to br0 , have used entire set of commands as shown and for denying iptables -I FORWARD -i br1 -o br+ -j DROP
I managed to stop the IOT network from communicating with the private network but setting the IOT WiFi up as per the video I cannot access it, just keeps saying "wrong password" The only way I can connect to the IOT WiFI is by deleting the bridge assignment from br1 to wl0.1 then setting up a separate DHCP server for the WiFI. Then I can connect a WiFi camera to this network but if I have my laptop connected to the VLAN I cannot access the WiFi device. I assume this is a firewall issue but I am not sure how to fix it. It appears that when the br1 to wl0.1 is added no IP is given to the wireless client which I think then stops it from connecting. Hope someone can help, I am so close to moving my cameras to a VLAN, most of my cameras are hardwired but I do have 2 that are WiFi
Have the same issue were you able to resolve at all? I take that back I can connect to the guest WiFi but only if no password or WPA. if left disable works fine.
@@jimbieker7484 Yes I did, I cannot remember where I found the answer, I thought I bookmarked it but I had to add the following as a startup script sleep 20; stopservice nas; wlconf eth1 down; wlconf eth2 down; wlconf eth1 up; wlconf eth2 up; startservice nas
i have a very simple question when using DDWRT on my wrt54g, asus n66u , etc I only use port -1-4 , usng port 1, I click VLAN 2 and tag and I get automatically a WAN ip address from ISP on my router, now with WRT3200ACM DDWRT HOW ON earth do i do that .. all the guides are confusing AF , thanks in advance
This has been so helpful! Thanks so much. Everything works except my vap isn't getting DHCP from br1...the LAN port in the same VLAN is getting DHCP tho. I was wondering if you can help me out. Thanks!
@@bruceice For both of you, I would try double-check ing your DHCP settings, rebooting your router, or doing a factory reset & re-building your config. There's a part in the video where you have to make sure your setting the DHCP on the right bridge. It's also possible DHCP traffic is being blocked, but that's a much deeper issue.
It may also be worth trying a newer firmware. I was running into the same issue. If I tried to add any VAP to a bridge, the VAP would stop working. However in my case updating to the firmware to v3.0-r47900 std from 12/20/21 fixed my issues. Although I did have to do a factory reset after upgrading.
I have a different goal in mind. I don't want untrusted devices to connect to the internet at all, hardening the home network. I could have a have a baby monitor to keep tabs on kids when I'm at work. Kids being kids might sometimes be inappropriately dressed for company as they walk through the house when no one else is home. Or perhaps I have an IP based security system. Either way, I can't be sure these devices don't have built-in hacking programs that might be able to capture local IP and Wi-Fi traffic for the purpose of masquerading as another device by switching the other device's MAC address, and SSID if the other device is Wi-Fi. So, I want multiple vLANS, one for each untrusted device and filtered so that only that device's MAC address can communicate. For the Wi-Fi devices, a unique hidden SSID + password + MAC filter for that device is routed to a unique vLAN. Each Wi-Fi SSID needs its own MAC filter as well, so only that device can connect to that SSID and only that device can route to the assigned vLAN. Then a routing table to allow an NVR on the main LAN to communicate with any untrusted camera vLANs, and to allow a security controller to connect to any security devices on the other untrusted vLANs. Is it your impression that DD-WRT can do this all in a single router, or will it need two routers, one for untrusted devices.
I can’t get no internet in the IoT WiFi. Even tho o followed this by the letter three times. Clearing NVRAM in between each. Any help would be greatly appreciated.
I had to follow someone else’s tutorial. It’s curious how that other one did work. Same happened with the WireGuard video here. Broke my internet connection. Take this videos down. Stop this.
Thanks so much for the informative video. I was able to flash my Asus router with DD-WRT and assign the VLAN to port 4 and all the IP addresses work great but I can still ping 192.168.1.1 from 192.168.107.1. I used the command lines in the video for the firewall but it appears the firewall still also traffic between the two subnetworks. Any ideas what I may have missed or causing this? Thanks….
Yeah I'm wondering about this too. Perhaps In order for the VLAN to function a connection has to be established with the DDWRT router and the commands the forum user posted assume any attempts to breach the router will be shut down by the SP1 firewall? Just my guess.
Yeah, I had the same problem. Router's management console was accessible from both IPs 192.168.1.1 from 192.168.107.1 from IoT network. I think even if we block packets to 192.168.1.1, we won't resolve the vulnerability to router's console. A workaround I used is to add below lines in firewall config to block access to router services from br1. #Block guest access to router services iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
@@DisasterousRDX Thank you for this! The programming of firewalls is something that has always really intimidated me haha so I appreciate posting your workaround. While still pingable, rejecting all those protocols from the br1 subnet essentially safegaurds our routers console from harm. Thank you again!
@@TheKauff Or it would be even better to just accept traffic to port 53 for DNS and 67 and 68 for DHCP. Then you can have any additional service on your router, you won’t have to block it in firewall.
FINALLY - someone who actually can talk about home VLANs without mentioning Ubiquiti. I do have one question though. Is it necessary to reserve an ethernet port on the router for the IoT VLAN, or can you just do it with WiFI only? I don't have any ethernet IoT devices (all WiFi) so I wasn't sure about this point. Thanks -great video!
I havent done a wifi-only IoT subnet personally, but I believe it should be perfectly possible. You would associate the virtual wifi with the bridge you've created for the IoT network. So, you'd still create the IoT bridge, you'd just skip the step in the video where I assigned the LAN ports. Again, haven't done it personally, but try it out :)
still works for me all Virtual AP same concept.
I had spent day's looking for a way to isolate IP cameras from other computers on my lan. This is great thank you so much for taking the time to make this video.
Fantastic Video Chris. It worked like a charm on my 3200WRT on my first shot. Thanks a lot for making the video and explaining so well. Want a challenge? Demonstrate doing the exact same thing using OPNsense (or pfSense) on a 6 port Protectli vault. Because DDWRT development seems to be stalling, particularly with WiFi 6 - I'm being forced into the xxSense wilderness. A pity as DDWRT is the work of Gods!
Literally spent all day trying to figure this out and was just about ready to use my router as a sporting clay....THANK YOU!!!!!
20 yard target practice with Kimber!
Absolutely amazing tutorial! Straight to the point and easy to follow along with. The only issue I was having is that the IoT VLAN didn't have access to the internet. I could connect to the WiFi network and communicate with local devices just fine, but I had no internet access. After some troubleshooting and forum reading, I found the fix was to go under Setup > Networking > and then all the way down under, "Network Configuration br1 - IoT Network" I had to enable, "Masquerade / NAT" and then I had internet access! Hope this helps someone who may be experiencing the same issues
Great Video.. This is exactly what I was looking for long. Conceptually we understand what needs to be done but this hands on real demo helped a lot.
Glad it was helpful!
Wow. Concise, to the point, exactly what i was looking for. Thank you.
Perfect video, finally, i can try VLAN's
Thank you so much for this great video!
The issue I was having that made me seek out this video was that trying to change the switch config would either disable internet access or LAN access completely. I ended up just restoring to factory settings and starting from scratch.
I'm running r48971 on a Buffalo WZR-600DHP2, so my config pages looked a little different, but other than that I was able to follow along. One thing I noticed is that my switch config had the LAN ports on VLAN1 and the WAN port on VLAN2. I didn't want to mess with it again, so I just created VLAN 3 and it worked like a charm.
I'm doing WFH, so it'll be nice to keep my work computer (and IOT devices) separated from the rest of my network.
Really Excellent. I've been looking at DD-WRT after being away for a while, and I want to use it to replace my Eero Mesh. I see some tutorials on setting up Mesh with DD-WRT, and I would love to make sure there's also VLANs that I can setup, so thank you for this. Really great stuff. Subscribed.
This is not the most intuitive interface. Thanks a lot for making the video and explaining the pitfalls (like default vlan0 going away when you added the others -- which is what got me)
Thank you for this! Thank you for explaining so well also thank you for not assuming i know anything. Thank you!
This is the god of explanations right here. thanks
Thank you so much! I wanted to repurpose my TP-Link Archer A7 for IoT instead of purchasing Ubiquiti and this solves that problem wonderfully!
Very good, thanks. Played with this a few years back for a VPN-only SSID and couldn't get it to work. Reckon I could now after watching this video!
Found a cheap Cisco Linksys E1200 v2 at a Renaissance, 5.25 $CAD ; installed dd-wrt (can't get the exact version I installed now, but was June / july 2023) and setup was similar to this. It's key to do CTRL-Shift-R to refresh and ensure settings were saved as many times the UI won't reflect the real settings.
Also the VLAN (Switch) page in the video doesn't show a CPUPORT checkbox that need to be enabled for all VLANs, for the ports to work.
Thanks for writing this up! I had a slightly more complex use case (secondary AP behind main DD-WRT router) and wanted to VLAN all the IoT devices which connect to the secondary router. Once I realized that STP config was causing ports on my core switch to get disabled (because I had STP on on all the bridges on both primary router and secondary AP, likely with default priorities, etc. so that probably looked like a loop to the switch), but eventually got it working.
It's worth noting that versions of DD-WRT v3.0-r48646 (on routers with enough flash) also have the ability to reflect mDNS between different networks, which can help put even your Google home / Alexa speakers on a VLAN... in my case I also needed that to isolate my ESPHome devices from the LAN where the Home Assistant system sits and still be able to access them via HA.
Thumbs UP! Just what I was looking for. In my case, my cameras don't even need the internet, but I can handle that leveraging off of the firewall script.
Man this was perfect thank you for posting. Different router model but same software!
This was a superb instructional video - thanks for taking the time to make it! I am struggling, however, with WAN/Internet access from the VLAN and VAP. I must be missing a route, bridge setting or some other parameter. Even if I remove all of the IPCHAIN firewall commands, and if I run traceroute, there doesn't seem to a route to the outside. What have I missed? Found it - you need to enable Masquerade/NAT under the Setup->Network Configuration for br1!
Hello , what build are you running? I have 47495 and after i create a bridge ,even if i create a firewall rule or not , asign an interface to that bridge or not , my wan network show that is conected , by have no internet access . After i delete the bridge and reboot the router , everything works like normal. Thank you.
@@mihaitutuian Same issue, figured it out. Setup > Networking > Port Setup> WAN Port Assignment (change this to vlan1).
Thank you very much! :) I will get going right away, been searching around and there is a lot of older video's.
Happy to help. I'll admit I'm not a network guy and it took me awhile to piece this together. Hope this works out for you!
@@DevbaseMedia After setting up the firewall, should I be able to get to 192.168.0.1 or 192.168.1.1 from the IoT wifi network? From what I can see, I can't access any device with 192.168.0... except the router's admin panel. My router is behaving a bit strange. Do you know any solution? Thank you in advance for your answer :)
What I have noticed is when I'm on am IoT subnet, I can only get the admin console from the subnet ip address (if the firewall rules are in place, that is). In the video example, when I'm on the 192.168.107.x subnet, I can get the admin console at 192.168.107.1, but I can't get it at 192.168.1.1 (because the firewall rules restrict my ability to see the main subnet).
@@DevbaseMedia For me it works weird, because when I am on subnet 192.168.107.x I can reach the dd-wrt admin panel with the address 192.168.0.1 and 192.168.107.1 but I cannot reach any other device for example 192.168.0.2, 192.168. 0.4. Could you post a link to the forum topic where you got this config?
Hi.
The 107 subnet *shouldn't* be able to see any other devices - it should only have access to the internet (so it's totally isolated).
With that said, there is no reason a subnet needs to be restricted like that (you are right it's enforced by firewall rules).
Here is the original forum post where I explained how I did my VLANs, and the helpful reply for the firewall rules. Note that my *media* subnet (192.168.50.x) was specifically set up to have access to the main network, that is possibly what you are looking for:
forum.dd-wrt.com/phpBB2/viewtopic.php?p=1212560#1212560
Let me know if you need more info
Great video, I plan on installing dd-wrt on my old router this week. Keep up the great videos!!!
Very clear explanation of the steps! Thank you.
I have a pfsense firewall already. So if i set the router running DD-WRT into AP mode will the VLAN function still work? Essentially for my scenario, the WAN in your setup will act as a trunk access and pfsense will manage the firewall rules?
Do you need to create a different SSID for your IoT untrusted devices? Should the IoT SSID be hidden?
Let me see if I understand fully...you isolated both lans here so they can't communicate with one another. Is that correct?
did you try creating a trunk on a single port?
Very clear and well explained, thank you :)
Just in time. Getting ready to make some wrt vlans from old routers.
Nice job. Perfect for my use case. Thanks.
@DevbaseMedia As far as I can tell, I've got your solution working (thankyou!), but I was hoping you could help with a couple things?
First, oddly, I cannot ping (from a terminal/cmd) anything on br1 from anything on br0. I can however remote desktop from br0 devices to br1 devices, so I br0 can obviously talk to br1... just not ping it (also cannot remote from br1 to br0, so that seems to work as desired.) It's a small thing, but make me very curios why?
Additionally, the GUI has changed quite a bit in the newer beta versions. Wondered if you'd consider doing an updated video? Was hoping the newer interfaces would allow you to achieve the same result using the gui - maybe tagging? - without the need to manually write the firewall rules?
Thank you for the tutorial. I got my vlan setup without an issue via ethernet, however I'm not able to connect to the wifi vlan that I set up. I know this video is old, but are there any tips you can provide?
Great video, thanks for a great explanation and walk-through. I followed everything and everything works except when I add my VAPs to br1, I lose DHCP on the VAP but LAN port 4 still works
I had a similar problem. If I tried to add any VAP to a bridge, the VAP would stop working. However in my case updating to the firmware to v3.0-r47900 std from 12/20/21 fixed my issues. Although I did have to do a factory reset after upgrading.
@@Oakey38 same issue here stuck still at the VAP. giving me incorrect password no matter what.
Most importantly, thank you.
Plugging into the new vlan port initiates a new subnet ip, however putting the connection back still recognizes the device/computer as that new subnet ip, that is until the provided firewall commands are applied. (My router ASUS RT-AC66U)
Do you think setting up a managed switch with VLAN is enough to keep IoT devices from talking to trusted devices on my home network or would I need to have a firewall setting?
my setup internet>router>managed switch: port 1 (router), port 2-4 trusted devices, port 5 (another 5 port unmanaged switch of IoT devices)
Flawless tutorial. Thank you so much!
Great video. Thank you very much.
I have 1 question - can you tell me (or show video) - is it possible to set direct access from the internet (from the provider) on this (or any dd-wrt) router, for example, on port 1 and 2, and to set wireguard on ports 3 and 4, for example?
Hey! So if I wanted to create a vlan just for Wifi for my security cams and untrusted devices, do I have add new passwords and SSID again for that particular vlan after set up? My cams are annoyingly to set up wifi on. I'd rather keep those settings on the cams and then change them on my main wifi network for trusted devices. For extra security. But what if I keep same SSID/password on both networks will that be worse? Just askin', I rather not change anything besides two separate networks, but I will if I must. Sorry if this is super simple. But this vid was exactly what I needed. Very good!
Well, I would like to say very, very interesting for sure I do like solid security however it will take sometime for me to configure these settings however I'm more interested In the wireless settings for now. Are The wireless interfaces and virtual interfaces under wireless settings similar ? One more secure that the other? I would like to put my Amazon Fire Stick on the wireless virtual however I keep it hidden from broadcasting (maybe being more secure) but it will not connect that way since hidden. Amazon device wants to see the device to connect to it I'm not sure if this would be wise move or not. Is there another secure way to keep streaming device in their own WIFI zone I guess separate from others? Thanks for the video.
As your IOT devices are on SSID network dd_wrt_ IOT and your trusted devices (like your phone) would be on SSID dd- wrt, in order for you to "see" or in cases where you needed to update an IOT device, would you have to switch out of of dd-wrt and get into dd-wrt-iot to see it? Or does this "virtual" lan be visible when you are attached to dd-wrt?
Is there a way to have the IoT network use my PiHole that is on the main network? How would that config work? Thanks
A very useful video! I followed your steps and successfully created an IoT network. With the iptables commands you advised, a device in the IoT network (i.e. 192.168.107.*) is not able to ping all the other devces in the 192.168.1.* network.....except 192.168.1.1. In fact, 192.168.1.1 is the same as 192.168.107.1 so I would not be surprised if devices in the 107.* network can ping 192.1.168.1. However, I found in your video that you was able to block the traffic from 107.* to 192.168.1.1. I wonder why and what caused the difference. I will keep searching to find a way to block the traffic from 107.* to 192.168.1.1. In case you know what caused the difference, please advise.
maybe somebody will know better but I think that is something to do with the fact that 192.168.1.1 is the gateway for the vlan, maybe there is a way to create another ip address for the same router in the 192.168.107 network
Did you find a solution?
Thank you a 1000000 times ❤️🎉
super helpful! like and subscribed. i have just one question: i’m reconfiguring our whole home network for better security. other than changing my wireless router to dd-wrt, i’ll be adding a managed switch to hardwire as many devices as possible.
it may not make a huge difference but i can’t tell if it is better to set up the VLAN for iot on the switch or on the dd-wrt. do you recommend one or the other?
as far as i can tell, the only advantage to doing it on the dd-wrt would be for the virtual AP. on the switch, i would need a second physical wireless router.
thanks again!!
I'd test speeds both ways. I don't have any managed switches, only unmanaged switches, so for me, putting dd-wrt as the principal and putting an unmanaged switch on the IoT LAN port made sense.
Another consideration might be whether you want to use many additional features of dd-wrt. I have another couple of videos on setting up OpenVPN and Wireguard servers. If you end up wanting to do that, you might consider using dd-wrt for your main (DHCP) router.
@@DevbaseMedia Right, DDWRT has a ton and ton of great features. I’ll go check out your videos. And I like the (obvious) idea of basing the decision on speed. my only hesitation with not utilizing more ddwrt features is making it a bottleneck with too much going on. thanks for the reply!
I think that designing DD-WRT so that you have to apply IP addresses and DHCP servers to 'bridge' virtual interfaces is counter-intuitive and potentially quite confusing. It would also be very helpful if there was a set of commands made known that would help anyone with a DD-WRT device discover the interface stack and full Physical to logical mapping (layer 1 to layer 3 via layer 2)
Great video. I have Pfsense as my main router and 3x ddwrt AP. Ill try vlans soon, but is there a way to create a mesh system; then use vlans to segment?
How to set-up VLANs on Qualcomm Atheros QCA9533? thank you
Simple, clear and very helpfull!!!
Great Instruction. Worked perfect. Unfortunately as soon as I assign the Virtual Wifi to the Iot Bridge I cannot connect to it anymore. Without Bridge set it works fine. Any ideas? THX
Give your device the IP that matches vlan manually
I had the same problem. If I tried to add any VAP to a bridge, the VAP would stop working. However in my case updating to the firmware to v3.0-r47900 std from 12/20/21 fixed my issues. Although I did have to do a factory reset after upgrading.
Great video.
I will put this knowledge to good use, I promise.
If I want the router to receive the Internet via cable from the main router, I have to turn on the client mode ? And connect LAN >LAN right ?
This video helped me understand vlan in dd-wrt. thanks bro! You deserve a like and comment, and subscribed
I have home assistant running a VM in my PC, which vlan should I put it in IOT vlan or private vlan? If I put it in the private vlan, will the update from the IOT be able to reach the VM?
Thanks for the great video
I use ddwrt and changed my ssid name in setup. Sometimes my windows pc can't decide which ssid to use...the new one or the old one. ?? Any help on this? --thanks do you need to reset the router to factory defaulys before changing the ssid?
No internet connection, but figured it out after a couple of hours. Setup everything two times, thinking I did something wrong the first time. Went to Setup > Networking > Port Setup > WAN Port Assignment and changed it to vlan1 and I was able to access to internet again. Hope this helps someone, took forever to figure it out.
Also I Have an AP point ( Nano HD ) from Ubiquiti ... any toughts on how to add a wifi IOT on it with the DD-WRT setup ?
Do I need a DHCP assigned if all my iOT devices are using reserved IP's?
i've been looking for days man , thanks !
Good Job I Think you did well and explain very good
Please a video to configure multiple WANs for Load balancing or failover.
Thanks so much for this !
Anyone who knows anything about the E4200 on DD-WRT is that the default VLAN assignments were wrong for quite some time. VLAN 2 is WAN, VLAN 1 is LAN. You have to correct this FIRST via webUI, save, and reboot. Prime example of someone not doing enough research before creating a how-to video.
The problem with this process is that devices such as Linksys 32x routers Wi-Fi do not do a valid handshake with many Internet of Things devices. They simply cannot connect to it. I have to use a separate Linksys router running stock firmware in order to use wi-fi.
SOS Chris, my ISP demande to set a tagged Vlan ID as 40 in order to connect to internet via PPPoE. But I don't know how to config it in DD-WRT, could you PLEASE help me out?
Can there be a real trunk port which carries multiple vlans to another switch, say a Cisco SG300-10MP ? if so, how? I have tried. no luck.
Thank you!
I just followed this tutorial and while I was able to successfully setup a VLAN on Port 4 of my Asus AC1900P and get a new IP address the commands to stop VLAN traffic accessing my 192.168.1.xx network did not work. From the VLAN I could access my home network and from my home network I could not access the laptop I had on my VLAN 192.168.107.xx
I made sure to add the rule to the firewall but no matter what I did I could not stop VLAN traffic back to my 192.168.1.xx which kinda defeats the object. Any ideas what may be wrong? I am running the latest version of DD-WRT
thank you.. great video
Is there a way of doing this in ddwrt where devices you want to isolate are mingled on the same wired network?
Fantastic one. Thanks a ton 🥳
Off topic question, but what xfce theme are you using?
It's called Greybird (there is also a Greybird dark, but I'm using the standard version)
@@DevbaseMedia Thanks. I think it looks beautiful.
hi, I ended up with 2 routers and I wanted them for IoT and home usage.
However I have a dilemma: most (if not all) of my IoT devices talk to my local home assistant server as well as local MQTT server.
So for the sake of being able to talk, home assistant also has to be in the IoT segment, right? If so it means: my HA will be also in insecure segment. On top of that, my HA is also talking to my home devices (other servers). So I think I need another solution.
What I however did is: all IoT have internet access blocked (anyway, all of them are controlled only from HA and only with the local integrations) - I am thinking: do I need then 2 segments (for security purpose) or not? If YES (2 segments still needed) then how to solve the issue of HA being accessible to IoT devices, yet not being exposed?
I was in a similar situation & got it to work by adjusting the firewall rules to allow access to my HA IP Address. Caution: remember, your HA doesn't use a default HTTP(S) port.
Sadly, I don't have the firewall commands anymore, or I'd pass them along.
@@TheKauff Yeap, I think I found a solution: 1-outer router for IoT, 2-inner router for home devices, including HA, 3-port forward from outer to inner only for specific ports - everything else blocked. I am yet to test it as I am not sure about which ports (for sure HA http and MQTT) and what about autodiscovery
Genius! Thank you!
Just what I was looking for today- thx!
Glad I could help!
@10:17 why is their not the default wl0 and wl1 listed?
Little bit old, but still usefull...except ... I followed your tutorial, everything works. Except that the connection on the iot vlan won't connect to the internet. On the other vlan (wired and wireless) i can get internet connection. But on the iot network not. IP address is correct, but there it stops. What am i doing wrong?
if you're on new firmware, have you got the LAN CPUPORT box checked for your IoT vlan?
So you need the 'LAN COUPORT' check-bock ticked for every LAN vlan you setup (but not on the WAN row, obviously. that should have the 'WAN CPUPORT' checked.)
NB: this will also automatically setup vlans, which is handy. I'm using DD-WRT v3.0-r52330 std (04/14/23) on a Linksys WRT1900ACSv2. Side note, if you are using the same/similar router, I found that the port-mappings are actually backwards in the GUI... so for me, Port 1 in the GUI is actually the port 4 socket on the hardware.
I am running latest dd-wrt firmware , vlan works well and ip address issued as set but still vlan on br1 can ping comfortably system on vlan linked to br0 , have used entire set of commands as shown and for denying iptables -I FORWARD -i br1 -o br+ -j DROP
Hi there, how to connect wireless devices like Mobile or laptops to VLAN and access the internet through vlan ?? thnx
hi is there a way to add a vpn to the new VLAN only without it affecting the other LANs?
I managed to stop the IOT network from communicating with the private network but setting the IOT WiFi up as per the video I cannot access it, just keeps saying "wrong password" The only way I can connect to the IOT WiFI is by deleting the bridge assignment from br1 to wl0.1 then setting up a separate DHCP server for the WiFI. Then I can connect a WiFi camera to this network but if I have my laptop connected to the VLAN I cannot access the WiFi device. I assume this is a firewall issue but I am not sure how to fix it. It appears that when the br1 to wl0.1 is added no IP is given to the wireless client which I think then stops it from connecting.
Hope someone can help, I am so close to moving my cameras to a VLAN, most of my cameras are hardwired but I do have 2 that are WiFi
Have the same issue were you able to resolve at all? I take that back I can connect to the guest WiFi but only if no password or WPA. if left disable works fine.
@@jimbieker7484 Yes I did,
I cannot remember where I found the answer, I thought I bookmarked it but I had to add the following as a startup script
sleep 20; stopservice nas; wlconf eth1 down; wlconf eth2 down; wlconf eth1 up; wlconf eth2 up; startservice nas
i have a very simple question when using DDWRT
on my wrt54g, asus n66u , etc
I only use port -1-4 , usng port 1, I click VLAN 2 and tag and I get automatically a WAN ip address from ISP on my router, now with WRT3200ACM DDWRT HOW ON earth do i do that .. all the guides are confusing AF , thanks in advance
i think this is a stupid question but how would you see the feed from the ip camera if its on a vlan.
Try ispy and add your camera, it should give you a link, put that link in VLC player streaming.
Thanks for the video.
Thanks!
thanks this helped me big time
Hi!
Thanks a lot it was ver helpful
additional : Switch Config/Vlan tagging doesn't work Atheros routers
Wish I would have had this video sooner, guess I’ll try it with my new nighthawk.
This has been so helpful! Thanks so much. Everything works except my vap isn't getting DHCP from br1...the LAN port in the same VLAN is getting DHCP tho. I was wondering if you can help me out. Thanks!
Same here. You got any solution?
@@peremilskjold9388 no solution yet and I'm still searching. Will update if I find anything that works
@@bruceice For both of you, I would try double-check ing your DHCP settings, rebooting your router, or doing a factory reset & re-building your config. There's a part in the video where you have to make sure your setting the DHCP on the right bridge. It's also possible DHCP traffic is being blocked, but that's a much deeper issue.
It may also be worth trying a newer firmware. I was running into the same issue. If I tried to add any VAP to a bridge, the VAP would stop working. However in my case updating to the firmware to v3.0-r47900 std from 12/20/21 fixed my issues. Although I did have to do a factory reset after upgrading.
Good tutorial! However every time I enable vLANs the WAN port stops working, and I cannot figure out why. I am running build 44719.
If you still not have the access to the internet , i can provide an example of iptables rules that works for me.
Same issue, figured it out. Setup > Networking > Port Setup> WAN Port Assignment (change this to vlan1).
Every time I change the VLAN settings in the "switch config" tab my router will disconnect from the internet and not return unless I factory reset.
Manually give your device an IP that matches vlan.
I would double-check that you're not moving the port the Internet is connected to, to the new VLAN.
I have a different goal in mind. I don't want untrusted devices to connect to the internet at all, hardening the home network.
I could have a have a baby monitor to keep tabs on kids when I'm at work. Kids being kids might sometimes be inappropriately dressed for company as they walk through the house when no one else is home. Or perhaps I have an IP based security system. Either way, I can't be sure these devices don't have built-in hacking programs that might be able to capture local IP and Wi-Fi traffic for the purpose of masquerading as another device by switching the other device's MAC address, and SSID if the other device is Wi-Fi.
So, I want multiple vLANS, one for each untrusted device and filtered so that only that device's MAC address can communicate. For the Wi-Fi devices, a unique hidden SSID + password + MAC filter for that device is routed to a unique vLAN. Each Wi-Fi SSID needs its own MAC filter as well, so only that device can connect to that SSID and only that device can route to the assigned vLAN. Then a routing table to allow an NVR on the main LAN to communicate with any untrusted camera vLANs, and to allow a security controller to connect to any security devices on the other untrusted vLANs.
Is it your impression that DD-WRT can do this all in a single router, or will it need two routers, one for untrusted devices.
I can’t get no internet in the IoT WiFi.
Even tho o followed this by the letter three times. Clearing NVRAM in between each.
Any help would be greatly appreciated.
I had to follow someone else’s tutorial. It’s curious how that other one did work. Same happened with the WireGuard video here. Broke my internet connection. Take this videos down. Stop this.
@@luis.encisogot a link to that video you used to fix it?
Can i block the vlan network(with cameras) access to internet? basically i would like it to be local vlan only
I managed to do with by giving the camera no gateway or wrong gateway. Use NVR or VLC to watch stream. TH-camr level1techs did a video on this.
Great vid. Thanx
You never tested the wireless. I can not get my wireless ap to pass shcp addresses.
To find out CPU port number, ssh into DD-WRT and run "dmesg | grep 'CPU Port'"
Thanks so much for the informative video. I was able to flash my Asus router with DD-WRT and assign the VLAN to port 4 and all the IP addresses work great but I can still ping 192.168.1.1 from 192.168.107.1. I used the command lines in the video for the firewall but it appears the firewall still also traffic between the two subnetworks. Any ideas what I may have missed or causing this? Thanks….
Yeah I'm wondering about this too. Perhaps In order for the VLAN to function a connection has to be established with the DDWRT router and the commands the forum user posted assume any attempts to breach the router will be shut down by the SP1 firewall? Just my guess.
Yeah, I had the same problem. Router's management console was accessible from both IPs 192.168.1.1 from 192.168.107.1 from IoT network. I think even if we block packets to 192.168.1.1, we won't resolve the vulnerability to router's console. A workaround I used is to add below lines in firewall config to block access to router services from br1.
#Block guest access to router services
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
@@DisasterousRDX Thank you for this! The programming of firewalls is something that has always really intimidated me haha so I appreciate posting your workaround. While still pingable, rejecting all those protocols from the br1 subnet essentially safegaurds our routers console from harm. Thank you again!
@@DisasterousRDX @ChromeAftermath I'd also add in a line to block http traffic, not just HTTPS. It'd be the same command, just set dport to be http.
@@TheKauff Or it would be even better to just accept traffic to port 53 for DNS and 67 and 68 for DHCP. Then you can have any additional service on your router, you won’t have to block it in firewall.
I tried this and it works but the wan port is no working as well. Does anyone knows how to fix that