How to Create a VLAN - A Beginner's Guide // OpenWrt Router (Up to 19.x)

Guests.

Perfect use for VLANs, I do the same.
Actually funny enough, when I had my Linksys Velop router, and when setting up a guest network on it, I noticed that it was actually creating a VLAN with I believe a ID of 3. I started googling this info for some reason and found out in the support forums that their guest network is just a VLAN. I was disappointed to see the lack of control provided by Linksys (couldn’t changed the VLAN ID or make a different network range), but then again not surprised. This is why I was happy to move over to UniFi hardware.

@@DevOdyssey Media devices, such as smart TV or rokus, that simply need internet connection and access to nothing else.

@TheGreatNorris great use case! The best way to isolate those media devices that really only need internet access. Especially since you don't always know what these devices are trying to do, attempting to access within your internal network, or what vulnerabilities they may have, potentially letting unwanted guests into your network.

I will set up two vlans. one for my kids net and another for my home networking/hacking lab

Thanks for watching Bryant!
Let alone, thank you so much for the very kind words. Compliments like this truly mean a lot to me, and is why I try my best to make these videos informative, easy to digest, and simple enough to do on their own. When my viewers can learn, and solve problems using my videos, I couldn't feel any more rewarded to know I impacted them in some positive way.
I appreciate your viewership and hope my other videos are interesting and helpful for you as well!

Thanks for the compliment @wilsonomonz299!
I enjoy sharing practical educational material, as its fun for me, but also what I find to be the most helpful when I'm looking to learn how to do something new. So thats my preferred format, to talk about it and do it 🙂

Thanks for watching Vince! I really appreciate the compliment 😊

You're welcome! thanks for watching!
It makes me happy to hear this helped you with your college class, especially since I didnt learn this in college at all! I am a visual learner myself, and this is how I see it, and has helped me understand VLANs a lot.

Thanks for watching and the compliment @RiskyStars! I really appreciate the support 😊

Thank you very much @Romain Pelissier It means a lot to hear this was helpful, and how it was helpful. I struggled myself to find a good video and step by step guide. While I did find plenty of resources on OpenWrt's forum, it took some finessing to put it all together. Have fun with all the VLANs you create 😊 The possibilities are endless!

You're welcome! Thanks for watching Wagner! 😊
If you have any further questions on VLANs or tagging and untagging on switch ports, let me know.

Thank you @Zerowing!.
I use VLANs for the same as well, and segmented by wireless and wired networks, each with their own (main) client network, IoT network, and guest networks. I still have to get some security cameras but when I do I intend to have those on their own VLAN as well. My UniFi AP's do a pretty good job broadcasting those VLAN networks, even for mesh. Though I take a service hit, its functional. Ideally I'm looking to put more network drops around my home so each AP can get its own network drop and improve my wireless speeds. This should be easier when I set uo some wired UniFi cameras.
I also have some site to site VPN networks, but I'll get into that in another video 😊

Thanks for watching Allen! I really appreciate the compliment 😊
I try to be short sweet and to the point, but also easy enough to understand.

Thanks for watching and for the compliment! Really means a lot to hear that. Glad you enjoy my style / content and that you learn from it. Appreciate the sub!

Thanks for helping Nikolai!
I'll be quite honest, I'm not sure if I was using the stable version or the release candidate version. The version I was using was the same as in this video, when I initially flashed my Netgear R6080 with a snapshot release of OpenWrt, including the upgrade (sysupgrade.bin) th-cam.com/video/1IgwDwoa9yY/w-d-xo.html
You can see the version number at 17:18 in the video above. Looks like its r15838-d2d32dcd5f. I'm not sure if the 'r' in that snapshot release means 'release' candidate.
You can also see the version number at 4:10 in this VLAN video. Do you happen to know if that snapshot release is a release candidate? I'm not too familiar with the version numbering for OpenWrt's release candidates and stable versions, so if this is a release candidate, I apologize for not mentioning it in the video.
Thanks again for chiming in!

Thanks for watching and for the compliment. Jose!
This should be fairly simple. If you are using an OpenWrt version that uses swconfig (such as in this video), then all you need to do is tag all your VLAN IDs (or the VLANs you specifically going to the managed switch) on a specific port of your choosing (ex: LAN 1). Refer to 6:55 in the video for the following example. Say port LAN 1 will carry all your VLANs to a managed switch. You want to change each drop down, next to a VLAN ID on the left and under LAN 1, to “tagged”. It should basically reflect the CPU port (notice how all the drop downs are set to “tagged”). The only VLAN you’d want to leave untagged is the one you want to access LUCI from. So if you want to access LuCI from VLAN 3, you’d leave VLAN 3 untagged. Then you plug in an Ethernet cable from the LAN 1 port, to the Ethernet port on your managed switch.
If you are using DSA, instead of swconfig, as with newer versions of OpenWrt (21.02 and beyond) then you can also refer to my DSA VLAN + Managed Switch video I made recently on how to configure tagged parts for a managed switch How to Create VLANs using DSA // OpenWrt Managed Switch on RPi 4
th-cam.com/video/d3aYMqt-b_c/w-d-xo.html

Thank you so much for kind words @T4505, and thanks for subscribing! 😊
I agree 100%. I paid $45 dollars for this router, that you can now find on Amazon for $33 dollars. Paying that, over the hundreds of dollars it costs to get similar enterprise grade features, its an insane cost savings to help secure your home, let alone get experience into more technical networking that you'd otherwise have to get at a job or school. Please let me know how this goes for you!
As for your questions. I'll be honest, I'm not quite sure if thats possible. My first thought here is not knowing how the router will know what network to place your device on, when the router antenna is broadcasting WiFi with two different networks on it. While I think you can actually have both networks on one antenna, I have a feeling that your device would just not end up getting an IP address. I have not tried this, I'm just assuming, so feel free to try it.
Otherwise, you could tackle this in potentially two different ways.
1. Send tagged VLAN traffic on the broadcasted WiFi.
I did notice section where you can send tagged traffic on the WiFi network, (since in this video the VLAN traffic is untagged), though your end device would have to be smart enough to untag the VLAN traffic for the network of your choosing. I have no experience doing this at all, but its got to be there for some reason, maybe for other network devices that can handle tagged VLAN traffic over WiFi.
2. (Likely the better option). Assuming your TP Link is dual band, and OpenWrt supports it on your TP Link, you can set up your 2.4 Ghz WiFi on the default network, and the 5 Ghz WiFi on the VLAN network. This way you have either option, depending on what devices you want to connect to which network.
As for your physical LAN port question. Any network settings you do on the WiFi, will not affect the LAN port, and vice versa. So you will have to manually untag the physical LAN port with whatever VLAN ID you chose, in order to set that physical LAN port with that VLAN to access it over ethernet as I did at part 6:39. And it certainly can be a different VLAN than your WiFi if you chose.

@@DevOdyssey thank you for your reply, I'll let you know how it went.
Does the router you have contain 2 antennas? If I understood correctly, your tutorial demonstrates the broadcast of 2 Wi-Fi networks (Home & VLAN/Guest WiFi) right? I may have misunderstood something.
If my problem is whether or not the router will connect me on the right one, can't I just manually connect on the preferred one so the router can remember the SSID? I assume since the devices broadcast probes for known networks via SSID knowledge, it won't be a problem.

@T4505 Great, looking forward to hearing how it goes.
Yes, the router I do have 2 antennas or radios. If you see at 7:30 in the video, there are 2 radios, radio0 and radio1, those correspond to 2.4 and 5 GHz bands respectively.
So you’re almost right. In this video I’m actually showing how you can broadcast a VLAN over one WiFi radio wave, and not two networks over the same radio wave. But, since I only used the 2.4Ghz band for the VLAN, you can easily edit the second radio interface (radio1) to broadcast the Home network. Actually by default it’s already configured to do that. So if I just turned it on, it would be broadcasting the Home network, or the default network it’s configured with, and not the VLAN. Thereby, you’d get the two networks over WiFi. These would have 2 different SSIDs, the first you can called guest (the VLAN one I turned on in the video), and the Home one (radio1 interface), that I didn’t enable. You’d just have to click enable and then it’s up and running, though I’d change the SSID, and add security to it, as it’s open by default.
So yes, you can connect manually to the preferred SSID and you’d be fine. In my earlier comment, I was making the the point that you likely can’t have two networks on the same WiFi radio wave. In this video, I’m only broadcasting the VLAN over the one radio wave (radio0).
To accomplish your guest network, all you’d need to do is turn in the second radio wave (radio1), and name it however you’d like. This will be your home network. The VLAN I set up and broadcasted in the video (on radio0) can be your guest network.
Let me know if this makes sense!

@@DevOdyssey everything makes sense now, I just misunderstood a little bit before writing my initial comment.
Now I get everything and I will experiment a little bit. Thank you again, I'll let you know how it went. Also, if everything goes south, I can just connect a rpi4 to the VLAN via ethernet and configure that as a wifi network. I can also setup more firewall rules like a pfSense for example, so it's still a win.
For now I'll try to set the 5Ghz band for the VLAN and keep the 2.4Ghz for the default WiFi network.

@T4505 ah good, glad it’s cleared up.
Yes thats a good backup plan to have, as long as you untag the VLAN on that Ethernet port. Or even if you forget to, you can access the router interface from either network to configure the WiFi. You can also shut this access off with firewall rules or maybe they have an option to disable the firewall interface on a specific network. Haven’t looked into that yet.
I’d also certainly set up some firewall rules as well, because by default, your guest network will be able to access the home network. One easy firewall rule should fix that. I like FreeBSD firewalls better, like pfSense, and understand those rules better with the experience I have, but iptables isn’t too bad, just takes more time for me. Plus I don’t know of any routers that can flash pfsense on it so that’s a win for OpenWrt.
That configuration sounds good to me, best of luck!

Thanks for watching plixplux!
Logical / virtual concepts aren't always the easiest to understand from the get go, so I understand. It took me some time to get a full grasp on it myself.
In this example, I didnt want to get into configuring custom routes or any default routes. So technically, devices that connect on this network can communicate with all private IPs (and external via the gateway). Generally after this, I would configure firewall rules that allow / prevent access to other networks outside of the CIDR / network range. While you could technically do this with specifying routes to prevent access, I usually do it with firewall rules.
Technically speaking, specifying routes via the routing table is not a means of implementing security or network segregation. It's more so used to designate how network traffic should leave your network, whether it be other internal networks, or external networks. I have some experience here, though again I usually set up different network access via firewall rules.
Let me know if this answers your question!

You're welcome! Thanks for watching CC 😊

You're welcome @baconsledge! Thanks for watching, I appreciate the compliment.

Thanks @emmanueljaramba5325!
So basically, if you want to practice VLANs with your secondary router, the tp-link w/ OpenWrt 23.05, you will need to basically use that as your network switch. You'll want to connect your devices to the tp-link, and basically nothing on your primary router (unless you want it on primary router network and not on a VLAN).
Then you'd simply create your VLANs on the secondary router, and broadcast it over WiFi, or untag them on switch ports (using the new updated guide at the top of my description), and thats it. Just plug in or connect and it should work. Now depending on your primary router, you might have to double NAT, if it wont NAT addresses from another network. I can't be 100 percent sure as I don't know what you're using as a primary router or how it works, but there's a possibility it might not do that. For example, some consumer grade routers don't respond to pings from outside their network.
So first give it a shot without NAT and see how it works.

You're welcome and thanks for watching! @Kim-jj3nr

Thanks for watching ramosel!
So for OpenWrt 21.02, you can use DSA to create VLANs with or without a bridge. Watch the updated video I made below and look at 07:15 of the video that I believe is what you're looking for.
th-cam.com/video/d3aYMqt-b_c/w-d-xo.html

Hi Malik, thanks for watching and for telling me your version of OpenWrt you are using. That should be the version I was using, well at the least it was a snapshot of that version.
Anyway, maybe this User Interface option didnt make it into the final release. Though it should still be available when you edit the interface after creating it. Can you edit the VLAN Interface you made and see if "Bridge Interfaces" option is available under "Physical Settings" tab? See 6:12 in the video. If its there, you should be able to bridge interfaces here just as you would've at 5:14.

​@@DevOdyssey thanks for quick reply, to be specific of my openwrt version is OpenWrt 21.02.0 r16279-5cc0535800.
Sorry I forgot to mention about the "Device" after I clicked the "Add new Interface". I can only pick one, there's no "tick boxes" like on the video.
I created the VLAN Interface and edit it, there's no "Physical settings" on the tab bar. Only general, advanced, firewall, & dhcp.
maybe I should try to flash/downgrade openwrt?

@@xMyPlaylistx You're welcome! Sorry for the delay, its been a busy few days for me.
All good no worries. That is quite strange. I'm not sure why you wouldn't have a "Physical Settings" tab bar at the top there. You could try downgrading, though I'm not sure how well this will work, or if this issue is even related to the version of OpenWrt. The version I'm using is an older snapshot, r15838-d2d32dcd5f, so I would think the newer versions wouldn't break this, but I could be wrong, as I havent tried with that snapshot. Maybe it's the hardware and that it doesn't support VLANs (802.1q)? I find that a bit doubtful only since its a protocol thats been around for a long time. But I'm certainly not an expert in OpenWrt builds.
Anyway, before doing a flash/downgrade, would it be possible to try setting up a VLAN using the configuration files? Below you'll see a link to a post on how to do this via the config files. It's actually how I set up the VLAN before doing it graphically, I just copied config files, tweaked and tested it. I only did it graphically since I thought that would be better for video, but with how many comments I've gotten where people can't see devices tab, maybe I should've shown this with the config files! Regardless, let me know if you do get this working with the config files, and if not, what you encountered.
jasonschaefer.com/setup-vlan-on-openwrt-using-hardware-that-has-no-switch-ports/

Im stuck here as well. WRT3200ACM? I had VLAN running properly prior to updating. :(

@@brendanharris9197 I'm sorry to hear that! 😕
Looks like you had some breaking changes when upgrading to OpenWrt 21.02. Doing a search on the OpenWrt Forum, looks like someone else was going through getting VLANs to work on OpenWrt 21.02 and using the same router, WRT3200ACM.
forum.openwrt.org/t/reconfiguring-vlan-on-openwrt-21-02/103592
Hopefully this forum post helps you, or at least lead you down the right path.

Hi Treeck57!
Thanks for watching. Regardless of the architecture, or the amount of NICs on the device, the same concepts should apply. So with regards to your APs, if you want them isolated with VLANs, that shouldn't be a problem, however this depends on what you want those APs to do. If you want the APs to broadcast the same VLAN that they are on, and no other VLAN, you can isolate that ethernet port as an untagged VLAN port, and then in your AP, you can turn on the a setting to isolate WiFi clients (Layer 2), assuming you AP has that setting. If you want your APs to broadcast multiple VLANs, it first will need to be VLAN capable. Then in addition, you will need to tag the port with the VLANs you want, and untag it with the VLAN you want the AP to reside on.
The smart managed TP-Link switch will come in handy here as you will pass the VLANs from your OpenWrt instance to the TP-Link managed switch with your VLAN config.
You might want to check out my Advanced VLAN video, as that will likely be very helpful for you here, and your instance will likely use DSA, as opposed to swconfig like in this video. But again, the same concepts apply overall, just the way it's achieved is a little different.
th-cam.com/video/2dH-O0crThk/w-d-xo.html

Thanks for watching Mark!
Sounds like you are on the right track to me, especially since you are aware of your switch having VLAN capabilities. Segmenting that traffic between two different VLANs makes perfect sense from a use case standpoint. Definitely good to have surveillance cameras on their own network, given their importance. They should have all the protection and isolation they can get. With your Sodola switch, you just have to untag each port appropriately with the right VLAN (if a TiVO or a camera is connecting to it), and if you tag the trunk port correctly with all your VLANs coming from the router, you should be good to go.

Thanks for the compliment ciberconntrol!
I'm not sure I completely understand your question. Can you elaborate more on how you want to connect those two devices? Are you trying to connect them wired or wirelessly? Are you trying to set up these devices on two different VLANs? It sounds like you aren't since your TP LINK Archer C50 can't since it has no VLAN option (unless you flash OpenWrt on it), so I'm a bit confused as to what the ask is. If you can also elaborate on the overall goal you are trying to accomplish, I can then better assist.

Thanks for watching @pascalleprevost1489.
So I assume you are already using the OpenWrt LuCI web GUI and not the Gl.iNet web GUI. If so, are you now speaking about 5:09 in the video or 7:23?
I'm not sure at which place you are speaking of, but those should be available, regardless if you are using 19.x or anything beyond it. Given you are using the GL.INET gl-ax1800, you probably are on OpenWrt 21.xx at the very least, so you should have these options available. I'm just using the existing wireless interfaces available, and not adding a new one. The GUI should look very similar as well.
If you aren't using LuCI, you can find it at the bottom under advanced. This video below might be the help you are looking for to get there, so long as the GL.iNet interface hasn't changed.
th-cam.com/video/jEZ-HMWY5JA/w-d-xo.html

Hi @Aisan Estrella,
Thanks for the compliment 😊. I try my best. And you're welcome!
As for using a vlan to set up a "fence" between home and work devices, yes thats a perfect use case, and I'm currently doing that. I have work devices on a separate network where I also include Layer 2 isolation, meaning any devices on that same network cannot directly talk to each other. This is a feature that a router or access point would have, and not on the vlan itself. But if you go with OpenWrt, I'm pretty sure I saw this feature in there and I recommend using it for a work or guest network.
Nonetheless, all I would suggest in addition to creating a "work" vlan is to be sure there are firewall rules that prevent communication of your home devices and your work computer. This should be a very easy block rule to implement.
Let me know if this makes sense.

@@DevOdyssey awesome! guess i have something to tinker with this weekend thanks heaps :)

@Aisan Estrella You're welcome! Feel free to ask my any more questions if any come up. I'll be glad to help. Took me some time to figure this out myself. If you do plan on using OpenWrt, you can watch my video on how I flashed a Netgear R6080 router to OpenWrt.
th-cam.com/video/1IgwDwoa9yY/w-d-xo.html
Though I caution, you'll have to check if your router is compatible with OpenWrt. If not, there are other firmwares you can try like DDWRT or Tomato. I will say though that when making a vlan with DDWRT, I had a lot of difficulty and I couldn't get it to work. OpenWrt was easier once I figured it out, and their documentation was better as well. Anyway, best of luck! Let me know how it goes 😊

Thanks for watching @gmcenore!
Thats a good question. I'd say in the past, more consumer grade routers used layer 2 switching, even though the hardware was layer 3 capable. Now, there are more modern routers and software that probably use layer 3 switching. Some router stock router software will offer the ability to create VLANs in the GUI, which is nice when I do see that. However, most of the ways layer 3 is implemented is via guest networks / WiFi. This will actually create a separate VLAN for that guest network, with default rules to block traffic between the main network and guest network (if done so correctly), and give that network its own WiFi radio and SSID. So it does happen in routers with guest networks, but its very much under the covers.
In terms of security, I'm not exactly sure what attacks you are referring to here, but I'd imagine it could be one of two things. For routers using layer 2 switching, they'd be switching on the same layer 3 network. Meaning, the network is flat, and everything is connected together with no rules prevent access to the other devices on that network. The only methods of protection here are Dynamic Access Control Lists (DACLs, which you're less likely to see unless using enterprise grade hardware / software), or host based firewalls. The attacks here would simply be passed through the network without any layer 3 controls or prevention techniques, i.e. firewall rules. So in this regard you could call them "vulnerable to attacks".
If we are using VLANs (layer 3, with a layer 3 switch), then we can separate and segment out the network so that not all devices live on the same network, and utilize layer 3 controls to protect against attacks. Now, technically speaking, VLANs could be circumvented by creating your own custom packets on the network, that are tagged with the VLAN ID, which could ultimately route that traffic to an endpoint of your choosing. Thats a bit more sophisticated, so proper network segmentation should work in most cases to protect your devices.

Thanks for watching Saeed! I appreciate the compliment 😊
Thats pretty strange. I'm not sure what is wrong, given that I can't see your configuration, but I will do my best to help.
First, I will say that OpenWrt 21.xx introduced Distributed Switch Architecture (DSA) moving away from swconfig. To make VLANs in OpenWrt 21.xx you create bridge interface(s) and set up VLAN filtering within the interface. This is roughly how it works, as I haven't actually personally done this yet, but I have read some docs on it from OpenWrt, and I plan to make a video on it.
Anyway, back to your issue. So first, the router itself doesn't have internet connectivity after creating the VLAN? Or is it that you aren't connecting to the VLAN after creating it? Trying to better understand the situation at hand. Since you followed along in creating a VLAN via Network >> Switch, that should create the VLAN device for you, but you'd still have to configure the VLAN in the Network >> Interfaces section, as I did in 4:50. Have you configured the VLAN after creating the device it up in Network >> Switch section?
As for the Devices tab not showing up, I think that my be because the version of LuCI you are using is 21.xx, even though you are on OpenWrt 19.xx. This is actually possible and something I really wasn't aware of at first until someone else who commented on this video mentioned in to me.
Hope this helps, and at the very least, figure out where the problem is.

Hi Ryan,
Before I got into networking, most of my IT experience was in software development and testing, but slowly I started to move into infrastructure, as I've had a natural fascination for it, and really wanted to learn the full stack of IT from top to bottom. Eventually you learn quite a bit about everything.
So you should hypothetically be able to do that. But I'm not sure if you would secure it really with a "VLAN", and thats because it sounds like you want your printer to be a "network printer", because, well you're connecting it to a router. Well, if you are using OpenWrt as your print server, your printer is basically going to use the IP Address of your router, or whatever interfaces / IP addresses it listens on (which could be more than one, especially with VLANs). Just as an FYI, the software you'd use is Common Unix Printing System (CUPS). There is a package for that too by the way.
I haven't set up CUPS before on OpenWrt, but there is a configuration you can use as well to create rules to allow or deny certain IP Addresses. You can refer to the link below for more info.
openwrt.org/docs/guide-user/services/print_server/cups.server
The VLAN is more for network segmentation. So like you dont want one network of devices, talking to another network. So in your case, you'd probably allow your guest network to print, and expose the guest range, in the CUPS configuration to print. So I guess VLANs kind of work in this scenario, but to me it seems like the CUPS configuration is doing more of the heavy lifting. The VLAN network segmentation works more with devices that have a network interface (Wireless or ethernet), as opposed to USB devices that get their networking from routers. In this case, since the Printer is connected to the router, it can hypothetically be networked to all networks your router would create and manage.
The way around this would be to use a Raspberry Pi as a CUPS server and hook that up with the printer via USB.
Lastly, your printer would likely not hurt your home devices, because its a "dumb" printer, and has no networking capabilities. Your print server would handle that.
Otherwise, for your other smart devices, VLANS would be very helpful there. I have an IoT network for my smart devices, to keep them properly segmented. I want to do traffic analysis one day of what these devices are doing / where they are communicating, but thats if / when I have time. If you are not sure if your computers are updating themselves, all you can do is check their configuration and see if automatic updates are on, and when they last checked.

Thanks for watching @mr.boniato6402!
So in order to use VLANs, all networking equipment must support VLANs. So on the Tomato router, you would "tag" your interfaces with VLAN traffic. Then on the Asus router, you would "untag" those interfaces (wired or wireless). The tagging basically tells the other equipment, that a certain packet belongs to a certain VLAN. Then for an endpoint to consume that traffic, that tag must be removed, or "untagged".
So first make sure your Asus router supports VLANs. If it does, then make sure you can untag your VLAN traffic on your WiFi, so that traffic can be consumed by your wireless devices.

Thanks for watching @algolove185!
I do have a VLAN guide for 21.02 and beyond, where VLANs are using DSA architecture. This should work for 23.05, so long as the device supports DSA VLANs.
th-cam.com/video/d3aYMqt-b_c/w-d-xo.html

Thanks for watching JAFO-PTY!
Great question. The answer is yes and no.
Allowing your TV (on VLAN 1) to access your NAS (on VLAN 2), does not defeat the added security of VLANs. Thats because if the appropriate firewall rules are set up between the two VLANs, you can deny traffic between the two networks, except for devices that you want to communicate, say your TV and NAS. This protects you if there are other devices on VLAN 1, but you don't want to access the NAS on VLAN 2, or and other device on VLAN 2. Its basic network segmentation which is good.
Otherwise on a flat network, you have not firewall rules you can put on that prevents communication between devices on the network, since they on the same network.
However, yes your NAS would still be at risk if your TV were compromised. Because you have specific firewall rules that allow the TV to communicate to the NAS, this does put your NAS at risk. But its less of a risk than if all your devices could talk to the NAS, especially ones that don't need to.

@@DevOdyssey amazing! thank you so much for you reply! I am trying to increase the security of my openwrt router, but this topic is still new to me. Thanks again!

@@JAFOpty You're welcome! Glad to reply and help out 😊
There certainly are plenty of ways to increase the security of your OpenWrt router, and VLANs are one way to improve the security of the devices on your network(s).
Other things you can do include creating custom firewall rules, using HTTPS when logging into LuCi, securing SSH access by only allowing SSH keys and logging in with non root accounts, etc. Plenty of things you can to do improve the security of your router, along with doing frequent updates.
All the best in your security efforts!

Thanks EMS GUY! I appreciate your viewership!
Hm I'm not sure, but usually this is due to version differences. Do you know what version of OpenWrt you are using? You can also create bridge interface in the /etc/config/network file, using syntax like so (at least for OpenWrt 21.02):
config device
option type 'bridge'
option name 'br'
list ports 'eth0'
list ports 'eth1'

Thanks for watching @auslander1026!
I do have an updated video for OpenWrt 21.02, which is when DSA VLANs took over for switch config. As of 23.05, DSA is the way VLANs are made. You can watch that video linked below.
th-cam.com/video/d3aYMqt-b_c/w-d-xo.html

Hi Syamantak Pati, thanks for watching! Sorry for the late reply, looks like your comment ended up in spam for some reason.
To answer your question, what I showed in the video was merely for example. In this case, I just wanted to show the example of how to create a VLAN, and then assign it to the WiFi / radio0 interface. The point in this case would be to isolate all wireless clients onto their own network, and all the wired clients on a different network (except for one lan port thats on VLAN3). So you should have no problem creating a VLAN, creating an interface for that VLAN, and then assigning that interface to the WiFi network. You can repeat this process for however many SSIDs you have, more likely than not its usually 2 - 3 depending on the hardware of your router.
Then if you want, you can do layer 2 client isolation, so that each device on that WiFi network cannot communicate with each other over layer 2. This is generally a great setting for guest networks. This should accomplish what you're trying to achieve.

@@DevOdyssey thanks for taking the time to read and respond. Much appreciated.

@@syamantakpati9009 You're welcome! Glad to help. Best of luck!

Hi Ryan, thanks for watching!
Yes, I am working on a Mac, good observation! Though I have used a nice "macOS" GTK theme on my Linux Desktops that look very close to a real macOS Desktop.

Thanks for watching John!
If I'm reading everything correctly, then yes, you should be able to accomplish a VLAN aware access point with OpenWrt. In your example, all you would need to do is make sure that VLAN5 and VLAN30 are tagged traffic on that ethernet wire. Then from there, on the OpenWrt access point, that ethernet NIC on the device should be tagged with those same VLANs, and you'll be able to use those VLANs for WiFi or other ethernet ports on the OpenWrt device. DHCP would not be involved here (on the OpenWrt device). You'll just have to untag one of the VLANs on the NIC so the OpenWrt device can get an IP address from your main DHCP server.
Now for setting up WiFi, you should be able to do that, but it might be finicky, in particular when using a Raspberry Pi. I did run into some trouble but I did get it to work. I actually made an updated video for VLANs on OpenWrt 21.02 using DSA, so that video should be very helpful for you to set this up.
th-cam.com/video/d3aYMqt-b_c/w-d-xo.html
But overall, your use case is definitely doable with OpenWrt. Might be better to use a different device (not a Raspberry Pi) since its WiFi chip (lack of a good antenna) is not best suited as an access point; you won't get the best coverage. Definitely a fun way to learn something new!

Thank you Thom and thanks for watching!
Sounds like a good setup! I'm actually working on a video that somewhat addresses the set up you're looking at. It's putting together two raspberry pis, both with OpenWrt. One that acts as a router, and the other that acts as a managed switch. The single cable comes from the router and goes to the managed switch and carries the tagged VLAN traffic to the managed switch. This sounds like what you are looking to achieve, correct? If not, let me know what other details you have and I'll do my best to help 😊

Thanks for watching @piotrzajac5694!
First I’d like to ask, what’s your purpose for this TPLink router? Is it to use it as router, an access point, or something else? How are you getting internet access if you are using it as a router, wireless WAN or via the Ethernet port?
I only ask because if you plan to use it as a router, and get your internet via the Ethernet port, you’ll need to setup your VLANs appropriately to get internet access but also set up VLANs for internal networks.
Anyway, yes you should not have any issues with your set up. Since you are on OpenWrt 23, I’d recommend following my updated video where it goes over VLANs using the DSA architecture. As for your VLAN numbering, you’re just gonna have to use those lower numbers and change your existing VLANs to match that. Otherwise you can’t carry those VLANs to the switch and therefore can’t access those networks.
Given your setup, you should be able to get it working, so long as you change your VLAN ids to what your switch can use or you get a new switch that does not have the same limitation.

Thanks for watching Michael!
The great part about OpenWrt is the interface doesn’t really change when you install it on different hardware. They should effectively look the same, even if you install it on a retail router, a Raspberry Pi, or just a plain old PC.
Now there will be differences depending on the hardware, but for the most part, you won’t encounter too much of his unless they’re blatant (like lack of a wifi chip, more/less Ethernet ports, etc)
Also, so long as the OpenWrt versions installed on each system are vanilla OpenWrt, i.e., not modified by any one person or company and straight from their available images, then they’ll look the same on different systems. Some companies, like Seeed Studio, may change the look and feel of their version of OpenWrt on their systems.
Anyway, I already have a video that covers VLANs on OpenWrt, that would apply to Raspberry Pis and newer versions of OpenWrt. You can find that here:
th-cam.com/video/d3aYMqt-b_c/w-d-xo.html

You're welcome @Rufus Murphey, thanks for watching! 😊
I have an OPNSense instance in my lab and I gotta say I do like it. Took me some time to learn more about iptables versus using pf.
As for your question, I'm not sure exactly how to answer, but I'll try my best. So in terms of a captive portal, that should be no different on OpenWrt, thought I have not tried setting that up whatsoever. I imagine there is a dedicated VLAN used for authenticated sessions and thats it.
As for a game server / webserver getting authenticated and tagged on the right VLAN, lets talk about the tagging first. That's going to basically rely on how you connect to game server / webserver to your network. If you happen to connect it with an ethernet cable and that is connected to ethernet port on a router that is untagged with a certain VLAN, then that game server / web server will be on that network. The same concept applies for WiFi, as I did in the video for both. Now in terms of authentication, if you want the machine itself to authenticate onto the network, that would be 802.1x controls, which is configurable on OpenWrt, when using RADIUS.
Overall, a captive portal is user authentication vs 802.1x (RADIUS) is machine level authentication. One controls if a user gets onto a VLAN and the other controls if a machine gets onto a VLAN. I hope this clears things up for you and if not, feel free to ask more questions!

@@DevOdyssey Yes, sorry I should have been more specific : I'll connect he game server through a managed switch, I wasn't aware there was any captive portal functionality in OpenWrt. I recently found a port of OPNSense for the R2S on the forum but it's not official, so I might give that a test.

No worries @Rufus Murphy. Yes there are a few packages you can download that will enable captive portal, like openNDS and NoDogSplash. But again, in this case you don't need a captive portal to connect to that proper gaming VLAN.
That's awesome to hear! I hope that port of OPNSense works well for you. It's a powerful firewall platform and would be good to stay on. OpenWrt is good too, and really choosing between the two is a matter of preference between BSD and Linux. Let me know if it ends up working out.

Thanks for watching Valence! I'm not sure exactly what you are seeing, but from the sound of it, it looks like you are using DSA for your VLAN config, as opposed to swconfig. If thats the case, then you should watch my DSA "Advanced" video I made, that should cover your scenario from what it seems. With OpenWrt 21.02 and beyond, DSA is the new way of making VLANs, so long as your device supports it.
th-cam.com/video/d3aYMqt-b_c/w-d-xo.html
Let me know if this works!

@TheGreatNorris, yep! There is hundreds, if not thousands of dollars of enterprise features, with OpenWrt or other custom router firmware. You wouldn't really need a managed switch at that point, though I personally have a used managed switch as I find it useful. But you can buy unmanaged switches, as you mentioned, to handle your untagged VLAN traffic out of the OpenWrt Router for those extra ethernet ports. Its quite amazing all what you can do with OpenWrt.

@@DevOdyssey Thanks for replying, that is truly amazing to be able to utilize the same features of enterprise switches/routers that cost thousands of dollars.

You're welcome @TheGreatNorris. It really is amazing, and it goes to show you that consumer hardware can be quite capable of amazing things. Often times what really limits you is the software they put on it. So if you can find better software, you can get more features and often times improve whatever it is you're doing, and in this case, improve your network.

@@DevOdyssey all through open source router firmware such as open wrt or pfsense. I agree, being able to flash your own preferred custom firmware that's supported for whatever router is a much smarter choice than staying with the standard issued ISP router software, a lot of the times can be very insecure or either isn't being updated anymore. In fact, surprisingly, all the ISP issued routers I've came across all have a horrible interface, lack of important features such as changing dns (unencrypted same ISPs dns servers/resolvers by default) no support in router obviously for VPNS, and you are essentially locked down on what you can do. The flexibility/features and the software or firmware being open source make Open-Wrt absolutely definitely the way to go no question.

@TheGreatNorris I couldn't have said it any better myself 😊

Thanks for watching Quan!
While not knowing enough about the Netgear R6700, I’m going to be making an assumption. It should work, where you can create two VLANs in pfSense, send them to your WAP via trunk ports. And then set up two different wireless networks using each VLAN. I assume it has more than one wireless radio (aka 2.4 GHz and 5 GHz), and given that, you shouldn’t need an additional WAP.

@@DevOdyssey thank you. Do you mean I could use 2.4GHz for a VLAN and 5GHz for the other? Is it possible to do so?

@@QuanNguyen-og6pq you’re welcome! And yup that’s correct. You can use two separate VLANs for reach radio, 2.4 GHz and 5GHz (or more specifically, two separate networks / LANs, doesn’t have to be a VLAN)

Thanks for watching A J!
Personally, I don't have any specific recommendation based on my experience. I've only used Netgear R6080 with OpenWrt and a Raspberry Pi. I myself would end up creating an OpenWrt router by choosing the hardware I like, but I still haven't gotten to doing that just yet.
I'd honestly go with the community recommendations, and referring to their Table of Hardware.
openwrt.org/toh/recommended_routers
openwrt.org/toh/start
You should be good with anything in the first list, or if you're searching for router compatibility, refer to the second list.

@Wieczor178 You're welcome! Thanks for watching 😊
So a few other commentors on this video have said they have the same problem. To be quite honest, I haven't exactly figured it out yet, but it seems to likely be that your version of OpenWrt is not up to date, and if you can update it, you would likely see the devices tab interface.
There are other ways you can do this however. @TheGreatNorris found a good article on how you can log into your router via the terminal (SSH), and manually edit config files to get it working. Here is an article describing how: jasonschaefer.com/setup-vlan-on-openwrt-using-hardware-that-has-no-switch-ports/
In addition I was able to do this another way. I automatically created a device (the first way I actually did it before this video), by adding a VLAN to the switch. See 6:37 in the video. Once you add the VLAN to the switch, there should be a device available for you to use, that will say "Switch VLAN" with the ID you gave the VLAN in the switch configuration.

@@DevOdyssey thanks as you said one vlan was created in switch section I was able to add it in interface section. Openwrt is in the latest version so not sure where the difference is coming from but most important is that it works :)

@Wierczor178 thats great! I'm glad you hear you could use that "Switch VLAN" method to create a VLAN. Thats interesting, maybe its something to do with hardware. I'm no expert so I can't really diagnose it well without doing a lot of research but as you said, all that matters is that it works. Happy you got it working 😊. Enjoy your new VLAN!

Thanks for watching @Paul Do!
So in terms of trunk port, if your talking about Cisco terminology, then yes this is basically creating a trunk port, however I’m only carrying traffic for one VLAN. If I had more VLANs then the Ethernet port I assign to carry all the VLAN traffic would be the trunk port. But regardless, this port would go to a smart (managed) switch to the do tagging and untagging of VLAN traffic on different ports in the smart switch.
If you were talking about HP terminology then no, this trunk ports in that case are grouping ports together with LACP for purposes of increasing bandwidth or redundancy in case a port failed.

Thats a great question @TheGreatNorris. So I am not familiar with doing this myself, however, it looks like it is possible. In doing my searching, it doesn't seem like its enabled out of the box, though I've read some conflicting things about configuring it. I have read the most about the following though, so I recommend trying it out, though I have not tried it out myself.
1. Install package 'iptables-mod-tee'
2. Then enable port mirroring in Network/Switches (for incoming and outgoing)
3. Then set up mirror source port and mirror monitor port
Here are a few articles you can reference:
www.testdevlab.com/blog/2017/08/setting-up-router-traffic-mirroring-to-wireshark/
forum.openwrt.org/t/setting-up-a-network-tap/38721/10
Hopefully this helps!

@@DevOdyssey I figured that "Snort" IDS and IPS would be ideal software for carry out traffic monitoring, utilizing port mirroring for it's IDS as well as an intrusion protection system. Snort can be installed at hardware level on router, by searching for packages in Software tab.

Snort would be a great addition to your router for IDS / IPS capabilities. Now I will say depending on the resources of the router (CPU, RAM, storage, etc) that it might be best to use another machine / computer, where it can monitor that mirrored traffic. Its awesome though to see that it's available as a package in OpenWrt.
Give it a shot and let me know how it works! I've wanted to get into IDS / IPS stuff but I've been too preoccupied. It's something I plan on getting too, and hearing your feedback would be helpful.

Thanks for watching Brandon!
Yes this should be possible. What you'd do is create VLANs on top of your LAN port, and then you'd need a managed switch to take that VLAN traffic, and disperse it accordingly. OpenWrt shouldn't have any issues running VLANs on your mini PC and all you really need is two ports, one for WAN, and the other for LANs/VLANs.

Great! I'm glad you better understand VLANs and connecting to them through our conversation. Good things to know if you want to create more networks with your router especially with limited physical ports / WiFi / physical forms of connection. Best of luck!

Thanks for watching @m.h.323!
I assume you're on a newer version of OpenWrt. The switch menu is now deprecated (unless your router doesn't support the newer way, DSA). That change actually happened not too long after releasing this video. You can watch my newer video below that shows you how to create VLANs using DSA.
th-cam.com/video/d3aYMqt-b_c/w-d-xo.html

@ryz_raiyze Thanks for watching!
In your scenario, you'd almost have a correctly configured VLAN, but to really get it correct, you'll need to have the settings configured properly on both the router and the switch. Assuming you're following this video, you'll have to create the VLAN within your router (or OpenWrt in this case), and then you'll have to tag an ethernet port (on the router) with the specific VLAN ID, or multiple VLANS (IDs). Then in your network switch, you would untag each ethernet port on the switch with a specific VLAN ID.
That covers you most of the way. However, to have true isolation, you'll need to create firewall rules within OpenWrt to block / drop traffic coming from the other VLANs, into the VLAN you want with your specific isolated device. Otherwise, traffic from other devices on different networks / VLANs could get to the device you're trying to isolate.
In addition, there is this feature within OpenWrt you could use to isolate clients on a wireless network (if you happen to configure your VLAN for use over WiFi). In OpenWrt, go to "Network" > "Wireless" > "Edit" (for your specific SSID / WiFi name). Then scroll down to "Interface Configuration" > "Advanced Settings" tab, you'll see the first check box is "Isolate Clients". What this does is isolate your clients on the same Layer 3 (IP) network. So if you have two devices on the same WiFi network with this option checked, those two devices won't be able to communicate even if though they're on the same network. (This is a useful feature for guest networks too).
Not sure if that bit helps, but your question made me think of it. Hope this helps!

@@DevOdyssey Hi, thanks for your reply! My router is incapable of VLAN and incompatible with OpenWrt. Instead of buying a new router to get VLAN capabilities, what if I connected a VLAN-capable switch to my modem and then used the router as an access point for my Wi-Fi network by connecting it to the switch. Would this allow me to tweak the firewall settings on the switch to correctly configure the VLAN?

@@conundrum765 You're welcome! I do like the way you're thinking outside of the box a bit, however, unfortunately that set up won't work. This is because your VLAN capable switch does not have firewalling and routing capabilities. When the modem receive's its connection from the ISP, it transforms it into a TCP/IP networking type connection, and sending a public IP address assignment, to the device connected on the other end of the modem.
So sure, you can have your VLAN capable switch get assigned a public IP address, and publicly exposed on the internet, but VLAN capable switches don't have all the abilities in a router, like a firewall and DHCP server, that are essential in creating your own home network. While the VLAN capable switch can carry VLAN traffic, it doesn't actually create VLAN networks, if that makes sense.
My suggestion, as of now, would be to get a router thats OpenWrt capable (you can find their table of hardware on OpenWrt's website) so that you can use OpenWrt's features to create VLANs. There are plenty of cheap router equipment on eBay you can use second hand. Or, if you really want, you can also use a Raspberry Pi and install OpenWrt there, then get an USB (3.0) to Ethernet adapter so you have 2 Ethernet ports (one for WAN and another for LAN). Then on the LAN port, you can create VLANs on top of it, and really then utilize the power of your VLAN capable switch. Lastly, that router you have now could then be used as an access point as you mentioned.
I know this is a lot of information so if you have any questions, let me know!

You're welcome Fa Sh! thanks for watching and for the compliment 😊

@ramonoe samuel that’s correct, the changes accumulate in OpenWrt as you move to different screens and make those changes. You can then review all the changes when clicking Save and Apply, regardless of where those changes were made. Definitely a good feature of the LuCI GUI.

Thanks for watching Allen!
Hm, not sure why you don't have that. It seems like it would be common enough in most routers but I can't be sure.
Anyway, from my understanding you technically don't need to bridge interfaces to create the VLAN, as bridging here just allows you to connect to the VLAN over multiple interfaces. You'd certainly want the eth0.3 interface (in this video example, but whatever your VLAN interface that you created), so you associate the interface with the VLAN.
Then if you want to connect to it over WiFi, I believe you could just edit the WiFi interface under Network, Wireless, and then when editing, chose the Network for the WiFi to be the VLAN interface and that should do it too. Another way to accomplish effectively the same thing.

Hi @Md. Rashadul Islam thanks for watching!
I don't have easy access to a C111 ISR router, so I won't be able to demonstrate that now or in the near future. However I was able to find Cisco documentation that has the commands you'd use to configure a VLAN.
www.cisco.com/c/en/us/td/docs/routers/access/1100/software/configuration/xe-16-7/cisco_1100_series_swcfg_xe_16_7_x/cisco_1100_series_swcfg_chapter_01100.html
This should be what you need, however as I haven't done it myself, I can't be 100% certain. Hope this helps!

Thanks for watching @Wojtek Śleziak!
To be honest, I am not sure why you are not seeing the Devices tab in the Interfaces menu. It may be a hardware compatibility issue with your router, but again I can't confirm that. However you can try making a device in a couple of different ways.
You can log in to the router using ssh, and create a device in the /etc/config/network file. You should also see examples in there.
You can also automatically create a device (the first way I actually did it before this video), by adding a VLAN to the switch. See 6:37 in the video. Once you add the VLAN to the switch, there should be a device available for you to use, that will say "Switch VLAN" with the ID you gave the VLAN in the switch configuration.
Hope this helps you get around that issue!

Just another suggestion @Wojtek Śleziak but if you were/are not on the latest version of OpenWrt, I would try doing that first to see if the devices tab shows up in LuCI. Feel free to let me know if that resolves your issue.

@Torin Storkey thanks for watching! 😊
Now I'm not sure how well this would work, though I believed my snapshot I used in this video was a OpenWrt 19.0x version.
You should be able to do this in a couple of different ways. If you login to the router via SSH, you can change some configuration files that should create a VLAN for you. You can refer to this article on how to do it.
jasonschaefer.com/setup-vlan-on-openwrt-using-hardware-that-has-no-switch-ports/
In addition you can try to create a VLAN this way, (actually the first way I actually did it before this video), by adding a VLAN to the switch. See 6:37 in the video. Once you add the VLAN to the switch, you should see it available for use, that will say "Switch VLAN" with the ID you gave the VLAN in the switch configuration.
Either method should work. Let me know if you're able to get it working!

Thanks for watching @algolove185!
Just to clarify, are you talking about 4:22 in the video when adding a device configuration?
This could be device and OpenWrt version dependent (and even LuCI version dependent). What hardware are you using, whats your OpenWrt version and LuCI version too?
It's possible that your hardware does not support VLANs, but I find that doubtful, given how old the protocol is for 802.1q, most networking hardware supports it. In addition, are you using plain OpenWrt / LuCI or some modification by another vendor / developer? This could also be a reason why you don't see it, as its been modified from the base, which is what I am using in this video.

@@DevOdyssey Thanks - openwrt version is 22.03 and luci version is LuCI openwrt-22.03 branch git-22.361.

Can you make a video for creating VLAN for openwrt 22.03 version?

@@algolove185 You're welcome. Thanks for sharing that information. You should still see those options even in version 22.03, for any clean install of OpenWrt. So I'm not really sure why you aren't seeing that unless its due to hardware limitations.
Glad you asked! I do have a video that should you on how to make VLANs for OpenWrt 22.03, using DSA. In this video, it uses the old way of making VLANs, with swconfig. The router I use in this video still only supports VLANs via swconfig, due to hardware limitations, so you may still see this around. But for any newer more capable hardware, DSA is the way to make VLANs. This video below also covers it from the perspective of creating a managed switch, but nonetheless it addresses making VLANs in OpenWrt 22.03.
th-cam.com/video/d3aYMqt-b_c/w-d-xo.html

Thanks for watching!
I have heard about ROOter, and looked at it, but never personally interacted with it. I'll probably spend some time in the future trying it out, and seeing what it can do. Since it is OpenWrt based, I'd imagine they use the same configuration files for it. Depending of the version of OpenWrt it is based off, and the hardware being used, it could be using different software to create the VLANs. DSA is the newer way of doing it (not supported by all hardware for OpenWrt), and sw_config is the old way of doing it, which is the way I have done so in the video.
So it will take some investigation to see how it works, but in the mean time, I'd suggest doing some reason on your hardware, the ROOter build for it, what OpenWrt version its based on, and from there, what software is used for VLANS. Then you can start to see how its configured in OpenWrt, and give it a go yourself.

Thanks for watching Liam!
I like your idea there. for your ISP modem router combo, if you can just make it a passthrough, with no routing, and add your own OpenWrt router there, then you can utilize all the power of OpenWrt in your home network. Then with the Nighthawks acting as your mesh system, you can utilize the mesh power of the nighthawks and get great WiFi coverage.
Now as for the utilizing VLANs here, that might be more difficult. You can use VLANs on your OpenWrt router, and that network for your Nighthawks, but I am not aware of the VLAN capabilities of the Nighthawk, to create separate VLAN networks. I'm sure the Nighthawk has a guest network mode, but since you are using the Nighthawks as Access Points, and not routers, I don't think you can use that feature.

Hmm, interesting, thanks for sharing @TheGreatNorris.
Looks like there may be some confusion here, and I'm hoping its not an issue with OpenWrt and your router. But this is just my understanding from your description.
In the Wireless Overview section, you won't actually see any of the interface your have created. Rather, you will see all the Wireless Radios available. The first row is the radio hardware interface, then the second is actually your WiFi (SSID) that is broadcasted on that radio interface, which there can be multiple WiFi's (SSIDs) on different channels on the same radio interface. Let me know if this makes sense and you can refer to 7:30 in the video.
So what you'd want to do is Add (or edit the existing WiFi (SSID) thats there by default, named "OpenWrt"), and rename this to "Public Wifi" (or whatever name you want). This will be the second column, and not the radio0 hardware interface above it.
You can do this by clicking the "Edit" button in that SSID / BSSID column, then under the "General Settings" tab in the window that pops up, under "Interface Configuration" on the bottom half of the window, and under the "General Setup" tab, you will see a dropdown labeled "Network". Here is where you want to chose that interface you made earlier called "Public". This ties together the actual network interface (Public), and the WiFi (SSID) (Public WiFi), that we just renamed.
This sounds to me like where the confusion is, but if this is incorrect (or if you get it working) let me know.

Thanks for watching Albert! 😊
I'm sorry its been taking you long to wrap your head around VLANs! I won't say they are the easiest to understand, but when you do understand them, it all comes together.
Thats a very interesting set up. So which is acting as your network router, the TP LINK or the PC? As long as you can connect your OpenWrt pc to your TP LINK router with an ethernet cable, (could even do WiFi), then you can download the packages for your USB WiFi stick, and for tethering as well. Now if you want to tether to the OpenWrt PC, and you don't have a USB port, then there really is now way to tether to it.
If your PC has a PCIe slot, you can put in a 4G modem and get 4G internet that way. You can also set up a WiFi relay between the WiFi on OpenWrt and the hotspot WiFi on your phone, and that way the OpenWrt PC can get internet from your phone that way.
I'm still not sure what role the TP Link plays in all this, but sounds like to me you could use a good network diagram 😊.
Anyway, You probably don't even need VLANs for this set up. VLANs are good for network segmentation, so if you have a need for that, then this video would apply.
And lastly, this video is using an older version of OpenWrt, 19.07, versus the new version is now 21.02. With that, they've made significant changes to how they do VLANs (use Distributed Switch Architecture, DSA, over switch0 method) so this video won't exactly apply. However, the concepts are definitely the same. The way of doing it just looks different now, and should be more performant too. You can refer to documentation / links here for help as well.
openwrt.org/docs/guide-user/network/dsa/start
Hope this helps a little bit!

Thanks for watching Brian.
So there have been a few viewers who have had the same issues as you have. When I made this video, I didn’t realize I was using a newer version of the LuCI GUI, with an older backend (21.02 LuCI and 19.x backend). This resulted in the mismatch I noticed, as I still was pretty new to OpenWrt when I made this video. You likely have an older version of LuCI that doesn’t expose the devices tab.
I’d refer you to the comments section, specifically from _CapR_ and K, where they raise the same question. In there, you should find some guidance on how to get around this issue. Let me know if you get it working!

Thanks for watching @marcg1043.
Yes, so they're physically separate, in that each port on a router, is its own physical port. Now most of these are switch ports, which, I'll get back to in a second regarding its significance, but technically they aren't the same port.
By default on any off the shelf router, if you plug into each LAN port, you'll be placed on the same network. That, of course, is by design. They will be on the same layer 2 and technically won't be separated as you noted.
On other systems, say a mini PC's with more than one ethernet port, those will often have a dedicated ethernet controller for each ethernet port. As a result, this physical separation of ethernet controllers means that the ports can have their own separate networks defined, alluding to that physical separation of networks. On a standard router, these physical ethernet ports share the same ethernet controller, thereby acting as switch ports, and placing you on the same layer 2 network, unless its VLAN capable, which this video goes into how thats done.
Anyway, thats the gist of it, but a notable caveat, so I appreciate the question. I assign a separate subnet to my VLAN because I want that VLAN to be a different network, its a simple as that. I can't make the VLAN be the same subnet as my primary LAN, as that would cause collisions and it simply doesn't work that way. Conceptually its against the purpose of a VLAN. A new subnet must be created for each new VLAN. Each are their own network.

Hi @KC,
Yes I do, its pretty easy in OpenWrt. First, in the admin interface, click "Network" dropdown at the top navigation bar, then click on "Firewall". Next, in the Firewall page, near the top you will see another set of tabs, here you will click "Traffic Rules". Then scroll to the bottom and click on "Add" in the bottom left corner area of the rules section. Then in the pop up window, fill it out like so:
Name: Incoming Cloudflare to port 443 (or whatever you decide)
Protocol: (choose TCP or UDP, depending on your need, likely TCP)
Source zone: wan
Source address: (Insert a single Cloudflare IP address, scroll to the bottom of the drop down to add a custom IP)
Source port: 443
Destination zone: lan (or your zone where your destination IP is)
Destination address: (Insert your specific destination address you need to forward to)
Destination port: 443 (or the specific port you need to forward to for the specific IP)
Action: accept
You can repeat the above process for however many Cloudflare IP addresses you need to forward to port 443. Once you are done, then you can click "Save and Apply" and you should be good to go.

@@DevOdyssey Thanks a lot. I just tried this method, but it's not working. Is it because of the Cloudflare IP address range is too large? For example, their IP range is something like 173.245.48.0/20 or 103.22.200.0/22. Do you have any ideas?

@ KC You're welcome! Hmm, interesting. So first before I answer any of your questions, mind if I ask what your end goal is? Or what is it that you are trying to do with Cloudflare? If I can refer to their documentation, maybe I can better help you.
So for your first question, if the range is too large, I don't think thats the issue. Any CIDR range should be accepted. I first wasn't sure if the rules could accept a CIDR IP range, but it looks like that shouldn't be a problem, when looking at examples on their forum.
openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_config_examples
Other than that, I'm not sure what the problem is. How are you verifying that it's not working? If I can get answers to those questions, I can better assist you.

@@DevOdyssey Sorry, it’s working now. I entered the wrong port number!

@KC no worries! Thanks for confirming with me that it's working. Easy to mistype a number 😊

Thanks for watching Guido!
Just to be clear, you are not able to find the Devices tab under Interfaces? You should be able to see this as a part of plain and unmodified OpenWrt. Are you using a customized version of OpenWrt, say from GL.iNet? If so, that might be some reason why you are having trouble seeing that Devices tab.
You can also start at 6:37 in the video and create a VLAN from there, as the steps I did before that will be automatically done when you are assigning VLANs to the ports.
Lastly, you can also do this configuration manually, by editing the /etc/config/network files. Refer to the OpenWrt wiki page below for some guidance there.
openwrt.org/docs/guide-user/network/vlan/switch_configuration

@@DevOdyssey it is a version already installed on the gl-Inet router mod: GL.SF1200

@@guidobizzarri746 Thanks for sharing that information. I do have some experience with GL.iNet routers, in particular, their travel router.
th-cam.com/video/jEZ-HMWY5JA/w-d-xo.html
In the above video, you'll see there that you can install LuCI. I imagine this is how you are accessing LuCI, correct?
If not, give this a shot to try and find the devices tab. Otherwise, see if you can upgrade your router to a newer version, which would also likely upgrade the OpenWrt version, and you'd more likely find the devices tab, where you can then follow this video more easily.
Generally, you just want to be cautious to make sure any changes you are making, do not interfere with GL.iNet customizations that you are using on your router, so it takes some due diligence to reassure that, but it should be possible.

@Cod Calling Thanks for watching!
I am a bit confused though of what you’re asking. In this video I create a VLAN to make a separate virtual local area network, which really isn’t a block of static IPs. If you can explain what your end game is maybe I can better assist you.
Otherwise, if there are certain static IPs you have in mind if using, and they’re all in the same network, you can create a vlan with that network containing those static IPs, and then assign out those static IPs to the intended devices.

Thanks for watching Ken!
So what you are seeing at 5:02 is the creation of an interface VLAN3, that will be used to access the VLAN3 network. This is so that I can access it over a specific ethernet port on the router, but also over WiFi. The ethernet port I'm using is the device I created earlier at 4:21
At 6:13, I remove the bridge for the LAN interface specifically, and not the VLAN3 interface. This is done so that my configurations between VLAN3 and LAN are not conflicting, in particular for WiFi. The bridge is removed on LAN3 so that LAN is not accessible over WiFi, however it is still accessible over the default eth0.1 port (base device). VLAN3 would be accessible over port (device) eth0.3 and WiFi, so I can test out the new VLAN I created at 8:00 and 8:38 respectively.

@ramonoe samuel I'm not sure what you are asking here, though it sounds like we are comparing different networking technologies, and they are similar, but also different concepts. A VPN being a virtual private network, can also be thought of as a software defined network. IT does have similarities to a VLAN, being a virtual local area network, which is also actually a software defined network as well, in different respects. You can tunnel your VLAN or LAN traffic over a VPN, onto a network in a different physical location, but logically speaking, then networks "border" each other, and are close in virtual proximity. VLANs are only local, just like a LAN, and basically provide you the means to create multiple networks without all the additional hardware of ethernet ports, where you only effectively need one. With VPNs you don't need any ethernet ports, and all the networking is virtual as implied by the name. These similarities are interesting to think about.

@ramonoe samuel I’m not sure what you’re speaking about in regards with this video. This video is about creating a VLAN and carrying that traffic over WiFi and Ethernet, and not about VPNs. It sounds like you’re talking about when changing the wireless network to VLAN fro the default LAN.
This process shouldn’t interfere with your internet connection from your ISP, but if not configured properly, your devices can lose access to the home network that your OpenWrt router sets up.

@Jesse Baker Thanks! 😊

Sadly, most off the shelf consumer routers do not support VLANs. I would say to flash your Netgear R8500 with OpenWrt, but it doesn't seem like thats supported by OpenWrt. If you have any old hardware laying around, you can use that with OpenWrt or another open source firewall distribution, and then use your Netgear as a wireless access point (if has one). However, you will be limited to only using one VLAN, so it may be worth it to get another router that supports VLANs.
You can also find fairly inexpensive routers that support OpenWrt, and flash it, which will then support VLANs.

@@DevOdyssey I'm looking at getting the Netgate 2100. I just picked up a couple of Aruba AP-22's to place around the house.

@@bme7491 Sounds like some great hardware! I'm a fan of Aruba in general, though, I've never used any Netgate appliances. I have worked with OPNsense and I'm a fan of BSD based networking. So definitely enjoy that hardware and setup! You should have no difficulty using VPNs on that hardware and software, given those well known enterprise grade hardware / software providers.
This video should help a bit if you get stuck on pfSense VLANs.
th-cam.com/video/GxTA0b1gAsU/w-d-xo.html
Best of luck!

Thanks for watching @KC
So looks like this is a problem for some users, someone else had the same comment. I am not sure why its not present to be completely honest. First I would try updating to the latest version of OpenWrt, however but it might have to do with the hardware in your router and its capabilities with OpenWrt. I do have a workaround the might work.
You can log in to the router using ssh, and create a device in the /etc/config/network file. You should also see examples in there.
You can also automatically create a device (the first way I actually did it before this video), by adding a VLAN to the switch. See 6:37 in the video. Once you add the VLAN to the switch, there should be a device available for you to use, that will say "Switch VLAN" with the ID you gave the VLAN in the switch configuration.
Hope this helps you get around that issue and let me know if it works!

@@DevOdyssey After a little research, I successfully managed to connect to the router or open a shell through SSH. From there, I can list network interfaces and see my unmanaged switch connected with the command swconfig list. You can add virtual lans or get the option to see virtual lans as there is no option for "Switch" in services nor the devices tab that would allow for vlan creation as seen in your video with unmanaged switches as explained here jasonschaefer.com/setup-vlan-on-openwrt-using-hardware-that-has-no-switch-ports/jasonschaefer.com/setup-vlan-on-openwrt-using-hardware-that-has-no-switch-ports/ I hope this helps everyone! I finally see the option for "virtual lans" and have successfully created two vlans that are bridged to the new interface I've created.

@@DevOdyssey You can configure everything you need for the new interface created in >Interfaces>Edit Then it will give you options and show the list of "software vlans" in Physical settings>interface :)

@@futuresocieties. thanks so much!!

@@DevOdyssey thanks so much !!

Thanks for watching Sukhdeep!
I’ve already made a video on VLANs in OpenWrt 21.02 and attaching them to WiFi.
You can find that video here, along with examples of the configuration files.
th-cam.com/video/d3aYMqt-b_c/w-d-xo.html

@@DevOdyssey Couldn't find it

@@sukhdeepzz The video above should explain more and have the files available, but for reference, I have linked the github gists below.
gist.github.com/odevodyssey/b81c12b8d1c373aebeda04f48e3ca21e

Thanks for watching Matt!
I'm not sure where you are seeing that for OpenWrt 22.03. When I look at that same version running on a Raspberry Pi 4B, I do not see "Switch" under the "Network" menu. This is something that can be hardware dependent, as the hardware may still support swconfig, which is used for VLANs in this video.
In addition, since OpenWrt 21.02, DSA is now used for VLANs. So II'd recommend doing it that way and following the updated video I made below:
th-cam.com/video/d3aYMqt-b_c/w-d-xo.html
Unless your hardware does not support DSA VLANs, that is the only reason I believe you'd still have the Switch menu available to you. That is the case for the router I am using in this video, as it doesn't seem to support DSA VLANs in OpenWrt 21.02 and beyond, and the Switch menu is still there for me.

@@DevOdyssey sorry late night. no*(not now) thanks for the link thats what I was looking for

@@mmgregoire1 No worries! You're welcome! Glad it helped. Good luck!

Thanks for watching Hazens!
switch0 is installed on OpenWrt by default on snapshot versions 19.0x and prior. The newest release of OpenWrt (21.0x) use Distributed Switch Architecture, where you use bridges to configure your VLANs. So not sure which version of OpenWrt you are working with but if its 19.0x and prior, switch0 is in there by default, according to my understanding.

Thanks for watching KC king collin.
Im assuming you are using OpenWrt version that is newer, 21.02 and beyond. If thats the case, then I made a follow up video for creating VLANs using the new DSA architecture, which is a Linux standard now, and the standard in newer OpenWrt builds for VLANs.
th-cam.com/video/d3aYMqt-b_c/w-d-xo.html

@@DevOdyssey thanks I found it shortly after making this comment, took some getting used to, but I think I understand vlans pretty well now, just trying to figure out how to separate my VPN tunnel from my other networks

@@KCKingcollin You're welcome! I'm glad that you found it. It is a bit different I will say, requires a bit more technical mindset. But once you do wrap your head around it, its easier to implement VLANs in the future. As for separating this VLAN out for a VPN tunnel, you'd basically want to create a route from that VLAN network, to your tunnel / VPN IP, as your gateway IP (or you can choose the tunnel / VPN interface). Once you set that up, it should tunnel all your traffic from your VLAN of choice, through that tunnel.
Let me know if that makes sense.

@@DevOdyssey thanks I actually used policy based routing to separate VPN traffic to a different network that's also connected to a single wifi radio for VPN traffic via vlans, my network is all set up thanks to your tutorials ^^

​@@KCKingcollin Now thats what I'm talking about! Really cool to hear how you used my videos in different ways to accomplish what your network goals. Policy Based Routing is definitely another way to separate out your networks to use different gateways. Nice work 👌

@_CapR_ Thanks for watching!
So looks like this is a common problem amongst those who've been watching this video, and seems like it might be an issue with your OpenWrt not being up to date, though I personally can't confirm thats the issue.
Nonetheless, one of viewers who commented on this video had success with the following:
Create a device, by first adding a VLAN to the switch. See 6:37 in the video. Once you add the VLAN to the switch, there should be a device available for you to use when creating the VLAN interface, that will say "Switch VLAN" with the ID you gave the VLAN in the switch configuration.
Otherwise, you can try to create the device in the config files directly by logging in with SSH. Use the article below for reference.
jasonschaefer.com/setup-vlan-on-openwrt-using-hardware-that-has-no-switch-ports/
Let me know if you get it working, and if so, what method you use.

@@DevOdyssey Sorry for the super late replay. I tried your instructions and that article you linked but none works. I think I will simply use a smaller access point router as my VLAN. Thanks!

@_CapR_ No worries! I’m sorry that didn’t work for you. Did you see any errors during the setup? Maybe you need to update your OpenWrt version or the hardware doesn’t support it. It can be difficult to figure out the underlying issue.
Using another router as VLAN is another method that should suffice. Just be aware though that the VLAN devices would be able to access the network devices on the main router (if there are any). So if you want to segregate them, be sure to put in place some firewall rules on the VLAN / smaller access point interface to prevent the devices from talking to each other.
Best of luck in your set up and feel free to let me know how it goes!

@@DevOdyssey Thanks for the help. I understand what you mean about using a separate access point router. I guess I'll have to learn how to use VLANs.
I successfully flashed OpenWRT 21 to my WRT1900ACS, upgrading from 19. However, I can't find the checkbox for bridging interfaces when adding a new interface. I was told it moved under the device tab in the interface page in rc4 but I can't find it.

@@DevOdyssey There's no physical settings either.

Thanks for watching Lars!
Configuring the VLAN in OpenWrt using this method is technically out of date, as it applies to 19.x. However, the concepts in the beginning of this video apply to the actual standard itself, 802.1Q, and remain relevant. The only time this method still applies is for router hardware that does not support DSA architecture in newer versions. For example, the router used in this demonstration does not use DSA, and still uses swconfig, even with version 21.02 (and likely beyond). So there is that aspect to take into account.
I'm sure many are visiting to learn how to configure VLANs for their newer OpenWrt routers, which likely are 21.02 and beyond. I have a newer video that does cover VLANs for those viewers, and is a card in the beginning of the video to direct anyone to that video.
th-cam.com/video/d3aYMqt-b_c/w-d-xo.html

Ha ha for watching @floodtheinbox! Sorry to hear that, I’m not sure how else I can explain it. VLANs are just virtual LANs, or networks, meaning you don’t need an extra physical interface to make another network. You create a virtual interface on top of a physical one. It’s simply a way to create more networks without having to put them all on different physical interfaces. The implications go way beyond that, but that’s essentially what it does.

@B Gable thanks for watching!
I have to agree, yellow does not show up well on white. I was working with limited color options with the software I was using, and grudgingly chose yellow. Which after the fact I see strains the eye. I haven't used yellow since in other demonstration videos, and plan not to for any future ones as well haha. Thanks for the feedback!

Gracias CharlysPro! Lo siento, pero si tienes preguntas, puedo posiblemente ayudarte. ¿Tienes ajustes en español?

Thanks for watching 6cef!
Yea, it did not come out so great when looking back at it. It was an oversight when I made this video, and after I realized that, I haven't gone back to using yellow on white haha. First time doing this kinda drawing; I learned my lesson there.

Thanks for watching Null!
I’m sorry to hear about the difficulty you are experiencing. In terms of OpenWrt, this video is outdated with the current version on LuCI and OpenWrt. This version of LuCI does include UI elements that aren’t in current versions of LuCI, but also it depends on the hardware you use, as some of these UI elements still exist, depending on the hardware install.
For example, the LuCI options for the Netgear R6080 actually still have the same options here, because VLANs still use the old method, swconfig, versus the new method DSA.
Nonetheless, the concepts in this video apply, but the implementation certainly has changed. So I apologize for the confusion, since this isn’t specifically a tutorial that applies to all OpenWrt routers and versions.
The advanced VLAN video isn’t really more difficult than this beginner video, so maybe I should modify the title. It’s basically an introduction to using DSA for VLAN configuration, effectively a beginner’s guide to DSA VLANs. Then I tie it together with a good example of creating a managed switch, but nonetheless, that is the video that should be followed for newer versions of OpenWrt for hardware that supports DSA VLANs. The concepts in this beginner video apply to any way you create VLANs, regardless of the tech stack.
If you are experiencing other specific issues, I’d be happy to offer my guidance 😊

Thanks for watching realSushi_official!
That sounds right to me! Devices are the precursors to network interfaces and once made, you can use them to create any network interfaces, wired, wireless or virtual. Creating the bridge interfaces is important to have communication across the interfaces, as opposed to isolating them (without bridge interfaces).
I appreciate you sharing the reddit post as well so others can follow instructions there too.