OpenWrt VLAN setup guide using LUCI for IOT and Wireless with DSA
In this easy to use step by step tutorial I will show you how to setup a basic VLAN on your OpenWrt router using LUCI. For help with advanced VLAN setup refer to OpenWrt forums or OpenWrt website since this example isolates an Ethernet port for VLAN use. In this example I want to isolate my Ethernet port 3 for my NVR system this way my NVR cannot access the Internet (WAN) and my local network (LAN). This tutorial applies to OpenWrt version 21.02 and newer since the new version uses DSA for network interfaces. Keep in mind I am not a networking expert so use this guide at your own risk.
1. To setup VLANs for OpenWRT go to Network > Devices.
2. Now edit br-lan by clicking Configure
3. Now I want to set my Ethernet port 3 as VLAN for my NVR. In General device options go to Bridge ports dropdown and uncheck your Ethernet port 3 and Save.
4. Now switch over to interfaces tab and click the button Add new interface and add your desired Name = NVR, Protocol = Static address, Device = lan3 and Create interface.
5. Now edit the newly created interface with your new desired subnet range and netmask (255.255.255.0).
6. Now switch over to Firewall Settings tab and create a new firewall zone for your VLAN. Type a new name for your firewall zone (NVR) and press enter.
7. Now switch over to DHCP Server tab and Set up DHCP Server for your VLAN interface. You can accept the default values for your DHCP server.
8. Now go to Network > Firewall and edit your VLAN firewall zone as shown. Edit your LAN zone to include forwarding to NVR zone this way your LAN clients can access the NVR zone. Click the Edit button and go to Allow forward to destination zones drop down menu and check your VLAN zone (NVR) along with wan zone.
9. Save and apply and you should have a working VLAN on Ethernet port 3 isolated from your LAN and WAN.
Additional configuration
If you are planning on adding your VLANs with the Internet access then some additional settings are required.
a. On your VLAN zone (NVR) click the Edit button and go to Allow forward to destination zones drop down menu and set the destination zone as wan and save, now your VLAN zone can access the Internet but not LAN.
Adding WiFi to your VLAN is also very easy for Internet isolation or your guest network.
a. Just edit your Wireless access and select your VLAN interface from Network drop down list and now you have a guest network.
Hopefully this guide is easy enough for setting up VLANs for your OpenWrt router. Let me know if you have any comments or if there is any bug or error in this guide.