VLANs are an important part of any advanced network and while DD-WRT is capable of such setups it isn’t as easy and obvious as it should be. In this article I explain, in simple terms and with examples, how you can set up VLANs on a R7000 or any other DD-WRT router.
Before we start you should be aware of how VLANs work in general, more specifically the following topics:
- What’s a trunked port and the difference between a tagged and untagged port;
- What is the PVID;
- The DD-WRT VLAN UI (Switch Config) is useless for most configurations;
- How your DD-WRT VLAN router works; check my Netgear R7000 block diagram;
- What a network bridge is and how it works.
Take your time to read through the topics above because they’re vital to ensure your VLAN configuration is quick, painless and secure.
⚠️ Poorly managed setups may expose you to real security issues such as leaking your LAN traffic into the public internet and/or allowing anyone on the Internet to connect to your local devices. ⚠️
Checking Your VLAN Configuration
The swconfig command can be used to view how the VLANs are currently configured and other router details:
# swconfig dev switch0 help
switch0: bcm53011(BCM53012), ports: 9 (cpu @ 5), vlans: 4096
Besides the model of the switch chip there are two important pieces of information in the output: first it tells us that the CPU is connected to the internal port 5 (yours may differ), and second that the switch can have up to 4096 VLANs.
# swconfig dev switch0 port 1 show
Port 1:
(...)
disable: ???
pvid: 1
link: port:1 link:up speed:1000baseT full-duplex auto
The command above allows us to query a specific port on the switch. In this case we found out that the physical port 1 (labeled on the router) is connected and has a PVID of 1. The PVID of a port is the VLAN id that will be assigned to any incoming untagged traffic entering that port.
# swconfig dev switch0 vlan 1 show
VLAN 1:
ports: 0 1 2 3 4 5t
For outgoing traffic we have the ability to set it as tagged or untagged as well.
In this case VLAN 1 is set to untagged on all ports except for the 5th one (the CPU port). This means that traffic leaving port 1 will be untagged.
Important: on DD-WRT you’re almost always required to set all VLANs as tagged on the CPU port.
Setting VLANs and Ports
# swconfig dev switch0 set enable_vlan 1
# swconfig dev switch0 set apply
# swconfig dev switch0 vlan 1 set ports '1 2 3 4 5t'
# swconfig dev switch0 port 4 set pvid 1
# swconfig dev switch0 vlan 30 set ports '4t 5t'
# swconfig dev switch0 set apply
What I’m doing here is setting VLAN 1 as untagged on all ports, while port 4 additionally carries VLAN 30 tagged. I’m also specifying that any untagged traffic that reaches port 4 should be automatically assigned to VLAN 1. On the CPU port (5) VLAN 30 is also present as tagged.
I guess after this example you’ll understand how it works and be able to adapt to your needs. You can then use the UI to create bridges for your VLANs and decide what is bridged into what.
Persisting VLAN Setups
If you reboot your router you may lose your setup; however, you can go into Administration > Commands and add it at the beginning of your startup commands.
The Magic CPU Port
I also don’t understand the CPU port, would I have to assign it to all my custom VLANs as well?
~ mawesome4ever
Well, it really depends on your goals. Do you want the CPU to see the traffic or not?
There are two scenarios:
1. “Dumb switch”: You want to set ports 1 and 2 as an isolated switch, separate from the rest of the network. Remove those ports from VLAN 1 and add them to VLAN 200. Don’t add VLAN 200 to the CPU port:
# swconfig dev switch0 vlan 1 show
VLAN 1:
ports: 1 2 3 4 5t
# swconfig dev switch0 vlan 1 set ports '3 4 5t'
# swconfig dev switch0 vlan 1 show
VLAN 1:
ports: 3 4 5t
# swconfig dev switch0 vlan 200 set ports '1 2'
# swconfig dev switch0 port 1 set pvid 200
# swconfig dev switch0 port 2 set pvid 200
# swconfig dev switch0 set apply
# swconfig dev switch0 vlan 200 show
VLAN 200:
ports: 1 2
In this scenario ports 1 and 2 are configured as a “dumb switch”: the router will not see the traffic and the software has zero control over it, so the ports are totally isolated from everything else.
Note that I’ve set the PVID on the ports as 200 to make sure that incoming traffic is tagged internally as VLAN 200 as well.
2. Routing: e.g. provide Internet on the ports or enable access to something. In that case you need to tag the VLAN on the CPU port so the CPU will see the traffic:
(similar to before but with tagging enabled on the CPU port)
# swconfig dev switch0 vlan 200 show
VLAN 200:
ports: 1 2 5t
Don’t forget to set the PVID for those ports, otherwise incoming untagged traffic won’t get into the VLANs.
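The two rules this section relies on (a VLAN must be tagged on the CPU port for the router to see it, and a port’s PVID must be a VLAN the port is an untagged member of) can be checked from a shell on the router. Below is an added example of such a check, written for this article and not part of DD-WRT or the original post; it works on constructed sample strings shaped like the `swconfig ... show` output above, and on a real box you would replace those strings with the actual command output and set CPU_PORT to what `swconfig dev switch0 help` reports.

```shell
#!/bin/sh
# Audit helpers for a swconfig VLAN table. The two strings below are constructed
# samples shaped like `swconfig dev switch0 vlan N show` and the pvid line of
# `swconfig dev switch0 port N show`; they are not captured from a router.
CPU_PORT=5

SAMPLE_VLANS='VLAN 1:
ports: 3 4 5t
VLAN 30:
ports: 4t 5t
VLAN 200:
ports: 1 2'

# "port pvid" pairs; port 2 deliberately still has the default PVID of 1
SAMPLE_PVIDS='1 200
2 1
3 1
4 1'

# vlan_ports ID: print the member list of VLAN ID (e.g. "3 4 5t")
vlan_ports() {
  printf '%s\n' "$SAMPLE_VLANS" | awk -v id="$1" '
    $1 == "VLAN" && $2 == (id ":") { found = 1; next }
    found && $1 == "ports:" { sub(/^[ \t]*ports: */, ""); print; exit }'
}

# cpu_sees ID: succeed if VLAN ID is tagged on the CPU port, i.e. the router
# software can route or bridge it (a "dumb switch" VLAN intentionally fails)
cpu_sees() {
  for p in $(vlan_ports "$1"); do
    [ "$p" = "${CPU_PORT}t" ] && return 0
  done
  return 1
}

# pvid_ok PORT PVID: succeed if PORT is an untagged member of VLAN PVID, which
# untagged ingress on PORT needs in order to actually land in that VLAN
pvid_ok() {
  for p in $(vlan_ports "$2"); do
    [ "$p" = "$1" ] && return 0
  done
  return 1
}

# audit_pvids: one line per port whose PVID does not match its untagged membership
audit_pvids() {
  while read -r port pvid; do
    pvid_ok "$port" "$pvid" ||
      echo "port $port: pvid $pvid but not an untagged member of VLAN $pvid"
  done <<EOF
$SAMPLE_PVIDS
EOF
}
```

With the sample above, `audit_pvids` reports port 2 (PVID 1 but no longer in VLAN 1), and `cpu_sees 200` fails because VLAN 200 is the isolated “dumb switch” VLAN.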
Routing and Internet Access on VLANs
Now, if you chose the second scenario those ports still won’t have Internet or access to anything on the LAN, because even though the CPU sees the traffic you haven’t configured anything to do with it. This is what bridges are for (among other things).
In short Bridges act like virtual switches and can be used to “merge” traffic between physical ports or VLANs.
# brctl show
bridge name     bridge id           STP enabled     interfaces
br0             8000.b0..........   yes             eth1
                                                    eth2
                                                    vlan1
By looking into the bridge assignments with the command above you can see that the router has a br0 which holds your private network / LAN and the Wi-Fi. The router is placing the Wi-Fi interfaces (eth1 and eth2) and the LAN (vlan1) on the same bridge, making it so your Wi-Fi devices can access devices wired to your LAN ports and vice versa.
You may notice that there’s no WAN (vlan2) referenced above and that’s intentional: you don’t want all your br0 private traffic to end up on the Internet nor all Internet traffic to reach your private network.
The flow of packets between br0 (private net) and vlan2 (WAN/Internet) is managed by routing with firewall rules that essentially say “if any device wants to access an IP outside of the range of the private network then NAT those packets and send them to the vlan2 interface”.
The simplest way to provide Internet/network access to VLAN 200 is to add it to br0:
brctl addif br0 vlan200
Note that bridge assignments can also be managed in the UI under Setup > Networking.
While this setup works be aware that this will make every device in your LAN be able to access devices in VLAN 200 and vice versa.
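Because the `brctl show` listing is the place where a WAN-in-bridge mistake would show up, here is an added check over that output (written for this article, not part of DD-WRT): it parses the continuation-line layout brctl uses for the second and later interfaces of a bridge, lists a bridge’s members, and flags any bridge that contains the WAN VLAN. The two listings are constructed samples, one as br0 looks after `brctl addif br0 vlan200` and one where vlan2 was wrongly added; the bridge id is a made-up value.

```shell
#!/bin/sh
# Checks over `brctl show` output. Both samples are constructed, not captured.
WAN_IF=vlan2   # the WAN VLAN on the page; no bridge should ever contain it

GOOD_BRCTL='bridge name bridge id STP enabled interfaces
br0 8000.b0aabbccddee yes eth1
eth2
vlan1
vlan200'

# same layout, but vlan2 has been added to br0 by mistake
BAD_BRCTL='bridge name bridge id STP enabled interfaces
br0 8000.b0aabbccddee yes eth1
eth2
vlan1
vlan2'

# bridge_members TEXT BRIDGE: print BRIDGE's interfaces, one per line. brctl
# puts the first interface on the bridge line and the rest on lines of their own
# (tab- or space-separated; awk's default field splitting handles both).
bridge_members() {
  printf '%s\n' "$1" | awk -v br="$2" '
    NR == 1 { next }                                        # header line
    NF >= 3 { cur = $1; if (NF == 4 && cur == br) print $4; next }
    NF == 1 && cur == br { print $1 }'
}

# wan_leak TEXT: print every bridge that contains WAN_IF; exit 0 if any was found
wan_leak() {
  printf '%s\n' "$1" | awk -v wan="$WAN_IF" '
    NR == 1 { next }
    NF >= 3 { cur = $1; if (NF == 4 && $4 == wan) { print cur; found = 1 }; next }
    NF == 1 && $1 == wan { print cur; found = 1 }
    END { exit !found }'
}
```

On the router itself you would feed the real listing in with `wan_leak "$(brctl show)"` from the startup commands and treat any output as a misconfiguration to fix before the router is exposed.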
Advanced Scenarios and Further Reading
Now that you know the basics and have a working VLAN setup you can read the official VLAN Detached Networks (Separate Networks With Internet) guide in order to find out how to create individual networks that can’t see each other but that can still browse the Internet, or how to enable cross-VLAN communication for just a few specific devices.