OpenWrt Forum Archive

Topic: Simple VLAN config assistance.

The content of this topic has been archived on 25 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,

I am looking to segment my network but I am unable to figure out exactly how to set it all up in OpenWrt. I have read the main wiki page for my router (Archer C7 v2) and other OpenWrt VLAN guides online, but they mostly focus on creating a VLAN for wifi guests. Also, I jacked up my config when attempting it and had to essentially disable VLANs to be able to get back on the internet (I am assuming I tagged WAN with VID 1 when it shouldn't be?).

I am wanting to have 3 VLANs
VLAN1/Default 192.168.1.1/24 (or whatever openwrt has by default, doesn't matter)
VLAN2 192.168.2.0/24
VLAN3 192.168.3.0/24

LAN1 - VLAN1
LAN2 - VLAN1
LAN3 - VLAN1
LAN4 - Trunk port (for VLANs 1,2,3).

VLAN2 and 3 will live exclusively on a switch I would have attached to LAN4.

/etc/config/network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd70:516a:fc1e::/48'

config interface 'lan'
        option ifname 'eth1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option mirror_source_port '0'
        option mirror_monitor_port '0'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 1 2 3 4 5 6'

config route
        option interface 'lan'
        option target '192.168.2.0'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'

Unfortunately I can't post links to screenshots etc., I am guessing because I am a new user. The wiki page for my router seems to show that VLAN2 is a default one and assigned to the WAN port, is this correct? Also I read the page titled "extend_router_ports_managed_switch" in the wiki but it was a little confusing.

(Last edited by fulanodoe on 2 Aug 2017, 05:25)

The router has two CPU ports and 5 Ethernet ports all going into a 7 port switch.

The default configuration uses VLAN1 to switch one CPU port to the 4 "LAN" ports and VLAN2 to send the other CPU port to the "WAN" port.

It is a good idea to be logged in via wifi while changing Ethernet configurations, so you don't lose contact if you mess up.

If you want to use VLAN2 for other reasons, the first thing to do is to change the WAN link VLAN to some other number.  The actual number doesn't matter; it is only used internally by the switch.

Change VLAN1 on the CPU and on the trunking cable port from untagged to tagged.  Make sure you have the correct physical port as the numbering doesn't always line up.  Then create some new VLANs and apply them tagged to the trunk port and the CPU, but nowhere else.

In the network configuration, you will need to refer to the original LAN as eth1.1 instead of eth1.  Don't use plain eth1 anywhere.  Create new network interfaces and attach them to eth1.2 and eth1.3.

The LuCI switch page makes the switch configuration more visually apparent instead of editing the config file directly.

(Last edited by mk24 on 2 Aug 2017, 13:31)

So, I set VLAN1 as tagged on all ports except the ports that had the WAN VLAN as tagged (I set it as off on those). That locked me out of the router and broke networking. I had to use the safe mode method to replace the config with the stuff pasted above. Is VLAN1 supposed to be tagged to all ports except port 6/1 (the wan ports)?

How do I get permission to post images? Would be helpful to be able to post screenshots of LuCI.

The ethernet ports to which you will connect ordinary devices such as a PC or printer must be untagged in one VLAN and off in all the others.  Tagging an ethernet port requires that the device at the other end of the cable be VLAN-aware and properly configured.
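
A pre-apply check for the switch table that the two replies above describe, as an added example that is not part of the original thread. The port map, the WAN VLAN number 4, and the names `parse_vlans`, `audit`, `trunk_ok` and `wan_side` are assumptions made for illustration; the sample table is constructed.

```python
import re
# Constructed target table. Assumed Archer C7 v2 port map (verify on your unit):
# 0 = CPU/eth1, 6 = CPU/eth0, 1 = WAN, 2-4 = LAN1-3, 5 = LAN4 trunk; WAN VLAN is now 4.
TARGET = """
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4 5t'
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5t'
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 5t'
config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '1 6'
"""

def parse_vlans(text):
    """Map VLAN number -> {port: is_tagged} for each switch_vlan section."""
    vlans = {}
    for sec in re.split(r"(?m)^config\s+", text)[1:]:
        if sec.startswith("switch_vlan"):
            opt = dict(re.findall(r"option\s+(\w+)\s+'([^']*)'", sec))
            vlans[int(opt["vlan"])] = {int(p.rstrip("t")): p.endswith("t")
                                       for p in opt["ports"].split()}
    return vlans

def audit(vlans, trunk_ok=(0, 5), wan_side=(1, 6)):
    """Return rule violations; an empty list means the port table passes."""
    issues = []
    for port in sorted({p for m in vlans.values() for p in m}):
        untagged = [v for v, m in vlans.items() if m.get(port) is False]
        tagged = [v for v, m in vlans.items() if m.get(port)]
        if len(untagged) > 1:  # access port must be off in all other VLANs
            issues.append(f"port {port} untagged in VLANs {untagged}")
        if tagged and port not in trunk_ok:  # far end must be VLAN-aware
            issues.append(f"port {port} tagged in VLANs {tagged}")
    for vid, m in vlans.items():  # WAN must not share a VLAN with LAN ports
        if set(m) & set(wan_side) and set(m) - set(wan_side):
            issues.append(f"VLAN {vid} joins WAN and LAN ports")
    return issues

if __name__ == "__main__":
    print(audit(parse_vlans(TARGET)) or "OK")
```

With this table the LAN interface refers to eth1.1 and the new interfaces attach to eth1.2 and eth1.3, as the reply above says. Running the check on a copy of /etc/config/network before applying it catches tagged access ports and a WAN port switched together with LAN ports.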

The discussion might have continued from here.