Adding a new bridge/VLAN to OpenWRT using the LuCI web UI

In this tutorial, I’ll walk you through how you can add a new bridge and/or VLAN to an OpenWRT based router using the LuCI web UI. In my case this is for a Turris Omnia, but the procedure should be similar for other devices. Many explanations (e.g. in the OpenWRT user guide, or the Turris Omnia docs on this topic) focus on the command line or on editing config files, which may be less accessible. I’m assuming you already know what VLANs are, that you already have OpenWRT set up on your router, and that you have access to the LuCI web interface.

As far as I understand it, in OpenWRT you can create Linux bridges to bridge different interfaces together (e.g. to switch packets between a wireless and a wired interface). If you want to send packets out with a VLAN tag, then you can create an appropriately configured subinterface, which will add the IEEE 802.1Q (the VLAN standard) packet header with the VLAN ID.

Create network interface

First, we need an interface which terminates the VLAN on the router. In the top menu bar in LuCI, navigate to Network->Interfaces, and hit the Add new interface button.

Configure the following:

  • Name: something appropriate, e.g. iot
  • Leave the Protocol of the new interface set to Static address (this means you assign the router’s own address on this interface yourself, rather than getting it via DHCP).
  • Tick Create a bridge over multiple interfaces if appropriate, or if in doubt.
  • For Cover the following interfaces, you’ve got a few choices (you can combine them):
    • If you want one specific physical Ethernet interface to be connected to this bridge, choose e.g. lan2 (you probably want to de-select it from whatever bridge it’s currently connected to beforehand, since an interface can only belong to one bridge).
    • If you want 802.1Q-tagged packets going out of a physical interface, enter a custom interface name such as lan1.12 (interface lan1, tagged with VLAN ID 12); OpenWRT creates the tagged subinterface for you.
    • If you want a specific WiFi network to end up in this bridge, select the appropriate radio (sub)interface, e.g. radio0.network2

Hit Submit. This will create the interface and send you to the detailed configuration page.

Interface configuration

The next page allows you to edit more properties of the new interface. First, you probably want to scroll to the bottom of the page and add a DHCP server (I found that hitting this button would reload the page, thus possibly resetting fields you’ve not explicitly saved). Now, go back to the top and configure:

  • The IPv4 address of the router interface, e.g. 192.168.<vlan>.1
  • The IPv4 netmask, e.g. 255.255.255.0.
  • Then click through each of the tabs at the top and the DHCP Server section at the bottom, check whether there’s anything else you want to change, and hit Save & Apply.
  • Lastly, go to the Firewall Settings tab and create or assign a firewall zone by setting the zone name there. You could make this VLAN part of your lan firewall zone, or create a new one, e.g. called iot or whatever you named the network interface. Hit Save & Apply again so the zone assignment takes effect.
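
For reference, here is the UCI configuration that the LuCI steps above end up writing, as an added example rather than the original post’s own config: a bridge named iot over lan2 and the tagged subinterface lan1.12, a static address of 192.168.12.1/24 (an assumed value following the 192.168.<vlan>.1 pattern), a DHCP pool on it, and a WiFi network attached to the same bridge. This is the pre-21.02 syntax in which the bridge is declared inside the interface section, which matches the Cover the following interfaces dialog; OpenWRT 21.02 and later declare bridges as separate config device sections with list ports entries instead. The interface, SSID and key names are assumptions.

```uci
# /etc/config/network (added example, pre-21.02 syntax)
# lan2 joins the bridge untagged; lan1.12 sends and receives frames tagged with VLAN ID 12.
config interface 'iot'
        option type 'bridge'
        option proto 'static'
        option ifname 'lan2 lan1.12'
        option ipaddr '192.168.12.1'
        option netmask '255.255.255.0'

# /etc/config/dhcp: the DHCP server added at the bottom of the interface page.
# Leases 192.168.12.100 to 192.168.12.249 for 12 hours.
config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '150'
        option leasetime '12h'

# /etc/config/wireless: a WiFi network is attached to the bridge through its
# 'network' option, which is what selecting radio0.network2 in LuCI does.
config wifi-iface 'iot_wifi'
        option device 'radio0'
        option mode 'ap'
        option ssid 'iot'
        option encryption 'psk2'
        option key 'change-me-before-use'
        option network 'iot'
```

If you edit these files by hand instead of using LuCI, apply them with /etc/init.d/network reload, /etc/init.d/dnsmasq restart and wifi reload; Save & Apply in LuCI does the equivalent for you.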

Check interface configuration

If you want to check whether your Ethernet subinterface is configured to tag packets, you can run the following command on the router (here for VLAN 23 on lan4, in a bridge named helloworld):

# ip -d link show dev lan4.23
  15: lan4.23@lan4: mtu 1500 qdisc noqueue master br-helloworld state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
      link/ether 01:23:45:67:89:0a brd ff:ff:ff:ff:ff:ff promiscuity 1
      vlan protocol 802.1Q id 23
      ...

The line vlan protocol 802.1Q id 23 confirms that frames leaving lan4.23 are tagged with VLAN ID 23, and master br-helloworld shows which bridge the subinterface has been added to. LOWERLAYERDOWN only means that nothing was plugged into the parent port lan4 when this output was captured.

Firewall

If you created a new firewall zone, go to Network->Firewall. There, set the appropriate default rule actions for your zone (accept/reject/drop for each of input/output/forward).

If you want to be liberal and allow all traffic between your new zone (e.g. iot) and an existing zone (e.g. lan or wan), you can use the inter-zone forwarding settings to set that up. This results in a default ACCEPT rule for traffic from the selected source zone to the selected destination zone. This is useful e.g. if you want to allow servers in your servers zone to fetch updates, run iperf3 against servers on the internet, etc. On the other hand, if you want to be explicit about what you allow or deny, e.g. for IoT devices, then leave zone forwarding off and configure the Traffic Rules manually. You probably at least want the following rules:

  • DNS: TCP+UDP port 53 (responses too large for a UDP datagram are retried over TCP, which is common with DNSSEC)
  • NTP: UDP port 123

OpenWRT’s firewall is stateful: a single rule allowing traffic from iot to wan with destination port 53 is enough, because replies belonging to an established connection are accepted by the default connection-tracking rules, so you do not need a second rule from wan to iot with source port 53 for the return traffic. Also keep in mind that a zone whose input policy is reject or drop blocks traffic to the router itself, so if your IoT devices should get their addresses and name resolution from the router’s dnsmasq, you additionally need input rules (rules with a source zone but no destination zone) allowing DHCP (UDP port 67) and DNS (TCP+UDP port 53) from iot to the router.
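
The firewall side of the same setup, as an added example and not the original post’s configuration: a zone named iot with reject defaults and no zone forwarding, plus the explicit traffic rules discussed above. Because fw3 (and fw4 on 22.03 and later) accept established and related connections by default, each rule is written in the outgoing direction only. The zone, network and rule names are assumptions.

```uci
# /etc/config/firewall (added example)
# Traffic to and through the router from this zone is rejected unless a rule allows it;
# the router itself may still talk to the devices (output ACCEPT).
config zone
        option name 'iot'
        list network 'iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Devices need the router's own dnsmasq for DHCP and DNS.
# A rule with 'src' but no 'dest' applies to traffic addressed to the router (input chain).
config rule
        option name 'iot-dhcp-in'
        option src 'iot'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'iot-dns-in'
        option src 'iot'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'

# Forwarding to the internet: DNS and NTP only. Return traffic is accepted by the
# default RELATED,ESTABLISHED rules, so no reverse wan-to-iot rules are needed.
config rule
        option name 'iot-dns-out'
        option src 'iot'
        option dest 'wan'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'iot-ntp-out'
        option src 'iot'
        option dest 'wan'
        option proto 'udp'
        option dest_port '123'
        option target 'ACCEPT'
```

Everything not matched by these rules, including traffic from iot to lan, falls back to the zone’s REJECT forward policy; if the devices only need external DNS, drop the iot-dns-in rule and point them at a resolver on the internet via the DHCP options instead.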

Notes

As part of my research, I came across the 8021q kernel module, which provides VLAN support. Some guides suggest checking that it is loaded. However, at least on my router, this appears to be compiled in, so it doesn’t show up with lsmod:

# lsmod|grep 8021q
# dmesg|grep 8021q
  [    4.543451] 8021q: 802.1Q VLAN Support v1.8
