In this tutorial, I’ll walk you through how to add a new bridge and/or VLAN to an OpenWRT-based router using the LuCI web UI. In my case this is for a Turris Omnia, but the procedure should be similar for other devices. Many explanations (e.g. in the OpenWRT user guide, or the Turris Omnia docs on this topic) focus on the command line or on editing config files, which may be less accessible. I’m assuming you already know what VLANs are, that you already have OpenWRT set up on your router, and that you have access to the LuCI web interface.
As far as I understand it, in OpenWRT you can create Linux bridges to bridge different interfaces together (e.g. to switch packets between a wireless and a wired interface). If you want to send packets out with a VLAN tag, you create an appropriately configured subinterface (e.g. lan1.12), which adds the IEEE 802.1Q (the VLAN standard) header carrying the VLAN ID to every frame it sends and strips it from the frames it receives. Note that a plain bridge does no VLAN filtering of its own: whatever you bridge together (a tagged subinterface, an untagged port, a WiFi network) becomes one broadcast domain.
Create network interface
First, we need an interface which terminates the VLAN on the router. In the top menu bar in LuCI, navigate to Network -> Interfaces, and hit the Add new interface button.
Configure the following:
- Name: something appropriate, e.g. iot
- Leave the Protocol of the new interface set to Static address (this means the router’s address on this network will be static).
- Tick Create a bridge over multiple interfaces if appropriate, or if in doubt.
- For Cover the following interfaces, you’ve got a few choices:
  - If you want one specific physical Ethernet port connected to this bridge, choose e.g. lan2. A port can only belong to one bridge at a time, so you probably want to de-select it from whatever bridge it is currently part of beforehand. A port added this way carries the new network untagged: anything plugged into it is on the VLAN.
  - If you want 802.1Q-tagged packets going out of a port, specify e.g. lan1.12 (port lan1, tagged with VLAN ID 12); OpenWRT creates the VLAN subinterface for you.
  - If you want a specific WiFi network to end up in this bridge, select the appropriate radio (sub)interface, e.g. radio0.network2.
Hit Submit. This will create the interface and send you to the detailed configuration page.
Interface configuration
The next page allows you to edit more properties of the new interface. First, scroll to the bottom of the page and add a DHCP server before touching anything else (I found that hitting this button reloads the page, which can reset fields you have not explicitly saved). Now go back to the top and configure:
- The IPv4 address of the router interface, e.g. 192.168.<vlan>.1
- The subnet mask, e.g. 255.255.255.0.
- Then click through each of the tabs at the top and the DHCP Server section at the bottom, check whether there’s anything else you want to change, and hit Save & Apply.
- Lastly, go to the Firewall tab and Create/assign a firewall zone by setting the zone name there. You could make this VLAN part of your lan firewall zone, or create a new one, e.g. called iot or whatever you named the network interface. If the point of the VLAN is to isolate the devices on it, create a new zone: firewall policy in OpenWRT is per zone, so anything you place in lan is treated exactly like your trusted LAN clients.
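What LuCI writes to disk for the steps above, as an added example that is not from the original post, so you can compare it with what the UI actually saved (uci show network.iot, uci show firewall) or reproduce it over SSH. It assumes the names used above: an interface iot bridging lan1.12 (VLAN 12 on lan1), lan2 untagged and one WiFi network, with the router at 192.168.12.1. It uses the pre-21.02 OpenWRT syntax that the "Create a bridge over multiple interfaces" checkbox corresponds to; on OpenWRT 21.02 and later the bridge is declared in its own config device section and the interface references it with option device 'br-iot'. The SSID and passphrase are placeholders.

```uci
# /etc/config/network
# Added example, not from the original post. Pre-21.02 syntax: the bridge is
# declared directly on the interface; netifd names the Linux bridge br-iot.
# lan1.12 does not have to exist beforehand: a dotted name makes netifd create
# an 802.1Q subinterface of lan1 with VLAN ID 12. lan2 is attached untagged,
# so anything plugged into lan2 is on VLAN 12 without tagging.
config interface 'iot'
    option type 'bridge'
    option ifname 'lan1.12 lan2'
    option proto 'static'
    option ipaddr '192.168.12.1'
    option netmask '255.255.255.0'

# /etc/config/wireless
# Choosing "radio0.network2" in LuCI means this wifi-iface's 'network' option
# points at the new interface. SSID and key are placeholders (assumed values).
config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option ssid 'iot'
    option encryption 'psk2'
    option key 'change-this-passphrase'
    option network 'iot'

# /etc/config/dhcp
# What the "Setup DHCP Server" button adds: leases 192.168.12.100-249 for 12h.
config dhcp 'iot'
    option interface 'iot'
    option start '100'
    option limit '150'
    option leasetime '12h'

# /etc/config/firewall
# A zone of its own, so the VLAN gets its own policy instead of inheriting lan's.
# input:   traffic from the zone to the router itself (with REJECT, DHCP and
#          DNS to the router need explicit rules)
# output:  traffic from the router into the zone
# forward: traffic forwarded between interfaces inside this zone; traffic to
#          other zones is only what forwarding sections or rules allow
config zone
    option name 'iot'
    option network 'iot'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
```

Apply with /etc/init.d/network reload and /etc/init.d/firewall reload (Save & Apply in LuCI does the same). Keep in mind that lan2 and lan1.12 end up in the same br-iot broadcast domain: the untagged port is simply another way into VLAN 12.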
Check interface configuration
If you want to check whether your Ethernet interface is configured to tag packets, run the following on the router. The vlan protocol 802.1Q id 23 part confirms the tagging, and master br-helloworld shows which bridge the subinterface has been attached to:
```
# ip -d link show dev lan4.23
15: lan4.23@lan4: mtu 1500 qdisc noqueue master br-helloworld state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
    link/ether 01:23:45:67:89:0a brd ff:ff:ff:ff:ff:ff promiscuity 1
    vlan protocol 802.1Q id 23 ...
```
Firewall
If you created a new firewall zone, go to Network -> Firewall. There, set the appropriate default rule actions for your zone (accept/reject/drop for each of input/output/forward). Input covers traffic from the zone to the router itself, output covers traffic from the router into the zone, and forward covers traffic forwarded between interfaces within the zone; traffic into other zones is governed by the inter-zone forwarding settings and traffic rules described next.
If you want to be liberal and allow all traffic from your new zone (e.g. iot) to an existing zone (e.g. lan or wan), you can use the inter-zone forwarding settings to set that up. This adds a blanket ACCEPT for forwarded traffic from the selected source zone to the selected destination zone. It is one-directional: connections initiated from the destination zone back into the source zone need their own forwarding entry (replies to connections that were already allowed get through regardless). This is useful e.g. if you want servers in your servers zone to fetch updates, run iperf3 against hosts on the internet, etc. On the other hand, if you want to be explicit about what you allow/deny, e.g. with IoT devices, it is best to configure the Traffic Rules manually. You probably at least want the following rules:
- DNS: TCP+UDP port 53 (DNSSEC for example may use TCP)
- NTP: UDP port 123
Configure them as rules from iot to wan with destination port 53 and 123 respectively. OpenWRT’s firewall is stateful: reply packets belonging to a connection it has already accepted are let back in, so you do not need a matching wan-to-iot rule for the return traffic. A stateless return rule (wan to iot, source port 53) would in fact open a hole, since anyone on the internet can send packets from source port 53. Two further points: the DNS rule to wan only matters for devices that use a hardcoded public resolver (by default DHCP hands out the router itself as resolver), and if you set the zone’s input policy to reject or drop you must also allow DHCP (UDP 67) and DNS (53) from iot to the router itself, or the devices will not get a lease or resolve names.
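The rules from this section as a firewall config, an added example that is not taken from the original post. It assumes the iot zone from the earlier example (input and forward set to REJECT) and that your internet-facing zone is called wan; the servers zone in the last stanza is the hypothetical trusted zone mentioned above and must exist as a zone for that section to resolve. Because input REJECT also stops devices from talking to the router itself, the example starts with the two rules needed to obtain a DHCP lease and to use the router as resolver.

```uci
# /etc/config/firewall (added example, not from the original post)

# Rules with a 'src' but no 'dest' match traffic to the router itself (the
# zone's input chain). With input REJECT on the iot zone these are required,
# otherwise devices get no DHCP lease and cannot use the router as resolver.
config rule
    option name 'Allow-IoT-DHCP'
    option src 'iot'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'

config rule
    option name 'Allow-IoT-DNS-router'
    option src 'iot'
    option proto 'tcp udp'
    option dest_port '53'
    option target 'ACCEPT'

# Rules with both 'src' and 'dest' match forwarded traffic. Only the outbound
# direction is listed: the firewall is stateful and lets replies back in, so no
# wan -> iot rule with source port 53 or 123 is needed. Such a rule would let
# anyone on the internet reach the IoT devices simply by sending from that port.
config rule
    option name 'Allow-IoT-DNS-out'
    option src 'iot'
    option dest 'wan'
    option proto 'tcp udp'
    option dest_port '53'
    option target 'ACCEPT'

config rule
    option name 'Allow-IoT-NTP-out'
    option src 'iot'
    option dest 'wan'
    option proto 'udp'
    option dest_port '123'
    option target 'ACCEPT'

# Nothing above allows iot -> lan, and forwarding between zones is only what
# forwarding sections or rules permit, so IoT devices cannot reach hosts on the
# trusted LAN. The reverse (lan -> iot) likewise needs a forwarding section or
# rule before LAN clients can reach the IoT devices.

# The "liberal" alternative described above for a trusted zone: a one-way
# blanket ACCEPT for everything forwarded from servers to wan. Assumes a zone
# named 'servers' is defined elsewhere in this file.
config forwarding
    option src 'servers'
    option dest 'wan'
```

Check the result with fw3 print (fw4 print on OpenWRT 22.03 and later), which prints the generated chains: rules with only src appear in the zone’s input chain, rules with src and dest in its forward chain.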
Notes
As part of my research, I came across the 8021q kernel module, which provides VLAN support. Some guides suggest you check that it’s loaded. However, at least on my router, this appears to be compiled into the kernel, so it doesn’t show up in lsmod, although dmesg shows it being initialised:
```
# lsmod|grep 8021q
# dmesg|grep 8021q
[    4.543451] 8021q: 802.1Q VLAN Support v1.8
```