Use DD-WRT to set up a VLAN and Virtual Wifi for IoT devices 

DevbaseMedia

Don't trust your Internet of Things devices on your main network? You don't have to! Learn how to use DD-WRT to set up a secure VLAN for both hardwired and wifi devices.
Firewall config:
# block anything that falls through (just a precaution)
iptables -I FORWARD -i br+ -o br+ -j DROP
# deny iot network access to any other networks
iptables -I FORWARD -i br1 -o br+ -j DROP
# allow private network access to any other networks
iptables -I FORWARD -i br0 -o br+ -j ACCEPT
# push RELATED/ESTABLISHED rule back to top of chain
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
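
The rule order those five commands produce, as an added example that is not part of the original video description: a POSIX shell model that replays the -I/-D operations and reports the first rule a packet matches. It starts from an empty FORWARD chain, and using vlan2 as the WAN interface name is an assumption.

```shell
#!/bin/sh
# Added example: replay the description's rules into a model FORWARD chain and
# report which rule a packet hits first. Starts from an empty chain (assumption).

# Constructed input: the five commands above without the leading "iptables".
RULES='-I FORWARD -i br+ -o br+ -j DROP
-I FORWARD -i br1 -o br+ -j DROP
-I FORWARD -i br0 -o br+ -j ACCEPT
-D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'

NL='
'

# build_chain RULES: print the resulting chain, top rule first.
# -I inserts at the top; -D removes the first identical rule, if there is one.
build_chain() {
    chain=""
    while IFS= read -r line; do
        op=${line%% *}
        spec=${line#* FORWARD }
        case $op in
            -I) chain="$spec${chain:+$NL$chain}" ;;
            -D) chain=$(printf '%s\n' "$chain" |
                    awk -v s="$spec" '!hit && $0 == s { hit = 1; next } { print }') ;;
        esac
    done <<EOF
$1
EOF
    printf '%s\n' "$chain"
}

# iface_match PATTERN NAME: a trailing "+" in iptables is a prefix wildcard.
iface_match() {
    case $1 in
        *+) case $2 in "${1%+}"*) return 0 ;; esac; return 1 ;;
        *)  [ "$1" = "$2" ] ;;
    esac
}

# verdict IN OUT STATE: print the target of the first matching rule, or
# POLICY when no rule from the description matches the packet.
verdict() {
    pkt_in=$1 pkt_out=$2 pkt_state=$3
    rules_now=$(build_chain "$RULES")
    while IFS= read -r spec; do
        in_if="" out_if="" states="" target=""
        set -- $spec
        while [ $# -gt 0 ]; do
            case $1 in
                -i) in_if=$2; shift ;;
                -o) out_if=$2; shift ;;
                --state) states=$2; shift ;;
                -j) target=$2; shift ;;
            esac
            shift
        done
        # An unspecified -i/-o/--state matches everything.
        [ -z "$in_if" ] || iface_match "$in_if" "$pkt_in" || continue
        [ -z "$out_if" ] || iface_match "$out_if" "$pkt_out" || continue
        if [ -n "$states" ]; then
            case ",$states," in *",$pkt_state,"*) ;; *) continue ;; esac
        fi
        echo "$target"
        return 0
    done <<EOF
$rules_now
EOF
    echo POLICY
}

echo "FORWARD chain, top rule first:"
build_chain "$RULES"
# br0 = private bridge, br1 = IoT bridge, vlan2 = WAN (assumed name)
for pkt in "br1 br0 NEW" "br0 br1 NEW" "br1 br0 ESTABLISHED" "br1 vlan2 NEW"; do
    set -- $pkt
    echo "$1 -> $2 ($3): $(verdict "$@")"
done
```

On the router, compare the model with the output of iptables -vnL FORWARD --line-numbers. FORWARD only sees routed packets, so traffic from br1 to the router's own addresses is decided in the INPUT chain and is not covered by these rules.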

Published: 14 Jan 2021

Comments: 168
@DataRebelYXX 3 years ago
FINALLY - someone who actually can talk about home VLANs without mentioning Ubiquiti. I do have one question though. Is it necessary to reserve an ethernet port on the router for the IoT VLAN, or can you just do it with WiFi only? I don't have any ethernet IoT devices (all WiFi) so I wasn't sure about this point. Thanks - great video!
@DevbaseMedia 3 years ago
I haven't done a wifi-only IoT subnet personally, but I believe it should be perfectly possible. You would associate the virtual wifi with the bridge you've created for the IoT network. So, you'd still create the IoT bridge, you'd just skip the step in the video where I assigned the LAN ports. Again, haven't done it personally, but try it out :)
@ZtowhyA 3 years ago
still works for me all Virtual AP same concept.
@halfdanknudsen6055 1 year ago
THANK YOU!!! Hours of rummaging around forums and you managed to actually explain it
@srotkiske 3 years ago
Man this was perfect thank you for posting. Different router model but same software!
@i-see-right-through-you 2 years ago
Very clear explanation of the steps! Thank you.
@JimNicholsMotorManiaGarage 2 years ago
I had spent days looking for a way to isolate IP cameras from other computers on my lan. This is great thank you so much for taking the time to make this video.
@greatestunknown 3 years ago
Thumbs UP! Just what I was looking for. In my case, my cameras don't even need the internet, but I can handle that leveraging off of the firewall script.
@nathanielkswas 2 years ago
Thank you so much! I wanted to repurpose my TP-Link Archer A7 for IoT instead of purchasing Ubiquiti and this solves that problem wonderfully!
@putinBshootin 1 year ago
Great video, I plan on installing dd-wrt on my old router this week. Keep up the great videos!!!
@rcollins0618 4 months ago
Wow. Concise, to the point, exactly what I was looking for. Thank you.
@MalanTp 3 years ago
Very clear and well explained, thank you :)
@AwesomeOpenSource 3 years ago
Really Excellent. I've been looking at DD-WRT after being away for a while, and I want to use it to replace my Eero Mesh. I see some tutorials on setting up Mesh with DD-WRT, and I would love to make sure there's also VLANs that I can setup, so thank you for this. Really great stuff. Subscribed.
@mathbee 3 years ago
This is not the most intuitive interface. Thanks a lot for making the video and explaining the pitfalls (like default vlan0 going away when you added the others -- which is what got me)
@likethis254qw 3 years ago
This is the god of explanations right here. thanks
@shank19jsr 3 years ago
Great Video.. This is exactly what I was looking for long. Conceptually we understand what needs to be done but this hands on real demo helped a lot.
@DevbaseMedia 3 years ago
Glad it was helpful!
@daverave999 2 years ago
Very good, thanks. Played with this a few years back for a VPN-only SSID and couldn't get it to work. Reckon I could now after watching this video!
@rafalboni3595 1 year ago
Thanks for writing this up! I had a slightly more complex use case (secondary AP behind main DD-WRT router) and wanted to VLAN all the IoT devices which connect to the secondary router. Once I realized that STP config was causing ports on my core switch to get disabled (because I had STP on on all the bridges on both primary router and secondary AP, likely with default priorities, etc. so that probably looked like a loop to the switch), but eventually got it working. It's worth noting that versions of DD-WRT v3.0-r48646 (on routers with enough flash) also have the ability to reflect mDNS between different networks, which can help put even your Google home / Alexa speakers on a VLAN... in my case I also needed that to isolate my ESPHome devices from the LAN where the Home Assistant system sits and still be able to access them via HA.
@csmath 1 year ago
Thank you so much for this great video! The issue I was having that made me seek out this video was that trying to change the switch config would either disable internet access or LAN access completely. I ended up just restoring to factory settings and starting from scratch. I'm running r48971 on a Buffalo WZR-600DHP2, so my config pages looked a little different, but other than that I was able to follow along. One thing I noticed is that my switch config had the LAN ports on VLAN1 and the WAN port on VLAN2. I didn't want to mess with it again, so I just created VLAN 3 and it worked like a charm. I'm doing WFH, so it'll be nice to keep my work computer (and IOT devices) separated from the rest of my network.
@takakazushi6703 1 year ago
Fantastic Video Chris. It worked like a charm on my 3200WRT on my first shot. Thanks a lot for making the video and explaining so well. Want a challenge? Demonstrate doing the exact same thing using OPNsense (or pfSense) on a 6 port Protectli vault. Because DDWRT development seems to be stalling, particularly with WiFi 6 - I'm being forced into the xxSense wilderness. A pity as DDWRT is the work of Gods!
@HansLaros 6 months ago
Flawless tutorial. Thank you so much!
@toocanad 2 years ago
Nice job. Perfect for my use case. Thanks.
@funkadellicd 2 years ago
Literally spent all day trying to figure this out and was just about ready to use my router as a sporting clay....THANK YOU!!!!!
@goodwinml 1 month ago
20 yard target practice with Kimber!
@ytmshari 1 year ago
I've been looking for days man, thanks!
@KcinRekab 1 month ago
Absolutely amazing tutorial! Straight to the point and easy to follow along with. The only issue I was having is that the IoT VLAN didn't have access to the internet. I could connect to the WiFi network and communicate with local devices just fine, but I had no internet access. After some troubleshooting and forum reading, I found the fix was to go under Setup > Networking > and then all the way down under, "Network Configuration br1 - IoT Network" I had to enable, "Masquerade / NAT" and then I had internet access! Hope this helps someone who may be experiencing the same issues
@Techisol 1 year ago
This video helped me understand vlan in dd-wrt. thanks bro! You deserve a like and comment, and subscribed
@aldojoseaguileramekin1681 1 year ago
Simple, clear and very helpful!!!
@DrBDIY 3 years ago
Just in time. Getting ready to make some wrt vlans from old routers.
@jiojiri 1 year ago
Great video. I will put this knowledge to good use, I promise.
@andrerollins9894 3 years ago
Just what I was looking for today- thx!
@DevbaseMedia 3 years ago
Glad I could help!
@aanm7 11 months ago
Found a cheap Cisco Linksys E1200 v2 at a Renaissance, 5.25 $CAD; installed dd-wrt (can't get the exact version I installed now, but was June / July 2023) and setup was similar to this. It's key to do CTRL-Shift-R to refresh and ensure settings were saved as many times the UI won't reflect the real settings. Also the VLAN (Switch) page in the video doesn't show a CPUPORT checkbox that needs to be enabled for all VLANs, for the ports to work.
@senkottuvelan 3 years ago
Thank you a 1000000 times ❤️🎉
@Quafley 3 years ago
Thank you very much! :) I will get going right away, been searching around and there is a lot of older videos.
@DevbaseMedia 3 years ago
Happy to help. I'll admit I'm not a network guy and it took me awhile to piece this together. Hope this works out for you!
@Polpolowiec 3 years ago
@DevbaseMedia After setting up the firewall, should I be able to get to 192.168.0.1 or 192.168.1.1 from the IoT wifi network? From what I can see, I can't access any device with 192.168.0... except the router's admin panel. My router is behaving a bit strange. Do you know any solution? Thank you in advance for your answer :)
@DevbaseMedia 3 years ago
What I have noticed is when I'm on an IoT subnet, I can only get the admin console from the subnet ip address (if the firewall rules are in place, that is). In the video example, when I'm on the 192.168.107.x subnet, I can get the admin console at 192.168.107.1, but I can't get it at 192.168.1.1 (because the firewall rules restrict my ability to see the main subnet).
@Polpolowiec 3 years ago
@DevbaseMedia For me it works weird, because when I am on subnet 192.168.107.x I can reach the dd-wrt admin panel with the address 192.168.0.1 and 192.168.107.1 but I cannot reach any other device for example 192.168.0.2, 192.168.0.4. Could you post a link to the forum topic where you got this config?
@DevbaseMedia 3 years ago
Hi. The 107 subnet *shouldn't* be able to see any other devices - it should only have access to the internet (so it's totally isolated). With that said, there is no reason a subnet needs to be restricted like that (you are right it's enforced by firewall rules). Here is the original forum post where I explained how I did my VLANs, and the helpful reply for the firewall rules. Note that my *media* subnet (192.168.50.x) was specifically set up to have access to the main network, that is possibly what you are looking for: forum.dd-wrt.com/phpBB2/viewtopic.php?p=1212560#1212560 Let me know if you need more info
@nemmy. 3 years ago
Thanks for the great video
@rewanthtammana 1 year ago
Fantastic one. Thanks a ton 🥳
@ShivanandChanderbally 10 months ago
Thanks so much for this!
@bruceice 3 years ago
Great video, thanks for a great explanation and walk-through. I followed everything and everything works except when I add my VAPs to br1, I lose DHCP on the VAP but LAN port 4 still works
@Oakey38 2 years ago
I had a similar problem. If I tried to add any VAP to a bridge, the VAP would stop working. However in my case updating the firmware to v3.0-r47900 std from 12/20/21 fixed my issues. Although I did have to do a factory reset after upgrading.
@MrGeorgeDrummer 6 months ago
@Oakey38 same issue here stuck still at the VAP. giving me incorrect password no matter what.
@marcsoubliere6186 3 years ago
Most importantly, thank you. Plugging into the new vlan port initiates a new subnet ip, however putting the connection back still recognizes the device/computer as that new subnet ip, that is until the provided firewall commands are applied. (My router ASUS RT-AC66U)
@Migueloofficialpr 6 months ago
Good Job I Think you did well and explain very good
@alexandragroza2611 2 years ago
Genius! Thank you!
@adifoto6362 3 years ago
Thanks for the video.
@PlanetMezz 3 months ago
thank you.. great video
@kernel-panic7538 2 years ago
Anyone who knows anything about the E4200 on DD-WRT is that the default VLAN assignments were wrong for quite some time. VLAN 2 is WAN, VLAN 1 is LAN. You have to correct this FIRST via webUI, save, and reboot. Prime example of someone not doing enough research before creating a how-to video.
@asthmatic2455 2 years ago
Great video. Thank you very much. I have 1 question - can you tell me (or show video) - is it possible to set direct access from the internet (from the provider) on this (or any dd-wrt) router, for example, on port 1 and 2, and to set wireguard on ports 3 and 4, for example?
@jeucedahn 8 months ago
Hi! Thanks a lot it was very helpful
@francoisgirard6725 2 years ago
This was a superb instructional video - thanks for taking the time to make it! I am struggling, however, with WAN/Internet access from the VLAN and VAP. I must be missing a route, bridge setting or some other parameter. Even if I remove all of the IPCHAIN firewall commands, and if I run traceroute, there doesn't seem to be a route to the outside. What have I missed? Found it - you need to enable Masquerade/NAT under the Setup->Network Configuration for br1!
@mihaitutuian2859 2 years ago
Hello, what build are you running? I have 47495 and after I create a bridge, even if I create a firewall rule or not, assign an interface to that bridge or not, my wan network shows that it is connected, but I have no internet access. After I delete the bridge and reboot the router, everything works like normal. Thank you.
@Fallenflamez 2 years ago
@mihaitutuian2859 Same issue, figured it out. Setup > Networking > Port Setup > WAN Port Assignment (change this to vlan1).
@LostJediJC 1 year ago
thanks this helped me big time
@evertythingtechrelated9715 3 years ago
Great video. I have Pfsense as my main router and 3x ddwrt AP. I'll try vlans soon, but is there a way to create a mesh system; then use vlans to segment?
@mAjje88 3 years ago
Great vid. Thanx
@Sleepless4Life 1 year ago
Hey! So if I wanted to create a vlan just for Wifi for my security cams and untrusted devices, do I have to add new passwords and SSID again for that particular vlan after set up? My cams are annoying to set up wifi on. I'd rather keep those settings on the cams and then change them on my main wifi network for trusted devices. For extra security. But what if I keep same SSID/password on both networks will that be worse? Just askin', I rather not change anything besides two separate networks, but I will if I must. Sorry if this is super simple. But this vid was exactly what I needed. Very good!
@davewhool3091 1 year ago
Well, I would like to say very, very interesting for sure I do like solid security however it will take sometime for me to configure these settings however I'm more interested in the wireless settings for now. Are the wireless interfaces and virtual interfaces under wireless settings similar? One more secure than the other? I would like to put my Amazon Fire Stick on the wireless virtual however I keep it hidden from broadcasting (maybe being more secure) but it will not connect that way since hidden. Amazon device wants to see the device to connect to it I'm not sure if this would be wise move or not. Is there another secure way to keep streaming device in their own WIFI zone I guess separate from others? Thanks for the video.
@blanked_out_chin 2 years ago
Do you think setting up a managed switch with VLAN is enough to keep IoT devices from talking to trusted devices on my home network or would I need to have a firewall setting? my setup internet>router>managed switch: port 1 (router), port 2-4 trusted devices, port 5 (another 5 port unmanaged switch of IoT devices)
@stevewalker9066 3 years ago
Do you need to create a different SSID for your IoT untrusted devices? Should the IoT SSID be hidden?
@Andcoly 1 year ago
@DevbaseMedia As far as I can tell, I've got your solution working (thank you!), but I was hoping you could help with a couple things? First, oddly, I cannot ping (from a terminal/cmd) anything on br1 from anything on br0. I can however remote desktop from br0 devices to br1 devices, so br0 can obviously talk to br1... just not ping it (also cannot remote from br1 to br0, so that seems to work as desired.) It's a small thing, but makes me very curious why? Additionally, the GUI has changed quite a bit in the newer beta versions. Wondered if you'd consider doing an updated video? Was hoping the newer interfaces would allow you to achieve the same result using the gui - maybe tagging? - without the need to manually write the firewall rules?
@verygoodbrother 2 years ago
I have a pfsense firewall already. So if i set the router running DD-WRT into AP mode will the VLAN function still work? Essentially for my scenario, the WAN in your setup will act as a trunk access and pfsense will manage the firewall rules?
@brierepooc8987 1 year ago
Wish I would have had this video sooner, guess I’ll try it with my new nighthawk.
@erpece 9 months ago
Thanks!
@niighthawk21 3 years ago
Also I have an AP point (Nano HD) from Ubiquiti... any thoughts on how to add a wifi IOT on it with the DD-WRT setup?
@paddle_shift 1 year ago
As your IOT devices are on SSID network dd_wrt_ IOT and your trusted devices (like your phone) would be on SSID dd-wrt, in order for you to "see" or in cases where you needed to update an IOT device, would you have to switch out of dd-wrt and get into dd-wrt-iot to see it? Or does this "virtual" lan be visible when you are attached to dd-wrt?
@NormRasmussen 3 years ago
super helpful! like and subscribed. i have just one question: i’m reconfiguring our whole home network for better security. other than changing my wireless router to dd-wrt, i’ll be adding a managed switch to hardwire as many devices as possible. it may not make a huge difference but i can’t tell if it is better to set up the VLAN for iot on the switch or on the dd-wrt. do you recommend one or the other? as far as i can tell, the only advantage to doing it on the dd-wrt would be for the virtual AP. on the switch, i would need a second physical wireless router. thanks again!!
@DevbaseMedia 3 years ago
I'd test speeds both ways. I don't have any managed switches, only unmanaged switches, so for me, putting dd-wrt as the principal and putting an unmanaged switch on the IoT LAN port made sense. Another consideration might be whether you want to use many additional features of dd-wrt. I have another couple of videos on setting up OpenVPN and Wireguard servers. If you end up wanting to do that, you might consider using dd-wrt for your main (DHCP) router.
@NormRasmussen 3 years ago
@DevbaseMedia Right, DDWRT has a ton and ton of great features. I’ll go check out your videos. And I like the (obvious) idea of basing the decision on speed. my only hesitation with not utilizing more ddwrt features is making it a bottleneck with too much going on. thanks for the reply!
@TautologyTechSystems 2 months ago
Thank you for the tutorial. I got my vlan setup without an issue via ethernet, however I'm not able to connect to the wifi vlan that I set up. I know this video is old, but are there any tips you can provide?
@luis.enciso 1 year ago
Please a video to configure multiple WANs for Load balancing or failover.
@MadeKenzo 2 years ago
If I want the router to receive the Internet via cable from the main router, I have to turn on the client mode? And connect LAN > LAN, right?
@dinodelfavero 2 years ago
How to set-up VLANs on Qualcomm Atheros QCA9533? thank you
@skeetabomb 2 months ago
To find out CPU port number, ssh into DD-WRT and run "dmesg | grep 'CPU Port'"
@skeetabomb 2 months ago
I think that designing DD-WRT so that you have to apply IP addresses and DHCP servers to 'bridge' virtual interfaces is counter-intuitive and potentially quite confusing. It would also be very helpful if there was a set of commands made known that would help anyone with a DD-WRT device discover the interface stack and full Physical to logical mapping (layer 1 to layer 3 via layer 2)
@billyhamlen9610 2 years ago
I have home assistant running a VM in my PC, which vlan should I put it in IOT vlan or private vlan? If I put it in the private vlan, will the update from the IOT be able to reach the VM?
@Fallenflamez 2 years ago
No internet connection, but figured it out after a couple of hours. Setup everything two times, thinking I did something wrong the first time. Went to Setup > Networking > Port Setup > WAN Port Assignment and changed it to vlan1 and I was able to access to internet again. Hope this helps someone, took forever to figure it out.
@HEPEKINFO 3 years ago
did you try creating a trunk on a single port?
@Woodyjims-shack 2 years ago
Is there a way of doing this in ddwrt where devices you want to isolate are mingled on the same wired network?
@esprit1st75 6 months ago
Is there a way to have the IoT network use my PiHole that is on the main network? How would that config work? Thanks
@geniusarunesh 2 years ago
I am running latest dd-wrt firmware, vlan works well and ip address issued as set but still vlan on br1 can ping comfortably system on vlan linked to br0, have used entire set of commands as shown and for denying iptables -I FORWARD -i br1 -o br+ -j DROP
@ZtowhyA 3 years ago
additional : Switch Config/Vlan tagging doesn't work Atheros routers
@wingnut3578 1 year ago
Can there be a real trunk port which carries multiple vlans to another switch, say a Cisco SG300-10MP ? if so, how? I have tried. no luck.
@mikeberger1688 1 year ago
I use ddwrt and changed my ssid name in setup. Sometimes my windows pc can't decide which ssid to use...the new one or the old one. ?? Any help on this? --thanks do you need to reset the router to factory defaults before changing the ssid?
@richardcarter5404 2 years ago
I just followed this tutorial and while I was able to successfully setup a VLAN on Port 4 of my Asus AC1900P and get a new IP address the commands to stop VLAN traffic accessing my 192.168.1.xx network did not work. From the VLAN I could access my home network and from my home network I could not access the laptop I had on my VLAN 192.168.107.xx I made sure to add the rule to the firewall but no matter what I did I could not stop VLAN traffic back to my 192.168.1.xx which kinda defeats the object. Any ideas what may be wrong? I am running the latest version of DD-WRT
@SkiTuMTuM 3 years ago
hi is there a way to add a vpn to the new VLAN only without it affecting the other LANs?
@mjmeans7983 1 year ago
I have a different goal in mind. I don't want untrusted devices to connect to the internet at all, hardening the home network. I could have a baby monitor to keep tabs on kids when I'm at work. Kids being kids might sometimes be inappropriately dressed for company as they walk through the house when no one else is home. Or perhaps I have an IP based security system. Either way, I can't be sure these devices don't have built-in hacking programs that might be able to capture local IP and Wi-Fi traffic for the purpose of masquerading as another device by switching the other device's MAC address, and SSID if the other device is Wi-Fi. So, I want multiple vLANS, one for each untrusted device and filtered so that only that device's MAC address can communicate. For the Wi-Fi devices, a unique hidden SSID + password + MAC filter for that device is routed to a unique vLAN. Each Wi-Fi SSID needs its own MAC filter as well, so only that device can connect to that SSID and only that device can route to the assigned vLAN. Then a routing table to allow an NVR on the main LAN to communicate with any untrusted camera vLANs, and to allow a security controller to connect to any security devices on the other untrusted vLANs. Is it your impression that DD-WRT can do this all in a single router, or will it need two routers, one for untrusted devices.
@peterr.4768 2 years ago
Great Instruction. Worked perfect. Unfortunately as soon as I assign the Virtual Wifi to the Iot Bridge I cannot connect to it anymore. Without Bridge set it works fine. Any ideas? THX
@redoxicomanic3676 2 years ago
Give your device the IP that matches vlan manually
@Oakey38 2 years ago
I had the same problem. If I tried to add any VAP to a bridge, the VAP would stop working. However in my case updating the firmware to v3.0-r47900 std from 12/20/21 fixed my issues. Although I did have to do a factory reset after upgrading.
@PlanetMezz 3 months ago
Do I need a DHCP assigned if all my IoT devices are using reserved IPs?
@Martin-ot7xj 2 years ago
Hi there, how to connect wireless devices like Mobile or laptops to VLAN and access the internet through vlan?? thnx
@Wieczor178 2 years ago
I have run the firewall rules and I still have access to my samba shares from IoT network :(
@bruceice 3 years ago
This has been so helpful! Thanks so much. Everything works except my vap isn't getting DHCP from br1...the LAN port in the same VLAN is getting DHCP tho. I was wondering if you can help me out. Thanks!
@peremilskjold9388 3 years ago
Same here. You got any solution?
@bruceice 3 years ago
@peremilskjold9388 no solution yet and I'm still searching. Will update if I find anything that works
@TheKauff 2 years ago
@bruceice For both of you, I would try double-checking your DHCP settings, rebooting your router, or doing a factory reset & re-building your config. There's a part in the video where you have to make sure you're setting the DHCP on the right bridge. It's also possible DHCP traffic is being blocked, but that's a much deeper issue.
@Oakey38 2 years ago
It may also be worth trying a newer firmware. I was running into the same issue. If I tried to add any VAP to a bridge, the VAP would stop working. However in my case updating the firmware to v3.0-r47900 std from 12/20/21 fixed my issues. Although I did have to do a factory reset after upgrading.
@Wieczor178 3 years ago
Great Video, any idea why my IoT speed is only 60mbps when my main wifi is 300mbps?
@Christian_Ky 1 year ago
@10:17 why is there not the default wl0 and wl1 listed?
@basspig 9 days ago
The problem with this process is that devices such as Linksys 32x routers Wi-Fi do not do a valid handshake with many Internet of Things devices. They simply cannot connect to it. I have to use a separate Linksys router running stock firmware in order to use wi-fi.
@pd8321 1 year ago
SOS Chris, my ISP demands to set a tagged Vlan ID as 40 in order to connect to internet via PPPoE. But I don't know how to config it in DD-WRT, could you PLEASE help me out?
@aedgvv6095 3 years ago
I have a very simple question when using DDWRT on my wrt54g, asus n66u, etc. I only use port -1-4, using port 1, I click VLAN 2 and tag and I get automatically a WAN ip address from ISP on my router, now with WRT3200ACM DDWRT HOW ON earth do I do that.. all the guides are confusing AF, thanks in advance
@richardcarter5404 2 years ago
I managed to stop the IOT network from communicating with the private network but setting the IOT WiFi up as per the video I cannot access it, just keeps saying "wrong password" The only way I can connect to the IOT WiFi is by deleting the bridge assignment from br1 to wl0.1 then setting up a separate DHCP server for the WiFi. Then I can connect a WiFi camera to this network but if I have my laptop connected to the VLAN I cannot access the WiFi device. I assume this is a firewall issue but I am not sure how to fix it. It appears that when the br1 to wl0.1 is added no IP is given to the wireless client which I think then stops it from connecting. Hope someone can help, I am so close to moving my cameras to a VLAN, most of my cameras are hardwired but I do have 2 that are WiFi
@jimbieker7484 2 years ago
Have the same issue were you able to resolve at all? I take that back I can connect to the guest WiFi but only if no password or WPA. if left disable works fine.
@richardcarter5404 2 years ago
@jimbieker7484 Yes I did, I cannot remember where I found the answer, I thought I bookmarked it but I had to add the following as a startup script sleep 20; stopservice nas; wlconf eth1 down; wlconf eth2 down; wlconf eth1 up; wlconf eth2 up; startservice nas
@eddyl.8478 3 years ago
A very useful video! I followed your steps and successfully created an IoT network. With the iptables commands you advised, a device in the IoT network (i.e. 192.168.107.*) is not able to ping all the other devices in the 192.168.1.* network.....except 192.168.1.1. In fact, 192.168.1.1 is the same as 192.168.107.1 so I would not be surprised if devices in the 107.* network can ping 192.1.168.1. However, I found in your video that you were able to block the traffic from 107.* to 192.168.1.1. I wonder why and what caused the difference. I will keep searching to find a way to block the traffic from 107.* to 192.168.1.1. In case you know what caused the difference, please advise.
@pedropaiva6067 3 years ago
maybe somebody will know better but I think that is something to do with the fact that 192.168.1.1 is the gateway for the vlan, maybe there is a way to create another ip address for the same router in the 192.168.107 network
@Sleepless4Life 1 year ago
Did you find a solution?
@zyghom 2 years ago
hi, I ended up with 2 routers and I wanted them for IoT and home usage. However I have a dilemma: most (if not all) of my IoT devices talk to my local home assistant server as well as local MQTT server. So for the sake of being able to talk, home assistant also has to be in the IoT segment, right? If so it means: my HA will be also in insecure segment. On top of that, my HA is also talking to my home devices (other servers). So I think I need another solution. What I however did is: all IoT have internet access blocked (anyway, all of them are controlled only from HA and only with the local integrations) - I am thinking: do I need then 2 segments (for security purpose) or not? If YES (2 segments still needed) then how to solve the issue of HA being accessible to IoT devices, yet not being exposed?
@TheKauff 2 years ago
I was in a similar situation & got it to work by adjusting the firewall rules to allow access to my HA IP Address. Caution: remember, your HA doesn't use a default HTTP(S) port. Sadly, I don't have the firewall commands anymore, or I'd pass them along.
@zyghom 2 years ago
@TheKauff Yeap, I think I found a solution: 1-outer router for IoT, 2-inner router for home devices, including HA, 3-port forward from outer to inner only for specific ports - everything else blocked. I am yet to test it as I am not sure about which ports (for sure HA http and MQTT) and what about autodiscovery
@arnelgo3777 3 months ago
gold
@miguelgarces812 9 months ago
I tried this and it works but the wan port is not working as well. Does anyone know how to fix that?
@MysterPotato70 3 years ago
I think this is a stupid question but how would you see the feed from the ip camera if it's on a vlan.
@redoxicomanic3676 2 years ago
Try ispy and add your camera, it should give you a link, put that link in VLC player streaming.
@edgarveen2600 1 year ago
Little bit old, but still useful... except... I followed your tutorial, everything works. Except that the connection on the IoT VLAN won't connect to the internet. On the other VLAN (wired and wireless) I can get an internet connection. But on the IoT network, not. The IP address is correct, but there it stops. What am I doing wrong?
@couchpotato2060 1 year ago
If you're on new firmware, have you got the LAN CPUPORT box checked for your IoT VLAN? You need the 'LAN CPUPORT' check-box ticked for every LAN VLAN you set up (but not on the WAN row, obviously. That should have the 'WAN CPUPORT' checked.) NB: this will also automatically set up VLANs, which is handy. I'm using DD-WRT v3.0-r52330 std (04/14/23) on a Linksys WRT1900ACSv2. Side note, if you are using the same/similar router, I found that the port-mappings are actually backwards in the GUI... so for me, Port 1 in the GUI is actually the port 4 socket on the hardware.
@Niko0902 2 years ago
Off topic question, but what xfce theme are you using?
@DevbaseMedia 2 years ago
It's called Greybird (there is also a Greybird dark, but I'm using the standard version)
@Niko0902 2 years ago
@@DevbaseMedia Thanks. I think it looks beautiful.
@faizansiddiqui9261 2 years ago
Can I block the VLAN network (with cameras) from accessing the internet? Basically I would like it to be a local VLAN only.
@redoxicomanic3676 2 years ago
I managed to do this by giving the camera no gateway or a wrong gateway. Use NVR or VLC to watch the stream. YouTuber level1techs did a video on this.
@marcoFVD 3 years ago
Can you give that port VPN and the others not?
@0liveO1 2 years ago
Thanks a lot for this video, which perfectly explains what I'm trying to do with my WRT3200 :) I've been running into a lot of issues though and haven't been able to sort them out... If someone could help me, I'd be very grateful :) My main issue is that as soon as I add a new bridge and click save, then apply changes, I lose all connection to the router (wireless or wired). If I try to reconnect manually over wifi, it loops and tells me no IP address can be retrieved. If I try using an eth cable, I get an IP address (192.168.1.x), but cannot access the router's interface or even get a ping response. The only way to get back access to the router's interface is to factory reset, and on doing so, my "switch config" tab simply disappeared :D I had to reinstall the original firmware, then reinstall dd-wrt to get the tab back... And when I tried redoing things again, same issue... Been spending many countless hours trying to get this done but to no avail...
@redoxicomanic3676 2 years ago
I don't understand your problem, but you could manually give your device an IP that matches the new VLAN.
@TheKauff 2 years ago
@@redoxicomanic3676 I would also check the button that you're pressing after you configure your bridge. The "commit" button does a different action than "save". Also, maybe put a port into a different VLAN before you mess around with the new bridge, similar to what the video says about ports 1-3. It sounds like your router moves everything to the new bridge except its interface.
@Sleepless4Life 1 year ago
As the guy in the vid said maybe vlan0 bugged out and stopped working. Assign ur br0 to a new vlan like vlan3 as shown in the vid.
@anthonyscott2368 2 years ago
You never tested the wireless. I cannot get my wireless AP to pass DHCP addresses.
@luis.enciso 1 year ago
I can’t get any internet on the IoT WiFi, even though I followed this to the letter three times, clearing NVRAM in between each. Any help would be greatly appreciated.
@luis.enciso 1 year ago
I had to follow someone else’s tutorial. It’s curious how that other one did work. Same happened with the WireGuard video here. Broke my internet connection. Take these videos down. Stop this.
@Sleepless4Life 1 year ago
@@luis.enciso Got a link to that video you used to fix it?
@billrob9464 3 years ago
Thanks so much for the informative video. I was able to flash my Asus router with DD-WRT and assign the VLAN to port 4, and all the IP addresses work great, but I can still ping 192.168.1.1 from 192.168.107.1. I used the command lines in the video for the firewall, but it appears the firewall still allows traffic between the two subnetworks. Any ideas what I may have missed or what is causing this? Thanks….
@BloodShotChrome 2 years ago
Yeah, I'm wondering about this too. Perhaps in order for the VLAN to function a connection has to be established with the DDWRT router, and the commands the forum user posted assume any attempts to breach the router will be shut down by the SP1 firewall? Just my guess.
@DisasterousRDX 2 years ago
Yeah, I had the same problem. Router's management console was accessible from both IPs 192.168.1.1 from 192.168.107.1 from IoT network. I think even if we block packets to 192.168.1.1, we won't resolve the vulnerability to router's console. A workaround I used is to add the lines below in the firewall config to block access to router services from br1.
#Block guest access to router services
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
@BloodShotChrome 2 years ago
@@DisasterousRDX Thank you for this! The programming of firewalls is something that has always really intimidated me haha, so I appreciate you posting your workaround. While still pingable, rejecting all those protocols from the br1 subnet essentially safeguards our router's console from harm. Thank you again!
@TheKauff 2 years ago
@@DisasterousRDX @ChromeAftermath I'd also add in a line to block http traffic, not just HTTPS. It'd be the same command, just set dport to be http.
@DisasterousRDX 2 years ago
@@TheKauff Or it would be even better to just accept traffic to port 53 for DNS and 67 and 68 for DHCP. Then you can have any additional service on your router, you won’t have to block it in firewall.
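An added example, not part of the video or of any comment above: one way to write the DNS/DHCP-only idea from the last reply as DD-WRT firewall commands, assuming the IoT bridge is br1 as in the video. The helper names `iot_input_rules` and `verdict` are made up here; `verdict` only replays the rule order offline and never calls iptables.

```shell
#!/bin/sh
# Added example (not from the video or the comment thread).
# Assumption: the IoT bridge is br1, as in the video's firewall config.

# Print the INPUT rules in the order they must be run. Every rule uses
# -I (insert at the top of the chain), so the catch-all DROP is issued
# first and ends up below the ACCEPT rules that are inserted after it.
iot_input_rules() {
    ifc="$1"
    echo "iptables -I INPUT -i $ifc -j DROP"
    echo "iptables -I INPUT -i $ifc -p udp --dport 67:68 -j ACCEPT"   # DHCP
    echo "iptables -I INPUT -i $ifc -p tcp --dport 53 -j ACCEPT"      # DNS over TCP
    echo "iptables -I INPUT -i $ifc -p udp --dport 53 -j ACCEPT"      # DNS over UDP
}

# Dry run: rebuild the chain order that -I produces (last inserted is
# evaluated first) and print the verdict for a packet that arrives on
# the IoT bridge. Usage: verdict <iface> <proto> <dport>
verdict() {
    iot_input_rules "$1" | awk -v proto="$2" -v port="$3" '
        { rules[NR] = $0 }
        END {
            for (i = NR; i >= 1; i--) {          # -I reverses issue order
                n = split(rules[i], f, " ")
                p = ""; lo = 0; hi = 65535; target = ""
                for (k = 1; k <= n; k++) {
                    if (f[k] == "-p") p = f[k + 1]
                    if (f[k] == "-j") target = f[k + 1]
                    if (f[k] == "--dport") {
                        m = split(f[k + 1], r, ":")
                        lo = r[1]; hi = (m > 1) ? r[2] : r[1]
                    }
                }
                if ((p == "" || p == proto) && port + 0 >= lo + 0 && port + 0 <= hi + 0) {
                    print target; exit
                }
            }
            print "POLICY"                       # no rule matched
        }'
}

# Review the commands with:  iot_input_rules br1
# Apply them on the router:  iot_input_rules br1 | sh
```

With these rules the router's web, SSH and telnet ports need no per-service REJECT lines, because anything from br1 that is not DNS or DHCP falls through to the DROP.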