VLAN Setup on TP-Link Archer v7 with OpenWRT

Posted on

VLAN Setup

General Overview

  • Create VLANs in Network → Switch
  • Create Bridge Devices in Network → Interfaces → Devices
  • Create Interfaces in Network → Interfaces
  • Create Firewall Zones / Rules
  • Assign WiFi radios to Interfaces

Switch Assignment

TP-Link Archer A7 does not use the DSA technology that is present in more modern OpenWRT router setups.  This made it harder to find correct setup information for VLANs on OpenWRT.  The VLANs are created in the Network → Switch section.  

VLAN 1 on this router acts as the shared Bridge device that links all of the internal LAN physical ports.

VLAN2 is the WAN device that connects externally.

Click “Add VLAN” which will bring up VLAN 3, which we can change to any number from 1 – 4095.  I’ve noted this with the Mgmt description which I will use to manage my routers / switches, etc.

LAN 4 port has been set to untagged.  Any device that does not attach VLAN tags to a packet will have VLAN3  tag attached when communicating through this port.  All packets with VLAN3 tags attached will also be sent to this network port.

The CPU must be tagged with every VLAN ID that the switch is going to process.  If the CPU is not tagged with a VLAN ID, that VLAN’s packets will not be processed.

Save and Apply settings.

Note: if you change the VLAN of the port you are connected to before correctly setting up Device, Interface, & Firewall, you will be locked out of that port.  

Creating Bridge Devices

I first assumed that I would be creating 802.1q devices, as that is VLAN designation.  This leads to failure.  We are making Bridge Devices that allow us to bridge connection to the VLANs we made on the Network → Switch.

My physical device is eth0 on this router.  Sub-interfaces are created to allow network separation. The LAN and WAN ports are just sub-interfaces of the physical eth0 switch. A device sub-interface is automatically created for each VLAN when that VLAN is first created.  Making VLAN3 on the switch creates the device eth0.3, VLAN20 creates eth0.20.  We need to create a bridge device that will allow us to connect to that VLAN.

Click “Add device configuration…”

  • Set the options for Device type: Bridge device
  • Set the Device name: (Arbitrary, I chose br-mgmt)
  • Set the Port to the device that was created with the VLAN (eth0.3)
  • I choose to bring up empty bridges.

Creating Interfaces

Click on the Interfaces tab. Network → Interfaces → Interfaces

This interface serves as the virtual connection point to the Bridge device that was just created.

  • Click “Add new interface…”
  • Enter the Name
  • Set Protocol to Static address
  • Select the Bridge device you just created (br-mgmt)
  • Create interface

This will open additional fields in the interface setup menus.

General Settings

  • Set Protocol to Static address
  • Set IPv4 address. 192.168.3.1 to keep the network segment identifiable with the VLAN
  • Set IPv4 mask 255.255.255.0
  • Make sure ‘Bring up on boot’ is selected

Firewall Settings

  • Click Create / Assign firewall-zone
  • Click the Custom dialog box and create an appropriate firewall zone name
  • Hit Enter

DHCP Server

  • Click “Set up DHCP Server”
  • Click IPv4 Settings and set an appropriate range for IP addresses
  • Click “Save” and “Save and Apply”

Firewall – Zone Settings

Trying to connect will fail at this point because the Interface does not have permission to initiate traffic with the internal router and obtain DHCP information.  We must set the firewall zone traffic so that the router accepts traffic from the Mgmt interface.

  • Go to Network → Firewall
  • Under the traffic rules for Mgmt zone, change Input to accept so the router will accept traffic from the Mgmt zone
  • Click “Save” and “Save and Apply”

Connecting to the Switch Port or the Wireless device should now negotiate a proper DHCP IP address.

Internet (WAN) access

We must be able to forward traffic from a zone to the wan zone in order to access outside networks.  WAN access for the Mgmt zone is only for demonstration at this time and should not be used in a real Management VLAN setting.

  • Click “Edit” on the Mgmt zone
  • Change Allow forward TO DESTINATION ZONES and select wan.
  • Click “Save” and “Save and Apply”

Wireless Setup

Go to Network → Wireless

There are two radios listed on this router. One for 5g and for 2.4g.

![](6_VLAN Setup_image.png)

The first radio listed here is the 5g radio, click “Add”

  • Set the Country code to your locality
  • Set Mode to Access Point
  • Set the ESSID or Network Name
  • Set Network to the Interface your WiFi radio is associated with (Mgmt)

Note: This Mgmt WiFi is temporary, only for this demonstration.  Mgmt network should not be available via WiFi.

Select the “Wireless Secuity” tab under Inferface Configuration.

  • Select the encryption type
  • Set Key to your password if you are using PSK

Click “Save” and “Save and Apply”

You may need to click “Save” before switching to a new configuration tab. Some tabs would remember the settings between tabs and some would not. If your setup isn’t acting correctly, check back through the config tabs and make sure that all your settings are correct.

Final Thoughts

OpenWRT is a feature rich platform, but quirky. More than one person gave me the response that they just gave up on trying to get it working. The biggest hurdle I faced was the conflicting setup guides due to OpenWRT migrating to their Distributed Switch Architecture (DSA ). Reading their documentation left me confused, as I did not understand their text-only config files. After working through this problem in the GUI, the config file makes much more sense.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts