VLAN - How to make it work?

Dear all,

I am trying to set up a VLAN and I have to admit, I’m completely confused. I read forum posts here and elsewhere on the topic (most notably https://forum.turris.cz/t/tos5-vlan-nightmare/13175 and https://forum.turris.cz/t/total-obsolete-vlan-documentation/13121) as well as the OpenWRT documentation. I also watched videos on YouTube on how to set up VLANs on OpenWRT, which make it appear to be a simple process with Luci - and make me feel even dumber because I can’t get it to work.

I understand that there are differences between different routers, of course, and one is not like the other, but it seems I’m unable to transfer the information to my setup.

My setup is as follows:

“Dumb” AP is connected to Lan1 port on Omnia. VLAN ID should be 20.

What I try to achieve:
Users connected to the “GuestWifi” should be able to access the Internet, but should not be able to connect devices connected to other networks such as

What I did so far:
I followed https://docs.turris.cz/basics/luci/vlan/luci-vlan/ to create a virtual interface. In /etc/config/networks it looks like this:

config interface 'VLAN20'
    option proto 'static'
    option ifname 'lan1.20'
    option type 'bridge'
    option netmask ''
    option ipaddr ''

As firewall rules I added:

config zone
    option name 'vlan20forw'
    option input 'ACCEPT'
    option forward 'REJECT'
    list network 'VLAN20'
    option output 'ACCEPT'

config forwarding
    option dest 'wan'
    option src 'vlan20forw'

in /etc/config/firewall using Luci.

What works:
Clients can access GuestWifi.

What does not work:
Clients are not assigned an IP address and cannot access the Internet.

So, after all this, how do I get it working? Maybe someone has a simple, working configuration to share?

I feel tangled up in information only relevant for TOS3, unclear instructions (or better put instructions I do not understand) and generally content and comments where I can’t determine whether it is still relevant or not.

Every help is highly appreciated! I would also like to help with the documentation on https://docs.turris.cz/basics/luci/vlan/luci-vlan/ to make it into a full Luci-based example.

Wait for TOS 6 and DSA. VLAN in TOS 4 or 5 is problematic. Yes, they worked great in TOS 3.

Thank you! I thought TOS5 already uses DSA, but I might have understood that wrong.
Since TOS6 is in HDB it probably takes quite some time before it ends up as a version usable for end users like me.
I still hope that I can get it working with TOS5 somehow as I won’t be able to wait for a HBK/HBS TOS6 release.

Does dns resolution work?

nslookup google.com

Do clients get the ip inside the correct subnet?
Can they access the router's web interface?

TOS 4/5 use DSA, but many hints and instructions work only from OpenWrt 21.02, respectively TOS 6.

protree, I checked again.
I was sure of clients being assigned a correct IP (and was pretty happy that it worked) but now I checked again and realized I was wrong. NO IP is assigned. So I’m fully back to square one with DHCP. Sorry!

However, when I manually set the IP to, e.g.,, I can ping omnia and ssh to it.

ping # → Network not reachable
nslookup google.com # → No result

And yes, with the static IP set, I can also reach reForis and Luci.

Did you enable a dhcp server instance for your guest-interface?
Go to Network → Interfaces → your guest interface → DHCP Server → General setup and enable it
Also, set 6, in Advanced Settings → DHCP Options to set correct DNS Server for your clients

Btw I'd suggest you connect a network device directly to lan1 on your omnia to minimize possible sources of error for debugging. Change lan1.20 to lan1 in your network config for this. If you get a connection you can switch your config back and try to get access through your Access Point.

EDIT: The config snippets you provide seem to be valid (although they lack configuration for dhcp). Are you sure your configuration is applied? (Restart your Omnia to be sure.)

Does it work if you create vlan int on one of the eth instead of a lan port?

This cannot work due to DSA-architecture. There are links to DSA documentation here on the forum, have a look into them.

I strongly discourage using VLANs right now as they somewhat invoke DSA (doesn’t matter whether via config or bridge/ip commands) and that is as of now and also still for TOS v6 broken. The ARP-bug makes productive use of VLANs for switch ports other than eth2 impossible.
VLAN use is possible via the following workaround only (incompatible with usage of sfp-port for wan):

  • assign eth2 to lan and some other port of your choice to WAN
  • connect wan-ethernet to assigned port
  • define your VLANs on eth2
  • connect eth2 to a managed switch which is configured alike
  • connect VLAN configured devices to alike configured ports of this managed switch.

This only works around the ARP-bug because it does not trigger DSA…

Out of curiosity, what is the ARP-bug you are referring to?

Here you are: [Omnia] kernel's bridge FDB not reconciling switch's ATU (#165) · Issues · Turris / Turris OS / Turris Build · GitLab
It was initially solved in TOSv6 but reintroduced somehow so as of now TOS v4/5/6 are broken to some extent when it comes to roaming WiFi clients connected to VLAN-separated subnets where DSA is involved.


In TOS 6 we trust. Hopefully!

protree, thank you! It appears that rebooting helped to get DHCP working!

After setting gateway to the router address in VLAN20 (which Luci complains about when doing it there) and providing DHCP option 6, I can ping outside hosts and DNS also works!

/etc/config/networks now looks like this:

config interface 'VLAN20'
    option proto 'static'
    option ifname 'lan1.20'
    option type 'bridge'
    option netmask ''
    option ipaddr ''
    option gateway ''
    option delegate '0'


config dhcp 'VLAN20'
    option start '100'
    option limit '150'
    option interface 'VLAN20'
    list dhcp_option '6,'
    option leasetime '5h'

I think I now have to reconfigure my firewall rules from option input 'ACCEPT' to option input 'REJECT' to shield the router from guests. I already defined traffic rules for DHCP and DNS:

config rule
    option src 'vlan20forw'
    option name 'VLAN20 DHCP'
    option target 'ACCEPT'
    option src_port '67-68'
    option dest_port '67-68'
    list proto 'udp'

config rule
    option src 'vlan20forw'
    option name 'VLAN20 DNS'
    option target 'ACCEPT'
    list proto 'tcp'
    list proto 'udp'
    option src_port '53'
    option dest_port '53'

However, when I apply

config zone
    option name 'vlan20forw'
    list network 'VLAN20'
    option output 'ACCEPT'
    option forward 'REJECT'
    option input 'REJECT'    # <- Changed option

clients cannot connect to the internet, again. What am I missing?


Remove the "src_port" options from your DHCP and DNS rule.

I also had to use this workaround to make my network configuration fully work. With this workaround it works rock solid. However, if you use your vlan for guests only and they don't roam that often between your Omnia's wifi and your AP it might not be necessary in your case.

You defined zone but missing FW, I think you need somethin’ like this:

config zone 'vlan20'
	option enabled '1'
	option name 'vlan20'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	list network 'VLAN20'

config forwarding 'vlan20forw_wan'
	option enabled '1'
	option name 'vlan20 to wan forward'
	option src 'vlan20'
	option dest 'wan'

Also don’t forget to restart firewall after changing firewall configuration, similarly don’t forget to restart network after changing network configuration, reboot is not needed.

Why do you guys have problems?
I got TOS 5 latest migrated from TOS 3 on Indiegogo Omnia couple months ago.

I have just done one manual change after migration.
VLANS work absolutely great. I got around 10 of them but use around 3 or 4.
I got APs in network using VLANS fine as well as switches. No problem anywhere.

Weakest links for VLANs/subnets is not Omnia but O2 with /64 for IPV6.

Regarding VLANs,
I just set up the interface, with relevant IP config/mac config, and then I just chose the vlan ID for the interface.
It's just simple, use ethx.y where x is the port and y vlan.

It's unbelievable how great it is now. No need to config ports in some other GUI. No downtimes, or anything. It just works.

And of course you need to define FW zones, but you got to do that in the past as well. It's even simpler.

Dear all,

Thank you all for your comments! I managed to get VLAN 20 working! While @protree set me on the right path, @iron-maiden put the final brick into my (fire)wall. Thank you all!

So I replaced the lines in /etc/config/firewall as shown in my previous post with:

config zone
    option name 'VLAN20zone'
    option input 'REJECT'
    option forward 'REJECT'
    list network 'VLAN20'
    option output 'ACCEPT'

config forwarding
    option dest 'wan'
    option src 'VLAN20zone'

In result,

  • on connecting to AP, clients get IP addresses assigned (DHCP),
  • clients have Internet access
  • clients cannot access the router interface and hosts on other networks, e.g.,

Of course, I still have to find out whether this configuration is stable and hence cannot tell whether the changes suggested by @ssdnvv still need to be applied.

So to sum it up, and for users using Luci, I include some screenshots to hopefully help them in achieving the same result.

  1. First, set up a VLAN interface (shown as VLAN20) in Luci by navigating to “Network” → “Interfaces”:

  2. Setup VLAN20 like this: Click “Add new interface …”, choose a name, e.g., VLAN20 and also “Static address” as Protocol. Activate “Bridged interfaces” and click on the drop-down box stating “unspecified” next to “Interfaces”. Enter LANx.20 in the box at the bottom of the dropdown, where x is the LAN port you or your AP is connected to at the Turris Omnia. This is also explained here: https://docs.turris.cz/basics/luci/vlan/luci-vlan/ .

  3. After clicking “Create interface”, in the next window, set options as shown below in “General Settings”:

  4. Switch to Tab “DHCP Server” and activate DHCP. Check whether the default settings are ok in sub-tab “General Setup”.

  5. Switch to sub-tab “Advanced Settings” and add 6, to “DHCP-Options”. The IP is that of the gateway IP that you set under tab “General Settings” previously.

  6. Save and apply the changes made.

  7. Go to “Network” → “Firewall”:

  8. Click “Add” under “Zones”.

  9. Enter values as shown below:

  10. Save and click Save & apply. The result should look like this:

  11. On the current page, navigate to tab “Traffic Rules”. Add two rules:

    Settings for VLAN20 DHCP:

    Settings for VLAN20 DNS:

  12. Restart network and firewall. In a shell (ssh to Omnia) you can use the commands /etc/init.d/firewall restart to restart the firewall and /etc/init.d/network restart to restart network from the command line. This avoids downtime. Alternatively, you can reboot the router.

Finally in case all went well, all of this leads to a working VLAN20 setup.
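
Added example, not part of the original thread: a POSIX sh/awk check that reads an OpenWrt firewall config and reports the guest-zone problems that came up above (input not REJECT, forwarding to a zone other than wan, accept rules that still carry src_port). The function names audit_guest_zone and sample_config are assumptions of this example, and the sample config is constructed from the snippets posted in the thread.

```shell
# Added example: audit a UCI firewall config read from stdin for one guest zone.
# Prints one finding per line, nothing when the zone matches the thread's end state.
audit_guest_zone() {
    awk -v zone="$1" -v q="'" '
    function check() {                       # evaluate the section just finished
        if (type == "zone" && o["name"] == zone) {
            seen = 1
            if (o["input"] != "REJECT" && o["input"] != "DROP")
                print "zone " zone ": input is " o["input"] ", router reachable by guests"
            if (o["forward"] != "REJECT" && o["forward"] != "DROP")
                print "zone " zone ": forward is " o["forward"]
        }
        if (type == "forwarding" && o["src"] == zone && o["dest"] != "wan")
            print "forwarding " zone " -> " o["dest"] ": guests can reach a non-wan zone"
        if (type == "rule" && o["src"] == zone && o["target"] == "ACCEPT" && o["src_port"] != "")
            print "rule " o["name"] ": src_port " o["src_port"] " restricts the client source port"
        split("", o)                         # portable way to clear the array
    }
    /^[ \t]*config[ \t]/ { check(); type = $2; next }
    /^[ \t]*(option|list)[ \t]/ {
        key = $2; v = $0
        sub(/^[ \t]*[a-z]+[ \t]+[^ \t]+[ \t]+/, "", v)      # drop keyword and key
        c = substr(v, 1, 1)
        if (c == q || c == "\"") { v = substr(v, 2); sub(c ".*$", "", v) }  # quoted value
        else sub(/[ \t].*$/, "", v)                          # bare value, cut any comment
        o[key] = v
    }
    END { check(); if (!seen) print "zone " zone ": not defined" }'
}

sample_config() {   # constructed from the snippets posted in the thread
cat <<'EOF'
config zone
    option name 'vlan20forw'
    option forward 'REJECT'
    option input 'REJECT'    # <- Changed option
config forwarding
    option dest 'wan'
    option src 'vlan20forw'
config rule
    option src 'vlan20forw'
    option name 'VLAN20 DNS'
    option target 'ACCEPT'
    option src_port '53'
    option dest_port '53'
EOF
}
sample_config | audit_guest_zone vlan20forw
```

On the router the same function can be fed the live file, e.g. `audit_guest_zone VLAN20zone < /etc/config/firewall`.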


Great that you succeeded! And nice tutorial 👍

I think the gateway should be left blank as it is configured automatically. The gateway is the next hop upstream, so its ip depends on your wan interface. Setting it to the ip of your router itself makes no sense and I believe it works in your case only because it is ignored…


Thanks for the hint! I changed number 3 in the list and replaced the screenshot.