FINALLY - someone who actually can talk about home VLANs without mentioning Ubiquiti. I do have one question though. Is it necessary to reserve an ethernet port on the router for the IoT VLAN, or can you just do it with WiFI only? I don't have any ethernet IoT devices (all WiFi) so I wasn't sure about this point. Thanks -great video!

I had spent day's looking for a way to isolate IP cameras from other computers on my lan. This is great thank you so much for taking the time to make this video.

Fantastic Video Chris. It worked like a charm on my 3200WRT on my first shot. Thanks a lot for making the video and explaining so well. Want a challenge? Demonstrate doing the exact same thing using OPNsense (or pfSense) on a 6 port Protectli vault. Because DDWRT development seems to be stalling, particularly with WiFi 6 - I'm being forced into the xxSense wilderness. A pity as DDWRT is the work of Gods!

Great Video.. This is exactly what I was looking for long. Conceptually we understand what needs to be done but this hands on real demo helped a lot.

Literally spent all day trying to figure this out and was just about ready to use my router as a sporting clay....THANK YOU!!!!!

This is not the most intuitive interface. Thanks a lot for making the video and explaining the pitfalls (like default vlan0 going away when you added the others -- which is what got me)

Let me see if I understand fully...you isolated both lans here so they can't communicate with one another. Is that correct?

Wow. Concise, to the point, exactly what i was looking for. Thank you.

Absolutely amazing tutorial! Straight to the point and easy to follow along with. The only issue I was having is that the IoT VLAN didn't have access to the internet. I could connect to the WiFi network and communicate with local devices just fine, but I had no internet access. After some troubleshooting and forum reading, I found the fix was to go under Setup > Networking > and then all the way down under, "Network Configuration br1 - IoT Network" I had to enable, "Masquerade / NAT" and then I had internet access! Hope this helps someone who may be experiencing the same issues

Thank you so much for this great video! The issue I was having that made me seek out this video was that trying to change the switch config would either disable internet access or LAN access completely. I ended up just restoring to factory settings and starting from scratch. I'm running r48971 on a Buffalo WZR-600DHP2, so my config pages looked a little different, but other than that I was able to follow along. One thing I noticed is that my switch config had the LAN ports on VLAN1 and the WAN port on VLAN2. I didn't want to mess with it again, so I just created VLAN 3 and it worked like a charm. I'm doing WFH, so it'll be nice to keep my work computer (and IOT devices) separated from the rest of my network.

Found a cheap Cisco Linksys E1200 v2 at a Renaissance, 5.25 $CAD ; installed dd-wrt (can't get the exact version I installed now, but was June / july 2023) and setup was similar to this. It's key to do CTRL-Shift-R to refresh and ensure settings were saved as many times the UI won't reflect the real settings. Also the VLAN (Switch) page in the video doesn't show a CPUPORT checkbox that need to be enabled for all VLANs, for the ports to work.

Really Excellent. I've been looking at DD-WRT after being away for a while, and I want to use it to replace my Eero Mesh. I see some tutorials on setting up Mesh with DD-WRT, and I would love to make sure there's also VLANs that I can setup, so thank you for this. Really great stuff. Subscribed.

This is the god of explanations right here. thanks

Very good, thanks. Played with this a few years back for a VPN-only SSID and couldn't get it to work. Reckon I could now after watching this video!

Perfect video, finally, i can try VLAN's

Thumbs UP! Just what I was looking for. In my case, my cameras don't even need the internet, but I can handle that leveraging off of the firewall script.

I have a pfsense firewall already. So if i set the router running DD-WRT into AP mode will the VLAN function still work? Essentially for my scenario, the WAN in your setup will act as a trunk access and pfsense will manage the firewall rules?

Thank you for this! Thank you for explaining so well also thank you for not assuming i know anything. Thank you!

Thank you so much! I wanted to repurpose my TP-Link Archer A7 for IoT instead of purchasing Ubiquiti and this solves that problem wonderfully!

Thanks for writing this up! I had a slightly more complex use case (secondary AP behind main DD-WRT router) and wanted to VLAN all the IoT devices which connect to the secondary router. Once I realized that STP config was causing ports on my core switch to get disabled (because I had STP on on all the bridges on both primary router and secondary AP, likely with default priorities, etc. so that probably looked like a loop to the switch), but eventually got it working. It's worth noting that versions of DD-WRT v3.0-r48646 (on routers with enough flash) also have the ability to reflect mDNS between different networks, which can help put even your Google home / Alexa speakers on a VLAN... in my case I also needed that to isolate my ESPHome devices from the LAN where the Home Assistant system sits and still be able to access them via HA.

Man this was perfect thank you for posting. Different router model but same software!

Do you need to create a different SSID for your IoT untrusted devices? Should the IoT SSID be hidden?

Great video, I plan on installing dd-wrt on my old router this week. Keep up the great videos!!!

This was a superb instructional video - thanks for taking the time to make it! I am struggling, however, with WAN/Internet access from the VLAN and VAP. I must be missing a route, bridge setting or some other parameter. Even if I remove all of the IPCHAIN firewall commands, and if I run traceroute, there doesn't seem to a route to the outside. What have I missed? Found it - you need to enable Masquerade/NAT under the Setup->Network Configuration for br1!

@DevbaseMedia As far as I can tell, I've got your solution working (thankyou!), but I was hoping you could help with a couple things? First, oddly, I cannot ping (from a terminal/cmd) anything on br1 from anything on br0. I can however remote desktop from br0 devices to br1 devices, so I br0 can obviously talk to br1... just not ping it (also cannot remote from br1 to br0, so that seems to work as desired.) It's a small thing, but make me very curios why? Additionally, the GUI has changed quite a bit in the newer beta versions. Wondered if you'd consider doing an updated video? Was hoping the newer interfaces would allow you to achieve the same result using the gui - maybe tagging? - without the need to manually write the firewall rules?

Thank you very much! :) I will get going right away, been searching around and there is a lot of older video's.

Thank you for the tutorial. I got my vlan setup without an issue via ethernet, however I'm not able to connect to the wifi vlan that I set up. I know this video is old, but are there any tips you can provide?

did you try creating a trunk on a single port?

Just in time. Getting ready to make some wrt vlans from old routers.

How to set-up VLANs on Qualcomm Atheros QCA9533? thank you

Great video. Thank you very much. I have 1 question - can you tell me (or show video) - is it possible to set direct access from the internet (from the provider) on this (or any dd-wrt) router, for example, on port 1 and 2, and to set wireguard on ports 3 and 4, for example?

A very useful video! I followed your steps and successfully created an IoT network. With the iptables commands you advised, a device in the IoT network (i.e. 192.168.107.*) is not able to ping all the other devces in the 192.168.1.* network.....except 192.168.1.1. In fact, 192.168.1.1 is the same as 192.168.107.1 so I would not be surprised if devices in the 107.* network can ping 192.1.168.1. However, I found in your video that you was able to block the traffic from 107.* to 192.168.1.1. I wonder why and what caused the difference. I will keep searching to find a way to block the traffic from 107.* to 192.168.1.1. In case you know what caused the difference, please advise.

Very clear explanation of the steps! Thank you.

Do you think setting up a managed switch with VLAN is enough to keep IoT devices from talking to trusted devices on my home network or would I need to have a firewall setting? my setup internet>router>managed switch: port 1 (router), port 2-4 trusted devices, port 5 (another 5 port unmanaged switch of IoT devices)

As your IOT devices are on SSID network dd_wrt_ IOT and your trusted devices (like your phone) would be on SSID dd- wrt, in order for you to "see" or in cases where you needed to update an IOT device, would you have to switch out of of dd-wrt and get into dd-wrt-iot to see it? Or does this "virtual" lan be visible when you are attached to dd-wrt?

If I want the router to receive the Internet via cable from the main router, I have to turn on the client mode ? And connect LAN >LAN right ?

This video helped me understand vlan in dd-wrt. thanks bro! You deserve a like and comment, and subscribed

Well, I would like to say very, very interesting for sure I do like solid security however it will take sometime for me to configure these settings however I'm more interested In the wireless settings for now. Are The wireless interfaces and virtual interfaces under wireless settings similar ? One more secure that the other? I would like to put my Amazon Fire Stick on the wireless virtual however I keep it hidden from broadcasting (maybe being more secure) but it will not connect that way since hidden. Amazon device wants to see the device to connect to it I'm not sure if this would be wise move or not. Is there another secure way to keep streaming device in their own WIFI zone I guess separate from others? Thanks for the video.

Hey! So if I wanted to create a vlan just for Wifi for my security cams and untrusted devices, do I have add new passwords and SSID again for that particular vlan after set up? My cams are annoyingly to set up wifi on. I'd rather keep those settings on the cams and then change them on my main wifi network for trusted devices. For extra security. But what if I keep same SSID/password on both networks will that be worse? Just askin', I rather not change anything besides two separate networks, but I will if I must. Sorry if this is super simple. But this vid was exactly what I needed. Very good!

Very clear and well explained, thank you :)

Great video, thanks for a great explanation and walk-through. I followed everything and everything works except when I add my VAPs to br1, I lose DHCP on the VAP but LAN port 4 still works

Is there a way to have the IoT network use my PiHole that is on the main network? How would that config work? Thanks

Great Instruction. Worked perfect. Unfortunately as soon as I assign the Virtual Wifi to the Iot Bridge I cannot connect to it anymore. Without Bridge set it works fine. Any ideas? THX

I think that designing DD-WRT so that you have to apply IP addresses and DHCP servers to 'bridge' virtual interfaces is counter-intuitive and potentially quite confusing. It would also be very helpful if there was a set of commands made known that would help anyone with a DD-WRT device discover the interface stack and full Physical to logical mapping (layer 1 to layer 3 via layer 2)

Most importantly, thank you. Plugging into the new vlan port initiates a new subnet ip, however putting the connection back still recognizes the device/computer as that new subnet ip, that is until the provided firewall commands are applied. (My router ASUS RT-AC66U)

Nice job. Perfect for my use case. Thanks.

I use ddwrt and changed my ssid name in setup. Sometimes my windows pc can't decide which ssid to use...the new one or the old one. ?? Any help on this? --thanks do you need to reset the router to factory defaulys before changing the ssid?

I just followed this tutorial and while I was able to successfully setup a VLAN on Port 4 of my Asus AC1900P and get a new IP address the commands to stop VLAN traffic accessing my 192.168.1.xx network did not work. From the VLAN I could access my home network and from my home network I could not access the laptop I had on my VLAN 192.168.107.xx I made sure to add the rule to the firewall but no matter what I did I could not stop VLAN traffic back to my 192.168.1.xx which kinda defeats the object. Any ideas what may be wrong? I am running the latest version of DD-WRT

Flawless tutorial. Thank you so much!

I have home assistant running a VM in my PC, which vlan should I put it in IOT vlan or private vlan? If I put it in the private vlan, will the update from the IOT be able to reach the VM?

Great video. I have Pfsense as my main router and 3x ddwrt AP. Ill try vlans soon, but is there a way to create a mesh system; then use vlans to segment?

i've been looking for days man , thanks !

super helpful! like and subscribed. i have just one question: i’m reconfiguring our whole home network for better security. other than changing my wireless router to dd-wrt, i’ll be adding a managed switch to hardwire as many devices as possible. it may not make a huge difference but i can’t tell if it is better to set up the VLAN for iot on the switch or on the dd-wrt. do you recommend one or the other? as far as i can tell, the only advantage to doing it on the dd-wrt would be for the virtual AP. on the switch, i would need a second physical wireless router. thanks again!!

Great video. I will put this knowledge to good use, I promise.

Please a video to configure multiple WANs for Load balancing or failover.

Do I need a DHCP assigned if all my iOT devices are using reserved IP's?

Also I Have an AP point ( Nano HD ) from Ubiquiti ... any toughts on how to add a wifi IOT on it with the DD-WRT setup ?

I have run the firewall rules and I still have access to my samba shares from IoT network :(

Can there be a real trunk port which carries multiple vlans to another switch, say a Cisco SG300-10MP ? if so, how? I have tried. no luck.

I managed to stop the IOT network from communicating with the private network but setting the IOT WiFi up as per the video I cannot access it, just keeps saying "wrong password" The only way I can connect to the IOT WiFI is by deleting the bridge assignment from br1 to wl0.1 then setting up a separate DHCP server for the WiFI. Then I can connect a WiFi camera to this network but if I have my laptop connected to the VLAN I cannot access the WiFi device. I assume this is a firewall issue but I am not sure how to fix it. It appears that when the br1 to wl0.1 is added no IP is given to the wireless client which I think then stops it from connecting. Hope someone can help, I am so close to moving my cameras to a VLAN, most of my cameras are hardwired but I do have 2 that are WiFi

Off topic question, but what xfce theme are you using?

hi, I ended up with 2 routers and I wanted them for IoT and home usage. However I have a dilemma: most (if not all) of my IoT devices talk to my local home assistant server as well as local MQTT server. So for the sake of being able to talk, home assistant also has to be in the IoT segment, right? If so it means: my HA will be also in insecure segment. On top of that, my HA is also talking to my home devices (other servers). So I think I need another solution. What I however did is: all IoT have internet access blocked (anyway, all of them are controlled only from HA and only with the local integrations) - I am thinking: do I need then 2 segments (for security purpose) or not? If YES (2 segments still needed) then how to solve the issue of HA being accessible to IoT devices, yet not being exposed?

SOS Chris, my ISP demande to set a tagged Vlan ID as 40 in order to connect to internet via PPPoE. But I don't know how to config it in DD-WRT, could you PLEASE help me out?

Hi there, how to connect wireless devices like Mobile or laptops to VLAN and access the internet through vlan ?? thnx

Good Job I Think you did well and explain very good

The problem with this process is that devices such as Linksys 32x routers Wi-Fi do not do a valid handshake with many Internet of Things devices. They simply cannot connect to it. I have to use a separate Linksys router running stock firmware in order to use wi-fi.

No internet connection, but figured it out after a couple of hours. Setup everything two times, thinking I did something wrong the first time. Went to Setup > Networking > Port Setup > WAN Port Assignment and changed it to vlan1 and I was able to access to internet again. Hope this helps someone, took forever to figure it out.

Anyone who knows anything about the E4200 on DD-WRT is that the default VLAN assignments were wrong for quite some time. VLAN 2 is WAN, VLAN 1 is LAN. You have to correct this FIRST via webUI, save, and reboot. Prime example of someone not doing enough research before creating a how-to video.

Is there a way of doing this in ddwrt where devices you want to isolate are mingled on the same wired network?

Thank you a 1000000 times ❤️🎉

Simple, clear and very helpfull!!!

Little bit old, but still usefull...except ... I followed your tutorial, everything works. Except that the connection on the iot vlan won't connect to the internet. On the other vlan (wired and wireless) i can get internet connection. But on the iot network not. IP address is correct, but there it stops. What am i doing wrong?

i have a very simple question when using DDWRT on my wrt54g, asus n66u , etc I only use port -1-4 , usng port 1, I click VLAN 2 and tag and I get automatically a WAN ip address from ISP on my router, now with WRT3200ACM DDWRT HOW ON earth do i do that .. all the guides are confusing AF , thanks in advance

@10:17 why is their not the default wl0 and wl1 listed?

Thanks for the great video

I can’t get no internet in the IoT WiFi. Even tho o followed this by the letter three times. Clearing NVRAM in between each. Any help would be greatly appreciated.

Good tutorial! However every time I enable vLANs the WAN port stops working, and I cannot figure out why. I am running build 44719.

Thanks so much for this !

Fantastic one. Thanks a ton 🥳

hi is there a way to add a vpn to the new VLAN only without it affecting the other LANs?

Just what I was looking for today- thx!

i think this is a stupid question but how would you see the feed from the ip camera if its on a vlan.

Genius! Thank you!

Every time I change the VLAN settings in the "switch config" tab my router will disconnect from the internet and not return unless I factory reset.

You never tested the wireless. I can not get my wireless ap to pass shcp addresses.

Great Video, any idea why my IoT speed is only 60mbps when my main wifi is 300mbps ?

Can i block the vlan network(with cameras) access to internet? basically i would like it to be local vlan only

This has been so helpful! Thanks so much. Everything works except my vap isn't getting DHCP from br1...the LAN port in the same VLAN is getting DHCP tho. I was wondering if you can help me out. Thanks!

additional : Switch Config/Vlan tagging doesn't work Atheros routers

Wish I would have had this video sooner, guess I’ll try it with my new nighthawk.

thank you.. great video

I have a different goal in mind. I don't want untrusted devices to connect to the internet at all, hardening the home network. I could have a have a baby monitor to keep tabs on kids when I'm at work. Kids being kids might sometimes be inappropriately dressed for company as they walk through the house when no one else is home. Or perhaps I have an IP based security system. Either way, I can't be sure these devices don't have built-in hacking programs that might be able to capture local IP and Wi-Fi traffic for the purpose of masquerading as another device by switching the other device's MAC address, and SSID if the other device is Wi-Fi. So, I want multiple vLANS, one for each untrusted device and filtered so that only that device's MAC address can communicate. For the Wi-Fi devices, a unique hidden SSID + password + MAC filter for that device is routed to a unique vLAN. Each Wi-Fi SSID needs its own MAC filter as well, so only that device can connect to that SSID and only that device can route to the assigned vLAN. Then a routing table to allow an NVR on the main LAN to communicate with any untrusted camera vLANs, and to allow a security controller to connect to any security devices on the other untrusted vLANs. Is it your impression that DD-WRT can do this all in a single router, or will it need two routers, one for untrusted devices.

I tried this and it works but the wan port is no working as well. Does anyone knows how to fix that

Thank you!

I am running latest dd-wrt firmware , vlan works well and ip address issued as set but still vlan on br1 can ping comfortably system on vlan linked to br0 , have used entire set of commands as shown and for denying iptables -I FORWARD -i br1 -o br+ -j DROP

Thanks for the video.

Hi! Thanks a lot it was ver helpful

Thanks so much for the informative video. I was able to flash my Asus router with DD-WRT and assign the VLAN to port 4 and all the IP addresses work great but I can still ping 192.168.1.1 from 192.168.107.1. I used the command lines in the video for the firewall but it appears the firewall still also traffic between the two subnetworks. Any ideas what I may have missed or causing this? Thanks….

thanks this helped me big time

Thanks!