Raspberry Pi Based OpenWRT Router/Firewall Using Tagged VLANs

Raspberry Pi’s main downside (as far as using it as a router) is that it has only one Ethernet port. This can be overcome by using a USB Ethernet dongle to get an additional Ethernet port. I did not like that idea, because USB dongles are not designed for 24/7 operation. I stumbled upon a forum post that suggested using VLAN tagging to carry two virtual interfaces through the only Ethernet port of the Raspberry Pi, thus eliminating the need for the USB dongle. This article is a quick how-to for setting that up.

Why Use Raspberry Pi as a Router/Firewall

OpenWRT and DDWRT are very popular solutions for home router/firewall. Traditionally, people replace proprietary firmware on wireless routers with OpenWRT, and this is what I have been doing, too. Over the years, I grew to love OpenWRT, but hate installing it on wireless routers.

Replacing a router’s original firmware with OpenWRT is often not a straightforward process. You need to choose the correct firmware file from a gazillion available permutations, then follow documentation that is very often out of date through a series of steps to flash OpenWRT. In the end it may or may not work. If it does not work, the steps for unbricking the router are even more obscure and nerve-wracking.

Now consider Raspberry Pi, a general-purpose computer with open specifications, that uses a microSD card for storage. There are relatively few hardware variants of Raspberry Pi, which makes the user base a lot more homogeneous, which leads to better documentation. Installing OS onto a Raspberry Pi is as simple as writing to a microSD card, with no risk of rendering the Raspberry Pi unusable.

Additionally, Raspberry Pi has a lot more CPU, a lot more RAM, and a lot more storage than the most expensive of wireless routers. This allows you to install additional software without risking running out of space, and configuring demanding services, such as VPN, without running out of resources.

To top it off, a Raspberry Pi costs as much as the absolute cheapest of the routers.

Why Not Use a USB Ethernet Adapter

As I’ve already said above, I don’t like the fact that the usual use case for a USB Ethernet dongle does not involve it operating 24/7. They are designed for use with laptops, and this does not inspire a lot of confidence in me. Additionally, USB adapters increase Raspberry Pi’s electrical power consumption. Very often a Raspberry Pi already approaches the limits of wattage supplied by its power adapter, so adding a USB-powered device in the mix may aggravate the situation.

Sources of Inspiration

I got the initial idea of using Raspberry Pi instead of a WiFi router from this article by Vladimír Záhradník. I recommend skimming through it before proceeding. The idea to use tagged VLANs came from this forum post.

Hardware: Raspberry Pi

You can use any Raspberry Pi for this application, but keep in mind that the theoretical throughput of the Ethernet port on it will be split in half. I am saying “theoretical” because it is rare that the interface is fully loaded in full duplex (i.e. for sending data both ways). Usually a client would either mostly download, or mostly upload, in which case the split usage will not be much different from using two interfaces with the same speeds.

Consider your Internet speed. For example, my Internet connection is 50 MBit/s up, and 10 MBit/s down. For my case, a Raspberry Pi 2 or 3 (which have 100 MBit/s Ethernet) should be more than enough. Raspberry Pi 3B has Gigabit Ethernet, but its realistic speed is 300 MBit/s. If your Internet connection is faster than 300 MBit/s, you should probably go for a Raspberry Pi 4, which has a true Gigabit port.

Hardware: VLAN-capable Switch

If you already have a managed switch that supports tagged VLANs, you don’t need any additional hardware. Otherwise, you need to buy a small managed switch. I bought a Netgear GS305E for CAD$32. There are many inexpensive managed switches on the market, for example the Zyxel GS-1200-5.

Configuring the Switch

I decided on the following switch configuration:

  • Port 1 connects the switch to my main switch (i.e. the rest of the LAN).
  • Ports 2 and 3 are unused, but can be used to connect additional devices on my LAN in the future.
  • Port 4 is connected to the modem.
  • Port 5 is connected to the Raspberry Pi.

I will be using two 802.1Q VLANs: VLAN 1 for the LAN side of things, and VLAN 2 for the modem. Here are the steps I needed to take to configure this on my Netgear GS305E:

  • Go to VLAN->802.1Q->Advanced->VLAN Configuration. VLAN id 1 was already present, so I typed “2” in the “VLAN ID” box, and clicked “Add”.
  • Under “Port PVID” I changed PVID of port 4 to “2”. All other ports have PVID “1”. “PVID” (Port VLAN ID) is the main VLAN id of the port: the VLAN that the switch assigns to untagged frames arriving on it.
  • Under “VLAN Membership” select VLAN Id “1”, then click on ports 1, 2, and 3 to show letter “U” (for “untagged”), click port 4 to be blank (not a member of VLAN 1), and click on port 5 to show “T” (for “tagged”).
  • In the same screen, select VLAN Id “2”, click ports 1, 2, and 3 to be blank (not members of VLAN 2), click on port 4 to be “U” (untagged), and click on port 5 to show “T” (tagged).
  • In summary, port 5 should be a member of both VLANs, and be tagged in both. Port 4 should be only a member of VLAN 2, untagged. Ports 1, 2, and 3 should be only members of VLAN 1, untagged.
  • Apply the changes and reboot the switch. Then double-check that all the configuration is correct.
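
Added example (not part of the original article, and not Netgear's tooling): a small Python check of the port/VLAN plan above, useful when double-checking the switch, because one wrong click in the membership screen can put a LAN port on the modem side, outside the firewall. The names PLAN, check_plan and constructed_bad_plan are made up for this sketch; the port numbers, PVIDs and VLAN IDs are the ones listed above.

```python
# Added example: check a switch port/VLAN plan before relying on it as the
# LAN/WAN boundary. PLAN mirrors the article's layout; the bad plan is constructed.
import copy

# membership[vlan][port] is "U" (untagged) or "T" (tagged); absent = not a member
PLAN = {
    "pvid": {1: 1, 2: 1, 3: 1, 4: 2, 5: 1},
    "membership": {1: {1: "U", 2: "U", 3: "U", 5: "T"},
                   2: {4: "U", 5: "T"}},
}

def check_plan(plan, trunk_port=5, wan_vlan=2, wan_port=4):
    """Return a list of problems; an empty list means WAN stays isolated."""
    problems = []
    member = plan["membership"]
    for port, pvid in sorted(plan["pvid"].items()):
        vlans = {v: m[port] for v, m in member.items() if port in m}
        if port == trunk_port:
            # The router port must carry every VLAN tagged, or the Pi
            # cannot tell LAN frames from modem frames.
            for v in sorted(member):
                if vlans.get(v) != "T":
                    problems.append(f"trunk port {port} not tagged in VLAN {v}")
            continue
        # Access ports: exactly one VLAN, untagged, with a matching PVID.
        if len(vlans) != 1:
            problems.append(f"port {port} is in {len(vlans)} VLANs, expected 1")
            continue
        (vlan, mode), = vlans.items()
        if mode != "U":
            problems.append(f"port {port} is tagged in VLAN {vlan}")
        if pvid != vlan:
            problems.append(f"port {port} has PVID {pvid} but is in VLAN {vlan}")
        if (vlan == wan_vlan) != (port == wan_port):
            problems.append(f"port {port} in VLAN {vlan} breaks WAN isolation")
    return problems

def constructed_bad_plan():
    """Two easy misclicks: port 4 PVID left at 1, port 2 also added to VLAN 2."""
    bad = copy.deepcopy(PLAN)
    bad["pvid"][4] = 1
    bad["membership"][2][2] = "U"
    return bad

if __name__ == "__main__":
    print("article plan:", check_plan(PLAN))
    for problem in check_plan(constructed_bad_plan()):
        print("PROBLEM:", problem)
```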

Configuring Raspberry Pi to use VLANs

I am not going to describe installation of OpenWRT for Raspberry Pi, as this is detailed in many other resources. I assume that you have an SD card with OpenWRT successfully written to it.

The easiest way to configure tagged VLAN interfaces is by editing the file /etc/config/network. You can edit it through an SSH session into your Raspberry Pi, or by inserting the SD card into your computer. Here is what that file should look like:

[Update, December 2021. According to the comment by Nicolay below, in the newer versions of OpenWRT you need to replace option ifname with option device.]

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.0.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

This creates two virtual interfaces, “lan” (with VLAN tag 1) and “wan” (with VLAN tag 2). Obviously, edit the IP address of the “lan” interface to match your local network configuration.
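
Added example (not part of the original article or of OpenWRT): a Python check, runnable on the computer where the SD card is mounted, that the “lan” and “wan” sections are bound to the tagged sub-interfaces the switch expects. It accepts both `option ifname` and the newer `option device`. The function names are made up for this sketch, and SAMPLE is a constructed copy of the file shown above.

```python
# Added example: confirm /etc/config/network binds lan and wan to the VLAN
# IDs configured on the switch. SAMPLE is constructed from the article's file.
import re

EXPECTED_VLANS = {"lan": 1, "wan": 2}   # VLAN IDs from the article's switch plan

SAMPLE = """\
config interface 'lan'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.0.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
"""

def parse_interfaces(text):
    """Map interface name -> {option: value} for 'config interface' sections."""
    sections, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] == ["config"]:
            # Any other section type (or an unnamed one) ends the current interface.
            named = len(parts) >= 3 and parts[1] == "interface"
            current = sections.setdefault(parts[2].strip("'\""), {}) if named else None
        elif parts[:1] == ["option"] and len(parts) >= 3 and current is not None:
            current[parts[1]] = " ".join(parts[2:]).strip("'\"")
    return sections

def vlan_binding(options):
    """(parent, vlan_id) from 'device' (newer OpenWRT) or 'ifname', else None."""
    name = options.get("device") or options.get("ifname") or ""
    m = re.fullmatch(r"([\w-]+)\.(\d+)", name)
    return (m.group(1), int(m.group(2))) if m else None

def check_network(text, expected=EXPECTED_VLANS):
    """Return a list of problems; empty means lan/wan match the switch plan."""
    problems, parents = [], set()
    ifaces = parse_interfaces(text)
    for name, vid in expected.items():
        binding = vlan_binding(ifaces.get(name, {}))
        if binding is None:
            problems.append(f"{name}: not bound to a tagged sub-interface")
        elif binding[1] != vid:
            problems.append(f"{name}: uses VLAN {binding[1]}, switch plan has {vid}")
        else:
            parents.add(binding[0])
    if len(parents) > 1:
        problems.append("lan and wan are on different parent devices")
    return problems
```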

At this point, you should be able to connect your Raspberry Pi to port 5 of the switch, connect the switch to the rest of your LAN through port 1, 2, or 3, and connect your modem to port 4. With that, the networking part of your configuration should be done.

You may need to reconfigure the “wan” interface to use “pppoe” or some other protocol, depending on how you are connected to the Internet. You will be able to finish this configuration using OpenWRT’s web interface.

Conclusion

That’s it for the tricky part. You can configure the rest of your OpenWRT functions normally, the same way as you would if it were running on a device with multiple Ethernet ports.

Let me know if you found this information useful, or if you run into any issues!


4 comments

  1. One more for the team, Arkady – https://photos.app.goo.gl/d4v61dT5ZvEUhaJC7. Was running a TP(toilet paper)-Link UE-300 on the WAN side for over a year which would lock up every now and then. I figured it is because of USB autosuspend. Once I disabled that, it worked without a hitch for weeks till it stopped again the other day. Restarting the IF brought it back up, so it was clearly UE-300 related. Let’s see how the VLAN method fares. 😀

    The only problem I found is that OpenWrt 21.x (haven’t tested on older releases) requires `ifname` to be called `device` like so:

    ```
    config interface 'lan'
            option proto 'static'
            option netmask '255.255.255.0'
            option ipaddr '192.168.11.1'
            option device 'eth0.1'

    config interface 'wan'
            option proto 'dhcp'
            option device 'eth0.2'
    ```

    1. Hey, Nicolay, thanks for dropping by! Thanks for the note, my Raspberry Pi router is temporarily out of commission because of (you’re going to like it) a TP-Link device failure. Since writing the article, I’ve upgraded my Internet service to fiber, and had a TP-Link media converter as part of the new set-up, but the media converter failed, and I’m now stuck with using the provider-supplied modem as my router [cringe].

      Because of that I have not yet been exposed to the newer versions of OpenWRT, so I really appreciate the update.
