What is a VLAN & How to Setup VLANs in DD-WRT (Router FAQ)

At FlashRouters, our primary goal is to inform users of what they can do if they decide to take control back of their network and learn more about what their router does. From VPN (Virtual Private Network) integration to QoS (Quality of Service) to DNSMasq & Bandwidth Monitoring/Access controls, DD-WRT is a feature laden firmware alternative ready to maximize your router capabilities and performance.

In this post, we will explore a very popular feature most commonly found in alternative firmwares like DD-WRT called VLAN or VLAN tagging.

What is VLAN (Virtual LAN)?

According to Wikipedia,”In computer networking, a single layer-2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers; such a domain is referred to as a virtual local area network, virtual LAN or VLAN… More sophisticated devices can mark packets through tagging, so that a single interconnect (trunk) may be used to transport data for multiple VLANs…”

Basically a VLAN is a method of created separate networks on the same router for security and segmentation purposes. VLAN setup is a useful procedure if you have some devices on your network that you want to isolate from other devices like multiple guest networks for family friends or office visitors. Provide Internet access with a VLAN without giving them access to your entire network. The settings can easily be changed and adapted to however you want the network to be setup.

VLAN Benefits

A VLAN has the same attributes as a physical local area network (LAN), but it allows for devices to be grouped together more easily even if they are not on the same network switch. Most enterprise-level networks today use the virtual LANs.

Without VLAN functionality, this setup would require a separate, a collection of network cables and equipment separate from the primary network that would be costly and create the need for wiring an entire home or office again. Unlike physically separate networks, VLANs share bandwidth, so VLAN trunks may require aggregated links and/or quality of service prioritization for maximizing the capability.

For many users, VLAN alone is a enough of a reason to switch to third-party alternative firmware, but you can read the Intro to DD-WRT for more.

How to Setup VLAN in DD-WRT

Netgear R7000 Nighthawk - Wireless-AC Router

Netgear R7000 AC1900 Nighthawk DD-WRT

Now on to the fun!

In this DD-WRT tutorial, we will setup VLANs for each Ethernet port. This will create a network on each port that is isolated from all the other ports. An Asus RT-AC66U has been used for this tutorial but this same interface is pretty constant throughout any popular DD-WRT enhanced router like the Netgear Nighthawk R7000 AC1900.

VLAN Configuration of Ports 1-4

Go to (or your router management IP address) in your web browser.

Select Setup -> VLANs.

Uncheck ports 1, 2, 3, and 4. Place port 1 into VLAN1, port 2 into VLAN2, and port 3 into VLAN3, port 4 into VLAN4. Set the WAN port to VLAN0.

When this is done, the VLAN configuration page should look like this.

VLAN-howto 1 vlan setup

Click Save, then Apply Settings.

VLAN-howto 2 apply vlan settings

VLAN Configuration on Each Port

  1. Next, plug an Ethernet cable into port 1 on the router from your computer.
  2. Unplug the router power for 30 seconds and then plug it back in. Wait for the lights to return to normal.
  3. Go to Setup -> Networking.

In this tutorial, we will create a subnet for each VLAN.

VLAN1 will have the subnet VLAN2 will have the subnet VLAN3 will have the subnet VLAN4 will have the subnet

That means devices on VLAN1 will be assigned addresses such as and for VLAN2

VLAN-howto 3 port setup assignment

Under Port Setup set VLAN1 to Unbridged.

Set the IP Address to Set the Subnet Mask to

Change VLAN2 to Unbridged.

Set the IP Address to Set the Subnet Mask to

Change VLAN3 to Unbridged.

Set the IP Address to Set the Subnet Mask to

Change set VLAN4 to Unbridged.

Set the IP Address to Set the Subnet Mask to

Save your changes by clicking Save. When the interface responds, the Port Setup section should look like this.

VLAN-howto 4 port setup assignment 2

Below the Port Setup area you will see a section titled DHCPD.

What this area does is allow you to create multiple automatic assignment addresses for IP addresses in a network. So whenever someone authenticates into this section, this VLAN will assign it a user address in your network. This is create 4 sets of automatic assignments within the 4 new segments of your network to be handled by the router automatically in the future.

Under DHCPD click Add. Set DHCP 0 to vlan0 with a Leasetime of 1440 (24 hours). Click Save.

Click Add again. Set DHCP 1 to vlan1 with a Leasetime of 1440 (24 hours). Click Save.

Under DHCPD Click Add. Set DHCP 2 to vlan2 with a Leasetime of 1440 (24 hours). Click Save.

Once again, Once again,Set DHCP 3 to vlan3 with a Leasetime of 1440 (24 hours). Click Save.

And a final time, click Add. Set DHCP 4 to vlan4 with a Leasetime of 1440 (24 hours).

Click Save. Let it save. Then, click Apply Settings.

Once completed, the DHCPD -> Mutliple DHCP Server section should look like this:

VLAN-howto 5 multiple dhcp servers

Plug your Ethernet cable into any port on the router aside from port 4 or the WAN port. Unplug the power for 30 seconds and then plug it back in. Wait for the lights to return to normal.

 Adding Firewall Rules to Isolate the VLANs.

Now we have created 4 network segments but we need to use a firewall to fully isolate them from each other. These commands block all VLANs from communication with each other.

Browse to Administration -> Commands.

Copy and paste the following commands into the Commands text box:

iptables -I  FORWARD -s -j DROP
iptables -I  FORWARD -s -j DROP
iptables -I  FORWARD -s -j DROP
iptables -I  FORWARD -s -j DROP

Click “Save Firewall”.

VLAN-howto 6 firewall commands

Your DD-WRT VLAN basic configuration is now complete.

Testing the VLAN DD-WRT Setup

To test each VLAN, connect to that port. Take note of your IP address and see if your local IP address changes in your network. If it changes you have correctly setup VLANs, great job!

Looking for some VLAN ready routers? Check our our full selection of DD-WRT pre-installed routers.

Updated: Nov 14, 2016

14 thoughts on “What is a VLAN & How to Setup VLANs in DD-WRT (Router FAQ)

  1. kevdelaney

    Thanks for the great guide. In the “Port Setup” section though, you have the WAN port assignment set to VLAN 2. I don’t think this is correct because right after you’re configuring IP address details for VLAN2. What should the WAN port assignment actually be?

  2. Jeff

    This appears to be for just physical connections and not wireless. Aren’t you supposed to create a 2nd bridge and assign the wireless interfaces to the vlans?

  3. FernanDK

    Hi! Under Setup there is no VLAN submenu. My router is the TPLink WDR4300. Should I assume that I won’t achieve VLANing using this model? Thank you.

  4. Rik

    Hi there,

    Does vlan tagging affect the throughput of the device?

    I am on a 1Gb internet connection which had 2 vlans on it.
    I want to seperate them and forward it on a specific ethernet port.


  5. John

    whelp…time to drive an hr to reclaim the router.. does wan in 0 still allow trunking…i seem to recall 0 is not used on most devices because its special/for trunking

  6. Hanno

    I have DDRWRT on my E3200 Linksys (Cisco) an i can see the Vlan Tab….

    WAN is on Vlan 2 (Defalut) and if i follow your TUT nothing works and im forced to reset my router.

    In the picture “Port Setup” there is a dropdown menu “WAN port Assignment” you selected vlan02 ? Is this default or do i need to change this to another vlan? (WAN is on vlan2 per default on my router)?

  7. Zy Xeller

    This guide teaches how to set up VLAN on physical LAN port and respective DHCP conf. Then confusigly, it suggests to test this by connecting via WLAN, that is wirelessly….
    Not sure if this would work as expected. At best, you’d get VLAN1 leased IP, by some default. At worst, the WLAN won’t get an IP.
    Also WAN routing was not covered…

    1. Tyler Truong

      These VLAN settings are exclusively for wired connections. In order for wireless networks to be assigned to same subnets as the VLAN you need to create a bridge and assign both the wireless interface and the VLAN to that bridge.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.