Resuscitating an old router with OpenWrt
Building a Multi-VLAN Home Network: Repurposing Your Old Router for Enterprise-Grade Segmentation
TL;DR
Transformed a retired AVM Fritz!Box 7530 into a professional multi-VLAN wireless access point, achieving complete network segregation for Home, IoT, and Work networks, all without buying new hardware. Full 300 Mbps performance across all VLANs with software-based VLAN tagging.
The Challenge: Network Segmentation at Home
Modern homes are mini data centers: smart home devices, work laptops, personal devices, and IoT gadgets all sharing the same network. The problem? A compromised smart bulb shouldn't be able to reach your work files.
Traditional solutions require expensive managed switches and enterprise access points. But what if you could achieve the same security with hardware you already own?
The Solution: OpenWrt + VLAN Trunking
By flashing OpenWrt on an old Fritz!Box 7530 and configuring it as a VLAN-aware access point, I created three completely isolated networks:
- Home Network (VLAN 1): Trusted devices, full access
- IoT Network (VLAN 25): Smart home devices, internet access only, with wireless client isolation
- Work Network (VLAN 30): Work devices, isolated from everything else
Cost: €0 (using existing hardware)
Network Architecture
High-Level Topology
Internet (300 Mbps)
        |
        v
GL.iNet Flint 3 (primary router: routing, DHCP, firewall)
    VLAN 1   192.168.8.1    (Home)
    VLAN 25  192.168.25.1   (IoT)
    VLAN 30  192.168.30.1   (Work)
        |
    Port 7 (802.1Q trunk): VLAN 1 untagged, VLAN 25 tagged, VLAN 30 tagged
        |
        | 1000 Mbps
        v
Fritz!Box 7530 (multi-VLAN access point, OpenWrt 24.10.4)
    lan1 (trunk port): receives VLAN 1 untagged + VLAN 25/30 tagged
        |
        +--> br-lan  (VLAN 1)  -> wired ports lan2-lan4 and 5 GHz WiFi "Home"
        +--> br-iot  (VLAN 25) -> 2.4 GHz WiFi "IoT"  -> smart devices
        +--> br-work (VLAN 30) -> 5 GHz WiFi "Work"   -> work laptop
VLAN Traffic Flow Diagram
Traffic Flow Example

Home device (WiFi) -> Internet:
    Laptop (192.168.8.x) --untagged--> br-lan (bridge) --untagged--> lan1 (trunk)
        --untagged, VLAN 1--> Flint 3 192.168.8.1 (routes) --> Internet

IoT device (WiFi) -> Internet:
    Smart bulb (192.168.25.x) --untagged--> br-iot (bridge) --> lan1.25 (8021q, adds tag 25)
        --VLAN 25 tagged--> lan1 (trunk) --VLAN 25 tagged--> Flint 3 192.168.25.1 (routes) --> Internet

Work device (WiFi) -> Internet:
    Work laptop (192.168.30.x) --untagged--> br-work (bridge) --> lan1.30 (8021q, adds tag 30)
        --VLAN 30 tagged--> lan1 (trunk) --VLAN 30 tagged--> Flint 3 192.168.30.1 (routes) --> Internet
Technical Deep Dive
Hardware Specifications
Primary Router:
- Model: GL.iNet Flint 3 (GL-BE9300)
- OpenWrt: 23.05-SNAPSHOT
- Role: DHCP, routing, firewall, VLAN management
- WAN: 300 Mbps fiber
Access Point:
- Model: AVM Fritz!Box 7530
- OpenWrt: 24.10.4 (kernel 6.6.110), ipq40xx target
- CPU: Qualcomm IPQ4019 (quad-core ARM Cortex-A7); the Intel/Lantiq VRX518 on the board is only the DSL modem and plays no part in the access-point role
- Radios:
- 2.4 GHz: Qualcomm Atheros (ath10k)
- 5 GHz: Qualcomm Atheros (ath10k)
- Switch: ports exposed through DSA as lan1-lan4 on conduit eth0; in this setup VLAN tagging is done by 8021q sub-interfaces in software, not by the switch
VLAN Configuration
| VLAN ID | Network | Purpose | Trunk Configuration | Wireless SSID |
|---|---|---|---|---|
| 1 | 192.168.8.0/24 | Home/Management | Untagged (PVID=1) | Mr-K-5G (5 GHz) |
| 25 | 192.168.25.0/24 | IoT Devices | Tagged | Mr-K-IoT (2.4 GHz) |
| 30 | 192.168.30.0/24 | Work Devices | Tagged | Mr-K-Work (5 GHz) |
Software VLAN Tagging (8021q)
The 7530's switch ports are exposed through DSA (not swconfig): lan1 to lan4 are DSA user ports hanging off the conduit eth0, which is why the system lists them as lan1@eth0 and so on. This setup does not use bridge VLAN filtering on the switch; instead each tagged VLAN is an 8021q sub-interface of lan1 that the kernel tags and untags in software. VLAN 1 rides untagged on the trunk as the native VLAN and carries the access point's own management address, so any untagged frame arriving on lan1 lands in the Home bridge.
# VLAN 25 interface
lan1.25 (8021q device)
    parent: lan1 (switch port interface)
    VID: 25
    bridge: br-iot, together with phy0-ap0 (IoT WiFi)
# VLAN 30 interface
lan1.30 (8021q device)
    parent: lan1 (switch port interface)
    VID: 30
    bridge: br-work, together with phy1-ap1 (Work WiFi)
Bridge Architecture
br-lan (VLAN 1 - Home)
ββ lan1 (trunk, untagged traffic)
ββ lan2 (access port)
ββ lan3 (access port)
ββ lan4 (access port)
ββ phy1-ap0 (5 GHz Home WiFi)
br-iot (VLAN 25 - IoT)
ββ lan1.25 (tagged VLAN interface)
ββ phy0-ap0 (2.4 GHz IoT WiFi)
br-work (VLAN 30 - Work)
ββ lan1.30 (tagged VLAN interface)
ββ phy1-ap1 (5 GHz Work WiFi)
Performance Results
Throughput Testing
All three VLANs reach the full ISP rate; the tagged VLANs add no measurable overhead at this link speed:
| Network | VLAN | Speed | Latency | Jitter | Performance |
|---|---|---|---|---|---|
| Home | 1 | 300 Mbps | 16.2 ms | 1.66 ms | Excellent |
| IoT | 25 | 300 Mbps | 16.8 ms | 1.82 ms | Excellent |
| Work | 30 | 300 Mbps | 16.5 ms | 1.71 ms | Excellent |
Key Findings
Initial Concern: Software VLAN tagging would create a bottleneck.
Reality: With proper configuration, software VLANs showed no measurable performance impact at 300 Mbps:
- CPU load average during the full-speed test: 0.13-0.16 (the CPU is essentially idle)
- Wireless PHY rate: 866.7 Mbps (the maximum for VHT80, two spatial streams, MCS 9)
- Packet loss: 0.02% (150 failed transmissions out of about 700k packets)
- TX retries: virtually zero (2 retries in total)
The Fritz!Box CPU sits idle while the AP sustains full line rate on all three VLANs. These figures are internet speed tests, so they show the AP keeping up with a 300 Mbps WAN; the ceiling of the gigabit trunk itself was not measured.
Wireless Performance
Radio0 (2.4 GHz) - IoT Network:
    Channel: 11 (auto-selected)
    Width: HT20 (20 MHz)
    TX Power: 20 dBm
    Channel Utilization: 27% (acceptable)
    Connected Devices: 10 IoT devices
Radio1 (5 GHz) - Home & Work Networks:
    Channel: 44 (5220 MHz)
    Width: VHT80 (80 MHz)
    TX Power: 23 dBm
    Channel Utilization: 6% (excellent)
    Concurrent SSIDs: 2 (Home + Work)
Implementation Challenges & Solutions
Challenge 1: Hardware Switch Architecture
Problem: The Fritz!Box 7530 exposes its switch through DSA rather than swconfig, so the usual swconfig VLAN recipes do not apply. Initial attempts to create VLANs on eth0 (the CPU port, i.e. the DSA conduit) failed with "Resource busy" errors.
Solution: The switch ports appear as sub-interfaces of eth0 (lan1@eth0, lan2@eth0, etc.). VLAN sub-interfaces must be created on lan1 (the switch port interface), not on eth0 directly. Once created, ip -d link show lan1.25 should report the device as lan1.25@lan1 with vlan protocol 802.1Q id 25.
# Wrong approach
eth0.25 -> fails (eth0 is the DSA conduit/CPU port and is always busy)
# Correct approach
lan1.25 -> works (lan1 is the switch port interface)
Challenge 2: Wireless Interface Binding
Problem: Initial configuration had the VLAN interfaces (lan1.25, lan1.30) in place, but clients couldn't use the wireless SSIDs: WiFi would associate, yet no DHCP offers were received.
Solution: Wireless interfaces cannot bind directly to VLAN interfaces in OpenWrt. They must join a bridge that contains the VLAN interface:
# Wrong configuration
network.iot.device='lan1.25'   # WiFi can't bind directly to a VLAN interface
# Correct configuration
network.br_iot (bridge) contains lan1.25
network.iot.device='br-iot'    # the iot network sits on the bridge
wireless.iot.network='iot'     # the SSID joins the iot network and is added to br-iot
Challenge 3: Multiple SSIDs on Single Radio
Problem: The 5 GHz radio (radio1) needed to broadcast two SSIDs (Home + Work), but initially only phy1-ap0 appeared. phy1-ap1 interface would not create.
Root Cause: The network.work interface was configured with proto='none' and no bridge. When hostapd tried to create phy1-ap1 and bind it to the work network, netifd couldn't establish the binding because the network didn't exist properly.
Solution: Create br-work bridge first, then phy1-ap1 automatically appears and joins it.
Challenge 4: Performance Mystery
Problem: Initial speed tests showed VLAN 1 at 300 Mbps, but VLANs 25/30 only achieved ~156 Mbps despite:
- Low CPU usage (0.13 load)
- Excellent wireless PHY rates (866 Mbps)
- Clean channels (6% busy time)
Root Cause: Client device issue - macOS had a network stack problem that was resolved with a reboot. This taught an important lesson: always verify the test client before blaming infrastructure.
Security Benefits
Network Isolation
Layer 2 separation comes from the 802.1Q VLANs; everything above that is policy enforced by the Flint 3 firewall, since the access point only bridges:
Firewall rules (Flint 3)

Home network (VLAN 1):
- full internet access
- can reach the other VLANs (where needed)
- management access to the Fritz!Box (192.168.8.2)

IoT network (VLAN 25):
- internet access only
- cannot reach the Home network
- cannot reach the Work network
- cannot reach router management
- wireless client isolation enabled (devices can't see each other)

Work network (VLAN 30):
- internet access only
- cannot reach the Home network
- cannot reach the IoT network
- cannot reach router management
- wireless client isolation enabled

Two caveats worth knowing. The isolate option is enforced by hostapd and only stops clients of the same SSID from talking to each other through the access point; it does nothing for wired ports in the same bridge. And the Fritz!Box's own management address lives on VLAN 1, so it stays out of reach of IoT and Work devices only as long as the router refuses to forward into VLAN 1; the access point has no firewall role of its own.
Attack Surface Reduction
Before segmentation:
Smart Bulb <--> same network <--> Work Laptop
(if compromised, direct access to all devices)
After segmentation:
Smart Bulb (VLAN 25) --X--> Firewall --X--> Work Laptop (VLAN 30)
(compromise contained to the IoT network only)
Configuration Scripts
The complete configuration was automated with a production-ready script featuring:
- Pre-flight safety checks (hardware validation, password verification, connectivity tests)
- Automatic rollback protection (120-second timer, auto-revert on failure)
- Dry-run mode (test before applying)
- Comprehensive backups (timestamped config snapshots)
- Idempotent operation (safe to run multiple times)
Key Configuration Snippets
VLAN Interface Creation:
# VLAN 25 (IoT)
uci set network.vlan25=device
uci set network.vlan25.type='8021q'
uci set network.vlan25.ifname='lan1'
uci set network.vlan25.vid='25'
uci set network.vlan25.name='lan1.25'
# Bridge for IoT
uci set network.br_iot=device
uci set network.br_iot.type='bridge'
uci set network.br_iot.name='br-iot'
uci add_list network.br_iot.ports='lan1.25'
# Network interface
uci set network.iot=interface
uci set network.iot.device='br-iot'
uci set network.iot.proto='none'
Wireless Configuration:
# IoT SSID on 2.4 GHz
uci set wireless.iot=wifi-iface
uci set wireless.iot.device='radio0'
uci set wireless.iot.mode='ap'
uci set wireless.iot.network='iot'
uci set wireless.iot.ssid='Mr-K-IoT'
uci set wireless.iot.encryption='psk2'
uci set wireless.iot.isolate='1' # Client isolation
# psk2 also needs a passphrase (uci set wireless.iot.key=...) or hostapd will not bring the SSID up
# Apply both files
uci commit network
uci commit wireless
/etc/init.d/network reload
wifi reload
Lessons Learned
1. Software VLANs Are Not a Bottleneck
Myth: Software VLAN tagging on consumer hardware kills performance.
Reality: On current consumer SoCs, even a modest quad-core ARM part like the IPQ4019, 8021q tagging adds negligible overhead at these rates. The Fritz!Box sustained the full 300 Mbps on every VLAN with a load average of 0.13-0.16.
2. Bridge Architecture Matters
In OpenWrt, wireless interfaces cannot bind directly to VLAN sub-interfaces. The correct pattern is:
Physical Port -> VLAN Interface -> Bridge -> Wireless Interface
lan1 -> lan1.25 -> br-iot -> phy0-ap0
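To make this chain, and the firewall policy from the Security Benefits section, checkable rather than just drawn, here is an added example (my code, not the author's script and not part of OpenWrt). It parses the UCI text of /etc/config/network and /etc/config/wireless from the access point and /etc/config/firewall from the router, and flags an SSID whose network is not on a bridge, a missing isolate flag, and any forwarding from the IoT or Work zone into another zone. It is meant to run off-box on exported config files. The three config strings are constructed for the example with the article's names; the work interface is deliberately bound straight to lan1.30, the mistake Challenge 2 describes. The firewall model is simplified to zone forward policy plus forwarding sections and leaves out the DHCP/DNS accept rules that an input=REJECT zone still needs.

```python
"""Check a multi-VLAN OpenWrt AP and its upstream firewall from their UCI text.
Added example, not code from the original post or from OpenWrt. The config text is
constructed for this example; 'work' is mis-wired on purpose (no bridge)."""
import shlex

NETWORK = """
config device 'vlan25'
    option type '8021q'
    option ifname 'lan1'
    option vid '25'
    option name 'lan1.25'
config device
    option name 'br-iot'
    option type 'bridge'
    list ports 'lan1.25'
config interface 'iot'
    option device 'br-iot'
config interface 'work'
    option device 'lan1.30'
"""
WIRELESS = """
config wifi-iface 'iot'
    option network 'iot'
    option ssid 'Mr-K-IoT'
    option isolate '1'
config wifi-iface 'work'
    option network 'work'
    option ssid 'Mr-K-Work'
"""
FIREWALL = """
config zone
    option name 'wan'
config zone
    option name 'home'
    option forward 'ACCEPT'
config zone
    option name 'iot'
    option forward 'REJECT'
config zone
    option name 'work'
    option forward 'REJECT'
config forwarding
    option src 'home'
    option dest 'wan'
config forwarding
    option src 'home'
    option dest 'iot'
config forwarding
    option src 'iot'
    option dest 'wan'
config forwarding
    option src 'work'
    option dest 'wan'
"""

def parse_uci(text):
    """Parse UCI 'config/option/list' lines into [{"type", "name", "opt", "lst"}]."""
    out = []
    for words in (shlex.split(line, comments=True) for line in text.splitlines()):
        if words and words[0] == "config":
            out.append({"type": words[1], "name": words[2] if len(words) > 2 else None,
                        "opt": {}, "lst": {}})
        elif words and words[0] == "option":
            out[-1]["opt"][words[1]] = words[2]
        elif words and words[0] == "list":
            out[-1]["lst"].setdefault(words[1], []).append(words[2])
    return out

def check_ap(network_text, wireless_text, isolated=("iot", "work")):
    """Report SSIDs whose network is not on a bridge, and missing client isolation."""
    net, wifi = parse_uci(network_text), parse_uci(wireless_text)
    bridges = {s["opt"]["name"] for s in net
               if s["type"] == "device" and s["opt"].get("type") == "bridge"}
    ifaces = {s["name"]: s["opt"].get("device") for s in net if s["type"] == "interface"}
    problems = []
    for w in (s["opt"] for s in wifi if s["type"] == "wifi-iface"):
        dev = ifaces.get(w.get("network"))
        # hostapd adds the SSID to the network's device; a bare lan1.30 associates but forwards nothing
        if dev not in bridges:
            problems.append(f"{w['ssid']}: network '{w.get('network')}' uses '{dev}', not a bridge")
        if w.get("network") in isolated and w.get("isolate") != "1":
            problems.append(f"{w['ssid']}: client isolation (isolate=1) missing")
    return problems

def forwarding_matrix(firewall_text):
    """fw4 model: inter-zone traffic needs a 'forwarding' section, intra-zone uses the zone policy."""
    fw = parse_uci(firewall_text)
    policy = {s["opt"]["name"]: s["opt"].get("forward", "REJECT") for s in fw if s["type"] == "zone"}
    pairs = {(s["opt"]["src"], s["opt"]["dest"]) for s in fw if s["type"] == "forwarding"}
    return {(a, b): (policy[a] == "ACCEPT") if a == b else ((a, b) in pairs)
            for a in policy for b in policy}

def segmentation_violations(matrix, trusted="home", untrusted=("iot", "work"), internet="wan"):
    """The article's policy: untrusted zones reach the internet and nothing else."""
    bad = []
    for z in untrusted:
        if not matrix[(z, internet)]:
            bad.append(f"{z} cannot reach {internet}")
        bad += [f"{z} can forward into {o}" for o in (trusted, *untrusted) if o != z and matrix[(z, o)]]
    return bad
```

Run check_ap on the sample and it reports the Work SSID twice (wrong device, no isolation) and nothing for IoT; forwarding_matrix plus segmentation_violations returns an empty list for the sample policy and names the offending pair as soon as a forwarding from iot into home is added. Feed it your real exported files (uci export network, and so on) after every change to the AP or router.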
3. Always Verify the Test Client
When troubleshooting performance, check the client device first. A simple reboot resolved what appeared to be a complex VLAN performance issue. Tools like iw dev station dump can show the actual wireless PHY rate vs. throughput.
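As an added example for this lesson and for the counters quoted under Key Findings (not code from the original post), the following script parses the text that iw dev <ifname> station dump prints and reports, per station, the PHY rate and MCS, the tx failure and retry ratios and the signal level, then names the stations whose radio link would explain a slow test. The dump inside is constructed for the example (invented MAC addresses and counters, laid out the way iw prints them); the thresholds are assumptions for a 5 GHz VHT80 link. A station that passes, like the first one below, is the cue to look at the client rather than the AP.

```python
"""Turn `iw dev <ifname> station dump` output into link-quality numbers.
Added example, not from the original post. The dump below is constructed
(invented MACs and counters) in the layout iw prints; the thresholds are
assumptions for a 5 GHz VHT80 link, not anything iw reports."""
import re

SAMPLE_DUMP = """\
Station 02:00:00:00:00:01 (on phy1-ap1)
\tinactive time:\t10 ms
\trx bytes:\t812345678
\ttx packets:\t700000
\ttx retries:\t2
\ttx failed:\t150
\tsignal:  \t-52 [-55, -57] dBm
\ttx bitrate:\t866.7 MBit/s VHT-MCS 9 80MHz short GI VHT-NSS 2
\trx bitrate:\t780.0 MBit/s VHT-MCS 8 80MHz short GI VHT-NSS 2
\tconnected time:\t3600 seconds
Station 02:00:00:00:00:02 (on phy0-ap0)
\ttx packets:\t12000
\ttx retries:\t900
\ttx failed:\t600
\tsignal:  \t-79 [-80, -82] dBm
\ttx bitrate:\t6.5 MBit/s MCS 0
\trx bitrate:\t13.0 MBit/s MCS 1
"""


def parse_station_dump(text):
    """One dict per station: 'mac', 'iface' and every indented 'key: value' line."""
    stations, cur = [], None
    for line in text.splitlines():
        head = re.match(r"Station (\S+) \(on (\S+)\)", line)
        if head:
            cur = {"mac": head.group(1), "iface": head.group(2)}
            stations.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")
            cur[key.strip()] = val.strip()
    return stations


def link_quality(st, min_rate_mbps=100.0, max_fail_ratio=0.01, min_signal_dbm=-70):
    """Rates and loss ratios for one station, plus the reasons it could be slow."""
    tx_packets = int(st.get("tx packets", 0))
    rate = float(st["tx bitrate"].split()[0])      # "866.7 MBit/s VHT-MCS 9 ..." -> 866.7
    mcs = re.search(r"((?:VHT-|HE-|EHT-)?MCS \d+)", st["tx bitrate"])
    signal = int(st["signal"].split()[0])          # "-52 [-55, -57] dBm" -> -52
    fail_ratio = int(st.get("tx failed", 0)) / tx_packets if tx_packets else 0.0
    retry_ratio = int(st.get("tx retries", 0)) / tx_packets if tx_packets else 0.0
    reasons = []
    if rate < min_rate_mbps:
        reasons.append(f"PHY rate {rate} Mbit/s below {min_rate_mbps}")
    if signal < min_signal_dbm:
        reasons.append(f"signal {signal} dBm below {min_signal_dbm}")
    if fail_ratio > max_fail_ratio:
        reasons.append(f"tx failure ratio {fail_ratio:.2%} above {max_fail_ratio:.0%}")
    return {"mac": st["mac"], "iface": st["iface"], "tx_rate_mbps": rate,
            "mcs": mcs.group(1) if mcs else None, "signal_dbm": signal,
            "fail_ratio": fail_ratio, "retry_ratio": retry_ratio, "reasons": reasons}


def suspect_stations(text):
    """MACs whose radio link, not the VLAN path, is the likely throughput bottleneck."""
    return [q["mac"] for q in map(link_quality, parse_station_dump(text)) if q["reasons"]]


if __name__ == "__main__":
    for q in map(link_quality, parse_station_dump(SAMPLE_DUMP)):
        verdict = "; ".join(q["reasons"]) or "link is clean, check the client first"
        print(f"{q['mac']} on {q['iface']}: {q['tx_rate_mbps']} Mbit/s {q['mcs']}, "
              f"{q['signal_dbm']} dBm, tx failed {q['fail_ratio']:.3%}: {verdict}")
```

On the real box, pipe the output of iw dev phy1-ap1 station dump into parse_station_dump; a 0.02% failure ratio at 866.7 Mbit/s, as in the article's numbers, says the AP side is healthy and the 156 Mbps result came from somewhere else.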
4. Documentation is Critical
Complex network configurations need proper documentation. Diagrams showing traffic flow and VLAN tagging help tremendously when troubleshooting months later.
Cost-Benefit Analysis
Traditional Solution (New Hardware)
Managed Switch (8-port): €150-300
Enterprise Access Point: €200-400
Configuration service: €100-200
---------
Total: €450-900
This Solution (Repurposed Hardware)
Fritz!Box 7530 (already owned): €0
Time investment (learning): ~8 hours
OpenWrt (free software): €0
---------
Total: €0
Knowledge gained: Priceless
ROI: Infinite (€450-900 saved, skills learned, complete control)
Use Cases
This setup is ideal for:
1. Home Office Workers
- Isolate work devices from personal network
- Comply with corporate security policies
- Maintain separate guest network
2. Smart Home Enthusiasts
- Contain IoT device vulnerabilities
- Prevent smart devices from scanning home network
- Enable aggressive firewall rules for IoT without affecting other devices
3. Privacy-Conscious Users
- Separate trusted devices from experimental/untrusted ones
- Create a quarantine network for new devices
- Implement zero-trust principles at home
4. Tech Learners
- Learn enterprise networking concepts
- Practice VLAN configuration
- Understand 802.1Q trunking
- Experiment safely with network segmentation
Future Enhancements
Potential improvements to this setup:
1. Advanced Firewall Rules
- Time-based access controls for IoT devices
- Geo-blocking for specific VLANs
- Port forwarding per VLAN
- IDS/IPS integration
2. VPN Per VLAN
- Route Work VLAN through corporate VPN
- Route IoT through privacy VPN
- Home network direct connection
3. Dynamic VLAN Assignment
- RADIUS server for 802.1X authentication
- Assign VLANs based on device certificates
- Guest portal with captive authentication
4. Monitoring & Analytics
- Per-VLAN bandwidth monitoring
- Grafana dashboards
- Alerting on suspicious IoT activity
- NetFlow analysis
Conclusion
Repurposing old networking hardware with OpenWrt demonstrates that enterprise-grade network segmentation doesn't require enterprise budgets. With proper configuration, software VLAN tagging kept up with the 300 Mbps WAN just as hardware tagging would, while providing:
- Complete network isolation
- Full throughput (300 Mbps across all VLANs)
- Enhanced security posture
- Valuable learning experience
- Zero additional hardware cost
The key insight: modern consumer hardware has far more CPU than bridging and access-point duty needs. A retired router collecting dust has enough processing power to handle sophisticated network segmentation; you just need the right software and configuration.
Resources & References
Tools Used
- OpenWrt 24.10.4
- 8021q kernel module
- hostapd (wireless management)
- netifd (network interface daemon)
About This Project
This configuration was developed over several days of troubleshooting, learning, and optimization. Special thanks to the OpenWrt community for excellent documentation and support.
Hardware Used:
- GL.iNet Flint 3 (GL-BE9300)
- AVM Fritz!Box 7530
Software:
- OpenWrt 24.10.4 (Fritz!Box)
- OpenWrt 23.05-SNAPSHOT (Flint 3)
Project Status: Production-ready, running stable
Tags
#networking #homelab #openwrt #vlan #cybersecurity #networksegmentation #iot #homeautomation #opensource #infrastructure
Have questions about implementing this setup? Want to discuss optimizations? Connect with me on LinkedIn or drop a comment below!