Running OpenWrt with USB NICs and VLANs turns a Pi 4 or Pi 5 into a capable home router and network segmentation device. OpenWrt is a purpose-built Linux distribution for routing. It handles firewall rules, VLAN tagging, QoS, and dynamic routing in a system that uses under 100MB of RAM. Adding USB network adapters with known-good chipsets expands the Pi’s single Ethernet port into multiple physical interfaces, and VLAN tagging multiplies those further into logical network segments without additional hardware.
Last tested: OpenWrt 23.05.3 | April 3, 2026 | Raspberry Pi 4 Model B (4GB) | TP-Link UE300 (RTL8153) USB NIC | VLAN 10/20/30 segmentation
Key Takeaways
- Use RTL8153 (module: r8152) or ASIX AX88179 (module: ax88179_178a) USB NICs. These chipsets have stable OpenWrt kernel support. Uncertified chipsets have inconsistent driver support and often drop under load.
- Pi 4 shares USB 3.0 bandwidth across all ports on a single controller. Two active USB NICs plus a USB SSD will contend for that bandwidth. Pi 5 has a dedicated USB controller and PCIe lane that significantly reduces this contention.
- Modern OpenWrt uses DSA (Distributed Switch Architecture) rather than swconfig. VLANs are configured as bridge VLAN filtering on individual interfaces, not as switch port mappings.
- Every VLAN interface must be assigned to a firewall zone. Without a zone assignment, traffic is neither forwarded nor blocked in a predictable way.
- Interface names can change between reboots if multiple USB NICs are present. Pin names using MAC address matching in /etc/config/network to prevent firewall rules from silently breaking.
- Power both USB NICs from a powered hub rather than the Pi’s USB ports. Undervoltage mid-transfer causes interface disconnects that look like driver or configuration problems.

How OpenWrt, USB NICs and VLANs Work on a Raspberry Pi
OpenWrt installs directly to a microSD card or USB SSD. It replaces the standard Raspberry Pi OS entirely. The Pi boots into OpenWrt and acts as a dedicated router. The onboard Ethernet port (eth0) becomes the default LAN interface. Adding USB NICs gives additional physical interfaces that can be assigned as WAN, additional LAN segments, or VLAN trunk ports.
VLANs (802.1Q) tag Ethernet frames with a numeric ID that identifies which logical network the frame belongs to. A single physical cable carrying tagged frames can carry traffic from multiple VLANs simultaneously. OpenWrt creates virtual interfaces (e.g. eth0.10, eth0.20) that filter and forward only the frames tagged with the matching VLAN ID. Each virtual interface is then assigned to a separate firewall zone, giving independent security policies to each network segment.
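The zone assignment described above can be checked mechanically. This is an added example, not part of the original article: it reads UCI-format copies of /etc/config/network and /etc/config/firewall, lists interfaces that no zone references, and prints every forwarding as src>dest. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Audits UCI-format files for
# interfaces that no firewall zone covers and lists the zone forwardings.
Q="[\"']"   # UCI values may be single- or double-quoted

# Names of all "config interface" sections in a network file.
uci_interfaces() {
    awk -v q="$Q" '$1 == "config" && $2 == "interface" { gsub(q, "", $3); print $3 }' "$1"
}

# Networks referenced by "list network" / "option network" inside zone sections.
uci_zone_networks() {
    awk -v q="$Q" '
        $1 == "config" { in_zone = ($2 == "zone") }
        in_zone && $2 == "network" { for (i = 3; i <= NF; i++) { gsub(q, "", $i); print $i } }
    ' "$1"
}

# unzoned_interfaces NETWORK_FILE FIREWALL_FILE: interfaces (except loopback) in no zone.
unzoned_interfaces() {
    zoned=$(uci_zone_networks "$2")
    for ifc in $(uci_interfaces "$1"); do
        [ "$ifc" = "loopback" ] && continue
        printf '%s\n' "$zoned" | grep -qx "$ifc" || printf '%s\n' "$ifc"
    done
}

# zone_forwardings FIREWALL_FILE: each "config forwarding" section as "src>dest".
zone_forwardings() {
    awk -v q="$Q" '
        function emit() { if (src != "") print src ">" dest; src = ""; dest = "" }
        $1 == "config" { emit(); in_fwd = ($2 == "forwarding") }
        in_fwd && $1 == "option" && $2 == "src"  { gsub(q, "", $3); src = $3 }
        in_fwd && $1 == "option" && $2 == "dest" { gsub(q, "", $3); dest = $3 }
        END { emit() }
    ' "$1"
}

# Constructed sample: "guest" is defined in network but missing from every zone.
demo=$(mktemp -d)
printf "config interface '%s'\n" loopback lan iot guest wan > "$demo/network"
printf "config zone\n\toption name '%s'\n\tlist network '%s'\n" lan lan iot iot wan wan > "$demo/firewall"
printf "config forwarding\n\toption src '%s'\n\toption dest '%s'\n" lan wan iot wan >> "$demo/firewall"
echo "No zone: $(unzoned_interfaces "$demo/network" "$demo/firewall")"
echo "Forwardings: $(zone_forwardings "$demo/firewall" | tr '\n' ' ')"
rm -rf "$demo"
```

Any name printed by unzoned_interfaces is a segment whose traffic handling is undefined, and any forwarding whose destination is a trusted zone deserves a second look.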

Pi 4 vs Pi 5 for this workload
| Feature | Raspberry Pi 4 | Raspberry Pi 5 |
|---|---|---|
| USB controller | Shared VL805 (all ports) | Dedicated RP1 chip per group |
| Ethernet | Gigabit (USB-attached) | Gigabit (PCIe-attached) |
| USB 3.0 ports | 2 (shared bandwidth) | 2 (independent bandwidth) |
| PCIe | None | PCIe 2.0 x1 |
| Typical routing throughput | 300–500 Mbps | 600–900 Mbps |
| Thermal load (with USB NICs) | 65–75°C sustained | 60–70°C sustained |

Step 1: Flash OpenWrt to the Pi
Download the correct factory image from the OpenWrt release server. The image filenames follow a consistent pattern:
- Pi 4: openwrt-23.05.x-bcm27xx-bcm2711-rpi-4-ext4-factory.img.gz
- Pi 5: openwrt-23.05.x-bcm27xx-bcm2712-rpi-5-ext4-factory.img.gz
Download from downloads.openwrt.org/releases, select the latest stable release, then navigate to targets/bcm27xx/bcm2711/ (Pi 4) or targets/bcm27xx/bcm2712/ (Pi 5).
```bash
# Decompress and flash (Linux/macOS -- replace sdX with your card)
gunzip openwrt-23.05.x-bcm27xx-bcm2711-rpi-4-ext4-factory.img.gz
sudo dd if=openwrt-23.05.x-bcm27xx-bcm2711-rpi-4-ext4-factory.img \
  of=/dev/sdX bs=4M status=progress conv=fsync
```
Insert the card into the Pi and connect the onboard Ethernet port to a switch or directly to a computer with a static IP in the 192.168.1.0/24 range. Power on. After about 60 seconds, navigate to http://192.168.1.1 in a browser. The LuCI web interface loads with no password on first boot. Set one immediately.
```bash
# Or access via SSH on first boot
ssh root@192.168.1.1
# Set root password
passwd
```
Expected result: LuCI loads at http://192.168.1.1. SSH connects as root. The Overview page shows eth0 as the LAN interface.
Step 2: Install and Verify USB NIC Support
Plug in the USB NIC. Check that the kernel detected it and loaded the driver:
```bash
# Check kernel messages for NIC detection
dmesg | grep -E "eth|r8152|ax88179"
# List network interfaces
ip link show
# Confirm driver module is loaded
lsmod | grep -E "r8152|ax88179"
```
If the NIC is not detected, install the driver package:
```bash
opkg update
# For RTL8153
opkg install kmod-usb-net-rtl8152
# For ASIX AX88179
opkg install kmod-usb-net-asix-ax88179
```
Reboot after installing kernel modules. The new interface typically appears as eth1 (or enx... with a MAC-based name depending on the OpenWrt version).
Expected result: ip link show lists the USB NIC as a new interface. dmesg shows the driver attaching to a USB device at the correct speed (USB 3.0: SuperSpeed).
Step 3: Pin Interface Names by MAC Address
USB NIC interface names can change between reboots when multiple adapters are present. The adapter that initialises first gets eth1, the second gets eth2, but this order is not guaranteed. A firewall rule assigned to eth1 as WAN will silently apply to the wrong interface after a reboot if the naming shifts.
Pin each interface to its MAC address in /etc/config/network:
```
config device
	option name 'eth_wan'
	option macaddr 'aa:bb:cc:dd:ee:ff'

config interface 'wan'
	option device 'eth_wan'
	option proto 'dhcp'
```
Get each USB NIC’s MAC address with ip link show or cat /sys/class/net/eth1/address.
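Because a swapped name fails silently, it is worth checking after each reboot that every pinned name still belongs to the intended adapter. This is an added example, not part of the original article: the pin file format, the check_pins function and the 02:... MAC addresses are constructed for illustration, and the optional second argument lets it run against a copy of the /sys/class/net layout.

```shell
#!/bin/sh
# Added example, not from the original article. Checks that each pinned
# interface name still carries the MAC address it is expected to have.

# check_pins PIN_FILE [SYSFS_NET_DIR]
# PIN_FILE holds "name mac" pairs, one per line; "#" starts a comment line.
# Prints one status line per entry; returns 1 if any name is missing or mismatched.
check_pins() {
    root=${2:-/sys/class/net}
    rc=0
    while read -r name want; do
        case "$name" in ''|'#'*) continue ;; esac
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
        if [ ! -r "$root/$name/address" ]; then
            echo "MISSING $name (expected $want)"; rc=1; continue
        fi
        have=$(tr 'A-F' 'a-f' < "$root/$name/address")
        if [ "$have" = "$want" ]; then
            echo "OK $name $have"
        else
            # Find which interface, if any, now carries the expected MAC.
            holder=$(grep -ilx "$want" "$root"/*/address 2>/dev/null | head -n 1)
            holder=${holder%/address}; holder=${holder##*/}
            echo "MISMATCH $name has $have; $want is on ${holder:-no interface}"; rc=1
        fi
    done < "$1"
    return "$rc"
}

# Constructed demo tree: eth1 and eth2 have swapped since the pins were recorded.
# aa:bb:cc:dd:ee:ff is the article's placeholder; the 02:... MACs are made up.
demo=$(mktemp -d)
for pair in eth_wan=aa:bb:cc:dd:ee:ff eth1=02:00:00:00:00:02 eth2=02:00:00:00:00:01; do
    mkdir -p "$demo/net/${pair%%=*}"
    echo "${pair#*=}" > "$demo/net/${pair%%=*}/address"
done
printf '%s\n' '# name mac' 'eth_wan AA:BB:CC:DD:EE:FF' 'eth1 02:00:00:00:00:01' > "$demo/pins"
check_pins "$demo/pins" "$demo/net" || echo "pin check failed: review firewall zone devices"
rm -rf "$demo"
```

On the router, call check_pins with only the pin file so it reads the live /sys/class/net, and treat a non-zero return as a reason to review the firewall zone devices before trusting the rules.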
Step 4: Configure VLANs with DSA
Modern OpenWrt uses DSA (Distributed Switch Architecture), which treats every network port as an independent Linux interface. VLAN configuration uses bridge VLAN filtering rather than the older swconfig switch table. The key difference is that VLAN memberships are set on the bridge and its member ports directly, making the configuration transparent and debuggable with standard Linux tools.
Create VLAN interfaces in /etc/config/network
```
# VLAN 10 -- main LAN
config interface 'lan'
	option device 'eth0.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

# VLAN 20 -- IoT devices
config interface 'iot'
	option device 'eth0.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# VLAN 30 -- guest network
config interface 'guest'
	option device 'eth0.30'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

# WAN on USB NIC
config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
```
Apply the configuration:
Enable bridge VLAN filtering (DSA)

```bash
# Enable VLAN filtering on the bridge.
# br-lan is an anonymous 'config device' section; [0] assumes it is the
# first one in the file (confirm with: uci show network)
uci set network.@device[0].vlan_filtering='1'
# Add bridge VLAN entry for VLAN 10 (LAN) -- tagged on trunk port, untagged on access port
uci add network bridge-vlan
uci set network.@bridge-vlan[-1].device='br-lan'
uci set network.@bridge-vlan[-1].vlan='10'
uci add_list network.@bridge-vlan[-1].ports='eth0:t'
uci commit network
service network restart
```

Expected result: ip link show lists eth0.10, eth0.20, and eth0.30. Each interface has its assigned IP. ping 192.168.10.1 from a device on VLAN 10 replies.

Step 5: Assign VLANs to Firewall Zones
Every VLAN interface must be assigned to a firewall zone. Without a zone, OpenWrt does not know how to handle traffic crossing that interface. The default zones are lan and wan. Add zones for IoT and guest networks in /etc/config/firewall:

```
# IoT zone -- internet access only, no LAN access
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'iot'
	option dest 'wan'

# Guest zone -- internet access only, isolated from LAN and IoT
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'guest'
	option dest 'wan'
```

Allow DNS and DHCP requests into the IoT and guest zones so devices can obtain addresses and resolve names:

```
# Allow DHCP and DNS into IoT zone
config rule
	option name 'Allow-IoT-DHCP-DNS'
	option src 'iot'
	option dest_port '53 67 68'
	option target 'ACCEPT'

# Allow DHCP and DNS into guest zone
config rule
	option name 'Allow-Guest-DHCP-DNS'
	option src 'guest'
	option dest_port '53 67 68'
	option target 'ACCEPT'
```

```bash
uci commit firewall
service firewall restart
```

Expected result: A device on the guest VLAN (192.168.30.x) can reach the internet but cannot ping or reach devices on the LAN (192.168.10.x) or IoT (192.168.20.x) segments. Verify isolation with ping across segments.

Step 6: Configure DHCP for Each VLAN
```
# Add DHCP pools for IoT and guest in /etc/config/dhcp
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '50'
	option leasetime '1h'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '50'
	option leasetime '30m'
```

```bash
uci commit dhcp
service dnsmasq restart
```

Expected result: Devices connected to the IoT VLAN receive addresses in 192.168.20.100–150. Guest VLAN devices receive addresses in 192.168.30.100–150. cat /tmp/dhcp.leases shows active leases per segment.

Practical VLAN Designs
| VLAN ID | Name | Subnet | Internet | Access to LAN | Typical use |
|---|---|---|---|---|---|
| 10 | LAN | 192.168.10.0/24 | Yes | Full | Trusted devices: PCs, NAS, printers |
| 20 | IoT | 192.168.20.0/24 | Yes (DNS/NTP only) | No | Smart plugs, cameras, sensors (restrict to Pi-hole DNS) |
| 30 | Guest | 192.168.30.0/24 | Yes | No | Visitor devices |
| 40 | Management | 192.168.40.0/24 | No | SSH/LuCI only | Router admin access from wired port |
| 99 | WAN | DHCP from ISP | Upstream | No | ISP connection or LTE failover |

USB NIC Considerations
Supported chipsets
| Chipset | OpenWrt module | Max speed | Known adapters |
|---|---|---|---|
| Realtek RTL8153 | kmod-usb-net-rtl8152 | USB 3.0 / 1Gbps | TP-Link UE300, Anker A8163 |
| ASIX AX88179 | kmod-usb-net-asix-ax88179 | USB 3.0 / 1Gbps | Plugable USB3-E1000 |
| Realtek RTL8152 | kmod-usb-net-rtl8152 | USB 2.0 / 100Mbps | Various budget adapters |

Real-world USB NIC throughput on Pi 4 is typically 300–400 Mbps per adapter due to USB controller overhead and encryption workloads on the CPU. Pi 5 achieves higher throughput. Neither model approaches wire-speed gigabit through USB NICs under sustained bidirectional traffic.
Power and stability
```bash
# Check for USB undervoltage events (-E so that | means alternation)
dmesg | grep -iE "under.voltage|usb.*reset|disconnect"
# Monitor Pi throttling
vcgencmd get_throttled
# 0x0 = no throttling, any other value indicates a power or thermal event
```

If USB NICs disconnect intermittently, the most likely cause is insufficient power to the USB bus. Use a powered USB hub rated for at least 2.4A per port, and verify the Pi itself is on a quality 5V/3A (Pi 4) or 5V/5A (Pi 5) supply. For write pressure on the OS storage, see Setting Up zram on Raspberry Pi.
Monitoring and Maintenance
```bash
# Install traffic monitoring tools
opkg update
opkg install vnstat bmon iperf3
# Check interface traffic totals
vnstat -i eth0
vnstat -i eth1
# Real-time bandwidth per interface
bmon
# Benchmark throughput between network segments
iperf3 -s               # on one device
iperf3 -c 192.168.10.x  # on another
```

```bash
# Check active connections (firewall connection tracking table) and routing table
cat /proc/net/nf_conntrack
ip route show table main
# Backup OpenWrt configuration
sysupgrade -b /tmp/backup-$(date +%Y%m%d).tar.gz
```

Back up configuration before every OpenWrt upgrade. The sysupgrade command with -b creates a backup archive. Store it off-device. After upgrading, restore with:

```bash
sysupgrade -r /tmp/backup-20260403.tar.gz
```

Troubleshooting
USB NIC not detected after reboot
```bash
dmesg | grep usb
lsusb
ip link show
```

If the interface appears in lsusb but not in ip link, the kernel module is not loading. Confirm the correct kmod-* package is installed and run modprobe r8152 or modprobe ax88179_178a manually to test. If that succeeds, add the module to /etc/modules.d/ for automatic loading.

VLAN traffic not routing between segments

```bash
# Verify VLAN interfaces exist and have correct IPs
ip addr show eth0.10
ip addr show eth0.20
# Check routing table
ip route show
# Verify firewall forwarding rules (OpenWrt 23.05 uses fw4 on nftables, not iptables)
nft list chain inet fw4 forward
```

The most common cause of inter-VLAN routing failure is a missing firewall forwarding rule. Every path between zones requires an explicit config forwarding entry. Also confirm that both VLAN interfaces are assigned to their respective zones in /etc/config/firewall.

Interface names changed after reboot
If eth1 and eth2 swap after a reboot, firewall zone assignments silently apply to the wrong physical interfaces. Use MAC address-based device naming as described in Step 3. Verify the fix by checking /sys/class/net/eth_wan/address matches the expected NIC MAC after reboot.

LuCI unreachable

```bash
# SSH in and check interface status
ssh root@192.168.1.1
ip addr show br-lan
# Restart the web server
service uhttpd restart
# Check for memory pressure
free -m
```

FAQ
Can I run OpenWrt on a Pi without any USB NICs?
Yes. With only the onboard Ethernet port you have one physical interface. You can use VLAN tagging to create multiple logical segments on that single port if your downstream switch supports 802.1Q trunking. Without a managed switch, VLANs are limited to traffic the Pi itself handles.
Do I need a managed switch to use VLANs?
Only if you need to extend VLANs beyond the Pi to access points or other switches. For pure Pi-side segmentation, where the Pi itself routes and firewalls between VLAN segments, no managed switch is required. A managed switch becomes necessary when you want VLAN-tagged traffic to reach specific ports on downstream hardware.
What is the best USB NIC for OpenWrt on Pi?
The TP-Link UE300 (RTL8153 chipset) has the most consistent OpenWrt support and is widely tested. The Plugable USB3-E1000 (AX88179 chipset) is a reliable alternative. Both support USB 3.0 and have stable kernel drivers included in OpenWrt’s package repository.
Can I use the Pi as my main home router?
Yes for connections up to around 500 Mbps on Pi 4 with USB NICs. For faster ISP connections, Pi 5 performs better. Neither model achieves wire-speed gigabit routing through USB adapters under sustained load. For a dedicated router with gigabit performance, a device with multiple hardware Ethernet ports is more appropriate.
Why is VLAN traffic not routing correctly?
The three most common causes are: the VLAN interface is not assigned to a firewall zone, there is no forwarding rule between the source and destination zones, or the downstream switch port is not configured to pass the correct VLAN tags. Check /etc/config/firewall for zone assignments and forwarding entries, and verify switch port VLAN membership if a managed switch is involved.

References
- https://openwrt.org/toh/raspberry_pi_foundation/raspberry_pi
- https://openwrt.org/docs/guide-user/network/vlan/dsa/overview
- https://openwrt.org/docs/guide-user/network/vlan/switch_configuration
About the Author
Chuck Wilson has been programming and building with computers since the Tandy 1000 era. His professional background includes CAD drafting, manufacturing line programming, and custom computer design. He runs PidiyLab in retirement, documenting Raspberry Pi and homelab projects that he actually deploys and maintains on real hardware. Every article on this site reflects hands-on testing on specific hardware and OS versions, not theoretical walkthroughs.

