When the Raspberry Pi 4 was released in June 2019, it represented a huge generational performance jump from its predecessor - a substantially beefier BCM2711 quad core Cortex-A72 CPU, USB 3.0, as much as 8GB of RAM, and native Broadcom gigabit Ethernet. With the advent of this latter upgrade (compared to the Raspberry Pi 3's gigabit NIC hamstrung to about 300 Mbps by its USB 2.0 connection to the CPU) the Raspberry Pi 4 is now much a more more viable platform for a router.

"But it only has one Ethernet port!" While many people end up adding USB 3.0-based gigabit Ethernet adapters to their Pi 4, I've never been a fan of USB-based Ethernet adapters - they just seem so informal and temporary. Instead, it's perfectly possible to make do with the Pi 4's single built-in Ethernet port using 802.1q VLANs and the aid of a managed switch, i.e. a router-on-a-stick configuration where multiple ethernet interfaces (e.g. the two separate LAN and WAN ports on a regular multi-port consumer router) are logically multiplexed onto a single physical interface. As the Pi 4's Cortex-A72 cores are sufficiently powerful to route the gigabit speeds achievable by the BCM54213PE NIC, you're not really losing out on any performance by doing this.

Any managed 802.1q VLAN-supporting switch will do fine, and these start at around $20-30 for a basic five-port or eight-port model. If you want to get a bit fancier and don't mind shelling out a bit more, you can pick up a model that also has Power over Ethernet (PoE) support that can additionally be used to power the Raspberry Pi 4 itself, in conjunction with a PoE HAT or an external PoE to USB-C converter. I decided to go with the Zyxel GS1200-8HP, an eight-port model with four PoE ports and a basic web interface suitable for home/small business use. In my case, I wanted PoE to minimize the need for adapters and wires as I already had a PoE-capable Ubiquiti wireless access point.


Essentially, getting everything working boils down to the following:

  • Defining separate WAN and LAN VLANs on the managed switch
  • Installing OpenWRT on the Rasberry Pi 4
  • Defining the same WAN and LAN VLANs on the Pi 4's OpenWRT interface

First decide what IDs you'd like to use for the WAN and LAN VLANs. Any two unique numbers between 1 and 4094 will do, but choose something sane, e.g. 10 for WAN and 100 for LAN. Most managed switches reserve VLAN 1 for their management interface, so you should avoid that. For the purposes of this guide we'll assign our WAN to VLAN 10 and LAN to VLAN 100.

Once you've chosen your VLAN IDs, you'll need to configure your managed switch. Generally, you should set up your switch ports as follows: one port for the Raspberry Pi (a "trunk" port tagged on all VLANs), one port for your WAN interface (untagged with the default VLAN/PVID set to 10) and the remaining ports on your switch untagged with the default VLAN/PVID set to 100. On the Zyxel with port 1 reserved for the Pi, port 8 reserved for the WAN device, and remaining ports as LAN, this would look like the following:

Setting up the Raspberry Pi 4

As of this writing, there is no stable OpenWRT release for the Pi 4 yet, only snapshots. However, thanks to the wonderful work of a user on the OpenWRT forums by the name of wulfy23 there is a wonderful community build available. Simply flash the image to your microSD card as you would anything else, and your Pi 4 should be booting OpenWRT before too long.

To add new VLAN interfaces in OpenWRT, go to Network -> Interfaces and click "Add New Interface". Select the appropriate protocol and enter a custom interface name in the form of eth0.VLANID, e.g. VLAN 10 would be eth0.10. Do this for your LAN and WAN networks, and also create a separate interface for VLAN 1 (eth0.1) so that you can access the managed switch itself later if needed. Finally, go to Network -> Static Routes and add a route for the switch's management interface; for example, if my switch had a static IP of, i'd create a static route for on interface VLAN 1 / eth0.1.

Once you've set up LAN and WAN VLANs in OpenWRT and assigned them to their corresponding firewall zones as appropriate, your Internet should be up and running!