Hi There,
I have a GL.iNet AX1800 and I’d like to configure it like this:
• Uplink/WAN: Internet comes from either Ethernet (DHCP) or hotel/Airbnb Wi-Fi (Wi-Fi as WAN/repeater).
• Then the router should broadcast 3 fully isolated SSIDs (no traffic between them), each with its own DHCP/subnet and forced routing:
1. Normal SSID → 192.168.8.0/24 → direct Internet via the venue WAN (public IP = hotel/Airbnb).
2. Work SSID → 192.168.100.0/24 → full-tunnel WireGuard to my corporate VPN (0.0.0.0/0).
3. Commercial VPN SSID → 192.168.200.0/24 → full-tunnel WireGuard to a consumer VPN provider (public IP = chosen country).
WAN / uplink (how I get Internet on the road)
• Wi-Fi WAN: I connect to the hotel/Airbnb Wi-Fi using the router’s client / STA mode (looks like sta0), currently via the “guest” / repeater setup.
• Ethernet WAN: WAN port is DHCP so I can plug into a physical modem/router when available.
VPN setup (this part works)
• I import my setup / manage things through my company Ubiquiti controller.
• WireGuard #1 (Corporate): configured and stable, works fine.
• WireGuard #2 (Commercial VPN provider): also configured and stable.
• Since firmware ~4.8, GL.iNet has policy mode to route specific devices through a chosen VPN. That helps, but…
• it’s a pain in the ass to maintain because you must assign per-device in the UI
• some devices use randomized MACs, and I don’t want to force static MACs everywhere
• What I really want is routing by network/SSID, not by device: “Normal / Work / Commercial VPN” SSIDs so switching is easy for me + family.
Trying to build 3 isolated SSIDs with LuCI (this is where it breaks)
Goal: 3 SSIDs = 3 separate VLAN/subnets + DHCP + isolation (routing rules come later).
What I did in LuCI:
• Network → Interfaces → Devices: on br-lan, enabled VLAN filtering, created VLAN100 + VLAN200 (also tried separate bridges, same result).
• Network → Interfaces: created new static interfaces bound to each VLAN, disabled “use default gateway”, enabled DHCP server per interface.
• Network → Firewall: created a firewall zone per VLAN/interface.
• Network → Wireless: 2 radios (the default one was 5GHz ch40). Added 2 new SSID(s) and bound SSID to VLAN100/200 (copied same security settings; tried WDS/roaming options). Saved/applied after each step.
Symptoms:
• Once I start binding SSIDs to VLANs and enable them, it becomes unstable:
• sometimes after reboot no Wi-Fi SSID is broadcast
• sometimes SSIDs are missing/intermittent
• When I do connect to the “VLAN100/200 SSID”, clients often still get an IP from the main DHCP (192.168.8.x) instead of .100/.200 → looks like DHCP leakage / no proper isolation.
• I’m basically stuck before even implementing routing/PBR per network.
• At some point, nothing works anymore and I have to factory reset the router. For now, I’m running the default setup using the GL.iNet interface (no extra SSIDs or VLANs), which is kind of sad.
Thanks for your help!
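
An added example, not part of the original post: a small Python check for the goal stated above (each SSID on its own network, no firewall forwarding between the SSID zones), run over a constructed config excerpt. It assumes the router's settings follow stock OpenWrt UCI syntax; the section names and SSIDs in the sample are made up.

```python
import re
from collections import defaultdict
# Constructed sample in stock OpenWrt UCI syntax (assumed layout, not the poster's config).
SAMPLE = """
config zone
    option name 'lan'
    list network 'lan'
config zone
    option name 'work'
    list network 'work'
config forwarding
    option src 'work'
    option dest 'lan'
config wifi-iface 'ap_normal'
    option ssid 'Normal'
    option network 'lan'
config wifi-iface 'ap_work'
    option ssid 'Work'
    option network 'work'
config wifi-iface 'ap_vpn'
    option ssid 'CommercialVPN'
    option network 'lan'
"""

def parse_uci(text):  # -> list of (section_type, {option: [values]})
    sections = []
    for line in text.splitlines():
        words = [a or b for a, b in re.findall(r"'([^']*)'|(\S+)", line)]
        if words[:1] == ["config"] and len(words) > 1:
            sections.append((words[1], defaultdict(list)))
        elif words[:1] in (["option"], ["list"]) and sections and len(words) > 2:
            sections[-1][1][words[1]].append(words[2])
    return sections

def audit(text):
    """Return findings for SSIDs that share a network or whose zones forward to each other."""
    secs = parse_uci(text)
    zone = {n: o["name"][0] for t, o in secs if t == "zone" for n in o["network"]}
    owner, out = {}, []
    for o in (o for t, o in secs if t == "wifi-iface"):
        ssid, net = o["ssid"][0], o["network"][0]
        if net in owner:  # two SSIDs bridged to one network get the same DHCP scope
            out.append(f"{ssid}: shares network '{net}' with {owner[net]}")
        owner.setdefault(net, ssid)
    ssid_zones = {zone[n] for n in owner if n in zone}
    for s, d in ((o["src"][0], o["dest"][0]) for t, o in secs if t == "forwarding"):
        if {s, d} <= ssid_zones:  # traffic allowed between two SSID-facing zones
            out.append(f"forwarding {s} -> {d} links two SSID zones")
    return out
```

Calling `audit()` on the concatenated contents of the wireless and firewall config files returns an empty list when every SSID has its own network and no forwarding rule joins two SSID zones.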