Configuring VLANs on Flint 2

OK, so I'm effectively trying to create something like this. I'll preface this by saying I'm new to OpenWrt and related devices, but I've been reading quite a lot and watching some videos and it's not quite clicking.

My understanding is that I need to create a primary VLAN first (i.e. br-lan.10 according to the picture in the top diagram) and have my LAN (including the main Wi-Fi network with trusted devices) included, and then extend br-lan.20/30/40/50 into br-lan.10 so they're all part of the same LAN?

I have Discord if anybody would like to help there as well. Other people I live with kind of depend on this Wi-Fi, so setting it up with as little downtime as possible would really be nice. I plan to learn it more in depth using Proxmox, where nobody else is affected by my foolery.

I think that because it is vanilla OpenWrt it would be better to ask on the OpenWrt forum.

It's actually stock GL.iNet firmware... sorry.

root@GL-MT6000:~# ubus call system board
{
        "kernel": "5.4.238",
        "hostname": "GL-MT6000",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02-SNAPSHOT",
                "revision": "r15812+1075-46b6ee7ffc",
                "target": "mediatek/mt7986",
                "description": "OpenWrt 21.02-SNAPSHOT r15812+1075-46b6ee7ffc"
        }
}
root@GL-MT6000:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config device
        option name 'lan1'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config device
        option name 'lan2'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config device
        option name 'lan3'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config device
        option name 'lan4'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config device
        option name 'lan5'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option isolate '0'

config device
        option name 'eth1'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option force_link '0'
        option ipv6 '0'
        option classlessroute '0'
        option metric '10'

config interface 'wan6'
        option proto 'dhcpv6'
        option device '@wan'
        option disabled '1'

config interface 'tethering6'
        option device '@tethering'
        option proto 'dhcpv6'
        option disabled '1'

config interface 'wwan6'
        option device '@wwan'
        option proto 'dhcpv6'
        option disabled '1'

config interface 'guest'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option multicast_querier '1'
        option igmp_snooping '0'
        option isolate '0'
        option bridge_empty '1'
        option disabled '1'

config interface 'wwan'
        option proto 'dhcp'
        option classlessroute '0'
        option metric '20'

config interface 'secondwan'
        option ipv6 '0'
        option proto 'dhcp'
        option metric '15'
        option force_link '0'
        option classlessroute '0'

config interface 'secondwan6'
        option proto 'dhcpv6'
        option device '@secondwan'
        option disabled '1'
        option metric '15'

config interface 'modem_1_1_2_6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@modem_1_1_2'

config rule 'policy_direct_rt'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule 'policy_default_rt_vpn'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

config rule6 'policy_direct_rt6'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule6 'policy_default_rt_vpn6'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

config rule 'policy_default_rt_vpn_ts'
        option lookup 'main'
        option priority '1099'
        option mark '0x80000/0xc0000'
        option invert '0'

In LuCI, on the Devices screen that you've already found (as per your screenshot):

br-lan > Configure > Bridge VLAN filtering; set up tagged/native etc. in there.

I think having "Local" ticked means the VLAN is available on the internal link between the switch chip and the main CPU.

I wasn't sure how "lan" would behave after this, so I moved that to a VLAN as well and then set it as Untagged and Primary on one of the LAN ports, so I could still reach the router on it without going through the external switches.

I'd suggest backing up your config before you do this, as if you do something wrong you might lose access to the router and have to factory reset it to regain access.

This is what mine looks like:

I also have a "Management" VLAN which is the default for the port facing my switch; it's where the native VLAN on the switch ends up, because I didn't really want it having internet access (that VLAN is blocked from the internet on the firewall).

Edit:

Also make sure your switch is set to use Tagged for the additional VLANs on the port connected to the Flint.


Hi there! I still don't get it! Or, in other words: I think I understand how to do it, then I go and configure it, and the change won't apply.
Isn't there a truly step-by-step how-to?
If I go to YouTube, the examples there are all vanilla OpenWrt.
Using AI (ChatGPT, Gemini) also doesn't help, since those don't understand the current setup.

Please help!

  1. I want to have my own DHCP on two ports, like 192.168.178.0/24; let's call it vlan178.
  2. I want to access everything from vlan178 as I currently can from 192.168.8.1.
  3. I want to access everything inside 192.168.8.1 from vlan178, but not the other way around.

Currently I'm running:
Firmware Version: OpenWrt 24.10.0-rc2 r28161-ea17e958b9 / LuCI openwrt-24.10 branch 24.337.27339~b1968d9
Kernel Version: 6.6.63
on Flint 2

Hi, do you have your setup running now? I'm hitting the same issue.
Thanks

I gave up, put everything in one giant subnet.

Hi, after 2 days of intense work, I have successfully done the job. I can help you if you want. Very important: I flashed the OpenWrt 24.10 firmware, as maybe the stock firmware is buggy. Other important detail: after some Save & Apply, the router should be rebooted to get the new config.
This post also was very important: Flint 2 (GL-MT6000) VLAN Setup
Last thing: the uplink port should be a trunk; in my case it is connected to a pfSense firewall, and that one manages the DNS, DHCP, etc., so my Flint 2 is a "dumb" router in AP mode.
Let me know if you need some guidance.
*I'm missing the separate Wi-Fi SSID for one of the 2 VLANs that I configured, so in the end I have 3 ports and Wi-Fi in my main untagged LAN, one port in VLAN 10 and another port in VLAN 20.
BTW, in my case I had a lot of DNS leaks with one giant LAN, and that's why I decided to use VLANs.


Do you mean vanilla OpenWrt or the 24.10 provided by GL.iNet?

I downloaded the firmware from OpenWrt, so yes, it's vanilla OpenWrt 24.10.

1. VLANs:

OK, because OpenWrt recently changed to DSA, a lot of older YouTube videos talk about the older Linux implementation (swconfig). Even though the GL software still ships the swconfig Switch tab, this is more of a remnant, and it is advised to use DSA (Distributed Switch Architecture).

The difference between them is that swconfig has a menu item called Switch inside the Network menu tab, and the CPU port (cpu0) had to be tagged; DSA aims to simplify that, so you no longer have to tag the CPU. To find the DSA settings, go to Network -> Interfaces and click on the Devices tab; you can also return to Interfaces from that tab menu.

Now, what you want is this. I'm going to write a mini tutorial in the hope that it all falls into place.

So first we head back to the Devices tab and click Edit on br-lan.

Then we click on the tab Bridge VLAN Filtering.

You will see a checkbox, Enable VLAN Filtering; check it.

As you can see, you already have VLAN 1. U means untagged; untagged also means the final destination port. Each port can only have one untagged VLAN, and in OpenWrt this practically means it is your PVID, or better said your primary VLAN. Beyond this port the VLAN no longer exists.

You also have T for tagged traffic. This will not be the destination port or PVID; however, multiple tagged VLANs can be combined on one port, and they keep existing after traversing that port. To illustrate with an example: you could have VLAN 1 untagged on lan1, and another VLAN, e.g. 90, tagged on the router. Then, if you had a VLAN-aware switch, on that switch you could untag 90 on the desired port, while the switch itself listens on VLAN 1 (this can be seen as the native VLAN / management network).

But there is a catch:

Keep in mind that in a lot of cases you need to make sure the switch knows where to tag 90 back, so you get: port 1 (even though there is no real WAN, it makes it easier to see it that way): 90T; port 5: 90U. Now the switch tags 90 back to your router on port 1, and on port 5 this network is the default. Sometimes you also need to set the PVID for port 5; just do so, network switches take this much more seriously than OpenWrt in that regard.

There are network switches which aim to simplify this process of tagging VLAN 90 back to the router: they do it when you specify the native VLAN (your management VLAN), and then tag it back automatically for ease of use. UniFi is such an example, but you still need to untag or tag another port.

^ You can also daisy-chain switches like this, and even encapsulate network devices.

Okay back to the VLAN filtering tab:

Let's click on Add, and on the left we type 178. I do know LuCI is very broken on the GL firmware because it is older than OpenWrt's, which means there is a visibility glitch: just click it once, then close it by clicking on Save and re-navigate or refresh. Clicking Add too many times results in hundreds of ghost entries. Do not Save & Apply here.

Depending on the port and your use case, you can use a port of the Flint as U; then on VLAN 1 you remove the U for that port. If you want to carry it to a network switch, you choose tagged as traffic, exactly as I described in the basic concept of VLANs. The Local checkbox is fine if it is checked; it needs to be, for the CPU. See:

OK, click on Save, but do NOT click on Save & Apply. This is crucial, because br-lan, which is the device under the lan interface, needs to be changed.

This can be done by clicking on the Interfaces tab, or from the LuCI index -> Network -> Interfaces.

Then change the device of lan by clicking Edit and using br-lan.1; you will see it as a new device in that dropdown list.

Great, now you can save and apply.

1.1 Interfaces

Continuing from 1, we now must create an interface for VLAN 178. This will not be so hard.

First we navigate to the LuCI index -> Network -> Interfaces and click on Add new interface... at the bottom of the page.

You could fill this in like this; the name can also be less generic, it can be iot or whatever suits your use case.

Then click on protocol and change to static.

This will change the window like this:

And you want to fill it in like this:

The gateway field must be left empty, otherwise you create a default route, which messes with repeater and VPN functions; it's better not to use it at all.

Then you click on Advanced Settings:

And uncheck Use default gateway. This is because otherwise other interfaces may think this is a gateway interface, which is wrong: only wan and wwan should typically be WAN interfaces, and you want your traffic going there instead of over the wrong one and then over wan/wg. lan is more of a special interface in this case.

Now click on Firewall Settings and in the dropdown make a new zone, e.g. 178 or whatever suits you better; it is recommended to use short names.

Then go to the DHCP Server tab and click on Set up DHCP Server. Basically a lot of the defaults are fine; you could set Start to 192.168.178.2 and Limit to 150, that is also fine.

Save & Apply, then navigate back to the LuCI index and go to Network -> Firewall, and edit the newly created zone. You have to change Input from reject to accept; only then can clients receive DHCP leases.

Then edit it again and make sure it forwards to destination zone wan; it can also be both wan and wgclient.

1.2 forwarding

So you have different ways of allowing networks to talk to each other, which is why I think a brief explanation of how traditional firewalls work is needed.

So when I visit a website, my firewall allows it. This is because firewalls are designed to allow every source to destination; it's always one way. Basically everything I initiate as source is allowed, and the other side is then allowed to communicate back on the same line.

But when unsolicited traffic becomes the source traffic, with no first initiation from me, then it gets blocked, unless I allow it by port forwarding.

This is why some games have clever ways to still allow multiplayer behind firewalls: first you initiate contact with their main list server; because the server has the open window to communicate back, it can then forward another player.

To reflect this on the firewall zones:

You can then edit zone 178, and under dest zone you add lan. Now 178 can talk with lan, but lan not with 178, unless they already talk on the same line as a reaction to the first initiator.

I myself prefer finer rules rather than zone forwarding. This can be done with traffic rules; it is basically the same idea, but you can do it much more strictly and finer, for example: only one dest IP in lan is accessible from 178, or only selected ports.

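As an added example, not posted by anyone in this thread, here is what the LuCI clicks described in the two walkthroughs above (bridge VLAN filtering on br-lan, moving lan to br-lan.1, the new vlan178 interface, its DHCP pool and its firewall zone) produce as UCI on vanilla OpenWrt 24.10 (DSA, fw4) for the three requirements listed earlier in the thread: a separate 192.168.178.0/24 with its own DHCP on two ports, internet access, and one-way access from vlan178 into the 192.168.8.0/24 LAN. The port assignment (lan1/lan2 stay in the main LAN, lan3/lan4 carry VLAN 178, lan5 is a tagged trunk to a VLAN-aware switch) and the radio name radio0 are assumptions for illustration; adjust them to your cabling. The only deliberate deviation from the walkthrough is the zone's Input policy: it is left at REJECT and only DHCP and DNS towards the router are opened, which is the tighter form of "input accept so clients get leases".

```uci
# /etc/config/network  (only the sections that change; everything else stays as on the router)

# br-lan keeps all five switch ports; the bridge-vlan sections below turn it into a
# VLAN-aware bridge (that is what "Enable VLAN Filtering" toggles in LuCI)
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

# VLAN 1 = the existing 192.168.8.0/24 LAN.  ':u*' = untagged and PVID (the "U" / primary
# column in LuCI), ':t' = tagged (the "T" column).  lan5 is the assumed trunk to the switch.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan5:t'

# VLAN 178 = the new network: untagged on two ports (assumed lan3/lan4), tagged on the trunk.
# 'local' is the "Local" checkbox: 1 keeps the VLAN reachable from the CPU so br-lan.178 can exist.
config bridge-vlan
	option device 'br-lan'
	option vlan '178'
	option local '1'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'lan5:t'

# The lan interface must move from br-lan to the VLAN sub-device br-lan.1, otherwise
# 192.168.8.1 becomes unreachable once filtering is enabled
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'

# The new interface: static, no 'gateway' option (no extra default route),
# defaultroute '0' is the "Use default gateway" checkbox left unticked
config interface 'vlan178'
	option device 'br-lan.178'
	option proto 'static'
	option ipaddr '192.168.178.1'
	option netmask '255.255.255.0'
	option defaultroute '0'

# /etc/config/dhcp  -- the "Set up DHCP Server" step: .2 to .151, 12h leases
config dhcp 'vlan178'
	option interface 'vlan178'
	option start '2'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall
# Zone for the new network. Input stays REJECT (instead of the walkthrough's ACCEPT);
# the rule below opens exactly what clients need from the router: DHCP (67/68) and DNS (53).
config zone
	option name '178'
	list network 'vlan178'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
	option name 'Allow-DHCP-DNS-178'
	option src '178'
	option dest_port '53 67 68'
	list proto 'tcp'
	list proto 'udp'
	option target 'ACCEPT'

# One-way forwarding: vlan178 may initiate connections to the internet and into the LAN;
# lan has no forwarding towards 178, so LAN hosts cannot initiate into vlan178.
# Replies to connections opened from 178 still return (stateful conntrack).
config forwarding
	option src '178'
	option dest 'wan'

config forwarding
	option src '178'
	option dest 'lan'

# Finer alternative to the 178->lan forwarding above (drop that section and use this instead):
# only one LAN host on one port is reachable from vlan178. Host/port are placeholders.
# config rule
# 	option name 'Allow-178-to-NAS-https'
# 	option src '178'
# 	option dest 'lan'
# 	option dest_ip '192.168.8.10'
# 	option dest_port '443'
# 	option proto 'tcp'
# 	option target 'ACCEPT'

# /etc/config/wireless  -- optional separate SSID on the new VLAN (radio0 is an assumption);
# attaching the wifi-iface to 'vlan178' makes netifd add it to br-lan.178
config wifi-iface 'wifi178'
	option device 'radio0'
	option mode 'ap'
	option network 'vlan178'
	option ssid 'vlan178'
	option encryption 'sae'
	option key 'change-this-passphrase'
```

After Save & Apply (and a reboot, as noted earlier in the thread) you can verify the result on the router: `bridge vlan show` lists each port's VLAN membership with the PVID and untagged flags, `ip -d link show br-lan.178` confirms the 802.1Q sub-interface, and `fw4 print` shows the generated nftables rules, including the absence of any lan->178 forward chain. If the switch on the trunk expects its native VLAN untagged, change the VLAN 1 entry for lan5 to `lan5:u*` so both sides agree on what untagged frames on that cable mean.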