Create the third WLAN and VLAN to use VPN

Hi all, I have a GL-MT6000 (Flint 2) which is working perfectly.
I would like to create a new WLAN and assign it a VLAN so that I can use Surfshark for that VLAN.
I followed this guide: https://www.youtube.com/watch?v=qeuZqRqH-ug but somehow the new WiFi is not working.
It says: Wireless is not associated.
Any idea on how to solve?
I am on FW 4.7.0.

Thx

uegia

Hi,

Could you send the contents of /etc/config/network, /etc/config/wireless and /etc/config/firewall?

Please feel free to attach them in this format:

[details="your config name i.e network"]
```
//your contents
```
[/details]

And redact any VPN/MAC addresses.

And also the output of ubus call system board?:

```
//Board infos
```

Many thanks :+1:


Thx, here it is.
Note, I had to add a space after the @ character since I am a new member and I cannot "quote" more than 2 people... and the forum thinks that @wan is a quote :slight_smile:

/etc/config/network

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'XXXX:XXXX:XXXX::/XX'

config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
option macaddr 'XX:XX:XX:XX:XX:XX'

config device
option name 'lan1'
option macaddr 'XX:XX:XX:XX:XX:XX'

config device
option name 'lan2'
option macaddr 'XX:XX:XX:XX:XX:XX'

config device
option name 'lan3'
option macaddr 'XX:XX:XX:XX:XX:XX'

config device
option name 'lan4'
option macaddr 'XX:XX:XX:XX:XX:XX'

config device
option name 'lan5'
option macaddr 'XX:XX:XX:XX:XX:XX'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option isolate '0'
option ipaddr '192.168.100.1'

config device
option macaddr 'XX:XX:XX:XX:XX:XX'
option name 'eth1.1036'

config interface 'wan'
option force_link '0'
option ipv6 '0'
option classlessroute '0'
option proto 'pppoe'
option username 'XXXXXXX'
option password 'XXXXXXX'
option device 'eth1.1036'
option metric '1'

config interface 'wan6'
option proto 'dhcpv6'
option device '@ wan'
option disabled '1'

config interface 'guest'
option force_link '1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option multicast_querier '1'
option igmp_snooping '0'
option isolate '0'
option bridge_empty '1'
option ipaddr '192.168.5.1'
option disabled '0'

config rule 'policy_relay_lo_rt_lan'
option lookup '16800'
option in 'loopback'
option priority '1'

config interface 'tethering6'
option device '@ tethering'
option proto 'dhcpv6'
option disabled '1'

config interface 'wwan6'
option device '@ wwan'
option proto 'dhcpv6'
option disabled '1'

config interface 'secondwan'
option ipv6 '0'
option proto 'dhcp'
option force_link '0'
option classlessroute '0'
option metric '3'

config interface 'secondwan6'
option proto 'dhcpv6'
option device '@ secondwan'
option disabled '1'
option metric '15'

config rule 'policy_direct_rt'
option lookup 'main'
option suppress_prefixlength '0'
option priority '1100'

config rule 'policy_default_rt_vpn'
option mark '0x8000/0xc000'
option lookup '8000'
option priority '1101'
option invert '1'

config rule6 'policy_direct_rt6'
option lookup 'main'
option suppress_prefixlength '0'
option priority '1100'

config rule6 'policy_default_rt_vpn6'
option mark '0x8000/0xc000'
option lookup '8000'
option priority '1101'
option invert '1'

config rule 'policy_default_rt_vpn_ts'
option lookup 'main'
option priority '1099'
option mark '0x80000/0xc0000'
option invert '0'

config interface 'wgclient'
option proto 'wgclient'
option config 'peer_2000'
option disabled '1'

config interface 'wwan'
option proto 'dhcp'
option classlessroute '0'
option hostname '*'
option mtu '1500'
option metric '2'

/etc/config/wireless

config wifi-device 'mt798611'
option type 'mtk'
option band '2g'
option channel 'auto'
option txpower '100'
option random_bssid '1'
option legacy_rates '0'
option country 'IT'
option hwmode '11g'
option htmode 'HE20'

config wifi-iface 'wifi2g'
option device 'mt798611'
option mode 'ap'
option network 'lan'
option ifname 'ra0'
option encryption 'psk2'
option wds '1'
option isolate '0'
option ieee80211k '1'
option bss_transition '1'
option ssid 'XXXXXXXXXX'
option key 'XXXXXXXXXX'
option macaddr 'XX:XX:XX:XX:XX:XX'
option disabled '0'

config wifi-device 'mt798612'
option type 'mtk'
option band '5g'
option channel 'auto'
option txpower '100'
option country 'DE'
option random_bssid '1'
option legacy_rates '0'
option htmode 'HE160'
option hwmode '11a'

config wifi-iface 'wifi5g'
option device 'mt798612'
option mode 'ap'
option network 'lan'
option ifname 'rax0'
option wds '1'
option isolate '0'
option ieee80211k '1'
option bss_transition '1'
option ssid 'XXXXXXXXXX'
option key 'XXXXXXXXXX'
option hidden '0'
option encryption 'sae-mixed'
option macaddr 'XX:XX:XX:XX:XX:XX'
option disabled '0'

config wifi-iface 'guest2g'
option device 'mt798611'
option network 'guest'
option mode 'ap'
option ifname 'ra1'
option encryption 'psk2'
option guest '1'
option wds '1'
option isolate '1'
option key 'XXXXXXXXXX'
option ssid 'XXXXXXXXXX'
option macaddr 'XX:XX:XX:XX:XX:XX'
option disabled '0'

config wifi-iface 'guest5g'
option device 'mt798612'
option network 'guest'
option mode 'ap'
option ifname 'rax1'
option encryption 'psk2'
option guest '1'
option wds '1'
option isolate '1'
option macaddr 'XX:XX:XX:XX:XX:XX'
option disabled '0'
option ssid 'XXXXXXXXXX'
option hidden '0'
option key 'XXXXXXXXXX'

/etc/config/firewall

config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'

config zone
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option input 'DROP'
list network 'wan'
list network 'wan6'
list network 'wwan'
list network 'secondwan'

config forwarding
option src 'lan'
option dest 'wan'
option enabled '1'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'

config include
option path '/etc/firewall.user'

config zone
option name 'guest'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
list network 'guest'

config forwarding
option src 'guest'
option dest 'wan'
option enabled '1'

config rule
option name 'Allow-DHCP'
option src 'guest'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'

config rule
option name 'Allow-DNS'
option src 'guest'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'

config include 'nat6'
option path '/etc/firewall.nat6'
option reload '1'

config rule 'process_mark'
option name 'process_mark'
option dest '*'
option proto 'all'
option extra '-m owner --gid-owner 65533'
option target 'MARK'
option set_xmark '0x8000/0xc000'

config rule 'process_mark_dns'
option name 'process_mark_dns'
option dest '*'
option proto 'all'
option extra '-m owner --gid-owner 453'
option target 'MARK'
option set_xmark '0x8000/0xc000'

config rule 'process_mark_stubby'
option name 'process_mark_stubby'
option dest '*'
option proto 'all'
option extra '-m owner --gid-owner 410'
option target 'MARK'
option set_xmark '0x8000/0xc000'

config rule 'process_explict_vpn'
option name 'process_explict_vpn'
option dest '*'
option proto 'all'
option extra '-m owner --gid-owner 20000'
option target 'MARK'
option set_xmark '0x20000/0x20000'

config rule 'wan_in_conn_mark'
option name 'wan_in_conn_mark'
option src 'wan'
option dest '*'
option set_xmark '0x8000/0xc000'
option target 'MARK'
option extra '-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x8000/0xc000'
option enabled '0'

config rule 'lan_in_conn_mark_restore'
option name 'lan_in_conn_mark_restore'
option src 'lan'
option dest '*'
option set_xmark '0x8000/0xc000'
option target 'MARK'
option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark --nfmask 0xc000 --ctmask 0xc000'
option enabled '0'

config rule 'out_conn_mark_restore'
option name 'out_conn_mark_restore'
option dest '*'
option set_xmark '0x8000/0xc000'
option target 'MARK'
option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark --nfmask 0xc000 --ctmask 0xc000'
option enabled '0'

config include 'swap_wan_in_conn_mark'
option type 'script'
option reload '1'
option path '/etc/firewall.swap_wan_in_conn_mark.sh'
option enabled '0'

config include 'vpn_client_deal_leak'
option type 'script'
option reload '1'
option path '/etc/firewall.vpn_client_deal_leak.sh'
option enabled '1'

config include 'glblock'
option type 'script'
option path '/usr/bin/gl_block.sh'
option reload '1'

config include 'vpn_server_policy'
option type 'script'
option path '/etc/firewall.vpn_server_policy.sh'
option reload '1'
option enabled '1'

config include 'ethernet_ttl'
option type 'script'
option reload '1'
option path '/etc/firewall.ethernet_ttl'

config rule 'sambasharewan'
option src 'wan'
option dest_port '137 138 139 445'
option dest_proto 'tcpudp'
option target 'DROP'

config rule 'sambasharelan'
option src 'lan'
option dest_port '137 138 139 445'
option dest_proto 'tcpudp'
option target 'ACCEPT'

config rule 'glnas_ser'
option src 'wan'
option dest_port '6000-6002'
option dest_proto 'tcp'
option target 'DROP'

config rule 'webdav_wan'
option src 'wan'
option dest_port '6008'
option dest_proto 'tcp'
option target 'DROP'

config redirect 'adguard_home'
option name 'Adguard Home'
option src 'lan'
option src_dport '53'
option dest 'lan'
option dest_port '3053'
option proto 'tcp udp'
option mark '!0x8/0x8'
option enabled '1'

config redirect 'adguard_home_guest'
option name 'Adguard Home guest'
option src 'guest'
option src_dport '53'
option dest 'guest'
option dest_port '3053'
option proto 'tcp udp'
option mark '!0x8/0x8'
option enabled '1'

config redirect 'dns_vpn'
option name 'dns for vpn'
option src 'lan'
option src_dport '53'
option dest 'lan'
option dest_port '1653'
option mark '!0x8000/0xc000'
list proto 'tcp'
list proto 'udp'
option enabled '0'

config redirect 'dns_vpn_guest'
option name 'dns for vpn guest'
option src 'guest'
option src_dport '53'
option dest 'guest'
option dest_port '1653'
option mark '!0x8000/0xc000'
list proto 'tcp'
list proto 'udp'
option enabled '0'

config zone 'ovpnclient'
option name 'ovpnclient'
option forward 'DROP'
option output 'ACCEPT'
option mtu_fix '1'
option input 'DROP'
option masq '1'
option masq6 '1'
option enabled '0'
list network 'ovpnclient'

config forwarding 'ovpnclient2wan'
option src 'ovpnclient'
option dest 'wan'
option enabled '0'

config forwarding 'lan2ovpnclient'
option src 'lan'
option dest 'ovpnclient'
option enabled '0'

config forwarding 'guest2ovpnclient'
option src 'guest'
option dest 'ovpnclient'
option enabled '0'

config zone 'wgclient'
option name 'wgclient'
option forward 'DROP'
option output 'ACCEPT'
option mtu_fix '1'
option input 'DROP'
option masq '1'
option masq6 '1'
list network 'wgclient'
option enabled '0'

config forwarding 'wgclient2wan'
option src 'wgclient'
option dest 'wan'
option enabled '0'

config forwarding 'lan2wgclient'
option src 'lan'
option dest 'wgclient'
option enabled '0'

config forwarding 'guest2wgclient'
option src 'guest'
option dest 'wgclient'
option enabled '0'

config include 'portal_ttl'
option path '/etc/firewall-portal.user'
option reload '1'

ubus call system board

{
"kernel": "5.4.238",
"hostname": "GL-MT6000",
"system": "ARMv8 Processor rev 4",
"model": "GL.iNet GL-MT6000",
"board_name": "glinet,gl-mt6000",
"release": {
"distribution": "OpenWrt",
"version": "21.02-SNAPSHOT",
"revision": "r15812+1082-46b6ee7ffc",
"target": "mediatek/mt7986",
"description": "OpenWrt 21.02-SNAPSHOT r15812+1082-46b6ee7ffc"
}
}

Thx in advance

uegia

I had the same problem here.
But i was able to fix it.
I had to add one line per new interface in /etc/config/wireless
option ifname 'ra2'
for the 2.4Ghz net and
option ifname 'rax2'
for the 5Ghz net.
The interface names must be unique, I think, so I used the next free number in the config:
ra0/rax0 is the first LAN, ra1/rax1 the guest LAN, so I used ra2 and rax2.
Then I rebooted the system;
afterwards, the wireless networks got activated.
Here is my config (just the added part):

config wifi-iface 'wifinet4'
option device 'mt798611'
option mode 'ap'
option ifname 'ra2'
option ssid 't01add'
option encryption 'psk2'
option key 'secure'
option network 'lan'
option macaddr 'secure'

config wifi-iface 'wifinet5'
option device 'mt798612'
option mode 'ap'
option ifname 'rax2'
option encryption 'psk2'
option key 'secure'
option network 'lan'
option macaddr 'secure'
option ssid 't01add1'

from now on, the new networks could be managed using luci
I hope this will work for you too.

Yours
Andreas

Thanks for the hint, I am going to try.
BTW, can you use it as a new vlan to split the VPN traffic using Flint2 web interface?

TIA

uegia

i have installed vpn-policy-routing and luci-app-vpn-policy-routing
for openvpn luci-app-openvpn openssl-util
created an openvpn client tunnel via luci
and added the "vpn - vpn policy routing" for that tunnel (via luci)

It is working perfectly.
The original wlan is located at home.
The new, second wlan is located somewhere else.

This does not seem correct; try:

config interface 'guest'
    option force_link '1'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.5.1'

a note about bridges:

Since the invalid config had both the options of a DSA bridge device and an interface merged into one, which is invalid, you don't necessarily need a bridge anymore. Currently I'm using the Flint 2 with OP24 without a wifi bridge and it works flawlessly; you may choose to only use a bridge if:

  1. you want to share the same network with wired clients
  2. or if there is buggy behaviour present; the bridge was in fact more of a bandage solution to keep it up. Under normal circumstances the wireless phy acts as its own device port; the wireless settings auto-hook to the interface via hostapd, hence why you don't need to select a network for the interface guest :slight_smile:, the wifi phy is DSA now so it can work as a device port/interface.

just assign guest to wireless, if you take time you will see the wifi phy appearing in luci :wink:

Hi all, I did some test.
First of all, thanks @stolle_web_de since, changing the name made the interface visible.
Now the problems: the new securewifi is not assigning me an address.
To be honest, none of my devices can connect to this wifi... as if something were missing.
Here is the config:

/etc/config/network

config interface 'lmesecure'
option proto 'static'
option ipaddr '192.168.50.1'
option netmask '255.255.255.0'

/etc/config/dhcp

config dhcp 'lmesecure'
option interface 'lmesecure'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'disabled'
option ra 'disabled'
option ignore '0'

/etc/config/wireless

config wifi-iface 'wifinet5'
option device 'mt798611'
option mode 'ap'
option ifname 'ra2'
option ssid 'redacted'
option network 'lmesecure'
option key 'redacted'
option isolate '1'
option encryption 'psk2'
option macaddr 'redacted'
option disabled '0'

/etc/config/firewall

config zone
option name 'securenet'
list network 'lmesecure'
option input 'DROP'
option forward 'ACCEPT'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'securenet'
option dest 'wgclient'

config zone 'wgclient'
option name 'wgclient'
option forward 'DROP'
option output 'ACCEPT'
option input 'DROP'
option masq '1'
option masq6 '1'
list network 'wgclient'
option enabled '1'

Ideas?

Thx

uegia

Must be the firewall.

I checked it here. New Wlan, connected to Static Interface with dhcp.
Everything works well. But I put my new interface into the "lan" zone of the firewall.

For DHCP you need input 'ACCEPT', I think (or keep input 'REJECT' and add explicit Allow-DHCP/Allow-DNS rules for the zone, as the guest zone above does).


Also, to add to the advice of @stolle_web_de, this needs to be removed:

For the firewall zone securenet, because masquerading should typically only be on the wan zone; MTU fixing isn't necessary either, since wan already does that. There may be very rare situations where MTU fix is needed on a local scope, but for just a wifi network there is not :slight_smile:

It has more to do with exceeding the MTU, and fragmentation, where the MTU fix can help.

Hmmm.... Maybe I do not understand.
I changed to:

config zone
        option name 'securenet'
        option output 'ACCEPT'
        list network 'lmesecure'
        option forward 'ACCEPT'
        option input 'ACCEPT'
config forwarding
        option src 'securenet'
        option dest 'wgclient'

And it still does not work...
What am I missing?

Does it work when you forward the zone to wan?

^ You cannot use GL.iNet's VPN for this; you either have to modify /usr/bin/route_policy and add your new hardcoded interface, or use Stangri's pbr and then route it towards the wgclient, or a custom-made wgclient with luci-proto-wireguard.

Or does the full dhcp lease not work even with the latest changes?

The full dhcp lease is not working.
Now I am thinking about installing OpenWrt, losing the GL.iNet interface, or maintaining both.
Looks like having OpenWRT only could be a great solution and I think it would help me solving several problems.
On the other hand, being able to use the GL.iNet interface for 90% of the job is very useful.

Advices?

It depends; LuCI is more complicated and less user-friendly for beginners.

On the other hand, there will be issues once your topology becomes too advanced, where the GL software starts conflicting.

I myself also went to normal OpenWrt because my reason was also the VLANs, more advanced split tunneling, and having better control of what my DNS does, meaning that it won't break my split tunnel over wan for IPTV because it was using the VPN's DNS, something I have seen in the GL firmware.

Also, on the MTK versions you are extremely limited in what you can use in LuCI for wireless; often you also need to restart the router when selecting a network and check that a script did not accidentally add the lan network back.

Are these additional networks visible in the UI, such that you could use the new network in the VPN Dashboard - 'VPN Policy Based on the VLAN'?

OP, did you ever figure this out?

I know how to do this with OpenWrt, but after a multi-week battle I realized the drivers they use in OpenWrt don't seem as good as whatever GL.iNet is using. So I'd rather not flash it.


I noticed i made a slight mistake here:

This is false, but because I used a different configuration (in my case the wifi phys are already hardcoded in br-lan to tag/untag with VLANs) it wasn't obvious to me; I noticed when I needed this for something else that the phys don't hook onto an empty interface, hostapd expects a bridge.

So in your case you want this:

Navigate in LuCI to the advanced settings: Network -> Interfaces -> Devices tab, scroll down to add a new device, change the device type to bridge, and call it br-(insert_name) (try to keep the name short, OpenWrt could complain...), check "keep bridge up", then save and apply; you don't need to add any devices.

Now go back to LuCI -> Network -> Interfaces, click on the Interfaces tab, edit the third network and change its device to the empty bridge device you just created.

Now on wireless settings select your network interface, not the bridge device.

This must work :+1:

I eventually gave up because I couldn’t obtain an IP address despite my efforts. After further consideration, I believe the problem could be resolved by using a clean version of OpenWRT instead of the GL.iNet firmware, as the added customizations might be causing compatibility or network issues. However, I’m hesitant to take that route since I would lose many of the convenient and user-friendly features that GL.iNet provides, such as an easy-to-use interface, automated configurations, and simplified network management tools.


I honestly hope that GL.iNet adds the option to create a new WLAN in the firmware, specifically for use with VPN. This would be really helpful for those who need separate networks with custom VPN configurations.

Do you know if there's a place to submit suggestions or feature requests for their firmware?


A lot still go here:

But you can also create a new topic with [feature request] in the title.

Edited the link, there is a newer one.