Creating a VLAN for IOT Wifi with a single router

I previously asked this in the OpenWRT forum and they sent me here: Creating a VLAN for IOT Wifi with a single router - Installing and Using OpenWrt - OpenWrt Forum

I don't know why this is causing me so much trouble. It seems straightforward, but here we are. I'm going to try to describe what I did and highlight areas in bold where I think I may have made a mistake or have a misunderstanding. I've been at this for several hours, so I'm hoping someone can help.

Setup

Here is my setup. I have a GL-MT6000 (flint2) router that shipped with the gl-inet OpenWRT variant. The WAN ethernet port is connected directly to the modem. The other LAN ethernet ports are connected to various devices, including unmanaged switches which are effectively just increasing the number of ethernet ports on the router. I have a main WIFI SSID already set up for 2G and 5G that connects devices to the LAN. I want all of this to remain the same. I also have the guest WIFI set up for guests.

Based on my understanding, my network topology looks roughly like this:

    ╙── modem
        └─╼ flint2-router-wan
            └─╼ flint2-router
                ├─╼ flint2-router-lan2
                │   └─╼ unmanaged-switch-1
                │       ├─╼ device2
                │       ├─╼ device3
                │       └─╼ device4
                ├─╼ flint2-router-lan3
                │   └─╼ unmanaged-switch-2
                │       ├─╼ device5
                │       └─╼ device6
                ├─╼ flint2-router-lan4
                │   └─╼ device1
                ├─╼ flint2-router-lan5
                └─╼ flint2-router-wifi-ssid1
                    ├─╼ device7
                    ├─╼ device8
                    └─╼ device9

Goal

The new thing I want to do is create a separate SSID on which IOT devices can talk to the internet and also talk to each other. This means I can't use the guest network out of the box, because it seems to prevent devices from communicating within the network and instead just gives them access to the WAN.

From what I understand, the way you do this is with a VLAN. My understanding is that each new VLAN will require a device, an interface, firewall rules, and finally a wireless SSID.

Steps Taken

I attempted to set this up in LuCI.

Step 1:

I went to Network > Interfaces and then clicked the devices tab. From there I clicked "Add Device Configuration". I changed the following values in the popup:

   Device type: VLAN (802.1q)
   Base device: 'Ethernet Switch "eth0"'
   VLAN ID: 40

Note: this autopopulated

   Device name: br-lan.40

I'm unsure about what the base device is doing here. Other options were 'Ethernet Adapter: "apcli0"', 'Wireless Network Master "HOME-WIFI" (lan)' (which resolved to ra0), the guest wifi which resolved to ra1, 'Ethernet Switch "eth0"', 'Ethernet Adapter: "eth1" (wan)', 'Bridge: "br-lan" (lan)'. I've also seen other tutorials use a VLAN bridge here, and I don't know if I should be doing that.

Then I clicked "Save & Apply"

Step 2:

I went to Network > Interfaces and then "Add new interface...". I changed the following values in the popup:

   Name: VLAN40
   Protocol: Static address
   Device: br-lan.40

Then I clicked "Create Interface".

From there I changed the popup values:

   IPv4 address: 192.168.40.1
   IPv4 netmask: 255.255.255.0

   # In the "DHCP Server" tab, I clicked "setup dhcp server"

I then clicked "Save". Then I clicked "Save & Apply".

Step 3:

I went to Network > Firewall. Under Zones I clicked "Add", and changed the popup values:

   Name: iot40
   Input: reject
   Output: accept
   Forward: reject
   Covered networks: VLAN40
   Allow forward to destination zones: wan

I then clicked "Save". Then I clicked "Save & Apply".

Step 4:

I then went to Network > Wireless.

I found the radio device I want to add the SSID to, which was "mt798611 Generic 802.11bgnax Channel: 9 (2.452 GHz) | Bitrate: 573 Mbit/s". In the row for "mt798611" I clicked "Add".

I then changed the popup values:

   ESSID: IOT40-WIFI
   Network: VLAN40

   # In the wireless security tab
   Encryption: WPA2-PSK
   Key: <the-wifi-password>

I then clicked "Save". Then I clicked "Save & Apply".

Confusion

And here is where I'm stuck. At this point I would expect to see an IOT40-WIFI SSID come up as an available network to connect to, but I don't see anything. The new row in the Wireless Overview table says: disabled - SSID: IOT40-WIFI | Mode: Master, Wireless is not associated. Specifically, this is what I see:

[screenshot of the Wireless Overview table]

(You'll note I've tried this 3 times with different variants still with no success).

I can ping 192.168.40.1, but I have no idea if I set this up correctly. Clearly I messed something up. I would prefer to learn how to do this via the LuCI GUI first, and then learn how to use the config files.

I've also heard that VLANs only make sense if you have multiple routers, and I'm not sure if that is true. I do plan to connect another router to act as another WIFI access point in the future to improve connectivity far away from the main router, but it seems like the use case where you set up a VLAN on the main router for an isolated non-guest wifi network is reasonable. Do I have a misunderstanding?

Additional information from running:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
_______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 21.02-SNAPSHOT, r15812+1076-46b6ee7ffc
 -----------------------------------------------------
root@GL-MT6000:~# ubus call system board
{
	"kernel": "5.4.238",
	"hostname": "GL-MT6000",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02-SNAPSHOT",
		"revision": "r15812+1076-46b6ee7ffc",
		"target": "mediatek/mt7986",
		"description": "OpenWrt 21.02-SNAPSHOT r15812+1076-46b6ee7ffc"
	}
}
root@GL-MT6000:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd07:de41:87be::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	option macaddr 'MA:CA:D:RE:SS:09'

config device
	option name 'lan1'
	option macaddr 'MA:CA:D:RE:SS:09'

config device
	option name 'lan2'
	option macaddr 'MA:CA:D:RE:SS:09'

config device
	option name 'lan3'
	option macaddr 'MA:CA:D:RE:SS:09'

config device
	option name 'lan4'
	option macaddr 'MA:CA:D:RE:SS:09'

config device
	option name 'lan5'
	option macaddr 'MA:CA:D:RE:SS:09'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option isolate '0'
	option ipaddr '192.168.222.1'

config device
	option name 'eth1'
	option macaddr 'MA:CA:D:RE:SS:08'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option force_link '0'
	option ipv6 '0'
	option classlessroute '0'
	option metric '10'

config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'
	option disabled '1'

config interface 'tethering6'
	option device '@tethering'
	option proto 'dhcpv6'
	option disabled '1'

config interface 'wwan6'
	option device '@wwan'
	option proto 'dhcpv6'
	option disabled '1'

config interface 'guest'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option multicast_querier '1'
	option igmp_snooping '0'
	option isolate '0'
	option bridge_empty '1'
	option disabled '0'

config interface 'wwan'
	option proto 'dhcp'
	option classlessroute '0'
	option metric '20'

config interface 'secondwan'
	option ipv6 '0'
	option proto 'dhcp'
	option metric '15'
	option force_link '0'
	option classlessroute '0'

config interface 'secondwan6'
	option proto 'dhcpv6'
	option device '@secondwan'
	option disabled '1'
	option metric '15'

config interface 'modem_1_1_2_6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@modem_1_1_2'

config rule 'policy_direct_rt'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule 'policy_default_rt_vpn'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule6 'policy_direct_rt6'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule6 'policy_default_rt_vpn6'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule 'policy_default_rt_vpn_ts'
	option lookup 'main'
	option priority '1099'
	option mark '0x80000/0xc0000'
	option invert '0'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '20'
	option name 'eth0.20'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '30'
	option name 'eth1.30'

config interface 'IOT30'
	option proto 'static'
	option device 'eth1.30'
	option ipaddr '192.168.30.4'
	option netmask '255.255.255.0'
	option type 'bridge'

config interface 'IOT20'
	option device 'eth0.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option type 'bridge'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '40'
	option name 'br-lan.40'

config interface 'VLAN40'
	option proto 'static'
	option device 'br-lan.40'
	option ipaddr '192.168.40.1'
	option netmask '255.255.255.0'

root@GL-MT6000:~# cat /etc/config/wireless

config wifi-device 'mt798611'
	option type 'mtk'
	option band '2g'
	option htmode 'HE40'
	option channel 'auto'
	option txpower '100'
	option country 'US'
	option random_bssid '1'
	option legacy_rates '0'
	option hwmode '11g'

config wifi-iface 'wifi2g'
	option device 'mt798611'
	option mode 'ap'
	option network 'lan'
	option ifname 'ra0'
	option encryption 'psk2'
	option wds '1'
	option isolate '0'
	option ieee80211k '1'
	option bss_transition '1'
	option ssid 'WhoWhatWhenWhereWifi'
	option hidden '0'
	option key 'password_0'
	option macaddr 'MA:CA:D:RE:SS:18'

config wifi-device 'mt798612'
	option type 'mtk'
	option band '5g'
	option channel 'auto'
	option htmode 'HE80'
	option txpower '100'
	option country 'US'
	option random_bssid '1'
	option disabled '0'
	option legacy_rates '0'
	option hwmode '11a'

config wifi-iface 'wifi5g'
	option device 'mt798612'
	option mode 'ap'
	option network 'lan'
	option ifname 'rax0'
	option encryption 'psk2'
	option wds '1'
	option isolate '0'
	option ieee80211k '1'
	option bss_transition '1'
	option ssid 'WhoWhatWhenWhereWifi-5G'
	option hidden '0'
	option key 'password_0'
	option macaddr 'MA:CA:D:RE:SS:02'

config wifi-iface 'guest2g'
	option device 'mt798611'
	option network 'guest'
	option mode 'ap'
	option ifname 'ra1'
	option encryption 'psk2'
	option key 'password_2'
	option ssid 'GL-MT6000-a77-Guest'
	option guest '1'
	option wds '1'
	option isolate '1'
	option disabled '0'
	option macaddr 'MA:CA:D:RE:SS:07'

config wifi-iface 'guest5g'
	option device 'mt798612'
	option network 'guest'
	option mode 'ap'
	option ifname 'rax1'
	option encryption 'psk2'
	option key 'password_2'
	option ssid 'GL-MT6000-a77-5G-Guest'
	option guest '1'
	option disabled '1'
	option wds '1'
	option isolate '1'
	option macaddr 'MA:CA:D:RE:SS:14'

config wifi-iface 'wifinet4'
	option device 'mt798611'
	option mode 'ap'
	option encryption 'psk2'
	option key 'password_1'
	option network 'IOT20'
	option ssid 'IOT20-WIFI'
	option disabled '1'
	option macaddr 'MA:CA:D:RE:SS:21'

config wifi-iface 'wifinet5'
	option device 'mt798611'
	option mode 'ap'
	option ssid 'IOT30-WIFI'
	option encryption 'psk2'
	option key 'password_1'
	option network 'IOT30'
	option macaddr 'MA:CA:D:RE:SS:04'

config wifi-iface 'wifinet6'
	option device 'mt798611'
	option mode 'ap'
	option ssid 'IOT40-WIFI'
	option encryption 'psk2'
	option key 'password_1'
	option network 'VLAN40'
	option macaddr 'MA:CA:D:RE:SS:12'

root@GL-MT6000:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option rebind_protection '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ra_slaac '1'
	option force '1'
	option dhcpv6 'disabled'
	option ra 'disabled'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option name 'console.gl-inet.com'
	option ip '192.168.8.1'

config domain
	option name 'console.gl-inet.com'
	option ip '::ffff:192.168.8.1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'disabled'
	option ra 'disabled'

config dhcp 'secondwan'
	option interface 'secondwan'
	option ignore '1'

config host
	option mac 'MA:CA:D:RE:SS:11'
	option ip '192.168.222.38'
	option tag 'device_07'

config host
	option mac 'MA:CA:D:RE:SS:00'
	option ip '192.168.222.35'
	option tag 'device_09'

config host
	option mac 'MA:CA:D:RE:SS:20'
	option ip '192.168.222.16'
	option tag 'device_11'

config host
	option mac 'MA:CA:D:RE:SS:19'
	option ip '192.168.222.29'
	option tag 'device_06'

config host
	option mac 'MA:CA:D:RE:SS:16'
	option ip '192.168.222.18'
	option tag 'device_05'

config host
	option mac 'MA:CA:D:RE:SS:15'
	option ip '192.168.222.19'
	option tag 'device_04'

config host
	option mac 'MA:CA:D:RE:SS:03'
	option ip '192.168.222.20'
	option tag 'device_10'

config host
	option mac 'MA:CA:D:RE:SS:13'
	option ip '192.168.222.17'
	option tag 'device_00'

config host
	option mac 'MA:CA:D:RE:SS:06'
	option ip '192.168.222.15'
	option tag 'device_02'

config host
	option mac 'MA:CA:D:RE:SS:05'
	option ip '192.168.222.14'
	option tag 'device_03'

config host
	option mac 'MA:CA:D:RE:SS:17'
	option ip '192.168.222.5'
	option tag 'device_12'

config host
	option mac 'MA:CA:D:RE:SS:10'
	option ip '192.168.222.30'
	option tag 'device_01'

config host
	option mac 'MA:CA:D:RE:SS:01'
	option ip '192.168.222.4'
	option tag 'device_08'

config dhcp 'IOT30'
	option interface 'IOT30'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config dhcp 'IOT20'
	option interface 'IOT20'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config dhcp 'VLAN40'
	option interface 'VLAN40'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

root@GL-MT6000:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option input 'DROP'
	option masq '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	list network 'secondwan'

config forwarding
	option src 'lan'
	option dest 'wan'
	option enabled '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

config rule 'process_mark'
	option name 'process_mark'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 65533'
	option target 'MARK'
	option set_xmark '0x8000/0xc000'

config rule 'process_mark_dns'
	option name 'process_mark_dns'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 453'
	option target 'MARK'
	option set_xmark '0x8000/0xc000'

config rule 'process_explict_vpn'
	option name 'process_explict_vpn'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 20000'
	option target 'MARK'
	option set_xmark '0x20000/0x20000'

config rule 'wan_in_conn_mark'
	option name 'wan_in_conn_mark'
	option src 'wan'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option extra '-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x8000/0xc000'
	option enabled '0'

config rule 'lan_in_conn_mark_restore'
	option name 'lan_in_conn_mark_restore'
	option src 'lan'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option enabled '0'
	option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark --nfmask 0xc000 --ctmask 0xc000'

config rule 'out_conn_mark_restore'
	option name 'out_conn_mark_restore'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option enabled '0'
	option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark --nfmask 0xc000 --ctmask 0xc000'

config include 'swap_wan_in_conn_mark'
	option type 'script'
	option reload '1'
	option path '/etc/firewall.swap_wan_in_conn_mark.sh'
	option enabled '0'

config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'
	option enabled '1'

config rule
	option name 'Allow-DHCP'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule
	option name 'Allow-DNS'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config include 'vpn_server_policy'
	option type 'script'
	option path '/etc/firewall.vpn_server_policy.sh'
	option reload '1'
	option enabled '1'

config redirect
	option enabled '1'
	option proto 'tcp udp'
	option src_dport '30303'
	option dest_ip '192.168.222.35'
	option dest_port '30303'
	option src 'wan'
	option name 'GL-Ethereum Execution Client'
	option dest 'lan'

config redirect
	option enabled '1'
	option proto 'tcp udp'
	option src_dport '9001'
	option dest_ip '192.168.222.35'
	option dest_port '9001'
	option src 'wan'
	option name 'GL-Ethereum Concensus Client'
	option dest 'lan'

config redirect
	option enabled '1'
	option proto 'tcp udp'
	option src_dport '4001'
	option dest_ip '192.168.222.29'
	option dest_port '4001'
	option src 'wan'
	option name 'GL-IPFS Ports'
	option dest 'lan'

config rule 'sambasharewan'
	option src 'wan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'DROP'

config rule 'sambasharelan'
	option src 'lan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'ACCEPT'

config rule 'glnas_ser'
	option src 'wan'
	option dest_port '6000-6002'
	option dest_proto 'tcp'
	option target 'DROP'

config rule 'webdav_wan'
	option src 'wan'
	option dest_port '6008'
	option dest_proto 'tcp'
	option target 'DROP'

config redirect 'dns_vpn'
	option name 'dns for vpn'
	option src 'lan'
	option src_dport '53'
	option dest 'lan'
	option dest_port '1653'
	option mark '!0x8000/0xc000'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

config redirect 'dns_vpn_guest'
	option name 'dns for vpn guest'
	option src 'guest'
	option src_dport '53'
	option dest 'guest'
	option dest_port '1653'
	option mark '!0x8000/0xc000'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

config rule 'process_mark_stubby'
	option name 'process_mark_stubby'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 410'
	option target 'MARK'
	option set_xmark '0x8000/0xc000'

config include 'vpn_client_deal_leak'
	option type 'script'
	option reload '1'
	option path '/etc/firewall.vpn_client_deal_leak.sh'
	option enabled '1'

config include 'glblock'
	option type 'script'
	option path '/usr/bin/gl_block.sh'
	option reload '1'

config zone
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option name 'iot20'

config forwarding
	option dest 'wan'
	option src 'iot20'

config zone
	option name 'iot30'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IOT30'

config zone
	option name 'iot40'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VLAN40'

config forwarding
	option src 'iot40'
	option dest 'wan'

Unlike managed switches, OpenWRT routers have problems when mixing untagged and tagged frames.

You shouldn't use a VLAN interface like br-lan.40 on the MT6000. You can still use VLAN interfaces, but you really don't have to, even if you want to connect with wired ethernet, and you shouldn't create them on br-lan anyway, unless you have a very specific reason and know what you're doing.

It's different from what you asked, but I think you have to fix that part first.

Hmm, when using eth1 you are using it tagged from wan; this seems wrong unless this is a downstream router?

Of course one can make an 802.1q DSA device, but this will not work on the Flint 2 because the Flint 2 doesn't have individual LAN switch ports; they share all ports with the switching CPU.

But what you still can do is bridge VLAN filtering: if you navigate to LuCI -> Network -> Devices and edit br-lan, under Bridge VLAN filtering you can define the VLANs. This generates devices like br-lan.49.

Tagged or trunk means that your vlan can traverse further down into your network.

Untagged, however, is meant for the final port; after this port the VLAN doesn't exist. Often a port can also have only one untagged VLAN, and this gets handled by the PVID.

You can also have one untagged VLAN on a port and combine it with, say, 4 tagged networks; these tagged networks can then traverse further down to VLAN-aware devices such as another Flint 2.

On a second downstream Flint 2 you likely have to tag WAN with eth1.49; here you can create an 802.1q device and add this device to br-lan as if it were a port.

Under Bridge VLAN filtering on device br-lan you now see eth1.49 added, so naturally you can do the same as on the first Flint 2, but for the VLANs which need to reach WAN you click T for eth1.49.

On a managed switch this kind of works the same.

^ If that part doesn't work, use U for eth1.49, because maybe OpenWrt thinks of it as eth1.49.49; it will still be tagged, it just looks a little odd.

And on your final router downstream, you can choose to only tag the VLAN; this means you just create an interface, e.g. iot, using device eth1.49 and set it to unmanaged, or static, but you have to be careful not to create an overlapping DHCP server: it must be disabled. My advice is to assign static leases from your most upstream router to decrease the chance of a conflict.

Please be aware that unmanaged switches often strip tagged VLANs; it is very likely something will go wrong if you need a VLAN there.

This is wrong: the input must be set to accept or clients cannot request DHCP. If the idea was a guest network like the GL software does, you have to manually allow these ports via the Firewall tab's traffic rules.

Also, in your network config I see this:
option type 'bridge'

I think this seems to be invalid under the interfaces; this still looks like it's from swconfig versions of OpenWrt. Also, are these interfaces on the downstream router?

Also, about the mtk version of the MT6000 for WiFi:

It is recommended to restart the Flint 2, because mtk has very limited LuCI support when it comes to WiFi; it will work, but it only did for me after a restart.
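To make the tagged/untagged/PVID rules described in this reply concrete, here is an added example (not code from the posters or from OpenWrt) that models how a VLAN-aware bridge classifies a frame on ingress and emits it on egress, reading OpenWrt's bridge-vlan port syntax (lan1:t, lan2:u*). The VlanBridge class and flint_table() are this example's own names; the two VLAN tables in flint_table() are the bridge-vlan sections from the OP's working config further down the thread. Treating a bare port name as an untagged member with no PVID is an assumption of the model, not a statement about what netifd does with a bare entry.

```python
"""Model of how a VLAN-aware bridge classifies and emits frames.

Added example for this thread, not code from OpenWrt or the posters. It reads
OpenWrt's bridge-vlan port syntax ('lan1:t' = tagged member, 'lan2:u*' =
untagged member and PVID). A bare port name is treated here as an untagged
member with no PVID; that is an assumption of this model, not a statement
about what netifd does with a bare name.
"""


class VlanBridge:
    def __init__(self):
        self.members = {}  # vid -> {port: {"tagged": bool, "pvid": bool}}

    def add_vlan(self, vid, ports):
        """One 'config bridge-vlan' section: vid plus its 'list ports' entries."""
        entry = {}
        for spec in ports:
            name, _, flags = spec.partition(":")
            entry[name] = {"tagged": "t" in flags, "pvid": "*" in flags}
        self.members[vid] = entry

    def pvid(self, port):
        """VLAN assigned to untagged frames arriving on port, or None."""
        for vid, ports in self.members.items():
            if ports.get(port, {}).get("pvid"):
                return vid
        return None

    def ingress(self, port, vid=None):
        """Classify a frame arriving on port; vid is its 802.1Q tag, or None if untagged.
        Returns the VLAN the frame joins, or None when the bridge drops it."""
        if vid is None:
            vid = self.pvid(port)
            if vid is None:
                return None  # untagged frame on a port with no PVID: dropped
        if port not in self.members.get(vid, {}):
            return None  # port is not a member of that VLAN: dropped
        return vid

    def egress(self, port, vid):
        """How a frame of VLAN vid leaves port: 'tagged', 'untagged', or None if not a member."""
        entry = self.members.get(vid, {}).get(port)
        if entry is None:
            return None
        return "tagged" if entry["tagged"] else "untagged"

    def forward(self, in_port, out_port, vid=None):
        """Ingress classification followed by the egress decision for out_port."""
        joined = self.ingress(in_port, vid)
        if joined is None:
            return None
        return joined, self.egress(out_port, joined)


def flint_table():
    """The two bridge-vlan sections from the OP's working config on this page."""
    br = VlanBridge()
    br.add_vlan(222, ["lan1:t", "lan2:u*", "lan3", "lan4:t"])
    br.add_vlan(20, ["lan1:t", "lan4:t", "lan5"])
    return br
```

flint_table().forward("lan2", "lan4") returns (222, 'tagged'): an untagged frame from the unmanaged switch on lan2 lands in VLAN 222 through the PVID and leaves lan4 tagged, which is what a downstream VLAN-aware device needs. forward("lan1", "lan5", 20) returns (20, 'untagged'), and an untagged frame arriving on the trunk-only lan1 is dropped, the "after this port the VLAN doesn't exist" behaviour the reply describes. Because the model treats the bare lan3 and lan5 entries as untagged members with no PVID, untagged frames arriving on them are dropped too; whether netifd gives a bare entry a PVID is outside what this model claims, which is why the OP's explicit u* on lan2 is the safe way to write it.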

For the MT2500A and MT300N-V2, I always had problems when traffic increased or DHCP was involved, and so on. So I gave up and just use them as either "tagged only" or "untagged only". The MT300N-V2 in particular had problems when it had several VLAN interfaces, even without an untagged interface.

Anyway, regardless of whether it's possible or not, I'd not recommend using a VLAN interface in this situation, because it isn't needed.

Probably you've heard that story a lot on the internet, but did you know that it's not true? There's no such "smart enough" unmanaged switch!

It turns out that when adding a Wireless SSID via LuCI, it never added an ifname field to the network options. When I added that in manually it worked. I think this may be a bug.

Notably my config was:

config wifi-iface 'wifinet4'
	option device 'mt798611'
	option encryption 'psk2'
	option key 'password-123'
	option mode 'ap'
	option network 'IOT20'
	option ssid 'OpenWrt-IOT-20'

Which did not do anything, but when I added the line:

	option ifname 'ra2'

into the wireless interface, it showed up on my devices as a network I could attempt to connect to. Now, I did have other configuration issues, but I was able to resolve those.

I figured out the GIST of the steps by carefully watching and rewatching:

And other videos from the channel were also helpful. On a high level I:

  • Went to Network -> Interfaces -> Devices
  • Hit "Configure" on the existing br-lan the router ships with
  • Clicked the Bridge VLAN Filtering tab
  • Clicked enable VLAN filtering
  • I added 2 VLANs. One for what I wanted to be my "Normal" LAN and one for my IOT LAN. I chose "222" for my main LAN because I already had its address set to 192.168.222.1, and I chose 20 for my VLAN.
  • Importantly I found the LAN Port that my unmanaged switch was connected to (and hence the rest of my wired devices that I want to be on the main LAN including my main desktop) and chose "Egress untagged" (which I believe means anything connected to that switch will be forced into the 222 "main" VLAN, which is exactly what I wanted) and I also chose "Primary VLAN ID" (or I suppose it will be renamed to "Port VLAN ID" in the future?).
  • For the other physical-LAN-ports, I tagged them as egress untagged on the "main" 222 row, and left them "-" for the VLAN row. I did set some unused LAN ports to tag on both 222 and 20 rows, but that's not very important for my current use case, where I really only care about getting a VLAN for WIFI.
  • From here, without yet hitting Save & Apply, I switched to Network -> Interfaces -> Interfaces, and clicked edit on the existing LAN interface. I changed its device from br-lan to br-lan.222, because this VLAN is now the "main" LAN.
  • At this point I hit "Save & Apply" and was pleasantly surprised when I didn't get locked out.
  • I then created a new interface called IOT20, set its device to br-lan.20, its IP to 192.168.20.1, and its netmask to 255.255.255.0
  • I also added a Firewall rule for the IOT20 interface as I previously described above.

Now is the point where we start getting into what might be a bug in the GL.INET OpenWRT fork and its interaction with LuCI.

  • Going to Interfaces -> Wireless
  • I found the 2.4GHz WIFI device of interest and clicked Add.
  • I put in my ESSID, and then went to Wireless Security chose WPA2-PSK and entered a passkey

Hitting "Save & Apply" brought me to the same point I was originally at in the question: a wifi-iface that didn't seem to work. And again the issue seemed to be that it didn't write the "ifname" option to the config. After I manually added it as "ra2" (where 2 was chosen not to conflict with the existing "ra0" and "ra1"), and ran /etc/init.d/network restart, the WIFI device popped up and everything worked.

I'm still working on understanding the firewall section well, but I think I have a much better understanding of VLANs now, and I hope this documentation can help anyone else who just wants to make a VLAN for WIFI without worrying about pushing that down to other network devices (although I think I have a better grasp on that now too).

Specifically my sanitized working config is:

root@GL-MT6000:~# ubus call system board
{
	"kernel": "5.4.238",
	"hostname": "GL-MT6000",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02-SNAPSHOT",
		"revision": "r15812+1076-46b6ee7ffc",
		"target": "mediatek/mt7986",
		"description": "OpenWrt 21.02-SNAPSHOT r15812+1076-46b6ee7ffc"
	}
}

root@GL-MT6000:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd07:de41:87be::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	option macaddr 'MA:CA:D:RE:SS:08'

config device
	option name 'lan1'
	option macaddr 'MA:CA:D:RE:SS:08'

config device
	option name 'lan2'
	option macaddr 'MA:CA:D:RE:SS:08'

config device
	option name 'lan3'
	option macaddr 'MA:CA:D:RE:SS:08'

config device
	option name 'lan4'
	option macaddr 'MA:CA:D:RE:SS:08'

config device
	option name 'lan5'
	option macaddr 'MA:CA:D:RE:SS:08'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option isolate '0'
	option ipaddr '192.168.222.1'
	option device 'br-lan.222'

config device
	option name 'eth1'
	option macaddr 'MA:CA:D:RE:SS:07'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option force_link '0'
	option ipv6 '0'
	option classlessroute '0'
	option metric '10'

config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'
	option disabled '1'

config interface 'tethering6'
	option device '@tethering'
	option proto 'dhcpv6'
	option disabled '1'

config interface 'wwan6'
	option device '@wwan'
	option proto 'dhcpv6'
	option disabled '1'

config interface 'guest'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option multicast_querier '1'
	option igmp_snooping '0'
	option isolate '0'
	option bridge_empty '1'
	option disabled '0'

config interface 'wwan'
	option proto 'dhcp'
	option classlessroute '0'
	option metric '20'

config interface 'secondwan'
	option ipv6 '0'
	option proto 'dhcp'
	option metric '15'
	option force_link '0'
	option classlessroute '0'

config interface 'secondwan6'
	option proto 'dhcpv6'
	option device '@secondwan'
	option disabled '1'
	option metric '15'

config interface 'modem_1_1_2_6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@modem_1_1_2'

config rule 'policy_direct_rt'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule 'policy_default_rt_vpn'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule6 'policy_direct_rt6'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule6 'policy_default_rt_vpn6'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule 'policy_default_rt_vpn_ts'
	option lookup 'main'
	option priority '1099'
	option mark '0x80000/0xc0000'
	option invert '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '222'
	list ports 'lan1:t'
	list ports 'lan2:u*'
	list ports 'lan3'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan1:t'
	list ports 'lan4:t'
	list ports 'lan5'

config interface 'IOT20'
	option proto 'static'
	option device 'br-lan.20'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option ip6assign '64'


root@GL-MT6000:~# cat /etc/config/wireless

config wifi-device 'mt798611'
	option type 'mtk'
	option band '2g'
	option htmode 'HE40'
	option channel 'auto'
	option txpower '100'
	option country 'US'
	option random_bssid '1'
	option legacy_rates '0'
	option hwmode '11g'

config wifi-iface 'wifi2g'
	option device 'mt798611'
	option mode 'ap'
	option network 'lan'
	option ifname 'ra0'
	option encryption 'psk2'
	option wds '1'
	option isolate '0'
	option ieee80211k '1'
	option bss_transition '1'
	option ssid 'WhoWhatWhenWhereWifi'
	option hidden '0'
	option key 'password_0'
	option macaddr 'MA:CA:D:RE:SS:16'

config wifi-iface 'guest2g'
	option device 'mt798611'
	option network 'guest'
	option mode 'ap'
	option ifname 'ra1'
	option encryption 'psk2'
	option guest '1'
	option wds '1'
	option isolate '1'
	option disabled '0'
	option macaddr 'MA:CA:D:RE:SS:06'
	option ssid 'WhoWhatWhenWhereWifi-Guest'
	option hidden '0'
	option key 'password_1'

config wifi-device 'mt798612'
	option type 'mtk'
	option band '5g'
	option channel 'auto'
	option htmode 'HE80'
	option txpower '100'
	option country 'US'
	option random_bssid '1'
	option legacy_rates '0'
	option hwmode '11a'

config wifi-iface 'wifi5g'
	option device 'mt798612'
	option mode 'ap'
	option network 'lan'
	option ifname 'rax0'
	option encryption 'psk2'
	option wds '1'
	option isolate '0'
	option ieee80211k '1'
	option bss_transition '1'
	option ssid 'WhoWhatWhenWhereWifi-5G'
	option hidden '0'
	option key 'password_0'
	option macaddr 'MA:CA:D:RE:SS:02'

config wifi-iface 'guest5g'
	option device 'mt798612'
	option network 'guest'
	option mode 'ap'
	option ifname 'rax1'
	option encryption 'psk2'
	option guest '1'
	option wds '1'
	option isolate '1'
	option macaddr 'MA:CA:D:RE:SS:12'
	option disabled '0'
	option ssid 'WhoWhatWhenWhereWifi-5G-Guest'
	option hidden '0'
	option key 'password_1'

config wifi-iface 'wifinet4'
	option device 'mt798611'
	option encryption 'psk2'
	option ifname 'ra2'
	option key 'password_1'
	option mode 'ap'
	option network 'IOT20'
	option ssid 'OpenWrt-IOT-20'

root@GL-MT6000:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option rebind_protection '0'
	option noresolv '1'
	option localuse '0'
	list server '127.0.0.1#3053'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option force '1'
	list ra_flags 'none'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option name 'console.gl-inet.com'
	option ip '192.168.222.1'

config domain
	option name 'console.gl-inet.com'
	option ip '::ffff:192.168.8.1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'disabled'
	option ra 'disabled'

config dhcp 'secondwan'
	option interface 'secondwan'
	option ignore '1'

config host
	option mac 'MA:CA:D:RE:SS:10'
	option ip '192.168.222.38'
	option tag 'device_07'

config host
	option mac 'MA:CA:D:RE:SS:00'
	option ip '192.168.222.35'
	option tag 'device_09'

config host
	option mac 'MA:CA:D:RE:SS:18'
	option ip '192.168.222.16'
	option tag 'device_11'

config host
	option mac 'MA:CA:D:RE:SS:17'
	option ip '192.168.222.29'
	option tag 'device_06'

config host
	option mac 'MA:CA:D:RE:SS:14'
	option ip '192.168.222.18'
	option tag 'device_05'

config host
	option mac 'MA:CA:D:RE:SS:13'
	option ip '192.168.222.19'
	option tag 'device_04'

config host
	option mac 'MA:CA:D:RE:SS:03'
	option ip '192.168.222.20'
	option tag 'device_10'

config host
	option mac 'MA:CA:D:RE:SS:11'
	option ip '192.168.222.17'
	option tag 'device_00'

config host
	option mac 'MA:CA:D:RE:SS:05'
	option ip '192.168.222.15'
	option tag 'device_02'

config host
	option mac 'MA:CA:D:RE:SS:04'
	option ip '192.168.222.14'
	option tag 'device_03'

config host
	option mac 'MA:CA:D:RE:SS:15'
	option ip '192.168.222.5'
	option tag 'device_12'

config host
	option mac 'MA:CA:D:RE:SS:09'
	option ip '192.168.222.30'
	option tag 'device_01'

config host
	option mac 'MA:CA:D:RE:SS:01'
	option ip '192.168.222.4'
	option tag 'device_08'

config dhcp 'IOT20'
	option interface 'IOT20'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'


root@GL-MT6000:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option input 'DROP'
	option masq '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	list network 'secondwan'

config forwarding
	option src 'lan'
	option dest 'wan'
	option enabled '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

config rule 'process_mark'
	option name 'process_mark'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 65533'
	option target 'MARK'
	option set_xmark '0x8000/0xc000'

config rule 'process_mark_dns'
	option name 'process_mark_dns'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 453'
	option target 'MARK'
	option set_xmark '0x8000/0xc000'

config rule 'process_explict_vpn'
	option name 'process_explict_vpn'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 20000'
	option target 'MARK'
	option set_xmark '0x20000/0x20000'

config rule 'wan_in_conn_mark'
	option name 'wan_in_conn_mark'
	option src 'wan'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option extra '-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x8000/0xc000'
	option enabled '0'

config rule 'lan_in_conn_mark_restore'
	option name 'lan_in_conn_mark_restore'
	option src 'lan'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option enabled '0'
	option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark --nfmask 0xc000 --ctmask 0xc000'

config rule 'out_conn_mark_restore'
	option name 'out_conn_mark_restore'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option enabled '0'
	option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark --nfmask 0xc000 --ctmask 0xc000'

config include 'swap_wan_in_conn_mark'
	option type 'script'
	option reload '1'
	option path '/etc/firewall.swap_wan_in_conn_mark.sh'
	option enabled '0'

config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'
	option enabled '1'

config rule
	option name 'Allow-DHCP'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule
	option name 'Allow-DNS'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config include 'vpn_server_policy'
	option type 'script'
	option path '/etc/firewall.vpn_server_policy.sh'
	option reload '1'
	option enabled '1'

config redirect
	option enabled '1'
	option proto 'tcp udp'
	option src_dport '30303'
	option dest_ip '192.168.222.35'
	option dest_port '30303'
	option src 'wan'
	option name 'GL-Ethereum Execution Client'
	option dest 'lan'

config redirect
	option enabled '1'
	option proto 'tcp udp'
	option src_dport '9001'
	option dest_ip '192.168.222.35'
	option dest_port '9001'
	option src 'wan'
	option name 'GL-Ethereum Concensus Client'
	option dest 'lan'

config redirect
	option enabled '1'
	option proto 'tcp udp'
	option src_dport '4001'
	option dest_ip '192.168.222.29'
	option dest_port '4001'
	option src 'wan'
	option name 'GL-IPFS Ports'
	option dest 'lan'

config rule 'sambasharewan'
	option src 'wan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'DROP'

config rule 'sambasharelan'
	option src 'lan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'ACCEPT'

config rule 'glnas_ser'
	option src 'wan'
	option dest_port '6000-6002'
	option dest_proto 'tcp'
	option target 'DROP'

config rule 'webdav_wan'
	option src 'wan'
	option dest_port '6008'
	option dest_proto 'tcp'
	option target 'DROP'

config redirect 'dns_vpn'
	option name 'dns for vpn'
	option src 'lan'
	option src_dport '53'
	option dest 'lan'
	option dest_port '1653'
	option mark '!0x8000/0xc000'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

config redirect 'dns_vpn_guest'
	option name 'dns for vpn guest'
	option src 'guest'
	option src_dport '53'
	option dest 'guest'
	option dest_port '1653'
	option mark '!0x8000/0xc000'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

config rule 'process_mark_stubby'
	option name 'process_mark_stubby'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 410'
	option target 'MARK'
	option set_xmark '0x8000/0xc000'

config include 'vpn_client_deal_leak'
	option type 'script'
	option reload '1'
	option path '/etc/firewall.vpn_client_deal_leak.sh'
	option enabled '1'

config include 'glblock'
	option type 'script'
	option path '/usr/bin/gl_block.sh'
	option reload '1'

config zone
	option name 'IOTZone'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IOT20'
	option input 'ACCEPT'

config forwarding
	option src 'IOTZone'
	option dest 'wa
2 Likes
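One check worth running against a config like the one above, before trusting the new zone: derive the zone-to-zone forwarding matrix straight from /etc/config/firewall and confirm that the IoT zone can only initiate traffic towards wan. The script below is an added example, not part of the thread; it needs only sh and awk, so it also runs on the router. The embedded sample is a constructed copy of the zones and forwardings quoted above, trimmed to the relevant options, with the truncated IOTZone forwarding assumed to end in dest 'wan'.

```shell
#!/bin/sh
# Added example (not from the thread): derive the inter-zone forwarding
# matrix from an OpenWrt /etc/config/firewall in UCI syntax.

# Constructed sample: zones and forwardings of the config quoted above,
# trimmed to the relevant options. The last forwarding is assumed to be
# IOTZone -> wan (the page cuts it off). A disabled lan -> guest forwarding
# is included to show that 'enabled 0' sections are skipped.
sample_firewall() {
cat <<'EOF'
config defaults
	option forward 'REJECT'

config zone
	option name 'lan'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option forward 'REJECT'
	option masq '1'

config zone
	option name 'guest'
	option forward 'REJECT'
	list network 'guest'

config zone
	option name 'IOTZone'
	option forward 'REJECT'
	list network 'IOT20'

config forwarding
	option src 'lan'
	option dest 'wan'
	option enabled '1'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'guest'
	option enabled '0'

config forwarding
	option src 'IOTZone'
	option dest 'wan'
EOF
}

# forwardings: read UCI firewall text on stdin and print "SRC DEST" for
# every enabled 'config forwarding' section ('enabled' defaults to 1).
forwardings() {
  awk -v q="'" '
    function flush() {
      if (sec == "forwarding" && en != "0" && src != "" && dst != "") print src, dst
    }
    $1 == "config"                    { flush(); sec = $2; src = dst = ""; en = "1" }
    $1 == "option" && $2 == "src"     { gsub(q, "", $3); src = $3 }
    $1 == "option" && $2 == "dest"    { gsub(q, "", $3); dst = $3 }
    $1 == "option" && $2 == "enabled" { gsub(q, "", $3); en = $3 }
    END { flush() }'
}

# can_forward SRC DEST: exit 0 if an enabled forwarding SRC -> DEST exists.
# Replies of established flows are allowed by connection tracking, so a
# one-way lan -> IOTZone forwarding lets LAN hosts ping IoT devices while
# IoT devices still cannot open connections into the LAN.
can_forward() {
  forwardings | awk -v s="$1" -v d="$2" 'BEGIN { r = 1 } $1 == s && $2 == d { r = 0 } END { exit r }'
}

# iot_reach ZONE: comma-separated list of zones ZONE may initiate traffic to.
iot_reach() {
  forwardings | awk -v z="$1" '$1 == z { out = out (out ? "," : "") $2 } END { print (out ? out : "nothing") }'
}

# Usage on the router:  iot_reach IOTZone < /etc/config/firewall
# With the sample:      sample_firewall | iot_reach IOTZone   -> wan
```

Two things the matrix does not show: the zone's own `forward` option only governs traffic between different networks inside the same zone, and IoT clients on one SSID reach each other at layer 2 on the bridge without ever passing the router's forward chain, which is why they can talk to each other even with `forward 'REJECT'` on IOTZone. Note also that the zone above has `input 'ACCEPT'`, so IoT devices can reach every service the router itself listens on; the guest zone in the same config shows the tighter pattern (input REJECT plus explicit DHCP and DNS allow rules).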

Yes, this did turn out to be a big part of what worked for me.

I don't want a solution that requires a second router. (Although I may get more flint2 routers as gifts, the builtin adblock and DNS is pretty great! Way better than other routers I've used).

This is good to know. The firewall rules are starting to make more sense to me.

It turns out I did not need to restart if I used /etc/init.d/network restart.

If VLANs are not needed, then how do I create a new WIFI SSID interface that is sequestered from the rest of the network, but where devices within it are allowed to talk to each other and also allowed to talk to the WAN? This needs to be in addition to the guest network.

Ultimately I want 3 WIFI interfaces, each with their own SSID:

  • One for my "main" LAN.
  • One for guests, where they can talk to the WAN, but not each other, and not to the LAN
  • One for IOT devices where they can talk to the WAN, each other, but not the LAN.

Seems like VLANs are the only way to accomplish this, but please tell me if I'm wrong.

1 Like

I think all you need is just something like "copy and paste the guest network".

You will find that the guest network is not at all related to VLAN.

Umm... It's just following your request: "You are wrong".

Forget all the stuff that doesn't apply to MT6000 or outdated. Those will just confuse you. Just try to copy the guest network. Since you can use the CLI, it will be much easier than what you have already done.

ehm... I don't understand, sorry :)

802.1Q is an attachment or label on the packet to make it more simplified, where VLAN-aware devices can route it to other ports, but you need a managed switch which is VLAN-aware, or an aware device, for the VLAN to work.

Many unmanaged switches don't know anything about these extra few bytes; some discard them as 'noise', some ignore them and it just works.

This depends on your topology. If you go simple, like:

one router, you can create a separate interface and attach it to wireless. In the interface creation you don't need to add a device then, because when you select it under wireless settings the wifi phy device automatically assigns itself to your network.

But... if you want to involve more routers, especially for future-proofing for a mesh or roaming, you want to look into VLANs.

Simply because of encapsulation, you can reach the VLANs everywhere and encapsulate the traffic and reduce it to one hop, rather than having multiple routers with multiple NAT.

As an example, at my own topology:

I use one Flint 2 as ISP router, connected to one 20-30 meter cable which hosts a couple of 10 VLANs (I also use it for multi-PSK/wifi), then from my Zyxel managed switch I assign ports; the port for television goes to another 20 meter wire and uses tvnet.

^ All clients show nicely on my ISP router. This wouldn't be possible when there was no encapsulation; now I can also give clients static IPs, all managed from my ISP Flint 2 router.

Also interesting is that it becomes a lot easier to manage. Also, if you deal with IPTV with old IGMP streams, I could simply use igmpproxy to the tvnet interface, whilst with the other setup I have less of that freedom.

I just started using this router in the last few days. You discovered the same bug I discovered! I basically wanted to do the exact same thing and I learned that when Luci added the 'extra' wifi SSID, it didn't associate it with a radio device.

My current setup is roughly: the 'stock' 2.4GHz wifi for normal activities, the 'guest' wifi for guests, the 5GHz wifi for normal activities and a newly added wifi for 'iot'. Just like you, I had to edit the raw config files. My 'iot' wifi is on 192.168.10.* and I've also changed physical port 5 of the router to be associated with that same 192.168.10.* network. I do NOT use VLANs at all.

Trying to remember what I did for the physical port was roughly:

  1. I went into Luci and created a new bridge device called 'br-iot'
  2. In the raw /etc/config/network file I associated the physical lan port 5 with that bridge, and also the wifi with that bridge.

Here's an excerpt from my /etc/config/network:

config device
        option name 'br-lan'
        option type 'bridge'
        option macaddr '94:xx:xx:xx:xx:86'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'br-iot'
        option type 'bridge'
        option macaddr '92:xx:xx:xx:xx:15'
        list ports 'lan5'

config interface 'iot_int'
        option device 'br-iot'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option isolate '0'

And here is an excerpt from /etc/config/dhcp:

config dhcp 'iot_int'
        option interface 'iot_int'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option ''
        list ra_flags 'none'

I hope this helps!

2 Likes

I mean, there's no such unmanaged switch which strips off the 802.1Q header only. That's a very common misconception on the internet.

Unmanaged switches just store and forward the whole frame. As far as I know, that kind of modification wouldn't be possible.
EDIT: [Really it's not even possible in higher layer managed switches.] => Not true!

If you know a switch that does so, please let me know even just one model. It would be helpful to me. I will check that out and correct my misunderstanding and ignorance!

As soon as there is an 'access' port configured, the 802.1q header will be removed totally. That's pretty common. Maybe there are switches with 'access' ports by default instead of auto-trunking all.

2 Likes

Oh, you are right. This is the first time that I found you say something correct!
I mixed up with something else. I marked the part I was wrong.

Anyway, this is still considered to be true.

I always appreciate being corrected. That way I can be less incorrect, and that's always a good thing. But I'll also ask for clarification if something isn't clear.

I think I understand that if I mostly copy an existing guest wifi-iface entry in the config, it will create another one. So that's good. But I'd like clarification on the following: if I clone the wifi-iface entry (with appropriate uniqueness modifications), won't it still be subject to the guest wifi rules? Namely: the devices connected to the new SSID won't be able to talk to each other? Will they be able to see the LAN devices?

More specifically: what do the following entries do?

	option guest '1'
	option wds '1'
	option isolate '1'
	option ieee80211k '1'
	option bss_transition '1'

I see terse docs for some of them in the Wi-Fi /etc/config/wireless docs, but I'm still confused about bss_transition and ieee80211k; the docs:

Name	         Description
bss_transition   BSS Transition Management
ieee80211k       Enables Radio Resource Measurement (802.11k) support
wds              This sets 4-address mode

are not very helpful, and there isn't any entry on "guest". Is that a glinet extra?

Given those requirements is that still possible without VLANs?

Glad I'm not just crazy!

In your config, would it still work if you didn't add the physical lan5 port? Based on xize11's comment I think that is still fine, because the wifi-device will be what connects you to the network? Is your main LAN also on a 192.168.10.x address? Or maybe a better question: what does the interface config that connects to the br-lan device look like?

I'm also wondering, with this setup, if it's possible to make firewall rules so that the main LAN devices can ping IOT devices, but from the IOT device perspective the LAN devices are invisible? Based on my current understanding I think the answer is yes?

Yes, I think I will still go with the VLAN solution as I do plan to add more access points in the future. But this discussion has been very helpful for my understanding.

1 Like

Yes. In fact, before I got the idea to map lan port 5 to the same network, all I had was the iot wifi. I had a slightly different configuration in the network file.

Just to clarify, my normal router connections are in the 192.168.8.* network. Regular wifi, guest wifi use this network. My IOT wifi and lan port 5 hand out the 192.168.10.*. I also added zone forwarding rules for IOT to LAN and WAN so that my home assistant could get updates from time to time. I plan to put some firewall blocks for cameras and light switches so that it can't call out to the WAN normally - except when I purposefully do firmware updates and such.

Before I added port 5 to 192.168.10.*, this is what my configs looked like:

/etc/config/network:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        option macaddr '94:xx:xx:xx:xx:86'

config interface 'iot_int'
        option proto 'static'
        option device 'ra2'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

Note the device for the interface is 'ra2', which is the wireless radio. Also note that lan5 is still part of 'br-lan'. In my final version with port 5 in the IOT, the iot_int device is set to the bridge 'br-iot'.

Here was my wireless entry for 'ra2':
/etc/config/wireless

config wifi-iface 'iot'
        option device 'mt798611'
        option mode 'ap'
        option ifname 'ra2'
        option encryption 'psk2'
        option ssid 'myiot_ssid'
        option guest '0'
        option disabled '0'
        option wds '1'
        option network 'iot_int'
        option wmm '0'
        option hidden '0'
        option key 'myiotpassword'
        option macaddr '56:xx:xx:xx:xx:46'

Actually I didn't test it, but I guess isolate is the option. You will easily find out.

Will they be able to see the LAN devices?

That's on the firewall. You can copy those settings too.

Given those requirements is that still possible without VLANs?

Yup of course, just like the Guest network.

I will still go with the VLAN solution as I do plan to add more access points in the future. But this discussion has been very helpful for my understanding.

For your learning, I recommend making it work without a VLAN interface the first time, and then changing the bound device like the below.
Example using br-guest

Actually I'm using VLAN interfaces everywhere. WAN, LAN, Guest, etc., everything is on eth0.xxxx. But it's solely for wired connections, and not at all involved with wireless.

Lastly, I recommend using the uci command rather than directly editing the config file. It will be much more helpful for you. Maybe many of your questions would be solved.

Try this first:

uci show
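Following that advice, here is the same IoT VLAN, SSID, DHCP pool and firewall zone as in the working config earlier in the thread, expressed as one uci batch instead of hand-edited files. This is an added example, not the thread author's or GL.iNet's own commands. Names taken from the thread: IOT20, IOTZone, VLAN 20, 192.168.20.1, radio mt798611, ifname ra2 and SSID OpenWrt-IOT-20. Everything else is my choice and is labelled so in the comments: the wifi-iface section name iot2g, the rule names, lan5 as untagged PVID member of VLAN 20, the zone's input set to REJECT with explicit DHCP/DNS allow rules (the pattern the guest zone already uses), and a one-way lan to IOTZone forwarding that answers the "LAN can ping IoT but not the other way round" question.

```shell
#!/bin/sh
# Added example, not the thread author's commands: a uci batch that builds
# the IoT VLAN interface, SSID, DHCP pool and firewall zone from the thread.
# Assumed/chosen here: section name 'iot2g', rule names, lan5 as untagged
# PVID on the VLAN, zone input REJECT + DHCP/DNS allows, lan -> IOTZone
# one-way forwarding. Override any value through the environment.

IOT_VLAN="${IOT_VLAN:-20}"
IOT_NET="${IOT_NET:-IOT20}"
IOT_ZONE="${IOT_ZONE:-IOTZone}"
IOT_ADDR="${IOT_ADDR:-192.168.20.1}"
IOT_RADIO="${IOT_RADIO:-mt798611}"
IOT_IFNAME="${IOT_IFNAME:-ra2}"
IOT_SSID="${IOT_SSID:-OpenWrt-IOT-20}"
IOT_KEY="${IOT_KEY:-PLACEHOLDER-set-a-real-psk}"   # placeholder, not a real key

# iot_uci_batch: print the batch; nothing changes until it is fed to uci.
iot_uci_batch() {
  # network: VLAN on the filtering bridge; lan5 carries it untagged as PVID
  cat <<EOF
add network bridge-vlan
set network.@bridge-vlan[-1].device='br-lan'
set network.@bridge-vlan[-1].vlan='$IOT_VLAN'
add_list network.@bridge-vlan[-1].ports='lan5:u*'
set network.$IOT_NET=interface
set network.$IOT_NET.proto='static'
set network.$IOT_NET.device='br-lan.$IOT_VLAN'
set network.$IOT_NET.ipaddr='$IOT_ADDR'
set network.$IOT_NET.netmask='255.255.255.0'
commit network
EOF
  # wireless: 'network' binds the AP to the interface; no device entry needed
  cat <<EOF
set wireless.iot2g=wifi-iface
set wireless.iot2g.device='$IOT_RADIO'
set wireless.iot2g.ifname='$IOT_IFNAME'
set wireless.iot2g.mode='ap'
set wireless.iot2g.network='$IOT_NET'
set wireless.iot2g.ssid='$IOT_SSID'
set wireless.iot2g.encryption='psk2'
set wireless.iot2g.key='$IOT_KEY'
set wireless.iot2g.isolate='0'
commit wireless
EOF
  # dhcp: same pool shape as the lan pool in the thread
  cat <<EOF
set dhcp.$IOT_NET=dhcp
set dhcp.$IOT_NET.interface='$IOT_NET'
set dhcp.$IOT_NET.start='100'
set dhcp.$IOT_NET.limit='150'
set dhcp.$IOT_NET.leasetime='12h'
commit dhcp
EOF
  # firewall: IoT may initiate traffic to wan only; the router answers DHCP
  # and DNS and nothing else; lan may reach IoT, replies ride on conntrack
  cat <<EOF
set firewall.$IOT_ZONE=zone
set firewall.$IOT_ZONE.name='$IOT_ZONE'
set firewall.$IOT_ZONE.input='REJECT'
set firewall.$IOT_ZONE.output='ACCEPT'
set firewall.$IOT_ZONE.forward='REJECT'
add_list firewall.$IOT_ZONE.network='$IOT_NET'
add firewall forwarding
set firewall.@forwarding[-1].src='$IOT_ZONE'
set firewall.@forwarding[-1].dest='wan'
add firewall forwarding
set firewall.@forwarding[-1].src='lan'
set firewall.@forwarding[-1].dest='$IOT_ZONE'
set firewall.iot_dhcp=rule
set firewall.iot_dhcp.name='Allow-IOT-DHCP'
set firewall.iot_dhcp.src='$IOT_ZONE'
set firewall.iot_dhcp.proto='udp'
set firewall.iot_dhcp.dest_port='67-68'
set firewall.iot_dhcp.target='ACCEPT'
set firewall.iot_dns=rule
set firewall.iot_dns.name='Allow-IOT-DNS'
set firewall.iot_dns.src='$IOT_ZONE'
set firewall.iot_dns.proto='tcp udp'
set firewall.iot_dns.dest_port='53'
set firewall.iot_dns.target='ACCEPT'
commit firewall
EOF
}

# apply_iot_vlan: feed the batch to uci on the router and restart the
# affected services. Review the batch first with: iot_uci_batch
apply_iot_vlan() {
  iot_uci_batch | uci batch || return 1
  /etc/init.d/network restart
  wifi reload
  /etc/init.d/dnsmasq restart
  /etc/init.d/firewall restart
}
```

Run `iot_uci_batch` on any machine to read what would be applied, and `IOT_KEY='...' apply_iot_vlan` only on the router. The deliberate difference from the thread's zone is `input 'REJECT'`: with `input 'ACCEPT'` every IoT device can reach LuCI, SSH and any other service the router listens on, which is exactly the exposure a separate IoT network is meant to remove.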