Hi everyone,
I bought a Flint 3 to use as an Access Point with VLAN + SSID capabilities.
My setup:
The Flint 3 is in AP mode.
LAN1 (port 7) is used as the uplink to my main router.
I am trying to create an SSID “Wifi-Home” that should be tagged with VLAN 60 towards the router.
Clients connecting to this WiFi SSID do not get an IP address from the router.
What I configured
I created:
A VLAN interface using an 802.1q device:
eth1.60 (I also tried eth1.1.60 with eth1.1)
Interface VLAN60 using this device
VLAN 60 tagged on:
CPU port (3t)
LAN1 uplink (7t)
The WiFi SSID Wifi-Home is assigned to network VLAN60.
What works
If I untag VLAN 60 on LAN2 and plug a laptop into that port, the laptop receives a correct DHCP lease from the router and internet works.
Also, if I set the VLAN60 interface to DHCP client, the Flint 3 itself successfully receives an IP from VLAN 60.
So VLAN 60 is working on the wired side — only WiFi clients can’t get an IP.
It looks like I am missing some bridge/forward/open configuration to ensure WiFi → VLAN60 → uplink traffic is properly forwarded.
Current relevant config
config interface 'VLAN60'
option proto 'none'
option device 'eth1.1.60'
option type 'bridge'
config device
option type '8021q'
option ifname 'eth1'
option vid '60'
option name 'eth1.60'
config switch_vlan
option device 'switch1'
option ports '3t 4 5 6 7t'
option vlan '60'
config device
option type '8021q'
option ifname 'eth1.1'
option vid '60'
option name 'eth1.1.60'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'eth1.1:u*'
option local '0'
config bridge-vlan
option device 'br-lan'
option vlan '60'
option local '0'
list ports 'eth1.1:t'
config wifi-iface 'wifinet12'
option device 'wifi0'
option mode 'ap'
option ssid 'Wifi-Home'
option encryption 'sae-mixed'
option key 'Wifi_Rapida'
option network 'VLAN60'
option macaddr 'E2:B3:35:33:9C:2A'
Question
What configuration am I missing so that wireless clients on Wifi-Home correctly connect to VLAN 60 and obtain a DHCP lease from the upstream router?
If anyone has a working Flint 3 AP configuration with VLAN-per-SSID, I would appreciate seeing it.
I know it can be done, because I did just that, but I cannot easily get to that device to grab its config. In my case I looked at the config with the Flint 3 set up as a Wi-Fi router with guest network enabled and basically duplicated the guest network from that.
xize11
November 27, 2025, 12:03pm
3
What is the config stanza for:
/etc/config/firewall
/etc/config/dhcp
/etc/config/network (the vlan60 interface not the DSA device to be specific)
P.S. It is best to mask MAC addresses, especially if you decide to use IPv6: some devices assign addresses based on their MAC, making them vulnerable and findable.
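A way to act on the masking advice above before pasting `/etc/config/*` into a forum post. This is an added example, not part of the original thread; the list of option names treated as secrets is a heuristic assumption, and the sample input is constructed.

```sh
#!/bin/sh
# Added example: mask secrets and hardware identifiers in UCI text before posting it.
# Reads UCI config on stdin, writes the redacted copy on stdout.
redact_uci() {
    awk -v q="'" '
    function indent(s) { match(s, /^[ \t]*/); return substr(s, 1, RLENGTH) }
    BEGIN {
        h = "[0-9A-Fa-f][0-9A-Fa-f]"
        mac = h ":" h ":" h ":" h ":" h ":" h
        # Option names treated as secrets: a heuristic list, extend as needed.
        secret = "^(key[0-9]*|sae_password|password|private_key|preshared_key)$"
    }
    ($1 == "option" || $1 == "list") && NF >= 3 && $2 ~ secret {
        print indent($0) $1 " " $2 " " q "REDACTED" q; next
    }
    $1 == "option" && $2 == "ula_prefix" {
        print indent($0) "option ula_prefix " q "fdXX:XXXX:XXXX::/48" q; next
    }
    {
        # Any MAC address left on the line (macaddr options, comments, lists).
        gsub(mac, "XX:XX:XX:XX:XX:XX")
        print
    }'
}

# Constructed sample input, not taken from the thread.
sample_wireless() {
    cat <<'EOF'
config wifi-iface 'wifinet12'
    option ssid 'Example-SSID'
    option encryption 'sae-mixed'
    option key 'constructed-passphrase'
    option macaddr '02:00:5E:10:00:01'
config globals 'globals'
    option ula_prefix 'fd12:3456:789a::/48'
EOF
}

sample_wireless | redact_uci
```

On the router it can be used as `redact_uci < /etc/config/wireless`; review the output by eye before posting, since the secret-name list cannot cover every package.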
This is still a PoC environment to see if it works.
DHCP is the default one because I don’t want the Flint to act as a DHCP server.
Firewall is the default, plus some attempts to allow everything, without any effect.
Full network configuration is below:
/etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '0'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '1'
option filter_a '0'
option confdir '/tmp/dnsmasq.d'
option disabled '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'disabled'
option ra 'disabled'
option ra_slaac '1'
option force '1'
option ignore '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'disabled'
option ra 'disabled'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config domain
option name 'console.gl-inxxx'
option ip '192.168.8.1'
config domain
option name 'consolxxxx'
option ip '::ffff:192.168.8.1'
config dhcp 'secondwan'
option interface 'secondwan'
option ignore '1'
/etc/config/firewall
root@GL-BE9300:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option disabled '0'
option synflood_protect '1'
config rule 'wan_drop_leaked_adgdns'
option name 'wan_drop_leaked_adgdns'
option src 'wan'
option proto 'udp'
option dest_port '3053'
option mark '0x0/0xf000'
option target 'DROP'
option enabled '0'
config rule 'wan_drop_leaked_dns'
option name 'wan_drop_leaked_dns'
option src 'wan'
option proto 'udp'
option dest_port '53'
option mark '!0x8000/0xf000'
option target 'DROP'
option enabled '0'
config rule 'guest_drop_leaked_dns'
option name 'guest_drop_leaked_dns'
option src 'guest'
option proto 'udp'
option dest_port '53'
option mark '!0x8000/0xf000'
option target 'DROP'
option enabled '0'
config rule 'guest_drop_leak_adgdns'
option name 'guest_drop_leak_adgdns'
option src 'guest'
option proto 'udp'
option dest_port '3053'
option mark '0x0/0xf000'
option target 'DROP'
option enabled '0'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'VLAN60'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
list network 'wwan'
list network 'secondwan'
option input 'DROP'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
option enabled '1'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'guest'
option network 'guest'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
config forwarding
option src 'guest'
option dest 'wan'
option enabled '1'
config rule
option name 'Allow-DHCP'
option src 'guest'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
config rule
option name 'Allow-DNS'
option src 'guest'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
config include 'nat6'
option path '/etc/firewall.nat6'
option reload '1'
config include 'dns_order'
option type 'script'
option path '/etc/firewall.dns_order'
option reload '1'
option enabled '1'
config include 'qcanssecm'
option type 'script'
option path '/etc/firewall.d/qca-nss-ecm'
config include 'glblock'
option type 'script'
option path '/usr/bin/gl_block.sh'
option reload '1'
config include 'dmz_exclude'
option type 'script'
option path '/etc/firewall.dmz.exclude'
option reload '1'
config include 'security'
option type 'script'
option path '/etc/firewall.security'
option reload '0'
config include
option enabled '1'
option type 'script'
option path '/etc/netifyd/nftables-init'
option fw4_compatible '1'
config rule 'lan_drop_leaked_dns'
option name 'lan_drop_leaked_dns'
option src 'lan'
option proto 'udp'
option dest_port '53'
option mark '!0x8000/0xf000'
option target 'DROP'
option enabled '1'
config rule 'lan_drop_leak_adgdns'
option name 'lan_drop_leak_adgdns'
option src 'lan'
option proto 'udp'
option dest_port '3053'
option mark '0x0/0xf000'
option target 'DROP'
option enabled '1'
config rule 'wgserver_drop_leaked_dns'
option name 'wgserver_drop_leaked_dns'
option src 'wgserver'
option proto 'udp'
option dest_port '53'
option mark '!0x8000/0xf000'
option target 'DROP'
option enabled '1'
config rule 'ovpnserver_drop_leaked_dns'
option name 'ovpnserver_drop_leaked_dns'
option src 'ovpnserver'
option proto 'udp'
option dest_port '53'
option mark '!0x8000/0xf000'
option target 'DROP'
option enabled '1'
config rule 'wgserver_drop_leaked_adgdns'
option name 'wgserver_drop_leaked_adgdns'
option src 'wgserver'
option proto 'udp'
option dest_port '3053'
option mark '0x0/0xf000'
option target 'DROP'
option enabled '1'
config rule 'ovpnserver_drop_leaked_adgdns'
option name 'ovpnserver_drop_leaked_adgdns'
option src 'ovpnserver'
option proto 'udp'
option dest_port '3053'
option mark '0x0/0xf000'
option target 'DROP'
option enabled '1'
config zone
option name 'wan_to_lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'wan'
config forwarding
option src 'wan_to_lan'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'wan_to_lan'
/etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdXX:XXXX:XXXX::/48'
config device
option name 'br-lan'
option type 'bridge'
option macaddr 'XX:XX:XX:XX:XX:XX'
list ports 'eth0'
list ports 'eth1.1'
option vlan_filtering '0'
config device
option name 'eth1.1'
option macaddr 'XX:XX:XX:XX:XX:XX'
option isolate '0'
config interface 'lan'
option device 'br-lan'
option proto 'dhcp'
option ip6assign '60'
option isolate '0'
option multicast_querier '0'
option igmp_snooping '0'
config device
option name 'eth0'
option macaddr 'XX:XX:XX:XX:XX:XX'
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
option force_link '0'
option ipv6 '0'
option classlessroute '0'
option metric '10'
option disabled '1'
config interface 'wan6'
option proto 'dhcpv6'
option device '@wan'
option disabled '1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '0'
config switch
option name 'switch1'
option reset '1'
option enable_vlan '1'
config switch_vlan 'vlan_lan'
option device 'switch1'
option vlan '1'
option ports '3t 7'
config interface 'VLAN60'
option proto 'none'
option device 'eth1.60'
option type 'bridge'
config device
option type '8021q'
option ifname 'eth1'
option vid '60'
option name 'eth1.60'
config switch_vlan
option device 'switch1'
option ports '3t 4 5 6 7t'
option vlan '60'
config device
option type '8021q'
option ifname 'eth1.1'
option vid '60'
option name 'eth1.1.60'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'eth1.1:u*'
option local '0'
config bridge-vlan
option device 'br-lan'
option vlan '60'
option local '0'
list ports 'eth1.1:t'
xize11
November 28, 2025, 6:03am
5
This seems to be incorrect; if upstream has an untagged PVID, it becomes just eth1.
Also, because it seems you are creating a dumb AP from the looks of it, you can allow everything in zone wan, so input and forward can be set to accept or the whole zone can be removed.
There is only one other issue I see:
The router is unable to find the default route, and since the WAN port is part of br-lan, which is the 'gateway', you need to make sure each created interface has the option "default gateway" unchecked. Please edit vlan60, click on the Advanced tab and uncheck it. That checkbox indicates whether the interface is a 'wan' interface, but it is often checked by default on creation, and this causes a WAN conflict.
With ip r you can verify if the default route points to your upstream router.
If the issue still persists, maybe someone with experience with swconfig on the Flint 3 can help, as I don't own a Flint 3 and I'm aware the port numbering is odd. You want to tag the CPU port and tag the WAN port, and maybe untag a port for LAN if needed; the tutorial can help more in this case.
For Flint3 (GL-BE9300) only.
Describes how to configure a dedicated IoT network on SSH by creating a VLAN (VID 25), a bridge, DHCP, firewall rules, and a separate 2.4 GHz Wi-Fi SSID.
1. Define VLAN 25 on eth1
We create a VLAN subinterface eth1.25 using IEEE 802.1Q tagging.
uci set network.eth1_25=device
uci set network.eth1_25.type='8021q'
uci set network.eth1_25.ifname='eth1'
uci set network.eth1_25.vid='25'
uci set network.eth1_25.name='eth1.25'
2. Create the IoT Bridge
We define a new b…
The issue was that I needed to add a firewall rule, so the high-level steps are:
Change the Router to AP mode.
Activate LuCI.
In Switch, create the VLAN in Switch 1; the device eth1.XX will be created automatically:
config switch_vlan
option device 'switch1'
option ports '3t 4t 5t 6t 7t'
option vlan '65'
option description 'Display'
Create a bridge device to bridge eth1.xx with eth0; here you have to associate the firewall rule (e.g. lan or guest):
config device
option type 'bridge'
option name 'br-vlan65'
list ports 'eth0'
list ports 'eth1.65'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'VLAN60'
list network 'VLAN61'
list network 'VLAN64'
list network 'VLAN65'
Create the VLAN interface:
config interface 'VLAN65'
option proto 'dhcp'
option device 'br-vlan65'
Create the WiFi:
config wifi-iface 'wifinet12'
option device 'wifi0'
option mode 'ap'
option ssid 'Wifi-Home'
option encryption 'sae-mixed'
option key 'xxxxxxxxxxx'
option network 'VLAN65'
option macaddr 'XXxxxx'
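To check the result of the steps above, the following added example (not part of the original thread) lists, for each SSID, the network it attaches to and the firewall zone that network is listed in, and flags SSIDs whose network has no interface stanza or no zone. The sample input is constructed, modelled on the stanzas in the post, and the script assumes one network per `option network` or `list network` line.

```sh
# Added example: trace each SSID to its network and firewall zone.
# stdin: concatenated /etc/config/wireless, network and firewall text.
audit_ssid_zones() {
    awk -v q="'" '
    function unq(s) { gsub("[" q "\"]", "", s); return s }
    function value(line) { sub(/^[ \t]*[a-z]+[ \t]+[^ \t]+[ \t]+/, "", line); return unq(line) }
    $1 == "config" {
        type = $2
        if (type == "wifi-iface") w++
        if (type == "zone") z++
        if (type == "interface") iface[unq($3)] = 1
        next
    }
    $1 != "option" && $1 != "list" { next }
    { v = value($0) }
    type == "wifi-iface" && $2 == "ssid"    { ssid[w] = v }
    type == "wifi-iface" && $2 == "network" { net[w] = v }
    type == "zone" && $2 == "name"          { zname[z] = v }
    type == "zone" && $2 == "forward"       { zfwd[z] = v }
    type == "zone" && $2 == "network"       { zone_of[v] = z }
    END {
        for (i = 1; i <= w; i++) {
            n = net[i]
            if (!(n in iface))        state = "NO-INTERFACE"
            else if (!(n in zone_of)) state = "NO-ZONE"
            else state = "zone=" zname[zone_of[n]] " forward=" zfwd[zone_of[n]]
            print ssid[i] "|" n "|" state
        }
    }'
}
# Constructed sample input: VLAN70 is deliberately left out of every zone.
sample_uci() {
    cat <<'EOF'
config wifi-iface 'wifinet12'
    option ssid 'Wifi-Home'
    option network 'VLAN65'
config wifi-iface 'wifinet13'
    option ssid 'Lab'
    option network 'VLAN70'
config interface 'VLAN65'
    option device 'br-vlan65'
config interface 'VLAN70'
config zone
    option name 'lan'
    option forward 'ACCEPT'
    list network 'VLAN65'
EOF
}
sample_uci | audit_ssid_zones
```

On the router: `cat /etc/config/wireless /etc/config/network /etc/config/firewall | audit_ssid_zones`.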