Flint 3 (GL-BE9300) as AP behind pfSense: multiple SSIDs -> VLAN + Random BSSID

Hello,

Topology:

  • Primary Router with Multi-VLANs (LAN) <---> Unmanaged Switch <---> (WAN) BE9300 with Multi-SSIDs
  • Primary Router (LAN) <---> Switch with Multi-VLANs <---> (WAN) BE9300 with Multi-SSIDs

Like yours: pfSense (LAN) <---> (WAN) BE9300 with Multi-SSIDs

Conditions:

  1. The Primary Router or Switch is configured with multiple tagged (trunk) VLANs (in this example, VLAN 100 and VLAN 2000).
  2. The BE9300 is used as an AP.

Notes:

  1. The BE9300 itself has no Internet access; please configure the WAN port in the GL GUI with a VLAN ID that provides Internet access.
  2. Since the BE9300 is acting only as an AP, if you need isolation between VLANs, please configure it on the primary router or layer-3 switch using ACLs (iptables/nftables).
  3. Up to 4 radios per frequency. You can refer to the UCI below to modify the Wi‑Fi settings for the primary and the guest.
  4. BSSID randomization should still be effective, same as with GL original WiFi.
  5. It will persist even after reboot. Roaming requires 802.11k/v/r to be enabled; please refer to this thread. Firmware upgrades will not overwrite these settings.

UCI Action breakdown:

  1. No need to change the BE9300 network mode (leave it in the default, Router mode); this makes the BE9300 easier for users to manage.
  2. Create VLAN interfaces on the BE9300 for WAN (e.g., eth0.x on the BE9300). Note that the WAN on the BE9300 and MT6000 is eth0; on other models it is eth1.
  3. Create network bridges and interfaces on the BE9300 and bind the VLAN interface eth0.x to the specified network bridge; this will directly pass through the AP's traffic.
  4. Create AP radios (SSIDs) on the BE9300 and bind them to the bridge.
  5. Place the newly created interface into the LAN zone.

SSH to the router and execute these commands in one step:

# 1. Add VLAN Virtual Interface
uci set network.vlan100_dev=device
uci set network.vlan100_dev.type='8021q'
uci set network.vlan100_dev.ifname='eth0'
uci set network.vlan100_dev.vid='100'
uci set network.vlan100_dev.name='eth0.100'

uci set network.vlan200_dev=device
uci set network.vlan200_dev.type='8021q'
uci set network.vlan200_dev.ifname='eth0'
uci set network.vlan200_dev.vid='200'
uci set network.vlan200_dev.name='eth0.200'

# 2. Add Bridge 
uci set network.br_vlan100=device
uci set network.br_vlan100.type='bridge'
uci set network.br_vlan100.name='br-vlan100'
uci add_list network.br_vlan100.ports='eth0.100'

uci set network.br_vlan200=device
uci set network.br_vlan200.type='bridge'
uci set network.br_vlan200.name='br-vlan200'
uci add_list network.br_vlan200.ports='eth0.200'


# 3. Add Network Interface
uci set network.vlan100=interface
uci set network.vlan100.proto='none' 
uci set network.vlan100.device='br-vlan100'

uci set network.vlan200=interface
uci set network.vlan200.proto='none' 
uci set network.vlan200.device='br-vlan200'

# 4. Add WiFi SSIDs (replace the example key 'goodlife' with your own passphrase)
uci set wireless.wifi6g1=wifi-iface
uci set wireless.wifi6g1.device='wifi2'
uci set wireless.wifi6g1.network='vlan100'
uci set wireless.wifi6g1.mode='ap'
uci set wireless.wifi6g1.ssid='GL-Router-vlan100-6G'
uci set wireless.wifi6g1.encryption='ccmp'
uci set wireless.wifi6g1.sae_pwe='1'
uci set wireless.wifi6g1.key='goodlife'
uci set wireless.wifi6g1.wds='1'
uci set wireless.wifi6g1.isolate='0'
uci set wireless.wifi6g1.hidden='0'
uci set wireless.wifi6g1.ifname='wlan24'
uci set wireless.wifi6g1.ieee80211k='1'
uci set wireless.wifi6g1.bss_transition='1'
uci set wireless.wifi6g1.sae='1'
uci set wireless.wifi6g1.acs_6g_only_psc='1'
uci set wireless.wifi6g1.disabled='0'

uci set wireless.wifi6g2=wifi-iface
uci set wireless.wifi6g2.device='wifi2'
uci set wireless.wifi6g2.network='vlan200'
uci set wireless.wifi6g2.mode='ap'
uci set wireless.wifi6g2.ssid='GL Router-vlan200-6G'
uci set wireless.wifi6g2.encryption='ccmp'
uci set wireless.wifi6g2.sae_pwe='1'
uci set wireless.wifi6g2.key='goodlife'
uci set wireless.wifi6g2.wds='1'
uci set wireless.wifi6g2.isolate='0'
uci set wireless.wifi6g2.hidden='0'
uci set wireless.wifi6g2.ifname='wlan25'
uci set wireless.wifi6g2.ieee80211k='1'
uci set wireless.wifi6g2.bss_transition='1'
uci set wireless.wifi6g2.sae='1'
uci set wireless.wifi6g2.acs_6g_only_psc='1'
uci set wireless.wifi6g2.disabled='0'

uci set wireless.wifi5g1=wifi-iface
uci set wireless.wifi5g1.device='wifi1'
uci set wireless.wifi5g1.network='vlan100'
uci set wireless.wifi5g1.mode='ap'
uci set wireless.wifi5g1.ssid='GL Router-vlan100-5G'
uci set wireless.wifi5g1.encryption='psk2+ccmp'
uci set wireless.wifi5g1.key='goodlife'
uci set wireless.wifi5g1.wds='1'
uci set wireless.wifi5g1.isolate='0'
uci set wireless.wifi5g1.hidden='0'
uci set wireless.wifi5g1.ifname='wlan14'
uci set wireless.wifi5g1.ieee80211k='1'
uci set wireless.wifi5g1.bss_transition='1'
uci set wireless.wifi5g1.sae='0'
uci set wireless.wifi5g1.disabled='0'

uci set wireless.wifi5g2=wifi-iface
uci set wireless.wifi5g2.device='wifi1'
uci set wireless.wifi5g2.network='vlan200'
uci set wireless.wifi5g2.mode='ap'
uci set wireless.wifi5g2.ssid='GL Router-vlan200-5G'
uci set wireless.wifi5g2.encryption='psk2+ccmp'
uci set wireless.wifi5g2.key='goodlife'
uci set wireless.wifi5g2.wds='1'
uci set wireless.wifi5g2.isolate='0'
uci set wireless.wifi5g2.hidden='0'
uci set wireless.wifi5g2.ifname='wlan15'
uci set wireless.wifi5g2.ieee80211k='1'
uci set wireless.wifi5g2.bss_transition='1'
uci set wireless.wifi5g2.sae='0'
uci set wireless.wifi5g2.disabled='0'

uci set wireless.wifi2g1=wifi-iface
uci set wireless.wifi2g1.device='wifi0'
uci set wireless.wifi2g1.network='vlan100'
uci set wireless.wifi2g1.mode='ap'
uci set wireless.wifi2g1.ssid='GL Router-vlan100-2.4G'
uci set wireless.wifi2g1.encryption='psk2+ccmp'
uci set wireless.wifi2g1.key='goodlife'
uci set wireless.wifi2g1.wds='1'
uci set wireless.wifi2g1.isolate='0'
uci set wireless.wifi2g1.hidden='0'
uci set wireless.wifi2g1.ifname='wlan04'
uci set wireless.wifi2g1.ieee80211k='1'
uci set wireless.wifi2g1.bss_transition='1'
uci set wireless.wifi2g1.sae='0'
uci set wireless.wifi2g1.disabled='0'

uci set wireless.wifi2g2=wifi-iface
uci set wireless.wifi2g2.device='wifi0'
uci set wireless.wifi2g2.network='vlan200'
uci set wireless.wifi2g2.mode='ap'
uci set wireless.wifi2g2.ssid='GL Router-vlan200-2.4G'
uci set wireless.wifi2g2.encryption='psk2+ccmp'
uci set wireless.wifi2g2.key='goodlife'
uci set wireless.wifi2g2.wds='1'
uci set wireless.wifi2g2.isolate='0'
uci set wireless.wifi2g2.hidden='0'
uci set wireless.wifi2g2.ifname='wlan05'
uci set wireless.wifi2g2.ieee80211k='1'
uci set wireless.wifi2g2.bss_transition='1'
uci set wireless.wifi2g2.sae='0'
uci set wireless.wifi2g2.disabled='0'

# 5. Add the new interfaces to the LAN firewall zone (firewall.@zone[0])
uci add_list firewall.@zone[0].network='vlan100'
uci add_list firewall.@zone[0].network='vlan200'

# 6. Commit changes and reboot the router
uci commit
reboot
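
An added example, not part of the original post: a read-only audit that follows each SSID through network, bridge and eth0.x to its VLAN ID, and flags SSIDs that end up untagged, still use the posted example key, or share one passphrase across different segments. The flag names, the `audit_uci` function and the `iot` SSID in the sample are constructed for illustration.

```shell
# Added example: read-only audit of `uci show` text. On the router:
#   { uci show network; uci show wireless; } | audit_uci
audit_uci() {
  awk '
    { i = index($0, "="); if (!i) next
      val = substr($0, i + 1); gsub(/\047/, "", val)        # drop single quotes
      split(substr($0, 1, i - 1), p, "."); o[p[1], p[2], p[3]] = val
      if (p[1] == "wireless" && p[3] == "ssid") order[++n] = p[2]
      if (p[1] == "network" && p[3] == "name") dev[val] = p[2] }  # device name -> section
    END {
      for (k = 1; k <= n; k++) {       # SSID -> network -> bridge -> eth0.N -> vid
        s = order[k]; vid[s] = "NONE"; key = o["wireless", s, "key"]
        br = o["network", o["wireless", s, "network"], "device"]
        m = split(o["network", dev[br], "ports"], port, " ")
        for (j = 1; j <= m; j++) { d = dev[port[j]]
          if (("network", d, "vid") in o) vid[s] = o["network", d, "vid"] }
        if (!((key, vid[s]) in seen)) { seen[key, vid[s]] = 1; segs[key]++ }
      }
      for (k = 1; k <= n; k++) {
        s = order[k]; key = o["wireless", s, "key"]; f = ""
        if (vid[s] == "NONE")  f = f " UNTAGGED"     # SSID not bridged to a VLAN port
        if (key == "goodlife") f = f " SAMPLE-KEY"   # passphrase published in the post
        if (segs[key] > 1)     f = f " SHARED-KEY"   # same PSK on different segments
        print o["wireless", s, "ssid"] " vlan=" vid[s] f
      }
    }'
}
# Constructed sample: the 5 GHz sections from the post plus a hypothetical "iot" SSID on untagged lan.
SAMPLE_CONFIG="network.vlan100_dev.vid='100'
network.vlan100_dev.name='eth0.100'
network.vlan200_dev.vid='200'
network.vlan200_dev.name='eth0.200'
network.br_vlan100.name='br-vlan100'
network.br_vlan100.ports='eth0.100'
network.br_vlan200.name='br-vlan200'
network.br_vlan200.ports='eth0.200'
network.vlan100.device='br-vlan100'
network.vlan200.device='br-vlan200'
wireless.wifi5g1.network='vlan100'
wireless.wifi5g1.ssid='GL Router-vlan100-5G'
wireless.wifi5g1.key='goodlife'
wireless.wifi5g2.network='vlan200'
wireless.wifi5g2.ssid='GL Router-vlan200-5G'
wireless.wifi5g2.key='goodlife'
wireless.iot.network='lan'
wireless.iot.ssid='iot'
wireless.iot.key='constructed-unique-passphrase'"
printf '%s\n' "$SAMPLE_CONFIG" | audit_uci
```

A `SHARED-KEY` flag matters here because a client that knows the passphrase for one SSID can join the other SSID's VLAN directly, regardless of the ACLs on the primary router.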