Force DHCP of upper subnet?

I have a main router with an Ethernet cord going into the back of the second router’s WAN port. The network on the second router is in a separate subnet.

Is there any way to force a few of the LAN port interfaces on the secondary router to receive IP addresses from the upper subnet? I need those devices to be on the upper network.

Also wondering if there is any way to stop a client on the lower subnet from being routed through the WireGuard tunnel running on the main router.

I think since you are talking about multiple interfaces here, it reminds me of a situation I had :slight_smile:

I think it is best to use VLANs to segregate them further in your network; this way you don't have to deal with double NAT and you can have clients connected as if they were connected to your main router.

If you need help let us know :+1:, what are the two routers' names?


Hi xize11,

Thank you. I couldn’t seem to get the VLAN working the way I wanted, but perhaps you might be able to help. Here is my network topology and what I’m trying to do:

Is this possible? The Flint 2 is the GL-MT6000 and the Flint 1 is the GL-AX1800. I couldn’t seem to get DHCP to serve an IP address from the DHCP scope defined in the VLAN I had set up nor could I get internet access from the port. Would be very grateful if we could make this happen because I need the other few switch ports on the back of the Flint 1 to remain in the main network subnet.

Thank you!

This should definitely be possible, but I'm stuck on the bridge mode part. What changes did you make here? :slight_smile: From the GL docs I read that bridge mode is only on non-WiFi devices.

Since you already made some progress, please post the configuration of the Flint 2 for network, firewall and dhcp from /etc/config/; also please strip all the private parts if they are not needed :+1:

^ Also, if you'd rather use LuCI screenshots, that is fine too: LuCI → Network → Interfaces → Devices → br-lan → VLAN filtering, and LuCI → Network → Firewall.

You can use ``` to write the code and [details="clickable text"] [/details] to make it expandable.

Hi xize,

Good to know this is a possibility!

I put the Flint 1 into bridge mode/access point mode by going to Network Mode under Network in the GL-iNet GUI. This disables DHCP and NAT functions, but if getting the job done is easier with the Flint 1 in full router mode I can do that too.

Do I need to SSH into the router for the information?

Ah, I see :slight_smile: I have never used AP mode before; in my setup I use router mode, but I don't think it should make a huge difference. In router mode I think I configured it much the same.

You could use WinSCP; this works similar to FTP but over SSH :+1:

I have a Mac unfortunately :slightly_frowning_face: Whichever way is easiest, I’d be glad to get the information.

I think it is best to use Fugu or Cyberduck, though I've no experience with either; that's what I see suggested on the WinSCP forum.

I’ve used Cyberduck before, although not for this purpose. Can you provide a bit of guidance on how to get the information you need via SSH or another method?

Best is to use SCP; I believe Cyberduck supports it too. Otherwise you might need to install openssh-sftp-server via the plugins, which allows you to connect to it.

In Cyberduck you probably have an option to set up a server: this server is the IP of your router, root is the user and the password is the same as for the admin panel :slight_smile:

This will give you an FTP-like window; then it's just navigating to /etc/config and you can drag and drop the files onto the desktop.

I tried to get the information using Cyberduck but I keep getting an “EOF while reading packet” error. I made sure SSH remote access is enabled in the router security settings, but I am still unable to log in :frowning: Weird, because I seem to be able to SSH in via Terminal.

Is there a way to select the number of connections, by chance? Try one connection :slight_smile:

Or openssh-sftp is not installed on the router.


This did the trick! I installed the package, and I can now SSH into the router successfully via Cyberduck. Should I send the information to you via a direct message?


No, you can send it here; also, for educational purposes, maybe other people will look at this for a solution too :+1:

Not too certain what information I should leave out, if you don’t mind offering guidance on this.

This can be MAC addresses, the exposure of your real IP, VPN endpoints and/or keys of a VPN :+1:

Most are in the network configuration.

I just realized that I didn’t SSH into the second router where I want the VLAN, only the main one :confused:

As of right now, I’m still unable to get into the second router. I’m still getting the EOF error even though I installed the openssh packages for both server and client on the second router. Any suggestions? I don’t see a security tab on the older Flint 1 where I can check the box for allowing remote SSH access like there is on the Flint 2.

Hmm, given that your Flint 1 is downstream in your network, I would suggest only showing the Flint 2 configuration for now. For the Flint 1 you may want to delete the wan zone or set input to accept for wan in LuCI; that makes it easier to get into it from upstream :grin:

Since for the Flint 1 it is only required to use eth0.<vlanid> through LuCI, it's not super complex :grinning:. If it does not work well, then it has to be the firewall zone input which needs to be set to accept.

Here is firewall:


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	list network 'secondwan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'
	option enabled '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

config rule 'block_dns'
	option name 'block_dns'
	option src '*'
	option device 'br-*'
	option dest_port '53'
	option target 'REJECT'
	option enabled '0'

config zone
	option name 'guest'
	option network 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'
	option enabled '1'

config rule
	option name 'Allow-DHCP'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule
	option name 'Allow-DNS'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config include 'vpn_server_policy'
	option type 'script'
	option path '/etc/firewall.vpn_server_policy.sh'
	option reload '1'
	option enabled '1'

config redirect 'adguard_home'
	option name 'Adguard Home'
	option src 'lan'
	option src_dport '53'
	option dest 'lan'
	option dest_port '3053'
	option proto 'tcpudp'

config redirect 'adguard_home_guest'
	option name 'Adguard Home guest'
	option src 'guest'
	option src_dport '53'
	option dest 'guest'
	option dest_port '3053'
	option proto 'tcpudp'

config zone 'wgclient'
	option name 'wgclient'
	option forward 'DROP'
	option output 'ACCEPT'
	option mtu_fix '1'
	option network 'wgclient'
	option enabled '1'
	option input 'ACCEPT'
	option masq '1'
	option masq6 '1'

config forwarding 'wgclient2wan'
	option src 'wgclient'
	option dest 'wan'
	option enabled '1'

config forwarding 'lan2wgclient'
	option src 'lan'
	option dest 'wgclient'
	option enabled '1'

config forwarding 'guest2wgclient'
	option src 'guest'
	option dest 'wgclient'
	option enabled '1'

config forwarding 'wgserver2wgclient'
	option src 'wgserver'
	option dest 'wgclient'
	option enabled '1'

config forwarding 'wgserver2ovpnclient'
	option src 'wgserver'
	option dest 'ovpnclient'
	option enabled '1'

config rule 'wgserver_allow'
	option name 'wgserver_allow'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp tcp'
	option family 'ipv4'
	option dest_port '51820'
	option enabled '1'

config zone 'wgserver'
	option name 'wgserver'
	option output 'ACCEPT'
	option mtu_fix '1'
	option network 'wgserver'
	option input 'ACCEPT'
	option masq '1'
	option masq6 '1'
	option enabled '1'
	option forward 'REJECT'

config forwarding 'wgserver2wan'
	option src 'wgserver'
	option dest 'wan'
	option enabled '1'

config forwarding 'lan2wgserver'
	option src 'lan'
	option dest 'wgserver'
	option enabled '1'

config rule 'safe_mode_lan'
	option name 'safe_mode_lan'
	option proto 'all'
	option src 'lan'
	option dest 'wan'
	option target 'DROP'
	option enabled '0'

config rule 'safe_mode_guest'
	option name 'safe_mode_guest'
	option proto 'all'
	option src 'guest'
	option dest 'wan'
	option target 'DROP'
	option enabled '0'

config rule 'safe_mode_mark'
	option name 'safe_mode_mark'
	option src '*'
	option device 'br-*'
	option dest_port '53'
	option set_xmark '0x20000/0x20000'
	option target 'MARK'
	option enabled '0'

config rule 'safe_mode_mark_save'
	option name 'safe_mode_mark_save'
	option src '*'
	option device 'br-+'
	option dest_port '53'
	option set_xmark '0x20000/0x20000'
	option extra '-j CONNMARK --save-mark --nfmask 0x20000 --ctmask 0x20000'
	option target 'MARK'
	option enabled '0'

config rule 'safe_mode_mark_drop'
	option name 'safe_mode_mark_drop'
	option dest 'wan'
	option dest_port '53'
	option mark '0x20000/0x20000'
	option target 'DROP'
	option enabled '0'

config forwarding 'wgclient2lan'
	option src 'wgclient'
	option dest 'lan'
	option enabled '1'

config rule 'sambasharewan'
	option src 'wan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'DROP'

config rule 'sambasharelan'
	option src 'lan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'ACCEPT'

config rule 'glnas_ser'
	option src 'wan'
	option dest_port '6000-6002'
	option dest_proto 'tcp'
	option target 'DROP'

config rule 'webdav_wan'
	option src 'wan'
	option dest_port '6008'
	option dest_proto 'tcp'
	option target 'DROP'

config forwarding 'wgserver2lan'
	option src 'wgserver'
	option dest 'lan'
	option enabled '1'

config include 'gls2s'
	option type 'script'
	option path '/var/etc/gls2s.include'
	option reload '1'

config include 'glblock'
	option type 'script'
	option path '/usr/bin/gl_block.sh'
	option reload '1'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'wan'
	option src_dport '1935'
	option dest_ip '192.168.8.100'
	option dest_port '1935'
	option name 'PS5'
	list proto 'tcp'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'PS5'
	list proto 'tcp'
	option src 'wan'
	option src_dport '3478-3480'
	option dest_ip '192.168.8.100'
	option dest_port '3478-3480'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'PS5'
	list proto 'udp'
	option src 'wan'
	option src_dport '3074'
	option dest_ip '192.168.8.100'
	option dest_port '3074'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'PS5'
	list proto 'udp'
	option src 'wan'
	option src_dport '3478-3479'
	option dest_ip '192.168.8.100'
	option dest_port '3478-3479'

config forwarding 'wgserver2wgserver'
	option src 'wgserver'
	option dest 'wgserver'
	option enabled '0'

config rule 'https_wan'
	option src 'wan'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'

config rule 'ssh_wan'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'


Here is network:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd59:579c:8d55::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config device
	option name 'lan1'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan2'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan3'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan4'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan5'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option isolate '0'

config device
	option name 'eth1'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option force_link '0'
	option ipv6 '0'
	option metric '10'
	option disabled '0'

config interface 'wan6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@wan'

config interface 'tethering6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@tethering'

config interface 'wwan6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@wwan'

config interface 'guest'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '172.16.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option multicast_querier '1'
	option igmp_snooping '0'
	option isolate '0'
	option bridge_empty '1'
	option disabled '0'

config interface 'wwan'
	option proto 'dhcp'
	option metric '20'

config interface 'secondwan'
	option ipv6 '0'
	option proto 'dhcp'
	option metric '15'
	option force_link '0'

config interface 'secondwan6'
	option proto 'dhcpv6'
	option disabled '1'
	option metric '15'
	option device '@secondwan'

config interface 'modem_1_1_2_6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@modem_1_1_2'

config rule 'policy_direct_rt'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule 'policy_default_rt_vpn'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule6 'policy_direct_rt6'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule6 'policy_default_rt_vpn6'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config interface 'wgclient'
	option proto 'wgclient'
	option config 'peer_2001'
	option disabled '0'

config interface 'wgserver'
	option proto 'wgserver'
	option config 'main_server'
	option disabled '0'

config route
	option interface 'wgserver'
	option type 'local'
	option target '192.168.8.1/32'


Here is dhcp:


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '0'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option noresolv '1'
	list server '127.0.0.1#3053'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '31'
	option leasetime '720m'
	option dhcpv4 'server'
	option dhcpv6 'disabled'
	option ra 'disabled'
	option ra_slaac '1'
	option force '1'
	option ignore '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option name 'console.gl-inet.com'
	option ip '192.168.8.1'

config domain
	option name 'console.gl-inet.com'
	option ip '::ffff:192.168.8.1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '31'
	option leasetime '720m'
	option dhcpv6 'disabled'
	option ra 'disabled'
	option ignore '0'

config dhcp 'secondwan'
	option interface 'secondwan'
	option ignore '1'

config domain
	option name 'login.router.com'
	option ip '10.10.0.1'

config host
	option mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.8.100'
	option tag 'name'

config host
	option mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.8.115'
	option tag 'name'



What you can do is the following:

Go into Advanced configuration/LuCI → Network → Interfaces → Devices tab.

There you can edit br-lan, then click on VLAN filtering.

Then you click on Add; you see VLAN number 1 on the left, make it untagged on all ports.

Untagged means: the VLAN only reaches the destination port. You can only have one per port (technically you can define more, but it will only send one); you can also kind of see it as your default VLAN for that port.

Tagged means: it tags the VLAN and it can traverse beyond one port. You can have multiple tagged VLANs, and also combine them with untagged VLANs.

So let's say you create another row with VLAN 2; then you can set this one as tagged on the port to the Flint 1 and choose "ignore" for the rest of the ports.

Etcetera, etcetera.

But don't Save & Apply yet: now you need to go back to LuCI → Network → Interfaces → Interfaces tab and edit lan, then change the device to br-lan.1 to avoid locking yourself out :slight_smile:

For the other VLANs you can create a new interface that covers the new br-lan.<vlan number>; you can use any local IP you want as long as it's RFC1918.

The subnet mask is 255.255.255.0 and the gateway is left empty; also click on the Advanced tab and uncheck the "Use default gateway" checkbox. This is so that traffic doesn't originate from interfaces other than wan or vpn; only lan is allowed to follow it.

You can also create a new firewall zone and forward it to wan; you can do that in LuCI → Firewall and then clicking Edit on a zone.

Well, let me know how far you get :+1:. It's probably a little intimidating, but once you know it, it is easy. I wish I could make some screenshots but I'm on a phone at the moment :grinning:

Here's a video which can be really useful :grin:
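The steps above, written out as UCI commands for the Flint 2, as an added example that is not code from the thread or from GL-iNet. It assumes things the thread does not state: the Flint 1 hangs off lan5, the new VLAN has id 2, and its RFC1918 subnet is 192.168.2.0/24 (all overridable via environment variables).

```shell
#!/bin/sh
# Added example, not from the thread: 'uci batch' script for the VLAN steps
# on the Flint 2 (DSA bridge br-lan with ports lan1-lan5, as in the posted
# network config). Assumed: Flint 1 on lan5, VLAN id 2, subnet 192.168.2.0/24.
UPLINK_PORT="${UPLINK_PORT:-lan5}"
VLAN_ID="${VLAN_ID:-2}"
VLAN_ADDR="${VLAN_ADDR:-192.168.2.1}"

# Print the batch: VLAN 1 untagged (default) on all ports, VLAN $VLAN_ID
# tagged only on the uplink port, lan moved to br-lan.1 so the router stays
# reachable, a new interface on br-lan.$VLAN_ID with no default route, its
# DHCP pool, and a separate firewall zone that is forwarded to wan only.
vlan_batch() {
    v="$VLAN_ID"
    echo "add network bridge-vlan"
    echo "set network.@bridge-vlan[-1].device='br-lan'"
    echo "set network.@bridge-vlan[-1].vlan='1'"
    for p in lan1 lan2 lan3 lan4 lan5; do
        echo "add_list network.@bridge-vlan[-1].ports='$p:u*'"
    done
    echo "add network bridge-vlan"
    echo "set network.@bridge-vlan[-1].device='br-lan'"
    echo "set network.@bridge-vlan[-1].vlan='$v'"
    echo "add_list network.@bridge-vlan[-1].ports='$UPLINK_PORT:t'"
    echo "set network.lan.device='br-lan.1'"
    cat <<EOF
set network.vlan$v=interface
set network.vlan$v.device='br-lan.$v'
set network.vlan$v.proto='static'
set network.vlan$v.ipaddr='$VLAN_ADDR'
set network.vlan$v.netmask='255.255.255.0'
set network.vlan$v.defaultroute='0'
set dhcp.vlan$v=dhcp
set dhcp.vlan$v.interface='vlan$v'
set dhcp.vlan$v.start='100'
set dhcp.vlan$v.limit='50'
set dhcp.vlan$v.leasetime='12h'
set firewall.vlan$v=zone
set firewall.vlan$v.name='vlan$v'
add_list firewall.vlan$v.network='vlan$v'
set firewall.vlan$v.input='ACCEPT'
set firewall.vlan$v.output='ACCEPT'
set firewall.vlan$v.forward='REJECT'
set firewall.vlan${v}_wan=forwarding
set firewall.vlan${v}_wan.src='vlan$v'
set firewall.vlan${v}_wan.dest='wan'
commit
EOF
}

# Apply only on the router itself (uci present) and only when APPLY=1;
# otherwise just print the batch so it can be reviewed before committing.
if [ "${APPLY:-0}" = "1" ] && command -v uci >/dev/null 2>&1; then
    vlan_batch | uci batch && reload_config
else
    vlan_batch
fi
```

Review the printed output first, then run it with `APPLY=1` over SSH on the Flint 2; the zone forwards only to wan, so VLAN 2 clients do not get a forwarding into lan or the wgclient zone unless you add one.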