Full VLAN Segmentation for GL-BE9300 (Wi-Fi 7 + Qualcomm Lithium)

Why I'm sharing this with the community
Many of us bought the GL-BE9300 to take advantage of its next-gen hardware (Wi-Fi 7, 10Gbps, IPQ5332), but the Qualcomm SDK is extremely strict. Manually configuring VLANs often breaks Wi-Fi or causes permission errors.
I’ve reverse-engineered the qcawificfg80211 drivers and the system bridge structure to unlock this potential. I believe the hardware should serve the user, and my goal is for everyone to have a segmented, secure, and ultra-fast network without the headache.
:white_check_mark: Full Integration with GL-iNet
This is not a modified firmware; it’s a professional optimization that does not break factory features. You will still have:

  • VPN (WireGuard/OpenVPN): 100% functional.
  • AdGuard Home: Active filtering on all new VLANs.
  • Tailscale: Remote access remains intact.
  • GL.iNet Panel: Full stability and compatibility with native services.

:warning: SECURITY WARNING
This script is 100% functional, but the Qualcomm Lithium SDK is very sensitive.

  • Do not modify variables unless you know what you are doing, or the router might enter a crash loop.
  • Risk: A bad internal switch configuration can turn your router into a nice and expensive paperweight (requiring U-Boot recovery).
  • Recommendation: Use it exactly as provided after a Factory Reset.

Prerequisites

  • Access via SSH.
  • Install an editor: opkg update && opkg install nano.

The Master Script
This script configures Port 3 as a Trunk, creates VLANs 10-50, brings up the corresponding Wi-Fi 7 SSIDs, and ensures Firewall isolation.

Instructions:

  • Create the file: nano setup_vlan.sh
  • Paste the code below. IMPORTANT: Find the line set wireless.wifi_vlan$v.key and change 'YOUR_PASSWORD' to your desired one.
  • Save (Ctrl+O), Exit (Ctrl+X), and run: chmod +x setup_vlan.sh && ./setup_vlan.sh

```sh
#!/bin/sh
# Master Script: Reverse Engineering Qualcomm Lithium BE9300
# Configures VLANs 10-50, Wi-Fi 7 SSIDs, and Bridges with persistence

echo "=== 1. Configuring Switch and Bridges (Port 3 Trunk) ==="
# uci batch only accepts uci commands (no shell loops), so the loop runs in
# the shell and the generated commands are piped into uci batch.
{
  # Switch Config (Port 3 as Trunk, CPU on 6t)
  echo "delete network.@switch_vlan[0]"
  for v in 10 20 30 40 50; do
    # The Secret: Create a Layer 2 Bridge for the Qualcomm driver
    # (the network.VLAN_$v lines below)
    cat <<EOF
add network switch_vlan
set network.@switch_vlan[-1].device='switch1'
set network.@switch_vlan[-1].vlan="$v"
set network.@switch_vlan[-1].ports='6t 3t'
set network.VLAN_$v=interface
set network.VLAN_$v.type='bridge'
set network.VLAN_$v.ifname="eth1.$v"
set network.VLAN_$v.proto='static'
set network.VLAN_$v.ipaddr="192.168.$v.1"
set network.VLAN_$v.netmask='255.255.255.0'
EOF
  done
  echo "commit network"
} | uci batch

echo "=== 2. Configuring Wireless (qcawificfg80211 Driver) ==="
{
  # Create SSIDs linked to bridges (VLAN 50 remains wired-only)
  for v in 10 20 30 40; do
    cat <<EOF
set wireless.wifi_vlan$v=wifi-iface
set wireless.wifi_vlan$v.device='wifi0'
set wireless.wifi_vlan$v.network="VLAN_$v"
set wireless.wifi_vlan$v.mode='ap'
set wireless.wifi_vlan$v.ssid="GL-BE9300-VLAN$v"
set wireless.wifi_vlan$v.encryption='psk2'
set wireless.wifi_vlan$v.key='YOUR_PASSWORD_HERE'
EOF
  done
  echo "commit wireless"
} | uci batch

echo "=== 3. Firewall and DHCP (Isolation & WAN) ==="
for v in 10 20 30 40 50; do
    # Firewall Zone
    uci set firewall.vlan$v=zone
    uci set firewall.vlan$v.name="VLAN_$v"
    uci set firewall.vlan$v.network="VLAN_$v"
    uci set firewall.vlan$v.input='ACCEPT'
    uci set firewall.vlan$v.forward='REJECT'
    uci set firewall.vlan$v.output='ACCEPT'

    # WAN Forwarding
    uci add firewall forwarding
    uci set firewall.@forwarding[-1].src="VLAN_$v"
    uci set firewall.@forwarding[-1].dest='wan'

    # DHCP Server with AdGuard Home support (Option 6)
    uci set dhcp.VLAN_$v=dhcp
    uci set dhcp.VLAN_$v.interface="VLAN_$v"
    uci set dhcp.VLAN_$v.start='100'
    uci set dhcp.VLAN_$v.limit='150'
    uci set dhcp.VLAN_$v.leasetime='12h'
    uci add_list dhcp.VLAN_$v.dhcp_option="6,192.168.$v.1"
done
uci commit firewall
uci commit dhcp

echo "=== 4. Restarting services in background ==="
sleep 2
/etc/init.d/network restart > /dev/null 2>&1 &
sleep 5
/etc/init.d/firewall restart > /dev/null 2>&1 &
/etc/init.d/dnsmasq restart > /dev/null 2>&1 &
wifi down && wifi up > /dev/null 2>&1 &

echo "Process finished. The network will stabilize in a few seconds."
```

FAQ: Frequently Asked Questions

  • Will I lose speed? No. By using native bridges, the Qualcomm chip utilizes its hardware acceleration.
  • Why did my SSH disconnect? This is normal. The router restarts the switch to apply VLANs. Wait 30 seconds and log back in.
  • Can I change the Wi-Fi names? Yes, edit the script where it says ssid=, but keep the rest of the structure intact.
1 Like
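
A way to check the isolation the script above is meant to provide, as an added example that is not part of the original post: it reads `uci show firewall` text and flags any forwarding that links a `VLAN_*` zone to anything other than `wan`, and notes VLAN zones whose `input` policy is `ACCEPT` (that policy governs traffic addressed to the router itself). The function names and the sample dump are constructed for illustration; the zone naming follows the script.

```shell
#!/bin/sh
# Added example: audit `uci show firewall` text (stdin) for VLAN isolation gaps.
flush_section() {   # report on the section just parsed (uses the variables below)
    case "$stype:$name:$input" in
        zone:VLAN_*:ACCEPT) echo "NOTE zone $name input=ACCEPT: router services reachable from this VLAN" ;;
    esac
    [ "$stype" = forwarding ] || return 0
    case "$src:$dest" in
        :*|*:|VLAN_*:wan) ;;                        # incomplete, or the expected VLAN -> WAN
        VLAN_*:*|*:VLAN_*) echo "LEAK forwarding $src -> $dest" ;;
    esac
}

audit_firewall() {
    stype="" name="" input="" src="" dest=""
    while IFS='=' read -r key val; do
        val=${val#\'}; val=${val%\'}                # strip uci's single quotes
        case "$key" in
            firewall.*.*)                           # option line: section.option
                case "${key##*.}" in
                    name) name=$val ;; input) input=$val ;;
                    src) src=$val ;; dest) dest=$val ;;
                esac ;;
            firewall.*)                             # section header: a new section starts
                flush_section
                stype=$val name="" input="" src="" dest="" ;;
        esac
    done
    flush_section
}

# Constructed sample: one VLAN zone plus a stray VLAN_10 -> VLAN_20 forwarding.
sample_dump() {
    cat <<'EOF'
firewall.vlan10=zone
firewall.vlan10.name='VLAN_10'
firewall.vlan10.input='ACCEPT'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='VLAN_10'
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='VLAN_10'
firewall.@forwarding[2].dest='VLAN_20'
EOF
}

sample_dump | audit_firewall   # on the router: uci show firewall | audit_firewall
```

An empty result for the `LEAK` lines means no forwarding section bridges two VLAN zones; `NOTE` lines are informational and will appear for every zone the script creates.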

Hello,

Thank you very much for sharing!

It looks like the placement of your code block delimiter (```) is incorrect. Would you mind if I edit the original text and correct it? Or you can re-edit the post to correct the delimiter, please.

1 Like

Yes, no problem, do what you have to do; have a good day. :slightly_smiling_face:

1 Like
