GL-BE3600 VLAN and multiple SSID writeup?

Hi there,

I've finally finished the battle of getting my new BE3600 to work as an access point (at full speed) with multiple SSIDs attached to multiple segregated VLANs.

It's a little tricky and took me quite a lot of factory resets and trial and error until I figured it out, so if anybody would like me to share my notes, I can.

Cheers,
Paul

Wow, please share a guide or docs with us, may help to some new users or potential users who want to configure the VLAN.

Please. if you can write them up, I have a public Wiki I could add them to, credited to your username here.

Absolutely no problem - a very quick note on it is here: Set up multiple SSIDs tagged with VLAN on Slate 7 (GL-BE3600) using DSA - #4 by pabb85

But I'll share my full notes and config files this morning once I get time to sanitise them 🙂

In the meantime, I've noted that WiFi breaks if you enable 802.11r "Fast Transition" on this device on WiFi networks you enable it for, if you have multiple SSIDs on the same device... Could this be raised as a bug to be fixed in the next version please?

You're a star, thank you

Okay so here we go - a little about my setup first: I'm running VLANs and doing my inter-VLAN firewalling/routing on a central OPNsense router. I have recently overhauled the network to follow best practice and not have mixed tagged/untagged networks on any link - so now a link is either an access port (untagged only) or a trunk (tagged only). Having said that, the below should work for mixed/hybrid links as well; just tweak where appropriate.

I've seen people try to use the LuCI UI to set this up, but it seems to want to reference the VLANs from bridges, and this fails. What I did was directly edit the config files and reference the VLANs directly from the eth0 device for the backhaul while creating a bridge device for the VLAN; then you can set up an interface on this bridge which can be assigned to a WiFi network.

This took quite a bit of trial-and-error and a lot of factory resets, but here's my latest process for setting up the GL-BE3600 with VLAN/multiple-SSID. In this example I'm simply setting the main WiFi (2.4GHz and 5GHz) to one main VLAN (I've left it named as "lan" to avoid any possible errors within scripts, etc, on the device), and another WiFi network (using a guest WiFi example in the config file, but you can add additional ones if you want) only on 2.4GHz for IoT devices, connecting to a different tagged VLAN. Finally, I have no management interface (web GUI) available on any of the WiFi networks - this is attached to a third VLAN (named office) - so WiFi consumers can't access the access point config, but I can manage it from my wired network.

My setup
VLAN Trunk into BE3600 "WAN" port (eth0)
VLAN-10 = office network to manage devices
VLAN-20 = main WiFi network (WiFi on a single SSID over 2.4GHz and 5GHz)
VLAN-40 = IoT WiFi network (single 2.4GHz SSID)
Port marked as "LAN" on device (eth1) set with a static IP and reserved for emergency device management

Steps

  • Factory reset (or take fresh BE3600 out of the box)
  • Connect to LAN port of device via ethernet using static IP 192.168.8.2 on your computer
  • Browse to admin console at 192.168.8.1 and set admin password (this will be your root password for the SSH/SCP stuff in a minute as well)
  • Connect WAN port to tagged VLAN port and follow GL.inet setup to establish connection (select Ethernet as backhaul - allow it to fail, go to manual setup for Ethernet, select static, give it the IP, gateway, DNS, and you'll see a VLAN tag option as well - set this VLAN tag entry for your main VLAN you want to use for WiFi) - this should get your first (main WiFi) tagged VLAN set up and connected to the WiFi
  • Enable AP mode and reconnect (you'll likely have a different IP for the device, it should show on the screen or you can check your DHCP server logs) - you can now connect through the WAN (tagged VLAN) side as well.
  • Use LuCI to set hostname (optional but advised)
  • Connect to the device with ssh root@<device-IP> (whatever the new IP is for the device)
  • Install the sftp server (opkg update && opkg install openssh-sftp-server)
  • Set up SSH keys with ssh-copy-id root@<device-IP> (optional, but it makes transferring the files back and forth a little easier if you're having to tweak and tune it multiple times, and for maintenance tasks)
  • Take the config files from the device with scp root@<device-IP>:/etc/config/wireless ./wireless-new && scp root@<device-IP>:/etc/config/network ./network-new && scp root@<device-IP>:/etc/config/firewall ./firewall-new
  • At this point you want to get your config files edited and ready on your local machine - I have included mine below and added comments to explain what I'm doing. I did find that the network and firewall ones are easier to do first from templates and just upload after tweaking them, but the number of MAC addresses in the wireless file means it is easier to edit the wireless config extracted from that exact device rather than work with a template.
  • Once you've edited them, and are happy with the IP assignments, VLAN numbers, MAC address for eth1 (the LAN ethernet port), etc - upload the firewall and network files with scp network root@<device-IP>:/etc/config/ && scp firewall root@<device-IP>:/etc/config/
  • Reboot and test - you should now have the BE3600 connected to and able to communicate with the VLANs
  • Connect to the device (ssh root@<device-IP>) and check bridges with brctl show; your VLANs should show up here and you should be able to do your ping, wget, iperf, etc, tests to your various VLANs from the device now.
  • In this example I would now, on my desktop, copy the copied-over wireless-new file to wireless and amend the option network 'lan' line under the section config wifi-iface 'guest2g' to connect instead to the iot network; also amend the SSIDs if you've been using temporary ones to test up to now. This may vary on your setup - for now I just wanted an additional 2.4GHz SSID for IoT devices, but you can reuse any of your unused guest WiFi networks - remember to set them to enabled (option disabled '0')
  • Upload the wireless file with scp wireless root@<device-IP>:/etc/config/
  • Reboot

That's it! Please let me know if you have any requests for clarification, spot any errors or improvements, etc. I have included my (sanitised) config files below; you'll have to update them in places with your IP addresses, your VLAN numbers, your specific desired config, etc.

/etc/config/network

# Leave this here, it is necessary
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# You may want to update this to match your system, take it from your network-new file
config globals 'globals'
	option ula_prefix 'fde5:X:X::/48'

# Setup VLAN-10 bridge
config device
	option name 'br-office'
	option type 'bridge'
	list ports 'eth0.10'
 
# Setup VLAN-10 interface and assign a static IP for mgmt
config interface 'office'
	option device 'br-office'
	option proto 'static'
	option ipaddr '192.168.X.X'
	option netmask '255.255.255.0'
	option gateway '192.168.X.X'
	list dns '192.168.X.X'

# Setup VLAN-20 bridge
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.20'

# Setup VLAN-20 interface with no IP - no mgmt from this VLAN/SSID
config interface 'lan'
	option device 'br-lan'
	option proto 'none'

# Setup VLAN-40 bridge
config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'eth0.40'

# Setup VLAN-40 interface with no IP - no mgmt from this VLAN/SSID
config interface 'iot'
	option device 'br-iot'
	option proto 'none'

# Setup physical port on device labelled 'LAN' - update this with the mac from your network-new file
config device
	option name 'eth1'
	option macaddr '94:83:XX:XX:XX:XX'
	option isolate '0'

# Setup 'LAN' port for emergency mgmt of device
config interface 'lan2'
	option device 'eth1'
	option proto 'static'
	option ipaddr '192.168.X.X'
	option netmask '255.255.255.0'

# All of the below is default and can stay (although it's mostly not used)
config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'
	option disabled '1'

config interface 'guest'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option multicast_querier '1'
	option igmp_snooping '0'
	option isolate '0'
	option bridge_empty '1'
	option disabled '1'

config rule 'policy_relay_lo_rt_lan'
	option lookup '16800'
	option in 'loopback'
	option priority '1'

config interface 'tethering6'
	option device '@tethering'
	option proto 'dhcpv6'
	option disabled '1'

config interface 'wwan6'
	option device '@wwan'
	option proto 'dhcpv6'
	option disabled '1'

config interface 'wwan'
	option proto 'dhcp'
	option classlessroute '0'
	option metric '20'

config interface 'secondwan'
	option ipv6 '0'
	option proto 'dhcp'
	option metric '15'
	option force_link '0'
	option classlessroute '0'

config interface 'secondwan6'
	option proto 'dhcpv6'
	option device '@secondwan'
	option disabled '1'

config rule 'policy_direct_rt'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule 'policy_default_rt_vpn'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule6 'policy_direct_rt6'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule6 'policy_default_rt_vpn6'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule 'policy_default_rt_vpn_ts'
	option lookup 'main'
	option priority '1099'
	option mark '0x80000/0xc0000'
	option invert '0'

/etc/config/firewall

# Can leave this as default
config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option disabled '0'

# VLAN-10 FW Rules - Open - allow upstream OPNsense router to manage firewalling
config zone
	option name 'office'
	list network 'office'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# VLAN-20 FW Rules - Open - allow upstream OPNsense router to manage firewalling
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# VLAN-40 FW Rules - Open - allow upstream OPNsense router to manage firewalling
config zone
	option name 'iot'
	list network 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# eth1 FW Rules - Open - for emergency mgmt using LAN port on device
config zone
	option name 'lan2'
	list network 'lan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Defunct now that the interfaces are bridged?  Included anyway
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	list network 'secondwan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Defunct now that the interfaces are bridged?  Included anyway
config forwarding
	option src 'office'
	option dest 'wan'
	option enabled '1'

# Defunct now that the interfaces are bridged?  Included anyway
config forwarding
	option src 'lan'
	option dest 'wan'
	option enabled '1'

# Defunct now that the interfaces are bridged?  Included anyway
config forwarding
	option src 'iot'
	option dest 'wan'
	option enabled '1'

# Defunct now that the interfaces are bridged?  Included anyway
config forwarding
	option src 'lan2'
	option dest 'wan'
	option enabled '1'

# All of the below is default and can stay
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option network 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'
	option enabled '1'

config rule
	option name 'Allow-DHCP'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule
	option name 'Allow-DNS'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

config include 'qcanssecm'
	option type 'script'
	option path '/etc/firewall.d/qca-nss-ecm'

config include 'glblock'
	option type 'script'
	option path '/usr/bin/gl_block.sh'
	option reload '1'

config include 'vpn_server_policy'
	option type 'script'
	option path '/etc/firewall.vpn_server_policy.sh'
	option reload '1'
	option enabled '1'

/etc/config/wireless - remember on this one that you're better off taking the file off your device and updating the "option network 'lan'" and other fields rather than trying to use this as a template - there are far too many mac addresses and it's so easy to make a mistake

# Setup 2.4GHz radio device
config wifi-device 'wifi0'
	option type 'qcawificfg80211'
	option channel 'auto'
	option macaddr '94:83:XX:XX:XX:XX'
	option hwmode '11beg'
	option disabled '0'
	option country 'DE'
	option txpower '30'
	option random_bssid '1'
	option band '2g'
	option htmode 'HT40'
	option legacy_rates '0'
	option noscan '0'

# Setup 2.4GHz SSID for the main WiFi, attached to VLAN-20 (network interface: lan)
config wifi-iface 'wifi2g'
	option device 'wifi0'
	option network 'lan'
	option mode 'ap'
	option ssid 'WiFi-name-goes-here'
	option encryption 'psk2+ccmp'
	option macaddr '94:83:XX:XX:XX:XX'
	option factory_macaddr '94:83:XX:XX:XX:XX'
	option key 'XXXXXXXXXXXXX'
	option wds '1'
	option isolate '0'
	option ifname 'wlan0'
	option ieee80211k '1'
	option bss_transition '1'
	option sae '0'
	option hidden '0'

# Setup 5GHz radio device
config wifi-device 'wifi1'
	option type 'qcawificfg80211'
	option channel 'auto'
	option macaddr '94:83:XX:XX:XX:XX'
	option hwmode '11bea'
	option disabled '0'
	option country 'DE'
	option txpower '30'
	option random_bssid '1'
	option band '5g'
	option htmode 'HT160'
	option channels '36,40,44,48'

# Setup 5GHz SSID for the main WiFi, attached to VLAN-20 (network interface: lan)
config wifi-iface 'wifi5g'
	option device 'wifi1'
	option network 'lan'
	option mode 'ap'
	option ssid 'WiFi-name-goes-here'
	option encryption 'psk2+ccmp'
	option macaddr '94:83:XX:XX:XX:XX'
	option factory_macaddr '94:83:XX:XX:XX:XX'
	option key 'XXXXXXXXXXXXX'
	option wds '1'
	option isolate '0'
	option ifname 'wlan1'
	option ieee80211k '1'
	option bss_transition '1'
	option sae '0'
	option hidden '0'

# Setup 2.4GHz SSID for the IoT, attached to VLAN-40 (network interface: iot)
config wifi-iface 'guest2g'
	option device 'wifi0'
	option network 'iot'
	option mode 'ap'
	option ifname 'wlan01'
	option encryption 'psk2+ccmp'
	option key 'XXXXXXXXXXXXX'
	option ssid 'IOT-WiFi-name-goes-here'
	option macaddr '94:83:XX:XX:XX:XX'
	option factory_macaddr '94:83:XX:XX:XX:XX'
	option guest '1'
	option disabled '0'
	option wds '1'
	option isolate '1'
	option hidden '0'

# All the rest are unused by me currently and are marked as "option disabled '1'"
config wifi-iface 'wlanmld2g'
	option device 'wifi0'
	option network 'lan'
	option mode 'ap'
	option macaddr '94:83:XX:XX:XX:XX'
	option factory_macaddr '94:83:XX:XX:XX:XX'
	option ssid 'GL-BE3600-XXX-MLO'
	option encryption 'ccmp'
	option sae '1'
	option key 'XXXXXXXXXXXXX'
	option wds '1'
	option isolate '0'
	option hidden '0'
	option ifname 'wlan02'
	option ieee80211k '1'
	option bss_transition '1'
	option disabled '1'
	option mld 'mld0'

config wifi-iface 'wlanmldguest2g'
	option device 'wifi0'
	option network 'guest'
	option mode 'ap'
	option ifname 'wlan03'
	option encryption 'ccmp'
	option sae '1'
	option key 'XXXXXXXXXXXXX'
	option ssid 'GL-BE3600-XXX-MLO-Guest'
	option macaddr '94:83:XX:XX:XX:XX'
	option factory_macaddr '94:83:XX:XX:XX:XX'
	option guest '1'
	option disabled '1'
	option wds '1'
	option isolate '1'
	option hidden '0'
	option mld 'mld1'

config wifi-iface 'guest5g'
	option device 'wifi1'
	option network 'guest'
	option mode 'ap'
	option ifname 'wlan11'
	option encryption 'psk2+ccmp'
	option key 'XXXXXXXXXXXXX'
	option ssid 'GL-BE3600-XXX-5G-Guest'
	option macaddr '94:83:XX:XX:XX:XX'
	option factory_macaddr '94:83:XX:XX:XX:XX'
	option guest '1'
	option disabled '1'
	option wds '1'
	option isolate '1'
	option hidden '0'

config wifi-iface 'wlanmld5g'
	option device 'wifi1'
	option network 'lan'
	option mode 'ap'
	option macaddr '94:83:XX:XX:XX:XX'
	option factory_macaddr '94:83:XX:XX:XX:XX'
	option ssid 'GL-BE3600-XXX-MLO'
	option encryption 'ccmp'
	option sae '1'
	option key 'XXXXXXXXXXXXX'
	option wds '1'
	option isolate '0'
	option hidden '0'
	option ifname 'wlan12'
	option ieee80211k '1'
	option bss_transition '1'
	option disabled '1'
	option mld 'mld0'

config wifi-iface 'wlanmldguest5g'
	option device 'wifi1'
	option network 'guest'
	option mode 'ap'
	option ifname 'wlan13'
	option encryption 'ccmp'
	option sae '1'
	option key 'XXXXXXXXXXXXX'
	option ssid 'GL-BE3600-XXX-MLO-Guest'
	option macaddr '94:83:XX:XX:XX:XX'
	option factory_macaddr '94:83:XX:XX:XX:XX'
	option guest '1'
	option disabled '1'
	option wds '1'
	option isolate '1'
	option hidden '0'
	option mld 'mld1'

Note: If you get an error like:

* opkg_download: Failed to download https://fw.gl-inet.com/releases/qsdk_v12.5/kmod-4.7/be3600-ipq53xx/Packages.gz, wget returned 5.

...just go into LuCI and make sure the system time is set correctly / force an update from NTP

Also, to bridge the LAN port to the main WiFi VLAN, if you would rather have this instead of an emergency mgmt port - add a line like list ports 'eth1' to the br-lan definition within /etc/config/network and comment out the lan2 interface setup and firewall zone
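As a pre-upload check, here is a small validator added to this writeup (it is not part of Paul's post or of GL.iNet's firmware); the function names parse_uci and check_vlan_setup and the embedded sample configs are constructed for illustration. It parses the UCI subset these files use, rejects a value missing its closing quote (an easy slip when hand-editing), and confirms that every enabled SSID maps to an interface bridged over a tagged eth0.<vlan> port and that only the management interfaces (office, lan2) carry an IP, so the admin UI stays unreachable from the WiFi VLANs.

```python
import re

SECTION = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?$")      # config <type> ['<name>']
OPTION = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'$")     # option|list <key> '<value>'

def parse_uci(text):
    """Parse UCI text into [(type, name, {key: value | [values]})]; a malformed line raises ValueError."""
    sections = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := SECTION.match(line):
            sections.append((m.group(1), m.group(2), {}))
        elif (m := OPTION.match(line)) and sections:
            kind, key, val = m.groups()
            opts = sections[-1][2]
            if kind == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
        else:
            raise ValueError(f"line {lineno}: malformed or orphaned UCI line {line!r}")
    return sections

def check_vlan_setup(network_text, wireless_text, trunk="eth0", mgmt=("office", "lan2")):
    """Return problem strings; an empty list means the two files are consistent."""
    net = parse_uci(network_text)
    ifaces = {n: o for t, n, o in net if t == "interface" and n}
    bridges = {o.get("name"): o for t, _, o in net if t == "device" and o.get("type") == "bridge"}
    problems, seen = [], set()
    for t, name, o in parse_uci(wireless_text):
        if t != "wifi-iface" or o.get("disabled") == "1":
            continue  # stock GL.iNet SSIDs left disabled are not checked
        target = o.get("network")
        if target not in ifaces:
            problems.append(f"wifi-iface {name}: network '{target}' has no interface section")
        elif target not in seen:
            seen.add(target)
            dev = ifaces[target].get("device", "")
            ports = bridges.get(dev, {}).get("ports", [])
            if not any(re.fullmatch(rf"{trunk}\.\d+", p) for p in ports):
                problems.append(f"interface {target}: device '{dev}' is not a bridge over a tagged {trunk}.<vlan> port")
            if target not in mgmt and ifaces[target].get("proto") != "none":
                problems.append(f"interface {target}: WiFi-facing but proto is not 'none' (AP admin plane reachable from the SSID)")
    return problems

# Constructed sample in the writeup's layout (VLAN 20 = lan), not the author's files.
NETWORK = """config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.20'
config interface 'lan'
	option device 'br-lan'
	option proto 'none'
"""
WIRELESS = """config wifi-iface 'wifi2g'
	option network 'lan'
"""
```

Run it against your real network-new and wireless files before the scp upload; an empty list means the SSID-to-VLAN mapping and the no-IP rule for WiFi-facing interfaces both hold.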

Hi,

Thank you for sharing your solutions and experience!

About this issue, please clarify further:
Without custom configuration of the VLAN and multiple SSIDs, only the Main WiFi and Guest WiFi are enabled on this router. In that situation there are also multiple SSIDs on the same device, but the SSIDs are different; will WiFi be broken in that case too?
