GL-MT3000 (Beryl AX) and VLANs...

Hello everyone... I need help...

I have a router from my ISP in bridge mode (192.168.1.X) connected to the GL-MT3000. The idea is to create several VLANs with associated SSIDs.

"LAN" - VLAN10 - (192.168.10.X)
"IoT" - VLAN20 - (192.168.20.X)
"Guest" - VLAN30 - (192.168.30.X)

For the GL-MT3000 to get internet I have to configure a static IP address like 192.168.1.x in the internet configuration. Then I have to configure another subnet like 192.168.X.X in the "LAN" configuration, and I have no idea what to put there.

As for the VLANs, I can configure those based on this video (https://www.youtube.com/watch?v=2R40KE9aUz4&list=WL&index=1):

  1. creating a virtual bridge device with bridge VLAN filtering activated on 'lan1', 'VLAN10', 'VLAN20' and 'VLAN30', and with:

. VLAN ID 10 tagged on VLANS10 and lan1
. VLAN ID 20 tagged on VLANS20 and lan1
. VLAN ID 30 tagged on VLANS30 and lan1

  2. after that I've created the new interfaces with static IP:

VLAN10 - (192.168.10.4) - gateway - ?
VLAN20 - (192.168.20.4) - gateway - ?
VLAN30 - (192.168.30.4) - gateway - ?

I can create the VLANs and associated SSIDs. The problem is that afterwards the VLANs don't have internet access.

So my questions are:

  1. To accomplish that, do I really need 5 subnets:

. 192.168.1.X - WAN config of GL-MT3000 (ISP side)
. 192.168.X.X - lan config of GL-MT3000
. 192.168.10.X - VLAN10
. 192.168.20.X - VLAN20
. 192.168.30.X - VLAN30

  2. What gateways should I configure on the VLANs?

What am I doing wrong?

Thank you very much if anyone can help me...

Paulo S.

Could you post the /etc/config/network and /etc/config/firewall please?

Under normal circumstances you leave the gateway field empty :slight_smile:

This is only needed when you want to follow a different route.

Another common issue is the newly created firewall zones; make sure these point to wan and that input is set to accept.

Hello... thank you for your response...

Actually I don't have them, because I did a reset... Sorry...

By the way, I forgot to mention that I want to connect an unmanaged switch with connections only to VLAN10...

Is there some guide to follow for this?

Thank you in advance...

In that case you could untag the port as PVID towards this switch :slight_smile:

But if you plan to involve more VLANs over this switch as tagged/trunked traffic, some switches can filter them out; I noticed this with some Ubiquiti equipment. It's better to have a VLAN-aware managed switch, especially if you want to untag ports with the other VLANs.

I don't have any firewall rules configured yet...

This is how I've configured the bridge:

[screenshot: bridge configuration]

Still no internet connection... I get an IP address from the right subnet but no internet...

Hello again...

It's working. It looks like I really needed a firewall rule!!

Thank you!


Well... it stopped working when I restarted it. :unamused:

The best advice I can give is to post the contents of:

/etc/config/network
/etc/config/dhcp
/etc/config/firewall

It must be some type of configuration error :wink:
Later you can check via LuCI what has been changed :slight_smile:

Hello... I've started over again, doing several tests to discover at which part it stops working. I'm trying to 'open' another, less messy post... :wink:

But I can put the text here:

"Hello everyone... I need help...

I have a router from my ISP in bridge mode (192.168.1.254) connected to the GL-MT3000 router. To get internet on the GL-MT3000 I've assigned the IP 192.168.1.2 on the "internet" tab. Then I've configured the IP 192.168.10.1 on the 'lan' tab.

My idea is to use an unmanaged switch connected to eth1 of the GL-MT3000 and create 3 VLANs with associated SSIDs like this:

"LAN" - VLAN10 - (192.168.10.X)
"IoT" - VLAN20 - (192.168.20.X)
"Guest" - VLAN30 - (192.168.30.X)

For that, in LuCI, and because I can't find any way to activate the "bridge VLAN filtering" option on the default "br-lan", I've created a virtual bridge "VLANS", configured like this:

[screenshot: 'VLANS' bridge configuration]

After this, if I create the interface "IoT" with a static address, device "VLAN20", IP address 192.168.20.4, default gateway, and DHCP enabled, when I restart the GL-MT3000 it gets bricked.

What am I doing wrong?

Should I erase the default "br-lan" when I create the virtual bridge "VLANS"? Even so, it doesn't solve the problem..."

P.S. - here is the content of the files

network:
"
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fdf3:6ce7:2902::/48'

config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
option macaddr '94:83:c4:5e:88:8f'

config device
option name 'eth1'
option macaddr '94:83:c4:5e:88:8f'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option isolate '0'
option ipaddr '192.168.10.1'

config device
option name 'eth0'
option macaddr '94:83:c4:5e:88:8e'

config interface 'wan'
option device 'eth0'
option force_link '0'
option ipv6 '0'
option classlessroute '0'
option metric '10'
option proto 'static'
option ipaddr '192.168.1.2'
option netmask '255.255.255.0'
option gateway '192.168.1.254'
list dns '1.1.1.1'
list dns '8.8.8.8'
option peerdns '0'

config interface 'wan6'
option proto 'dhcpv6'
option device '@wan'
option disabled '1'

config interface 'guest'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.9.1'
option netmask '255.255.255.0'
option ip6assign '60'
option multicast_querier '1'
option igmp_snooping '0'
option isolate '0'
option bridge_empty '1'
option disabled '1'

config rule 'policy_relay_lo_rt_lan'
option lookup '16800'
option in 'loopback'
option priority '1'

config interface 'tethering6'
option device '@tethering'
option proto 'dhcpv6'
option disabled '1'

config interface 'wwan6'
option device '@wwan'
option proto 'dhcpv6'
option disabled '1'

config interface 'wwan'
option proto 'dhcp'
option classlessroute '0'
option metric '20'

config rule 'policy_direct_rt'
option lookup 'main'
option suppress_prefixlength '0'
option priority '1100'

config rule 'policy_default_rt_vpn'
option mark '0x8000/0xc000'
option lookup '8000'
option priority '1101'
option invert '1'

config rule6 'policy_direct_rt6'
option lookup 'main'
option suppress_prefixlength '0'
option priority '1100'

config rule6 'policy_default_rt_vpn6'
option mark '0x8000/0xc000'
option lookup '8000'
option priority '1101'
option invert '1'

config rule 'policy_default_rt_vpn_ts'
option lookup 'main'
option priority '1099'
option mark '0x80000/0xc0000'
option invert '0'

config device
option type 'bridge'
option name 'VLANS'
list ports 'VLANS.10'
list ports 'VLANS.20'
list ports 'VLANS.30'
list ports 'eth1'

config bridge-vlan
option device 'VLANS'
option vlan '10'
list ports 'VLANS.10:t'
list ports 'eth1'

config bridge-vlan
option device 'VLANS'
option vlan '20'
list ports 'VLANS.20:t'

config bridge-vlan
option device 'VLANS'
option vlan '30'
list ports 'VLANS.30:t'
"

firewall:
"
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
list network 'wwan'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option input 'DROP'

config forwarding
option src 'lan'
option dest 'wan'
option enabled '1'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'

config include
option path '/etc/firewall.user'

config zone
option name 'guest'
option network 'guest'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'

config forwarding
option src 'guest'
option dest 'wan'
option enabled '1'

config rule
option name 'Allow-DHCP'
option src 'guest'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'

config rule
option name 'Allow-DNS'
option src 'guest'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'

config include 'nat6'
option path '/etc/firewall.nat6'
option reload '1'

config rule 'process_mark'
option name 'process_mark'
option dest '*'
option proto 'all'
option extra '-m owner --gid-owner 65533'
option target 'MARK'
option set_xmark '0x8000/0xc000'

config rule 'process_mark_dns'
option name 'process_mark_dns'
option dest '*'
option proto 'all'
option extra '-m owner --gid-owner 453'
option target 'MARK'
option set_xmark '0x8000/0xc000'

config rule 'process_mark_stubby'
option name 'process_mark_stubby'
option dest '*'
option proto 'all'
option extra '-m owner --gid-owner 410'
option target 'MARK'
option set_xmark '0x8000/0xc000'

config rule 'process_explict_vpn'
option name 'process_explict_vpn'
option dest '*'
option proto 'all'
option extra '-m owner --gid-owner 20000'
option target 'MARK'
option set_xmark '0x20000/0x20000'

config rule 'wan_in_conn_mark'
option name 'wan_in_conn_mark'
option src 'wan'
option dest '*'
option set_xmark '0x8000/0xc000'
option target 'MARK'
option extra '-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x8000/0xc000'
option enabled '0'

config rule 'lan_in_conn_mark_restore'
option name 'lan_in_conn_mark_restore'
option src 'lan'
option dest '*'
option set_xmark '0x8000/0xc000'
option target 'MARK'
option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark --nfmask 0xc000 --ctmask 0xc000'
option enabled '0'

config rule 'out_conn_mark_restore'
option name 'out_conn_mark_restore'
option dest '*'
option set_xmark '0x8000/0xc000'
option target 'MARK'
option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark --nfmask 0xc000 --ctmask 0xc000'
option enabled '0'

config include 'swap_wan_in_conn_mark'
option type 'script'
option reload '1'
option path '/etc/firewall.swap_wan_in_conn_mark.sh'
option enabled '0'

config include 'vpn_client_deal_leak'
option type 'script'
option reload '1'
option path '/etc/firewall.vpn_client_deal_leak.sh'
option enabled '1'

config include 'glblock'
option type 'script'
option path '/usr/bin/gl_block.sh'
option reload '1'

config include 'vpn_server_policy'
option type 'script'
option path '/etc/firewall.vpn_server_policy.sh'
option reload '1'
option enabled '1'

config include 'ethernet_ttl'
option type 'script'
option reload '1'
option path '/etc/firewall.ethernet_ttl'

config redirect 'adguard_home'
option name 'Adguard Home'
option src 'lan'
option src_dport '53'
option dest 'lan'
option dest_port '3053'
option proto 'tcp udp'
option mark '!0x8/0x8'
option enabled '1'

config redirect 'adguard_home_guest'
option name 'Adguard Home guest'
option src 'guest'
option src_dport '53'
option dest 'guest'
option dest_port '3053'
option proto 'tcp udp'
option mark '!0x8/0x8'
option enabled '1'

"

dhcp:
"
config dnsmasq
option domainneeded '1'
option boguspriv_old '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option rebind_protection '0'
option filter_aaaa '1'
option noresolv '1'
option localuse '0'
list server '127.0.0.1#3053'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ra_slaac '1'
option force '1'
option dhcpv6 'disabled'
option ra 'disabled'
option ignore '0'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'disabled'
option ra 'disabled'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'

config domain
option name 'console.gl-inet.com'
option ip '192.168.10.1'

config domain
option name 'console.gl-inet.com'
option ip '::ffff:192.168.10.1'

"

Thank you

First remove these; they are invalid. First, no DSA device hooks into the VLANS bridge, but also using VLANS.30.30 means you tag it from upstream and then you tag it again downstream. This is an invalid configuration :wink:

Then under the br-lan section

config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
option macaddr '94:83:c4:5e:88:8f'

you paste this for the managed VLAN:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth1:u*'

For another VLAN, not the default one, but to pass through to another VLAN-aware device that untags the port, you add:

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'eth1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'eth1:t'

In the section for the lan interface (for the future, when using LuCI, make sure you don't save and apply at this step, otherwise the connection with the LAN is lost):

config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option isolate '0'
option ipaddr '192.168.10.1'

you change it into:

config interface 'lan'
option device 'br-lan.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option isolate '0'
option ipaddr '192.168.10.1'

Be aware: I would recommend using tagged VLAN IDs above 2, because VLAN 2 is often a special VLAN; this depends on the router, but sometimes it is used for the switch CPU.

Now, when you have another OpenWrt router on the other side of the line, you want to tag it like eth0.10 (if wan was the eth0 device); this doesn't involve DSA bridging. DHCP can be received by creating an interface with protocol dhcp.

For a VLAN-aware managed switch, you want to tag port 1, and set another port as either untagged with PVID or tagged to pass it through to yet another switch.

Do I really need VLAN1, or can I simply stay with VLAN10, VLAN20 and VLAN30?

You can use VLAN ID 10, but set it to untagged, as this is your managed network.

The untagged port means the default network on that port.

After this port the VLAN stops existing.

Tagged means you want the network/VLAN to traverse further, and then the final port defined in a managed switch or VLAN-aware device, such as another router, untags it.

Managed VLAN means the network where you keep all the manageable devices, such as other switches responsible for VLAN handling, and routers.

For security, on other untagged ports, e.g. on a switch, you don't want to add the managed VLAN.

Hello again...

I've uploaded the files and it seems the bridge is OK... I've configured WiFi but I can't get DHCP to assign an IP address. I have DHCP active on the correct interface... Any clue to make this work?

Sorry... Thank you for your patience, xize11

But you do have DHCP on the ethernet port, right?

Did you change the bridge name?

It's best to keep it named br-lan, also for GL UI functionality and WiFi.

I didn't change the bridge name...

I have VLAN IDs: 10 (untagged), 20 (tagged) and 30 (tagged).
The interface LAN connected to (br-lan.10) with DHCP active.

The interface IoT connected to (br-lan.20) with DHCP active, with 2 associated WiFis (2G and 5G) active.

The interface HOME connected to (br-lan.10) with DHCP active, with 2 associated WiFis (2G and 5G) active.

  • I can't get DHCP on either WiFi

Shouldn't the bridge ports on "br-lan" be 'eth1', 'br-lan.10', 'br-lan.20' and 'br-lan.30' instead of only 'eth1'?

No, this is wrong.

That is for when you have another router downstream; you want to do that on that router.

You want to configure it with static IP as the protocol, like:

ip address: 192.168.8.1
Netmask: 255.255.255.0
Gateway: you leave this empty

on another interface:
ip address: 192.168.10.1
Netmask: 255.255.255.0
Gateway: you leave this empty

And you need to create a DHCP server on this one, and a firewall zone for VLAN 20 and 30.

On the advanced settings tab, just uncheck default gateway; only wan or wwan should have this checked.

Hello again...

I just put everything like you did in the beginning and it's working... The only thing is that I only wanted to create 3 VLANs and this way I got one more, VLAN1, but that's OK...

Thank you very much for your time, I really appreciate your great help......

For now the most important is working...

Best regards...


Hello... (I didn't want to push my luck... sorry... :-))

The VLANs are working fine and I wanted to use AdGuard and the WireGuard server to connect from outside to my VLAN10...

When I try to use the WireGuard server, in OpenWrt - Interfaces, I have an interface called "WGSERVER" with the message: "Unsupported protocol type. - Install protocol extensions..."...

I've already checked and all the protocols are installed, and trying to enable the WireGuard server through the interface (not LuCI) somehow breaks some configuration...

Any idea?

Thank you...

Ah, the GL WireGuard is different from OpenWrt's, so the protocol will fail if you try to install it.

Please note that the VPN policies likely will not work with VLANs, but you can edit their scripts, or drop the GL VPN entirely and install luci-proto-wireguard, set it up fully in LuCI following OpenWrt tutorials, and use PBR for split tunneling.

Any other idea on how to securely access the home network (VLAN10) from outside?

Before, I had a Raspberry Pi with Pi-hole and PiVPN (WireGuard); the problem was the LAN connection at 100 Mbps...