GL-MT5000 (Brume 3) with GL-BE9300 (Flint 3) AP

Hello,

I have just bought myself a Brume 3 hoping to use it as my main router/gateway for its VPN speeds whilst keeping my Flint 3 as a L2 switch/AP.

Previously my Flint 3 had my ‘lan’ vlan with 2 ports, a ‘guest’ vlan (really just the guest isolated Wifi network), and an additional vlan for my ‘iot’ with the other 2 ports following the featured guide. My goal would be to keep this set up whilst using the Brume 3 as the L3 router.

Following @bruce’s advice here: Flint 3 (GL-BE9300) as AP behind pfSense: multiple SSIDs -> VLAN + Random BSSID - Routers - GL.iNet Official Forum for the Flint 3 and attempting to use Copilot for the Brume 3 I have managed to set this up so vlan100 is trunked to the Brume 3 for the guest network and receives the correct IPs, however this doesn’t have access to the internet.

I’m assuming this is to do with AI being awful when setting up my Brume 3 so looking for some advice on how to achieve this. I’m also wondering how many of the Flint 3’s firewall rules need to be enabled when using this setup.

Any help would be much appreciated.

Hi,

Have you configured the VLANs on the Brume3?

Please send us the following configuration files so we can check:
cat /etc/config/network
cat /etc/config/firewall

Hi Bruce, managed to get it working over the weekend, it was an issue with how I’d configured the DHCP servers.

Thanks for the offer to help though!

If possible, could you please share the configuration details for your MT5000/Brume3 and BE9300/Flint3?
This could help more users with similar needs! Thanks!

#MT5000 + BE9300
cat /etc/config/network
cat /etc/config/firewall
#BE9300
cat /etc/config/wireless

Hi,

Sorry for the delayed reply. I have been playing around with it to get it working how I want, mainly in relation to supporting multicast (Macs seem particularly sensitive in this area).

I haven’t managed to get IPv6 working when the Flint 3 is in AP mode so I have stuck to router mode. Network Acceleration also needs to be disabled on the Flint 3 as otherwise it seems to drop VLAN tagging on the connection to the Brume 3. The WAN port also needs to be set as LAN.

I’ll avoid copying the full files as there are a lot of default entries and vpn rules which seem to repopulate but will capture the key additions/changes.

Note 1: This is from my experimentation so I’m sure modifications or simplifications could be made to a lot of this.

Note 2: Hue (IoT) and HomeKit (on LAN) seem to be very temperamental and sometimes a completely unrelated change requires re-adding Hue to HomeKit.

Note 3: When trying to cast from my Mac it can be temperamental, but clicking the cast button in Chrome ~3 times does eventually find my TV

Brume 3

This is the updated/new parts of my /etc/config/network:

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option isolate '0'
	list ip6class 'wan6'
	list ip6class 'wwan6'
	list ip6class 'tethering6'
	list ip6class 'modem_2_1_6'
	list ip6class 'modem_1_1_6'
	option ipaddr '192.168.1.1'
	option ip6assign '64'
	option device 'br-lan'
	option ip6hint '0001'

config switch
	option name 'switch0'
	option reset '0'
	option enable_vlan '1'

config switch_vlan 'vlan_lan'
	option device 'switch0'
	option vlan '1'
	option ports '0 1 17t'

config switch_vlan
	option device 'switch0'
	option vlan '11'
	option ports '0t 17t'

config switch_vlan
	option device 'switch0'
	option vlan '21'
	option ports '0t 17t'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option device 'br-guest'
	option ip6hint '0011'

config interface 'iot'
	option proto 'static'
	option ipaddr '192.168.21.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option device 'br-iot'
	option ip6hint '0021'

config switch_port 'port0'
	option device 'switch0'
	option port '0'
	option pvid '1'

config device
	option name 'eth0.11'
	option type '8021q'
	option ifname 'eth0'
	option vid '11'

config device
	option name 'eth0.21'
	option type '8021q'
	option ifname 'eth0'
	option vid '21'

config device
	option type 'bridge'
	option name 'br-lan'
	list ports 'eth0.1'
	option igmp_snooping '1'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'eth0.11'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'eth0.21'
	option acceptlocal '1'
	option igmp_snooping '1'

My /etc/config/dhcp for the interfaces:

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option dhcpv4 'server'
	option force '1'
	option ra 'server'
	option ra_management '1'
	option ra_default '1'
	option leasetime '480m'
	list ra_flags 'managed-config'
	option ndp 'hybrid'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '1h'
	option ra 'server'
	option ra_default '1'
	option ndp 'hybrid'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '1h'
	option ra 'server'
	option ra_default '1'
	option ndp 'hybrid'

And my firewall rules:

config zone
	option name 'guest'
	option network 'guest'
	option output 'ACCEPT'
	option input 'DROP'
	option forward 'REJECT'
	
config zone
	option name 'iot'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'iot'
	
config rule 'guest_drop_leaked_dns2'
	option name 'guest_drop_leaked_dns2'
	option src 'guest'
	option proto 'udp'
	option dest_port '53'
	option mark '!0x8000/0xf000'
	option target 'DROP'

config rule 'guest_drop_leak_adgdns2'
	option name 'guest_drop_leak_adgdns2'
	option src 'guest'
	option proto 'udp'
	option dest_port '3053'
	option mark '0x0/0xf000'
	option target 'DROP'

config rule 'iot_drop_leaked_dns'
	option name 'iot_drop_leaked_dns'
	option src 'iot'
	option proto 'udp'
	option dest_port '53'
	option mark '!0x8000/0xf000'
	option target 'DROP'

config rule 'iot_drop_leak_adgdns'
	option name 'iot_drop_leak_adgdns'
	option src 'iot'
	option proto 'udp'
	option dest_port '3053'
	option mark '0x0/0xf000'
	option target 'DROP'

config forwarding
	option src 'guest'
	option dest 'wan'
	
config forwarding
	option src 'iot'
	option dest 'wan'
	
config forwarding
	option src 'lan'
	option dest 'iot'

config rule
	option name 'Allow-DHCP'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule
	option name 'Allow-DNS'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config rule 'glipv6_guest_dhcp'
	option name 'Allow-DHCP-IPV6'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'udp'
	option family 'ipv6'
	option dest_port '546-547'

config rule 'glipv6_guest_icmp'
	option name 'Allow-ICMP-IPV6'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'icmp'
	option family 'ipv6'

config rule
	option name 'Allow-IoT-DHCP'
	option src 'iot'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule
	option name 'Allow-IoT-DNS'
	option src 'iot'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config rule
	option name 'Allow-IoT-MLD'
	option src 'iot'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IoT-ICMPv6-Input'
	option src 'iot'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'iot'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IoT-MDNS'
	option src 'iot'
	option dest_port '5353'
	option target 'ACCEPT'
	option proto 'udp'

config rule
	option name 'Allow-IoT-SSDP'
	list proto 'udp'
	option src 'iot'
	option src_port '1900'
	option target 'ACCEPT'

config rule
	option name 'Allow-Casting'
	list proto 'udp'
	option src 'iot'
	option dest_port '32768-61000'
	option target 'ACCEPT'
	option dest 'lan'

Note: I have re-added rules to drop guest leaked dns as the default guest rules on the Brume 3 seem to turn themselves off

To use Chrome’s casting from my Mac I also needed to add additional TTL rules, I haven’t managed to get these to load via the firewall or firewall.user so followed @bruce’s advice here https://forum.gl-inet.com/t/custom-firewall-rules-are-not-loaded-from-luci-after-restart/50391 and added them to /etc/rc.local

# Custom iptables rules to support casting
iptables -t mangle -D PREROUTING -p udp --dport 1900 -j TTL --ttl-set 4 2>/dev/null
iptables -t mangle -D PREROUTING -p udp --dport 5353 -j TTL --ttl-set 4 2>/dev/null
iptables -t mangle -D PREROUTING -d 239.255.255.250 -j TTL --ttl-set 4 2>/dev/null
iptables -t mangle -D PREROUTING -d 224.0.0.251 -j TTL --ttl-set 4 2>/dev/null

iptables -t mangle -I PREROUTING 1 -p udp --dport 1900 -j TTL --ttl-set 4
iptables -t mangle -I PREROUTING 1 -p udp --dport 5353 -j TTL --ttl-set 4
iptables -t mangle -I PREROUTING 1 -d 239.255.255.250 -j TTL --ttl-set 4
iptables -t mangle -I PREROUTING 1 -d 224.0.0.251 -j TTL --ttl-set 4

ip6tables -t mangle -D PREROUTING -p udp --dport 5353 -j HL --hl-set 4 2>/dev/null
ip6tables -t mangle -D PREROUTING -d ff02::fb -j HL --hl-set 4 2>/dev/null

ip6tables -t mangle -I PREROUTING 1 -p udp --dport 5353 -j HL --hl-set 4
ip6tables -t mangle -I PREROUTING 1 -d ff02::fb -j HL --hl-set 4

I have also followed this guide to set up SSDP forwarding from IoT to LAN via smcroute.

I have also configured /etc/avahi/avahi-daemon.conf as follows:

[server]
#host-name=foo
#domain-name=local
use-ipv4=yes
use-ipv6=yes
check-response-ttl=no
use-iff-running=no
allow-interfaces=br-lan,br-iot

[publish]
publish-addresses=yes
publish-hinfo=yes
publish-workstation=no
publish-domain=yes
#publish-dns-servers=192.168.1.1
#publish-resolv-conf-dns-servers=yes

[reflector]
enable-reflector=yes
reflect-ipv=yes

[rlimits]
#rlimit-as=
rlimit-core=0
rlimit-data=4194304
rlimit-fsize=0
rlimit-nofile=30
rlimit-stack=4194304
rlimit-nproc=3

Flint 3

I have disabled the firewall, avahi, dnsmasq, and odhcpd services but will include the relevant files for completeness.

/etc/config/network, note LAN ports will need to be changed accordingly:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1.1'
	option stp '1'

config device
	option name 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.10'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option ip6assign '64'
	option isolate '0'
	option ip6hint '0001'
	option ip6ifaceid '::1'

config device
	option name 'eth0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch
	option name 'switch1'
	option reset '1'
	option enable_vlan '1'

config switch_vlan 'vlan_lan'
	option device 'switch1'
	option vlan '1'
	option ports '3t 6 7'

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.11'
	list ports 'eth1.11'
	option stp '1'

config interface 'guest'
	option proto 'none'
	option isolate '1'
	option bridge_empty '1'
	option device 'br-guest'
	option ip6assign '64'
	option ip6hint '0011'

config switch_vlan
	option device 'switch1'
	option ports '3t'
	option vlan '11'

config switch_vlan
	option device 'switch1'
	option ports '3t 4 5'
	option vlan '21'

config device
	option name 'eth1.11'
	option type '8021q'
	option ifname 'eth1'
	option vid '11'

config device
	option name 'eth1.21'
	option type '8021q'
	option ifname 'eth1'
	option vid '21'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '11'
	option name 'eth0.11'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '21'
	option name 'eth0.21'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'eth0.21'
	list ports 'eth1.21'
	option stp '1'

config interface 'iot'
	option proto 'none'
	option device 'br-iot'
	option ip6assign '64'
	option ip6hint '0021'

/etc/config/dhcp :

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '0'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option force '1'
	option ignore '1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra_management '1'
	option ignore '1'

/etc/config/wireless I did use the default guest network here so I will just include my IoT network:

config wifi-iface 'wifi2giot'
	option device 'wifi0'
	option network 'iot'
	option mode 'ap'
	option ssid 'APPLES'
	option encryption 'psk2+ccmp'
	option key 'PEARS'
	option wds '1'
	option isolate '0'
	option hidden '0'
	option ifname 'wlan05'
	option ieee80211k '1'
	option bss_transition '1'
	option sae '0'
	option disabled '0'
	option mcastenhance '6'
	option igmpmcasten '1'

And finally, as when the Flint’s WAN is set to LAN the LED is always flashing, I have disabled the LED in GL-iNet’s settings and have this set as an executable in /usr/bin/connection-led to try to restore the intended function based on the connection with eth0:

(VIBE CODED)

#!/bin/sh

WHITE="/sys/class/leds/white:system"
BLUE="/sys/class/leds/blue:run"

while true; do
    # Check physical carrier for eth0 (1 = ok, 0 = disconnected)
    CARRIER=$(cat /sys/class/net/eth0/carrier 2>/dev/null)

    if [ "$CARRIER" = "0" ]; then
        # DISCONNECTED: Kill White, Start Slow Blue Blink
        echo none > "$WHITE/trigger"

        # Only set if not already blinking to prevent 'stuttering' the timer
        if ! grep -q "\[timer\]" "$BLUE/trigger"; then
            echo timer > "$BLUE/trigger"
            # 1000ms is the standard GL.iNet "slow" blink
            echo 1000 > "$BLUE/delay_on"
            echo 1000 > "$BLUE/delay_off"
            echo 255 > "$BLUE/brightness"
        fi
    else
        # CONNECTED: Kill Blue, Solid White
        echo none > "$BLUE/trigger"

        if ! grep -q "\[default-on\]" "$WHITE/trigger"; then
            echo default-on > "$WHITE/trigger"
            echo 255 > "$WHITE/brightness"
        fi
    fi
    sleep 2
done

And run it by adding this to /etc/rc.local:

/usr/bin/connection-led &

Hopefully this covers everything, and hopefully it can be of use to people.

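One defender-side check that falls out of the zone layout posted above, written as an added example (it is not part of this thread or of GL.iNet's firmware): a small parser for the UCI text format used by /etc/config/firewall, then a policy check that guest and iot only forward wholesale to wan, that any ACCEPT rule opening them towards lan is listed for review, and that each still carries its DNS-leak DROP rule. The sample text is a constructed, trimmed copy of the posted Brume 3 firewall sections; the parser and the function names are my own.

```python
"""Offline UCI parser plus isolation check for the guest/iot zone layout.
Added example, not from the thread or GL.iNet; run with any Python 3."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?$")
OPTION_RE = re.compile(r"^(option|list)\s+(\S+)\s+(?:'([^']*)'|(\S+))$")

# Constructed sample: the guest/iot parts of the posted Brume 3 firewall file
# (the default lan/wan zones the post left out are not needed for the checks).
SAMPLE_FIREWALL = """\
config zone
	option name 'guest'
	option forward 'REJECT'
config zone
	option name 'iot'
	option forward 'ACCEPT'
config forwarding
	option src 'guest'
	option dest 'wan'
config forwarding
	option src 'iot'
	option dest 'wan'
config forwarding
	option src 'lan'
	option dest 'iot'
config rule 'guest_drop_leaked_dns2'
	option src 'guest'
	option proto 'udp'
	option dest_port '53'
	option mark '!0x8000/0xf000'
	option target 'DROP'
config rule 'iot_drop_leaked_dns'
	option src 'iot'
	option proto 'udp'
	option dest_port '53'
	option mark '!0x8000/0xf000'
	option target 'DROP'
config rule
	option name 'Allow-Casting'
	list proto 'udp'
	option src 'iot'
	option dest_port '32768-61000'
	option target 'ACCEPT'
	option dest 'lan'
"""


def parse_uci(text):
    """Parse UCI text into sections: {type, name, options, lists}."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:  # 'config <type> [<name>]' opens a new section
            sections.append({"type": m.group(1), "name": m.group(2),
                             "options": {}, "lists": defaultdict(list)})
            continue
        m = OPTION_RE.match(line)
        if m and sections:  # 'option'/'list' attaches to the current section
            kind, key, quoted, bare = m.groups()
            value = quoted if quoted is not None else bare
            if kind == "option":
                sections[-1]["options"][key] = value
            else:
                sections[-1]["lists"][key].append(value)
    return sections


def zone_forwardings(sections):
    """src zone -> set of dest zones reachable through 'forwarding' sections."""
    reach = defaultdict(set)
    for s in sections:
        if s["type"] == "forwarding":
            reach[s["options"]["src"]].add(s["options"]["dest"])
    return reach


def check_isolation(sections, isolated=("guest", "iot"), trusted="lan"):
    """Findings: whole-zone forwarding or ACCEPT rules from an isolated zone
    into the trusted zone (for review), and isolated zones without a DNS DROP."""
    findings, fwd = [], zone_forwardings(sections)
    rules = [s for s in sections if s["type"] == "rule"]
    for z in isolated:
        for dest in sorted(fwd.get(z, ())):
            if dest in (trusted, "*"):
                findings.append(f"{z}: whole-zone forwarding to {dest}")
        for r in rules:
            o = r["options"]
            if o.get("src") == z and o.get("target") == "ACCEPT" and o.get("dest") in (trusted, "*"):
                # proto may be a single option or a list, as in Allow-Casting
                proto = o.get("proto") or " ".join(r["lists"].get("proto", ["any"]))
                findings.append(f"{z}: rule {o.get('name') or r['name']} accepts "
                                f"{proto} to {o['dest']} port {o.get('dest_port', 'any')}")
        if not any(r["options"].get("src") == z and r["options"].get("dest_port") == "53"
                   and r["options"].get("target") == "DROP" for r in rules):
            findings.append(f"{z}: no DROP rule for leaked DNS (udp/53)")
    return findings
```

Running `check_isolation(parse_uci(SAMPLE_FIREWALL))` on the sample reports only the deliberate hole, the Allow-Casting rule from iot into lan on udp 32768-61000, which is the one exception a reviewer should want to see spelled out; pointing the parser at a real `cat /etc/config/firewall` dump instead of the sample works the same way.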

Just a follow up post as I can’t edit the one above. Disabling IGMP snooping fixes the Apple HomeKit issues. The updated /etc/config/network is below.

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option isolate '0'
	list ip6class 'wan6'
	list ip6class 'wwan6'
	list ip6class 'tethering6'
	list ip6class 'modem_2_1_6'
	list ip6class 'modem_1_1_6'
	option ipaddr '192.168.1.1'
	option ip6assign '64'
	option device 'br-lan'
	option ip6hint '0001'

config switch
	option name 'switch0'
	option reset '0'
	option enable_vlan '1'

config switch_vlan 'vlan_lan'
	option device 'switch0'
	option vlan '1'
	option ports '0 1 17t'

config switch_vlan
	option device 'switch0'
	option vlan '11'
	option ports '0t 17t'

config switch_vlan
	option device 'switch0'
	option vlan '21'
	option ports '0t 17t'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option device 'br-guest'
	option ip6hint '0011'

config interface 'iot'
	option proto 'static'
	option ipaddr '192.168.21.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option device 'br-iot'
	option ip6hint '0021'

config switch_port 'port0'
	option device 'switch0'
	option port '0'
	option pvid '1'

config device
	option name 'eth0.11'
	option type '8021q'
	option ifname 'eth0'
	option vid '11'

config device
	option name 'eth0.21'
	option type '8021q'
	option ifname 'eth0'
	option vid '21'

config device
	option type 'bridge'
	option name 'br-lan'
	list ports 'eth0.1'
	option igmp_snooping '0'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'eth0.11'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'eth0.21'
	option acceptlocal '1'
	option igmp_snooping '0'

Great presentation! This will definitely help more people set up Gateway VLAN + AP!