How to set up the VLAN for IoT Wi-Fi on Flint 3(GL-BE9300)

For Flint3 (GL-BE9300) only.
Describes how to configure a dedicated IoT network over SSH by creating a VLAN (VID 25), a bridge, DHCP, firewall rules, and a separate 2.4 GHz Wi-Fi SSID.

1. Define VLAN 25 on eth1
We create a VLAN subinterface eth1.25 using IEEE 802.1Q tagging.

uci set network.eth1_25=device
uci set network.eth1_25.type='8021q'
uci set network.eth1_25.ifname='eth1'
uci set network.eth1_25.vid='25'
uci set network.eth1_25.name='eth1.25'

2. Create the IoT Bridge
We define a new bridge interface br-iot and attach VLAN 25 to it.

uci add network device
uci set network.@device[-1].type='bridge'
uci set network.@device[-1].name='br-iot'
uci add_list network.@device[-1].ports='eth1.25'

3. Configure the IoT Interface
The IoT interface will use a static IP for the gateway.

uci set network.iot=interface
uci set network.iot.proto='static'
uci set network.iot.device='br-iot'
uci set network.iot.ipaddr='192.168.25.1'
uci set network.iot.netmask='255.255.255.0'

4. Enable DHCP for IoT Network
We configure a DHCP server to assign IP addresses to IoT devices.

uci set dhcp.iot=dhcp
uci set dhcp.iot.interface='iot'
uci set dhcp.iot.start='100'
uci set dhcp.iot.limit='150'
uci set dhcp.iot.leasetime='12h'

5. Create IoT Firewall Zone
We define a dedicated firewall zone for IoT, allowing IoT devices to reach the Internet but restricting local traffic.

uci add firewall zone
uci set firewall.@zone[-1].name='iot'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].network='iot'

6. Set Firewall Forwarding Rules

  • Allow IoT devices to access WAN
  • Allow LAN to reach IoT (for smart home management)

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='iot'
uci set firewall.@forwarding[-1].dest='wan'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='iot'

7. Allow DHCP and DNS for IoT
Firewall rules are added to allow IoT clients to obtain DHCP leases and resolve DNS.

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DHCP-IoT'
uci add_list firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].src='iot'
uci set firewall.@rule[-1].dest_port='67-68'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DNS-IoT'
uci set firewall.@rule[-1].src='iot'
uci set firewall.@rule[-1].dest_port='53'
uci set firewall.@rule[-1].target='ACCEPT'

8. Create IoT Wi-Fi SSID (2.4 GHz)
A new wireless access point GL-Router-IoT is created on the 2.4 GHz radio, bound to the IoT network.

uci set wireless.iot24=wifi-iface
uci set wireless.iot24.device='wifi0'
uci set wireless.iot24.network='iot'
uci set wireless.iot24.mode='ap'
uci set wireless.iot24.ifname='wlan05'
uci set wireless.iot24.ssid='GL-Router-IoT'
uci set wireless.iot24.encryption='psk2+ccmp'
uci set wireless.iot24.key='goodlife'
uci set wireless.iot24.hidden='0'
uci set wireless.iot24.isolate='1'

9. Apply and Reboot
Finally, commit all changes and restart the router.

uci commit
reboot

Result
After reboot, the router will provide:

  • VLAN 25 on eth1
  • IoT bridge br-iot with subnet 192.168.25.0/24
  • DHCP server for IoT clients
  • Firewall rules allowing IoT → WAN and LAN → IoT
  • A dedicated 2.4 GHz IoT Wi-Fi SSID GL-Router-IoT

This setup isolates IoT devices while still allowing management access from the LAN.

11 Likes

It will be great if this can be added to the GL UI in a future release, which can allow you to select the VLAN number, IP address, Wi-Fi name and network name. Basically the same as in the commands but far more simplified.

3 Likes

It might be advisable to add '[HOW-TO]' to the beginning of the title for search discoverability.

1 Like

Also it will be good to add a set of commands to reverse these changes. Of course a full system reset is always an option, but a few commands will skip setting up the router from scratch.

1 Like

Reverse these settings

  1. Delete the VLAN:

    uci delete network.eth1_25

  2. Delete the bridge:

    uci show | grep br-iot
    uci delete network.iot.device
    uci delete network.@device[3]

  3. Delete the network:

    uci delete network.iot

  4. Delete the DHCP settings:

    uci delete dhcp.iot

  5. Delete the firewall zone, rules, and forwarding:

    uci show firewall | grep iot
    # highest index first: uci renumbers the remaining anonymous sections after each delete
    uci delete firewall.@zone[3]
    uci delete firewall.@forwarding[3]
    uci delete firewall.@forwarding[2]
    uci delete firewall.@rule[20]
    uci delete firewall.@rule[19]

  6. Delete the Wi-Fi settings:

    uci delete wireless.iot24

  7. Save and reboot

    uci commit
    reboot

I use uci show to list the exact values of @device[x], @zone[x], @forwarding[x], and @rule[x]; the indexes are dynamic and can vary depending on the router's config.

p.s. Firewall zones, forwarding and rules were not removed by uci with these commands, so I needed to remove them manually from /etc/config/firewall. Same was the situation with the bridge device, so I removed it from /etc/config/network.

1 Like
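Added example, not code from the thread: a POSIX shell helper that turns `uci show` output into the `uci delete` commands for the anonymous sections that refer to the IoT network, highest index first. That order matters for the reply above: uci renumbers `@rule[N]`, `@zone[N]` and friends after every delete, so removing `@rule[19]` before `@rule[20]` leaves the wrong rule behind, which is one way to end up editing /etc/config/firewall by hand. Named sections (`network.iot`, `network.eth1_25`, `dhcp.iot`, `wireless.iot24`) are deleted by name and need no lookup. The sample `uci show` lines are constructed to match the indexes quoted in the reply; the function names and the `iot` / `br-iot` arguments are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread). Prints "uci delete" commands for the
# anonymous uci sections that refer to the IoT network, highest index first,
# so the commands can be reviewed before they are run and committed.

# Constructed sample of `uci show firewall` output using the indexes the
# reply above found (@zone[3], @forwarding[2..3], @rule[19..20]).
sample_firewall() {
cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[3]=zone
firewall.@zone[3].name='iot'
firewall.@zone[3].network='iot'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='iot'
firewall.@forwarding[2].dest='wan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='lan'
firewall.@forwarding[3].dest='iot'
firewall.@rule[19]=rule
firewall.@rule[19].name='Allow-DHCP-IoT'
firewall.@rule[19].src='iot'
firewall.@rule[20]=rule
firewall.@rule[20].name='Allow-DNS-IoT'
firewall.@rule[20].src='iot'
EOF
}

# Constructed sample of `uci show network` output: the bridge is an anonymous
# section (@device[3]) while the interface is a named one (network.iot).
sample_network() {
cat <<'EOF'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[3]=device
network.@device[3].type='bridge'
network.@device[3].name='br-iot'
network.@device[3].ports='eth1.25'
network.iot=interface
network.iot.device='br-iot'
EOF
}

# iot_delete_cmds CONFIG VALUE   (reads `uci show CONFIG` on stdin)
# Prints one "uci delete CONFIG.@type[idx]" per anonymous section whose
# name, network, src or dest option equals VALUE. Within each section type
# the highest index comes first, because uci renumbers the remaining
# anonymous sections after every delete.
iot_delete_cmds() {
  cfg="$1" val="$2"
  grep "^$cfg\.@" \
    | grep -E "\.(name|network|src|dest)='$val'\$" \
    | sed "s/^$cfg\.@\([a-z_]*\)\[\([0-9]*\)\].*/\1 \2/" \
    | sort -u \
    | sort -k1,1 -k2,2nr \
    | while read -r sect idx; do
        printf 'uci delete %s.@%s[%s]\n' "$cfg" "$sect" "$idx"
      done
}

# Stand-alone demo on the constructed samples. On the router the same
# function takes live output:  uci show firewall | iot_delete_cmds firewall iot
sample_firewall | iot_delete_cmds firewall iot
sample_network  | iot_delete_cmds network br-iot
```

The helper only prints; pipe its output to `sh` once it looks right, then `uci commit`. It finds the bridge by its `name` option, which is why the second call passes `br-iot` rather than `iot`.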

I'll probably end up re-writing this HOW-TO to include renaming the if, zones, forwarding, rules using uci in batch mode. As you noted with the identifiers they're dynamic but can be renamed to be specific. It makes it easier to uci del.

No promises though.

Does a How To guide exist to do the same for the Flint 2? If yes, please provide the link (I looked). If no, PLEASE create one. I know it will be VERY helpful for users. Thanks!!!

It would be great to have a Category or Tag for How-To articles. And MORE How-To articles.

Yes, already added a tag named "featured" for these HOW-TO articles.

Here you can filter it out:

3 Likes

Set this up using SSH, everything created fine, but no internet access.

Am I missing something?

Thanks.

Traced the issue to the VPN; it blocks the connection when it's on, so not sure why it's blocking this connection?

Hi. Any chance this functionality will be added to “main” GUI?

Can you please also share how an Ethernet LAN port can be added to this VLAN?

Thanks!

1 Like

Agreed on seeking guidance on port-based VLAN assignment for the router rather than tagging on a trunk line. @Miles @bruce Any help on this one? In my case, I have the first LAN port set as WAN2 and would like each of the remaining LAN ports to be assigned to one defined VLAN each. Edited to add - I don't need any of the defined VLANs to be included in WiFi - I don't use WiFi on the Flint3.

Hi,

can you please post the same instructions needed for Flint 2?

1 Like

Please check:

Flint 3 is different, I think: assuming this tutorial either only shows tagged from WAN, or the router has its own individual ports to the switch, which is very rare on routers; therefore, since I don't own it, I don't know.

To assign a port to a specific VLAN, you need to untag the correct port. They're numbered weird in the config on the Flint 3. LAN1/WAN2 is port 7, LAN2 is port 6, LAN3 is port 5, and LAN4 is port 4. So, if I wanted my IoT VLAN30 on LAN3, I would untag port 5. Remember port 3 is the CPU and must be tagged in all VLANS, so I would tag port 3 and untag port 5 in the switch config for that VLAN.

uci set network.vlan_iot='switch_vlan'
uci set network.vlan_iot.device='switch1'
uci set network.vlan_iot.vlan='30'
uci set network.vlan_iot.ports='3t 5ut'     # THIS IS WHERE PORTS ARE SET

Here is my complete script for creating an IoT VLAN30 with 2.4, 5 and 6 GHz WiFi and LAN3 assigned and no trunks.

uci set network.vlan_iot='switch_vlan'
uci set network.vlan_iot.device='switch1'
uci set network.vlan_iot.vlan='30'
uci set network.vlan_iot.ports='3t 5ut'

uci set network.eth1_30=device
uci set network.eth1_30.type='8021q'
uci set network.eth1_30.ifname='eth1'
uci set network.eth1_30.vid='30'
uci set network.eth1_30.name='eth1.30'

uci add network device
uci set network.@device[-1].type='bridge'
uci set network.@device[-1].name='br-iot'
uci add_list network.@device[-1].ports='eth1.30'

uci set network.iot=interface
uci set network.iot.proto='static'
uci set network.iot.device='br-iot'
uci set network.iot.ipaddr='192.168.30.1'
uci set network.iot.netmask='255.255.255.0'

uci set dhcp.iot=dhcp
uci set dhcp.iot.interface='iot'
uci set dhcp.iot.start='100'
uci set dhcp.iot.limit='150'
uci set dhcp.iot.leasetime='12h'

uci add firewall zone
uci set firewall.@zone[-1].name='iot'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].network='iot'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='iot'
uci set firewall.@forwarding[-1].dest='wan'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='iot'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DHCP-IoT'
uci add_list firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].src='iot'
uci set firewall.@rule[-1].dest_port='67-68'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DNS-IoT'
uci set firewall.@rule[-1].src='iot'
uci set firewall.@rule[-1].dest_port='53'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='Block-IoT-Intra'
uci set firewall.@rule[-1].src='iot'
uci set firewall.@rule[-1].dest='iot'
uci set firewall.@rule[-1].target='REJECT'
uci set firewall.@rule[-1].proto='all'

uci add firewall rule
uci set firewall.@rule[-1].name='Block IoT WebUI'
uci set firewall.@rule[-1].src='iot'
uci set firewall.@rule[-1].target='DROP'
uci set firewall.@rule[-1].dest_port='22 80 443 8080'

uci set wireless.iot2g=wifi-iface
uci set wireless.iot2g.device='wifi0'
uci set wireless.iot2g.network='iot'
uci set wireless.iot2g.mode='ap'
uci set wireless.iot2g.ifname='wlan30'
uci set wireless.iot2g.ssid='IoT'
uci set wireless.iot2g.encryption='psk2+ccmp'
uci set wireless.iot2g.key='goodlife'
uci set wireless.iot2g.wds='1'
uci set wireless.iot2g.hidden='0'
uci set wireless.iot2g.isolate='1'
uci set wireless.iot2g.disabled='0'
uci set wireless.iot2g.ieee80211k='1'
uci set wireless.iot2g.bss_transition='1'

uci set wireless.iot5g=wifi-iface
uci set wireless.iot5g.device='wifi1'
uci set wireless.iot5g.network='iot'
uci set wireless.iot5g.mode='ap'
uci set wireless.iot5g.ifname='wlan31'
uci set wireless.iot5g.ssid='IoT'
uci set wireless.iot5g.encryption='psk2+ccmp'
uci set wireless.iot5g.key='goodlife'
uci set wireless.iot5g.wds='1'
uci set wireless.iot5g.hidden='0'
uci set wireless.iot5g.isolate='1'
uci set wireless.iot5g.disabled='0'
uci set wireless.iot5g.ieee80211k='1'
uci set wireless.iot5g.bss_transition='1'

uci set wireless.iot6g=wifi-iface
uci set wireless.iot6g.device='wifi2'
uci set wireless.iot6g.network='iot'
uci set wireless.iot6g.mode='ap'
uci set wireless.iot6g.ifname='wlan32'
uci set wireless.iot6g.ssid='IoT'
uci set wireless.iot6g.encryption='sae'
uci set wireless.iot6g.key='goodlife'
uci set wireless.iot6g.wds='1'
uci set wireless.iot6g.hidden='0'
uci set wireless.iot6g.isolate='1'
uci set wireless.iot6g.disabled='0'
uci set wireless.iot6g.ieee80211k='1'
uci set wireless.iot6g.bss_transition='1'

uci commit
reboot

Edit: I should add, if you make a VLAN and you can't get an address on the LAN port, go into LuCI and the switch settings, and just click "save and apply". Then disconnect and reconnect to that port. I don't know why it does that when you set it up via SSH but sometimes it does and it took me a while to figure out.

3 Likes
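Added example, not code from the thread or from GL.iNet: a POSIX shell generator that produces the whole IoT setup (the opening post's VLAN/bridge/DHCP/zone/forwarding/rules/SSID steps plus the switch_vlan access-port line from the reply above) as one `uci batch` script, parameterised by VLAN id, subnet, SSID, passphrase and an optional untagged LAN port. It uses named uci sections (`iot_*`, names chosen for this example) rather than `@zone[-1]`-style anonymous ones, which is what an earlier reply suggested for making teardown a plain `uci delete firewall.iot_zone`. Assumptions: `eth1` and `switch1` as in the thread, the Flint 3 port numbers listed in the reply above (LAN1/WAN2=7, LAN2=6, LAN3=5, LAN4=4, CPU port 3 tagged), and a 2.4 GHz radio `wifi0`; the 5/6 GHz SSIDs from the script above can be added the same way. One deliberate change from the thread: the IoT zone's `input` policy is `REJECT` instead of `ACCEPT`, so IoT clients reach the router itself only through the explicit DHCP and DNS rules, and no separate rule blocking the web UI and SSH ports from the IoT side is needed.

```shell
#!/bin/sh
# Added example (not from the thread or GL.iNet). Emits a `uci batch` script
# that builds the IoT network with NAMED sections (iot_*), so each part can be
# removed later with e.g. `uci delete firewall.iot_zone` instead of hunting
# for @zone[N] indexes. Port numbers are the Flint 3 ones from the reply above.

# Map a front-panel label to the switch port number quoted in the reply.
lan_label_to_port() {
  case "$1" in
    LAN1|WAN2) echo 7 ;;
    LAN2) echo 6 ;;
    LAN3) echo 5 ;;
    LAN4) echo 4 ;;
    *) return 1 ;;
  esac
}

# gen_iot_batch VID SUBNET24 SSID PSK [LAN_LABEL]
#   VID        802.1Q VLAN id, 1..4094
#   SUBNET24   first three octets, e.g. 192.168.30 (the router takes .1)
#   PSK        WPA2 passphrase, 8..63 characters
#   LAN_LABEL  optional untagged access port, e.g. LAN3
gen_iot_batch() {
  vid="$1" sub="$2" ssid="$3" psk="$4" lan="$5"
  case "$vid" in ''|*[!0-9]*) echo "VID must be numeric" >&2; return 1 ;; esac
  [ "$vid" -ge 1 ] && [ "$vid" -le 4094 ] || { echo "VID out of range" >&2; return 1; }
  echo "$sub" | grep -Eq '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' \
    || { echo "SUBNET24 must look like 192.168.30" >&2; return 1; }
  [ "${#psk}" -ge 8 ] && [ "${#psk}" -le 63 ] \
    || { echo "PSK must be 8..63 characters" >&2; return 1; }
  if [ -n "$lan" ]; then
    port=$(lan_label_to_port "$lan") || { echo "unknown port $lan" >&2; return 1; }
    cat <<EOF
set network.iot_vlan=switch_vlan
set network.iot_vlan.device='switch1'
set network.iot_vlan.vlan='$vid'
set network.iot_vlan.ports='3t ${port}ut'
EOF
  fi
  # Zone input is REJECT (the thread uses ACCEPT): IoT clients then reach the
  # router itself only through the explicit DHCP and DNS rules below.
  cat <<EOF
set network.iot_tag=device
set network.iot_tag.type='8021q'
set network.iot_tag.ifname='eth1'
set network.iot_tag.vid='$vid'
set network.iot_tag.name='eth1.$vid'
set network.iot_bridge=device
set network.iot_bridge.type='bridge'
set network.iot_bridge.name='br-iot'
add_list network.iot_bridge.ports='eth1.$vid'
set network.iot=interface
set network.iot.proto='static'
set network.iot.device='br-iot'
set network.iot.ipaddr='$sub.1'
set network.iot.netmask='255.255.255.0'
set dhcp.iot=dhcp
set dhcp.iot.interface='iot'
set dhcp.iot.start='100'
set dhcp.iot.limit='150'
set firewall.iot_zone=zone
set firewall.iot_zone.name='iot'
set firewall.iot_zone.input='REJECT'
set firewall.iot_zone.output='ACCEPT'
set firewall.iot_zone.forward='REJECT'
add_list firewall.iot_zone.network='iot'
set firewall.iot_to_wan=forwarding
set firewall.iot_to_wan.src='iot'
set firewall.iot_to_wan.dest='wan'
set firewall.lan_to_iot=forwarding
set firewall.lan_to_iot.src='lan'
set firewall.lan_to_iot.dest='iot'
set firewall.iot_dhcp=rule
set firewall.iot_dhcp.name='Allow-DHCP-IoT'
set firewall.iot_dhcp.src='iot'
set firewall.iot_dhcp.proto='udp'
set firewall.iot_dhcp.dest_port='67-68'
set firewall.iot_dhcp.target='ACCEPT'
set firewall.iot_dns=rule
set firewall.iot_dns.name='Allow-DNS-IoT'
set firewall.iot_dns.src='iot'
set firewall.iot_dns.dest_port='53'
set firewall.iot_dns.target='ACCEPT'
set wireless.iot2g=wifi-iface
set wireless.iot2g.device='wifi0'
set wireless.iot2g.network='iot'
set wireless.iot2g.mode='ap'
set wireless.iot2g.ssid='$ssid'
set wireless.iot2g.encryption='psk2+ccmp'
set wireless.iot2g.key='$psk'
set wireless.iot2g.isolate='1'
commit
EOF
}

# Stand-alone demo with constructed values: VLAN 30, 192.168.30.0/24, LAN3.
# On the router:  gen_iot_batch 30 192.168.30 IoT goodlife LAN3 | uci batch
gen_iot_batch 30 192.168.30 IoT goodlife LAN3
```

Run it without the last argument to get the Wi-Fi-only variant from the opening post (VLAN 25, 192.168.25.0/24 would be `gen_iot_batch 25 192.168.25 GL-Router-IoT <psk>`). Because every section is named, reverting is the mirror image: `uci delete` on each `iot_*` section, `network.iot`, `dhcp.iot` and `wireless.iot2g`, then `uci commit`, with no index lookup.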

Thanks, I took some time today to stumble through it myself, but haven’t quite gotten everything ready to replace my current router. The biggest thing I needed was just time to do it all and finally got some. The port numbering is odd, so it took a little plugging and unplugging to map all the ports.

1 Like

Devs plan to add an additional SSID for IoT in a future firmware. But as far as adding this to the main UI, I am not aware of any plans. Perhaps they want to keep a fine line between normal, easy UI usage versus overwhelming advanced settings (ex. LuCI).

1 Like

I’m pretty sure it doesn’t complicate things by adding a VLAN option on the GL-iNet GUI.
Here’s an example on the Ruckus Unleashed. As you can see, most of the options in the GL-iNet Wireless settings are there too (except it is a radio button instead of drop down menus).

3 Likes