Any chance you can include how to add 5 and 6 mhz to this too?
Will a firmware update break all of these attempts at vlan configuration? Novice question, but I’ve spent many hours working with Copilot and Gemini using both Luci and ssh to configure three separate subnets on different bands and then a fourth using the WiFi 7 MLO setup in the Gl-inet gui only to have it “break” the 2.4 and 5 GHz radios and had to reset the router. I came close but didn’t get there. So if I spend the time and keep at it, is a firmware update coming along that will break it all? If I do and it does I sure hope the gui will be updated to allow easy vlan and firewall creation or at least allow better coordination between Luci and the Gl-inet gui. Shouldn’t it? That’s one of the reasons I bought the Flint 3 instead of a cheaper TP-Link consumer-grade router and after many, many hours of effort I haven’t yet been able to accomplish what I hoped to with the purchase. So for now my TVs, security cams, and data are all sharing the same subnet. Thinking about breaking out my old router and double “nat”ing it. I understand the Flint 2 is much better at this. Why is that so?
I bought the Flint 3 for the same thing, but lucky for me I have a Flint 2, so I’ve reverted back to that and put the Flint 3 back in the box until there is a fix. It’s disgusting how they have released this router with so many issues.
Don’t waste your time with the Flint 3….
"less invasive" solution is the only one that really works stably on the GL-BE9300.
Master Guide: VLAN Trunking on the GL-BE9300 (Flint 3)
The "invisible" and stable method
This tutorial was born from the need to overcome the critical limitations of the stock firmware. Many users try to use GL.iNet's native features to create additional SSIDs or segment networks, but on the BE9300 model (Qualcomm SoC) this usually ends in disaster.
Why NOT use the native methods of the GL.iNet panel?
Before starting, we need to understand the drawbacks of using extra SSIDs or VLAN configurations from the web interface on this router:
* Total loss of Wi-Fi: When trying to create additional wireless interfaces, the Qualcomm driver often runs into conflicts, causing intermittent drops of the entire wireless network.
* Untouchable DHCP: The stock system is extremely possessive. If you try to assign custom IP ranges to new interfaces from the panel, the router usually ignores them or enters a "No IP assigned" loop.
* Ghost networks: It is common to see the SSID appear, but devices cannot connect or, if they do, they are left with "No Internet" because of internal routing misconfigured by the proprietary software.
* Switch collapse: Touching "VLAN Filtering" on the native bridge disables hardware acceleration, driving the router into a state of saturation and eventual lockup (brick).
The solution: Apply a DSA (Distributed Switch Architecture) configuration over SSH that is invisible to the GL.iNet panel, allowing an external AP to manage Wi-Fi while the BE9300 does the heavy lifting of routing in a stable way.
1. "Physical" Connection Protocol (Mandatory)
The BE9300 has a "watchdog" that, if it detects IP conflicts while there is internet, blocks SSH access (Broken Pipe).
* Unplug the router from power.
* Disconnect the WAN (Internet) cable.
* Connect your PC to a LAN port and power on the router.
* Why? This gives us a window of total stability to apply changes without the system trying to "self-repair" and locking us out.
2. Understanding the DSA Architecture
The BE9300 does not use the old switch0/1. When you create subinterfaces on eth1 (e.g. eth1.6), tagged traffic travels over all LAN ports automatically. Do not touch "VLAN Filtering" on the bridge; segmentation is done at the physical device level.
3. Configuration: "Stealth Mode"
A. Creating the Networks and Shielding (UCI)
We use the name tr_vlan so that the web panel does not detect it and does not try to delete it. The delegate='0' command is vital to prevent the router from looking for internet on these networks.
uci batch << 'EOF'
set network.tr_vlan6=interface
set network.tr_vlan6.proto='static'
set network.tr_vlan6.device='eth1.6'
set network.tr_vlan6.ipaddr='192.168.6.1'
set network.tr_vlan6.netmask='255.255.255.0'
set network.tr_vlan6.delegate='0'
set network.tr_vlan7=interface
set network.tr_vlan7.proto='static'
set network.tr_vlan7.device='eth1.7'
set network.tr_vlan7.ipaddr='192.168.7.1'
set network.tr_vlan7.netmask='255.255.255.0'
set network.tr_vlan7.delegate='0'
# (Repeat for VLAN 8 [192.168.18.1] and VLAN 9 [192.168.19.1])
commit network
EOF
/etc/init.d/network reload
B. Ghost DHCP (IP Injection)
To make DHCP permanent and keep the firmware from deleting it, we inject the configuration into a directory that the system does not monitor.
mkdir -p /etc/dnsmasq.d/
cat << 'EOF' > /etc/dnsmasq.d/trunk_vlans.conf
interface=eth1.6
interface=eth1.7
interface=eth1.8
interface=eth1.9
dhcp-range=set:vlan6,192.168.6.100,192.168.6.200,12h
dhcp-range=set:vlan7,192.168.7.100,192.168.7.200,12h
dhcp-range=set:vlan8,192.168.18.100,192.168.18.200,12h
dhcp-range=set:vlan9,192.168.19.100,192.168.19.200,12h
EOF
/etc/init.d/dnsmasq restart
4. Firewall: The Tunnel to the Internet
We must allow these new networks to "jump" to the WAN zone.
uci set firewall.trunk_zone=zone
uci set firewall.trunk_zone.name='trunk_zone'
uci set firewall.trunk_zone.network='tr_vlan6 tr_vlan7 tr_vlan8 tr_vlan9'
uci set firewall.trunk_zone.input='ACCEPT'
uci set firewall.trunk_zone.output='ACCEPT'
uci set firewall.trunk_zone.forward='ACCEPT'
# Outbound rule to the Internet
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='trunk_zone'
uci set firewall.@forwarding[-1].dest='wan'
uci commit firewall
/etc/init.d/firewall restart
5. Summary of Errors Avoided
* Switch brick: Avoided by not enabling VLAN filtering on the bridge.
* SSH Broken Pipe: Avoided through the delegate='0' shielding.
* Wi-Fi instability: Avoided by delegating the SSIDs to a professional external AP, freeing the BE9300 from that load.
* Loss of configuration: By using the /etc/dnsmasq.d/ directory and non-standard interface names.
6. Final Test
* Connect the WAN (Internet) cable.
* Connect your AP to any LAN port of the BE9300.
* Create an SSID on your AP with VLAN ID 6.
* Connect: you should receive the IP 192.168.6.X and browse immediately with the maximum stability of the Qualcomm SoC.
Note: This is the least invasive solution possible. The GL.iNet panel will keep working normally, AdGuard Home will be able to filter traffic, and your VPNs will not be affected.
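The guide's steps 3A and 4 written out for all four VLANs, as an added example that is not part of the original post: a POSIX shell generator that prints `uci batch` text for VLANs 6 to 9 with the addresses given above, using a stricter zone than the post's (input and forward set to REJECT, with only DHCP and DNS allowed to the router). The function names and the rule names trunk-dhcp and trunk-dns are assumptions, and the stricter policy is an assumption that has not been verified on the BE9300.

```shell
#!/bin/sh
# Added example: prints uci batch text only; nothing changes until it is piped to `uci batch`.
# VLAN-id:gateway pairs are the ones used in the guide above.
VLANS="6:192.168.6.1 7:192.168.7.1 8:192.168.18.1 9:192.168.19.1"

emit_network() {
    for pair in $VLANS; do
        id=${pair%%:*}; gw=${pair#*:}
        cat <<EOF
set network.tr_vlan$id=interface
set network.tr_vlan$id.proto='static'
set network.tr_vlan$id.device='eth1.$id'
set network.tr_vlan$id.ipaddr='$gw'
set network.tr_vlan$id.netmask='255.255.255.0'
set network.tr_vlan$id.delegate='0'
EOF
    done
    echo "commit network"
}

# Stricter than the post (assumption): clients reach DHCP/DNS on the router and the WAN only.
emit_firewall() {
    nets=""
    for pair in $VLANS; do nets="$nets tr_vlan${pair%%:*}"; done
    cat <<EOF
set firewall.trunk_zone=zone
set firewall.trunk_zone.name='trunk_zone'
set firewall.trunk_zone.network='${nets# }'
set firewall.trunk_zone.input='REJECT'
set firewall.trunk_zone.output='ACCEPT'
set firewall.trunk_zone.forward='REJECT'
add firewall forwarding
set firewall.@forwarding[-1].src='trunk_zone'
set firewall.@forwarding[-1].dest='wan'
add firewall rule
set firewall.@rule[-1].name='trunk-dhcp'
set firewall.@rule[-1].src='trunk_zone'
set firewall.@rule[-1].proto='udp'
set firewall.@rule[-1].dest_port='67'
set firewall.@rule[-1].target='ACCEPT'
add firewall rule
set firewall.@rule[-1].name='trunk-dns'
set firewall.@rule[-1].src='trunk_zone'
set firewall.@rule[-1].proto='tcp udp'
set firewall.@rule[-1].dest_port='53'
set firewall.@rule[-1].target='ACCEPT'
commit firewall
EOF
}
if [ "${1:-}" = "--print" ]; then emit_network; emit_firewall; fi
```

Review the printed text first, then apply it on the router with `{ emit_network; emit_firewall; } | uci batch` in place of the post's steps 3A and 4. With the zone's forward policy set to REJECT, the four VLANs can reach the WAN but not each other.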
I tried flashing an old Linksys ea6350v3 with open-wrt but after two failed attempts I considered myself lucky to be able to bring the Linksys back to life. For now I’m running the Linksys double-natted behind the Flint 3 running my security cams on 2.4 GHz and TVs on 5. The Flint 3, using Luci, did allow me to firewall them off from my computers on 6ghz and triband MLO running on the Flint 3. It’s a temporary solution. I just ordered a Flint 2 on Amazon. It arrives Tuesday. At that point I will either make the Flint 3 an access point running only 6ghz and triband MLO or just return it. I have until the 21st to decide as I only recently bought it. It would make my recent purchase of the tplink BE9300 triband wifi7 MLO pci-e card worthless to return it though. I really wish the Flint 3 had been up to it but it’s obviously not.
I think I got it working… I'm going to attempt to remember who to give credit to as well and show my sources:
- Thanks for the OP @Miles … this post has taught me a lot! - everyone else should copy this somewhere and edit a second copy to get going on the second vlan
- A little further down I found a good source from @RobWilJas - thank you too
- Next source and thanks to: https://wickedyoda.com/?p=3147 - much more in-depth commands… I compared them a lot to figure out more
So the first thing to note,
- define your network, IE IoT…
- define your wifi name IE ‘things’
- give it a numerical number like 25 or 30… This will be used to define the vlan and ipaddr
- note that the wifi1 or wifi 2 in the wireless mustn't match any other of the radio or other device
Note, not sure, but the ports seem to be static
For adding in 5g and 6g: (this is what i did/would do)
uci set wireless.iot5=wifi-iface
uci set wireless.iot5.device='wifi1'
uci set wireless.iot5.network='iot'
uci set wireless.iot5.mode='ap'
uci set wireless.iot5.ifname='wlan6'
uci set wireless.iot5.ssid='GL-Router-IoT'
uci set wireless.iot5.encryption='psk2+ccmp'
uci set wireless.iot5.key='goodlife'
uci set wireless.iot5.wds='1'
uci set wireless.iot5.hidden='0'
uci set wireless.iot5.isolate='1'
uci set wireless.iot5.disabled='0'
uci set wireless.iot5.ieee80211k='1'
uci set wireless.iot5.bss_transition='1'
uci set wireless.iot6=wifi-iface
uci set wireless.iot6.device='wifi2'
uci set wireless.iot6.network='iot'
uci set wireless.iot6.mode='ap'
uci set wireless.iot6.ifname='wlan6'
uci set wireless.iot6.ssid='GL-Router-IoT'
uci set wireless.iot6.encryption='sae'
uci set wireless.iot6.key='goodlife'
uci set wireless.iot6.wds='1'
uci set wireless.iot6.hidden='0'
uci set wireless.iot6.isolate='1'
uci set wireless.iot6.disabled='0'
uci set wireless.iot6.ieee80211k='1'
uci set wireless.iot6.bss_transition='1'
Hope this helps
I have set up now Wifi for IoT/Main/media with 2.4/5/6ghz BUT I don't know how to set up MLO… can someone help like @Miles or @RobWilJas (thank you both again)
For MLO, please refer to
Hey @will.qiu - thank you for this. Appreciate it. (I've used here to chat as the other thread is closed and it's relevant to this discussion too)
If I wanted to set up the MLO for different vlans
vlan10 - trusted
vlan40 - media
vlan25 - IoT
how does this fit in:
uci set mlo.mld2=wifi-mld
uci set mlo.mld2.disabled='0'
uci set mlo.mld2.bands='2g'
uci add_list mlo.mld2.bands='5g'
uci add_list mlo.mld2.bands='6g'
Is it the same for each one, or do I use it only once?
When adding
uci set wireless.travelmld2g.mld='mld2' / uci set wireless.travelmld5g.mld='mld2' / uci set wireless.travelmld6g.mld='mld2' - I clearly change the travelmld-g to the name of my radio, but does the mld2 change with each vlan? Or are they always mld2?
Same for the last bit, obv the ssid matches the ssid of the 3 radios but does the line above change at all?
Which are the variables and which are the constants?
Thanks in advance. I've just tried one and had to reset the router back… Random Q, what's the UCI command so I can view and edit these amendments so I don't have to keep resetting and having to start way back?
Here are the variables for the configuration:
- MLD Device Name
  uci set mlo.{mld_device_name}=wifi-mld
  uci set wireless.{mld_device_name}=wifi-mld
  uci set wireless.travelmld2g.mld='{mld_device_name}'
  Note: mld0 and mld1 are already in use by the Main and Guest Wi-Fi. Each network requires a unique device name.
- Wireless Interface Name
  uci set wireless.{wireless_interface_name}=wifi-iface
  For MLO, you need to add separate sub-Wi-Fi interfaces for the 2.4 GHz, 5 GHz, and 6 GHz bands respectively.
- Wireless Hardware Device Name (ifname)
  uci set wireless.travelmld2g.ifname='{wireless_device_name}'
  Similarly, wlanx, wlanx1, wlanx2, and wlanx3 are already occupied by the Main Wi-Fi, Guest Wi-Fi, and their respective MLO configurations.
- Associated Network
  uci set wireless.{wireless_interface_name}.network='{Network}'
  Note: This variable defines which logical network interface (usually lan/guest/youriot) the wireless interface is bridged to.
For a detailed UCI tutorial, please refer to:
Thank you @will.qiu Will! I'll look over it over the next couple days! This is great!