How to set up the VLAN for IoT Wi-Fi on Flint 3(GL-BE9300)

Any chance you can include how to add 5 and 6 mhz to this too?

Will a firmware update break all of these attempts at vlan configuration? Novice question, but I’ve spent many hours working with Copilot and Gemini using both Luci and ssh to configure three separate subnets on different bands and then a fourth using the WiFi 7 MLO setup in the Gl-inet gui only to have it “break” the 2.4 and 5 GHz radios and had to reset the router. I came close but didn’t get there. So if I spend the time and keep at it, is a firmware update coming along that will break it all? If I do and it does I sure hope the gui will be updated to allow easy vlan and firewall creation or at least allow better coordination between Luci and the Gl-inet gui. Shouldn’t it? That’s one of the reasons I bought the Flint 3 instead of a cheaper TP-Link consumer-grade router and after many, many hours of effort I haven’t yet been able to accomplish what I hoped to with the purchase. So for now my TVs, security cams, and data are all sharing the same subnet. Thinking about breaking out my old router and double “nat”ing it. I understand the Flint 2 is much better at this. Why is that so?

I bought the Flint 3 for the same thing, but lucky for me I have a Flint 2, so I’ve reverted back to that and put the Flint 3 back in the box until there is a fix. It’s disgusting how they have released this router with so many issues.

Don’t waste your time with the Flint 3….

1 Like

I tried flashing an old Linksys ea6350v3 with open-wrt but after two failed attempts I considered myself lucky to be able to bring the Linksys back to life. For now I’m running the Linksys double-natted behind the Flint 3 running my security cams on 2.4 GHz and TVs on 5. The Flint 3, using Luci, did allow me to firewall them off from my computers on 6ghz and triband MLO running on the Flint 3. It’s a temporary solution. I just ordered a Flint 2 on Amazon. It arrives Tuesday. At that point I will either make the Flint 3 an access point running only 6ghz and triband MLO or just return it. I have until the 21st to decide as I only recently bought it. It would make my recent purchase of the tplink BE9300 triband wifi7 MLO pci-e card worthless to return it though. I really wish the Flint 3 had been up to it but it’s obviously not.

I think I got it working… I’m going to attempt to remember who to give credit to as well and show my sources:

  1. Thanks for the OP @Miles … this post has taught me a lot! - everyone else should copy this somewhere and edit a second copy to get going on the second vlan
  2. A little further down I found a good source from @RobWilJas -thank you too
  3. Next source and thanks to: https://wickedyoda.com/?p=3147 - much more in-depth commands… I compared them a lot to figure out more

So the first thing to note,

  1. define your network, IE IoT…
  2. define your wifi name IE ‘things’
  3. give it a numerical number like 25 or 30… This will be used to define the vlan and ipaddr
  4. note that the wifi1 or wifi2 in the wireless mustn’t match any other of the radio or other device

Note, not sure, but the ports seem to be static

For adding in 5g and 6g: (this is what I did/would do)

uci set wireless.iot5=wifi-iface
uci set wireless.iot5.device='wifi1'
uci set wireless.iot5.network='iot'
uci set wireless.iot5.mode='ap'
uci set wireless.iot5.ifname='wlan6'
uci set wireless.iot5.ssid='GL-Router-IoT'
uci set wireless.iot5.encryption='psk2+ccmp'
uci set wireless.iot5.key='goodlife'
uci set wireless.iot5.wds='1'
uci set wireless.iot5.hidden='0'
uci set wireless.iot5.isolate='1'
uci set wireless.iot5.disabled='0'
uci set wireless.iot5.ieee80211k='1'
uci set wireless.iot5.bss_transition='1'

uci set wireless.iot6=wifi-iface
uci set wireless.iot6.device='wifi2'
uci set wireless.iot6.network='iot'
uci set wireless.iot6.mode='ap'
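# ifname must be unique per wifi-iface; 'wlan6' is already used by iot5 above, so choose an unused name here
uci set wireless.iot6.ifname='wlan6'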
uci set wireless.iot6.ssid='GL-Router-IoT'
uci set wireless.iot6.encryption='sae'
uci set wireless.iot6.key='goodlife'
uci set wireless.iot6.wds='1'
uci set wireless.iot6.hidden='0'
uci set wireless.iot6.isolate='1'
uci set wireless.iot6.disabled='0'
uci set wireless.iot6.ieee80211k='1'
uci set wireless.iot6.bss_transition='1'

Hope this helps

I have set up now Wifi for IoT/Main/media with 2.4/5/6ghz BUT I don’t know how to set up MLO… can someone help like @Miles or @RobWilJas (thank you both again)

For MLO, please refer to

Hey @will.qiu - thank you for this. Appreciate it. (I’ve used here to chat as the other thread is closed and it’s relevant to this discussion too)

If I wanted to set up the MLO for different vlans

vlan10 - trusted

vlan40 - media

vlan25 - IoT

how does this fit in:

uci set mlo.mld2=wifi-mld
uci set mlo.mld2.disabled='0'
uci set mlo.mld2.bands='2g'
uci add_list mlo.mld2.bands='5g'
uci add_list mlo.mld2.bands='6g'

Is it the same for each one, or do I use it only once?

When adding

uci set wireless.travelmld2g.mld='mld2' / uci set wireless.travelmld5g.mld='mld2' / uci set wireless.travelmld6g.mld='mld2' - I clearly change the travelmld-g to the name of my radio, but does the mld2 change with each vlan? Or are they always mld2?

Same for the last bit, obv the ssid matches the ssid of the 3 radios but does the line above change at all?

Which are the variables and which are the constants?

Thanks in advance. I’ve just tried one and had to reset the router back… Random Q, what’s the UCI command so I can view and edit these amendments so I don’t have to keep resetting and having to start way back?

Here are the variables for the configuration:

  1. MLD Device Name

    uci set mlo.{mld_device_name}=wifi-mld
    uci set wireless.{mld_device_name}=wifi-mld
    uci set wireless.travelmld2g.mld='{mld_device_name}'
    

    Note: mld0 and mld1 are already in use by the Main and Guest Wi-Fi. Each network requires a unique device name.

  2. Wireless Interface Name

    uci set wireless.{wireless_interface_name}=wifi-iface
    

    For MLO, you need to add separate sub-Wi-Fi interfaces for the 2.4 GHz, 5 GHz, and 6 GHz bands respectively.

  3. Wireless Hardware Device Name (ifname)

    uci set wireless.travelmld2g.ifname='{wireless_device_name}'
    

    Similarly, wlanx, wlanx1, wlanx2, and wlanx3 are already occupied by the Main Wi-Fi, Guest Wi-Fi, and their respective MLO configurations.

  4. Associated Network

    uci set wireless.{wireless_interface_name}.network='{Network}'
    

    Note: This variable defines which logical network interface (usually lan/guest/your iot) the wireless interface is bridged to.

For a detailed UCI tutorial, please refer to:

Thank you @will.qiu Will! I’ll look over it over the next couple days! This is great!
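
Added example, not part of any post in this thread: a check to run before `uci commit wireless` for the naming rules discussed above (each wifi-iface needs its own ifname, each network its own MLD device name). It reads `uci show wireless` text on stdin; the entries main2g and wlan0 in the sample are constructed, and iot5/iot6 mirror the commands posted earlier in the thread.

```shell
#!/bin/sh
# Added example: collision check for wireless names before committing.
# Input is `uci show wireless` text on stdin, so it also runs off-router.

# Print every ifname claimed by more than one section, with the sections.
dup_ifnames() {
  awk '/^wireless\.[^.]+\.ifname=/ {
         eq = index($0, "=")
         split(substr($0, 1, eq - 1), k, ".")         # k[2] = section name
         v = substr($0, eq + 1); gsub("\047", "", v)  # strip the quotes
         owners[v] = owners[v] " " k[2]; count[v]++
       }
       END { for (v in count) if (count[v] > 1) print v ":" owners[v] }' | sort
}

# Exit 0 if the MLD device name $1 is already defined.
mld_in_use() {
  grep -q "^wireless\.$1=wifi-mld\$"
}

# Constructed sample: two firmware-owned MLDs plus the iot5/iot6 sections.
SAMPLE="wireless.mld0=wifi-mld
wireless.mld1=wifi-mld
wireless.main2g=wifi-iface
wireless.main2g.ifname='wlan0'
wireless.iot5=wifi-iface
wireless.iot5.device='wifi1'
wireless.iot5.ifname='wlan6'
wireless.iot6=wifi-iface
wireless.iot6.device='wifi2'
wireless.iot6.ifname='wlan6'"

printf '%s\n' "$SAMPLE" | dup_ifnames
# On the router: uci show wireless | dup_ifnames
```

On the router, `uci changes` lists edits that are staged but not yet committed, and `uci revert wireless` discards them, which avoids a factory reset when a staged change turns out to be wrong.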

Real architecture of the GL-BE9300 (Qualcomm IPQ5332)

Accelerated VLANs without software bridges or vlan_filtering

Note on authorship and translation
The explanatory text of this post was translated with AI assistance for clarity and readability.
However, the methods, commands, configuration logic, and validation steps are original, derived from hands-on testing in a real network lab on the GL-BE9300 hardware.
All commands shown below are executed and verified on-device.


This post documents a reproducible and hardware-accelerated method to expose VLANs over physical LAN ports on the GL-BE9300 (QSDK / Qualcomm IPQ5332), avoiding common generic OpenWrt configurations that silently disable NSS offloading.

Key points

Do not use vlan_filtering

Do not use software bridges (br-lan.X) for user VLANs

Use direct 802.1Q sub-interfaces (eth1.X)

This is not an alternative approach.
It is the method that preserves Qualcomm NSS acceleration on this platform.


Key concept (read before copying commands)

On the GL-BE9300:

eth1 = internal CPU-facing interface to the hardware switch

eth1.X = 802.1Q sub-interface (this is what NSS accelerates)

LAN ports are not interfaces; they are switch members

Port mapping:

GUI port 3 = physical LAN2

Important behavior:

VLANs attached to bridges (for example br-lan.60) disable NSS

VLANs attached directly to eth1.X keep hardware offloading active


Practical example

Create one VLAN with the following properties:

VLAN ID: 60

IP address: 192.168.60.1/24

Exposed only on port 3 (physical LAN2)

Has an associated Wi-Fi SSID

Fully accelerated by Qualcomm NSS


  1. Create the 802.1Q sub-interface (hardware layer)

This is the critical step.

uci set network.eth1_60=device
uci set network.eth1_60.name='eth1.60'
uci set network.eth1_60.type='8021q'
uci set network.eth1_60.ifname='eth1'
uci set network.eth1_60.vid='60'

At this point, the Qualcomm NSS engine already recognizes the VLAN path.
Everything that follows is L3 and policy configuration.


  2. Create the L3 interface (no bridge)

uci set network.vlan60=interface
uci set network.vlan60.proto='static'
uci set network.vlan60.device='eth1.60'
uci set network.vlan60.ipaddr='192.168.60.1'
uci set network.vlan60.netmask='255.255.255.0'

No bridge. No br-vlan60. This keeps the datapath purely accelerated.


  3. Expose the VLAN only on port 3 (physical LAN2)

On the GL-BE9300, LAN ports are members of switch1.

Logical port mapping:

Port 3 → Physical LAN2

Conceptual example (exact numbering may vary by firmware):

uci add network switch_vlan
uci set network.@switch_vlan[-1].device='switch1'
uci set network.@switch_vlan[-1].vlan='60'
uci set network.@switch_vlan[-1].ports='3t'

Explanation:

3t = port 3, tagged

No other ports are members

Result:

VLAN 60 exits only via LAN2

Connecting a managed switch or AP on LAN2 receives a clean tagged VLAN


  4. DHCP for VLAN 60

uci set dhcp.vlan60=dhcp
uci set dhcp.vlan60.interface='vlan60'
uci set dhcp.vlan60.start='100'
uci set dhcp.vlan60.limit='150'
uci set dhcp.vlan60.leasetime='12h'


  5. Firewall (simple example)

Assuming zone[1] is an isolated or guest zone:

uci add_list firewall.@zone[1].network='vlan60'

No special rules required for NSS compatibility.


  6. Wi-Fi SSID associated with VLAN 60 (2.4 GHz example)

uci set wireless.v60_test_2g=wifi-iface
uci set wireless.v60_test_2g.device='wifi0'
uci set wireless.v60_test_2g.mode='ap'
uci set wireless.v60_test_2g.ssid='VLAN60-Test'
uci set wireless.v60_test_2g.encryption='psk2'
uci set wireless.v60_test_2g.key='change_this_password'
uci set wireless.v60_test_2g.network='vlan60'
uci set wireless.v60_test_2g.disabled='0'

Traffic path:

Wi-Fi → VLAN 60 → eth1.60 → port 3 → NSS hardware offload


  7. Apply changes safely

Recommended when working remotely:

uci commit network
uci commit dhcp
uci commit firewall
uci commit wireless

(
sleep 2
/etc/init.d/network restart
sleep 5
/etc/init.d/firewall restart
/etc/init.d/dnsmasq restart
wifi reload
) &

Running this in the background avoids SSH lockout during reconfiguration.


Final result

VLAN 60 isolated

Exposed only on LAN2 (logical port 3)

Working Wi-Fi SSID

Qualcomm NSS acceleration active

No vlan_filtering

No software bridges

No impact on AdGuard, VPN, or firewall behavior


Conclusion

The GL-BE9300 is not generic OpenWrt.

On Qualcomm IPQ5332 devices:

Use eth1.X

Avoid software bridges

Keep firewall rules simple

Do this, and NSS stays active.

Use generic wiki recipes with bridges, and the CPU becomes the bottleneck at multi-gigabit speeds.

This is not an experimental workaround.
It is the correct architecture for the IPQ5332 platform.

2 Likes
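
Added example, not part of the post above: the firewall step attaches vlan60 to a zone by position (`zone[1]`), so this check reads `uci show firewall` text and reports which zone the network actually landed in and where that zone may forward. The zone names and forwardings in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the post). Input: `uci show firewall` text on stdin.
# Reports the zone that contains network $1 and every forwarding out of it.
fw_audit() {
  awk -v net="$1" '
    { eq = index($0, "="); n = split(substr($0, 1, eq - 1), k, ".")
      val = substr($0, eq + 1); gsub("\047", "", val); s = k[2] }
    n == 2 { type[s] = val; if (val == "forwarding") fwd[++nf] = s }
    n == 3 && k[3] == "name" { name[s] = val }
    n == 3 && k[3] == "src"  { src[s] = val }
    n == 3 && k[3] == "dest" { dest[s] = val }
    n == 3 && k[3] == "network" && type[s] == "zone" {
      m = split(val, w, " ")              # list values: net1 net2 ...
      for (i = 1; i <= m; i++) if (w[i] == net) hit = s
    }
    END {
      if (hit == "") { print "unzoned " net; exit }
      print "zone " name[hit]
      for (i = 1; i <= nf; i++)
        if (src[fwd[i]] == name[hit]) print "forward " name[hit] " -> " dest[fwd[i]]
    }'
}

# Exit 0 when network $1 sits in a zone with a forwarding into zone $2.
reaches() {
  fw_audit "$1" | grep -q -- "-> $2\$"
}

# Constructed sample in `uci show firewall` format.
FW_SAMPLE="firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='guest'
firewall.@zone[1].network='guest' 'vlan60'
firewall.@zone[2]=zone
firewall.@zone[2].name='wan'
firewall.@zone[2].network='wan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='guest'
firewall.@forwarding[1].dest='wan'"

printf '%s\n' "$FW_SAMPLE" | fw_audit vlan60
# On the router: uci show firewall | reaches vlan60 lan && echo "vlan60 can reach lan"
```

The check covers `forwarding` sections only; per-rule ACCEPT entries between zones are outside what it inspects.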