I am looking for a solution to achieve the following setup without using Luci or flashing custom firmware.
I am a big fan of GL.iNet because the UI is very user-friendly and the routers are of good quality. I currently own the following models: GL-MT3000 (Beryl AX), AXT1800 (Slate AX), GL-BE3600 (Slate 7), GL-X3000 (Spitz AX), and GL-X300B (Collie).
Scenario
The GL.iNet router should connect to an existing router either:
in AP mode (Wi-Fi), or
via the WAN port.
Required SSIDs (5 total)
IoT
CCTV
Staff
Admin
Guest
Configuration rules
IoT (hidden SSID) → Route all traffic through WireGuard Tunnel 1
CCTV (hidden SSID) → Route traffic directly to the internet (no VPN)
Staff (hidden SSID) → Route traffic directly to the internet (no VPN)
Admin (hidden SSID) → Route traffic directly to the internet (no VPN) and only allow access to the router’s admin interface
Guest (visible SSID) → Route all traffic through WireGuard Tunnel 2
Additional requirements
All networks must be fully isolated from each other.
Each SSID should be broadcast on both 2.4 GHz and 5 GHz.
I would like to remove the default Wi-Fi settings from the GL.iNet UI and replace them with the SSIDs above, so the UI stays clean.
I know how to access the router via SSH, but my knowledge is not enough to write the correct configuration commands. Could you please help me with this?
Extra questions
Device load (per SSID)
IoT → up to 20 devices, sending only lightweight MQTT messages
CCTV → up to 3 devices (IP cameras, no cloud storage, local recording only)
Staff → up to 5 devices, but usually only 2 active simultaneously
Admin → at most 1 device, used rarely
Guest → up to 15 devices simultaneously
If I use the GL-X3000 (Spitz AX) with a SIM card, is it possible to route the traffic (only from SSID IoT and SSID Admin) directly over 5G in case the main router (AP mode or WAN connection) goes down?
Which router would you recommend for my use case — (a) with cellular fallback, and (b) without?
Unfortunately there is no way to do what you are describing without going via LuCI. It will also require a fair bit of work and understanding to achieve, the use of VLANs etc. I'm not entirely sure how many SSIDs can even be broadcast on a per glinet device basis, as I know access points have SSID limits.
That isn't possible. The glinet GUI is hard coded, you won't even see any clients in the clients list unless they are using the standard LAN / WiFi.
I'm hoping that in the future glinet release a mini ecosystem like other competitors that would make this easier to achieve. For now, if you want to use the current glinet products you are going to have to get in LuCI and tinker. Something like OPNsense and access points might be more suited for your more advanced topology.
Here is a video explaining how to achieve VLANs and separation, also check out his full channel of videos.
Also the limitation is at 2 or 3 SSIDs per band, one is given up by the guest network, and it is very possible the code works against your use case because it wants to change the interface.
Instead, what you can do if you feel comfortable doing it, though it requires exclusively the use of OP24 and VLANs, is use multi-PSK: based on the password used, you are sent to the VLAN network. That is currently what I'm using at my home. For a dumb AP scenario you can use: option vlan_tagged_interface 'eth1'
You can use either the old wpa_psk_file option, or use wifi-vlan and wifi-station.
What doesn't work with multi-PSK is fast roaming; it requires a special fix/patch and requires compiling OpenWrt yourself. WPA3/SAE requires list mac 'xxx' inside the wifi-station section and may only work on an even more recent version of OP24; not sure if GL firmware supports that yet.
For VLANs I also wrote an up-to-date tutorial, I also like the videos of onemarcfifty.
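An added example, not code from this thread or from OpenWrt: with the wpa_psk_file approach mentioned above, the password alone decides which VLAN a client joins, so this Python script audits such a file before it goes on the router. It reads the hostapd wpa_psk_file line format (optional `vlanid=` options, then MAC address, then passphrase); the VLAN IDs, MAC address and passphrases in the sample are constructed.

```python
import re
WILDCARD = "00:00:00:00:00:00"  # hostapd: this entry may be used by any station
MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}")
RAW_PSK_RE = re.compile(r"[0-9a-fA-F]{64}")  # 256-bit PSK given as hex

def parse_psk_file(text):
    """Parse lines of the form: [key=value ...] <MAC> <passphrase>."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        rest = raw.strip()
        if not rest or rest.startswith("#"):
            continue
        opts = {}
        token, _, rest = rest.partition(" ")
        while "=" in token:  # leading options such as vlanid=, keyid=, wps=
            key, _, value = token.partition("=")
            opts[key] = value
            token, _, rest = rest.partition(" ")
        entries.append({"line": lineno, "vlanid": opts.get("vlanid"),
                        "mac": token.lower(), "psk": rest})
    return entries

def audit(text):
    """Return (line, message) findings that weaken per-password VLAN separation."""
    findings, seen = [], []
    for e in parse_psk_file(text):
        if not MAC_RE.fullmatch(e["mac"]):
            findings.append((e["line"], "invalid MAC address"))
        if not (8 <= len(e["psk"]) <= 63 or RAW_PSK_RE.fullmatch(e["psk"])):
            findings.append((e["line"], "passphrase must be 8..63 characters"))
        if e["vlanid"] is None:
            findings.append((e["line"], "no vlanid: password is not tied to a VLAN"))
        for prev in seen:  # same password usable by the same station, other VLAN
            overlap = WILDCARD in (e["mac"], prev["mac"]) or e["mac"] == prev["mac"]
            if overlap and e["psk"] == prev["psk"] and e["vlanid"] != prev["vlanid"]:
                findings.append((e["line"], f"reuses passphrase of line {prev['line']}"))
        seen.append(e)
    return findings

# Constructed sample: VLAN IDs, MAC and passphrases are made up for illustration.
SAMPLE = """\
vlanid=10 00:00:00:00:00:00 iot-constructed-passphrase
vlanid=30 00:00:00:00:00:00 short
vlanid=40 02:00:00:00:00:01 admin-constructed-passphrase
vlanid=50 00:00:00:00:00:00 iot-constructed-passphrase
00:00:00:00:00:00 guest-without-a-vlan
"""

print("\n".join(f"line {n}: {m}" for n, m in audit(SAMPLE)))
```

A passphrase shared between two VLAN entries means the password no longer identifies a single network, which defeats the isolation the multi-PSK setup is meant to provide.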