Multiple WLANs/SSIDs able to cross communicate

Hello! I have been trying to search around here as well as other results from Google and just have not found anything that quite fits what I am looking for. It could also be that I don’t know what I should be searching for.

So here is what I want. Total of 3 Wifi SSIDs (Main, IoT, Guest). Out of the box obviously my GL.iNet GL-MT6000 has the Main and Guest WiFi networks set up exactly fine. What I am trying to do is get the IoT SSID to issue its own set of IP Addresses, be able to communicate between Main and IoT, and be able to connect to the internet (I’ll attach my super crude drawing below). Ultimately my goal really is just to be able to organize the devices by type using IP Address. All of my non-movable devices like smart speakers and light switches to show up with one range of IP Addresses and then user devices like laptops and tablets to show up in another range.

Should also note that I have a HomeAssistant server (in the picture) that is hardwired via unmanaged switch.

Also below are my redacted config files.

Network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd73:ed4d:a5c1::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config device
	option name 'lan1'
	option macaddr '94:83:c4:a2:ae:b5'

config device
	option name 'lan2'
	option macaddr '94:83:c4:a2:ae:b5'

config device
	option name 'lan3'
	option macaddr '94:83:c4:a2:ae:b5'

config device
	option name 'lan4'
	option macaddr '94:83:c4:a2:ae:b5'

config device
	option name 'lan5'
	option macaddr '94:83:c4:a2:ae:b5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.8.1'
	option netmask '255.255.0.0'
	option ip6assign '60'
	option isolate '0'

config device
	option name 'eth1'
	option macaddr '94:83:c4:a2:ae:b3'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option force_link '0'
	option ipv6 '0'
	option metric '10'

config interface 'wan6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@wan'

config interface 'tethering6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@tethering'

config interface 'wwan6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@wwan'

config interface 'guest'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '172.16.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option multicast_querier '1'
	option igmp_snooping '0'
	option isolate '0'
	option bridge_empty '1'
	option disabled '0'

config interface 'wwan'
	option proto 'dhcp'
	option metric '20'

config interface 'secondwan'
	option ipv6 '0'
	option proto 'dhcp'
	option metric '15'
	option force_link '0'

config interface 'secondwan6'
	option proto 'dhcpv6'
	option disabled '1'
	option metric '15'
	option device '@secondwan'

config interface 'modem_1_1_2_6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@modem_1_1_2'

config rule 'policy_direct_rt'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule 'policy_default_rt_vpn'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule6 'policy_direct_rt6'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule6 'policy_default_rt_vpn6'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config interface 'ovpnserver'
	option proto 'ovpnserver'
	option disabled '1'

config interface 'FerrinIOT'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '10.10.20.1'
	option netmask '255.255.0.0'

config device
	option type 'bridge'
	option name 'br-iot'

Firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '1'
	option flow_offloading_hw '1'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	list network 'secondwan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

config rule 'block_dns'
	option name 'block_dns'
	option src '*'
	option device 'br-*'
	option dest_port '53'
	option target 'REJECT'
	option enabled '0'

config zone
	option name 'guest'
	option network 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Allow-DHCP'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule
	option name 'Allow-DNS'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config include 'vpn_server_policy'
	option type 'script'
	option path '/etc/firewall.vpn_server_policy.sh'
	option reload '1'
	option enabled '1'

config include 'gls2s'
	option type 'script'
	option path '/var/etc/gls2s.include'
	option reload '1'

config include 'glblock'
	option type 'script'
	option path '/usr/bin/gl_block.sh'
	option reload '1'

config redirect
	option enabled '1'
	option proto 'tcp udp'
	option src_dport '443'
	option dest_ip '192.168.1.254'
	option dest_port '8123'
	option src 'wan'
	option name 'GL-HomeAssistant'
	option dest 'lan'

config redirect
	option enabled '1'
	option proto 'tcp udp'
	option src_dport '8123'
	option dest_ip '192.168.1.254'
	option dest_port '8123'
	option src 'wan'
	option name 'GL-HomeAssistant'
	option dest 'lan'

config forwarding 'ovpnserver2wgclient'
	option src 'ovpnserver'
	option dest 'wgclient'
	option enabled '0'

config forwarding 'ovpnserver2ovpnclient'
	option src 'ovpnserver'
	option dest 'ovpnclient'
	option enabled '0'

config rule
	option name 'Allow-DHCP IoT'
	list proto 'udp'
	option src 'IoT'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS IoT'
	option src 'IoT'
	option dest_port '53'
	option target 'ACCEPT'

config rule 'ovpnserver_allow'
	option name 'ovpnserver_allow'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option family 'ipv4'
	option dest_port '1194'
	option enabled '0'

config zone 'ovpnserver'
	option name 'ovpnserver'
	option output 'ACCEPT'
	option mtu_fix '1'
	option network 'ovpnserver'
	option input 'DROP'
	option masq '1'
	option masq6 '1'
	option enabled '0'
	option forward 'REJECT'

config forwarding 'ovpnserver2wan'
	option src 'ovpnserver'
	option dest 'wan'
	option enabled '0'

config forwarding 'lan2ovpnserver'
	option src 'lan'
	option dest 'ovpnserver'
	option enabled '0'

config rule 'sambasharewan'
	option src 'wan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'DROP'

config rule 'sambasharelan'
	option src 'lan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'ACCEPT'

config rule 'glnas_ser'
	option src 'wan'
	option dest_port '6000-6002'
	option dest_proto 'tcp'
	option target 'DROP'

config rule 'webdav_wan'
	option src 'wan'
	option dest_port '6008'
	option dest_proto 'tcp'
	option target 'DROP'

config redirect 'adguard_home'
	option name 'Adguard Home'
	option src 'lan'
	option src_dport '53'
	option dest 'lan'
	option dest_port '3053'
	option proto 'tcpudp'

config redirect 'adguard_home_guest'
	option name 'Adguard Home guest'
	option src 'guest'
	option src_dport '53'
	option dest 'guest'
	option dest_port '3053'
	option proto 'tcpudp'

config zone
	option name 'IoT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'FerrinIOT'

config forwarding
	option src 'IoT'
	option dest 'lan'

config forwarding
	option src 'IoT'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'IoT'

Wireless

config dnsmasq
	option domainneeded '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '0'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'
	option localuse '1'
	option noresolv '1'
	list server '127.0.0.1#3053'

config dhcp 'lan'
	option interface 'lan'
	option start '2148'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'disabled'
	option ra 'disabled'
	option ra_slaac '1'
	option force '1'
	option ignore '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option name 'console.gl-inet.com'
	option ip '192.168.8.1'

config domain
	option name 'console.gl-inet.com'
	option ip '::ffff:192.168.8.1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'disabled'
	option ra 'disabled'
	option ignore '0'

config dhcp 'secondwan'
	option interface 'secondwan'
	option ignore '1'

config dhcp 'FerrinIOT'
	option interface 'FerrinIOT'
	option start '612'
	option limit '150'
	option leasetime '12h'

Your IoT setup should be identical to Guest with only the IP ranges different. If you don’t want to have VLANs and extend it to another AP etc., it is also doable from the UI. But from the CLI it seems really, really easy. Just copy the Guest configuration, rename it to your IoT thing and change the IP ranges. And you do the same for firewall/dhcp.

From your setup, I see an issue with your DHCP. The start is 612, which is obviously wrong. So change this and then try again.

Only issue with just copying the guest is that I want the IoT and Main ‘networks’ to be able to talk to one another.

And yeah the 612 was when I was trying to use 192.168.2.x addresses. So yeah it’s off, could easily just be set to 5220 or something.


Routing is your friend.

But since they are different networks they will only be able to talk by unicast, not by broadcast.

Well, Firewall can do this for you.
And in reality, I insist that I don’t see the need for VLANs, especially since you have only one AP/Router

And you want them to talk to each other anyway. So you don’t need VLAN, you don’t need different networks … I am not sure what the ultimate goal behind this idea is because there is not even a need for different SSIDs.


It’s simple, but be aware that wireless isolation can be problematic in some cases.

What you want is:

Let’s say you want the lan zone to access iot, or a few IPs from lan into iot.

That is called forwarding, but don’t get confused with port forwarding :+1:

What you want in such a case is to go into luci → firewall → traffic rules (tab), and here you create a new rule:

Name: name it what you want
src: lan
dest: iot
destination ip: leave empty if you want access over the full iot network (this is basically just the same as pointing a zone to the other), or use the ip there; in the advanced tab there’s also an option for destination mac.
target (I forgot what it is called in luci): accept

Now your devices in lan can always talk from lan → to iot, but never straight from iot → lan; only in rare edge cases you want that:

  • when you deal with multicast/igmp broadcasting like spotify or other things, I often advise to check in tcpdump how the broadcasting origin occurs. In a lot of cases the router gets used as a proxy to talk between subnets; in that case it won’t be an issue to only forward from src lan → iot, but there might be situations where the iot device needs the advertising first. In such a case I would make a very limited rule to allow src iot to talk → lan with that src ip or mac :+1:

But this is how a proper rule looks :+1:
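The one-way lan → iot forwarding plus the narrow iot → lan exception described in the reply above, written as a UCI /etc/config/firewall fragment. This is an added example, not the poster's config or GL.iNet's defaults; it reuses the 'FerrinIOT' network and 'IoT' zone names from the posted config, and 10.10.20.50 is a constructed sample address for one IoT device.

```uci
# Added example: least-privilege IoT zone. IoT devices get DHCP, DNS and
# internet; only lan may initiate traffic toward IoT (replies are matched
# by connection tracking), except for one explicitly listed IoT device.

config zone
	option name 'IoT'
	list network 'FerrinIOT'
	# router only answers what the rules below allow
	option input 'REJECT'
	option output 'ACCEPT'
	# no IoT -> anything forwarding unless a forwarding/rule grants it
	option forward 'REJECT'

# IoT clients need the router itself only for DHCP and DNS
config rule
	option name 'Allow-DHCP-IoT'
	option src 'IoT'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-IoT'
	option src 'IoT'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# internet for IoT devices
config forwarding
	option src 'IoT'
	option dest 'wan'

# lan may initiate to IoT (covers ping, web UIs, Home Assistant polling)
config forwarding
	option src 'lan'
	option dest 'IoT'

# the narrow exception from the reply: a single IoT device (constructed
# sample address) may initiate connections into lan
config rule
	option name 'Allow-IoT-device-to-lan'
	option src 'IoT'
	option src_ip '10.10.20.50'
	option dest 'lan'
	option proto 'tcp udp'
	option target 'ACCEPT'
```

The posted config redirects port 53 to AdGuard Home on port 3053 only for the lan and guest zones, so an IoT client would also need a matching config redirect with src and dest 'IoT' for its DNS to be filtered.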

If you checkout my original post, the idea is more or less to help organize devices on the network. That way the IoT/SmartHome devices are more easy to spot since they would have a different IP address. Also to try to do it with less regular up keep of static IPs. And to help de-clutter the main network so it’s easier to spot the true end user devices.

If you look at my firewall config, I have exactly that already. It is way down at the bottom of it.

config zone
	option name 'IoT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'FerrinIOT'

config forwarding
	option src 'IoT'
	option dest 'lan'

config forwarding
	option src 'IoT'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'IoT'

Currently though, the IoT is acting like the Guest network: it has internet access, but I can’t ping anything between IoT and lan.

Do you allow ICMP from LAN to IOT?