PSA - GL.Inet routers do not support VLANs nor firewall rules

So yeah, the gl.inet firmware that comes with their routers (such as flint 2) does not allow setting up VLANs. Customer support confirmed it to me with this email:

“We apologize, but GL does not currently support VLAN functionality. Users who require VLANs must configure them using custom methods.”

Their firmware is based on a fork of OpenWrt, but apparently there is a bug in the fork and advanced settings (luci) aren’t really configurable. If you try to set up a VLAN it will lose connectivity and either reset without applying the settings, or lock you out, requiring a factory reset. Ask me how I know.

A related issue is that custom firewall rules are also impossible to configure. This is because on openwrt (including gl.inet’s fork) you can only set firewall rules between different subnets. They don’t work between wired devices within the same ip subnet. So a firewall rule won’t work as a substitute for a vlan, because firewall rules on openwrt/luci gui require vlans in order to work.

This bug in the firmware affects the current, DSA version of openwrt that was forked. It appears from forum posts that in the past VLANs were possible, so maybe it is something gl.inet will fix in a future release. Which would be awesome because their firmware is otherwise very functional and user friendly imo. I just wish I knew about the lack of VLAN and firewall rules support before spending so much time trying to make it work.

For what it’s worth, I flashed pure openwrt onto the same router and had VLANs and firewall rules up and working in short order. The issue is only with gl.inet’s fork/stock firmware, not with openwrt itself. So if you need a VLAN or firewall rules on a current gl.inet router that’s your only option at this time.


Huh? That’s odd. I am using VLANs that I set up in LuCi.

Based on other posts I have seen, the problem probably started with the DSA version of openwrt, which was only recently forked by the GL.inet firmware, I think last month. This is where you must set up bridge filtering on the main (br-lan) bridge in order to get VLANs to work. So if you have an older version of the firmware it might work fine, but if/when you upgrade is when it could become problematic. Also you might want to double check that the VLANs are actually isolated (try to ping) from the main network. When I first set up a VLAN on the router the pre-DSA way (separate interface for the VLAN) it let me do it, but it wasn’t actually isolating the VLAN; I could still ping it, which led me down the road to trying it using the DSA method and my e-mail with customer support.

Well, to be fair, I don't call it broken; it's one of the two, and depending on which platform only one is 9/10 compatible.

For QSDK it often seems to be swconfig, for the MTK SDK DSA.

But I do agree on this, due to the fact they tried to streamline the firmware with both, which fails and is buggy and glitchy. OpenWrt also doesn't have both and won't work with both; for those models with swconfig and a missing cpu this is a reason it is likely more compatible with DSA anyway.

And for the firewall, meh, if they still use iptables that can still be possible; it is even possible to use wrappers for nftables (docker, for example, also still uses iptables), but their solution may be poorly explained. I can understand that in the past ipsets from iptables were preferred due to the nature of automatic wildcarding of domains in dnsmasq, but nftables is able to do this too now.

As for being impossible... I guess you talk about the reasserting of rules? Here is a trick I've abused: just keep the rule but disabled, which should prevent it from doing firewall rules; for the firewall zones just create another network than lan, and basically don't follow standard namings to avoid automation in scripts.

Anyway, I've had my time with the GL firmware, hacking around to my own demands; however, by flashing normal OpenWrt you don't need to do these things. I also went to normal OpenWrt and even went as far as compiling images with my own configs for factory resets. With this I can slowly expand my infrastructure with very complicated topology and solutions, and on top try new things and then sync it back to factory.

On the native 4.x firmware, I noticed this bug that causes what you are experiencing just like I did. I have had VLANs working on my Flint 2 for a while now after I noticed that if I unchecked the VLAN Filtering checkbox and saved and applied, that made my VLAN setup apply and work fine.

False, you can absolutely set up VLANs on GL.inet routers, you just can't do it in GL.inet's GUI.

I'm currently running 13 VLANs on my Flint 3, and I changed the default VLAN, all done via SSH.

Setting up by SSH is interesting, though I would wonder what happens during the next gl.inet firmware update: are the changes made by SSH going to be erased?

No, it is stored in UCI. Also easy to backup with configuration backup in LuCi.

I actually just updated the firmware yesterday; it went fine, nothing broke. If you want to set up VLANs, I and others can help you.

That’s awesome! Could you explain the process of doing it over SSH? I know how to SSH in as root but that’s about it. If you have the commands available to set up the VLANs, and commands to set up the firewall rules for those VLANs to allow DNS/DHCP through to the router device, that would be amazing, thanks.

Sure. The most important thing is to know that the switch port numbering is very weird with the Flint 3. They're numbered differently in the config files than in the Luci GUI, and differently again on the physical ports themselves.

Physical LAN1/WAN2 is LAN4 in Luci, and LAN7 in the config files/SSH.

Physical LAN2 is LAN3 in Luci, and LAN6 in the config files/SSH.

Physical LAN3 is LAN2 in Luci, and LAN5 in the config files/SSH.

Physical LAN4 is LAN1 in Luci, and LAN4 in the config files/SSH.

Also, after setting it up in SSH, if you can't get an IP address via LAN, you might need to connect to WiFi, then go to Luci > Network > Switch... dismiss the warning, then click "Save & Apply". I don't know why, but I've had to do that sometimes.

I don't know what VLANs you're going to want on what ports, but you have to make sure, if you plan to untag a LAN port for a VLAN, to turn off the untag of that port for the default VLAN. You can only have one VLAN untagged per port.

So if you wanted to make an IoT VLAN on LAN2, you have to make sure the main VLAN gets turned off on LAN2.

SSH [email protected]

Make sure LAN2 (6) isn't untagged for the main network:

uci set network.vlan_lan.ports='3t 4ut 5ut 7ut'

Create VLAN 30 (IoT) untagged on LAN2 (6):

uci set network.vlan_iot='switch_vlan'
uci set network.vlan_iot.device='switch1'
uci set network.vlan_iot.vlan='30'
uci set network.vlan_iot.ports='3t 6ut'

uci set network.eth1_30=device
uci set network.eth1_30.type='8021q'
uci set network.eth1_30.ifname='eth1'
uci set network.eth1_30.vid='30'
uci set network.eth1_30.name='eth1.30'

uci add network device
uci set network.@device[-1].type='bridge'
uci set network.@device[-1].name='br-iot'
uci add_list network.@device[-1].ports='eth1.30'

uci set network.iot=interface
uci set network.iot.proto='static'
uci set network.iot.device='br-iot'
uci set network.iot.ipaddr='192.168.30.1'
uci set network.iot.netmask='255.255.255.0'

uci set dhcp.iot=dhcp
uci set dhcp.iot.interface='iot'
uci set dhcp.iot.start='100'
uci set dhcp.iot.limit='150'
uci set dhcp.iot.leasetime='12h'

Now set up the firewall rules. These rules allow the main LAN to access IoT, but IoT cannot access the main LAN. They allow DHCP and DNS, block intra-IoT WiFi traffic, and block access to the router's web UI via IoT.

uci add firewall zone
uci set firewall.@zone[-1].name='iot'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].network='iot'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='iot'
uci set firewall.@forwarding[-1].dest='wan'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='iot'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DHCP-IoT'
uci add_list firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].src='iot'
uci set firewall.@rule[-1].dest_port='67-68'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DNS-IoT'
uci set firewall.@rule[-1].src='iot'
uci set firewall.@rule[-1].dest_port='53'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='Block-IoT-Intra'
uci set firewall.@rule[-1].src='iot'
uci set firewall.@rule[-1].dest='iot'
uci set firewall.@rule[-1].target='REJECT'
uci set firewall.@rule[-1].proto='all'

uci add firewall rule
uci set firewall.@rule[-1].name='Block IoT WebUI'
uci set firewall.@rule[-1].src='iot'
uci set firewall.@rule[-1].target='DROP'
uci set firewall.@rule[-1].dest_port='22 80 443 8080'

Now, add WiFi:

uci set wireless.iot2g=wifi-iface
uci set wireless.iot2g.device='wifi0'
uci set wireless.iot2g.network='iot'
uci set wireless.iot2g.mode='ap'
uci set wireless.iot2g.ifname='wlan30'
uci set wireless.iot2g.ssid='IoT'
uci set wireless.iot2g.encryption='psk2+ccmp'
uci set wireless.iot2g.key='goodlife'
uci set wireless.iot2g.wds='1'
uci set wireless.iot2g.hidden='0'
uci set wireless.iot2g.isolate='1'
uci set wireless.iot2g.disabled='0'
uci set wireless.iot2g.ieee80211k='1'
uci set wireless.iot2g.bss_transition='1'

uci set wireless.iot5g=wifi-iface
uci set wireless.iot5g.device='wifi1'
uci set wireless.iot5g.network='iot'
uci set wireless.iot5g.mode='ap'
uci set wireless.iot5g.ifname='wlan31'
uci set wireless.iot5g.ssid='IoT'
uci set wireless.iot5g.encryption='psk2+ccmp'
uci set wireless.iot5g.key='goodlife'
uci set wireless.iot5g.wds='1'
uci set wireless.iot5g.hidden='0'
uci set wireless.iot5g.isolate='1'
uci set wireless.iot5g.disabled='0'
uci set wireless.iot5g.ieee80211k='1'
uci set wireless.iot5g.bss_transition='1'

uci set wireless.iot6g=wifi-iface
uci set wireless.iot6g.device='wifi2'
uci set wireless.iot6g.network='iot'
uci set wireless.iot6g.mode='ap'
uci set wireless.iot6g.ifname='wlan32'
uci set wireless.iot6g.ssid='IoT'
uci set wireless.iot6g.encryption='sae'
uci set wireless.iot6g.key='goodlife'
uci set wireless.iot6g.wds='1'
uci set wireless.iot6g.hidden='0'
uci set wireless.iot6g.isolate='1'
uci set wireless.iot6g.disabled='0'
uci set wireless.iot6g.ieee80211k='1'
uci set wireless.iot6g.bss_transition='1'

And finally, commit the changes and reboot:

uci commit
reboot
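A pre-commit sanity check for the switch_vlan port lists, as an added example that is not part of the thread or of OpenWrt's or GL.iNet's own tooling: it enforces the one-untagged-VLAN-per-port rule from the post above, so the mistake the post warns about (leaving LAN2 untagged in both the main and the IoT VLAN) is caught before `uci commit`. It assumes port 3 is the CPU port (both VLANs in the post carry "3t") and uses "1" as a constructed id for the main VLAN.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check switch_vlan port lists
# before `uci commit`. A switch port may be untagged ("ut") in only one
# VLAN, and every VLAN must carry port 3 tagged (assumption: 3 is the CPU
# port, since both VLANs in the post list "3t"). Inputs are constructed
# "vid:ports" strings mirroring the post's vlan_lan ('3t 4ut 5ut 7ut') and
# vlan_iot ('3t 6ut') entries; "1" for the main VLAN is a made-up id.

# check_untagged "1:3t 4ut 5ut 7ut" "30:3t 6ut"
# Prints each problem found; returns 0 when clean, 1 otherwise.
check_untagged() {
    conflict=0
    seen=""                 # config port numbers already untagged somewhere
    for entry in "$@"; do
        vid=${entry%%:*}
        ports=${entry#*:}
        cpu_ok=0
        for p in $ports; do
            case "$p" in
                3t) cpu_ok=1 ;;
                *ut)
                    num=${p%ut}
                    case " $seen " in
                        *" $num "*)
                            echo "vlan $vid: port $num is already untagged in another VLAN"
                            conflict=1 ;;
                        *) seen="$seen $num" ;;
                    esac ;;
                *t) ;;      # tagged member, allowed on any number of VLANs
                *) echo "vlan $vid: unexpected port token '$p'"; conflict=1 ;;
            esac
        done
        [ "$cpu_ok" -eq 1 ] || { echo "vlan $vid: CPU port 3 is not tagged"; conflict=1; }
    done
    return "$conflict"
}

# On the router itself the live lists can be fed in with `uci get`, e.g.:
#   check_untagged "1:$(uci get network.vlan_lan.ports)" "30:$(uci get network.vlan_iot.ports)"
# Offline demonstration: the post's values, then the conflict it warns about
# (port 6 still untagged in the main VLAN as well as in the IoT VLAN).
check_untagged "1:3t 4ut 5ut 7ut" "30:3t 6ut" && echo "post's config: OK"
check_untagged "1:3t 4ut 5ut 6ut 7ut" "30:3t 6ut" || echo "conflict detected as expected"
```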

Thank you!!!


You're very welcome!

Glad you got it all sorted.