Segmenting LAN networks on Flint2 - VLANs vs Bridges

I have a Flint 2 router running stock GL.iNet firmware 4.8.4.

I am trying to segment my LAN ports. Goals:

- one interface for "management" connected to a single LAN port and a dedicated SSID assigned to it. This interface should have access to everything.

- one interface with a single LAN port connected to a server running Proxmox. This interface should have limited access.

Right now I have a functional system with all LAN ports bridged on br-lan on the main LAN interface, and a long list of firewall rules. I could greatly simplify the firewall rules if I could assign separate interfaces to each LAN port.

I have tried:

- Setting up VLANs following the OneMarcFifty video: https://www.youtube.com/watch?v=qeuZqRqH-ug. With this I am able to achieve connectivity on different subnets on each LAN/VLAN port, but SSIDs assigned to these VLAN-associated interfaces do not function. Under the wireless menu, I add the correct network interface, but even after applying and rebooting, there is no association on the interfaces tab (no little radio tower icon). I am able to connect to these SSIDs, but there is no internet or network access.

- I also tried just making separate bridge devices for each LAN port and assigning those to separate interfaces. The opposite happens here. The LAN ports that I leave on br-lan remain functional, but the new bridge interfaces have no connectivity on the associated LAN ports. I am, however, able to assign SSIDs to these new bridge interfaces, and the WiFi works according to the assigned firewall zones.

These limitations apply even when I assign all test interfaces the same LAN firewall zone to rule out some sort of firewall issue.

I am stumped. I would really like to get VLANs working, but for my current setup, either solution I think would be fine. If anybody has any idea of what might be going on, please let me know.







Hi,

You may want to draw a detailed network topology and outline your planned configuration, then share your current Flint 2 configuration files so that we—or other forum users—can provide suggestions.

You can SSH into the Flint 2 and run the following commands to retrieve the relevant configuration files:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp

Please make sure to hide sensitive information such as MAC addresses and Wi-Fi SSIDs/passwords.

@sto1 I think you may want to choose a routed bridge.

Like you have shown on the pictures.

Just make sure that in the advanced tab of the interface you uncheck "Use default gateway", because it isn't going to behave as a WAN interface; with this checked, this interface could overtake WAN, which is not what you want.

You can add a completely different firewall zone than lan, so that lan is isolated from your new firewall zone inside the server network.

You would only choose VLANs over a routed bridge when you want to isolate further down in your network.

This can mean one of two things:

  1. In Proxmox you want more WAN-like networks to speak to, let's say proxmox and proxmox_vpn. This is currently what I do: Proxmox itself listens on the native VLAN for management, while I also send 2 tagged VLANs for the VMs, basically exactly how DSA does it in OpenWrt. That is also how it works in the Proxmox raw config: you get the bridge, and in your VMs you can use the VLANs inside it.

  2. You want to propagate a VLAN to another switch or to VLAN-aware routers.

But if it stops at only a single network on a port, bridge routing is more than suitable and easier.

Setting up a bridge route interface to a single LAN port should be easy, right?!?! Maybe let's start there. Hopefully you can help me figure out why this simple thing isn't working.

The problem with the bridge interface port on single LAN is that the LAN port has no connectivity. I can assign SSID to this interface and the WIFI has connectivity, but the LAN port does not.

Eventually I hope to set up VLANs for further downstream isolation, as well as WiFi VLANs and multi-PSK to reduce the number of SSIDs, but baby steps.

I will add network drawings and config files below.

Can you tell me which firmware type you are attempting this on?

The MTK SDK and QSDK are very limited in the WiFi settings available from LuCI; I recommend op24 builds for this. Also, if a change has been made for WiFi, at least for the MTK SDK, a full router restart is needed for it to be fully applied.

Here is a simplified version of what I am trying to achieve here. Basically I just want each LAN port to have its own separate interface (or VLAN). I would also like to be able to associate WiFi SSIDs with some of the LAN port interfaces (so that the individual SSID and the individual LAN port are on the same network subnet).

Here is my basic network setup currently. It works, but the firewall rules are chaos.

xize11- This router is running Glinet v4.8.4.

I will deal with the wifi-vlans in the future. That is a whole other problem where the non-proprietary drivers cause significantly slower wifi speeds compared to the stock Mediatek drivers. I did the op24 upgrade in the past and got wifi-vlans and multi-psk working (with your help), but the speeds were so slow I had to abandon that project. Right now I'm okay just having multiple SSIDs. Maybe op25 will have better drivers.

/etc/dhcp

config dnsmasq
option domainneeded '1'
option boguspriv_old '1'
option localise_queries '1'
option rebind_localhost '1'
option local '/lan/'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option ednspacket_max '1232'
option confdir '/tmp/dnsmasq.d'
option filter_aaaa '1'
option noresolv '1'
list server 'xxx#3053'
option localuse '0'
option rebind_protection '1'
option dnssec '1'
option domain 'lan'
option localservice '0'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option force '1'
list ra_flags 'none'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'

config domain
option name 'console.gl-inet.com'
option ip '192.168.x.x'

config domain
option name 'console.gl-inet.com'
option ip '::ffff:192.168.x.x'

config dhcp 'secondwan'
option interface 'secondwan'
option ignore '1'

config dnsmasq 'wgclient1'
option domainneeded '1'
option localise_queries '1'
option rebind_protection '0'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.wgclient1'
option ednspacket_max '1232'
option confdir '/tmp/dnsmasq.d.wgclient1'
option port '2153'
option filter_aaaa '1'
option user 'dnsmasq_vpn'
list addnhosts '/tmp/hosts.vpn'
option ignore_hosts_dir '1'
option disabled '1'
option dnssec '1'
option domain 'lan guest wan'
option localservice '0'

config dhcp 'main'
option interface 'main'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'

config dhcp 'iot'
option interface 'iot'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'

config dhcp 'server'
option interface 'server'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'

/etc/network/

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr 'xx'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fdd6:01d4:2fc7::/48'

config device
option name 'br-lan'
option type 'bridge'
option macaddr 'xx'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan5'

config device
option name 'lan1'
option macaddr 'xx'

config device
option name 'lan2'
option macaddr 'xx'

config device
option name 'lan3'
option macaddr 'xx'

config device
option name 'lan4'
option macaddr 'xx'

config device
option name 'lan5'

config interface 'lan'
option proto 'static'
option ipaddr '192.168.x.x'
option netmask '255.255.255.0'
option ip6assign '60'
option isolate '0'
option device 'br-lan'

config device
option name 'eth1'
option macaddr 'xx'

config interface 'wan'
option device 'eth1'
option proto 'dhcp'
option force_link '0'
option ipv6 '0'
option classlessroute '0'
option metric '10'

config interface 'wan6'
option proto 'dhcpv6'
option device '@wan'
option disabled '1'

config interface 'guest'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.y.x'
option netmask '255.255.255.0'
option ip6assign '60'
option multicast_querier '1'
option igmp_snooping '0'
option isolate '0'
option bridge_empty '1'
option disabled '0'

config device
option type 'bridge'
option name 'br-main'
option mtu '1500'
option txqueuelen '1000'
option ipv6 '0'

config interface 'main'
option proto 'static'
option device 'br-main'
option netmask '255.255.255.0'
option ipaddr '192.168.z.x'

config rule 'main_static_net'
option gl_vpn_rules '1'
option suppress_prefixlength '0'
option priority '800'
option lookup '9910'
option disabled '0'

config device
option type 'bridge'
option name 'br-server'
list ports 'lan4'

config interface 'server'
option proto 'static'
option device 'br-server'
option ipaddr '192.168.x.x'
option netmask '255.255.255.0'

/etc/wireless/

config wifi-device 'mt798611'
option type 'mtk'
option band '2g'
option htmode 'HE40'
option channel 'auto'
option country 'US'
option random_bssid '1'
option disabled '0'
option legacy_rates '0'
option hwmode '11g'

config wifi-iface 'wifi2g'
option device 'mt798611'
option mode 'ap'
option ifname 'ra0'
option encryption 'psk2'
option wds '1'
option ieee80211k '1'
option bss_transition '1'
option ssid 'IoT'
option key 'xx'
option disabled '0'
option isolate '1'
option network 'iot'
option macaddr 'xx'

config wifi-device 'mt798612'
option type 'mtk'
option band '5g'
option channel 'auto'
option htmode 'HE80'
option country 'US'
option random_bssid '1'
option txpower '50'
option hwmode '11a'

config wifi-iface 'wifi5g'
option device 'mt798612'
option mode 'ap'
option ifname 'rax0'
option wds '1'
option ieee80211k '1'
option bss_transition '1'
option key 'xx'
option ssid 'MGMT'
option encryption 'sae'
option macaddr 'xx'
option network 'lan'

config wifi-iface 'guest2g'
option device 'mt798611'
option mode 'ap'
option ifname 'ra1'
option encryption 'psk2'
option guest '1'
option wds '1'
option isolate '1'
option network 'guest'
option ssid 'GUEST'
option key 'xx'
option disabled '1'
option macaddr 'xx'

config wifi-iface 'guest5g'
option device 'mt798612'
option mode 'ap'
option ifname 'rax1'
option guest '1'
option wds '1'
option isolate '1'
option key 'xx'
option network 'main'
option ssid 'xx'
option encryption 'psk-mixed'
option macaddr 'xx'

This is fine, except you are missing this:

option defaultroute '0'

In LuCI, if you edit the server interface, the advanced settings tab reflects the "Use default gateway" checkbox, which is checked by default and not listed in uci. By explicitly setting this to 0 you uncheck that checkbox, so this interface does not get seen as a WAN-type interface; otherwise this could clash with your internet WAN connection. You only want wan to be the default route.

All other things look correct here.

This looks correct.

As for the firewall, you may want to not put the server interface in lan; instead, create a new firewall zone and make sure the input is set to ACCEPT and not to drop or reject.

Then you edit the zone and add the zone to forward to; this must be wan or wgclient, depending on what your intentions are. Note that for wgclient you need to perform some extra action so that the fwmark is applied; if that's the case, just ping me again.

Now let's say you want to make the server accessible for lan but lan not visible for server. Then you go inside the firewall settings where you defined the zones; there is a tab called traffic rules. Please add one and ensure that the source zone is lan (optionally, to restrict further, you can limit it to a lan client with a source IP or source MAC) and the destination zone is server; then you just set the action to accept.

So this way, if you made first contact, the server is allowed to communicate back on the same connection, but the server can't communicate with lan if you didn't initiate contact first.

This page will help you more, and also with WiFi; it is important to know that you must restart the router so that the WiFi works properly and the change is applied.

@xize11 You are a champion of knowledge!

What you describe about firewall zones and rules is exactly (part of) what I am trying to achieve. I already have this functionally set up using a bunch of traffic rules for the IP addresses of VMs, but creating separate interfaces would be much better.

Question: "Use default gateway" is checked for the default br-lan interface configured by GL.iNet. "option defaultroute" is also not specified in this default br-lan interface. This default br-lan network functions without clashing with the wan (I hope!).

I similarly have "Use default gateway" checked for WiFi-only interfaces, which also work fine. Why do these settings need to be different for user-created interfaces? How does the "Use default gateway" setting affect the function of the associated LAN port (but not SSIDs)?


OK, I tried making a fresh bridge interface with "Use default gateway" unchecked and the suggested /etc/config/network stanza. The result is the same: I can add a WiFi SSID to the new mgmt interface and that works, but there is no connectivity at the LAN 5 port.

Procedure:

  1. Create bridge device "br-mgmt". Leave other settings default.
  2. Remove the lan5 port from br-lan.
  3. Create the "mgmt" interface.
  4. Uncheck "Use default gateway".

confirm settings in /etc/config/network

config device
option type 'bridge'
option name 'br-mgmt'
list ports 'lan5'

config interface 'mgmt'
option proto 'static'
option device 'br-mgmt'
option defaultroute '0'
option ipaddr '192.168.50.1'
option netmask '255.255.255.0'

Have you enabled the DHCP server and firewall zone for this network?
Please check the DHCP Server tab and firewall settings.

Also, try assigning a static IP address to the client device and see if you can access the router via 192.168.50.1.

will.qiu - Yes, DHCP server enabled and firewall zone set to "lan"

I tried assigning a static IP to the client device. I can confirm that doing this enables access to the router via 192.168.50.1 when connected lan5 port. There is no internet access to the client device in this arrangement.

DHCP is functional. Assigning a static IP to the client is not required to access the router at 192.168.50.1

So the issue is that client devices connected to LAN 4 cannot access the internet?

Please try running the following command on the client device:

# Windows (Command Prompt)
nslookup google.com
tracert 8.8.8.8

# macOS / Linux
nslookup google.com
traceroute 8.8.8.8

The issue is...no longer an issue. I know WHAT I did that fixed it, I just don't know WHY it worked. I deleted the default OS wired connection profile, and then created a new one with the same settings. Now I can access the router at 192.168.8.1, 192.168.50.1 and can access the internet all from LAN 5.

Thanks for the help!!!


For lan this checkbox is fine, because OpenWrt treats this as a special interface.

But for created interfaces this is not recommended, and it needs to be unchecked.

I think the reason OpenWrt defaults it to lan is because of IPv6, since lan is often set as the designated master in their documentation; that's the only reason I can think of. But you can experiment with this and check ip r. I learned that it can lead to wrong default routing on other non-WAN-like interfaces.

For wireless it is necessary that the "keep up bridge" checkbox is checked; this ensures the wireless phy DSA device can attach itself to the bridge without it being down.

If the issue is still present with no connection, please check the firewall. Usually on new zones the input part is set to reject or drop; it must be set to accept so that DHCP can be received.
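The two pitfalls xize11 points out in this thread (a user-created static interface that is missing "option defaultroute '0'", and a new firewall zone whose input is not ACCEPT or that has no forwarding to wan) are easy to check for before rebooting. The script below is an added example, not code from the thread, from GL.iNet or from OpenWrt: it parses plain UCI syntax with awk and audits the network and firewall configs for those mistakes. The two sample configs are constructed for the example (192.168.60.1 and the "lan-to-server" rule name are assumptions, not values from the posts); on a real Flint 2 you would feed it /etc/config/network and /etc/config/firewall instead.

```shell
#!/bin/sh
# Added example (not from the thread). Audits OpenWrt/GL.iNet UCI configs for a
# non-wan static interface lacking "option defaultroute '0'" and for a firewall
# zone with input != ACCEPT or no forwarding to wan. Samples are constructed.

# Flatten a UCI file (stdin) to one "type section key value" line per option/list.
# Anonymous sections ("config zone") get a synthetic name from type and line number.
uci_flatten() {
    awk -F"'" '
    { split($1, w, " ") }
    w[1] == "config" { type = w[2]; sec = ($2 != "") ? $2 : type "_" NR; next }
    w[1] == "option" || w[1] == "list" { print type, sec, w[2], $2 }
    '
}

# Static interfaces other than lan/loopback lacking "option defaultroute '0'"
# (the LuCI "Use default gateway" checkbox). These can compete with wan for
# the default route, which is the clash the reply warns about.
defaultroute_gaps() {
    uci_flatten | awk '
    $1 == "interface" && $3 == "proto" { proto[$2] = $4 }
    $1 == "interface" && $3 == "defaultroute" { dr[$2] = $4 }
    END {
        for (n in proto)
            if (proto[n] == "static" && n != "lan" && n != "loopback" && dr[n] != "0")
                print n
    }' | sort
}

# Zones other than wan whose input is not ACCEPT (DHCP/DNS to the router fails)
# or that have no "config forwarding" to wan (no internet). One finding per line.
zone_gaps() {
    uci_flatten | awk '
    $1 == "zone" && $3 == "name" { zname[$2] = $4 }
    $1 == "zone" && $3 == "input" { zinput[$2] = $4 }
    $1 == "forwarding" && $3 == "src" { fsrc[$2] = $4 }
    $1 == "forwarding" && $3 == "dest" { fdest[$2] = $4 }
    END {
        for (f in fsrc) if (fdest[f] == "wan") towan[fsrc[f]] = 1
        for (z in zname) {
            n = zname[z]
            if (n == "wan") continue
            if (zinput[z] != "ACCEPT") print n ":input=" zinput[z]
            if (!(n in towan)) print n ":no-forwarding-to-wan"
        }
    }' | sort
}

# Constructed /etc/config/network: "server" forgets defaultroute, "mgmt" sets it.
sample_network() {
    cat <<'EOF'
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
config interface 'server'
	option device 'br-server'
	option proto 'static'
	option ipaddr '192.168.60.1'
config interface 'mgmt'
	option device 'br-mgmt'
	option proto 'static'
	option defaultroute '0'
EOF
}

# Constructed /etc/config/firewall: "server" zone has input REJECT and no
# forwarding to wan; "mgmt" is set up as the reply describes, plus the
# lan -> server traffic rule that lets lan initiate but not the reverse.
sample_firewall() {
    cat <<'EOF'
config zone
	option name 'lan'
	option input 'ACCEPT'
config zone
	option name 'wan'
	option input 'REJECT'
config forwarding
	option src 'lan'
	option dest 'wan'
config zone
	option name 'server'
	option input 'REJECT'
config zone
	option name 'mgmt'
	option input 'ACCEPT'
config forwarding
	option src 'mgmt'
	option dest 'wan'
config rule
	option src 'lan'
	option dest 'server'
	option target 'ACCEPT'
EOF
}

# On the router: uci_flatten < /etc/config/network etc. Here the samples are used.
sample_network | defaultroute_gaps
sample_firewall | zone_gaps
```

Run against the samples it reports "server" as the interface that still competes for the default route, and "server:input=REJECT" plus "server:no-forwarding-to-wan" for the zone, which matches the failure mode in the thread (router reachable with a static IP, but no DHCP and no internet). It only reads the config files, so it is safe to run over SSH before applying changes.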