Set up multiple SSIDs tagged with VLAN on Slate 7 (GL-BE3600) using DSA

I’ve been banging my head against this for weeks now and could really use some help. I’m trying to configure my Slate 7 (GL.iNet GL-BE3600) as a dumb access point with multiple SSIDs, each tagged with a different VLAN, passing traffic to my router (which handles DHCP, routing, and firewall). I just need to create multiple SSIDs (e.g., LAN, GUEST), each assigned to its own VLAN ID (1 and 150), and have the Slate 7 bridge them to the Ethernet port.

What I’ve done:

  • Did a fresh reset of the device (multiple times over the past few weeks).
    • Enabled VLAN filtering on br-lan.
    • Created VLAN ID 1: tagged on eth0, untagged on eth1.
    • Created VLAN ID 150: tagged on eth0, not a member of eth1.
  • This resulted in the auto-generation of br-lan.1 and br-lan.150 vlan devices.
  • Then I
    • Assigned br-lan.1 to the LAN interface and br-lan.150 to the GUEST interface.
    • Attached the two wireless SSIDs to these interfaces.

The device is not doing any DHCP, so neither interface has a static address.

What’s working:

  • Wired clients (connected to eth1) get internet through the LAN VLAN (1) - My base network - just fine.
  • Interfaces and bridges show up correctly.
  • The WiFi SSIDs do broadcast, but devices cannot connect to them. I did get a successful connection for a few seconds in one of my earlier trials, but I reset after that, so I have no clue what I did differently then.

What’s NOT working:

  • Wireless clients do not get internet access.
  • SSIDs are assigned to the right interfaces (which point to the right VLAN bridge devices), but no traffic goes through.
  • I’ve tried reordering, and even compared it with my GL.iNet Mango (MT300N), where this setup worked (after little effort). But to be fair, I only got it to work on the Mango without using DSA, by instead creating VLANs and tagging them in the now-deprecated Network > Switch tab.

Thanks in advance

/etc/config/network
# /etc/config/network as posted. br-lan bridges eth0 and eth1; the two
# bridge-vlan sections at the end define VLAN 1 (used by 'lan') and
# VLAN 150 (used by 'guest'). All comments below are review notes; no
# option has been changed.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd5:b677:7f8d::/48'

# Bridge over both Ethernet ports. No explicit vlan_filtering option appears
# in this section. NOTE(review): confirm filtering is really active at
# runtime (e.g. `bridge vlan show`) before relying on it to keep VLAN 1 and
# VLAN 150 apart.
config device
	option name 'br-lan'
	option type 'bridge'
	option macaddr '94:83:c4:ab:e5:e3'
	list ports 'eth0'
	list ports 'eth1'

# eth1 carries the same MAC address as br-lan above.
config device
	option name 'eth1'
	option macaddr '94:83:c4:ab:e5:e3'
	option isolate '0'

# Management/LAN side of the AP on VLAN 1. proto is 'dhcp', so the AP asks
# the upstream router for its own address here. ipaddr_old, netmask and
# ip6assign look like leftovers from the former static setup -- presumably
# unused under proto 'dhcp'; verify.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'dhcp'
	option ipaddr_old '192.168.8.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option isolate '0'
	option multicast_querier '0'
	option igmp_snooping '0'
	option force_link '1'

config device
	option name 'eth0'
	option macaddr '94:83:c4:ab:e5:e2'

# 'wan' is disabled but still names eth0, which is also a br-lan port above.
config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option force_link '0'
	option ipv6 '0'
	option classlessroute '0'
	option metric '10'
	option disabled '1'

config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'
	option disabled '1'

# Guest side on VLAN 150.
# NOTE(review): unlike 'lan', this section sets 'type bridge' in addition to
# a VLAN sub-device of br-lan; that interface-level bridge option is the
# older syntax and may wrap br-lan.150 in a second bridge -- confirm whether
# it should be dropped so the section mirrors 'lan'.
# NOTE(review): proto 'dhcp' gives the AP its own address inside the guest
# VLAN, which makes the AP's management services reachable from guest
# clients unless the firewall (not shown) blocks input from this network.
# For a pure bridge an unmanaged interface (proto 'none') avoids that;
# verify against the intended design.
config interface 'guest'
	option type 'bridge'
	option proto 'dhcp'
	option multicast_querier '1'
	option igmp_snooping '0'
	option isolate '0'
	option bridge_empty '1'
	option device 'br-lan.150'

# Policy-routing rules from here on reference tables 16800, 8000 and 'main'
# plus firewall marks. They do not mention the VLAN devices; presumably
# vendor VPN/policy plumbing -- confirm before touching.
config rule 'policy_relay_lo_rt_lan'
	option lookup '16800'
	option in 'loopback'
	option priority '1'

config interface 'tethering6'
	option device '@tethering'
	option proto 'dhcpv6'
	option disabled '1'

config interface 'wwan6'
	option device '@wwan'
	option proto 'dhcpv6'
	option disabled '1'

# 'wwan' and 'secondwan' have no device and no 'disabled' option in this
# listing.
config interface 'wwan'
	option proto 'dhcp'
	option classlessroute '0'
	option metric '20'

config interface 'secondwan'
	option ipv6 '0'
	option proto 'dhcp'
	option metric '15'
	option force_link '0'
	option classlessroute '0'

config interface 'secondwan6'
	option proto 'dhcpv6'
	option device '@secondwan'
	option disabled '1'

config rule 'policy_direct_rt'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule 'policy_default_rt_vpn'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule6 'policy_direct_rt6'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule6 'policy_default_rt_vpn6'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule 'policy_default_rt_vpn_ts'
	option lookup 'main'
	option priority '1099'
	option mark '0x80000/0xc0000'
	option invert '0'

# VLAN 1: tagged on eth0 (':t'), untagged and PVID on eth1 (':u*').
# The upstream port must therefore send and accept VLAN 1 *tagged*.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:t'
	list ports 'eth1:u*'

# VLAN 150: tagged on eth0 and, because of the '*', also eth0's PVID.
# NOTE(review): with this PVID, untagged frames arriving on eth0 are
# classified into the guest VLAN. If eth0 is meant to be a tagged-only
# trunk, confirm the '*' is intended.
config bridge-vlan
	option device 'br-lan'
	option vlan '150'
	list ports 'eth0:t*'
/etc/config/wireless
# /etc/config/wireless as posted. Comments are review notes; no option has
# been changed.
# NOTE(review): every 'option key' below is a Wi-Fi passphrase in clear
# text. Because this listing is public, treat them as disclosed and set new
# passphrases on the device; redact 'key' values before sharing configs.
config wifi-device 'wifi0'
	option type 'qcawificfg80211'
	option channel 'auto'
	option macaddr '94:83:c4:ab:e5:e4'
	option hwmode '11beg'
	option country 'US'
	option txpower '30'
	option random_bssid '1'
	option band '2g'
	option htmode 'HT40'
	option legacy_rates '0'

# 2.4 GHz SSID 'GL-Iot', attached to network 'lan' (VLAN 1).
# encryption is 'psk2+ccmp' with sae '0'. The key is 8 characters, the
# minimum length for a WPA2 passphrase; short passphrases are the weak
# point of PSK networks, so a longer random one is advisable.
# wds '1' is set. NOTE(review): confirm WDS/4-address clients are actually
# needed on this AP.
config wifi-iface 'wifi2g'
	option device 'wifi0'
	option network 'lan'
	option mode 'ap'
	option ssid 'GL-Iot'
	option encryption 'psk2+ccmp'
	option macaddr '6E:42:E1:66:75:14'
	option factory_macaddr '94:83:c4:ab:e5:e4'
	option key 'helloiot'
	option wds '1'
	option isolate '0'
	option hidden '0'
	option ifname 'wlan0'
	option ieee80211k '1'
	option bss_transition '1'
	option sae '0'

config wifi-device 'wifi1'
	option type 'qcawificfg80211'
	option channel 'auto'
	option macaddr '94:83:c4:ab:e5:e5'
	option hwmode '11bea'
	option disabled '0'
	option country 'US'
	option txpower '30'
	option random_bssid '1'
	option band '5g'
	option htmode 'HT160'
	option channels '36,40,44,48'

# 5 GHz SSID 'GL-Trust', also attached to network 'lan' (VLAN 1).
# 'psk2+ccmp' together with sae '1' -- presumably a WPA2/WPA3 mixed mode in
# this vendor driver; confirm.
config wifi-iface 'wifi5g'
	option device 'wifi1'
	option network 'lan'
	option mode 'ap'
	option ssid 'GL-Trust'
	option encryption 'psk2+ccmp'
	option macaddr 'CE:4E:07:B1:C2:CF'
	option factory_macaddr '94:83:c4:ab:e5:e5'
	option key 'hellotrust'
	option wds '1'
	option isolate '0'
	option hidden '0'
	option ifname 'wlan1'
	option ieee80211k '1'
	option bss_transition '1'
	option sae '1'

# 2.4 GHz SSID 'GL-Guest', attached to network 'guest' (VLAN 150). It is the
# only guest wifi-iface in this file without disabled '1'.
# isolate '1' is set -- presumably client-to-client isolation on this radio
# interface only; keeping guests away from the LAN still depends on VLAN 150
# and on the upstream router's firewall.
# NOTE(review): wds '1' is also set on this guest SSID; confirm 4-address
# clients are wanted on a guest network.
config wifi-iface 'guest2g'
	option device 'wifi0'
	option network 'guest'
	option mode 'ap'
	option ifname 'wlan01'
	option encryption 'psk2+ccmp'
	option key 'helloguest'
	option ssid 'GL-Guest'
	option macaddr '72:68:85:A8:B6:9A'
	option factory_macaddr '96:83:c4:ab:e5:e4'
	option guest '1'
	option wds '1'
	option isolate '1'
	option hidden '0'
	option sae '0'

# All remaining wifi-iface sections carry disabled '1'.
config wifi-iface 'wlanmld2g'
	option device 'wifi0'
	option network 'lan'
	option mode 'ap'
	option macaddr '6A:BA:28:29:31:22'
	option factory_macaddr '94:83:c4:ab:e5:e6'
	option ssid 'GL-BE3600-5e2-MLO'
	option encryption 'ccmp'
	option sae '1'
	option key 'XFJ4T8X7JQ'
	option wds '1'
	option isolate '0'
	option hidden '0'
	option ifname 'wlan02'
	option ieee80211k '1'
	option bss_transition '1'
	option disabled '1'
	option mld 'mld0'

# The same key is shared by the three disabled guest sections below
# (wlanmldguest2g, guest5g, wlanmldguest5g). NOTE(review): it looks like a
# vendor default; set a unique passphrase before enabling any of them.
config wifi-iface 'wlanmldguest2g'
	option device 'wifi0'
	option network 'guest'
	option mode 'ap'
	option ifname 'wlan03'
	option encryption 'ccmp'
	option sae '1'
	option key 'goodlife'
	option ssid 'GL-BE3600-5e2-MLO-Guest'
	option macaddr 'DE:1D:D5:3A:33:E1'
	option factory_macaddr '96:83:c4:ab:e5:e6'
	option guest '1'
	option disabled '1'
	option wds '1'
	option isolate '1'
	option hidden '0'
	option mld 'mld1'

config wifi-iface 'guest5g'
	option device 'wifi1'
	option network 'guest'
	option mode 'ap'
	option ifname 'wlan11'
	option encryption 'psk2+ccmp'
	option key 'goodlife'
	option ssid 'GL-BE3600-5e2-5G-Guest'
	option macaddr '12:78:23:E7:46:E9'
	option factory_macaddr '96:83:c4:ab:e5:e5'
	option guest '1'
	option disabled '1'
	option wds '1'
	option isolate '1'
	option hidden '0'

config wifi-iface 'wlanmld5g'
	option device 'wifi1'
	option network 'lan'
	option mode 'ap'
	option macaddr '26:08:BF:42:E9:63'
	option factory_macaddr '94:83:c4:ab:e5:e7'
	option ssid 'GL-BE3600-5e2-MLO'
	option encryption 'ccmp'
	option sae '1'
	option key 'XFJ4T8X7JQ'
	option wds '1'
	option isolate '0'
	option hidden '0'
	option ifname 'wlan12'
	option ieee80211k '1'
	option bss_transition '1'
	option disabled '1'
	option mld 'mld0'

config wifi-iface 'wlanmldguest5g'
	option device 'wifi1'
	option network 'guest'
	option mode 'ap'
	option ifname 'wlan13'
	option encryption 'ccmp'
	option sae '1'
	option key 'goodlife'
	option ssid 'GL-BE3600-5e2-MLO-Guest'
	option macaddr 'C2:4E:19:C2:CB:10'
	option factory_macaddr '96:83:c4:ab:e5:e7'
	option guest '1'
	option disabled '1'
	option wds '1'
	option isolate '1'
	option hidden '0'
	option mld 'mld1'

My suspicion is that eth0 cannot be part of br-lan. This makes sense, because this port is separated from the CPU switch.

You want to tag these straight as:

Put eth0.150 under an interface, then check whether it receives an address via DHCP, and remove eth0 from br-lan.

Then insert the wan cable in a lan port and then you can do DSA bridge filtering.

You could use eth0 maybe as maintenance port.

I had this situation exactly on the Flint 2 :smiley:

On a different note:

You could try unchecking the "local" checkbox and see whether it then does something while eth0 is still in br-lan. I have not tested this for VLAN 150 on the WAN port itself, but thinking about it, this checkbox is related to the switch CPU anyway.


Hi, thanks for the suggestions. I did a full factory reset and have now set it as a dumb ap on a flat network. It's been a busy week, so I'm probably only going to have time to test this weekend. Will keep you posted...
