Setup VLANs on GL-MT6000

I would like to setup the GL-MT6000 with 2 VLANs and one new WLAN SSID

  • New WLAN SSID: IoT
  • VLAN 10: LAN 1 and WLAN IoT
  • VLAN 99: LAN 2-5 and existing WLAN that shipped as default

All configuration is done in LUCI and I’m currently connected with a laptop via the default WLAN SSID.

To setup the VLANs:

  • Go to Network → Devices
  • Edit existing br-lan
  • In Bridge VLAN filtering
  • Save
  • Go to Interfaces → lan → Edit
    • On the devices dropdown select br-lan.99
    • Save

To setup WLAN IoT

  • Add new Interface: IoT
    • Static Address
    • Device br-lan.10
    • Set IP Address
    • Enable DHCP
  • Go to Network → Wireless
  • Add a new Wireless SSID
    • Network: IoT

Existing default WLAN SSID of the router is set to “lan” interface

Firewall settings:

  • Existing “lan” configuration
  • Go to Advanced Settings
    • Covered devices: br-lan.99
  • Create a new Firewall rule: IoT
    • Set covered networks as: IoT
  • Go to Advanced Settings
    • Covered devices: br-lan.10

These rules are assigned in Network → Interfaces to the “lan” and “IoT” interfaces respectively.

Now I click Save and Confirm, after 90s it times out and shows the rollback message as I would have lost the connection otherwise, so I assume something is not quite right in my config.
Does anyone know what I need to change to get the setup to work?

Do the changes one by one until you find the issue.
I guess it is because you will lock yourself out since you are connected by VLAN1 (so “no VLAN”)

By default on each new zone the default input is set to drop, please set this to accept for iot.

Now as for the other things i see you use covered devices for the firewall zone.

Its important you may only choose interface names and not generic DSA devices, you can see it reflect aswell if you edit a network interface and click on the tab firewall, so for br-lan.99 which is used by interface lan, lan would be the covered firewall device for that zone.

^ Only if you own a pppoe server or something fancy you might choose the dsa device as cover for a firewall zone like ppp+, though its kinda off design but still works :wink:

I removed the IoT WLAN setup for now, which leaves me to only setup a VLAN for the LAN ports and the existing default WLAN I’m connected to.

Interfaces and Devices



And I removed the Covered devices and set us “unspecified”.

But it still fails, I assume it’s the firewall configuration but i’m not sure I fully understood what you meant @xize11

can you try to remove all forwarding zones from lan and only allow lan → wan just to test ?

also is your iot interface still intact?,

you might need to disable this:

let me explain:

only wan should have a default route defined, and lan interface because lan is a special interface which is your default gateway.

other interfaces are not recommend to have this checkbox defined, because otherwise you can cause a situation interface A, uses gateway from interface B instead of A → WAN/WWAN.

I think this might explain why it does not work.

in rare situations the interface iot with this checkbox checked would be seen as a wan connection which is invalid :slight_smile: