Solved: Best practice for second switch with ap


I want to get my gl-am300m as an second access point in the network, in which already a gl-ar750 is active.
What is the best practice to it? Should I use the WAN port to get the gl-am300m into the network or the LAN port?
or that:

Hoping for a hint.


Should be fine either way…

1 Like

My personal preference is to use the “different” port on a router for the “different” traffic; upstream connectivity on both devices in the port that happens to be labeled “WAN”.

With devices with multiple phys (eth0 and eth1, for example), then you would want to balance the load on the two phys. While I don’t have an AR750, I believe both it and the AR300M are single-phy devices. You can confirm in the network setup if there is only one phy in use, but with two VLANs, such as eth0.1 and eth0.2 configured for “WAN” and “LAN” connectivity.

The switch element in the QCA9531 inside the AR750 is non-blocking, so it’s sufficient and has more than enough bandwidth for all the LAN ports - if needs are simple, it’s more than good enough…

Key thing perhaps on the AR300M as an AP - plug ethernet into the WAN port vs. LAN port, otherwise you might get into a bit of a mess there…

Once set up - configure the AR300M appropriately according to your needs.

You can connect your AR300M’s WAN to AR750’s LAN.

But you have to mind the subnet(both of them is by default). You might need to change one of them.

@mikee01 I assumed, perhaps incorrectly that you were going to use the GL-AR300M as a “dumb AP” and keep all your services running on the AR750. If that’s not the case, there are advantages to only running a single NAT, rather than “daisy chaining” the devices.

At a very high level, you would, on the AR300M

  • Set up a management IP
  • Disable DHCP, DNS, NAT, IP forwarding
  • Bridge the wireless across all ports

This way the AR750 handles “everything” as far as services and routing goes.

If you set up the same SSID(s) on both devices, then your clients can “roam” freely between the two APs without needing to select the “other” SSID, and without the drops that might be caused by DHCP and routing changes if the two routers are using different subnets.

If you need additional help with this, please post again.

Hi to all,

i would prefer to habe the following setup.
My gl-ar750 connects with the wan interface to the dsl router and establishes the vpn connection.
VLANs 1,3 and 5 are tagged on eth1 by using interfaces eth1.3 and eth1.5 an LAN (1). Radio0 should bring up guest network for wifi devices.

Thr gl-am300m has got wan, port and radio0 port. THE GL-am300m should be placed on the second floor of the building to strenghten the wifi signal of the same ssid. The LAN or WAN port should give lan connection to a device on vlan3. But the wifi device shall be in a seperate vlan, like the vlan of gl-ar750.

The best setup for me would be, that there ks no firewalling on the gl-am300m, to enable free routing from and to the lan devices in vlan3.

My preference would be to:

  • Disable all services on the AR300M; all services from the AR750
  • Select one port on the AR750 to be the trunk to the AR300M; run everything as tagged, untagged packets to the switch’s bit bucket (VLAN 4095 or an otherwise unused VLAN)
  • Set up the “WAN” physical port on the AR300M as your trunk; run everything as tagged, untagged packets to the switch’s bit bucket (VLAN 4095 or an otherwise unused VLAN)
  • Set up the other physical ports as desired for wired connectivity to various VLANs, tagged or untagged as your clients (including any additional switches) require
  • Bridge the VLANs within the AR300M as desired across the wireless interfaces
  • Add firewall rules to prevent cross-VLAN forwarding and, if possible for your configuration, disable forwarding at the kernel level

802.11r would be an interesting later experiment, but my experience is that few clients other than iOS support it.

Hi jeffsf!

Sorry for the long pause!
I have a first question upon your statementes:

  • “Disable all services on the AR300M; all services from the AR750” → what do you mean in detail?

Ah, my English wasn’t very clear there. My apologies.


  • Clients can get all the services they need; DHCP, DNS, NTP, gateway forwarding, …
  • The services that the clients need are only running on the AR750
  • There are no duplicates of those services (especially DHCP) on the AR300M

Let me flash one of my routers with stock so, if you need more, I can give some additional detail in the language of the GUI itself later today.

Hi jeffsf!

Thank you for the further description, it is clearer now. I will try it out and give a feedback afterwards!


I ran into config trouble.

  1. wan interface build. eth0 as physical interface
  2. lan interface deleted
  3. creating interface vlan3 stucks, because I got the following error:

Form token mismatch

The submitted security token is invalid or already expired!

In order to prevent unauthorized access to the system, your request has been blocked. Click “Continue »” below to return to the previous page.

I am logged in via the WAN interface working on the luci panel.

Try clearing your page cache in the browser…

That did not the job, on a different computer the same message appears…

I did a reset.
I have got done a bridging of lan an wan port, both are participating in vlan 1 and receiving dhcp from the main router.
following up is the config of the wlan. I will report.

this is my current config, but it does not work, that the device on lan2 gets an dhcp-offer over the network of lan.
Every services like fw, dnsmasq, dhcpd is disabled on the gl-m30m.

config interface ‘loopback’
option ifname ‘lo’
option proto ‘static’
option ipaddr ‘’
option netmask ‘’

config globals ‘globals’
option ula_prefix ‘fdb7:7524:5251::/48’

config interface ‘lan’
option proto ‘static’
option netmask ‘’
option ip6assign ‘60’
option hostname ‘GL-AR300M-3e0’
option _orig_ifname ‘eth1 wlan0’
option _orig_bridge ‘true’
option ipaddr ‘’
option gateway ‘’
option dns ‘’
option ifname ‘eth1.1’

config interface ‘lan2’
option type ‘bridge’
option _orig_ifname ‘eth0.1’
option _orig_bridge ‘true’
option ifname ‘eth0.1 eth1.1’
option proto ‘dhcp’

config switch
option name ‘switch0’
option reset ‘1’
option enable_vlan ‘1’

config switch_vlan
option device ‘switch0’
option vlan ‘1’
option vid ‘1’
option ports ‘0t 1’

If you use firmware 3.x, just change network mode to AP in more settings and connect it to you AR750 and that is OK.


I got an ar300m nand, but the image from GL.iNet download center is rejected (error firmware is not for the hardware).

could it be, that I have got a nor hardware, that is accidently flashed with nand firmware, so that this error message displayed
how do I check the arch by commandline?

→ no, i have checked the kernel log, 128 mb nand memory is active-

Used the .tar file??