VLAN management and client support in stock GUI (Flint 2)

Hi!

I just received the big Flint 2 and everything is fine. Only the management of VLANs seems to be officially lacking.

Indeed, while in LuCI we can create and manage VLANs and manage the devices connected to them, in the stock GL.iNet GUI none of these options are available and the VLAN functionality just doesn't seem to exist or be taken into account.

Clients connected to networks other than the default ones (the lan and guest) do not even appear in the Client tab. Assigning lan or guest firewall zones to an interface created for a VLAN seems to get around this (even if we use IPs other than the default ones, or so I can tell for guest since it works for me with one other than 192.168.9.1 appearing in Client). So maybe this part of the code is hardcoded somehow...?

Could you then please add the ability to create/edit/etc VLANs, and to see connected clients of other VLANs?

I think Flint 2 would benefit greatly by having such a useful feature for mid-range users available without necessarily having to resort to external GUIs. And with LuCI you can do everything or almost everything, let's be clear, but personally I think VLANs could very well stay in the stock GUI.

3 Likes

Thank you for your valuable opinion.

The VLAN function is indeed very useful for interface configuration, but it may be a high-end function for common consumers.
In addition, the VLAN function is related to too many functions, such as the client management you mentioned, VPN, AGH, Parental Control etc.
I assume it is a huge job for GL GUI.

Anyway, I will collect relevant requirements and submit them to the PM team for evaluation.

1 Like

I understand, and partly agree. I also understand that it is not immediately implemented.

Nevertheless, it would be great if the team would find the time to implement it sooner or later (both on Flint 2 and the upcoming “Flint 3”). I also saw several posts from other users pointing out its usefulness, so I imagine more than a few could benefit from it.

Thank you in any case for forwarding the request to the team and for your availability!

1 Like

Agreed. This is a super important feature that most other routers at this price tier include stock.
I regularly see the argument that it's not something the average user would use, but I think that's a bit incorrect these days.
People are getting more security conscious every day, part of which is keeping your home network secure, beyond a simple guest network.

I'll add that everyone I know who owns GL.iNet gear is typically a professional in tech or tech-adjacent industries who has a basic understanding of how to learn these things via the infinite videos and docs available online.

1 Like

I have been considering adding this feature request myself. It is the one thing that is holding me back from pushing it into usage. I cannot afford to have to rebuild every time I upgrade the firmware and need to wipe the settings. Thank you for putting this in @mark3.

1 Like

A FR would be a great idea!

Btw, what do you mean by rebuild and wipe settings? You mean that at every update we need to recreate VLANs, firewall zones, rules, etc. through LuCI?

If so, that is very disappointing...

Edit: I accidentally deleted post, now I'm rewriting it

1 Like

Not all updates require you to wipe the settings. However, when changing from something like 4.6.x to 4.7.x, it is generally recommended to wipe the settings and start over. That includes the items you mentioned. Given we are getting closer to a GL release of 4.7 based on OP24, I am still waiting for that before replacing my main router with the Flint 2. With a good deal on a Flint 3, I might go that route - no pun intended - instead.

1 Like

Hi guys,

Please provide me with as much information as possible; I will try to facilitate the evaluation.

Why use it?
Use scene?
Your current topology?
Some of the competing models?

1 Like

At home, I use Unifi wireless equipment, so I don't even use the wireless built into the Flint 2. As such, I have my core switch split into VLANs (guest wireless, IoT, DMZ, Internal LAN). I would want my internal LAN to have a dedicated switch port on the router. For the others, I could either trunk the remaining VLANs into a single port on the router or define multiple physical ports with untagged VLANs and let the switch manage the VLANs fully. For a 1 time setup, this is not great but it is workable. If I have to reset the firmware settings, doing this manually will be a pain to remember how to do it each time. And then setting up the firewall manually to allow internet access but not inter-vlan access. Yeah, I could write it all down so I remember it, but I would probably forget where I saved the instructions lol.

In my case, adding a VLAN box to the Network Port Management page, similar to what is available on WAN 1, would be great. Even better if you could add tagged vlans right on that page.

If I am being honest, the real feature would be not to need to reset firmware settings on upgrades :wink: but I understand the need if some settings conflict with newer builds. It is just inconvenient and since my current router (some other brand) upgrades without messing up firmware, I have been hesitant to switch.

1 Like
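The firewall goal in the post above is internet access for every VLAN but no inter-VLAN access. As an added example (not from the thread or from GL.iNet), this Python script reads firewall configuration in the syntax that `uci export firewall` prints on OpenWrt and reports which zones reach the internet, which zone pairs are fully forwarded, and which ACCEPT rules open single ports; the sample config, the zone names and the port are constructed assumptions.

```python
import shlex

# Constructed sample in `uci export firewall` syntax (not from the thread).
# Zone names "lan", "iot" and "wan" and port 631 are assumptions.
SAMPLE = """
config zone
    option name 'iot'
    option forward 'REJECT'
config forwarding
    option src 'lan'
    option dest 'wan'
config forwarding
    option src 'iot'
    option dest 'wan'
config forwarding
    option src 'lan'
    option dest 'iot'
config rule
    option src 'iot'
    option dest 'lan'
    option dest_port '631'
    option target 'ACCEPT'
"""

def parse_uci(text):
    """Return [(section_type, {option: value})]; `list` lines are ignored."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:1] == ["config"] and len(tok) >= 2:
            sections.append((tok[1], {}))
        elif tok[:1] == ["option"] and len(tok) >= 3 and sections:
            sections[-1][1][tok[1]] = tok[2]
    return sections

def audit(text, wan="wan"):
    """Classify zone-to-zone paths: internet access, full forwarding, port pinholes."""
    internet, broad, pinholes = set(), [], []
    for kind, o in parse_uci(text):
        src, dest = o.get("src"), o.get("dest")
        if not (src and dest):
            continue  # zones and input-only rules define no zone-to-zone path
        if kind == "forwarding" and dest == wan:
            internet.add(src)
        elif kind == "forwarding":
            broad.append((src, dest))  # all traffic allowed from src to dest
        elif kind == "rule" and o.get("target") == "ACCEPT" and dest != wan:
            pinholes.append((src, dest, o.get("dest_port", "any")))
    return internet, broad, pinholes
```

Any pair returned in the second list is a full path between internal zones and is the first thing to review after settings have been rebuilt by hand.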

In my use case:

I'm very security focused. Since I have past experience with Java and Maven, I realize I'm part of a group which is being much more targeted by sophisticated cyber attacks than has already been the case before; sys admins often too, but I think as of today, with so many people working at home, this counts for them as well.

So in my case I wanted to build islands with device groups based on brand and isolate them by VLAN; if it happens that my process of compiling turns malicious, I can then isolate the incident and keep other devices from being infected or from forming persistent infections towards my Windows machine.

I also use multi-PSK to send clients to their own VLANs. This way I have very strong control, and what I can also do is, based on destination ports, still allow certain device communications between zones without the smart devices doing the communication first.

Also, one other thing is the VPN policies: I cannot use GL firmware with this setup. I do advanced routing and split tunneling to make sure things work; not everything works on VPN, so I need good fine control for it. Please see:

I'm also planning to make a new VLAN for a Kickstarter project with an IP KVM, but since I don't know how trusted they can be, I VLAN it. This way, when it is infected, it won't be able to infect my machine. Sure, it can control it, but I can also cut wires :yum:

What is so fascinating is that I use this over one long wire to a switch which manages all these VLANs; since I live in an older rented apartment, I cannot just drill huge holes for cables.

I can use a VPN server to forward things to my VLAN zones and devices, and use VXLANs to extend L2 accessibility and push the same VLANs from a totally different location as one giant switch gluing locations together :sunglasses:

^ Maybe not all is needed, but home labbing is very fun.

Unfortunately I'm on mobile now so cannot make a draw.io, but I'll edit when I have time.

1 Like

I believe it would be much more convenient to manage VLANs (for LAN, IoT, etc.) directly from the stock GUI instead of relying on LuCI.

Currently, my Flint is connected to a modem that provides the WAN connection, while the Flint itself manages the local network. While it is possible to configure VLANs through LuCI, having the option to do so from the stock GUI would make the process more user-friendly and accessible.

One of the key advantages of managing VLANs via the stock GUI would be the ability to see devices connected to other SSIDs (and thus in other VLANs) listed among the connected Clients. At present, these devices do not appear in the client list.

Keeping LuCI accessible is, of course, essential. However, since VLAN management is already supported by Flint (albeit through LuCI), it feels like a "ghost feature"—present, functional, but not fully integrated into the user experience. Enabling VLAN management in the stock GUI would provide a more complete experience, especially since VLANs work perfectly fine when configured through LuCI.

The main benefit of using VLANs is to separate networks and their connected devices. This separation is useful for cases like segmenting "normal" devices (phones, laptops, etc.) from IoT devices.

At present, the stock GUI allows some degree of separation through predefined networks like "LAN" and "Guest," but this approach is limited. It doesn't offer much in terms of customization—either in the number of VLANs or the options for controlling them.

Suggested Improvements

To make VLAN management more accessible, you could start by:

  1. Allowing users to create VLANs directly from the stock GUI.
  2. Providing a brief explanation of what VLANs are and why they might be useful.
  3. Enabling users to associate an IPv4 address and a zone with each VLAN.
  4. Offering basic configuration options, such as:
    • “Isolate the VLAN” — prevent communication with other VLANs.
    • “Allow communication with other VLANs” — allow users to select which VLANs can communicate with one another.
    • “Allow communication between specific devices in different VLANs” — a more granular option to allow communication between specific devices on different VLANs.
  5. Also displaying all devices connected to VLANs in the Clients section, along with an indication of which VLAN each device is connected to.

This approach could serve as a foundation for more advanced customization in future updates.

I believe this functionality would be helpful not only for me but for many other users as well. It would also reduce the number of forum searches like “Does Flint 2 support VLANs?” or “How to use VLANs on Flint 2”.

Thank you for your time and consideration. I hope this feedback helps in your evaluation of future updates.

9 Likes

I replaced my Synology RT6600ax with the Flint 2 to have more 2.5Gb ports, but I kept my three Synology MR2200ac routers and have them in access point mode. I do not use the WiFi on my Flint 2 since it is in a basement equipment room.

I want to have three wireless networks - primary, guest, and IOT. That's how they were configured on the Synology router. I have not been able to figure out VLAN on the Flint 2, so I currently have a primary network and guest network on my Synology access points. The primary network is not VLAN tagged, so everything is passed to the Flint 2 and it handles DHCP. My guest network is my temporary IOT network. Since it is VLAN tagged, the primary Synology access point handles DHCP and no guest clients appear on the Flint 2.

You (Bruce) may have been the one that replied to my comment on the forum with how to create an additional IOT network on the Flint 2, which worked, but I could not figure out VLAN with the guest network being VID 10 and the IOT being VID 20. I used to enjoy figuring out how to configure things like this, but that is no longer the case. I would love a simple solution, even if only an easy-to-follow tutorial.

1 Like

Definitely hoping this feature could be implemented.
I greatly disagree on these devices being used by common consumers though. Most of the people I see buying these routers are buying them for security reasons. I personally bought them for the WireGuard and AdGuard functionality between my home router and my travel router, and that's what I recommend them to friends and family for.