VLAN with Flint 2

Hello there,

I want to add a Flint 2 in my Network environment.
I already have a router, a switch and already use VLANs. I want to configure the Flint 2 so that it acts like it's a dumb switch/access point. For now, I only care about some LAN ports. I'll add SSIDs later. I tried several configurations. It always fails when I decide to configure VLANs.

I end up trying the simplest configuration I could imagine.
I connect the Flint 2 on a port of my switch, that is configured like a trunk. Something like this :
VLAN1/untag, VLAN4/tag, VLAN9/tag, PVID:1

I managed to configure DHCP for VLAN1. I know it is not recommended to use VLAN1, but I'm so discouraged that I decided to give it a try.
I connected the Flint 2 WAN port in the port of the switch. It got an address in the network associated with VLAN1.
So far, so good.

In the GL.iNet/admin panel (v4.7.7), I selected Network -> Mode -> Access point.
It works

In LuCI, the device br-lan contains eth1, and the physical ports. So I decide to configure it like this :

VLAN eth1
1 u/*

No other ports, no other VLANs

Then I applied the changes : It failed.
Since I have to revert back, the file /etc/config/network doesn't contain the modifications.

Could someone explain what I did wrong?

Thanks

1 Like

Well I can share my own topology for a dumb switch+ vlan passthrough :slight_smile:

First, the most common mistake is:

when adding vlans like in your picture, you click on save to close the vlan window this is all fine, but here it goes wrong:

Don't click on save and apply, you have to change the device of interface lan, to br-lan.1.

a second issue i noticed:

Gl firmware is often buggy with this vlan bridge filtering if the add button doesn't respond click on save and then re-navigate, it is a visual ghosting bug. (Fixed in higher openwrt).

third issue i also often made:

If you want to introduce eth1 (wan) to br-lan, you really have to put the wan cable temporarily in a lan port, once done then you can use eth1 like lan, prior I thought this was not possible, I had stated in the past the port does not belong to the switch cpu and therefore doesn't work, but it works.

Here is a DSA screen from my own dumbap, note this is not on gl firmware:



All other vlans use dhcp or unmanaged as protocol, I use for lan managed only for a static address although in my case this does not benefit me, since my ap is PoE powered and restart anyway if the main router restarts or fails.

It is important to note that I specified the gateway field to force it more like a default route (due to my knowledge of raw linux), usually you leave it blank when creating new interfaces or editing lan it should work with proto dhcp and unmanaged, and there is a checkbox in advanced tab called default gateway, only check this on lan and wan type interfaces since we have no wan you do it on lan :slight_smile:, on other interfaces we need to uncheck this default checkbox to avoid issues, this way the router can determine better what the gateway is, otherwise it can get stuck on another interface and cause a loop making the dumbap inaccessible or partly inaccessible, both options seem to do the same with the default routes and that is why only lan/wan type interfaces should have them and other interfaces not.

The maintenance interface is lan5 i just deleted this one from the bridge and added a br-maintenance bridge, this is for when the full device becomes inaccessible i still can wire local access, then I removed wan, stopped dhcp and wan firewall.

Edit:
I also have uci version for compiling my private personal builds, however this might be handy for people who want to do this all in uci, it can be easily read how things are done, click here.

2 Likes

Thanks for your answer.

I finally did as you said and now my OpenWRT can use VLANs.
Now I end up something like (not my real configuration, but based on what you posted earlier):

br-lan:

VLAN ID Local eth1 lan1 lan2 lan3 lan4 lan5
1 x u* u* u* u*
50 x t u*
51 x t u*

LAN : br-lan.1

I then tried to configure SSIDs. I tried several things. They all failed.
So I would have another question. How would you assign something like :

  • SSID home : VLAN50
  • SSID guest : VLAN51

I have to admit that I'm really struggling with OpenWRT. While I understand how VLANs work, I'm having a lot of trouble implementing them with OpenWRT.

Thanks

how are these interfaces defined like lan without the default gateway checked?, that is good.

Then you only have to click on the tab dhcp server and set it up, without dhcp it would kick most clients.

If interface VLAN50 uses br-lan.50 then it should work, for wireless settings you have to assign interface VLAN50 not br-lan.50.

The firewall zone if created newly, make sure the input of this zone is set to accept so dhcp is allowed for clients, it needs to be forwarded to wan and/or wgclient, whether which direction you wanna go.

I think I didn't ask my question correctly. In fact, I only created VLANs in the "br-lan" and associated "br-lan.1" in the "LAN" interface. I did nothing else (I tried a lot of things, but all failed)

What I want to do is create one SSID called HOME, which should be associated with VLAN #50. And, after that, I'll create another SSID called GUEST and associate it with VLAN #51.
The DHCP/router is on another device (pfSense).

I don't know what device/bridge and/or Interface I need to create. I only know that in the wireless device, I will need to specify a "Network", which is probably a newly created Interface. But I don't know how to create that interface and associate it with a device related to the VLAN #50.

The way I understand my current configuration is that the LAN interface is linked to the "br-lan.1" bridge. It works because in br-lan, I defined VLANs and associated physical LAN ports to these VLANs. But I don't understand how I could associate an SSID with, for example, VLAN #50.

Thanks

Okay, let's start from the basics then.

So I go make two tutorials one with a wired port and one as routed ap.

Because maybe vlans are not the right terminology for this use case, what you look for is a routed ap.

For Vlan:


First let's make vlan50, in this tutorial we assume br-lan.1 already has been assigned to interface lan, if not please edit the lan interface with br-lan.1 or you will not have lan connectivity.

note that we choose to use vlan 50 on port 2, if your situation is different and only require wireless and not a mix between wired maybe vlan isn't the right terminology in that case you could better call this a routed ap.

U means untagged, untagged vlans do not traverse further, basically there can only be one per port and often is the default vlan, or better said the final destination port.

T means tagged, tagged vlans can traverse further meaning that another vlan aware device can use them towards the destination port like a switch which then untags it.

To continue we also have to check this checkbox this is to make sure even if no lan port is active the wifi can hook into the bridge because the bridge keeps alive:

now navigate to:

scroll down and click on here:

then we fill in:

now you see this:

you want to fill it in like this:


note that the ip can be everything, there is a table on the internet called rfc1918, search for it; it can also be 192.168.12.1 for that matter, max 254

please look very carefully to the colors of the text, gateway for example is blank (this is auto filled in by openwrt just leave it as is).

now let's navigate to:

and uncheck this:

this means that OpenWrt doesn't see this interface as a gateway type interface like wwan/wan you don't want this conflict :smiley:

now click here and fill and press enter:

now click on dhcp server and create one:

and now you click on save, then you scroll down and click on save and apply.

great, now the network has been set, but the firewall needs some tweaking, let's go to the firewall.
luci->network->firewall

it will look close to this:

and you want to change this:

to:

click save and apply, then edit vlan52.

you will see this:

and you want to change it to this:

great!, now we got the networking done, dhcp working, and the firewall allows dhcp requests, now we only need to fix wifi, unfortunately this was on proxmox so I had to take my original router as example.

you go to luci->network->wireless, edit the band or add one, adding is not that super special you can look to existing wifi networks to make a example and re-create it.

you will see something like this, please click on network and select vlan52:

please note it is important to use lowercase, linux is very case sensitive thus it is better to make interface namings lowercase :slight_smile:

For RoutedAP:


For a routed AP it's a lot easier, basically you only want to create an empty bridge where the wireless phy interface hooks on in where it becomes a working device for an interface.

please navigate to luci->network->interfaces.

Then click on the devices tab like here:

then scroll down and click on

Then click on here:

and select Bridge device.

please fill it in like this:

and check the Bring up empty bridge, otherwise issues will happen :slight_smile: , click save.

Now click back on interfaces:

scroll down and add a interface, note we call things vlan here but don't let you get confused here I just copied half from the first tutorial, so just name it something else than vlan :slight_smile:, this has nothing to do with vlans :grinning_face:

scroll down and click on here:

then we fill in:

^ note: br-lan.52 doesn't exist, of course we need to use br-iot, that's the only difference.

now you see this:

you want to fill it in like this (yes again, you use br-iot):


note that the ip can be everything, there is a table on the internet called rfc1918, search for it; it can also be 192.168.12.1 for that matter, max 254

please look very carefully to the colors of the text, gateway for example is blank (this is auto filled in by openwrt just leave it as is).

now let's navigate to:

and uncheck this:

this means that OpenWrt doesn't see this interface as a gateway type interface like wwan/wan you don't want this conflict :smiley:

now click here and fill and press enter:

now click on dhcp server and create one:

and now you click on save, then you scroll down and click on save and apply.

great, now the network has been set, but the firewall needs some tweaking, let's go to the firewall.
luci->network->firewall

it will look close to this:

and you want to change this:

to:

click save and apply, then edit vlan52.

you will see this:

and you want to change it to this:

great!, now we got the networking done, dhcp working, and the firewall allows dhcp requests, now we only need to fix wifi, unfortunately this was on proxmox so I had to take my original router as example.

you go to luci->network->wireless, edit the band or add one, adding is not that super special you can look to existing wifi networks to make a example and re-create it.

you will see something like this, please click on network and select vlan52:

please note it is important to use lowercase, linux is very case sensitive thus it is better to make interface namings lowercase :slight_smile:

There are a few issues to note about gl firmware:

  1. the clients menu doesn't work for custom interfaces it listens to (lan,guest).
  2. vpn policies may have incompatibilities.

^ some of these things will be fixed at a later time.

1 Like
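A check for the VLAN rules discussed in this thread (one untagged VLAN per port, the lan interface on br-lan.N rather than bare br-lan once bridge VLANs exist, and no interface on a VLAN the bridge does not define), as an added example that is not code from any poster or from GL.iNet/OpenWrt. The config text is constructed, `parse_uci` and `lint` are hypothetical helper names, and a port without a `t` flag is assumed to count as untagged.

```python
import shlex

# Constructed /etc/config/network excerpt with three mistakes (not a poster's file).
BROKEN = """
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'eth1:u*'
    list ports 'lan2:u*'
config bridge-vlan
    option device 'br-lan'
    option vlan '50'
    list ports 'eth1:t'
    list ports 'lan2:u*'
config interface 'lan'
    option device 'br-lan'
config interface 'guest'
    option device 'br-lan.51'
"""

def parse_uci(text):
    sections = []  # one dict per "config" block; "list" values accumulate
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok and tok[0] == "config":
            sections.append({".type": tok[1], ".name": tok[2] if len(tok) > 2 else ""})
        elif tok and tok[0] == "option":
            sections[-1][tok[1]] = tok[2]
        elif tok and tok[0] == "list":
            sections[-1].setdefault(tok[1], []).append(tok[2])
    return sections

def lint(text):
    secs, vlans, untagged, problems = parse_uci(text), {}, {}, []
    for s in (s for s in secs if s[".type"] == "bridge-vlan"):
        vlans.setdefault(s["device"], set()).add(s["vlan"])
        for port, _, flags in (p.partition(":") for p in s.get("ports", [])):
            if "t" not in flags:  # assumption: no 't' flag means untagged
                untagged.setdefault((s["device"], port), []).append(s["vlan"])
    for (br, port), vids in untagged.items():
        if len(vids) > 1:  # a port may be untagged in only one VLAN
            problems.append(f"{port} is untagged in VLANs {','.join(vids)} on {br}")
    for s in (s for s in secs if s[".type"] == "interface"):
        base, _, vid = s.get("device", "").partition(".")
        if base in vlans and not vid:  # bare bridge while bridge VLANs are defined
            problems.append(f"interface {s['.name']} uses {base}; needs {base}.<vlan>")
        elif base in vlans and vid not in vlans[base]:
            problems.append(f"interface {s['.name']} uses undefined VLAN {vid} on {base}")
    return problems
```

Calling `lint(BROKEN)` returns one finding per mistake in the sample; an empty list means the three rules hold for the text passed in.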

Thank you!

I was finally able to get the first SSID working with a VLAN.
The main problem was due to LuCI. Too often, after clicking "Save and Apply," LuCI would indicate a problem and revert to the previous configuration. I finally decided, after clicking "Save and Apply," to wait a few seconds, then unplugged the device. After plugging it back in, I found that the configuration worked fine!

Thank you for taking the time to provide specific steps. It helped me realize that one of the tests I had run should have worked.

Now, I feel I can try to move forward to implement the configuration I want.

2 Likes

Often on Windows I just use ipconfig /release and then ipconfig /renew, that should remove the current dhcp lease and force a new dhcp request, then just open a new tab with the router ip, it should say applied, the other window still has the cooldown in case it goes wrong it reverts :slight_smile:

what does uci mean?

uci is a command line utility in OpenWrt to configure configs.

See:
