Vlans dont block routers admin page

Hi!, i have been following the videos and comments posted on this topic [Vlans nightmare Flint 2](https://forum.gl-inet.com/t/flint-2-gl-mt6000-vlans-nightmare/39455)
The goal was to create an IOT vlan with no access to the router admin page. But the Vlan i’ve created still lets me enter the routers admin page. So i don’t know what is wrong.

Firmware 4.5.3
Flint 2

I’ve made these configuration in Luci

  1. i’ve added a new firewall rule for IOT

  2. Then, configured the firewall rule

  3. after that i’ve created a new bridge for the new vlans

  4. I’ve added the vlans. One for IOT and another for Management.

  5. Then i’ve changed the bridge port of the default bridge-lan to the management one br-lan99.99

  6. Then i’ve added the interface for IOT, as far this is just for internet. I don’t want for any device connected here to be able to enter the admin page on the router.

  7. At the end i’ve tried with a computer on the port of IOT vlan (br-lan99.9) and it is connected to the internet. But i can access the ip of the admin page of the router, and also all the traffic seems to be generated on the Management VLAN (br-lan99.99) and not in the IOT one.

i just realized there are to much 9 sorry for that.


  1. What i have made wrong? (LoL)
  2. If i add an Access point (for example Brume) to feed other computer with internet, the IOT config will work?

Really Thanks for your time.

Maybe just enable guest wifi. It will create Interface GUEST

Then add your vlan to the guest interface.

In this way you don’t need to manage the firewall.

Thanks so much Alzhao. Yes probably this is the propper way for a noob.

One more question, by enabling the GUEST wifi zone the GUEST config will not be affected by the admin vlan? i mean the GUEST will remain isolated and with internet no matter the bridge-lan config?

Thanks in advance.

depending on your topology if you still plan using vlans:

you have one port with vlan 9 tagged that is fine, but does it connect to a tagged vlan aware device?:thinking:

Otherwise you might want to use a managed switch in where you can untag this certain tag to a single port and tag it on port 1 (the wan of the network switch) then it will work :+1:, or if you don’t need 99, make 9 untagged on that port.

Unaware vlan devices are devices which cannot talk to tagged packets because it is ment to passthrough in many situations or for things like managed switches, but untagged packets are ment as final destination to a network port, thus meaning the tag will no longer cease to exist after and the devices do not know more than it is just a connection.

^ note that with vlans in OpenWrt its normal the routers ip is accessible probably more for convience/anti lock out reasons i know this because it happens in vpn tunnels it uses, if you don’t like it you need a firewall traffic rule like this:

src: your zone
dest: this device
action: reject or drop

on the other side, maybe you just want to single one port out to be a different network or use the guest network feature, depending on the firmware version there is a option inside the gl ui to disable isolation aswell :+1:, i believe its either called guest or dhcp there should be a checkbox for it.

1 Like