Can't get VLAN working

After weeks of reading, learning and testing I gave up; I can't get VLANs configured on my device.

I built the system from scratch based on the OpenWrt image, using the standard br-lan bridge with ports lan1-4. Hardware is a GL.iNet GL-MT6000 Flint 2 running OpenWrt 24.10 r2.

I also set up two WireGuard interfaces: the first one builds a S2S connection to another network, the second one is for connecting from the Internet with my mobile phone to the LAN.

Until this stage, everything is working well.

What I tried:

But for weeks I've been unable to set up the VLANs. After clicking "Save & Apply" the router always comes up with the rollback message.

To start setting up VLANs in parallel to the running system, I created a second bridge called br-vlan01.

I configured the bridge br-vlan01 using just ports lan4 and lan5. I set up "VLAN1", "VLAN20" = Invitados, "VLAN30" = IOT and "VLAN40" = Kameras.

In addition to the standard lan interface, which uses the standard br-lan bridge, I set up 3 separate LAN interfaces called "Invitados", "IOT" and "Kameras", each with a separate IP range.
The primary LAN is 192.168.50.1/24; the others are different from that.

I created some firewall rules for traffic between the networks and rules for Internet access for the 3 VLANs. I also created traffic rules for each of the VLANs for DHCP and DNS.

To test the VLAN setup, I connected my notebook to port 4, configured with just VLAN 20 untagged and all other VLANs as not a member. Everything works as configured: the notebook gets an IP from the specified range, Internet access works, and traffic to the LAN is blocked according to the firewall rule.

Now I want to change from br-lan to br-vlan01.

So I added all ports 1-5 to bridge br-vlan01, set VLAN 1 to untagged on each LAN port and, only on port 5, all VLANs as tagged. On ports 1-4, VLANs 20-40 are marked as not a member.

On the lan interface I removed br-lan and set the device to br-vlan01.1, which is VLAN 1 in bridge br-vlan01.

I unconfigured br-lan so it was shown just greyed out in the list.

My notebook is connected to port 4 of the router without any other router in between, and up to now everything is working well.

Now I click Save & Apply.

"Applying configuration changes" counts down to 0 sec.
A message in yellow pops up: "Failed to confirm apply within 90s, waiting for rollback".

The router is not answering pings. Nothing more happens. So I wait 2 minutes, then disconnect the router from power to restart it; then the new message pops up so I can accept the rollback to get the previous setup without VLANs back.

I tried 100 more things, even just extending the basic br-lan bridge with VLANs, but it always ends with the same result: I can't get an IP from the router, so I can't access the web interface. It always ends in a rollback to get my home network working again.

I would appreciate any help and advice on how I can add VLANs to my standard LAN.

Thank you very much!

Are you running GL.iNet's firmware, e.g. the firmware it came with, or have you already upgraded to the real OpenWrt 24.10.4 firmware?

This is a DSA model (as are most except for ath79). In DSA, any physical eth port can only be in one bridge, and any VLANs you want to tag on that port will be bridge-vlans inside that same bridge. So don't create new bridges. Instead add VLANs to the existing br-lan. As you do that you will need to give the original LAN a VLAN number, convention is to use 1. Change the lan Interface's Device from br-lan to br-lan.1.

While working on new Ethernet configurations it is advisable to log into the router on wifi. Then you don't lose access. You could even create a wifi-only Interface called something like "admin" just for this purpose.

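As an added worked example (not mk24's own config, nor anything posted in this thread), here is what the single-bridge layout described above looks like in /etc/config/network on a DSA device such as the Flint 2: VLAN 1 untagged on the access ports, every VLAN tagged on lan5 as a trunk, the lan interface moved to br-lan.1, plus the wifi-only admin interface suggested above. Port names lan1-lan5 follow the thread and 192.168.50.0/24 is the primary LAN from the thread; the 20/30/40 subnets, the 192.168.99.0/24 admin subnet, the interface names, the radio name, SSID and key are assumptions.

```uci
# /etc/config/network (added example; port names as in the thread, other
# values assumed). One bridge, br-lan, with VLAN filtering enabled.
config device
	option name 'br-lan'
	option type 'bridge'
	option vlan_filtering '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

# VLAN 1 carries the existing LAN: untagged + PVID ('u*') on the access
# ports lan1-lan4, tagged ('t') on the lan5 trunk towards a second AP.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'lan5:t'

# VLANs 20/30/40 exist only tagged on the trunk; lan1-lan4 are not members.
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'lan5:t'

# The lan interface moves from 'br-lan' to the VLAN sub-device 'br-lan.1'.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'

# One interface per VLAN (subnets assumed), each on its own br-lan.<vid>.
config interface 'invitados'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option device 'br-lan.30'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

config interface 'kameras'
	option device 'br-lan.40'
	option proto 'static'
	option ipaddr '192.168.40.1'
	option netmask '255.255.255.0'

# Wi-Fi-only 'admin' interface: no Ethernet ports, so it survives any
# change to the bridge and keeps a LuCI/ssh session alive while you apply.
config interface 'admin'
	option proto 'static'
	option ipaddr '192.168.99.1'
	option netmask '255.255.255.0'

# /etc/config/wireless fragment attaching an SSID to that interface
# (radio name, SSID and key assumed; put 'admin' in a zone with input ACCEPT).
config wifi-iface 'admin_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'admin'
	option ssid 'admin-only'
	option encryption 'sae'
	option key 'CHANGE-ME'
```

Connect over the admin SSID before pressing Save & Apply: LuCI's rollback fires whenever its confirmation does not arrive within the countdown, so an Ethernet path that drops for a moment is enough to lose the change, while a wifi session on a separate interface can still confirm it. After applying, `bridge vlan show` (from the ip-bridge package) should list lan1-lan4 with VLAN 1 as PVID untagged and lan5 with 1, 20, 30 and 40 tagged; each new interface also needs its own firewall zone and DHCP pool.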

@egc and @mk24 Thank you for the quick reply.
I'm running OpenWrt firmware, not GL.iNet stock firmware.
I will try to understand exactly what you explained to me regarding building the bridge. I will create an admin Wi-Fi and start with it. Just one question: in the end, will it be possible to route the primary LAN together with the different VLANs over one port? One reason I'm asking is that I want to connect another router over an existing LAN cable, using it as a second access point for different WLANs based on various VLANs.
I will post what happens, and if it ends as suggested I will write a howto.

Again, thank you very much for your quick help!

You are welcome; maybe this can help:

Hi, again thank you very much for your help. I tried what you described before, extending the existing br-lan with VLANs and setting the interface LAN to br-lan.1, which doesn't work for me either.

I tried again over WLAN, but I'm sorry to tell you, with the same result as described before.

I also read that DSA permits only one bridge if you are using VLANs. Respecting this, I always removed the second bridge before clicking Save & Apply, so the configuration I entered in the LuCI interface in theory looks to be respecting this.

However, even though you said "don't create new bridges", I have a GL.iNet AX3000 which I want to use as an access point. I flashed the latest OpenWrt image to start a test drive. I added the same VLANs as on the Flint 2 and configured the lan device as br-lan.1. And, surprise, the device accepted the config and worked as expected.

So the only idea I have is that the configuration files of my Flint 2 might not be 100% right, which I can't check through the LuCI interface, even if I'm new to OpenWrt and have a lot more to learn.

At the earliest opportunity I will reset the Flint 2, flash a new image and start from scratch, configuring the VLANs first, and if that works well I will add the WireGuard stuff etc.

Another problem, maybe someone knows: I have just an old Lenovo IdeaPad 510 (Intel chipset) running Windows 11. In this configuration the system does not find any OpenWrt WLAN. Every other one (from AVM etc.) works well. I tried everything, no result. With Linux the device finds and connects to every OpenWrt WLAN. Also, every other device in my home connects to the OpenWrt WLAN without any problem. Any ideas?

I will update the thread when I've got the VLANs configured well on the Flint 2.

Some more good articles with examples which might help:

Let's take a look at the flint2's network config -- chances are we can identify the problem and recommend the fix:

Please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button (red circle; this works best in the 'Markdown' composer view, blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network

Hi, many thanks again for all your help, I've got VLANs up and running. I agree 100% with you @psherman, the best way is to take a look into the configuration files and analyze the problem to fix it and learn from it.

However, because I've been learning and working for weeks to solve this problem, I had to move forward, so I used a free Sunday yesterday to reflash the Flint and start from scratch.
Extending the standard br-lan bridge with multiple additional VLANs worked as expected. I could set up various VLANs, the primary LAN never stopped working, I didn't lose the connection from the browser to the LuCI web interface, and I've got it up and running without problems. Great :wink: Even configuring the corresponding D-Link switch to manage tagged and untagged VLANs is now working well as expected. I'm just still struggling a little at the moment with some firewall rules regarding traffic between the VLANs and WAN, but I will solve this for sure.

So my conclusion after all this, which I hope helps other users with the same setup and problem: maybe I made some misconfiguration in my past tries because I'm new to OpenWrt, but setting up a second bridge and "exchanging" it with the standard br-lan bridge doesn't work on OpenWrt 24.10 with the Flint 2.
Configuring exactly the same VLAN setup from scratch based just on the "br-lan" bridge as it comes preconfigured "out of the box" on a freshly flashed router, just extending this standard bridge with multiple VLANs, works as expected from the beginning.

Thank you very much again for your help.

Hi Denmik, I have the exact same router, firmware and setup. I had a LOT of trouble getting it to work but finally did, just like you. Wish I had your post when I was setting it up a month ago lol. Now that it is set up, I am having issues with the firewall rules. When I set up a firewall rule to allow a specific device IP on the LAN to talk to a specific device IP on the VLAN, and the settings are "any" protocol and "any" port, it works. But if I change that rule to specify a protocol it stops working. And when I revert the rule back to what it was before, it still doesn't work, even though it was working with this same rule not minutes before. Despite reboots it still doesn't work. It seems there is something that breaks VLANs in OpenWrt when you try to punch holes in the firewall between the VLANs. Are you having this issue too?

Hi, I have been working with Linux for over 30 years, so I'm fairly familiar with network setups etc., but I'm new to OpenWrt. I have spent for sure hundreds of hours reading and trying to understand OpenWrt, and now I'm at the stage of exchanging my old AVM FRITZ!Box for OpenWrt in my home without having to worry about my wife threatening to divorce me :wink:

I have exactly the same problems as you: reading howtos and watching YouTube videos, everything is very logical and I can understand it, but a lot of things do not work as described. Or once I've arrived at a stage with the bunch of rules I wanted to have, implementing new rules or features, like PBR now, breaks the setup which worked before. At the moment I would like to learn more about how to debug and test real traffic on my system to check which rules are accepted, ignored or misinterpreted by OpenWrt.

I'm sorry that I can't give you specific advice on your problem with firewall rules regarding VLANs, because this is also one of my unresolved issues.

I've got the guest VLAN isolated with just Internet access, but the other 2 VLANs should communicate only with the main LAN, without Internet access. Before I started with the PBR setup, it worked as configured and expected. Since I installed PBR, all 3 VLANs have Internet access. Why? I don't know :wink:

I got a glimpse of how to do this by watching OneMarcFifty's video on how to set up batman. I was trying to understand how things work and I managed to do it on the first try. It was a surprise to me, as I had never used OpenWrt before.

My routers are not connected using LAN cables, so I'm using batman. Maybe you could watch his video on batman again, as I think it is pretty much the same config if you are using LAN cables.

You can check this VLAN user guide.

When you figure things out it doesn't seem that hard or difficult to do. Basically you have two routers: one is the gateway, the other is an AP. The gateway is the one running the firewall, DHCP and dnsmasq, and the dumb AP should have all those services disabled.
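Following on from the gateway/dumb-AP split above, and OP's earlier question about carrying the primary LAN plus the VLANs to a second access point over one cable, here is an added example of the access-point side. It is not the poster's or anyone else's config from this thread. Assumed: the trunk from the gateway arrives on the AP's port lan1 carrying VLANs 1, 20 and 30 tagged; the AP's management address is 192.168.50.2 on VLAN 1 with the gateway at 192.168.50.1 (OP's primary LAN); radio name, SSIDs and keys are placeholders.

```uci
# /etc/config/network on the access point (added example, values assumed).
# The AP has no DHCP, DNS or firewall duty; it only switches the VLANs.
config device
	option name 'br-lan'
	option type 'bridge'
	option vlan_filtering '1'
	list ports 'lan1'

# Every VLAN is tagged on the trunk port that faces the gateway; this must
# mirror what the gateway tags on its end of the same cable.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan1:t'

# Management address on VLAN 1; gateway and DNS are the main router, so
# the AP itself stays reachable and can fetch packages.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.50.2'
	option netmask '255.255.255.0'
	option gateway '192.168.50.1'
	list dns '192.168.50.1'

# Other VLANs get no IP on the AP: 'proto none' exists only so that a
# wireless SSID can be attached to br-lan.<vid> through its 'network' option.
config interface 'invitados'
	option device 'br-lan.20'
	option proto 'none'

config interface 'iot'
	option device 'br-lan.30'
	option proto 'none'

# /etc/config/wireless fragment: each SSID lands on the matching VLAN, so
# its clients get their lease and firewall policy from the gateway.
config wifi-iface 'guest_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'invitados'
	option ssid 'Invitados'
	option encryption 'sae-mixed'
	option key 'CHANGE-ME'
	option isolate '1'

config wifi-iface 'iot_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'iot'
	option ssid 'IOT'
	option encryption 'psk2'
	option key 'CHANGE-ME'
```

On the AP, disable and stop the services the gateway already provides, as the post above says: `/etc/init.d/dnsmasq disable`, `/etc/init.d/odhcpd disable` and `/etc/init.d/firewall disable` (each followed by `stop`). Then `bridge vlan show` should list lan1 with 1, 20 and 30 tagged, and each wlan interface with its VLAN as PVID untagged; a client on the "Invitados" SSID should receive an address from the gateway's guest pool, not from anything on the AP.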

Well, for what it's worth, I was able to figure out a solution to make the VLAN pinhole exceptions work. You can't just create a firewall rule with a port restriction right away. If you do, it won't work. So here are the instructions in LuCI:

Go to Network > Firewall > Traffic Rules

  1. Add a new rule at the bottom.

  2. Set protocol to "any".

  3. Set the source zone and IP to the computer that you want to be able to punch through the VLAN with.

  4. Set the destination zone and IP to the computer you want to be able to talk TO.

  5. Save and apply.

  6. Test that it works.

  7. Now you can edit the rule to add the protocol and ports you want to restrict the pinhole to.

  8. Save and apply again, done!

Now somewhere in the process, my VLAN stopped being able to access the WAN... so I have a new problem which is the opposite of your problem, because I WANT this particular VLAN to access the Internet... I don't think the above instructions caused this problem; I don't know when it started, to be honest, because I hadn't checked in a while...

It's just not working anymore no matter what I do; I even tried creating a firewall rule expressly allowing all WAN traffic through, but no dice. Another of the "ghosts" of this new OpenWrt version 24/DSA, I guess... So I deleted the non-functional VLAN and created a new one with a different subnet and number, which now works fine.
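Both open problems in this thread (the IoT/camera VLANs reaching the Internet after PBR, and the pinhole that stops working once a protocol and port are set) come down to what fw4 actually generates from /etc/config/firewall. Here is an added example, not any poster's configuration, of a firewall file that states the policy described above: guest gets Internet only, IoT and cameras may reach the main LAN but not WAN, every VLAN may use the router for DHCP and DNS, and one LAN host gets a port-restricted pinhole into the camera VLAN. Zone names follow OP's interface names in lowercase; the host IPs 192.168.50.10 / 192.168.40.10, the RTSP port and the subnet of the camera VLAN are assumptions.

```uci
# /etc/config/firewall (added example; interface names, host IPs and ports
# are assumptions). Unlisted traffic between zones is rejected.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# Guest VLAN: nothing reaches the router except the DHCP/DNS rule below,
# and forwarding is allowed only towards wan.
config zone
	option name 'invitados'
	list network 'invitados'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'invitados'
	option dest 'wan'

# IoT and camera VLANs: may initiate to the main LAN, no forwarding to wan.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'iot'
	option dest 'lan'

config zone
	option name 'kameras'
	list network 'kameras'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'kameras'
	option dest 'lan'

# DHCP and DNS to the router itself from each VLAN; without these, clients
# in a REJECT-input zone get no lease and no name resolution.
config rule
	option name 'Allow-DHCP-DNS-invitados'
	option src 'invitados'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-DNS-iot'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-DNS-kameras'
	option src 'kameras'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'

# Pinhole: one LAN host (e.g. an NVR) may open RTSP to one camera; nothing
# else crosses lan -> kameras. Zones, IPs, proto and port sit in one rule.
config rule
	option name 'NVR-to-camera-RTSP'
	option src 'lan'
	option src_ip '192.168.50.10'
	option dest 'kameras'
	option dest_ip '192.168.40.10'
	option proto 'tcp'
	option dest_port '554'
	option target 'ACCEPT'
```

Validate with `fw4 check` and read what was actually loaded with `fw4 print` or `nft list ruleset` rather than trusting the LuCI form alone. When testing a rule you have just tightened, start a fresh connection: fw4 accepts `ct state established,related` before your rules are reached, so a session opened under an earlier any/any rule keeps flowing until it times out and says nothing about the new rule. For the PBR case, note which zone your WireGuard interfaces belong to: a forwarding to that zone is also a path to wherever that tunnel routes, and a policy route that sends a VLAN's traffic into the tunnel is therefore only as restricted as that zone's forwardings.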
