Creating a VLAN for IOT Wifi with a single router

I don't know why this is causing me so much trouble. It seems straightforward, but here we are. I'm going to try to describe what I did and highlight areas in bold where I think I may have made a mistake or have a misunderstanding. I've been at this for several hours, so I'm hoping someone can help.

Setup

Here is my setup. I have a GL-MT6000 (flint2) router that shipped with the gl-inet OpenWRT variant. The WAN ethernet port is connected directly to the modem. The other LAN ethernet ports are connected to various devices including unmanaged switches which are effectively just increasing the number of ethernet ports on the router. I have a main WIFI SSID already set up for 2G and 5G that connects devices in the LAN. I want all of this to remain the same. I also have the guest WIFI set up for guests.

Based on my understanding, my network topology looks roughly like this:

    ╙── modem
        └─╼ flint2-router-wan
            └─╼ flint2-router
                ├─╼ flint2-router-lan2
                │   └─╼ unmanaged-switch-1
                │       ├─╼ device2
                │       ├─╼ device3
                │       └─╼ device4
                ├─╼ flint2-router-lan3
                │   └─╼ unmanaged-switch-2
                │       ├─╼ device5
                │       └─╼ device6
                ├─╼ flint2-router-lan4
                │   └─╼ device1
                ├─╼ flint2-router-lan5
                └─╼ flint2-router-wifi-ssid1
                    ├─╼ device7
                    ├─╼ device8
                    └─╼ device9

Goal

The new thing I want to do is create a separate SSID on which IOT devices can talk to the internet and also talk to each other. This means I can't use the guest network out of the box because it seems to prevent devices from communicating within the network and instead just gives them access to the WAN.

From what I understand the way you do this is with a VLAN. My understanding is each new VLAN will require a device, an interface, firewall rules, and finally a Wireless SSID.

Steps Taken

I attempted to set this up in LuCI.

Step 1:

I went to Network > Interfaces and then clicked the devices tab. From there I clicked "Add Device Configuration". I changed the following values in the popup:

   Device type: VLAN (802.1q)
   Base device: 'Ethernet Switch "eth0"'
   VLAN ID: 40

Note: this autopopulated

   Device name: br-lan.40

I'm unsure about what the base device is doing here. Other options were 'Ethernet Adapter: "apcli0"', 'Wireless Network Master "HOME-WIFI" (lan)' (which resolved to ra0), the guest wifi which resolved to ra1, 'Ethernet Switch "eth0"', 'Ethernet Adapter: "eth1" (wan)', 'Bridge: "br-lan" (lan)'. I've also seen other tutorials use a VLAN bridge here, and I don't know if I should be doing that.

Then I clicked "Save & Apply"

Step 2:

I went to Network > Interfaces and then "Add new interface...". I changed the following values in the popup:

   Name: VLAN40
   Protocol: Static address
   Device: br-lan.40

Then I clicked "Create Interface".

From there I changed the popup values:

   IPv4 address: 192.168.40.1
   IPv4 netmask: 255.255.255.0

   # In the "DHCP Server" tab, I clicked "setup dhcp server"

I then clicked "Save". Then I clicked "Save & Apply".

Step 3:

I went to Network > Firewall. Under Zones I clicked "Add", and changed the popup values:

   Name: iot40
   Input: reject
   Output: accept
   Forward: reject
   Covered networks: VLAN40
   Allow forward to destination zones: wan

I then clicked "Save". Then I clicked "Save & Apply".

Step 4:

I then went to Network > Wireless.

I found the radio device I want to add the SSID to, which was "mt798611 Generic 802.11bgnax Channel: 9 (2.452 GHz) | Bitrate: 573 Mbit/s". In the row for "mt798611" I clicked "Add".

I then changed the popup values:

   ESSID: IOT40-WIFI
   Network: VLAN40

   # In the wireless security tab
   Encryption: WPA2-PSK
   Key: <the-wifi-password>

I then clicked "Save". Then I clicked "Save & Apply".

Confusion

And here is where I'm stuck. At this point I would expect to see an IOT40-WIFI SSID come up as an available network to connect to, but I don't see anything. The new row in the Wireless Overview table says: disabled - SSID: IOT40-WIFI | Mode: Master, Wireless is not associated.

(You'll note I've tried this 3 times with different variants still with no success).

I can ping 192.168.40.1, but I have no idea if I set this up correctly. Clearly I messed something up. I would prefer to learn how to do this via the LuCI GUI first, and then learn how to use the config files.

I've also heard that VLANs only make sense if you have multiple routers, and I'm not sure if that is true. I do plan to connect another router to act as another WIFI access point in the future to improve connectivity far away from the main router, but it seems like the use-case where you set up a VLAN on the main router for an isolated non-guest wifi network is reasonable. Do I have a misunderstanding?

No, that's not necessarily true. But maybe some clarification would be useful:

  • The guest wifi tutorial on the OpenWrt wiki isolates the guest network from the lan, but allows it to reach the internet.
  • On any wifi network, you can enable the "isolate" option which will obviously prevent wifi devices from talking to each other. This is an option that is not (to my knowledge) suggested within the guest network wiki article.
  • You probably want this option disabled anyway, but for clarity: Wifi isolation does not prevent wifi from reaching ethernet devices and vice versa, nor does it control the inter-vlan connectivity (that's handled by the firewall), but it does prevent wifi-wifi connections on the same network.
  • The firewall controls inter-vlan routing which means it is how you can allow/prohibit traffic from routing between the networks (lan > IoT, IoT > lan, lan > wan, IoT > wan, etc.).
    • These rules can be as broad or as granular as you want

Anyway, as far as the current configuration is concerned, let's see it in text format:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
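The chain the reply describes (a wifi-iface joins a network, a zone covers that network, a `config forwarding` lets the zone reach another zone, and the zone's `input` policy decides whether the router itself answers DHCP and DNS) can be checked mechanically once the config is in text form. The following is an added example, not code from the thread, OpenWrt or GL.iNet: it parses UCI text with a small parser written here, and the sample input is constructed, modelled on the kind of config asked for above (an IoT zone with no `list network`, a wifi-iface pointing at a network that has no interface, and an IoT zone with `input REJECT` and no DHCP/DNS accept rule). The helper names (`parse_uci`, `audit`, `forwarding_allowed`, `zone_accepts_input`) are this example's own.

```python
# Added example, not code from the thread, OpenWrt or GL.iNet: checks the
# wifi-iface -> interface -> zone -> forwarding chain in OpenWrt UCI text using
# the semantics the reply describes (zone input policy, config forwarding).
import re

_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(.*))?$")

def _unquote(v):
    v = (v or "").strip()
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] and v[0] in "'\"" else v

def parse_uci(text):
    """Parse config/option/list lines into dicts {type, name, opt{}, lst{}}."""
    secs = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        kw, key, rest = m.groups()
        if kw == "config":
            secs.append({"type": key, "name": _unquote(rest), "opt": {}, "lst": {}})
        elif kw == "option":
            secs[-1]["opt"][key] = _unquote(rest)
        else:
            secs[-1]["lst"].setdefault(key, []).append(_unquote(rest))
    return secs

def port_matches(spec, port):
    """True if a dest_port spec ('53', '67-68', '67 68', '30000:30010') covers port."""
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (t.partition("-") for t in spec.replace(":", "-").split()))

def zone_accepts_input(cfg, zone, proto, port):
    """True if an enabled 'config rule' with no dest (an input rule) accepts proto/port from zone."""
    for s in cfg:
        o = s["opt"]
        if s["type"] != "rule" or o.get("src") != zone or o.get("dest") or o.get("enabled") == "0":
            continue
        protos = o.get("proto", "tcp udp").split()  # OpenWrt's default proto for rules
        if o.get("target", "").upper() == "ACCEPT" and (proto in protos or "all" in protos) \
                and ("dest_port" not in o or port_matches(o["dest_port"], port)):
            return True
    return False

def forwarding_allowed(cfg, src, dst):
    """Inter-zone needs a 'config forwarding'; intra-zone follows the zone's own forward policy."""
    if src == dst:
        zone = next(s for s in cfg if s["type"] == "zone" and s["opt"].get("name") == src)
        return zone["opt"].get("forward", "REJECT").upper() == "ACCEPT"
    return any(s["type"] == "forwarding" and s["opt"].get("src") == src
               and s["opt"].get("dest") == dst and s["opt"].get("enabled") != "0" for s in cfg)

def audit(uci_text):
    """Return findings for the combined network + wireless + firewall text."""
    cfg = parse_uci(uci_text)
    interfaces = {s["name"] for s in cfg if s["type"] == "interface"}
    out = [f"wifi-iface '{s['name']}' has network {s['opt'].get('network')!r}, which is not a defined interface"
           for s in cfg if s["type"] == "wifi-iface" and s["opt"].get("network") not in interfaces]
    for z in (s for s in cfg if s["type"] == "zone"):
        o, zn = z["opt"], z["opt"].get("name")
        if not z["lst"].get("network"):
            out.append(f"zone '{zn}' covers no networks, so its policies affect nothing")
        elif o.get("masq") != "1" and o.get("input", "ACCEPT").upper() != "ACCEPT":
            # a LAN-side zone that rejects input still needs DHCP and DNS to reach the router
            if not zone_accepts_input(cfg, zn, "udp", 67):
                out.append(f"zone '{zn}' has input {o['input']} but no rule accepting DHCP (udp/67)")
            if not any(zone_accepts_input(cfg, zn, p, 53) for p in ("udp", "tcp")):
                out.append(f"zone '{zn}' has input {o['input']} but no rule accepting DNS (port 53)")
    return out

# Constructed sample modelled on the thread's config, merged into one text for brevity.
SAMPLE = """config interface 'lan'
    option ipaddr '192.168.222.1'
config interface 'VLAN40'
    option device 'br-lan.40'
    option ipaddr '192.168.40.1'
config wifi-iface 'wifinet6'
    option ssid 'IOT40-WIFI'
    option network 'VLAN40'
config wifi-iface 'wifinet4'
    option ssid 'IOT20-WIFI'
    option network 'IOT20'
config zone
    option name 'lan'
    option forward 'ACCEPT'
    list network 'lan'
config zone
    option name 'iot20'
    option input 'REJECT'
config zone
    option name 'iot40'
    option input 'REJECT'
    option forward 'REJECT'
    list network 'VLAN40'
config forwarding
    option src 'iot40'
    option dest 'wan'
"""
```

Running `audit(SAMPLE)` reports four findings: the `wifinet4` SSID names a network with no interface, the `iot20` zone covers nothing, and the `iot40` zone rejects input without an accept rule for DHCP or for DNS (the guest zone in a stock OpenWrt guest setup carries exactly those two rules). `forwarding_allowed(parse_uci(SAMPLE), "iot40", "wan")` is true while `"iot40" -> "lan"` is false, which is the isolation the firewall provides between the IoT VLAN and the main LAN. To use it on a real router, concatenate the three `cat /etc/config/...` outputs into one string; the `masq` check skips upstream zones so the wan zone's `input DROP` is not reported.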

I believe the GL-inet router automatically configures the guest network (which I set up using their interface) to isolate, which you'll be able to see in the text config.

The clarification about isolate is useful. I was misunderstanding it. To verify my understanding: on the guest wifi - if no other firewall rules are set - devices will not be able to talk to other guest wifi devices, but they will be allowed to talk to ethernet devices.

It seems like I still want an IOT VLAN so I can simply configure that anything connected to it is not allowed to talk to the main LAN. One thing I'm confused about is if I'll need to set up an additional VLAN as my "main devices", or what the terminology is for the main LAN if they aren't connected to a VLAN. Can you have the regular LAN and a VLAN at the same time? My guess is yes, but I'm not confident.

In any case, here is the sanitized text config:

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 21.02-SNAPSHOT, r15812+1076-46b6ee7ffc
 -----------------------------------------------------
root@GL-MT6000:~# ubus call system board
{
	"kernel": "5.4.238",
	"hostname": "GL-MT6000",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02-SNAPSHOT",
		"revision": "r15812+1076-46b6ee7ffc",
		"target": "mediatek/mt7986",
		"description": "OpenWrt 21.02-SNAPSHOT r15812+1076-46b6ee7ffc"
	}
}
root@GL-MT6000:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd07:de41:87be::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	option macaddr 'MA:CA:D:RE:SS:09'

config device
	option name 'lan1'
	option macaddr 'MA:CA:D:RE:SS:09'

config device
	option name 'lan2'
	option macaddr 'MA:CA:D:RE:SS:09'

config device
	option name 'lan3'
	option macaddr 'MA:CA:D:RE:SS:09'

config device
	option name 'lan4'
	option macaddr 'MA:CA:D:RE:SS:09'

config device
	option name 'lan5'
	option macaddr 'MA:CA:D:RE:SS:09'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option isolate '0'
	option ipaddr '192.168.222.1'

config device
	option name 'eth1'
	option macaddr 'MA:CA:D:RE:SS:08'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option force_link '0'
	option ipv6 '0'
	option classlessroute '0'
	option metric '10'

config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'
	option disabled '1'

config interface 'tethering6'
	option device '@tethering'
	option proto 'dhcpv6'
	option disabled '1'

config interface 'wwan6'
	option device '@wwan'
	option proto 'dhcpv6'
	option disabled '1'

config interface 'guest'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option multicast_querier '1'
	option igmp_snooping '0'
	option isolate '0'
	option bridge_empty '1'
	option disabled '0'

config interface 'wwan'
	option proto 'dhcp'
	option classlessroute '0'
	option metric '20'

config interface 'secondwan'
	option ipv6 '0'
	option proto 'dhcp'
	option metric '15'
	option force_link '0'
	option classlessroute '0'

config interface 'secondwan6'
	option proto 'dhcpv6'
	option device '@secondwan'
	option disabled '1'
	option metric '15'

config interface 'modem_1_1_2_6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@modem_1_1_2'

config rule 'policy_direct_rt'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule 'policy_default_rt_vpn'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule6 'policy_direct_rt6'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule6 'policy_default_rt_vpn6'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule 'policy_default_rt_vpn_ts'
	option lookup 'main'
	option priority '1099'
	option mark '0x80000/0xc0000'
	option invert '0'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '20'
	option name 'eth0.20'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '30'
	option name 'eth1.30'

config interface 'IOT30'
	option proto 'static'
	option device 'eth1.30'
	option ipaddr '192.168.30.4'
	option netmask '255.255.255.0'
	option type 'bridge'

config interface 'IOT20'
	option device 'eth0.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option type 'bridge'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '40'
	option name 'br-lan.40'

config interface 'VLAN40'
	option proto 'static'
	option device 'br-lan.40'
	option ipaddr '192.168.40.1'
	option netmask '255.255.255.0'

root@GL-MT6000:~# cat /etc/config/wireless

config wifi-device 'mt798611'
	option type 'mtk'
	option band '2g'
	option htmode 'HE40'
	option channel 'auto'
	option txpower '100'
	option country 'US'
	option random_bssid '1'
	option legacy_rates '0'
	option hwmode '11g'

config wifi-iface 'wifi2g'
	option device 'mt798611'
	option mode 'ap'
	option network 'lan'
	option ifname 'ra0'
	option encryption 'psk2'
	option wds '1'
	option isolate '0'
	option ieee80211k '1'
	option bss_transition '1'
	option ssid 'WhoWhatWhenWhereWifi'
	option hidden '0'
	option key 'password_0'
	option macaddr 'MA:CA:D:RE:SS:18'

config wifi-device 'mt798612'
	option type 'mtk'
	option band '5g'
	option channel 'auto'
	option htmode 'HE80'
	option txpower '100'
	option country 'US'
	option random_bssid '1'
	option disabled '0'
	option legacy_rates '0'
	option hwmode '11a'

config wifi-iface 'wifi5g'
	option device 'mt798612'
	option mode 'ap'
	option network 'lan'
	option ifname 'rax0'
	option encryption 'psk2'
	option wds '1'
	option isolate '0'
	option ieee80211k '1'
	option bss_transition '1'
	option ssid 'WhoWhatWhenWhereWifi-5G'
	option hidden '0'
	option key 'password_0'
	option macaddr 'MA:CA:D:RE:SS:02'

config wifi-iface 'guest2g'
	option device 'mt798611'
	option network 'guest'
	option mode 'ap'
	option ifname 'ra1'
	option encryption 'psk2'
	option key 'password_2'
	option ssid 'GL-MT6000-a77-Guest'
	option guest '1'
	option wds '1'
	option isolate '1'
	option disabled '0'
	option macaddr 'MA:CA:D:RE:SS:07'

config wifi-iface 'guest5g'
	option device 'mt798612'
	option network 'guest'
	option mode 'ap'
	option ifname 'rax1'
	option encryption 'psk2'
	option key 'password_2'
	option ssid 'GL-MT6000-a77-5G-Guest'
	option guest '1'
	option disabled '1'
	option wds '1'
	option isolate '1'
	option macaddr 'MA:CA:D:RE:SS:14'

config wifi-iface 'wifinet4'
	option device 'mt798611'
	option mode 'ap'
	option encryption 'psk2'
	option key 'password_1'
	option network 'IOT20'
	option ssid 'IOT20-WIFI'
	option disabled '1'
	option macaddr 'MA:CA:D:RE:SS:21'

config wifi-iface 'wifinet5'
	option device 'mt798611'
	option mode 'ap'
	option ssid 'IOT30-WIFI'
	option encryption 'psk2'
	option key 'password_1'
	option network 'IOT30'
	option macaddr 'MA:CA:D:RE:SS:04'

config wifi-iface 'wifinet6'
	option device 'mt798611'
	option mode 'ap'
	option ssid 'IOT40-WIFI'
	option encryption 'psk2'
	option key 'password_1'
	option network 'VLAN40'
	option macaddr 'MA:CA:D:RE:SS:12'

root@GL-MT6000:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option rebind_protection '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ra_slaac '1'
	option force '1'
	option dhcpv6 'disabled'
	option ra 'disabled'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option name 'console.gl-inet.com'
	option ip '192.168.8.1'

config domain
	option name 'console.gl-inet.com'
	option ip '::ffff:192.168.8.1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'disabled'
	option ra 'disabled'

config dhcp 'secondwan'
	option interface 'secondwan'
	option ignore '1'

config host
	option mac 'MA:CA:D:RE:SS:11'
	option ip '192.168.222.38'
	option tag 'device_07'

config host
	option mac 'MA:CA:D:RE:SS:00'
	option ip '192.168.222.35'
	option tag 'device_09'

config host
	option mac 'MA:CA:D:RE:SS:20'
	option ip '192.168.222.16'
	option tag 'device_11'

config host
	option mac 'MA:CA:D:RE:SS:19'
	option ip '192.168.222.29'
	option tag 'device_06'

config host
	option mac 'MA:CA:D:RE:SS:16'
	option ip '192.168.222.18'
	option tag 'device_05'

config host
	option mac 'MA:CA:D:RE:SS:15'
	option ip '192.168.222.19'
	option tag 'device_04'

config host
	option mac 'MA:CA:D:RE:SS:03'
	option ip '192.168.222.20'
	option tag 'device_10'

config host
	option mac 'MA:CA:D:RE:SS:13'
	option ip '192.168.222.17'
	option tag 'device_00'

config host
	option mac 'MA:CA:D:RE:SS:06'
	option ip '192.168.222.15'
	option tag 'device_02'

config host
	option mac 'MA:CA:D:RE:SS:05'
	option ip '192.168.222.14'
	option tag 'device_03'

config host
	option mac 'MA:CA:D:RE:SS:17'
	option ip '192.168.222.5'
	option tag 'device_12'

config host
	option mac 'MA:CA:D:RE:SS:10'
	option ip '192.168.222.30'
	option tag 'device_01'

config host
	option mac 'MA:CA:D:RE:SS:01'
	option ip '192.168.222.4'
	option tag 'device_08'

config dhcp 'IOT30'
	option interface 'IOT30'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config dhcp 'IOT20'
	option interface 'IOT20'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config dhcp 'VLAN40'
	option interface 'VLAN40'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

root@GL-MT6000:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option input 'DROP'
	option masq '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	list network 'secondwan'

config forwarding
	option src 'lan'
	option dest 'wan'
	option enabled '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

config rule 'process_mark'
	option name 'process_mark'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 65533'
	option target 'MARK'
	option set_xmark '0x8000/0xc000'

config rule 'process_mark_dns'
	option name 'process_mark_dns'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 453'
	option target 'MARK'
	option set_xmark '0x8000/0xc000'

config rule 'process_explict_vpn'
	option name 'process_explict_vpn'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 20000'
	option target 'MARK'
	option set_xmark '0x20000/0x20000'

config rule 'wan_in_conn_mark'
	option name 'wan_in_conn_mark'
	option src 'wan'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option extra '-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x8000/0xc000'
	option enabled '0'

config rule 'lan_in_conn_mark_restore'
	option name 'lan_in_conn_mark_restore'
	option src 'lan'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option enabled '0'
	option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark --nfmask 0xc000 --ctmask 0xc000'

config rule 'out_conn_mark_restore'
	option name 'out_conn_mark_restore'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option enabled '0'
	option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark --nfmask 0xc000 --ctmask 0xc000'

config include 'swap_wan_in_conn_mark'
	option type 'script'
	option reload '1'
	option path '/etc/firewall.swap_wan_in_conn_mark.sh'
	option enabled '0'

config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'
	option enabled '1'

config rule
	option name 'Allow-DHCP'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule
	option name 'Allow-DNS'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config include 'vpn_server_policy'
	option type 'script'
	option path '/etc/firewall.vpn_server_policy.sh'
	option reload '1'
	option enabled '1'

config redirect
	option enabled '1'
	option proto 'tcp udp'
	option src_dport '30303'
	option dest_ip '192.168.222.35'
	option dest_port '30303'
	option src 'wan'
	option name 'GL-Ethereum Execution Client'
	option dest 'lan'

config redirect
	option enabled '1'
	option proto 'tcp udp'
	option src_dport '9001'
	option dest_ip '192.168.222.35'
	option dest_port '9001'
	option src 'wan'
	option name 'GL-Ethereum Concensus Client'
	option dest 'lan'

config redirect
	option enabled '1'
	option proto 'tcp udp'
	option src_dport '4001'
	option dest_ip '192.168.222.29'
	option dest_port '4001'
	option src 'wan'
	option name 'GL-IPFS Ports'
	option dest 'lan'

config rule 'sambasharewan'
	option src 'wan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'DROP'

config rule 'sambasharelan'
	option src 'lan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'ACCEPT'

config rule 'glnas_ser'
	option src 'wan'
	option dest_port '6000-6002'
	option dest_proto 'tcp'
	option target 'DROP'

config rule 'webdav_wan'
	option src 'wan'
	option dest_port '6008'
	option dest_proto 'tcp'
	option target 'DROP'

config redirect 'dns_vpn'
	option name 'dns for vpn'
	option src 'lan'
	option src_dport '53'
	option dest 'lan'
	option dest_port '1653'
	option mark '!0x8000/0xc000'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

config redirect 'dns_vpn_guest'
	option name 'dns for vpn guest'
	option src 'guest'
	option src_dport '53'
	option dest 'guest'
	option dest_port '1653'
	option mark '!0x8000/0xc000'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

config rule 'process_mark_stubby'
	option name 'process_mark_stubby'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 410'
	option target 'MARK'
	option set_xmark '0x8000/0xc000'

config include 'vpn_client_deal_leak'
	option type 'script'
	option reload '1'
	option path '/etc/firewall.vpn_client_deal_leak.sh'
	option enabled '1'

config include 'glblock'
	option type 'script'
	option path '/usr/bin/gl_block.sh'
	option reload '1'

config zone
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option name 'iot20'

config forwarding
	option dest 'wan'
	option src 'iot20'

config zone
	option name 'iot30'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IOT30'

config zone
	option name 'iot40'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VLAN40'

config forwarding
	option src 'iot40'
	option dest 'wan'

Ah. If you're using their firmware, you need to ask gl-inet. We can't help you with that firmware. What has resulted from the config is extremely bad for security - I don't know if that was your action or something wrong with their firmware.

Alternatively, install official openwrt and we can help you here.

[EDIT: Sorry, wrt the security, I had confused this thread with another one. Never mind that part of the post, but the part about their firmware --> their support channels is still valid]

https://openwrt.org/toh/gl.inet/gl-mt6000

config is extremely bad for security

What about it is bad for security?

FWIW the config without the extra IOT stuff I was trying is:

root@GL-MT6000:~# ubus call system board
{
	"kernel": "5.4.238",
	"hostname": "GL-MT6000",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02-SNAPSHOT",
		"revision": "r15812+1076-46b6ee7ffc",
		"target": "mediatek/mt7986",
		"description": "OpenWrt 21.02-SNAPSHOT r15812+1076-46b6ee7ffc"
	}
}

root@GL-MT6000:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd07:de41:87be::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	option macaddr 'MA:CA:D:RE:SS:09'

config device
	option name 'lan1'
	option macaddr 'MA:CA:D:RE:SS:09'

config device
	option name 'lan2'
	option macaddr 'MA:CA:D:RE:SS:09'

config device
	option name 'lan3'
	option macaddr 'MA:CA:D:RE:SS:09'

config device
	option name 'lan4'
	option macaddr 'MA:CA:D:RE:SS:09'

config device
	option name 'lan5'
	option macaddr 'MA:CA:D:RE:SS:09'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option isolate '0'
	option ipaddr '192.168.222.1'

config device
	option name 'eth1'
	option macaddr 'MA:CA:D:RE:SS:08'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option force_link '0'
	option ipv6 '0'
	option classlessroute '0'
	option metric '10'

config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'
	option disabled '1'

config interface 'tethering6'
	option device '@tethering'
	option proto 'dhcpv6'
	option disabled '1'

config interface 'wwan6'
	option device '@wwan'
	option proto 'dhcpv6'
	option disabled '1'

config interface 'guest'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option multicast_querier '1'
	option igmp_snooping '0'
	option isolate '0'
	option bridge_empty '1'
	option disabled '0'

config interface 'wwan'
	option proto 'dhcp'
	option classlessroute '0'
	option metric '20'

config interface 'secondwan'
	option ipv6 '0'
	option proto 'dhcp'
	option metric '15'
	option force_link '0'
	option classlessroute '0'

config interface 'secondwan6'
	option proto 'dhcpv6'
	option device '@secondwan'
	option disabled '1'
	option metric '15'

config interface 'modem_1_1_2_6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@modem_1_1_2'

config rule 'policy_direct_rt'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule 'policy_default_rt_vpn'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule6 'policy_direct_rt6'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule6 'policy_default_rt_vpn6'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule 'policy_default_rt_vpn_ts'
	option lookup 'main'
	option priority '1099'
	option mark '0x80000/0xc0000'
	option invert '0'


root@GL-MT6000:~# cat /etc/config/wireless

config wifi-device 'mt798611'
	option type 'mtk'
	option band '2g'
	option htmode 'HE40'
	option channel 'auto'
	option txpower '100'
	option country 'US'
	option random_bssid '1'
	option legacy_rates '0'
	option hwmode '11g'

config wifi-iface 'wifi2g'
	option device 'mt798611'
	option mode 'ap'
	option network 'lan'
	option ifname 'ra0'
	option encryption 'psk2'
	option wds '1'
	option isolate '0'
	option ieee80211k '1'
	option bss_transition '1'
	option ssid 'WhoWhatWhenWhereWifi'
	option hidden '0'
	option key 'password_0'
	option macaddr 'MA:CA:D:RE:SS:18'

config wifi-device 'mt798612'
	option type 'mtk'
	option band '5g'
	option channel 'auto'
	option htmode 'HE80'
	option txpower '100'
	option country 'US'
	option random_bssid '1'
	option disabled '0'
	option legacy_rates '0'
	option hwmode '11a'

config wifi-iface 'wifi5g'
	option device 'mt798612'
	option mode 'ap'
	option network 'lan'
	option ifname 'rax0'
	option encryption 'psk2'
	option wds '1'
	option isolate '0'
	option ieee80211k '1'
	option bss_transition '1'
	option ssid 'WhoWhatWhenWhereWifi-5G'
	option hidden '0'
	option key 'password_0'
	option macaddr 'MA:CA:D:RE:SS:02'

config wifi-iface 'guest2g'
	option device 'mt798611'
	option network 'guest'
	option mode 'ap'
	option ifname 'ra1'
	option encryption 'psk2'
	option key 'password_2'
	option ssid 'GL-MT6000-a77-Guest'
	option guest '1'
	option wds '1'
	option isolate '1'
	option disabled '0'
	option macaddr 'MA:CA:D:RE:SS:07'

config wifi-iface 'guest5g'
	option device 'mt798612'
	option network 'guest'
	option mode 'ap'
	option ifname 'rax1'
	option encryption 'psk2'
	option key 'password_2'
	option ssid 'GL-MT6000-a77-5G-Guest'
	option guest '1'
	option disabled '1'
	option wds '1'
	option isolate '1'
	option macaddr 'MA:CA:D:RE:SS:14'

config wifi-iface 'wifinet4'
	option device 'mt798611'
	option mode 'ap'
	option encryption 'psk2'
	option key 'password_1'
	option ssid 'IOT20-WIFI'
	option disabled '1'
	option macaddr 'MA:CA:D:RE:SS:21'

config wifi-iface 'wifinet5'
	option device 'mt798611'
	option mode 'ap'
	option ssid 'IOT30-WIFI'
	option encryption 'psk2'
	option key 'password_1'
	option macaddr 'MA:CA:D:RE:SS:04'

config wifi-iface 'wifinet6'
	option device 'mt798611'
	option mode 'ap'
	option ssid 'IOT40-WIFI'
	option encryption 'psk2'
	option key 'password_1'
	option macaddr 'MA:CA:D:RE:SS:12'


root@GL-MT6000:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option rebind_protection '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ra_slaac '1'
	option force '1'
	option dhcpv6 'disabled'
	option ra 'disabled'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option name 'console.gl-inet.com'
	option ip '192.168.8.1'

config domain
	option name 'console.gl-inet.com'
	option ip '::ffff:192.168.8.1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'disabled'
	option ra 'disabled'

config dhcp 'secondwan'
	option interface 'secondwan'
	option ignore '1'

config host
	option mac 'MA:CA:D:RE:SS:11'
	option ip '192.168.222.38'
	option tag 'device_07'

config host
	option mac 'MA:CA:D:RE:SS:00'
	option ip '192.168.222.35'
	option tag 'device_09'

config host
	option mac 'MA:CA:D:RE:SS:20'
	option ip '192.168.222.16'
	option tag 'device_11'

config host
	option mac 'MA:CA:D:RE:SS:19'
	option ip '192.168.222.29'
	option tag 'device_06'

config host
	option mac 'MA:CA:D:RE:SS:16'
	option ip '192.168.222.18'
	option tag 'device_05'

config host
	option mac 'MA:CA:D:RE:SS:15'
	option ip '192.168.222.19'
	option tag 'device_04'

config host
	option mac 'MA:CA:D:RE:SS:03'
	option ip '192.168.222.20'
	option tag 'device_10'

config host
	option mac 'MA:CA:D:RE:SS:13'
	option ip '192.168.222.17'
	option tag 'device_00'

config host
	option mac 'MA:CA:D:RE:SS:06'
	option ip '192.168.222.15'
	option tag 'device_02'

config host
	option mac 'MA:CA:D:RE:SS:05'
	option ip '192.168.222.14'
	option tag 'device_03'

config host
	option mac 'MA:CA:D:RE:SS:17'
	option ip '192.168.222.5'
	option tag 'device_12'

config host
	option mac 'MA:CA:D:RE:SS:10'
	option ip '192.168.222.30'
	option tag 'device_01'

config host
	option mac 'MA:CA:D:RE:SS:01'
	option ip '192.168.222.4'
	option tag 'device_08'


root@GL-MT6000:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option input 'DROP'
	option masq '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	list network 'secondwan'

config forwarding
	option src 'lan'
	option dest 'wan'
	option enabled '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

config rule 'process_mark'
	option name 'process_mark'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 65533'
	option target 'MARK'
	option set_xmark '0x8000/0xc000'

config rule 'process_mark_dns'
	option name 'process_mark_dns'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 453'
	option target 'MARK'
	option set_xmark '0x8000/0xc000'

config rule 'process_explict_vpn'
	option name 'process_explict_vpn'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 20000'
	option target 'MARK'
	option set_xmark '0x20000/0x20000'

config rule 'wan_in_conn_mark'
	option name 'wan_in_conn_mark'
	option src 'wan'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option extra '-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x8000/0xc000'
	option enabled '0'

config rule 'lan_in_conn_mark_restore'
	option name 'lan_in_conn_mark_restore'
	option src 'lan'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option enabled '0'
	option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark --nfmask 0xc000 --ctmask 0xc000'

config rule 'out_conn_mark_restore'
	option name 'out_conn_mark_restore'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option enabled '0'
	option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark --nfmask 0xc000 --ctmask 0xc000'

config include 'swap_wan_in_conn_mark'
	option type 'script'
	option reload '1'
	option path '/etc/firewall.swap_wan_in_conn_mark.sh'
	option enabled '0'

config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'
	option enabled '1'

config rule
	option name 'Allow-DHCP'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule
	option name 'Allow-DNS'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config include 'vpn_server_policy'
	option type 'script'
	option path '/etc/firewall.vpn_server_policy.sh'
	option reload '1'
	option enabled '1'

config redirect
	option enabled '1'
	option proto 'tcp udp'
	option src_dport '30303'
	option dest_ip '192.168.222.35'
	option dest_port '30303'
	option src 'wan'
	option name 'GL-Ethereum Execution Client'
	option dest 'lan'

config redirect
	option enabled '1'
	option proto 'tcp udp'
	option src_dport '9001'
	option dest_ip '192.168.222.35'
	option dest_port '9001'
	option src 'wan'
	option name 'GL-Ethereum Concensus Client'
	option dest 'lan'

config redirect
	option enabled '1'
	option proto 'tcp udp'
	option src_dport '4001'
	option dest_ip '192.168.222.29'
	option dest_port '4001'
	option src 'wan'
	option name 'GL-IPFS Ports'
	option dest 'lan'

config rule 'sambasharewan'
	option src 'wan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'DROP'

config rule 'sambasharelan'
	option src 'lan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'ACCEPT'

config rule 'glnas_ser'
	option src 'wan'
	option dest_port '6000-6002'
	option dest_proto 'tcp'
	option target 'DROP'

config rule 'webdav_wan'
	option src 'wan'
	option dest_port '6008'
	option dest_proto 'tcp'
	option target 'DROP'

config redirect 'dns_vpn'
	option name 'dns for vpn'
	option src 'lan'
	option src_dport '53'
	option dest 'lan'
	option dest_port '1653'
	option mark '!0x8000/0xc000'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

config redirect 'dns_vpn_guest'
	option name 'dns for vpn guest'
	option src 'guest'
	option src_dport '53'
	option dest 'guest'
	option dest_port '1653'
	option mark '!0x8000/0xc000'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

config rule 'process_mark_stubby'
	option name 'process_mark_stubby'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 410'
	option target 'MARK'
	option set_xmark '0x8000/0xc000'

config include 'vpn_client_deal_leak'
	option type 'script'
	option reload '1'
	option path '/etc/firewall.vpn_client_deal_leak.sh'
	option enabled '1'

config include 'glblock'
	option type 'script'
	option path '/usr/bin/gl_block.sh'
	option reload '1'
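To make the zone and SSID settings in the dumps above easier to reason about, here is an added example (not the OP's code and not code from OpenWrt or the GL.iNet firmware): a small Python script that parses UCI text and answers the two questions this thread turns on, which zone pairs the stock firewall actually forwards, and which `wifi-iface` sections are attached to a network and whether client isolation is on. It assumes stock UCI syntax and the stock OpenWrt firewall semantics (a `config forwarding` section for cross-zone traffic, the zone's own `forward` policy for traffic between networks inside one zone); the port-level Allow-DHCP/Allow-DNS rules are not modelled. The two sample configs embedded in it are constructed, trimmed from the zones, forwardings and wifi-ifaces shown above, and they reproduce one thing worth noticing in the dump: the `wifinet4`/`wifinet5`/`wifinet6` sections carry no `option network`, so those APs are bridged to nothing.

```python
"""Audit OpenWrt UCI firewall/wireless text for zone reachability and SSID attachment.
Added example for this thread, not the OP's code nor OpenWrt/GL.iNet code; it assumes
stock UCI syntax and stock OpenWrt firewall semantics. Hosts on one L2 bridge (one SSID,
one VLAN) never cross the firewall at all; there only the wifi-iface `isolate` flag applies.
"""
import shlex

def parse_uci(text):
    """Parse UCI text into [{type, name, options, lists}]; unnamed sections get name None."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # unquotes the '...' values
        if parts[0] == "config":
            name = parts[2] if len(parts) > 2 else None
            sections.append({"type": parts[1], "name": name, "options": {}, "lists": {}})
        elif parts[0] == "option":
            sections[-1]["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list":
            sections[-1]["lists"].setdefault(parts[1], []).append(parts[2])
    return sections

def zone_policies(sections):
    """Zone name -> input/output/forward policy and member networks. A policy left
    unset on a zone is read as DROP, fw3's documented per-zone default."""
    zones = {}
    for s in sections:
        if s["type"] == "zone":
            o = s["options"]
            zones[o["name"]] = {k: o.get(k, "DROP") for k in ("input", "output", "forward")}
            zones[o["name"]]["networks"] = s["lists"].get("network", [])
    return zones

def forwardings(sections):
    """Enabled src -> dest zone forwardings (enabled defaults to on)."""
    return sorted((s["options"]["src"], s["options"]["dest"]) for s in sections
                  if s["type"] == "forwarding" and s["options"].get("enabled", "1") != "0")

def can_forward(sections, src_zone, dst_zone):
    """Between two networks of one zone the zone's own forward policy decides;
    across zones a forwarding section is required. Port-level rules are ignored."""
    if src_zone == dst_zone:
        return zone_policies(sections)[src_zone]["forward"] == "ACCEPT"
    return (src_zone, dst_zone) in forwardings(sections)

def wifi_isolation(sections):
    """AP SSID -> (attached network or None, client isolation on?)."""
    return {s["options"]["ssid"]: (s["options"].get("network"), s["options"].get("isolate") == "1")
            for s in sections if s["type"] == "wifi-iface" and s["options"].get("mode") == "ap"}

def unattached_ssids(sections):
    """SSIDs with no `option network`: an AP bridged to nothing, so stations that
    associate get no DHCP lease and no path into any firewall zone."""
    return sorted(ssid for ssid, (net, _) in wifi_isolation(sections).items() if net is None)

# Constructed samples, trimmed from the zones, forwardings and wifi-ifaces in the dump above.
SAMPLE_FIREWALL = """
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'
	list network 'guest'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'wan'
	option enabled '1'
"""

SAMPLE_WIRELESS = """
config wifi-iface 'guest2g'
	option network 'guest'
	option mode 'ap'
	option ssid 'GL-MT6000-a77-Guest'
	option isolate '1'

config wifi-iface 'wifinet4'
	option mode 'ap'
	option ssid 'IOT20-WIFI'
"""

if __name__ == "__main__":
    fw, wl = parse_uci(SAMPLE_FIREWALL), parse_uci(SAMPLE_WIRELESS)
    for pair in [("lan", "wan"), ("guest", "wan"), ("guest", "lan"), ("guest", "guest")]:
        print(pair, "forwarded" if can_forward(fw, *pair) else "blocked")
    print("isolation:", wifi_isolation(wl), "| no network:", unattached_ssids(wl))
```

To run it against a real router, copy `/etc/config/firewall` and `/etc/config/wireless` off the device (Python is not normally installed on the router) and feed their contents to `parse_uci`. The guest SSID comes out as attached to `guest` with isolation on, which is why guest clients cannot see each other; an IoT SSID that should let devices talk to one another needs `option network` pointing at its own interface, `isolate` unset or `0`, and, for internet access, a forwarding from its zone to `wan`.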

Sorry... I realized I had confused this thread with another one. I didn't review the security of your config in detail, but I'm not seeing any glaring issues. That said, the way that GL-inet firmware works is materially different than official OpenWrt, so you'll need to ask on their forums or install official OpenWrt.

I made a post in the glinet forums as well: https://forum.gl-inet.com/t/creating-a-vlan-for-iot-wifi-with-a-single-router/50324/3

In the meantime, I've noticed that even if I go with the bridge-based vlan setup the same issue happens. I dug around in the config files and noticed in /etc/config/wireless there were quite a few fields that the main wifi networks had that my new iot wifi network did not have. Namely:

option wsd '1'
option ifname 'ra2' # which I chose to be different than existing ra0 and ra1 names
option bss_transition '1'
option ieee80211k '1'
option isolate '0'

When I added these and did a /etc/init.d/network restart the SSID was no longer disconnected, and it showed up on my phone. The phone is refusing to connect to it, so there is some misconfiguration, but this is making progress, and perhaps it's an issue with the glinet variant.

Still a lot I have to learn; this is much more flexible than my old Netgear router.

Yeah... the details of that configuration are entirely different than the way that official OpenWrt works. We cannot help you with that, but we would be happy to do so if you install OpenWrt from here.
