GL.iNet MT6000: Issue creating Wi-Fi via vlans

Hi everyone,

I’d highly appreciate your support on enabling Wi-Fi SSIDs for various VLANs. Plus some other small related questions.

I’m running the following setup: modem > Opnsense (wan, lan) > MT6000 router with OpenWrt 23.05.5 on it

Opnsense is taking care of firewall, routing etc. OpenWrt is acting as the switch including Wi-Fi. No "dumb" AP so far. MT6000 (OpenWrt) is the only Wi-Fi source for now.

I received amazing support in my previous thread (thanks a lot psherman!!). Compared to the suggested setup I added a mgmt vlan 99.

Ethernet port | vlan:
1 | mgmt 99
2 | dmz 10
3 | user 20
4 | iot 30
5 | ipcam 50
6 | uplink 1

I’m not an expert (yet) as you might guess. Thanks in advance for your patience. :slight_smile:

I have four questions:

  1. mgmt VLAN 99: I’m not sure if this is ideal and how you would set it up. To my knowledge though I should have it as configured so I can reach all other vlans via mgmt vlan. Is there a more elegant solution? I guess it’s most secure to not make this available via Wi-Fi. Otherwise please let me know.
  2. I cannot reach OpenWRT (192.168.1.2) via mgmt vlan. I have to connect directly to its uplink. I manually assign an IP because Opnsense is doing the dhcp.
    Anything wrong with the OpenWRT config? Thinking of „client can only connect via uplink“ or so. Could also be a wrong config somewhere else though.
  3. My main question, as mentioned above: I’d like to add Wi-Fi SSIDs. E.g. „user“ vlan20 (port3) should be accessible via SSID „user“ and be in the same vlan20. Similar to iot, guest and ipcam. Not sure how many Wi-Fis may be created. Would be great to have
    • SSID „user“: vlan 20
    • SSID „iot“: vlan30
    • SSID „guest“: vlan40 (Wi-Fi only, no physical port)
    • SSID „ipcam“: vlan50
  4. Once 1+2+3 are done: anything else to fix and/or optimize?

Thank you very much! Your support is highly appreciated.

This is my current config:

ubus call system board

{
	"kernel": "5.15.167",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "mediatek/filogic",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}

/etc/config/network

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'eth1:u*'
	list ports 'lan5:t'

config interface 'mgmt'
	option device 'br-lan.99'
	option proto 'none'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan5:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2:u*'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan3:u*'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '50'
	list ports 'lan4:u*'
	list ports 'lan5:t'

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '123'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config device
	option name 'lan1'
	option macaddr '123'

config device
	option name 'lan2'
	option macaddr '123'

config device
	option name 'lan3'
	option macaddr '123'

config device
	option name 'lan4'
	option macaddr '123'

config device
	option name 'lan5'
	option macaddr '123'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'dmz'
	option device 'br-lan.10'
	option proto 'none'

config interface 'user'
	option device 'br-lan.20'
	option proto 'none'

config interface 'iot'
	option device 'br-lan.30'
	option proto 'none'

config interface 'guest'
	option device 'br-lan.40'
	option proto 'none'

config interface 'ipcam'
	option device 'br-lan.50'
	option proto 'none'

config device
	option name 'eth1'
	option macaddr '123'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

/etc/config/dhcp

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore ‚1'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip '123::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

There are no hard rules here... it depends what you want to accomplish. Some people will view the management network in a similar way as the root/super user, while others will prevent that network from doing anything other than accessing the infrastructure hardware. But also, to be clear, this is a question about your Opnsense system configuration since the AP doesn't actually influence this at all.

Wifi can be secure, but it's hard to beat the need for physical access via ethernet.

We'd need to see the config to answer this.

The number of SSIDs possible depends on the chipset... you'll have no problem with the MT6000 with 4 SSIDs.

As long as your network is functioning as you want, I don't think there are any other things you need to do (at least based on your description).


I will double check my Opnsense config again. If the problem is still there I will reach out :slight_smile:

Thank you!

I checked many YouTube videos and postings in boards. However, I couldn't find a suitable example of an OpenWrt setup that has both the VLANs and Wi-Fi in the same device. I rather find (very old) examples with OpenWrt-configured switches including VLANs plus a separate dumb AP, which is another device not running OpenWrt. I think I'm having issues correctly connecting an existing VLAN to Wi-Fi on the same device using OpenWrt.

Any chance you could give me a hint on how to configure the 4 SSIDs in my setup? I posted my current config in my first posting. One working SSID setup would also be sufficient and I can then translate it to the other remaining 3.

Thank you very much!

Anybody? :slight_smile:

Sorry it has taken me so long to get back to this.

Fundamentally, I'm not really seeing any issues here, except for one typo:

The last line there (ignore) should look like this:

	option ignore '1'

Otherwise, assuming the upstream is working properly, you'll just add new SSIDs, and link them against the respective networks.

Currently, your wireless file is in the default state, so you'll want to set the country code, SSID, encryption type, and passphrase. The first one is linked against lan. From there, you can create additional SSIDs, linked against guest, ipcam, etc...

Are you having difficulty with that process?
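As an added worked example (not the config of anyone in this thread), this is what the /etc/config/wireless from the first post could look like once the four SSIDs from question 3 are attached to the VLAN interfaces already defined in /etc/config/network. Each wifi-iface is linked by `option network` to the interface name (user, iot, guest, ipcam), and netifd then adds the wlan interface to br-lan untagged in that VLAN, so the SSID lands in the same VLAN as the corresponding physical port. The country code and every passphrase are placeholders; the choice of encryption per SSID and the client isolation on the guest SSID are assumptions about what a typical home/IoT setup wants. No SSID is linked to mgmt or lan, matching the intent in question 1.

```uci
# /etc/config/wireless  (added example; country code and passphrases are placeholders)

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	# placeholder: set your two-letter regulatory domain
	option country 'XX'
	option disabled '0'

# 'network' names the interface from /etc/config/network:
# user -> br-lan.20, iot -> br-lan.30, guest -> br-lan.40, ipcam -> br-lan.50

config wifi-iface 'wifi_user'
	option device 'radio1'
	option mode 'ap'
	option network 'user'
	option ssid 'user'
	# WPA3-SAE with WPA2-PSK fallback for older clients
	option encryption 'sae-mixed'
	option key 'CHANGE-ME-user-passphrase'

config wifi-iface 'wifi_iot'
	option device 'radio1'
	option mode 'ap'
	option network 'iot'
	option ssid 'iot'
	# many IoT devices only speak WPA2-PSK
	option encryption 'psk2'
	option key 'CHANGE-ME-iot-passphrase'

config wifi-iface 'wifi_guest'
	option device 'radio1'
	option mode 'ap'
	option network 'guest'
	option ssid 'guest'
	option encryption 'sae-mixed'
	option key 'CHANGE-ME-guest-passphrase'
	# guest clients cannot reach each other through the AP
	option isolate '1'

config wifi-iface 'wifi_ipcam'
	option device 'radio1'
	option mode 'ap'
	option network 'ipcam'
	option ssid 'ipcam'
	option encryption 'psk2'
	option key 'CHANGE-ME-ipcam-passphrase'
```

The two default open 'OpenWrt' SSIDs on lan (default_radio0 and default_radio1, encryption 'none') are dropped in this example rather than kept alongside the new ones. IoT devices and cameras are often 2.4 GHz only, so the iot and ipcam wifi-iface sections are usually duplicated with `option device 'radio0'` and radio0 enabled with the same country code. After editing the file, `wifi reload` applies it and `iwinfo` should list one new wlan interface per SSID; DHCP for each SSID keeps coming from Opnsense through the tagged uplink on lan5, exactly as for the wired ports.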