Issues with VLANs and Guest Wifi

Hi all!

I'm trying my best to learn as I go, so please excuse any misunderstandings on my part.

I've got a glinet mt-6000 router which is running the main wifi and guest wifi just fine. I'm trying to do something very simple - add vlan20 to the guest wifi.

The guest wifi works fine as-is. br-guest is attached to no bridge ports, and goes straight out to the WAN I believe.

I navigate to br-guest --> "Bridge VLAN filtering" and click "enable vlan filtering" and enter "VLAN ID 20" and leave "Local" checked.

After applying this, there's now a greyed out/dark "br-guest.20" 802.1q device, but I can no longer connect to the device (I don't get an IP, and even assigning a manual IP I can't ping the router, or 1.1.1.1)

I feel like I'm doing something very simplistic wrong here, and I'm hoping someone can point me in the right direction - what am I missing? What should I be checking for at this point?

Thank you to anyone who can point me in the right direction!

Edit: Just for context, long term I'm looking to get an AP up and running via ethernet, which is why I'm trying to understand VLANs better. I tend to learn best by "doing", so this was an attempt at a simple setup before moving onto the more complex beast!

So your goal is to attach the guest wifi to ethernet?

  • Which port(s) will be assigned to the guest network?
  • Are you trunking your main lan and the guest network on the same port(s)?

Let's take a look at your complete config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I did something similar on my Flint 2 MT6000, which has extended the Guest interface network to my connected managed switch devices. But, I had to create the br-guest bridge device correctly in the /etc/config/network file and change the Guest interface from a bridge to use the br-guest bridge device instead, so that I could then see the br-guest bridge device in the LUCI GUI devices tab natively.

config device
option name 'br-guest'
option type 'bridge'
option igmp_snooping '0'

config interface 'guest'
(REMOVED) option name 'br-guest'
(ADDED) option device 'br-guest'

On my Flint 2, I’m using VLANs created in the LUCI advanced GUI on the br-lan bridge device which are untagged/tagged to my connected managed network switches on LAN2 and LAN3.

(VLAN 1=br-lan) I set it up so that VLAN 1 was the default untagged VLAN for the LAN2 and LAN3 ports so that the switch management would be on VLAN 1. I then connected the newly created br-lan.1 device to the br-lan bridge device so that devices connected to my managed switchports that were set to use VLAN 1 untagged would get IPs from the LAN interface network.

(VLAN 3=br-guest) Then I created VLAN 3 on the br-lan bridge device and tagged LAN2 and LAN3 so it would pass VLAN 3 to the managed switches. I then connected the newly created br-lan.3 device to the br-guest bridge device. So now devices connected to the switchports on the managed switches that are untagged and set to VLAN 3 are connected through the br-guest bridge and get IPs from the Guest interface.

Also, since I created br-guest bridge device properly in the /etc/config/network file, I then removed LAN4 and LAN5 from the br-lan bridge device, and selected them to be on the br-guest bridge device instead so that the devices connected to these LAN ports would get IP addresses from the Guest network.

BTW, I believe there is a glitch with the ‘Bridge VLAN filtering’ checkbox, so I asked about it on the GL.iNet forums, but their mods haven’t responded yet. So try un-checking the box to see if that works.

Sorry for my delay in responding! I was waiting on a managed switch coming which is now in place, so I should be good to set this up.

Here's the output from my main router:

root@GL-MT6000:~# ubus call system board
{
	"kernel": "6.6.63",
	"hostname": "GL-MT6000",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0-rc2",
		"revision": "r28161-ea17e958b9",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.0-rc2 r28161-ea17e958b9",
		"builddate": "1733226068"
	}
}
root@GL-MT6000:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf8:5aeb:d8fb::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	option macaddr '94:83:c4:a8:8d:6c'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config device
	option macaddr '94:83:c4:a8:8d:6b'
	option name 'lan1.901'

config device
	option name 'lan2'
	option macaddr '94:83:c4:a8:8d:6c'

config device
	option name 'lan3'
	option macaddr '94:83:c4:a8:8d:6c'

config device
	option name 'lan4'
	option macaddr '94:83:c4:a8:8d:6c'

config device
	option name 'lan5'
	option macaddr '94:83:c4:a8:8d:6c'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option isolate '0'
	option ipaddr '192.168.68.1'

config device
	option macaddr '94:83:c4:a8:8d:6a'
	option name 'eth1'

config interface 'wan'
	option force_link '0'
	option ipv6 '0'
	option classlessroute '0'
	option metric '10'
	option proto 'pppoe'
	option password '<redacted>'
	option disabled '0'
	option peerdns '1'
	option username '<redacted>'
	option device 'eth1'
	option vlanid '0'

config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'
	option disabled '1'

config interface 'tethering6'
	option device '@tethering'
	option proto 'dhcpv6'
	option disabled '1'

config interface 'wwan6'
	option device '@wwan'
	option proto 'dhcpv6'
	option disabled '1'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option multicast_querier '1'
	option igmp_snooping '0'
	option isolate '0'
	option bridge_empty '1'
	option device 'br-guest'
	list dns '192.168.9.1'

config interface 'wwan'
	option proto 'dhcp'
	option classlessroute '0'
	option metric '20'

config interface 'secondwan'
	option ipv6 '0'
	option metric '15'
	option force_link '0'
	option classlessroute '0'
	option proto 'pppoe'
	option username '<redacted>'
	option disabled '0'
	option peerdns '1'
	option password '<redacted>'
	option vlanid '901'

config interface 'secondwan6'
	option proto 'dhcpv6'
	option device '@secondwan'
	option disabled '1'
	option metric '15'

config rule 'policy_direct_rt'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule 'policy_default_rt_vpn'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule6 'policy_direct_rt6'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule6 'policy_default_rt_vpn6'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule 'policy_default_rt_vpn_ts'
	option lookup 'main'
	option priority '1099'
	option mark '0x80000/0xc0000'
	option invert '0'

config rule 'policy_relay_lo_rt_lan'
	option lookup '16800'
	option in 'loopback'
	option priority '1'

config device
	option name 'br-guest'
	option type 'bridge'
	option bridge_empty '1'

config device
	option type '8021q'
	option ifname 'lan5'
	option vid '20'
	option name 'lan5.20'

config interface 'lan5_20guest'
	option proto 'dhcp'
	option device 'lan5.20'

config interface 'br_guest20'
	option proto 'dhcp'
	option device 'br-guest.20'

root@GL-MT6000:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option band '2g'
	option htmode 'HE40'
	option channel 'auto'
	option country 'GB'
	option random_bssid '1'
	option disabled '0'
	option hwmode '11g'
	option path 'platform/soc/18000000.wifi'
	option cell_density '0'

config wifi-iface 'wifi2g'
	option device 'radio0'
	option mode 'ap'
	option network 'lan'
	option ifname 'wlan0'
	option wds '1'
	option isolate '0'
	option ieee80211k '1'
	option bss_transition '1'
	option ssid 'Main Wifi'
	option hidden '0'
	option encryption 'sae-mixed'
	option key '<redacted>'
	option macaddr '0E:42:F2:6E:F8:78'

config wifi-device 'radio1'
	option type 'mac80211'
	option band '5g'
	option channel 'auto'
	option htmode 'HE80'
	option country 'DE'
	option random_bssid '1'
	option disabled '0'
	option hwmode '11a'
	option path 'platform/soc/18000000.wifi+1'
	option channels '36,40,44,48,149,153,157,161'
	option cell_density '0'
	option legacy_rates '0'

config wifi-iface 'wifi5g'
	option device 'radio1'
	option mode 'ap'
	option network 'lan'
	option ifname 'wlan1'
	option wds '1'
	option isolate '0'
	option ieee80211k '1'
	option bss_transition '1'
	option ssid 'Main Wifi'
	option hidden '0'
	option encryption 'sae-mixed'
	option key '<redacted>'
	option macaddr 'C2:BB:4A:70:AE:11'

config wifi-iface 'guest2g'
	option device 'radio0'
	option mode 'ap'
	option ifname 'guest-2.4'
	option guest '1'
	option wds '1'
	option disabled '0'
	option ssid 'Guest Wifi'
	option encryption 'sae-mixed'
	option key 'Guest123'
	option macaddr '7E:25:4A:A9:C8:E7'
	option ocv '0'
	option isolate '1'
	option network 'br_guest20'

config wifi-iface 'guest5g'
	option device 'radio1'
	option mode 'ap'
	option ifname 'wlan1-1'
	option guest '1'
	option wds '1'
	option isolate '1'
	option disabled '1'
	option ssid 'Guest Wifi'
	option encryption 'sae-mixed'
	option key 'Guest123'
	option macaddr '3A:46:5D:8E:B9:27'
	option ocv '0'

root@GL-MT6000:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv_old '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'local'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option rebind_protection '0'
	option filter_aaaa '1'
	option noresolv '1'
	option localuse '0'
	list server '127.0.0.1#3053'
	option logdhcp '1'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv4 'server'
	option ra_slaac '1'
	option force '1'
	option dhcpv6 'disabled'
	option ra 'disabled'
	option ignore '0'
	option start '10'
	option limit '240'
	option leasetime '720m'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option name 'console.gl-inet.com'
	option ip '192.168.68.1'

config domain
	option name 'console.gl-inet.com'
	option ip '::ffff:192.168.68.1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'secondwan'
	option interface 'secondwan'
	option ignore '1'

config dhcp 'br_guest20'
	option interface 'br_guest20'
	option ignore '1'

root@GL-MT6000:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option input 'DROP'
	option masq '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	list network 'secondwan'

config forwarding
	option src 'lan'
	option dest 'wan'
	option enabled '1'

config rule
	option name 'Allow-DHCP-Renew'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
	option src 'lan'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'
	list network 'guest'
	list network 'br_guest20'

config forwarding
	option src 'guest'
	option dest 'wan'
	option enabled '1'

config rule
	option name 'Allow-DHCP'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule
	option name 'Allow-DNS'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config include 'vpn_server_policy'
	option type 'script'
	option path '/etc/firewall.vpn_server_policy.sh'
	option reload '1'
	option enabled '1'

config include 'vpn_client_deal_leak'
	option type 'script'
	option reload '1'
	option path '/etc/firewall.vpn_client_deal_leak.sh'
	option enabled '1'

config rule 'sambasharewan'
	option src 'wan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'DROP'

config rule 'sambasharelan'
	option src 'lan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'ACCEPT'

config rule 'glnas_ser'
	option src 'wan'
	option dest_port '6000-6002'
	option dest_proto 'tcp'
	option target 'DROP'

config rule 'webdav_wan'
	option src 'wan'
	option dest_port '6008'
	option dest_proto 'tcp'
	option target 'DROP'

config rule
	option name 'block-internet-access'
	option src 'lan'
	list src_ip '192.168.68.208'
	option dest 'wan'
	option target 'REJECT'

config redirect 'adguard_home'
	option name 'Adguard Home'
	option src 'lan'
	option src_dport '53'
	option dest 'lan'
	option dest_port '3053'
	option proto 'tcp udp'
	option mark '!0x8/0x8'
	option enabled '1'

config redirect 'adguard_home_guest'
	option name 'Adguard Home guest'
	option src 'guest'
	option src_dport '53'
	option dest 'guest'
	option dest_port '3053'
	option proto 'tcp udp'
	option mark '!0x8/0x8'
	option enabled '1'

config include 'glblock'
	option type 'script'
	option path '/usr/bin/gl_block.sh'
	option reload '1'

And here's my guest router. Please excuse the absolute mess of me trying to figure this out myself with little luck :frowning:

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.167",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Netgear WAX220",
	"board_name": "netgear,wax220",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "mediatek/filogic",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd4b:02f1:c737::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config device
	option name 'eth0'
	option macaddr '94:18:65:4e:28:d9'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.68.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.68.1'

config interface 'guest_vlan20'
	option proto 'static'
	option device 'br-lan.20'
	option ipaddr '192.168.9.2'
	option gateway '192.168.9.1'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '20'
	option name 'eth0.20'

config interface 'eth0_20'
	option proto 'dhcp'
	option device 'eth0.20'
	option type 'bridge'

config device
	option type 'bridge'
	option name 'br-vlan20'
	list ports 'br-lan.20'
	list ports 'eth0.20'

config bridge-vlan
	option device 'br-vlan20'
	option vlan '20'
	list ports 'br-lan.20:t'
	list ports 'eth0.20:t'

config interface 'br_vlan20'
	option proto 'dhcp'
	option device 'br-vlan20'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Main Wifi'
	option encryption 'sae-mixed'
	option key '<redacted>'
	option network 'lan'
	option wds '1'
	option ieee80211r '1'
	option mobility_domain '1234'
	option ft_over_ds '1'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Main Wifi'
	option encryption 'sae-mixed'
	option network 'lan'
	option key '<redacted>'
	option ieee80211r '1'
	option mobility_domain '1234'
	option ft_over_ds '1'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Guest Wifi'
	option encryption 'sae-mixed'
	option key 'Guest123'
	option network 'br_vlan20'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest_vlan20'
	option interface 'guest_vlan20'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ignore '1'

config dhcp 'eth0_20'
	option interface 'eth0_20'
	option ignore '1'

config dhcp 'br_vlan20'
	option interface 'br_vlan20'
	option ignore '1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest_vlan20'
	list network 'eth0_20'
	list network 'br_vlan20'

config forwarding
	option src 'guest'
	option dest 'wan'

My setup is as follows:

Main Router LAN4 <-> Managed Switch <-> Access Point (eth0)

Traffic going over eth0 from the Access Point is either going to be "normal" (untagged?) from my normal wifi, or Guest (which I'm trying to get to go over vlan20).

My main network is 192.168.68.0/24, and my guest network is 192.168.9.0/24.

I appreciate any guidance that can be offered on how I should set this up - primarily:

  • How do I enable the VLANs without locking myself out? (I'd assumed that adding a VLAN would be "in addition to" the unmanaged traffic, but it seems to stop me accessing the router at all - and rolls back)
  • The VLAN configuration in DSA confuses me, so guidance on how it should look in this config is again appreciated.

Thank you!

Thank you for your guidance and input!

Are you running mixed traffic (untagged and tagged) via one ethernet anywhere, or do you have dedicated ports for guest vs non-guest?

Mixed (a.k.a 802.1q trunks) on the two LAN ports that are connected to my managed switches so that the switchports can be configured on either VLAN 1 (for the br-lan network) or VLAN 3 (for the br-guest network).

VLAN 1 is created on br-lan as the native management and access VLAN with the managed switches so VLAN 1 is untagged on LAN2 and LAN3, and any of the switchports assigned to VLAN 1 will be on the br-lan interface network since I checkmarked br-lan.1 as a device on the br-lan bridge device.

VLAN 3 is created on br-lan and is tagged to the LAN2 and LAN3 ports so that the managed switches can get it, and so that any of the switchports I assign to VLAN 3 will be on the br-guest interface network since I checkmarked br-lan.3 as a device on the br-guest bridge device.

And dedicated: since I created the br-guest bridge device properly in the /etc/config/network file, I then removed LAN4 and LAN5 from the br-lan bridge device, and selected them to be on the br-guest bridge device instead so that the devices connected to these LAN ports would get IP addresses from the Guest network.

I feel like I've made some progress, but still having problems unfortunately :frowning:

Access Point:

Guest Wifi --> br_guest20 interface.

br_guest20 interface:
Static IP, connected to device "br-guest"
IPv4 address: 192.168.9.2
IPv4 netmask: 255.255.255.0
IPv4 Gateway: 192.168.9.1
DHCP server - ignore interface
Firewall settings: guest.

Device br-guest:
Device Type: Bridge Device
Device Name: br-guest
Bridge Ports: eth0.20
Bridge VLAN: Enabled, VLAN ID 20, Tagged

Device eth0.20:
802.1q device
Base device: eth0
VLAN ID: 20

port eth0 is connected to LAN4 on Main Router:

Main Router:

Interface: guest
Protocol: Static Address
Device: br-guest
IP: 192.168.9.1
Netmask: 255.255.255.0
Gateway: (WAN IP)

Device br-guest:
Device Type: Bridge
Device Name: br-guest
Bridge Ports: br-guest.20, lan4.20
Bridge VLAN Filtering enabled, VLAN ID 20, Tagged on both br-guest.20 and lan4.20

Device br-guest.20:
Device Type: VLAN (802.1q)
Base Device: br-guest
VLAN ID: 20

Device lan4.20:
Device Type: VLAN (802.1q)
Base Device: lan4
VLAN ID: 20

So far the network is all working fine from the AP through the "main" wifi, but still nothing working on the guest side of things - not able to get an IP address it seems.

Any thoughts on what I'm doing wrong here, or where I'm overcomplicating things?

That configuration looks a bit over complicated to me, and it sure seems like a lot if all you are trying to do is extend just the Guest network on the LAN 4 port. If that’s the case, you shouldn’t need to use VLANs to accomplish that.

As I mentioned above, that checkbox in the LUCI GUI for ‘Bridge VLAN Filtering’ seems to work in reverse when VLANs are configured on the bridge device. So remove the checkbox on the br-guest bridge device and save and apply to see if that resolves it, but it also depends on the complicated way you have everything configured as well.

I believe I do need VLANs as I'm extending both guest and internal wifi over a single ethernet port. Isn't it the case that I then need VLAN tagging?

I've genuinely spent the best part of over a week trying things and breaking my network repeatedly...I'm about ready to give up :frowning:

If you're still willing to help and bring me back to basics (What does "simple" look like?) I'd love assistance.

To put it down to basics:

  • mt-6000 running as normal, both guest wifi and internal wifi
  • wax-220 AP with a single ethernet port, connected to LAN 4 on the mt-6000, carrying both internal traffic and guest traffic

That's really all I'm looking for, and somehow I'm making it more complicated than it needs to be :frowning:

Sorry, I'm not familiar with the wax-220 AP. But I imagine the VLAN IDs of the various AP networks on the AP should be passed to the Flint 2 as long as all of the same VLAN IDs are created and tagged on the Flint 2's bridge device that has the LAN port that connects to the AP. I'm not sure if your AP requires a management VLAN, but that VLAN may need to be configured and untagged on the bridge device of the LAN port that connects to the AP as well.

Also, if the Guest Wireless is not enabled on the Flint 2, then the Guest Interface Network might not be enabled either. I don't know this for sure about the Flint 2, but that is how it works on my GL.iNet AR750S router. Without the Guest wireless enabled on my AR750S, the Guest Interface network didn't work. I had to edit the /etc/config/network file and add the (option disabled '0') line to the (config interface 'guest') section and restart the guest interface so that the Guest Interface Network would be active on my AR750S without the Guest wireless enabled.

Anyway, this is how I got my MT6000 Flint 2 to have both the main LAN and Guest Interface networks on an Ethernet port running GL.iNet 4.7 firmware to be used with my managed switches. Hopefully I didn't forget anything.

  1. I ssh'd to the Flint 2 and changed the /etc/config/network file.

    I added this:
    config device
    option name 'br-guest'
    option type 'bridge'
    option igmp_snooping '0'

    I changed one line in the (config interface 'guest') section of the config. I changed the line (option name 'br-guest')
    to (option device 'br-guest').

    I then saved the file. Note, this allowed me to see the br-guest bridge device in the LUCI GUI so I could configure it further.

  2. I connected to the Flint 2's LUCI advanced GUI and performed these settings. Note that my two managed switches are connected to the Flint 2's LAN 2 and LAN 3 ports where I wanted both the main LAN and Guest networks available on.

    1. I went to the Network/Interfaces tab and restarted the Guest Interface after making the above changes to the /etc/config/network file.
    2. I went to the Devices tab.
    3. I selected configure on the br-lan bridge device.
    4. On the br-lan device, I selected the Bridge VLAN Filtering tab, and created two VLANs
      VLAN ID 1. To be my native management VLAN with the managed switches.
      VLAN ID 3. To be my Guest network VLAN. Note that I'll put this br-lan.3 device on the Guest Interface Network later, but I created it here so that the two devices connected via Ethernet (the Flint 2 and my managed switches) can see and use it.
    5. I 'untagged' VLAN ID 1 on the LAN 2 and LAN 3 ports so that it would pass VLAN 1 to the managed switches as the native management VLAN.
    6. I 'tagged' VLAN ID 3 on the LAN 2 and LAN 3 ports so that it would allow VLAN 3 with the switches.
    7. I then saved and applied the changes, but had a problem since the LAN Network went down. I eventually figured out that I had to 'uncheck' Enable VLAN filtering for the changes to be applied and everything continue to work. So, there seems to be a problem with the checkbox when VLANs are configured on the br-lan device. The first time I saved the configuration with the Enable VLAN filtering checked, it caused the LAN network to go down and I had to wait 90 seconds for the changes to be reverted.
    8. Still on the Devices tab, I selected 'configure' on the br-lan bridge device again.
    9. On the General Device Options tab of the br-lan device, I selected the dropdown for Bridge Ports and selected the VLAN: "br-lan.1" device to be a member on this bridge. And again, I went to the Enable VLAN Filtering tab and 'unchecked' the Enable VLAN filtering since there seems to be a problem with the checkbox when VLANs are configured on the br-lan device. I then saved and applied. Note that the br-lan bridge device is the default device for the LAN Interface Network so now anything connected to VLAN 1 on the managed switches would get a DHCP IP assignment from the LAN Interface.
    10. Still on the Devices tab, I selected configure on the br-guest bridge device since I could see it in the GUI after making the above changes to the /etc/config/network file.
    11. On the General Device Options tab of the br-guest device, I selected the dropdown for Bridge Ports and selected the VLAN: "br-lan.3" device to be on this bridge. Note that the br-guest bridge device is the default device for the Guest Interface Network so now anything connected to VLAN 3 on the managed switches would get a DHCP IP assignment from the Guest Interface.
    12. I then saved and applied the changes. Note, I probably didn't need to create VLAN 1 as the native VLAN since it's untagged everywhere, but I did anyway to ensure that it all worked.
  3. I then set up my managed switches.

    1. I set VLAN 1 untagged on all switchports. (Which was by default anyway since it's the management VLAN for the switches.)
    2. I set VLAN 3 to be untagged on all of the switchports except for the port connected to the Flint 2 which I tagged since it is the trunk port between the managed switch and the Flint 2.
    3. I then set each switchport to its respective VLAN assignment, either on VLAN 1 for the LAN Network or VLAN 3 for the Guest Network.

Also, since I only wanted the Guest Interface Network on the Flint 2's LAN 4 and LAN 5 ports here's what I did. Note that if all I wanted to do was put the Guest network on a LAN port, it wouldn't require any VLANs to be configured at all.

  1. In the advanced LUCI GUI, I went to the Network/Interface/Devices tab.
  2. I selected configure on the br-lan bridge device.
  3. On the General Device Options tab of the br-lan device, I selected the dropdown for Bridge Ports and unselected LAN 4 and LAN 5. And again, since I have VLANs configured on the br-lan device, I went to the Enable VLAN Filtering tab and 'unchecked' the Enable VLAN filtering since there seems to be a problem with the checkbox when VLANs are configured on the br-lan device. I then saved and applied.
  4. Still on the Devices tab, I selected configure on the br-guest bridge device since I could see it in the GUI after making the above changes to the /etc/device/network file.
  5. On the General Device Options tab of the br-guest device, I selected the dropdown for Bridge Ports and selected the LAN 4 and LAN 5 to be on this bridge. I saved and applied. So now the devices connected to the Flint 2's LAN 4 and LAN 5 ports get a DHCP IP assignment from the Guest Interface.
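Added example (constructed here, not the poster's config and not from the thread): the router and AP sides of the setup described in the steps above, written as the bridge-vlan sections that LuCI's "Bridge VLAN filtering" tab generates, with the guest interface bound to br-lan.20 directly instead of making a br-lan.X VLAN device a port of a second bridge as the post does. Assumed: VLAN 20 for guest (as in the original question), lan4 as the trunk to the AP, and 192.168.20.1/24 for the guest subnet; the managed-switch step stays the same with VLAN 20 in place of VLAN 3.

```text
# ---- Router (GL-MT6000): /etc/config/network ----
# Added example, not the poster's config: VLAN 20 = guest, lan4 = trunk to AP
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        option vlan_filtering '1'

# VLAN 1 untagged + PVID (':u*') on every port: untagged frames keep working
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'
        list ports 'lan5:u*'

# VLAN 20 tagged (':t') only on the trunk to the AP; no other port carries it
config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan4:t'

# With filtering on, interfaces bind to the VLAN devices (br-lan.1, br-lan.20),
# not to br-lan itself; a wifi-iface with 'option network' joins that VLAN.
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.68.1'
        option netmask '255.255.255.0'

config interface 'guest'
        option device 'br-lan.20'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

# ---- Router: /etc/config/dhcp ----
config dhcp 'guest'
        option interface 'guest'
        option leasetime '12h'

# ---- Router: /etc/config/firewall ----
# The posted 'guest' zone lists no network, so it matches nothing; attach it.
# The existing guest->wan forwarding and Allow-DHCP/Allow-DNS rules then apply.
config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

# ---- AP (WAX220): /etc/config/network ----
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option vlan_filtering '1'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'eth0:t'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.68.2'
        option netmask '255.255.255.0'
        option gateway '192.168.68.1'

# No address on VLAN 20 at the AP: its guest SSID (wifi-iface with
# 'option network guest') is only bridged onto the tagged uplink.
config interface 'guest'
        option device 'br-lan.20'
        option proto 'none'
```

Applying this from LuCI keeps the automatic rollback the post above mentions, so a mistake that cuts the session off reverts on its own instead of requiring a reset to defaults.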

Please post your latest config, as I had requested previously. It's usually fairly straightforward to fix the issue when we can see the whole story in a few text files.

I've reverted as much as I could as I kept locking myself out of my router and needed it working today. I can try again later, but your guidance (as with everyone else's so far) is appreciated!

Main router (mt-6000):

root@GL-MT6000:~# ubus call system board
{
        "kernel": "6.6.63",
        "hostname": "GL-MT6000",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0-rc2",
                "revision": "r28161-ea17e958b9",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.0-rc2 r28161-ea17e958b9",
                "builddate": "1733226068"
        }
}
root@GL-MT6000:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf8:5aeb:d8fb::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        option macaddr '94:83:c4:a8:8d:6c'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        option vlan_filtering '1'

config device
        option name 'lan2'
        option macaddr '94:83:c4:a8:8d:6c'

config device
        option name 'lan3'
        option macaddr '94:83:c4:a8:8d:6c'

config device
        option name 'lan4'
        option macaddr '94:83:c4:a8:8d:6c'

config device
        option name 'lan5'
        option macaddr '94:83:c4:a8:8d:6c'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option isolate '0'
        option ipaddr '192.168.68.1'

config device
        option macaddr '94:83:c4:a8:8d:6a'
        option name 'eth1'

config interface 'wan'
        option force_link '0'
        option ipv6 '0'
        option classlessroute '0'
        option metric '10'
        option proto 'pppoe'
        option password '<redacted>'
        option disabled '0'
        option peerdns '1'
        option username '<redacted>'
        option device 'eth1'
        option vlanid '0'

config rule 'policy_direct_rt'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule 'policy_default_rt_vpn'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

config rule6 'policy_direct_rt6'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule6 'policy_default_rt_vpn6'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

config rule 'policy_default_rt_vpn_ts'
        option lookup 'main'
        option priority '1099'
        option mark '0x80000/0xc0000'
        option invert '0'

config rule 'policy_relay_lo_rt_lan'
        option lookup '16800'
        option in 'loopback'
        option priority '1'

root@GL-MT6000:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option band '2g'
        option htmode 'HE40'
        option channel 'auto'
        option country 'GB'
        option random_bssid '1'
        option disabled '0'
        option hwmode '11g'
        option path 'platform/soc/18000000.wifi'
        option cell_density '0'

config wifi-iface 'wifi2g'
        option device 'radio0'
        option mode 'ap'
        option network 'lan'
        option ifname 'wlan0'
        option wds '1'
        option ieee80211k '1'
        option bss_transition '1'
        option ssid 'Main Wifi'
        option encryption 'sae-mixed'
        option key '<redacted>'
        option macaddr '0E:42:F2:6E:F8:78'
        option ocv '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option band '5g'
        option channel 'auto'
        option htmode 'HE80'
        option country 'DE'
        option random_bssid '1'
        option disabled '0'
        option hwmode '11a'
        option path 'platform/soc/18000000.wifi+1'
        option channels '36,40,44,48,149,153,157,161'
        option cell_density '0'
        option legacy_rates '0'

config wifi-iface 'wifi5g'
        option device 'radio1'
        option mode 'ap'
        option network 'lan'
        option ifname 'wlan1'
        option wds '1'
        option isolate '0'
        option ieee80211k '1'
        option bss_transition '1'
        option ssid 'Main Wifi'
        option hidden '0'
        option encryption 'sae-mixed'
        option key '<redacted>'
        option macaddr 'C2:BB:4A:70:AE:11'

root@GL-MT6000:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv_old '1'
        option localise_queries '1'
        option local '/lan/'
        option domain 'local'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option rebind_protection '0'
        option filter_aaaa '1'
        option noresolv '1'
        option localuse '0'
        list server '127.0.0.1#3053'
        option logdhcp '1'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv4 'server'
        option force '1'
        option start '10'
        option limit '240'
        option leasetime '720m'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain
        option name 'console.gl-inet.com'
        option ip '192.168.68.1'

config domain
        option name 'console.gl-inet.com'
        option ip '::ffff:192.168.68.1'

root@GL-MT6000:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option input 'DROP'
        option masq '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '1'

config rule
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'lan'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config include 'nat6'
        option path '/etc/firewall.nat6'
        option reload '1'

config zone
        option name 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'
        option masq '1'

config forwarding
        option src 'guest'
        option dest 'wan'
        option enabled '1'

config rule
        option name 'Allow-DHCP'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule
        option name 'Allow-DNS'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

config include 'vpn_server_policy'
        option type 'script'
        option path '/etc/firewall.vpn_server_policy.sh'
        option reload '1'
        option enabled '1'

config include 'vpn_client_deal_leak'
        option type 'script'
        option reload '1'
        option path '/etc/firewall.vpn_client_deal_leak.sh'
        option enabled '1'

config rule 'sambasharewan'
        option src 'wan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'DROP'

config rule 'sambasharelan'
        option src 'lan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'ACCEPT'

config rule 'glnas_ser'
        option src 'wan'
        option dest_port '6000-6002'
        option dest_proto 'tcp'
        option target 'DROP'

config rule 'webdav_wan'
        option src 'wan'
        option dest_port '6008'
        option dest_proto 'tcp'
        option target 'DROP'

config rule
        option name 'block-internet-access'
        option src 'lan'
        list src_ip '192.168.68.208'
        option dest 'wan'
        option target 'REJECT'

config redirect 'adguard_home'
        option name 'Adguard Home'
        option src 'lan'
        option src_dport '53'
        option dest 'lan'
        option dest_port '3053'
        option proto 'tcp udp'
        option mark '!0x8/0x8'
        option enabled '1'

config redirect 'adguard_home_guest'
        option name 'Adguard Home guest'
        option src 'guest'
        option src_dport '53'
        option dest 'guest'
        option dest_port '3053'
        option proto 'tcp udp'
        option mark '!0x8/0x8'
        option enabled '1'

config include 'glblock'
        option type 'script'
        option path '/usr/bin/gl_block.sh'
        option reload '1'

Netgear wax-220 (AP):

 -----------------------------------------------------
 OpenWrt 23.05.5, r24106-10cc5fcd00
 -----------------------------------------------------
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Netgear WAX220",
        "board_name": "netgear,wax220",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd3d:03a1:7008::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'eth0'
        option macaddr '94:18:65:4e:28:d9'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.68.2'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.68.1'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Fake Main Wifi'
        option encryption 'sae-mixed'
        option key '<redacted>'
        option network 'lan'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Main Wifi'
        option encryption 'sae-mixed'
        option wds '1'
        option key '<redacted>'
        option ieee80211r '1'
        option mobility_domain '1234'
        option ft_over_ds '1'
        option network 'lan'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Main Wifi'
        option encryption 'sae-mixed'
        option wds '1'
        option key '<redacted>'
        option ieee80211r '1'
        option mobility_domain '1234'
        option ft_over_ds '1'
        option network 'lan'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall
config defaults
        option syn_flood        1
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

The "Fake Main Wifi" is a dummy network for me to connect to when I get locked out basically, that is to be removed when I get this working.

My goal setup:

  • Main Wifi and Guest Wifi on mt-6000
  • (mt-6000) LAN4 <-> eth0 (wax-220)
  • Main Wifi and Guest Wifi on wax-220, getting DHCP from mt-6000

I don't know how I keep messing it up so badly, but when adding/applying VLANs I end up locked out (can't get connected to wifi any more) and needing to reset the wax-220 to defaults.

Right now I don't even have a guest network set up any more, as I planned to start from "as clean" a setup as I could.

Thank you again to you and everyone else offering guidance here.

Maybe you could review this video which is in English, and it’s a good tutorial on VLANs for the OpenWrt version 21 that runs on the Flint 2 out of the box.