Like many others, I am looking for advice on how to configure my network to support Guest+IoT+Home devices.
I have a GL-MT6000 and a NWA50AX Pro (ZyXEL).
I have watched the OneMarcFifty video (https://www.youtube.com/watch?app=desktop&v=UvniZs8q3eU) which discusses setting up different zones. I followed his steps right up until about 12:30 at which point he dedicates an entire adapter to each zone. I am not sure how he did that (while still maintaining a home wifi device/ssid). Ideally I would like:
MT6000 (All DHCP)
2.4G : Home Lan + Guest
5G : Home Lan
NWA50AX Pro (NO DHCP)
2.4G : IoT
5G : Home Lan
Is this possible to do? I don’t have a lot of regular guests. Currently I have no separation between my device types, and I just use the NWA50AX as an extender (no DHCP).
I appreciate input if anyone has a moment to point me in the right direction.
I would reset everything back to default and watch the above and use DSA for vlans. Intro explains what is happening. Just substitute what you want e.g.
Home - vlan 10
Guest - vlan 20
IOT - vlan 30
You will lock yourself out at least once; just wait 90 seconds and it will revert.
Question:
Is there a way to share the connection between two lans? His videos seem to dedicate one band or port to a specific vlan.
Since this is my home network, would either of the following make sense?
Main Router:
-2.4 Channel: IOT Access
-5 Channel: Private Access
Wireless AP:
-2.4 Channel: Personal AND Guest Access
-5 Channel: Private access
For AP-2.4: Assign to vlan using one of the following (whichever is easier is OK)
-by MAC address
-ESSID Password (I think I found a post where someone assigns vlan based on the password?)
That video was just to help you understand DSA vlans. Yes, you can use the same internet connection. Intervlan routing is also possible via the firewall zones in the luci GUI.
Create vlan 20 for guest/iot/whatever
Add new wireless network/SSID to whichever radio you want and assign vlan 20 to it.
Anyone that joins that network, gets assigned vlan 20.
Focus on the basics before attempting anything more complicated. I would also learn more about vlans in general as well.
iw list
Will tell you how many SSIDs your hardware can do.
I am trying to find a guide on how to tag/filter to a vlan based on MAC, but I have not yet been successful. Is there a specific name I should search for? Or guide?
Thank you very much. I am going to do some digging. I don’t yet know what a FreeRADIUS server is, but I believe I saw some posts which mentioned tagging and did not require it. I’ll read the link and see what I can find.
Well, I don’t know why, but I find myself confused by too many menus and terms in OpenWrt. I consider myself fairly technical, but something about the interfaces and devices just trips me up a bit. I am trying to follow the recommended guides, but I don’t care to make things more complicated than necessary and am beginning to think a Radius server or PSK files is overkill. I am considering the following instead and thinking it may be an easier approach:
I am not sure how to extend the DHCP to the Wireless_AP…I’ll give it a go and post my config soon.
EDIT: I think I just answered part of my question…I used the above and mapped the guest and iot wifi to the vlans I setup from the video tutorials…maybe getting warmer….
I have made some progress and think I have a vlan setup with its own wifi access point for my iot. Question though…I use Frigate, which is my video system hosted on my only server. I want the cameras on the iot network but the server on the private network…is there a good way to pass the video feed from the cameras on IoT over to my private network? ie…from 10.10.1.1 to 192.168.1.1? Ideally, I don’t want the cameras doing anything but feeding the server the rtsp stream (port 554 or “unicast”)
Use firewall zones and/or poke holes in your firewall to allow intervlan routing.
It is different, but in a few months everything will click. Just avoid hardware using older swconfig vlans; DSA vlans are easy.
Note #1 - put your NVR on the same vlan as your cameras.
Note #2 - simplify your private subnets and have them match your vlans.
e.g. vlan 100 = main = x.x.100.x, vlan 200 = IPcams = x.x.200.x, etc.
@scales11 I feel like you have been greatly helped by @cookiemonster already, but I just want to point out it doesn’t matter which WiFi standard your IoT/Guest networks are on which device. You bind a specific wifi interface to a specific network. Moreover, if you want both LAN and IoT on 2.4GHz (wifi4) on your AP, create two separate wifi interfaces there and bind one to your LAN and another to your IoT interfaces, like:
I may be wrong here, but I suspect your question about VLAN matching by MAC is due to you not realizing you can easily set up multiple wifi interfaces binding to different networks.
I’ve also recently faced a similar challenge with IoT-only cameras and a controller that can’t be dual-homed and lives on the LAN, and with the suggestion from @psherman I’ve made it work: Unifi protect on main VLAN + 3rd party cameras on IoT VLAN - #6 by psherman . I can’t do any hand-holding while you implement the same, but it’s a starting point where someone else can maybe help you further based on that known-working config.
In your case, if your camera controller can be moved to IoT, it would be easier to expose just the controller from IoT to your LAN than to expose multiple cameras from IoT to LAN.
I have received excellent input and help from @cookiemonster and am very appreciative of their patience and guidance. My questions are a result of my lack of familiarity with all the features that Openwrt has to offer.
Your suggestion is also perfectly valid…perhaps I didn’t ask the correct question from the beginning. I was assuming that a vlan was the way to do things, but as you pointed out, there are many ways to accomplish a task!…maybe I am overcomplicating mine.
I’m not familiar with the config file for OpenWrt, but have plenty of experience with similar tasks. Frankly, I wonder if, had I stuck with the config file, I’d have asked fewer questions! That being said, I have now set up 2 different wifi interfaces and I’m not yet sure whether to bother with the vlans if I keep everything on different subnets.
I am also considering the best approach for my NVR, cameras, and smart devices…I’m not sure my original layout was ideal. Maybe I should describe my use case better…
//------------------------//
I have the following hardware:
-1 router (GL-MT6000) + 1 wireless AP connected via ethernet (ZyXEL NWA50AX Pro)
(Both use mediatek hardware)
Devices which can have un-restricted access to anything:
-Personal computers, tablets, phones, gaming systems
Devices which need access to ONLY LAN things and possibly accessible via VPN
-Server used as a NAS (with docker) is used to stream music, host Frigate(video NVR), fileshare for photos/videos
-Surveillance cameras (I don’t want these to have internet access, only access to the local server)
-SmartHome devices (Light bulbs, Google Speakers)
//------------------------//
I think my main question would be this:
Maybe the suggestion is to put the Server + Cameras on their own subnet (or vlan? please forgive me if I’m not using the terms correctly) and then leave whatever ports open to the lan so devices can communicate with them? For example, my smart phone or PC can see the NVR-server webinterface.
Thank you both again for the tremendous help, I understand if I am taking too long to arrive at a conclusion and you are tired of this thread.
Your choice. If you want separation, you want vlans.
All you seem to be missing now is to just watch that original youtube video about firewall zones. Just make sure IOT and NVR_IPCAM vlans can't access WAN. You are just overthinking this.
OT - My advice about IP cameras and NVR being on the same vlan is forward looking and for security, i.e. "I need this footage for the police!", as opposed to surveillance, i.e. "I lost the footage, but I don't care." You are dabbling with frigate so you are likely in the former or will be soon.
Gateway dies + same vlan on separate managed PoE switch = keeps recording
Gateway dies + different vlan on separate managed PoE switch = recording stops
The gateway dying will stop the intervlan routing which is very, very bad for security cameras but maybe okay for surveillance cameras.
I believe I have configured each subnet to be on a separate vlan:
SSID_a, SSID_b, and SSID2 are on 192.168.11.x
guest-SSID_a and guest_SSID_b are on 192.168.2.x
and iot-SSID is on 192.168.3.x
I am trying to achieve the following, however my extender only has one cable and the video seems to reference a "switch" menu which is no longer in the same location?
Is there a config file I could share for either the extender or router that would help?
Is there a different/alternate tutorial to follow for this last step?
If you need help, post the config files from both devices:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
Thanks for the review. I ran those commands, made a couple slight edits and gathered them below. I will also try and read through the DSA link you shared and see if I can piece things together.
OpenWrt 24.10.2, r28739-d9340319c6
root@OpenWrt:~# ubus call system board
{
"kernel": "6.6.93",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "GL.iNet GL-MT6000",
"board_name": "glinet,gl-mt6000",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.2",
"revision": "r28739-d9340319c6",
"target": "mediatek/filogic",
"description": "OpenWrt 24.10.2 r28739-d9340319c6",
"builddate": "1750711236"
}
}
==============================================================
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '###REMOVED_BY_ME###'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.11.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
config interface 'guest'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option device 'br-guest'
config interface 'iot'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option device 'br-iot'
config device
option type 'bridge'
option name 'br-guest'
option bridge_empty '1'
config device
option type 'bridge'
option name 'br-iot'
option bridge_empty '1'
list ports 'lan1'
==============================================================
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/18000000.wifi'
option band '2g'
option channel '1'
option htmode 'HE20'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'guest'
option mode 'ap'
option ssid 'SSID_GUEST'
option encryption 'psk2'
option key '###REMOVED_BY_ME###'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/18000000.wifi+1'
option band '5g'
option channel '36'
option htmode 'HE80'
option cell_density '0'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'SSID_a'
option encryption 'psk2'
option key '###REMOVED_BY_ME###'
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'SSID_iot'
option encryption 'psk2'
option key '###REMOVED_BY_ME###'
option network 'iot'
==============================================================
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'iot'
option interface 'iot'
option start '100'
option limit '150'
option leasetime '12h'
==============================================================
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config zone
option name 'iot'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'iot'
config forwarding
option src 'lan'
option dest 'iot'
config forwarding
option src 'guest'
option dest 'wan'
config rule
option src 'guest'
option name 'guest dhcp and dns'
option dest_port '53 67 68'
option target 'ACCEPT'
And the Extender:
root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.167",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "ZyXEL NWA50AX Pro",
"board_name": "zyxel,nwa50ax-pro",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.5",
"revision": "r24106-10cc5fcd00",
"target": "mediatek/filogic",
"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
}
}
==============================================================
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '###REMOVED_BY_ME###'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.11.2'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.11.1'
list dns '192.168.11.1'
==============================================================
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/18000000.wifi'
option channel '3'
option band '2g'
option htmode 'HE20'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'SSID2'
option encryption 'psk2'
option key '###REMOVED_BY_ME###'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/18000000.wifi+1'
option channel 'auto'
option band '5g'
option htmode 'HE80'
option cell_density '0'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'SSID_b'
option encryption 'psk2'
option key '###REMOVED_BY_ME###'
==============================================================
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ignore '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
==============================================================
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
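As an added example (not code from the thread or from OpenWrt), here is a small Python check that reads a UCI firewall config like the one posted above and reports which zones can open connections into which, so cookiemonster's point that the IoT vlan must not reach WAN can be verified rather than assumed. The SAMPLE is a constructed, trimmed copy of the posted zones, forwardings and one cross-zone rule; single-quoted values are assumed, as in the dumps.

```python
import re

# Constructed sample: a trimmed copy of the zones, forwardings and one cross-zone
# rule from the firewall config posted in this thread.
SAMPLE = """\
config zone
	option name 'lan'
	list network 'lan'
	option forward 'ACCEPT'
config zone
	option name 'wan'
	list network 'wan'
config zone
	option name 'guest'
	list network 'guest'
config zone
	option name 'iot'
	list network 'iot'
config forwarding
	option src 'lan'
	option dest 'wan'
config forwarding
	option src 'lan'
	option dest 'iot'
config forwarding
	option src 'guest'
	option dest 'wan'
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, values)]; 'option' keys map to a
    string, 'list' keys to a list. Assumes single-quoted values as in the dumps."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", line)
        if not m:
            continue
        kind, key, val = m.groups()
        if kind == "config":
            sections.append((key, {}))
        elif kind == "option":
            sections[-1][1][key] = val
        else:
            sections[-1][1].setdefault(key, []).append(val)
    return sections

def zone_matrix(text):
    """(src, dst) -> True if hosts in src may open connections into dst.
    Between zones only an explicit 'forwarding' section allows it; inside a zone
    (several networks in one zone) the zone's own 'forward' policy applies,
    which is REJECT unless set (matching the posted 'defaults' section)."""
    secs = parse_uci(text)
    policy = {s["name"]: s.get("forward", "REJECT") for t, s in secs if t == "zone"}
    fwd = {(s["src"], s["dest"]) for t, s in secs if t == "forwarding"}
    return {(a, b): (policy[a] == "ACCEPT" if a == b else (a, b) in fwd)
            for a in policy for b in policy}

def zones_reaching(text, dst):
    """Zones that can initiate into dst; for dst='wan' this must not list 'iot'."""
    return sorted(a for (a, b), ok in zone_matrix(text).items() if b == dst and a != b and ok)

def forward_holes(text):
    """ACCEPT rules with both src and dest: the 'holes poked' past zone forwarding."""
    return [(s.get("name"), s["src"], s["dest"]) for t, s in parse_uci(text)
            if t == "rule" and s.get("target") == "ACCEPT" and "src" in s and "dest" in s]
```

Run it against the real `/etc/config/firewall` after every change: Frigate pulls RTSP from the cameras, so the existing lan-to-iot forwarding is all it needs, and `forward_holes` shows any rule that lets traffic cross zones the other way.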
Before going further, I'd suggest you update your devices -- 24.10.4 is out now. Importantly, your AP is using an EOL version of OpenWrt and you should upgrade to make sure you're using a supported version. Both devices should be updated:
On the main router, move lan1 back into br-lan, like this:
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
Delete this:
Next, add bridge-VLANs -- I'm going to assume that lan1 should still be dedicated to the iot network and we'll make port lan5 the trunk that goes to the AP:
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan2:u*'
list ports 'lan3:u*'
list ports 'lan4:u*'
list ports 'lan5:u*'
config bridge-vlan
option device 'br-lan'
option vlan '2'
list ports 'lan1:u*'
list ports 'lan5:t'
config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'lan5:t'
Now, edit the interfaces to use br-lan.x where the x is the VLAN ID:
Add two new bridges -- this time it's not going to use bridge-VLANs, but rather direct dotted notation within the bridges:
config device
option name 'br-iot'
option type 'bridge'
list ports 'eth0.2'
config device
option name 'br-guest'
option type 'bridge'
list ports 'eth0.3'
And then create two new unmanaged network interfaces:
config interface 'iot'
option device 'br-iot'
option proto 'none'
config interface 'guest'
option device 'br-guest'
option proto 'none'
Finally, create the wifi SSIDs and tie them against the iot and guest networks.
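As an added example (not from the thread), the bridge-VLAN port flags proposed above expressed as data, with a helper that works out what each VLAN looks like at the far end of the lan5 trunk (the AP's eth0) and flags two common trunk mistakes. The vlan-id-to-network mapping (1=lan, 2=iot, 3=guest) is taken from the br-iot/br-guest port names above; everything else is assumed.

```python
# Added example: the 'list ports lanX:flag' entries of the proposed bridge-vlan
# sections, as vlan id -> {port: flag}. "u*" = untagged + PVID, "u" = untagged, "t" = tagged.
BRIDGE_VLANS = {
    1: {"lan2": "u*", "lan3": "u*", "lan4": "u*", "lan5": "u*"},
    2: {"lan1": "u*", "lan5": "t"},
    3: {"lan5": "t"},
}
NETWORKS = {1: "lan", 2: "iot", 3: "guest"}  # from br-iot=eth0.2, br-guest=eth0.3 above

def trunk_view(bridge_vlans, trunk, ap_iface="eth0"):
    """Return {network: device the AP must bridge} for every VLAN carried on `trunk`.
    Untagged (u/u*) frames arrive without a VLAN header, so the AP sees plain eth0;
    tagged (t) VLANs need the dotted sub-device eth0.<vlan id>."""
    view = {}
    for vid, ports in bridge_vlans.items():
        flag = ports.get(trunk)
        if flag is None:
            continue
        dev = ap_iface if flag.startswith("u") else f"{ap_iface}.{vid}"
        view[NETWORKS.get(vid, f"vlan{vid}")] = dev
    return view

def trunk_problems(bridge_vlans, trunk):
    """Common trunk mistakes: more than one untagged VLAN on a port (ambiguous
    egress), or untagged membership without a PVID '*' (untagged ingress dropped)."""
    untagged = [vid for vid, p in bridge_vlans.items() if p.get(trunk, "").startswith("u")]
    pvid = [vid for vid, p in bridge_vlans.items() if p.get(trunk) == "u*"]
    problems = []
    if len(untagged) > 1:
        problems.append(f"{trunk}: {len(untagged)} untagged VLANs {untagged}")
    if untagged and not pvid:
        problems.append(f"{trunk}: untagged VLAN without PVID (*), untagged ingress has no VLAN")
    return problems
```

So the lan network reaches the AP untagged on eth0 (which the AP's existing br-lan already bridges), while iot and guest arrive tagged and need eth0.2 and eth0.3.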
Thank you very much for your patience and help. Your reply is one of the reasons I keep coming back to Openwrt...the strong community. I think these config files may be easier to follow than Luci.
I will review these suggestions and update both my devices later today.
All, sorry for the delayed post. I applied the changes and I think the router is working correctly, but I realized that the AP doesn't have a vlan for the lan. So when I try to link a wireless interface, I must use eth0/lan1 which doesn't seem to work...that is to say that I can see a device trying to connect, but it never seems to get an IP address so it stops. Is the solution to just add the lan vlan?