Problems with multiple VLAN configuration on Flint 2

Hello everyone,

I'm trying to configure my network on Flint 2 with non-vendor vanilla OpenWrt 25.12.2 r32802-f505120278 installed.

I SSH into the router from a PC wired to the router's LAN1 port.

In principle, here is what I am trying to achieve (minus the Wi-Fi setup):

| VLAN ID | VLAN name | Subnet | VLANs it can talk to | Has internet access? |
|---|---|---|---|---|
| 10 | Management | 10.10.10.0/24 | All | Yes |
| 20 | Trusted | 10.10.20.0/24 | Media | Yes |
| 30 | Guest | 10.10.30.0/24 | None | Yes |
| 40 | Media | 10.10.40.0/24 | None | Yes |
| 50 | IoT | 10.10.50.0/24 | None | No |
| 60 | Surveillance | 10.10.60.0/24 | None | No |

The problem is that after running the commands (below), then disconnecting and reconnecting the PC to LAN1, my PC does not receive an IPv4 address (only IPv6) and can reach neither the internet nor the router itself. Connecting the PC to other ports of the router seems to work as intended.

What could be the problem? Also, do you have any tips or comments on how I could improve the setup script?

Here are the commands I run:

# Bridge configuration
# Turn on VLAN filtering on the existing LAN bridge.
# @device[0] addresses the section by position, so this assumes the first
# 'config device' section in /etc/config/network is br-lan (it is in the
# config posted further down this thread).
uci set network.@device[0].name='br-lan'
uci set network.@device[0].type='bridge'
# Once filtering is on, each port's VLAN membership comes from the bridge-vlan
# sections defined below.
uci set network.@device[0].vlan_filtering='1'

# VLAN setup
# One bridge-vlan section per VLAN ID on br-lan.
# Port syntax: 'u' = egress untagged, '*' = this VLAN is the port's PVID, so
# every port listed here is a plain access port for a single VLAN.
# NOTE(review): 'uci set' stores 'ports' as a single option string. With this
# form the poster's PC on LAN1 received no IPv4 lease; the fix reported later in
# this thread is to store each port as a list entry with 'uci add_list'.
uci set network.vlan10=bridge-vlan
uci set network.vlan10.device='br-lan'
uci set network.vlan10.vlan='10'
uci set network.vlan10.ports='lan1:u*'

uci set network.vlan20=bridge-vlan
uci set network.vlan20.device='br-lan'
uci set network.vlan20.vlan='20'
uci set network.vlan20.ports='lan2:u* lan3:u* lan4:u*'

# VLAN 30 (guest) has no wired ports; the post leaves the Wi-Fi setup out.
uci set network.vlan30=bridge-vlan
uci set network.vlan30.device='br-lan'
uci set network.vlan30.vlan='30'

uci set network.vlan40=bridge-vlan
uci set network.vlan40.device='br-lan'
uci set network.vlan40.vlan='40'
uci set network.vlan40.ports='lan5:u*'

# VLANs 50 (IoT) and 60 (surveillance) likewise have no wired ports yet.
uci set network.vlan50=bridge-vlan
uci set network.vlan50.device='br-lan'
uci set network.vlan50.vlan='50'

uci set network.vlan60=bridge-vlan
uci set network.vlan60.device='br-lan'
uci set network.vlan60.vlan='60'

# VLAN interfaces
# Each VLAN gets a layer-3 interface on br-lan.<vid> with the router at .1 of
# its /24.
# The existing 'lan' interface is moved onto VLAN 10 and becomes the management
# network. From the next network reload on, the router is reachable for
# administration only from a port that is a working member of VLAN 10 (lan1 in
# this script), so a mistake in the VLAN 10 port definition locks the admin out.
uci set network.lan.device='br-lan.10'
uci set network.lan.proto='static'
uci set network.lan.ipaddr='10.10.10.1'
uci set network.lan.netmask='255.255.255.0'

# The remaining interfaces are new sections, so each is created with
# '=interface' before its options are set.
uci set network.trusted=interface
uci set network.trusted.device='br-lan.20'
uci set network.trusted.proto='static'
uci set network.trusted.ipaddr='10.10.20.1'
uci set network.trusted.netmask='255.255.255.0'

uci set network.guest=interface
uci set network.guest.device='br-lan.30'
uci set network.guest.proto='static'
uci set network.guest.ipaddr='10.10.30.1'
uci set network.guest.netmask='255.255.255.0'

uci set network.media=interface
uci set network.media.device='br-lan.40'
uci set network.media.proto='static'
uci set network.media.ipaddr='10.10.40.1'
uci set network.media.netmask='255.255.255.0'

uci set network.iot=interface
uci set network.iot.device='br-lan.50'
uci set network.iot.proto='static'
uci set network.iot.ipaddr='10.10.50.1'
uci set network.iot.netmask='255.255.255.0'

uci set network.surveillance=interface
uci set network.surveillance.device='br-lan.60'
uci set network.surveillance.proto='static'
uci set network.surveillance.ipaddr='10.10.60.1'
uci set network.surveillance.netmask='255.255.255.0'

# DHCP
# One DHCP pool per interface. start=100 with limit=150 hands out host
# addresses .100 through .249 of each /24; leases last 12 hours.
# Only IPv4 pool options are set for the new networks; no dhcpv6/ra options are
# added for them here.
uci set dhcp.lan=dhcp
uci set dhcp.lan.interface='lan'
uci set dhcp.lan.start='100'
uci set dhcp.lan.limit='150'
uci set dhcp.lan.leasetime='12h'

uci set dhcp.trusted=dhcp
uci set dhcp.trusted.interface='trusted'
uci set dhcp.trusted.start='100'
uci set dhcp.trusted.limit='150'
uci set dhcp.trusted.leasetime='12h'

uci set dhcp.guest=dhcp
uci set dhcp.guest.interface='guest'
uci set dhcp.guest.start='100'
uci set dhcp.guest.limit='150'
uci set dhcp.guest.leasetime='12h'

uci set dhcp.media=dhcp
uci set dhcp.media.interface='media'
uci set dhcp.media.start='100'
uci set dhcp.media.limit='150'
uci set dhcp.media.leasetime='12h'

# IoT and surveillance clients still need leases from the router even though
# they get no internet access, so the firewall must let DHCP through for them.
uci set dhcp.iot=dhcp
uci set dhcp.iot.interface='iot'
uci set dhcp.iot.start='100'
uci set dhcp.iot.limit='150'
uci set dhcp.iot.leasetime='12h'

uci set dhcp.surveillance=dhcp
uci set dhcp.surveillance.interface='surveillance'
uci set dhcp.surveillance.start='100'
uci set dhcp.surveillance.limit='150'
uci set dhcp.surveillance.leasetime='12h'

# Firewall zones
# @zone[0] is addressed by position; this assumes the first zone in
# /etc/config/firewall is 'lan' (it is in the config posted further down).
# input=ACCEPT means every host in the management VLAN can reach every service
# on the router (SSH, web UI, DNS, DHCP), so keep VLAN 10 ports limited to
# trusted admin hosts.
uci set firewall.@zone[0].name='lan'
uci set firewall.@zone[0].input='ACCEPT'
uci set firewall.@zone[0].output='ACCEPT'
uci set firewall.@zone[0].forward='ACCEPT'

# Every block below relies on statement order: @zone[-1] / @forwarding[-1]
# refer to the section created by the 'uci add' immediately before them.
# input=REJECT: hosts in the zone cannot reach router services unless a rule
# further down allows it. forward=REJECT: no routing out of the zone unless a
# forwarding section allows it.
uci add firewall zone
uci set firewall.@zone[-1].name='trusted'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].network='trusted'

# The forwarding to 'wan' is what gives a zone internet access.
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='trusted'
uci set firewall.@forwarding[-1].dest='wan'

uci add firewall zone
uci set firewall.@zone[-1].name='guest'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].network='guest'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='guest'
uci set firewall.@forwarding[-1].dest='wan'

uci add firewall zone
uci set firewall.@zone[-1].name='media'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].network='media'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='media'
uci set firewall.@forwarding[-1].dest='wan'

# IoT and surveillance get no forwarding to 'wan'; that omission is what keeps
# them off the internet.
# NOTE(review): output='REJECT' governs traffic the router itself sends into the
# zone, not traffic from the devices. It may stop the router's own DHCP offers
# or pings to these devices - confirm clients still obtain a lease, and use
# output='ACCEPT' if they do not.
uci add firewall zone
uci set firewall.@zone[-1].name='iot'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='REJECT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].network='iot'

uci add firewall zone
uci set firewall.@zone[-1].name='surveillance'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='REJECT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].network='surveillance'

# Inter-VLAN communication
# A forwarding section is one-directional: it lets the 'src' zone open
# connections into the 'dest' zone. No forwarding is defined in the opposite
# direction, so guest, media, IoT and surveillance hosts cannot initiate
# connections into any other VLAN.
# Management ('lan') may reach every other VLAN.
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='trusted'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='guest'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='media'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='iot'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='surveillance'

# Trusted may additionally reach media, matching the table at the top of the
# post.
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='trusted'
uci set firewall.@forwarding[-1].dest='media'

# Firewall rules
# These rules have a 'src' zone and no 'dest', so they apply to traffic
# addressed to the router itself. They punch the DNS/DHCP/ping holes through
# the input=REJECT policy of each restricted zone.
# NOTE(review): proto 'tcp udp' combined with dest_port '53 67 68' accepts all
# six protocol/port pairs. DNS uses 53 over TCP and UDP; a DHCP server listens
# on UDP 67 only, and 68 is the client-side port. Splitting each rule into a
# DNS rule (tcp udp, 53) and a DHCP rule (udp, 67) would be the tighter form.
# NOTE(review): the ping rules set no icmp_type and no family, so they accept
# every ICMP type towards the router, not only echo requests. The stock
# 'Allow-Ping' rule in the posted firewall config shows the narrower form
# (icmp_type 'echo-request').
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DHCP-DNS-Trusted'
uci set firewall.@rule[-1].src='trusted'
uci set firewall.@rule[-1].proto='tcp udp'
uci set firewall.@rule[-1].dest_port='53 67 68'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-Ping-Trusted'
uci set firewall.@rule[-1].src='trusted'
uci set firewall.@rule[-1].proto='icmp'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DHCP-DNS-Guest'
uci set firewall.@rule[-1].src='guest'
uci set firewall.@rule[-1].proto='tcp udp'
uci set firewall.@rule[-1].dest_port='53 67 68'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-Ping-Guest'
uci set firewall.@rule[-1].src='guest'
uci set firewall.@rule[-1].proto='icmp'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DHCP-DNS-Media'
uci set firewall.@rule[-1].src='media'
uci set firewall.@rule[-1].proto='tcp udp'
uci set firewall.@rule[-1].dest_port='53 67 68'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-Ping-Media'
uci set firewall.@rule[-1].src='media'
uci set firewall.@rule[-1].proto='icmp'
uci set firewall.@rule[-1].target='ACCEPT'

# IoT and surveillance can resolve names through the router even though they
# have no route to the internet; drop port 53 from these two rules if those
# devices have no need for DNS.
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DHCP-DNS-IoT'
uci set firewall.@rule[-1].src='iot'
uci set firewall.@rule[-1].proto='tcp udp'
uci set firewall.@rule[-1].dest_port='53 67 68'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-Ping-IoT'
uci set firewall.@rule[-1].src='iot'
uci set firewall.@rule[-1].proto='icmp'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DHCP-DNS-Surveillance'
uci set firewall.@rule[-1].src='surveillance'
uci set firewall.@rule[-1].proto='tcp udp'
uci set firewall.@rule[-1].dest_port='53 67 68'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-Ping-Surveillance'
uci set firewall.@rule[-1].src='surveillance'
uci set firewall.@rule[-1].proto='icmp'
uci set firewall.@rule[-1].target='ACCEPT'

# Apply
# 'uci commit' with no argument writes the staged changes of every config
# (network, dhcp, firewall) to /etc/config; the reboot then brings them up
# together.
# NOTE(review): nothing here allows a rollback. Reviewing the staged changes
# with 'uci changes' and keeping a copy of /etc/config before committing makes
# recovery easier if the new VLAN layout cuts off management access.
uci commit
reboot

The fundamental issue is that you have not reassigned your lan interface to use br-lan.x, where x is the VLAN ID you want to use for your management or trusted network.

Could you post the entire config in the format as shown below:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Isn't the assignment of LAN done with this line?

uci set network.lan.device='br-lan.10'

These are the outputs after running everything but the very last line of my script (which reboots the system, after which I lose access to it).

Output of ubus call system board:

{
	"kernel": "6.12.74",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "25.12.2",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r32802-f505120278",
		"target": "mediatek/filogic",
		"description": "OpenWrt 25.12.2 r32802-f505120278",
		"builddate": "1774469393"
	}
}

Output of cat /etc/config/network:

# NOTE(review): lines starting with '#' in this listing are reviewer
# annotations, not part of the poster's file.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option dhcp_default_duid '000490fb8b60627441a08da38427edbd714e'
	option ula_prefix 'fd4f:ab3f:9300::/48'

# All five LAN ports are members of one bridge; with vlan_filtering '1' the
# bridge-vlan sections decide which VLAN each port belongs to.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	option vlan_filtering '1'

# The management interface now sits on VLAN 10. Of the LAN-side interfaces in
# this file, it is the only one with ip6assign set.
config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '10.10.10.1'
	option ip6assign '60'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

# NOTE(review): reviewer annotation. 'ports' is stored here as a single
# 'option' string, the result of 'uci set ...ports=...'. The fix reported later
# in this thread is one 'list ports' entry per port.
config bridge-vlan 'vlan10'
	option device 'br-lan'
	option vlan '10'
	option ports 'lan1:u*'

config bridge-vlan 'vlan20'
	option device 'br-lan'
	option vlan '20'
	option ports 'lan2:u* lan3:u* lan4:u*'

# VLANs 30, 50 and 60 are defined without any member port.
config bridge-vlan 'vlan30'
	option device 'br-lan'
	option vlan '30'

config bridge-vlan 'vlan40'
	option device 'br-lan'
	option vlan '40'
	option ports 'lan5:u*'

config bridge-vlan 'vlan50'
	option device 'br-lan'
	option vlan '50'

config bridge-vlan 'vlan60'
	option device 'br-lan'
	option vlan '60'

# Reviewer annotation: one static IPv4 interface per VLAN, each with the router
# at .1 of its /24. None of these sections sets ip6assign.
config interface 'trusted'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '10.10.20.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option device 'br-lan.30'
	option proto 'static'
	option ipaddr '10.10.30.1'
	option netmask '255.255.255.0'

config interface 'media'
	option device 'br-lan.40'
	option proto 'static'
	option ipaddr '10.10.40.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option device 'br-lan.50'
	option proto 'static'
	option ipaddr '10.10.50.1'
	option netmask '255.255.255.0'

config interface 'surveillance'
	option device 'br-lan.60'
	option proto 'static'
	option ipaddr '10.10.60.1'
	option netmask '255.255.255.0'

Output of cat /etc/config/wireless:

# NOTE(review): reviewer annotation. Both access points are disabled
# (disabled '1'). They are also configured with encryption 'none' and attached
# to network 'lan', which in this setup is the management VLAN. Enabling either
# one as-is would put an open SSID on the management network; set encryption
# and the intended network before removing 'disabled'.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option channel '1'
	option htmode 'HE20'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option channel '36'
	option htmode 'HE80'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option disabled '1'

Output of cat /etc/config/dhcp:

# Reviewer annotation: global dnsmasq settings. DNS rebind protection is
# enabled (rebind_protection '1').
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

# The 'lan' pool is the only one in this file that carries the dhcpv4, dhcpv6
# and ra options.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/odhcpd.leases'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piodir '/tmp/odhcpd-piodir'
	option hostsdir '/tmp/hosts'

# Reviewer annotation: pools added by the script. Each hands out .100-.249 of
# its /24 (start 100, limit 150) with 12-hour leases and sets no dhcpv6/ra
# options.
config dhcp 'trusted'
	option interface 'trusted'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'media'
	option interface 'media'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'surveillance'
	option interface 'surveillance'
	option start '100'
	option limit '150'
	option leasetime '12h'

Output of cat /etc/config/firewall:

# Reviewer annotation: global policy. Anything not matched by a zone or rule is
# rejected on input and forward.
config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# 'lan' is the management zone in this setup: hosts on VLAN 10 can reach every
# service on the router (input 'ACCEPT').
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# Reviewer annotation: the rules in this block are not created by the script
# above; they were already present in the firewall config. All of them match
# traffic arriving from 'wan'.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# dest '*' forwards the listed ICMPv6 types from wan into every zone.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# NOTE(review): the two IPsec rules forward ESP and IKE (UDP 500) from wan into
# zone 'lan', which here is the management VLAN. If no IPsec endpoint lives on
# that network, disabling or removing them narrows what wan can reach.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# NOTE(review): reviewer annotation. 'add_list' is a uci command-line verb, not
# a keyword normally seen inside a config file; 'uci add_list' usually writes
# the entry as "list network '<name>'" (compare the 'lan' and 'wan' zones in
# this same file). If the file really contains 'add_list' lines, the zones may
# have no network attached and the per-zone policies would not apply to the
# VLAN interfaces - confirm with 'uci show firewall'.
config zone
	option name 'trusted'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	add_list network 'trusted'

config forwarding
	option src 'trusted'
	option dest 'wan'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	add_list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config zone
	option name 'media'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	add_list network 'media'

config forwarding
	option src 'media'
	option dest 'wan'

# No forwarding to 'wan' exists for 'iot' or 'surveillance'; that is what keeps
# them offline. output 'REJECT' applies to traffic the router sends into the
# zone and may interfere with the router's own DHCP replies - verify leases.
config zone
	option name 'iot'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	add_list network 'iot'

config zone
	option name 'surveillance'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	add_list network 'surveillance'

# Reviewer annotation: inter-VLAN forwardings. Each is one-directional
# (src may open connections into dest). Management ('lan') reaches every VLAN;
# 'trusted' additionally reaches 'media'. No other zone may initiate traffic
# into another VLAN.
config forwarding
	option src 'lan'
	option dest 'trusted'

config forwarding
	option src 'lan'
	option dest 'guest'

config forwarding
	option src 'lan'
	option dest 'media'

config forwarding
	option src 'lan'
	option dest 'iot'

config forwarding
	option src 'lan'
	option dest 'surveillance'

config forwarding
	option src 'trusted'
	option dest 'media'

# NOTE(review): reviewer annotation. These rules have 'src' but no 'dest', so
# they cover traffic addressed to the router itself. Each DHCP/DNS rule accepts
# TCP and UDP on all of 53, 67 and 68; DNS needs 53 (tcp udp) and a DHCP server
# needs UDP 67 only. The ping rules set no icmp_type or family, so they accept
# every ICMP type rather than just echo requests.
config rule
	option name 'Allow-DHCP-DNS-Trusted'
	option src 'trusted'
	option proto 'tcp udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'Allow-Ping-Trusted'
	option src 'trusted'
	option proto 'icmp'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-DNS-Guest'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'Allow-Ping-Guest'
	option src 'guest'
	option proto 'icmp'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-DNS-Media'
	option src 'media'
	option proto 'tcp udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'Allow-Ping-Media'
	option src 'media'
	option proto 'icmp'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-DNS-IoT'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'Allow-Ping-IoT'
	option src 'iot'
	option proto 'icmp'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-DNS-Surveillance'
	option src 'surveillance'
	option proto 'tcp udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'Allow-Ping-Surveillance'
	option src 'surveillance'
	option proto 'icmp'
	option target 'ACCEPT'

Try defining the ports as list entries (list ports 'lan2:u*' and so on) instead of a single option ports line. Make the same change in every bridge-vlan section (option ports becomes list ports, one port per entry).

Your suggestion seems to have fixed the problem. Thank you very much!

Here is the updated excerpt from my original script:

# VLAN setup
# Corrected form: each member port is stored as its own list entry
# ('uci add_list'), which the poster reports fixed DHCP on LAN1.
# Port syntax: 'u' = egress untagged, '*' = PVID, i.e. a plain access port.
# NOTE(review): add_list appends to whatever is already stored. When re-running
# the script on a router that already has these sections, clearing the old
# value first (e.g. 'uci -q delete network.vlan10.ports') keeps stale or
# repeated port entries out of the config.
uci set network.vlan10=bridge-vlan
uci set network.vlan10.device='br-lan'
uci set network.vlan10.vlan='10'
uci add_list network.vlan10.ports='lan1:u*'

uci set network.vlan20=bridge-vlan
uci set network.vlan20.device='br-lan'
uci set network.vlan20.vlan='20'
uci add_list network.vlan20.ports='lan2:u*'
uci add_list network.vlan20.ports='lan3:u*'
uci add_list network.vlan20.ports='lan4:u*'

# VLAN 30 (guest) has no wired ports; the post leaves the Wi-Fi setup out.
uci set network.vlan30=bridge-vlan
uci set network.vlan30.device='br-lan'
uci set network.vlan30.vlan='30'

uci set network.vlan40=bridge-vlan
uci set network.vlan40.device='br-lan'
uci set network.vlan40.vlan='40'
uci add_list network.vlan40.ports='lan5:u*'

# VLANs 50 (IoT) and 60 (surveillance) likewise have no wired ports yet.
uci set network.vlan50=bridge-vlan
uci set network.vlan50.device='br-lan'
uci set network.vlan50.vlan='50'

uci set network.vlan60=bridge-vlan
uci set network.vlan60.device='br-lan'
uci set network.vlan60.vlan='60'

Great!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile: