Set up bridged lan2 device

Hello dear all,

I'm trying to set up a second wifi for the Windows machine. And I followed this howto: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface?s[]=wireless

But this wasn't working. So I copied the settings from default br-lan to br-lan2, and from wifi to wifi2 and lan to lan2. I used a DHCP server on lan2. Also I copied the firewall rule and added:

config forwarding
        option src 'lan2'
        option dest 'wan'

config rule
        option src 'lan2'
        option dest 'wan'
        option name 'Allow-DNS-lan2'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option src 'lan2'
        option dest 'wan'
        option name 'Allow-DHCP-lan2'
        option dest_port '67'
        option target 'ACCEPT'
        list proto 'udp'

I'm not able to connect with my phone or laptop.

/ # nft list chain inet fw4 forward_lan2
table inet fw4 {
        chain forward_lan2 {
                tcp dport 53 counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: Allow-DNS-lan2"
                udp dport 53 counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: Allow-DNS-lan2"
                udp dport 67 counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: Allow-DHCP-lan2"
                jump accept_to_wan comment "!fw4: Accept lan2 to wan forwarding"
                jump drop_to_lan2
        }
}

Maybe this guest network thing is just the wrong approach, because basically I need the 5GHz wifi for connecting my Windows machine. The goal is to give straight firewall rules to Windows, which should only be allowed to make connections that are ok.

If this lan2 (wifi2) thing is working on the 5GHz wifi (the second "wifi-port" of the flint2 router), I just want to connect the Windows PC with no wifi card to a third router that is only the repeater of wifi2 from the OpenWrt flint2. Is that clear? Hope this makes sense.

The lan2 has the static IP setting:
192.168.224.1
Gateway is wan.

and the wifi2:
192.168.225.1
Gateway is lan2.

I tried to put them on the same subnet, but it's not working. Clearly I'm missing something again, and I don't know where to begin the troubleshooting.

br-lan2 looks fine
lan2 looks fine
wifi2 looks fine
(to me)
Not sure about the fw4 settings for DNS and DHCP.

Any help would be highly appreciated!

To add more info:

[May 2, 2026, 22:08:10 GMT+2] daemon.notice: netifd: wan6 (2846): Server returned IA_PD status 'Not On Link (This address is not on link)'

[May 2, 2026, 22:16:21 GMT+2] daemon.warn: dnsmasq-dhcp[1]: no address range available for DHCP request via br-lan2

Is the intent that this network will be different than your main lan?

What connections are "ok"? In other words, can you be more specific about your goals with respect to what should be allowed? Internet? access to the other network? access from the other network? etc.?

Maybe you can draw a diagram that shows what you want. A second SSID is fine. I don't understand the "third" router here -- is there a "second" router as well?

Is this ethernet-only PC connected to the flint2 via ethernet? Or is that the purpose of some other router that is using the wifi from the flint2 and providing ethernet to the PC?

Do you want this second network to be present on wifi only or wifi + ethernet?

Let's take a look at your complete config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I don't know. Yes, I guess. I have the idea from the wiki for setting up a guest wifi.

No access to the network needed. The machine should be blind, except for the ports that Steam games use and maybe some IPs for launchers (i.e. Bohemia Interactive, and Co). No other connections to Microsoft or third parties.

Exactly! ISP and OpenWrt router are located in one corner of the room. The win-machine is located at the diametrically opposite corner. Instead of pulling a cat6 to that place, I just connect it with the repeater of wifi2. :slight_smile:

Wifi only. It's exactly the only reason to do it this way.

Sure:

/ # ubus call system board
{
        "kernel": "6.12.74",
        "hostname": "XXX",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "25.12.2",
                "firmware_url": "https://downloads.openwrt.org/",
                "revision": "r32802-f505120278",
                "target": "mediatek/filogic",
                "description": "OpenWrt 25.12.2 r32802-f505120278",
                "builddate": "1774469393"
        }
}
/ # cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        list ipaddr '127.0.0.1/8'

config globals 'globals'
        option dhcp_default_duid '000405a025a0d8cc49b1ba509b4d81c524c0'
        option ula_prefix 'fdff:1e9:7b12::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '192.168.100.1/24'
        option multipath 'off'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option peerdns '0'
        list dns '149.112.112.112'
        list dns '9.9.9.9'
        option multipath 'off'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'
        option peerdns '0'
        list dns '2620:fe::fe'
        list dns '2620:fe::9'
        option multipath 'off'

config interface 'wifi'
        option proto 'static'
        option ipaddr '192.168.200.1'
        option multipath 'off'
        option gateway '192.168.100.1'

config device
        option type 'bridge'
        option name 'br-lan2'
        option bridge_empty '1'

config interface 'lan2'
        option proto 'static'
        option multipath 'off'
        option device 'br-lan2'
        list ipaddr '192.168.224.1/32'
        option broadcast '192.168.224.255'

config interface 'wifi2'
        option proto 'static'
        option device 'phy1-ap0'
        option multipath 'off'
        list ipaddr '192.168.225.1'
        option broadcast '192.168.225.255'
        option gateway '192.168.124.1'

149.112.112.112 and 9.9.9.9 are Quad9 DNS.

/ # cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel '1'
        option htmode 'HE40'
        option txpower '10'
        option country 'DE'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan wifi'
        option mode 'ap'
        option ssid 'XYZ'
        option encryption 'psk2'
        option key 'yKKKKKZZZTTTZZZ'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel '136'
        option htmode 'HE40'
        option txpower '3'
        option country 'DE'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'SSIDxy'
        option encryption 'psk2'
        option key 'KEY'
        option network 'wifi2 lan2'
/ # cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra_preference 'medium'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/odhcpd.leases'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piodir '/tmp/odhcpd-piodir'
        option hostsdir '/tmp/hosts'

config dhcp 'lan2'
        option interface 'lan2'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
/ # cat /etc/config/firewall

config defaults
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option synflood_protect '1'
        option drop_invalid '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wifi'

config zone
        option name 'lan2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'DROP'
        list network 'lan2'
        list network 'wifi2'

config zone
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option dest '*'
        option src 'wan'

config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option dest 'wan'
        option src '*'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option src 'lan'
        option name 'Facebook-BlockIPv4Set'
        option family 'ipv4'
        option ipset 'Facebook-IPv4Set'
        option target 'REJECT'
        option dest 'wan'
        list proto 'all'

config rule
        option src 'lan'
        option name 'Facebook-BlockIPv6Set'
        option family 'ipv6'
        option ipset 'Facebook-IPv6Set'
        option target 'REJECT'
        option dest 'wan'
        list proto 'all'

config rule
        option src 'lan'
        option name 'Google-BlockIPv4Set'
        option family 'ipv4'
        option ipset 'Google-IPv4Set'
        option target 'REJECT'
        option dest 'wan'
        list proto 'all'

config rule
        option src 'lan'
        option name 'Github-BlockIPv4Set'
        option family 'ipv4'
        option ipset 'Github-IPv4Set'
        option target 'REJECT'
        option dest 'wan'
        list proto 'all'
        option enabled '0'

config rule
        option dest 'wan'
        option name 'DebugIPSets'
        option family 'ipv4'
        option ipset 'Debug'
        option target 'REJECT'
        option src 'lan'
        option enabled '0'

config rule
        option src 'lan'
        option dest 'wan'
        option name 'http'
        list proto 'tcp'
        option dest_port '80'
        option target 'ACCEPT'

config rule
        option src 'lan'
        option dest 'wan'
        option name 'https'
        list proto 'tcp'
        option dest_port '443'
        option target 'ACCEPT'

config rule
        option src 'lan'
        option dest 'wan'
        option name 'sftp (VSC)'
        list proto 'tcp'
        option dest_port '115'
        option target 'ACCEPT'

config rule
        option src 'lan'
        option dest 'wan'
        option name 'smtps, imap'
        list proto 'tcp'
        option dest_port '25 465 993 4190'
        option target 'ACCEPT'

config rule
        option src 'lan'
        option dest 'lan'
        option name 'allow-IPP-cups'
        option dest_port '631'
        option target 'ACCEPT'
        option src_port '631'
        option helper 'sane'
        list proto 'tcp'

config rule
        option src 'lan'
        option dest 'wan'
        option name 'ssh'
        list proto 'tcp'
        option dest_port '22 7777'
        option target 'ACCEPT'

config rule
        option src 'lan'
        option dest 'wan'
        option name 'ntp'
        option dest_port '123'
        option target 'ACCEPT'
        list proto 'udp'

config rule
        option src 'lan'
        option dest 'wan'
        option name 'xmpp'
        list proto 'tcp'
        option dest_port '5222'
        option target 'ACCEPT'

config rule
        option src 'lan'
        option dest 'wan'
        option name 'openVPN'
        option dest_port '1194'
        option target 'ACCEPT'
        list proto 'udp'
        option enabled '0'

config rule
        option src 'lan'
        option dest 'wan'
        option name 'wireguard'
        option dest_port '51820'
        option target 'ACCEPT'
        list proto 'udp'
        option enabled '0'

config rule
        option src 'lan'
        option dest 'wan'
        option name 'openPGP Schlüsselserver'
        list proto 'tcp'
        option dest_port '11371'
        option target 'ACCEPT'

config rule
        option src 'lan'
        option dest 'wan'
        option name 'Blocke alles'
        option target 'DROP'
        list proto 'all'

config ipset
        option name 'Facebook-IPv4Set'
        option comment 'Derivate from ASN April 2026'
        option family 'ipv4'
        option loadfile '/etc/luci-uploads/fbipv4.txt'
        option counters '1'
        list match 'dest_net'

config ipset
        option name 'Google-IPv4Set'
        option comment 'Derivate from ASN April 2026'
        option family 'ipv4'
        option loadfile '/etc/luci-uploads/googleipv4-kuk.txt'
        option counters '1'
        list match 'dest_net'

config ipset
        option name 'Github-IPv4Set'
        option comment 'Derivate from ASN April 2026'
        option family 'ipv4'
        option loadfile '/etc/luci-uploads/githubipv4.txt'
        option counters '1'
        list match 'dest_net'

config ipset
        option name 'Facebook-IPv6Set'
        option comment 'Derivate from ASN in April 2026'
        option family 'ipv6'
        option loadfile '/etc/luci-uploads/fbipv6.txt'
        option counters '1'
        list match 'dest_net'

config ipset
        option name 'Debug'
        option comment 'Zum testen'
        option family 'ipv4'
        option loadfile '/etc/luci-uploads/test.txt'
        option timeout '0'
        list match 'dest_ip'

config forwarding
        option src 'lan2'
        option dest 'wan'

config rule
        option src 'lan2'
        option dest 'wan'
        option name 'Allow-DNS-lan2'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option src 'lan2'
        option dest 'wan'
        option name 'Allow-DHCP-lan2'
        option dest_port '67'
        option target 'ACCEPT'
        list proto 'udp'

It's not clear if you want all 4 of your networks (lan, wifi, lan2 and wifi2). But you need to fix the following (or delete a section if you don't want/need it):

The wifi network needs a subnet size specified. I'd recommend using /24, which means changing the ipaddr value to 192.168.200.1/24. You can delete the gateway line (unnecessary to specify, but also the value is incorrect; just delete):

The lan2 network needs the subnet corrected --- currently that subnet allows only for a single address (the router itself) and is thus not going to work. Change it to 192.168.224.1/24. Also delete the broadcast line here, too.

This one also has issues:

  • remove the device line
  • remove the broadcast line
  • remove the gateway line
  • edit the IP address line to 192.168.225.1/24

Each SSID should only be associated with a single network. Delete one (lan or wifi):

Same here... delete either wifi2 or lan2:

You only have DHCP servers for lan and lan2. If you're keeping wifi and wifi2, you probably want DHCP servers for those. Add if relevant:

config dhcp 'wifi'
        option interface 'wifi'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'wifi2'
        option interface 'wifi2'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

You've got a lot of firewall rules -- I haven't reviewed them. The above fixes will at least get the networks working in general, but the allowances/restrictions may or may not work as desired (again, not reviewed). I think there are rules that probably don't belong.
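The checks in the reply above (missing prefix length, a /32 on lan2, a gateway or wireless device set directly on a static interface, an SSID bound to two networks, networks without a DHCP section) as a small offline lint over an exported UCI config. This is an added example, not code from the thread or from OpenWrt; it assumes the single-quoted `option`/`list` export format shown in the posts, and the sample input is a constructed subset of the poster's config.

```python
import re

# Constructed sample: only the sections from the thread that the reply flags.
SAMPLE_UCI = """config interface 'wifi'
        option proto 'static'
        option ipaddr '192.168.200.1'
        option gateway '192.168.100.1'

config interface 'lan2'
        option proto 'static'
        option device 'br-lan2'
        list ipaddr '192.168.224.1/32'

config interface 'wifi2'
        option proto 'static'
        option device 'phy1-ap0'
        list ipaddr '192.168.225.1'

config wifi-iface 'default_radio0'
        option network 'lan wifi'

config wifi-iface 'default_radio1'
        option network 'wifi2 lan2'

config dhcp 'lan2'
        option interface 'lan2'
"""

LINE = re.compile(r"^(config|option|list)\s+([\w-]+)(?:\s+'([^']*)')?$")

def parse_uci(text):
    """Parse single-quoted UCI text into (type, name, {key: [values]}) triples."""
    sections = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and anything unrecognised
        kind, key, value = m.groups()
        if kind == 'config':
            sections.append((key, value, {}))
        else:  # 'option' and 'list' both collect into a list of values
            sections[-1][2].setdefault(key, []).append(value)
    return sections

def check_config(text):
    """Return human-readable findings for the misconfigurations discussed above."""
    findings, static_ifaces, dhcp_served = [], [], set()
    for kind, name, opts in parse_uci(text):
        if kind == 'interface' and opts.get('proto') == ['static']:
            static_ifaces.append(name)
            for addr in opts.get('ipaddr', []):
                if '/' not in addr:
                    findings.append(f"{name}: ipaddr {addr} has no prefix length (e.g. {addr}/24)")
                elif addr.endswith('/32'):
                    findings.append(f"{name}: ipaddr {addr} is a single host, leaves no room for clients")
            if 'gateway' in opts:
                findings.append(f"{name}: gateway on a LAN-side static interface is unnecessary, remove it")
            if opts.get('device', [''])[0].startswith('phy'):
                findings.append(f"{name}: device is a wireless netdev; let the wifi-iface attach it instead")
        elif kind == 'wifi-iface':
            nets = opts.get('network', [''])[0].split()
            if len(nets) > 1:
                findings.append(f"{name}: SSID bound to {len(nets)} networks {nets}; keep exactly one")
        elif kind == 'dhcp':
            dhcp_served.update(opts.get('interface', []))
    for name in static_ifaces:
        if name not in dhcp_served:
            findings.append(f"{name}: no dhcp section, clients will not receive addresses")
    return findings
```

Run `check_config(SAMPLE_UCI)` to get the nine findings for the sample; feed it the concatenated output of `cat /etc/config/network /etc/config/wireless /etc/config/dhcp` from your own router to lint a real config.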

Hey PSherman,
you're right, I don't need the bridge and the lan2, because I don't bridge any physical ports to software devices. I see that I don't deeply understand the concept of devices and networks with OpenWrt.

Wifi2 is now a single network and it works now (no fw settings changed)! Wifi1 is still linked to lan, because fw4 is setting lan -> wan rules. And I fear changing that, since it's running. So in this setup now I can access the lan through the physical ports, which are in the same network as the wifi.

Each SSID should only be associated with a single network. Delete one (lan or wifi):
Why is that?

Thanks for your help!

Is there a reason you have created a second network for wifi1? Yes, they are in the same firewall zone and have the same general policies, but is there a specific reason for running Ethernet on a different subnet than wifi?

Please describe your specific test (source and destination addresses as well as the test method).

If you have more than one network associated with a single SSID, it would create ambiguity as to which subnet that SSID serves. It should be unambiguous by using just a single network.

No specific reason. I just wanted to have maximum control I guess. I'm still learning this s..tuff. :slight_smile: I was going from the default settings, so I built upon that and started learning there.

Here is my zones setup. I think I didn't want to put another zone wifi(1) > wan. I don't know. :slight_smile:

So you mean I could also delete wifi1, right? I don't have any reason to use it anyway at the moment. Maybe later, when I'm fit with OpenWrt and all the router stuff, I'll just use the router for my work as a sound engineer to connect Dante devices. Maybe then it makes sense. :slight_smile:

E.g. having Dante remotes on the wifi interface and the console with stagebox at the ethernet ports to share audio streams. I could spare switches.

Yes, as long as your wifi SSID is configured with the lan network. This is usually preferred such that the wifi and wired networks are on the same subnet (and this is the behavior of the default configuration).

re: Dante and other audio engineering related uses, the key thing for most of that work is latency -- it should be minimized but also made as consistent as possible. Some systems specifically require that they exist on the same subnet, but even for those that don't, keeping everything on the same L2 network means that it doesn't need to rely on the router to actually route the traffic which greatly reduces the latency. Using ethernet wherever possible will ensure that the latency is relatively consistent (and if you need very precise timing, you need to invest in switch gear that is designed with A/V in mind).