I have 3 different groups of devices. Cabling runs through a separate dumb switch for each group. Each dumb switch will be connected to the router in a specific port. I'd like each port to be a separate VLAN that provides a unique DHCP scope to prevent the groups from seeing each other. The cabling is already installed, so I'm committed to finding a solution that essentially works with this hardware configuration. I'm using a GL-iNet MT-6000, which seems to have good OpenWRT support. I've spent a few days working through it (RTFM), but haven't figured it out yet. Any help would be greatly appreciated.
Do these 3 different networks also need wifi served by the MT-6000? If so, you will want to use bridge-vlan/DSA syntax. If not, you can simply remove each of the ports from br-lan and use the port directly as the device in the network stanza.
That said, we can guide you through the process and/or review your configs...
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
```
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
```
I won't be using wifi. I ran firstboot yesterday, so my settings are stock.
Here's the output you requested.
```
root@OpenWrt:~# ubus call system board
{
    "kernel": "6.6.93",
    "hostname": "OpenWrt",
    "system": "ARMv8 Processor rev 4",
    "model": "GL.iNet GL-MT6000",
    "board_name": "glinet,gl-mt6000",
    "rootfs_type": "squashfs",
    "release": {
        "distribution": "OpenWrt",
        "version": "24.10.2",
        "revision": "r28739-d9340319c6",
        "target": "mediatek/filogic",
        "description": "OpenWrt 24.10.2 r28739-d9340319c6",
        "builddate": "1750711236"
    }
}
```
cat /etc/config/network
```
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd3c:413b:3153::/48'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'
    list ports 'lan5'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'wan'
    option device 'eth1'
    option proto 'dhcp'

config interface 'wan6'
    option device 'eth1'
    option proto 'dhcpv6'
```
cat /etc/config/wireless
```
config wifi-device 'radio0'
    option type 'mac80211'
    option path 'platform/soc/18000000.wifi'
    option band '2g'
    option channel '1'
    option htmode 'HE20'
    option disabled '1'

config wifi-iface 'default_radio0'
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid 'OpenWrt'
    option encryption 'none'

config wifi-device 'radio1'
    option type 'mac80211'
    option path 'platform/soc/18000000.wifi+1'
    option band '5g'
    option channel '36'
    option htmode 'HE80'
    option disabled '1'

config wifi-iface 'default_radio1'
    option device 'radio1'
    option network 'lan'
    option mode 'ap'
    option ssid 'OpenWrt'
    option encryption 'none'
```
cat /etc/config/dhcp
```
config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option cachesize '1000'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
    option nonwildcard '1'
    option localservice '1'
    option ednspacket_max '1232'
    option filter_aaaa '0'
    option filter_a '0'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'
    option dhcpv6 'server'
    option ra 'server'
    option ra_slaac '1'
    list ra_flags 'managed-config'
    list ra_flags 'other-config'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'
```
cat /etc/config/firewall
```
config defaults
    option syn_flood 1
    option input REJECT
    option output ACCEPT
    option forward REJECT
# Uncomment this line to disable ipv6 rules
#   option disable_ipv6 1

config zone
    option name lan
    list network 'lan'
    option input ACCEPT
    option output ACCEPT
    option forward ACCEPT

config zone
    option name wan
    list network 'wan'
    list network 'wan6'
    option input REJECT
    option output ACCEPT
    option forward REJECT
    option masq 1
    option mtu_fix 1

config forwarding
    option src lan
    option dest wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
    option name Allow-DHCP-Renew
    option src wan
    option proto udp
    option dest_port 68
    option target ACCEPT
    option family ipv4

# Allow IPv4 ping
config rule
    option name Allow-Ping
    option src wan
    option proto icmp
    option icmp_type echo-request
    option family ipv4
    option target ACCEPT

config rule
    option name Allow-IGMP
    option src wan
    option proto igmp
    option family ipv4
    option target ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
    option name Allow-DHCPv6
    option src wan
    option proto udp
    option dest_port 546
    option family ipv6
    option target ACCEPT

config rule
    option name Allow-MLD
    option src wan
    option proto icmp
    option src_ip fe80::/10
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family ipv6
    option target ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
    option name Allow-ICMPv6-Input
    option src wan
    option proto icmp
    list icmp_type echo-request
    list icmp_type echo-reply
    list icmp_type destination-unreachable
    list icmp_type packet-too-big
    list icmp_type time-exceeded
    list icmp_type bad-header
    list icmp_type unknown-header-type
    list icmp_type router-solicitation
    list icmp_type neighbour-solicitation
    list icmp_type router-advertisement
    list icmp_type neighbour-advertisement
    option limit 1000/sec
    option family ipv6
    option target ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
    option name Allow-ICMPv6-Forward
    option src wan
    option dest *
    option proto icmp
    list icmp_type echo-request
    list icmp_type echo-reply
    list icmp_type destination-unreachable
    list icmp_type packet-too-big
    list icmp_type time-exceeded
    list icmp_type bad-header
    list icmp_type unknown-header-type
    option limit 1000/sec
    option family ipv6
    option target ACCEPT

config rule
    option name Allow-IPSec-ESP
    option src wan
    option dest lan
    option proto esp
    option target ACCEPT

config rule
    option name Allow-ISAKMP
    option src wan
    option dest lan
    option dest_port 500
    option proto udp
    option target ACCEPT

### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#   option src lan
#   option src_ip 192.168.45.2
#   option dest wan
#   option proto tcp
#   option target REJECT

# block a specific mac on wan
#config rule
#   option dest wan
#   option src_mac xx:xx:xx:xx:xx:xx
#   option target REJECT

# block incoming ICMP traffic on a zone
#config rule
#   option src lan
#   option proto ICMP
#   option target DROP

# port redirect port coming in on wan to lan
#config redirect
#   option src wan
#   option src_dport 80
#   option dest lan
#   option dest_ip 192.168.16.235
#   option dest_port 80
#   option proto tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#   option src wan
#   option src_dport 22001
#   option dest lan
#   option dest_port 22
#   option proto tcp

### FULL CONFIG SECTIONS
#config rule
#   option src lan
#   option src_ip 192.168.45.2
#   option src_mac xx:xx:xx:xx:xx:xx
#   option src_port 80
#   option dest wan
#   option dest_ip 194.25.2.129
#   option dest_port 120
#   option proto tcp
#   option target REJECT

#config redirect
#   option src lan
#   option src_ip 192.168.45.2
#   option src_mac xx:xx:xx:xx:xx:xx
#   option src_port 1024
#   option src_dport 80
#   option dest_ip 194.25.2.129
#   option dest_port 120
#   option proto tcp
```
Ok... the process is pretty simple:
Since you're aiming for 3 networks -- one on each port -- and you have a 5 port device, let's leave ports lan1-lan3 alone and we'll split out the other two.
We'll start in /etc/config/network:
Remove ports lan4 and lan5 from br-lan... it will look like this:
```
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
```
Now we'll create 2 new networks with ports lan4 and lan5:
```
config interface 'lan4'
    option device 'lan4'
    option proto 'static'
    option ipaddr '192.168.4.1'
    option netmask '255.255.255.0'

config interface 'lan5'
    option device 'lan5'
    option proto 'static'
    option ipaddr '192.168.5.1'
    option netmask '255.255.255.0'
```
Next, we'll move to /etc/config/dhcp and add DHCP servers for each new network:
```
config dhcp 'lan4'
    option interface 'lan4'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'

config dhcp 'lan5'
    option interface 'lan5'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'
```
And finally, we'll go to /etc/config/firewall and create new firewall zones. You didn't specify your goals with each with respect to inter-vlan routing and internet access, so we'll just start with a config that puts each in its own zone for flexibility. In this initial config, these networks will be able to reach the router and the internet, but not each other.
```
config zone
    option name 'lan4'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan4'

config zone
    option name 'lan5'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan5'

config forwarding
    option src 'lan4'
    option dest 'wan'

config forwarding
    option src 'lan5'
    option dest 'wan'
```
Reboot, and now test each port. Ports lan1-lan3 will operate on the 192.168.1.0/24 network, port lan4 will be on 192.168.4.0/24 and lan5 will be 192.168.5.0/24 -- each with an active DHCP server and access to the router itself and to the internet, but not between each other (this can all be adjusted).
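As an added example (not from the thread or from OpenWrt itself), here is a small off-box Python check that parses copies of `/etc/config/network` and `/etc/config/firewall` in UCI syntax and reports anything that would defeat the "groups cannot see each other" goal from the steps above: overlapping subnets, a LAN interface that is in no zone, or a forwarding between two LAN zones. It assumes zones name their members with `list network` (as every config in this thread does) and uses a constructed sample with one deliberate fault.

```python
import ipaddress
import shlex

def parse_uci(text):
    """Parse UCI text into [(type, name, options)]; 'list' entries become Python lists."""
    sections = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue                                   # blank or commented-out line
        words = shlex.split(line)
        if words[0] == "config":
            sections.append((words[1], words[2] if len(words) > 2 else None, {}))
        elif words[0] == "option":
            sections[-1][2][words[1]] = words[2]
        elif words[0] == "list":
            sections[-1][2].setdefault(words[1], []).append(words[2])
    return sections

def isolation_report(network_cfg, firewall_cfg, wan_zone="wan"):
    """Return findings that break 'groups cannot see each other'; [] means the plan holds."""
    findings = []
    lans = {n: ipaddress.ip_network(f"{o['ipaddr']}/{o['netmask']}", strict=False)
            for t, n, o in parse_uci(network_cfg)
            if t == "interface" and o.get("proto") == "static" and n != "loopback"}
    names = sorted(lans)
    for i, a in enumerate(names):                      # 1. static subnets must not overlap
        for b in names[i + 1:]:
            if lans[a].overlaps(lans[b]):
                findings.append(f"{a} {lans[a]} overlaps {b} {lans[b]}")
    fw = parse_uci(firewall_cfg)                       # 2. every LAN interface needs a zone
    zone_of = {n: o["name"] for t, _, o in fw if t == "zone" for n in o.get("network", [])}
    findings += [f"{n} is in no zone (default policy applies)" for n in names if n not in zone_of]
    lan_zones = {zone_of[n] for n in names if n in zone_of}
    for t, _, o in fw:                                 # 3. LAN zones may only forward to wan
        if t == "forwarding" and o["src"] in lan_zones and o["dest"] != wan_zone:
            findings.append(f"forwarding {o['src']} -> {o['dest']} bridges two LAN zones")
    return findings

# Constructed sample in the layout above (lan4 and lan5 split from br-lan), with one
# deliberate mistake: a forwarding from lan4 to lan5 that the report must flag.
SAMPLE_NETWORK = """
config interface 'lan4'
    option proto 'static'
    option ipaddr '192.168.4.1'
    option netmask '255.255.255.0'
config interface 'lan5'
    option proto 'static'
    option ipaddr '192.168.5.1'
    option netmask '255.255.255.0'
"""
SAMPLE_FIREWALL = """
config zone
    option name 'lan4'
    list network 'lan4'
config zone
    option name 'lan5'
    list network 'lan5'
config forwarding
    option src 'lan4'
    option dest 'lan5'
"""
```

Paste the real `cat /etc/config/network` and `cat /etc/config/firewall` output into the two strings and call `isolation_report` on them; an empty list means the three conditions hold.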
This looks perfect. I'm very new to this. Still learning to navigate through the terminal and create/edit files. It will take me some time to figure this out, but I'll report back once I'm done.
If you prefer a noob-friendly editor, then use nano.
You can navigate with the arrow keys and how to save and exit is shown at the footer.
Or if you like to spend 10 minutes to get to learn the vim basics then do this!
Even just knowing how to navigate and how to use instructions for save and quit is gold. Later you discover how to easily jump into a line or search for strings and you wonder why this arcane knowledge got lost with the new generation.
You never have the need to reach out for distraction-free writing. It has been here already.
Dad joke mansplaining aside. Check out nano to get shit done and find your way. Reach out for help or questions if there are any.
Using the settings info you provided, I looked through the GUI and got it entered. I went ahead and created lan3, lan4, and lan5 for my devices, leaving lan1 and lan2 as originally configured. The one thing that seems to be missing in the output below is `option dhcpv4 'server'`; however, I'm pulling the correct IP addresses and I have internet access. I still need to figure out the manual editing process to add that last option, but here's the network, dhcp, and firewall output. If anything is off, please let me know.
```
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd3c:413b:3153::/48'
    option packet_steering '1'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'wan'
    option device 'eth1'
    option proto 'dhcp'

config interface 'wan6'
    option device 'eth1'
    option proto 'dhcpv6'

config interface 'lan3'
    option proto 'static'
    option device 'lan3'
    option ipaddr '192.168.0.1'
    option netmask '255.255.255.0'

config interface 'lan4'
    option proto 'static'
    option device 'lan4'
    option ipaddr '192.168.10.1'
    option netmask '255.255.255.0'

config interface 'lan5'
    option proto 'static'
    option device 'lan5'
    option ipaddr '192.168.20.1'
    option netmask '255.255.255.0'
```
```
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
    option domainneeded '1'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option cachesize '1000'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
    option localservice '1'
    option ednspacket_max '1232'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'
    option dhcpv6 'server'
    option ra 'server'
    option ra_slaac '1'
    list ra_flags 'managed-config'
    list ra_flags 'other-config'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'

config dhcp 'lan3'
    option interface 'lan3'
    option start '100'
    option limit '150'
    option leasetime '12h'

config dhcp 'lan4'
    option interface 'lan4'
    option start '100'
    option limit '150'
    option leasetime '12h'

config dhcp 'lan5'
    option interface 'lan5'
    option start '100'
    option limit '150'
    option leasetime '12h'
```
```
root@OpenWrt:~# cat /etc/config/firewall

config defaults
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config zone
    option name 'lan3'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan3'

config zone
    option name 'lan4'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan4'

config zone
    option name 'lan5'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan5'

config forwarding
    option src 'lan3'
    option dest 'wan'

config forwarding
    option src 'lan4'
    option dest 'wan'

config forwarding
    option src 'lan5'
    option dest 'wan'
```
This is actually an optional parameter.
So now you actually have 4 networks. But yes, everything looks good. Is it working to your satisfaction?
Looks and works perfectly. I can't thank you enough. It's very much appreciated.
Awesome. Glad to hear it.
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
I was able to fix it in the GUI using the settings I was kindly provided. Now that I have it fixed, I can see that I DEFINITELY need to practice in the terminal. I've used nano a bit in Linux, but I didn't know if it was included in OpenWrt. Trying to learn some of the secondary skills while trying to solve a problem on a deadline is certainly not the most conducive environment for learning. Thanks for helping.
It's not included by default, but super easy to install. You will find that the vi editor is pre-installed. IMO, this is worth learning, at least for the basics, because it gives you the easy ability to edit files directly.
Especially here. All of the information I found as I was researching before I posted on the forum was almost all terminal. I see now that my logic was flawed as I started. I wasn't really looking for a vlan, but separate lans within my router. I very obviously don't do this much. When you are struggling to learn the basic logic of a device, it makes it that much harder to find the correct settings to adjust. It seems the terminal commands aren't exactly represented one-to-one in the GUI. If you are a n00b like me, you just get lost right off the bat. Familiarity with those basic terminal skills is grossly underrated.
A useful but important-to-remember fact:
What you see in LuCI is almost always exactly what's in the UCI config files in /etc/config.
There are special modules which also display data in real time, but afaik all config pages are just displaying what's in the files, and sometimes not everything can be done via LuCI and you have to edit the UCI files anyway.
Yes. Some nuance (which might seem pedantic) that is often lost:
- VLANs technically only apply to ethernet (and in some cases virtual interfaces) where there will be more than one subnet assigned. Such a port is known as a trunk port.
- To keep the traffic marked and separate, VLANs use 802.1q tagging.
- When you have multiple subnets, one per physical port, you don't actually need to use VLANs.
- However, if you were to use two or more ethernet ports and/or wifi+ethernet, you would need to use bridge-VLANs (for DSA devices like yours) in order to set up the multiple networks, despite the fact that you're only using one network per physical ethernet port. (Your first network works with the normal bridge, but if you needed a second (+) bridge, you'd accomplish that by converting to the bridge-vlan construct.)
In addition, the term VLAN is often used colloquially to mean multiple subnets, even when it is a configuration like yours with a 1:1 mapping of subnets to ports. Even I'm guilty of using the term when it's not technically accurate.