Two networks, one router

I have a Gl.iNet router, and I want to create a separate network for IOT devices so I can control access between networks. Any help to achieve this would be greatly appreciated.

I already have set up an extra bridge and interface for the IOT network, so that everyone on LAN (10.0.1.0/16) can communicate with each other and the router (10.0.0.1), and everyone on IOT (10.10.0.0/24) can communicate with each other and the router (10.0.0.1). The issue arises when I try to connect the two. I have tried different solutions, but none have worked, and I don't know which method would be correct, or even if I have configured the networks correctly.

I also don't know if I should be using VLANs for the physical interfaces or separate wifi networks for wifi devices, but it seems to work with everything connected to the LAN network.

My primary goal with this is to be able to access IOT devices from LAN, but nothing should be able to connect from IOT to LAN except maybe a couple of devices I specify if I need to.

Why are you using a /16? Seems unnecessary and is generally bad practice.

What do you mean by this?

Depends...
Do you need ethernet connectivity on these networks, wifi, or both?

Are there multiple routers/APs involved here, or just one device?

Let's review your config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Yes, 10.0.1.0/16 overlaps 10.0.0.1, which is not going to work. In general around the home, /24 networks should be used since that keeps the numbering simple.

Then you would create an iot firewall zone and allow forwarding lan-->iot but not iot-->lan. IoTs are usually allowed unrestricted access to the Internet (forward iot-->wan) but you can restrict it if desired.

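The zone layout this reply describes, worked through as an added example (not code from the thread or from the OpenWrt project): a constructed /etc/config/firewall fragment with lan, wan and iot zones, forwardings for lan->iot, lan->wan and iot->wan only, a rule that lets IoT hosts reach the router itself just for DHCP and DNS, and a rule that exempts one listed device (placeholder address 10.10.0.50) from the iot->lan block. The Python below parses the fragment and reports the verdict a new flow would get, following a simplified version of the order fw3/fw4 use (explicit rules, then zone forwardings, then zone and global defaults). The zone names, the 10.10.0.50 device and the function names are assumptions made here.

```python
"""Model of the suggested zone layout: lan -> iot allowed, iot -> lan blocked except for listed devices, iot -> wan allowed."""
import re

# Constructed /etc/config/firewall fragment (the thread never shows the OP's firewall config).
# Zone, forwarding and rule syntax is standard OpenWrt UCI; 10.10.0.50 is a placeholder device.
FIREWALL = """
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
config zone
        option name 'wan'
        list network 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
config zone
        option name 'iot'
        list network 'IOT'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
config forwarding
        option src 'lan'
        option dest 'iot'
config forwarding
        option src 'lan'
        option dest 'wan'
config forwarding
        option src 'iot'
        option dest 'wan'
config rule
        option name 'iot-dhcp-dns-to-router'
        option src 'iot'
        option proto 'tcp udp'
        option dest_port '53 67'
        option target 'ACCEPT'
config rule
        option name 'iot-listed-device-to-lan'
        option src 'iot'
        list src_ip '10.10.0.50'
        option dest 'lan'
        option target 'ACCEPT'
"""

SECTION = re.compile(r"^config\s+(\S+)")
KEYVAL = re.compile(r"^\s+(?:option|list)\s+(\S+)\s+'([^']*)'")

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {key: [values]}); list keys accumulate."""
    sections = []
    for line in text.splitlines():
        if m := SECTION.match(line):
            sections.append((m.group(1), {}))
        elif sections and (m := KEYVAL.match(line)):
            sections[-1][1].setdefault(m.group(1), []).append(m.group(2))
    return sections

def _rule_matches(opts, src, dest, src_ip, proto, dport):
    """Match on src/dest zone, optional src_ip list, proto list and dest_port list; dest None = to the router."""
    if opts.get("src", [None])[0] != src or opts.get("dest", [None])[0] != dest:
        return False
    if "src_ip" in opts and src_ip not in opts["src_ip"]:
        return False
    protos = opts.get("proto", ["all"])[0].split()
    if "all" not in protos and proto not in protos:
        return False
    ports = opts.get("dest_port", [""])[0].split()
    return not ports or str(dport) in ports

def verdict(config, src, dest=None, src_ip="0.0.0.0", proto="tcp", dport=0):
    """Verdict for a NEW flow from zone src. dest=None means the packet is addressed to the router.
    Simplified fw3/fw4 order: explicit rules first, then zone forwardings, then the defaults."""
    sections = parse_uci(config)
    for typ, opts in sections:
        if typ == "rule" and _rule_matches(opts, src, dest, src_ip, proto, dport):
            return opts.get("target", ["DROP"])[0]
    if dest is None:  # input chain: the source zone's own input policy decides
        for typ, opts in sections:
            if typ == "zone" and opts["name"][0] == src:
                return opts.get("input", ["REJECT"])[0]
        return "REJECT"
    for typ, opts in sections:  # forward chain: needs an explicit inter-zone forwarding
        if typ == "forwarding" and opts["src"][0] == src and opts["dest"][0] == dest:
            return "ACCEPT"
    return "REJECT"  # global forward default

if __name__ == "__main__":
    for label, v in [
        ("lan -> iot", verdict(FIREWALL, "lan", "iot")),
        ("iot -> lan (unlisted)", verdict(FIREWALL, "iot", "lan", src_ip="10.10.0.7")),
        ("iot -> lan (10.10.0.50)", verdict(FIREWALL, "iot", "lan", src_ip="10.10.0.50")),
        ("iot -> router DNS", verdict(FIREWALL, "iot", proto="udp", dport=53)),
        ("iot -> router SSH", verdict(FIREWALL, "iot", proto="tcp", dport=22)),
    ]:
        print(f"{label:26s} {v}")
```

Replies to connections that LAN opens towards IoT devices come back through conntrack's established/related handling, which this model does not simulate, so the iot->lan REJECT only stops connections the IoT side initiates. The input-chain branch is what decides whether an IoT host can talk to the router itself: with the zone's input set to REJECT, only the DHCP/DNS rule lets anything through.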

I wanted to use /23 just for fun mostly, but the normal router interface (not LuCI) only had options for /24 and /16, so I just chose /16, put the DHCP server within a /23 subnet, and didn't think much about it.
I seem to have missed something earlier though, is it true that 10.0.1.0-10.0.2.255 is not a possible /24 subnet?

By connecting the two, I just mean allowing traffic between them somehow.

I do need ethernet connectivity, but wifi may not be needed. Is it enough to assign the two ports on my router I need to the IOT bridge and interface (and remove them from the LAN bridge and interface), or do I need to use VLANs?

There is only one router involved, and only integrated antennas.

Config
{
        "kernel": "5.4.238",
        "hostname": "GL-MT6000",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02-SNAPSHOT",
                "revision": "r15812+1085-46b6ee7ffc",
                "target": "mediatek/mt7986",
                "description": "OpenWrt 21.02-SNAPSHOT r15812+1085-46b6ee7ffc"
        }
}
root@GL-MT6000:~# cat /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
config globals 'globals'
        option ula_prefix 'fd90:66d8:b95a::/48'
config device
        option name 'br-lan'
        option type 'bridge'
        option macaddr 'redacted'
        option igmp_snooping '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
config device
        option name 'lan1'
        option macaddr 'redacted'
config device
        option name 'lan2'
        option macaddr 'redacted'
config device
        option name 'lan3'
        option macaddr 'redacted'
config device
        option name 'lan4'
        option macaddr 'redacted'
config device
        option name 'lan5'
        option macaddr 'redacted'
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        option isolate '0'
        option ipaddr '10.0.0.1'
        option netmask '255.255.0.0'
config device
        option name 'eth1'
        option macaddr 'redacted'
config interface 'wan'
        option device 'eth1'
        option force_link '0'
        option ipv6 '0'
        option metric '10'
        option classlessroute '0'
        option proto 'dhcp'
        option type 'bridge'
config interface 'wan6'
        option proto 'dhcpv6'
        option device '@wan'
        option disabled '1'
config interface 'tethering6'
        option device '@tethering'
        option proto 'dhcpv6'
        option disabled '1'
config interface 'wwan6'
        option device '@wwan'
        option proto 'dhcpv6'
        option disabled '1'
config interface 'guest'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option multicast_querier '1'
        option isolate '0'
        option bridge_empty '1'
        option disabled '0'
        option igmp_snooping '1'
config interface 'secondwan'
        option ipv6 '0'
        option proto 'dhcp'
        option metric '15'
        option force_link '0'
        option classlessroute '0'
config interface 'secondwan6'
        option proto 'dhcpv6'
        option device '@secondwan'
        option disabled '1'
        option metric '15'
config rule 'policy_direct_rt'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'
config rule 'policy_default_rt_vpn'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'
config rule6 'policy_direct_rt6'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'
config rule6 'policy_default_rt_vpn6'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'
config rule 'policy_default_rt_vpn_ts'
        option lookup 'main'
        option priority '1099'
        option mark '0x80000/0xc0000'
        option invert '0'
config rule 'policy_relay_lo_rt_lan'
        option lookup '16800'
        option in 'loopback'
        option priority '1'
config interface 'IOT'
        option proto 'static'
        option device 'br-iot'
        list ipaddr '10.10.0.0/24'
config device
        option type 'bridge'
        option name 'br-iot'
        option macaddr 'redacted'
        option txqueuelen '1000'
        option mtu6 '1500'
        option bridge_empty '1'
        option mtu '1500'
config route
        option netmask '255.255.255.0'
        option target '10.10.0.0'
        option interface 'lan'
config route
        option interface 'IOT'
        option target '10.0.1.0'
        option netmask '255.255.254.0'
        option disabled '1'
config interface 'wgclient'
        option proto 'wgclient'
        option config 'peer_1009'
        option disabled '1'
config interface 'wwan'
        option proto 'dhcp'
        option classlessroute '0'
        option metric '20'
        option mtu '1500'
config interface 'ovpnserver'
        option proto 'ovpnserver'
        option disabled '1'
root@GL-MT6000:~# cat /etc/config/wireless
config wifi-device 'mt798611'
        option type 'mtk'
        option band '2g'
        option htmode 'HE40'
        option hwmode '11g'
        option random_bssid '1'
        option legacy_rates '1'
        option channel '13'
        option country 'NO'
config wifi-iface 'wifi2g'
        option device 'mt798611'
        option mode 'ap'
        option ifname 'ra0'
        option wds '1'
        option ieee80211k '1'
        option bss_transition '1'
        option key 'redacted'
        option ssid 'Dragon'\''s Lair'
        option encryption 'sae-mixed'
        option igmp_snooping '1'
        option network 'lan'
        option macaddr 'redacted'
config wifi-device 'mt798612'
        option type 'mtk'
        option band '5g'
        option channel 'auto'
        option legacy_rates '0'
        option hwmode '11a'
        option htmode 'HE160'
        option random_bssid '1'
        option country 'NO'
config wifi-iface 'wifi5g'
        option device 'mt798612'
        option mode 'ap'
        option ifname 'rax0'
        option wds '1'
        option ieee80211k '1'
        option bss_transition '1'
        option encryption 'sae'
        option key 'redacted'
        option ssid 'Dragon'\''s Lair'
        option igmp_snooping '1'
        option network 'lan'
        option macaddr 'redacted'
config wifi-iface 'guest2g'
        option device 'mt798611'
        option network 'guest'
        option mode 'ap'
        option ifname 'ra1'
        option encryption 'psk2'
        option guest '1'
        option wds '1'
        option isolate '1'
        option ssid 'Peasant Stream'
        option hidden '0'
        option key 'redacted'
        option igmp_snooping '1'
        option macaddr 'redacted'
config wifi-iface 'guest5g'
        option device 'mt798612'
        option network 'guest'
        option mode 'ap'
        option ifname 'rax1'
        option encryption 'psk2'
        option guest '1'
        option wds '1'
        option isolate '1'
        option igmp_snooping '1'
        option ssid 'Peasant Stream'
        option key 'redacted'
        option macaddr 'redacted'
root@GL-MT6000:~# cat /etc/config/dhcp
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_localhost '1'
        option local '/lan/'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option rebind_protection '0'
        option domain 'ts.net lan'
        option filter_aaaa '1'
        option confdir '/tmp/dnsmasq.d'
config dhcp 'lan'
        option interface 'lan'
        option dhcpv4 'server'
        option leasetime '720m'
        option start '257'
        option limit '505'
        list dhcp_option '6,1.1.1.1,1.0.0.1'
        list ra_flags 'none'
        option force '1'
        option ignore '0'
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
config domain
        option name 'console.gl-inet.com'
        option ip '10.0.0.1'
config domain
        option name 'console.gl-inet.com'
        option ip '::ffff:10.0.0.1'
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'disabled'
        option ra 'disabled'
config dhcp 'secondwan'
        option interface 'secondwan'
        option ignore '1'

What do you mean by it overlapping? I know 10.0.0.1 is a part of that subnet, but does that matter when the dhcp server doesn't use that address? I still have access to 10.0.0.1 from the 10.10.0.0/24 subnet.

Is there a particular problem with a network like that other than confusing addresses?

Also, apparently my LAN is just 10.0.0.1/16, and IOT is 10.10.0.0/24. I have no idea why I can access 10.0.0.1 when connected with a 10.10.0.x address, especially when all other devices are unreachable.

I think I have the firewall configured correctly according to what you're saying, so I guess the issue is probably elsewhere.

So you are using the GL-Inet fork of OpenWrt, which is considerably different from official OpenWrt. As such, you need to ask for help on their forums because their version materially changes the way that the firmware functions.

That said, the MT6000 is very well supported by the official OpenWrt project. So you can install 24.10 (from here) and we can help you in that context.

Meanwhile, you didn't answer a key question:

This is typically governed by the input rule in the firewall configuration. If input is allowed from a given network/zone, it means that the hosts on that network are allowed to connect to the router itself. In the case of the 10.0.0.1 address, that is the router itself, even though it is an address it holds for another network. When the router has multiple addresses, you can think of it like a set of nicknames to which the router will respond.


Is there a big advantage to installing pure openwrt instead of the normal firmware? I have WireGuard set up, and it seemed to be much easier to use on the gl.inet version.
I'm also a little scared of messing something up when flashing a new firmware. I can just use the option to flash new system firmware, right? Is the config backup file compatible between the two?

I probably answered a little vaguely, but I do not have multiple routers or APs, only the MT6000.

I'm a little confused about the router address. A router address is the same thing as a gateway address, right? Am I setting the gateway address when I set the IP address in the interface, so 10.0.0.1 and 10.10.0.1 are the router addresses for each network respectively?

I can access 10.0.0.1 from both networks, but 10.10.0.1 is not reachable from any of them. Is that because the WiFi and ethernet are connected to the LAN network?

I just remembered I have at least one device I would like to have connected to an IOT wifi network. I didn't manage to make another SSID in addition to the normal and guest network, is that not something that should be possible, or is that maybe a Gl.iNet limitation?

I'm probably biased when I say "yes" -- I much prefer the official OpenWrt experience. It has the same (probably more) flexibility, but does not have the extra weight of trying to be a monolithic do-everything firmware. You can customize the image pre-flash, or you can install additional packages post-flash, but the standard/default image is fairly minimal... less resource intensive and you get to choose what you want/don't want. Further, it is unadulterated, so the characteristics of its operation are known and well documented.

It is fair to say that the GL-Inet firmware does what it needs to, and it is a simple solution for many users -- it's got a lot pre-installed with a fairly friendly interface and presets/wizards to get everything running. But, they make a lot of changes, so things fundamentally work differently.

I would say that OpenWrt is better suited to the enthusiast who knows or wants to learn networking and linux vs the GL-Inet firmware which is more catered to those less inclined to mess around with this stuff for fun. However, that doesn't mean that official OpenWrt is out of reach -- IMO, it's not hard to learn/configure.

WG is easy to set up on official OpenWrt. You mention "easier" -- I'm not sure if you have a true comparison point that was painful for you, or if that's just an impression, but it's fairly straightforward and we can help you.

Noted. Thanks.

Perspective. From the perspective of your router -- the MT6000 itself -- the gateway would typically be the upstream router that provides connectivity to the MT6000. From the perspective of your downstream devices (computers, phones, etc.), the gateway is your router. And the router itself can hold multiple addresses.

Generally speaking, you do not need to (and should not) enter the gateway address into the downstream network interfaces on the OpenWrt router. It should only exist on the upstream. There are exceptions, of course. But this also is how official OpenWrt works... I can't speak to GL-Inet's fork.

I seem to recall that you had a subnet overlap... that would cause the problem for sure. But, wifi vs ethernet has no relevance here. And, with the GL-Inet fork, I can't really guarantee that things are going to work as would be expected with official OpenWrt.

🤷 That would be a question for gl-inet or their forums. On official OpenWrt, it's really easy to do all this.

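A standard-library check of the addressing in the config dump posted earlier in this thread, as an added example (not from the thread, from GL-Inet or from OpenWrt). The values are transcribed from that /etc/config/network: the IOT interface carries `list ipaddr '10.10.0.0/24'`, which gives the router the network address rather than a host address such as 10.10.0.1; the static route for 10.10.0.0/24 names interface `lan` even though that network is the IOT bridge's own; and the disabled route 10.0.1.0/255.255.254.0 is a /23 that does not start on a /23 boundary, which is also why 10.0.1.0/16 and 10.0.1.0/23 are not valid network addresses. The `check_prefix` and `lint` functions and the finding texts are names and wording chosen here.

```python
"""Addressing checks for an OpenWrt static-interface and static-route layout, stdlib only."""
import ipaddress

# Transcribed from the /etc/config/network dump in this thread: static interfaces as
# ipaddr/netmask (or CIDR, as the IOT interface was written), and routes as (target/netmask,
# interface, disabled). Everything else from the dump is omitted.
INTERFACES = {
    "lan": "10.0.0.1/255.255.0.0",
    "guest": "192.168.9.1/255.255.255.0",
    "IOT": "10.10.0.0/24",
}
ROUTES = [
    ("10.10.0.0/255.255.255.0", "lan", False),
    ("10.0.1.0/255.255.254.0", "IOT", True),
]

def check_prefix(cidr):
    """Return (aligned, network): whether cidr is a valid network address for its prefix length,
    and the network it actually denotes once the host bits are cleared."""
    try:
        return True, ipaddress.IPv4Network(cidr)
    except ValueError:
        return False, ipaddress.IPv4Network(cidr, strict=False)

def lint(interfaces=INTERFACES, routes=ROUTES):
    """Findings: the router's address must be a host address, interface networks must not overlap,
    and route targets must be aligned and not already directly connected via another interface."""
    findings = []
    nets = {name: ipaddress.IPv4Interface(spec) for name, spec in interfaces.items()}
    for name, itf in nets.items():
        if itf.ip in (itf.network.network_address, itf.network.broadcast_address):
            findings.append(f"{name}: {itf.ip} is the network/broadcast address of {itf.network}, "
                            f"not a host address; the router will not answer on {itf.network[1]}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].network.overlaps(nets[b].network):
                findings.append(f"{a} {nets[a].network} overlaps {b} {nets[b].network}")
    for target, via, disabled in routes:
        tag = "disabled route" if disabled else "route"
        aligned, net = check_prefix(target)
        if not aligned:
            findings.append(f"{tag} {target}: not an aligned prefix (host bits set; nearest is {net})")
            continue
        for name, itf in nets.items():
            if name != via and net.subnet_of(itf.network):
                findings.append(f"{tag} {net} via {via}: already directly connected on {name}, "
                                f"so this route sends it out the wrong interface")
    return findings

if __name__ == "__main__":
    for cidr in ("10.0.1.0/16", "10.0.1.0/23", "10.0.2.0/23"):
        print(cidr, check_prefix(cidr))
    for finding in lint():
        print("-", finding)
```

Run against the transcribed values it reports three findings (the IOT address, the 10.10.0.0/24 route via lan, and the misaligned /23); the overlap check fires only when two interfaces' networks intersect, as with a /16 on lan and a /24 carved out of it on another interface.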

Yeah, it looks like I'm best served installing plain openwrt at this point. I think the gateway problem is probably a Gl.iNet thing as well. It seems the Gl.inet firmware is just not made to support more than one network and 2 WiFi networks. I'm a Linux nerd anyways, so it should be fine. Most of my hesitation comes from the openwrt documentation being so hard to understand when I only use the Web interface.

You do have a point regarding WG, I haven't been able to properly try to set it up in LuCI, especially because I got server and client confused when I set it up last time. I was thinking it would make sense to set it up as server, since it would be sending all outbound device traffic to the vpn, but I was of course supposed to just log on to the vpn as a client.

The gateway question was hard to formulate correctly exactly because of what you were explaining lol. It seems I did have the correct understanding.

I fixed the subnet overlap, and it didn't make a difference, so I'm thinking it's because the gl.inet firmware doesn't work with more than one LAN.

Yeah, I thought so, but this router has made me question everything I know😂

You've been of great help, thanks a lot. I'll see when I have time to flash new firmware and reconfigure the router, hopefully that fixes all my problems, and I hope this thread can be of help to someone in a similar situation to me as well.

