VLAN on GL-MT6000

Hello to you all,

Over the years my network grew. It used to be one PC and a printer. Now even the dishwasher wants internet access, there are tablets from the kids, and all kinds of devices use the network; I can't keep track. A while ago I bought an OpenWrt-capable router.

What I want

  1. One part with dirty PCs, tablets and so on.
  2. Another part where my personal (hopefully) clean PCs will be running.
  3. On the clean network there needs to be a Master-PC to configure the router, access points, switch and printer (on the dirty network).
  4. The IP cameras may only access an SBC (Single Board Computer, something like a Pi). On the SBC there is some software controlling the cameras. All PCs may access the SBC, but may not access the cameras.

Well, at least that's the idea. I'll try to achieve this one step at a time, and testable; I hope not to stop/kill the network for days. I bought a new managed switch. I hope to connect some old Raspberry Pi SBCs (Pi-A and Pi-B) to the managed switch and test if I can ping them, log in to them with SSH, SSH to Pi-A and ping Pi-B, SSH from the Master-PC to Pi-A to Pi-B, etc. Or SSH to Pi-B and see that I cannot SSH/ping to Pi-A.

Here is a picture I made:

Below is what I read and what I tried. However, I get a rollback because some settings are wrong. I started with the managed switch connected and the Master-PC on the managed switch. For now I have the Master-PC on the unmanaged switch, as I want to start with a VLAN on lan1. I thought maybe only lan1 would not be accessible anymore when the IP range goes from 192.168.0.x to 192.168.10.x.

What I did
I read this mini tutorial:

At the end there is part 4, which looks like the best starting point for me:

Device
I managed to add a device using LuCI Network >> Interfaces >> Devices.

I saw a YouTube video (I need to find the link; I can get back on this one). In the video 802.1q was chosen; however, there are more options:

  1. 802.1ad
  2. MAC Vlan
  3. Virtual Ethernet

Is 802.1q okay?

Interface
I added an interface under Network >> Interfaces.
Here I get to choose the gateway and the firewall zone. I could argue that if the switch in the router is named br-lan and VLAN 10 is named br-lan.10, they both can use the same firewall. But I must not define a separate gateway for VLAN 10 (now the gateway points to the modem). But I am not sure. LuCI tells me Vlan10 is up and running. I did not add a separate VLAN for the 'old dirty network'. Do I need to add a new interface for VLAN ID 1?

Rollback
When I edit the bridge VLAN filtering and Save & Apply, I get the rollback: OpenWrt asks me if I want to put back the latest settings that did work.

I can SSH into the router and cat network:

root@GL-MT6000:/etc/config# cat network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3e:4d9b:5272::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	option macaddr '94:83:c4:a7:60:d0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config device
	option name 'lan1'
	option macaddr '94:83:c4:a7:60:d0'

config device
	option name 'lan2'
	option macaddr '94:83:c4:a7:60:d0'

config device
	option name 'lan3'
	option macaddr '94:83:c4:a7:60:d0'

config device
	option name 'lan4'
	option macaddr '94:83:c4:a7:60:d0'

config device
	option name 'lan5'
	option macaddr '94:83:c4:a7:60:d0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option isolate '0'

config device
	option name 'eth1'
	option macaddr '94:83:c4:a7:60:ce'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option force_link '0'
	option ipv6 '0'
	option classlessroute '0'
	option metric '10'
	option vlanid '0'
	option peerdns '1'

config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'
	option disabled '1'

config interface 'tethering6'
	option device '@tethering'
	option proto 'dhcpv6'
	option disabled '1'

config interface 'wwan6'
	option device '@wwan'
	option proto 'dhcpv6'
	option disabled '1'

config interface 'guest'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option multicast_querier '1'
	option igmp_snooping '0'
	option isolate '0'
	option bridge_empty '1'
	option disabled '1'

config interface 'wwan'
	option proto 'dhcp'
	option classlessroute '0'
	option metric '20'

config interface 'secondwan'
	option ipv6 '0'
	option proto 'dhcp'
	option metric '15'
	option force_link '0'
	option classlessroute '0'

config interface 'secondwan6'
	option proto 'dhcpv6'
	option device '@secondwan'
	option disabled '1'
	option metric '15'

config interface 'modem_1_1_2_6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@modem_1_1_2'

config rule 'policy_direct_rt'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule 'policy_default_rt_vpn'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule6 'policy_direct_rt6'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule6 'policy_default_rt_vpn6'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule 'policy_default_rt_vpn_ts'
	option lookup 'main'
	option priority '1099'
	option mark '0x80000/0xc0000'
	option invert '0'

config interface 'Vlan10'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '192.168.10.1'
	option broadcast '192.168.10.255'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option name 'br-lan.10'
	option macaddr '94:83:C4:A7:60:D3'
	option mtu '1500'

cat dhcp

root@GL-MT6000:/etc/config# cat dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '0'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'disabled'
	option ra 'disabled'
	option ra_slaac '1'
	option force '1'
	option ignore '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option name 'console.gl-inet.com'
	option ip '192.168.0.2'

config domain
	option name 'console.gl-inet.com'
	option ip '::ffff:192.168.0.2'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'disabled'
	option ra 'disabled'

config dhcp 'secondwan'
	option interface 'secondwan'
	option ignore '1'

config dhcp 'Vlan10'
	option interface 'Vlan10'
	option start '100'
	option limit '150'
	option leasetime '12h'

cat firewall

I hope you can help, thanks!
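The three things a reviewer would check in the network dump above, as an added example that is not part of the original post or of OpenWrt/GL.iNet code: the script below parses a UCI dump and flags an 802.1q device stacked on the bridge where a DSA build expects bridge-vlan sections, a bridge port left out of every bridge-vlan once VLAN filtering is active (that port then passes nothing, which is how you lock yourself out and trigger the rollback discussed further down the thread), and a static interface whose ipaddr has no netmask, which is the case for Vlan10 above. SAMPLE_NETWORK is a trimmed copy of the posted config; the lockout case is only reachable with a constructed variant.

```python
"""Lint a UCI /etc/config/network dump for the VLAN pitfalls this thread runs into.

Added example, not code from the original post or from OpenWrt/GL.iNet.
SAMPLE_NETWORK is constructed from the dump posted above, trimmed to what matters.
"""
import re
from collections import defaultdict

SAMPLE_NETWORK = """
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.2'
	option netmask '255.255.255.0'

config interface 'Vlan10'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '192.168.10.1'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option name 'br-lan.10'
"""


def parse_uci(text):
    """Minimal UCI parser for the single-quoted form `cat /etc/config/network`
    prints; it does not handle unquoted or double-quoted values."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:
            cur = {"type": m.group(1), "name": m.group(2), "opt": {}, "list": defaultdict(list)}
            sections.append(cur)
            continue
        m = re.match(r"^(option|list)\s+(\S+)\s+'([^']*)'$", line)
        if m and cur is not None:
            kind, key, val = m.groups()
            if kind == "option":
                cur["opt"][key] = val
            else:
                cur["list"][key].append(val)
    return sections


def audit(sections):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    devices = [s for s in sections if s["type"] == "device"]
    bridges = {s["opt"].get("name"): s for s in devices if s["opt"].get("type") == "bridge"}
    bridge_vlans = [s for s in sections if s["type"] == "bridge-vlan"]

    # 1. VLAN built by stacking an 8021q device on the bridge, with no bridge-vlan
    #    sections. On DSA hardware the bridge-vlan form is what lets you say, per
    #    port, whether a VLAN leaves tagged (trunk) or untagged (access port).
    for d in devices:
        if d["opt"].get("type") == "8021q" and d["opt"].get("ifname") in bridges and not bridge_vlans:
            findings.append(f"{d['opt'].get('name')}: 802.1q device on {d['opt']['ifname']} but no "
                            f"'config bridge-vlan' sections; define the VLAN on the bridge instead")

    # 2. VLAN filtering is on (set explicitly, or implied because bridge-vlan sections
    #    exist for this bridge) and a bridge port belongs to no VLAN. Such a port
    #    forwards nothing; manage the router through it and you are locked out.
    for name, br in bridges.items():
        vlans_here = [v for v in bridge_vlans if v["opt"].get("device") == name]
        if br["opt"].get("vlan_filtering") == "1" or vlans_here:
            members = {p.split(":")[0] for v in vlans_here for p in v["list"]["ports"]}
            for port in br["list"]["ports"]:
                if port not in members:
                    findings.append(f"{name}: VLAN filtering active but port {port} is in no "
                                    f"bridge-vlan; it will pass no traffic")

    # 3. Static address with neither 'option netmask' nor a /prefix on ipaddr.
    for s in sections:
        if s["type"] == "interface" and s["opt"].get("proto") == "static":
            ip = s["opt"].get("ipaddr", "")
            if ip and "/" not in ip and "netmask" not in s["opt"]:
                findings.append(f"interface {s['name']}: ipaddr {ip} has no netmask; "
                                f"add 'option netmask' or write it as {ip}/24")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_uci(SAMPLE_NETWORK)) or ["no findings"]:
        print("-", finding)
```

Run it against `cat /etc/config/network` output before pressing Save & Apply; check 2 is the one that matters most, because a port that is in the bridge but in no bridge-vlan is exactly the situation LuCI's rollback timer is there to rescue you from.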

It looks to me like you are taking on a lot all at once.

I would recommend planning what separated environments you need (i.e. the VLANs) and where you need each to have access ports (i.e. the physical LAN ports that are attached to a specific VLAN). Then start by converting your current untagged (non-VLAN) environment into a tagged environment. It looks like you will probably need a trunk connection between the router and the switch too, so you'll need to take into account any requirements of the switch as well.

Once you have that working then you can add the additional VLANs you have planned, and then create the firewall rules that will allow the restricted connections between the VLANs that you want.

I found this video by OneMarcFifty very helpful: https://www.youtube.com/watch?v=qeuZqRqH-ug
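The planning step described in the reply above, turned into config, as an added example that is not part of the thread or of OpenWrt/GL.iNet code: a port plan (which VLAN IDs exist, which ports are untagged access ports, which port is the tagged trunk to the managed switch) rendered into the bridge-vlan, interface, dhcp and firewall sections for a DSA bridge. The VLAN IDs, names, subnets, the lan1 trunk and the SBC address 192.168.0.50 are assumptions standing in for the poster's plan; the firewall part encodes the isolation asked for in the first post, with every inter-VLAN path rejected except the listed exceptions. The generated 'lan' sections replace the stock lan interface, dhcp pool and firewall zone rather than being added beside them.

```python
"""Render UCI sections for a tagged DSA bridge from a port plan: one bridge-vlan per
VLAN with a trunk port tagged in all of them, a static interface per VLAN, a DHCP
pool per VLAN, and firewall zones that reject inter-VLAN traffic except for listed
exceptions.

Added example, not code from the thread or from OpenWrt/GL.iNet. VLAN IDs, names,
subnets, port roles and the SBC address are assumptions.
"""

BRIDGE = "br-lan"
TRUNK = "lan1"   # carries every VLAN tagged to the managed switch

# name, VID, router address, untagged access ports, whether hosts may manage the router
PLAN = [
    {"name": "lan",   "vid": 1,  "addr": "192.168.0.2",  "ports": ["lan2", "lan3"], "manage": False},
    {"name": "clean", "vid": 10, "addr": "192.168.10.1", "ports": ["lan4"],         "manage": True},
    {"name": "cam",   "vid": 20, "addr": "192.168.20.1", "ports": ["lan5"],         "manage": False},
]

SBC = "192.168.0.50"   # assumed address of the camera server, living on the 'lan' VLAN

# Explicit cross-VLAN exceptions; keys map one-to-one onto UCI firewall rule options.
ALLOW = [
    {"name": "clean-to-lan", "src": "clean", "dest": "lan"},                   # admin PC reaches switch/AP/printer
    {"name": "cam-to-sbc",   "src": "cam",   "dest": "lan", "dest_ip": SBC},   # cameras reach only the SBC
    {"name": "sbc-to-cam",   "src": "lan",   "src_ip": SBC, "dest": "cam"},    # only the SBC talks to cameras
]


def uci_section(stype, name=None, options=(), lists=()):
    """Render one UCI section from (key, value) pairs."""
    head = f"config {stype} '{name}'" if name else f"config {stype}"
    body = [f"\toption {k} '{v}'" for k, v in options]
    body += [f"\tlist {k} '{v}'" for k, v in lists]
    return "\n".join([head] + body) + "\n\n"


def render_network(plan=PLAN, trunk=TRUNK, bridge=BRIDGE):
    """bridge-vlan sections plus the interface riding on each VLAN. The existing
    'config device' for br-lan (with its ports list) stays; netifd creates
    br-lan.<vid> and enables VLAN filtering once bridge-vlan sections exist."""
    out = ""
    for v in plan:
        # '<port>:t' = tagged member (trunk); a bare port name = untagged member with this VID as PVID
        ports = [("ports", f"{trunk}:t")] + [("ports", p) for p in v["ports"]]
        out += uci_section("bridge-vlan", options=[("device", bridge), ("vlan", v["vid"])], lists=ports)
        out += uci_section("interface", v["name"], options=[
            ("device", f"{bridge}.{v['vid']}"), ("proto", "static"), ("ipaddr", f"{v['addr']}/24")])
    return out


def render_dhcp(plan=PLAN):
    """One DHCPv4 pool per VLAN interface."""
    return "".join(uci_section("dhcp", v["name"], options=[
        ("interface", v["name"]), ("start", "100"), ("limit", "150"),
        ("leasetime", "12h"), ("dhcpv4", "server")]) for v in plan)


def render_firewall(plan=PLAN, allow=ALLOW):
    """One zone per VLAN with forward REJECT and a forwarding to wan only. Zones that
    may not manage the router get input REJECT plus DHCP/DNS holes so clients work."""
    out = ""
    for v in plan:
        out += uci_section("zone", options=[("name", v["name"]),
                                            ("input", "ACCEPT" if v["manage"] else "REJECT"),
                                            ("output", "ACCEPT"), ("forward", "REJECT")],
                           lists=[("network", v["name"])])
        out += uci_section("forwarding", options=[("src", v["name"]), ("dest", "wan")])
        if not v["manage"]:
            out += uci_section("rule", options=[("name", f"Allow-DHCP-{v['name']}"), ("src", v["name"]),
                                                ("proto", "udp"), ("dest_port", "67-68"), ("target", "ACCEPT")])
            out += uci_section("rule", options=[("name", f"Allow-DNS-{v['name']}"), ("src", v["name"]),
                                                ("proto", "tcp udp"), ("dest_port", "53"), ("target", "ACCEPT")])
    keys = ("name", "src", "src_ip", "dest", "dest_ip", "proto", "dest_port")
    for r in allow:
        out += uci_section("rule", options=[(k, r[k]) for k in keys if k in r] + [("target", "ACCEPT")])
    return out


if __name__ == "__main__":
    print("# /etc/config/network (add; replace the old 'lan' interface)\n" + render_network())
    print("# /etc/config/dhcp (replace 'config dhcp lan')\n" + render_dhcp())
    print("# /etc/config/firewall (replace the default 'lan' zone and its forwarding)\n" + render_firewall())
```

Apply the result from a port that is an untagged member of the VLAN you manage from (lan4 in this plan), because the router's management address moves to br-lan.10 and the 'lan' zone no longer accepts input; on the switch side the trunk port must carry VIDs 1, 10 and 20 tagged, and each access port must be untagged in exactly one of them.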

Hello rmappleby, thank you for the reply.
I agree it is a lot.
My first idea was to, for now, use one port of the router (lan1), connect it to the managed switch, and see if the managed switch can see the different VLANs. The old network will stay on the unmanaged switch. The IP camera server is already running. I already have some hardware, etc. Some hardware is old, like a Raspberry Pi 1, but for this purpose it is fine: for doing a ping or an SSH to test if I can or cannot connect. Thank you for the link; I will have a look this evening.

A quick sneak-preview question. Now I use no VLAN. I use the IP range 192.168.0.xxx for all the PCs on the network. Do I also need to make a new interface for this old network? At this link

I see at point 4 only one interface defined. I will check the video now, thanks!

This may not be the cause of your rollback, but before you Save and Apply on the bridge that causes it to roll back with the VLANs configured, try unchecking the bridge's 'Enable VLAN filtering' box to see if it applies then.

I'm using the native GL firmware and I have to leave the bridge VLAN filtering box unchecked whenever applying changes to a bridge device that has my VLANs configured on it, and I've heard others that are running the latest vanilla OpenWrt are experiencing a similar problem with that checkbox.

Hello DaWeav, thanks for your reply. I did not try that one yet; I thought it was needed. Do I lose some functionality by not using 'Enable VLAN filtering'? Now I remember I could not use the latest version of the firmware. Just an hour ago I did a factory reset, and when logging into LuCI it also mentioned a rollback. That was before setting anything in LuCI; the text had some comment on defining eth0 in another way.

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.


It is needed, but on the native GL firmware it sure seems to me that the LuCI advanced GUI for the Enable VLAN filtering checkbox is backwards, after watching what it writes in the network file for the bridge device when checked and unchecked.

To be clear, that checkbox is not truly required on the official OpenWrt. Specifically, it seems to be implicitly enabled when bridge-vlans are present, even when the checkbox is unchecked (and thus the line is not present in the config). In the many (~hundreds) of configs I have helped with, I've never needed to advise that the option be enabled.

However, that may or may not be true about the GL-inet firmware. For help with their firmware, the discussion should be on their forums. Official OpenWrt, on the other hand, can be supported here and runs very well on those devices.