VLAN+SSID+VPN on Flint 2, running OpenWRT 24.10: VLAN Filtering Rolls Back, LAN Cuts Out, Fallback Fails

Hi all — I’m building a VLAN-segmented home network on a GL.iNet Flint 2 running official OpenWRT 24.10.1 (r28597-0425664679) with LuCI 25.103.51521~2ac26e5.

I'm running into critical issues when applying VLAN filtering, including:

Core Problems

  1. Fallback port (LAN1) with static IP (192.168.100.1) fails to respond, whether LAN1 is in or outside of br-lan (tried both, as ChatGPT suggested each at different times, lol)
  2. After saving VLAN filtering rules, LAN drops entirely — PC gets a self-assigned IP, no DHCP
  3. Meanwhile (also after saving VLAN filtering rules), LuCI's 90-second rollback triggers. The rollback wipes out all bridge VLAN filtering rows

Intended System

Device: GL.iNet Flint 2
OpenWRT: 24.10.1 (official)
LuCI: 25.103.51521~2ac26e5
VLAN config: via Bridge VLAN Filtering on br-lan
VPN config: intended via WireGuard using vpn-policy-routing or pbr

Intended Network

| VLAN | Interface  | SSID Name | Subnet          | Purpose                          | LAN Port | VPN? |
|------|------------|-----------|-----------------|----------------------------------|----------|------|
| 10   | core_novpn | apple     | 192.168.10.0/24 | Private trusted devices (no VPN) | LAN3–5   | No   |
| 20   | core_vpn   | banana    | 192.168.20.0/24 | VPN-routed trusted devices       |          | Yes  |
| 30   | iot        | crouton   | 192.168.30.0/24 | Isolated IoT                     |          | No   |
| 40   | iot_p2p    | dogpatch  | 192.168.40.0/24 | Gaming/TV with local LAN access  | LAN2     | No   |

SSID Layout

  • 2.4 GHz:
    • crouton (VLAN 30)
    • dogpatch (VLAN 40)
  • 5 GHz:
    • apple (VLAN 10)
    • banana (VLAN 20)

Wired Port Plan

| LAN Port | Role            | VLAN | Notes                            |
|----------|-----------------|------|----------------------------------|
| LAN1     | Fallback port   |      | Static IP 192.168.100.1, no DHCP |
| LAN2     | Gaming device   | 40   | Untagged on VLAN 40              |
| LAN3–5   | Trusted devices | 10   | Untagged on VLAN 10              |

Firewall & VPN Plan

  • Each VLAN/interface has a dedicated firewall zone
  • IoT (iot) is isolated via zone + AP isolation
  • iot_p2p allows intra-VLAN communication
  • core_vpn will route through WireGuard via vpn-policy-routing or pbr

Any insights into common mistakes while setting up fallback ports and VLAN filtering would be a huge help. I've already bricked the router twice, and once I even thought I had to UART it because the reset mechanism was unreliable.
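As an added example that is not part of the original post (and not GL.iNet's or OpenWRT's own configuration), here is the `/etc/config/network` layout the plan above describes, written in UCI syntax by a small shell function so the same text can be pre-checked before `uci commit`. It assumes the port names lan1..lan5 as the post uses them, the interface names from the table, `.1` as the gateway in each subnet, and that the fallback port is a plain `lan1` that is not a br-lan member. The two checks are my own: one flags a port that is both listed under br-lan and used as the `device` of a standalone interface (the usual way a fallback port ends up dead), the other flags a port given untagged+PVID (`:u*`) in more than one bridge VLAN.

```shell
#!/bin/sh
# Added example, not from the original post: intended /etc/config/network for the
# VLAN plan, plus two pre-flight checks. Assumptions: ports lan1..lan5, .1 gateways,
# lan1 kept out of br-lan as the fallback device.

# Emit the network config; the arguments are the br-lan member ports.
# VLANs 20 and 30 are wireless-only, so their bridge-vlan sections list no ports;
# the wifi-ifaces attach to them by naming the interface (core_vpn, iot).
network_cfg() {
    printf "config device\n\toption name 'br-lan'\n\toption type 'bridge'\n"
    for p in "$@"; do printf "\tlist ports '%s'\n" "$p"; done
    cat <<'EOF'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'lan5:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'

config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'lan2:u*'

config interface 'core_novpn'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'iot_p2p'
	option device 'br-lan.40'
	option proto 'static'
	option ipaddr '192.168.40.1'
	option netmask '255.255.255.0'

config interface 'fallback'
	option device 'lan1'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'
EOF
}
# core_vpn and iot follow the core_novpn pattern on br-lan.20 / br-lan.30 (omitted for brevity).

# Ports listed under a bridge device that are also the 'device' of a standalone interface.
bridged_and_standalone() {
    printf '%s\n' "$1" | awk -v q="'" '
        /^config device/    { sec = "device"; next }
        /^config interface/ { sec = "iface";  next }
        /^config /          { sec = "other";  next }
        sec == "device" && $1 == "list"   && $2 == "ports"  { gsub(q, "", $3); bridged[$3] = 1 }
        sec == "iface"  && $1 == "option" && $2 == "device" { gsub(q, "", $3); standalone[$3] = 1 }
        END { for (p in standalone) if (p in bridged) print p }' | sort
}

# Ports assigned untagged+PVID (":u*") in more than one bridge-vlan section.
pvid_conflicts() {
    printf '%s\n' "$1" | awk -v q="'" '
        /^config bridge-vlan/ { sec = "vlan";  next }
        /^config /            { sec = "other"; next }
        sec == "vlan" && $1 == "list" && $2 == "ports" {
            gsub(q, "", $3); n = split($3, f, ":")
            if (n == 2 && index(f[2], "*")) pvid[f[1]]++
        }
        END { for (p in pvid) if (pvid[p] > 1) print p }' | sort
}

# Stand-alone run: the intended layout versus one that leaves lan1 inside br-lan
# while also using it as the fallback device.
main() {
    good=$(network_cfg lan2 lan3 lan4 lan5)
    bad=$(network_cfg lan1 lan2 lan3 lan4 lan5)
    printf '%s\n\n' "$good"
    echo "intended layout, bridged+standalone ports: [$(bridged_and_standalone "$good")]"
    echo "mistaken layout, bridged+standalone ports: [$(bridged_and_standalone "$bad")]"
    echo "intended layout, PVID conflicts:           [$(pvid_conflicts "$good")]"
}
main
```

Two caveats a practitioner would check alongside this: in fw4 a zone with no `option input` inherits the `defaults` section's input policy, which is REJECT on a stock install, so the `fallback` network needs a zone with `option input 'ACCEPT'` (or membership in the lan zone) before SSH or LuCI will answer on 192.168.100.1, and a client plugged into LAN1 must carry a manually configured 192.168.100.x address since no DHCP runs there. LuCI's rollback fires whenever the browser session loses the router during the apply window, so once the fallback interface answers, applying bridge VLAN changes from a session on LAN1 keeps that session independent of whatever happens to br-lan.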