Date Published: 2025-08-01
First of all, I am not responsible for any mistakes, damages, or anything else that happens as a result of your using my guide. It is a guide; use it to learn from.
This guide walks you through the setup of VLANs on a GL.iNet Flint 3 (GL-BE9300) router using OpenWRT’s UCI system. It includes:
- Configuring VLAN 20 (Guest) for trunking only
- Fixing DHCP and firewall setup
- Creating a new VLAN 30 (IOT) with internet-only access and full intra-VLAN isolation
📌 Section 1: Clean Up VLAN 20 (Guest)
We assume VLAN 20 already exists and is used for the guest Wi-Fi network, passed through trunk port 3.
✅ Step 1: Update VLAN 20 to remove all untagged physical ports
uci set network.vlan_guest.ports='3t 6t'
uci commit network
This configuration:
- Keeps `3t`: your trunk uplink to the switch
- Keeps `6t`: CPU interface (for routing/firewall/DHCP)
- Removes physical ports from being untagged members
✅ Step 2: Reboot router
Use this instead of `network restart`, which may break things:
reboot
📌 Section 2: Troubleshooting DHCP or Interface Issues
If DHCP fails or `br-guest` is misconfigured:
- NOT REQUIRED/OPTIONAL: Ensure `/etc/config/network` uses `eth1.20` as the `option device` for the `guest` interface.
- Remove or fix any broken `br-guest` references:
uci delete network.br-guest
uci commit network
- Verify DHCP setup in `/etc/config/dhcp`:
uci show dhcp.guest
Should look like:
dhcp.guest=dhcp
dhcp.guest.interface='guest'
dhcp.guest.start='50'
dhcp.guest.limit='240'
dhcp.guest.leasetime='720m'
📌 Section 3: Create VLAN 30 (IOT)
This VLAN is designed for IoT devices with internet access only and no communication between the devices themselves.
✅ Step 1: Create VLAN 30 switch config
uci set network.vlan_iot='switch_vlan'
uci set network.vlan_iot.device='switch1'
uci set network.vlan_iot.vlan='30'
uci set network.vlan_iot.ports='3t 6t'
This trunks VLAN 30 on port 3; connect a downstream AP or switch there if needed.
✅ Step 2: Create subinterface for VLAN 30
uci set network.eth1_30='device'
uci set network.eth1_30.name='eth1.30'
uci set network.eth1_30.type='8021q'
uci set network.eth1_30.ifname='eth1'
uci set network.eth1_30.vid='30'
✅ Step 3: Create the IOT interface
uci set network.iot='interface'
uci set network.iot.device='eth1.30'
uci set network.iot.proto='static'
uci set network.iot.ipaddr='192.168.30.1'
uci set network.iot.netmask='255.255.255.0'
✅ Step 4: Enable DHCP for IOT
uci set dhcp.iot='dhcp'
uci set dhcp.iot.interface='iot'
uci set dhcp.iot.start='100'
uci set dhcp.iot.limit='150'
uci set dhcp.iot.leasetime='12h'
✅ Step 5: Create the IOT firewall zone
uci add firewall zone
uci set firewall.@zone[-1].name='iot'
uci set firewall.@zone[-1].network='iot'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
✅ Step 6: Allow IOT to access WAN
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='iot'
uci set firewall.@forwarding[-1].dest='wan'
✅ Step 7: Allow DHCP & DNS on IOT
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-IOT-DHCP'
uci set firewall.@rule[-1].src='iot'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].dest_port='67-68'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-IOT-DNS'
uci set firewall.@rule[-1].src='iot'
uci set firewall.@rule[-1].proto='tcp udp'
uci set firewall.@rule[-1].dest_port='53'
uci set firewall.@rule[-1].target='ACCEPT'
✅ Step 8: Block intra-VLAN traffic (device-to-device)
uci add firewall rule
uci set firewall.@rule[-1].name='Block-IOT-Intra'
uci set firewall.@rule[-1].src='iot'
uci set firewall.@rule[-1].dest='iot'
uci set firewall.@rule[-1].target='REJECT'
uci set firewall.@rule[-1].proto='all'
✅ Final Step: Commit and Reboot
uci commit
reboot
Do not use `/etc/init.d/network restart` on this model; it causes script errors.
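To confirm that what was committed actually matches the layout built in Sections 1 and 3, here is an added shell audit (example code written for this page, not from the guide, GL.iNet or OpenWrt). It parses text in the format `uci export` prints and checks the properties that matter for isolation: both VLANs have only tagged members, the `iot` zone rejects input and forwarding by default, nothing forwards `iot` into `lan`, and the Wi-Fi interface on the `iot` network has client isolation on. The embedded config is a constructed sample mirroring the guide's settings; the `wifi-iface` section (`iot_wifi`) with its `isolate` option is an assumption, since the guide does not show the wireless side of VLAN 30. The helper names `sample_config`, `section_option` and `audit_iot` are this example's own. On the router you would feed the functions the output of `uci export network firewall wireless` instead of the sample.

```shell
#!/bin/sh
# Audit helpers for the VLAN/firewall layout above. Added example, not part
# of the guide: it parses `uci export`-style text, so on the router the
# sample below can be replaced by real output.

# Constructed sample in `uci export` format, mirroring Sections 1 and 3.
# The wifi-iface section is an assumption (the guide does not show it).
sample_config() {
	cat <<'EOF'
config switch_vlan 'vlan_guest'
	option device 'switch1'
	option vlan '20'
	option ports '3t 6t'

config switch_vlan 'vlan_iot'
	option device 'switch1'
	option vlan '30'
	option ports '3t 6t'

config zone
	option name 'iot'
	option network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config forwarding
	option src 'iot'
	option dest 'wan'

config wifi-iface 'iot_wifi'
	option network 'iot'
	option isolate '1'
EOF
}

# Print the value of option WANT from every section of type TYPE whose
# option KEYOPT equals KEY. Usage: section_option CONFIG TYPE KEYOPT KEY WANT
section_option() {
	printf '%s\n' "$1" | awk -v q="'" -v type="$2" -v keyopt="$3" -v key="$4" -v want="$5" '
	function flush() {
		if (stype == type && opt[keyopt] == key && (want in opt)) print opt[want]
		split("", opt)                                  # clear the array
	}
	$1 == "config" { flush(); stype = $2; next }
	$1 == "option" {
		v = $0
		sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v)   # drop "option <name> "
		gsub(q, "", v)                                  # strip the quotes
		opt[$2] = v
	}
	END { flush() }'
}

# 0 when every token in a switch_vlan 'ports' value ends in 't' (tagged),
# i.e. the VLAN has no untagged physical members (Section 1, Step 1).
ports_all_tagged() {
	[ -n "$1" ] || return 1
	for p in $1; do
		case "$p" in
			*t) ;;
			*) return 1 ;;
		esac
	done
	return 0
}

# 0 when zone ZONE rejects both input and forward by default (Step 5).
zone_is_locked_down() {
	[ "$(section_option "$1" zone name "$2" input)" = "REJECT" ] &&
	[ "$(section_option "$1" zone name "$2" forward)" = "REJECT" ]
}

# 0 when no forwarding section sends zone SRC into zone DEST; an
# iot -> lan forwarding would hand the IoT VLAN a path into the LAN.
no_forwarding() {
	for d in $(section_option "$1" forwarding src "$2" dest); do
		[ "$d" = "$3" ] && return 1
	done
	return 0
}

# 0 when the wifi-iface on network NET has client isolation enabled.
wifi_isolated() {
	[ "$(section_option "$1" wifi-iface network "$2" isolate)" = "1" ]
}

# Run all checks against CONFIG, print one line each, return 0 only if all pass.
audit_iot() {
	acfg=$1
	ok=0
	check() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; ok=1; fi; }
	check ports_all_tagged "$(section_option "$acfg" switch_vlan vlan 20 ports)"
	check ports_all_tagged "$(section_option "$acfg" switch_vlan vlan 30 ports)"
	check zone_is_locked_down "$acfg" iot
	check no_forwarding "$acfg" iot lan
	check wifi_isolated "$acfg" iot
	return $ok
}

audit_iot "$(sample_config)"
```

The `Block-IOT-Intra` rule from Step 8 is deliberately not one of the checks: a zone rule with `src` and `dest` both set is evaluated only for traffic the router forwards, and two clients on the same VLAN reach each other through the switch or access point without the router ever seeing the packets. What does cover device-to-device traffic on the Wi-Fi side is the `isolate` option on the `wifi-iface` (client isolation), which is why the audit looks for it; wired clients behind a downstream switch need port isolation configured on that switch.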
✅ Done!
You now have:
- VLAN 20 (guest) properly trunked
- VLAN 30 (iot) with DHCP, internet, isolation, and firewall