Welcome to the GL.iNet community guide

This guide walks you through every setting on your GL.iNet modem in the same order you see them in the admin panel. Each option is explained in plain language, with example values (placeholders only—never use your real passwords or network names here).

Where a setting affects either speed or security, you’ll see a clear recommendation and the reason why.

INTERNET

Settings for your main internet (WAN) connection: how the modem connects to your ISP and gets online.

  • WAN / Connection type — How the modem gets an IP (DHCP, PPPoE, static, etc.). Match what your ISP requires.
  • Example — Often DHCP for home fibre/cable; PPPoE if your ISP gave you a username and password.
Security — If you use PPPoE, keep the password only in the modem; don’t share it. Prefer WPA2/WPA3 on Wi‑Fi.

WIRELESS

Wi‑Fi for 5 GHz and 2.4 GHz. Names and passwords below are placeholders—replace with your own only in the modem UI, never in public.

5 GHz Wi‑Fi

Enable Wi‑Fi
Turn 5 GHz Wi‑Fi on or off. Use ON for best speed where supported.
TX Power
Transmit power (e.g. Max, Medium). Higher = longer range, more interference; lower = less range, often cleaner signal.
Wi‑Fi Name (SSID)
Network name others see. Example placeholder: Your-5GHz-Network-Name.
Enable Randomized BSSID
Changes the access point’s identifier to reduce tracking. Recommendation: turn ON for privacy.
Wi‑Fi Security
Use WPA2-PSK or WPA3 if available. Avoid WEP and open networks.
Wi‑Fi Password
Use a strong, unique password. Example placeholder: •••••••• (set your own in the modem).
SSID Visibility
Shown = visible in scan lists; Hidden = not shown (slightly more obscure, not real security).
Wi‑Fi Mode
e.g. 11a/n/ac/ax. “ax” = Wi‑Fi 6 for best speed; allow older modes if you have older devices.
Bandwidth
e.g. 80 MHz. Wider = faster; narrower = better in crowded areas.
Channel
Auto lets the modem pick; or set a fixed channel to avoid neighbours’ interference.

2.4 GHz Wi‑Fi

Same types of settings as 5 GHz: Enable, TX Power, SSID (e.g. placeholder Your-2.4GHz-Network-Name), security (WPA2/WPA3), password, visibility, mode (e.g. 11b/g/n/ax), bandwidth (e.g. 20/40 MHz), channel.

Speed vs security — For speed: 5 GHz, 80 MHz, Wi‑Fi 6 (ax). For security: WPA3 or WPA2-PSK, strong password, Randomized BSSID ON. Best: enable both 5 GHz and 2.4 GHz with strong security.
Tips — Use WPA3 or WPA3-SAE if your modem offers it (stronger than WPA2). Keep Randomized BSSID ON for privacy. Use a long, random Wi‑Fi password (16+ characters). For guests, use a separate Guest Wi‑Fi with its own SSID and password and keep client/AP isolation ON. Hiding the SSID is weak security; keeping it shown is fine.

CLIENTS

List of devices connected to your modem (IP, MAC, name). Use this to see who’s on the network and to apply parental controls or QoS per device.

  • No personal data is shown in this guide; in your modem you’ll see your own devices.

CLOUD SERVICES

GoodCloud

GL.iNet's remote management: access and manage your router from elsewhere. Convenient but adds a cloud dependency.

AstroWarp

Another cloud/remote feature from GL.iNet. Check the modem’s help for current description.

Security — Enabling cloud access means your modem is reachable from the internet. Use a strong admin password and only enable if you need remote access.

VPN

VPN Dashboard, OpenVPN and WireGuard client/server. Use Client to send your traffic through a VPN provider; use Server to let you connect back home securely.

  • VPN Dashboard — Overview and status of VPN.
  • OpenVPN Client / Server — Classic, widely compatible VPN.
  • WireGuard Client / Server — Modern, fast VPN with simpler config.
Speed vs securityWireGuard is usually faster and simpler; OpenVPN is very well tested and supported everywhere. For best speed with good security: prefer WireGuard when your provider supports it.

NETWORK

Multi-WAN

The modem can use several internet links (Ethernet, Repeater, Tethering, Cellular).

Interface Status Track
Monitors each link (e.g. via ping). Use Sensitivity Options to tune when a link is considered down.
Mode
Failover — Use one link; if it fails, switch to the next (reliability). Load Balance — Use multiple links at once for more total bandwidth (speed). Note: a single connection (e.g. one video stream) usually still uses one link.
Interface Priority
Order of interfaces (e.g. Ethernet first, then Repeater, Tethering, Cellular). Drag to reorder.
Recommendation — Prefer Failover for stability and predictable behaviour; use Load Balance when you need maximum throughput and understand that per-connection speed may not double.
Tips — For security, keep Failover (one path at a time; simpler and more predictable). Use Load Balance only when you need extra bandwidth and accept traffic over multiple ISPs. Priority: Ethernet first, then Repeater, Tethering, Cellular (or drag to match your main link). Sensitivity: Medium is a good default; High for faster failover (e.g. streaming), Low if your link is unstable.

LAN

Local network and DHCP. Use private ranges only (e.g. 192.168.x.x, 10.x.x.x).

Router IP Address
Modem’s IP on the LAN. Example: 192.168.8.1 (typical; your subnet may differ).
Netmask
e.g. 255.255.255.0 for a /24 subnet.
AP Isolation
When ON, Wi‑Fi clients cannot talk to each other. Good for guest networks; leave OFF for normal home use.

DHCP Server

Automatic IP assignment for devices. If you disable it, you must set IPs manually on each device.

Enable
ON = modem gives out IPs; OFF = you assign static IPs yourself.
Start / End IP Address
Range, e.g. 192.168.8.100192.168.8.249. Must be in the same subnet as the router IP.
Lease Time
How long a device keeps an IP (e.g. 720 minutes). Shorter = more churn; longer = stable.
Gateway / DNS Server 1 & 2
Optional. If empty, devices usually get the router as gateway and use the modem’s DNS (e.g. AdGuard Home if enabled).
Tips — For securest DNS for all clients, set DNS Server 1 = 1.1.1.1 and DNS Server 2 = 1.0.0.1 (Cloudflare), or 9.9.9.9 and 149.112.112.112 (Quad9). That gives every device encrypted-capable DNS by default. Keep AP Isolation Off on your main LAN (so devices can see each other for casting/NAS); use On only for a separate guest or IoT SSID.

Address Reservation

Assign a fixed IP to a device by MAC address. Good for servers, printers, or port forwarding. Devices may need to reconnect to get the new IP.

Guest Network

Separate Wi‑Fi for guests, often with AP isolation. Use a different SSID and password from your main network.

Tips — Keep AP Isolation On so guest devices cannot talk to each other or your main LAN. Turn Block WAN Subnets On (if available) so guests can only reach the internet, not your internal subnets (e.g. 192.168.8.x).

DNS

Domain name resolution. If AdGuard Home or another app is enabled, it may act as DNS; otherwise you can set upstream servers here or in APPLICATIONS → AdGuard Home.

Rate limit
Requests per second per client (e.g. 20). 0 = no limit. Helps prevent abuse.
Subnet prefix length (IPv4 / IPv6)
Used for rate limiting. Defaults e.g. 24 (IPv4), 56 (IPv6).
Enable DNSSEC
Validates DNS replies. Recommendation: ON if your upstream DNS supports it (better security).
Blocking mode
How to respond for blocked domains: Default (0.0.0.0 / ::), REFUSED, NXDOMAIN, Null IP, or Custom IP. Default is fine for most.
Blocked response TTL
How long clients cache blocked replies (e.g. 10 seconds).
Tips — For securest: turn DNS Rebinding Attack Protection On; set Override DNS for all clients On; use Manual DNS with e.g. 1.1.1.1 / 1.0.0.1 (Cloudflare) or 9.9.9.9 / 149.112.112.112 (Quad9). If you use a VPN, set Allow Custom DNS to Override VPN DNS Off so VPN DNS is used inside the tunnel. Enable DNS over TLS/HTTPS if the modem offers it.

Ethernet Port

Settings for the physical Ethernet ports (speed/duplex, VLANs if supported).

IPv6

When enabled, the WAN can get an IPv6 address (e.g. via DHCPv6). You can also set it in Ethernet settings.

Enabled IPv6
Toggle IPv6 on or off.
LAN Mode
e.g. NAT6. Defines how IPv6 is used on the LAN.
DNS acquisition method
Automatic — From ISP. Manual DNS — You choose (e.g. Cloudflare, AdGuard) for privacy/filtering. Manual is recommended for more control.
Note — Some features (Firewall, GoodCloud, OpenVPN DCO) may not support IPv6 yet. If you rely on them, check before enabling IPv6.

IGMP Snooping

Listens to IGMP and builds Layer 2 multicast forwarding so only hosts that joined a multicast group get that traffic (e.g. for IPTV).

Enable
Turn IGMP Snooping on or off.
Version
IGMPv3 is compatible with v1/v2. Use v3 by default; switch only if you have issues.

Network Mode

Router, Access Point, Repeater, or Bridge. Defines whether the modem routes, extends Wi‑Fi, or only bridges.

Drop-in Gateway

GL.iNet feature to act as a transparent gateway (e.g. for VPN or ad-blocking) without changing the rest of the network topology.

Tips — Turn On when the modem is behind another router and you want all client traffic to use this modem’s VPN, AdGuard, or DNS. Turn Off when this modem is your only router (direct to ISP).

FLOW CONTROL

Parental Control

Restrict access by device or schedule (e.g. block certain sites or time windows). Configure per client; no personal data is used in this guide.

SECURITY

Port Forwarding

DMZ

DMZ exposes one device to the internet: all inbound traffic can be sent to that device. Use only if you need it (e.g. a game or server); it increases attack surface.

Enable DMZ
ON = one LAN device receives all forwarded inbound traffic. Keep OFF unless you understand the risk.

Port Forwarding rules

Forward specific ports (e.g. 80, 443, 8080) to a LAN device by IP and port. Needed for hosting servers or some games. If two rules conflict on external port, the higher-priority rule wins.

Security — Only forward ports you actually need to a device you trust. Prefer disabling DMZ and using explicit port forwarding instead.
TipsNever forward ports 22 (SSH), 80, 443, 8080, 8443 to your router or main PC. Forward only the exact port(s) needed, to one device IP (use reservation). Prefer a VPN (e.g. WireGuard server) on the modem to reach home from outside instead of opening ports. Keep Full Cone NAT Off (symmetric/restricted is stricter; Full Cone lets any internet host use an open mapping). Keep SIP ALG Off unless a VoIP provider requires it (it often breaks calls).

Management Control

Who can access the modem’s web interface (e.g. from LAN only, or restrict by IP).

NAT Mode

How NAT is applied (e.g. symmetric vs full-cone). Usually default is fine unless you have specific requirements.

Tips — Set a strong admin password. Turn Force HTTPS On and disable login from WAN (HTTPS/SSH Remote Access Off) so the web UI is only reachable from your LAN. Set Allow Ping from WAN Off. Enable SSH only if you need it; use a non-standard port (e.g. 2222) to reduce scans. Keep firmware updated.

APPLICATIONS

  • Plug-ins — Extra features you can install on the modem.
  • Dynamic DNS — Update a hostname with your current public IP (useful if your IP changes).
  • Network Storage — Use attached USB storage for file sharing.
  • AdGuard Home — DNS-level ad/tracker blocking. When ON, it can act as DNS and use custom upstream servers (see below).
  • Tailscale / ZeroTier — Mesh VPN / overlay networks for secure access between your devices.
  • Tor — Route traffic through the Tor network for anonymity.

AdGuard Home — DNS settings

When AdGuard Home is enabled, configure upstream DNS and query behaviour here.

Upstream DNS servers
One server per line. Examples: 8.8.8.8, 9.9.9.9, or encrypted: tls://unfiltered.adguard-dns.com, https://.... Use TLS/HTTPS for privacy.
Query handling
Load-balancing — One upstream at a time, chosen by performance. Parallel requests — Ask all at once, use first reply (faster, more traffic). Fastest IP — Wait for all, return fastest IP (can improve connectivity, slower DNS).
Recommendation — For security/privacy: use tls:// or https:// upstreams and enable DNSSEC if available. For speed: parallel requests can reduce latency; load-balancing is a good default.
TipsDNS over QUIC (DoQ) is not in the router’s Manual DNS list; you can use it by setting AdGuard Home’s upstream to e.g. quic://dns.adguard-dns.com in the AdGuard dashboard. AdGuard DNS blocks ads/trackers; Cloudflare 1.1.1.1 is fast with no blocking (use 1.1.1.2/1.0.0.2 for malware blocking). In Manage Sources, use only official or trusted plug-in sources; remove unknown ones.

SYSTEM

  • Overview — Status, uptime, firmware version.
  • Admin Password — Change the password for the web admin. Use a strong, unique password.
  • Upgrade — Firmware updates. Keep the modem updated for security and features.
  • Scheduled Tasks — Reboot or other tasks on a schedule.
  • Time Zone — Set correctly so logs and schedules are accurate.
  • Reset Firmware — Factory reset. Erases your settings; use only when needed.
  • Log — System and connection logs. Clear or export if you need to; avoid sharing logs that might contain private info.
  • Advanced Settings — Extra low-level options. Change only if you know what they do.
Security — Change the default admin password, keep firmware updated, and don’t expose the admin interface to the internet unless necessary.
TipsUpgrade: use “Common upgrade” (download the .img/.bin and SHA256 from GL.iNet); use “U-Boot” only for recovery. Connect via Ethernet during upgrade; don’t power off. Backup before upgrading (e.g. System → Advanced → Go to LuCI → Backup, or via SSH sysupgrade -b). Optional: scheduled reboot (e.g. weekly at night) for stability. For more options, use SSH (UCI, /etc/config/) or install LuCI.