GL-BE3600 Router Configuration

Last Updated: 2025-12-26
Status: Production
Source: network-infrastructure.md + network inventory

---

Overview

The GL-BE3600 router (GL-iNet Slate 7) is the core network infrastructure device for the Bluefly-Agents network. This document provides complete configuration details and the factory reset playbook.

---

Router Specifications

• Product: GL.iNet GL-BE3600 (Slate 7)
• URL: https://www.gl-inet.com/products/gl-be3600/
• Device ID: xa1b1d2
• Dynamic DNS: https://xa1b1d2.glddns.com
• MAC Address: 94:83:C4:C1:B1:D2
• Hostname: gl-be3600
• Local IP: 192.168.8.1
• Tailscale IP: 100.116.110.123
• Tailscale Device ID: ndRxB1mxgp11CNTRL
• Tailscale Domain: gl-be3600.tailcf98b3.ts.net
• Role: Subnet router for agent network
• Subnet: 192.168.8.0/24 (Bluefly-Agents network)

---

Network SSIDs

BlueflySecure (SSID 1 - Required)

• Purpose: Computer/workstation network
• Security: WPA3
• Client Isolation: OFF
• Admin Access: Allowed
• Tailscale: Enabled

Bluefly-Agents (SSID 2 - Required)

• Purpose: Agent network (dedicated agent infrastructure)
• Security: WPA3
• Client Isolation: OFF
• Admin Access: Allowed
• Tailscale: Enabled
• Subnet: 192.168.8.0/24

Bluefly-Agent-Guest (SSID 3 - Optional)

• Security: WPA2/WPA3 mixed
• Client Isolation: ON
• Block Router Access: Enabled
• Tailscale: Disabled

---

GL.iNet "Factory Reset Hardened" Playbook

Use this once, then never touch random toggles again.

This playbook provides step-by-step instructions for configuring the GL-BE3600 router from factory reset to hardened production configuration.

Step 0 Factory Reset

1. Reset device to factory defaults
2. Update firmware to latest version
3. Reboot device

Step 1 WAN Configuration

• Mode: Router
• WAN Source: Hotel Wi-Fi / Ethernet / Phone
• MAC Clone: Optional (only if captive portal issues)

Step 2 LAN / SSIDs

SSID 1 (Required): BlueflySecure

• Purpose: Computer/workstation network
• WPA3 security
• Client isolation: OFF
• Admin access: Allowed

SSID 2 (Required): Bluefly-Agents

• Purpose: Agent network (dedicated agent infrastructure)
• WPA3 security
• Client isolation: OFF
• Admin access: Allowed
• Subnet: 192.168.8.0/24

SSID 3 (Optional): Bluefly-Agent-Guest

• WPA2/WPA3 mixed
• Client isolation: ON
• Block router access
• No Tailscale

Step 3 Firewall

• UPnP: OFF
• Port Forwards: NONE
• WAN Admin Access: OFF

Step 4 DNS

• Use: Cloudflare (1.1.1.1 / 1.0.0.1)
• Enforce DNS: ON (recommended)

Step 5 Tailscale (Critical)

In Tailscale (Beta) screen:

This is non-negotiable.

Step 6 Reboot

Reboot once. Do not "tune".

---

Current Configuration Status

Tailscale Settings

Network Configuration

• Local IP: 192.168.8.1
• Subnet: 192.168.8.0/24
• Dynamic DNS: https://xa1b1d2.glddns.com
• Firewall: UPnP OFF, No port forwards
• DNS: Cloudflare (1.1.1.1 / 1.0.0.1)

---

Security Checklist

• UPnP disabled
• No port forwards
• WAN admin access disabled
• DNS enforced (Cloudflare 1.1.1.1)
• Tailscale Funnel OFF
• Tailscale exit node OFF
• WPA3 security on all SSIDs
• Subnet routing properly configured

---

Troubleshooting

Router Not Accessible

1. Check Tailscale connection: tailscale ping 100.116.110.123
2. Verify router is online in Tailscale admin
3. Check local network connection
4. Verify router IP: 192.168.8.1

Subnet Routing Not Working

1. Verify subnet routing is ON in router Tailscale settings
2. Check route is approved in Tailscale admin
3. Verify subnet: 192.168.8.0/24
4. Test connectivity: ping 192.168.8.1 from Tailscale device

DNS Issues

1. Verify DNS is set to Cloudflare (1.1.1.1 / 1.0.0.1)
2. Check "Enforce DNS" is ON
3. Test DNS resolution: nslookup google.com 1.1.1.1

---

Related Documentation

• Router README - Router documentation index
• SSID Configuration - WiFi network details
• Firewall Rules - Security configuration
• Network Overview - Complete network architecture
• Tailscale Documentation - Tailscale integration