[ho1Aetoo]

You must be registered in the forum and logged in to see the attachments!

The thread is valid for all newer firmware builds ≥ r52217

At the moment the thread is mainly for Atheros routers with 2 CPU ports like:
NETGEAR R7800, XR500, XR450, R7500, R7500V2, ASROCK G10, LINKSYS EA8500, D-Link DAP-3662, DIR-862L, TP-LINK Archer C7 v1-3, TL-WR1043ND v2, Comfast CF-WR650AC, Buffalo WZR-450HP2 etc...

The settings also work on Marvel routers like: WRT1200AC, WRT1900AC, WRT1900ACV2, WRT1900ACS, WRT3200ACM, WRT32X

If you have old CLI VLAN settings then remove them first or reset the router.

It is advantageous if you have a working WLAN connection when configuring the switch.
If you lock yourself out and the LAN ports no longer work, you can still connect to the router via WiFi.

The screenshots are from my R7800, so the port assignment shown via "swconfig dev switch0 show" may differ on other devices.

The "switch config tab" received a small update and the CPU ports are now configurable.
Finally VLANs can be configured via GUI on routers with multiple CPU ports.

The screenshot shows the "default configuration"

[ho1Aetoo]

Simple VLAN 7 tagging on the WAN port.
No other settings are necessary.

(change the 7 to the desired VLAN ID)

[ho1Aetoo]

"assign WAN port to switch"

If you have configured the router as WAP and don't need a WAN port you can assign the WAN port to the LAN.

[ho1Aetoo]

two connected WAN ports
works like a 2 port switch in front of the router

(no it is not a "dual-WAN")

[ho1Aetoo]

Simple LAN side port VLAN
Port 1-3 are in VLAN1
Port 4 is in VLAN3

By default all interfaces are bridged with br0
But you can assign e.g. VLAN3 to br1 and bridge it with a guest WLAN etc.

(small hint: if the CPU ports are tagged then VLAN interfaces are created automatically)

[ho1Aetoo]

a second variant to tag the WAN port
In this example it is not done by the switch but by the processor.

This variant requires a bit more resources but has the advantage that the switch allows non-tagged traffic to pass through and you can access e.g. the WebIF of the modem.

I use VLAN7 again as an example

[ho1Aetoo]

Trunk-Port Link between Main-Router and Wireless-Access-Point (WAP).

The regular LAN and the guest network are transported via the Trunk-Port.
The DHCP Server and DNS Server are located on the Main-Router

Main-Router:

WAN-Port = WAN
Port 1-3 = LAN
Port 4 = Trunk

Wireless-Access-Point:

WAN-Port = LAN
Port 1-3 = LAN
Port 4 = Trunk

[ho1Aetoo]

Net Isolation

The settings shown in the screenshots are sufficient.

The GUI setting "Net Isolation" isolates interfaces from br0
This means that no connection between br0 <-> br1 is possible.

However, if you have created several new bridges and want a more finely controlled isolation, manual firewall settings are necessary.

As already mentioned, "Net Isolation" only isolates against br0, which means that br1 and br2 are not isolated from each other, for example

Manual firewall rules for isolation.
Insert the firewall rules in the "Diagnostics.asp" tab. (for a trunk port setup with a WAP, the rules are placed on the main router!).

Full isolation - short version

[ho1Aetoo]

reserved for further examples

[ho1Aetoo]

reserved for further examples