[ho1Aetoo]

You must be registered in the forum and logged in to see the attachments!

The thread is valid for all newer firmware builds ≥ 54429

At the moment the thread is mainly for Broadcom routers with 1 CPU port, but the settings also work for other routers with 1 CPU port.

Note: on Broadcom routers the interfaces eth1 + eth2 are the WLAN radios and not LAN interfaces
The VAPs (Virtual Access Points) on this router are called wl0.1 wl0.2 etc

If you have old CLI VLAN settings then remove them first or reset the router.

It is advantageous if you have a working WLAN connection when configuring the switch.
If you lock yourself out and the LAN ports no longer work, you can still connect to the router via WiFi.

The screenshots are from egc's E2000, so the port assignment shown via "swconfig dev switch0 show" may differ on other devices.

The "switch config tab" received a small update and the CPU port is now configurable.

The screenshot shows the "default configuration"

[ho1Aetoo]

Simple VLAN 7 tagging on the WAN port.
No other settings are necessary.

(change the 7 to the desired VLAN ID)

[ho1Aetoo]

"assign WAN port to switch"

If you have configured the router as WAP and don't need a WAN port you can assign the WAN port to the LAN.

[ho1Aetoo]

two connected WAN ports
works like a 2 port switch in front of the router

(no it is not a "dual-WAN")

[ho1Aetoo]

Simple LAN side port VLAN
Port 1-3 are in VLAN1
Port 4 is in VLAN3

By default all interfaces are bridged with br0
But you can assign e.g. VLAN3 to br1 and bridge it with a guest WLAN etc.

(small hint: if the CPU ports are tagged then VLAN interfaces are created automatically)

[ho1Aetoo]

Trunk-Port Link between Main-Router and Wireless-Access-Point (WAP).

The regular LAN and the guest network are transported via the Trunk-Port.
The DHCP Server and DNS Server are located on the Main-Router

Main-Router:

WAN-Port = WAN
Port 1-3 = LAN
Port 4 = Trunk

Wireless-Access-Point:

WAN-Port = LAN
Port 1-3 = LAN
Port 4 = Trunk

[ho1Aetoo]

Net Isolation

The settings shown in the screenshots are sufficient.

The GUI setting "Net Isolation" isolates interfaces from br0
This means that no connection between br0 <-> br1 is possible.

However, if you have created several new bridges and want a more finely controlled isolation, manual firewall settings are necessary.

As already mentioned, "Net Isolation" only isolates against br0, which means that br1 and br2 are not isolated from each other, for example

Manual firewall rules for isolation.
Insert the firewall rules in the "Diagnostics.asp" tab. (for a trunk port setup with a WAP, the rules are placed on the main router!).

Full isolation - short version