The wiki has lots of guides that explain how. _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
It seems that you don't understand the interfaces, which is probably causing the rest of your trouble. By default this router should have the WAN port in vlan1, the 4 LAN ports in vlan0, the wireless is its own interface (run nvram get wl0_ifname to find out the interface name), and a bridge br0 with vlan0 and the wireless interface in it.
Creating bridges works perfectly fine from the GUI if you're using any build from the last year, but you should really need to anyways unless you're trunking to another device. Instead of moving port 4 to vlan2 and bridging it with the wifi, you can just leave it in vlan0 which is already bridged with the wifi. Just move ports 1-3 to vlan2 on the VLAN page, save, and reboot.
Instead of moving port 4 to vlan2 and bridging it with the wifi, you can just leave it in vlan0 which is already bridged with the wifi. Just move ports 1-3 to vlan2 on the VLAN page, save, and reboot.
Ok, I'll give that a try.
And I am positive that I have the iptables rules correct, but can you double-check these?
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I FORWARD -i vlan2 -o br0 -j DROP
Where vlan2 is the private network with ports 1,2,3 and br0 is the bridge between vlan0 (port 4) and the WiFi radio.
Those two iptables rules drop all packets that are intended to hop subnets, yes?
Both IP's are assigned to the router itself and although the IP is associated with a certain interface, the traffic never actually goes out the interface to reach any of the router's own addresses. If you really wanted to deny access to a subnet including the router's own IP for an interface, you would specify a destination (-d) instead of an out interface (-o).
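As an added example (not from this thread or from DD-WRT itself), here is one way to write the isolation the two posts above describe so that it also covers the router's own addresses. The subnets and router addresses are constructed assumptions (192.168.1.0/24 on br0, 192.168.2.0/24 on vlan2); substitute your own. The transit rules use -d as the moderator suggests; the INPUT rules are added because a packet addressed to the router's own IP is delivered locally and never reaches the FORWARD chain, so a FORWARD rule with -o can never match it. Setting IPT=echo prints the rules instead of applying them, which is a convenient way to review them before touching a live router.

```shell
#!/bin/sh
# Added example, not the thread's or DD-WRT's own script.
# Assumed (constructed) addressing:
#   br0   = port 4 + WiFi, 192.168.1.0/24, router address 192.168.1.1
#   vlan2 = ports 1-3,     192.168.2.0/24, router address 192.168.2.1
# IPT may be overridden (e.g. IPT=echo) to print the rules rather than apply them.
IPT="${IPT:-iptables}"
BR_IF=br0;     BR_NET=192.168.1.0/24;   BR_ADDR=192.168.1.1
PRIV_IF=vlan2; PRIV_NET=192.168.2.0/24; PRIV_ADDR=192.168.2.1

apply_isolation() {
  # 1. Transit traffic: neither subnet may be forwarded into the other.
  #    Matching on the destination network (-d) rather than the out interface (-o)
  #    has the same effect for forwarded packets and reads more clearly in -L output.
  "$IPT" -I FORWARD -i "$BR_IF"   -d "$PRIV_NET" -j DROP
  "$IPT" -I FORWARD -i "$PRIV_IF" -d "$BR_NET"   -j DROP
  # 2. Router-local traffic: packets for the router's own address in the *other*
  #    subnet go through INPUT, not FORWARD, so they need their own rules.
  #    The router's address in the sender's own subnet stays reachable, so DHCP
  #    and DNS served from that address keep working.
  "$IPT" -I INPUT -i "$PRIV_IF" -d "$BR_ADDR"   -j DROP
  "$IPT" -I INPUT -i "$BR_IF"   -d "$PRIV_ADDR" -j DROP
}

# Something a sceptical owner can run: -C exits 0 only if that exact rule is
# present, and 'iptables -L FORWARD -v -n' shows per-rule packet counters that
# climb when a host on one subnet tries to ping the other.
verify_isolation() {
  "$IPT" -C FORWARD -i "$PRIV_IF" -d "$BR_NET"  -j DROP &&
  "$IPT" -C FORWARD -i "$BR_IF"   -d "$PRIV_NET" -j DROP &&
  "$IPT" -C INPUT   -i "$PRIV_IF" -d "$BR_ADDR"  -j DROP &&
  "$IPT" -C INPUT   -i "$BR_IF"   -d "$PRIV_ADDR" -j DROP
}

# Usage: sh isolate.sh apply   |   sh isolate.sh verify
case "${1:-}" in
  apply)  apply_isolation ;;
  verify) verify_isolation && echo "isolation rules present" ;;
esac
```

Run it with IPT=echo first to see the four rules it would insert; -I puts them ahead of DD-WRT's own default rules so they take effect before any existing ACCEPT.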
The reason I ask is because the people I'm setting this up for will want to "check" that these rules work. I looked up the man page for iptables and verified the two rules; I trust that they will work. But the people I'm setting this up for might not.
If they decide to do the same 'check' I did, I'll need to have an explanation ready.