You don't appear to have a lan2 zone defined in your firewall configuration.
In addition, you don't appear to have the subnet 192.168.12.0/24 represented in your network configuration.
That does not segregate the networks and there is no security. You need to use separate ports, or VLANs on the same port "trunked" to a managed switch to direct the two networks to their separate devices.
The configuration you posted is even further broken as the router won't be able to route anything from the VPN to the .12 network because you have not assigned a .12 IP in any router interface. The router doesn't even know there are devices with .12 IPs.
Yes. These are my problems.
How do I define the lan2 zone if I have only one physical interface?
I also don't know how to define the subnet without a second internal LAN interface. After my attempts I needed my backup.
What can I take from your example above? I see there are two internal LAN adapters planned. I only have one.
Using VLANs.
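What a lan2 network on a tagged VLAN of the single LAN port can look like in OpenWrt's UCI files, as an added example that is not part of the original thread. The device name `eth0`, the VLAN ID 12 and the router address 192.168.12.1 are assumptions; the switch port facing the router has to carry VLAN 12 tagged.

```uci
# /etc/config/network
# Assumed: the LAN port is eth0 and VLAN ID 12 is free.
# 'option device' is the current syntax; older releases use 'option ifname'.
config interface 'lan2'
	# 802.1Q tagged sub-interface on the one physical LAN port
	option device 'eth0.12'
	option proto 'static'
	# Gives the router an address in the .12 subnet so it can route to it
	option ipaddr '192.168.12.1'
	option netmask '255.255.255.0'

# /etc/config/firewall
config zone
	option name 'lan2'
	list network 'lan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# lan2 may reach the internet through the stock 'wan' zone
config forwarding
	option src 'lan2'
	option dest 'wan'

# There is deliberately no forwarding section between 'lan' and 'lan2'.
# Traffic between them falls to the global forward policy in the
# 'defaults' section, which is REJECT in a stock configuration.
```

Hosts on lan2 also need addresses in 192.168.12.0/24, either static or from a matching section in /etc/config/dhcp.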
Do I need a second device, a managed switch, or can I do this with the configuration in the openWRT router?
If the router has only two Ethernet sockets (one for WAN, one for LAN) then, in addition to the router, you'll also need a switch which is capable of VLAN segregation. A bog-standard unmanaged switch won't cut it. Alternately, several routers are available with multiple Ethernet sockets, built-in switches, and are supported by OpenWRT.
Fortunately, just this very afternoon someone resurrected an old thread in which several choices of VLAN-capable switch are discussed:
On further reflection, a bog-standard unmanaged switch might be suitable, if you don't care about security between LAN1 and LAN2 and if the unmanaged switch doesn't mangle any VLAN tags. If all you care about is layer 3 routing, but not isolating the layer 2 detail, you might be able to achieve your objective.
However, I would not recommend this approach, on the assumption that you want discrete subnets for a reason. I further assume that the reason is security, especially given your original question about controlling access for certain hosts.
Thanks. I think I understand. The security between the LAN networks is important to me. Now I have bought a Fritzbox 7362SL. It has 4 LAN ports. Thanks for the support.