Create separate subnet

My router is a PC with 3 eth ports.
-eth1 is my WAN
-eth2 is my LAN 192.168.2.1/24 with DHCP enabled.

I would like to enable eth3 with a separate subnet, 192.168.3.1/24, with DHCP enabled. The two subnets should not be able to see each other, but both should have access to the Internet. eth3 should also be traffic-shaped to 20 Mbps down / 3 Mbps up. How do I achieve that, please?

To better assist you, please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

I have created the second subnet on a different interface and it has access to the Internet. At the moment both subnets can access each other. Also, there is no traffic shaping on the second subnet (192.168.2.0/24) and no DHCP server on that interface either.


root@APU_orange: ~ $ **ubus call system board**
{
        "kernel": "5.15.137",
        "hostname": "APU_orange",
        "system": "AMD G-T40E Processor",
        "model": "PC Engines apu1",
        "board_name": "pc-engines-apu1",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "x86/64",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}

root@APU_orange: ~ $ **cat /etc/config/network**

# NOTE(review): the question calls the ports eth1/eth2/eth3 and gives the LAN as
# 192.168.2.1/24, but this file uses eth0 (PPPoE WAN), eth1 (br-lan, 192.168.1.1)
# and eth2 (192.168.2.250). Read the advice in the thread against these names.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd56::/48'

# LAN bridge; eth1 is its only member port.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

# Main LAN: 192.168.1.1/24 on br-lan.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.1'

# Internet uplink: PPPoE on eth0. The username/password shown appear to be
# redaction placeholders.
config interface 'WAN_pppoe'
        option proto 'pppoe'
        option device 'eth0'
        option username 'xyz'
        option password 'abc'
        option ipv6 '0'

# WireGuard interface listening on UDP 61820; the key fields are blanked in the post.
config interface 'WG_server'
        option proto 'wireguard'
        option private_key ''
        option listen_port '61820'
        list addresses '10.14.0.1/24'

# WireGuard peer. NOTE(review): allowed_ips '10.14.0.3/21' is a /21 mask on a
# host address; it spans 10.14.0.0-10.14.7.255, wider than the /24 tunnel, and
# route_allowed_ips '1' installs a route for it. A single peer is normally
# given a /32 - confirm this is intended.
config wireguard_WG_server
        option description 'A_mobile'
        option public_key ''
        list allowed_ips '10.14.0.3/21'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

# Second static address on eth0, the same device the PPPoE uplink uses;
# presumably for reaching the modem's own management address - confirm.
config interface 'Modem_check'
        option proto 'static'
        option ipaddr '192.168.178.27'
        option netmask '255.255.255.0'
        option device 'eth0'

# The extra subnet: 192.168.2.250/24 directly on eth2. The firewall file in
# this post lists this interface in the 'wan' zone, and the DHCP file has no
# section for it.
config interface 'Subnet2_2_1'
        option proto 'static'
        option device 'eth2'
        option ipaddr '192.168.2.250'
        option netmask '255.255.255.0'
root@APU_orange: ~ $ **cat /etc/config/dhcp**

# dnsmasq: DNS rebind protection is on. With noresolv '1' and a single
# 'list server' entry, upstream queries go only to 192.168.1.1 port 5353
# (which service listens there is not shown in this post).
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        list server '192.168.1.1#5353'
        option noresolv '1'

# DHCP pool for 'lan': 31 addresses starting at host offset 161, 2-minute leases.
config dhcp 'lan'
        option interface 'lan'
        option dhcpv4 'server'
        option leasetime '2m'
        option start '161'
        option limit '31'

# DHCP disabled on 'wan'. NOTE(review): no interface named 'wan' appears in the
# network file shown (the uplink is 'WAN_pppoe'). There is also no dhcp section
# for 'Subnet2_2_1', which matches the report that eth2 has no DHCP.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'


# Static leases. NOTE(review): the MAC addresses below were posted unredacted,
# although the request above asked for them to be redacted.
config host
        option name 'retropie'
        option mac 'B8:27:EB:18:27:92'
        option ip '192.168.1.243'




config host
        option mac 'B8:27:EB:21:BB:E5'
        option name 'RPI-vpn'
        option dns '1'
        option ip '192.168.1.251'

config host
        option name 'raspberrypi'
        option mac 'B8:27:EB:37:4E:3A'
        option ip '192.168.1.241'

root@APU_orange: ~ $ **cat /etc/config/firewall**

# Fallback policies for traffic that matches no zone. NOTE(review): input
# 'ACCEPT' means an interface that is not (yet) assigned to any zone can reach
# services on the router itself; REJECT is the more conservative fallback when
# adding new interfaces - confirm before changing.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Trusted zone: the LAN plus the WireGuard interface, so VPN peers are treated
# like LAN hosts.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'WG_server'

# Untrusted zone with masquerading. NOTE(review): 'Subnet2_2_1' (eth2,
# 192.168.2.0/24) is listed here, so the lan -> wan forwarding below also lets
# LAN hosts reach that subnet, and the subnet gets the WAN input/forward
# policies rather than its own. A subnet that must be isolated needs its own
# zone. 'wan' is listed but no interface of that name is in the network file shown.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'Modem_check'
        list network 'WAN_pppoe'
        list network 'wan'
        list network 'Subnet2_2_1'

# The only inter-zone forwarding: lan may initiate connections into wan.
config forwarding
        option src 'lan'
        option dest 'wan'

# Rules that accept specific traffic arriving from the wan zone.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# These two rules allow IPsec (ESP and UDP 500) from wan to any lan host.
# NOTE(review): if no IPsec endpoint runs on the LAN they can be removed - confirm.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Port forward: WAN port 41820 to 192.168.1.251 (the 'RPI-vpn' static lease in
# the DHCP file). No 'option proto' is set. NOTE(review): if the service is
# UDP-only, stating the protocol keeps the other one closed - confirm.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option src 'wan'
        option src_dport '41820'
        option dest_ip '192.168.1.251'
        option dest_port '41820'
        option name 'Server_PI'

# Port forward: WAN port 61820 to 192.168.1.1, the router's own LAN address,
# matching WG_server's listen_port. No 'option proto' is set. NOTE(review):
# WireGuard uses UDP only, so 'option proto udp' would be tighter - confirm.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Wireguard_Router'
        option src 'wan'
        option src_dport '61820'
        option dest_port '61820'
        option dest_ip '192.168.1.1'

# DNS interception for the lan zone only: port 53 TCP/UDP is DNAT'ed with no
# dest_ip given (presumably to the router itself - confirm). Clients in any
# other zone are not covered by this rule.
config redirect 'dns_int'
        option name 'Intercept-DNS'
        option src 'lan'
        option src_dport '53'
        option proto 'tcp udp'
        option target 'DNAT'
        option family 'any'

Try the following. There is no guarantee it will work, so make a backup of your config first, just in case.

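Assuming the port you want to activate is eth2, put something like the following in /etc/config/network. In the config you posted, eth2 is already assigned to the 'Subnet2_2_1' interface, which is listed in the wan firewall zone, so remove that interface section and its 'list network' entry in the wan zone first: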

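# Bridge device for the isolated subnet, with eth2 as its only port.
# eth2 must not stay attached to another interface (the posted config
# uses it for 'Subnet2_2_1').
config device
        option name 'br-guest'
        option type 'bridge'
        list ports 'eth2'

# Router address for the new subnet: 192.168.3.1/24 on br-guest.
# (The closing quote on ipaddr was missing in the original snippet; without it
# the file does not parse.)
config interface 'guest'
        option device 'br-guest'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ipaddr '192.168.3.1'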

Next step setup DHCP, in /etc/config/dhcp add:

# DHCPv4 server for the 'guest' interface: 100 addresses starting at host
# offset 150 of the interface's subnet, with 60-minute leases.
config dhcp 'guest'
        option interface 'guest'
        option dhcpv4 'server'
        option leasetime '60m'
        option start '150'
        option limit '100'

Next step add to the firewall:

# Separate zone for the guest subnet. forward 'REJECT' plus a single forwarding
# to wan means guest traffic can go out to the Internet but is not forwarded
# to the lan zone.
# NOTE(review): input 'ACCEPT' lets guest clients reach every service running
# on the router itself (on any of its addresses), including administration
# interfaces. For real isolation use input 'REJECT' with explicit rules for
# DHCP and DNS only.
config zone
        option name 'guest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

# Guest may initiate connections to wan; no forwarding to or from lan is defined.
config forwarding
        option src 'guest'
        option dest 'wan'

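You might want to set input to REJECT in the guest zone and add rules that allow only DHCP (UDP port 67) and DNS (TCP/UDP port 53) from the guest zone to the router. With input set to ACCEPT, guest clients can reach every service the router runs, including its administration interfaces.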

I do not see any speed limits configured anywhere.

Did you install SQM (the sqm-scripts package)?