I would just like to congratulate @Knomax for having proposed a real DMZ solution, even if in practice, for higher security, a DMZ is usually required to physically sit between the WAN and LAN networks, also splitting them with additional firewalls. In the end you should have WAN<-firewall->DMZ<-firewall->LAN, but your solution based on VLANs is fine for consumer/SOHO purposes.
Of course, as you all may know already, the usual consumer "virtual DMZ" is just a general static port-forward fallback (i.e. "do PAT to that host if no other static PAT rules are defined") plus some extra firewall exceptions, and that has absolutely nothing to do with a DMZ, even if consumer device vendors insist on improperly abusing the DMZ term. This fake "DMZ", where all ports are forwarded to a single static host, is all you need to get a game console to think it is working without a NAT in the middle. You don't need the real DMZ. All you need is that rule as suggested by @mindwolf above. I think @Knomax should remove the 1-65535 forward rule from his otherwise perfect guide, as it has nothing to do with DMZ and creates confusion.
edit: If you are curious to know how a commercial consumer DMZ is done in OpenWrt-based routers, here is an example: https://github.com/FrancYescO/tch_firmware_extracted/blob/AGTHP_2.2.1_003_CLOSED/lib/functions/dmz.sh
edit 2: In a typical real DMZ, all (multiple) DMZ members are publicly addressable with their own IPs, with no NAT performed. This is what usually happens on enterprise networks, where you get many IPs assigned by the ISP. It is the same for IPv6, even on consumer networks. In that sense, having a host in the DMZ means having no NAT issues for that host, and that's why consumer devices implement such fake "virtual DMZ" features, where all traffic is simply statically PAT'd after NAT to a single host in the usual LAN zone. A proper way of achieving a 1:1 mapping of public addresses to DMZ hosts (and therefore no NAT issues for them) would be to [a] statically NAT or [b] directly assign them unique public addresses.
For instance, in the awesome @Knomax solution we have each DMZ host in the 192.168.0.0/24 subnet, and the public address is assigned via PPPoE.
- option [a] - Assuming we need to map a dedicated public IP to an xbox at 192.168.0.42, we need to bring up a second PPPoE connection to get a second WAN IP, then install mwan3 to instruct the OpenWrt router to use this second interface for the xbox only, and finally NAT everything coming from this second IP to 192.168.0.42. Then you also buy a playstation on 192.168.0.43, so you create a third WAN interface, configure mwan3 to use that third WAN for the playstation only, and finally do static NAT from such interface to 192.168.0.43.
- option [b] - You also enable PPPoE relay (aka passthrough) on the OpenWrt router for the DMZ zone only (!!) such that each xbox/playstation is also capable of getting its own public IP by itself.
The second option is simpler; I often see it being improperly used in home gateways, where it is allowed from the main LAN zone too (unbelievably insecure...). I usually discourage this, since it hardly gets optimal performance due to transiting via the main router CPU for PPPoE relaying (thus probably no hw-nat), causing latency spikes depending on main CPU load. There also exists an equivalent DHCP relay for non-PPPoE based services, where the DHCP relay daemon takes care of creating the necessary routing entries automatically; however, I'm not sure how this actually works.
The first option is my favorite. You get the best results, and it works for both PPPoE and DHCP based deployments. I have also seen static NAT options in some commercial consumer home routers, but this usually relates to their single main WAN connection, so enabling it is simply useless for this case.
So, build a real DMZ like @Knomax described in the first post, then find your preferred way of statically mapping your public addresses to hosts in the DMZ (xbox, playstation, webserver, etc.).
- consumer home routers do it "virtually" for a single host at a time with poor general static PAT fallback rules (they call it DMZ; it is not a DMZ though); you have an OpenWrt router ... try doing something better!
- go for option [b] if you don't feel comfortable configuring static NAT or mwan3; it's a good starting point
- go for option [a] if you are ambitious
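An added example, not from the post above or from @Knomax's guide, sketching option [a] in OpenWrt's UCI format: a DMZ zone that cannot initiate traffic to the LAN, plus a second PPPoE interface whose inbound traffic is DNAT'd to the xbox at 192.168.0.42 and which mwan3 uses for that host only. The interface names `dmz` and `wan2` (assumed to exist in /etc/config/network) and the mwan3 section names are assumptions; the host IP comes from the post.

```uci
# /etc/config/firewall (constructed fragment)
# DMZ zone: may reach WAN, is reachable from LAN, cannot reach LAN.
config zone
	option name 'dmz'
	list network 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'dmz'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'dmz'

# Second PPPoE interface (assumed name wan2), masqueraded so the xbox
# leaves with wan2's public IP rather than the main wan IP.
config zone
	option name 'wan2'
	list network 'wan2'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

# All ports arriving on wan2 go to the xbox only: the "forward everything"
# rule is scoped to its own public IP and to the dmz zone, not to LAN.
config redirect
	option name 'wan2_to_xbox'
	option src 'wan2'
	option dest 'dmz'
	option dest_ip '192.168.0.42'
	option proto 'all'
	option target 'DNAT'

# /etc/config/mwan3 (constructed fragment): only 192.168.0.42 uses wan2.
# The primary wan keeps mwan3's stock default policy. No track_ip is set,
# so mwan3 treats wan2 as always online.
config interface 'wan2'
	option enabled '1'
	option family 'ipv4'

config member 'wan2_m1'
	option interface 'wan2'
	option metric '1'
	option weight '1'

config policy 'xbox_only'
	list use_member 'wan2_m1'
	option last_resort 'unreachable'

config rule 'xbox_out'
	option src_ip '192.168.0.42'
	option family 'ipv4'
	option use_policy 'xbox_only'
```

With `last_resort 'unreachable'` the xbox does not silently fall back to the main wan IP if wan2 drops, which would otherwise reintroduce the NAT issues the post is trying to avoid.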