Again the idea is.......
Depending on your use case, if you want SRV and CCTV to ONLY have remote access, you ONLY need VLAN to keep them on the WAN side. If you want them to have local access or both remote and local access, you have to use VLAN to bring them to the LAN side, but then separate LANs using interfaces and firewall zones.
If you want CCTV to be remote access only, you don't need interfaces or firewall zones for it, just VLAN
If you want SRV to have local access, you do need interfaces and firewall zones for it, and have it on the VLAN for LAN side.
Also, the idea of showing us your interfaces is so we can see that your LAN interfaces have different addresses and that you have a separate interface for anything you don't want guests to access...but it looks sufficient by the color codes...
You only need to hide the addresses for WAN and WAN6, even then, if you have a modem on the other side of WAN, then those addresses are also private. Also, ensure that the physical methods that guests connect to the network are only paired with the LAN interface (not SRV). Addresses like 10.x.x.x and 172.x.x.x and 192.168.x.x are all private addresses and do not reveal your public address to us.
You can read about that here:
https://www.iplocation.net/public-vs-private-ip-address
As for your function and security question, there is no difference between two VLANs where:
- one attaches WAN to cctv
- one attaches WAN to eth0
Compared to a single VLAN where: cctv and eth0 are attached to WAN
The difference is, the way you had it before on VLAN 4 was:
- cctv was attached to eth1
and since the interfaces define eth1 as the LAN side, that places any device attached to eth1 as a LAN device (aka being served by the router internally/locally). Consequently, since the WAN interfaces have the WAN firewall zone, and are attached to eth0, anything else attached to eth0 is on the WAN side (aka treated as remote/external to the network).
TLDR: you want your WAN interfaces to be on eth0 and LAN interfaces to be on eth1.
You could reverse all that if you wanted, but it's that way by default and doesn't make a difference, as long as everything is consistent. The difference between eth0 and eth1 is arbitrary in the virtual environment (the effect of reversing eth0 and eth1 to LAN and WAN in the physical world would be reversing/changing the order of the physical ports, plugging each device in a different ethernet port, and that would make it all the same). But, it is VLAN setup that decides which devices are virtually attached to eth0 and eth1. All it does is represent two different sides of the routing space, WAN and LAN, and which devices are on which. You could for example, not have a WAN port at all (where the source of internet could be wireless only instead of ethernet) by placing every port in the VLAN page to be attached to eth1.
VLAN has a feature where you can separate every device by a managed tag ID that is a number attached to every ethernet packet that is sent between devices; this is part of the 802.11Q standard. I assume that you are not using the VLAN ID tagging outside of the single router, and if that is the case, then your only use case is to separate devices from eth0 and eth1. Because you only have two physical ethernet interfaces, eth0 and eth1, you can achieve this by using only 2 VLANs in the virtual switch. In your case, you can also combine VLANs 1 and 3 and remove VLAN 3 as well. And like I said before, you can combine VLANs 2 and 4 into one, and it's the same thing.
Imagine it like this: you have a completely separate physical switch, and in that switch you connect the Internet (true WAN), the router's WAN, and the CCTV. No one on the LAN side of the router can talk to the modem (or other internet source device), nor can they talk to the CCTV (unless you do port forwarding, removal of firewall, etc...). This would be the same as having TWO separate physical switches that are connected to each other, and also connected to these 3 different things, including the router on the WAN side. That's effectively what you're doing by having so many VLANs (unless you want to use 802.11Q tagging). It doesn't make a difference though, just a little more efficient.
VLAN is essentially designed so that you can set any ethernet port to do whatever you want it to do...which includes separating every single device from each other if you want...
So in your case I'm pretty sure you can just have two (unless you are using tag IDs 1 through 4):
- VLAN1: eth1, LAN1, LAN2, LAN3
- VLAN2: eth0, LAN4, WAN
So what's your real goal? Do you simply want the router, CCTV, and SRV to all have internet access, but separately? Then you just need VLANs.
More complicated than that? Then it gets complicated... lol
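
An added example, not part of the original post: a small Python check that reads `switch_vlan` sections in OpenWrt swconfig syntax and reports which side (eth0/WAN or eth1/LAN) each physical port is bridged to, so a port such as the CCTV one can be confirmed as WAN-side only. The port numbers, the CPU-port mapping (5 to eth0, 6 to eth1) and the sample config are assumptions constructed for illustration; they differ per router model.

```python
import re

# Constructed sample config; port numbers are assumptions, not from the post.
# Assumed mapping: ports 1-3 = LAN1-3, port 4 = LAN4 (CCTV), port 0 = WAN.
SAMPLE = """
config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '1 2 3 6'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '0 4 5'
"""

CPU_PORTS = {5: "eth0", 6: "eth1"}      # assumed: switch port -> CPU interface
SIDE = {"eth0": "WAN", "eth1": "LAN"}   # the default layout the post describes

def parse_vlans(text):
    """Return {vlan_id: set(port numbers)} from switch_vlan sections."""
    vlans, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config "):
            cur = {} if line.split()[1] == "switch_vlan" else None
        elif cur is not None:
            m = re.match(r"option\s+(\w+)\s+'([^']*)'", line)
            if m:
                cur[m.group(1)] = m.group(2)
            if "vlan" in cur and "ports" in cur:
                # strip swconfig suffixes: t (tagged), u (untagged), * (PVID)
                ports = {int(p.rstrip("tu*")) for p in cur["ports"].split()}
                vlans[int(cur["vlan"])] = ports
    return vlans

def port_sides(vlans):
    """Map each non-CPU port to the set of sides it shares a VLAN with."""
    sides = {}
    for ports in vlans.values():
        here = {SIDE[CPU_PORTS[p]] for p in ports if p in CPU_PORTS}
        for p in ports - set(CPU_PORTS):
            sides.setdefault(p, set()).update(here)
    return sides

def audit(vlans):
    """Return ports bridged to both sides or to neither (misconfigured)."""
    return {p: s for p, s in port_sides(vlans).items() if len(s) != 1}

if __name__ == "__main__":
    v = parse_vlans(SAMPLE)
    print(port_sides(v), audit(v))
```

An empty result from `audit` means every port sits on exactly one side; a port listed with both `WAN` and `LAN` is bridged across the router's firewall boundary at the switch.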