Need help with VLAN

Hello all, I need help on the steps to configure OpenWRT.

I went to network > switch. I configured 4 VLANS, VLAN 1 untagged to port 1 (off the other ports). VLAN 2 untagged port 2 (off the others). etc...

Then I went to interfaces, I created device br-VLAN2, bridge port eth0.2. Afterwards an interface with address 192.168.2.2 (VLAN3 has a br-VLAN3 with address 192.168.3.2).

I wish the openWRT to use addresses 192.168.X.2.

Up to that point it seemed to work, I can connect a laptop to port 3 for example and it can see and ping openWRT. Now the laptop uses gateway 192.168.3.2 but has no internet.

The internet is on VLAN2 with address 192.168.2.1.

so considering I have 4 VLANs (one of each port) and 4 devices br-VLANx with interfaces 192.168.x.2 then how can I:

1 - All the Vlans should use 192.168.2.1 as internet gateway.
2 - All computers on one Vlan are isolated from the computers on a different vlan
3 - define a specific computer to access all computers on all vlans.

If you can answer just question 1 it will already be a good starting point.

Thanks a lot !

I can probably help you get going... but we'll need more information.

  • Is this the main router, or is this just an AP/switch on your network?
    • if this is not the main router, does the main router support VLANs and are they configured there? Is that device running OpenWrt?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

It's not the main router. I have a router offering internet access at address 192.168.2.1 but the router doesn't support vlans. The router is a Bell Home Hub 3000 so I can't install openWRT on it. I would set the openWRT at address 192.168.2.2 and coordinate the VLANs.

I have a L2 switch that supports VLANs and a bunch of dumb switches.

ubus call system board
{
	"kernel": "5.10.176",
	"hostname": "OpenWrt",
	"system": "Broadcom BCM5357",
	"model": "Unknown Board",
	"board_name": "0xF550:42",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.4",
		"revision": "r20123-38ccc47687",
		"target": "bcm47xx/mips74k",
		"description": "OpenWrt 22.03.4 r20123-38ccc47687"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc7:8b8**********e::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 5t'

config switch_vlan
	option device 'switch0'
	option ports '2 5t'
	option vlan '3'

config switch_vlan
	option device 'switch0'
	option ports '3 5t'
	option vlan '4'

config device
	option name 'eth0.3'
	option type '8021q'        <---  should I config the devices like this (802.1q) or as a bridge ?
	option ifname 'eth0'
	option vid '3'
	option mtu '1500'
	option macaddr 'C0:C1:C0:**********'

config interface 'VLAN3'
	option proto 'static'
	option device 'eth0.3'
	option netmask '255.255.255.0'
	option ipaddr '192.168.3.2'

config device
	option type 'bridge'
	option name 'VLAN4'
	list ports 'eth0.4'
	option bridge_empty '1'
	option mtu '1500'
	option macaddr 'C0:C1:C0**************'

config interface 'VLAN4'
	option proto 'static'
	option device 'VLAN4'
	option ipaddr '192.168.4.2'
	option netmask '255.255.255.0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config device
	option type 'bridge'
	option name 'br-VLAN2'
	list ports 'eth0.2'
	option bridge_empty '1'
	option mtu '1500'
	option macaddr 'C0:C1:C***********'

config interface 'lan2'
	option proto 'static'
	option device 'br-VLAN2'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'
	option gateway '192.168.2.1'

root@OpenWrt:~# cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

I have redacted the MAC address, the rest I don't mind. The current configuration isn't good, I have been playing with the configs trying stuff. Right now each vlan is configured in a different way. Also I haven't touched the default lan. Pretty sure the network>switch config is good, one Vlan on each port serves me very well, I have several dumb switches and I will connect one onto each port and have physically separated vlans (no need to share ports). But the devices and interfaces I'm not sure about, and I don't know how to make them use the internet on Vlan2.

I haven't touched the firewall. Also didn't set up DHCP, no need as I use fixed IPs.

This doesn't look like it is anything supported by the official OpenWrt project. Did you install OpenWrt onto this device, or was it preloaded?

I installed it myself. It's a Linksys E2500 v1. I opened it and used JTAG to be able to install openWRT. It seems to work pretty well so far. The wireless is disabled, but it's okay for my needs. I just need a router to separate the 4 VLANs and route the communication between the VLANs (isolate all the Vlans, but they should be able to access the internet on vlan2, and 1 machine on Vlan2 should be able to access all the machines on all the vlans, this is my ideal configuration).

I'm good with electronics and computers in general, but I have a low/medium knowledge of networks. I have never configured Vlans, so I'm unsure what I should do to make it work. If you can simply write the general steps in an easy way I should be able to configure:

1 - in network> switch configure vlans
2 - in network > interfaces>devices create bridge devices
3 - in network >interfaces create the lans and set the ip adresses of each network
4 - ????

Strange... I wonder why the model information is missing.

Nevertheless, a few things:

  1. You should upgrade to the latest (23.05.4) before we start configuring the device. During the upgrade, uncheck the 'keep settings' box (or if on the command line, use the -n argument) to reset the device to defaults during the upgrade process.
  2. This device is not really suitable for wifi due to the Broadcom 47xx chipset which is just barely supported within OpenWrt (due to the fact that the drivers were not opensourced by Broadcom). As such, it's fine as a managed switch, but don't do anything with wifi (you'll be really unhappy).
  3. It is an older device, so don't expect a ton in terms of bandwidth when routing (which is necessary for your configuration since the upstream router doesn't have VLAN support). It will work, but keep your expectations in check with respect to the actual routed speed of the downstream networks.

Once the upgrade is complete, post the default config files and we'll go from there.


Of course the bandwidth of an old router will be poor. It's ok. I expect the computers on VLAN2 to directly access the internet, so they will not use openWRT. The devices on VLAN1 will be my IoT, so they just need to access the home assistant instance on VLAN2. VLAN3 will use the bandwidth, there are 10 asic miners on it, so even if the router is old I expect it will be enough to route those 10 asics and occasionally the iot devices who call home assistant.

The home assistant is on a NAS with plex, that will be accessed by all the computers on VLAN2, so I think it's best if the NAS stays on VLAN2. I have a big netgear L2 switch that is able to do port segmentation of the lans, so I will define 4 VLANS on the switch and assign specific ports of the switch to each VLAN. Then OpenWRT can use 4 wires from the 4 ports into the VLAN segments of the switch and basically route VLAN3 to use VLAN2 internet. If I manage to configure just VLAN2 and VLAN3 to separate the asics it will be a good enough starting point for me. So please guide for the bare minimum, no need for help with the netgear L2 switch, it's easy to configure the VLAN segmentation on it.

I need to do some segmentation of my home network because computers + asics + iot devices = small network performance issues. Just for information, currently there are 65 devices plugged in at my house...

The info below is straight after the firmware upgrade. I just set the password of the unit and touched nothing at all. It's strange it says model E2500 v3, I have a v1 I'm pretty sure about it, but anyway it works so I don't mind.

ubus call system board
{
	"kernel": "5.15.162",
	"hostname": "OpenWrt",
	"system": "Broadcom BCM5357",
	"model": "Linksys E2500 V3",
	"board_name": "0xF550:42",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.4",
		"revision": "r24012-d8dd03c46f",
		"target": "bcm47xx/mips74k",
		"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd28:aacd:0abf::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 5t'

root@OpenWrt:~# cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

Ok... things look better now, but it is odd that your device is apparently coming up as a v3 even though you said it is a v1. Did you flash the v1 image file (the one I linked earlier)?

Anyway, now we can start getting to work... just one more thing that we need to clarify... what should each port do, functionally. For example (making this up):

  • wan: vlan 2/upstream network connection
    • wan IP 192.168.10.2/24, upstream gateway 192.168.10.1
  • lan 1: vlan 1 untagged - 192.168.1.0/24
  • lan 2: vlan 3 untagged - 192.168.3.0/24
  • lan3: trunk, vlans 1, 2, 3, all tagged
  • lan4: trunk, vlan 1 untagged, vlans 2, 3 tagged

Yes, I installed the firmware from the link you gave me.

Wan: unused
lan1: 192.168.1.2 vlan1
lan2: 192.168.2.2 vlan2
lan3: 192.168.3.2 vlan3
lan4: 192.168.4.2 vlan4

Internet is offered by a router in 192.168.2.1

lan1 machines are isolated, they can't access internet, but they can access Home assistant on 192.168.2.100

lan3 machines can access internet (192.168.2.1) but see no one else outside of vlan3

a single machine (my laptop on lan2) can access all the machines on all the lans

Great... thanks for the new info.

One caveat -- I don't know the mapping of the logical ports to the physical ports, so it is possible that things won't be assigned to the right physical ports. If that happens, it's not a big deal to fix it. I'll assume that logical port 0 = lan 1... logical port 3 = lan4.

First thing we'll do is delete the wan/wan6 interfaces:

Now we'll create new networks called vlan2 - vlan4:

config interface 'vlan2'
	option device 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'
	option gateway '192.168.2.1'
	list dns '192.168.2.1'

config interface 'vlan3'
	option device 'eth0.3'
	option proto 'static'
	option ipaddr '192.168.3.2'
	option netmask '255.255.255.0'

config interface 'vlan4'
	option device 'eth0.4'
	option proto 'static'
	option ipaddr '192.168.4.2'
	option netmask '255.255.255.0'

And we'll edit the lan to 192.168.1.2:

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'

Now we'll setup the VLANs on the switch with what is hopefully the correct port mapping. This involves editing VLANs 1 and 2, and adding 3 and 4:

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 5t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '2 5t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '3 5t'

Next, in the DHCP file, we'll add DHCP servers for VLANs 3 and 4:

config dhcp 'vlan3'
	option interface 'vlan3'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'vlan4'
	option interface 'vlan4'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

We'll create a new firewall zone for VLAN 2 in the firewall file:

config zone
	option name 'vlan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'vlan2'
	option masq '1'

And, for getting things started (with the fewest variables), we'll set VLANs 3 and 4 in the lan firewall zone (this won't achieve the isolation, but will help us prove that everything is working; we'll isolate later):

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vlan3'
	list network 'vlan4'

And finally, we'll add a forward:

config forwarding
	option src 'lan'
	option dest 'vlan2'

Reboot and test the following:

  • each port is assigned properly by plugging a computer into each port in succession.
    • Ports 1, 3, and 4 should be associated with VLAN 1, 3, and 4 respectively, and there should be a DHCP server enabled on each of those.
    • Port 2 should not have a DHCP server, so your computer will not get an address.

If the ports are wrong, we can fix them... just note what you see on each port.
If all is good, connect port 2 to the upstream router and then test that routing is working as expected from the other 3 networks.

Once that's all set, we can talk about isolation.

Things are going pretty well thanks a lot !!

The commands you sent me didn't seem to work on ssh, at least not directly. So I used the web interface to configure everything. I deleted the lan (br-lan) interface as well as wan and wan6 and configured vlan1 to vlan4. Also I made a firewall "vlans" rule to forward vlan1, vlan3 and vlan4 towards vlan2. Also I don't wish DHCP on vlan1, 3 and 4 as all my computers use fixed IPs and external DNS (8.8.8.8, 8.8.4.4).

Overall it works very well, computers on the vlans can now access the internet, which is very good. So, could you teach me a little about isolation please?

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd28:aacd:0abf::/48'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 5t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '2 5t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '3 5t'

config interface 'vlan2'
	option proto 'static'
	option device 'eth0.2'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'
	option gateway '192.168.2.1'

config interface 'vlan3'
	option proto 'static'
	option device 'eth0.3'
	option ipaddr '192.168.3.2'
	option netmask '255.255.255.0'

config interface 'vlan4'
	option proto 'static'
	option device 'eth0.4'
	option ipaddr '192.168.4.2'
	option netmask '255.255.255.0'

config interface 'vlan1'
	option proto 'static'
	option device 'eth0.1'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'

root@OpenWrt:~# cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'vlan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'vlan2'

config zone
	option name 'vlans'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'vlan1'
	list network 'vlan3'
	list network 'vlan4'

config forwarding
	option src 'vlans'
	option dest 'vlan2'

Right... they weren't commands, rather direct edits to the text config files.

Great!

Sure. But I'm going to ask you to define your goals, first. I know you had mentioned it a bit previously, but can you recap here what each VLAN should do. For example (making this up):

  • VLAN 1: no internet access, can access VLAN 3 and VLAN 4, but not VLAN 2. Can reach the router itself.
  • VLAN 3: has internet, cannot reach any other networks (internet only). Cannot reach the router.
  • VLAN 4: has internet, can reach all networks. Cannot reach the router

If there are more granular rules, let's get those defined, too.

Once we have this fully defined, we can create the zones, forwards, and rules as needed.

VLAN1 - IoT devices, can only reach Home Assistant on 192.168.2.100, can't reach anything else
VLAN3 - Asic Miners - can only reach the internet. Can't reach anything else
VLAN4 - Reserved for future use, no special configuration for the time being.
VLAN 2 - Several computers, they can't see VLAN1 nor VLAN3 nor VLAN4, except for a single computer (my personal laptop) which should be able to reach everyone everywhere (for example visit the asic web pages). Also home assistant 192.168.2.100 should be able to see Vlan1 as the iot devices will live there.

This should cover most of my needs. Although I have a port redirection on one machine. If I moved the machine to Vlan3 for example I guess I should direct the port forwarding towards OpenWRT and make a second port forwarding on OpenWRT towards the machine?

Again thanks a lot for the help

I'm going to assume that your IoT devices have methods by which you can set the network configuration. Many basic IoT devices (think smart light bulbs and the like) do not have this provision, so you may change your mind about this later.

Be sure to delete this since we'll be putting each vlan in its own zone:

Ok... let's put this in its own firewall zone. We'll prohibit access to the router itself (including DHCP and DNS) based on the above. You can always add a DHCP server and the appropriate provisions, if required. But for now, we'll make this simple:

Add this:

config zone
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vlan1'

config rule
	option name 'iot-to-ha'
	option src 'iot'
	option dest 'vlan2'
	list dest_ip '192.168.2.100'
	option target 'ACCEPT'

Add this:

config zone
	option name 'miners'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vlan3'

config forwarding
	option src 'miners'
	option dest 'vlan2'

config rule
	option name 'miners-to-internet'
	option src 'miners'
	option dest 'vlan2'
	list dest_ip '192.168.2.0/24'
	list proto 'all'
	option target 'REJECT'

[EDIT: corrected a typo; previously it was list dest_ip '192.168.2.024' but this has been fixed: list dest_ip '192.168.2.0/24'-- the slash was missing]

This doesn't need to be assigned to a zone at this point. You'll be deleting the vlans zone, so this will be unassigned. That's fine.

This isn't directly possible because your upstream router doesn't have the ability to install static routes (my in-laws have the Bell Home Hub 3000... I've looked -- this feature doesn't exist). Without static routes, there is no way to tell the HH3000 where to send (route) traffic destined for the networks that are used in VLANs 1, 3, and 4. This is why masquerading must be enabled, too.

You could setup port forwards, if you wanted. In that situation, you'd access devices behind your OpenWrt router (from VLAN2/upstream) at address 192.168.2.2 with the port number used for the port-forwarding. That is your only option.

I put the traffic rule 'miners-to-internet' as you stated, it seemed to do nothing, no effect. I then modified it and wrote list dest_ip '192.168.2.0/24', then suddenly all the vlan3 devices couldn't access the internet anymore. Also devices on vlan2 can't see devices on vlan3 anymore. So I added a second rule:

config rule
	option name 'vlan2-to-vlan3'
	list proto 'all'
	option src 'vlan2'
	option dest 'vlan3'
	option target 'ACCEPT'

Then all the vlan3 devices can access the internet (but also all devices on vlan2)... so it's not doing what I would like. For simplicity's sake, let's concentrate only on vlan3. I have tried this:

config zone
	option name 'vlan3'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	list network 'vlan3'

config forwarding
	option src 'vlan3'
	option dest 'vlan2'

config rule
	option name 'vlan3-to-internet'
	option src 'vlan3'
	option dest 'vlan2'
	option target 'ACCEPT'
	list proto 'all'
	list dest_ip '192.168.2.1'

but devices on vlan3 can see all devices on vlan2, so it's not truly isolated. On the other hand devices on vlan2 can't see devices on vlan3.

My guess about what's happening is that devices can contact 192.168.2.1 which happens to be the DHCP server, so my guess is that it serves the devices on vlan2 to vlan3? So I can't truly isolate VLAN2 and VLAN3...

humm...

Let's actually see the complete firewall file.

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'vlan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'vlan2'

config zone
	option name 'vlan3'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	list network 'vlan3'

config forwarding
	option src 'vlan3'
	option dest 'vlan2'

config rule
	option name 'vlan3-to-internet'
	option src 'vlan3'
	option dest 'vlan2'
	option target 'ACCEPT'
	list proto 'all'
	list dest_ip '192.168.2.1'

Change output to ACCEPT:

Then delete this:

And if you want to make sure that your miner devices cannot reach anything else (other than the internet), add this rule:

config rule
	option name 'block miners to upstream network'
	option src 'vlan3'
	option dest 'vlan2'
	list dest_ip '192.168.2.0/24'
	list proto 'all'
	option target 'REJECT'

Note: I just corrected a typo -- previously the dest_ip field had '192.168.2.024 -- it should have been 192.168.2.0/24.

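The reply above depends on the order in which fw4 decides a forwarded flow: traffic rules for the zone pair are checked first (in file order), then a matching forwarding section, then the source zone's own forward policy (for traffic between networks of the same zone), and finally the defaults forward policy. That order is also why the earlier 'vlan3-to-internet' ACCEPT rule to 192.168.2.1 appeared to do nothing: the forwarding vlan3 -> vlan2 already accepted everything, so an ACCEPT rule on top of it changes nothing, whereas a REJECT rule in front of the forwarding does. The following is an added Python model of that decision, not code from this thread or from OpenWrt. It parses UCI-format firewall text with a minimal parser and reports the verdict and the reason for a new flow. The sample firewall text is constructed from the zones, forwarding and rules posted in the thread (vlan2, vlan3 with its 'block vlan3 to vlan2' rule, and the iot zone with 'iot-to-ha'), trimmed to the options that decide forwarding; the subnet-to-zone table and every function name are assumptions for the example.

```python
import ipaddress
import shlex

# Constructed sample, assembled from the firewall sections posted in this thread
# and trimmed to the options that decide forwarded traffic. It is not a capture
# of anyone's real /etc/config/firewall.
SAMPLE_FIREWALL = """
config defaults
	option forward 'REJECT'
config zone
	option name 'vlan2'
	option forward 'ACCEPT'
	option masq '1'
	list network 'vlan2'
config zone
	option name 'vlan3'
	option forward 'REJECT'
	list network 'vlan3'
config forwarding
	option src 'vlan3'
	option dest 'vlan2'
config rule
	option name 'block vlan3 to vlan2'
	list proto 'all'
	option src 'vlan3'
	option dest 'vlan2'
	list dest_ip '192.168.2.0/24'
	option target 'REJECT'
config zone
	option name 'iot'
	option forward 'REJECT'
	list network 'vlan1'
config rule
	option name 'iot-to-ha'
	option src 'iot'
	option dest 'vlan2'
	list dest_ip '192.168.2.100'
	option target 'ACCEPT'
"""

# Assumed addressing, mirroring the thread. Anything outside these subnets is
# "the internet", which leaves through the default route on the vlan2 zone.
SUBNET_ZONES = {"192.168.1.0/24": "iot", "192.168.2.0/24": "vlan2", "192.168.3.0/24": "vlan3"}


def parse_uci(text):
    """Minimal parser for the UCI file format: 'config <type> [name]' opens a
    section; 'option k v' and 'list k v' attach values to the current one."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts:
            continue
        if parts[0] == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                   "options": {}, "lists": {}}
            sections.append(cur)
        elif parts[0] == "option":
            cur["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list":
            cur["lists"].setdefault(parts[1], []).append(parts[2])
    return sections


def zone_for(ip):
    for cidr, zone in SUBNET_ZONES.items():
        if ip in ipaddress.ip_network(cidr):
            return zone
    return "vlan2"  # default route: internet-bound traffic exits via the vlan2 zone


def rule_matches(rule, src, dst, ip, proto):
    o, l = rule["options"], rule["lists"]
    if o.get("src") != src or o.get("dest") != dst:
        return False
    # fw4's default for 'proto' is 'tcp udp': a rule without 'list proto' never matches ICMP
    protos = set()
    for p in l.get("proto") or [o.get("proto", "tcp udp")]:
        protos.update(p.split())
    if "all" not in protos and proto not in protos:
        return False
    cidrs = l.get("dest_ip") or ([o["dest_ip"]] if "dest_ip" in o else [])
    return not cidrs or any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def forward_verdict(sections, src, dst_ip, proto="tcp"):
    """Verdict for a new flow forwarded from zone `src` to `dst_ip`, in fw4's order:
    traffic rules (file order) -> forwarding section -> source zone's own 'forward'
    policy (same-zone traffic only) -> 'defaults' forward policy."""
    ip = ipaddress.ip_address(dst_ip)
    dst = zone_for(ip)
    for s in sections:
        if s["type"] == "rule" and rule_matches(s, src, dst, ip, proto):
            return s["options"].get("target", "DROP"), f"rule '{s['options'].get('name')}'"
    for s in sections:
        o = s["options"]
        if s["type"] == "forwarding" and o.get("src") == src and o.get("dest") == dst:
            return "ACCEPT", f"forwarding {src}->{dst}"
    if src == dst:
        zone = next(s for s in sections if s["type"] == "zone" and s["options"].get("name") == src)
        return zone["options"].get("forward", "REJECT"), f"zone '{src}' forward policy"
    defaults = next(s for s in sections if s["type"] == "defaults")
    return defaults["options"].get("forward", "REJECT"), "defaults forward policy"


if __name__ == "__main__":
    fw = parse_uci(SAMPLE_FIREWALL)
    for src, ip, proto in [("vlan3", "8.8.8.8", "tcp"), ("vlan3", "192.168.2.100", "tcp"),
                           ("vlan2", "192.168.3.10", "tcp"), ("iot", "192.168.2.100", "tcp"),
                           ("iot", "192.168.2.100", "icmp"), ("iot", "8.8.8.8", "tcp")]:
        verdict, why = forward_verdict(fw, src, ip, proto)
        print(f"{src:5} -> {ip:14} {proto:4}: {verdict:6} ({why})")
```

Two things the model makes visible that the config file alone does not. First, the 'iot-to-ha' rule has no `list proto`, so it only covers TCP and UDP: a ping from an IoT device to 192.168.2.100 is still rejected, which is easy to misread as "the rule does not work". Second, the 'block vlan3 to vlan2' rule covers 192.168.2.1 too, so miners that used the upstream router for DNS would lose name resolution; it is harmless here only because the poster's devices use 8.8.8.8 and 8.8.4.4. The model reflects what the file says, not what is loaded: when a live box disagrees with it, as in the post that follows, `fw4 print` shows the ruleset fw4 derives from the current file and `fw4 reload` applies it, which is the practical way to rule out a stale configuration before looking elsewhere.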

Below is my config after the changes. But the devices on vlan3 can still visit vlan2 devices (the opposite doesn't work). My guess is that 192.168.2.1 is serving them to vlan3?

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'vlan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'vlan2'

config zone
	option name 'vlan3'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vlan3'

config forwarding
	option src 'vlan3'
	option dest 'vlan2'

config rule
	option name 'block vlan3 to vlan2'
	list proto 'all'
	option src 'vlan3'
	option dest 'vlan2'
	list dest_ip '192.168.2.0/24'
	option target 'REJECT'

This shouldn't be possible. Did you restart the router? How are you testing? Is this the complete firewall file?