Same network being VLAN on one interface and being untagged on the other?

Some-Dinosaur · April 12, 2025, 9:30pm

Hello,
I am trying to set up a few networks to be forwarded to my access point. I have no idea how to tackle this. I feel like I just don't understand how it works and I'm misusing it all the way.

I have 4 networks:

Lan (access to WAN and Internal)
VPN Lan (access to VPN and Internal)
Internal (no access to WAN or VPN)
Guest (access to VPN, no access to LAN)

My attempt has been to create 4 bridge devices, for each of these networks:

br-lan
br-vpnlan
br-internal
br-guest

Each of these would have Bridge VLAN filtering. So for example, I want Lan to be available directly on eth0 and through VLAN on eth3 so I made it look like this. Notice the Untagged on eth0 and Tagged on eth3:

Then if I want to add Guest to the eth3 I'd just set uo Bridge VLAN filtering to the br-guest?

_bernd · April 12, 2025, 9:44pm

If your devise supports DSA then you only need and should have a single bridge interface. And of course with vlan bridge filtering enabled.
Then you create 4 vlans, one for each of your networks. Of course you need dhcp pools yadda yadda.
Each vlan can be assigned to it's own firewall zone and rules between these zones are then created as usual.

Some-Dinosaur · April 12, 2025, 9:52pm

I have no idea what most of this means... But I think I feel what you're saying. You say I had better make a single Bridge device and create Interfaces based on VLAN numbers I assigned in the mothership bridge device?