- You've got both VLANs connected to br-lan: remove VLAN2 from it, then create a new interface (e.g. "LAN2") with just VLAN2 in it and give it IP-address 192.168.2.1 or similar.
- Create a new firewall-zone for LAN2 and disable forwarding from LAN<->LAN2
- Create a new firewall-rule for LAN2 to allow forwarding from LAN2 to !192.168.1.0/24 -- the exclamation mark inverts that rule, i.e. it basically says "allow forwarding to anything except the 192.168.1.0/24 network".
- You need to add a static route on your main router for 192.168.2.0/24, with 192.168.1.2 as the gateway.
- Add a firewall-rule for the LAN zone to allow forwarding from !192.168.1.0/24 to the LAN2 zone, or allow forwarding from any to LAN2 if you want to be able to connect from LAN to LAN2, but not vice versa.
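The steps above written out as OpenWrt UCI config, added here as an example and not taken from the post: the VLAN 2 device name `eth0.2` and the zone name `lan2` are assumptions, and the `!` prefix on `dest_ip`/`src_ip` is the same inversion the post describes.

```uci
# /etc/config/network -- LAN2 gets only VLAN 2; remove eth0.2 from br-lan first.
# (eth0.2 is an assumed device name; on DSA switches it is e.g. lan1.2)
config interface 'LAN2'
	option proto 'static'
	option device 'eth0.2'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

# /etc/config/firewall -- separate zone, no 'config forwarding' stanza
# between lan and lan2 in either direction, so they are isolated by default.
config zone
	option name 'lan2'
	list network 'LAN2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# LAN2 may reach the upstream router (and thus the Internet) via the LAN
# zone, but not any host inside 192.168.1.0/24 itself.
config rule
	option name 'Allow-LAN2-to-anything-but-LAN'
	option src 'lan2'
	option dest 'lan'
	option dest_ip '!192.168.1.0/24'
	option target 'ACCEPT'

# Traffic arriving through the LAN zone from outside 192.168.1.0/24 (i.e.
# routed in by the main router) may be forwarded to LAN2; LAN hosts still
# cannot initiate connections into LAN2.
config rule
	option name 'Allow-non-LAN-to-LAN2'
	option src 'lan'
	option src_ip '!192.168.1.0/24'
	option dest 'lan2'
	option target 'ACCEPT'

# On the main router (not OpenWrt config): static route
#   192.168.2.0/24 via 192.168.1.2
# so replies to LAN2 hosts come back through this device.
```

Reload with `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, then confirm from a LAN2 host that 192.168.1.x hosts are unreachable while external addresses still resolve and respond.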