Transforming a UDP Broadcast Packet to a Unicast Packet to traverse subnets

The server is already in a separate VLAN: the "main bridge" (br-lan) uses the main wifi and 3 out of 4 ports in the router, and is assigned its own VLAN, firewall zone "lan" and the subnet 192.168.1.0. The server is on a different bridge with the 4th port and a separate wifi, the 192.168.2.0 subnet, a separate firewall zone and a separate VLAN.

I hope I gave you enough details. Could you please elaborate a bit more on your proposal? As I said, my networking skills are quite basic (actually I'm impressed I even managed to get this far...)

Thank you both @dlakelan and @vgaetera for your support. I ended up convincing myself that the best thing to do is to put the server in my same subnet, and achieving filtering through the bridge interfaces. I'll open a new thread for that.

EDIT: apparently my idea is not possible (see How to share the same subnet across two bridge interfaces? - #4 by psherman) so @dlakelan if you could please elaborate a bit more it would be great.


The proposal is a little complicated I guess.

I'm thinking: on the server, create two tagged VLANs, one for its current DMZ or whatever and one for the LAN where you want to provide services. Then on the router you tag packets on the Ethernet port it's connected to. Finally, if you want to be able to filter stuff you would need to actually use tagged packets in a different VLAN and bridge that with the LAN in a Linux bridge, otherwise the switch will bridge them unfiltered.

Yeah, way beyond my skills I think.

I am reasoning about a simpler solution as said in the other thread (and I will try to keep it even simpler by throwing the server in the same firewall zone and creating a rule to block every outgoing traffic from the server to other LAN clients, except the only few that I will allow with another rule).
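What that last idea looks like in OpenWrt's /etc/config/firewall syntax, as an added example that is not from the thread or its participants: both bridges sit in the "lan" zone, an allow rule for the few permitted destinations is listed first, and a catch-all reject for the server follows it. The interface name 'srv', the server address 192.168.2.10 and the permitted client 192.168.1.20 on TCP 445 are assumptions, since the thread does not state them.

```text
# /etc/config/firewall (excerpt). Added example, not the poster's config.
# Assumed values (not given in the thread): the server bridge's interface is
# called 'srv', the server is 192.168.2.10, and the only thing it may open
# towards the main LAN is TCP port 445 on the client 192.168.1.20.

config zone
	option name 'lan'
	list network 'lan'
	list network 'srv'        # assumed name of the second bridge's interface
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'   # intra-zone forwarding stays on; the rules below narrow it

# Rules are evaluated in file order, so the allow rule must come first.
config rule
	option name 'srv-to-client-allowed'
	option src 'lan'
	option src_ip '192.168.2.10'
	option dest 'lan'
	option dest_ip '192.168.1.20'
	option dest_port '445'
	option proto 'tcp'
	option target 'ACCEPT'

# Catch-all: every other connection the server initiates into 192.168.1.0/24
# is rejected. Replies to connections that LAN clients opened towards the
# server are unaffected, because established/related traffic is accepted
# before these zone rules are reached.
config rule
	option name 'srv-to-lan-block'
	option src 'lan'
	option src_ip '192.168.2.10'
	option dest 'lan'
	option dest_ip '192.168.1.0/24'
	option proto 'all'
	option target 'REJECT'
```

Apply it with `/etc/init.d/firewall restart` and confirm from the server that only the allowed destination answers.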