Hi, I'm struggling to figure out how to make a VLAN to isolate all the devices connected to a given ethernet port from the rest of my LAN. I have OpenWRT installed on an Archer C7 which acts as the gateway for my network, i.e. my ISP-provided modem is in bridge mode connected to its WAN port, and everything else is connected to its LAN ports.
What I tried was to change the default VLAN configuration in /etc/config/network from:

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4 5'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

to:

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 3 4 5'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '0t 2'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'lanseparete'
	option type 'bridge'
	option ifname 'eth1.3'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
Here port 0 is the CPU port for eth1 on my device, and VLAN 2 is the one preconfigured for WAN. I also checked the changes in the LuCI interface and made sure that all the settings for the lanseparate interface were identical to the lan interface except, of course, for the 'eth1.x' ifname and the IP address, so it should have been able to do DHCP correctly. Lastly, I made the same firewall zone forwarding rule for lanseparate=>wan as already existed for lan=>wan.
I'm not sure which logs or config files would be useful for troubleshooting this, but the apparent error I'm getting is shown on the LuCI Interfaces page, where lanseparate fails to start and gives the error "Network device is not present". And, as expected, when I connect a device to the Ethernet port in lanseparate, it just doesn't get assigned an IP address.
I feel like I've misunderstood something about how VLANs can be configured, and possibly whether this is something my hardware can do at all. If so, is there a nice way to define some firewall rules with a list of IP addresses that cannot send or receive any packets from any unlisted addresses on the LAN subnet besides the gateway?
Thanks.
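Added example, not code from the post above or from OpenWrt: a small checker that parses the UCI text of /etc/config/network and /etc/config/firewall and reports the configuration mistakes that typically leave a swconfig VLAN interface undefined or not actually isolated from the main LAN. It assumes the swconfig-style layout shown in the post (port 0 as the tagged CPU port for eth1, interfaces named ethX.N), and the two sample configs are constructed to mirror the post's "TO" section and a zone-based firewall where the separate VLAN's zone has `forward 'REJECT'` and a single forwarding to wan. The network sample deliberately keeps the post's spelling of the section name, 'lanseparete', while the zone refers to 'lanseparate', so the checker has a mismatch to find.

```python
"""Sanity-check an OpenWrt (swconfig) VLAN layout and its firewall zones.

Added example, not code from the original post or from OpenWrt. Parses UCI text
and reports mistakes that leave a VLAN interface undefined or not isolated.
"""
import re
from typing import Dict, List

Section = Dict[str, object]

# Constructed sample modelled on the post's "TO" config (WAN VLAN and wan
# interface omitted for brevity). Note the section is named 'lanseparete'.
NETWORK = """
config switch_vlan
    option vlan '1'
    option vid '1'
    option ports '0t 3 4 5'

config switch_vlan
    option vlan '3'
    option vid '3'
    option ports '0t 2'

config interface 'lan'
    option ifname 'eth1.1'
    option ipaddr '192.168.1.1'

config interface 'lanseparete'
    option ifname 'eth1.3'
    option ipaddr '192.168.2.1'
"""

# Constructed firewall sample: the isolated zone may forward to wan only.
FIREWALL = """
config zone
    option name 'lan'
    list network 'lan'
    option forward 'ACCEPT'

config zone
    option name 'lanseparate'
    list network 'lanseparate'
    option forward 'REJECT'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'lanseparate'
    option dest 'wan'
"""


def parse_uci(text: str) -> List[Section]:
    """Minimal parser for UCI 'config' / 'option' / 'list' lines."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"config\s+(\S+)(?:\s+'?([^']*?)'?)?", line)
        if m:
            sections.append({".type": m.group(1), ".name": m.group(2) or "", "_list": {}})
            continue
        m = re.fullmatch(r"(option|list)\s+(\S+)\s+'?([^']*?)'?", line)
        if m and sections:
            kind, key, val = m.groups()
            if kind == "option":
                sections[-1][key] = val
            else:
                sections[-1]["_list"].setdefault(key, []).append(val)  # type: ignore[attr-defined]
    return sections


def check_config(network_text: str, firewall_text: str, cpu_port: str = "0") -> List[str]:
    """Return human-readable problems; empty when the layout is consistent."""
    network, firewall = parse_uci(network_text), parse_uci(firewall_text)
    problems: List[str] = []
    vlans = [s for s in network if s[".type"] == "switch_vlan"]
    ifaces = [s for s in network if s[".type"] == "interface"]

    untagged_in: Dict[str, str] = {}  # switch port -> vid that carries it untagged
    for v in vlans:
        vid = str(v.get("vid"))
        ports = str(v.get("ports", "")).split()
        if cpu_port + "t" not in ports:  # assumption: CPU port must be tagged in every VLAN
            problems.append(f"vid {vid}: CPU port {cpu_port} is not tagged")
        for p in ports:
            if p.endswith("t"):
                continue  # tagged membership may be shared between VLANs
            if p in untagged_in:
                problems.append(f"port {p} is untagged in both vid {untagged_in[p]} and vid {vid}")
            untagged_in[p] = vid

    vids = {str(v.get("vid")) for v in vlans}
    for i in ifaces:  # every ethX.N needs a switch_vlan with vid N
        m = re.fullmatch(r"eth\d+\.(\d+)", str(i.get("ifname", "")))
        if m and m.group(1) not in vids:
            problems.append(f"interface {i['.name']}: {i['ifname']} has no switch_vlan with vid {m.group(1)}")

    names = {i[".name"] for i in ifaces}
    for z in (s for s in firewall if s[".type"] == "zone"):
        nets = z["_list"].get("network") or str(z.get("network", "")).split()  # type: ignore[attr-defined]
        for net in nets:
            if net not in names:
                problems.append(f"zone {z.get('name')}: network '{net}' is not a defined interface")
    return problems


def forward_targets(firewall_text: str, zone: str) -> List[str]:
    """Zones that traffic from `zone` may be forwarded to (zone-to-zone policy only)."""
    return sorted(str(s["dest"]) for s in parse_uci(firewall_text)
                  if s[".type"] == "forwarding" and s.get("src") == zone)


if __name__ == "__main__":
    for line in check_config(NETWORK, FIREWALL) or ["no problems found"]:
        print(line)
    print("lanseparate may forward to:", forward_targets(FIREWALL, "lanseparate"))
```

Run as a script it prints the one inconsistency in the samples (the zone names an interface that does not exist under that spelling), and `forward_targets` shows that, with the zone's own forward policy set to REJECT and no forwarding toward lan, hosts on the separate VLAN can reach the gateway itself and wan but not the main LAN. That zone-level policy is how OpenWrt's firewall expresses the isolation asked for in the last paragraph, without per-IP rules. The checker only validates the text of the config; it cannot tell whether the kernel actually created eth1.3, which is what "Network device is not present" is about, and for that the output of `swconfig dev switch0 show` and `ip link` on the router is the place to look.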