Assign VPN to second LAN?

I’d like to create a dedicated, always-operational VPN LAN, by assigning port 4, port 6, and eth2 (assigned to VLAN 2 by default) to a separate subnet.

I’m a networking n00b, so I was hoping to get someone with more experience to check my work before I do something that is going to cause me a lot of headaches.

Thus far, I have an operational VPN client and guest WiFi network.

Current settings

OpenVPN

I have the OpenVPN client configured and functioning as expected.

Additions to /etc/config/network:

config interface 'vpn_interface'
	option proto 'none'
	option ifname 'tun0'

Additions to /etc/config/firewall:

config zone
	option name 'vpn_zone'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'vpn_interface'

config forwarding
	option src 'lan'
	option dest 'vpn_zone'

Guest network

Additions to /etc/config/network:

config interface 'guest_interface'
	option _orig_ifname 'wlan1'
	option _orig_bridge 'false'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

Additions to /etc/config/dhcp:

config dhcp 'guest_interface'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'guest_interface'
	list dhcp_option '6,192.168.2.1'

Additions to /etc/config/firewall:

config zone
	option name 'guest_zone'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest_interface'
	option input 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'guest_zone'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'  # standard DNS port (5353 is mDNS)
	option name 'Allow Guest DNS Access'
	option src 'guest_zone'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'Allow Guest DHCP Access'
	option src 'guest_zone'

Proposed settings

Changes to /etc/config/network:

# remove eth2 from 'lan'
config interface 'lan'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option _orig_ifname 'eth0 wlan0' # changed
	option _orig_bridge 'true'
	option ifname 'eth0' # changed

# add eth2 to guest; bridge connection
config interface 'guest_interface'
	option _orig_ifname 'eth2 wlan1' # changed
	option _orig_bridge 'true' # changed
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option type 'bridge' # new
	option ifname 'eth2'  # new

Changes to /etc/config/firewall:

# forward the guest network's traffic to the VPN
# (src/dest take firewall zone names, not interface names)
config forwarding
	option src 'guest_zone'
	option dest 'vpn_zone'

Questions

  1. Do I need to tag the VLAN ports? I’m thinking ‘no’ as each VLAN is assigned to its own Ethernet port (eth0 and eth2).
  2. Do I need to bridge the connections? I added this to the guest_interface. What does bridging do?
  3. Are there any other changes that I need to make?
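An added consistency check, not part of the post: a small Python lint (`lint_firewall`, a name chosen here) over UCI text that flags `config forwarding` entries whose `src`/`dest` name an interface instead of a firewall zone, and zone `network` entries with no matching `config interface`. The sample configs below are constructed to show the slip, not the poster's actual files.

```python
import shlex

def parse_uci(text):
    # Parse OpenWrt UCI text into (type, name, {option: [values]}) tuples.
    sections = []
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)   # honours quotes, drops # comments
        if parts and parts[0] == 'config':
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts and parts[0] in ('option', 'list') and sections:
            sections[-1][2].setdefault(parts[1], []).extend(parts[2:])
    return sections

def lint_firewall(network_cfg, firewall_cfg):
    # Return problem strings; [] means every zone/forwarding reference resolves.
    ifaces = {name for typ, name, _ in parse_uci(network_cfg) if typ == 'interface'}
    fw = parse_uci(firewall_cfg)
    zones = {opts['name'][0] for typ, _, opts in fw if typ == 'zone' and 'name' in opts}
    problems = []
    for typ, _, opts in fw:
        if typ == 'zone':   # zone 'network' must list interfaces from /etc/config/network
            for net in ' '.join(opts.get('network', [])).split():
                if net not in ifaces:
                    problems.append(f"zone {opts.get('name', ['?'])[0]!r}: network {net!r} is not an interface")
        elif typ == 'forwarding':   # src/dest must be zone names, not interface names
            for key in ('src', 'dest'):
                val = opts.get(key, [None])[0]
                if val not in zones:
                    hint = " (that is an interface; use the zone's 'name')" if val in ifaces else ""
                    problems.append(f"forwarding {key}={val!r}: not a defined zone{hint}")
    return problems

# Constructed sample (not the poster's files): the forwarding uses an interface name as src.
NETWORK_CFG = """
config interface 'guest_interface'
	option ifname 'eth2'
config interface 'vpn_interface'
	option ifname 'tun0'
"""
FIREWALL_CFG = """
config zone
	option name 'guest_zone'
	option network 'guest_interface'
config zone
	option name 'vpn_zone'
	option network 'vpn_interface'
config forwarding
	option src 'guest_interface'   # should be the zone name 'guest_zone'
	option dest 'vpn_zone'
"""
```

Running `lint_firewall(NETWORK_CFG, FIREWALL_CFG)` reports the forwarding `src` as an interface name, and an empty list once it is changed to `guest_zone`.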