By using two bridges, one for each LAN (say LAN1 and LAN2), or one LAN on a bridge and one LAN by itself, there is no need for VLANs.
They will be separated. In firewall rules, if your last forward rule is DROP ALL else, then you are good to go.
If you don't have this rule, then simply state LAN1 to LAN2 drop and LAN2 to LAN1 drop.
Create new Bridge
Name: mybridge
(and keep the VLAN filtering option off for now)
VLAN config (don't use VLAN1; very confusing, bad idea)
VLAN10 - company
VLAN20 - private
Bridge port config
eth2-10
interface: mybridge
Standard stuff:
IP addresses (for example, address: 192.168.10.1/24 network: 192.168.10.0 interface: mybridge)
IP pool (dhcp-work, 192.168.10.2-192.168.10.100)
IP DHCP Server: DHCP (link to VLAN interface as required and IP pool), DHCP Network (as required; the format for the address here is 192.168.10.0/24)
Go back to the Bridge menu and select the VLAN tab on the right
Double click on the bridge name, or add the bridge name if it is not there,
add VLANs (10, 20)
add the bridge itself as tagged (mybridge)
add all physical ports containing at least one VLAN (2-10)
(Just to be clear, there is only one bridge entry under this tab in this case, so you use the add lines feature to add a single column of entries, so to speak.)
Go back to the Bridge Tab on the Bridge Menu
double click on the Bridge name itself
Select the VLAN tab in the popup menu and select filtering (checkmark in the box).
If all is good, then it's safe to UNDO Safe mode and try out the setup.
One WAN means a simple masquerade rule, assuming it's a dynamic WANIP.
add chain=srcnat out-interface=wan action=masquerade
For firewall rules:
It depends.
a. With a drop-all-else rule at the end of the forward chain, you are good to go.
b. With no such rule, you will need a VLAN10 to VLAN20 drop rule and a VLAN20 to VLAN10 drop rule.
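
As an added example, not part of the original post: a small Python check that replays a new connection between the two VLANs against an exported forward chain, covering cases (a) and (b) above. The interface names vlan10 and vlan20, the sample rule sets, and the limited set of matchers handled are assumptions; RouterOS accepts a forwarded packet that no rule matches, which is why one of the two options is needed.

```python
import shlex

SUPPORTED = {"chain", "action", "in-interface", "out-interface",
             "connection-state", "comment"}

def parse_rules(export_text):
    """Parse unwrapped 'add key=value ...' lines of a filter export."""
    rules = []
    for line in export_text.splitlines():
        if not line.strip().startswith("add "):
            continue  # section header or blank line
        rule = dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
        if set(rule) - SUPPORTED:
            raise ValueError(f"unsupported matcher in: {line.strip()}")
        rules.append(rule)
    return rules

def _if_match(pattern, iface):
    # An absent matcher matches everything; a leading "!" negates it.
    return pattern is None or (
        iface != pattern[1:] if pattern.startswith("!") else iface == pattern)

def forward_verdict(rules, in_if, out_if, state="new"):
    """First terminating forward rule wins; no match means accept."""
    for r in rules:
        states = r.get("connection-state")
        if r.get("chain") != "forward" or (states and state not in states.split(",")):
            continue
        if r.get("action", "accept") in ("log", "passthrough"):
            continue  # non-terminating actions
        if (_if_match(r.get("in-interface"), in_if)
                and _if_match(r.get("out-interface"), out_if)):
            return r.get("action", "accept")
    return "accept"

def isolated(rules, a="vlan10", b="vlan20"):
    return all(forward_verdict(rules, s, d) in ("drop", "reject")
               for s, d in ((a, b), (b, a)))

# Constructed sample exports (interface names are assumptions).
OPTION_A = """/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward in-interface=vlan10 out-interface=wan
add action=accept chain=forward in-interface=vlan20 out-interface=wan
add action=drop chain=forward comment="drop all else"
"""
OPTION_B = """/ip firewall filter
add action=drop chain=forward in-interface=vlan10 out-interface=vlan20
add action=drop chain=forward in-interface=vlan20 out-interface=vlan10
"""
NEITHER = "/ip firewall filter\nadd action=accept chain=forward connection-state=established,related\n"
```

isolated(parse_rules(text)) is true for OPTION_A and OPTION_B and false for NEITHER; a rule using any other matcher raises ValueError rather than being guessed at.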