So I'm trying to tie this up at home out of curiosity: how does one properly do the following configuration (on RB750GL / RB951G-2HnD)?
To get the main question out of the way: Why? Because it's really convenient, what one could consider out of the box features for any IoT home, and technically not all that complex.
And I'm not looking for static configurations where one uses dedicated ports for tagging, etc, because all this can surely flow peacefully in parallel.
Simple config:
Ethernet1 = WAN (public subnet, x.x.x.x/24)
Rest = LAN (private subnet 192.168.x.0/24, etc)
Normal untagged LAN traffic should be NATed to WAN (for basic clients, laptops, etc.)
LAN tagged VLAN44 traffic (on other switch) should be bridged to WAN (for IPTV, servers, etc)
This is all simple, you just bridge WAN and VLAN44 interfaces and SRC-NAT LAN clients.
But... some (non-bridged) WAN IP ports need port forwarding (DST-NAT) to LAN clients (including, but besides UPnP).
So, obviously I still want to retain "normal" firewall functionality (like DST-NAT) for non-bridged traffic, which doesn't seem possible if the WAN interface is bridged (not master) to VLAN44 (which bridging basically "breaks", and using the IP firewall slows down).
And then there is the additional bonus of getting hairpin NAT for LAN clients trying to access WAN IPs.
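One way to lay out the setup described above, as an added RouterOS (v6-style CLI) example that is not part of the original post: the LAN ports form one bridge, VLAN 44 is created on top of that bridge and placed in a second bridge together with ether1, and the public address lives on that WAN bridge. All interface names, the 192.168.88.0/24 and 203.0.113.0/24 addresses, the forwarded host and port are constructed placeholders. The example assumes that traffic addressed to the router's own public IP is terminated on bridge-wan and therefore passes through the IP firewall (so DST-NAT and hairpin NAT apply to it), while frames for other hosts in the public subnet are switched across the bridge and never reach /ip firewall unless use-ip-firewall is enabled on the bridge.

```routeros
# Constructed example, not from the post: names, addresses and ports are assumptions.

# LAN bridge carrying untagged client traffic on ether2-ether5
/interface bridge add name=bridge-lan
/interface bridge port add bridge=bridge-lan interface=ether2
/interface bridge port add bridge=bridge-lan interface=ether3
/interface bridge port add bridge=bridge-lan interface=ether4
/interface bridge port add bridge=bridge-lan interface=ether5

# VLAN 44, tagged on the LAN side, rides on top of the LAN bridge
/interface vlan add name=vlan44 interface=bridge-lan vlan-id=44

# Bridge the WAN port with VLAN 44 so tagged hosts (IPTV, servers) sit in the public subnet
/interface bridge add name=bridge-wan
/interface bridge port add bridge=bridge-wan interface=ether1
/interface bridge port add bridge=bridge-wan interface=vlan44

# Router addresses: private gateway on the LAN bridge, public IP on the WAN bridge
/ip address add address=192.168.88.1/24 interface=bridge-lan
/ip address add address=203.0.113.10/24 interface=bridge-wan
/ip route add gateway=203.0.113.1

# Untagged LAN clients are source-NATed behind the router's public IP
/ip firewall nat add chain=srcnat out-interface=bridge-wan action=masquerade \
    comment="LAN -> WAN"

# Port forward: TCP/443 on the router's public IP to a LAN host.
# No in-interface match, so the same rule serves WAN clients and hairpinned LAN clients.
/ip firewall nat add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.20 to-ports=443 comment="forward HTTPS"

# Hairpin NAT: a LAN client hitting the public IP is dst-natted above; rewriting its
# source too makes the server reply via the router instead of directly to the client.
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.20 \
    protocol=tcp dst-port=443 action=masquerade comment="hairpin NAT"

# Forward chain: only return traffic and explicitly forwarded connections come in from WAN
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=bridge-wan connection-nat-state=dstnat \
    action=accept comment="allow only dst-natted connections from WAN"
/ip firewall filter add chain=forward in-interface=bridge-wan action=drop
```

The filter rules only govern routed traffic; hosts on VLAN 44 are exposed to the public subnet directly, so they need their own host firewalls or bridge filter rules, and enabling use-ip-firewall on bridge-wan would bring bridged frames into /ip firewall at the performance cost the post mentions.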