It’s only posted here at the moment. Please feel free to use it any way you like. I had a lot of trouble when I first tried your method, then noticed that you’d configured vlan2 with ifconfig rather than assigning it to the bridge and letting vlan2 float like the private net. Once I made that change it was pretty easy.

Since the policies in DD-WRT and most other similar packages are all ACCEPT, it is difficult to do this with the router in gateway mode. Changing that takes most of the rules out of the table and makes it pretty easy to just append rules. It also removes most of the nat rules which aren’t just the way they should be.

My rules above are pretty skimpy. I’ve added more in my real installation, right where the PING rule is… That one obviously is not really needed but does make debugging easier. A lot of rules can be stuck in to firewall the DMZ and control packets that are not correct (! -syn NEW, etc.), but for clarity I left all that stuff out.

I’m going to post this in the DD-WRT forum, but having a clean article would be nice for people as well.

Best regards,

Michael
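The rule set the comment describes (default policies flipped to DROP, a short explicit ACCEPT list, a PING rule kept for debugging, and a catch for non-SYN packets in state NEW) as an added example; this is not Michael's actual configuration and not DD-WRT's shipped firewall script. The interface names (vlan1 for WAN, br0 for the private LAN bridge, vlan2 for the DMZ) are assumptions and vary between DD-WRT builds. The script prints the iptables commands by default so the rule set can be reviewed before it is loaded; set APPLY=1 to execute them on the router.

```shell
#!/bin/sh
# Added example, not the commenter's rule set: default-DROP iptables policies
# with a small explicit ACCEPT list for a router with a private LAN and a DMZ.
# Interface names are assumptions; check `ip link` on your own DD-WRT build.
WAN_IF="${WAN_IF:-vlan1}"
LAN_IF="${LAN_IF:-br0}"
DMZ_IF="${DMZ_IF:-vlan2}"

# fw_rules prints the commands instead of running them, so the whole rule set
# can be read (or checked by a script) before it touches a live router.
# Anything not explicitly accepted below is dropped by the chain policy, which
# is what makes the list short: DMZ -> LAN, for example, needs no rule to be blocked.
fw_rules() {
  cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i $LAN_IF -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# count_rules_for CHAIN: number of generated "-A CHAIN" rules, handy for a
# quick sanity check that the list is as short as intended.
count_rules_for() {
  fw_rules | grep -c -- "-A $1 "
}

# apply_rules loads the generated commands into the running kernel.
apply_rules() {
  fw_rules | sh
}

# Dry run by default; APPLY=1 executes the rules.
if [ "${APPLY:-0}" = "1" ]; then apply_rules; else fw_rules; fi
```

The order matters: the state rules come first so return traffic is handled without evaluating the interface rules, and the "! --syn NEW" drop sits before any ACCEPT so a stray mid-stream segment never matches an interface rule. The PING rule accepts echo-request on every interface, which is the debugging convenience the comment mentions; tighten it with -i once the setup works.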