VLAN Detached Networks - Linksys E2500
From DD-WRT Wiki
 General Info
|DD-WRT Port||Hardware/GUI Port|
 Default VLANs
 WAN <-> VLAN2
By default the WAN interface is assigned to VLAN2. This must remain true. It's able to be modified via both GUI and CLI, but doing so causes unpredictable results. Also, there is an nvram variable wan_default set to vlan2. Modifying this variable has no effect even after committing and rebooting. So often times when using Apply Results from the GUI, the WAN interface gets set back to VLAN2. I assume a reboot sets it back to VLAN2 as well. Again, bottom line is leave the WAN assigned to VLAN2.
 LAN <-> VLAN1
By default the LAN interface is assigned to VLAN1. This can be changed, but leaving it as-is is much simpler because the default br0 bridge that bridges wireless and LAN defaults to bridging wl0 with VLAN1. Also, any changes made in the GUI Setup -> Basic Setup -> RouterIP section will be applied to VLAN1. Bottom line, leave whatever ports your considering your LAN assigned to VLAN1 to keep yourself sane.
My goal was to move ports (as labeled on the router) 1 and 2 to my LAN and ports 3 and 4 to the DMZ. My initial plan was to make my LAN network 192.168.1.0/24 and my DMZ 10.10.0.1/24. That may be possible. At one point I did have that set up and I was able to pass traffic from the LAN to the DMZ. I don't know if DMZ traffic could access the WAN. I think the DD-WRT intention is that all the VLANs be within the 192.168.0.0/16 space. Things went much easier once I went that route. I wound up with the DMZ set to 192.168.10.0/24.
 Split the VLANs
First with VLAN1 and VLAN2 already spoken for, I found it made the most sense to use VLAN0 for the DMZ.
First I tried via the GUI at Setup -> VLANs. However, even after rebooting, checking the CLI, I found that the changes didn't take, so via the CLI:
nvram set vlan0ports="2 3 5"
nvram set vlan1ports="0 1 5*"
nvram set vlan2ports="4 5"
I found that even though the GUI changes didn't actually reassign the ports, they are as equally important as the CLI assignments so that the later GUI config to come is possible, makes sense, matches reality, etc., etc..
From this point out, all config can be done via the GUI.
 Assign Networks
Setup -> Basic Setup -> WAN Connection Type. Set to DHCP or whatever is appropriate for your set up.
Setup -> Basic Setup -> Router IP. Set IP (192.168.1.1) and Netmask (255.255.255.0).
Setup -> Networing -> Port Setup. Change VLAN0 to unbridged and set the IP (192.168.10.1) and Netmask (255.255.255.0).
Administration -> Commands -> Firewall. Type in:
iptables -I FORWARD 7 -j ACCEPT -i vlan0 -o vlan0
And click Save Firewall.
I don't know for sure that this is absolutely necessary, but there is a similar rule for br0, so I added it in just in case. I think it might let ports 3 and 4 talk to one another.
 Port Forwarding
A DMZ wouldn't be very useful if wasn't publicly accessible, so set up port forwarding at: NAT / QoS -> Port Forwarding -> Forwards.
All outbound traffic is already allowed just like it is for the LAN.
--jicit 02:52, 25 May 2014 (CEST)