subscribe to our Youtube


14455 questions

17168 answers


0 members

We are migrating to our new platform at Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
0 votes
872 views 4 comments
by anonymous
Hello to everybody,

I describe here my requirements:
1. i have an internal network. (Interface eth0) This interface should be trusted and belongs to the bridge interface.

2. the 2nd network should be a public network (interface eth0.3), which is strictly separated from my 1st interface.

The devices which are in the public net should get a DHCP address from the LAN interface eth0.3 and a free access to the internet. Nothing more.

Unfortunately I find setting up the firewall rules, very confusing and complex.
I have found an item at my Public Interface LAN2 under FIREWALL SETTINGS--> Create/ Assign firewall-zone. But there I do not get further.

How do I set up the firewall rules correctly on a RUTX09 ?
I would be pleased about a deteaillierte guidance. (step by step)

Thank you very much.
Kind regards

2 Answers

0 votes
by anonymous
Good day, Harris

From your query explanation and requirements, I understand you want to enable a private internal network with no internet access and a public IPv4 network on your RUTX09 router. Please confirm whether I'm right, missing something, or misunderstanding everything at all. Also, it would be helpful if you send us a detailed diagram of your network scenario to have a better picture and scope of the solution.

You could use the following app to do it:

I look forward to reading your answer.

by anonymous
Good evening Adevis,
Thank you for the feedback.
I need a public network that does not have access to the bridge but can access the Internet. (2 separate networks) I hope this is explained in a way that is easy to understand.
I can't easily set this on the RUTX09. Somehow the firewall is not quite as self-explanatory. Many greetings

by anonymous

Hi Harris,

Thanks for explaining again. We will divide the following instructions into three phases: VLAN setup, Interface configuration, and Firewall settings.

1. VLAN setup: 

First, separate your network segments by using Port-based VLANs. Refer to the link below for a detailed configuration setup:

By Reading your query, I will safely assume you are using the VLAN 3 for your public network.

Image example for this configuration:

2. Interface configuration:

After creating your VLANs and adding them to the intended ethernet ports, create a new LAN interface for your public network. 


In your case, assign to your LAN Ipv4 address your first available IPv4 address from your pool. Then, go to physical settings, turn bridge mode on and select only the "eth0.3" interface. To finish, enable the DHCP server in your LAN interface accordingly to your pool size.

DHCP server config:

Leave the other settings by default.

Links to images reference:

Public LAN:

Private LAN bridge mode:

3. Firewall settings:

On your WebUI, follow this path: Network > Firewall > General Settings > Zones. You will see two rules previously created by default. Click on the pencil to edit the "LAN => WAN" zone Forwarding rule. Verify your current covered networks, and select only your private network. (This will not allow your host from different networks to reach each other)

Default rules:

Private LAN forwarding rule:

Now you will have to create a new zone forwarding rule. 

New Public LAN forwarding rule:

Create a new zone forwarding rule by clicking on the ADD button. Choose to Accept all three policies (Input, Output, Forward). Select your public LAN as a covered network and add your WAN zone to allow forward to destination zones. Save the changes and continue.

Check the image in the link:

Next, select the current WAN Zone forwarding rule, click on edit and select Advanced settings. You will see two fields about restricting masquerading from sources and destinations; type in both fields your public network (This will prevent your WAN from masquerading as your LAN traffic). Furthermore, if you don't want your private network to have Internet connectivity, add this network to the mentioned fields.

Image reference:

Lastly, you can verify that the host from different networks can not reach each other. Also, check your internet connectivity from your public network works as expected. However,  be aware that your ISP has to confirm they did the necessary internal routing configuration for your public network to be reachable from the outside.

You may find this link helpful to check your LAN public network IP address connection.

I hope the steps above help to solve your query. I will keep an eye on your comments.


0 votes
by anonymous

Hello Adevs,
thank you very much for your feedback. I have been working on this configuration for a few days now. But unfortunately I don't get any further. :-(
I send you again the configuration as I need it, with some screenshots. I hope you can help me with this. :-)
I need 2 networks on my router. Once a network what is for internal purposes, where I have built a VPN into the headquarters. In this network are my workstations, printers, etc are built.
The other network runs independently of my VPN and is for guests, IoT devices or the WLAN. (the guest network has nothing to do with a public network from the provider). The two networks must be separate from each other and are set as "untrusted".

The devices in the bridge (company network) are sent to the VPN via a network route.So this is only about the devices that are in the guest LAN

The IoT devices and WLAN devices should only receive a DHCP address and then be allowed to access the Internet without a firewall filter. (In the guest network)

I have here the RUTX09 which runs over a mobile SIM card. This makes the dial-up to the Internet.  
Here are the screenshots:Interfaces:

Firewall Settings:

DHCP Settings:

I hope it was clear what my requirements are.

is this configuration possible with the RUTX09 ?
I have not managed so far and is all a little too complex with the RUTX09.

I would be glad about your help.
Many thanks and greetings


by anonymous

Hi Harris

You can do something similar to the instructions above. The procedure is still the same:

1.VLAN Set-up:

Create one additional VLAN for your guest network and assign it to a LAN port. (One VLAN for your Company network and another one for your Guest network)

VLAN config:

2.New Interface Configuration:

Go to network interfaces and add a new interface: "Guest_LAN." In "General Settings," assign the private static IP address; in "Physical Settings," turn on bridge mode and only select the eth0.X (X is the number of your VLAN). In "Firewall Settings," remove the firewall zone by selecting "Unspecified" and finish with configuring the DHCP server. 

Interface config:

DHCP server config:

3.Firewall Settings:

Select the firewall tab and add a new zone for your "Guest_LAN." Choose to Accept all three policies (Input, Output, Forward). In "Covered Networks," select your "Guest_LAN"; in the section "INTER-ZONE FORWARDING," allow forward to destination zones your WAN and save your configuration.

Now, select the WAN Zone forwarding rule; in "INTER-ZONE FORWARDING," add your "Guest_LAN" to the field "Allow forward from source zones"  and click on "Save & Apply."

Zones configuration:

Please bear in mind the RUTX09 has no WIFI modules, so you won't be able to get a WIFI built-in solution on your device.

If you followed the steps above, you should get:

No communication between the host from different networks (Company network - Guest network)

The hosts belonging to the Guest Network will receive IP addresses via DHCP.

The hosts in the Guest network should have internet access.

I hope this information helps you out.