Hi Harris,
Thanks for explaining again. We will divide the following instructions into three phases: VLAN setup, Interface configuration, and Firewall settings.
1. VLAN setup:
First, separate your network segments by using Port-based VLANs. Refer to the link below for a detailed configuration setup:
https://wiki.teltonika-networks.com/view/RUTX09_VLAN#Port_Based
From reading your query, I will safely assume you are using VLAN 3 for your public network.
Image example for this configuration:
https://community.teltonika-networks.com/?qa=blob&qa_blobid=11672508814214920976
2. Interface configuration:
After creating your VLANs and adding them to the intended Ethernet ports, create a new LAN interface for your public network.
https://wiki.teltonika-networks.com/view/RUTX09_Interfaces#General_Setup:_Static
Note:
In your case, assign the first available IPv4 address from your pool as your LAN IPv4 address. Then, go to Physical settings, turn bridge mode on and select only the "eth0.3" interface. To finish, enable the DHCP server in your LAN interface according to your pool size.
DHCP server config:
https://wiki.teltonika-networks.com/view/RUTX09_LAN#DHCP_Server
Leave the other settings by default.
Links to reference images:
Public LAN:
https://community.teltonika-networks.com/?qa=blob&qa_blobid=2169562981460646163
https://community.teltonika-networks.com/?qa=blob&qa_blobid=15841913627977246973
https://community.teltonika-networks.com/?qa=blob&qa_blobid=12215602944591583129
Private LAN bridge mode:
https://community.teltonika-networks.com/?qa=blob&qa_blobid=3152447666515571568
3. Firewall settings:
On your WebUI, follow this path: Network > Firewall > General Settings > Zones. You will see two rules previously created by default. Click on the pencil to edit the "LAN => WAN" zone forwarding rule. Verify your current covered networks, and select only your private network. (This will not allow your hosts from different networks to reach each other.)
Default rules:
https://community.teltonika-networks.com/?qa=blob&qa_blobid=7775776178430269212
Private LAN forwarding rule:
https://community.teltonika-networks.com/?qa=blob&qa_blobid=16633558136746246764
Now you will have to create a new zone forwarding rule.
New Public LAN forwarding rule:
Create a new zone forwarding rule by clicking on the ADD button. Choose to Accept all three policies (Input, Output, Forward). Select your public LAN as a covered network and add your WAN zone to allow forward to destination zones. Save the changes and continue.
Check the image in the link:
https://community.teltonika-networks.com/?qa=blob&qa_blobid=8504197240293762454
Next, select the current WAN zone forwarding rule, click on edit and select Advanced settings. You will see two fields about restricting masquerading from sources and destinations; type your public network in both fields (This will prevent your WAN from masquerading as your LAN traffic). Furthermore, if you don't want your private network to have Internet connectivity, add this network to the mentioned fields.
Image reference:
https://community.teltonika-networks.com/?qa=blob&qa_blobid=3035097831282684378
Lastly, you can verify that the hosts from different networks cannot reach each other. Also, check that internet connectivity from your public network works as expected. However, be aware that your ISP has to confirm they did the necessary internal routing configuration for your public network to be reachable from the outside.
You may find this link helpful to check your LAN public network IP address connection.
https://whatismyipaddress.com/
I hope the steps above help to solve your query. I will keep an eye on your comments.
Regards.
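
For the addressing note in phase 2 above, an added example that is not part of the original post: it derives the public LAN interface address (first available address in the pool) and a DHCP range sized to the rest of the pool, and refuses a pool that overlaps the private LAN. The pool `203.0.113.0/29`, the private LAN default `192.168.1.0/24`, the function name and the result keys are assumptions for illustration, not WebUI field names.

```python
import ipaddress

def plan_public_lan(public_cidr, private_cidr="192.168.1.0/24"):
    """Derive the public LAN interface address and DHCP range from the ISP pool.

    public_cidr  -- routed public pool (constructed sample value in the demo below)
    private_cidr -- existing private LAN; the default here is an assumption
    """
    # strict=True rejects input such as 203.0.113.1/29 where host bits are set
    public = ipaddress.ip_network(public_cidr, strict=True)
    private = ipaddress.ip_network(private_cidr, strict=True)
    if public.version != 4 or private.version != 4:
        raise ValueError("this plan covers IPv4 pools only")
    # Overlapping segments would defeat the separation between the two LANs
    if public.overlaps(private):
        raise ValueError(f"{public} overlaps private LAN {private}")
    # Need the network, the router, at least one client and the broadcast address
    if public.prefixlen > 30:
        raise ValueError(f"{public} has no room for a router plus a DHCP client")

    router = public.network_address + 1          # first available address
    first_client = router + 1                    # DHCP starts after the router
    last_client = public.broadcast_address - 1   # last usable host
    return {
        "interface_ip": str(router),
        "netmask": str(public.netmask),
        "dhcp_first": str(first_client),
        "dhcp_last": str(last_client),
        "dhcp_leases": int(last_client) - int(first_client) + 1,
    }

if __name__ == "__main__":
    # 203.0.113.0/29 is a documentation range standing in for the real pool
    for key, value in plan_public_lan("203.0.113.0/29").items():
        print(f"{key:13} {value}")
```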