in WLan Planet Linux OpenWRT OpenSource ~ read.

Break the Switch into separated ethernet ports / VLANs

At first ... I'm not responsible, if you brick your router by using this documentation. If your fear it would be possible, stop HERE!

The following NVRAM-Settings need to take place:

!/bin/sh

Port 0 into WAN, 5 Router themselv

nvram set vlan1hwname=et0
nvram set vlan1ports="0 5"

Port 2, 3 and 4 into LAN, 5 Router themselv

nvram set vlan0hwname=et0
nvram set vlan0ports="2 3 4 5*"

Port 1 into DMZ, 5 Router themselv

nvram set vlan2hwname=et0
nvram set vlan2ports="1 5*"

Static IP-Address for DMZ-IF

nvram set dmz_ifname=vlan2
nvram set dmz_proto=static
nvram set dmz_ipaddr=172.18.20.5
nvram set dmz_netmask=255.255.255.0

save all the stuff

nvram commit

To bring automatically up the dmz-if, you need to add ifup dmz with:

# sed "s/ifup lan/ifup lan@    ifup dmz/" \
		/etc/init.d/S40network | tr '@' 'n' > /etc/init.d/S40network

To allow traffic forwarded by the new if, you will maybe add for example the following into /etc/firewall.users:

!/bin/sh

DMZ=$(nvram get dmz_ifname)

Allow Forward from DMZ into WAN

iptables -A FORWARD -i $DMZ -o $WAN -j ACCEPT

Allow Forward from DMZ into LAN

iptables -A FORWARD -i $DMZ -o $LAN -j ACCEPT

Allow Forward from LAN into DMZ

iptables -A FORWARD -i $LAN -o $DMZ -j ACCEPT

But it will be better to specify exactly, what services are allowed from and into DMZ!