
Break the Switch into separate Ethernet ports / VLANs

First of all: I'm not responsible if you brick your router by using this documentation. If you fear that could happen, stop HERE!

The following NVRAM settings need to be applied:

#!/bin/sh
# Port 0 into WAN, 5 is the router itself
nvram set vlan1hwname=et0
nvram set vlan1ports="0 5"
# Ports 2, 3 and 4 into LAN, 5 is the router itself
nvram set vlan0hwname=et0
nvram set vlan0ports="2 3 4 5*"
# Port 1 into DMZ, 5 is the router itself
nvram set vlan2hwname=et0
nvram set vlan2ports="1 5*"
# Static IP address for the DMZ interface
nvram set dmz_ifname=vlan2
nvram set dmz_proto=static
nvram set dmz_ipaddr=172.18.20.5
nvram set dmz_netmask=255.255.255.0
# Save all settings
nvram commit

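To bring the DMZ interface up automatically at boot, add ifup dmz after ifup lan in /etc/init.d/S40network. Write the result to a temporary file first, because redirecting straight back into the file being read would truncate it:

# sed "s/ifup lan/ifup lan@    ifup dmz/" \
        /etc/init.d/S40network | tr '@' '\n' > /tmp/S40network
# mv /tmp/S40network /etc/init.d/S40network
# chmod +x /etc/init.d/S40network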

To allow traffic to be forwarded through the new interface, you can add, for example, the following to /etc/firewall.user:

#!/bin/sh
# Interface names are read from NVRAM
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)
DMZ=$(nvram get dmz_ifname)
# Allow forwarding from DMZ into WAN
iptables -A FORWARD -i "$DMZ" -o "$WAN" -j ACCEPT
# Allow forwarding from DMZ into LAN
iptables -A FORWARD -i "$DMZ" -o "$LAN" -j ACCEPT
# Allow forwarding from LAN into DMZ
iptables -A FORWARD -i "$LAN" -o "$DMZ" -j ACCEPT

But it is better to specify exactly which services are allowed from and into the DMZ!
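
A tighter variant of the rules above, as an added example that is not part of the original post. The port lists, the helper names allow and dmz_rules, and the LAN interface name br0 are assumptions; by default the rules are only printed so they can be reviewed before being applied.

```sh
#!/bin/sh
# Added example: per-service forwarding rules for the DMZ.
# Dry run by default (rules are printed). Set IPT=iptables on the router to apply.
IPT=${IPT:-echo iptables}

# allow <in-if> <out-if> <proto> <port> [port...]
# Accept NEW connections for the listed destination ports only.
allow() {
    iif=$1; oif=$2; proto=$3; shift 3
    for port in "$@"; do
        $IPT -A FORWARD -i "$iif" -o "$oif" -p "$proto" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
}

# dmz_rules <wan-if> <lan-if> <dmz-if>
dmz_rules() {
    wan=$1; lan=$2; dmz=$3
    # Replies to connections that one of the rules below admitted
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN -> DMZ: administration (SSH) and the web service (assumed ports)
    allow "$lan" "$dmz" tcp 22 80 443
    # DMZ -> WAN: DNS lookups and HTTP/HTTPS, e.g. for updates (assumed ports)
    allow "$dmz" "$wan" udp 53
    allow "$dmz" "$wan" tcp 53 80 443
    # DMZ -> LAN: no new connections at all; a compromised DMZ host
    # must not be able to reach the internal network.
    $IPT -A FORWARD -i "$dmz" -j DROP
}

# vlan1 (WAN) and vlan2 (DMZ) follow the NVRAM settings above; br0 is a
# constructed sample value. On the router, pass the nvram values instead.
dmz_rules "${WAN:-vlan1}" "${LAN:-br0}" "${DMZ:-vlan2}"
```

The final DROP catches everything from the DMZ that no earlier rule matched, so rule order matters: these lines must not be preceded by the blanket ACCEPT rules.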