I have a Turris Omnia.

I'm hoping to create two separate networks, lan0 (192.168.1.*) and lan1 (192.168.2.*), that resemble this diagram:


My goal is to have an "always-on" VPN running on lan1 that I can join at will by plugging into the LAN4 port on the router or joining the dedicated WiFi network.

The challenging part seems to be getting the DNS and firewall settings to work.

Is this possible? Any advice is appreciated.

** edit 1 **

I think the issue is related to the lan and lan1_interface interfaces in my network configuration. I think I need to fix the _orig_ifname in both and not sure what to do about bridging (or how to configure it).

Also, I don't think the dhcp_option is set correctly for lan1_interface in the dhcp file. What does option 6 do?

I've included my current configuration for completeness. What do I need to change?

Is there a way to add comments to these files? Perhaps using an # or //?

/etc/config/wireless:

# /etc/config/wireless -- reviewed copy. UCI accepts '#' comment lines like
# this one ('//' is not supported); note that `uci commit` and LuCI rewrite
# the file from memory and drop such comments.
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/soc:pcie-controller/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'VHT80'
	option disabled '0'
	option txpower '23'
	option country 'US'

# 5 GHz AP. 'option network lan' is what attaches this radio to the main LAN
# (192.168.1.0/24) -- not the '_orig_ifname' bookkeeping in /etc/config/network.
# 'psk2+tkip+aes' still advertises TKIP, a deprecated cipher; 'psk2+ccmp'
# (AES-CCMP only) is the usual choice unless a legacy client needs TKIP.
config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option disabled '0'
	option encryption 'psk2+tkip+aes'
	option key '[REMOVED]'
	option network 'lan'
	option ssid 'Turris'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option country 'US'
	option hwmode '11g'
	option path 'soc/soc:pcie-controller/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'HT20'
	option disabled '0'
	option txpower '19'

# 2.4 GHz AP for the VPN LAN. 'option network lan1_interface' attaches this
# radio to that interface; it is the only member lan1_interface currently has,
# since that interface sets no 'ifname' in /etc/config/network.
# Same cipher remark as above: prefer 'psk2+ccmp' over 'psk2+tkip+aes'.
config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option disabled '0'
	option encryption 'psk2+tkip+aes'
	option key '[REMOVED]'
	option network 'lan1_interface'
	option ssid 'Turris [VPN]'

/etc/config/dhcp:

# /etc/config/dhcp -- reviewed copy. UCI accepts '#' comment lines ('//' is
# not supported); `uci commit` and LuCI rewrite the file and drop them.
# dnsmasq serves DHCP for both LANs. Its DNS side listens on 5353 rather
# than 53, which on Turris OS presumably means the system resolver owns :53
# and this instance is only consulted for local names -- confirm on the box,
# because the 'dhcp_option 6' entries below send clients to port 53 on the
# router.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option localise_queries '1'
# Rejects upstream answers that resolve to private addresses (DNS rebinding).
	option rebind_protection '1'
	option rebind_localhost '1'
# Names under '.lan' are answered locally and never forwarded upstream.
	option local '/lan/'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
# Only answer DNS queries that arrive from directly attached subnets.
	option localservice '1'
	option nonwildcard '0'
	option domain 'lan'
	option port '5353'

# Pool for the main LAN: 192.168.1.100 onwards, 150 addresses, 12 h leases.
# 'dhcp_option 6,...' is DHCP option 6, "Domain Name Server" (RFC 2132): the
# resolver address handed to clients -- here the router's own lan address.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	list dhcp_option '6,192.168.1.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

# Pool for the VPN LAN: 192.168.2.100 onwards, 150 addresses. The option 6
# line is formed exactly like the one for 'lan' and points at this
# interface's own address from /etc/config/network, so the DHCP side looks
# right. What it does not guarantee: that a resolver actually listens on
# 192.168.2.1:53, and that the router's upstream lookups for these clients
# leave through the tunnel rather than 'wan' -- if they do not, names resolve
# but DNS bypasses the VPN. No dhcpv6/ra here, matching the missing
# ip6assign on lan1_interface, so this segment stays IPv4-only (presumably
# intended; confirm).
config dhcp 'lan1_interface'
	option interface 'lan1_interface'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.2.1'

/etc/config/network:

# /etc/config/network -- reviewed copy. UCI accepts '#' comment lines ('//'
# is not supported); `uci commit` and LuCI rewrite the file and drop them.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd22:91e8:0e0f::/48'

config interface 'wan6'
	option ifname '@wan'
	option proto 'none'
	option noserverunicast '1'

# Main LAN, 192.168.1.0/24: a bridge of the wired ports plus the 5 GHz AP
# (the AP joins through 'option network lan' in /etc/config/wireless).
# NOTE(review): both CPU-facing ports, eth0 and eth2, are bridged here. If
# eth2 is the interface behind switch port 6 on this board (presumably, per
# the Omnia switch layout -- confirm), VLAN 2 / LAN4 traffic also lands in
# 'lan' and 'lan1_interface' below gets no wired member at all. The expected
# shape is ifname 'eth0' here and ifname 'eth2' on lan1_interface.
config interface 'lan'
	option ifname 'eth0 eth2'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
# '_orig_*' options are LuCI bookkeeping; netifd ignores underscore-prefixed
# options, so editing them changes nothing. The members that count are
# 'ifname' plus any wifi-iface whose 'network' names this interface.
	option _orig_ifname 'eth0 eth2 wlan0 wlan1'
	option _orig_bridge 'true'

# VPN LAN, 192.168.2.0/24. There is no 'ifname', so its only member is wlan1,
# attached by the wifi-iface with network 'lan1_interface'. To also carry
# LAN4 add `option ifname 'eth2'` together with `option type 'bridge'` (a
# bridge is required once a wired port and a radio share one interface).
# No ip6assign: this segment gets no IPv6 prefix, which presumably is meant
# to leave no IPv6 path around the VPN -- confirm.
config interface 'lan1_interface'
	option _orig_ifname 'wlan1'
	option _orig_bridge 'false'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

# The tunnel device. proto 'none' leaves addressing to the VPN daemon; the
# interface exists so the firewall's 'vpn_zone' can match tun0. Nothing here
# steers only lan1 into tun0: with a single routing table both LANs follow
# the same default route, so per-LAN VPN use needs policy routing (an ip
# rule on the 192.168.2.0/24 source plus its own table), which is not part
# of this config.
config interface 'vpn_interface'
	option ifname 'tun0'
	option proto 'none'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1: switch ports 0-3 plus CPU port 5 (presumably eth0).
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'
	option vid '1'

# VLAN 2: switch port 4 (presumably the port labelled LAN4 on the Omnia) plus
# CPU port 6 (presumably eth2) -- the dedicated wired port for the VPN LAN.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6'
	option vid '2'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth1'

/etc/config/firewall:

# /etc/config/firewall -- reviewed copy. UCI accepts '#' comment lines ('//'
# is not supported); `uci commit` and LuCI rewrite the file and drop them.
# Defaults: the router accepts traffic addressed to itself and may send
# anything; forwarding between zones is rejected unless a 'forwarding'
# section (or a rule with a 'dest') allows it. Zones below override per zone.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The includes are scripts run on firewall reload. Whatever rules they add
# are not visible in this file and need to be read alongside it.
config include
	option path '/etc/firewall.user'

config include
	option path '/usr/share/firewall/turris'
	option reload '1'

config include
	option path '/etc/firewall.d/with_reload/firewall.include.sh'
	option reload '1'

config include
	option path '/etc/firewall.d/without_reload/firewall.include.sh'
	option reload '0'

# Internet side: nothing unsolicited reaches the router or the LANs except
# what the 'Allow-*' rules below permit; LAN traffic is NATed ('masq').
config zone
	option name 'wan'
	option network 'wan wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Tunnel side: lan1 hosts are source-NATed to tun0's address ('masq'); the
# far end of the tunnel gets no access to the router ('input REJECT') and no
# forwarding into either LAN.
config zone
	option name 'vpn_zone'
	option network 'vpn_interface'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# VPN LAN. 'input ACCEPT' exposes every router service (DNS, DHCP, web UI,
# SSH, ...) to this segment, exactly as for 'lan'; the "Allow Guest ..." rules
# near the end only become meaningful if this is tightened to 'REJECT'.
config zone
	option name 'lan1_zone'
	option network 'lan1_interface'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option forward 'ACCEPT'

# Allowed inter-zone paths. There is no lan <-> lan1_zone pair, so the two
# LANs cannot reach each other's hosts (default forward REJECT) -- only the
# router itself, via the zones' 'input ACCEPT'.
config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'vpn_zone'
	option src 'lan1_zone'

# NOTE(review): this forwarding is what defeats "always on". With both
# lan1_zone->vpn_zone and lan1_zone->wan allowed, the exit a lan1 packet
# takes is decided solely by routing, and if tun0 goes down traffic falls
# back to eth1 in the clear. For a kill switch remove this section, so the
# default 'forward REJECT' drops lan1 traffic that is not entering the
# tunnel. The VPN client runs on the router itself and leaves through the
# output chain, which stays ACCEPT, so it is unaffected.
config forwarding
	option dest 'wan'
	option src 'lan1_zone'

# Standard OpenWrt input rules for the wan zone follow (DHCP renew, ping,
# IGMP, DHCPv6, MLD, ICMPv6).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# NOTE(review): the next two rules accept unsolicited ESP and IKE (udp/500)
# from the internet forwarded to any host in 'lan' (there is no dest_ip).
# They are only needed if an IPsec endpoint sits inside lan; otherwise
# remove them, or at least pin 'dest_ip' to that one host.
config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Port 5353 is dnsmasq's non-standard 'port' from /etc/config/dhcp. Clients
# given DHCP option 6 query port 53, which this rule does not cover. It is
# redundant while lan1_zone has 'input ACCEPT'; once that is tightened, the
# port to open is 53 (whatever resolver listens there), not 5353.
config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '5353'
	option name 'Allow Guest DNS Access'
	option src 'lan1_zone'

# Likewise only effective once lan1_zone 'input' is REJECT; harmless now.
config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'Allow Guest DHCP Access'
	option src 'lan1_zone'

# UPnP/NAT-PMP lets LAN hosts open inbound WAN ports on their own. Which
# zones miniupnpd serves comes from its own configuration (not shown); worth
# confirming the VPN LAN is not among them.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'