For WRT54GL, for example: is it possible to have a VPN tap connection mapped to a physical LAN port while the other physical ports on the router function as the local LAN, with DHCP, wireless and internet coming from the local WAN connection?

Anything plugged into the VPN tap port should receive an IP address and internet from the DHCP server at the other end of the VPN tunnel and not be able to access the local LAN or internet in any way. Vice versa, the local LAN on the other ports should not be aware of the VPN tap connection.

In the current Tomato firmwares I've tried, it seems that the VPN tap connection is automatically linked to the br0 LAN interface, regardless of VLAN settings etc.

Any help appreciated!

1) Make a new br interface (br1) on the Basic -> Network page without DHCP.
2) Make a new VLAN with only one physical LAN port mapped, and bridge it with the new br1 interface.
3) In the VPN setup, uncheck "Server is on the same subnet" (because this checkbox bridges the tap to br0 by default) and set the IP manually.
4) Create a small script:
Change tap11 to your tap iface of course :) Save the script somewhere (jffs, opt). In my example it will be: /opt/etc/ and add execute rights:
chmod +x /opt/etc/
5) Now add this script to the custom VPN configuration:
This will execute the script and add tap11 to br1 after the VPN connection is established.
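As an added illustration of step 4 (this is not the poster's script, which is not shown on the page), below is an OpenVPN "up"-style script that moves the tap into br1 and first checks that the firmware has not left it in br0, since a tap that sits in both bridges would join the remote network to the local LAN. It assumes the interface names from the thread (tap11, br0, br1), that brctl and ip are present on the router, and a hypothetical path /opt/etc/vpn-br1.sh for the script.

```shell
#!/bin/sh
# Added example (not the original poster's script): an OpenVPN "up" script
# that places the VPN tap interface into the isolated bridge br1 and makes
# sure it is NOT left in br0 (the local LAN bridge). Assumes brctl/ip on the
# router, tap11 and br1 as named in the thread, and this custom config:
#   script-security 2
#   up /opt/etc/vpn-br1.sh        (hypothetical path)
# OpenVPN passes the tap device name to an "up" script as $1.

LAN_BR="br0"              # bridge that must never contain the VPN tap
VPN_BR="${VPN_BR:-br1}"   # isolated bridge created in step 1

# Wrapper so the logic can be exercised with DRY_RUN=1 on a host without brctl.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# True if interface $2 is currently a member of bridge $1 (sysfs view).
in_bridge() {
    [ -e "/sys/class/net/$1/brif/$2" ]
}

attach_tap_to_bridge() {
    tap="${1:-tap11}"
    br="${2:-$VPN_BR}"
    # Defensive step: if the firmware auto-bridged the tap into br0, pull it out,
    # otherwise remote and local LAN traffic would share one broadcast domain.
    if in_bridge "$LAN_BR" "$tap"; then
        run brctl delif "$LAN_BR" "$tap" || return 1
    fi
    # Idempotent: on an OpenVPN restart the tap may already be in br1.
    if in_bridge "$br" "$tap"; then
        return 0
    fi
    run brctl addif "$br" "$tap" || return 1
    run ip link set "$tap" up
}

# Only act when OpenVPN (or the operator) passes a device name.
if [ $# -gt 0 ]; then
    attach_tap_to_bridge "$1"
fi
```

Running `DRY_RUN=1 sh /opt/etc/vpn-br1.sh tap11` prints the commands without applying them, which is a quick way to confirm the bridge names before wiring the script into the VPN configuration.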

Thanks a lot! Seems to work.
