Hi!

After I read a lot of posts and got no replies to mine, here is my "solution" to get it working (I set it up with an alix2c3).

==== /etc/config/network============
config 'interface' 'lan'
        option 'ifname' 'eth0'
        option 'proto' 'static'
        option 'ipaddr' '192.168.62.254'
        option 'netmask' '255.255.255.0'
config 'interface' 'lan2'
        option 'ifname' 'eth2'
        option 'proto' 'static'
        option 'ipaddr' '192.168.63.254'
        option 'netmask' '255.255.255.0'
config 'interface' 'wan'
        option 'ifname' 'eth1'
        option 'proto' 'dhcp'
=================================

It's too complicated to post the complete file here; just copy the lines with $LAN and change them to $LAN2.
============ /etc/init.d/firewall============
config_get LAN lan ifname
config_get LAN2 lan2 ifname
----------------------------------
config_get LAN_MASK lan netmask
config_get LAN2_MASK lan2 netmask
config_get LAN_IP lan ipaddr
config_get LAN2_IP lan2 ipaddr
LAN_NET=$(/bin/ipcalc.sh $LAN_IP $LAN_MASK | grep NETWORK | cut -d= -f2)
LAN2_NET=$(/bin/ipcalc.sh $LAN2_IP $LAN2_MASK | grep NETWORK | cut -d= -f2)
----------------------------------
# allow
iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT
[ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
# LAN2
iptables -A FORWARD -i $LAN2 -o $LAN2 -j ACCEPT
[ -z "$WAN" ] || iptables -A FORWARD -i $LAN2 -o $WAN -j ACCEPT
-------------------------------------
then
                [ -z "$WAN" ] || iptables -t nat -A POSTROUTING --src $LAN_NET/$LAN_MASK -o $WAN -j MASQUERADE
                [ -z "$WAN" ] || iptables -t nat -A POSTROUTING --src $LAN2_NET/$LAN2_MASK -o $WAN -j MASQUERADE
fi
-------------------------------------
## for routing between LAN and LAN 2
export WAN
export LAN
export LAN2
============================
and in /etc/firewall.user
================================================
iptables -A forwarding_rule -i $LAN -o $LAN2  -j ACCEPT
iptables -A forwarding_rule -i $LAN2 -o $LAN   -j ACCEPT
================================================

@ Developers => I'm not the script wizard, but maybe it's possible to do this in /etc/init.d/firewall with a for-in loop (when LAN devices are numbered LAN_1, LAN_2 and so on); then it can be used with a lot of subnets.

ciao gerd
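
Added example (not part of the original post and not OpenWrt's own code): a sketch of the for-loop idea for any number of LAN segments. The function name `gen_rules` and the `ifname=net/mask` argument format are assumptions, and it goes one step beyond the post by making the LAN-to-LAN forwarding rules optional, so segments stay isolated unless routing between them is explicitly enabled. It only prints the iptables commands so they can be reviewed before use.

```shell
#!/bin/sh
# Hypothetical helper: print the per-segment rules from the post for N LANs.
# Usage: gen_rules WAN ROUTE_BETWEEN "ifname=net/mask" ...
#   WAN            WAN interface name, or "" when there is none
#   ROUTE_BETWEEN  1 = allow forwarding between LAN segments, 0 = keep isolated
gen_rules() {
    wan=$1
    route=$2
    shift 2
    for seg in "$@"; do
        ifname=${seg%%=*}   # part before '=' (interface name)
        src=${seg#*=}       # part after '='  (network/netmask)

        # Traffic that stays inside the segment
        echo "iptables -A FORWARD -i $ifname -o $ifname -j ACCEPT"

        # Outbound traffic and NAT, only when a WAN interface exists
        if [ -n "$wan" ]; then
            echo "iptables -A FORWARD -i $ifname -o $wan -j ACCEPT"
            echo "iptables -t nat -A POSTROUTING --src $src -o $wan -j MASQUERADE"
        fi

        # Inter-segment routing is opt-in; skip it to keep subnets isolated
        [ "$route" = 1 ] || continue
        for other in "$@"; do
            oif=${other%%=*}
            [ "$oif" = "$ifname" ] ||
                echo "iptables -A forwarding_rule -i $ifname -o $oif -j ACCEPT"
        done
    done
}

# Constructed sample input matching the interfaces and subnets in the post
gen_rules eth1 1 \
    eth0=192.168.62.0/255.255.255.0 \
    eth2=192.168.63.0/255.255.255.0
```

With `ROUTE_BETWEEN` set to 0 the output contains no `forwarding_rule` lines, which is the safer default when a second subnet exists to separate hosts from the first.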