Firewall/NAT

                   ( Modem) 192.168.1.254
                            |
                  Netgear VPN Router - 192.168.7.0
                            |
                   -----------------------------------------------------
private ip (wan) | (ue0)                                                 |
  Monowall (strictly for guests)                company workstations
                            |
--------------------------------------
|                                               |
 em0 (LAN) (private LAN)            ue1  (opt1) (private LAN)
  192.168.2.*                                       192.168.3.*
 with dhcp                                                    with dhcp
laptop1                                                    laptop2

my goal is to have more than 250 dhcp leases.

If I Bridge opt1 with lan1 everything works. but i'm limited to 248 leases.
so my setup is with the diagram above, I cant get laptop2 connected to the internet, no pings, but I do get dhcp ip addresses and I can ping 192.168.7.1 and 192.168.1.254

is something wrong in adv outbound, proxy arp, or firewall rules ? thanks
or do I need to take something out/ add?

System: Static routes
Interface Network Gateway Description 
LAN  192.168.1.0/24  192.168.1.254     edit route   
LAN  192.168.7.0/24  192.168.7.1     

Services: Proxy ARP
Interface Network Description 
WAN  192.168.1.0/24      edit network   
OPT1  192.168.3.0/0      edit network   
WAN  192.168.7.0/24   


Firewall: Rules
OPT1
    Proto Source Port Destination Port Description 
  *  OPT1 net  *  *  *  opt source   
  *  *  *  *  *  opt any   
 
Firewall: Rules
LAN
    Proto Source Port Destination Port Description 
   *  LAN net  *  *  *  Default LAN -> any   
 
Firewall: Rules
WAN
Proto Source Port Destination Port Description 
   *  *  *  *  *     
  TCP/udp  *  *  WAN address  *  (wan dest)


Firewall: NAT: Outbound
 Interface Source Destination Target Description 
 WAN  192.168.2.0/24  *  *
 OPT1  192.168.3.0/24  *  192.168.2.1
 WAN  192.168.3.0/24  *  192.168.2.1 

or if I can perform lan bridging with different subnets or additional ips.

I am not sure I understand the reason to add an OPT1 interface.

If the reason is that you want a larger network (more than the 253 usable IP addresses in a /24 network) then why not just make the LAN network larger, say /23, /22, /21 etc.?

wow, I learned something new, didn't know I could do that just by changing the net mask bit.

But the reason I was trying to separate these subnets out, is because, eventually I will have 5 access points with captive portal ( each connected via opt1, opt2, opt3, opt4, opt5 ). But first I am just trying to bridge 2 lans (lan and opt1) first just to get it to work. I would like to set it so that each access point can't access any other access points' connections or devices. If you have any better ideas, I'm open to suggestions, I may be going at this wrong.

thanks

The primary reason to add interfaces is to have separate networks that can not access each other, or in access each other in limited ways.

But you didn't mention this at first, you just said you needed more IP addresses. So that's why I suggested one larger network by relaxing the subnet bit.

But back to separate networks. Add interfaces, defining a unique network for each. Then all you need to add firewall rules for each interface. First add rules to block access to the other networks, one rule for each. The finally add a rule to allow traffic to any destination - this being the only remaining unblocked network - the internet. This last rule must be last in the list, below all the blocking rules.

If you are bridging, you essentially have one network, so not a real point.  If you are routing it makes sense...

And if you want a larger subnet, you also may want to use 172.16.x.x addresses.  Some equipment and devices have problems with supernetting.