xTerminator
New Around Here
I'm planning on setting up a new router soon, an ASUS RT-BE88U (all-in-one, no external switch), and I plan to use VLANs for better segmentation and security (since the router supports it). My current plan is as follows:
- VLAN 2 (10.0.2.0/24): For my NAS.
- VLAN 3 (10.0.3.0/24): For IoT devices (like a TV or smart devices).
- VLAN 1 (10.0.1.0/24): For personal devices (PCs, phones, etc.).
Can I achieve this with official firmware by configuring the VLANs on the router's ports from the WebUI, and then configuring iptables to allow inter-VLAN routing? Example:
Code:
#!/bin/sh
# Flush existing rules
iptables -F
iptables -X
# Default policies
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow established connections (replies to flows permitted below)
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Note: with the FORWARD policy set to DROP, traffic from the VLANs to the
# internet also needs an explicit ACCEPT; fill in the router's WAN interface:
# iptables -A FORWARD -o <WAN interface> -j ACCEPT
# Allow specific IoT device to access Plex
iptables -A FORWARD -s 10.0.3.50 -d 10.0.2.100 -p tcp --dport 32400 -j ACCEPT
# Allow specific PC to access DSM (HTTP and HTTPS)
iptables -A FORWARD -s 10.0.1.20 -d 10.0.2.100 -p tcp --dport 5000 -j ACCEPT
iptables -A FORWARD -s 10.0.1.20 -d 10.0.2.100 -p tcp --dport 5001 -j ACCEPT
# Block all other traffic from IoT VLAN to NAS VLAN
# (already covered by the DROP policy; kept for explicitness)
iptables -A FORWARD -s 10.0.3.0/24 -d 10.0.2.0/24 -j DROP
# Block all other traffic from PC VLAN to NAS VLAN
iptables -A FORWARD -s 10.0.1.0/24 -d 10.0.2.0/24 -j DROP
Not sure if there's an alternative approach, or would I need custom firmware for this, like Merlin?
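As an added example (not part of the post above), a small first-match model of the FORWARD chain lets you check the intended segmentation offline before loading the rules on the router. The flows it tests are constructed, and 203.0.113.10 is a placeholder for an internet host.

```python
import ipaddress

# Added example, not the poster's code: models iptables first-match semantics
# for the FORWARD chain. Only new flows are modelled, so the RELATED,ESTABLISHED
# rule (which handles reply packets via conntrack) is left out.

def rule(src, dst, proto=None, dport=None, target="ACCEPT"):
    return {"src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "proto": proto, "dport": dport, "target": target}

# The rules from the post, in order, followed by the chain's default policy.
FORWARD = [
    rule("10.0.3.50/32", "10.0.2.100/32", "tcp", 32400),
    rule("10.0.1.20/32", "10.0.2.100/32", "tcp", 5000),
    rule("10.0.1.20/32", "10.0.2.100/32", "tcp", 5001),
    rule("10.0.3.0/24", "10.0.2.0/24", target="DROP"),
    rule("10.0.1.0/24", "10.0.2.0/24", target="DROP"),
]
POLICY = "DROP"

def verdict(src, dst, proto, dport, chain=FORWARD, policy=POLICY):
    """Return the target of the first matching rule, else the chain policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in chain:
        if (s in r["src"] and d in r["dst"]
                and r["proto"] in (None, proto) and r["dport"] in (None, dport)):
            return r["target"]
    return policy

# Constructed flows: (description, src, dst, proto, dport, expected verdict)
CHECKS = [
    ("IoT TV -> NAS Plex", "10.0.3.50", "10.0.2.100", "tcp", 32400, "ACCEPT"),
    ("IoT TV -> NAS SSH", "10.0.3.50", "10.0.2.100", "tcp", 22, "DROP"),
    ("other IoT -> NAS Plex", "10.0.3.51", "10.0.2.100", "tcp", 32400, "DROP"),
    ("PC -> NAS DSM https", "10.0.1.20", "10.0.2.100", "tcp", 5001, "ACCEPT"),
    ("IoT -> personal PC", "10.0.3.50", "10.0.1.20", "tcp", 445, "DROP"),
    # With policy DROP and no WAN ACCEPT rule, the VLANs cannot reach the
    # internet either; this check documents that gap in the posted rule set.
    ("PC -> internet", "10.0.1.20", "203.0.113.10", "tcp", 443, "DROP"),
]

def run_checks(checks=CHECKS):
    """Return (description, passed) for each constructed flow."""
    return [(name, verdict(s, d, p, port) == exp)
            for name, s, d, p, port, exp in checks]

if __name__ == "__main__":
    for name, ok in run_checks():
        print(f"{'ok ' if ok else 'BAD'} {name}")
```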