I'm trying a variation of a slightly overcomplicated (but fun) network setup. I've got a Unifi AP offering two SSIDs, one on the default VLAN and the other on VLAN 2. VLAN 2 gets internet access via a VPN to the US.

If I setup a completely separate subnet etc. for VLAN 2 it's all fine - separate DHCP server gives out a different DNS server to clients on that wifi network so all the geolocation stuff works beautifully and everything I connect to via VLAN 2 thinks I'm in the USA.

The only pain with this is that various Apple devices won't talk to each other properly when they're not on the same subnet. So I'm trying to figure out a way to bridge the two VLANs while keeping the packets tagged in some way.

My first attempt didn't really work. I added VLAN 2 to the main bridge, and added a bridge NAT (dstnat chain) that marks packets originating from the VLAN as "mark-us". Then in the IP firewall I've got a mangle rule which picks up all the mark-us packets and adds a "strongvpn" routing mark. the IP firewall NAT has a rule to masq strongvpn to the VPN. Additionally, I've got two NAT rules which look for routing mark strongvpn and change TCP & UDP to address fields from the local router to the VPN service's DNS server.

One of the notable effects of all this was a very slow network, which I guess means I've made packets go flooding around the place.

Any thoughts on how to achieve this?