Simple: How to assign two IP Subnets to one interface?

[andrew]

Hello and sorry for the newbie question!
I have to be a jack of all trades, and thus master of none.
Judging from the forum search and google, everyone and their dog seems to do multi-WAN these days. Yet no one seems to want two /24 on one physical router port.

Current scenario:
Typical plain SoHo setup with 1 WAN interface that has 1 public IP that is NATed, and 1 LAN interface with 1 /24.

Goal:
To add another /24 to the same LAN port. To have more adresses, and also the possibility to put different types of devices on different subnets and isolate them except for the nessessary traffic.

Additional info:
1. It needs to be those 2 /24s because there is a site-2site IPsec VPN, and the local subnet(s) need to be unused on the other end. So this VPN partner handed out these 2 subnets that weren't yet used by their other partners. Giving us one /16 is against their policy for just ~300 IPs.
2. If the router had one more port, I could just assign 1 subnet to one physical port and be done. But there's only one port for both subnets.

Trial&error so far:
I expected to be able to simply assign multiple subnets to the interface in the interface settings. Sorta like every OS lets you assign multiple single IPs to a NIC. But thats not possible there.

Then I thought maybe virtual IPs might be the solution under BSD/OPNsense. So I tried to create an IP alias for the whole subnet. But IP aliases are really just for single IPs it seems. "Type" is locked to "single adress".
Using mode "other" instead of "IP alias" lets me add a /24 but doesn't seem to be what I need. From the wiki: "The other type won’t respond to ICMP ping messages or reply to ARP requests, it merely is a definition of an address (or range) which can be used in NAT rules."

Then someone else suggested to just turn the two /24s into one /23. "Genious" I thought (if the other end could set up the VPN with this subnet)!
But if I'm not mistaken, 192.168.1.0/23 actually goes from 192.168.0.1 to 192.168.1.254, right?
But the assigned subnets are 192.168.1.0/24 and 192.168.2.0/24!
Which is currently breaking my brain, because if i calculate it for 192.168.2.0/23, then it goes nicely from 192.168.2.1 to 192.168.3.254.


What is the correct approach to this under BSD/OPNsense?
The more I think about it, the less I seem to understand it.

[allebone]

You need to remove the IP addressing on the physical interface you want to use so its like a blank physical interface, and then create 2 different vlans that reside ontop of this physical interface - one for the .0.1/24 range and one for the .2.0/24 range.

Then you have two separate networks on top of a single port. You probably are going to want to configure a way in to do this (eg a wireguard connection) because you will be disrupting the LAN when you do this as Im guessing LAN is currently bound to the physical interface. However 2 vlans on top of an interface dont support that so you will be removing the ip addressing on the lan interface and recreating it as a vlan in order to complete this. This will leave you with no connection to the box from the lan for a short period of time so if no accommodation is made for that you are locking yourself out.

so your end result will be a physical interface that is blank : eg em2
then 2 different vlans on top of that will be something like Vlan5 on em2 and Vlan7 on em2.
This means 2 virtual interfaces now reside on top of a physical interface and are physically distinct (separated by vlan tag). Now 2 networks can be manipulated via normal firewall rules on the IP sec connection. devices behind this can be either in one network or the other on the LAN side by configuring vlan as appropriate on your switch.

P