1 bridge or 2?

I have a heX with connections as follows:

a) ether1 connected to cable ONT (WAN) – dynamic IP

b) ether2 (192.168.2.2) connected to CSS326 switch (192.168.2.3)

c) ether3 connected to Verizon FIOS router (192.168.2.1) acting as a MOCA bridge (I think that’s the correct terminology) so that ethernet traffic can pass via coax to set top boxes

I have a bridge interface (named: bridge) that currently includes ether1 and ether2.

I was thinking that the way to isolate traffic as efficiently and effectively as possible between (1) the FIOS router and STBs connected to it and (2) the CSS326 and connected LAN devices would be to keep the FIOS router on a separate heX port (ether3).

Does this make sense?

Would I need to make a separate bridge that includes ether1 and ether3?

I understand there are multiple ways to achieve this (FIOS into CSS326 and port isolation; FIOS into CSS326 and firewall rules, for example).

Thank you.

A port can only be a member of one bridge.

Your description seems inconsistent: you say ether1 and ether2 are bridged, but ether1 is the WAN, and ether2 and ether3 have the same subnet.

I’m with @tdw on this. You don’t talk about vlans, so I assume that when you say ether1 and ether2 are part of the same bridge, that you mean they are part of the same broadcast domain. And it isn’t clear how you could have a dynamic and static address on the same “bridge” interface. I don’t even know if ROS has “peth” (pseudo ethernet) interfaces like the EdgeRouters.

So to your question “Does this make sense?” if you meant it in the “is what I am asking clear to you?” the answer is no. If you meant it as “Does what I am trying to do make sense?” I can’t say, because I don’t understand what you are trying to do.

Edit: Sorry, I got you mixed up with someone else, so I am not sure you know anything about Edgerouters.
Since you are familiar with the EdgeRouters, perhaps this will help. The bridge device in the hEX is very similar to the switch0 device on the ER-X. The bridge can be like a “dumb switch” when vlan-filtering is off, or like a vlan-aware switch0 when vlan-filtering is turned on. And the hEX /interface vlan devices created under the bridge are like vif devices under switch0 on the ER-X.

So perhaps if you can describe the problem you are trying to solve, someone can provide an answer.

https://forum.mikrotik.com/viewtopic.php?p=908118

Thank you, guys, for the help in framing the question.

Here’s a second try.

Right now:

  1. heX ether1 is wired to the FIOS ONT and gets its IP dynamically from Verizon;
  2. heX ether2 is wired to a CSS326;
  3. heX bridge includes ether1 and ether2, and is 192.168.2.2
  4. FIOS router is wired to a port on the CSS326 and is 192.168.2.1
  5. I have port isolation configured on the CSS326 such that the FIOS router can only communicate with the heX (it cannot communicate with any devices on any other ports of the CSS326).

I’m wondering if it might make more sense to wire the FIOS router into the heX port ether3 and let the heX keep the traffic between the FIOS router and my LAN separate?

My understanding is that because ‘bridge’ does not include ether3, the heX will not pass traffic between bridge and ether3 unless routing and/or firewall rules allow.

I can’t even imagine how I would accomplish this with VLANs (the FIOS router is not VLAN-aware).

The problem is you don’t state the requirements separately from the configuration.

You need to dumb it down…

You have three WANs… great.

Is one primary, one secondary, one tertiary?
In other words, from a general sense, what are they for?


Then, more specifically, what are the requirements from the user perspective?
Source list of users needs to go out WANX.
Subnets A and B need to go out WANY.

All servers are on LAN Subnet C and should only be accessed on WANZ.

Only 1 WAN: The connection to the FIOS ONT.

The Fios router is only being used to pass Ethernet traffic to the set top boxes.

The requirement is just to have things set up efficiently and effectively.

You have successfully stated nothing, other than WAN1 is not to be used for any LAN users and is solely to feed set top boxes, which I presume are TV devices.

I still have no clue as to the relationship of WAN2 and WAN3.
Is one primary and the other backup?

Are they being shared between users?
Are some users/subnets only to use a specific WAN?

I cannot help further or make myself any clearer. Good luck!

I’m trying! I really am!

Here’s a diagram.

Version A is how things are now. It works, but the FIOS router and the set top cable boxes are on the same broadcast network as all my LAN devices (connected to the CSS326).

I would like to separate into 2 broadcast networks: Broadcast network 1 (FIOS router and set top cable boxes) and broadcast network 2 (devices connected to CSS326).

212-network.JPG

One bridge, configured something like this:

/interface bridge
add name=bridge vlan-filtering=yes frame-types=admit-only-vlan-tagged
# frame-types property in preceding line refers to bridge interface,
# not to bridge the switch-like entity
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether1 pvid=100
add bridge=bridge ingress-filtering=yes interface=ether2 pvid=200
add bridge=bridge ingress-filtering=yes interface=ether3 pvid=200
/interface bridge vlan
add bridge=bridge tagged=ether1,ether3 vlan-ids=6
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=100
add bridge=bridge tagged=bridge untagged=ether2,ether3 vlan-ids=200
/interface vlan
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200
/interface list member
add list=WAN interface=vlan100
add list=LAN interface=vlan200

Ports ether1 and ether3 will be switched for VLAN 6 (IP TV). Ports ether2 and ether3 will be switched for LAN (untagged on both ports). The untagged traffic over ether1 will be WAN. Bridge will be tagged member of VLANs 100 and 200 (to be able to interact with both LAN and WAN), but won’t be member of VLAN 6 (no need to interact with it).

Then add WAN config (DHCP client, etc.) to interface vlan100.
Add LAN config (IP address, DHCP server, etc.) to interface vlan200.

Note that VLANs 100 and 200 will be internal to your hEX so you could use any pair of VIDs (except 6, it’s better to avoid using 1 as well). These two VLANs are only needed to “partition” bridge into two parts (LAN and WAN).

Default firewall rule set would fit the setup above just fine.
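The configuration above keeps ether3 in the same VLAN as ether2, so the FIOS router and STBs stay in the LAN broadcast domain. The thread's stated goal is two broadcast domains: one for the FIOS router and STBs, one for the CSS326 devices. The variant below is an added example, not taken from the thread or from MikroTik documentation. It gives ether3 its own VLAN (VID 300, subnet 192.168.3.0/24, both assumed values), hands the STBs addresses from a DHCP server on that VLAN, and uses the firewall to let the STB segment reach the WAN but not the LAN. It assumes the RouterOS 7 default firewall rule set is present (its forward chain already accepts established/related and drops un-NATed WAN traffic, so the two appended drop rules only ever see new cross-segment connections), that the G3100 keeps behaving as an Ethernet-to-MoCA bridge with its own DHCP server off, and that it gets re-addressed into 192.168.3.0/24. It replaces the existing bridge port, IP address, DHCP and interface-list-member entries, as the post above already says. VLAN filtering is switched on as the last step so the bridge VLAN table is complete before it starts being enforced; doing it first can lock you out of a remote device.

```routeros
# Added example: three internal VLANs on one bridge, one per hEX port.
# VID 100 = WAN (ether1), VID 200 = LAN (ether2), VID 300 = STB/FIOS (ether3).
# VIDs, the 192.168.3.0/24 range and the pool bounds are assumptions.
/interface bridge
add name=bridge vlan-filtering=no
/interface bridge port
add bridge=bridge interface=ether1 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether2 pvid=200 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether3 pvid=300 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=100
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=200
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=300
/interface vlan
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200
add interface=bridge name=vlan300 vlan-id=300
# Both internal segments count as LAN for the default input/forward rules.
/interface list member
add list=WAN interface=vlan100
add list=LAN interface=vlan200
add list=LAN interface=vlan300
# WAN: dynamic address from Verizon on the WAN VLAN interface.
/ip dhcp-client
add interface=vlan100 disabled=no
# LAN keeps its existing 192.168.2.0/24 addressing; STB segment is new.
/ip address
add address=192.168.2.2/24 interface=vlan200
add address=192.168.3.1/24 interface=vlan300
# DHCP for the set top boxes (and the G3100 if it asks) on the STB VLAN.
/ip pool
add name=stb-pool ranges=192.168.3.10-192.168.3.100
/ip dhcp-server
add name=stb interface=vlan300 address-pool=stb-pool disabled=no
/ip dhcp-server network
add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=192.168.3.1
# Layer-3 separation: STB segment may reach the WAN (default rules + NAT)
# but not the LAN, and the LAN may not reach the STB segment. These land
# after the default rules, which have already accepted established/related.
/ip firewall filter
add chain=forward action=drop in-interface=vlan300 out-interface=vlan200 comment="STB segment cannot reach LAN"
add chain=forward action=drop in-interface=vlan200 out-interface=vlan300 comment="LAN cannot reach STB segment"
# Enforce the VLAN table only now that it is complete.
/interface bridge
set bridge vlan-filtering=yes
```

Check the result with `/interface bridge vlan print` (each VID should show exactly one untagged port plus the bridge as tagged member) and `/interface bridge host print` (the G3100 and STB MACs should appear only on ether3 with VID 300). The default masquerade rule keyed on `out-interface-list=WAN` covers both segments because vlan100 is the only WAN member. If you would rather not use VLANs at all, the alternative the thread already hints at is to leave ether3 out of the bridge entirely and put the 192.168.3.1/24 address, DHCP server and the same two drop rules on ether3 directly; the separation is the same, only the switching part is lost.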

I really wish this wasn’t the case, but this is above my understanding.

Your code starts by adding an interface named bridge that has vlan-filtering enabled for frame-types ‘admit-only-vlan-tagged’.

Does this bridge replace the existing bridge I have which is set up like this? Or does it add the vlan parameters to it?


/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge

Similar question for the the ports of ‘bridge’:


/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5

And then there’s the VLAN setup. Do I understand correctly that the VLAN exists exclusively internal to the heX? And that the VLAN is what separates the broadcast domains by port (ether2 vs. ether3)?

I am finding it difficult to understand how the commands below allow packets originating on ether1 to pass (as addressed) to ether2 and ether3, but packets originating on either ether2 or ether3 to be allowed to pass only to ether1.


What is the purpose of having the FIOS router connected to the heX at all?
That is the missing piece for me. You have FIOS connected already to set top boxes.
Why involve the heX or switch?

You have two separate internet connections correct?

The set top boxes need internet access for various functions. That Inet access is delivered over the coax. Hence, the Fios router (or another moca adapter) is needed.

1 internet connection: FIOS

Sorry, more confused than ever. The diagram shows two internet connections, and yet you say there is only one, the FIOS, and yet you show a cable modem from Verizon…

Okay, let’s say I think it’s like this:
You only have one internet connection from a cable modem from Verizon; they also provide a FIOS router.
The router is important because it has coax for set top boxes…

My question is: does the FIOS router have other ports, like Ethernet, and do they provide you a private IP?
Do you have any control over this FIOS router, aka select what LANs it has, etc.?

How does the heX get internet then, if the FIOS router is involved?
Does internet come in on one VLAN and TV on another VLAN?

Okay, we’re making progress now.

Verizon provides a coax cable to my premises.

That coax connects to their modem.

Out from their modem come 2 cables: Coax and ethernet (RJ45, twisted pair, catX).

The coax at this point carries TV.

That coax gets distributed (in a trunk and tap/splitter kind of way) to:
a) Verizon’s router (model G3100); and
b) A bunch of set top boxes.

The G3100 has an RJ45 WAN port for internet access that is not being used.

It also has 4 RJ45s (logically, a switch), for devices or downstream switch.

The connectivity between the G3100 and the STBs (which need IP addresses and now get them via DHCP from the heX) provides internet access (all via coax) to the STBs and is necessary for online program guides, DVR, On-Demand stuff. Internet access is provided to the G3100 by a cable from one of its LAN ports to a port on the CSS326.

I have full control of the G3100 – I assigned its IP address, etc.

Now, back up to the modem:

A cat6 cable connects the modem to the heX.

A cat6 cable connects the heX to the CSS326, where all my devices are connected.

Does that clarify?


@anav, I agree with you 100%, when he “clarified” things, he must have taken his example from Google Home, which often gives an incomplete answer, then asks “would you like more context?”, and if you reply “yes”, it just repeats the same thing over again, with no additional information. Compare Post #1 with the “clarification” in post #5. To me the only difference is the formatting.

This is evidently a continuation of this thread, Vlans and export config, with a more detailed diagram in post #10.

Note that even though he is talking about vlans in that thread, I am still not convinced that the “concept” of what vlans are has “clicked” yet for him. What he is currently using for separation is port isolation in the CSS326, which is a different concept than vlans; it is limiting, for each switch port, what other switch ports can be forwarded to. This is like asymmetrical subsets of the same broadcast domain, more like overlapping circles in a Venn diagram, where there is a non-empty intersection. Additionally, port isolation has no significance off the switch; anything past the switch is either included or excluded.

Vlans are different in that the broadcast domains for vlans have no overlap (intersection). And vlans can extend beyond the switch border, since tags can carry the “membership credentials” with the ethernet frame.

It is very unclear to me what the purpose of the Hex is.

And I thought I would let others know about the other thread, because he is currently using only port isolation to keep things separate, because he has a single IP subnet.

Yes, my (almost working) bridge config example is meant to replace whatever you have there now. As long as your config is really covering only what’s on the diagram you posted.

Frankly @OP lost me with regards to wanted configuration … and I’m with @anav here: it would be great if @OP clearly stated desired layout and forget about current setup … which seems to be inadequate anyway so why bother explaining it?

Gentlemen:

I have not taken my words or concepts or anything from any web site (including Google Home).

Post #16 was intended to more fully explain my setup – which it did.

The heX is the one and only device performing as a router at my location. The G3100 only acts as a bridge between twisted pair and coax for the STBs.

Yes, I have another thread talking about Vlans and my setup. And, yes, Vlans have not yet clicked. But, I do have an understanding that port isolation is not the best way to accomplish my goal – hence the current thread.

Would it be more helpful to explain from a functional perspective what I want to achieve or from a network layout perspective?