Thank you, guys, for the help in framing the question.
Here’s a second try.
Right now:
- heX ether1 is wired to the FIOS ONT and gets it’s IP dynamically from Verizon;
- heX ether2 is wired to a CSS326;
- heX bridge includes ether1 and ether2, and is 192.168.2.2
- FIOS router is wired to a port on the CSS326 and is 192.168.2.1
- I have port isolation configured on the CSS326 such that the FIOS router can only communicated with the hex (it cannot communicate with any devices on any other ports of the CSS326).
I’m wondering if it might make more sense to wire the FIOS router into the heX port ether3 and let the heX keep the traffic between the FIOS router and my LAN separate?
My understanding is that because ‘bridge’ does not includes ether3, the heX will not pass traffic between bridge and ether3 unless routing and/or firewall rules allow.
I can’t even imagine how I would accomplish this with VLANs (the FIOS router is not VLAN-aware).