ahnow
just joined
Topic Author
Posts: 15
Joined: Mon Feb 12, 2024 6:56 pm

CRS310-8G+2S to split WAN connection

Thu Mar 14, 2024 12:46 am

I have a CRS310-8G+2S that needs to go between my fiber modem and 4 routers to split the WAN connection between the routers (technical requirement). Our current (non-MikroTik) switch does this perfectly fine and is quite simple to set up (very similar to what's bulleted below). MikroTik is a new space for me so I need clarity on how to achieve this. The alternative is to get 4 fiber pairs in the building with 4 fiber modems...not an option.

I need to:
  1. configure sfpplus1 for the incoming fiber (WAN).
  2. ether2 configured for existing MGMT network (connect to another switch for remote access via infrastructure).
  3. ether3 configured for existing MGMT network (direct/local access to switch)
  4. the static IP of the switch should be 172.19.89.118/25.
  5. ether4-8 separate LAN ports (as bridge) that connect to the 4 routers for WAN access. Each router gets its IP via DHCP from the ISP.
  6. of course, ether4-8 bridge ports cannot access MGMT ports (ether2/3)
  7. MGMT can only talk MGMT traffic, no other ports/networks

My current configuration is below. At some point, the switch is somehow changed from switch mode to router mode; maybe this is expected based on the config or could there be a bug? And, the QuickSet info like static IP etc isn't retained after restoring a backup. Normal? Please provide a brief explanation along with any commands/directions you suggest to provide a better grasp of how to configure this properly.

Thank you!
# 2024-03-13 15:31:47 by RouterOS 7.14.1
# software id = 4SEN-RUF3
#
# model = CRS310-8G+2S+
# serial number = [REMOVED]
/interface bridge
add name=MGMT_BRIDGE
add admin-mac=[REMOVED] auto-mac=no comment=defconf name=bridge
/interface list
add name=MGMT
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether1
add bridge=MGMT_BRIDGE comment=defconf interface=ether2
add bridge=MGMT_BRIDGE comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
/ip neighbor discovery-settings
set discover-interface-list=none protocol=""
/interface list member
add interface=ether2 list=MGMT
add interface=ether3 list=MGMT
add disabled=yes interface=ether1 list=WAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=sfp-sfpplus1 list=WAN
add interface=sfp-sfpplus2 list=LAN
/ip address
add address=172.19.89.118/25 comment=defconf interface=ether2 network=\
    172.19.89.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=drop chain=input in-interface=!MGMT_BRIDGE protocol=icmp
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=172.19.89.0/25
set ssh address=172.19.89.0/25
set api disabled=yes
set winbox address=172.19.89.0/25
set api-ssl disabled=yes
/ip ssh
set host-key-size=1024 strong-crypto=yes
#error exporting "/ipv6/nd/prefix" (timeout)
/system clock
set time-zone-name=America/Vancouver
/system identity
set name=FIBWAN
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ca.pool.ntp.org
/system routerboard settings
set boot-os=router-os
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
tangent
Forum Guru
Posts: 1406
Joined: Thu Jul 01, 2021 3:15 pm

Re: CRS310-8G+2S to split WAN connection

Thu Mar 14, 2024 1:03 am

At some point, the switch is somehow changed from switch mode to router mode

Magically? All by itself? No.

The CRS310 is not a great router even within its limitations, and certainly not at the speeds implied by "fiber". It is, by far, best used as a smart switch.

I think what you want is to remove all the =WAN stuff and bridge sfp-sfpplus1 together with the other LAN-side ports and let the proper routers behind it sort matters out.

Leave the MGMT ports off the bridge to create private LANs outside the WAN-side collision domain.
 
ahnow
just joined
Topic Author
Posts: 15
Joined: Mon Feb 12, 2024 6:56 pm

Re: CRS310-8G+2S to split WAN connection

Thu Mar 14, 2024 1:26 am

Thanks for the feedback. Agreed - use only as a switch and that is the intention. I have routers doing what routers should do, and not have the switches do that.

To my understanding, I’ve already achieved what you’ve recommended, so I’m trying to understand that if I have done it correctly, why does the switch keep going to router mode? I’m not setting up VLANs, networks, DHCP etc.

Like I said, maybe my implementation of what I’m trying to do isn’t right. Hence, I’m looking for the correct path.
 
tangent
Forum Guru
Posts: 1406
Joined: Thu Jul 01, 2021 3:15 pm

Re: CRS310-8G+2S to split WAN connection

Thu Mar 14, 2024 1:43 am

There aren't any hidden "modes" here. Every variable behavior in a RouterOS device is configurable. If your switch behaves like a router, it is because you told it to do that.

I think you can get your expressed intent with as little as this:

/interface bridge
add admin-mac=[REMOVED] auto-mac=no comment=defconf name=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
/ip address
add address=172.19.89.118/25 comment=defconf interface=ether2 network=172.19.89.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=172.19.89.0/25
set ssh address=172.19.89.0/25
set api disabled=yes
set winbox address=172.19.89.0/25
set api-ssl disabled=yes
/ip ssh
set host-key-size=1024 strong-crypto=yes
/system clock
set time-zone-name=America/Vancouver
/system identity
set name=FIBWAN
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ca.pool.ntp.org
/system routerboard settings
set boot-os=router-os
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

I think you also need an IP address assignment of some kind on ether3, and I'd use bridge firewall rules (not IP firewall!) to keep SSH, WinBox, and WebFig hidden from the WAN side rather than rely on the weak subnet restrictions you have on those services, but these are refinements, not immediate go/no-go essentials.

Diff that with your current config to see what I've removed as unnecessary, wrong, and/or confusing.

Feel free to tell me how I've overstepped or otherwise gotten things wrong. You are, after all, the local expert on your own needs. 🤓
 
ahnow
just joined
Topic Author
Posts: 15
Joined: Mon Feb 12, 2024 6:56 pm

Re: CRS310-8G+2S to split WAN connection

Thu Mar 14, 2024 2:07 am

Excellent. I’ll give this a whirl in the next few hours and confirm if your (simplified) suggestion solves this for me, and follow up with necessary details accordingly.

Thanks!
 
anav
Forum Guru
Posts: 19409
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CRS310-8G+2S to split WAN connection

Thu Mar 14, 2024 3:15 am

I see this similarly (except, using basic math, if you have four routers you need four ports: 4, 5, 6, 7 [including port 8 would make 5 there, tangent ;-)])
I will take a stab at this for grins and giggles......... Not an expert so it could be useless.

a. the switch is connected to the network via the management port ether2.
The question though for me is this coming into the switch as a VLAN or untagged traffic????

b. the switch allows a local person to access the management network on the local port on ether3

c. the sfpplus port is the trunk port leading to the FIBER MODEM. Same question: is this supplied over a VLAN by the ISP??

d. Ports 4 - 7,sfpplus1 are bridged as they are what the routers get their WAN from etc..........

e. will make an assumption that you get fixed WANIPs from the provider ...... let's say.
150.15.130.67/32 - 150.15.130.70/32


/interface bridge
# vlan-filtering=yes is what makes the bridge vlan table below take effect
add admin-mac=[REMOVED] auto-mac=no comment=defconf name=bridge vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] name=offbridge-Emerg-Access
set [ find default-name=ether2 ] name=Remote-Management-Port
set [ find default-name=ether3 ] name=Local-Management-Port
# ???? not sure how to deal with this one (ether3)

/interface vlan
# depends much on if the traffic is coming in tagged or untagged
add name=MGMT_VLAN interface=Remote-Management-Port vlan-id=22 comment="Base network"
# simply used to connect traffic flow
add name=WAN-VLAN interface=bridge vlan-id=10 comment="WAN network"

/interface bridge port
add bridge=bridge comment=defconf interface=ether4 pvid=10
add bridge=bridge comment=defconf interface=ether5 pvid=10
add bridge=bridge comment=defconf interface=ether6 pvid=10
add bridge=bridge comment=defconf interface=ether7 pvid=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 pvid=10

/ip address
# depends on whether or not traffic is coming in tagged or untagged
add address=172.19.89.118/25 comment=defconf interface=Remote-Management-Port network=172.19.89.0
# probably wrong
add address=172.19.89.119/25 comment="Static IP assigned to port" interface=Local-Management-Port network=172.19.89.0
add address=10.20.30.1/24 interface=offbridge-Emerg-Access network=10.20.30.0

/interface bridge vlan
# one entry per VLAN, listing every untagged port in it
add bridge=bridge tagged=bridge untagged=ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-id=10

/interface list
add name=wanrouters
/interface list member
add interface=ether4 list=wanrouters
add interface=ether5 list=wanrouters
add interface=ether6 list=wanrouters
add interface=ether7 list=wanrouters

/interface bridge filter
add action=drop chain=forward in-interface=ether4 mac-protocol=ip src-address=!150.15.130.67/32
add action=drop chain=forward in-interface=ether5 mac-protocol=ip src-address=!150.15.130.68/32
add action=drop chain=forward in-interface=ether6 mac-protocol=ip src-address=!150.15.130.69/32
add action=drop chain=forward in-interface=ether7 mac-protocol=ip src-address=!150.15.130.70/32
# router legs may only talk to the fiber port, never to each other
add action=drop chain=forward in-interface-list=wanrouters out-interface-list=wanrouters


NOTE: What this does is effectively ensure a one to one dedicated mapping from fiber and provided IPs to specific PORT and thus router.
So for example in the first rule, any traffic coming across ether4, not originating from 150.15.130.67 will get dropped etc...
The last rule ensures that none of the ISPs can cross talk across ports.
Last edited by anav on Thu Mar 14, 2024 5:03 am, edited 1 time in total.
 
tangent
Forum Guru
Posts: 1406
Joined: Thu Jul 01, 2021 3:15 pm

Re: CRS310-8G+2S to split WAN connection

Thu Mar 14, 2024 3:51 am

using basic math if you have four routers you need four ports 4,5,6,7 [ including port 8 would make 5 there tangent ;-)

I have no idea what point you're trying to make, anav. I didn't use the word "four" in either of my replies above, and I don't see anything that can be counted to 4 but should be 5.

The closest guess I have is where I show ether2 and ether3 as not on the bridge, implicitly putting more ports on the bridge than the five ports strictly necessary, but there the count is eight, not four or five; six copper and two fiber.

Care to enlighten me?

/interface bridge port
add bridge=bridge comment=defconf interface=ether4 pvid=10…

I'm not seeing any reason to involve VLANs here at all. OP didn't say, but presumably these two "management" access ports (ether2 and ether3) are single-link, with no need for further propagation of a VLAN boundary down the line. For that, taking the port off the bridge and using it bare is fine.

/interface bridge filter…

This is useful, but in case the OP isn't clear about it, this isn't what I was referring to above with my comment about bridge filtering rather than IP subnet filtering or IP firewalling. There also needs to be something like this in there:

/interface bridge filter
add action=drop chain=input in-interface-list=!MGMT mac-protocol=ip dst-port=80

…where MGMT contains ether2 and ether3, keeping all other ports from talking to port 80 on the switch. Ditto for WinBox and SSH. This is far stronger than "set www address=172.19.89.0/25"; IPs can be spoofed.
 
ahnow
just joined
Topic Author
Posts: 15
Joined: Mon Feb 12, 2024 6:56 pm

Re: CRS310-8G+2S to split WAN connection

Thu Mar 14, 2024 4:03 am

Thanks for attempting anav.

To clarify, no VLANs, and tangent is correct, nothing down the line.

Agreed - not planning to leave IP services filtered at IP level, so will proceed with hardening that at some point.
 
anav
Forum Guru
Posts: 19409
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CRS310-8G+2S to split WAN connection

Thu Mar 14, 2024 5:03 am

No worries,
If not useful so be it.

@tangent, did you read the first line of the OPs first post??
have a CRS310-8G+2S that needs to go between my fiber modem and 4 routers to split the WAN connection between the routers (technical requirement). Our current

He goes on to state in another line
ether4-8 separate LAN ports (as bridge) that connect to the 4 routers for WAN access. Each router gets its IP via DHCP from the ISP.

What you failed to point out to the OP is that ports 4-8 would entail 5 WANs and 5 routers, and thus I am saying it's actually only ether4 to ether7. Basic math.
Finally in your config you list the ports as such /interface bridge port where you list ether4-8 and sfpplus1, not sure why you list sfpplus2 though either. ??
 
tangent
Forum Guru
Posts: 1406
Joined: Thu Jul 01, 2021 3:15 pm

Re: CRS310-8G+2S to split WAN connection

Thu Mar 14, 2024 5:15 am

What you failed to point out to the OP is that ports 4-8 would entail 5 WANs and 5 routers

You're missing the point of my configuration, then. It puts the fiber modem and the four downstream routers into a single broadcast domain on purpose. Each router broadcasts a DHCP request, the fiber modem forwards it to the ISP, and the destination MAC on the reply gets the answer back to the appropriate router. From that point on, routing rules and ARP take over.

Your addition of bridge filtering to keep these four routers from babbling at each other and from creating a DMZ between them is on-point here, but not essential, because these streams commingle again as soon as they meet back up on the other side of the fiber modem.

you list the ports as such /interface bridge port where you list ether4-8 and sfpplus1, not sure why you list sfpplus2 though either. ??

The reason is simple: what else am I going to do with them? Maybe the OP will later wish to add a fifth downstream router. Who can say?

Leaving these presently-unused ports off the bridge entirely would be confusing, because that puts them on par with the two ports we purposefully left off the bridge.

I could've marked them disabled or added a "comment=not-used" to make a distinction between these cases, but that gets us into local documentation conventions, and I saw no need to have a bikeshedding discussion about the matter in this thread.

Ultimately, this is an area where we should let the OP please themselves. Their choice is immaterial here.
 
tangent
Forum Guru
Posts: 1406
Joined: Thu Jul 01, 2021 3:15 pm

Re: CRS310-8G+2S to split WAN connection

Thu Mar 14, 2024 9:12 am

Instead of bridge filtering to keep the routers from chatting across the shared broadcast domain, port isolation might be a better plan:

/interface ethernet switch port-isolation
set ether4 forwarding-override=sfp-sfpplus1
set ether5 forwarding-override=sfp-sfpplus1
set ether6 forwarding-override=sfp-sfpplus1
set ether7 forwarding-override=sfp-sfpplus1

That's untested, but what I think it says is that ingress traffic from the per-router legs is forced out the fiber port. Ingress traffic on the other ports (fiber and MGMT) isn't affected.
 
anav
Forum Guru
Posts: 19409
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CRS310-8G+2S to split WAN connection

Thu Mar 14, 2024 3:48 pm

Understood, but it was material; one should not have floating unused ports on any configuration unless one knows that they will be used in the future.
Thus if the OP had stated 4 now and possibly more WANs later, all the power to you; otherwise, it's junk and, security-wise, poor design.

Caveat: I have no experience with such setups; I happened to see a similar thread a while back and thought it might be applicable.
I don't know what concerns one would have with a COMMON bridge among four hungry routers vying for WANIPs, and not knowing how they would conform or not conform led me to suggest the method which makes it hard and fast what router will get what IP.......... Again, as I stated at the start, could be useless.
 
ahnow
just joined
Topic Author
Posts: 15
Joined: Mon Feb 12, 2024 6:56 pm

Re: CRS310-8G+2S to split WAN connection

Thu Mar 14, 2024 4:36 pm

Thank you both for all the replies, which have all shaped my understanding better with how MikroTik works.

As for unused ports, they are left out intentionally as I do not require use of them, so they are disabled at the physical interface.

Regarding port isolation, etc., I am not sure which direction I will go. Right now, all 4 routers are on one broadcast domain, and since they serve different subnets, including public-facing sites/services, they will need to talk to each other. However, if there is a lot of useless chatter between them, port isolation may be the way to go, but I’ll have to dig into this further.

If I went the bridge filter route, WinBox does not have a dst-port option, unless it’s buried or it only exists in the CLI which I doubt..?

At this point, things seem to work based on the way I originally intended/posted, and the reason it didn’t work before was because of one button, “OK” in Quick Set.

I’ve worked in networking for many years but still pull a novice move once in a while; switching to new gear doesn’t help. I haven’t read a ton of MikroTik documentation yet which could be a problem…

Where I went wrong:
So, I found out the hard way that clicking OK in Quick Set, without making changes, actually reapplies/reconfigures some things under the hood, rather than acting like a close button when nothing has been changed like some products behave. Essentially, it’s like a mini configuration wizard. Clicking OK is what causes the router to switch from Bridge mode to Router mode (my apologies for referring to it as Switch mode earlier - long days).

I have configured the switch the same way from the ground up, multiple times, and the results have been consistent, but it’s a new day and I am about to go through it again. Once I reach satisfying results, I can post the config used to accomplish this.
 
anav
Forum Guru
Posts: 19409
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CRS310-8G+2S to split WAN connection

Thu Mar 14, 2024 5:20 pm

Quick set should be avoided for sure...........
The idea of the bridge filter rules was to ensure the assignment sticks ( wan1 to R1 etc.........).
My guess is that intended traffic between WANIPs should not be affected, as the traffic would go to the ISP provider and then return, vice attempt to connect/shortcut within the Router or the switch, aka should go out to the modem and perhaps infrastructure somewhere at the ISP and then back. Just guessing though....
 
ahnow
just joined
Topic Author
Posts: 15
Joined: Mon Feb 12, 2024 6:56 pm

Re: CRS310-8G+2S to split WAN connection

Thu Mar 14, 2024 5:42 pm

anav - gotcha on the bridge filter rules, and that makes total sense, and I think you're correct on the in and out with the ISP.

As for dropping input to the switch IP services, it seems something isn't quite right with the CLI example...perhaps an oversight but I may have it figured out:
Incomplete
/interface bridge filter
add action=drop chain=input in-interface-list=!MGMT mac-protocol=ip dst-port=80

This command returns the error:
failure: ports can be specified only when ip-protocol is tcp or udp

So, I left as is and added the IP protocol, and it accepted:
Potentially fixed
/interface bridge filter
add action=drop chain=input in-interface-list=!MGMT mac-protocol=ip ip-protocol=tcp dst-port=80

Assuming this is correct, I also assume this can be repeated for the other IP services? Otherwise, please correct where I've gone wrong.

Thanks!
 
anav
Forum Guru
Posts: 19409
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CRS310-8G+2S to split WAN connection

Thu Mar 14, 2024 5:48 pm

No idea what you are doing now LOL.........
I was strictly looking at the IPs to Routers work.
You want each RX to send traffic from its assigned IP,
You want each RX to only respond to arp requests for itself. ( maybe blocking arp requests to any other address than the allotted one is a better approach ?? )

If DHCP is involved ( assuming not dynamic though but statically set ), then one would have to address not blocking UDP traffic on port 67,68
 
ahnow
just joined
Topic Author
Posts: 15
Joined: Mon Feb 12, 2024 6:56 pm

Re: CRS310-8G+2S to split WAN connection

Thu Mar 14, 2024 7:22 pm

That's my intention to drop port 80 access to the switch input from anything on the WAN side, and I'd repeat for ssh and WinBox...
 
ahnow
just joined
Topic Author
Posts: 15
Joined: Mon Feb 12, 2024 6:56 pm

Re: CRS310-8G+2S to split WAN connection

Fri Mar 15, 2024 6:10 am

To elaborate, we’re talking about 2 different bridge rules.

The first one was for blocking IP services on the bridge so that IP filtering wasn't the only "security" for it.

The second topic was referring to possibly using bridge filters or port isolation to cut down the traffic between routers pre-modem/ISP.

I can wait on the port isolation for now and implement it if needed down the road. But the IP services filters should be done now, so I’m looking to ensure the current filter example I last provided is correct for the proper protection.
 
tangent
Forum Guru
Posts: 1406
Joined: Thu Jul 01, 2021 3:15 pm

Re: CRS310-8G+2S to split WAN connection

Fri Mar 15, 2024 6:37 am

Yes, I did inadvertently leave off the TCP qualifier.

WebFig, WinBox, and SSH are all TCP-only protocols. If that's all that's listening on the router, that's all you need to block.

But maybe you want something more generic like this:

/interface bridge filter
add action=drop chain=input in-interface-list=!MGMT

In other words, the only ports allowed to talk directly to the switch are the MGMT ports. Whether that's a wise choice is your call.
 
ahnow
just joined
Topic Author
Posts: 15
Joined: Mon Feb 12, 2024 6:56 pm

Re: CRS310-8G+2S to split WAN connection

Fri Mar 15, 2024 6:53 pm

Thanks for clarifying tangent. I do prefer the simple bridge filter you suggested as there is no reason to be so granular at this point, though I am a proponent for being as explicit as possible.

As noted, here is the final configuration that works the way I need it:
# 2024-03-15 09:20:26 by RouterOS 7.14.1
# software id = 4SEN-RUF3
#
# model = CRS310-8G+2S+
# serial number = [REMOVED]
/interface bridge
add name=MGMT_BRIDGE
add name=WAN_BRIDGE
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=sfp-sfpplus2 ] disabled=yes
/interface list
add name=WAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge filter
add action=drop chain=input comment="Drop input from non-MGMT" \
    in-interface-list=!MGMT
/interface bridge port
add bridge=WAN_BRIDGE interface=ether1
add bridge=MGMT_BRIDGE interface=ether2
add bridge=MGMT_BRIDGE interface=ether3
add bridge=WAN_BRIDGE interface=ether4
add bridge=WAN_BRIDGE interface=ether5
add bridge=WAN_BRIDGE interface=ether6
add bridge=WAN_BRIDGE interface=ether7
add bridge=WAN_BRIDGE interface=ether8
add bridge=WAN_BRIDGE interface=sfp-sfpplus1
add bridge=WAN_BRIDGE interface=sfp-sfpplus2
/ip neighbor discovery-settings
set discover-interface-list=none protocol=""
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=MGMT
add interface=ether3 list=MGMT
add interface=ether4 list=WAN
add interface=ether5 list=WAN
add interface=ether6 list=WAN
add interface=ether7 list=WAN
add interface=ether8 list=WAN
add interface=sfp-sfpplus1 list=WAN
add interface=sfp-sfpplus2 list=WAN comment="WAN_BRIDGE port; must not sit in MGMT or it would bypass the input bridge filter"
/ip address
add address=172.19.89.118/25 interface=ether2 network=172.19.89.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=172.19.89.0/25
set ssh address=172.19.89.0/25
set api disabled=yes
set winbox address=172.19.89.0/25
set api-ssl disabled=yes
/ip ssh
set host-key-size=1024 strong-crypto=yes
/system clock
set time-zone-name=America/Vancouver
/system identity
set name=FIBWAN
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ca.pool.ntp.org
/system routerboard settings
set boot-os=router-os
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

So, what does this do?
  1. ether2 and ether3 are bridged for accessing the existing MGMT network and local access to the switch, but no access to the other switch ports.
  2. ether1, ether4-8, and sfp-sfpplus1 are all bridged on the WAN bridge, providing internet access to all routers, but not the MGMT ports or switch input.
  3. ether1 and sfp-sfpplus2 physical interfaces are disabled. This allows for ether1 to act as a backup if fiber goes down. sfp-sfpplus2 is not needed at the moment.
  4. No VLAN configurations required, no IP firewall filter rules used (obviously).
  5. Connectivity and speed tests confirm full bandwidth in use over the sfp-sfpplus1 interface.

I conclude this to be successful, and I appreciate all the input received!
 
anav
Forum Guru
Posts: 19409
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CRS310-8G+2S to split WAN connection

Fri Mar 15, 2024 8:23 pm

Sweet, KISS, thanks for the feedback.
 
tangent
Forum Guru
Posts: 1406
Joined: Thu Jul 01, 2021 3:15 pm

Re: CRS310-8G+2S to split WAN connection

Sat Mar 16, 2024 12:37 am

/interface bridge
add name=MGMT_BRIDGE
add name=WAN_BRIDGE

This risks a huge performance hit. The CRS310 is among the majority of devices that supports only one hardware-offloaded bridge per switch chip. By configuring two bridges, you're giving RouterOS freedom to offload the ether2+ether3 bridge and do everything else in software, shoving all packets through the CRS310's small ARM CPU!

(There are exceptions, with which you can do fun things.)

This is why I left those two ports off the bridge in the first place. As I understood your needs, they're independent back-doors into the switch for management reasons, thus don't need to be bridged at all. This is also why I wrote that bridge filtering rule in terms of an interface list, not a bridge interface name.

If I'm overlooking something and you really need two bridges, I advise you to mark ether2 and ether3 as hw=no to ensure that RouterOS doesn't pick the wrong bridge to offload. Pushing management traffic through the CPU isn't a huge problem.
 
ahnow
just joined
Topic Author
Posts: 15
Joined: Mon Feb 12, 2024 6:56 pm

Re: CRS310-8G+2S to split WAN connection

Sat Mar 16, 2024 12:49 am

Thanks for that valuable input. I wasn’t aware of that so I can disable the hardware offloading for the MGMT_BRIDGE.

If I don’t bridge 2&3, what would you advise I do?
 
tangent
Forum Guru
Posts: 1406
Joined: Thu Jul 01, 2021 3:15 pm

Re: CRS310-8G+2S to split WAN connection

Sat Mar 16, 2024 12:55 am

Exactly as in my post #4 above: leave them off the bridge (singular) entirely.

The only reason to bridge them together at all is if the hosts visible thru ether2 and ether3 have to intercommunicate through this switch. If instead those hosts do nothing other than talk to the switch, they don't need to be bridged together at all, making the CPU vs hardware offload question go away entirely.
 
ahnow
just joined
Topic Author
Posts: 15
Joined: Mon Feb 12, 2024 6:56 pm

Re: CRS310-8G+2S to split WAN connection

Sat Mar 16, 2024 1:10 am

If I understand you correctly, if ether2 and ether3 only talk to the switch and nothing else, then I don’t need to use a bridge per the performance hit you mentioned.

But because I have the switch connected to an existing management network via ether2, I would need to use the bridge because the traffic on that port is passing through the router to the rest of the management infrastructure, and ether3 gives local access to it.

Or…am I not really getting what you’re trying to say?
 
ahnow
just joined
Topic Author
Posts: 15
Joined: Mon Feb 12, 2024 6:56 pm

Re: CRS310-8G+2S to split WAN connection

Sat Mar 16, 2024 1:13 am

I think I see your point. I would just have to configure ether3 as a separate interface on the switch with its own IP for the management network.

The only thing is I would need DHCP working on it when locally connected with a laptop. Maybe I’m spacing something on this.
 
tangent
Forum Guru
Posts: 1406
Joined: Thu Jul 01, 2021 3:15 pm

Re: CRS310-8G+2S to split WAN connection

Sat Mar 16, 2024 1:54 am

You might need to add a drawing to this thread, because one of us is confused, maybe both.

There's nothing stopping you from putting multiple DHCP clients and servers on a CRS310.

As best I can discern from your prose description, you can get everything you want by putting a DHCP client directly on the bare ether2 port to give the switch a static reservation in the management-net IP scheme, and a DHCP server on ether3 to produce a separate IP subnet for use by a walk-up laptop connection.

No additional bridges required.
 
ahnow
just joined
Topic Author
Posts: 15
Joined: Mon Feb 12, 2024 6:56 pm

Re: CRS310-8G+2S to split WAN connection

Sat Mar 16, 2024 2:29 am

I think I follow you here. I’ll plan to attempt what you’re describing, Monday. Having a hands-on/visual to what you’re saying will help me better, meaning I have to configure it myself and see the behaviour of both ports for it to really dial in.

Thanks for the follow ups. I’ll chime in after my attempts.
 
tangent
Forum Guru
Posts: 1406
Joined: Thu Jul 01, 2021 3:15 pm

Re: CRS310-8G+2S to split WAN connection

Sat Mar 16, 2024 2:36 am

The important thing to realize is that "bridge" in this context is another way of saying "Ethernet switch", and there's no reason for a host plugged into the walk-up ether3 port to see hosts down the ether2 leg, nor vice versa.

Contrast the singular bridge in this configuration, where we want all four router ports to see the WAN fiber port and vice versa. They're switched together in a single broadcast domain, modulo the bridge filtering we've been discussing.

In the case of ether3, you end up with a 2-party network: the CRS310 on one side and the laptop on the other.

The ether2 case is more complicated, but for our purposes, it's also a 2-party network: the CRS310 and the management switch downstream. The fact that the latter fans out to some number of other hosts is immaterial; we don't need an additional bridge on the CRS310, because its ether2 port is an endpoint for the management network, not a further traffic distribution point.
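Putting tangent's pieces together in one place (a single hardware-offloaded bridge for the fiber port and the router legs, ether2 and ether3 kept as bare ports, the input bridge filter keyed on an interface list rather than a bridge name, and port isolation in the switch chip instead of forward-chain bridge filters), here is the whole switch configuration as an added example. It is not the OP's posted config and not anything from MikroTik; the walk-up laptop subnet 192.168.89.0/30 on ether3, the 10-minute lease, and the IP-level input rule are my assumptions. One caveat before copying anav's earlier forward-chain bridge filters instead: bridge filter rules are evaluated by the CPU, so frames the switch chip forwards in hardware never pass through them, whereas port isolation is applied by the chip itself and therefore covers the offloaded path.

```routeros
# Added example, not from the thread or from MikroTik: tangent's single-bridge
# layout for the CRS310-8G+2S+ with the switch's own services reachable only
# from the two bare management ports. Assumed: walk-up laptop subnet
# 192.168.89.0/30 on ether3 (10-minute lease); the rest follows the OP's stated
# requirements (MGMT static 172.19.89.118/25 on ether2, routers on ether4-ether8).

/interface bridge
add name=bridge comment="single hw-offloaded broadcast domain: fiber + router legs"

/interface ethernet
# unused ports stay disabled so they cannot silently join the WAN side later
set [ find default-name=ether1 ] disabled=yes comment="spare; enable and bridge if fiber fails"
set [ find default-name=sfp-sfpplus2 ] disabled=yes comment=unused

/interface bridge port
add bridge=bridge interface=sfp-sfpplus1 comment="fiber modem"
add bridge=bridge interface=ether4 comment="router 1"
add bridge=bridge interface=ether5 comment="router 2"
add bridge=bridge interface=ether6 comment="router 3"
add bridge=bridge interface=ether7 comment="router 4"
add bridge=bridge interface=ether8 comment="spare router leg"
# ether2 and ether3 are deliberately NOT bridge ports

/interface list
add name=MGMT
/interface list member
add interface=ether2 list=MGMT
add interface=ether3 list=MGMT

/ip address
add address=172.19.89.118/25 interface=ether2 network=172.19.89.0 comment="existing MGMT network"
add address=192.168.89.1/30 interface=ether3 network=192.168.89.0 comment="walk-up laptop (assumed subnet)"

# two-party network on ether3: the switch hands the laptop its one address
/ip pool
add name=walkup ranges=192.168.89.2
/ip dhcp-server
add name=walkup interface=ether3 address-pool=walkup lease-time=10m
/ip dhcp-server network
add address=192.168.89.0/30 gateway=192.168.89.1

# Layer 2: nothing arriving on a bridge port may reach the switch CPU at all,
# ARP included; the list match means it keeps working if ports are renamed
/interface bridge filter
add chain=input in-interface-list=!MGMT action=drop comment="no L2 path to the switch from the WAN side"

# Layer 3 belt-and-braces: bridged traffic shows up with in-interface=bridge,
# which is not in MGMT, so it is dropped even if the L2 rule is ever removed
/ip firewall filter
add chain=input in-interface-list=!MGMT action=drop comment="management only via ether2/ether3"

# Router legs may talk to the fiber port only, never to each other. Done in the
# switch chip, so it also applies to hardware-offloaded frames.
/interface ethernet switch port-isolation
set ether4 forwarding-override=sfp-sfpplus1
set ether5 forwarding-override=sfp-sfpplus1
set ether6 forwarding-override=sfp-sfpplus1
set ether7 forwarding-override=sfp-sfpplus1
set ether8 forwarding-override=sfp-sfpplus1

# Layer-2 management helpers restricted to the same list
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool mac-server ping
set enabled=no

/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set www address=172.19.89.0/25,192.168.89.0/30
set ssh address=172.19.89.0/25,192.168.89.0/30
set winbox address=172.19.89.0/25,192.168.89.0/30
```

After pasting, `/interface bridge port print` should show the H (hardware offload) flag on every bridge port; a missing H means a second bridge or an unsupported feature has pushed that port onto the CPU. To check the isolation, give a laptop a static address in 172.19.89.0/25, plug it into ether8 and try WinBox or even a plain ping against 172.19.89.118: not even the ARP request gets an answer, and `/interface bridge filter print stats` shows the drop counter climbing. The same laptop on ether3 gets a lease from 192.168.89.1 and reaches WebFig, SSH and WinBox normally.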
 
ahnow
just joined
Topic Author
Posts: 15
Joined: Mon Feb 12, 2024 6:56 pm

Re: CRS310-8G+2S to split WAN connection

Sat Mar 16, 2024 2:44 am

Great explanation, that really helps. And honestly, I considered taking that approach in the beginning but ignorantly decided a bridge might be the way to go based on a lot of articles online heavily emphasizing the use of them.

Anyway, appreciate your insight!
