Hello Everybody,

I am planning to use 109 as a Router by bridging my SP ADSL2+ Netcomm router to 109.
From the doc it's not quite clear why we need a master port, so I have removed all the port from master slave thing. I will be configuring VLAN's on individual physical ports one of which will be a trunk port connecting to my KVM Host. Ether1 connects to the SP Netcomm modem-router and so will be the internet/WAN port that will be NATing.
Just wanted to know if this scenario is right and that the outgoing packets to Internet will be NAT-ed and if you have any tips.

Thanks!!
Albert

The Master/Slave ports is the switch function

While you can use the CRS as a router, the CPU is very weak and you will not get great results depending on your needs. Since port 1 is your WAN, I'd make port 2 the master to all other ports. This allows you to take advantage of the switch chip and run layer 2 communications at wire speed.

While you can use the CRS as a router, the CPU is very weak and you will not get great results depending on your needs. Since port 1 is your WAN, I'd make port 2 the master to all other ports. This allows you to take advantage of the switch chip and run layer 2 communications at wire speed.

Thanks mpreissner for your advice which was very helpful in understanding how the CRS works. I have other virtual routers in my KVM environment connecting to software bridges though I am planning to install OpenvSwitch. So this 109 will only be NATing to the Internet and will be the main firewall (I hope filtering would not be heavy for the CPU! ).

Regarding master port, I am planning to use VLAN's rather than port segregation using master-slave ports. I did not find the doc clearly explains using VLANs with master-slave ports. Can you point to docs that explain this feature clearly? or can you give a small example? will be great help.
Also if I remove master port configuration does that mean - for switching I will have to use bridge which will be slower than hardware switching?

Thanks!

Yes, if you remove the master/slave configuration, it's the same as directly connecting the port to the CPU. Unfortunately, in the CRS, all ports share a singe 1 gbps link to the CPU, so it's a major bottleneck. Using bridging on a CRS is not advisable.

The key to working with the CRS is proper config. For a VLAN to be routable, you need to create the VLAN on the Master port interface (done through the "Interfaces > VLAN" menu). From there, you'll want to go into the Switch VLAN config. In the "interface > ethernet > switch > vlan" menu, you define all the VLANs you want on your switch (you can make some non-routable if you like by not also adding them to the Master port), and you identify on which ports those VLANs are valid. Next, if you want to treat any untagged traffic as tagged, you need to do ingress vlan translation (basically sets the default VLAN ID for untagged traffic). Finally, you want to do egress VLAN tagging for any trunk or hybrid ports where the endpoints actually send tagged traffic.

Remember, only VLANs that you want to actually route will need to be created on the Master port as well (and linked/tagged on switch1-cpu). For example, I have a dedicated VLAN on my CRS for iSCSI traffic. I use out-of-band management for the endpoints that use that VLAN, so I don't need or want any routes into that VLAN for security reasons. So that VLAN only exists through the "interface > ethernet > switch" menu group, and not at the "interface > vlan" menu group.

Yes, if you remove the master/slave configuration, it's the same as directly connecting the port to the CPU. Unfortunately, in the CRS, all ports share a singe 1 gbps link to the CPU, so it's a major bottleneck. Using bridging on a CRS is not advisable.

The key to working with the CRS is proper config. For a VLAN to be routable, you need to create the VLAN on the Master port interface (done through the "Interfaces > VLAN" menu). From there, you'll want to go into the Switch VLAN config. In the "interface > ethernet > switch > vlan" menu, you define all the VLANs you want on your switch (you can make some non-routable if you like by not also adding them to the Master port), and you identify on which ports those VLANs are valid. Next, if you want to treat any untagged traffic as tagged, you need to do ingress vlan translation (basically sets the default VLAN ID for untagged traffic). Finally, you want to do egress VLAN tagging for any trunk or hybrid ports where the endpoints actually send tagged traffic.

Remember, only VLANs that you want to actually route will need to be created on the Master port as well (and linked/tagged on switch1-cpu). For example, I have a dedicated VLAN on my CRS for iSCSI traffic. I use out-of-band management for the endpoints that use that VLAN, so I don't need or want any routes into that VLAN for security reasons. So that VLAN only exists through the "interface > ethernet > switch" menu group, and not at the "interface > vlan" menu group.

Thanks mpreissner for this! I will get back to you once I implement this solution.