Adding a network on an ethernet port

Hello everyone.
On an HAP AC2 I am currently running the following configuration:

ether1			192.168.1.128/32	WAN	-> to the ISP's router
bridge1(ether2)		192.168.4.0/24		LAN	-> private LAN
ether3			192.168.2.0/24		LAN	-> public LAN to which I control access to the private one with firewall rules.

ether3, the public LAN, is not in the bridge.

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 disabled=yes interface=ether3
add bridge=bridge1 disabled=yes interface=ether4
add bridge=bridge1 disabled=yes interface=ether5
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1

Everything works. Machines on both LANs get routed to the outside internet and the private one can reach only the IPs on the private LAN that I put into an address list.
But my problem is: I forgot what I did to add the second public interface with its own subnet, separated from the bridge; that was almost a year ago.
I remember I went that way to be able to distinguish its interface in firewall rules, because if I remember correctly if an interface is part of a bridge you can’t call it by its name but have to refer to the bridge.

What I am seeking to do is this: on, let’s say ether4, create its own subnet 192.168.3.0/24 and DHCP server and pool, separated from the bridge, and routed.
Whatever I do I seem to miss something because if I connect to the port, I get an IP from the .3.0 pool but absolutely no route to any other network in the router, let alone internet.

Thanks in advance.

Well “disable port” is one way to remove an interface from the bridge. I find just removing that disabled port line a cleaner solution.

If you don’t get an IP route, check your DHCP server “Networks” setup. Default Gateway and DNS server should be defined there (192.168.3.1). There is even a button for DHCP server setup that will create the DHCP server, Network and Pool step by step.

I prefer to remove instead of disable when using other subnets.
Avoids misunderstandings later on.

Add address on that port.
Add network for subnet.
Add DHCP server on that port (make sure to define a separate pool).
Check routings if needed.

Or … use THE button :laughing:

Thanks to everyone.

I didn’t use THE button but I did the same steps manually. I will flush all configuration to that port and do it again properly.
My guess is that it’s a routing issue because I get an IP/subnet/gateway but no traffic. Default GW for that port is the port’s IP itself, but after that I don’t know how to check if the firewall is routing correctly.


So it is correct to remove the interface/pool/subnet from the bridge to just have it routed? Thanks.

Depending on your firewall rules, ether4 may need to be member of the “LAN” interface list, just like ether3 and bridge1.
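
The manual steps from the replies above (remove the port from the bridge, add the address, pool, DHCP server and DHCP network with gateway and DNS, then add the port to the LAN interface list), written out as a RouterOS CLI example. This is an added illustration, not a snippet from any post in the thread; the pool range, the names pool-ether4 and dhcp-ether4, the use of the router itself as DNS server, and the existence of an interface list called LAN and of an existing masquerade rule on ether1 are assumptions.

```routeros
# Constructed example for the ether4 / 192.168.3.0/24 case discussed above.
# Assumes the default-style firewall on a hAP ac2: a masquerade rule out via
# ether1 already exists and the forward chain has no blanket accept for LAN.

# 1. Take ether4 out of the bridge entirely (cleaner than a disabled port line).
/interface bridge port remove [find interface=ether4]

# 2. Router's own address on the port. This also creates the connected route
#    for 192.168.3.0/24 automatically; verify with: /ip route print
/ip address add address=192.168.3.1/24 interface=ether4 comment="ether4 LAN"

# 3. Separate pool for this subnet (do not reuse the bridge's pool).
/ip pool add name=pool-ether4 ranges=192.168.3.10-192.168.3.254

# 4. DHCP server bound to the port.
/ip dhcp-server add name=dhcp-ether4 interface=ether4 address-pool=pool-ether4 \
    lease-time=10m disabled=no

# 5. The "Network" entry that was missing in the thread: without gateway= the
#    clients get an address but no default route, which is the symptom described.
/ip dhcp-server network add address=192.168.3.0/24 gateway=192.168.3.1 \
    dns-server=192.168.3.1 comment="ether4 LAN"

# Router must answer DNS for clients if it is handed out as dns-server.
/ip dns set allow-remote-requests=yes

# 6. Interface list membership so the existing "from LAN" firewall rules
#    (input accept, forward/NAT matching on in-interface-list=LAN) cover ether4.
/interface list member add list=LAN interface=ether4

# 7. Keep the new segment isolated from the private LAN (192.168.4.0/24 behind
#    bridge1), mirroring what the thread does for ether3 with firewall rules.
#    Appended drop works here because the default forward chain ends without a
#    blanket accept; adjust placement if your ruleset differs.
/ip firewall filter add chain=forward in-interface=ether4 \
    dst-address=192.168.4.0/24 action=drop comment="ether4 -> private LAN"

# Quick checks after applying:
#   /ip dhcp-server lease print      -> a lease from 192.168.3.10-254 appears
#   /ip route print where dst-address=192.168.3.0/24   -> connected route via ether4
#   /interface list member print where list=LAN        -> ether4 listed
```

If access to the private LAN from the new segment must be selective rather than blocked, replace the drop rule with an address-list based rule like the one already used for ether3.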

Well, I used THE button and then checked this, I had no matching Network as you said! Problem solved by creating the appropriate one.
Its gateway must indeed be the port’s IP itself.
Thanks to all!