DHCP Pool per-port within same subnet

Hi,

Have been using Routerboard for my home network for quite some time, but this configuration I need has me stumped!
I’m introducing a second internet connection, and switching between is just a matter of connecting to a different wireless network.
I want everything to be in the same subnet so that the network continues to work the same as it currently does with discovery of devices.

I’m trying to get two DHCP pools running on separate interfaces for the same subnet (192.168.10.0/24). Each DHCP server provides a different gateway depending on which port you connect to:

On eth4: 192.168.10.10 - 192.168.10.100 (eth4 has IP address 192.168.10.1)
On eth5: 192.168.10.110 - 192.168.10.200 (eth5 has IP address 192.168.10.101)

I have created a bridge for each interface, as it was the only way I could assign each DHCP pool to it. The configuration works, and you’re assigned an address within the pool with a different gateway (DHCP option 3). However, I cannot bridge eth4 & eth5 together to make it a seamless network.
When I bridged eth4 & eth5 and tried to assign the DHCP server to the interfaces, I was told the config was invalid because they were slaves.

I’m aware that I’ll need to drop DHCP traffic between the two ports to prevent the two servers interfering, but is the above setup going to be possible?

Many thanks in advance!

You shouldn’t need any of this. Just bridge everything in the LAN together and have one common DHCP server on the bridge. Then you can match packets from devices connected to a selected interface (which is part of the bridge) using a bridge filter, and it’s possible to give them packet marks, e.g.:

/interface bridge filter
add action=mark-packet chain=input in-interface=eth5 new-packet-mark=to-wan2

The same packet mark is visible in “/ip firewall”, so you can use it to mark routing and make it use the second internet connection. I didn’t test it thoroughly, but a quick test says it works.

Another way could be with the bridge’s “Use IP Firewall” option; it would allow you to match by incoming bridge port directly in “/ip firewall”. But I don’t like this much, because it interferes with all bridged traffic.

Oh great, that sounds like a much simpler way to do it - I will give that a try.

Sounds simple-ish, but what are the real requirements? By that I mean described not as a configuration but in terms of use cases.

User Groups:
I want a group of users separated from another group of users.
I want both groups to be able to access the internet.
I want both groups to access a server that is separated from both groups
I want one group to have access to a / the other group's colour printer
I don't want the server to have access to the internet
I don't want the printer to have access to the internet


Environment:
I have two ISP connections (one dynamic cable, one dynamic fiber)
I have one MT router
I have two managed switches
Users have PCs
One networked printer
One Server PC

Network Control:
I want one group of users to ONLY use ISPA
I want the other group of users to ONLY use ISPB
If ISP A becomes not available I want to ???
If ISP B becomes not available I want to ???

I want two users in group A to have priority over available bandwidth to internet
I want one user in Group B to have priority over available bandwidth to internet
Depending on ???, might need to state that VIPs from group A have higher priority over VIP users in group B, then everybody else.

Network Diagram to illustrate…

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Based on a complete set of requirements the RIGHT DESIGN can be formulated.

The requirement is, based on my understanding of first post, to have two WANs, switch between them by connecting to different wireless network, but at the same time keep only one common LAN for everything. A little unusual, but why not.

Exactly this. I want users to choose between the fast but potentially unreliable LTE connection, or use the slower but more reliable fixed line. They don’t have the ability to change configuration settings, so either plugging in to a different ethernet port or switching to a different wireless network keeps it very simple for them.

For anav's benefit:
User Groups:
One group of users on a ‘flat’ single-subnet network. Users can see all devices and have unrestricted network access.

Environment:
Two connections - LTE fast but maybe unreliable, fixed line which is slow but reliable.
RB750g currently in use as a single-WAN router, and RB750r2 used for testing.
Users should connect to the “fast” network by default but if there is a problem users can manually change to the other.
Users connect with laptops, phones, tablets. Other network devices include smart speakers, TVs, etc.
Two wireless access points provide the separate connections via each port on the RB750.

Network Control:
Users can choose whichever gateway they want simply by changing their wifi or wired connection. No restriction within the LAN.

No need for a network diagram I hope - it’s a blank canvas right now!

@mark - So basically by having ports marked on a switch for example, and by use of wifi SSID, the aim can be accomplished. Tres cool!
Awesome glad the solution works for you… sometimes sob gets lucky LOL

@sob What can I say, I have higher standard/expectations of requirements.
For example you had no clue as to the different ISP functionality which is actually important in driving the requirements…
A new requirement was articulated (he wants the user to be able to select which ISP to use to access the internet).
He further clarifies how he thinks it should be done.
(so either plugging in to a different ethernet port or switching to a different wireless network keeps it very simple for them).

All important information that may lead one to have a completely different design approach.
In this case perhaps not, but from a process point of view, an incomplete understanding and an attempt to then provide an assumed config is simply poor engineering.
In any case, the puzzle is clearer LOL.

+++++++++++++++++++++++++++++++++

Would you be able to give some guidance on the necessary firewall rule? I’ve got the packet mark configured, but am stuck now with the action to take with the firewall / routing.

Ah, I think this might do the trick…

/ip firewall mangle
add chain=prerouting action=route passthrough=yes route-dst=192.168.10.2 packet-mark=to-wan2

It should, but I wouldn’t use it; action=route is a shortcut which doesn’t leave you any options.

For example, you may want to have failover. If a device is connected to the wlan or ethernet port used for WAN2 and WAN2 goes down, it would be convenient if WAN1 was used instead, without the need to reconnect elsewhere. For that you’d need different routing tables (regular dual-WAN config) and you’d mark routing:

/ip firewall mangle
add chain=prerouting packet-mark=to-wan2 action=mark-routing new-routing-mark=wan2

Or you may want an even more advanced config (well, probably not, but it would be possible) with some ports forwarded to a device from WAN1, and would want those to work even when the device is connected to the WAN2 wlan or ethernet port. For that you’d need the full config with marking connections and everything, such as the PCC example. Ignore the fact that PCC is load balancing, which you don’t want; the actual PCC is only those two rules with the per-connection-classifier option, the rest applies to any slightly advanced dual-WAN config. In that case you’d use packet marks set by the bridge filter only as a starting point to mark connections:

/ip firewall mangle
add chain=prerouting connection-mark=no-mark packet-mark=to-wan2 action=mark-connection new-connection-mark=ISP2_conn

Again, you probably don’t need this, but if you got bored and wanted to play with something..

Just as an update to this… (I know, it’s been a while…)
The packet marking works: with the gateway set by DHCP to 192.168.10.1, but packet marking configured to re-route data from a specific interface to 192.168.10.2 (a separate router), I can ping the outside world from a PC connected to the network.
However, the general performance of the internet is really poor.

I am using a basic RB hEX lite for testing this configuration out, but it’s just not usable. I don’t know if the packet marking has a performance impact but from the testing I have carried out so far I do not think this is going to be viable.

Just one basic question: have you disabled the action=fasttrack-connection rule in chain=forward of /ip firewall filter? Fasttracking bypasses mangling (and most other stages of packet processing in the firewall) for most of the packets belonging to the fasttracked connections, so those which evade mangling take the wrong route, and those few which don’t are sufficient to maintain the connection, but the throughput is heavily affected.

If the action=fasttrack-connection rule is not active, the reason is really that the hEX lite CPU is too weak for the purpose.

Disabling the rule won’t change anything about connections already fasttracked, so use newly established connections to test the speed after disabling the rule.
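Pulling the pieces of this thread together (sob's bridge-filter packet mark, the mark-routing/failover variant, the connection-mark variant, and the fasttrack caveat), here is an added, complete configuration as a worked example. It is not config from the thread or from MikroTik; it assumes RouterOS v6.41+ syntax (in v7 the route lines change to `routing-table=wan2` and the table must first be created with `/routing table add name=wan2 fib`), and it assumes a hypothetical layout of its own: ether1 is WAN1 with an assumed gateway 203.0.113.1, ether2 is a dedicated link to the LTE router on an assumed 192.168.20.0/30 rather than a second router sitting inside the LAN, ether3..ether5 are bridged as the LAN 192.168.10.0/24, and ether5 is the "use WAN2" port. Giving WAN2 its own port and subnet is deliberate: when the second router lives inside the LAN subnet, replies go from it straight to the client at layer 2 and never pass this router, so connection tracking only ever sees one direction and neither connection marks nor the fasttrack exclusion can work.

```routeros
# Added example, not the thread's own configuration. RouterOS v6 syntax; see the
# lead-in for the v7 differences. All addresses below are assumed/constructed.
#   ether1        WAN1 (fixed line), this router 203.0.113.2/30, gateway 203.0.113.1
#   ether2        WAN2 link to LTE router, this router 192.168.20.2/30, LTE router 192.168.20.1
#   ether3-ether5 LAN bridge, 192.168.10.0/24, this router 192.168.10.1
#   ether5        the "use WAN2" port (second access point plugs in here)
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5

/ip address
add address=203.0.113.2/30 interface=ether1
add address=192.168.20.2/30 interface=ether2
add address=192.168.10.1/24 interface=bridge1

# One DHCP server for the whole LAN; every client gets the same gateway (option 3).
/ip pool
add name=lan ranges=192.168.10.10-192.168.10.200
/ip dhcp-server
add name=lan interface=bridge1 address-pool=lan disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1

# 1. Tag every frame that enters the router from the WAN2 port. The bridge "input"
#    chain sees frames addressed to the router's own MAC, i.e. what a client sends
#    to its gateway; LAN-to-LAN traffic is switched and never reaches this rule.
/interface bridge filter
add chain=input in-interface=ether5 action=mark-packet new-packet-mark=to-wan2

# 2. Turn the per-packet mark into a connection mark once (first packet only),
#    then choose the routing table from the connection mark. Reply packets coming
#    back in on ether2 carry the same connection mark, which is what the
#    fasttrack exclusion in step 4 relies on. dst-address-type=!local keeps
#    traffic to the router itself (DNS, Winbox) out of the wan2 table.
/ip firewall mangle
add chain=prerouting in-interface=bridge1 connection-mark=no-mark packet-mark=to-wan2 \
    dst-address-type=!local action=mark-connection new-connection-mark=wan2_conn passthrough=yes
add chain=prerouting in-interface=bridge1 connection-mark=wan2_conn \
    action=mark-routing new-routing-mark=wan2 passthrough=no

# 3. Main table default = WAN1; a second default route lives in table "wan2".
#    check-gateway=ping deactivates the wan2 route when the LTE router stops
#    answering, and a lookup that finds no active route in "wan2" falls back to
#    the main table, i.e. to WAN1. That is the failover sob describes, with no
#    need to reconnect to the other port or SSID.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 comment="WAN1 default (main table)"
add dst-address=0.0.0.0/0 gateway=192.168.20.1 routing-mark=wan2 check-gateway=ping \
    comment="WAN2 default (table wan2)"

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade

# 4. Keep fasttrack for WAN1 traffic but exclude the wan2 connections. A
#    fasttracked connection bypasses mangle, so its packets would take the main
#    table route instead of wan2: some go out the wrong WAN and throughput
#    collapses, exactly the symptom reported above. The fasttrack rule must stay
#    above the generic accept rule, as in the default firewall.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related \
    connection-mark=!wan2_conn
add chain=forward action=accept connection-state=established,related
```

Two things to check after applying it: connections that were fasttracked before the filter rule changed keep their fasttrack flag, so test with fresh connections (as noted above), and `check-gateway=ping` only proves the LTE router itself is reachable, not that it has an upstream; if the LTE router stays up while its link drops, the usual refinement is a recursive route (a /32 to a public address via 192.168.20.1 with a lower scope, and the wan2 default route pointed at that address with `target-scope` set accordingly) so the ping goes beyond the first hop.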