I want to “divide” a router into two WAN<->LAN routers with some connectivity between the LANs.
The router I want to do this with is an RB4011iGS+RM because of its CPU power.
So, e.g. ports 1-5 are in one group and 6-10 are in the other group.
Port 1 WAN, ports 2-5 LAN for clients (with some switches and APs attached), can connect to the DMZ.
Port 6 WAN, ports 7-10 LAN as DMZ.
Since most of the routers have a dedicated WAN port, which is marked on the case, I am in doubt.
Like, the Hex S has port 1 as WAN and the other ports as LAN; does this mean that this is hardware, or is it just a convenience marking on the case?
Is this doable, or do I have to buy two routerboards for this (like the Hex S)?
You cannot divide routers as in making “virtual routers” like you can on some other brands, but you can easily do what you want.
There is nothing stopping you from having 2 or more WAN connections, and then having different subnets (connected to different ports) that route to different gateways.
And firewall rules that stop traffic between the two internal subnets.
WAN / LAN differentiation is only in the configuration (interface list membership). Don’t mind the print on the box, that’s just the default configuration. Any and all interfaces can be WAN or LAN.
The RB4011 is nice to split into 2 separate routers, as it has 2 switches (https://i.mt.lv/cdn/product_files/RB4011iGSplusRM_180903.png). So you make a second bridge, and configure the bridges (with IP address, DHCP server, NAT, subnet routing), each handling one switch, as 2 separate routers. You need a firewall rule to avoid routing between the 2 bridges/LANs, as RouterOS always does routing between interfaces if they are not on the same bridge. NAT and IP routes are not defined on the bridge but must be defined twice and be interface- or subnet-dependent.
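One concrete way to build what the two answers above describe: two bridges, one per switch chip, each with its own WAN port, DHCP server, NAT rule and default route, plus firewall rules so that only the client LAN may open connections into the DMZ and neither side can reach the other's WAN. This is an added example, not configuration posted by anyone in this thread, and it rests on assumptions: RouterOS v6 syntax, static WAN uplinks taken from the RFC 5737 documentation ranges (203.0.113.0/30 and 198.51.100.0/30), the private subnets 192.168.10.0/24 and 192.168.20.0/24, an upstream resolver at 203.0.113.1, and the names bridgeLAN, bridgeDMZ, via_wanA and via_wanB, all of which are invented here.

```routeros
# Added example, RouterOS v6 syntax. All names, addresses and port roles
# below are assumptions chosen for illustration, not taken from the thread.

# Two bridges, one per switch chip, so hardware offloading stays possible.
/interface bridge
add name=bridgeLAN comment="clients, ports 2-5"
add name=bridgeDMZ comment="DMZ, ports 7-10"

/interface bridge port
add bridge=bridgeLAN interface=ether2
add bridge=bridgeLAN interface=ether3
add bridge=bridgeLAN interface=ether4
add bridge=bridgeLAN interface=ether5
add bridge=bridgeDMZ interface=ether7
add bridge=bridgeDMZ interface=ether8
add bridge=bridgeDMZ interface=ether9
add bridge=bridgeDMZ interface=ether10

# "WAN" is only list membership: ether1 and ether6 are WAN because we say so.
/interface list
add name=WAN
/interface list member
add list=WAN interface=ether1
add list=WAN interface=ether6

# Addresses; the WAN uplinks are assumed static (RFC 5737 documentation ranges).
/ip address
add address=203.0.113.2/30 interface=ether1
add address=198.51.100.2/30 interface=ether6
add address=192.168.10.1/24 interface=bridgeLAN
add address=192.168.20.1/24 interface=bridgeDMZ

# One DHCP server per bridge; clients use the router as resolver.
/ip pool
add name=poolLAN ranges=192.168.10.100-192.168.10.200
add name=poolDMZ ranges=192.168.20.100-192.168.20.200
/ip dhcp-server
add name=dhcpLAN interface=bridgeLAN address-pool=poolLAN disabled=no
add name=dhcpDMZ interface=bridgeDMZ address-pool=poolDMZ disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
/ip dns
set allow-remote-requests=yes servers=203.0.113.1

# Routing: one default route per WAN, each in its own table (routing-mark),
# plus main-table defaults for the router's own traffic (WAN-B as backup).
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=via_wanA
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=via_wanB
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2

# Route rules pick the table by source subnet. The first rule keeps
# LAN<->DMZ traffic in main (connected routes) so it never leaves via a WAN.
/ip route rule
add dst-address=192.168.0.0/16 action=lookup table=main
add src-address=192.168.10.0/24 action=lookup-only-in-table table=via_wanA
add src-address=192.168.20.0/24 action=lookup-only-in-table table=via_wanB

# NAT is defined per (subnet, WAN) pair, not per bridge.
/ip firewall nat
add chain=srcnat src-address=192.168.10.0/24 out-interface=ether1 action=masquerade
add chain=srcnat src-address=192.168.20.0/24 out-interface=ether6 action=masquerade

# Filter: the router is unreachable from either WAN; LAN may open
# connections to the DMZ, the DMZ may not open connections to the LAN;
# each side reaches only its own WAN; everything else is dropped (fail closed).
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=WAN action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=bridgeLAN out-interface=bridgeDMZ action=accept
add chain=forward in-interface=bridgeDMZ out-interface=bridgeLAN action=drop
add chain=forward in-interface=bridgeLAN out-interface=ether1 action=accept
add chain=forward in-interface=bridgeDMZ out-interface=ether6 action=accept
add chain=forward action=drop
```

Two caveats. On RouterOS v7 the same idea is written differently: the tables are created explicitly with `/routing table add fib name=via_wanA`, routes reference them with `routing-table=` instead of `routing-mark=`, and the source-based selection moves from `/ip route rule` to `/routing rule`. And if you later publish services from the DMZ with dst-nat on ether6, replies from the DMZ must be forced back out ether6 with a connection mark in mangle; the source-subnet rules above only cover connections that the inside opens. After applying, `/ip route rule print` and `/ip firewall filter print` in order are the quickest check that nothing from bridgeLAN can match a rule leading to ether6, and vice versa.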
I am doing essentially what you are trying to do with an RB750Gr3 (Hex), with my normal internet on port 1, and a ham radio network as a second WAN which happens to be a VLAN on port 4. Works fine. It does require a little care in routing tables, and of course firewall rules to keep the intended traffic separated, and in my case sometimes allowed. One difference in my case is that the router is performing ZERO switch function; the router only routes. Every port on the router is connected to a CSS326 switch which is using multiple VLANs and performs all switch functions.
I am not using xvo’s suggestion to use VRF (did not know about it), but I will be doing some reading…