Do I lose port 1 on RB450G/RB850Gx2 if it is used as master for the 2-5 switch group?

Hi,

do I lose port 1 on RB450G/RB850Gx2 if it is used as master for the 2-5 switch group? Can I use port 1 as uplink?

I have 4 servers x 2 NICs each = 8 ports; 4 ports will be visible to the internet behind a firewall, and 4 ports should be in a subnet to be connected to another location, with switching between those 4 ports.

So there are 2 scenarios:

  1. need to bridge 2 locations: each has 4 servers; can I use a pair of RB450G/RB850Gx2 to bridge those locations?

  2. need a transparent firewall for 4 servers; this means 1 port will be uplink and 4 servers should be transparent to the internet.

Can I combine both cases using, for example, RB2011iL-RM or RB1100AHx2? In this case I have only one uplink and need a 4-port transparent firewall with a switch between them, and 4 ports for router bridge and switch together.

Regards,
Edgar

If you set port 1 as the master port for 2-5 then they will basically operate as a 5 port switch. What type of firewalling are you trying to do? You will get wirespeed if you use the master-port setting, but firewalling will be heavily restricted (e.g. mostly all of it won’t work) since when using master port the switch chip is handling the data and the main CPU never sees the packets. If you really need a firewall you should figure out what features you need… you can do some on the switch chip if that works enough for what you need… you could also use master-port 2 for 3-5 and then bridge it with port 1 and use the bridge filter if that will cover your firewall needs… You can also use the ip-filter feature on the bridge settings if you need even more filtering using the bridge.

Also… look at

Looking at this you can see that if you set “switch all ports” then all 5 ports run through the switch chip… if not 2-5 go to the chip and 1 goes direct to the CPU.

Thank you for the answer,
I need a general purpose firewall for public servers; of course the Linux firewall on the server will be enabled as well, but I have the firewall option on the router board, so why not use them both?

I also have read this:
http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features

and there is following: “Interfaces for which the ‘master’ port is specified become inactive - no traffic is received on them and no traffic can be sent out.”

so I wonder if I have 4 servers and one uplink + one master port where the router CPU is communicating to the switch: this is 6 ports together!!!

I don’t understand, if I need 1 port for communication between router and switch, then this means I can’t connect a server to that port anymore, correct?

for example if I need to bridge 2 locations with a switch between 4 servers on each side, is this going to work? Of course I can bridge everything, but in this case there will be no switching between servers…

sorry for the inconvenience, I need a firewall or router between the uplink and 4 servers which should be switched together.

It just depends what you need. That section of the manual is poorly worded. Basically what they are trying to say is that if you set the ports 2-5 to master-port ether1 then you should no longer reference ether2-ether5 anywhere on the config. So if you have a DHCP server… you would put it on ether1 and not ether2. Does that make sense? What it really means is that when you set the master port you basically remove that port from the usable pool… from the CPU perspective ether2-ether5 set to master port ether1 means you have a SINGLE ether1 port that is connected to a switch…

Does that make sense? If you want to firewall them you can either use the switch rules… if that covers your needs, or what is more likely going to work is to bridge ether1 and ether2 and then set ether3-5 to ether2 master port… then use the bridge filters or the ip filters (with bridge setting use ip filter enabled)…

Just realize that doing that will cause ALL traffic from ether1 to ether2-ether5 to traverse the main CPU. Thus it won’t be wirespeed any more.
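The bridge-plus-master-port layout described in the answer above, written out as an added RouterOS v6 (pre-6.41, master-port era) configuration example; it is not from this thread or from MikroTik's documentation, and the bridge name and the service ports in the filter rules are assumptions:

```routeros
# Added example, not from the thread. Assumed: RouterOS v6.x before 6.41,
# bridge name "bridge1", and illustrative sample rules (port numbers assumed).

# 1. ether3-ether5 join the switch group whose CPU-facing port is ether2.
#    From here on, ether3-ether5 are not referenced anywhere else in the config.
/interface ethernet
set ether3 master-port=ether2
set ether4 master-port=ether2
set ether5 master-port=ether2

# 2. Bridge the uplink (ether1) with the switch group's master port (ether2).
#    Every frame between ether1 and the servers now crosses the main CPU,
#    so this path is no longer wire speed (the caveat the answer gives).
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2

# 3. Let bridged traffic be inspected by /ip firewall (transparent firewall).
/interface bridge settings
set use-ip-firewall=yes

# 4. Sample layer-3 rules for the bridged traffic. in-bridge-port identifies
#    which side a packet entered on; ether2 stands for all four server ports.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-bridge-port=ether1 out-bridge-port=ether2 protocol=tcp \
    dst-port=80,443 action=accept comment="assumed public services on the servers"
add chain=forward in-bridge-port=ether1 out-bridge-port=ether2 action=drop \
    comment="drop all other new connections arriving from the uplink"

# Alternative from the same answer: layer-2 filtering inside the bridge itself,
# which works without use-ip-firewall (sample rule, port number assumed).
/interface bridge filter
add chain=forward in-interface=ether1 mac-protocol=ip ip-protocol=tcp \
    dst-port=22 action=drop comment="no SSH to the servers from the uplink"
```

A server plugged directly into ether2 is handled exactly like one on ether3-ether5, since ether2 is the switch group's port as seen from the CPU.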

correct, I want exactly “bridge ether1 and ether2 and the set ether3-5 to ether2 master port… then use the bridge filters or the ip filters”, and the question is: can I plug something like a server into the master port ether2? Or do only ports ether3-5 remain usable?

You will use ports ether01 and ether02 whenever you reference anything inside of routeros (e.g. firewall rules, etc)…

Anything you plug into ether02, ether03, ether04, and ether05 will operate as if it was plugged into a switch that is plugged into the routeros CPU via port “ether02”…

Make sense?

yes, thanks

No problem. The wiki page on this topic isn’t exactly the clearest…