Forward multiple WANs inside LAN with VLANs

Hello,

I have one hEX router that is connected to two ISP routers, one in ether1 (with IP 10.250.10.x/24) and the other in ether5 (with IP 10.251.10.x/24). I have to forward this traffic and IPs to a switch that is configured to receive vlan10, 20 and 30 in port 1 of the switch and through ether4 of the router.

The hEX should also give IP 10.252.10.x/24 in vlan30 with a DHCP server. All the ports are bridged (eth1 to eth5). I don't have to make the links redundant or load balanced.

I have tried setting static IPs for interfaces ether1 and ether5, and tagging the bridge, ether1 and ether4, the same for ether5. I could forward one IP (10.250.10.x) all the way to the switch with vlan 1 but not after configuring the VLANs.

Thank you.

Your description is pretty confusing to be honest. Normally I’d say you just need to make the hEX a bridge that has ether1 as an access port to VLAN 10, ether5 as an access port to VLAN 20, and ether4 as a trunk where VLANs 10, 20, and 30 are all tagged, and you need to create an /interface vlan for VLAN 30 and attach an IP address and DHCP server to it (it is not possible to have a DHCP server without its own address). But in such a scenario, there is no need to assign addresses from 10.250.10.0/24 and 10.251.10.0/24 to the hEX itself - there must be some other router connected to VLANs 10 and 20 somewhere beyond that other switch where these addresses live.

Concur, confusing explanation is an understatement… Need at least a detailed diagram to sort out context.
Impossible to define requirements… and thus OP should
a. identify all users/devices ( internal/externals and admin)
b. identify all traffic they require

Thank you for your replies. I’m sorry for the confusion, I’ll try to make it clear. I have followed the steps Cindy suggested.
Bridge configuration

Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, HORIZON
#   INTERFACE  BRIDGE      HW   PVID  PRIORITY  HORIZON
;;; defconf
0   ether2     LAN-Switch  yes     1  0x80      none   
;;; defconf
1 I ether3     LAN-Switch  yes     1  0x80      none   
;;; defconf
2 I ether4     LAN-Switch  yes     1  0x80      none   
;;; defconf
3 I ether5     LAN-Switch  yes     1  0x80      none   
4 I ether1     LAN-Switch  yes     1  0x80      none

VLANs in the bridge

Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
#   BRIDGE      VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
;;; added by pvid
0 D LAN-Switch         1                  LAN-Switch      
                                          ether2          
1   LAN-Switch        10   ether1, ether4                               
2   LAN-Switch        20   ether5, ether4                               
3   LAN-Switch        30  LAN-Switch, ether4

VLANs in interfaces

Columns: NAME, MTU, ARP, VLAN-ID, INTERFACE
#   NAME     MTU  ARP      VLAN-ID  INTERFACE 
0   vlan10  1500  enabled       10  ether1    
1   vlan20  1500  enabled       20  ether5    
2 R vlan30  1500  enabled       30  LAN-Switch

I have configured a DHCP server that gives the IP 10.252.10.1/24 in R3.

After I connect a device to a port where I have vlan10 untagged in the switch, it gets no IP; where I have vlan30 or 1 tagged, it gets the vlan30 IP or the bridge IP.

I have attached a simple view of the topology.

Thanks again.

That’s not what I had in mind.

Remove the two /interface vlan named vlan10 and vlan20, these are IP interfaces allowing the router part of the hEX itself to access those VLANs which according to your drawing is not necessary.

Under /interface bridge port, change the pvid for ether1 and ether5 to 10 and 20, respectively.

Thank you, I have removed the VLANs in the interface as you suggested and added them in the bridge.

Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, HORIZON
#   INTERFACE  BRIDGE      HW   PVID  PRIORITY  HORIZON
;;; defconf
0   ether2     LAN-Switch  yes     1  0x80      none   
;;; defconf
1 I ether3     LAN-Switch  yes     1  0x80      none   
;;; defconf
2   ether4     LAN-Switch  yes     1  0x80      none   
;;; defconf
3 I ether5     LAN-Switch  yes    20  0x80      none   
4   ether1     LAN-Switch  yes    10  0x80      none



#   NAME     MTU  ARP      VLAN-ID  INTERFACE 
0 R vlan30  1500  enabled       30  LAN-Switch

I have tagged on vlan10 ether1 (where I get the IP 10.250.x.x) and ether4 (connection to switch). It is still not able to receive an IP from the ISP1 router.

Here's most of the config:

/interface bridge
add admin-mac=D4:03:C4:CC:FD:20 auto-mac=no comment=defconf name=LAN-Switch \
    vlan-filtering=yes
/interface vlan
add interface=LAN-Switch name=vlan30 vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp_pool1 ranges=10.10.10.2-10.10.10.254
add name=dhcp_pool2 ranges=10.252.10.51-10.252.10.250
/interface bridge port
add bridge=LAN-Switch comment=defconf interface=ether2
add bridge=LAN-Switch comment=defconf interface=ether3
add bridge=LAN-Switch comment=defconf interface=ether4
add bridge=LAN-Switch comment=defconf interface=ether5 pvid=20
add bridge=LAN-Switch interface=ether1 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=strict tcp-syncookies=yes
/interface bridge vlan
add bridge=LAN-Switch tagged=ether1,ether4 vlan-ids=10
add bridge=LAN-Switch tagged=ether5,ether4 vlan-ids=20
add bridge=LAN-Switch tagged=LAN-Switch,ether4 vlan-ids=30
/interface list member
add comment=defconf interface=LAN-Switch list=LAN
add interface=ether1 list=WAN
/ip address
add address=10.10.10.1/24 interface=LAN-Switch network=10.10.10.0
add address=10.252.10.1/24 interface=vlan30 network=10.252.10.0
/ip cloud
set update-time=no
/ip dhcp-server
add address-pool=dhcp_pool1 interface=LAN-Switch name=dhcp1
add address-pool=dhcp_pool10 interface=vlan30 name=dhcp2
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.252.10.0/24 gateway=10.252.10.1

I have to deploy this system on Wednesday. Thank you.

Where is your DHCP client?

Your descriptions are still confusing, what does “I have tagged on vlan10 ether1” mean? If R1 does not send and expect VLAN-tagged frames with VID 10, you need ether1 on the hEX to be an access port to VLAN 10; to do that, it is not enough to set pvid under /interface bridge port to 10 but you must also remove ether1 from the tagged list for vlan-ids=10 under /interface bridge vlan.
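
An added example, not part of any post in this thread: a small Python check for the mistake described in the reply above, where a port has its pvid set to a VLAN but is still listed under tagged for that same VLAN in /interface bridge vlan, so it is not an access port. The sample input is the bridge rows from the thread's two exports; the function names are hypothetical.

```python
import re

# Constructed sample input: the bridge port / bridge vlan rows taken from
# the two exports in this thread (before and after the fix).
BEFORE = """\
/interface bridge port
add bridge=LAN-Switch comment=defconf interface=ether4
add bridge=LAN-Switch comment=defconf interface=ether5 pvid=20
add bridge=LAN-Switch interface=ether1 pvid=10
/interface bridge vlan
add bridge=LAN-Switch tagged=ether1,ether4 vlan-ids=10
add bridge=LAN-Switch tagged=ether5,ether4 vlan-ids=20
add bridge=LAN-Switch tagged=LAN-Switch,ether4 vlan-ids=30
"""
AFTER = (BEFORE.replace("tagged=ether1,ether4", "tagged=ether4")
               .replace("tagged=ether5,ether4", "tagged=ether4"))

def parse_export(text):
    """Return ({port: pvid}, {vlan_id: set of tagged ports}) from export text."""
    pvid, tagged, section = {}, {}, None
    # Join lines that the export continued with a trailing backslash.
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
            continue
        if not line.startswith("add "):
            continue
        kv = dict(re.findall(r"([\w-]+)=(\S+)", line))
        if section == "/interface bridge port":
            pvid[kv["interface"]] = int(kv.get("pvid", 1))  # pvid defaults to 1
        elif section == "/interface bridge vlan":
            ports = set(filter(None, kv.get("tagged", "").split(",")))
            for item in kv["vlan-ids"].split(","):
                lo, _, hi = item.partition("-")  # single id or a lo-hi range
                for vid in range(int(lo), int(hi or lo) + 1):
                    tagged.setdefault(vid, set()).update(ports)
    return pvid, tagged

def pvid_tagged_conflicts(text):
    """Ports listed as tagged in their own pvid VLAN (not access ports)."""
    pvid, tagged = parse_export(text)
    return sorted((port, vid) for port, vid in pvid.items()
                  if port in tagged.get(vid, set()))

if __name__ == "__main__":
    print("before:", pvid_tagged_conflicts(BEFORE))
    print("after: ", pvid_tagged_conflicts(AFTER))
```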

Impossible to define requirements… and thus OP should
a. identify all users/devices ( internal/externals and admin)
b. identify all traffic they require

without referring to any config speak.
Also details on your WANs separately
How many. Public or private IP, static or dynamic,
Detail which wan is primary and which one is secondary, or are you aiming for load balancing between the two.
Or perhaps most out one WAN and some user out the other WAN only.

Yeah, that seems to be it, now it's fully functional, I get IPs to my switch from R1 and R2. Thank you very much sindy. Here's the final config:

/interface bridge port
add bridge=LAN-Switch comment=defconf interface=ether2
add bridge=LAN-Switch comment=defconf interface=ether3
add bridge=LAN-Switch comment=defconf interface=ether4
add bridge=LAN-Switch comment=defconf interface=ether5 pvid=20
add bridge=LAN-Switch interface=ether1 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=LAN-Switch tagged=ether4 vlan-ids=10
add bridge=LAN-Switch tagged=ether4 vlan-ids=20
add bridge=LAN-Switch tagged=LAN-Switch,ether4 vlan-ids=30
/interface list member
add comment=defconf interface=LAN-Switch list=LAN
add interface=ether1 list=WAN
/ip address
add address=10.10.10.1/24 interface=LAN-Switch network=10.10.10.0
add address=10.252.10.1/24 interface=vlan30 network=10.252.10.0

Thank you again. Solved.