heX with VLANs and trunk to a Router on a Stick (a transparent proxy) with PBR

I’m trying to set up a rather unusual configuration on my heX (RB750Gr3):

[internet] - [DSL Router] - [heX :1]
                            [heX :2] - untagged - [PC]
                            [heX :3] -
                            [heX :4] - vlan 10 - [trunk] - [eth0.10 transparent Proxy]
                            [heX :5] - vlan 20 - [trunk] - [eth0.20 transparent Proxy]

On the heX I need a PBR rule which redirects all TCP traffic to dst. ports 80 and 443 from port 2 to the transparent proxy (to its eth0.10 interface), which is a “router on a stick”: a PC with only one NIC and two VLANs. The HTTP/HTTPS traffic is processed on the transparent proxy and sent back using the eth0.20 interface.

I found a configuration example with an additional switch, but I wonder if it can be done with the heX alone.

It can be done.

  • the “router on a stick” (let’s call it the proxy) with its two VLANs should actually be connected to only one ether port on the hEX. Let’s say it’ll be ether5
  • by default the hEX has a bridge with all ports but ether1 as members. You should remove ether5 from that bridge
  • configure VLAN interfaces on ether5:
/interface vlan
add interface=ether5 name=e5v10 vlan-id=10
add interface=ether5 name=e5v20 vlan-id=20
  • configure IP addresses for both VLANs:
/ip address
add interface=e5v10 address=<router VLAN10 address>/24
add interface=e5v20 address=<router VLAN20 address>/24
  • ideally both of the proxy’s IP addresses will be in different subnets, both different from the “normal” LAN subnet.
    You can use smaller subnets for the proxy’s interfaces if you want (I don’t see any benefit in doing so, though; there are enough “standard sized” private subnets available)
  • after that you construct the firewall filter/nat/mangle rules using IP addresses (of the client PC, both of the proxy’s addresses, …)
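
The steps above put together as one complete hEX configuration, as an added example that is not from the thread or from either poster. It assumes things the thread does not state: RouterOS v6 syntax and a default config whose bridge is named "bridge" and whose LAN is 192.168.88.0/24 with the PC at 192.168.88.10; 10.10.10.1/24 and 10.10.20.1/24 for the hEX on VLAN 10 and VLAN 20; and 10.10.10.2 (eth0.10) and 10.10.20.2 (eth0.20) on the proxy. The PBR is done with a connection mark plus a routing mark and a marked default route, and the connection mark is also used to keep FastTrack from bypassing mangle.

```routeros
# Added example (not from the thread). Assumed names and addresses, see the lead-in:
# bridge "bridge", LAN 192.168.88.0/24, PC 192.168.88.10,
# hEX 10.10.10.1 on VLAN 10 and 10.10.20.1 on VLAN 20,
# proxy 10.10.10.2 on eth0.10 and 10.10.20.2 on eth0.20. RouterOS v6 syntax.

# 1. take ether5 out of the default bridge so it becomes a routed trunk port
/interface bridge port
remove [find interface=ether5]

# 2. the two VLAN sub-interfaces on the trunk
/interface vlan
add interface=ether5 name=e5v10 vlan-id=10
add interface=ether5 name=e5v20 vlan-id=20

# 3. router-side addresses, one subnet per VLAN, both distinct from the LAN subnet
/ip address
add interface=e5v10 address=10.10.10.1/24
add interface=e5v20 address=10.10.20.1/24

# 4. tag new web connections from the PC and give every packet of those connections a
#    routing mark. in-interface=bridge means packets coming back from the proxy on e5v20
#    never match, so there is no loop; dst-address-type=!local keeps the hEX's own
#    WebFig/API reachable from the PC instead of sending it to the proxy
/ip firewall mangle
add chain=prerouting in-interface=bridge src-address=192.168.88.10 protocol=tcp \
    dst-port=80,443 dst-address-type=!local connection-state=new \
    action=mark-connection new-connection-mark=proxied passthrough=yes \
    comment="tag new web connections from the PC"
add chain=prerouting in-interface=bridge connection-mark=proxied \
    action=mark-routing new-routing-mark=to-proxy passthrough=no \
    comment="PC -> proxy eth0.10"

# 5. FastTrack (on by default) lets established packets skip mangle, which would send the
#    rest of each proxied connection straight to the DSL router; exclude marked connections
/ip firewall filter
set [find action=fasttrack-connection] connection-mark=!proxied

# 6. policy route: marked packets go to the proxy's VLAN 10 address instead of the DSL router
#    (RouterOS v7: first "/routing table add name=to-proxy fib", then use
#    routing-table=to-proxy instead of routing-mark=to-proxy)
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.2 routing-mark=to-proxy distance=1

# 7. the proxy's outbound side on VLAN 20 reaches the internet like any LAN client
#    (redundant if your default masquerade rule already uses out-interface-list=WAN)
/ip firewall nat
add chain=srcnat out-interface=ether1 src-address=10.10.20.0/24 action=masquerade
```

Check it from the PC with a plain HTTP request and watch the counters with `/ip firewall mangle print stats`; both rules must count, and the route must show as active in `/ip route print where routing-mark=to-proxy`. One caveat: this assumes the proxy NATs its upstream connections to its own 10.10.20.2 address (Squid "intercept" style). If the proxy instead preserves the PC's source IP toward the internet (TPROXY style), the replies arriving on ether1 are addressed to the PC and the hEX would route them straight to the bridge, bypassing the proxy; in that case the reply direction needs its own routing mark pointing at 10.10.20.2 as well.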

Thank you, it worked!