Internet sharing in a VLAN

Hi,

I have a CRS125 which is segregating my LAN into several VLANs and sharing an internet connection (with NAT) for those. I would like to have an internet connection in a VLAN to share with some devices directly (without NAT). What I have tested so far is:

Option 1: Set up a VLAN interface. Assigned the VLAN for switch-cpu and the port which is connected to my internet provider. Made ingress VLAN tagging for the internet port. The VLAN interface had a DHCP client and was masquerading all LAN traffic to the internet. This was working, but performance was really poor. I was able to achieve only 0.2Mbit/s bandwidth from my full 250Mbit/s connection.

Option 2: Had 2 physical ports connected to the internet provider. Port 1 was for normal internet traffic (NAT etc.) and Port 2 was connected to a VLAN (with ingress VLAN tagging). This was also working; I was able to spread a pure L2 level internet connection to my LAN devices. However, there were probably some ARP problems, since both ports were connected to the same gateway device of my internet provider. This caused disturbances in both connections.

I don’t know what the issue with Option 1 was. I didn’t find any logical reason for it. How should I proceed - any ideas?

  1. I don’t get how your Option 1 differs from the previous state (where there is NAT between the VLAN uplink and any other device, so only the CRS itself has an address from the ISP).
  2. CRS are primarily switches with some weak routing capability, but 0.2 Mbit/s cannot be explained by weak CPU unless something else was wrong there - otherwise the results would have had to be equally poor in the previous state.
  3. There is nothing wrong about having one VLAN for the internet uplink and have multiple devices with DHCP clients connected to that VLAN via other ports of the CRS if the ISP is mentally ready to give you multiple IPs on that link. But I didn’t get the remark regarding “both ports being connected to the uplink” - what I assume is that both these ports are made access ports to the WAN VLAN, one of them is connected to the ISP gear, and to the other one the external client device is connected. So no loops, no ARP problems.

So post drawings of current state, Option 1 and Option 2 (a photo of a handmade one is sufficient), maybe it will explain Option 1 and Option 2 clearer than the text description.