I would like to know whether the following configuration is possible with a hEX:
ether1 is connected to an existing 192.168.200.0 subnet
ether2-4 work as a switch for the same network, so a connected device could for example use the existing DHCP server and would then run in the 192.168.200.0 subnet
a device connected to ether5 runs inside a new 192.168.201 subnet, which is firewalled against the .200 subnet with only a few allowed ports.
You want ports ether1-ether4 switched (members of the same bridge … set the "WAN" IP setup on the bridge interface). These ports (together with the bridge interface) should be members of the WAN interface list.
Port ether5 would be a stand-alone port, a member of the LAN interface list, with the LAN IP settings set directly on this interface.
My suggestion: proceed with the following steps (in this particular order, so as not to lock yourself out of the device):
upgrade ROS (and RouterBOOT) to some recent (either stable or "long term") version
reset the device to factory defaults
disconnect the device from the WAN so as not to get hacked while you change things
connect to the device via ether2-4 using a MAC connection (winbox)
remove ether5 from the bridge
move the LAN IP config from the bridge to ether5 (that includes the IP address and DHCP server)
add ether5 to the LAN interface list (if it's not there already)
disconnect from the device and re-connect via ether5 (you'll be dealing with the rest of the config from now on and it's vital that connectivity via ether5 works at this point). You should be able to connect to the device either via IP or via LAN.
remove ether2-ether4 and the bridge from the LAN interface list
move the WAN IP setup from ether1 to the bridge interface (what exactly depends on the WAN type; the default is a DHCP client)
add ether1 to the bridge
add ports ether2-ether4 and the bridge to the WAN interface list
At this point ports ether1-ether4 are switched WAN interfaces (it doesn't matter which port connects to the ISP and which is used by other WAN-connected devices) and ether5 is your LAN.
The default firewall largely depends on proper interface list membership, and if you maintain it properly, you don't have to change firewall settings (due to changes in interface topology).
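The re-wiring part of the procedure above (everything after the upgrade, reset and MAC-connect steps), written out as RouterOS terminal commands. This is an added example, not from the original poster or from MikroTik; it assumes a hEX that has just been reset to the stock "defconf" configuration (bridge named "bridge" with ether2-ether5, 192.168.88.1/24 and DHCP server "defconf" with pool "default-dhcp" on the bridge, a DHCP client on ether1, interface lists WAN={ether1} and LAN={bridge}). Those object names vary between RouterOS versions, so verify them with `/interface list member print`, `/ip dhcp-server print` and `/ip pool print` before pasting anything. The allow rule at the end, with its 192.168.201.10 host and TCP port 22, is a placeholder for "a few allowed ports" from the question.

```routeros
# ---- Phase 1: run while connected through ether2-ether4 (MAC/winbox) ----
# The bridge is still in the LAN list here, so the MAC connection keeps working.

# Detach ether5 from the bridge; it becomes the stand-alone LAN port.
/interface bridge port remove [find interface=ether5]

# Move the LAN address from the bridge to ether5 and renumber to 192.168.201.0/24.
/ip address set [find interface=bridge] address=192.168.201.1/24 interface=ether5

# Re-point the default DHCP pool, server and network at the new subnet/port
# (names "default-dhcp" / "defconf" and the 192.168.88.0/24 network are defconf
# assumptions; adjust if your version names them differently).
/ip pool set [find name=default-dhcp] ranges=192.168.201.10-192.168.201.254
/ip dhcp-server set [find name=defconf] interface=ether5
/ip dhcp-server network set [find address=192.168.88.0/24] address=192.168.201.0/24 \
    gateway=192.168.201.1 dns-server=192.168.201.1

# ether5 must be in the LAN list before you move your cable to it.
/interface list member add list=LAN interface=ether5

# >>> STOP. Move your PC to ether5, confirm you reach 192.168.201.1 (IP or MAC),
# >>> and only then run Phase 2. After Phase 2 the bridge is a WAN interface and
# >>> the default firewall will drop management traffic arriving on it.

# ---- Phase 2: run while connected through ether5 ----
# LAN list = ether5 only (drops the bridge and any ether2-ether4 entries).
/interface list member remove [find list=LAN interface!=ether5]

# WAN IP setup moves from ether1 to the bridge (defconf uses a DHCP client;
# a static address or PPPoE would be moved the same way on its own menu).
/ip dhcp-client set [find interface=ether1] interface=bridge

# ether1 joins the switch group, and ether2-ether4 plus the bridge become WAN.
/interface bridge port add bridge=bridge interface=ether1
/interface list member add list=WAN interface=bridge
/interface list member add list=WAN interface=ether2
/interface list member add list=WAN interface=ether3
/interface list member add list=WAN interface=ether4

# ---- Optional: the "few allowed ports" from the question ----
# The defconf forward chain drops new connections from WAN that were not
# dst-natted, so 192.168.200.0/24 cannot reach 192.168.201.0/24 by default.
# Insert explicit accepts ahead of that drop rule. Placeholder host and port;
# the comment string matched by place-before is the defconf rule comment and
# must exist, otherwise the add fails.
/ip firewall filter add chain=forward action=accept connection-state=new \
    in-interface-list=WAN out-interface-list=LAN protocol=tcp \
    dst-address=192.168.201.10 dst-port=22 comment="allow ssh from .200 side" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
```

Two practical notes. First, run Phase 2 inside safe mode (Ctrl+X in the terminal, or the Safe Mode button in winbox): if the ether5 session drops before you leave safe mode, the router rolls the changes back instead of leaving you locked out. Second, the defconf masquerade rule on the WAN list means devices on ether5 reach the .200 network as the hEX's own .200 address, but hosts on the .200 side that should initiate connections into 192.168.201.0/24 (through the accept rule above) also need a route for that subnet pointing at the hEX's .200 address, since the existing router knows nothing about it; the alternative is a dst-nat rule on the hEX instead of a plain accept.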