"multiport vlans" or bridged interfaces?

Howdy! I’m coming from the OpenWRT world, so my understanding of vlans might be completely broken. From the OpenWRT docs:

> For instance, if you wish to have 3 vlans, like one 3-port switch, 1 port in a DMZ, and another one as your WAN interface, use the following configuration:
>
> ```text
> config switch "eth0"
>     option vlan0 "1 2 3 5*"
>     option vlan1 "0 5"
>     option vlan2 "4 5"
> ```
>
> Three interfaces will be automatically created using this switch layout: eth0.0 (vlan0), eth0.1 (vlan1) and eth0.2 (vlan2). You can then assign those interfaces to a custom network configuration name like lan, wan or dmz for instance.

I wish to do something similar with the RouterBoard 750.  I notice from the VLAN docs (and from experimentation) you can only have one port in a vlan, thus making an exact duplication of the above impossible.

Basically, I just wish to have three segments: WAN (external internet connection), LAN (local network), and DMZ (externally facing servers).

What is the best way?

Initially I was thinking two master ether interfaces with one slave each, but then it bounced me back saying only one master is allowed.  Then I thought about doing something like this:

```text
 #    NAME                   MTU   MAC-ADDRESS       ARP        MASTER-PORT                 SWITCH
 0 R  ether1-gateway         1500  00:0C:42:5A:03:22 enabled
 1 R  ether2-local-master    1500  00:0C:42:5A:03:23 enabled    none                        switch1
 2  S ether3-local-slave     1500  00:0C:42:5A:03:24 enabled    ether2-local-master         switch1
 3  S ether4-local-slave     1500  00:0C:42:5A:03:25 enabled    ether2-local-master         switch1
 4    ether5-dmz             1500  00:0C:42:5A:03:26 enabled    none                        switch1
```

And then assign ether5 the same IP as ether1, and do ARP proxying (this is similar to how I’m doing it now).

Also, I thought I might set ether2-5 to master-port=none and then make port 2 and 3 part of bridge1, and 4 and 5 part of bridge2, and then route between them as needed, NAT bridge1 to ether1 (WAN), etc. This seems to be closer to the idea of the OpenWRT “vlans” above.

Suggestions? You can probably tell routing isn’t my strong suit… but I’ve managed to get this far. :)

Oh: another question. Any utility for translating shorewall rules to RouterOS rules? :)
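The two-bridge layout described in the post above, written out as an added example that is not part of the original thread. It assumes a RouterOS version that still has the `master-port` setting shown in the interface listing; the interface and bridge names come from the post, while the subnets (192.168.88.0/24 for LAN, 192.168.89.0/24 for DMZ) and the forward-chain policy are assumptions.

```routeros
# Added example; addresses and filter policy are assumptions, not from the thread.

# 1. Remove the ports from the switch group so each is an independent interface
/interface ethernet set ether2-local-master master-port=none
/interface ethernet set ether3-local-slave master-port=none
/interface ethernet set ether4-local-slave master-port=none
/interface ethernet set ether5-dmz master-port=none

# 2. Group the ports: bridge1 = LAN (ports 2 and 3), bridge2 = DMZ (ports 4 and 5)
/interface bridge add name=bridge1 comment="LAN"
/interface bridge add name=bridge2 comment="DMZ"
/interface bridge port add bridge=bridge1 interface=ether2-local-master
/interface bridge port add bridge=bridge1 interface=ether3-local-slave
/interface bridge port add bridge=bridge2 interface=ether4-local-slave
/interface bridge port add bridge=bridge2 interface=ether5-dmz

# 3. Each bridge is a routed segment with its own gateway address
/ip address add address=192.168.88.1/24 interface=bridge1
/ip address add address=192.168.89.1/24 interface=bridge2

# 4. NAT both internal segments out of the WAN port
/ip firewall nat add chain=srcnat out-interface=ether1-gateway action=masquerade

# 5. Forward policy: the bridges are now the "addressable groups" for rules
#    Replies to connections that were already allowed
/ip firewall filter add chain=forward connection-state=established action=accept
/ip firewall filter add chain=forward connection-state=related action=accept
#    LAN may open connections to the DMZ and to the internet
/ip firewall filter add chain=forward in-interface=bridge1 action=accept
#    DMZ may reach the internet but may never open connections into the LAN
/ip firewall filter add chain=forward in-interface=bridge2 out-interface=bridge1 action=drop
/ip firewall filter add chain=forward in-interface=bridge2 out-interface=ether1-gateway action=accept
#    Everything else is dropped, including unsolicited WAN traffic; a published
#    DMZ service needs its own dst-nat rule plus an accept rule above this line
/ip firewall filter add chain=forward action=drop
```

Rule order matters: the DMZ-to-LAN drop must sit above any broader accept for `bridge2`, otherwise a compromised DMZ host can reach the LAN.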

Not sure I understand exactly what you want to achieve. Are you trying to use the 750 as a switch, tagging a number of VLANs on the wan interface? If so, just add the VLANs you need with the wan port as the interface. Then create one bridge for the LAN, one bridge for the DMZ and add the corresponding VLAN to the bridge, along with the physical LAN and DMZ interfaces.

Well, I want to use it as a router, but grouping the ports. In other words, I want to put ports into addressable groups for the purpose of firewall rules, router rules, etc. I guess I’ll just have one local lan port and one dmz port, and route manually.

I have more questions about this, but I’ll post under another subject.