New CRS125 -- basic questions about switching vs routing

Good evening all…

I just received my new CRS125. I hate to admit it… I’ve got my two 1100AHs, and they work great, but this is the first switch/router unit I’ve had where I need to use the switch and router parts, and I’m stumped. So, some basic questions:

Assume the 1100s are doing their routing work, but one of the LAN ports on the 1100 goes around to various VLAN-capable switches including this CRS. If I leave it as a switch, I get it – but:

  1. What is the master port for? (Port 1). I assume that’s what I’d think of as a port “outside” of the switch which is purely IP and used, for example, for management?
  2. If I wanted to have say, 8 ports as routable ports, and 16 ports as a switch, do I need to run TWO cables, one to a routable port and one to a switch port? Or, do I just leave everything as a switch and trust routing to work at layer 3?
  3. I’m looking to set up a guest Wi-Fi network on wlan0, complete with DHCP and firewall rules, and use the rest of the unit as a switch. Any ideas?

1) The master-port is how you configure the switch settings. So for example if you have 24 ports all with the master port set to none… then all of the ports will operate independently.

If on the other hand you set all of the ports (2 to 24 + SFP) to master-port ether1 then the whole thing will operate as a switch.

You can do anything you want between those two…

E.g. if you wanted to use it as a home router you could set ports 3 to 24 + SFP to master port = ether2 and then leave ether1 with master-port none.

Does that make sense? Think of it similarly to a bridge except that the processing happens on the switch chip instead of in the main CPU.

2/3) What exactly would you like to do? Do you have a diagram? To answer you bluntly: NO… you shouldn’t have to run two cables to the same switch from any given item (unless you're bonding interfaces, which also has some bugs and limitations on the CRS currently - not sure when this will be fixed).

For 3 do you want to have ether1 be the gateway port?..

Right now there are some bugs with the CRS switch chip which should be fixed in 6.12 or 6.13. That limits the switch chip a little bit.




-Eric

In a perfect world, I want to do this:

Inter— RB1100AH ----- CRS24------
Main Router |||| |
switch wlan0

Assume the RB1100 has static WAN addresses and NATs all of its internal LAN ports. The LAN side of the IPs are on the subnet 10.0.0.0/16. I have a series of non-switched interfaces on the 1100. Ex:

P1 WAN-Cable
P2 WAN-DSL
P3 DMZ
P4 Test
P5 LAN


Each has its own IP ranges subnets etc. So on P5, everything beyond it is internal LAN on 10.0.0.0/16. That goes through a series of switches today. Now one of those switches will be the CRS-24. I’d like to have the LAN ports divided as follows:

P1-P12 switched ports bridged to the incoming LAN. Any can be a master port
P13-P24 Individual ports that either have tunnels from the RB1100 or are NATed routed on to the 10 space.
wlan0 A separate interface, with its own DHCP server to serve guest wireless clients who will be NATed into either LAN space or tunneled back to the RB1100 as a protected guest network.

So if I follow, I can do the following:

CCR-lan-bridge is a bridge I create. Can I give the bridge an IP and treat it as master?
CCR-P1-P12 are added to lan-bridge
CCR-P13-P24 are left as individual interfaces
CCR-wlan0 is an individual interface
DHCP servers and CCR-wlan0
Use firewall rules to masquerade traffic from CCR-wlan0 to CCR-lan-bridge
Use firewall rules to make sure that anything coming from CCR-wlan0 can only go to default

I’d personally set it up with VLANs since otherwise you will be double natting… Basically what I would do is create as many VLANs as you want on the 1100… trunk that over to port 1 on the CRS… set ports 2 to 12 to master off of port 1… then set it up so the vlans break out to the individual interfaces… e.g. vlan10 to P13.. etc…

Right now you’ll have to do it with bridges if you want it done securely.. if not we can do it with the switch chip…

Want me to make an example of the important parts of the config?

Your CRS has wireless, I assume (e.g. that's wlan0).

-Eric

Wish I could use VLANs, but not every switch in this environment is really VLAN friendly. I just removed them for the sake of the discussion, so I really have no choice but to double NAT at the moment…

Alright then… just do the same thing… except instead of VLANs just make rules to NAT the appropriate traffic.
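
A sketch of the double-NAT guest setup this thread converges on, added here as an example and not taken from any poster's configuration. The CRS address 10.0.0.2/16, the gateway 10.0.0.1, the guest subnet 192.168.100.0/24 and the interface name wlan1 (the thread's "wlan0") are assumptions.

```routeros
# RouterOS v6 syntax (master-port era). All addresses and names below are
# assumptions for illustration: CRS LAN address 10.0.0.2/16, RB1100 LAN
# gateway 10.0.0.1, guest subnet 192.168.100.0/24, wireless interface wlan1.

# Ports 2-12 hardware-switched to ether1, the uplink to the RB1100 LAN port
:for i from=2 to=12 do={
  /interface ethernet set [find name=("ether" . $i)] master-port=ether1
}
/ip address add address=10.0.0.2/16 interface=ether1
/ip route add gateway=10.0.0.1

# Guest Wi-Fi: own subnet and DHCP, no client-to-client forwarding
/interface wireless set wlan1 default-forwarding=no
/ip address add address=192.168.100.1/24 interface=wlan1
/ip pool add name=guest-pool ranges=192.168.100.10-192.168.100.200
/ip dhcp-server add name=guest-dhcp interface=wlan1 address-pool=guest-pool disabled=no
/ip dhcp-server network add address=192.168.100.0/24 gateway=192.168.100.1 dns-server=192.168.100.1
# The CRS resolves for guests, so they never need to reach a LAN resolver
/ip dns set servers=10.0.0.1 allow-remote-requests=yes

# Double NAT: guests leave via ether1 hidden behind 10.0.0.2
/ip firewall nat add chain=srcnat src-address=192.168.100.0/24 out-interface=ether1 action=masquerade

/ip firewall filter
# Return traffic for connections that were already allowed
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
# Guests may not open connections to anything on the internal LAN
add chain=forward in-interface=wlan1 dst-address=10.0.0.0/16 action=drop comment="guest: no LAN hosts"
# Everything else from guests may only leave through the uplink
add chain=forward in-interface=wlan1 out-interface=ether1 action=accept comment="guest: default route only"
add chain=forward in-interface=wlan1 action=drop comment="guest: nothing else"
# Guests reach the CRS itself only for DNS and DHCP, not for management
add chain=input in-interface=wlan1 protocol=udp dst-port=53,67 action=accept
add chain=input in-interface=wlan1 protocol=tcp dst-port=53 action=accept
add chain=input in-interface=wlan1 action=drop comment="guest: no router access"
```

Because guests are masqueraded behind the CRS's LAN address, the RB1100 cannot tell them apart from an ordinary LAN host, so isolation has to be enforced on the CRS. Any other internal subnet the RB1100 routes (the DMZ and Test ports, for instance) needs its own drop rule ahead of the accept.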