I want to bridge my wan port to select ports so I can directly use wan IPs to each server, but at the same time, I still want to have local clients (and wireguard clients to access the local clients) behind the firewall and NATed. Any ideas how to achieve this? Is this doable?
It can certainly be done but how you’ll do it depends on your network topology.
If the servers are directly connected to the router you could remove the server ports from the LAN bridge, create another bridge that includes your WAN port and then add the server ports to that bridge.
So I made another bridge that includes the server directly connected to the router with WAN and I am able to get an IP. However, my wireguard clients are not able to get internet access anymore unless I remove the ether1 (wan facing) interface out of the bridge.
Start off with posting a network drawing so we know what you are trying to do. Next is post your configuration.
To export and paste your configuration (and I’m assuming you are using WebFig or Winbox), open a terminal window,
and type (without the quotes) “/export hide-sensitive file=any-filename-you-wish”. Then open the files section
and right click on the filename you created and select download in order to download the file to your computer.
It will be a text file with whatever name you saved to with an extension of .rsc. Open that file in your favorite
text editor and redact any sensitive information if desired / needed. Then in your message here, click the code
display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks
like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
You should rather do a firewall (NAT) rule:
If someone is reaching the public IP via a specific port then the router should direct traffic to a server. Remember that it should stay “safe” because it’s public.
If you’re using public domain for it - look up for so called “hairpin” rule for computers inside the network trying to reach it by domain.
For Wireguard clients… Again, firewall rule.
If you are looking for some “help me for real” then:
Start off with posting a network drawing so we know what you are trying to do. Next is post your configuration.
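The NAT approach described in this reply, written out as a RouterOS v7 configuration. This is an added example, not from the poster or the thread; the server address 192.168.88.10, the public address 203.0.113.10 and the service port 443 are constructed placeholders, and the WAN and LAN interface lists are assumed to exist already. The hairpin rule is what lets clients on the LAN reach the service by its public name without the server answering them directly and breaking the connection.

```routeros
# Added example (not the poster's config): publish one service of an internal
# server through the router instead of bridging it to the WAN.
# Placeholders: 192.168.88.10 = server, 203.0.113.10 = public IP, 443 = service port.
/ip firewall nat
# Port forward: traffic for the public IP on tcp/443 is sent to the internal server.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443 comment="publish https"
# Normal outbound NAT for LAN clients.
add chain=srcnat out-interface-list=WAN action=masquerade
# Hairpin NAT: a LAN client that connects to the public IP is dst-natted to the
# server above; rewrite its source as well so the reply comes back via the router.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 \
    protocol=tcp dst-port=443 action=masquerade comment="hairpin"

/ip firewall filter
add chain=forward connection-state=established,related action=accept
# From the internet, only the forwarded service is allowed into the LAN.
add chain=forward in-interface-list=WAN connection-nat-state=dstnat \
    protocol=tcp dst-address=192.168.88.10 dst-port=443 action=accept \
    comment="only the published service"
add chain=forward in-interface-list=WAN connection-state=new action=drop
```

If the public address is dynamic, the dst-nat rule can match `in-interface-list=WAN` instead of a fixed `dst-address`, but then the hairpin case needs a separate dst-nat rule for LAN clients, since their connections do not arrive on a WAN interface.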
I should clarify that this is for hosting, each client gets an IP address and the hypervisor allows them to enter firewall rules so I didn’t think it’s necessary to go through the router. I made another post a couple weeks ago detailing this but it seems that what I was trying to achieve wasn’t impossible, as I thought I could give an IP or rather a pool of IP addresses directly to the server while going through the router.
I will post configuration setup when I get home
I do something similar on my home RB5009 to directly bridge my ISP’s IPTV box to the ISP WAN so I a) don’t have to bother with multicast routing and b) can keep the ISP controlled IPTV box out of my private LAN. I can’t provide a direct config export as my actual setup is more complicated (WAN goes to a tagged trunk as my IPTV box is on another floor connected to a switch providing an untagged WAN access port):
Let’s assume your WAN is on ether1, ether2 is a bridged WAN port and ether3-8 are “normal” NATed LAN ports. With WAN on VLAN10 and LAN on VLAN20:
All on one bridge:
- Add ether1 and ether2 as access ports on VLAN10 (PVID10)
- Add ether3-ether8 as access port on VLAN20 (PVID20)
- Add a VLAN10 bridge interface for the CPU WAN port
- Add a VLAN20 bridge interface to the bridge for LAN CPU port
- Add CPU bridge WAN interface as tagged to VLAN10
- Add CPU bridge LAN interface as tagged to VLAN20
- Now you can set up WAN/LAN NAT as usual between bridge VLAN10 and VLAN20 CPU interfaces (add bridge VLAN10 to WAN interface list and bridge VLAN20 interface to LAN interface list)
Now ether3-8 are LAN ports as usual, while ether2 is directly bridged to WAN.
Depending on your actual device you obviously have to adapt ether/SFP port numbers and if you expect high traffic on bridged WAN port a device with HW offload for VLAN filtering is recommended.
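The single-bridge layout from the list above, written out as a RouterOS v7 configuration. This is an added example, not the poster's own export; port numbers and VLAN ids follow the post, while the LAN subnet 192.168.20.0/24, the interface-list names, the WireGuard interface name `wg0` and its listen port 13231 are assumptions. Note that frames between ether2 and ether1 are switched on VLAN 10 and never pass the IP firewall, so the host on ether2 is exposed exactly as if it were plugged into the ISP directly and must protect itself.

```routeros
# Added example (not the poster's config): one VLAN-filtered bridge,
# ether2 bridged to the ISP WAN on VLAN 10, ether3-ether8 a NATed LAN on VLAN 20.
/interface bridge
add name=bridge1 vlan-filtering=no comment="filtering is switched on last"

/interface bridge port
# ether1 (ISP uplink) and ether2 (bridged WAN port): untagged members of VLAN 10
add bridge=bridge1 interface=ether1 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether2 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# ether3-ether8: untagged members of the LAN VLAN 20
add bridge=bridge1 interface=ether3 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether4 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether5 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether6 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether7 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether8 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# The bridge itself is the CPU port; it is tagged on both VLANs so the router can route between them.
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether1,ether2
add bridge=bridge1 vlan-ids=20 tagged=bridge1 untagged=ether3,ether4,ether5,ether6,ether7,ether8

/interface vlan
add name=vlan10-wan interface=bridge1 vlan-id=10
add name=vlan20-lan interface=bridge1 vlan-id=20

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=vlan10-wan
add list=LAN interface=vlan20-lan
# Assumption: WireGuard clients are treated like LAN clients so they are NATed out VLAN 10.
add list=LAN interface=wg0

/ip address
add address=192.168.20.1/24 interface=vlan20-lan
/ip dhcp-client
add interface=vlan10-wan

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

/ip firewall filter
add chain=input connection-state=established,related action=accept
# Assumption: WireGuard listens on udp/13231; keep this above the WAN drop.
add chain=input in-interface-list=WAN protocol=udp dst-port=13231 action=accept comment="wireguard"
add chain=input in-interface-list=WAN action=drop comment="router itself unreachable from WAN"
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface-list=LAN out-interface-list=WAN action=accept
add chain=forward in-interface-list=WAN connection-state=new action=drop

# Enable filtering only after ports and the VLAN table exist, or you lock yourself out.
/interface bridge set bridge1 vlan-filtering=yes
```

Before turning on `vlan-filtering`, check `/interface bridge vlan print` shows bridge1 as tagged on both VLAN ids and every port under exactly one VLAN; a missing entry for the VLAN your management address sits on is the usual way to lose access to the router.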
So two bridges ( LAN and WAN) where IPTV box is connected to the WAN bridge at ether2?
It’s not clear to me if the provider is already providing internet on WANX and IPTV on WANY, which I would assume is normal.
Or is your ISP supplying both internet and IPTV on different subnets on the same line untagged??
No. Just different VLANs on the same bridge. One for WAN (10), one for LAN (20).
ether1/2 as access (untagged ports) for WAN(10), ether3-8 as access port on LAN (20).
With WAN/LAN NAT routing happening btw. CPU bridge interfaces for 10 and 20 VLANs.
This works because my ISP uses no special VLANs for IPTV. IPTV runs untagged same as internet, but using special (and undocumented) IPv4 multicast addresses managed with IGMP.
If the IPTV box would use special VLANs, this setup would still work by adding ether1/2 as tagged ports for the appropriate IPTV VLAN ids to the same single bridge (so HW offloading works for all port/VLANs)
As I understand it, the original post is about providing VPN on the bridged WAN port, so most likely no VLANs involved.
I guess what I am saying is why bother using the second bridge for the WAN and not just vlans…
I suspect maybe the bridge connects the incoming WAN to the IPTV box at layer 2, whereas a specific and separate VLAN would not… ???
Or do you need other RoS settings to make this happen??
Not sure where our disconnect is here.
Yes, it is about bridging the IPTV box on L2 to the ISP WAN, same as the dedicated IPTV port of the original ISP CPE would do. Special VLANs or not (of course in case of special tagged VLANs, assuming all tagged VLANs are properly configured to be forwarded between the bridged WAN ports without touching the tags).
In my understanding “bridging/routing at same time” means normal routing between different VLANs, while bypassing routing on L2 for certain VLANs/ports. All on the same bridge for L2 HW offload to be working if available.
No disconnect just confirming…