Second external IP from WAN routed to eth4

MatsK · December 1, 2018, 12:53am

My ISP allows up to 5 addresses from my fiber-box (1 ethernet port). So if i put a regular switch right after then I can plug in up to 5 devices each getting a public external IP via DHCP.

My config now is: WAN eth1 has a bridge to the other ports, and a vlan-interface is added to eth1 with a separate bridge to my IP-TV.

What I want to accomplish is have a external ip on eth4 so I can connect the ISP-supplied router (zyxel, which has telephone ports) so it gets a external IP from my ISP’s DHCP server.

Current setup is: that I have a switch right after the fiber-box and from the switch I connect both the zyxel and my RB2011 (so both get public IP’s). Can I get rid of the switch and plug the zyxel to port 2?

ISP → eth1
Eth2 → IP-TV (vlan 845)
Eth4 → allows zyxel to request external IP from ISP DHCP

I have googled for two nights straight, is it even possible to do it this way?

mkx · December 1, 2018, 1:11pm

You’re already dealing with VLANs, so you could do the following:

Add all 10 ports to the same bridge and start using VLANs (at least internally on RB2011) for all network segments in game
configure eth1 port as hybrid: untagged VLAN=X for WAN and tagged VLAN=845 for IPTV (connect to ISP)
configure eth2 port as untagged access port for VLAN=X (connect zyxel to this one)
configure eth3 … ethN as access port for VLAN=Y (this will be your LAN)
configure ethZ as (tagged or untagged) port for VLAN=845 (connect IPTV receiver here; exact configuration depends on receiver’s requirements)
create vlanX and vlanY interfaces for VLANs X and Y correspondingly on bridge
configure WAN (whichever method appropriate for ISP, I’ll assume DHCP client) on vlanX interface
configure LAN (IP address, DHCP server, NAT, …) on vlanY interface
configure WiFi on RB2011 with vlan-mode=use-tag vlan-id=Y and make it member of common bridge
update interface lists (include vlanX and vlanY, possibly remove eth1 and eth2, to reflect correct use intention (WAN, LAN)
inspect and update firewall rules and NAT rules
enable vlan-filtering on bridge

Vhen deciding on vlaue of X and Y above (VLAN IDs for WAN and LAN), avoid use of VLAN ID=1.

sindy · December 2, 2018, 1:28pm

The 2011 doesn’t have the most powerful CPU on the market, so for the IPTV part, I’d be all for using the switch chip forwarding rather than the software bridge functionality, saving the CPU resources for the other traffic.

Now leaving the IPTV aside for a while, having ether1 and ether4 bridged together and attaching a DHCP client to the bridge should be sufficient for the purpose - to get one address from the ISP for the Mikrotik itself and the other ones to be available to other devices connected to ether4.

To have tagless traffic bridged between ether1, ether4 and an L3 interface of the Mikrotik, and traffic tagged with 845 forwarded from ether1 to ether2 and untagged there on egress, you have to permit VLANs 0 (representing the tagless frames) and 845 in the configuration of switch1; VLAN 0 would be permitted on ports ether1,ether3,ether4,ether5 and switch1-cpu and VLAN 845 on ether1 and ether2 only. Then, you would set vlan-mode to secure at ether1, ether2 and ether4, and set default-vlan-id to 845 at ether2, keeping it at the default 0 everywhere else.

In the bridge-wan configuration, you just make ether1 and ether4 member ports of the bridge and set hw=yes so that the CPU would not ask the switch chip to send every ingress packet to it, and attach the DHCP client to the bridge itself.

If you want to use ether3 and ether5 as member ports of bridge-lan, you have to set hw=no on them because only one bridge can benefit from the “hardware acceleration” on the switch chip. ether6 to ether10 are on another switch chip so they can stay with hw=yes.

MatsK · December 3, 2018, 7:26pm

So much amazing help, will get to work as soon as I can get the family to bed Thanks in advance

Will keep you updated