Using RB750Gr3 (hEX) for multiple separate LANs with DHCP

I’ve tried several nights now to get this to work but I’m… just stupid I guess :) It’s utterly embarrassing, I am a Linux engineer :( I have no problem getting this to work on a Linux box or a FortiGate but here I don’t understand what is happening. I believe I have made correct settings but now I’m too tired to be 100%.

I’ve separated all 5 ethers, and am trying to get to this first step:

ether1 - WAN (dhclient)
ether2 - dhcp (172.16.0.0/24)
ether3 - dhcp (10.0.0.0/8)
ether4 - dhcp (192.168.0.0/24)
ether5 - either bridged with ether4, or dhcp (192.168.128.0/24)

After this, I obviously will need to firewall stuff for access from LAN to LAN, firewalling incoming/outgoing etc etc. But I can’t even get this to work reliably.

Ether1 works, no problem. Ether2-5 have issues no matter what I try. I’ve tried using bridges for everything, but then dhcpserver on ether3 fails. If not using bridges, ether2 breaks. It’s always one of the ports, or bridges, that seems to fail. I started using the web interface, have now switched to Winbox.

I’ve tried reading the manual but I can’t find much info on multiple dhcpservers on ports/bridges, using the hex without bridges etc. What am I missing? I even drew a diagram in LibreOffice for this :)


Q: Should I always use a bridge even if there is only one interface or just use “raw” ethers?

Q: Is there a DHCPserver limit in some way?

Please post your config
/export hide-sensitive file=yourmostrecentconfing (could be any name)

I like using vlans on a bridge where the bridge does not have any DHCP type functions.
It's simply the conduit for all the traffic (hosting the vlans).
For me it clearly separates traffic at layer 2 and thus clearly identifies for simpleton me, what firewall (layer3) rules are needed in the mix.
Since I use drop all else rules in both INPUT and FORWARD chains, no traffic is passed in any direction unless specifically allowed in FW rules prior to drop rules.

You can have as many dhcp servers as you want. Well, there’s probably some limit, but four are possible for sure. Post the config as suggested.

@anav: Individual interfaces are fine, they are separated too. Vlans are good when you plan to do future changes and you want it flexible, joining different ports, working with tagged vlans, etc. But don’t use them just for fun, especially if your device can’t do them in hardware. I tried such config for my new home router (HEX S) and performance hit is massive (edit: it’s not that bad, but let’s say significant).

Point taken, you should have asked me before HEX purchase as I quickly realized that for a complex home setup they are underpowered.
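
Added example, not posted by anyone in this thread: a RouterOS sketch of the layout from the first post on standalone ports (no bridge, no VLANs), with the "drop all else" INPUT and FORWARD rules mentioned above. It assumes a router reset with no default configuration and ether2-ether4 not being bridge ports (a DHCP server will not run on a bridge slave port); the router addresses (.1), pool ranges and object names are assumptions, and ether5 is left out.

```routeros
# Added example. Assumes: no default configuration, ether2-ether4 are not
# bridge ports. Router IPs (.1), pool ranges and names are assumptions.
/ip dhcp-client add interface=ether1 disabled=no
/ip dns set allow-remote-requests=yes

/ip address
add address=172.16.0.1/24 interface=ether2
add address=10.0.0.1/8 interface=ether3
add address=192.168.0.1/24 interface=ether4

/ip pool
add name=pool2 ranges=172.16.0.100-172.16.0.200
add name=pool3 ranges=10.0.0.100-10.0.0.200
add name=pool4 ranges=192.168.0.100-192.168.0.200

/ip dhcp-server
add name=dhcp2 interface=ether2 address-pool=pool2 disabled=no
add name=dhcp3 interface=ether3 address-pool=pool3 disabled=no
add name=dhcp4 interface=ether4 address-pool=pool4 disabled=no

/ip dhcp-server network
add address=172.16.0.0/24 gateway=172.16.0.1 dns-server=172.16.0.1
add address=10.0.0.0/8 gateway=10.0.0.1 dns-server=10.0.0.1
add address=192.168.0.0/24 gateway=192.168.0.1 dns-server=192.168.0.1

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=ether2
add list=LAN interface=ether3
add list=LAN interface=ether4

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept
add chain=input in-interface-list=LAN action=accept comment="narrow to management and DNS later"
add chain=input action=drop comment="drop all else"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=LAN out-interface-list=WAN action=accept
add chain=forward action=drop comment="drop all else: no LAN-to-LAN unless allowed above"
```

Any LAN-to-LAN access goes in as an explicit accept rule above the final forward drop; until then the three subnets reach the WAN but not each other.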