I need to separate three LANs on a single router switch. eth3 and eth5 must bridge/switch the 192.168.1.0 LAN, eth7 and eth9 must bridge/switch the 192.168.2.0 LAN, and the rest of the eth ports must bridge/switch the 192.168.100.0 LAN. And those LANs must not reach each other. I configured eth3 and eth5 to bridge 1, eth7 and eth9 to bridge 2. And added bridge1 to VLAN 10, bridge 2 to VLAN 20, but I created the VLAN in the interface section (Interface -> VLAN). Today I found VLAN in the switch section. Which one is better? Switch VLAN or interface VLAN?
And I am configuring a firewall on the Ethernet ports. For example eth1 will allow only TCP 80 and TCP 443, and the rest of the TCP ports will be rejected. How do I implement "rest of TCP ports rejected" in WebFig?
Your first statement is not helpful.
Is the device acting as a router or NOT? Is it attached to your ISP's modem?
If so, it's not really a switch but a router with switching capabilities, like most routers.
If it's purely acting as a switch then you can do what you want with the setup, but there are preferred methods for RoS setups for switches, or you can use SwOS with the switch, I believe.
Just to confirm.
You do not need more than one subnet per port (like two or more vlans on a single port).
If not, then you don't really need VLANs.
You can assign three bridges (each with its own dhcp settings etc.)
OR
You can assign one bridge and use vlans (each vlan has its own dhcp settings) [my preference]
but I suggest you first do the research and reading…
Find your device and figure out what is best.
I would not use this device for routing unless my internet speeds were really low and it didn't matter.
If your internet speeds are high, a better bet is to buy a hEX router and let it handle DHCP and internet communication, and send one cable to your switch and let the switch handle all the inter-user/device traffic communications. (That way the router is mainly for assigning IPs and letting traffic flow back and forth from the internet, while the switch does all the high-power switching work for the devices/users behind it, if that makes sense. I am assuming that is the purpose of the device: mainly handling a lot of internal traffic that is within the control of the switch → users to internal servers etc…)
eth3 and eth5 are members of same LAN (switching traffic between ports) - LAN1: 192.168.1.0/24 (I’m guessing subnet mask)
eth7 and eth9 are members of LAN2: 192.168.2.0/24
ethX (other than 3,5,7,9 and WAP port) are members of LAN3: 192.168.100.0/24
One can do it using 3 bridges, but the thing is: only one of bridges can be HW offloaded. If traffic between pairs eth3/eth5 and eth7/eth9 is not big, then these two bridges should be set with hw=no on member ports to ensure that the “big” bridge (spanning most ports) will get HW offloaded.
IP setup in this case would go directly to all 3 bridge interfaces.
One can do it using VLANs and switch chip. The basic idea is to have three VLANs configured on switch chip, each of VLANs acting same role as each of bridges in previous paragraph. Make sure that switch chip - CPU interconnect (switch port named switch1-cpu) is tagged member of all VLANs so that ROS (CPU) will be able to interact with all VLANs (needed for routing). On the SW side one would then add all ether ports to same bridge (and make sure no VLAN-related settings are done under /interface bridge). Those VLANs will be entirely internal to CRS2xx device and will effectively partition switch into 3 separate (on L2) switches. The manual to be used for configuring VLANs on switch chip is this one.
IP setup in this case would need corresponding VLAN interfaces (/interface vlan) anchored on common bridge.
In both cases it is necessary to configure the IP firewall to block connections between the different IP subnets according to requirements. Without it, connections between subnets will be possible - not because the L2 setup would bleed traffic between them but because you're using the CRS2xx as a router, and a router by default forwards packets between its L3 interfaces (interfaces which have an IP address set) unless that's blocked using some other mechanism (OK, could be routing filters as well, but on a device with a stateful firewall enabled it's easier to block that traffic using a few simple firewall filter rules).
[edit] the above is what would work on ROS v6. I guess ROS v7 would run same configuration just fine, I’m not sure about switch chip config though. As @anav already wrote: this device is essentially ethernet switch with (low performance) L3 capability. As such I wouldn’t run ROS v7 on it unless the device is used as a lab test device to test v7.
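A worked example of the switch-chip approach described in the reply above, together with the per-port "only TCP 80/443, reject the rest" filtering asked about in the opening post. This is added here and is not configuration posted by anyone in the thread. It assumes: a 10-port device (ether1-ether10) whose ports all sit on one switch chip named switch1, using the Atheros-style `vlan-mode`/`vlan-header`/`default-vlan-id` syntax seen in the export posted in the thread (CRS1xx/2xx switch chips use a different switch-chip VLAN syntax, which is what the manual the reply refers to covers); RouterOS v6.41 or later with every ether port already in a single bridge named bridge1 that has no VLAN filtering enabled; and VLAN IDs 10, 20 and 100 chosen here for the three LANs. The `in-bridge-port` matcher identifies the physical port behind the bridge; whether it is populated for hardware-offloaded frames depends on the switch chip, so check it with a temporary log rule before relying on it.

```routeros
# --- L2 partitioning on the switch chip (internal VLANs, never leave the device) ---
# Access ports: untagged frames get the port's default VLAN on ingress, tag stripped on egress.
/interface ethernet switch port
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=10
set ether5 vlan-mode=secure vlan-header=always-strip default-vlan-id=10
set ether7 vlan-mode=secure vlan-header=always-strip default-vlan-id=20
set ether9 vlan-mode=secure vlan-header=always-strip default-vlan-id=20
set ether1 vlan-mode=secure vlan-header=always-strip default-vlan-id=100
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=100
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=100
set ether6 vlan-mode=secure vlan-header=always-strip default-vlan-id=100
set ether8 vlan-mode=secure vlan-header=always-strip default-vlan-id=100
set ether10 vlan-mode=secure vlan-header=always-strip default-vlan-id=100
# CPU port is a tagged member of all three VLANs so RouterOS can route between them.
set switch1-cpu vlan-mode=secure vlan-header=leave-as-is

# VLAN table: vlan-mode=secure drops frames whose VLAN/port pair is not listed here.
/interface ethernet switch vlan
add switch=switch1 vlan-id=10  ports=ether3,ether5,switch1-cpu
add switch=switch1 vlan-id=20  ports=ether7,ether9,switch1-cpu
add switch=switch1 vlan-id=100 ports=ether1,ether2,ether4,ether6,ether8,ether10,switch1-cpu

# --- L3: one VLAN interface per LAN, anchored on the common bridge ---
/interface vlan
add name=vlan10  interface=bridge1 vlan-id=10
add name=vlan20  interface=bridge1 vlan-id=20
add name=vlan100 interface=bridge1 vlan-id=100

/ip address
add address=192.168.1.1/24   interface=vlan10
add address=192.168.2.1/24   interface=vlan20
add address=192.168.100.1/24 interface=vlan100

/interface list
add name=LAN
/interface list member
add list=LAN interface=vlan10
add list=LAN interface=vlan20
add list=LAN interface=vlan100

# --- Firewall: the router forwards between its L3 interfaces unless told not to ---
/ip firewall filter
# Return traffic of connections that were already allowed.
add chain=forward action=accept connection-state=established,related \
    comment="accept replies"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Any new routed connection from one LAN into another LAN is dropped.
# Traffic inside one LAN is switched in hardware and never reaches this chain.
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN \
    comment="keep the three LANs apart"
# Host(s) behind ether1: only new TCP connections to 80/443 may be routed on.
add chain=forward action=accept in-bridge-port=ether1 protocol=tcp dst-port=80,443 \
    comment="ether1: allow web only"
add chain=forward action=reject reject-with=tcp-reset in-bridge-port=ether1 protocol=tcp \
    comment="ether1: reject all other TCP"
```

Each `add chain=forward ...` line corresponds to one row in IP > Firewall > Filter Rules in WebFig (General tab for chain and interface matchers, Action tab for `reject` and `reject-with`); rule order matters, so the `established,related` accept must stay above the drop and reject rules. DHCP servers, if wanted, attach to vlan10/vlan20/vlan100 exactly as they would to three separate bridges.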
/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip pool add name=dhcp_pool4 ranges=192.168.0.2-192.168.0.254
/ip pool add name=dhcp_pool5 ranges=192.168.1.2-192.168.1.254
/ip pool add name=dhcp_pool6 ranges=192.168.2.2-192.168.2.254
/interface ethernet switch port set 1 default-vlan-id=30 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 2 default-vlan-id=30 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 3 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 4 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 5 vlan-mode=secure