I am using a hEX PoE router for my home.
The sfp interface connects to the WAN.
eth1-2 are the local LAN network.
eth3-4 connect to IP cams using PoE.
eth5 is a trunk interface that connects to a Cisco AP. I created a vlan interface (vlan80) under eth5. The Cisco AP has two VLANs, one is the default vlan, the other is vlan80.
I created a bridge (bridgeLAN) for eth1-2 and eth5, and I created another bridge (bridgeIoT) for eth3-4 and vlan80.
The sfp WAN port is not in any bridge.
bridgeLAN and bridgeIoT use different IP scopes and address pools.
Right now everything works fine. Only the ports under bridgeLAN show hardware offloading.
bridgeLAN cannot talk to bridgeIoT, which is what I want. If I need to allow hosts in bridgeIoT to talk to bridgeLAN, I need to create firewall rules. So the traffic between the two bridges is L3 routed by the CPU, right?
After reading the wiki a couple of times, I still do not really understand the ‘new’ bridge and VLAN concept. My questions are:
If I want to enable hardware offloading for all LAN ports (eth1-5), is only one bridge allowed?
If I bridge eth1-5 and create VLAN interfaces under that bridge, how can I isolate the traffic between the local LAN and the local IoT network?
The WAN port does not need to join any bridge, right?
If I want to enable hardware offloading for all LAN ports (eth1-5), is only one bridge allowed?
Correct
If I bridge eth1-5 and create VLAN interfaces under that bridge, how can I isolate the traffic between the local LAN and the local IoT network?
Create 2 VLANs on the bridge, one for LAN and another for IoT, then create FW rules to prevent routing between them
The WAN port does not need to join any bridge, right?
Correct
Thanks, @CZFan
I followed the wiki and thought about the configuration below. I haven’t tested it in production yet. Would you please help take a look? I appreciate your time.
I want the eth5 trunk port to lead to the Cisco AP, which has vlan10 (native) and vlan80, with eth1 and eth2 in vlan10 and eth3 and eth4 in vlan80.
And I am thinking about which port I should connect to so that I do not lock myself out during the configuration change.
/interface bridge
add name=bridge1 vlan-filtering=no
Kind of related to this. In my case, both of my routers are used EXCLUSIVELY for routing. Each physical port is either a trunk carrying multiple VLANs to a smart switch, or a specific LAN that is going to a switch. The same LAN never appears on more than one physical port.
Is there any reason in this case to use a bridge? I have never created one. Using an RB750r2 and an RB750Gr3.
@k6ccc … I wouldn’t create a bridge in the case you described.
In one of my installations I have just the opposite: even the physical interface carrying WAN is part of the bridge. The reason is that the ISP provides IPTV via a VLAN and I’m just carrying that VLAN through that particular LAN. The WAN gets its own VLAN and is terminated in the router itself.
So yes, one has to consider needs and possibly implement the least complicated of solutions.
I might add … I see bridge as a sort of switch. That view somehow helps me to decide which interfaces belong to it and which don’t.
If one needs to switch (forward unfiltered and unchanged) traffic between interfaces (either physical or VLAN or any other), then it makes sense to create a bridge (or two). If traffic needs to be routed/filtered, then use of a bridge would be counter-productive, as one would have to prevent the bridge from forwarding packets “behind the router’s back”. Sure there are ways of doing it, but why bother?
When considering the dilemma of whether to create a single bridge or more of them, it should be noted that currently only one bridge can have HW offload active. Using a second (third, …) bridge comes with a performance penalty, and due to that it’s better to separate traffic by using VLANs. That might be a bit messy if one isn’t used to VLANs. Plus the current implementation of VLAN-related bridge settings in ROS is IMHO slightly confusing. Use of several bridges would be a more straightforward way of solving certain tasks and will become feasible when the performance limitation gets removed.
hEX PoE doesn’t support hw-offloading on a bridge with vlan filtering enabled.
So it may sound strange, but in your situation it can be better to leave things as they are - bridgeLAN will have hw offloading and bridgeIoT will have vlan filtering.
The other possibility is to build the configuration not based on /bridge menu, but on the /switch menu - QCA8337 switch chip itself is vlan capable.
Yes, you must bind DHCP etc. services to the relevant vlan, but you must also provide access to the CPU for these services, which you do by adding the bridge as tagged, else the services won’t work
Thanks CZFan and xvo
The reason I am looking for HW offloading is that my two IP cams have constant traffic (15Mbps) from vlan80 to the NAS (the NAS only has one NIC and does not support a trunk interface) in vlan10. The cams are physically installed outside of my house, so I want to put them in a separate ‘untrusted’ vlan.
The hEX PoE CPU is usually around 5%-8% in the current setup.
I want to see if enabling HW offloading on all ports will reduce CPU a little bit.
I know creating different bridges is quite straightforward for the logical network segregation. The bridge VLAN concept is a bit confusing. If the hEX PoE does not support HW offloading when bridge vlan filtering is enabled, then I will just listen to xvo’s suggestion and leave the current setup.
I’m confused again. In my installation, where I use a few VLANs, my bridge doesn’t know anything about VLANs. Indeed I configure most things in the /interface ethernet switch part, including VLANs, so my bridge is actually a dummy switch. I just create vlan interfaces for any VLAN I need to have L3 access to from the router CPU (and I make sure switch-cpu is also a member of the given VLAN).
As @florid already created vlan10 and vlan80 interfaces (and set IP addresses to them), I guess he could also bind DHCP server(s) to the very same interface(s) and it should work?
If you remove the switch-cpu (in switch vlan config) or the bridge (in bridge vlan config) from your vlan config, DHCP etc. services will stop working on the VLANs if the DHCP service / server is running on this device
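The single-bridge layout CZFan describes (two VLANs on one bridge, the bridge itself a tagged member of both so the CPU-side DHCP servers keep working, and forward-chain firewall rules between the VLANs), written out as an added RouterOS example; it is not florid's draft and not taken from the wiki. Interface names, VLAN ids, subnets and the NAS address are assumptions; per xvo's note, on the hEX PoE this setup runs without hw-offloading once vlan-filtering is on.

```routeros
# Added example, not the poster's config. vlan10 = LAN (ether1-2, AP native),
# vlan80 = IoT cams (ether3-4, AP tagged). Addresses and names are assumed.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=10
add bridge=bridge1 interface=ether2 pvid=10
# cam ports: refuse tagged frames so an outdoor device cannot hop VLANs
add bridge=bridge1 interface=ether3 pvid=80 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether4 pvid=80 frame-types=admit-only-untagged-and-priority-tagged
# ether5 is the trunk to the Cisco AP: native (untagged) vlan10, tagged vlan80
add bridge=bridge1 interface=ether5 pvid=10
/interface bridge vlan
# bridge1 is tagged on both VLANs so the router CPU (IP addresses, DHCP,
# firewall) can reach them; without it the DHCP servers below stop working
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether1,ether2,ether5
add bridge=bridge1 vlan-ids=80 tagged=bridge1,ether5 untagged=ether3,ether4
/interface vlan
add name=vlan10 interface=bridge1 vlan-id=10
add name=vlan80 interface=bridge1 vlan-id=80
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.80.1/24 interface=vlan80
/ip pool
add name=pool10 ranges=192.168.10.100-192.168.10.200
add name=pool80 ranges=192.168.80.100-192.168.80.200
/ip dhcp-server
add name=dhcp10 interface=vlan10 address-pool=pool10 disabled=no
add name=dhcp80 interface=vlan80 address-pool=pool80 disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.80.0/24 gateway=192.168.80.1
/ip firewall filter
# replies to LAN-initiated sessions pass; cams may reach only the NAS
# (assumed 192.168.10.50); everything else from IoT to LAN is dropped
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=vlan80 out-interface=vlan10 dst-address=192.168.10.50 action=accept
add chain=forward in-interface=vlan80 out-interface=vlan10 action=drop
# turn filtering on last, from a host on a vlan10 port, to avoid lock-out
/interface bridge
set bridge1 vlan-filtering=yes
```

Place the accept rule for the NAS above any broader drop so the 15Mbps camera streams keep flowing while the rest of vlan80 stays isolated.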
I am using a hEX PoE RB960PGS. The configuration is not exported from the device, but I drafted it according to the wiki page. I planned to have the experts check the configuration before implementing the change on my router. Right now it is not necessary, as I will just keep the existing setup.