WAN and part of LAN on ether1?

I have a weird network topology that I am trying to get working. I connect to my ISP via a wireless dish on a mast. It gets its power via a PoE injector. I connect to it via ether1 of a RB5009UPr+S+. I have a need to add a NetMetal AX to the mast and multiplex the single cable from ether1. In other words, I want WAN and part of the LAN on ether1. I think I can handle any security issues, if I could just easily configure the NetMetal.

I bought a nano switch, powered by the same PoE injector, with PoE out on its other ports. The switch will power the ISP dish and the Netbox AX. It works to the extent that CapsMan finds and provisions the NetMetal but Winbox cannot connect to it. (I did have to put CapsMan on all interfaces for it to find the NetMetal.) I am trying to connect Winbox with the MAC address because I don’t want a DHCP client on the NetMetal. MAC Telnet can connect to the NetMetal to configure it but I want to use Winbox.

I have tried various things, such as putting a static IP address on the NetMetal, creating a route to it via ether1, etc., but failed at every turn. Long story short, why can CapsMan and MAC Telnet access the device via its MAC address, but Winbox cannot?

Could it be something in the NetMetal AX configuration? (mac-winbox settings? interface list?)
Or could it be the settings of the RB5009? (firewall filter rules?)

You should post your configuration of both (anonymized) so that it can be checked by some of the more expert members.
Instructions are here (though the screenshots are of the old forum, it doesn’t change much):

And if possible a drawing showing the complete setup please.
Can be on paper and scanned in.

If your WAN is provided by the wireless dish, I assume your ether1 is configured as a WAN interface, meaning it’s a standalone port on RB5009 with a WAN IP. This means that ether1-Nano link is in its own L2 broadcast domain. CapsMan and MAC Telnet work for you because those connections are initiated from the router itself. WinBox is coming from your LAN segment, which is in a different L2 domain.

If I understand you correctly, you need to have two (or more) VLANs: one for WAN, one (or more) for LAN on NetMetal. I don’t think you can do it with the Nano Switch since it’s a dumb switch.

Another way would be to configure NetMetal as a router with its own DHCP and firewall, then you could manage it via IP with WinBox. But it would still be a non-standard (potentially undesired) configuration with WAN and RB-to-NetMetal_LAN connections sharing the same L2 segment. Creating separate L2 segments with VLANs is the proper way to do it, as long as other security implications are taken care of.

Anserk, thanks for the explanation and suggestions. I will look into VLANs but have spent years avoiding them. I went down the nano switch path to avoid pulling an additional cable to the mast location. An additional cable might be the simplest solution but I will try to get over my VLAN phobia.

I agree, using the same cable is nice, which is one of the reasons why VLANs exist. You may still be able to use NanoSwitch along with VLANs since according to this post (https://community.ui.com/questions/Nanoswitch-pass-VLAN-Tags/737e279a-e001-4651-be50-d502fbc6aeef), it will pass VLAN tags despite being an unmanaged switch. I don’t know if there is an outdoor switch with PoE pass-through and VLAN support.

With that being said, you should be able to get it working even with your existing setup.

  1. Put a static IP on ether1 on RB5009 from a subnet that you don’t use elsewhere, e.g. 192.168.15.1/24.
  2. Put a static IP on NetMetal from this subnet, e.g. 192.168.15.2/24.
  3. Add a static default route on NetMetal with 192.168.15.1 as the gateway.

(You can actually use /31 on both ends, but you don’t really need to save IP addresses with private ranges).

This will allow you to connect to NetMetal via WinBox from your LAN behind RB5009. Such configuration is not ideal and certainly non-standard but will work in a pinch. If you want the LAN segment behind NetMetal to work, there is additional work required.
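The three steps above written out as RouterOS CLI commands, plus an input filter on the NetMetal so that its new address, which sits on the same cable as the ISP uplink, only answers WinBox from the RB5009 side. This is an added example, not the poster's configuration; it assumes the NetMetal's wired port is ether1 and that traffic from the RB5009 LAN leaves ether1 with 192.168.15.1 as its source (the usual masquerade rule on the WAN port does this).

```routeros
# --- RB5009: second address on ether1 for the management subnet ---
# The ISP-facing address (DHCP client or static) stays on ether1 as well.
/ip address
add address=192.168.15.1/24 interface=ether1 comment="mgmt link to NetMetal"

# --- NetMetal AX ---
/ip address
add address=192.168.15.2/24 interface=ether1 comment="mgmt"

# Default route back to the RB5009 so replies to WinBox have a path
# (without it packets arrive but nothing comes back).
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.15.1

# 192.168.15.2 is reachable from anything else on the shared cable, the ISP
# side included, so only accept WinBox (tcp/8291) from the RB5009 address.
# Replies to connections the NetMetal itself opens (CAPsMAN) pass via
# established/related; MAC Telnet and MAC WinBox are Layer 2 and are
# governed by /tool mac-server, not by this IP filter.
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept protocol=icmp
add chain=input action=accept protocol=tcp dst-port=8291 \
    src-address=192.168.15.1 comment="WinBox from RB5009 only"
add chain=input action=drop comment="drop everything else on input"
```

If the RB5009 does not NAT traffic leaving ether1, use your LAN subnet as src-address in the WinBox rule instead of 192.168.15.1.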

Thanks for the additional info. I had gone down the path you suggested but I think I forgot to put a route on the NetMetal to the gateway. I could see there were packets going to the NetMetal but none coming back.
To complete the overall network design, the intent of the NetMetal is to improve my outside wifi coverage and also to be part of a wireless link to another building. At the other end of that wireless link will be a wAP AX, which will be wired to a hAP AX3 for wifi in that building.
I will continue trying to get the ether1 multiplexing working but also exploring pulling more cables.