I have a RB750Gr3. I have it configured as default and would like to use a couple of the ethernet interfaces to serve as part of a second bridge, that would effectively work as an unmanaged switch on the WAN interface.
I’ve tried setting up a second bridge called bridge-WAN (as opposed to bridge-LAN), and added ether1-3 as ports of this interface. The bridge was set up with defaults, except with no protocol mode. Physically connecting ethernet1 to a network with internet access and a DHCP service, the router receives an IP address and can ping to the internet, and other appliances connected to 2 and 3 do so too.
But while my WAN port is a member of this bridge, it seems the NAT masquerading doesn’t work since any appliance in the LAN isn’t able to connect to the internet or other addresses in the WAN network.
First advice is… if you don’t have any urgent need to bridge WAN interfaces, I think they are better left in routing mode (easier to do NAT, firewalls etc.).
The second part is:
do you have any default route to the internet pointing to that bridged WAN gateway?
At least show us your drawing and config, so that forum members can help you.
I think the bridge NAT config and ip route print should be OK.
The requirements are poorly worded and a network diagram would go a long way to help provide context.
First, identify all the user(s)/device(s) and groups of users/devices.
Second, identify all the traffic needs of the above: what they need to be able to do.
DO NOT TALK about the config at all when identifying requirements, it's simply traffic flows.
From there a config design can be formulated… The network diagram gives us context, expected subnets and equipment being used.
Without showing the actual configuration you ended with we can only guess.
My guess: default config (firewall, NAT, …) relies on proper interface list membership … the essential being WAN interface list. For the innocent children, seeing “WAN” might seem some magic word, but it isn’t, it’s just a name. And interface list membership has to be manually updated. So guess: you did not add bridge-WAN interface to WAN list.
But again … just guessing.
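An added example, not from any poster in this thread: on RouterOS the firewall and NAT see traffic on the bridge, not on its member ports, so a list entry that still names a bridged port stops matching. The sketch below scans a constructed `/export`-style snippet (simplified: one `add` per line, no quoted values; not the original poster's configuration) for interface lists that name a bridge port but not its bridge; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the style of a RouterOS "/export"; not the poster's config.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge-LAN interface=ether4
add bridge=bridge-LAN interface=ether5
add bridge=bridge-WAN interface=ether1
add bridge=bridge-WAN interface=ether2
add bridge=bridge-WAN interface=ether3
/interface list member
add interface=bridge-LAN list=LAN
add interface=ether1 list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
"""

def parse_sections(export):
    """Map each menu path to a list of key=value dicts, one per 'add' line."""
    sections, current = defaultdict(list), None
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            sections[current].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return sections

def stale_list_members(export):
    """Return (list, port, bridge) where a list names a bridge port but not its bridge."""
    s = parse_sections(export)
    port_to_bridge = {p["interface"]: p["bridge"] for p in s["/interface bridge port"]}
    members = defaultdict(set)
    for m in s["/interface list member"]:
        members[m["list"]].add(m["interface"])
    findings = []
    for lst, ifaces in sorted(members.items()):
        for iface in sorted(ifaces):
            bridge = port_to_bridge.get(iface)
            if bridge and bridge not in ifaces:
                findings.append((lst, iface, bridge))
    return findings

if __name__ == "__main__":
    for lst, port, bridge in stale_list_members(SAMPLE_EXPORT):
        print(f"list {lst}: {port} is a port of {bridge}; add {bridge} to {lst}")
```

The same stale entry also affects any drop rule keyed on the WAN list, so it is worth checking the filter rules as well as the masquerade rule once the list is corrected.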
I have this issue as well and my need for the WAN-bridge is to eliminate a point of failure using a dedicated switch for DMZ functionality. This location is 6 treacherous hours from the nearest support technician and the property cannot tolerate an outage of any extended length.
Please note: sfp+1 is the primary uplink to carrier CPE and should be the masquerade interface (or IP) for all LAN vlan NAT outbound to the Internet.