WAN Interface configured on VLAN on ethernet port connected to LAN

Howdy Smart People,

Please don’t throw stones, it’s rude and I bruise easily.

Standard wisdom dictates: WAN interface on a separate hardware port from the LAN interface (right?)

Were a dummy (like the author of this post) to create a VLAN for the WAN interface on the same hardware port as the LAN interface (LAN either being in its own VLAN or on the base Ethernet port), and then to configure WAN with IP information from the ISP, with the appropriate default Tik config to establish and define the WAN / LAN interface lists and default drop when !LAN on the firewall, including MASQ SRCNAT for outgoing traffic …

Would this be dangerous?

NMAP shows similar output when run against the WAN on a dedicated Ethernet port as it does when run against the WAN with the VLAN config on, but then again, I’m not claiming to be an expert, including at using NMAP.

Are there any security concerns I am not aware of that I should be aware of in this config?

Thank you in advance.

Draw a diagram to envisage the network you are speaking of: which devices, how they are connected, and which VLANs travel through which ports.

As long as the WAN is on a separate VLAN from the rest of the LAN (not only on the router, but also on the VLAN-aware switch that the port is connected to), there are no problems with what you described. It’s common for router-on-a-stick configurations.
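A minimal RouterOS configuration for the layout this reply describes: WAN tagged as a VLAN on the same router port that carries the LAN, with the VLAN-aware switch keeping the WAN VLAN off every LAN port. This is an added example, not the poster's configuration; the interface names, VLAN IDs and the 203.0.113.0/30 and 192.168.10.0/24 addresses are assumptions, and the switch is assumed to also run RouterOS.

```routeros
# ===== Router: ether1 carries LAN untagged and WAN tagged as VLAN 100 =====
# ether1 is used directly here, not as a bridge port. A VLAN interface on a port
# that is also a bridge port leaks tagged WAN frames into the LAN bridge unless
# bridge VLAN filtering is configured, so keep the two cleanly separated.
/interface vlan add name=vlan100-wan vlan-id=100 interface=ether1

/interface list add name=WAN
/interface list add name=LAN
/interface list member add list=WAN interface=vlan100-wan
/interface list member add list=LAN interface=ether1

# Assumed addressing (documentation ranges; replace with the ISP-supplied values)
/ip address add address=203.0.113.2/30 interface=vlan100-wan
/ip address add address=192.168.10.1/24 interface=ether1
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1

# Same protection as the default config: drop anything to the router that is not
# from LAN, and drop new inbound forward traffic from WAN that was not DST-NATed.
/ip firewall filter add chain=input action=accept connection-state=established,related,untracked
/ip firewall filter add chain=input action=drop connection-state=invalid
/ip firewall filter add chain=input action=drop in-interface-list=!LAN
/ip firewall filter add chain=forward action=accept connection-state=established,related,untracked
/ip firewall filter add chain=forward action=drop connection-state=invalid
/ip firewall filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade

# ===== Switch between router and ISP handoff (assumed RouterOS, bridge VLAN filtering) =====
# ether1 = trunk to the router, ether2 = ISP handoff, ether3 = a LAN access port.
# VLAN 100 exists only on the router trunk (tagged) and the ISP port (untagged);
# it is never a member of a LAN port, so WAN frames cannot reach LAN hosts.
/interface bridge add name=bridge vlan-filtering=no
/interface bridge port add bridge=bridge interface=ether1 pvid=1
/interface bridge port add bridge=bridge interface=ether2 pvid=100 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge port add bridge=bridge interface=ether3 pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan add bridge=bridge vlan-ids=100 tagged=ether1 untagged=ether2
/interface bridge set bridge vlan-filtering=yes

# Verify that VLAN 100 is only on ether1 (tagged) and ether2 (untagged) after enabling filtering
/interface bridge vlan print
```

Enable `vlan-filtering=yes` last, after the bridge VLAN table is in place, so the router trunk is never cut off mid-configuration.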

I knew you were going to say that. Diagram coming up.

Awesome, thanks.

I’ll post the diagram shortly.

[Attached diagram: 2025-02-13 - WhatTheFudgeBro.JPG]
Nasty, isn’t it?

So …

Tik A - Everything works, VLANs, Supernet, Failover, etc … I’m not worried (more so than usual)
Tik B - Everything works, VLANs, Supernet, Failover, etc … but I’m concerned there may be an unknown unknown at play.

ISP 2 should have been installed in the same premises as Tik B, but as a result of Murphy … ISP 2 arrived before ISP 1 and it hasn’t been moved (yet). Recently, though, the need has arisen to have Tik A (and its associated VLANs and clients) talk to the internet on an IP distinct from Tik B (and its associated VLANs and clients) for both the connections to ISP 1 and ISP 2.

EDIT : … and also for purposes of separating incoming connections for WireGuard to have each of Tik A and Tik B have their own configurations.

So are you saying you have two routers in one location??
What is the purpose of the second router at all??
Which router gets which ISP?

2 Routers, Yes.

Context :

2 Primary Companies, several smaller companies (same group) on 2 sides of a street, ~10 Buildings, ~16 Switches, ~18 APs, redundant Fiber Optic and PTP Microwave backhaul for LAN with a fat stack of Wired & Wireless Clients on it (Industrial Laser Cutting Machines, Time & Attendance, Access Control, IoT, Camera and NVR Equipment, Security & Alarm Systems linked to Cloud, you name it, it is there, plus On-Prem Servers, Backup, etc.)
Previously both Companies were using (poop) LTE connectivity at both sides, Tik A and Tik B.
We joined the primary networks (which had been set up as exact duplicates of each other, down to the static IPs, I kid you not) and everything in between.
We sourced in FTTB (Tik A) and Microwave (Tik B) and then Microwave arrived before FTTB by 12 months and was installed at Tik A (better power redundancy at the time)
FTTB and Microwave are currently connected to Tik A with all traffic for the entire campus going out from Tik A.
Microwave will be moved to Tik B in the next few months subject to viability testing.
Then I need to get VRRP up.

My duties :

As mentioned, everything works and has worked leading up to now, but now there is a fresh requirement to get Tik A doing traffic for Primary Company 1 and Tik B for Primary Company 2 using both the FTTB and Microwave (installed at Tik A) with failover for both Companies, as the area is a technologist’s nightmare (FTTB will die on, say, a Monday morning mid production run, and then Microwave will die the next day over lunch, depending on Murphy’s sense of humour).

I know, it’s a lot, but you asked.

The diagram and context are actually needed to start making an assessment of a configuration that makes sense.

To be frank, it’s way beyond my imagination or skill set.
I would attempt to split and simplify.
It’s not even clear to me how the two routers are connected (is there a fiber cable under the road, etc.).
Why would you want them connected anyway if it’s two different companies and two different needs?