
I have two WANs with working PCC load balancing. I wanted to change the configuration so that with only one ethernet cable and a managed switch I can separately transport both WAN2 and use the remaining switch ports as LAN. Can you recommend a guide or some basic information?
- if ether10 of the 3011 is a member port of a bridge, hook an /interface vlan with vlan-id=100 to that bridge, otherwise add it directly to ether10. Let’s name it wan2-100 for simplicity.
- move all the IP address configuration from the current etherX acting as WAN2 to wan2-100 you’ve added above. Also modify all firewall rules that refer to etherX as in-interface or out-interface to refer to wan2-100. If etherX is the interface on any /interface list member rows, change all these rows to read interface=wan2-100 as well.
- on the Netgear, permit tagged VLAN 100 on ether1, and make ether5 an access port to VLAN 100.
- finally, move the cable from etherX of the 3011 previously acting as WAN2 to ether5 of the Netgear.
hi sindy, thanks for your reply;
the eth10 port is now working as a load balancing wan2,
when I go to hook the vlan100, will I have to assign the created VLAN a static IP of the same class that I have now on WAN2?
In the netgear switch will the untagged ports be connected to the LAN bridge?
Tonight after a backup, I will start to do some tests.
If the ether10 itself currently acts as WAN2, do you want ether2..ether4 of the netgear to extend some existing LAN bridge of the 3011? Or will it be a separate LAN segment? The necessary changes on the 3011 depend on the answer.
I would like the netgear to have 3 ports connected to the 3011 LAN bridge.
post your config
/export hide-sensitive file=anynameyouwish
OK. So let’s assume you’ve started from a default configuration, where ether2..ether10 were member ports of a bridge named bridge, and you’ve just removed ether10 from that bridge and used it as WAN2.
So as I wrote above
# create the tagged WAN2 interface on top of the LAN bridge
/interface vlan add name=wan2-100 interface=bridge vlan-id=100
# move the L3 configuration from ether10 to wan2-100
/ip address set [find interface=ether10] interface=wan2-100
/ip route rule set [find interface=ether10] interface=wan2-100
/ip dhcp-client set [find interface=ether10] interface=wan2-100
/interface pppoe-client set [find interface=ether10] interface=wan2-100
/interface list member set [find interface=ether10] interface=wan2-100
# repoint every firewall row that matches ether10 exactly (not ether1, not ether10-xxx)
/ip firewall raw set [find in-interface~"^ether10$"] in-interface=wan2-100
/ip firewall raw set [find out-interface~"^ether10$"] out-interface=wan2-100
/ip firewall mangle set [find in-interface~"^ether10$"] in-interface=wan2-100
/ip firewall mangle set [find out-interface~"^ether10$"] out-interface=wan2-100
/ip firewall filter set [find in-interface~"^ether10$"] in-interface=wan2-100
/ip firewall filter set [find out-interface~"^ether10$"] out-interface=wan2-100
/ip firewall nat set [find in-interface~"^ether10$"] in-interface=wan2-100
/ip firewall nat set [find out-interface~"^ether10$"] out-interface=wan2-100
# finally put ether10 back into the LAN bridge so it carries LAN untagged and WAN2 tagged
/interface bridge port add bridge=bridge interface=ether10
After this, the tagless frames of the LAN bridge will pass tagless through ether2..ether10, and frames tagged with VID 100 will pass tagged through all of these ports. If you insist that tagged frames must not egress from ether2..ether9, you have to first define /interface bridge vlan add vlan-ids=100 bridge=bridge tagged=bridge,ether10 and then allow VLAN filtering on the bridge using /interface bridge set bridge vlan-filtering=yes, but doing so disables switch chip forwarding on the 3011 so think twice whether you really need it. I’m almost sure that on a 3011 in particular, you can accomplish this using the VLAN configuration of the switch chips instead, but that’s a separate can of worms.
On the Netgear, ether2..ether4 must be access ports to VLAN 1 (the default setting), ether5 must be set as an access port to VLAN 100, and ether1 must be a hybrid port where VLAN 1 is untagged and VLAN 100 is tagged.
So go to the Advanced VLAN settings and add VLAN 100; then go to VLAN membership, choose VLAN 1 and remove port 05 from it; then choose VLAN 100, choose port 05 and add it as untagged, then choose port 01 and add it as tagged. Last, in Port PVID configuration, set the PVID of 05 to 100 (untagging on egress and tagging on ingress are configured separately on this device).
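Repointing every row that referenced ether10 is the step that is easiest to get wrong: a missed mangle rule breaks PCC and a missed filter rule leaves the new WAN2 interface without the protection the old one had. As an added example that is not from this thread, the Python helper below applies the exact-match idea of the script above (the `~"^ether10$"` pattern) to a saved `/export` file and reports any row that still names the old port, such as an un-renamed `ether10-WAN2`; the export fragment it runs on is constructed, not the poster's file.

```python
import re

# Attribute keys whose value names an interface in a RouterOS /export.
IFACE_KEYS = "interface|in-interface|out-interface"

# Sections whose rows the thread says must be repointed from ether10 to wan2-100.
SECTIONS = ("/ip address", "/ip route rule", "/ip dhcp-client",
            "/interface pppoe-client", "/interface list member",
            "/ip firewall raw", "/ip firewall mangle",
            "/ip firewall filter", "/ip firewall nat")

def repoint_export(export: str, old: str, new: str):
    """Return (rewritten export, leftover lines). Only a value that is exactly
    `old` is rewritten, so ether1 is never touched, and a value such as
    ether10-WAN2 is reported instead of being silently skipped."""
    exact = re.compile(rf"(?<![\w-])({IFACE_KEYS})={re.escape(old)}(?=\s|$)")
    loose = re.compile(rf"(?<![\w-])({IFACE_KEYS})={re.escape(old)}\S*")
    out, leftovers, section = [], [], None
    for line in export.splitlines():
        if line.startswith("/"):
            section = line.strip()          # a new export section starts
        elif section in SECTIONS:
            line = exact.sub(lambda m: f"{m.group(1)}={new}", line)
            if loose.search(line):          # still points at the old port
                leftovers.append(f"{section}: {line.strip()}")
        out.append(line)
    return "\n".join(out), leftovers

# Constructed fragment in the shape of /export output (not the poster's file).
SAMPLE_EXPORT = """\
/ip address
add address=192.168.9.2/24 interface=ether10 network=192.168.9.0
add address=10.0.0.1/24 interface=bridge network=10.0.0.0
/interface list member
add interface=ether10-WAN2 list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=ether10 \\
    new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting in-interface=ether1 \\
    new-connection-mark=WAN1_conn passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether10
"""

if __name__ == "__main__":
    text, left = repoint_export(SAMPLE_EXPORT, "ether10", "wan2-100")
    print(text)
    print("still referencing the old port:", left)
```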
@anav
here is my configuration
testvlan.txt (15.1 KB)
@sindy
I wasn’t able to do much this morning especially with the vlan on the switch, I’ll try again with the directions you wrote above
So before copy-pasting my script above, rename ether10-WAN2 to ether10.
Then copy-paste that script except the last row.
Instead of the last row, use /interface bridge port enable [find interface=ether10].
@sindy
the IP provided by the LTE router to the WAN2 of the 3011 is dynamic; when I connect it to eth5 of the Netgear, will it be maintained even when passing as VLAN 100?
Yes, if everything else works properly, there will be no problem. However, the configuration you’ve posted shows that a static address is assigned to WAN2:
/ip address
…
add address=192.168.9.2/24 interface=ether10-WAN2 network=192.168.9.0
So what have I missed?
Also, take care about changing the autoenableWAN2 script. But if this script is needed to force the LTE device to behave properly, it won’t fulfil this purpose any more as the ether5 of the Netgear will stay physically up even if you disable the wan2-100 interface on the 3011.
you’re right, I’m the one who got lost
I am confused on the purpose of the bridge networks (which seems to provide DHCP for all the RB3011 ports) and then there is vlan10.
Probably fine, except I would do it differently
Vlan10 as defined to the bridge and vlan20 also defined to the bridge, to cover off what is going to the bridge ports which is still not clear…
For both vlans define address, dhcp server, dhcp server network and pools, in this way the bridge does nothing but bridging (clean)
such that etherport1 on the switch, a trunk port, carries vlan10?, vlan20 and vlan100 to the RB3011 from the netgear switch.
vlan100 is attached to port5 as untagged on the switch pvid 100 assigned to eth5
vlan 20 is untagged for ports 2,3,4 they need pvid 20 assigned.
the only port with the default of pvid=1 on the netgear switch will be the trunk port (eth1).
This works well on all my switches, netgear, tplink, dlink etc…
In any case once the vlan10 and rest of network the bridge currently dishes out is understood it will fall out naturally.
The other reason I suggest this is that most brands of vlan devices don’t encompass the bridge concept and thus mirroring the standard vlan setup is easier to do when using them in the mix.
@anav
the vlan10 that you see in my configuration is used to reach the management interface of the two Ubiquiti access points that I have, and should keep data traffic separate from the management traffic. I do not know if it is set correctly, because from each Android wifi client I can reach the configuration screen of the access points, and this should not happen without enabling the vlan on the Android devices.
It’s a misunderstanding. The fact that the subnet 172.16.10.0/24 lives in a dedicated VLAN does not mean that devices in other subnets cannot reach devices in 172.16.10.0/24, as the very purpose of a router is to forward traffic among subnets. To selectively prevent forwarding of some traffic types, you have to use firewall rules.
Other than that, you’ve posted the configuration of the GS105E without any question or statement. The configuration is correct (except that if you want to connect one of the Ubiquiti devices to it, you have to add VLAN 10 as well), but what was the purpose of posting it?
As Sindy writes, you need to complete your network diagram to understand what you are doing.
Where are the Ubiquiti access points, what else is attached to ports 3,4,5?
I understand what you are doing a bit better now with vlan10 being the management vlan.
The netgear switch itself should have an IP address on the vlan10 network.
The Ubiquiti access points are odd ducks from what I gather, depending upon model, they require a hybrid port,
the management traffic untagged and the rest of the vlans tagged.
If this is the case then the switch will have to be set up appropriately and I am not familiar with hybrid on netgear but will research.
However I suspect that if the Ubiquiti expects untagged traffic and tagged vlans to arrive at its door, then you will set pvid of port to 10 and then also tag the port for vlans 20,100 for the wlans associated.
Also can you confirm what is attached to the RB ports and more specifically any access points that can read vlan tags, any other managed switches or all DUMB devices that cannot read vlan tags??
@sindy
The purpose of publishing it is to get your feedback on whether I have configured the switch correctly. It was just the configuration of the switch that was not working, I will try again tonight. I am now testing the switch with the image configuration and I can reach vlan10 anyway.
@anav
On the 3011 ports 2 to 9 are connected 2 access points, a mini server for home automation and client computers. Client computers are connected to the netgear switch on ports 2,3,4.
Again… when something is connected to port 02 of Netgear, it gets an IP address from 10.0.0.0/24 because that port is an access one to VLAN 1 which is tagless at port 01 of the GS105E and at ether2..ether10 of the 3011. When it attempts to establish a connection to an address in 172.16.10.0/24, it finds out that the destination is not in the same subnet, so it determines the MAC address of the gateway (10.0.0.1) and sends the packet to it. And the router receives this packet and forwards it to 172.16.10.x, sending it from its VLAN 10 interface.
To prevent this, add another rule to the end of chain forward of your firewall filter:
/ip firewall filter add chain=forward in-interface=bridge out-interface=vlan10 action=drop