RoLe77
just joined
Topic Author
Posts: 19
Joined: Tue Oct 16, 2018 4:43 pm

WAN NAT Bridge and VLAN yes/no

Tue Oct 16, 2018 4:59 pm

Hello

My home network is one BIG network and I need to separate it into three parts (sub-nets).
I think I need VLANs, but I am not 100% sure.
AND there are so many different locations to "define" VLAN IDs that I got really confused about which location to use.

Attached is a vague graphic (VLAN_V1.png).

I need:
WAN (Internet, with PPPoE)
LAN_123 (this is the "main network", NAT-Internet)
LAN_89 ("isolated" Network)
LAN_57 ("isolated" Network)

Only SOME computers from LAN_89 or LAN_57 should be able to talk to some computers on LAN_123 (IPv4).

Maybe someone can give me some hints on what I NEED and DON'T NEED... (bridges? how many? VLAN yes/no?)

I have a hEX PoE.


thank you
 
ashpri
Member Candidate
Posts: 154
Joined: Sun Oct 14, 2018 3:11 am

Re: WAN NAT Bridge and VLAN yes/no

Wed Oct 17, 2018 1:56 am

I don't know if this helps you. I am new to MikroTik. I got 5 VLANs (me (yes, I deserve my own VLAN), family, kids, office, guest) working over a root AP (hap-ac2) running CAPsMAN and one CAP (cap-ac).

I followed this guide (https://www.youtube.com/watch?v=1ZJ-pM89N7o) to set up VLANs and the DHCP server on the root AP. Note this is an older guide; I believe ROS did not have the bridge VLAN filtering feature when it was made. The bridge setup may not be as efficient as it could be with the new ROS version.

/interface bridge
add admin-mac=CC:2D:E0:C2:A5:1E auto-mac=no comment="Default Bridge" name=bridge1
add fast-forward=no name="bridge2 - Fam"
add fast-forward=no name="bridge3 - Guest"
add fast-forward=no name="bridge4 - Kids"
add fast-forward=no name="bridge5 - Office"
add fast-forward=no name="bridge6 - Staff"
"(note: I don't know what impact enabling or disabling fast-forward has, the guide did not enable it, so I did not)"

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
"(note: I am not sure whether I need use-ip-firewall-for-vlan, but I enabled it)"

/interface bridge port
add bridge=bridge1 comment="Default Config" interface=ether2-master
add bridge=bridge1 comment="Default Config" interface="wlan1 - 2.4g"
add bridge=bridge1 comment="Default Config" interface="wlan2 - 5g"
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge="bridge2 - Fam" interface="wlan4 - Family"
add bridge="bridge2 - Fam" interface="VL 202 Fam"
add bridge="bridge3 - Guest" interface="wlan3 - Guest"
add bridge="bridge3 - Guest" interface="VL 201 Guest"
add bridge="bridge4 - Kids" interface="wlan7 - Kids"
add bridge="bridge4 - Kids" interface="VL 203 Kids"
add bridge="bridge5 - Office" interface="wlan5 - Office"
add bridge="bridge5 - Office" interface="VL 204 Office"
add bridge="bridge6 - Staff" interface="wlan6 - Staff"
add bridge="bridge6 - Staff" interface="VL 205 Staff"

/interface vlan
add interface="wlan3 - Guest" name="VL 201 Guest" vlan-id=201
add interface="wlan4 - Family" name="VL 202 Fam" vlan-id=202
add interface="wlan7 - Kids" name="VL 203 Kids" vlan-id=203
add interface="wlan5 - Office" name="VL 204 Office" vlan-id=204
add interface="wlan6 - Staff" name="VL 205 Staff" vlan-id=205

/ip pool
add name="Pool - Default" ranges=192.168.88.100-192.168.88.199
add name="Pool - Guest" ranges=192.168.201.100-192.168.201.199
add name="Pool - Fam" ranges=192.168.202.100-192.168.202.199
add name="Pool - Kids" ranges=192.168.203.100-192.168.203.199
add name="Pool - Office" ranges=192.168.204.100-192.168.204.199
add name="Pool - Staff" ranges=192.168.205.100-192.168.205.199

/ip address
add address=192.168.88.1/24 comment="Default Config" interface=ether2-master network=192.168.88.0
add address=192.168.201.1/24 interface="bridge3 - Guest" network=192.168.201.0
add address=192.168.202.1/24 interface="bridge2 - Fam" network=192.168.202.0
add address=192.168.203.1/24 interface="bridge4 - Kids" network=192.168.203.0
add address=192.168.204.1/24 interface="bridge5 - Office" network=192.168.204.0
add address=192.168.205.1/24 interface="bridge6 - Staff" network=192.168.205.0

/ip dhcp-server
add address-pool="Pool - Default" disabled=no interface=bridge1 name="DHCP Server 1 - Default"
add address-pool="Pool - Fam" disabled=no interface="bridge2 - Fam" name="DHCP Server 2 - Fam"
add address-pool="Pool - Guest" disabled=no interface="bridge3 - Guest" name="DHCP Server 3 - Guest"
add address-pool="Pool - Kids" disabled=no interface="bridge4 - Kids" name="DHCP Server 4 - Kids"
add address-pool="Pool - Office" disabled=no interface="bridge5 - Office" name="DHCP Server 5 - Office"
add address-pool="Pool - Staff" disabled=no interface="bridge6 - Staff" name="DHCP Server 7 - Staff"

/ip dhcp-server network
add address=192.168.88.0/24 comment="Default Config" dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24
add address=192.168.201.0/24 dns-server=8.8.8.8 gateway=192.168.201.1 netmask=24
add address=192.168.202.0/24 dns-server=8.8.8.8 gateway=192.168.202.1 netmask=24
add address=192.168.203.0/24 dns-server=8.8.8.8 gateway=192.168.203.1 netmask=24
add address=192.168.204.0/24 dns-server=8.8.8.8 gateway=192.168.204.1 netmask=24
add address=192.168.205.0/24 dns-server=8.8.8.8 gateway=192.168.205.1 netmask=24

Then you need to set the firewall to segregate the VLANs and set the exceptions (i.e. printers are accessible from all VLANs).

I don't know yet the settings for how to trunk VLANs between MikroTik units with wired connections. My wireless CAPsMAN backbone between AP1 and AP2 seems to do it automatically.
 
RoLe77
just joined
Topic Author
Posts: 19
Joined: Tue Oct 16, 2018 4:43 pm

Re: WAN NAT Bridge and VLAN yes/no

Wed Oct 17, 2018 8:35 am

Yes, helps a lot..

Am I right that:
every bridge is a separate sub-net, and there is per default no communication possible between these sub-nets,

and the firewall makes the communication possible..

or is it the other way round:
the firewall blocks the communication (with "drop all" or something similar?)



and

"bridge vlan filtering"
this is my "main problem"..
I would prefer the "new/better method" but most info I find uses the "old method"

and for me as a newbie both "sound" the same (add "vlan to bridge" and "bridge vlan filtering"..)
but "bridge vlan filtering" is a "Layer 2 forwarding" feature (that confuses me, I don't know if the firewall rules are used on it..)
Some "guide" with an example (comparing the "old" and "new" method) would be very helpful.

I am still not sure if I need VLANs at all..
and

am I right that your "main network" has no VLAN ID?
 
ashpri
Member Candidate
Posts: 154
Joined: Sun Oct 14, 2018 3:11 am

Re: WAN NAT Bridge and VLAN yes/no

Wed Oct 17, 2018 1:10 pm

1. every bridge is a separate sub-net, and there is per default no communication possible between these sub-nets,
and the firewall makes the communication possible..
or is it the other way round:
the firewall blocks the communication (with "drop all" or something similar?)

2. "bridge vlan filtering"
this is my "main problem"..
I would prefer the "new/better method" but most info I find uses the "old method"

3. and for me as a newbie both "sound" the same (add "vlan to bridge" and "bridge vlan filtering"..)
but "bridge vlan filtering" is a "Layer 2 forwarding" feature (that confuses me, I don't know if the firewall rules are used on it..)
Some "guide" with an example (comparing the "old" and "new" method) would be very helpful.

1. I have that same question. If every VLAN is on a DIFFERENT bridge, how are they communicating at all? I don't understand this. It is not the firewall that is facilitating communication. Every VLAN by default can see WAN and each other. It is the FIREWALL RULE that blocks communication between VLANs. How does each VLAN see the others and see WAN when they are on different bridges? I don't know and will conduct some testing to understand this.

2. Same, most YouTube videos or guides I see use the old method. I just came across this https://wiki.mikrotik.com/wiki/Manual:C ... with_VLANs, but I haven't gone through it yet. Update: I can confirm, you should follow this guide, this has the new ROS settings with bridge VLAN filtering. I will be changing my VLAN settings to follow this guide.

3. I agree, some use-case examples of the old way vs the new way would be nice.

-----

These are my firewall rules:

[attachment: zzz.png]

The rules that block inter-VLAN routing are rules 7-14. Allows first, then drops. I disabled fasttrack to see what impact it makes (none so far, but my network load and internet bandwidth are limited).

-----

Network professionals may correct me if I am wrong here. I use VLANs because:
1. One VLAN (broadcast domain) can have multiple subnets. However a DHCP server in a broadcast domain cannot give out different subnet addresses to clients in that broadcast domain. Subnets after the first have to use static IPs.
2. If 2 different users are on different subnets in the same VLAN, one can manually change his IP and access the other subnet.
3. If they are on different VLANs, one can change his IP but cannot access the other subnet because the two LANs are on physically different switches (think of VLANs this way). Even if they are both on 192.168.10.x, they cannot see each other because they are on different switches.

The main network 88.x is on the native untagged VLAN 1. Managed switches that handle VLANs usually default to VLAN ID 1 for all ports in a flat setting (acting like a regular unmanaged switch).

Technically I think you can have one subnet with the DHCP server giving out addresses to clients in different VLANs. So IP 88.10 is in VLAN 1 (ether2), 88.11 is on VLAN 2 (ether3). I've never done it this way and I haven't come across anyone that has.
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: WAN NAT Bridge and VLAN yes/no

Wed Oct 17, 2018 7:44 pm

@ashpri ... part 1 (questions):

1. The router will forward IP traffic between (V)LANs on which it has an IP address defined. So if two (V)LANs need to communicate, there should be a router that has connectivity (physical and VLAN) to both subnets, and it needs an IP address defined in both subnets.
The firewall can limit some of this connectivity if so desired.

3. There are some examples in this forum, you need to search for them.


@ashpri ... part 2:
Logically, different VLANs are the same as different LANs ... only that they are sharing the same passive (and dumb active) network infrastructure. If you keep this in mind, the rest of the dilemmas are easy.

1. An (IP) subnet is layer 3, while the DHCP service is actually layer 2 (with some hooks to L3). Which means that there can only be one DHCP server in a single L2 broadcast domain (actually there can be many DHCP servers, but they need to cooperate for consistent address distribution to clients). However that DHCP server can serve different subnet addresses ... although this is not easily configurable for dynamic leases (and doesn't make much sense), it can be done for static leases (including default gateway, DNS server etc.).

2. Correct ... as long as the other subnet is sharing the same (V)LAN. So it doesn't make much sense to have more than one subnet in the same (V)LAN.

3. Correct

The last thought about a DHCP server giving addresses for different VLANs: if I understand it correctly it doesn't make sense. While multiple IP subnets can share the same L2 network, it can not be the opposite way. If, say, 192.168.88.10/24 and 192.168.88.11/24 are not in the same L2 network, then they will not be able to connect to each other (even though they would both be configured with correct gateway addresses), as the basic assumption is that devices within the same IP subnet can communicate with each other without using an (L3) gateway.
 
RoLe77
just joined
Topic Author
Posts: 19
Joined: Tue Oct 16, 2018 4:43 pm

Re: WAN NAT Bridge and VLAN yes/no

Wed Oct 17, 2018 9:05 pm

Do all examples here work with ONE bridge?

https://wiki.mikrotik.com/wiki/Manual:I ... s_Ports.29

Is there a simple "rule" for when more than one bridge is needed?
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: WAN NAT Bridge and VLAN yes/no

Wed Oct 17, 2018 10:38 pm

My guess is that with vlan-filtering it is possible to deal with all simple and most not-so-simple cases by using a single bridge. A possible exception to this rule would be a not-so-simple configuration on an RB with more than one switch chip, where using the appropriate number of bridges would allow HW offload.
 
ashpri
Member Candidate
Posts: 154
Joined: Sun Oct 14, 2018 3:11 am

Re: WAN NAT Bridge and VLAN yes/no

Thu Oct 18, 2018 4:21 am

Do all examples here work with ONE bridge?
https://wiki.mikrotik.com/wiki/Manual:I ... s_Ports.29
Is there a simple "rule" for when more than one bridge is needed?

Correct me if I am wrong, you shouldn't ever need more than one bridge (when it comes to setting up multiple VLANs) with ROS 6.4.1+. This is how other switches operate when it comes to the prevailing standards.

-----

I've converted my multiple-bridge setting (1 VLAN per bridge, plus the default bridge) to one bridge for all VLANs and the default LAN, with VLAN filtering.

My use case is CAPsMAN (with my CAP serving multiple VLANs: guest, kids, office, etc.) with the choice of "CAPsMAN forwarding" (all traffic flows through CAPsMAN), rather than "local forwarding" (local CAP traffic is routed and served locally at the CAP). I am still not 100% sure regarding CAPsMAN forwarding vs local forwarding and when I should choose which.

Port setting on my hap-ac2:
ether1 = wan
ether2-5 = native untagged vlan 1 (default lan)
trunk to cap(s)= wlan2-5g

Note on wlan2-5g interface:
1. It carries the default lan and vlans, just like a trunk between switches.
2. I am testing wireless trunking.

Experts, please correct me if parts of my code are in error.

/interface vlan
add interface=bridge1 name="VL 201 Guest" vlan-id=201
add interface=bridge1 name="VL 202 Fam" vlan-id=202
add interface=bridge1 name="VL 203 Kids" vlan-id=203
add interface=bridge1 name="VL 204 Office" vlan-id=204
add interface=bridge1 name="VL 205 Staff" vlan-id=205
"Pre-6.4.1 ROS: separate bridges per vlan"

/ip pool
add name="Pool - Default" ranges=192.168.88.100-192.168.88.199
add name="Pool - 201 Guest" ranges=192.168.201.100-192.168.201.199
add name="Pool - 202 Fam" ranges=192.168.202.100-192.168.202.199
add name="Pool - 203 Kids" ranges=192.168.203.100-192.168.203.199
add name="Pool - 204 Office" ranges=192.168.204.100-192.168.204.199
add name="Pool - 205 Staff" ranges=192.168.205.100-192.168.205.199

/ip dhcp-server
add address-pool="Pool - Default" disabled=no interface=bridge1 name="DHCP Server 1 - Default"
add address-pool="Pool - 202 Fam" disabled=no interface="VL 202 Fam" name="DHCP Server 2 - Fam"
add address-pool="Pool - 201 Guest" disabled=no interface="VL 201 Guest" name="DHCP Server 3 - Guest"
add address-pool="Pool - 203 Kids" disabled=no interface="VL 203 Kids" name="DHCP Server 4 - Kids"
add address-pool="Pool - 204 Office" disabled=no interface="VL 204 Office" name="DHCP Server 5 - Office"
add address-pool="Pool - 205 Staff" disabled=no interface="VL 205 Staff" name="DHCP Server 7 - Staff"
"Pre-6.4.1 ROS: Interface set to the different the vlan bridges"

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24
add address=192.168.201.0/24 gateway=192.168.201.1 netmask=24
add address=192.168.202.0/24 gateway=192.168.202.1 netmask=24
add address=192.168.203.0/24 gateway=192.168.203.1 netmask=24
add address=192.168.204.0/24 gateway=192.168.204.1 netmask=24
add address=192.168.205.0/24 gateway=192.168.205.1 netmask=24

/interface bridge
add admin-mac="your-device-mac" auto-mac=no name=bridge1 vlan-filtering=yes
"Pre-6.4.1 ROS: No bridge vlan filtering.
If using old method with new ROS, you do not need to enable bridge vlan filtering, as each vlan is on its own bridge.
Bridge vlan filtering is needed only when multiple vlans are assigned to the same bridge."

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface="wlan1 - 2.4g"
add bridge=bridge1 interface="wlan2 - 5g"
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
"Pre-6.4.1 ROS: separate bridges assigned to each vlan interface"

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
"Note: I don't know what use-ip-firewall-for-vlan does. Enabled it because it sounds like I should."

/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether3,ether4,ether5 vlan-ids=201,202,203,204,205
"This single line links everything together. Do or die. Make or break. Yeah baby or hasta la vista baby.
I tagged my ports wrong and locked myself out. I had to factory reset. Good thing I had backup."

Coming into MikroTik right now is harder than normal because when you need to set up VLANs, as in many best-practice setups, you have the old vs new (pre/post ROS 6.4.1) way of setting up your bridge. As a new user, many of the guides I see online/on YouTube use the old way and I had to work out myself whether and when I needed bridge VLAN filtering enabled.

To clarify once more for new users, you need bridge VLAN filtering when this is the condition (you have multiple VLANs tagged to one bridge):

[attachment: zz1.png]

I might make a new thread to be helpful to other newbies. Again, I am a new user (only a few days into MikroTik). Everything I say, experts please correct if I am mistaken.

----

I've just had an epiphany. As a new user, I had to fit the concept of MikroTik's "bridge" into my world view. I believe I have it. Think of a bridge as a managed switch. In my hap-ac2 with 5 ethernet ports I can have:

1. 5-port managed switch (ether1-5 = bridge1)
2. Wan-router and 4 port-switch (ether1 = wan, ether2-5 = bridge1)
3. A 2 and a 3 port switch (ether1,2,3 = bridge 1, ether 4,5 = bridge2)
4. 6-port managed switch where the 6th port is a wireless interface (eth1-5 & wlan1 = bridge1)
5. ...whatever combination you can imagine
 
RoLe77
just joined
Topic Author
Posts: 19
Joined: Tue Oct 16, 2018 4:43 pm

Re: WAN NAT Bridge and VLAN yes/no

Thu Oct 18, 2018 9:37 am

I think running a firewall and not understanding every line is not a good idea.
At the moment I'm still very confused..


My question about "are bridges linked together" seems to be answered here:
viewtopic.php?t=70256#p358426

I am still not sure if I need VLANs for my sub-networks.
I am still not sure if I need more than one bridge (because of DHCP server, clients..)


The main difference seems to be that every bridge gets its own MAC address (not sure when I need this).
 
tdw
Forum Guru
Posts: 1847
Joined: Sat May 05, 2018 11:55 am

Re: WAN NAT Bridge and VLAN yes/no

Thu Oct 18, 2018 5:23 pm

You only need VLANs if you wish to have multiple segregated layer 2 (ethernet) networks connected to a single port. In your case you have four distinct networks on four distinct ethernet ports, so your scenario is possible without VLANs.

ether2 - set IP address, create IP pool for DHCP, DHCP server & network for 192.168.123.0/24
ether3 - set IP address on the 192.168.89.0/24 network
ether4 - set IP address on the 192.168.57.0/24 network
ether5 - set IP address, create IP pool for DHCP, DHCP server & network for 192.168.100.0/24

ether3 & ether4 require static addresses on the 192.168.89.0/24 & 192.168.57.0/24 networks, so static routes added to the two 'DHCP-Server Routers' on those networks direct traffic for 192.168.123.0/24 to those addresses set on ether3 & ether4. If communications between the networks are always initiated from a device on the 192.168.123.0/24 network you could use NAT on the MikroTik instead of having to set up static routes.

Create firewall rules to block unwanted traffic in to and out of ether3 & ether4.
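A complete configuration for the four-port layout tdw describes, written as an added example for this thread; it is not tdw's or the original poster's config. Everything not stated in the thread is an assumption: ether1 carries the PPPoE session (credentials are placeholders), 192.168.89.254 and 192.168.57.254 are free addresses in the two isolated networks (their own DHCP-Server Routers keep their existing addresses), and the only hosts allowed across the boundary are 192.168.89.10 and 192.168.57.10 reaching 192.168.123.20. The forward chain accepts that one pair of address lists and drops every other path between the isolated ports and the rest of the router, and the input chain drops everything arriving from the PPPoE side so none of the router's own services (DNS, DHCP, Winbox) are reachable from the Internet.

```routeros
# Added example: hEX PoE with one L3 network per port and no bridge.
# Port roles, addresses and allowed host pairs below are assumptions.

/interface pppoe-client
add name=pppoe-out1 interface=ether1 user=PPPOE_USER password=PPPOE_PASS \
    add-default-route=yes use-peer-dns=yes disabled=no

/interface list
add name=WAN
add name=LAN
add name=ISOLATED
/interface list member
add list=WAN interface=pppoe-out1
add list=LAN interface=ether2
add list=LAN interface=ether5
add list=ISOLATED interface=ether3
add list=ISOLATED interface=ether4

# One /24 per physical port. Without a bridge each port is its own
# broadcast domain, so the DHCP servers in LAN_89 and LAN_57 never see
# each other or the router's own DHCP server.
/ip address
add address=192.168.123.1/24 interface=ether2
add address=192.168.89.254/24 interface=ether3
add address=192.168.57.254/24 interface=ether4
add address=192.168.100.1/24 interface=ether5

# Router-run DHCP only where the router is the gateway (ether2, ether5).
/ip pool
add name=pool-123 ranges=192.168.123.100-192.168.123.199
add name=pool-100 ranges=192.168.100.100-192.168.100.199
/ip dhcp-server
add name=dhcp-123 interface=ether2 address-pool=pool-123 disabled=no
add name=dhcp-100 interface=ether5 address-pool=pool-100 disabled=no
/ip dhcp-server network
add address=192.168.123.0/24 gateway=192.168.123.1 dns-server=192.168.123.1
add address=192.168.100.0/24 gateway=192.168.100.1 dns-server=192.168.100.1
/ip dns set allow-remote-requests=yes

# Hosts allowed to cross the isolation boundary (assumed addresses).
/ip firewall address-list
add list=isolated-allowed address=192.168.89.10
add list=isolated-allowed address=192.168.57.10
add list=main-reachable address=192.168.123.20

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

/ip firewall filter
# Router's own services: never reachable from the PPPoE side.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=WAN action=drop
# Forwarded traffic.
add chain=forward connection-state=established,related action=fasttrack-connection
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# The only permitted path from the isolated networks into LAN_123.
add chain=forward in-interface-list=ISOLATED src-address-list=isolated-allowed \
    dst-address-list=main-reachable action=accept
# Everything else between the isolated ports and the other LANs is dropped.
# Rule order matters: the accept above must stay ahead of these drops.
add chain=forward in-interface-list=ISOLATED out-interface-list=LAN action=drop
add chain=forward in-interface-list=ISOLATED out-interface-list=ISOLATED action=drop
add chain=forward in-interface-list=LAN out-interface-list=ISOLATED action=drop
# No unsolicited inbound connections from the Internet.
add chain=forward in-interface-list=WAN connection-nat-state=!dstnat action=drop
```

Devices in LAN_89 and LAN_57 still need a route for 192.168.123.0/24 pointing at 192.168.89.254 or 192.168.57.254 (on their own router, or only on the two allowed hosts); otherwise their packets go to their default gateway and never reach the hEX. To verify the policy, run `/ip firewall filter print stats` while the allowed host pings 192.168.123.20 and a host not on the list tries the same: only the accept rule's counters should grow for the first, only the ISOLATED-to-LAN drop rule's for the second.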
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: WAN NAT Bridge and VLAN yes/no

Thu Oct 18, 2018 7:59 pm

The bridge in ROS has two personalities. The first one is, as @ashpri nicely described, a managed switch (but unlike a "normal" switch, bridge ports can be other than ethernet ports).

The second personality is a network device (similar to ethernet ports, wlan devices, LTE devices, VLAN interfaces, ...). This interface can take an L3 address (IP address) and can support L2 and L3 services (DHCP, DNS, ...), but for that it needs a MAC address. MAC addresses in a single L2 broadcast domain (single LAN subnet) have to be unique. It is quite a clever idea to grab the MAC address of one of the member ports, as it should not happen that a packet would exit the bridge through one port and return through another port (many protocols are designed to deal with such loops). But it doesn't need to be this way, the bridge MAC can be just any MAC address which otherwise will not be used in the same LAN. A random MAC would do in 99.999% of cases, but it's awkward if a device's MAC address changes after every reboot while it is supposed to take a static DHCP lease. So it's fine to reuse a MAC address which for sure won't be used by other devices (such as that of a bridge member port).

And to @RoLe77's dilemma: think of the routerboard as two distinct boxes: a router and a firewall.
Traditionally routers were devices with many interfaces and would forward traffic between all configured interfaces according to routing rules (which were essentially: which interface should transmit this packet?), and dropping a packet was not desired.
Traditionally firewalls were devices with two interfaces and would take a packet from one interface and transmit it through the other interface ... if they didn't decide to drop the packet. They never decided about which interface to use for transmitting the packet, it was always "the other one".

With ROS devices, both functions are merged into one package. The package contains one logical router with many interfaces and (logically again) a number of firewalls, which logically reside between each pair of L3 interfaces. An L3 interface is one with an L3 (IP) address.
The router in ROS will try to send every packet to the appropriate interface, thus connecting any LANs and WANs with each other. The firewall, if set up, will limit that to only the traffic allowed. FW configuration in ROS can very much hide this plurality, especially when using interface lists.
 
RoLe77
just joined
Topic Author
Posts: 19
Joined: Tue Oct 16, 2018 4:43 pm

Re: WAN NAT Bridge and VLAN yes/no

Thu Oct 18, 2018 9:55 pm

Yes, as I found out that "a bridge is also a network device" I thought, why did they do this? Why not add something like "a virtual default interface"...

For me most things are now much clearer..

except one thing: as you can see in the graphic in post #1, there are DHCP servers on 192.168.57.x and 192.168.89.x.
This is some Layer 2 thing, so I am worried that they are not separate from each other (and the 192.168.123.x network)
if I "bridge all things together".

So ether3 and ether4 are not on the bridge (is this enough?)

Sorry for asking, this is my last question, I will try this all out over the weekend...
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: WAN NAT Bridge and VLAN yes/no

Thu Oct 18, 2018 10:51 pm

As @tdw already wrote, for your particular case a bridge is not needed at all, as every router port is a member of a different L3 network, and even if connectivity between those subnets is needed, it must be achieved by routing, not switching (remember, a bridge is a kind of switch). So as not to suffer some unexpected phenomenon later, it's handy to have those subnets separated on L2 as well (one good reason is that this allows better control over DHCP leases).

If the example were slightly different, e.g. using two ether ports per subnet, then one possibility would be to use a single bridge and achieve L2 separation by using VLANs internally - in the sense that all ports are configured as access ports for the appropriate VLAN, with bridge vlan-filtering set to yes. IP addresses would be assigned to the appropriate VLAN interfaces (while in your example without a bridge the IP addresses should be assigned to the appropriate ether interfaces).
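The single-bridge variant mkx sketches here, and the `/interface bridge vlan` table ashpri calls the "do or die" line earlier in the thread, as an added example that is not part of either post. Bridge vlan-filtering is the feature RouterOS introduced in 6.41. Assumed port roles, chosen for this example only: ether2 and ether3 are access ports for VLAN 123 (LAN_123), ether4 is an access port for VLAN 89, and ether5 is a trunk to a downstream managed switch that carries VLANs 89 and 57 tagged. Each access port is untagged in exactly one VLAN and refuses tagged frames, the trunk refuses untagged frames, and filtering is switched on only after the table is complete, which is what prevents the lock-out ashpri ran into.

```routeros
# Added example: one bridge, three VLANs, L2 separation by vlan-filtering.
# Port roles and VLAN IDs are assumptions made for this example.

# Create the bridge with filtering OFF; it is switched on as the last step.
/interface bridge
add name=bridge1 vlan-filtering=no

# Access ports: untagged frames enter the pvid VLAN, tagged frames are refused.
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=123 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=123 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether4 pvid=89 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Trunk to a downstream managed switch: tagged frames only, and only the
# VLAN IDs that list ether5 in the table below.
add bridge=bridge1 interface=ether5 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes

# The VLAN table. "tagged=bridge1" lets the router's own VLAN interfaces
# (the L3 side) reach each VLAN; an access port appears as untagged in
# exactly one VLAN, never in several.
/interface bridge vlan
add bridge=bridge1 vlan-ids=123 tagged=bridge1 untagged=ether2,ether3
add bridge=bridge1 vlan-ids=89 tagged=bridge1,ether5 untagged=ether4
add bridge=bridge1 vlan-ids=57 tagged=bridge1,ether5

# L3 lives on the VLAN interfaces, not on the bridge or on the ether ports.
/interface vlan
add name=vlan123 interface=bridge1 vlan-id=123
add name=vlan89 interface=bridge1 vlan-id=89
add name=vlan57 interface=bridge1 vlan-id=57
/ip address
add address=192.168.123.1/24 interface=vlan123
add address=192.168.89.254/24 interface=vlan89
add address=192.168.57.254/24 interface=vlan57

# Firewall interface lists refer to the VLAN interfaces, so forward-chain
# rules written for a no-bridge, one-network-per-port layout apply unchanged.
/interface list
add name=LAN
add name=ISOLATED
/interface list member
add list=LAN interface=vlan123
add list=ISOLATED interface=vlan89
add list=ISOLATED interface=vlan57

# Last step: enable filtering. Do this from a console session in Safe Mode
# (Ctrl-X) so a mistake in the table above is rolled back automatically
# if the session drops.
/interface bridge set bridge1 vlan-filtering=yes
```

DHCP servers, where wanted, are attached to vlan123 / vlan89 / vlan57 rather than to the bridge. Before enabling filtering, `/interface bridge vlan print` shows a `current-tagged` / `current-untagged` column for every entry; if the port you are managing the router through is not listed there (untagged for an access port, or tagged for a trunk) in a VLAN whose interface carries an IP address, enabling filtering will cut that session.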
 
RoLe77
just joined
Topic Author
Posts: 19
Joined: Tue Oct 16, 2018 4:43 pm

Re: WAN NAT Bridge and VLAN yes/no

Fri Oct 19, 2018 12:22 pm

> be slightly different by e.g. using two ether ports per subnet,

so this "small change" has a huge consequence for how to configure the router..

As I am now testing some configurations, is there an easy way to test "L2 separation"? (with "L2 separation" I mean separated "broadcast domains"?!)

Am I right that
ether3 and ether4 are "L2 separated" in config1 and config2, but not in config3 (even if I use different bridges)?

config1:
ether1
ether2
ether3
ether4

config2:
bridge: with ports ether1, ether2
ether3
ether4

config3:*
bridge: with ports ether1, ether2
bridgeA: with port ether3
bridgeB: with port ether4


* in config3, all bridges get the same MAC, that makes me a little bit "nervous"
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: WAN NAT Bridge and VLAN yes/no

Fri Oct 19, 2018 2:39 pm

ether3 and ether4 should be L2 separated in all 3 examples. The only ports not L2 separated are ether1 and ether2 in examples 2 and 3.

As to the bridges' MAC addresses: as said, it doesn't matter as long as the networks with those bridges are L2 separated. It would become a problem if you connected ether2 and ether3 with a UTP cable in your example 3. But to be on the safe side, you can manually set the bridge MAC addresses to different values. To avoid randomly selecting the same values you can take as a base the highest MAC address on your RB (it'll probably be on the last wifi or on the last ether port, depending on the RB port configuration) and increment it by one for each bridge.
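RoLe77's config3 with the distinct, stable bridge MACs mkx suggests, plus the checks that answer the "is there an easy way to test L2 separation" question, as an added example that is not part of either post. The three MAC values are placeholders standing in for "highest port MAC on the board + 1, + 2, + 3"; read the real ones with `/interface ethernet print` and `/interface wireless print` before picking.

```routeros
# Added example: config3 (three separate bridges) with assigned bridge MACs
# and three ways to confirm ether3 and ether4 are in different L2 domains.
# The MAC values are placeholders, not taken from any real board.

/interface bridge
add name=bridge auto-mac=no admin-mac=02:00:00:00:00:11
add name=bridgeA auto-mac=no admin-mac=02:00:00:00:00:12
add name=bridgeB auto-mac=no admin-mac=02:00:00:00:00:13
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridgeA interface=ether3
add bridge=bridgeB interface=ether4

# Check 1: each bridge learns only the MACs behind its own ports. A host
# plugged into ether4 must never be listed under bridgeA, and vice versa.
/interface bridge host print where bridge=bridgeA
/interface bridge host print where bridge=bridgeB

# Check 2: capture on ether3 for ten seconds while a host on ether4 sends
# broadcasts (unplug and replug it, or renew its DHCP lease, to force ARP
# and DHCP discover frames). In a separated domain no frame from that host's
# MAC appears; if any do, the two ports share L2 and the separation is gone.
/tool sniffer quick interface=ether3 duration=10

# Check 3: the ARP table names the interface each neighbour was learned on,
# so an address from the 89.x network showing up on bridgeB stands out here.
/ip arp print
```

The same three checks apply unchanged to a vlan-filtering bridge: `/interface bridge host print` then also shows the VLAN ID each MAC was learned in, and the sniffer run on one access port must show nothing from a host on an access port of another VLAN.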
