I have a configuration in which I'm sharing my internet connection with a few others who are remote using STX links.

My topology is as follows:

RB2011UAS --Ethernet-- STX1 Client Mode --Nstream Wireless-- STX2 AP Mode --Nstream Wireless-- STX3 Client Mode

I have remote clients connected to both STX2 and STX3 using switches connected to the Ethernet ports of both STX2 and STX3. I'm using Nstream between the STX Radios in bridge mode. The RB2011UAS has the DHCP server on 192.168.89.x which provides the network access for the remote clients. The separate 192.168.88.x network is used for local clients on the RB2011UAS and the firewall does not allow traffic originating on the 89 subnet to terminate on the 88 subnet.

All this works as desired.

It turns out that the client location for STX3 is high on a hill and I want to install a HDHomeRun TV tuner at that location to bring broadcast TV back to the RB2011UAS 88.x LAN but wish to have the HDHomeRun tuner on the 88 subnet.

Question: If I place a RB750 (or a WRT54GS running DD-WRT) at the STX3 location, can I successfully configure this network to add a VLAN to the network so that the 89.x network continues to work as it does now (untagged LAN for clients at both STX2 and STX3) while transporting a VLAN over the Nstream links to the RB750 (or WRT54GS running DD-WRT) so that it can be broken out and connected to the HDHomeRun TV tuner?

If so, is there a pointer to how to configure the RB2011UAS and RB750 for a port that has both native LAN traffic and VLAN traffic?

Thanks.

Question: If I place a RB750 (or a WRT54GS running DD-WRT) at the STX3 location, can I successfully configure this network to add a VLAN to the network so that the 89.x network continues to work as it does now (untagged LAN for clients at both STX2 and STX3) while transporting a VLAN over the Nstream links to the RB750 (or WRT54GS running DD-WRT) so that it can be broken out and connected to the HDHomeRun TV tuner?

If so, is there a pointer to how to configure the RB2011UAS and RB750 for a port that has both native LAN traffic and VLAN traffic?

I think the way of least resistance would be to leave your current setup as-is, insert an RB750 at the remote site as suggested above and create a EoIP tunnel between the remote RB750 and the locally kept RB2011. On the RB750 create a bridge and assign the EoIP interface as a slave/port. On the RB2011 assign the EoIP interface to the bridge-local bridge. That bridge is part of the default configuration which I assume is partially still in place.

jayd2k: Thanks for the suggestion. I'll try it. (Nice diagram, by the way. Exactly correct.)

jayd2k: Thanks for the suggestion. I'll try it. (Nice diagram, by the way. Exactly correct.)

Thinking about it, you're currently operating multiple ip subnets on top of the same broadcast domain.

Without having a transparent firewall in-place everyone may just switch to 192.168.88.0/24 by changing his ip address.

IMHO implementing dynamic routing (e.g. via OSPF) and assign dedicated subnets would be the cleanest way (also in terms of firewalling).

If that isn't what you want then you should at least consider placing a router at STX2 as well and configure transparent firewalling on all routers to prevent subnet hopping.

Transparent firewalls eliminate the need for an EoIP tunnel and furthermore allow for filtering ethernet broadcasts as well.

It is actually a bit different than I described. Right now I'm using the 88.x subnet on the wireless link only because the HDHomeRun is something I need on my local 88.x LAN broadcast domain. I also provide internet to those remote sites, right now on 88.x, but I'd prefer to put them on my "guest" lan of 89.x, while keeping the HDHomeRun on my 88.x broadcast domain.

I'm not worried about an intentionally malicious user at the remote sites, but would still like to not have them on my local LAN.

It is actually a bit different than I described. Right now I'm using the 88.x subnet on the wireless link only because the HDHomeRun is something I need on my local 88.x LAN broadcast domain. I also provide internet to those remote sites, right now on 88.x, but I'd prefer to put them on my "guest" lan of 89.x, while keeping the HDHomeRun on my 88.x broadcast domain.

I'm not worried about an intentionally malicious user at the remote sites, but would still like to not have them on my local LAN.

The safest but also most reliable way would be to put up dynamic routing + ip filtering.

You could still use an EoIP tunnel between RB2011 and RB750 (at STX3) as described earlier.

Actually, I think that the EOIP tunnel needs to go from the RB2011 to the RB750, not the STX3. Thanks again for the advice.