So, I have a dilemma. I'd like to move by main firewall to a separate building away from where my WAN comes in but I only have a single ethernet cable linking the two buildings.
I currently run a VLAN trunk between the buildings using the new Bridge VLAN filtering method. The WAN comes in to an area where noise is an issue so don't want to run a new CCR there but the other building is not a problem for noise.
The top diagram is the current setup and the bottom is an example of what I'm looking for:-
Ideally the WAN would come in to the HAP AC at port 1, this would somehow be passed though to the CCR in building 2 where the WAN interface will be, all firewall rules, DHCP server, DNS etc will be on the CCR. The LAN's and VLAN's will also be setup on here and the VLAN's/LAN's will also pass back to the HAP AC in building 1 where LAN clients will also be. Clients exist in building 1 and 2 across all VLAN's as well as Wireless devices in different VLAN's in both buildings.
Question 1: Is this a safe and sensible thing to do? My gut instinct is that it's not a great Idea but if some way a the WAN can be securely transported across the same physical cable as the LAN VLANS then could it be ok?
Question 2: How best could this be achieved. I'd like to keep the bridge vlan filtering setup if possible for the LAN side. One possible way I thought of would be to set up bridge VLAN filtering as normal, create an extra VLAN for the WAN as normal and then somehow pass EOIP over that VLAN to create the link.
Any ideas would be appreciated. Hope this all makes sense.
Pass WAN over VLAN
You do not have the required permissions to view the files attached to this post.
Re: Pass WAN over VLAN
vlan = virtual lan, so what you try to do is not out of the ordinary. Instead of using another physical cable you use vlan instead.
To achieve what you want:
mark the wan interface on hap as (to-be) as access port for wan vlan: so untagging on egress, and tagging on ingress for WAN interface
configure bridge to pass on over trunk
don't pass anywhere else.
Question is what kind of bandwidth do you have on WAN, as trunk (ehternet cable) might become a bottleneck?
To achieve what you want:
mark the wan interface on hap as (to-be) as access port for wan vlan: so untagging on egress, and tagging on ingress for WAN interface
configure bridge to pass on over trunk
don't pass anywhere else.
Question is what kind of bandwidth do you have on WAN, as trunk (ehternet cable) might become a bottleneck?
Re: Pass WAN over VLAN
Thanks, on the CCR, does the WAN interface need to be a physical port or just a VLAN interface for example?vlan = virtual lan, so what you try to do is not out of the ordinary. Instead of using another physical cable you use vlan instead.
To achieve what you want:
mark the wan interface on hap as (to-be) as access port for wan vlan: so untagging on egress, and tagging on ingress for WAN interface
configure bridge to pass on over trunk
don't pass anywhere else.
Question is what kind of bandwidth do you have on WAN, as trunk (ehternet cable) might become a bottleneck?
Re: Pass WAN over VLAN
OK, so I've done as follows and I've gone wrong somewhere. I'm doing this all in GNS3 at the moment. I set up a fake internet router on 1.1.1.1:-
Code: Select all
interface ethernet
set [ find default-name=ether5 ] name=ISP
/ip address
add address=1.1.1.1/30 interface=ISP network=1.1.1.0
/ip dhcp-client
add interface=ether1
/system identity
set name=ISPCode: Select all
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether1 pvid=100
/interface bridge vlan
add bridge=bridge1 tagged=ether5,bridge1 untagged=ether1 vlan-ids=100
/system identity
set name=B1Code: Select all
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether1 pvid=100
/interface bridge vlan
add bridge=bridge1 tagged=ether5,bridge1 untagged=ether1 vlan-ids=100
/ip address
add address=1.1.1.2/30 interface=ether1 network=1.1.1.0
/system identity
set name=B2Once I can get this working I can add the other LAN VLANS.
Any help appreciated.
You do not have the required permissions to view the files attached to this post.
Re: Pass WAN over VLAN [SOLVED]
Try this
On B1
/interface bridge vlan
add bridge=bridge1 tagged=ether5,bridge1 untagged=ether1 vlan-ids=100
On B2:
/interface bridge vlan
add bridge=bridge1 tagged=ether5,bridge1 untagged=ether1 vlan-ids=100
/interface vlan
add interface=bridge1 name=v100 vlan-id=100
/ip address
add address=1.1.1.2/30 interface=v100 network=1.1.1.0
Note on B2: in this config, there is no need for bridge on B2, just vlan straight on ether5 would suffice. in the final config you'll probably need bridge for the other vlans
On B1
/interface bridge vlan
add bridge=bridge1 tagged=ether5,bridge1 untagged=ether1 vlan-ids=100
On B2:
/interface bridge vlan
add bridge=bridge1 tagged=ether5,bridge1 untagged=ether1 vlan-ids=100
/interface vlan
add interface=bridge1 name=v100 vlan-id=100
/ip address
add address=1.1.1.2/30 interface=v100 network=1.1.1.0
Note on B2: in this config, there is no need for bridge on B2, just vlan straight on ether5 would suffice. in the final config you'll probably need bridge for the other vlans
Re: Pass WAN over VLAN
Ok, that worked. I tried every other alternative except that. I couldn't work out if that would be secure or not. Later I will try and add all "LAN" vlans and see how I get on. Thanks. I'll update once I've had a chance to try it.Try this
On B1
/interface bridge vlan
add bridge=bridge1 tagged=ether5,bridge1 untagged=ether1 vlan-ids=100
On B2:
/interface bridge vlan
add bridge=bridge1 tagged=ether5,bridge1 untagged=ether1 vlan-ids=100
/interface vlan
add interface=bridge1 name=v100 vlan-id=100
/ip address
add address=1.1.1.2/30 interface=v100 network=1.1.1.0
Note on B2: in this config, there is no need for bridge on B2, just vlan straight on ether5 would suffice. in the final config you'll probably need bridge for the other vlans
Re: Pass WAN over VLAN
BTW, in real world, not on CHR in GNS3, you'll probably will want, depending on bandwidth, to use vlan filtering of /interface switch chip, as this will be in hardware. the vlan-filtering in bridge is only on CRS3xx in hardware.
Re: Pass WAN over VLAN
Ok, so I set up a rough configuration, apart from setting up ingress-filtering and frame-type, is there anything major I have missed?
B1:-
Code: Select all
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="WAN passthroughs to B2" name=\
ether1-wan-in
set [ find default-name=ether2 ] name=ether2-vlan10-access
set [ find default-name=ether3 ] name=ether3-vlan20-access
set [ find default-name=ether5 ] name=ether5-trunk-to-b2
/interface bridge port
add bridge=bridge1 interface=ether5-trunk-to-b2
add bridge=bridge1 comment="WAN passthrough to b2" interface=ether1-wan-in \
pvid=100
add bridge=bridge1 interface=ether2-vlan10-access pvid=10
add bridge=bridge1 interface=ether3-vlan20-access pvid=20
/interface bridge vlan
add bridge=bridge1 comment="WAN Passthrough VLAN" tagged=ether5-trunk-to-b2 \
untagged=ether1-wan-in vlan-ids=100
add bridge=bridge1 tagged=ether5-trunk-to-b2 untagged=ether2-vlan10-access \
vlan-ids=10
add bridge=bridge1 tagged=ether5-trunk-to-b2 untagged=ether3-vlan20-access \
vlan-ids=20
/system identity
set name=B1
B2:-
Code: Select all
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-vlan-10-access
set [ find default-name=ether2 ] name=ether1-vlan-20-access
set [ find default-name=ether5 ] name=ether5-trunk-to-b1
/interface vlan
add comment="WAN Passthrough VLAN" interface=ether5-trunk-to-b1 name=WAN \
vlan-id=100
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
/ip pool
add name=vlan10 ranges=172.16.10.100-172.16.10.200
add name=vlan20 ranges=172.16.20.100-172.16.20.200
/ip dhcp-server
add address-pool=vlan10 disabled=no interface=vlan10 name=vlan10
add address-pool=vlan20 disabled=no interface=vlan20 name=vlan20
/interface bridge port
add bridge=bridge1 interface=ether5-trunk-to-b1
add bridge=bridge1 interface=ether1-vlan-10-access pvid=10
add bridge=bridge1 interface=ether1-vlan-20-access pvid=20
/interface bridge vlan
add bridge=bridge1 comment="WAN Passthrough VLAN" tagged=\
ether5-trunk-to-b1,bridge1 vlan-ids=100
add bridge=bridge1 tagged=bridge1,ether5-trunk-to-b1 untagged=\
ether1-vlan-10-access vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether5-trunk-to-b1 untagged=\
ether1-vlan-20-access vlan-ids=20
/ip address
add address=1.1.1.2/30 comment=\
"WAN IP is allocated on b2 - connection passed through via b1" interface=\
WAN network=1.1.1.0
add address=172.16.10.1/24 interface=vlan10 network=172.16.10.0
add address=172.16.20.1/24 interface=vlan20 network=172.16.20.0
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.20.0/24 gateway=172.16.20.1
/ip firewall address-list
add address=172.16.10.0/24 list=lan
add address=172.16.20.0/24 list=lan
/ip firewall filter
add action=drop chain=forward dst-address-list=lan src-address-list=lan
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
/system identity
set name=B2
You do not have the required permissions to view the files attached to this post.
Re: Pass WAN over VLAN
B2
copy-paste error -> name=ether1-vlan-20-access
since vlan 100 is passed to bridge1, I would setup the vlan interface on bridge not the ether5 directly (haven't verified if there would be a difference)
/interface vlan
add comment="WAN Passthrough VLAN" interface=ether5-trunk-to-b1 name=WAN \
vlan-id=100
otherwise looks fine
copy-paste error -> name=ether1-vlan-20-access
since vlan 100 is passed to bridge1, I would setup the vlan interface on bridge not the ether5 directly (haven't verified if there would be a difference)
/interface vlan
add comment="WAN Passthrough VLAN" interface=ether5-trunk-to-b1 name=WAN \
vlan-id=100
otherwise looks fine
Re: Pass WAN over VLAN
Good spot!B2
copy-paste error -> name=ether1-vlan-20-access
since vlan 100 is passed to bridge1, I would setup the vlan interface on bridge not the ether5 directly (haven't verified if there would be a difference)
/interface vlan
add comment="WAN Passthrough VLAN" interface=ether5-trunk-to-b1 name=WAN \
vlan-id=100
otherwise looks fine
Regarding the second part, are you saying that’s the bit you would change or what you would change it to?
So on b2 Set it to:-
Code: Select all
/interface vlan
add comment="WAN Passthrough VLAN" interface=bridge1 name=WAN \
vlan-id=100Appreciate your help!
Re: Pass WAN over VLAN
What I meant indeed. I guess the advantage would be that bridge would already have done the security (vlan filter) checks.
Re: Pass WAN over VLAN
Works just fine. Thanks.What I meant indeed. I guess the advantage would be that bridge would already have done the security (vlan filter) checks.
Ok, so hopefully final question, with regards your comment on "use vlan filtering of /interface switch chip", how exactly would the configuration change to what I've posted above. Thanks.
Re: Pass WAN over VLAN
There's a topic on differences between VLAN setup on bridge vs. VLAN setup on switch ... I've posted config for both cases for the same real-life usage case.
Re: Pass WAN over VLAN
what he said 
Re: Pass WAN over VLAN
Thanks. Reminds me of when I did vlans on an old CRS. Don’t know why, I thought that method was unique to the CRS line.There's a topic on differences between VLAN setup on bridge vs. VLAN setup on switch ... I've posted config for both cases for the same real-life usage case.
I presume with the CCR1009-7G-1C-1S+ I’d need to use the bridge method as it has no switch chip but for the other devices use the switch chip method?
Re: Pass WAN over VLAN
Your presumption is correct.I presume with the CCR1009-7G-1C-1S+ I’d need to use the bridge method as it has no switch chip but for the other devices use the switch chip method?
Who is online
Users browsing this forum: Bing [Bot], trmns and 31 guests