I'm with @tdw on this. You don't talk about vlans, so I assume that when you say ether1 and ether2 are part of the same bridge, that you mean they are part of the same broadcast domain. And it isn't clear how you could have a dynamic and static address on the same "bridge" interface. I don't even know if ROS has "peth" (pseudo ethernet) interfaces like the EdgeRouters.
Does this make sense?
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
One bridge, configured something like this:
/interface bridge
add name=bridge vlan-filtering=yes frame-types=admit-only-vlan-tagged
# frame types property in preceding line refers to bridge interface,
# not to bridge the switch-like entity
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether1 pvid=100
add bridge=bridge ingress-filtering=yes interface=ether2 pvid=200
add bridge=bridge ingress-filtering=yes interface=ether3 pvid=200
/interface bridge vlan
add bridge=bridge tagged=ether1,ether3 vlan-ids=6
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=100
add bridge=bridge tagged=bridge untagged=ether2,ether3 vlan-ids=200
/interface vlan
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200
/interface list members
add list=WAN interface=vlan100
add list=LAN interface=vlan200
Ports ether1 and ether3 will be switched for VLAN 6 (IP TV). Ports ether2 and ether3 will be switched for LAN (untagged on both ports). The untagged traffic over ether1 will be WAN. Bridge will be tagged member of VLANs 100 and 200 (to be able to interact with both LAN and WAN), but won't be member of VLAN 6 (no need to interact with it).
Then add WAN config (DHCP client, etc.) to interface vlan100.
Add LAN config (IP address, DHCP server, etc.) to interface vlan200.
Note that VLANs 100 and 200 will be internal to your hEX so you could use any pair of VIDs (except 6, it's better to avoid using 1 as well). These two VLANs are only needed to "partition" bridge into two parts (LAN and WAN).
Default firewall rule set would fit the setup above just fine.
What is the purpose of having the FIOS router connected to the hex at all?
That is the missing piece for me. You have fios connected already to set top boxes.
Why involve the hex or switch???
You have two separate internet connections correct?
Sorry, more confused than ever: the diagram shows two internet connections and yet you say there is only one, the fios, and yet you show a cable modem from verizon...
Okay, let's say I think it's like this:
You only have one internet connection from a cable modem from verizon, they also provide a fios router.
The router is important because it has coax for set top boxes...
My question is: does the fios have other ports like ethernet, and do they provide you a private IP...
Do you have any control over this fios router, aka select what lans it has... etc...
How does the hex get internet then if the fios router is involved???
Does internet come in on one vlan and tv on another vlan?
@anav, I agree with you 100%, when he "clarified" things, he must have taken his example from Google home, which often gives an incomplete answer, then asks "would you like more context?", and if you reply "yes", it just repeats the same thing over again, with no additional information. Compare Post #1 with the "clarification" in post #5. To me the only difference is the formatting.
Sorry, more confused than ever: the diagram shows two internet connections and yet you say there is only one, the fios, and yet you show a cable modem from verizon...
That does not correspond to any diagram you have posted. Unless you had a typo in the first part and called the G3100 the "their modem" in the part of your post above where I put "---snip---"
Verizon provides a coax cable to my premises.
That coax connects to their modem.
Out from their modem come 2 cables: Coax and ethernet (RJ45, twisted pair, catX).
The coax at this point carries TV.
That coax gets distributed (in a trunk and tap/splitter kind of way) to:
a) Verizon's router (model G3100); and
b) A bunch of set top boxes.
---snip--- now you contradict yourself as follows:
Now, back up to the modem:
A cat6 cable connects the modem to the heX.
A cat6 cable connects the heX to the CSS326, where all my devices are connected.
Does that clarify?
What evidence do you have that indicates the traffic from the set top boxes is causing a problem? Same with the "internet connected televisions".
I want to minimize unnecessary traffic on my LAN created by the set top boxes being in the same broadcast domain as all other devices.
Also want to make sure that the traffic between the internet and the set top boxes does not negatively impact internet access speed/throughput/reliability at LAN devices.
Future desire: Achieve the same for the internet connected televisions. They are now devices on the LAN connected to switch ports and in the same /24 subnet and same broadcast network.
OP, from your post, it seems you have limited networking experience. Is that fair to say?
If so, let’s start at the beginning:
A standard at home setup would consist of internet -> modem -> router -> switch.
You state you have internet -> modem -> router -> switch and router. Having a router behind another router is odd for a "typical" home setup and in most cases won't work unless the router has been reconfigured to be a simple switch.
Question 1: Why are you using the Verizon router? Is it for extra switch ports? Limitations due to CAT5/CAT6 cabling? Nobody here cares about the coax… it doesn’t play a part.
Question 2: What is the general concern about the cable boxes? Why do you want to isolate them?
Answers to question 2 could be: “I don’t trust the telemetry on these devices” or “Looking at the network I noticed a high volume of traffic going to all ports on the LAN side” or “Looking at the network I noticed they use a high volume of traffic out to the internet”.
Depending on your answers, VLANs might not be the correct solution. For example, let's say you notice when the cable boxes are connected to your network they flood the network, slowing other devices down. That could be a multicast issue and while VLANs could help, I wouldn't consider it the correct solution.
I think everyone here is trying to help but confused and stuck on the “why”. I know I am. Part of that confusion is coming from your answers or more specifically your explanations to questions to which I’m not sure you fully grasp (which is fine because we are all here to learn from/help others) but stating you don’t understand is the critical part of the equation.
Ahh okay, that's the part I don't get: why does the fios need an internet connection from the switch via the hex? That makes no sense since it has what it needs, (I'm assuming) the set top box signal/tv stream from the coax side? That would be most unusual.
I think understanding this requirement better would help solve the issues...
Ahh I see what has happened.
Originally the cable modem fed the FIOS router with both.
Now you have injected the hex into the picture to gain control of internet (and not deal with fios router for internet/networking stuff) but still trying to preserve the TV.
Most folks I know have dumped STB and verizon and use internet TV
This brings us to the next question: is there anything specific the TV set top boxes need on the internet side of things? Clearly they were not getting a public IP through the fios, but did they need to have a specific DHCP address?
What I would think of doing, at the hex, is simply create such a subnet and VLAN that only goes to the set top boxes and have separate vlans for the users on your network:
home, guest wifi, iot devices, etc...
One set of devices at a time.
1. Do the set top boxes need specific IP addresses or could they use any subnet lan address aka instead of 192.168.2.100 could it be 10.10.10.2.55.
In other words the limitations or constraints if any are not obvious.
2. How do you propose to ensure the TV setup boxes can reach verizon servers? I am assuming all they need is general internet access and the set top boxes know where to send requests on the WWW.
3. Next the TVs, well they have nothing to do with verizon when you start talking netflix, etc, they simply need an internet connection.
Thus that's an internal matter at the TV to select source. Assuming your TV has coax in from set top box and an ethernet connection for wired home or perhaps wifi to home network???
Confirm
a. how TV connects to internet currently
b. how TV connects to STB currently
/interface bridge
add name=bridge vlan-filtering=no { Change to yes after configuring everything else }
/interface vlan
add interface=ether1 name=VLAN-ISP vlan-id=6
add interface=bridge name=vlanHome-100 vlan-id=100
add interface=bridge name=vlanSTB-200 vlan-id=200
add interface=bridge name=vlanOther-300 vlan-id=300
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=200 { to fios coax switch }
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether3 { to managed switch }
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=200
add bridge=bridge tagged=bridge,ether3 vlan-ids=100,300
/interface list members
add list=WAN interface=VLAN-ISP
add list=WAN interface=ether1
add list=LAN interface=vlanHome-100
add list=LAN interface=vlanSTB-200
add list=LAN interface=vlanOther-300
/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface=vlanHome-100
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else"
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
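Both the partitioned-bridge recipe earlier in the thread (bridge as tagged member of VLANs 100 and 200, WAN/LAN lists pointing at the VLAN interfaces) and the draft config in the last post depend on a few cross-references being consistent: `/interface vlan` uses `vlan-id`, a VLAN interface on the bridge needs the bridge itself tagged in that VLAN, `frame-types` must be one of the values RouterOS accepts, and interface lists must name interfaces that exist. A mismatch in any of these is a silent misconfiguration rather than an error at export time, so it is worth checking before `vlan-filtering` is switched on. The Python checker below is an added example, not code from the thread or from MikroTik; it assumes export-style `add key=value` lines with `#` comments (the curly-brace annotations in the draft above are not RouterOS syntax and must be stripped first). Both embedded configs are constructed samples: the first mirrors the recipe, the second reproduces the kinds of slips found in the draft.

```python
"""Consistency checks for a RouterOS bridge-VLAN config (added example, not from the thread)."""
import shlex

# Values RouterOS accepts for frame-types on a bridge port (and on the bridge itself).
VALID_FRAME_TYPES = {"admit-all", "admit-only-untagged-and-priority-tagged", "admit-only-vlan-tagged"}


def parse_export(text):
    """Return a list of (section, {key: value}) for every 'add' line in export-style text."""
    section, entries = None, []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # '#' comments; quoted comment="..." values survive
        if not parts:
            continue
        if parts[0].startswith("/"):
            section = " ".join(parts)
            continue
        if parts[0] != "add":
            continue
        props = dict(tok.partition("=")[::2] for tok in parts[1:])
        entries.append((section, props))
    return entries


def _vids(value):
    """Expand a vlan-ids value such as '100,300' or '10-12' into a set of ints."""
    vids = set()
    for part in filter(None, value.split(",")):
        lo, _, hi = part.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids


def _names(value):
    return set(filter(None, value.split(",")))


def check_bridge_vlans(text):
    """Return a list of findings; an empty list means the cross-references are consistent."""
    entries = parse_export(text)
    findings = []
    bridges = {p["name"] for s, p in entries if s == "/interface bridge" and "name" in p}
    ports = {p["interface"] for s, p in entries if s == "/interface bridge port"}
    vlan_ifaces = {p.get("name") for s, p in entries if s == "/interface vlan"}
    vlan_parents = {p.get("interface") for s, p in entries if s == "/interface vlan"}
    known = bridges | ports | vlan_ifaces | vlan_parents

    # VLAN id -> interfaces declared as tagged members in /interface bridge vlan
    tagged = {}
    for s, p in entries:
        if s != "/interface bridge vlan":
            continue
        members = _names(p.get("tagged", "")) | _names(p.get("untagged", ""))
        for m in sorted(members - bridges - ports):
            findings.append(f"bridge vlan {p.get('vlan-ids')}: {m} is not a bridge port")
        for vid in _vids(p.get("vlan-ids", "")):
            tagged.setdefault(vid, set()).update(_names(p.get("tagged", "")))

    for s, p in entries:
        if s in ("/interface bridge", "/interface bridge port"):
            ft = p.get("frame-types")
            if ft and ft not in VALID_FRAME_TYPES:
                findings.append(f"{p.get('name') or p.get('interface')}: unknown frame-types value {ft!r}")
        elif s == "/interface vlan":
            name = p.get("name", "?")
            if "vlan-id" not in p:
                findings.append(f"vlan interface {name}: missing vlan-id (the key is vlan-id, not vlan-ids)")
                continue
            parent = p.get("interface")
            # With vlan-filtering=yes the CPU only sees VLAN N through the bridge if the
            # bridge itself is a tagged member of N; that is what the recipe relies on.
            if parent in bridges and parent not in tagged.get(int(p["vlan-id"]), set()):
                findings.append(f"vlan interface {name}: {parent} is not a tagged member of VLAN {p['vlan-id']}")
        elif s == "/interface list members":
            iface = p.get("interface", "?")
            if iface not in known:
                findings.append(f"interface list {p.get('list')}: unknown interface {iface}")
    return findings


# Constructed sample mirroring the partitioned-bridge recipe (expected: no findings).
RECIPE_CONFIG = """
/interface bridge
add name=bridge vlan-filtering=yes frame-types=admit-only-vlan-tagged
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether1 pvid=100
add bridge=bridge ingress-filtering=yes interface=ether2 pvid=200
add bridge=bridge ingress-filtering=yes interface=ether3 pvid=200
/interface bridge vlan
add bridge=bridge tagged=ether1,ether3 vlan-ids=6
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=100
add bridge=bridge tagged=bridge untagged=ether2,ether3 vlan-ids=200
/interface vlan
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200
/interface list members
add list=WAN interface=vlan100
add list=LAN interface=vlan200
"""

# Constructed sample with four slips: vlan-ids on a VLAN interface, a VLAN interface whose
# VLAN the bridge is not tagged in, an invalid frame-types value, and a list entry naming
# a VLAN interface that does not exist.
BROKEN_CONFIG = """
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlanHome-100 vlan-ids=100
add interface=bridge name=vlanSTB-200 vlan-id=200
add interface=bridge name=vlanOther-300 vlan-id=300
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-tagged interface=ether3
add bridge=bridge ingress-filtering=yes interface=ether2 pvid=200
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=200
add bridge=bridge tagged=ether3 vlan-ids=100,300
/interface list members
add list=LAN interface=vlan100
add list=LAN interface=vlanSTB-200
"""

if __name__ == "__main__":
    for label, cfg in (("recipe", RECIPE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_bridge_vlans(cfg) or "OK")
```

Run it against an `/export` taken before enabling `vlan-filtering`; the checker does not know about dynamic untagged entries RouterOS creates from `pvid`, so it only flags what the static config itself contradicts.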