Josephny
Member
Topic Author
Posts: 434
Joined: Tue Sep 20, 2022 12:11 am

1 bridge or 2?

Mon Nov 28, 2022 2:39 pm

I have a heX with connections as follows:

a) ether1 connected to cable ONT (WAN) -- dynamic IP

b) ether2 (192.168.2.2) connected to CSS326 switch (192.168.2.3)

c) ether3 connected to Verizon FIOS router (192.168.2.1) acting as a MOCA bridge (I think that's the correct terminology) so that ethernet traffic can pass via coax to set top boxes

I have a bridge interface (named: bridge) that currently includes ether1 and ether2.

I was thinking that the way to isolate traffic as efficiently and effectively as possible between (1) the FIOS router and STB's connected to it and (2) the CSS326 and connected LAN devices would be to keep the FIOS router on a separate heX port (ether3).

Does this make sense?

Would I need to make a separate bridge that includes ether1 and ether3?

I understand there are multiple ways to achieve this (FIOS into CSS326 and port isolation; FIOS into CSS326 and firewall rules, for example).

Thank you.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: 1 bridge or 2?

Mon Nov 28, 2022 3:02 pm

A port can only be a member of one bridge.

Your description seems inconsistent, you say ether1 and ether2 are bridged but ether1 is the WAN, ether2 and ether3 have the same subnet.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: 1 bridge or 2?

Mon Nov 28, 2022 3:27 pm

Does this make sense?
I'm with @tdw on this. You don't talk about vlans, so I assume that when you say ether1 and ether2 are part of the same bridge, that you mean they are part of the same broadcast domain. And it isn't clear how you could have a dynamic and static address on the same "bridge" interface. I don't even know if ROS has "peth" (pseudo ethernet) interfaces like the EdgeRouters.

So to your question "Does this make sense?" if you meant it in the "is what I am asking clear to you?" the answer is no. If you meant it as "Does what I am trying to do make sense?" I can't say, because I don't understand what you are trying to do.

Edit: Sorry, I got you mixed up with someone else, so I am not sure you know anything about Edgerouters.
Since you are familiar with the EdgeRouters, perhaps this will help. The bridge device in the hEX is very similar to the switch0 device on the ER-X. The bridge can be like a "dumb switch" when vlan-filtering is off, or like a vlan-aware switch0 when vlan-filtering is turned on. And the hEX /interface vlan devices created under the bridge are like vif devices under switch0 on the ER-X.

So perhaps if you can describe the problem you are trying to solve, someone can provide an answer.
Last edited by Buckeye on Mon Nov 28, 2022 4:11 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 1 bridge or 2?

Mon Nov 28, 2022 4:02 pm

 
Josephny
Member
Topic Author
Posts: 434
Joined: Tue Sep 20, 2022 12:11 am

Re: 1 bridge or 2?

Mon Nov 28, 2022 5:18 pm

Thank you, guys, for the help in framing the question.

Here's a second try.

Right now:

1) heX ether1 is wired to the FIOS ONT and gets its IP dynamically from Verizon;
2) heX ether2 is wired to a CSS326;
3) heX bridge includes ether1 and ether2, and is 192.168.2.2
4) FIOS router is wired to a port on the CSS326 and is 192.168.2.1
5) I have port isolation configured on the CSS326 such that the FIOS router can only communicate with the heX (it cannot communicate with any devices on any other ports of the CSS326).

I'm wondering if it might make more sense to wire the FIOS router into the heX port ether3 and let the heX keep the traffic between the FIOS router and my LAN separate?

My understanding is that because 'bridge' does not include ether3, the heX will not pass traffic between bridge and ether3 unless routing and/or firewall rules allow.

I can't even imagine how I would accomplish this with VLANs (the FIOS router is not VLAN-aware).
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 1 bridge or 2?

Mon Nov 28, 2022 6:16 pm

The problem is you don't state the requirements separate from the configuration.

You need to dumb it down..........

You have three WANS................ great.

Is one primary, one secondary, one tertiary.
In other words, from a general sense, what are they for?


Then more specifically what are the requirements from the user perspective.
source-list of users need to go out WANX
Subnets A and B need to go out WANY

All servers are on LAN Subnet C and should only be accessed on WANZ.
 
Josephny
Member
Topic Author
Posts: 434
Joined: Tue Sep 20, 2022 12:11 am

Re: 1 bridge or 2?

Mon Nov 28, 2022 6:42 pm

Only 1 WAN: The connection to the FIOS ONT.

The Fios router is only being used to pass Ethernet traffic to the set top boxes.

The requirement is just to have things set up efficiently and effectively.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 1 bridge or 2?

Mon Nov 28, 2022 7:54 pm

You have successfully stated nothing, other than WAN1 is not to be used for any LAN users and is solely to feed set top boxes, which I presume are TV devices.

I still have no clue as to the relationship of wan2 and wan3
Is one primary and the other backup.

Are they being shared between users......
Are some users/subnets only to use a specific wan ??

I cannot help further or make myself any clearer. Good luck!
 
Josephny
Member
Topic Author
Posts: 434
Joined: Tue Sep 20, 2022 12:11 am

Re: 1 bridge or 2?

Mon Nov 28, 2022 10:03 pm

I'm trying! I really am!

Here's a diagram.

Version A is how things are now. It works, but the FIOS router and the set top cable boxes are on the same broadcast network as all my LAN devices (connected to the CSS326).

I would like to separate into 2 broadcast networks: Broadcast network 1 (FIOS router and set top cable boxes) and broadcast network 2 (devices connected to CSS326).

212-network.JPG
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: 1 bridge or 2?

Mon Nov 28, 2022 10:26 pm

One bridge, configured something like this:
/interface bridge
add name=bridge vlan-filtering=yes frame-types=admit-only-vlan-tagged
# frame-types property in the preceding line refers to the bridge interface,
# not to the bridge as the switch-like entity
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether1 pvid=100
add bridge=bridge ingress-filtering=yes interface=ether2 pvid=200
add bridge=bridge ingress-filtering=yes interface=ether3 pvid=200
/interface bridge vlan
add bridge=bridge tagged=ether1,ether3 vlan-ids=6
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=100
add bridge=bridge tagged=bridge untagged=ether2,ether3 vlan-ids=200
/interface vlan
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200
/interface list member
add list=WAN interface=vlan100
add list=LAN interface=vlan200

Ports ether1 and ether3 will be switched for VLAN 6 (IP TV). Ports ether2 and ether3 will be switched for LAN (untagged on both ports). The untagged traffic over ether1 will be WAN. Bridge will be tagged member of VLANs 100 and 200 (to be able to interact with both LAN and WAN), but won't be member of VLAN 6 (no need to interact with it).

Then add WAN config (DHCP client, etc.) to interface vlan100.
Add LAN config (IP address, DHCP server, etc.) to interface vlan200.

Note that VLANs 100 and 200 will be internal to your hEX so you could use any pair of VIDs (except 6, it's better to avoid using 1 as well). These two VLANs are only needed to "partition" bridge into two parts (LAN and WAN).

Default firewall rule set would fit the setup above just fine.
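To make the behaviour of the table above checkable, here is an added Python model (my code, not mkx's and not MikroTik's) that parses the bridge sections of that export and answers, for a frame entering any port untagged or with a given tag, which ports it can leave on and whether tagged or untagged. The function names (`parse_export`, `forward`, `broadcast_domains`) are mine; it assumes ingress-filtering=yes when the property is not written, and it ignores the /interface vlan and list member lines because those are routing, not bridging.

```python
"""Forwarding model of a RouterOS VLAN-filtering bridge (added example, not code
from the post or from RouterOS). A frame is accepted or not by the ingress port's
frame-types, gets the port pvid if untagged, is dropped by ingress-filtering=yes
when the port is not a member of that VID, and otherwise floods to the other
members of the VID, tagged or untagged as the /interface bridge vlan entry says."""
from dataclasses import dataclass, field


@dataclass
class BridgePort:
    name: str
    pvid: int = 1
    ingress_filtering: bool = True     # assumed default when the property is absent
    frame_types: str = "admit-all"     # or admit-only-vlan-tagged / admit-only-untagged-and-priority-tagged


@dataclass
class VlanEntry:
    vid: int
    tagged: set = field(default_factory=set)
    untagged: set = field(default_factory=set)

    def members(self):
        return self.tagged | self.untagged


@dataclass
class Bridge:
    ports: dict   # name -> BridgePort; "bridge" itself is the CPU port
    vlans: dict   # vid -> VlanEntry

    def forward(self, ingress, vid=None):
        """Egress map {port: 'tagged'|'untagged'} for a frame entering `ingress`
        untagged (vid=None) or carrying 802.1Q tag `vid`; {} means dropped."""
        port = self.ports[ingress]
        if vid is None and port.frame_types == "admit-only-vlan-tagged":
            return {}
        if vid is not None and port.frame_types == "admit-only-untagged-and-priority-tagged":
            return {}
        entry = self.vlans.get(port.pvid if vid is None else vid)
        if entry is None:                # VID not in the table: no members to flood to
            return {}
        if port.ingress_filtering and ingress not in entry.members():
            return {}                    # ingress-filtering drop
        out = {p: "tagged" for p in entry.tagged if p != ingress}
        out.update({p: "untagged" for p in entry.untagged if p != ingress})
        return out

    def broadcast_domains(self):
        """vid -> member ports: one disjoint L2 broadcast domain per VID."""
        return {vid: e.members() for vid, e in self.vlans.items()}


def parse_export(text):
    """Read the /interface bridge, bridge port and bridge vlan sections of a
    RouterOS export; other sections (/interface vlan, list member) are ignored."""
    ports, vlans, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("/"):
            section = line
            continue
        if not line.startswith("add "):
            continue
        kv = dict(t.split("=", 1) for t in line[4:].split() if "=" in t)
        if section in ("/interface bridge", "/interface bridge port"):
            name = kv["name"] if section == "/interface bridge" else kv["interface"]
            ports[name] = BridgePort(name, pvid=int(kv.get("pvid", 1)),
                                     ingress_filtering=kv.get("ingress-filtering", "yes") == "yes",
                                     frame_types=kv.get("frame-types", "admit-all"))
        elif section == "/interface bridge vlan":
            for vid in map(int, kv["vlan-ids"].split(",")):
                e = vlans.setdefault(vid, VlanEntry(vid))
                e.tagged |= {p for p in kv.get("tagged", "").split(",") if p}
                e.untagged |= {p for p in kv.get("untagged", "").split(",") if p}
    return Bridge(ports, vlans)


# The bridge sections of mkx's configuration, copied from the post above.
EXAMPLE_CONFIG = """
/interface bridge
add name=bridge vlan-filtering=yes frame-types=admit-only-vlan-tagged
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether1 pvid=100
add bridge=bridge ingress-filtering=yes interface=ether2 pvid=200
add bridge=bridge ingress-filtering=yes interface=ether3 pvid=200
/interface bridge vlan
add bridge=bridge tagged=ether1,ether3 vlan-ids=6
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=100
add bridge=bridge tagged=bridge untagged=ether2,ether3 vlan-ids=200
"""


def load_example():
    return parse_export(EXAMPLE_CONFIG)
```

`load_example().forward("ether2")` returns {'bridge': 'tagged', 'ether3': 'untagged'}: untagged LAN frames from ether2 reach ether3 and the CPU but never ether1, which only the router (vlan100/vlan200 routing and the firewall) connects to the LAN.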
 
Josephny
Member
Topic Author
Posts: 434
Joined: Tue Sep 20, 2022 12:11 am

Re: 1 bridge or 2?

Mon Nov 28, 2022 11:21 pm

I really wish this wasn't the case, but this is above my understanding.

Your code starts by adding an interface named bridge that has vlan-filtering enabled for frame-types 'admit-only-vlan-tagged'

Does this bridge replace the existing bridge I have which is set up like this? Or does it add the vlan parameters to it?

/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
Similar question for the ports of 'bridge':

/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
And then there's the VLAN setup. Do I understand correctly that the VLAN exists exclusively internal to the heX? And that the VLAN is what separates the broadcast domains by port (ether2 vs. ether3)?

I am finding it difficult to understand how the commands below allow packets originating on ether1 to pass (as addressed) to ether2 and ether3, but packets originating on either ether2 or ether3 to be allowed to pass only to ether1.

One bridge, configured something like this:
/interface bridge
add name=bridge vlan-filtering=yes frame-types=admit-only-vlan-tagged
# frame-types property in the preceding line refers to the bridge interface,
# not to the bridge as the switch-like entity
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether1 pvid=100
add bridge=bridge ingress-filtering=yes interface=ether2 pvid=200
add bridge=bridge ingress-filtering=yes interface=ether3 pvid=200
/interface bridge vlan
add bridge=bridge tagged=ether1,ether3 vlan-ids=6
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=100
add bridge=bridge tagged=bridge untagged=ether2,ether3 vlan-ids=200
/interface vlan
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200
/interface list member
add list=WAN interface=vlan100
add list=LAN interface=vlan200

Ports ether1 and ether3 will be switched for VLAN 6 (IP TV). Ports ether2 and ether3 will be switched for LAN (untagged on both ports). The untagged traffic over ether1 will be WAN. Bridge will be tagged member of VLANs 100 and 200 (to be able to interact with both LAN and WAN), but won't be member of VLAN 6 (no need to interact with it).

Then add WAN config (DHCP client, etc.) to interface vlan100.
Add LAN config (IP address, DHCP server, etc.) to interface vlan200.

Note that VLANs 100 and 200 will be internal to your hEX so you could use any pair of VIDs (except 6, it's better to avoid using 1 as well). These two VLANs are only needed to "partition" bridge into two parts (LAN and WAN).

Default firewall rule set would fit the setup above just fine.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 1 bridge or 2?

Mon Nov 28, 2022 11:41 pm

What is the purpose of having the FIOS router connected to the hex at all.
That is the missing piece for me. You have fios connected already to set top boxes.
Why involve the hex or switch???

You have two separate internet connections correct?
 
Josephny
Member
Topic Author
Posts: 434
Joined: Tue Sep 20, 2022 12:11 am

Re: 1 bridge or 2?

Mon Nov 28, 2022 11:43 pm

The set top boxes need internet access for various functions. That Inet access is delivered over the coax. Hence, the Fios router (or another moca adapter) is needed.
 
Josephny
Member
Topic Author
Posts: 434
Joined: Tue Sep 20, 2022 12:11 am

Re: 1 bridge or 2?

Mon Nov 28, 2022 11:55 pm

1 internet connection: FIOS
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 1 bridge or 2?

Tue Nov 29, 2022 1:29 am

sorry, more confused than ever: diagram shows two internet connections and yet you say there is only one, the fios, and yet you show a cable modem from verizon ......................................

Okay lets say I think its like this
You only have one internet connection from a cable modem from verizon, they also provide a fios router.
The router is important because it has coax for set top boxes...........

My question is does the fios have other ports like ethernet and they provide you a private IP..........
Do you have any control over this fios router, aka select what lans it has.................. etc.......

How does the hex get internet then if the fios router is involved???
Does internet come in on one vlan and tv on another vlan?
 
Josephny
Member
Topic Author
Posts: 434
Joined: Tue Sep 20, 2022 12:11 am

Re: 1 bridge or 2?

Tue Nov 29, 2022 1:55 am

Okay, we're making progress now.

Verizon provides a coax cable to my premises.

That coax connects to their modem.

Out from their modem come 2 cables: Coax and ethernet (RJ45, twisted pair, catX).

The coax at this point carries TV.

That coax gets distributed (in a trunk and tap/splitter kind of way) to:
a) Verizon's router (model G3100); and
b) A bunch of set top boxes.

The G3100 has an RJ45 WAN port for internet access that is not being used.

It also has 4 RJ45s (logically, a switch), for devices or downstream switch.

The connectivity between the G3100 and the STBs (which need IP addresses and now get them via DHCP from the heX) provides internet access (all via coax) to the STBs and is necessary for online program guides, DVR, On-Demand stuff. Internet access is provided to the G3100 by a cable from one of its LAN ports to a port on the CSS326.

I have full control of the G3100 -- I assigned its IP address, etc.

Now, back up to the modem:

A cat6 cable connects the modem to the heX.

A cat6 cable connects the heX to the CSS326, where all my devices are connected.

Does that clarify?

 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: 1 bridge or 2?

Tue Nov 29, 2022 6:42 am

sorry, more confused than ever: diagram shows two internet connections and yet you say there is only one, the fios, and yet you show a cable modem from verizon ......................................
@anav, I agree with you 100%, when he "clarified" things, he must have taken his example from Google home, which often gives an incomplete answer, then asks "would you like more context?", and if you reply "yes", it just repeats the same thing over again, with no additional information. Compare Post #1 with the "clarification" in post #5. To me the only difference is the formatting.

This is evidently a continuation of this thread Vlans and export config with a more detailed diagram in post #10

Note that even though he is talking about vlans in that thread, I am still not convinced that the "concept" of what vlans are has "clicked" yet for him. What he is currently using for separation is port-isolation in the CSS326, which is a different concept than vlans; it is limiting, for each switch-port, what other switch-ports can be forwarded to. This is like asymmetrical subsets of the same broadcast domain, more like overlapping circles in a venn diagram, where there is a non-empty intersection. Additionally, port isolation has no significance off the switch; anything past the switch is either included or excluded.

Vlans are different in that the broadcast domains for vlans have no overlap (intersection). And vlans can extend beyond the switch border, since tags can carry the "membership credentials" with the ethernet frame.

It is very unclear to me what the purpose of the Hex is.

And I thought I would let others know about the other thread, because he is currently using only port-isolation to keep things separate, because he has a single ip subnet.
Last edited by Buckeye on Tue Nov 29, 2022 9:09 am, edited 1 time in total.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: 1 bridge or 2?

Tue Nov 29, 2022 8:59 am

Frankly @OP lost me with regards to wanted configuration ... and I'm with @anav here: it would be great if @OP clearly stated desired layout and forget about current setup ... which seems to be inadequate anyway so why bother explaining it?
 
Josephny
Member
Topic Author
Posts: 434
Joined: Tue Sep 20, 2022 12:11 am

Re: 1 bridge or 2?

Tue Nov 29, 2022 1:35 pm

Gentlemen:

I have not taken my words or concepts or anything from any web site (including Google Home).

Post #16 was intended to more fully explain my setup -- which it did.

The heX is the one and only device performing as a router at my location. The G3100 only acts as a bridge between twisted pair and coax for the STBs.

Yes, I have another thread talking about Vlans and my setup. And, yes, Vlans have not yet clicked. But, I do have an understanding that port isolation is not the best way to accomplish my goal -- hence the current thread.

Would it be more helpful to explain from a functional perspective what I want to achieve or from a network layout perspective?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 1 bridge or 2?

Tue Nov 29, 2022 2:37 pm

functional!
 
Josephny
Member
Topic Author
Posts: 434
Joined: Tue Sep 20, 2022 12:11 am

Re: 1 bridge or 2?

Tue Nov 29, 2022 2:46 pm

I want to minimize unnecessary traffic on my LAN created by the set top boxes being in the same broadcast domain as all other devices.

Also want to make sure that the traffic between the internet and the set top boxes does not negatively impact internet access speed/throughput/reliability at LAN devices.

Future desire: Achieve the same for the internet connected televisions. They are now devices on the LAN connected to switch ports and in the same /24 subnet and same broadcast network.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: 1 bridge or 2?

Wed Nov 30, 2022 5:20 am

Verizon provides a coax cable to my premises.

That coax connects to their modem.

Out from their modem come 2 cables: Coax and ethernet (RJ45, twisted pair, catX).

The coax at this point carries TV.

That coax gets distributed (in a trunk and tap/splitter kind of way) to:
a) Verizon's router (model G3100); and
b) A bunch of set top boxes.
--- snip--- now you contradict yourself as follows:
Now, back up to the modem:

A cat6 cable connects the modem to the heX.

A cat6 cable connects the heX to the CSS326, where all my devices are connected.

Does that clarify?
That does not correspond to any diagram you have posted. Unless you had a typo in the first part and called the G3100 the "their modem" in the part of your post above where I put "---snip---"

It is foolish to give answers when we don't understand the problem.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: 1 bridge or 2?

Wed Nov 30, 2022 5:37 am

I want to minimize unnecessary traffic on my LAN created by the set top boxes being in the same broadcast domain as all other devices.

Also want to make sure that the traffic between the internet and the set top boxes does not negatively impact internet access speed/throughput/reliability at LAN devices.

Future desire: Achieve the same for the internet connected televisions. They are now devices on the LAN connected to switch ports and in the same /24 subnet and same broadcast network.
What evidence do you have that indicates the traffic from the set top boxes is causing a problem? Same with the "internet connected televisions".

Unless these are using multicast, the switches won't replicate the unicast traffic once they have learned the mac addresses. Review this Everything Switches do - Part 1 - Networking Fundamentals - Lesson 4 from Networking Fundamentals
 
Josephny
Member
Topic Author
Posts: 434
Joined: Tue Sep 20, 2022 12:11 am

Re: 1 bridge or 2?

Wed Nov 30, 2022 5:44 am

I give up.
 
tuxaluxalot
just joined
Posts: 4
Joined: Sat Oct 09, 2021 7:13 pm

Re: 1 bridge or 2?

Wed Nov 30, 2022 12:09 pm

OP, from your post, it seems you have limited networking experience. Is that fair to say?

If so, let’s start at the beginning:
A standard at home setup would consist of internet -> modem -> router -> switch.

You state you have internet -> modem -> router -> switch and router. Having a router behind another router is odd for a “typical” home setup and in most cases won’t work unless the router has been reconfigured to be a simple switch.

Question 1: Why are you using the Verizon router? Is it for extra switch ports? Limitations due to CAT5/CAT6 cabling? Nobody here cares about the coax… it doesn’t play a part.

Question 2: What is the general concern about the cable boxes? Why do you want to isolate them?
Answers to question 2 could be: “I don’t trust the telemetry on these devices” or “Looking at the network I noticed a high volume of traffic going to all ports on the LAN side” or “Looking at the network I noticed they use a high volume of traffic out to the internet”.

Depending on your answers, VLANs might not be the correct solution. For example, let’s say you notice when the cable boxes are connected to your network they flood the network, slowing other devices down. That could be a multicast issue and while VLANs could help, I wouldn’t consider it the correct solution.

I think everyone here is trying to help but confused and stuck on the “why”. I know I am. Part of that confusion is coming from your answers or more specifically your explanations to questions to which I’m not sure you fully grasp (which is fine because we are all here to learn from/help others) but stating you don’t understand is the critical part of the equation.
Last edited by tuxaluxalot on Thu Dec 01, 2022 3:46 am, edited 1 time in total.
 
Josephny
Member
Topic Author
Posts: 434
Joined: Tue Sep 20, 2022 12:11 am

Re: 1 bridge or 2?

Thu Dec 01, 2022 2:10 pm

tuxaluxalot,

Thank you for kind words and efforts to help --- I am grateful to you and everyone else here who have helped and continue to try to help.

I actually have a substantial amount of networking experience. I'm perfectly fine admitting my weaknesses (and I have many) -- I am totally failing to understand VLANs, for example, and I readily admit that I only know the very basics of firewalls.

My set up is as you describe but there are relevant additional details (coax being one of them):

Internet and TV come in via coax to a modem (we'll call it that, but it is somewhat more -- it's basically an ONT but coax instead of optical)
Out of the modem comes both Internet connectivity (ethernet cable) and TV (on coax)
The ethernet is wired to the heX
The coax coming out of the modem is wired to the G3100 (original FIOS router now only being used to route Internet over coax)
The heX is wired to the CSS326 switch.
The G3100 is wired to a port on the CSS326 so it can get the Internet access to combine and make available via coax to the set top boxes.

Now, for anyone reading this: There is no need for unpleasant comments about my repeating myself, or for providing (insignificant) conflicting details. It serves no good purpose. This is the setup. This is a correct setup. This is the setup that works. There very well might be better setups.

My concern is that the traffic passing between the set top boxes and the Internet does not need to be on the same broadcast domain, nor in any way accessible to or from any other devices. So my thinking is why not completely separate them -- in the name of security and LAN performance.

 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 1 bridge or 2?

Thu Dec 01, 2022 2:19 pm

Ahh okay, that's the part I don't get: why does the fios need an internet connection from the switch via the hex? That makes no sense since it has what it needs, (I'm assuming) the set top box signal/tv stream from the coax side? That would be most unusual.

I think understanding this requirement better would help solve the issues........
 
Josephny
Member
Topic Author
Posts: 434
Joined: Tue Sep 20, 2022 12:11 am

Re: 1 bridge or 2?

Thu Dec 01, 2022 2:27 pm

Whew! I am so glad we have closed in on the clarity problem.

The stb’s need internet access as well as tv to come in on the co-ax. It’s standard setup for Verizon FIOS.



 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 1 bridge or 2?

Thu Dec 01, 2022 2:38 pm

Ahh I see what has happened.

Originally the cable modem fed the FIOS router with both.
Now you have injected the hex into the picture to gain control of internet (and not deal with fios router for internet/networking stuff) but still trying to preserve the TV.
Most folks I know have dumped STB and verizon and use internet TV :-)


This brings us to the next question: is there anything specific the TV set top boxes need on the internet side of things? Clearly they were not getting a public IP through the fios, but did they need to have a specific DHCP address?

What I would think of doing, at the hex, is simply create such a subnet and VLAN that only goes to the set top boxes and have separate vlans for the users on your network.
home, guest wifi, iot devices, etc...............
 
Josephny
Member
Topic Author
Posts: 434
Joined: Tue Sep 20, 2022 12:11 am

Re: 1 bridge or 2?

Thu Dec 01, 2022 3:51 pm

Yes!

After learning about the MT routers it became crystal clear that they are light-years better than the G3100. Hence, the plan (achieved in great part with your previous help) was to replace the G3100 in the role of router with the heX.

I have dumped STBs at other locations, but not quite ready for that at this (my main) location.

The STBs each get a private IP -- 192.168.2.100, 101, 102, 103 in my case. They do not need to communicate with any other devices on the LAN (not the TVs which are also connected to the LAN, some via wifi and some wired; nor any other devices). They simply need Internet access to Verizon's servers.

The TVs are the same -- they need an IP address (private), and they only need Internet access (to various servers such as Netflix, Amazon, etc.)

I think (for whatever that's worth) that a solution of creating a separate network off the heX for the G3100, STBs (and hopefully TVs) makes sense. But, despite a lot of effort to help me, I am progressing very slowly towards being able to fully understand VLANs.

BTW, I bought an R5009 and extra heX and have a couple of unused computers and would happily set up a test network to play with (as you and others have previously suggested).

 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 1 bridge or 2?

Thu Dec 01, 2022 4:11 pm

One set of devices at a time.
1. Do the set top boxes need specific IP addresses or could they use any subnet lan address aka instead of 192.168.2.100 could it be 10.10.10.2.55.
In other words the limitations or constraints if any are not obvious.

2. How do you propose to ensure the TV set top boxes can reach verizon servers? I am assuming all they need is general internet access and the set top boxes know where to send requests on the WWW.

3. Next the TVs, well they have nothing to do with verizon when you start talking netflix, etc, they simply need an internet connection.
Thus that's an internal matter at the TV to select source. Assuming your TV has coax in from set top box and an ethernet connection for wired home or perhaps wifi to home network ???
 
Josephny
Member
Topic Author
Posts: 434
Joined: Tue Sep 20, 2022 12:11 am

Re: 1 bridge or 2?

Thu Dec 01, 2022 4:15 pm

1) Any private IP subnet should work.

2) I don't know the protocols or ports used, but I believe 'general internet access' by the STBs is what they need.

3) Yes, when the TVs need access to Verizon-specific connectivity, it goes through the STBs. For other services, 'general internet access' is what they need.

 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 1 bridge or 2?

Thu Dec 01, 2022 4:27 pm

Confirm
a. how TV connects to internet currently
b. how TV connects to STB currently
 
Josephny
Member
Member
Topic Author
Posts: 434
Joined: Tue Sep 20, 2022 12:11 am

Re: 1 bridge or 2?

Thu Dec 01, 2022 4:30 pm

TVs each have 2 forms of connectivity:

1) Coax to STB
2) Wifi or Ethernet cable to switch for direct (non-STB) access to Internet


 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 1 bridge or 2?

Thu Dec 01, 2022 9:58 pm

This is your general starting point.........
/interface bridge
add name=bridge vlan-filtering=no
# change vlan-filtering to yes after configuring everything else
/interface vlan
add interface=ether1 name=VLAN-ISP vlan-id=6
add interface=bridge name=vlanHome-100 vlan-id=100
add interface=bridge name=vlanSTB-200 vlan-id=200
add interface=bridge name=vlanOther-300 vlan-id=300
/interface bridge port
add bridge=bridge comment="to fios coax switch" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=200
add bridge=bridge comment="to managed switch" frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=200
add bridge=bridge tagged=bridge,ether3 vlan-ids=100,300
/interface list member
add list=WAN interface=VLAN-ISP
add list=WAN interface=ether1
add list=LAN interface=vlanHome-100
add list=LAN interface=vlanSTB-200
add list=LAN interface=vlanOther-300
For firewall rules....... this gives you the isolation you require.......
/ip firewall filter
# input chain
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="admin access from home vlan" in-interface=vlanHome-100
add action=accept chain=input comment="DNS from LAN" in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input comment="DNS from LAN" in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else"
# forward chain
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
.........

If you need any access between vlans you need to add them before the drop all rule.
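To see what the forward chain above actually permits between the vlans, here is an added Python model of it (not anav's or MikroTik's code): a first-match walk over the posted rules, run against constructed packets. Interface and list names follow the post; fasttrack-connection is treated as a passthrough so the following accept rule decides, which is an assumption of the model.

```python
from dataclasses import dataclass

# Interface lists as in the post (VLAN names follow its /interface vlan section).
LISTS = {
    "WAN": {"VLAN-ISP", "ether1"},
    "LAN": {"vlanHome-100", "vlanSTB-200", "vlanOther-300"},
}

# The posted forward chain as (action, match criteria); the first match decides.
FORWARD = [
    ("fasttrack-connection", {"connection-state": {"established", "related"}}),
    ("accept", {"connection-state": {"established", "related", "untracked"}}),
    ("drop", {"connection-state": {"invalid"}}),
    ("accept", {"in-interface-list": "LAN", "out-interface-list": "WAN"}),
    ("accept", {"connection-nat-state": "dstnat"}),
    ("drop", {}),  # the final "drop all else" rule
]

@dataclass
class Packet:            # constructed test packets, not captured traffic
    in_if: str
    out_if: str
    conn_state: str = "new"   # new | established | related | untracked | invalid
    nat_state: str = ""       # "dstnat" once a port-forward rule has applied

def matches(pkt: Packet, crit: dict) -> bool:
    """True when every matcher in the rule applies to the packet."""
    checks = {
        "connection-state": lambda v: pkt.conn_state in v,
        "connection-nat-state": lambda v: pkt.nat_state == v,
        "in-interface": lambda v: pkt.in_if == v,
        "out-interface": lambda v: pkt.out_if == v,
        "in-interface-list": lambda v: pkt.in_if in LISTS[v],
        "out-interface-list": lambda v: pkt.out_if in LISTS[v],
    }
    return all(checks[k](v) for k, v in crit.items())

def verdict(pkt: Packet, chain=FORWARD) -> str:
    """Walk the chain top to bottom. fasttrack-connection is treated as a
    passthrough here, so the accept rule right after it takes the packet."""
    for action, crit in chain:
        if matches(pkt, crit) and action != "fasttrack-connection":
            return action
    return "accept"  # RouterOS default when nothing matches; unreachable here

def with_intervlan_rule(chain, src_if: str, dst_if: str) -> list:
    """Copy of chain with an accept for src_if -> dst_if placed before the
    final drop, which is where the post says such exceptions belong."""
    rule = ("accept", {"in-interface": src_if, "out-interface": dst_if})
    return chain[:-1] + [rule, chain[-1]]
```

With the chain as posted, any new connection from one vlan to another reaches the final drop, while LAN to WAN, dstnat'd and return traffic are accepted; the helper shows the only place an inter-vlan exception can go and still take effect.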
