New Member
Posts: 4
Registered: ‎08-09-2017

Exposing WAN over different switches (VLAN?)

Hi All,

maybe a stupid question for some, but I'm struggling with the setup below, which I want to accomplish with my EdgeRouter(s):

We have our internet from our TV provider, and as most, they offer a router that combines the services....

So we have 1 router from our ISP with 4 ports. Each of these ports can be used for Internet and/or TV services for the digiboxes that we have from our TV provider.

This means that for some devices in a room, 2 cables are needed (1 for my home network, and 1 directly connected to the TV digibox).

I would like, however, to combine the connectivity over multiple EdgeRouters....

So the first EdgeRouter is connected to the ISP over DHCP.... and exposes the "cloud" to other ports on this EdgeRouter or another EdgeRouter upstream, in order to be able to plug the TV digibox into the EdgeRouter so that it still gets an IP from the ISP router.....

I am not a full noob, and have some (low-level) knowledge of VLANs and trunk ports, yet need some help to get on my way....

In the end, I would have one central EdgeRouter and 3 more EdgeRouters (as switches) in 3 locations where I require both connections....

The end goal is to save (or avoid) extra cabling..... !!!!

(and to have the fun of configuring this and learning from it... ;-)

thanks for putting me on the correct way....


Established Member
Posts: 1,606
Registered: ‎03-02-2016
Kudos: 364
Solutions: 118

Re: Exposing WAN over different switches (VLAN?)


I suspect that your TV service is provided over a VLAN. Find out the VLAN ID as your ISP provides service. Then you just need one EdgeRouter to connect to your modem, and VLAN-aware switches in each room. Mirror the VLAN settings your ISP needs and you should be set. If you tell us who your provider is, someone might already know the correct settings.

New Member
Posts: 4
Registered: ‎08-09-2017

Re: Exposing WAN over different switches (VLAN?)

hi Gfunkdave,

first of all, thanks for your advice already...

My provider is Telenet in Belgium, so I'm guessing the chance will be small to find another who has tried the same ...;-).

The provider is also not really willing to disclose their settings \ VPN...

I have tried mirroring the uplink port via an EdgeRouter and sniffing via Wireshark after connecting one of the TV boxes, yet no such luck....

They must be working with their own VLAN or something, as the box gets 2 IPs: one "in-home 169.*" IP and one "Telenet private 10.*" IP.

Now I hear you coming: "if it has an in-home IP, why bother".... here's why.... The provider looks at everything behind their (in-house) router as in-home.... yet they do not have a configurable firewall, and only allow for 4 devices to be connected..... (which isn't nearly enough).....

so I'm hoping there may be someone else out there who pulled this off with Telenet in Belgium, but I'm feeling kinda alone in the desert... ;-)

cheers,

Davy

Veteran Member
Posts: 5,669
Registered: ‎03-24-2016
Kudos: 1518
Solutions: 649

Re: Exposing WAN over different switches (VLAN?)

 

To find out the VLAN, hook up a set-top box to an ER port, and run tcpdump on that port.

This might show the VLAN being used.
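As an added example (not from this thread, and not EdgeOS code) of what that tcpdump check is looking for: an 802.1Q tag sits between the source MAC and the EtherType, and `tcpdump -e` prints that link-level header. The Python below parses constructed Ethernet frames, collects any VLAN IDs (including stacked 802.1ad/802.1Q tags) and tallies them, so a capture that only yields "untagged" means the set-top box traffic carries no VLAN tag on that port. The sample frames, MACs and payloads are constructed, not a real capture.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # IEEE 802.1Q customer tag
ETHERTYPE_QINQ = 0x88A8   # IEEE 802.1ad service tag (stacked VLANs)

def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, inner_ethertype) for a raw Ethernet frame.

    Walks past any 802.1Q / 802.1ad tags after the two MAC addresses and
    pulls the 12-bit VLAN ID out of each 16-bit TCI. An untagged frame
    yields an empty list.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset = 12  # destination MAC (6) + source MAC (6)
    vlan_ids = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
            return vlan_ids, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits = VID; upper bits are PCP/DEI
        offset += 4

def summarize(frames):
    """Tally VLAN IDs across frames; the shape of a quick capture audit."""
    seen = {}
    for frame in frames:
        ids, _ = parse_vlan_tags(frame)
        key = tuple(ids) if ids else ("untagged",)
        seen[key] = seen.get(key, 0) + 1
    return seen

# Constructed sample frames (dummy MACs, dummy 20-byte payload).
_MACS = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
_IPV4 = 0x0800
UNTAGGED = _MACS + struct.pack("!H", _IPV4) + b"\x45" + b"\x00" * 19
TAGGED_30 = (_MACS + struct.pack("!HH", ETHERTYPE_VLAN, (3 << 13) | 30)
             + struct.pack("!H", _IPV4) + b"\x45" + b"\x00" * 19)
QINQ = (_MACS + struct.pack("!HH", ETHERTYPE_QINQ, 100)
        + struct.pack("!HH", ETHERTYPE_VLAN, 30)
        + struct.pack("!H", _IPV4) + b"\x00" * 20)

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tagged", TAGGED_30), ("qinq", QINQ)):
        print(name, parse_vlan_tags(frame))
    print(summarize([UNTAGGED, TAGGED_30, TAGGED_30]))
```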

New Member
Posts: 4
Registered: ‎08-09-2017

Re: Exposing WAN over different switches (VLAN?) (TELENET - BE)

@16again thanks... did something similar, yet without VLAN results....

After a lot of reading I have made some steps (I think... ;-)

It appears the following:

The digiboxes do not work with VLANs.... It appears they work with some kind of MAC recognition and get assigned 2 IPs based on the router....

I have drawn a diagram of a standard setup:

[diagram: image.png]

I have been able to set it up as follows (with some basic tampering and lookup of other posts

!!!! lots of kudos to these posters..... (several on different fora)

So it looks like this:

[diagram: image.png]

!!! and it seems to work as such..... ;-) (at least for now)

With the following config (for now):

ADVICE IS WELCOME !!! ;-)

firewall {
    all-ping disable
    broadcast-ping disable
    group {
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    receive-redirects disable
    send-redirects disable
    source-validation disable
    syn-cookies disable
}
interfaces {
    ethernet eth0 {
        description Internet
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        address 192.168.1.1/24
        description MGMT
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        description SWITCH
        mtu 1500
        switch-port {
            interface eth0 {
                vlan {
                    pvid 30
                }
            }
            interface eth1 {
                vlan {
                    pvid 30
                }
            }
            interface eth2 {
                vlan {
                    pvid 10
                }
            }
            vlan-aware enable
        }
        vif 10 {
            address 10.10.10.1/24
            description DATA
            mtu 1500
        }
        vif 30 {
            address dhcp
            description WAN
            mtu 1500
        }
    }
}
protocols {
    static {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name VLAN10 {
            authoritative disable
            subnet 10.10.10.0/24 {
                default-router 10.10.10.1
                dns-server 10.10.10.1
                dns-server 8.8.8.8
                lease 86400
                start 10.10.10.40 {
                    stop 10.10.10.200
                }
                unifi-controller 10.10.10.2
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0.10
            listen-on switch0.30
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "LAN to Telenet"
            outbound-interface switch0.30
            source {
                group {
                }
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi enable
        export enable
    }
}

 

next step is of course to set up the firewall for the 10.10.10.0/24 range

... and here I'm stuck again..... :-(

any good pointers here?


New Member
Posts: 4
Registered: ‎08-09-2017

Re: Exposing WAN over different switches (VLAN?) (TELENET - BE)

Another update for those interested...

currently testing with the following setup including firewall:

firewall {
    all-ping disable
    broadcast-ping disable
    group {
        network-group Home {
            description "internal home network"
            network 10.10.10.0/24
        }
        network-group TelenetDigiboxRange {
            description "Range used for Digiboxes of telenet"
            network 10.199.0.0/16
        }
        network-group TelenetHomeRange {
            description "home range for telenet devices"
            network 192.168.99.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    name VLAN10_Local {
        default-action accept
        rule 1 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name VLAN10_WAN {
        default-action accept
        rule 1 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_VLAN10 {
        enable-default-log
        rule 1 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 3 {
            action accept
            description "allow NEW from telenet digiboxes"
            log disable
            protocol all
            source {
                group {
                    network-group TelenetDigiboxRange
                }
            }
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
        rule 4 {
            action accept
            description "Allow NEW from telenet Home"
            log disable
            protocol all
            source {
                group {
                    network-group TelenetHomeRange
                }
            }
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
    }
    receive-redirects disable
    send-redirects disable
    source-validation disable
    syn-cookies disable
}
interfaces {
    ethernet eth0 {
        description Internet
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        address 192.168.1.1/24
        description MGMT
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        description SWITCH
        mtu 1500
        switch-port {
            interface eth0 {
                vlan {
                    pvid 30
                }
            }
            interface eth1 {
                vlan {
                    pvid 30
                }
            }
            interface eth2 {
                vlan {
                    pvid 10
                }
            }
            vlan-aware enable
        }
        vif 10 {
            address 10.10.10.1/24
            description DATA
            firewall {
                in {
                    name VLAN10_WAN
                }
                local {
                    name VLAN10_Local
                }
                out {
                    name WAN_VLAN10
                }
            }
            mtu 1500
        }
        vif 30 {
            address dhcp
            description WAN
            mtu 1500
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0.10
    wan-interface switch0.30
}
protocols {
    static {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name VLAN10 {
            authoritative disable
            subnet 10.10.10.0/24 {
                default-router 10.10.10.1
                dns-server 10.10.10.1
                dns-server 8.8.8.8
                lease 86400
                start 10.10.10.40 {
                    stop 10.10.10.200
                }
                unifi-controller 10.10.10.2
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0.10
            listen-on switch0.30
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "LAN to Telenet"
            outbound-interface switch0.30
            source {
                group {
                }
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat enable
        ipsec enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi enable
        export enable
    }
}

 

To date it's working fine (for 3 days now).....

once this works, next steps are:

- add firewalling to VLAN 30 (certainly to local)
- look at routing across the VLANs (UPnP, DLNA)

cheers

Davy
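As an added example (not Davy's config and not EdgeOS code), a small Python model of the posted WAN_VLAN10 ruleset: first-match evaluation over the two network groups, and the implicit drop when nothing matches (the ruleset sets no default-action), which is exactly what enable-default-log will log. The group ranges and rule order are copied from the config above; the sample source addresses are constructed. Note that the config binds this ruleset as `out` on switch0.10, so it filters everything the router forwards into VLAN 10 whichever interface it arrived on; the model covers the rule logic only.

```python
import ipaddress

# Network groups, copied from the posted config.
GROUPS = {
    "TelenetDigiboxRange": [ipaddress.ip_network("10.199.0.0/16")],
    "TelenetHomeRange": [ipaddress.ip_network("192.168.99.0/24")],
}

# Ruleset WAN_VLAN10 as posted. It sets no default-action, so EdgeOS drops
# anything no rule matches; enable-default-log logs those drops.
WAN_VLAN10 = {
    "default_action": "drop",
    "rules": [
        {"action": "accept", "states": {"established", "related"}},
        {"action": "drop", "states": {"invalid"}},
        {"action": "accept", "states": {"new"}, "source_group": "TelenetDigiboxRange"},
        {"action": "accept", "states": {"new"}, "source_group": "TelenetHomeRange"},
    ],
}

def in_group(addr: str, group: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in GROUPS[group])

def evaluate(ruleset: dict, src: str, state: str):
    """Walk the rules in order; the first match wins. Returns (action, rule
    number), where rule number 0 means the ruleset's default action applied."""
    for number, rule in enumerate(ruleset["rules"], start=1):
        if state not in rule["states"]:
            continue
        group = rule.get("source_group")
        if group and not in_group(src, group):
            continue
        return rule["action"], number
    return ruleset["default_action"], 0

# Constructed sample flows heading into VLAN 10: (source address, conntrack state).
SAMPLE_FLOWS = [
    ("10.199.5.7", "new"),           # Telenet digibox range
    ("192.168.99.20", "new"),        # Telenet in-home range
    ("203.0.113.9", "new"),          # unsolicited from the internet
    ("203.0.113.9", "established"),  # reply to a LAN-initiated connection
    ("10.199.5.7", "invalid"),
]

def audit(flows=SAMPLE_FLOWS):
    """Return (src, state, action, rule) for each flow; unmatched rows show rule 0."""
    return [(src, state) + evaluate(WAN_VLAN10, src, state) for src, state in flows]

if __name__ == "__main__":
    for row in audit():
        print(row)
```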
