
move wan conf to vlan

I am trying to make a change that's more complex than anything I have ever done before... Right now I have an EdgeRouter Lite

 

ETH0 is WAN 1

ETH1 is WAN 2

 

ETH0 and ETH1 are load-balanced.

 

ETH2 is LAN connected to a Dlink managed switch with 2 vlans.

 

I would like to move the 2 WAN connections to the Dlink switch using VLANs (vlan7 and vlan8) somehow but keep all my load balancing. I am sure you are asking why bother if everything is working, and the short reason is that both of my WANs are fixed wireless radios and require PoE injectors; my Dlink switch is a GS110TP PoE switch and I hope that if I can move the fixed wireless radios to the switch I could ditch the PoE injectors.

 

If anyone has any suggestions I would appreciate the help. Below is my current config:

 

/* Firewall: global options, the PRIVATE_NETS group, the "balance" modify
   ruleset that steers traffic into load-balance group G, and the four named
   rulesets that the interfaces section binds to eth0, eth1 and eth2.2. */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        /* RFC 1918 ranges; referenced by balance rule 10 and Guest_In rule 1 */
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    /* NOTE(review): martian logging is off; turning it on is cheap and gives
       visibility into impossible-source packets arriving on the WANs. */
    log-martians disable
    /* Policy ruleset applied inbound on eth2 (see interfaces). Rules 10-30
       pin selected traffic to the main routing table; rule 110 hands the
       rest to load-balance group G. */
    modify balance {
        /* LAN-to-LAN (any private destination) stays on the main table */
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        /* ADDRv4_eth0 / ADDRv4_eth1 are the address groups EdgeOS maintains
           for an interface's own addresses, so traffic to the router's public
           IPs is not balanced onto the other WAN.
           NOTE(review): these names follow the interface name and would have
           to change if WAN 1/2 move to VLAN sub-interfaces of eth2. */
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        /* Catch-all: everything not matched above is load balanced */
        rule 110 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    /* Guest VLAN (eth2.2) forwarded traffic: Internet is allowed, anything
       bound for private address space is dropped. */
    name Guest_In {
        default-action accept
        description "Guest to lan/wan"
        rule 1 {
            action drop
            description "drop guest to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            log disable
            protocol all
        }
    }
    /* WAN forwarded traffic: only replies to established/related flows get
       in, invalid state is dropped explicitly. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* WAN traffic to the router itself: same stateful-only policy, so
       nothing unsolicited from the WANs (SSH, GUI) reaches the router. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Guest VLAN to the router itself: only DNS (tcp/udp 53) is permitted,
       so the GUI and SSH are not reachable from guest clients. */
    name guest_local {
        default-action drop
        description "guest to router"
        rule 1 {
            action accept
            description "allow dns"
            destination {
                port 53
            }
            log disable
            protocol tcp_udp
        }
    }
    receive-redirects disable
    /* NOTE(review): ICMP redirects are sent and reverse-path source
       validation is off. Source validation may interact badly with two DHCP
       WANs, so test before changing it; sending redirects is rarely needed
       on a router and can be disabled. */
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
/* Physical ports: eth0/eth1 are the two DHCP WAN uplinks, eth2 is the trunk
   to the managed switch carrying the untagged LAN plus VLAN 1 (management)
   and VLAN 2 (guest). */
interfaces {
    /* WAN 1 */
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        /* Stateful-only policy for forwarded (in) and router-bound (local) */
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    /* WAN 2 - identical policy to eth0 */
    ethernet eth1 {
        address dhcp
        description "WAN 2"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    /* LAN trunk. The balance modify ruleset is bound only here, on the
       untagged LAN. NOTE(review): vif 1 and vif 2 carry no "modify balance",
       so traffic from the management and guest VLANs presumably is not
       steered into lb-group G - confirm that is the intent. Hosting the two
       WANs on this trunk would mean one tagged vif per WAN (the thread
       mentions VLAN 7 and 8) carrying "address dhcp" and the WAN_IN/WAN_LOCAL
       bindings, with load-balance, nat outbound-interface and balance rules
       20/30 updated to the new interface names. */
    ethernet eth2 {
        address 192.168.1.1/24
        description Local
        duplex auto
        firewall {
            in {
                modify balance
            }
        }
        speed auto
        /* Management VLAN - no ruleset bound, so the router does not filter
           it at all (full access to the router and the other networks). */
        vif 1 {
            address 192.168.100.1/24
            description "Management VLAN"
        }
        /* Guest VLAN - Internet only; DNS is the only service it may use on
           the router (see Guest_In / guest_local). */
        vif 2 {
            address 192.168.200.1/24
            description "Guest VLAN"
            firewall {
                in {
                    name Guest_In
                }
                local {
                    name guest_local
                }
            }
        }
    }
    loopback lo {
    }
}
/* Two-WAN load-balance group referenced by balance rule 110. No per-interface
   weight, route-test or failover-only options appear here, so defaults apply. */
load-balance {
    group G {
        interface eth0 {
        }
        interface eth1 {
        }
        /* lb-local / lb-local-metric-change control how the router's own
           traffic is treated; exact semantics per EdgeOS docs, not shown here. */
        lb-local enable
        lb-local-metric-change disable
    }
}
/* Router-hosted services: DHCP for the two VLANs, DNS forwarding, the web
   GUI, outbound NAT per WAN, and SSH. */
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        /* Guest VLAN pool (eth2.2), .100-.199, one-day lease. Clients are
           handed Google DNS directly rather than the router's forwarder;
           clients that honor this bypass the forwarder on eth2.2, and
           guest_local's port-53 allow only matters for those that do not. */
        shared-network-name guest {
            authoritative disable
            subnet 192.168.200.0/24 {
                default-router 192.168.200.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.200.100 {
                    stop 192.168.200.199
                }
            }
        }
        /* Management VLAN pool (eth2.1), .15-.55, same DNS handout */
        shared-network-name mgmt {
            authoritative disable
            subnet 192.168.100.0/24 {
                default-router 192.168.100.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.100.15 {
                    stop 192.168.100.55
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    /* NOTE(review): no DHCP pool for the untagged 192.168.1.0/24 LAN appears
       above - static addressing or another server; cannot tell from here. */
    dns {
        /* Forwarder listens on the LAN and both VLANs; see the DHCP note on
           why clients may not actually use it. */
        forwarding {
            cache-size 150
            listen-on eth2
            listen-on eth2.1
            listen-on eth2.2
        }
    }
    /* NOTE(review): the GUI answers on plain HTTP (80) as well as HTTPS, and
       older-ciphers is enabled. WAN_LOCAL keeps it off the WANs and
       guest_local keeps it off the guest VLAN, so exposure is to the LAN and
       the management VLAN; drop older-ciphers (and HTTP) unless a legacy
       client genuinely needs them. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    /* Source NAT, one masquerade rule per WAN. NOTE(review): outbound-interface
       is the WAN's interface name and must follow the WAN if it moves to a
       VLAN sub-interface. */
    nat {
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN 2"
            outbound-interface eth1
            type masquerade
        }
    }
    /* SSH on the default port; unreachable from the WANs and the guest VLAN
       by the rulesets above. */
    ssh {
        port 22
        protocol-version v2
    }
}
/* System settings: conntrack sizing, host-name, the admin account, NTP,
   hardware offload, syslog and time zone. */
system {
    /* Connection-tracking table sizing and TCP tracking options */
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    /* NOTE(review): still the default host-name */
    host-name ubnt
    login {
        /* Admin account. The encrypted-password value is blank in this
           paste - presumably redacted for the forum; confirm the live config
           carries a proper hash. An empty plaintext-password is the normal
           state once the hash has been stored. */
        user admin {
            authentication {
                encrypted-password 
                plaintext-password ""
            }
            level admin
        }
    }
    /* Vendor NTP pool */
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    /* Hardware offload: NAT offload off; IPsec, IPv4 and IPv6 forwarding,
       GRE and PPPoE offload on. */
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            gre enable
            pppoe enable
        }
        ipv6 {
            forwarding enable
            pppoe enable
        }
    }
    /* Syslog: notice level for all facilities, debug for the protocols
       facility. */
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
 
 
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.7.5127970.181001.1054 */
 

 


Re: move wan conf to vlan

If you do something like this, you shouldn't need to change your ERL config at all.  You would need 2 PoE-capable ports, and two more that don't have to be PoE ports.  The key is to use untagged "access" VLANs on the switch with 2 ports in vlan7 and two in vlan8.  Then plug eth0 into one of the vlan7 ports (does not need PoE) and the radio into the PoE port in vlan7, same with eth1 and vlan8.

 

The two 2-port VLANs are just acting like PoE power injectors.

 

PoE Switch & Vlans.png


Re: move wan conf to vlan

I really wish I had bought the bigger switch; seeing your diagram, this looks like it would be easy to configure the way you explained it, but I don't have enough ports on the switch I bought for the two extra ports and the computers on my LAN. Is there a way I could pass the 2 WANs and the vifs over ETH2 on the single cable I'm using to trunk vif2.1 and vif2.2 to the switch now?

 

Thanks again!

Shane


Re: move wan conf to vlan

For sure you can move those 2 WANs onto VLANs on eth2.  

This takes lots of reconfiguration and also has another drawback: it limits the total throughput.

Now you can simultaneously upload and download at 1 Gb/s.

In the new situation all traffic hits the same eth2 wire twice, limiting total up/down throughput combined to 1 Gb/s (like 500/500).


Re: move wan conf to vlan

I am not worried about limiting the speed by putting everything on one cable as my WISP only gives me 15mb each; the two are for redundancy, not speed.

 

Is there by chance any sort of pointer anyone could give me on moving the WANs to a VLAN on eth2?

 

Let me know, and thanks!

Shane
