Hi.
I need your help for some changes I'm planning to do in my home network. At the moment I'm using one hap ac as a router and AP at home. I have additional guests network working over 2.4 wi-fi interface and a pptp client to my office.
I'm planning to get a 1 Gbit fiber optic internet at home and I'm going to use a SFP module with the hap ac. But because I don't want to drill additional holes in the walls, I'm going to move it in place where the fiber will enter my home and I will use a LAN cable that is already there to power it up with PoE and send the signal back at his original place where I'll use hap ac^2.
I want to setup the new hap ac^2 to be the main router with all the firewall rules, DHCP servers, WI-fi settings and so on in it, and to use the old hap ac only as a convertor of the signal fiber <-> LAN, but I also want to use his wi-fi as AP to expand my wi-fi signal for all 3 wi-fi networks - my 5 GHz, 2.4 GHz and the guests network.
I want to keep only the minimum rules for security in the hap ac's firewall and let hap ac^2 to do all the work.
How can I do that?
Re: Using router as bridge and AP
Please correct me if I'm wrong, I would:
1) create a brdige on the hAP-ac and place the SFP and a network port in it
2) create a bridge on the hAP-ac and place the wireless interfaces together with a (different) port in it -> connect this with the hAP-ac2
3) configure the hAP-ac2 as a normal wifi router
But this would require two network cables, which can be replaced by a single network cable by using VLAN's
1) create a brdige on the hAP-ac and place the SFP and a network port in it
2) create a bridge on the hAP-ac and place the wireless interfaces together with a (different) port in it -> connect this with the hAP-ac2
3) configure the hAP-ac2 as a normal wifi router
But this would require two network cables, which can be replaced by a single network cable by using VLAN's
Re: Using router as bridge and AP
As @erlinden already hinted, VLANs are your friends ... you'll have to make ethernet cable between hAP ac and hAP ac2 trunk with two VLANs, one will be internet and the other LAN.
As the hAP ac features a very decent switch chip while its CPU is not very fast, you better configure VLANs on switch chip. I'll assume that sfp1 will be used for internet (untagged from ISP's side) and ether1 will be used as trunk port for connection towards main router. ether2-ether5 will be part of LAN in my example. In my example, VLAN VID=100 will be used for WAN and VLAN VID=200 will be used for LAN.
When entering the setup, connect to ether5, enable safe mode and enter the configuration. When dealing with VLANs it's too easy to lock yourself out ... and not even MAC winbox helps there as one locked self out on L2 level (in switch chip).
If you still have connectivity after entering the setup above, exit safe mode. Then plug your computer to one of ports ether1-ether4, reconnect to hAP ac, enter safe mode and proceed with this setup:
Proceed with configuring WiFi (SSID, PSK, ...).
The VLAN-related setup on hAP ac2 (main router) should be done the new school way with vlan-filtering on bridge. I'll assume ether1 will be used to connect to hAP ac (so tagged trunk port). The rest of ports will be access ports for LAN ... Connect to ether5, enable safe mode and go:
After that, if you still have connectivity, exit safe mode, connect your computer to one of ether2-ether4 and proceed with this part of config:
Then move whatever services for LAN from interface bridge to interface vlan200 ... those services likely include DHCP server and perhaps some more.
If your firewall is at default, which uses interface lists named LAN and WAN, then you're good. Check interface list membership for dynamic interfaces (such as PPPoE).
The above configuration example doesn't deal with complex wireless setups ... if you want to run multiple SSIDs (e.g. for guest access), you'll simply introduce additional VLAN ... and possibly change firewall filter rules to separate guest subnet from home subnet.
As the hAP ac features a very decent switch chip while its CPU is not very fast, you better configure VLANs on switch chip. I'll assume that sfp1 will be used for internet (untagged from ISP's side) and ether1 will be used as trunk port for connection towards main router. ether2-ether5 will be part of LAN in my example. In my example, VLAN VID=100 will be used for WAN and VLAN VID=200 will be used for LAN.
When entering the setup, connect to ether5, enable safe mode and enter the configuration. When dealing with VLANs it's too easy to lock yourself out ... and not even MAC winbox helps there as one locked self out on L2 level (in switch chip).
Code: Select all
# Note: Don't try to set vlan-filtering=yes on this bridge, it's not that kind of setup
/interface bridge
add name=bridge # admin-mac=<MAC of ether1> or localy-administered MAC
/interface bridge port
add bridge=bridge interface=sfp1
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1
/interface ethernet switch port
# in principle one would have to use port numbers, not port names. I've no idea how are port numbers on hAP ac ...
# The code below might work. If it doesn't, find out the port numbers and substitute port names with corresponding port number.
set ether1 vlan-mode=secure # no default-vlan-id on ether1, it should be all tagged trunk
set ether2 vlan-mode=secure default-vlan-id=200 vlan-header=always-strip
set ether3 vlan-mode=secure default-vlan-id=200 vlan-header=always-strip
set ether4 vlan-mode=secure default-vlan-id=200 vlan-header=always-strip
set sfp1 vlan-mode=secure default-vlan-id=100 vlan-header=always-strip
/interface ethernet switch vlan
add independent-learning=yes ports=sfp1,ether1 switch=switch1 vlan-id=100
add independent-learning=yes ports=switch1-cpu,ether1,ether2,ether3,ether4,ether5 vlan-id=200
/interface vlan
add interface=bridge name=vlan200 vlan-id=200
/ip address
add address=<hAPac's LAN IP> interface=vlan200 network=<LAN network address>
/interface wireless
set [ find default-name=wlan1 ] vlan-mode=use-tag vlan-id=200
If you still have connectivity after entering the setup above, exit safe mode. Then plug your computer to one of ports ether1-ether4, reconnect to hAP ac, enter safe mode and proceed with this setup:
Code: Select all
/interface ethernet switch port
set ether5 vlan-mode=secure default-vlan-id=200 vlan-header=always-strip
set switch1-cpu vlan-mode=secure
Proceed with configuring WiFi (SSID, PSK, ...).
The VLAN-related setup on hAP ac2 (main router) should be done the new school way with vlan-filtering on bridge. I'll assume ether1 will be used to connect to hAP ac (so tagged trunk port). The rest of ports will be access ports for LAN ... Connect to ether5, enable safe mode and go:
Code: Select all
/interface bridge port
set [ find interface=ether1 ] frame-types=admit-only-vlan-tagged ingress-filtering=yes
set [ find interface=ether2] frame-types=admit-only-untagged-and-priority-tagged pvid=200 ingress-filtering=yes
set [ find interface=ether3] frame-types=admit-only-untagged-and-priority-tagged pvid=200 ingress-filtering=yes
set [ find interface=ether4] frame-types=admit-only-untagged-and-priority-tagged pvid=200 ingress-filtering=yes
set [ find interface=wlan1 ] frame-types=admit-only-untagged-and-priority-tagged pvid=200 ingress-filtering=yes
set [ find interface=wlan2 ] frame-types=admit-only-untagged-and-priority-tagged pvid=200 ingress-filtering=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=100
add bridge=bridge tagged=bridge,ether1 untagged=ether2,ether3,ether4 vlan-ids=200
/interface vlan
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200
/ip address
add address=<router's LAN IP> interface=vlan200 network=<LAN network address>
# add/move WAN config - static IP, DHCP client, PPPoE client, ... to interface=vlan100
/interface list member
remove [ find list=LAN ]
remove [ find list=WAN ]
add interface=vlan100 list=WAN
add interface=vlan200 list=LAN
Code: Select all
/interface bridge port
set [ find interface=ether5] frame-types=admit-only-untagged-and-priority-tagged pvid=200 ingress-filtering=yes
/interface bridge
set [ find bridge=bridge ] vlan-filtering=yes
If your firewall is at default, which uses interface lists named LAN and WAN, then you're good. Check interface list membership for dynamic interfaces (such as PPPoE).
The above configuration example doesn't deal with complex wireless setups ... if you want to run multiple SSIDs (e.g. for guest access), you'll simply introduce additional VLAN ... and possibly change firewall filter rules to separate guest subnet from home subnet.
Re: Using router as bridge and AP
Thank you for your answers. The new hap ac^2 is arriving tomorrow so in the weekend if I have time I'll try your suggestions and let you know the results.
Re: Using router as bridge and AP
@mkx I've started to do setup the hap ac, but the sfp module is not in the switch port list. The documentation for HAP ac says that the switch is for eth1-5. Do I need to setup the VLAN different way?
PS. I still don't have the fiber optic and the SFP module - I want to prepare the network before I call the ISP. Can this be a problem with the setup?
PS. I still don't have the fiber optic and the SFP module - I want to prepare the network before I call the ISP. Can this be a problem with the setup?
Re: Using router as bridge and AP
Ah, indeed sfp1 is not connected to switch chip. And this requires some change in configuration. I was about to revise the configuration for hAP ac I posted in my previous post. But then I realized that performance-wise it doesn't make sense to stick to the switch-chip-centric setup as all internet traffic has to pass RB's CPU, WiFi traffic ditto. The only remaining benefit of employing switch chip for VLAN stuff would be in case there were some computers connected to the hAP ac using UTP cables ...
So you'd better construct setup similar to the one on hAP ac2 ... using single bridge, making sfp1 access port for VLAN VID=100. The rest of setup will be more or less identical on both RBs.
So you'd better construct setup similar to the one on hAP ac2 ... using single bridge, making sfp1 access port for VLAN VID=100. The rest of setup will be more or less identical on both RBs.
Re: Using router as bridge and AP
I did some bandwidth tests between the two routers with Tools-> Bandwidth test - default settings TCP.. All I've got was 150 Mbits between the two routers. The hap ac's CPU load was 100%. Even with all firewall and nat rules disabled. And I'm thinking should I purchase 1gbit if I can't use it.
I'm thinkingn to use CAPsMAN for the both routers to setup the 3 wi-fi networks - the 2.4 GHz, the 5 GHz and the one for the guests.
I'm thinkingn to use CAPsMAN for the both routers to setup the 3 wi-fi networks - the 2.4 GHz, the 5 GHz and the one for the guests.
Re: Using router as bridge and AP
The only UTP connections for the HAP ac is going to be the link between it and the new HAP ac^2. All other devices - computers, TV and so on are going to be connected to the HAP ac^2
Re: Using router as bridge and AP
If you ran bandwidth test on the routers themselves ... then this is bogging hAP ac's CPU (it's single core).
hAP ac, doing (mainly) bridging, should be capable of throughput exceeding 500 Mbps ... but might have hard time to reach full Gbps though. Depends on traffic mix. hAP ac2 as router should be capable of reaching full Gbps (depending on FW rules) but it's going to sweat. If you'll push its wireless at the same time, then CPU is likely going to be bottleneck on hAP ac2 as well.
In short: don't expect miracles from sub-$100 devices.
hAP ac, doing (mainly) bridging, should be capable of throughput exceeding 500 Mbps ... but might have hard time to reach full Gbps though. Depends on traffic mix. hAP ac2 as router should be capable of reaching full Gbps (depending on FW rules) but it's going to sweat. If you'll push its wireless at the same time, then CPU is likely going to be bottleneck on hAP ac2 as well.
In short: don't expect miracles from sub-$100 devices.