Community discussions

MikroTik App
 
gabrielebellini
just joined
Topic Author
Posts: 11
Joined: Thu Apr 06, 2023 7:38 pm

hEXs switch/bridge configuration on uncommon hardware configuration

Fri Apr 07, 2023 6:17 pm

Hello all,
I'm trying to find the best way for connecting my home to the internet and I'd like to have your expert opinion.
DSL/FTTC/FTTH is not an option for me, so I pay a wireless ISP subscription which needs a wireless CPE installed on roof. Since I share the connection with neighbors (PtP link), another wireless AP is on the same roof.
I bought an hEXs (which will be installed inside the house) and I'd like to configure it in best possible way. The major constraint is that only *one* ethernet cable runs from hEXs to roof.
Having clear the concept and benefits of using VLANs, I'd like to implement such scenario:
scheme.png
with trunk on ether1 (hEXs to roof managed switch) and using VLANs (tagged in other trunk and untagged on access ports) on other ports ether2 to 5.
I read docs and I know that ether2 to 5 can and should be bridged (and then VLANs applied) thus having the benefits of hardware offload, but how ether1 port can be treated in this context? Should I add it to the single bridge, having all ports on same bridge?
Or should I simply create same VLANs on ether1, or again another bridge (consisting of single ether1 port) and adding VLANs on it?
Is there a best solution which can take advantage of hEXs features, maximizing throughput between interfaces and avoiding CPU overload due to not optimal configurations?
Any idea/suggestion/criticism to my scheme is really appreciated!
Thank you to anyone who can give me any hints.
You do not have the required permissions to view the files attached to this post.
 
accarda
Member Candidate
Member Candidate
Posts: 214
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Re: hEXs switch/bridge configuration on uncommon hardware configuration

Mon Apr 17, 2023 8:21 am

Hi,
better approach would be to have all ETH1-5 within the same single bridge and then define ETH1 and ETH2 for tagged traffic and the other for untagged as in your scheme, using bridge VLAN filtering.
This would be possible as with Ros7 the switch chip MT7621 is now supporting bridge VLAN filtering without loosing L2HW on all ports, so then you can take such benefit in your setup.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: hEXs switch/bridge configuration on uncommon hardware configuration

Mon Apr 17, 2023 3:25 pm

No point in use capsman for one access point. Overhead on the config and cpu for nothing.
 
gabrielebellini
just joined
Topic Author
Posts: 11
Joined: Thu Apr 06, 2023 7:38 pm

Re: hEXs switch/bridge configuration on uncommon hardware configuration

Tue Apr 18, 2023 3:24 pm

Thank you accarda for your precious suggestions. I'll follow the single ETH1-5 bridge suggestion and VLAN tagging (trunks and access ports) as needed. And regarding anav suggestion: yes, you're right. I didn't draw it on scheme but I'll use at least 2 cAPs, so I hope the use of CAPsMAN will be useful in this case.
Thank you again.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: hEXs switch/bridge configuration on uncommon hardware configuration

Tue Apr 18, 2023 3:27 pm

For me, I would only consider capsman in two cases.

Fiver or more Capacs, and/or I needed to do blocking of wifi users from the same vlan wired LAN ( L2 blocking ) ( not available in standard forward chain rules).
My CAPAC are configured identically and simply with vlans, easy and fast.
 
erlinden
Forum Guru
Forum Guru
Posts: 2626
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: hEXs switch/bridge configuration on uncommon hardware configuration

Tue Apr 18, 2023 4:33 pm

My CAPAC are configured identically and simply with vlans, easy and fast.
Identical, except for frequency settings (and MAC address) I hope?
 
gabrielebellini
just joined
Topic Author
Posts: 11
Joined: Thu Apr 06, 2023 7:38 pm

Re: hEXs switch/bridge configuration on uncommon hardware configuration

Tue Apr 18, 2023 5:35 pm

The idea behind CAPsMAN was to use one single configuration to spread over two or more cAPs, all with the same configuration, that is: different WLANs (SSIDs) each one bridged to its specific VLAN (inter VLAN routing + firewall rules on same hEXs). Without going into details, is this configuration achievable (in a home environment with only 30 Mbit WAN bandwidth) or does someone have alternative or more suitable architectures to follow?
Thank you again!
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: hEXs switch/bridge configuration on uncommon hardware configuration

Tue Apr 18, 2023 5:53 pm

My CAPAC are configured identically and simply with vlans, easy and fast.
Identical, except for frequency settings (and MAC address) I hope?
Pretty much!
each capac also uses ether2 as an off bridge emergency or config access port.
That way if the capac needs adjustment and is off line for whatever reason I can access it directly with a laptop (wall or low ceiliing) or if not accessible I ensure I run a cable from ether2 to a place where I can access the cable and plug into laptop.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: hEXs switch/bridge configuration on uncommon hardware configuration

Tue Apr 18, 2023 5:55 pm

capsman as I stated add overhead to the CPU and is overly complex for your requirements, it adds no functionality that you really need as described.
Thus I find most beginners spend much time pulling their hair out trying to figure it out, instead of concentrating on more core fundamentals of RoS learning
such as firewall rules, vlans and bridges and IP routes.
 
gabrielebellini
just joined
Topic Author
Posts: 11
Joined: Thu Apr 06, 2023 7:38 pm

Re: hEXs switch/bridge configuration on uncommon hardware configuration

Tue Apr 18, 2023 7:43 pm

capsman as I stated add overhead to the CPU and is overly complex for your requirements, it adds no functionality that you really need as described.
Thus I find most beginners spend much time pulling their hair out trying to figure it out, instead of concentrating on more core fundamentals of RoS learning
such as firewall rules, vlans and bridges and IP routes.
Thank you for your suggestion. I'll follow your idea and put aside CAPsMAN configuration.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: hEXs switch/bridge configuration on uncommon hardware configuration

Tue Apr 18, 2023 7:47 pm

Can you describe what is coming in on ether1?

I imagine one flow of traffic is from the CPE, is that a specific tyipe of wan connection.
etherent, pppoe, or converted from CPE to a private IP address.

Why is the neighbouts Ptp link coming in your router. I thought it would be CPE to their antenna to their house, VERY very confusing.........

It looks like you have ether2 going to a managed switch, ether3 not used, ether4 going to a PC or local lan device and ether5 going to smart AP

How many lan subnets do you need.
home lan (and home wifi)
guest wifi
IOT or media WIFI

etc........
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: hEXs switch/bridge configuration on uncommon hardware configuration

Tue Apr 18, 2023 7:49 pm

Recommend doing all your config off bridge on ether3 as its not currently used.
viewtopic.php?t=181718
 
gabrielebellini
just joined
Topic Author
Posts: 11
Joined: Thu Apr 06, 2023 7:38 pm

Re: hEXs switch/bridge configuration on uncommon hardware configuration

Wed Apr 19, 2023 2:10 am

Can you describe what is coming in on ether1?

I imagine one flow of traffic is from the CPE, is that a specific tyipe of wan connection.
etherent, pppoe, or converted from CPE to a private IP address.

Why is the neighbouts Ptp link coming in your router. I thought it would be CPE to their antenna to their house, VERY very confusing.........

It looks like you have ether2 going to a managed switch, ether3 not used, ether4 going to a PC or local lan device and ether5 going to smart AP

How many lan subnets do you need.
home lan (and home wifi)
guest wifi
IOT or media WIFI

etc........
You're right, I missed out lot of details on my first post: Ether1 should be a trunk of 2 VLANs, ending on a trunk port on RB260GS switch on roof (let's say VLAN 10 and VLAN 20). VLAN 10 will be used for connecting WAN interface of hEXs to the CPE on roof (PPPoE connection), VLAN 20 will be used to assign a dedicated interface on hEXs to the neighbors network (including wireless pair of device for PtP link on roof), allowing proper isolation between my and their network. Other VLANs will be used for guests Wifi, IoT Wifi, Home Wifi, Home Ethernet and so on. Let's say a maximum of 10 VLANs (each with its interface on hEXs) should be implemented.
Another trunk port (Ether2 on scheme) will bring all needed VLANs toward another managed switch, on ground floor, allowing other devices to be connected. 2 cAPs will be used on each floor (and optionally a third cAP outside) for implementing all the mentioned WLANs.
So, generally speaking, I'd like to configure the hEXs device as a bridge with inter VLAN routing/firewalling and trunk ports for spreading all the needed VLANs to the switches where the single network devices need to be connected (untagged ports).
Thank you for your help!
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: hEXs switch/bridge configuration on uncommon hardware configuration

Wed Apr 19, 2023 4:11 am

Still a bit of a jumbled entity.

What I am interpreting is that you only have
ONE CPE connection (one internet connection).
You have one ethernet cable to the roof area where another switch is located.
On this cable you want to run the WAN connection to the hex.
On this cable you want to run a separate private network that will go to your neighours house via a WIFI link of sorts.
Besides the neighbours subnet you have need for 4 local subnets
home & home wifi / guest wifi / iot wifi / management WIFI ( strictly used for all smart devices to get their IP - and only the admin will be able to access from his IP address on the home subnet )

As noted above, ether3 would make a great and safe offbridge access to do the config........

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

All very doable suggest reading Para C. ---> viewtopic.php?t=182373

I have similar add more switches and vlans etc...

On the 260GS, ether1 is tagged for vlan10,20,99 ether2 is tagged for vlan10 and ether3 is untagged for vlan20
(vlan99 being a management vlan and the subnet where the 260GS gets its IP address).
 
gabrielebellini
just joined
Topic Author
Posts: 11
Joined: Thu Apr 06, 2023 7:38 pm

Re: hEXs switch/bridge configuration on uncommon hardware configuration

Thu Apr 20, 2023 1:42 am

Still a bit of a jumbled entity.

What I am interpreting is that you only have
ONE CPE connection (one internet connection).
You have one ethernet cable to the roof area where another switch is located.
On this cable you want to run the WAN connection to the hex.
On this cable you want to run a separate private network that will go to your neighours house via a WIFI link of sorts.
Besides the neighbours subnet you have need for 4 local subnets
home & home wifi / guest wifi / iot wifi / management WIFI ( strictly used for all smart devices to get their IP - and only the admin will be able to access from his IP address on the home subnet )

As noted above, ether3 would make a great and safe offbridge access to do the config........

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

All very doable suggest reading Para C. ---> viewtopic.php?t=182373

I have similar add more switches and vlans etc...

On the 260GS, ether1 is tagged for vlan10,20,99 ether2 is tagged for vlan10 and ether3 is untagged for vlan20
(vlan99 being a management vlan and the subnet where the 260GS gets its IP address).
Yes, one CPE for internet connection (shared with my neighbors): one WAN and different LANs with proper isolation between them and internet access.

Your guide is simply amazing! Exactly what I was looking for as a newbie in Mikrotik world! All the hints on where to focus on for having a well configured network environment. Better than tons of introductory articles and videos on RoS that don't give a whole view of the configuration like your guide. I'll use it as reference guide and share here my results!
Thank you again!

Who is online

Users browsing this forum: gigabyte091 and 14 guests