WAN Switch ports on 3100
-
Hmm, I’m surprised I can’t find anyone using the switch ports on the 3100 for servers connected with a /29 network.
I’ve read the Netgate documentation on configuring them but I switched the LAN (now MVNETA2) and WAN (now MVNETA0) ports round since it sounded like the MVNETA1 is linked to MVNETA0 which I thought would make the switch work.
So let’s say my /29 is 4.3.2.1/29, the WAN has 4.3.2.1 and I have a honeypot at 4.3.2.2 connected to the 1st switch port. Can someone explain if I can make the switch act like a switch so WAN routes to the server so I don’t have to mess with NAT anymore and I can ping 4.3.2.2 without NAT. I’ve even tried allowing all traffic to 4.3.2.2 but just can’t get it to respond.
Do I need OPT interface enabled?
Does OPT1 need an IP to work as just a switch?
Think I’ve tried every combination I can think of but as usual I’m probably missing something stupid and end up kicking myself!
-
No, to do that you would need to bridge WAN (mvneta2) with either LAN (mvneta1) for all the switch ports or a VLAN that just connects to some of the switch ports. Then they would be in the same layer 2 so could both use addresses from the /29.
Otherwise you would add addresses from the /29 as VIPs on the WAN and forward that traffic to internal servers.
You could reassign WAN to be mvneta1, the NIC connected to the switch, and then put the WAN link and other servers in the switch ports. But there would be no filtering of traffic to those servers.
Steve
-
@stephenw10 Thanks for the quick reply but still can't see what I'm doing wrong.
I can ping both Pis from each other so the IPs and switch are good, I just can't ping them from pfSense (either mvneta1, no IP set though, or mvneta0)
mvneta0 (WAN) and mvneta1 (OPT) as BRIDGE0 members
mvneta0 has IP address
Do I need to change any of the advanced settings like edge, autoedge?
Or set BRIDGE0 as an interface? Although I did try and still couldn't ping the Pis.
Guessing the VLAN setting under switches can be left disabled and with the default VLANs? I've never had much luck with bridging stuff. lol
-
Ok, so you have reassigned all the interfaces there, which is fine as long as the external ports are actually connected to what you think they are.
Your WAN is PPPoE which eliminates using the /29 directly on the WAN via the switch.
I assume the main PPPoE WAN connection is working as expected?
Is the /29 routed to you via some other public IP or supplied directly on the WAN?
Steve
-
I'll try it in the morning since I got no energy to go into the loft and move cables again but...
I guess move WAN to mvneta1 if PPPoE still works (Switch ports) with the other 3 Pis with public IPs... and forget the bridging crap. lol
I only really need 3 of the 5 IPs. So WAN and 3 public IPs via the switch and I guess put the AREDN stuff on the OPT (mvneta0)
Just means a trip to the loft to move cables again! :(
-
Nope, if you're using a PPPoE WAN connection you cannot use the switch on WAN directly.
What you can do here depends on how your ISP is providing the /29 to you. Since it looks like you're in the UK I'd guess they are providing the /29 directly on the PPPoE and not routing it via some other IP?
If so that limits what can be done.