Bridge between LANs _only_wired_

Hi all.

I want a public LAN and a private one. It is a security-privacy measure. I don’t want, for example, that the surveillance cameras might be hacked.
So this is the sketch of what I want to achieve:
[Image: Pub priv networks]

I think it is possible to plug the eth0 WAN port into one network (say 192.168.x) and plug the eth1 LAN port into another network (192.168.2.x).
My GL.Inet GL-MTN300-V2 will do the DHCP server for 192.168.2.x and it will be the gateway for that LAN.
Can it do some port filtering? In the beginning I imagined using an old Raspberry, but then I figured out that this device has been made just for this kind of job.

From what I read in the past threads it should be possible (besides the fact that they are focused on wifi->wired, while I don’t want wifi at all), but how?

Thanks for any help

The device can do that, but configuring it to do that will be fun! You have to re-do the firewall rules and possibly disable NAT/Masquerade.

Can you create static routes on your modem? In case you can, you can disable NAT/Masquerade. Otherwise you will be doing port-forwarding on the GL-inet for the devices in 192.168.2.x.

Thanks for the prompt reply.

> Can you create static routes on your modem

No, I just checked; the modem can just create static reserved IP based on the MAC address but nothing about routes.

So I connect the WAN cable port to the 192.168.1.x switch and the LAN cable port to the 192.168.8.x switch (from now on it is useless to call the private network 192.168.2.x, just leave it as it is).

  1. Then I have to configure the modem to do a virtual server for port 80 to the GL’s IP in the network 192.168.1.x and then set the GL to port-forward port 80 to what? Several machines use port 80, but I can do port-forwarding to just one.
  2. Postgres replies on port 5432 will be on a different machine, but there is only a postgres server, so it is not a problem with port-forwarding.
  3. How to deal with port 22? Does it have to do port-forwarding only from my local static IP?

> You have to re-do the firewall rules

How to do that? I guess that this answer will answer questions 1-3, too.

Am I on the right track?

I couldn’t give you the correct answer before I knew if NAT would be enabled or not.

Given it is enabled you will need to do the port-forwarding section: https://docs.gl-inet.com/en/3/setup/mini_router/firewall/

You can only route 1 external port once. So if you have devices 192.168.2.2 and 192.168.2.3 both needing port 80, you can only have 1 of them on external port 80.
The port forwarding for this could be:

Rule #1:
Internal IP: 192.168.2.2
External Ports: 80
Internal Ports: 80

Rule #2:
Internal IP: 192.168.2.3
External Ports: 81
Internal Ports: 80

This way 192.168.2.2:80 is reachable on 192.168.1.X:80 and 192.168.2.3:80 is reachable on 192.168.1.X:81 (X being the IP given to the GL Inet). Same would apply to port 22. You gotta pick another port and remap it to 22.

The restricting of access can only be done under the “advanced GUI”: https://docs.gl-inet.com/en/3/setup/mini_router/more_settings/#advanced

In the advanced GUI under Network -> Firewall -> Tab “Traffic rules” you can set up rules which block all traffic except traffic coming from the allowed IPs. Be careful with the firewall rules, you can block more than you might want! The order of the rules is important! Allow then block, not block and never reach allow.
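The port remapping and the rule-order warning from the reply above, as an added example that is not part of any poster's message and not GL.iNet code: a simplified first-match model of the forwards plus an "allow then block" rule pair. The SSH external port 2222, the admin address 192.168.1.50 and the accept-by-default fallback are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network

# External port on the GL.iNet WAN side -> (internal IP, internal port).
# Rules #1 and #2 are from the thread; the SSH remap is a constructed value.
FORWARDS = {
    80: ("192.168.2.2", 80),
    81: ("192.168.2.3", 80),
    2222: ("192.168.2.2", 22),
}
ADMIN = "192.168.1.50/32"  # hypothetical static IP allowed to reach SSH

# Each rule: (action, source network, external port). First match wins.
ALLOW_THEN_BLOCK = [
    ("ACCEPT", ADMIN, 2222),
    ("DROP", "0.0.0.0/0", 2222),
]
BLOCK_THEN_ALLOW = list(reversed(ALLOW_THEN_BLOCK))  # the ordering mistake


def first_match(rules, src, ext_port):
    """Return the action of the first rule matching source and port."""
    for action, net, port in rules:
        if port == ext_port and ip_address(src) in ip_network(net):
            return action
    return "ACCEPT"  # assumed fallback: forwarded ports with no rule are open


def route(rules, src, ext_port):
    """Return the internal (ip, port) a connection reaches, or None."""
    if ext_port not in FORWARDS:
        return None  # no forward defined, nothing behind this port
    if first_match(rules, src, ext_port) != "ACCEPT":
        return None  # dropped by a traffic rule
    return FORWARDS[ext_port]


if __name__ == "__main__":
    for name, rules in (("allow->block", ALLOW_THEN_BLOCK),
                        ("block->allow", BLOCK_THEN_ALLOW)):
        print(name,
              "admin ssh:", route(rules, "192.168.1.50", 2222),
              "| other ssh:", route(rules, "192.168.1.77", 2222),
              "| web :81:", route(rules, "192.168.1.77", 81))
```

With the rules reversed, the catch-all DROP matches first and the admin address loses SSH access as well, which is the lock-out the reply warns about.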

It looks too easy to be real :slight_smile:

On Monday the electricians will come: until then I can’t do anything.

I’ll write again in a few days; in the meantime: thanks