Date: 2020-12-04

An ER-X has a managed switch which runs its eth1-3 ports. The ER-X CPU and routing hardware have only two Ethernet ports. Eth0 is one of them, and should always be used as the WAN port. The other CPU Ethernet port is connected to the managed switch alongside the eth1-3 external Ethernet ports. You use the VLAN settings of the managed switch to set up the ports so that they can be on the same or different VLANs for whatever network you are designing. So if you are not already using all the ER-X switch ports, you just need to set up one of them for the rental studio connection that is on a separate VLAN from the CPU switch port and is firewalled so that it cannot access any of the other ports except the WAN port. And your network connected to the other ethx port(s) should be firewalled so that it has no access to the rental studio connection.

So a suggested setup would be:

eth0 = WAN

eth1 = your home network, VLAN 100 - connected to your switch

eth2 = unused?, your home network, VLAN 100 - could be used to connect something directly to the ER-X instead of to your switch

eth3 = VLAN 101 - connected to the rental studio

In your firewall, VLAN 100 and VLAN 101 should not be able to talk to each other, but both should talk to WAN.

The ER-X switch setup would have:

CPU switch port: VLAN 100 and VLAN 101 both passing through unchanged (no VLAN tags added or deleted).

eth1 switch port: VLAN 100, VLAN tag removed

eth2 switch port: VLAN 100, VLAN tag removed

eth3 switch port: VLAN 101, VLAN tag removed
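
The switch layout described above, modeled as an added example that is not part of the original post: a small Python simulation of the port/VLAN table that checks the studio port is isolated at layer 2 and flags a misconfiguration. The port table, function names, and the ingress-filtering rule (tagged frames accepted only where that VLAN is configured as tagged) are assumptions of this model, not ER-X firmware behaviour; routed isolation between VLAN 100 and VLAN 101 still depends on the firewall rules.

```python
import copy

# Constructed model of the layout in the post. Per port: the VLAN assigned to
# untagged ingress (pvid), VLANs sent with the tag removed, VLANs sent tagged.
PORTS = {
    "cpu":  {"pvid": None, "untagged": set(), "tagged": {100, 101}},
    "eth1": {"pvid": 100,  "untagged": {100}, "tagged": set()},
    "eth2": {"pvid": 100,  "untagged": {100}, "tagged": set()},
    "eth3": {"pvid": 101,  "untagged": {101}, "tagged": set()},
}

def switch_forward(ports, ingress, tag=None):
    """Return {egress_port: tag_on_wire} for a broadcast frame entering `ingress`.

    tag_on_wire is the VLAN ID if the frame leaves tagged, None if untagged.
    """
    cfg = ports[ingress]
    if tag is None:
        vlan = cfg["pvid"]        # untagged frame: classify by the port's pvid
    elif tag in cfg["tagged"]:
        vlan = tag                # tagged frame on a port that carries that VLAN
    else:
        return {}                 # model assumption: ingress filtering drops it
    if vlan is None:
        return {}                 # untagged frame on a port with no pvid
    out = {}
    for name, port in ports.items():
        if name == ingress:
            continue
        if vlan in port["tagged"]:
            out[name] = vlan      # tag passes through unchanged (CPU port)
        elif vlan in port["untagged"]:
            out[name] = None      # tag removed on egress (eth1-3)
    return out

def l2_leaks(ports, isolated="eth3", cpu="cpu"):
    """List external ports that can exchange frames with `isolated` at layer 2."""
    leaks = set()
    for name in ports:
        if name in (isolated, cpu):
            continue
        if isolated in switch_forward(ports, name) or name in switch_forward(ports, isolated):
            leaks.add(name)
    return sorted(leaks)

if __name__ == "__main__":
    print("studio frame goes to:", switch_forward(PORTS, "eth3"))
    print("layer-2 leaks:", l2_leaks(PORTS))
    bad = copy.deepcopy(PORTS)    # constructed mistake: studio port left on VLAN 100
    bad["eth3"].update(pvid=100, untagged={100})
    print("leaks with eth3 on VLAN 100:", l2_leaks(bad))
```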