Surely you mean between the router and all devices? You should not be using a traditional switch between ONT and router.
1gbs router on a 2.5gbs network?
- Thread starter vian_siu
- Start date
- Status
Surely you mean between the router and all devices? You should not be using a traditional switch between ONT and router.
Associate
- Joined
- 18 Oct 2025
- Posts
- 37
- Location
- East Ayrshire
That's wrong, all LAN devices should be on the LAN side of your router, and not exposed to the WAN side at all.
ONT > Router > LAN stuff (including switch). Anything on the same network will talk to each other at 2.5 Gbps through the switch, the only time traffic hits the router's interface is talking to the WAN, or talking to another VLAN if you have multiple.
Unless you've got a managed switch and use it as a WAN switch, the router (more specifically the firewall/NAT portion of it) should always be the boundary between WAN and LAN traffic.
Last edited:
Associate
- Joined
- 18 Oct 2025
- Posts
- 37
- Location
- East Ayrshire
Why?
Because that's how networks should operate. Exposing LAN traffic to the WAN side is a security issue and may actually cause network issues.
Associate
- Joined
- 18 Oct 2025
- Posts
- 37
- Location
- East Ayrshire
If anything it has improved my network. PS5 ping is now 14 when it was 17-20. iPhone 16 is recording 1600 on WiFi more regularly rather than 1200-1300.
Associate
- Joined
- 18 Oct 2025
- Posts
- 37
- Location
- East Ayrshire
The switch is only passing the WAN VLAN from the ONT to the router — no LAN devices are connected on the WAN side. The router still handles NAT, DHCP and firewall. The switch just acts as a pass-through/multiplexer for my MoCA backhaul and multi-gig links before the router.
I don't even know how it's working, the router should have a WAN port and a LAN port (or multiple, depending on the model). The WAN would go into the ONT, the LAN into a switch or devices. Unless you have dedicated WAN and LAN VLANs set up on the switch it doesn't make any sense to me. Even then there is zero benefit in doing it this way versus industry accepted methods. WAN switches make sense in specific use cases, and a traditional home network is not such a use case.
Associate
- Joined
- 18 Oct 2025
- Posts
- 37
- Location
- East Ayrshire
I think there’s some confusion.
There are no LAN devices on the WAN side at all.
It’s simply:
ONT → (dumb unmanaged) switch → WAN port of router
The switch is only aggregating physical links (including MoCA backhaul runs) before the router. It’s not routing, doing DHCP, or exposing LAN devices. Only the router pulls the PPPoE/DHCP session from the ONT.
In other words, the switch is acting like a media converter/patch panel before the firewall — not replacing it.
Router still does:
NAT
Firewall
DHCP
LAN/WAN separation
This is actually a common approach in structured networks when the router needs to sit elsewhere or when multiple uplinks need to feed back to the same point.
There are no LAN devices on the WAN side at all.
It’s simply:
ONT → (dumb unmanaged) switch → WAN port of router
The switch is only aggregating physical links (including MoCA backhaul runs) before the router. It’s not routing, doing DHCP, or exposing LAN devices. Only the router pulls the PPPoE/DHCP session from the ONT.
In other words, the switch is acting like a media converter/patch panel before the firewall — not replacing it.
Router still does:
NAT
Firewall
DHCP
LAN/WAN separation
This is actually a common approach in structured networks when the router needs to sit elsewhere or when multiple uplinks need to feed back to the same point.
Last edited:
Associate
- Joined
- 18 Oct 2025
- Posts
- 37
- Location
- East Ayrshire
The router WAN port is 2.5G, but all the LAN ports on it are only 1G. So if I connected the MoCA and internal backhaul to the router LAN ports, the entire internal network would be limited to a theoretical 1 Gbps (though the EE tech is bit smarter than that).
By putting a multi-gig switch before the router (WAN side only), I solve two things:
• The router still handles PPPoE/NAT/firewall/DHCP as normal
• All internal LAN traffic (MoCA 2.5G, WiFi 7 AP backhaul, 2.5G/10G switches, etc.) runs at full multi-gig speed without ever touching the 1G LAN ports on the router
This is a standard structured/multi-gig design. The switch isn’t routing — it’s just aggregating physical links at full speed before handing WAN traffic to the router.
I’ll see if I can get ChatGPT to do me a drawing.
By putting a multi-gig switch before the router (WAN side only), I solve two things:
• The router still handles PPPoE/NAT/firewall/DHCP as normal
• All internal LAN traffic (MoCA 2.5G, WiFi 7 AP backhaul, 2.5G/10G switches, etc.) runs at full multi-gig speed without ever touching the 1G LAN ports on the router
This is a standard structured/multi-gig design. The switch isn’t routing — it’s just aggregating physical links at full speed before handing WAN traffic to the router.
I’ll see if I can get ChatGPT to do me a drawing.
Associate
- Joined
- 18 Oct 2025
- Posts
- 37
- Location
- East Ayrshire
Code:
INTERNET
|
[ Openreach ONT ]
|
(2.5G / 10G Ethernet)
|
┌──────────────────────────┐
│ Core Multi-Gig Switch #1 │ <— L2 aggregator
│ (4×2.5G + 2×10G) │
└──────────────────────────┘
| |
| +--> [ EE Router ]
| (WAN 2.5G in, LAN ports unused)
| ^
| | Router does:
| | NAT / Firewall / DHCP
|
+--> [ MoCA 2.5 adapter ]
(on core switch; LAN traffic)
(coax split)
_______/ \_______
/ \
[ EE Wi-Fi 7 Satellite ] [ Charlie’s Room Switch ]
(Back-Door; MoCA BH) |
| +--> Charlie’s PC/Laptop
[ Back-Door Local Switch ]
|
(Cat6a uplink)
|
[ EE Wi-Fi 7 Satellite ]
(Garage/Annexe; Cat6a BH)
|
[ Garage/Annexe Switch ]
|
PS5
Notes:
• Router LAN ports are intentionally unused to avoid 1G bottleneck.
• Multi-gig LAN↔LAN stays on the switch fabric (2.5G/10G).
• Wi-Fi >1G works because satellites use MoCA/Cat6a backhaul and internal multi-gig backplane.
• Router only handles WAN↔LAN (NAT/Firewall/DHCP), not LAN↔LAN.
• Total switches:
#1 Core (near ONT)
#2 Back-Door local switch
#3 Garage/Annexe switch
#4 Charlie’s room switch
Last edited:
No, they won't. That's not how networking works.
If you have:
ONT <> Router <> 2.5 GbE switch <> clients. The clients all share the same L2 network (or broadcast domain/subnet if you will). Typically 192.168.1.0/24 or similar. All of the clients on the 192.168.1.0/24 network will talk to each other at 2.5 GbE speed if they have a 2.5 GbE LAN port. The only time the clients reduce their speed to 1 Gbps is:
1) they talk to a device on another VLAN, ie 10.0.0.0/24 (because this traffic will be routed through your router's 1 GbE interface)
2) they talk to a device which only has a 1 GbE port
3) they talk to the internet (if your router has a 1 GbE LAN port
If the EE hub (or whatever terrible name they've given it) has a 2.5 GbE LAN port then the devices can talk >1Gbps. The Smart Hub Pro has 4x 2.5 GbE LAN ports and is provided with EE's 1.6 Gbps FTTP tier.
What I suspect is happening in your case is your devices hanging off the 2.5 GbE switch are talking to the internet over IPv6 but I still don't fully understand how that would work because EE uses PPPoE authentication which your router provides. But since that's not got anything off it's LAN ports I don't get how your LAN devices are able to talk to the internet.
While you're on ChatGPT, ask it if putting an unmanaged switch in between your ONT and router is a good idea when LAN clients are on it.
Associate
- Joined
- 18 Oct 2025
- Posts
- 37
- Location
- East Ayrshire
I did. ChatGPT says it’s fine in this case.
Associate
- Joined
- 18 Oct 2025
- Posts
- 37
- Location
- East Ayrshire
Chat GPT says.
“
“Putting an unmanaged multi-gig switch between the ONT and the router WAN is a valid design as long as:
In fact, this design is common in structured and multi-gig networks because it avoids the 1 Gbps bottleneck of consumer router LAN ports. The core switch becomes the high-speed fabric, and the router remains the security boundary. This is essentially a ‘router-on-a-stick’ design with a multi-gig core.”
“
“Putting an unmanaged multi-gig switch between the ONT and the router WAN is a valid design as long as:
- The router still handles PPPoE/DHCP and gets the public IP
- No LAN devices bypass the router’s firewall/NAT
- The switch is only acting as a Layer 2 aggregator
In fact, this design is common in structured and multi-gig networks because it avoids the 1 Gbps bottleneck of consumer router LAN ports. The core switch becomes the high-speed fabric, and the router remains the security boundary. This is essentially a ‘router-on-a-stick’ design with a multi-gig core.”
Associate
- Joined
- 18 Oct 2025
- Posts
- 37
- Location
- East Ayrshire
You told me to ask it and, now that you don’t like the answer, it’s wrong.
We’ll agree to disagree.
Last edited:
Associate
- Joined
- 2 Sep 2013
- Posts
- 2,334
I think I've read/heard of devices that can run it's services across the WAN port instead of over it's LAN port connections, but from what I remember my quick perusal of such info, it suggested that only specific types of devices (usually higher end business models) have such functionality.
Are you saying the EE devices is capable of this natively?
Are you saying the EE devices is capable of this natively?
It's hurting my head thinking about this still don't get what it fixes.
I'm with Chris on this one the 2.5gb switch LAN side is the correct way to set it up. Any 2.5gb devices will communicate at 2.5gb as long as they are on the same VLAN.
I have a layer 3 switch so even my different VLANS only communicate via the switch and not the router.
Last edited:
Associate
- Joined
- 18 Oct 2025
- Posts
- 37
- Location
- East Ayrshire
Smart Hub Pro isn’t running LAN traffic “through” the WAN port – it still keeps WAN and LAN logically separate, as it should.
The key is understanding the internal design:
- The WAN port is connected to the router’s internal switching fabric at multi-gig speed (2.5 Gbps).
- The LAN ports are each 1 Gbps PHYs hanging off that same fabric.
- The Wi-Fi radios also connect to that internal fabric – and they’re multi-gig capable (1.6–3+ Gbps internally)
So even though the physical LAN ports are 1 Gb, the internal backplane is much faster, which is why Wi-Fi can exceed 1 Gb on the Pro.
In my setup:
Instead of forcing all backhaul through the 1 Gb LAN ports, I feed the backhaul (MoCA and Cat6a) into a multi-gig switch fabric first. The router still sits between WAN and LAN logically (handles PPPoE / NAT / firewall), but the LAN side never has to pass through the 1 Gb LAN ports on the router.
This is the same principle used in UniFi / MikroTik / pfSense / SMB routers:
- Router = gateway & firewall
- Switch = core network fabric
- Backhaul = multi-gig paths that avoid 1 Gb bottlenecks
The EE Smart Hub Pro just happens to have:
2.5 Gb WAN (good)
1 Gb LAN ports (theoretical bottleneck if used directly but not really in practice)
I just prefer to bypass the LAN ports and let the switch handle the LAN at full speed. I have tried it both ways, and the way I’m doing it now has had a very marginal improvement in my real world use.
TL;DR – The EE router isn’t doing anything wild, I just tried to design the network like an enterprise one:
Router = edge, Switch = core.
Most people treat the router as the core.
- Status