These posts have lived rent free in my head all Saturday.
OK?...
Which puts your 'LAN' upstream of the router's WAN port, as confirmed by your own network diagram and directly contradicting your first claim. Your diagram clearly shows your WiFi and other LAN clients connected over the MoCA backhaul to the L2 switch, to which your router is also connected via its WAN port. If your LAN devices are plugged into the unmanaged L2 switch, and the router's WAN port is also plugged into the switch, you've completely flattened the layer 2 network (ISP/ONT, LAN and 'WAN') into one single broadcast domain. You have also, then, contrary to your assertion, put the LAN devices on the router's WAN side.
Assuming your EE Hub even allows RFC1918 traffic on the WAN interface, and will permit DHCP and NAT to be run via WAN (which I've never seen?), you'd still need either the switch to be a managed layer 3 switch (to tag LAN traffic on its own VLAN, and/or to act as an L3 router) or else to assign a logical subinterface on the router's physical WAN interface, separate from the ppp0 subinterface, to allow the router to then serve DHCP, SNAT and DNAT to the 'LAN' subnet via ARP with the firewall turned off (or otherwise configured to allow bogons/martians).
Even in that case, with the completely flat broadcast domain you're flooding the fully flat network with ARP/broadcast traffic (including the ONT and ISP), and you're going to experience PPPoE drops and likely a MAC ban for abuse from the Openreach side. You're also leaving your local devices wide open to sniffing, malware can easily own your entire network, and they are directly exposed to WAN independent of the 'sideways' connected router and firewall device. Running router-on-a-stick will also cut the port's physical throughput as traffic travels through it twice, defeating the multigig objective. So yes, there's definitely some confusion here.
- Can you confirm your switch is definitely an unmanaged L2 switch with no VLAN tagging or other L3 features?
- What OS is your router running, and how have you configured DHCP and NAT to run via the physical WAN interface (which is what you have connected to the switch, and by extension both your MoCA LAN links/clients and the ONT/ISP)?
- Are you assigning static addresses to the 'LAN' clients manually, relying on link-local addressing, or otherwise running DHCP and NAT through the physical WAN if via the switch - which is also directly interfaced to the wider Internet?
We know similar setups are technically feasible (albeit with VLAN tagging and router-on-a-stick topology), but on a standard EE router with a dumb L2 switch, no logical subinterfaces and no ability to set a secondary RFC1918 subnet? Help us understand your physical, logical and routing setup because this doesn't make sense. And yes, I also asked AI (Grok and Gemini) and both agree with @ChrisD. and me.
This I don't understand. You're using the right words but how you're saying them doesn't make sense. You just described a collapsed core network but your own topology is anything but.
Enterprises aren't running L2 switches at the network edge, which is what you're physically describing. Edge routers sit at the edge of each (sub)network and core routers sit at the core of the larger overarching network (depending on which network topology you're actually using - usually collapsed core in resi or SMB environments). Core switches sit at the core of the (local) network, behind their edge (or core) router, and have access switches sub-connected to them in turn. So of course as we zoom out the topology, ISPs and larger campuses will have core routers above each of the edge routers, but that's 'turtles all the way down' and it still starts and ends with a router. If you can forget about ChatGPT for a moment and simply break down your logical setup and the overarching topology (i.e. the network architecture and the way you've engineered it) we might understand. As it stands, nothing you said makes sense.
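The flattening described in the reply above, as an added example that is not part of this thread: a small Python model that computes layer 2 broadcast domains from a list of links and flags any LAN host sharing one with the ONT or the router's WAN port, for the unmanaged-switch topology and for the VLAN-tagged router-on-a-stick alternative. The device names, VLAN ids 10/20 and link lists are constructed for illustration.

```python
from collections import defaultdict

# Constructed model (not from the thread). A link is (iface_a, iface_b, vlan). Switches,
# MoCA adapters and Wi-Fi APs bridge, so each is one node; a router does not bridge, so its
# WAN and LAN sides are separate nodes. An unmanaged switch passes everything untagged,
# modelled here as VLAN 1 on every link.
def broadcast_domains(links):
    """Return one set of node names per layer 2 broadcast domain (same VLAN, joined only
    by bridging nodes), found by walking (node, vlan) endpoints."""
    adj = defaultdict(set)
    for a, b, vlan in links:
        adj[(a, vlan)].add((b, vlan))
        adj[(b, vlan)].add((a, vlan))
    seen, domains = set(), []
    for start in adj:
        if start in seen:
            continue
        stack, domain = [start], set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            domain.add(node[0])
            stack.extend(adj[node])
        domains.append(domain)
    return domains

def exposed_lan_hosts(links, lan_hosts, wan_side=("ont", "router:wan")):
    """LAN hosts that sit in the same broadcast domain as the ISP-facing side."""
    exposed = set()
    for domain in broadcast_domains(links):
        if domain & set(wan_side):
            exposed |= domain & set(lan_hosts)
    return exposed

LAN_HOSTS = {"nas", "laptop"}
# Topology as the reply describes it: ONT, router WAN port and MoCA backhaul all on one
# unmanaged switch. Every LAN host ends up upstream of the router, beside the ONT.
FLAT_LINKS = [("ont", "switch", 1), ("router:wan", "switch", 1),
              ("moca_a", "switch", 1), ("nas", "moca_a", 1),
              ("moca_b", "switch", 1), ("wifi_ap", "moca_b", 1), ("laptop", "wifi_ap", 1)]

# Router-on-a-stick on a managed switch: ISP side on VLAN 10, LAN on VLAN 20, the router's
# one physical port carrying both tags as separate subinterfaces that it routes between.
VLAN_LINKS = [("ont", "switch", 10), ("router:wan", "switch", 10),
              ("router:lan", "switch", 20),
              ("moca_a", "switch", 20), ("nas", "moca_a", 20),
              ("moca_b", "switch", 20), ("wifi_ap", "moca_b", 20), ("laptop", "wifi_ap", 20)]
```

With the flat link list every LAN host is reported as exposed; with the VLAN list the ISP side and the LAN end up in two separate domains joined only through the router.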