'bridge' interface by default on WRT1900ACS

Hi all,

Maybe the question is a bit silly, but I do not really understand why, by default, a bridge interface is created with only one physical interface on it. I use LEDE on a WRT1900ACS and the network configuration of the 'lan' interface looks like this:

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

Is there any good reason for having a bridge interface which comprises only one interface, in my case 'eth0'? eth0 actually has 4 physical ports and they are all bound together by VLAN. What is the reason to have it in the bridge config? I could easily remove it, but I was wondering if there was any hidden reason behind that. I haven't really found any good explanation of this in the official documentation. Any ideas?

1 Like

Yes, there is a good reason: when the wireless interface is fired up, it will be attached to that bridge.

3 Likes

That bothered me as well. At least as I now understand it, if you're going to bridge over an interface, you can't also assign an address to that interface in Linux. You have to assign it to the pseudo-interface of the bridge.

If I've got an interface that I'm not going to bridge, then yes, it works fine by assigning the address to the interface itself. That's how I handle my management interface.

Ok, it makes sense then. I never use LAN and WiFi in bridged mode, so it means that I just need to remove the 'bridge' option from eth0. I always route packets between LAN and WiFi.

Out of curiosity what is your reason for this?

It is due to the non-standard setup I use. I do not have LAN wires going all over the apartment, so all equipment is using WiFi. On the other hand, I have a NAS server connected to the LAN (a different subnet than WiFi) and I want to have only restricted access to it. Only the SMB protocol and SSH, nothing more. So, it is easier with routing. I could of course use a 'bridge' firewall to filter packets to it, but I thought routing is the more 'correct' way. I do not really want to use a firewall on a bridge. For me a bridge is something where everything is allowed between bridged ports. That's why I chose a different subnet and routed packets to the LAN.

I guess the more usual way would be to set up a VLAN for the NAS and other security-sensitive devices. Then you can bridge regular LAN + WiFi and just have the security-sensitive stuff on a separate VLAN with routing. Still, it's not wrong to do it your way, just maybe less usual.

1 Like
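The VLAN layout suggested in the post above, written out as UCI config (an added example, not taken from the thread or from LEDE's defaults): the 'lan' bridge keeps eth0 so wireless can join it, the NAS sits on its own routed VLAN interface, and the firewall only lets SMB and SSH cross from lan into the NAS zone. The switch port numbers, VLAN id 3 and the 192.168.3.0/24 subnet are assumptions, not values from the thread.

```uci
# /etc/config/network  (added example; switch port numbers are assumptions)

# The default bridge: eth0 carries untagged LAN traffic and wireless joins it later.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

# A routed, non-bridged interface for the NAS on VLAN 3 (eth0.3). No 'type bridge':
# nothing else is meant to be attached to it, and the address lives on eth0.3 itself.
config interface 'nas'
	option ifname 'eth0.3'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

# Assumed switch layout: LAN ports 0-2 stay in VLAN 1, port 3 is moved to VLAN 3,
# and port 5 is the CPU port behind eth0, so it is tagged ('t') in both VLANs.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 5t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '3 5t'

# /etc/config/firewall

# Separate zone for the NAS: nothing is forwarded into or out of it by default.
config zone
	option name 'nas'
	option network 'nas'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The only traffic allowed from the lan zone into the nas zone: SSH (tcp/22) and SMB (tcp/445).
# Anything else hits the zone's REJECT policy, so this is the routed equivalent of
# "only SMB and SSH" without filtering on a bridge.
config rule
	option name 'Allow-LAN-to-NAS-SSH-SMB'
	option src 'lan'
	option dest 'nas'
	option proto 'tcp'
	option dest_port '22 445'
	option target 'ACCEPT'
```

Apply with `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, then confirm from a WiFi client that tcp/445 and tcp/22 to the NAS address answer and other ports are rejected.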

That's effectively the way I handle it on my router -- it, along with the internal firewall, decides which subnets/prefixes have access to each other, to local services, and to the outside world, not my APs.

I like the solution proposed using VLANs. I guess I do it my way just because the LAN is not used for anything else. Otherwise the VLAN approach would be the only solution.

1 Like