Can a physical interface be added to two different bridges?

For example, the current bridge configuration is as follows:
    bridge name     bridge id               STP enabled     interfaces
    br-lan          7fff.40d63cdb8962       no              eth0.1
                                                            eth0.2
                                                            wlan0
Can I still create a bridge br0 that includes eth0.1 and eth0.2?

No, each interface can only be in one bridge. VLAN instances are separate interfaces though; that is, eth0.1 and eth0.2 are separate.

What are you trying to do? Why not move eth0.2 into the existing br-lan so it is with eth0.1? Or (this seems like it is a swconfig device) just reconfigure the switch.

I want to add eth0.1 and eth0.2 to br-lan by configuring two bridge interfaces. The br-lan address is configured as 192.168.1.1; then add eth0.1 and eth0.2 to br0 as well, configure the address 192.168.2.1 for br0, and achieve the result that the address of br-lan can be modified to any network segment, but the address of br0 cannot be modified.

This would defeat the entire purpose of VLANs and would merge the two networks in an uncontrolled and unpredictable manner.

In plain words, what are you trying to achieve (end result, at the network + port level; don't worry about how the bridges will come together).


I want to implement a feature where the LAN port address of OpenWRT can be modified no matter what, and I can access the device through the pre-set interface. For example, eth0.1 and eth0.2 can be added to br-lan, and the address of br-lan can be changed to any network segment, such as 192.168.1.1 or 192.168.3.1. But at the same time, eth0.1 and eth0.2 are added to br0, which is set to 192.168.2.1 and cannot be modified. No matter what network segment address br-lan is modified to, I can access 192.168.2.1 from the LAN port.

This doesn't make any sense -- it's not how OpenWrt (and bridges in general) work.

Well, for starters, it's wrong to add these two VLANs to the same bridge. As I said before, it defeats the purpose of VLANs entirely. It's like spending effort to separate your trash into recycling, compost, and general garbage and then dumping them all into the same truck for them to mix back together again.

Next, the bridge is not what holds the address. The network interface has an address -- it is an L3 interface, whereas the bridge is an L2 construct which doesn't have a purpose for an address. So when you say that you can't modify the address of the bridge, it doesn't quite make sense.

Finally, I'm not sure how you're trying to change the address, but it absolutely can be changed. There are some guardrails to prevent people from getting locked out. Take a look at this quick page which describes the correct way to change the address of an interface.

I don't understand what you're trying to do here and what you're expecting to happen.

Previously, I asked what you wanted to happen on an interface and port level. Not the bridge. I was hoping for more specifics like (just making this up):

  • Port 1 - backup management port
  • Port 2 - 192.168.2.0/24 subnet
  • Port 3 - 192.168.3.0/24 subnet
  • Port 4 - some other subnet that may be changed at any time.

Back to this...

  1. What exactly do you mean "no matter what," and under what circumstances do you expect to be changing the lan address? Generally speaking, this isn't something you want to randomly change... it can be done, of course, but it can create headaches if you have a moderate to large network (devices will not have connectivity and the like until they get an address on the new subnet).
  2. When you say "pre-set interface" -- are you talking about a physical port? Or something else? Often, people who need a failsafe method to access their router will set aside one physical port that they know they can always use to connect to the router and administer it.

So... can you try to better explain the broad-strokes intent and topology you want to achieve?


Example config from a pre-DSA device:

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.1'
	option device 'br-lan' #<--- note what's numbered

Are you doing this for tagging purposes (there's a recommended solution for this) - or another reason?

If you insist on this config - this statement is unclear. You would only configure an address for the bridge once they're added.


I just want to solve a problem: any OpenWRT device has a fixed management address that can be accessed from a specified LAN member interface or all LAN interfaces. This way, even if the LAN address is changed by someone, I can still use this fixed management address to access the OpenWRT device without knowing it.

Make a second network, and all will be fine. By default, the router will listen at that address for inbound web or ssh connections. This will mean that the router will be accessible at that address unless the network to which it is connected has a firewall input rule set to drop or reject.

Who else do you expect to be changing the address?


How do I make a second network?

Besides myself, other members of the laboratory also modify the LAN IP address (br-lan) of the router.

You can have multiple addresses on one interface. The only security this offers is obscurity though. If someone on the lan knows that there are other IPs besides the DHCP advertised one, they can reach the router.

To add an additional address, create an aliased interface.

config interface 'lan_adm'
    option device '@lan'
    option proto 'static'
    option ipaddr '192.168.2.1/24'

This IP will be reachable through the same L2 paths (Ethernet, wifi, etc.) as lan. It also has the same firewall permissions as lan.

For actual security you need to create a separate isolated L2 path such as eth0.3 which is switched to a dedicated port, or a separate wifi AP interface with a password that only authorized administrators know.
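Added example, not code from the thread or from OpenWrt itself: a small UCI-stanza audit in Python that makes the difference between an '@lan' alias (same L2 path and firewall zone as lan, so obscurity only) and a dedicated VLAN interface such as eth0.3 visible, and applies the earlier point that the address is only reachable if its zone's input policy accepts. The sample network and firewall stanzas are constructed, and the zone default of DROP when input is unset is assumed from fw3/fw4 behaviour.

```python
# Added example (not from the thread): audit UCI network + firewall stanzas and
# report, per interface, its L2 device, which interfaces share that L2 path ('@lan'
# aliases share br-lan: obscurity only) and whether its zone accepts inbound traffic.
import shlex
NETWORK_CONFIG = """
config interface 'lan'
    option device 'br-lan'
    option ipaddr '192.168.1.1'
config interface 'lan_adm'
    option device '@lan'
    option ipaddr '192.168.2.1/24'
config interface 'mgmt'
    option device 'eth0.3'
    option ipaddr '192.168.9.1/24'
"""  # constructed sample; lan_adm mirrors the alias config posted above
FIREWALL_CONFIG = """
config zone
    option name 'lan'
    list network 'lan'
    list network 'lan_adm'
    option input 'ACCEPT'
config zone
    option name 'mgmt'
    list network 'mgmt'
"""  # constructed sample; zone 'mgmt' leaves input unset (fw3/fw4 default DROP)

def parse_uci(text):  # -> [(type, name, {key: [values]})]; 'list' keys accumulate
    sections = []
    for parts in (shlex.split(line) for line in text.splitlines()):
        if parts and parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts and parts[0] in ("option", "list") and sections:
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections

def audit(network_text, firewall_text):
    ifaces = {n: o for t, n, o in parse_uci(network_text) if t == "interface"}
    zone_by_net = {}  # network name -> the firewall zone section that lists it
    for t, _, o in parse_uci(firewall_text):
        if t == "zone":
            zone_by_net.update({net: o for net in o.get("network", [])})
    dev = {n: o.get("device", [""])[0] for n, o in ifaces.items()}
    l2 = {n: dev[d[1:]] if d.startswith("@") else d for n, d in dev.items()}  # one-level '@parent' alias
    report = {}
    for name in ifaces:
        zone = zone_by_net.get(name)
        report[name] = {"l2": l2[name], "zone": zone and zone["name"][0],
            "shares_l2_with": sorted(n for n in ifaces if n != name and l2[n] == l2[name]),
            "input_accepted": bool(zone) and zone.get("input", ["DROP"])[0] == "ACCEPT"}
    return report
```

Running `audit(NETWORK_CONFIG, FIREWALL_CONFIG)` shows lan_adm sharing br-lan with lan in the same ACCEPT zone, while mgmt sits alone on eth0.3 and is not reachable until its zone gets an input rule.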

Wait till someone shows you ipv6 link local addresses....
Or just configure a dedicated management interface like multiple people already suggested it...

My two cents:

  • If somebody can change the router's LAN address, they can also change the management address.
  • Normally, the router's address is the gateway / DNS announced by the DHCP server.

It seems to me that we are focusing on a convoluted solution for a problem that is somewhere else...

I completely agree with this sentiment. They could even change the management password!

This boils down to a simple question: do you trust that all the people who will have access to administer this router will do so in good faith? That is to say that if they are making changes, they will never be intending to lock others out or do anything that is otherwise malicious in nature? And, beyond that, will they be knowledgeable enough about networking in general and OpenWrt specifically to have a low likelihood of misconfiguring the router as to obviate any "management" connection methods you setup?

This was another thing I was thinking, and I agree here, too. You don't necessarily need a dedicated management address in most cases, since you can easily figure out what the router's address is by looking at the DHCP supplied information on a client machine.

Let's take a few steps back -- what is the purpose of this router? Why will users be changing its configuration? And can those users be trusted?

Another option to consider would be to use a device that offers a local keyboard & display (like a Pi or other SBC, or an x86 system) -- then you don't need to know the address, just the password.


This seems to be the solution I'm looking for, but I set it up on OpenWrt 18.06 and it didn't take effect. Is the setting method different for 18.06?

Woah... that's old. 18.06 has been EOL and unsupported for many years. It has many known security vulnerabilities. You should be using a modern release -- 23.05 is the currently supported version.
