I created 4 VLANs on my fb4040; each VLAN provides its own IP subnet, and some firewall rules that I created keep the networks apart, e.g. my PC and guest devices. This is working, as far as I can tell. (Keeping fingers crossed…)
For each network device there is an option to turn it into a bridge, so that a physical network port is not connected to eth0.101 any more, but to br-lan, etc. I am sorry if my description does not use the correct terms, but I’m sure you will know what I mean.
Is there any advantage or disadvantage in turning the 4 virtual network devices into bridge devices? Any security issues I should know about?
If I understand this correctly, bridge mode is needed in any case as soon as I want to open a WiFi network with the same IP subnet as the wired network, so that WiFi and cabled devices on this network can see each other. Or did I misunderstand this part?
I’d be very thankful if someone with more knowledge than me could explain this issue to a non-professional network manager.
The switch part of the router directly forwards between bridge ports and VLANs with the help of DSA offload. If you take that out of the picture, the only path between ports is the router CPU.
bridge fdb | grep offload
AA:BB:CC:AA:BB:CC dev phy1-ap3 offload master br-lan
BB:CC:DD:EE:FF:GG dev eth4 offload master br-lan
I am still confused. I know 2 meanings of “DSA”: a German role-playing game and the “Digital Services Act”, another glorious smoke grenade to sell censorship to the people under another name that suggests security. But I guess neither one applies here, right?
This is built into the kernel as a way to make Ethernet switching hardware appear, in the abstract, to be a collection of independent named ports connected directly to the CPU. Thus it is not necessary to engage in "switch configuration" (swconfig). Building bridge(s) in the kernel should result in any available switch hardware being configured to actually switch packets in hardware whenever possible (i.e. LAN port to LAN port), offloading the CPU.
DSA only affects Ethernet. Switching from an Ethernet port to a WiFi AP for example is still done by software in the kernel.
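The two answers above boil down to a check you can run yourself: the `bridge fdb` output shows, per learned MAC address, which bridge port it sits behind and whether the kernel has pushed that forwarding entry down to the switch hardware (the `offload` flag). The script below is an added example and is not from this thread or from OpenWrt itself. It embeds a constructed sample of `bridge fdb show` output (made-up MAC addresses; port names lan1..lan3 and phy0-ap0/phy0-ap1 are assumed and will differ on your device) and sorts the ports of each bridge into the hardware-switched set and the CPU-forwarded set.

```shell
#!/bin/sh
# Added example, not from the thread: check which ports behind an OpenWrt
# bridge are actually switched in hardware (DSA offload) and which are
# forwarded in software by the CPU. Works on `bridge fdb show` output.

# Constructed sample of `bridge fdb show` output (MAC addresses made up).
# Port names lan1..lan3 and phy0-ap0/phy0-ap1 are assumed; yours may differ.
SAMPLE_FDB='00:11:22:33:44:55 dev lan1 offload master br-lan
00:11:22:33:44:66 dev lan2 offload master br-lan
00:11:22:33:44:77 dev phy0-ap0 master br-lan
00:11:22:33:44:88 dev lan3 offload master br-guest
00:11:22:33:44:99 dev phy0-ap1 master br-guest
33:33:00:00:00:01 dev br-lan self permanent
01:00:5e:00:00:01 dev lan1 self permanent'

# fdb_ports BRIDGE MODE
#   Reads fdb lines on stdin and prints, one per line, the unique ports of
#   BRIDGE whose learned entries carry the "offload" flag (MODE=offload)
#   or lack it (MODE=software). Entries without a "master" (the bridge's
#   own "self permanent" entries) are ignored.
fdb_ports() {
    awk -v br="$1" -v mode="$2" '
        $2 == "dev" {
            master = ""; off = 0
            # scan the flag/keyword fields after the port name
            for (i = 4; i <= NF; i++) {
                if ($i == "master") master = $(i + 1)
                if ($i == "offload") off = 1
            }
            if (master != br) next
            if (mode == "offload" && off) print $3
            if (mode == "software" && !off) print $3
        }' | sort -u
}

# sample_ports BRIDGE MODE: run fdb_ports over the embedded sample so the
# script can be exercised offline.
sample_ports() {
    printf '%s\n' "$SAMPLE_FDB" | fdb_ports "$1" "$2"
}

# report BRIDGE: human-readable summary for one bridge from the sample.
report() {
    printf '%s\n' "$1:"
    printf '  hardware (DSA offload): %s\n' "$(sample_ports "$1" offload | tr '\n' ' ')"
    printf '  software (CPU path):    %s\n' "$(sample_ports "$1" software | tr '\n' ' ')"
}

report br-lan
report br-guest
```

On the router itself you would feed the live table instead of the sample, e.g. `bridge fdb show | fdb_ports br-lan software`, to list the ports whose traffic crosses the CPU. The sample puts the wifi AP interfaces on the software side, as the answer above states for Ethernet-to-WiFi forwarding, but note that the `bridge fdb | grep offload` output posted earlier in this thread shows `phy1-ap3` with the `offload` flag as well, so check the real output rather than assuming which side a given interface lands on.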
Hmmm… let’s see if I finally got it right: turning each VLAN device into a bridge does not bring any disadvantage, it has no security issues, but it is necessary if I want to combine two networks or two of the switch’s ports, and it lowers the stress on the CPU.