I have been using DSA for a while now with no issues whatsoever, and I am using two different subnets:
One trusted zone for my known secure devices
One untrusted zone for IoT devices, TVs, and a server. Devices within that network cannot communicate with each other, and cannot connect to devices in the trusted zone either. They can ONLY connect to the internet.
I have it set up as per the "Multiple bridged networks" configuration (one bridge for each zone), but from what I understand I can set it up via the "Multiple networks using VLANs" configuration as well. Now my question is: what are the differences? In terms of functionality, performance, or anything I might be forgetting?
I know it's a bit of a strange question, since everything works just fine in its current configuration. But I am always interested in learning more. So if multiple solutions can be used, I am very much interested to see exactly what the differences are. Thank you very much in advance.
I've actually decided to go the multiple bridges way with DSA on mvebu/WRT1200AC, but failed badly. I spent 4 hours troubleshooting why the second bridge was not bringing up its interfaces, only to find there is a bug in 21.02 with DSA: multiple bridges apparently don't work yet with DSA, as documented.
I have the same problem described here: "DSA with two VLAN on one Network". I thought I was just doing it wrong, but it seems as if I'm not the only one with this problem.
On 19.07.8 I created an interface (DMZ) where I could easily add multiple VLANs to the interface (which itself created a bridge).
I installed kmod-br-netfilter to separate the bridge ports on the bridge (so they could not talk to each other, which is what I wanted)
I added some traffic rules so that the pi-hole on one port/VLAN was accessible on port 53, the reverse proxy on 80 and 443, and the mail server on 25 and 587.
As the bridge with kmod-br-netfilter did not allow direct connection, only the desired ports have been accessible even for the other devices in the same network / interface.
Now in 21.02 I did not get something like this working.
Are you sure this is an actual bug and not a feature of the more modern and standardized 21.02?
Interfaces and the firewall are at the L3 routing level, and VLAN filtering is done at the L2 level.
And you want multiple L2 bridges on a single L3 routing interface?
In 19.07, L2 and L3 were a mess without any real distinction whatsoever.
"Multiple bridged networks" can pass through VLAN-tagged frames as is (VLAN filtering is disabled), while "Multiple VLANs on a single bridge" cannot.
I'm not sure I understand what you mean by this, could you please explain? Are you referring to the situation where some port, e.g. "lan1", is a member of a bridge, "br-lan", and it receives a packet with the vlan tag 20? Will that packet get forwarded to other ports on the same bridge? What if some of those other ports are vlan devices, e.g. "lan2.30" is also a member of "br-lan"?
Many DSA devices only support a single bridge (specifically only one bridge per switch chip; most multi-port routers only have a single switch chip). This means that you should typically only have a single bridge, and then use bridge-VLANs to define the VLANs and port membership.
It is no better, no worse than swconfig from a security standpoint. Both are secure.
Provided that things are configured properly, both swconfig and DSA will not allow VLAN hopping.
Years ago, I saw a quote that always stuck with me:
Stupid computers. They always do what I tell them to do, not what I want them to do!
So to answer your question, it depends on the configuration error. From a pragmatic standpoint, the system does not have any way to understand your 'intent' insofar as security or anything else. So if you do something that reduces security in the typical use case, it doesn't know if you've done something accidentally or intentionally. Let's say that you accept input on the wan firewall zone (default is input = reject) -- that would be very bad if the upstream network is untrusted (such as the internet), but may be perfectly fine and even desirable if you have a fully trusted network upstream of your OpenWrt router.
Bottom line: DSA is simply a different way (vs swconfig) to address the switch chip and physical ports in a multi-port router. It has no impact on security nor does it prevent configuration errors... it's a new method and new syntax, but the rest is up to you to understand and implement properly.