I am working on a mobile product that has some unusual requirements.
The product has:
4 ethernet ports (currently 1 WAN and 3 WAN)
Wifi 2.4GHz and 5GHz
LTE router
On normal operation, the 4 ethernet ports are used for LAN communication with multiple computers, and the wifi network is in Access Point mode, the clients connected to it can access some of the devices on the LAN.
The LTE router is in the WAN zone, with the default WAN configuration. It is used for telemetry reports.
Occasionally, one of the LAN devices will be disconnected, and replaced with a connection to another network. For instance the office LAN. A use case would be to update the system or to download stored data directly on the office LAN instead of going through the LTE.
Is there a way of allowing this transition of an ethernet port from being connected to a computer in the LAN that has a static IP to requesting an Office LAN IP via DHCP?
Additionally, I would like to set up a firewall in the LAN, blocking everything except a handful ports that I know are used in the LAN, regardless of whether all the ports are connected to the internal computers or one of them has been switched to the Office LAN mode.
I don't think the device itself will be able to tell what network is connected to the lan ports, so the best I can think of is a script to run, from say /root/scripts, the UCI commands for /etc/config/network and /etc/config/firewall per case, commit the changes, and ifup the interfaces. You can then add this script in LuCI under Custom Commands for ease of access.
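One way to write the per-case UCI script suggested above, as an added example that is not from the thread or from OpenWrt itself. It detaches one switch port from br-lan and turns it into a DHCP client placed in the wan firewall zone (so the office network is treated as untrusted and masqueraded like any other uplink), or reverses that. Assumed, not from the page: the bridge device is named br-lan, the firewall zone is the one named 'wan', the temporary interface is called 'office', and the metric 150 is chosen so the office uplink wins over the LTE route (metric 200) while the port is switched.

```shell
#!/bin/sh
# Move one DSA switch port between "internal" (member of br-lan, static LAN)
# and "office" (stand-alone DHCP client in the wan firewall zone).
# Example script; the names br-lan, wan, office and the metric are assumptions.
#   usage: portmode.sh <lan1..lan4> office|internal

OFFICE_IF=office

# Section id of the anonymous section in config $1 whose 'name' option is $2
# (the 'config device' for br-lan, or the 'config zone' for wan). Anonymous
# sections get generated cfgXXXX ids, so they cannot be addressed by name.
find_section() {
    uci show "$1" 2>/dev/null | sed -n "s/^$1\.\([^.]*\)\.name='$2'$/\1/p"
}

# uci batch that detaches port $2 from bridge section $1 and makes it a DHCP
# client listed in wan zone section $3.
office_cmds() {
    cat <<EOF
del_list network.$1.ports='$2'
set network.$OFFICE_IF=interface
set network.$OFFICE_IF.device='$2'
set network.$OFFICE_IF.proto='dhcp'
set network.$OFFICE_IF.metric='150'
add_list firewall.$3.network='$OFFICE_IF'
commit network
commit firewall
EOF
}

# Reverse: drop the DHCP interface and put port $2 back into the bridge.
internal_cmds() {
    cat <<EOF
del_list firewall.$3.network='$OFFICE_IF'
delete network.$OFFICE_IF
add_list network.$1.ports='$2'
commit network
commit firewall
EOF
}

# Only the four switch ports may be toggled; refuse anything else (e.g. wan).
valid_port() {
    case $1 in lan[1-4]) return 0 ;; *) return 1 ;; esac
}

portmode() {
    port=$1 mode=$2
    valid_port "$port" || { echo "unknown port: $port" >&2; return 2; }
    case $mode in office|internal) ;; *) echo "mode must be office or internal" >&2; return 2 ;; esac
    bridge=$(find_section network br-lan)
    wanzone=$(find_section firewall wan)
    [ -n "$bridge" ] && [ -n "$wanzone" ] || { echo "br-lan device or wan zone not found" >&2; return 1; }
    # office_cmds or internal_cmds, fed to uci as one batch
    "${mode}_cmds" "$bridge" "$port" "$wanzone" | uci batch || return 1
    # bridge membership is a device change, so reload rather than ifup one interface
    /etc/init.d/network reload && /etc/init.d/firewall reload
}

if [ $# -eq 2 ]; then
    portmode "$1" "$2"
fi
```

Called from a LuCI custom command or from the product API as `portmode.sh lan4 office` and later `portmode.sh lan4 internal`. Because the office interface is placed in the wan zone, the lan zone's input and forward policies never apply to traffic arriving from the office network.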
Would it be possible to have two interfaces per switch port? One with a static IP, and the other with Dynamic IP waiting for a network with DHCP server?
Not at the same time, unless they were tagged VLANs. But tagged VLANs won’t work in this context because you need the network untagged on the port since the next connected device is not going to test with VLANs.
If the other end of the cable speaks LLDP... you can tell where you are connected. But I assume it will get messy with the dynamic reconfiguring of the interfaces... Or if there is no LLDP, then I also don't see a sane option for how to detect it.
It's ok, it was a long shot.
And I have no control over the different LANs where they will connect our product.
Regarding my second question:
I would like to set up a firewall in the LAN, blocking everything except a handful ports that I know are used in the LAN, regardless of whether all the ports are connected to the internal computers or one of them has been switched to the Office LAN mode.
This is my current /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd70:b000:2cab::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	option macaddr '30:3D:51:11:1C:1D'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	option metric '100'
	list ipaddr '192.168.42.1/24'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface '5G'
	option proto 'qmi'
	option device '/dev/cdc-wdm0'
	option auth 'none'
	option delay '20'
	option pdptype 'ipv4v6'
	option metric '500'

config device
	option name 'wan'
	option macaddr '30:3D:51:11:1C:1F'

config interface 'wwan'
	option proto 'dhcp'
	option metric '200'
Since all my interfaces are on the bridge interface, afaik firewall rules will not affect them.
How could I do this? Remove the bridge interface and add 4 static IP interface for each of the lan ports?
Is it possible that the lan ports are dumb switched at hardware level and I can't isolate the traffic in any way?
This is the output of ls -l /sys/class/net
lrwxrwxrwx 1 root root 0 Dec 12 16:24 br-lan -> ../../devices/virtual/net/br-lan
lrwxrwxrwx 1 root root 0 Jan 1 1970 eth0 -> ../../devices/platform/1e100000.ethernet/net/eth0
lrwxrwxrwx 1 root root 0 Jan 1 1970 lan1 -> ../../devices/platform/1e100000.ethernet/mdio_bus/mdio-bus/mdio-bus:1f/net/lan1
lrwxrwxrwx 1 root root 0 Jan 1 1970 lan2 -> ../../devices/platform/1e100000.ethernet/mdio_bus/mdio-bus/mdio-bus:1f/net/lan2
lrwxrwxrwx 1 root root 0 Jan 1 1970 lan3 -> ../../devices/platform/1e100000.ethernet/mdio_bus/mdio-bus/mdio-bus:1f/net/lan3
lrwxrwxrwx 1 root root 0 Jan 1 1970 lan4 -> ../../devices/platform/1e100000.ethernet/mdio_bus/mdio-bus/mdio-bus:1f/net/lan4
lrwxrwxrwx 1 root root 0 Jan 1 1970 lo -> ../../devices/virtual/net/lo
lrwxrwxrwx 1 root root 0 Dec 13 10:12 tun0 -> ../../devices/virtual/net/tun0
lrwxrwxrwx 1 root root 0 Jan 1 1970 wan -> ../../devices/platform/1e100000.ethernet/mdio_bus/mdio-bus/mdio-bus:1f/net/wan
lrwxrwxrwx 1 root root 0 Dec 12 16:24 wlan0 -> ../../devices/platform/1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/net/wlan0
lrwxrwxrwx 1 root root 0 Dec 12 16:24 wlan1 -> ../../devices/platform/1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0/net/wlan1
lrwxrwxrwx 1 root root 0 Dec 12 16:24 wwan0 -> ../../devices/platform/1e1c0000.xhci/usb2/2-1/2-1:1.4/net/wwan0
The product is quite big, weighing over 30kg, and its main functionality has nothing to do with networking.
This ethernet switching is secondary to its purpose and does not deserve a button for each of the ports. I will have them trigger this action via the API of the product.
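The ls output above shows lan1..lan4 as separate netdevs under the switch's mdio bus, i.e. DSA ports that can be configured individually, so the approach asked about (taking the ports out of the bridge so the firewall can see PC-to-PC traffic) is possible. Below is an added example of that, not from the thread or from OpenWrt: each port becomes its own routed interface in a zone whose input and forward policies are REJECT, with allow rules only for an explicit port list. br-lan is kept for the wifi interfaces attached to it, and wifi clients get the same allow list towards the ports. Assumed, not from the page: one /24 per port under 10.42.0.0/16 and the port lists in ALLOWED_TCP / ALLOWED_UDP (all constructed).

```shell
#!/bin/sh
# Split the four DSA switch ports out of br-lan into four routed interfaces so
# that traffic between the PCs crosses the router and the firewall can filter
# it. Everything except an explicit port list is rejected, both towards the
# router (input) and between the ports (forward). Example script; addressing
# and port lists are assumptions.
#   usage: isolate.sh apply

ALLOWED_TCP='22 502 8080'   # constructed: ssh, modbus, the product API
ALLOWED_UDP='53 123'        # constructed: dns, ntp

# Section id of the anonymous section in config $1 whose 'name' option is $2.
find_section() {
    uci show "$1" 2>/dev/null | sed -n "s/^$1\.\([^.]*\)\.name='$2'$/\1/p"
}

# Emit the whole uci batch. $1 = section id of the br-lan device.
isolate_cmds() {
    bridge=$1
    n=1
    # one static /24 per port, and the port leaves the bridge
    for p in lan1 lan2 lan3 lan4; do
        cat <<EOF
del_list network.$bridge.ports='$p'
set network.$p=interface
set network.$p.device='$p'
set network.$p.proto='static'
set network.$p.ipaddr='10.42.$n.1'
set network.$p.netmask='255.255.255.0'
EOF
        n=$((n + 1))
    done
    # one zone for the four ports, rejecting by default in every direction
    cat <<EOF
set firewall.ports=zone
set firewall.ports.name='ports'
set firewall.ports.input='REJECT'
set firewall.ports.output='ACCEPT'
set firewall.ports.forward='REJECT'
add_list firewall.ports.network='lan1'
add_list firewall.ports.network='lan2'
add_list firewall.ports.network='lan3'
add_list firewall.ports.network='lan4'
EOF
    # allow-list rules: to the router (in), port to port (fwd), wifi to ports (wifi);
    # dest_port takes a space-separated list, so one rule per protocol and direction
    for proto in tcp udp; do
        if [ "$proto" = tcp ]; then list=$ALLOWED_TCP; else list=$ALLOWED_UDP; fi
        for dir in in fwd wifi; do
            r="ports_${dir}_$proto"
            cat <<EOF
set firewall.$r=rule
set firewall.$r.name='$r'
set firewall.$r.proto='$proto'
set firewall.$r.dest_port='$list'
set firewall.$r.target='ACCEPT'
EOF
            case $dir in
                in)   echo "set firewall.$r.src='ports'" ;;
                fwd)  echo "set firewall.$r.src='ports'"; echo "set firewall.$r.dest='ports'" ;;
                wifi) echo "set firewall.$r.src='lan'";   echo "set firewall.$r.dest='ports'" ;;
            esac
        done
    done
    printf 'commit network\ncommit firewall\n'
}

apply_isolation() {
    bridge=$(find_section network br-lan)
    [ -n "$bridge" ] || { echo "br-lan device section not found" >&2; return 1; }
    isolate_cmds "$bridge" | uci batch || return 1
    /etc/init.d/network reload && /etc/init.d/firewall reload
}

if [ "${1:-}" = apply ]; then
    apply_isolation
fi
```

The price of this layout is that every PC moves to its own subnet, so static addresses on the PCs must change accordingly, and nothing here forwards from the ports zone to wan; if the PCs ever need the LTE uplink, that needs an explicit forwarding from 'ports' to 'wan'. Port switching to office mode would then detach one of these interfaces instead of a bridge member.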
Do you have the budget for a second router?
Configure one of them with all your wan uplinks. Install a routing daemon, and also on the 2nd. The 2nd is then just used for the client PCs or what so ever is connected...
I think having to manually trigger the change via our API is not a deal breaker. I am preparing a web interface where the customer can indicate when it does it.
I will also disable the DHCP on the LAN, so even if they don't trigger the change, it will not mess with the customer's LAN DHCP.
Somewhat off-topic, but how does Windows recognize networks, and can that logic be applied here? AFAIK, neither OWrt nor consumer routers/APs advertise LLDP by default, but Windows can somehow recognize a LAN over both wired and wireless connections.
To elaborate: if you connect to a LAN, it will show a name like Wired network, Wired network 2, etc. But if you connect to the SSID from the same LAN, it will automatically rename Wired network 2 to the SSID.
I personally would like to see this on the Linux desktop side in NetworkManager or networkd, but I don't understand the logic. Does anyone know about Microsoft's documentation on this matter?
Most operating systems that are designed as "client" devices (and not servers) will be configured as DHCP clients for their network connectivity, unless the user changes it to static or PPPoE. Windows (AFAIK) doesn't do any magic detection to change the entire operating mode of the port, but it does (sometimes annoyingly) attempt to identify a trusted vs untrusted network. The mechanism for this would be to determine if it has an RFC1918 IP address -- if not, automatically treat the connection as untrusted. If it does have an RFC1918 address, it may also do some additional checks like the MAC of the router to determine if it has seen this network before (i.e. your home or office), whereas new MACs may be considered untrusted because the assumption may be that it may be a network at a hotel, cafe, etc.
The OP is asking for a port to automatically detect if it should be used as a LAN or a WAN port based on what it is connected to. That is a considerably different thing than what Windows does -- here, you're presumably talking about the difference between bridging the port with several other ports and/or wifi (i.e. the lan) which will be treated as trusted and may also have a DHCP server enabled vs putting the port into a completely different interface that operates as a DHCP client and is treated as untrusted.
While I can think of some potential logic that could attempt to detect this, it is far from fool-proof and would almost certainly cause more problems than it would solve.
Instead, I think the best method would be to use a script that changes the function of the port. This could be triggered by simply running the script via SSH, or even using a physical button/switch (via GPIOs) or a button added to LuCI.