Individual physical ports as devices

I am trying to understand how I can set up certain things differently for different physical Ethernet ports on my WDR3600. My Luci devices list looks like this:

If I drill into the br-lan device, it looks like this: the bridged devices are the ports included in the VLAN eth0.1. If I look at this, it has as the base device eth0:

The output of swconfig for this VLAN is:

        vid: 1
        ports: 0t 2 3 4 5

If I want to do something different for a certain port, for example set a firewall rule to forward DNS requests from Ethernet port 1 (number "2" in swconfig), do I have to do the following, or is there a simpler way?

  1. Create a new VLAN that consist of "0t 2"
  2. Create a new interface that consists of the VLAN created in (1)
  3. Create a firewall zone that consists of the interface created in (2)
  4. Set DNS forwarding rules for the new zone?

Yes in the switch you'd make a separate VLAN for each port, so they can be independently accessed as eth0.x. When two or more ports are in the same switch VLAN, the switch will hardware switch packets between them and the CPU will not see those packets. This is usually a desirable feature for example a PC and a NAS plugged into two LAN ports communicate at full gigabit speed without the router CPU.

1 Like

Thanks mk24. I am just trying to understand the taxonomy for ports, devices and interfaces. In /etc/config/network I see:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

The value 'eth0.1' does not appear anywhere else in the file, so I assume that either it exists by default or it is created when you define a VLAN with number 1? If it is the latter, then does that mean that you could have

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '2 0t'

config device
        option name 'Port 1'
        list ports 'eth0.3'

...or is there another way of creating a device, as opposed to a VLAN, which is one of the physical ports on the switch? It seems wrong to create a VLAN, which involves both the port and the CPU, when what you are trying to achieve is a way to refer to only the physical port when setting rules in the firewall.

Sorry if I am getting confused, I am trying to learn this stuff so I don't make mistakes.

The eth0 CPU port is wired to port 0 of the switch chip. The eth0.X notation tells the CPU to emit packets with tag X through the wires to the switch chip. A packet sent from eth0.1 will arrive at the switch tagged 1, and if there is a switch_vlan numbered 1 containing port 0t, (as the default configuration has) the packet will be accepted into that VLAN and switched to be offered to any of the other ports in that VLAN. The packet does not exist in any other switch VLANs since it does not have a matching tag.

So expanding this system consists of adding new switch_vlans with unique numbers, port 0t in each to connect the CPU, then making networks connected to eth0.N where N is the new number.

OK. And, since I am warned about having ports untagged in multiple VLANs, I assume I have to take a port out of one VLAN if I am putting it into another. That means that I can't do what I hoped to do, have all the ports behave the same from a DHCP point of view and be on the same subnet, but via the firewall set up that DNS traffic from a specific physical port gets redirected. Is there another way to achieve this? Why is it not possible to refer to the physical ports as devices, only to all four of them as a bridged group?

Yes you have one external port each VLAN, to break up the hardware switching to each other, and force all traffic to the CPU including a tag of which VLAN (port) it came from.

To retain multiple ports in one network, attach them back together with a software bridge of eth0.2 eth0.3 etc whatever you want to combine. Then the CPU will see every packet and the firewall might inspect it on a per-port basis.

Although I'm not sure if this will work since in a software bridge the only thing that holds a layer 3 IP address is the bridge itself, so I don't know if the firewall can be attached specifically to eth0.3 for example when that port is controlled by a bridge. You may need to have a separate network and routing between the networks.

Right, so the price to pay for having the firewall inspect traffic going out to the WAN is that you lose the ability for inter-port traffic (which for DNS filtering purposes does not need to be inspected) to travel fast without passing the CPU. Pity.

Thanks for your help, you have advanced my understanding.