Is WAN on a switch VLAN a security risk?

TLDR: I set up the WAN / WAN6 interfaces on the main switch using an untagged VLAN. Any risks in this approach?

So I had a spare EA8500 router I donated to my step-daughter as she just moved out and was hooking up cable internet. I reset it, and updated with 21.02.3 - then proceeded to set up wifi, dns, etc. When it didn't work for her, I took it back, tried again (xfinity asked her to reset her router... ugh) and again it wouldn't work. I went over there and found that the eth1 port didn't seem to function correctly - it had trouble pulling addresses via dhcp. I originally purchased the device used, employed it as an AP/mesh node, and never used eth1. After many struggles I deemed the port damaged - since I've never had any issues like this with OpenWRT on multiple devices.

I proceeded to create a new VLAN for WAN on the main 4-port switch, and assigned it untagged to port 4, with no tagged traffic - and tagged on CPU, no other ports as VLAN members for this one. LAN of course is tagged on CPU and untagged on the other 3 switch ports. I assigned the eth0.x device to the WAN/WAN6 interfaces and called it a day.

Immediately it worked, and she has not had any issues.

Are there any inherent security risks to this approach? Obviously I've told her to only plug the modem into port 4 if she ever needs to disconnect it.

Some switches are not configured correctly during power on / boot.

You should test what happens to the switch at power on/reboot.


+1 to @mbo2o's comment. Specifically, some switches initially come up as a basic dumb/unmanaged switch until they are set with the desired VLAN configuration. In many cases this is a short time, and the risk is minimal. However, if another device that is connected to the switch happens to request a DHCP lease at exactly the right (wrong) time, it could possibly grab the ISP provided/public IP. When the router is rebooted, any devices directly connected to that internal switch will experience port bouncing and will request a DHCP lease. Devices connected via another switch with constant power would probably not request a lease at the exact time of the router rebooting, but that becomes purely a matter of the statistical probability.

In the case of a cable modem, this is unlikely to be an issue if only the router is power cycled. But if everything is turning on at once (say after a power outage, or other event where the modem + router are power cycled), the cable modem's learned MAC address (and thus DHCP leases) could go to a system that is supposed to be downstream of the router.

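A check for the two points above (the intended "port 4 only on the WAN VLAN" table from the first post, and the power-on state the replies warn about), written as an added example rather than anything from the thread: a small parser over swconfig-style `show` output that reports whether the WAN port is isolated. It assumes a swconfig-style switch (as the eth0.x naming suggests), a switch named switch0, WAN vid 2 on port 4, and constructed sample output; it does not query real hardware.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a swconfig-style VLAN table
# isolates the WAN port as the poster described (WAN VLAN = CPU tagged + port 4
# untagged, and port 4 in no other VLAN). Switch name, vids and samples are assumed.

# Constructed sample of the VLAN sections of `swconfig dev switch0 show`: intended state.
SAMPLE_OK='VLAN 1:
	vid: 1
	ports: 0t 1 2 3
VLAN 2:
	vid: 2
	ports: 0t 4'

# Constructed sample of a switch still in its power-on "dumb" state: one VLAN,
# every port untagged, no WAN VLAN yet. This is the window the replies warn about.
SAMPLE_BOOT='VLAN 1:
	vid: 1
	ports: 0 1 2 3 4'

# check_wan_isolation <vlan-table-text> <wan-vid> <wan-port>
# Returns 0 when the WAN port is isolated; otherwise prints each finding and returns 1.
check_wan_isolation() {
    printf '%s\n' "$1" | awk -v wv="$2" -v wp="$3" '
        $1 == "vid:"   { vid = $2; next }
        $1 == "ports:" {
            if (vid == wv) seen = 1
            for (i = 2; i <= NF; i++) {
                p = $i; sub(/t$/, "", p)                    # "0t" -> "0"
                if (vid == wv) {
                    if (p != "0" && p != wp) { bad++; print "WAN VLAN " vid " also carries port " $i }
                    if (p == wp && $i ~ /t$/) { bad++; print "WAN port " wp " is tagged; the modem expects untagged" }
                    if (p == "0" && $i !~ /t$/) { bad++; print "CPU port is untagged on WAN VLAN " vid }
                } else if (p == wp) {
                    bad++; print "WAN port " wp " is also a member of VLAN " vid " (LAN exposed to modem)"
                }
            }
        }
        END {
            if (!seen) { bad++; print "no VLAN with vid " wv " present" }
            exit bad ? 1 : 0
        }'
}

# Intended state passes; the boot-time state reports the exposure.
check_wan_isolation "$SAMPLE_OK" 2 4 && echo "vlan table ok"
check_wan_isolation "$SAMPLE_BOOT" 2 4 || echo "WAN port not isolated"
```

On a real box the first argument would be the output of `swconfig dev switch0 show`, run a few seconds after boot, so the log shows whether the table was already in place when the ports came up.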

Thanks - never considered how the switch acts during startup.
I think the risk is pretty low that this could affect this application since there are no other ethernet devices (for now).
Worst-case scenario is that if there are other things plugged in, the modem may need a reboot before wifi works, and any other plugged devices will have to be replugged. And for a super brief moment, another device could be exposed directly to the internet until the router VLANs are up.