My device only have one ethernet port, I want to let it auto switch WAN/LAN, How to configure?

My device only have one ethernet port, I want to let it auto switch WAN/LAN, How to configure?
For now, I have to modify the /etc/config/network manually, like

config interface 'lan'
        option type 'bridge'
        option bridge_empty '1'
        option proto 'static'
        option ipaddr ''
        option netmask ''
        option ip6assign '60'
        option ifname 'eth0 usbnet0 '

config interface 'wan'
        option proto 'dhcp'
        option metric '1'
        option ifname 'eth1'  #there is no eth1 in my device


config interface 'lan'
        option type 'bridge'
        option bridge_empty '1'
        option proto 'static'
        option ipaddr ''
        option netmask ''
        option ip6assign '60'
        option ifname 'usbnet0'

config interface 'wan'
        option proto 'dhcp'
        option metric '1'
        option ifname 'eth0'

Maybe you can explain what you want to achieve?
Because the way you are trying to implement it is not ideal.


What's "usbnet0"?

I mean, if I use a network cable connect to a Router(this Router use PPPOE connect to internet), then my device can get a IP by DHCP, and share the network via WIFI; at this time, the ethernet port function is "WAN"
If I use a network cable connect to PC, PC can get IP from my device. at this time the ethernet port function is "LAN"

"usbnet0" is another interface, just ignore it.

I try to set wan's ifname to "br-lan", and connect it to Router, but my phone connect to my device via WIFI, the phone's IP is "192.168.31.xx", just like connect to Router directly.
This is not what I ask for...........

And in this scenario what are you going to do with the router? Is it connecting upstream as a wireless client?

Better edit your posts and append your comments or you'll soon reach the daily limit of answers.

My device have another way to connect to Internet: 4G-LTE
So if the PC connect to my device's ethernet port, the PC can use 4G-LTE connect to internet.
And when my device connect to a Router via ethernet port, the "option metric '1'" will worked, the WAN's priority is higher than 4G-LTE.
I hope my words can be understand..

I understand what you want, however the device you have chosen is quite limited and OpenWrt doesn't have any network profiles kind of thing.
So the solution that could work with you is to have the ethernet port only wan with lower metric, the LTE with higher metric and use Wifi to connect your PC.

Thanks for reply.
As I know, some Routers like TP-LINK, HuaWei have a function: ethernet port auto switch, just like what I want.
I mean in these Routers, when user connect a WAN network cable to ethernet port, this port will auto configure to WAN function; when connect a LAN network cable, it will auto switch to LAN, no need user configure anything.
So they must implement this function by code, not change by the configure or uci command, right?

You could try to develop script to do this... I haven't tried this so I don't know if it would work as expected, but could be a cool experiment... some super rough pseudo-code:

if physical ethernet link up:
   wait [timeout period]
   if DHCP address issued:
        set ethernet port to LAN w/ DHCP enabled, restart network

Some questions/issues with my idea are:

  1. default to ethernet as WAN and switch to LAN after DHCP timeout -- probably okay, but I could see this as a security risk or potentially impacting the upstream network if this falsely triggers
  2. I don't know if the physical link up is easily detected in hotplug.d or somewhere else (since it is not necessarily the same as ifup which implies the interface fully configured and running)
  3. you would probably need to restart the network which might re-trigger the ethernet physical up signal and create a loop. if this were to happen, you could set a flag in /tmp and make an outer if statement to prevent the loop.
  4. you could have the script either issue UCI commands to the network config or swap between two config files > /etc/config/network; but you need to ensure that the proper 'default' configuration is always loaded at boot (maybe an init script with early execution).
  5. When switching to LAN mode, if the WAN/DHCP timeout exceeds the timeout of the connected device DHCP request, you may have to manually trigger the DHCP request on the connected device, or wait for it tooretry.

Conceptually this should work, but I have no idea if it would from a practical perspective. That said, if you get something working well, it could be worth making the script/package generally available .

It is possible, I have one use case as a travel router. You will need to install macVlan

mac=$(cat /sys/class/net/eth0/address|sed -r "s/^../1a/")
ip link add link eth0 wan address $mac type macvlan && ip link set wan up
sleep 15
if [ -z "$(ip addr show dev wan scope global 2>/dev/null | awk '/inet6? / {split($2,var,"/"); print var[1]}')" ]; then
ip link del dev wan
mac=$(cat /sys/class/net/eth0/address|sed -r "s/^../2a/")
ip link add link eth0 lan address $mac type macvlan && ip link set lan up

If the device has some unused button (like WPS button) wouldn't be safer to configure that button to do the switch between LAN and WAN to that single eth port?
Either I failed to see the name of the device or it's just not posted so I can't check if it actually has some sort of button for WPS, wireless on/off, etc. As result everything I will write is kinda generic.

I'm paranoiac when it comes to security so I'd rather have manual control over such change. I wouldn't really like to start giving my internet to the entire WAN.
Some bad actor might just trick the auto-switch between LAN and WAN.

Main issue is that if the ISP that supposed to give the internet on the WAN port is having issues (his DHCP/PPPOE servers are offline) the auto-switch will assume the single eth port is not supposed to be a WAN and will switch it to LAN and at this point it can end up sharing my internet to the rest of the WAN something that wasn't supposed to do....
Due to ISP problems a check for DHCP/PPPOE can fail and at this point the auto-switch will just assume it's connected to LAN when in fact it's still connected to WAN.

Even checking the mac at the other side is not exactly that safe. It won't be a first when 2 devices have the same mac (because you can software change that mac...).

I'd rather have the things secured on my side than assume that the ISP might be using managed switches that well isolate the clients connected to them. Won't be a first when ISP clearly say his switches isolate the clients and when I start a DHCP server on the WAN interface I happy see several DHCP requests to my DHCP server and I happy see them getting IPs from my DHCP server...

There is another problem like how is that single eth port configured during entire boot process. Because if it's acting like LAN it can be a bad thing. If TFTP recovery via bootloader is allowed on that eth port at boot then a bad actor can overtake/brick the device; this particulat example is extremely bad, because the manual control by using a button is happening after OpenWRT has booted, but is not affecting the bootloader, so while OpenWRT will assume it's WAN bootloader will assume it's LAN; and in such case you basicaly need another device in front of it to filter the TFTP port.

1 Like

Where is the security issue when there is only one physical port? The user is in full control which cat5 cable gets plug into the port.

You plug the ISP cable in your single eth port. You don't know at this point if the ISP on the cable is up or down. Bad luck ISP is down. If you make the auto-switch based on DHCP/PPPOE in such case that auto-switch will switch that single eth port to LAN. You will happy handle DHCP on that WAN port because OpenWRT assumes it's LAN. And from this moment it's all about the ISP infrastructure to defend you something that you don't control.
I can make an even worst scenario here. You already have an device connected to ISP and that ISP is using DHCP to give the ip. At this moment you assume ISP is up and running. So you decide to plug the cable in that single eth port device (in this particular case I assume you have 2 cables from the ISP so you still have one connection that you know it's working). But between the moment when the first device got the ip via DHCP from the ISP and the moment when you plugged the cable in your particular 1 eth port device ISP DHCP started to malfunction and it no longer answer to DHCP requests (your already connected device doesn't need it yet) but rest is fine in your ISP case, your 1 eth port device will think it's connected to LAN if it uses DHCP to check if it's connected to WAN or LAN while in fact it's connected to WAN.

And yes if the device has TFTP recovery via bootloader an electrical power cut can easily get your device bricked. You have the ISP eth cable connected when the power cut happens. Your device boots faster than ISP internet routing devices, ISP switches on the other hand boot faster than your device, ISP switches don't have client isolation (bad configured, configuration got corrupted due to the power cut, ISP just doesn't care to implement client isolation, etc), some hacked devices that is in direct connection (done by the ISP switches) with your device is happy tftp some trash, your device will happy flash it because assume it's safe, enjoy bricked device.
We don't know what device it is. I know a particular device that was sold in 3 versions having the same hardware 1) router 2) repeater/ap 3) some sort of vpn tunnel device, from interface you can't cross-flash it but you can cross-flash it using tftp (you can flash what crap you want actually, it doesn't check anything, it just happy flash it). So I will just assume the worst case.

The same electrical power cut happening when your OpenWRT has that eth set as WAN will make OpenWRT set that eth as LAN if your OpenWRT boots faster than ISP routing is starting (in my particular case in such situation my OpenWRT router is booting faster compared to ISP re-linking, basicaly my OpenWRT after booting has to wait 3-7 minutes for ISP re-linking, and bad part is that ISP switch (in front of my router) is up before my router has finished booting (in that particular ISP switch there are 10+ neighbours routers and they care so much about the security of their devices that 2 wireless networs have no encryption, 1 is on wep, and 2 wpa get compromise to brute-force dictionary attack (some years ago I wanted to see how secure are my neighbours wireless networks, don't worry they haven't changed the passwords (all 5 had unchanged admin passwords and when trying to connect to router it was even telling me the name of the device...)), so at least 5 devices that are a bad joke (I doubt any of remaining neighbours router is running OpenWRT (mentality around is plug it, do some basic setup to get it running and forget it exist, even equipment from ISP is the same situation, taking into consideration ISP doesn't have UPS it's risky to remote flash it cause a power cut will brick the device, ISP had UPS-s years ago but their battery died and they removed them...) and some of the devices are actually old (even if by a miracle the owner did firmware update it's no longer receiving updates for years (on my main router if I return to stock firmware and connect to internet in 15 minutes I totaly lose control of the router, I can't even access the web interface, but internet is working, that's how secure is a 10 years old device running stock firmware (without OpenWRT there would had been no IPv6 support on my 10 years old router (DD-WRT doesn't have IPv6 for it) and I would had basicaly had to trash a device that can still be used)))); and yes that ISP switch doesn't do any client isolation between the clients connected to it, it only does on the uplink (at some point it was the normal PPPOE connection and ISP was giving a secondary LAN ip and you could see the neighbours from the entire town on that secondary LAN IP...))...).
An UPS/generator will not really help you if that power cut last longer than what that UPS/generator can do.

I even have a relative that had the wireless network without any encryption until last year. Keep in mind it's a wireless g router so I can happy assume that my relative has run that wireless network without any encryption. Router username/password was default one. I only managed to make my relative use encryption on that router. Couldn't make my relative understand that she's using a device with known security problems. I offered a router with OpenWRT for free (without updates done on the router situation wasn't great, but still better than current one) and my relative refused my offer. Nothing I can do in such situation. And we are talking about a relative here and I failed, ask yourself what are my chances to make a stranger understand...
Another relative has OpenWRT 15.05 on the router. I will ignore the fact that is running an old OpenWRT version. It's still better than the stock firmware that has actively used exploits. Main problem is that the router had no root password. Because that relative asked me to fix some problems on his pc I basicaly had access to the wireless network. Due to the lack of a root password I had access to the entire router configuration. And from this moment it's all about that person intentions.
Asking them to put a password? Some years ago I installed Windows on the pc of the gf of one of my friends, he asked me so I happy helped. I asked the girl to tell me an admin password and to note it because I will not remember it. She told me the password and noted it. You know what happened 6 months later? She called me and ask me for the admin password... You can bet I didn't remembered it. I asked her to tell me that password and to note it so she can can know it when she will needed it. Me having the passwords of the people I help at some point is gonna become hard to handle, a security risk. Technically speaking there is no reason for me to make and keep such a list.
Such a device can easily become compromised. And if your devices think that single eth port is LAN when in fact it should be WAN you just ask for troubles because 1 single compromised device that can access your device is enough to cause troubles.

The entire idea is that you don't control when the ISP has problems, when a power cut happens, how long it will take for ISP devices to re-link.

My idea with a button to do the change is somehow better. At least after a power cut it will still assume it's WAN. Bad part is that you always need to know how you let it set. Maybe use a led to show the status... I'd rather buy an used router that supports OpenWRT than deal with a 1 eth port device for a wan/lan case.
The tftp bootloader recovery on the other hand is outside OpenWRT control... For this part you basicaly need another device in front of you router to filter it. And if you put another device in front of your router (device that clearly has at least 2 eth ports) maybe you can just use that device do the routing and let that eth port on your 1 eth port device be always LAN...

L.E.: Let's assume I'm the ISP. Let's assume I used DHCP to provide internet. If I will see a device that is not mine acting as DHCP server I would blacklist it from the closest node to that device. In such a case when the 1 eth port device is thinking it's connected to LAN but it's connected to WAN in reality will end up blacklisted in the managed switch it connects. So you will basicaly end up without any connection. From my point of view I'm dealing with a device that is not working properly and I wouldn't want to see it causing problems on my network. DHCP server on WAN port is a big NO for me. If it will happen a couple of times I will no longer remove the blacklist because I have to force you to change the device because you clearly don't want to understand. Sorry but there is just no other way when the other side refuses to undersand/just doesn't care.

L.E. 2: Someone might complain that probing the wireless security of my neighbours is not legal. We use encryption to prevent unwanted access to the wireless network. The fact that 2 failed to a simple brute-force dictionary attack is plain bad. I supposed to not even be capable to do it fast because that ap supposed to temp blacklist me after several failed attempts, but I was never blacklisted. At this point it's not only user mistake it's also an issue with the stock firmware (devices were running stock firmware, probably the version that was on installed when the device was bought).
Based on the legislation in my country in the worst case I'm in the grey area. In other countries might be illegal.
As long as I know I don't do anything malicious on the neighbour router I have no moral issues with it.
And with wireless someone with bad intentions can do it from outside the building. That's the big problem.

L.E. 3: Entire problem is that you can't just assume that all devices outside your control are safe or that all people have only good intentions. I prefer "Better safe than sorry.". even if i might push it to extremes.
Long post cause I kinda exagerated with some examples of how bad security is in some cases (either due to user fault (no password, weak encryption, easy to hack password, not updating the firmware) or stock firmware bugs).

i have no bad intentions. I just want to improve some things that's all. I know some people think that I might have something with them when I write some things. Reality is that I just want to point some of the things that maybe they missed, we are humans and we all do mistakes, we miss things. :slight_smile:
I'm that type of person that prefer to be told why I did something wrong with details. It helps me understand what exactly I did wrong to improve. Just telling me I did something wrong won't help me because I won't know what exactly I did wrong or how I did it wrong.


I think it would be better for OP to use two different config files for this purpose. Just copy/paste the files and reload the network for changes to apply. For example: lan.config and wan.config. Issue the command: cp lan.config /etc/config/network ; service network reload for making the port LAN accessible and cp wan.config /etc/config/network ; service network reload for WAN.

With @sammo's suggestion, there may be some security risk as has been suggested above but OP needs to make a choice if it is worth it. I would go with the config files option because it should be easy and can also be done with a script but writing two short commands would not be a hassle though.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.