OpenWrt One - swapping eth0 and eth1

OpenWRT One has the WAN using 2GB ethernet (eth0) and the LAN using 1GB ethernet (eth1)

I currently have a home-office network setup where the WAN connection is dual DSL over copper -- not even 1GB and not likely to be any time soon -- so I'm thinking the faster interface will be far more useful on the LAN side.

It looks utterly trivial to edit /etc/config/network to
swap 'eth0' with 'eth1' everywhere:

    config interface 'wan'
	    option device 'eth1'  #instead of eth0
    config interface 'wan6'
	    option device 'eth1'  #instead of eth0
    config device
	    option name 'br-lan'
	    list ports 'eth0'  #instead of eth1

while /etc/config/firewall, which only references 'wan', 'wan6' and 'lan', seems to have no reason to care which of eth[01] is which.

Seems to me this either Just Works or it instantly bricks everything (in which case I get to learn more about recovery),

but here's the real question:

Is there some lower level reason NOT to do this,

e.g., am I opening up some huge security hole because there's stuff at the kernel level that hardens eth0 against external attacks but doesn't do the same for eth1?

Or will this horribly confuse something else that I need to worry about?
(e.g., I do see the "config led" stanzas in /etc/config/system also refer to eth[01], so I'm guessing if I don't edit those too, I'll have the wrong sets of lights flashing in response to traffic, which will be hilarious but otherwise harmless)

Update: The above modification to /etc/config/network appears to work; it did not, in fact, brick my router. I was also able to reflash a sysupgrade with "Keep settings" and I could reconnect without having to move the cable. So yay; thank you all.

The one weirdness is that the LED names are evidently tied to the physical locations of the ports, so swapping the names in network brought the LEDs along for the ride and there was no need to edit system. Not unexpected, but having them be named (and continue to be named) for the the higher level interfaces (wan, lan) in the original configuration is unfortunate and confusing.

E.g.,
amber:lan should really be named amber:eth1, since it's the amber light on the eth1 port, regardless of which interface that port is carrying, Likewise

mdio-bus:0f:green:wan should be named mdio-bus:0f:green:eth0 or maybe just green:eth0,

but I have no idea how these names get assigned (guessing it's in the kernel somewhere?)

Is this worth a bug report?

I think it's safe and you are right /etc/config/network is the only file you need to touch

when booting into failsafe-mode/recovery-mode those ports are not swapped eg: your recovery lan port will be connected to modem bypassing your firewall exposing your network but lacking any configuration to do so. so when troubleshooting, you need to disconnect wan, swap cable, boot into failsafe.

so when troubleshooting, you need to [remember to] disconnect wan, swap cable, boot into failsafe.

and I'm guessing the only way to avoid that is custom firmware that has my version of /etc/config/network already in place with the ports swapped?

fair enough.

yeah, that would require custom firmware.

I’ve powered my OO by POE this way since pretty well day one.

Not really. Standard Sysupgrade will carry it over. You could also use the Files directive in Firmware Selector/Owut, or just restore from Backup.

I’ve powered my OO by POE this way since pretty well day one.

just so I'm clear about what this means:
(1) You're getting your power from your ISP modem via your WAN interface (i.e., without needing the USB battery cable hooked up),
and
(2) you have your ports swapped, so this is actually the 1G port that's doing this for you (and thus, presumably, both ports can do POE assuming this is something people normally expect the WAN port to be able to do -- sorry, POE is new to me).
?

I used a spare port from an 801.3af/at POE switch to 2.5G eth0 as br-lan. Only the 2.5G port can power the device from POE.

1G eth1 becomes wan that is connected to the ISP device in bridged mode. You can use any 802.3af/at adapter to power the 2.5G. eth1 is not powered.

Your It Just Works thought was spot on.

OP updated (! hm does this comment system notify people about edits?)

Fail-safe mode and sysupgrade are two different things. So in order to have swapped ports in openwrt Fail-safe mode you need custom firmware.

Yes. Depending on how I if/want notifications.

I responded to your first post regarding swapping the eth0/eth1 ports before I saw any of your multiple updates.

Of course they are different. I said Failsafe Mode does not require custom firmware. My remarks pertaining to Sysupgrade et al was to indicate methods that would allow the network eth0/eth1 swap to persist over upgrades.

As I said before, Failsafe Mode does not require custom firmware.

It's quite easy to manage the swapped eth0/eth1 ports on the OO when invoking Failsafe Mode.

When Failsafe Mode is invoked, it has two general uses. (1) Allow you to gain access to correct an errant configuration or (2) in the alternative to call Soft Factory Reset by issuing firstboot && reboot to restore the initial OOB configuration. Your last option is to simply reflash a pristine firmware.

If you connect a serial cable on an OO and trigger Failsafe mode, the device will boot to a minimal configuration.

By using the serial console you get direct access to the OO. The network interface configuration is no longer an issue.

If you do not need to issue firstboot, it's a simple matter of modifying your network config to reflect the correct Lan/Wan port assignments:

• mount_root
• correct any abherrent configurations needed
• vi /etc/config/network and verify/edit your port assignments.
• reboot

If you do need to call firstboot to restore the OOB configuration, you call firstboot and then follow the same process to mount the root fs, edit your network config, and then reboot.