Port Isolation in MediaTek MT76** SoCs

While looking for a cheap router which supports OpenWrt I stumbled across this comment on the Wiki page of the TP-Link Archer C50 (https://openwrt.org/toh/tp-link/archer-c50) which was added about one month ago by @frollic: "The C50v4 is leaking LAN traffic through WAN port during boot, due to lack of port isolation."

I'm wondering if this applies to all devices using the MediaTek MT76* SoCs, because I also found this GitHub ticket: https://github.com/openwrt/openwrt/issues/5625
It's very old but it seems like the bug itself is still present based on the info from @frollic.

I'd expect that the internal switch doesn't route any packets until the VLAN setup is done after booting up. Does anyone have more information about that?

Edit: I just found https://forum.openwrt.org/t/archer-c50v4-does-not-isolate-lan-wan-during-start/ by @brada4. Do you have more information on that?

In theory, most/all devices with U-Boot should let you add something to the start-up boot scripts that will configure the switch for port isolation via some register write at early boot. OpenWrt proper, later in the bootup, will then set the final desired switch config.

In practice, you'd need a U-Boot with the appropriate commands enabled, the knowledge of what to poke with what value to get port isolation for your specific IC, and updated boot script variables to activate PortIso at early boot. That can probably also be encoded in the recipe for all future installs of OpenWrt on that device if somebody makes a PR.

That should shorten the window of time for the leak to something very short, but maybe doesn't eliminate it entirely.

I guess, the best solution would be if the switch-IC had some way to store a flag, that indicates "Port-Isolation-On-At-PowerUp". Somebody else here probably knows a lot more about the above.

You are overgeneralizing. There are few bad devices, 5 years or older. Booting OEM too, clients get DHCP address from WAN then choke with invalid config. I got one device as you read in doc post.

Thank you for the answers, I assumed it was a problem of the Linux kernel driver instead of the configuration of U-Boot.

What would be the easiest way to test whether a device I bought has port isolation?

Acquiring WAN subnet IP when powering on. They are still perfect wired extenders/dumb APs/switches without VLANs.
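A complementary check to the one described in this thread, as an added example that is not part of any post: capture with `tcpdump -e -n` on a spare host wired to the router's WAN port while the router powers on, then look for frames whose source MAC belongs to a LAN-side client. The MAC addresses, IP addresses and capture lines below are constructed sample data, and the function names are illustrative.

```python
import re

# Link-level header as printed by `tcpdump -e -n`:
#   HH:MM:SS.ffffff src_mac > dst_mac, ethertype NAME (0x....), length N: ...
FRAME_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+>\s+"
    r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}),\s+"
    r"ethertype\s+(?P<etype>[^,]+),", re.IGNORECASE)

def find_leaks(capture_lines, lan_macs):
    """Return (timestamp, src, dst, ethertype) for every frame captured on
    the WAN side whose source MAC belongs to a LAN-side host."""
    lan = {m.lower() for m in lan_macs}
    leaks = []
    for line in capture_lines:
        m = FRAME_RE.match(line.strip())
        if m and m.group("src").lower() in lan:
            leaks.append((m.group("ts"), m.group("src").lower(),
                          m.group("dst").lower(), m.group("etype").strip()))
    return leaks

def leak_window(leaks):
    """First and last capture timestamp at which LAN frames reached WAN."""
    return (leaks[0][0], leaks[-1][0]) if leaks else None

# Constructed capture: ...:fe is the router's own WAN MAC (expected on WAN),
# ...:11 and ...:12 are wired LAN clients (must never appear on WAN).
SAMPLE = """\
10:00:02.100000 02:00:00:00:00:fe > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.254, length 46
10:00:03.250000 02:00:00:00:00:11 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 02:00:00:00:00:11, length 300
10:00:05.900000 02:00:00:00:00:12 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.1 tell 192.168.1.50, length 46
10:00:41.000000 02:00:00:00:00:fe > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 02:00:00:00:00:fe, length 300
""".splitlines()
LAN_MACS = {"02:00:00:00:00:11", "02:00:00:00:00:12"}

if __name__ == "__main__":
    hits = find_leaks(SAMPLE, LAN_MACS)
    for ts, src, dst, etype in hits:
        print(f"{ts} LAN host {src} visible on WAN ({etype} to {dst})")
    print("leak window:", leak_window(hits))
```

An empty result over the whole boot, with LAN clients actively sending, is what an isolated switch looks like; any hit gives the window during which the ports were bridged.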