Questions about DSA

1 Is it possible for LAN ports to communicate without CPU stepping in? Like, the frames get forwarded by switch and not going through CPU port so the CPU knows nothing about those frames?
2 If 1 is true, then how does OpenWrt know whether a frame needs to be examined (maybe by a firewall?) before forwarding? I mean, is there a switch or something that I can toggle to disable/enable direct LAN communication?
3 Is wireless chip connected to the switch or CPU? I mean, if it's connected to CPU then the data must go like wifi - CPU - switch - LAN, which means the kernel would know the data frame anyway, right?

A home router does usually have a SoC (System on Chip) that is pretty much everything you talk about in one chip and only PCB connections to the actual RJ45 connectors or wifi modules.

Unless you have a 19” rack with a firewall, router, DHCP server, a switch and a business class access point on the wall or roof it is all the same thing and most is only software solutions on a home router.

But a “switch” usually doesn’t run packets within the same vlan back to the firewall for “checking”. Based on active broadcast model it sends the packet directly to the receiver and maybe everyone else on the same vlan.

But there are a billion ways to build the hardware and different hardware has different capabilities, and your question is not really that hardware specific?

Yeah I am looking at my old wrt32x but yeah I'm asking about home routers not any specific model.

So if I want to firewall the LAN traffic, can I achieve this by setting VLAN for each port?

I'm asking this because I heard that there is a thing called CPU port. If it's pure software then using 1 CPU port shouldn't hurt any performance cuz you know.. it's software? But last time I checked, using 1 port would only allow 1Gbps bandwidth total in all directions while 2 ports allow 1Gbps full duplex. (cuz it requires 2Gbps CPU in/out)

  1. Yes, traffic between ports on the switch doesn't touch the CPU. You can add two switch ports to a bridge and don't set up any networking (create an unmanaged connection) on the system. Even if you set up networking, traffic between switch ports won't flow through the cpu.

  2. Traffic between two ports on a switch doesn't flow through the cpu and isn't filtered (except when you set both ports as isolated - then no traffic flows between the ports).

  3. Wireless NIC is not a part of the switch. CPU processes all frames (with different levels of offload depending on the wifi driver), and in any case CPU can inspect any traffic between ethernet and wifi clients and also between two wifi clients (as openwrt by default doesn't do low-level bridging between wifi stations).


CPU is physically connected to the switch via a media independent interface (MII), often RGMII (1Gbps), SGMII (1Gbps), HSGMII (2.5Gbps), so there is finite bandwidth between the switch and the CPU.


Yes, but the current OpenWrt DSA driver implementation only utilises one of the two CPU ports.


I got the following from the log, so I assume that there are 2 RGMII connections and OpenWrt is only using 1.

[   13.961470] mvneta f1070000.ethernet eth0: configuring for fixed/rgmii-id link mode
[   13.973196] mvneta f1070000.ethernet eth0: Link is Up - 1Gbps/Full - flow control off

If that is true ... May it be the cause of CPU core #0 being busy while #1 being totally idle?

There have been attempts to get it into the tree, but things were still in a state of flux upstream.

Check your IRQ distribution, offhand guess would be WIFI. DSA will not matter much unless you have a high bandwidth, symmetrical link.


I see. Honestly DSA kinda looks worse to me than the old swconfig.. unintuitive, less functionality, worse performance... lol don't know why we made the change?

Yeah, lots of softirq. I have tons of traffic continuously due to video data transferred between local hosts and also remote VPN.

I think you have my 3 questions answered. Just a little follow-up though. Is bridging lan1~4 enough for isolating lan from wan?
Like:

config device 'br_lan'
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

So the lan1~4 will be tagged VLAN1 and wan will be tagged VLAN2 implicitly?

Yes, wan would be isolated from lan1-4, but it won't be based on 802.1q vlans, instead DSA configures the switch to forward packets between ports lan1-4 and not between them and wan. Also, with some exceptions, DSA uses switch vendor-specific tags on packets so it knows which port the packet arrived on so it can locally differentiate packets received by the cpu.

Because DSA has more functionality than swconfig:

  • you can have multiple independent bridges on the same switch without even using 802.1q VLANs
  • you can have q-in-q or use 802.1ad tags
  • it's way easier to detect link status changes on ports
  • you can add (any number of) ports from multiple switches, real physical ethernet interfaces, virtual ethernet interfaces, wifi interfaces, etc to the same bridge
  • if the switch supports bonding/teaming modes you request, you can configure them the same way you would real nics

Regarding "one cpu port", it really is unfortunate that some implementations only utilize a single CPU port, but DSA should support what you want generally: Affinity of user ports to CPU ports

This means that it should be possible to set static user port <-> cpu port affinity but also do bond/team on all cpu ports if the switch supports it.

Additionally, some more modern devices (MT797x for example) have 2.5Gbps MII between the CPU and the switch even if they only have gigabit wan/lan ports.

Finally, some (for example MT7621) devices have a switch which can directly send traffic from one of the ports (for example WAN port) to another MII while keeping most of the traffic delivered to the main MII. This is similar to the Affinity linked above but less flexible.

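As an added example (not from any post in this thread), here is what the "VLAN per port" idea raised earlier looks like in OpenWrt's DSA-era UCI syntax: two bridge VLANs on br-lan so that lan1/lan2 and lan3/lan4 become separate L2 segments the switch will not forward between, which forces traffic between the two groups up the CPU port and through the firewall, where it can be filtered. The VLAN IDs, interface names and addresses are assumed values.

```uci
# /etc/config/network (constructed example; VLAN IDs and addresses are assumed)

config device 'br_lan'
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# VLAN 10: lan1 and lan2 only. ':u*' = untagged member, PVID on ingress.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'lan2:u*'

# VLAN 20: lan3 and lan4 only. The switch forwards lan3<->lan4 in hardware,
# but never lan1<->lan3, because they are in different VLANs.
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

# One L3 interface per VLAN. Anything crossing VLANs must be routed by the
# CPU, so it hits the firewall like wan<->lan traffic does.
config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
```

To actually block or allow traffic between the two segments, put 'lan' and 'guest' in separate zones in /etc/config/firewall and add forwarding rules between them only where needed.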

Nice to know! I kinda get it... DSA is modeling things by the concept of bridges! Users would need to create all kinds of bridge configurations to get what they want.

Thank you guys for the info! It's pretty clear now. :tada: :clinking_glasses:


Not necessarily, you don’t need a bridge. You can have a bridge or many bridges if you want to. But you can run every port isolated also.
