Hi, my first post. When buying a router for OpenWRT, how do you determine if a router has built-in LAN interfaces, for creating multiple subnets? For example, D-Link DIR882 has this feature, but Linksys MR8300 does not. I would prefer to have multiple isolated subnets.
According to the following page, the MR8300 has five network ports and is VLAN capable. In the technical data of the devices supported by OpenWRT, you can read that well.
Thank you for your reply. It sounds like the MR8300 supports assigning interfaces to each individual LAN port, as the device supports VLANs, but it has to be done manually?
Some devices though have the multiple LAN interfaces automatically added during installation, i.e. the user does not have to create them. Looking at the hardware spec, is it possible to differentiate between devices that include the multiple LAN interfaces automatically during OpenWRT installation, and those that have to be manually added and configured by way of VLANs?
I might be wrong, but I believe the difference relates to some routers having a built-in hardware switch? Looking at the hardware spec, I am not sure which item to check.
Yes, look at the DSA examples.
Yes, just keep in mind the different device categories:
1. There are the typical 5-port home WiFi routers:
- those with OpenWRT DSA support. Those use VLAN for cross-device logical segmentation and DSA for router-local segmentation. DSA makes the ports look as if they were separate physical ports, but it's just logical segmentation.
- those without OpenWRT DSA support. Those use VLAN IDs for both router-local and cross-device logical segmentation.
- a few rare, very old devices have neither VLAN nor DSA support.
Currently you need to read the release notes of 22.03.0 and 21.02.0 to identify the DSA-supported chip series.
In all 3 cases, all available ports are in use in an OpenWRT default config: 1 for WAN, the remaining n-1 for the default LAN zone. Both DSA and VLAN-capable devices allow segmentation, just the config flavor for it is different.
2. There are x86 routers.
Those have no built-in switch and instead have physically separated network cards. Even if based on 2 or 4 port NIC cards, those have physically separated NIC chips for each port and are just packed on the same single-slot PCB.
Only 2 NIC ports are in use on a default OpenWRT out-of-the-box installation, 1 for WAN, 1 for LAN; these 2 ports are sometimes chosen a bit randomly. You have to manually add the remaining n-2 NICs and reassign ports as needed in config.
Device-local segmentation is done by manually reassigning these physical ports (each being represented by a distinct config port).
VLAN config is also available, but only needed for cross-device logical segmentation.
3. Then there are IoT-based devices like the Raspberry Pi.
Those usually have 0 or 1 physical NIC and no switch.
You usually add additional NICs via USB adapters.
From then on segmentation and VLAN support is the same as with x86.
Overall, high level logical network subnet config for all variants is done the same, just the low level port config for device-local segmentation differs due to the described physical hardware differences.
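To make the "config flavor" difference concrete, here is an added example (not from the post above, and not an OpenWrt-shipped default) of how the device-local segmentation looks in `/etc/config/network` on the two main categories. It assumes a DSA-capable 5-port router whose switch ports are named `wan` and `lan1`..`lan4` (names vary per device) and carves `lan4` into a separate, isolated subnet; the trailing x86 stanza assumes a third NIC called `eth2`. The subnet addresses are constructed sample values. Isolation only holds once the firewall has a zone for the new interface with no forwarding to `lan`, so the matching `/etc/config/firewall` fragment is included as well.

```uci
# /etc/config/network (DSA device, e.g. OpenWrt 21.02+ with DSA support)
# One bridge holds every switch port; bridge-vlan sections decide which
# ports belong to which VLAN. ':u' = untagged, '*' = PVID of that port.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan4:u*'

# Each VLAN becomes its own L3 interface on br-lan.<vid> (sample addresses)
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option device 'br-lan.2'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

# x86 (or USB-NIC) equivalent: no switch, no bridge-vlan needed.
# The spare physical NIC is assigned directly (assumed name 'eth2').
# config interface 'iot'
#	option device 'eth2'
#	option proto 'static'
#	option ipaddr '192.168.2.1'
#	option netmask '255.255.255.0'

# /etc/config/firewall: a separate zone with no forwarding to 'lan'.
# Without this, the two subnets are still routed to each other.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'iot'
	option dest 'wan'
```

Only the port-level part changes between categories: on DSA hardware the `bridge-vlan` sections do the device-local split, on x86 you just point the interface at the physical NIC, and on the older swconfig targets the same split is expressed with `config switch_vlan` sections instead. The `interface`, `zone` and `forwarding` sections are identical across all three, which is what the post means by the high-level subnet config being done the same way. Apply with `service network restart` and `service firewall restart` after editing.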
For ipq40xx, like this device, and an interest in VLAN setups, really ignore 22.03.x and before in favour of current master snapshots, which got DSA support recently (as the old swconfig drivers in 22.03.x and earlier are pretty 'special' and broken for that, while DSA just works properly).
IIRC MR8300 does not currently have any snapshot builds because the kernel partition is too small. It's being worked on though (there's a PR for it).
You need to be careful using a lot of routers for VLANs; the boot loader usually configures the switch to have all ports open, before the OS loads. During that time, all your VLANs will leak.
That's indeed another advantage of x86_64 routers, which usually come with dedicated ethernet cards per port - no chance for leakage.
Hi @jaredoconnor, this is an interesting point. Reminds me of the days consumer routers were, and probably still are, hacked during boot. Because routers don't have dedicated hardware ports like an ethernet card in x86_64, are they less secure than x86_64? Which routers, or which scenario, is likely to lead to a situation where network config data is leaked during boot?
The CPU architecture isn't really relevant; you can get ARM and MIPS boards, for example, that have multiple NICs. You could probably also argue that x86/64 is generally less secure, these days, due to all the Intel hardware vulnerabilities.
The issue I mentioned shouldn't have any bearing on whether the router itself can be hacked during boot. The issue is that all the ethernet ports will be on one VLAN, until the OS boots and configures the switch. VLANs are usually used to separate devices, for security reasons and so on. Thus, if all your devices are exposed to each other, during boot, it's probably not a good thing.
There was a time when incompetent router manufacturers would bridge the WAN port, during boot. That issue shouldn't be a concern these days, unless someone really screwed up. For completeness though, that created two big security issues:
- Your entire LAN could be exposed to the WAN, without a firewall or NAT to protect it.
- Your router itself could be remotely compromised, because the bootloader could have a network recovery/provisioning process and that is exposed to the WAN.
Unfortunately, all these problems are largely undocumented. The only way to know if a given device has these issues is to test it yourself. Generally speaking, you should assume that all consumer grade routers will bridge all LAN ports, during boot. Most managed switches should not do this, but I'm sure some do. FWIW, I use Netgear GS308T switches (running OpenWrt) and they seem to be OK; port 1 is open during boot, for recovery purposes, so I just don't put untrusted devices on that port.
I always recommend that people get separate devices for routing, WiFi and switching, for reasons like this.