Struggling to understand switching and physical interfaces

I'm trying to get to grips with OpenWRT on my WDR3600, but I'm getting really confused as to all this switching and bridging business.

Shouldn't every port on the back be a physical interface (e.g. eth1, eth2) to then be managed individually by the system? I don't understand why an access port on the switch has to be eth0.1, because then that means it's tagged? If I wanted a trunk port on eth1, for example, wouldn't I do eth1.1 etc.?

I'm also not understanding why there needs to be a br-lan interface. I'm not interested in bridging to my WLAN and I want to enforce port isolation along with using only certain ports to be able to manage the system with.

Any help in understanding this would be greatly appreciated!

As far as I understood, most plastic boxes only have these embedded switch gizmos. I don't know what they are actually called. But the physical ports are not really separate ports.
This leads somehow to:

On the default OpenWrt config, it's untagged on the physical/logical port and only tagged on the "CPU port".

That's the/one reason why the default is VLAN 1 on LAN and VLAN 2 on WAN: to have two "separate" networks.

If you mean by trunk port a port with one or more tagged VLANs, then you would want to set a port as tagged.

Example:

VLAN 17 and 23 tagged on LAN1 (Archer C7 v5, where the CPU is port 0 and LAN1 is port 2)

# VLAN 17: port 2 (LAN1) tagged, port 0 (CPU) tagged
config switch_vlan
    option  device          'switch0'
    option  vlan            '17'
    option  ports           '2t 0t'

# VLAN 23: same two ports, also tagged, so LAN1 carries both VLANs as a trunk
config switch_vlan
    option  device          'switch0'
    option  vlan            '23'
    option  ports           '2t 0t'

See https://openwrt.org/docs/guide-user/network/vlan/switch_configuration for some more details.

That's just the default. The default use case for most people is to have only a single "LAN" where wired and wireless clients meet.

As far as I understood, on a plastic box without "real" NICs the only way is to cheat by (ab)using VLANs. For instance, assign LAN1 VLAN 17 untagged, LAN2 VLAN 18 untagged, and so on.

# VLAN 17: port 2 (LAN1) untagged, CPU port 0 tagged
config switch_vlan
        option device 'switch0'
        option vlan '17'
        option ports '2 0t'

# A routed (not bridged) interface on the CPU side of that VLAN
config interface 'lan1'
        option ifname 'eth0.17'
        option proto 'static'
        ...

Not to mention that you either disable the firewall service or adjust its config. And regarding wireless: I'm not quite sure how... but you need to set option network anyway, and this does not need to be a bridge...
The following is untested....

# /etc/config/network
# A plain (non-bridge) interface for the wireless network to attach to
config interface 'wlan_foo_if'
    option proto static

# /etc/config/wireless
# The wifi-iface joins that interface via 'option network'
config wifi-iface 'wlan-foo'
    ...
    option network 'wlan_foo_if'
    ...
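Putting the per-port VLAN approach from the reply above together (one VLAN per LAN port, one routed interface per VLAN, one firewall zone per interface, and router management allowed only from one VLAN), here is an added example that is not from the original posts: a POSIX shell script that emits input for "uci batch". The switch layout (CPU = port 0, LAN1..LAN4 = ports 2..5), the VLAN numbers, the addresses and the zone names are assumptions; check the real port map with "swconfig dev switch0 show" first. The "ifname" option follows the swconfig-era syntax used in this thread; DSA-based builds use "device" and bridge-vlan sections instead.

```shell
#!/bin/sh
# Added example (not from the original posts): emit a `uci batch` script that
# puts each LAN port in its own VLAN on an swconfig switch, gives each VLAN a
# routed interface (no br-lan), and a firewall zone that does not forward
# between them. Only the management VLAN may reach the router's own services.
#
# ASSUMED switch layout (verify with `swconfig dev switch0 show`):
#   CPU = port 0, LAN1..LAN4 = ports 2..5
CPU_PORT=0
LAN_PORTS="2 3 4 5"
BASE_VLAN=17          # LAN1 -> VLAN 17, LAN2 -> VLAN 18, ...
MGMT_VLAN=17          # assumption: LAN1 is the management port

# switch_vlan: the physical port is untagged, only the CPU port is tagged,
# so nothing on the wire is tagged; tags exist only on the CPU<->switch link.
gen_switch_vlan() {   # $1 = vlan id, $2 = switch port number
    cat <<EOF
set network.vlan$1=switch_vlan
set network.vlan$1.device='switch0'
set network.vlan$1.vlan='$1'
set network.vlan$1.ports='$2 ${CPU_PORT}t'
EOF
}

# One routed interface per VLAN on the CPU's single eth0 (swconfig syntax).
gen_interface() {     # $1 = vlan id, $2 = interface name, $3 = IPv4 address
    cat <<EOF
set network.$2=interface
set network.$2.ifname='eth0.$1'
set network.$2.proto='static'
set network.$2.ipaddr='$3'
set network.$2.netmask='255.255.255.0'
EOF
}

# Firewall zone: forward=REJECT keeps the VLANs apart (no inter-VLAN routing
# unless an explicit forwarding is added); input policy decides whether hosts
# on this VLAN may talk to the router itself (SSH, LuCI, ...).
gen_zone() {          # $1 = zone/network name, $2 = input policy
    cat <<EOF
set firewall.$1=zone
set firewall.$1.name='$1'
set firewall.$1.network='$1'
set firewall.$1.input='$2'
set firewall.$1.output='ACCEPT'
set firewall.$1.forward='REJECT'
EOF
}

# With input=REJECT the router would also refuse DHCP, so allow just that.
gen_dhcp_rule() {     # $1 = zone name
    cat <<EOF
set firewall.${1}_dhcp=rule
set firewall.${1}_dhcp.name='Allow-DHCP-$1'
set firewall.${1}_dhcp.src='$1'
set firewall.${1}_dhcp.proto='udp'
set firewall.${1}_dhcp.dest_port='67'
set firewall.${1}_dhcp.target='ACCEPT'
EOF
}

gen_config() {
    i=0
    for port in $LAN_PORTS; do
        vlan=$((BASE_VLAN + i))
        name="lan$((i + 1))"
        gen_switch_vlan "$vlan" "$port"
        gen_interface "$vlan" "$name" "192.168.$vlan.1"
        if [ "$vlan" -eq "$MGMT_VLAN" ]; then
            gen_zone "$name" ACCEPT
        else
            gen_zone "$name" REJECT
            gen_dhcp_rule "$name"
        fi
        i=$((i + 1))
    done
}

# Usage on the router (review the output first!):
#   sh isolate.sh | uci batch && uci commit && /etc/init.d/network restart && /etc/init.d/firewall restart
gen_config
```

Because every VLAN gets its own zone with forward=REJECT and no "config forwarding" sections, a host on LAN2 can neither reach LAN3 (switched in the ASIC only within VLAN 18, routed through the CPU and rejected for anything else) nor the router's own services, while LAN1 keeps full management access. Keep a console or serial connection available while testing, since a wrong port map locks you out.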

Your device has a CPU with just one ethernet port (eth0), connected to a switch with 5 ports facing outwards (WAN and LAN1 to LAN4). OpenWrt (especially since version 21.02) hides this fact from the user, and everything is configured seamlessly by UCI.

If you want to access each external port individually from the CPU, and considering that there is just one ethernet connection between the CPU and the switch, then you need to use VLANs. But only the traffic between the CPU and the switch gets tagged; external traffic remains untagged.

Most users want to bridge their WLANs with their LAN, so the default configuration creates a bridge on LAN, where the WLAN can attach.


Thanks, I've had a look at a few diagrams and managed to get a basic switch configuration going without a bridge. The next step is to set up the WAN interface and route the traffic.

Am I right in thinking that a config without a bridge just uses the switch chip, whereas a bridge is processed in the CPU? Since routing would be done in the CPU, would I be able to firewall things there?

I'd also like to firewall some traffic on the same VLAN which goes through the switch, would I have to move over to a bridge config if I wanted to do this?

I think everything which is not on the same VLAN, and therefore not covered by a bridge, is going through the CPU. (On these plastic boxes with embedded switches. On an x86 box with just a bunch of NICs, everything is going through the CPU. The other option is to have expensive gear which is supported by switchdev; then many things can be offloaded to the ASIC by the kernel, but this is mostly done with Cumulus or SONiC, and the like.)

Sure, traffic from one (Linux network) device/interface to another can be firewalled. See --in-interface and --out-interface for iptables, or for nftables it is meta iifname and meta oifname. But both can only be used in FORWARD. In the nat table, before or after the routing decision, only one of the two can be used.

To firewall traffic on the same VLAN / between interfaces on a bridge you will need (legacy) ebtables, or use nftables, which provides filtering for ARP, the bridge family and netdev.

Does this help?
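To make the two cases in the reply above concrete, here is an added example that is not from the original posts: a shell script that emits an nftables ruleset with an inet forward chain using iifname/oifname for routed traffic between two VLAN interfaces, and a bridge-family forward chain for traffic between two members of the same bridge. The interface names eth0.17 and eth0.18, the bridge member names lan2 and lan3, and the table names are assumptions. The bridge-family rules only see frames the Linux bridge forwards; frames switched in hardware between two untagged ports of one VLAN never reach the CPU, so neither chain sees them.

```shell
#!/bin/sh
# Added example (not from the original posts). Emits an nftables ruleset that
#  (1) filters ROUTED traffic between two VLAN interfaces in the inet forward
#      hook: this is the traffic that reaches the CPU when the VLANs differ;
#  (2) filters SAME-VLAN traffic in the bridge family, which only works when
#      the frame crosses a Linux bridge (br-lan). Frames switched in the ASIC
#      between two untagged ports of one VLAN never hit either hook.
# Interface/bridge member names below are assumptions for illustration.
MGMT_IF="eth0.17"     # management VLAN interface (routed, no bridge)
GUEST_IF="eth0.18"    # another per-port VLAN interface

# inet forward: matches on the L3 interfaces the router routes between.
# Management may initiate to guest; guest may only answer, never initiate.
gen_inet_forward() {
    cat <<EOF
table inet vlanfw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$MGMT_IF" oifname "$GUEST_IF" accept
        iifname "$GUEST_IF" oifname "$MGMT_IF" counter drop
    }
}
EOF
}

# bridge forward: matches on bridge MEMBER ports ($1, $2), i.e. L2 frames the
# kernel bridge forwards within one VLAN. The hardware switch never consults
# this chain, so it only isolates ports that are actually bridge members on
# the CPU side (e.g. a wireless interface bridged with a wired port).
gen_bridge_forward() {   # $1 = first bridge port, $2 = second bridge port
    cat <<EOF
table bridge brfw {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # drop both directions, including ARP, so the two ports cannot see each other
        iifname "$1" oifname "$2" counter drop
        iifname "$2" oifname "$1" counter drop
    }
}
EOF
}

gen_ruleset() {
    gen_inet_forward
    gen_bridge_forward lan2 lan3   # assumed member names of br-lan
}

# Usage: sh vlanfw.sh > /tmp/vlanfw.nft && nft -c -f /tmp/vlanfw.nft && nft -f /tmp/vlanfw.nft
# (no `flush ruleset`, so the firewall's own tables are left alone)
gen_ruleset
```

The ruleset deliberately adds its own tables instead of flushing, so it coexists with whatever the OpenWrt firewall service has loaded; on fw4-based releases the usual place for such additions is an include file under /usr/share/nftables.d/ (an assumption to verify against your release's documentation). Run "nft -c -f" first to syntax-check before loading.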

I think, if I understand the diagrams correctly, I will need to configure a bridge in order to firewall on the same VLAN, as without a bridge the traffic doesn't reach the CPU and just gets handled by the switch?
I noticed before that a bridge has a VLAN section in the config too; what is the difference between the VLAN config on the switch page and configuring the VLANs on the bridge?

I've just actually tried to create a static route, but it seems I can only do so on interfaces? I've created only one interface for the management VLAN, as I only want the switch to be managed from that. It looks like I can create 'unmanaged' interfaces and then select these in the routing section?