Support for RTL838x based managed switches

That was also my thinking. 32MB in total should be fine. IMHO I'm not a fan of running advanced L3+ stuff on a switch. Routing offloading is non-functional anyway right now.

If the failover is easy might be another story. For my Zyxel device, both partitions would end up with an rt-loader in place which you usually only flash once and never change again if not necessary. So to have an easy/good failover could be a potential feature extension for rt-loader. This would add more complexity but allows us to shape this how we want it. Different sizes of the dual-partitions with the main partition taking most of the space and the recovery one being very minimal, or whatever.

32MB devices could work for basic switching (and lets be honest, besides testing routing from an academic standpoint, the CPUs on realtek targets are not enough for modern routing). I have web UI with luci-app-lldpd as well as the prometheus-node-exporter setup with 22MB free out of 32MB.

Bigger question is how can this be integrated with boot processes so that a failed upgrade results in a reboot to the old partition? We can of course use a serial cable on the console but once we have gone that far we may as well reflash and restore the config.

Especially so if we start gutting out some of the default packages that simply don't make sense on a layer-2 device (firewall4, nftables, dnsmasq, odhcpd, and so on). If you want to use LuCI, you currently have to play a lot of games to do this, as luci-light has a dependency on luci-app-firewall, which sucks in a ton of stuff in that list. I've been poking around at this on and off for the past year on my AP with a luci-layer2 "collection" that keeps all the device management modules, but makes all WAN, DNS, DHCP and other layer-3+ capabilities purely add-ons.

Yeah, filtering out all the luci dependencies to remove firewall4 from my GS1900-10HP was a bit of a pain. luci-light is really not so light.

It is pretty ugly, isn't it? My current recipe is roughly this, with my luci-layer2 package comprising the "adds". (I should PR it, so anyone interested can play with it and I can get some feedback...)

• remove:
  • luci
  • luci-light
  • firewall4
  • dnsmasq
  • odhcpd-ipv6only
• add:
  • luci-mod-admin-full
  • luci-theme-bootstrap
  • rpcd-mod-rrdns
  • uhttpd
  • uhttpd-mod-ubus

nftables is a dependency of both firewall4 and dnsmasq, so gets dropped implicitly; likewise for a bunch of nft libs and kmods.

EDIT

Even with firewall4 and a bunch of luci packages the usage can be kept to only 10MB or so on 25.10 rc5, assuming I am not grossly misinterpreting the partition allocation on this 32MB HPE JG921A:

root@hpe-1920-8g-poe:~# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                 3.3M      3.3M         0 100% /rom
tmpfs                    58.8M    284.0K     58.6M   0% /tmp
/dev/mtdblock9           23.1M    692.0K     22.4M   3% /overlay
overlayfs:/overlay       23.1M    692.0K     22.4M   3% /
tmpfs                   512.0K         0    512.0K   0% /dev

root@hpe-1920-8g-poe:~# apk info
apk-mbedtls
attendedsysupgrade-common
base-files
busybox
ca-bundle
cgi-io
dropbear
ethtool
firewall4
fstools
fwtool
getrandom
jansson4
jshn
jsonfilter
kernel
kmod-crypto-crc32c
kmod-crypto-hash
kmod-gpio-button-hotplug
kmod-lib-crc32c
kmod-nf-conntrack
kmod-nf-conntrack6
kmod-nf-flow
kmod-nf-log
kmod-nf-log6
kmod-nf-nat
kmod-nf-reject
kmod-nf-reject6
kmod-nfnetlink
kmod-nft-core
kmod-nft-fib
kmod-nft-nat
kmod-nft-offload
libblobmsg-json20260213
libc
libcap
libevent2-7
libgcc1
libiwinfo-data
libiwinfo20230701
libjson-c5
libjson-script20260213
liblua5.1.5
liblucihttp-ucode
liblucihttp0
libmbedtls21
libmnl0
libncurses6
libnftnl11
libnl-tiny1
libsensors5
libsysfs2
libubox20260213
libubus-lua
libubus20251202
libuci20250120
libuclient20201210
libucode20230711
libudebug
libustream-mbedtls20201210
lldpd
lm-sensors
logd
lua
luasocket
luci-app-firewall
luci-app-lldpd
luci-app-package-manager
luci-base
luci-lib-nixio
luci-lib-uqr
luci-light
luci-mod-admin-full
luci-mod-network
luci-mod-status
luci-mod-system
luci-proto-ipv6
luci-proto-ppp
luci-ssl
luci-theme-bootstrap
mtd
nano
netifd
nftables-json
odhcp6c
openwrt-keyring
owut
procd
procd-seccomp
procd-ujail
prometheus-node-exporter-lua
prometheus-node-exporter-lua-hwmon
prometheus-node-exporter-lua-netstat
prometheus-node-exporter-lua-openwrt
prometheus-node-exporter-lua-realtek-poe
px5g-mbedtls
realtek-poe
rpcd
rpcd-mod-file
rpcd-mod-iwinfo
rpcd-mod-luci
rpcd-mod-rpcsys
rpcd-mod-rrdns
rpcd-mod-ucode
sysfsutils
terminfo
uboot-envtools
ubox
ubus
ubusd
uci
uclient-fetch
ucode
ucode-mod-fs
ucode-mod-html
ucode-mod-log
ucode-mod-math
ucode-mod-ubus
ucode-mod-uci
ucode-mod-uclient
ucode-mod-uloop
uhttpd
uhttpd-mod-lua
uhttpd-mod-ubus
urandom-seed
urngd
usign
zlib

The dual-boot possibilities we have right now are rather bad, usually it's only a failed image check which triggers switching to the other partition. That should be both the case for devices running U-boot, and those that run Zyxel stuff (Bootbase + BootExtension). But as said, this is rather useless IMO.

Just some wild thoughts:
We could implement something simple, a boot counter somewhere in memory that is read by U-boot/rt-loader and if it is exceeded, it'll switch to the other partition. This counter needs to be reset by a small userspace script. With this, we could cover cases where the kernel is in a crash loop.

The case where Linux boots fine but our networking doesn't work is a bit trickier but a small userspace script could also do some checks and if some fail, trigger a reboot but don't clear the counter.

Then, there's also pstore and https://github.com/openwrt/openwrt/pull/22177 where dual-boot/pstore support is expected to included then.

nftables is essential in one of my uses cases for switches, but only for the INPUT queue.
I wouldn't even think of using a switch as a passthrough firewall/router due to the lack of processing power. However, restricting the number of devices being allowed to connect to LuCI is important for defense-in-depth. Obviously, the best path is to have a separate management VLAN and to provide no access to the management interface from the user VLAN (great for office environments), but this is probably a bit unrealistic for a home network.

It is, and there are often other recovery methods. Usually, I try to keep a dual image layout if possible, but I gladly sacrifice it if there is an alternative recovery method (e.g. TFTP) for more/enough flash space. On the ZyXEL GS1920 there was no other choice as there is only a 16MiB flash chip.

I am also going to use both partitions on the XikeStor SKS7300 series because there is an RJ45 console port and it comes with a console cable out of the box (and network works in U-Boot). The HPE JG92x switches also have a standard console port.

And then there are devices where it's just useless to only use one image slot: The TP-Link SG2452P is such an example. While there are two partitions for the rootfs, only one kernel is present. The second image will never boot with an OpenWrt kernel.

To be honest, I find a dual image design rather useless on an embedded device, especially when running OpenWrt. Sure, things can go wrong, but if you dare to install OpenWrt, you should be able to hook up serial console for recovery. Thinking back how often I've had to attach serial for recovery on my production devices, this tends towards zero. The exception are devices that lack another way to return back to stock, but I don't remember any.

I couldn't resist buying a Zyxel GS1900-8HP Rev B2.
@cryator did I understand you correctly that the B1 firmware image works well for switching, but you need to adjust the PoE config to get power on all ports?

Oh, I fully expect there are many cases where this is true, but my aim is to give those who want to strip things down the ability to do so without all sorts of work. (It's a lot easier to say apk add firewall4 when needed than it is to figure out how to apk del <a bunch of stuff> && apk add <some other stuff>.)

Management VLAN for all devices is exactly one of my use cases for managed switches at home.
Currently at 9 subnets at home.

Yes, everything except PoE worked out of the box. I have it running the just released 25.12.0 and it is working fine for me.

Has someone tried flashing a EWS2910P-FIT ?
It seems that the file format is different from the "non-fit" EWS2910P. (bix vs imag)
I also connected the serial port as mentioned in the wiki, but there is a key protecting the uboot commandline:

Enter correct key to stop autoboot:  0 

So they seem to have added some security unfortunately. Someone has more info on this variant?
The sticker on the case says v1, the PCB says v3. I'd trust the PCB silkscreen

Some light binwalking seems to indicate this is just a tar file. Probably with a custom header prepended?

The archive itself contains a .bix file and a list of supported devices, so these should be Realtek too:

EWS2910P-FIT    MagicNumber 0x83030500  8380_2fib_1g    44194,22,1,83
EWS7928P-FIT    MagicNumber 0x83031500  838X            44194,22,1,84
EWS7928FP-FIT   MagicNumber 0x83031600  838X            44194,22,1,85
EWS7952P-FIT    MagicNumber 0x83032501  8393            44194,22,1,86
EWS7952FP-FIT   MagicNumber 0x83032601  8393            44194,22,1,87
EWS2910FP-FIT   MagicNumber 0x83030600  8380_2fib_1g    44194,22,1,113
EWS7928P-FITv2  MagicNumber 0x83131500  838X            44194,22,1,84
EWS7928FP-FITv2 MagicNumber 0x83131600  838X            44194,22,1,85
EWS7952P-FITv2  MagicNumber 0x83132501  8393            44194,22,1,86
EWS7952FP-FITv2 MagicNumber 0x83132601  8393            44194,22,1,87

Maybe try "a" "c" "p"

Hi @svanheule

Indeed I had a further look, but there the annoying 64 byte header. So I had AI figure it out and create a tool to make valid imag files. And low and behold, the image actually worked! The only (? ) problem remaining now is to flash a non-recovery image. Since I get this message in Luci: System running in recovery (initramfs) mode. even after flashing a sysupgrade image.

I'm a bit worried/puzzled about this message in the serial console:

Cannot parse config file '/etc/fw_env.config': No such file or directory
Failed to find NVMEM device

But the file seems to be there, and its contents look reasonable:

root@OpenWrt:~# cat /etc/fw_env.config 
/dev/mtd1 0x0 0x10000 0x10000 
root@OpenWrt:~# cat /proc/mtd 
dev:    size   erasesize  name
mtd0: 00080000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00010000 00010000 "u-boot-env2"
mtd3: 00d60000 00010000 "rootfs_data"
mtd4: 00200000 00010000 "jffs2-log"
mtd5: 00800000 00010000 "firmware"
mtd6: 003b0000 00010000 "kernel"
mtd7: 00450000 00010000 "rootfs"
mtd8: 001b0000 00010000 "rootfs_data"
mtd9: 00800000 00010000 "firmware2"

@plappermaul this works as uboot password, thanks!

You can find the tool at: https://github.com/rubenbe/engenius-ews2910p-fit-openwrt

Summary: a LOT of progress, but more info is certainly appreciated, thanks!

See https://openwrt.org/toh/linksys/lgs352c#images Take the LGS310C recipe and adapt to your needs. linksys-image and belkin-header should be your friend.

Thanks! This is the package format indeed!
In the end I managed to boot in non-failsafe mode by modifying the uboot boocmd a bit to have the same offsets as userspace: A dirty way, but it worked

setenv bootcmd "sf probe 0;sf read ${freemem} 0x1000000 0x800000;bootm ${freemem}"

Only my POE is not functional yet.

Hi. I wondering if I can simply disable firewall on my JG924A or is that necessary to firewall is running?
Thanks for reply.