Swconfig -> DSA : is it correct? Security problem?

Hi all,

I am (finally!) making the switch between the old style swconfig and the new DSA. It is for a Netgear R7800.

I am essentially leaving the initial configuration:

/etc/config/network

config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fdae:7d09:711b::/48'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'

config interface 'wan'
    option device 'wan'
    option proto 'dhcp'

This works and I am able to access the internet. However, I am confused as to how that works. I do not define the device “wan” anywhere, and yet the wan interface works. Does the new DSA style config automatically create any undeclared device?

In addition, I read this guide, and was very surprised to see this config:

config device
	option type 'bridge'
	option name 'br0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

2 things surprise me about this:

  1. It seems unnecessary to add the wan ports to the device, since we get internet access without adding wan to the device (as shown by my config).

  2. It seems very unsafe to create a direct bridge between lan and wan?

The wan port is a device simply called wan.
When used as a single port in a network interface, it is, itself, the device. (A bridge is a device that contains ports, but ports are basically the word used for devices within a bridge device).

This article doesn’t really apply to your situation.

Unnecessary in your situation, yes. May apply to others, though.

When using bridge VLANs, it is safe to add the wan port to the bridge. The VLANs are what keep the flows separated at layer 2. However, this is not necessary or relevant for your config which isn’t using VLANs.


Thanks for your answer.


This article doesn’t really apply to your situation.

The article states:

If you are upgrading your router to a firmware version that uses DSA, you should read this page.

so I thought it would apply to me. But I guess the article is focused on VLANs. I’ll try to amend the wiki if I find how, to help others.


When used as a single port in a network interface, it is, itself, the device. (A bridge is a device that contains ports, but ports are basically the word used for devices within a bridge device).

In the previous swconfig style, the wan interface was configured like this:

config interface 'wan'
	option proto 'dhcp'
	option device 'eth0.2'

it seems that the new firmware simply renames eth0.2 to wan. So it is NOT the case that the configuration automatically creates an undefined device. It’s just that the wan device is created by the firmware. Do I understand that correctly?

Thanks!
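
An added example, not from the thread or from the OpenWrt project: a Python check of the point made in the reply about bridge VLANs. It parses `/etc/config/network`-style text and flags a bridge that contains `wan` with no `bridge-vlan` sections, or a VLAN whose members include `wan` and another port. The function names and sample configs are constructed, and it assumes the `bridge-vlan` section syntax of OpenWrt's DSA configuration.

```python
import re
from collections import defaultdict

def parse_uci(text):
    """Parse UCI text into [(section_type, {option: [values]})]."""
    sections = []
    for line in text.splitlines():
        w = [q or b for q, b in re.findall(r"'([^']*)'|(\S+)", line)]
        if len(w) >= 2 and w[0] == "config":
            sections.append((w[1], defaultdict(list)))
        elif len(w) >= 3 and w[0] in ("option", "list") and sections:
            sections[-1][1][w[1]].append(w[2])
    return sections

def wan_bridge_findings(text, wan_port="wan"):
    """Flag bridges where wan_port shares a layer-2 segment with other ports."""
    sections = parse_uci(text)
    findings = []
    for kind, opt in sections:
        ports = set(opt["ports"])
        if kind != "device" or opt["type"] != ["bridge"] or wan_port not in ports:
            continue
        name = (opt["name"] or ["?"])[0]
        by_vid = defaultdict(set)  # VLAN id -> member ports, tag suffix (":t", ":u*") dropped
        for k, v in sections:
            if k == "bridge-vlan" and v["device"] == [name]:
                by_vid[(v["vlan"] or ["?"])[0]] |= {p.split(":")[0] for p in v["ports"]}
        if not by_vid and ports - {wan_port}:
            findings.append((name, "no bridge-vlan sections"))
        for vid, members in sorted(by_vid.items()):
            if wan_port in members and members - {wan_port}:
                findings.append((name, f"vlan {vid} contains wan and other ports"))
    return findings

# Constructed samples: the bridge quoted in the thread, then the same bridge with VLANs.
PORTS = "".join(f"    list ports '{p}'\n" for p in ("lan1", "lan2", "lan3", "lan4", "wan"))
FLAT = "config device\n    option type 'bridge'\n    option name 'br0'\n" + PORTS
SPLIT = FLAT + """
config bridge-vlan
    option device 'br0'
    option vlan '1'
    list ports 'lan1'
    list ports 'lan2'

config bridge-vlan
    option device 'br0'
    option vlan '2'
    list ports 'wan'
"""

if __name__ == "__main__":
    print(wan_bridge_findings(FLAT))
    print(wan_bridge_findings(SPLIT))
```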