What's left to do before bridge port isolation works again?

I was trying to get isolation working on the stable release 22.03.5, but it appears that DSA changes have stopped that function from working. I see a patch for the latest RC1 23.05, but it's not working yet on an EdgeRouter X SFP, and I'm wondering what is left to do and if we'll see it working in the next stable candidate.

I can't answer the core question about if/when DSA switch-port isolation can be a thing... In general, L2 isolation on the same network is not a common feature for the switches inside routers (at least, it's not commonly exposed). Obviously you apparently had success in earlier versions of OpenWrt with the ER-X, so it must be possible in this particular case. What I don't know is if DSA has provisions for this mechanism (or what it takes to make it so). Another question would be how universally this could be supported, and if not universal, what happens when switch chips don't support isolation? If it's not supported, does it cause a problem? And from the consistency standpoint, how does a user know if their device supports this mode or not (does OpenWrt accept the config but silently fail? Does the DTS or other deep config prevent it or throw errors to syslog when it is used on an unsupported device, etc.)?

Anyway, you may be able to use the bridge firewall. I'm not sure if this will actually work, and I know there are some quirks around this technique, but may be worth a try.

Meanwhile, I typically recommend a proper managed switch (rather than a router with a built-in switch), since port isolation is a specific feature of many managed switches (not typically available in entry level, but by small business tier and above, it's pretty common). Part of the reason is that the switch may "leak" on power cycling (although, IIRC, the ER-X had this issue in the past but it has been fixed in the latest bootloader). Another reason is the more granular control that is possible on real switches.

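On the "does OpenWrt accept the config but silently fail?" question, one thing a user can do today is ask the kernel whether isolation is actually in effect on each port instead of trusting the UCI config. The script below is an added example, not from the thread or from OpenWrt itself; it reads the per-port `isolated` flag the Linux bridge exposes under `/sys/class/net/<port>/brport/` and assumes a bridge named `br-lan` with ports `lan1` and `lan2` (the `SYSFS_NET` override exists only so the functions can be exercised against a constructed tree).

```shell
#!/bin/sh
# Added example: verify, from the kernel's point of view, whether bridge port
# isolation is really in effect on a running OpenWrt box. The Linux bridge
# exposes the flag at /sys/class/net/<port>/brport/isolated (1 = on, 0 = off).
# SYSFS_NET is an assumed override so the check can run against a fake tree.

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# port_isolated PORT -> prints "on" or "off"; returns 2 if PORT is not a bridge port
port_isolated() {
    f="$SYSFS_NET/$1/brport/isolated"
    [ -r "$f" ] || return 2
    if [ "$(cat "$f")" = "1" ]; then echo on; else echo off; fi
}

# check_isolation BRIDGE PORT... -> prints each port's state; returns 1 if any
# listed port is not a member of BRIDGE or is a member but not isolated, i.e.
# the configured isolation did not take effect on that port.
check_isolation() {
    br="$1"; shift
    rc=0
    for p in "$@"; do
        if [ ! -e "$SYSFS_NET/$br/brif/$p" ]; then
            echo "$p: not a member of $br"
            rc=1; continue
        fi
        state=$(port_isolated "$p") || { echo "$p: no brport attributes"; rc=1; continue; }
        echo "$p: isolated=$state"
        [ "$state" = "on" ] || rc=1
    done
    return $rc
}

# Usage on the router (assumed bridge and port names):
# check_isolation br-lan lan1 lan2 || echo "isolation is NOT fully applied"
```

A port that reports `isolated=off` right after a `/etc/init.d/network restart` is the "accepted but silently failed" case the post asks about.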

Thanks for the explanation. I'd already tried to find a solution using bridge firewall rules ages ago but failed and was hoping this may be coming down the pipe.