Question about LAN/WAN isolation

Hi all

I have a BPI-R1, and just as you have described in the wiki, the WAN and LAN are separated with VLAN instead of layer 2 isolation; the BCM chip’s configuration will be reset once it reboots, and U-Boot will flush the configuration when booting. Though I have fixed it by modifying U-Boot and adding a flash memory, it is still ugly.

Now I have seen BPI-R2 is using a new ethernet chip. Will the LAN and WAN be isolated?

I’m hoping that the WAN and LAN are isolated at every boot, and unless I have specifically configured it to forward the packets, they should stay isolated during the whole boot process and not be connected.

Thanks.

Hi!

As I see in the driver of the switch (MT7530), the WAN and LAN ports are not physically isolated. The datasheet for the switch IC is unfortunately unavailable.

Here I’m proposing to add a second PHY with copper Ethernet and an SFP connector. This would also fix the WAN isolation issue.

Best regards,

Karol

In fact, the mt7530 DSA driver will take every port as an independent net device. You can use brctl to put each port into a bridge group, as has been done with a software bridge. The isolation process is done at boot time, which should satisfy your need.

Where are you getting those ideas from?

Great, so the security problem is solved. However, I found some potential performance issues.

If those 5 ports are treated as independent net devices, what I will see in ifconfig is something like enp5s0, enp5s1, ..., enp5s4. And if so, the only way to forward layer 2 packets is by using a software bridge, which might cause a heavy load on the CPU. Do you think I can use something like swconfig to make some ports layer 2 connected, so that packets between these ports would be handled by the switch chip instead of the CPU?

[quote=“Karol_Bizewski, post:2, topic:3822, full:true”]Here I’m proposing to add second PHY with copper Ethernet and SFP connector. [/quote]

Seems not easy. The problem might not be the layout. The problems are:

  1. Different ISPs may have their own FTTH configs, which might be their secret, and you cannot use their SFP link unless using their own fiber modem. However, this can be bypassed using some other techniques, such as flash dumping or soldering a pair of TTL lines onto the board. The real problem might be:
  2. If it will be used as a WAN port for a NAT router, I don’t think the CPU can handle such a large amount of traffic. On the last generation (BPI-R1), I have tested it and the speed seems limited to around 20MiB/s under NAT mode. Hardware NAT is a possible solution.

Actually, I REALLY want those developers to add an FPGA chip between the switch chip and one of the Ethernet ports. If so, maybe we can write a hardware NAT module.

The first thing I want to say is that DSA is not fully supported in the Linux 4.4 that SinoVoip has, but it is added in the LEDE tree. You could refer to the BPI-R2 OpenWrt/LEDE source code release.

DSA only reuses the same brctl command to add more abstraction between software and hardware bridges. If you make bridges between the net devices exported by DSA, the data routing will take place in hardware, internally in the switch, offloading the CPU. That is why this is called a hardware bridge.

Great idea :) but please stop the crazy idea going on :)

MediaTek chips seem to have HARDWARE NAT between CPU ports. Maybe it will get support in the near future. Let’s keep calm and stay tuned.

The information I got is from https://github.com/lede-project/source/blob/master/target/linux/mediatek/patches-4.9/0056-net-mediatek-add-hw-nat-support.patch
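The arrangement described in the two replies above (DSA exporting each switch port as its own net device, and bridging only the LAN ports so the WAN port has no layer 2 path to LAN unless you join it explicitly) as an added shell example; it is not code from this thread, from SinoVoip or from the LEDE tree. It uses the iproute2 `ip` and `bridge` commands in place of brctl, assumes the port names lan0..lan3 and wan and the bridge name br-lan (all assumptions, adjust to what your DSA driver exports), and includes a check that parses `bridge link show` output so you can verify after every boot that the WAN port was not enslaved to the LAN bridge.

```shell
#!/bin/sh
# Added example: bridge only the DSA LAN ports, leave the WAN port standalone,
# and verify the result. Interface names lan0..lan3, wan and br-lan are assumptions.
set -e

BR="${BR:-br-lan}"
LAN_PORTS="${LAN_PORTS:-lan0 lan1 lan2 lan3}"
WAN_PORT="${WAN_PORT:-wan}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the ip commands instead of running them

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create the bridge and enslave the LAN ports. The WAN port is deliberately
# never given a master, so by default nothing is forwarded between WAN and LAN
# at layer 2; on a DSA switch the bridge members are offloaded to the switch.
setup_lan_bridge() {
    run ip link add name "$BR" type bridge
    for p in $LAN_PORTS; do
        run ip link set dev "$p" master "$BR"
        run ip link set dev "$p" up
    done
    run ip link set dev "$BR" up
    run ip link set dev "$WAN_PORT" up   # up, but not bridged
}

# Check: given the text of `bridge link show` ($2), return 0 if port $1 is not
# a member of any bridge (no "master <bridge>" entry for it), 1 otherwise.
# `bridge link show` only lists enslaved ports, so an absent port is standalone.
port_is_standalone() {
    port="$1"
    printf '%s\n' "$2" | grep -E "^[0-9]+: ${port}[@:]" | grep -q ' master ' && return 1
    return 0
}

# List the member port names of bridge $1 from `bridge link show` text ($2).
bridge_members() {
    br="$1"
    printf '%s\n' "$2" | grep " master ${br} " | sed -E 's/^[0-9]+: ([^@: ]+).*/\1/'
}

# Constructed sample of `bridge link show` output after setup_lan_bridge,
# used here so the check can be exercised without a switch present.
SAMPLE_BRIDGE_LINK='2: lan0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-lan state forwarding priority 32 cost 100
3: lan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-lan state forwarding priority 32 cost 100
4: lan2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-lan state forwarding priority 32 cost 100
5: lan3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-lan state forwarding priority 32 cost 100'

if [ "${1:-}" = "apply" ]; then
    setup_lan_bridge                      # needs root and a DSA switch
    CURRENT="$(bridge link show)"
else
    echo "# dry run (pass 'apply' as root to configure the switch):"
    DRY_RUN=1 setup_lan_bridge
    CURRENT="$SAMPLE_BRIDGE_LINK"
fi

if port_is_standalone "$WAN_PORT" "$CURRENT"; then
    echo "OK: $WAN_PORT is not a member of any bridge"
else
    echo "WARNING: $WAN_PORT is bridged; WAN and LAN share a layer 2 domain" >&2
fi
echo "members of $BR: $(bridge_members "$BR" "$CURRENT" | tr '\n' ' ')"
```

Run it without arguments to see the commands it would issue and the check against the constructed sample; run it as root with `apply` on the board to configure the bridge and check the live `bridge link show` output. The check is the part worth keeping in a boot script: a port that appears under `master br-lan` when it should not is exactly the state the original poster wanted to rule out.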

As you wrote, separation is done by firmware at boot, so there is no physical isolation, and as Silver_Bullet said, it is still ugly.

Different ISPs may have their own FTTH configs, which might be their secret, and you cannot use their SFP link unless using their own fiber modem. However, this can be bypassed using some other techniques, such as flash dumping or soldering a pair of TTL lines onto the board

People are already working on GPON access:

https://pierrekim.github.io/blog/2016-11-01-gpon-ftth-networks-insecurity.html

https://lafibre.info/remplacer-livebox/configuration-routeros-mikrotik-pour-livebox/24/

http://forum.sfptotal.com/viewtopic.php?t=83

If it will be used as a WAN port for a NAT router, I don’t think the CPU can handle such a large amount of traffic. On the last generation (BPI-R1), I have tested it and the speed seems limited to around 20MiB/s under NAT mode. Hardware NAT is a possible solution.

The point is to use MT7623 HNAT for GPON, where bandwidth can reach >500Mbps. HNAT for MTK is coming… :)

Actually, I REALLY want those developers to add an FPGA chip between the switch chip and one of the Ethernet ports. If so, maybe we can write a hardware NAT module.

For me, that is too exotic. Who will maintain the FPGA code and Linux support? Probably, looking at the current HNAT support, support would be very limited…

So at least we can get isolation in the default unconfigured state. Though it might be ugly, at least this is more secure than before.


That is okay… I don’t have much old code, so it would not be a really hard choice…


Great. I’ll check it.


Yeah, I know… I mean, in this situation, using devices from the ISP is not a bad choice, since those ISP guys may be using ACS to update settings in the ONU.

However, if you are planning to connect the board to a dedicated line or something that would have a stable config environment, it would be great to have an SFP on it.


For fun and hacking, lol.

It seems that R2 already has some code for HNAT:

#if defined(CONFIG_RA_HW_NAT)  || defined(CONFIG_RA_HW_NAT_MODULE)
    #include <net/ra_nat.h>
#endif

An SFP GPON ONT works just as a simple bridge, apart from also doing authorization to the OLT (look at one of the links I sent); all other things like VLANs, routing, NAT, PPPoE etc. are done on the connected router, like R2.

So, I’m looking for a router with an SFP connector for GPON. Besides R2 (if the HW team would add SFP) I’m also considering ClearFog Base.

But, besides being slightly higher priced than R2, I don’t know the state of its HWNAT, which is (IMO) a must-have at GPON speeds.

Not far away from 1Gbps throughput for NAT :)


I am not a geek like y’all and I am not sure if I am posting in the right thread, but here goes. I have 3 ISP connections which I would like to combine to get aggregated bandwidth. If one link goes down, the other two should still function so that I have connectivity, although at degraded performance. I do need an alarm, though, that a link is down. Most importantly, ECMP is sought to take full advantage of the aggregation. While most of the functions are available at the OS/firmware level (open source) with options to customize, I find it hard to get the required hardware.

The BPI-R2 fits my bill, but I’d like to switch the LAN/WAN capability, i.e., use the 4 ports for WAN and 1 port for LAN. Is this possible? Will running VyOS or DD-WRT or Mikrotik etc. give me the possibility to do that on the R2 platform, or is it something that needs to be designed/separated at the hardware level?

Currently there is no way to access the 4 ports on the “lan” side separately, because you have only 1 interface for them.

If we get VLAN functionality working, this may be possible.