I have a BPI-R1, and just as you have described in the wiki, the WAN and LAN are separated with VLAN instead of layer 2 isolation. The BCM chip’s configuration is reset once it reboots, and U-Boot flushes the configuration at boot. Though I have fixed this by modifying U-Boot and adding a flash memory, it is still ugly.
Now I have seen BPI-R2 is using a new ethernet chip. Will the LAN and WAN be isolated?
I’m hoping that the WAN and LAN are isolated on every boot time, and unless I have configured specifically to forward the packets, they should be isolated during the whole boot time and not connected.
In fact, the mt7530 dsa will treat every port as an independent net device. You can use brctl to put each port into a bridge group, as is done with a software bridge. The isolation is done at boot time, which should satisfy your need.
Great, so the security problem is solved. However I found some potential performance issues.
If those 5 ports are treated as independent net devices, what I will see in ifconfig is something like enp5s0, enp5s1, ..., enp5s4. And if so, the only way to forward layer 2 packets is by using a software bridge, which might cause a heavy load on the CPU. Do you think I can use something like swconfig to make some ports layer 2 connected, so packets between these ports would be handled by the switch chip instead of the CPU?
[quote=“Karol_Bizewski, post:2, topic:3822, full:true”]Here I’m proposing to add second PHY with copper Ethernet and SFP connector.
[/quote]
Seems not easy. The problem might not be the layout. The problem is:
Different ISPs may have their own FTTH configs, which might be their secret, and you can not use their SFP link unless using their own fiber modem. However this can be bypassed using some other techniques, such as flash dumping or soldering a pair of TTL lines from the board. The real problem might be:
If it will be used as a WAN port for a NAT router, I don’t think the CPU can hold such a large amount of traffic. On the last generation (BPI-R1), I have tested and the speed seems limited at around 20MiB/s under NAT mode. Hardware NAT is a possible solution.
Actually, I REALLY want those developers to add an FPGA chip between the switch chip and one of the Ethernet ports. If so, maybe we can write a hardware NAT module.
The first thing I want to say is that dsa is not fully supported in the linux 4.4 that sinovoip has, but it is added in the LEDE tree.
You could refer to the BPI-R2 Openwrt/LEDE source code release.
dsa only reuses the same command brctl to take more abstraction between software/hardware bridge. If you make bridges between net devices exported by dsa, the data routing would go on in hardware, internally in the switch, offloading the CPU. That is why this is called a hardware bridge.
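An added example, not part of any post in this thread: a shell check over `ip -o link show` output that confirms the WAN port shares no bridge with the LAN ports after DSA ports have been bridged as described above. The port names `wan`, `lan0`, `lan1` and the bridge name `br-lan` are assumptions, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: audit bridge membership of DSA ports (interface names assumed).

# bridge_of NAME: read `ip -o link show` text on stdin and print the bridge
# NAME is enslaved to ("master"), "-" if it has none, "?" if NAME is absent.
bridge_of() {
    awk -v want="$1" '
    {
        name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)  # lan0@eth0: -> lan0
        if (name != want) next
        m = "-"
        for (i = 3; i < NF; i++) if ($i == "master") m = $(i + 1)
        print m; found = 1
    }
    END { if (!found) print "?" }'
}

# wan_isolated WAN LAN...: 0 if WAN shares no bridge with any listed LAN port,
# 1 if it does, 2 if WAN is missing from the input.
wan_isolated() {
    links=$(cat); wan=$1; shift
    wan_br=$(printf '%s\n' "$links" | bridge_of "$wan")
    if [ "$wan_br" = "?" ]; then return 2; fi
    if [ "$wan_br" = "-" ]; then return 0; fi
    for p in "$@"; do
        if [ "$(printf '%s\n' "$links" | bridge_of "$p")" = "$wan_br" ]; then
            return 1
        fi
    done
    return 0
}

# Constructed samples (not captured from a real board).
SAMPLE_GOOD='3: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
4: lan0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP mode DEFAULT
5: lan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP mode DEFAULT
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT'
SAMPLE_BAD='3: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP mode DEFAULT
4: lan0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP mode DEFAULT'

# On a live system: ip -o link show | wan_isolated wan lan0 lan1 lan2 lan3
if printf '%s\n' "$SAMPLE_GOOD" | wan_isolated wan lan0 lan1; then echo "good: isolated"; fi
if ! printf '%s\n' "$SAMPLE_BAD" | wan_isolated wan lan0; then echo "bad: WAN bridged to LAN"; fi
```

Running the check from a boot-time script or a monitoring job catches a configuration change that places the WAN port in the LAN bridge.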
[quote]
Different ISPs may have their own FTTH configs, which might be their secret, and you can not use their SFP link unless using their own fiber modem. However this can be bypassed using some other techniques, such as flash dumping or soldering a pair of TTL lines from the board
[/quote]
[quote]
If it will be used as a WAN port for a NAT router, I don’t think the CPU can hold such a large amount of traffic. On the last generation (BPI-R1), I have tested and the speed seems limited at around 20MiB/s under NAT mode. Hardware NAT is a possible solution.
[/quote]
The point is to use MT7623 HNAT for GPON, where bandwidth can reach >500Mbps.
HNAT for MTK is coming…
[quote]
Actually, I REALLY want those developers to add an FPGA chip between the switch chip and one of the Ethernet ports. If so, maybe we can write a hardware NAT module.
[/quote]
For me, that is too exotic. Who will maintain FPGA code and linux support?
Probably, looking at current HNAT support, support would be very limited…
So at least we can get isolation under default unconfigured status. Though it might be ugly, at least this is more secure than before.
That is okay…I don’t have much old code so it would not be a really hard choice…
Great. I’ll check it.
Yeah I know…I mean, under this situation, using devices from the ISP is not a bad choice since those ISP guys may be using ACS to update settings in the ONU.
However, if you are planning to connect the board to a dedicated line or something that would have a stable config environment, it would be great to have an SFP on it.
An SFP GPON ONT works just as a simple bridge, besides which it also does authorization to the OLT (look at one of the links I sent).
All other things like VLANs, routing, NAT, PPPoE etc. are done on the connected router, like the R2.
So, I’m looking for a router with an SFP connector for GPON.
Besides the R2 (if the HW team would add SFP) I’m also considering the ClearFog Base.
But, besides its slightly higher price than the R2, I don’t know the state of its HWNAT, which is (IMO) a must-have at GPON speeds.
Am not a geek like ya’all and am not sure if I post in the right thread but here goes. I have 3 ISP connections which I would like to combine to get an aggregated bandwidth. If one link goes down, the other two should still function so that I have connectivity although at a degraded performance. I do need an alarm though that a link is down. Most importantly, ECMP is sought to take full advantage of the aggregation.
While most of the functions are available at the OS/firmware level (open source) with options to customize, I find it hard to get the required hardware.
The BPI-R2 fits my bill but I’d like to switch the LAN/WAN capability - i.e., use the 4 ports for WAN and 1 port for LAN. Is this possible? Will running VyOS or DD-WRT or Mikrotik etc. provide me the possibility to do that on the R2 platform or is it something that needs to be designed/separated at the hardware level?