I’m wondering what the technical differences between two RJ45 WAN and LAN ports are. I know (I think) the usual “high-level” differences that are usually described: e.g. you attach the ISP modem to the WAN port and all the traffic coming and going from and to the outside of the LAN is routed through the WAN port by the way of the modem.
However I want to attach two different modems — one fiber and one 4G — to the main router (the modems are actually routers themselves but I would use them just as modems) to be able to switch on the fly between the two kinds of internet connections.
If I assign two different static IPs to the modems and I attach them to two LAN ports on the main router (thus ignoring the WAN port) I can switch on the fly by simply changing the gateway at host-level in this way:
ip route add default via Y dev X
Where Y is the IP of the wanted modem and X is the network adapter of the host.
This simple scheme seems to work but I’m wondering what I’m losing by not using the WAN port.
Am I losing NAT and all firewall capabilities? And if this is the case, since I’m using openwrt on the main router, would it be, at least in principle, possible to configure it so that NAT and firewall are applied to the two LAN ports for the modems?
The technical difference is that packets between two LAN ports can and usually will bypass the actual router.
In the context of home wireless routers, even though the router has multiple physical LAN ports, usually they’re bridged together at chip level (like a standalone Ethernet switch) and the router’s OS treats all of them like a single interface. So depending on what destination MAC address is on your packets, the switch either sends them upwards to the CPU… or straight out to another port, bypassing the OS.
Other than that, however, there really isn’t much of a difference. Only the stock firmware is preconfigured to treat them differently (e.g. DHCP client on one side and a DHCP server on the other), but OpenWRT is usually more flexible and can go whichever way.
This simple scheme seems to work but I’m wondering what I’m losing by not using the WAN port. Am I losing NAT and all firewall capabilities?
Yes – you’re basically bypassing the router proper and only using it as an Ethernet switch + WiFi access point. (As described in the last section.) Because it is no longer the specified “gateway” of your hosts, it performs no routing, and practically doesn’t even see the packets as they take the switch shortcut out through the modem’s port.
On the other hand, I’m pretty sure that in your scheme the other two modems are, in fact, being used as routers. Your ip route command literally says “use Y as the router”.
(If they were pure modems, you wouldn’t use their IP address as gateway address – you would use the address of a device further upstream, at your ISP’s network.
That would be plausible if the LAN devices actually got public IP addresses directly from the ISP or if the ISP itself agreed to NAT your 192.168.x addresses. As it is in your examples, however, your modems actually have to perform NAT for everything to work. They’re routers.)
since I’m using openwrt on the main router, would it be, at least in principle, possible to configure it so that NAT and firewall are applied to the two LAN ports for the modems?
It should be, but I believe it depends on the specific hardware.
I think that at least with OpenWRT, most switch chips can be grouped/ungrouped in any way you wish. So if you want to split the group into two separate networks, you should be able to do that (this may involve assigning some specific VLAN tags to make the chip understand what you want). But no 100% guarantee.
There are, however, routers which explicitly list this as a feature even with their stock firmware. In those it is absolutely possible.
(And if you do this, they in essence become “WAN ports”, no matter what they’re labelled or colored as.)
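What the last part of the answer describes looks like this in OpenWrt’s UCI configuration. This is an added example, not the answer’s own text or an OpenWrt default; it assumes a DSA-based OpenWrt (21.02 or later) whose switch ports are named lan1..lan4, and it uses constructed addresses 192.168.10.1 and 192.168.20.1 for the fiber and 4G modem-routers. Ports lan3 and lan4 are taken out of the LAN bridge and become uplinks in the wan firewall zone, so NAT and the default drop-from-wan policy apply to them exactly as to the port labelled WAN; the choice between uplinks moves from each host’s default route to the router’s route metrics.

```uci
# /etc/config/network (assumed DSA port names lan1..lan4; adjust to your board)
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'          # lan3 and lan4 deliberately left out of the bridge
        list ports 'lan2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

# former LAN port 3 now faces the fiber modem-router (constructed address)
config interface 'wan_fiber'
        option device 'lan3'
        option proto 'static'
        option ipaddr '192.168.10.2'
        option netmask '255.255.255.0'
        option gateway '192.168.10.1'
        option metric '10'         # lower metric: preferred default route

# former LAN port 4 now faces the 4G modem-router (constructed address)
config interface 'wan_4g'
        option device 'lan4'
        option proto 'static'
        option ipaddr '192.168.20.2'
        option netmask '255.255.255.0'
        option gateway '192.168.20.1'
        option metric '20'         # higher metric: used only when wan_fiber is down

# /etc/config/firewall: both uplinks sit in the same zone as a real WAN port
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan_fiber'
        list network 'wan_4g'
        option input 'REJECT'      # nothing from either modem side reaches the router
        option output 'ACCEPT'
        option forward 'REJECT'    # no forwarding between or from the uplinks
        option masq '1'            # NAT the LAN behind each uplink address
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'
```

Hosts then keep 192.168.1.1 as their only gateway; to switch uplinks on the fly, run ifdown wan_fiber on the router (or swap the two metric values and ifup the interfaces) instead of editing routes on every host.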