I’m really curious, as someone with little knowledge of these kinds of security considerations: why is it bad to have the WAN port and the LAN ports bridged?
Some ISPs will happily assign public IPs to any hardware address that sends a DHCP request. This means that while the network segments are bridged, all local devices are potentially obtaining public IP addresses and are exposed to the internet at large.
This is problematic if you have home network devices with vulnerabilities, or services running on hosts with the assumption that the host will only ever be on a private network (unauthenticated file servers, etc.).
There is also an issue with the number of devices exposed to the ISP -- many will issue an address to the first device they see on a link, then ignore all other devices until the lease expires or is released. That means your PS4 may get a lease before the espressobin's Linux takes over, and the ISP will ignore the subsequent DHCP request from the espressobin.
LAN traffic is still going through the router, where the firewall supposedly runs.
Regardless of other devices having a public IP, if the router blocks forwarding packets (which is one of the main functionalities of a firewall), then the device(s) behind it are just as protected as if they had private IPs.
It's just a bit easier to set up forwarding, as it doesn't require NAT, and it's also easier to open up by accident, but having a public IP does not bypass the firewall.
The entire reason the devices get a public IP is that the firewall effectively isn't there. From the time U-Boot inits the Topaz chip until Linux controls the chip, it behaves like a dumb Ethernet switch.
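An added check, not posted by anyone in this thread, for the exposure described above: after Linux has taken over the switch, parse the router's `ip -4 neigh show` table and flag any LAN-side host whose address is publicly routable, i.e. one that took a lease from the ISP during the bridged window. The uplink interface name (`wan`) and the sample neighbour lines are assumptions; only hosts the router has actually exchanged traffic with appear in that table, so an empty result is not proof that nothing was exposed. CGNAT space (100.64.0.0/10) is treated as non-public, since some ISPs lease it and it is not reachable from the internet.

```python
"""Flag LAN-side neighbours that hold publicly routable IPv4 addresses.

Added example for this thread, not code from the espressobin project.
Input is the one-line-per-entry output of `ip -4 neigh show`.
"""
import ipaddress
import re

# Address space that is NOT reachable from the internet at large. Anything
# outside these ranges on a LAN segment is a lease the ISP handed out directly.
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                   # RFC 6598 CGNAT
    "169.254.0.0/16",                                  # link-local
    "127.0.0.0/8",                                     # loopback
)]

WAN_IFACE = "wan"  # assumption: name of the uplink interface on the router

# `ip -4 neigh show` line: "<ip> dev <iface> lladdr <mac> <state>"
# Entries in FAILED/INCOMPLETE state carry no lladdr and are skipped.
_NEIGH_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+dev\s+(\S+)\s+lladdr\s+([0-9a-fA-F:]{17})"
)


def is_public_v4(addr):
    """True if the address lies outside every non-public range above."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_PUBLIC_V4)


def parse_neigh(output):
    """Yield (iface, mac, ip) for every resolved IPv4 neighbour entry."""
    for line in output.splitlines():
        m = _NEIGH_RE.match(line.strip())
        if m:
            ip, iface, mac = m.groups()
            yield iface, mac.lower(), ip


def exposed_lan_hosts(output, wan_iface=WAN_IFACE):
    """LAN-side neighbours (not on the WAN interface) with a public address."""
    return sorted(
        (iface, mac, ip)
        for iface, mac, ip in parse_neigh(output)
        if iface != wan_iface and is_public_v4(ip)
    )


# Constructed sample output: one host kept its ISP lease on lan0, one has a
# normal private address, one sits in CGNAT space, and the WAN gateway is
# public as expected.
SAMPLE_NEIGH = """\
198.51.100.23 dev lan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.50 dev lan0 lladdr 66:77:88:99:aa:bb STALE
100.64.3.9 dev lan0 lladdr cc:dd:ee:ff:00:11 REACHABLE
192.168.1.77 dev lan0 FAILED
203.0.113.1 dev wan lladdr de:ad:be:ef:00:01 REACHABLE
"""

if __name__ == "__main__":
    import subprocess
    try:  # live table if we are on the router, else the constructed sample
        out = subprocess.run(["ip", "-4", "neigh", "show"], check=True,
                             capture_output=True, text=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_NEIGH
    for iface, mac, ip in exposed_lan_hosts(out):
        print(f"EXPOSED: {mac} on {iface} holds public address {ip}")
```

Run it on the router once Linux owns the switch; a hit means that device will keep its public lease, and the ISP will ignore the router's own DHCP request, until the lease expires or the device releases it.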