BPI-R1 5 GbE Ethernet ports

On the BPI-R1, the BCM53125 interconnects all 5 Ethernet ports and the A20 SoC by default. The BCM53125 is a simple switch IC that features two RGMII GbE host ports and 5 GbE PHYs, and it can be configured through MDIO to separate traffic through VLANs. This means we cannot speak of a true WAN port and LAN ports, since all the ports are connected at network layer 2 by default. Since the A20 SoC features only a single RGMII interface, no other mode of operation is possible.

This might raise serious security risks, because the BCM53125 always acts as a primitive layer 2 switch, forwarding Ethernet frames between all external Ethernet ports (not differentiating between the so-called WAN port and the 4 LAN ports), in any of the following situations: while the device boots, when it is in a bricked state, when it is booted without an SD card, when the VLAN configuration hasn't been set up correctly, or when a simple bug exists in the b53 driver. This is not what one would expect from a device advertised as a routerboard.

If one tries to use the BPI-R1 as a (NAT) router without a separate firewall between WAN and the BPI-R1, then it depends largely on the ISP's infrastructure whether this is merely not that good or an absolute no-go from a security point of view, since all sorts of attacks against devices behind the so-called LAN ports can be triggered from behind the WAN port. In case you're not sure what that means, you should simply treat the WAN port as another LAN port and connect WAN through a separate USB-to-Ethernet adapter. Only in this mode might the BPI-R1 work reliably as a router.
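The following check is an added example, not code from this page or from the b53 driver: it audits a VLAN membership dump and reports whether the WAN port still shares a layer 2 domain with any LAN port, including the unconfigured state described above. The dump layout, the port numbers (WAN 3, LAN 0/1/2/4, CPU 8) and the VLAN ids are assumptions made for the example; adapt the parser to whatever your switch tool prints.

```python
import re

# Assumed port roles for this example (not taken from the page).
WAN_PORT, LAN_PORTS, CPU_PORT = 3, {0, 1, 2, 4}, 8

def parse_dump(text):
    """Parse the constructed dump layout into (vlans_enabled, {vid: {port: tagged}})."""
    enabled, vlans, vid = False, {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"enable_vlan:\s*(\d+)", line):
            enabled = m.group(1) == "1"
        elif m := re.fullmatch(r"VLAN\s+(\d+):", line):
            vid = int(m.group(1))
            vlans[vid] = {}
        elif (m := re.fullmatch(r"ports:\s*(.*)", line)) and vid is not None:
            for tok in m.group(1).split():
                # A trailing "t" marks a tagged member, e.g. "8t".
                vlans[vid][int(tok.rstrip("t"))] = tok.endswith("t")
    return enabled, vlans

def audit(text):
    """Return a list of findings; an empty list means WAN and LAN are separated."""
    enabled, vlans = parse_dump(text)
    if not enabled or not vlans:
        # Switch in its default state: every external port is bridged.
        return ["VLANs not enabled: WAN bridged to LAN ports %s" % sorted(LAN_PORTS)]
    findings = []
    for vid, members in sorted(vlans.items()):
        shared = sorted(set(members) & LAN_PORTS)
        if WAN_PORT in members and shared:
            findings.append("VLAN %d joins WAN port to LAN ports %s" % (vid, shared))
    # The host can only tell WAN from LAN frames if the CPU port is tagged.
    untagged = sorted(v for v, m in vlans.items() if m.get(CPU_PORT) is False)
    if len(untagged) > 1:
        findings.append("CPU port untagged in VLANs %s: host cannot separate them" % untagged)
    return findings

# Constructed sample dumps (not captured from a real device).
SEPARATED = "enable_vlan: 1\nVLAN 101:\n  ports: 3 8t\nVLAN 102:\n  ports: 0 1 2 4 8t\n"
DEFAULT_STATE = "enable_vlan: 0\n"
MISCONFIGURED = "enable_vlan: 1\nVLAN 1:\n  ports: 0 1 2 3 4 8\nVLAN 2:\n  ports: 8\n"

if __name__ == "__main__":
    for name, dump in [("separated", SEPARATED), ("default", DEFAULT_STATE),
                       ("misconfigured", MISCONFIGURED)]:
        print(name, audit(dump) or "OK")
```

A clean result only describes the configuration at the moment the dump was taken; it says nothing about the window during boot, before the VLAN setup has been applied.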
