As a quick and dirty workaround, without rebuilding the bootloader images, I fiddle with the U-Boot "switch" command
switch phy_write 1 0 0 0xffff
to disable the ports at boot, just by prepending it to the bootcmd variable. So even if there is no microSD card available, or the filesystem or kernel image is corrupt, the ports get deactivated and no traffic is forwarded.
So you can use
setenv bootcmd 'switch phy_write 1 0 0 0xffff;for target in ${boot_targets}; do run bootcmd_${target}; done'
But the "2 seconds timeout prompt" is still there, so you have a small window of 2-3 seconds at boot time where LAN/WAN still gets forwarded/bridged. And if U-Boot itself hangs (memory timing or instability of the power source), there is still the problem of forwarding traffic until a manually triggered hard reset or shutdown.
Also, if you enter the U-Boot console, switch forwarding is still active, so your first command in the console should be:
switch phy_write 1 0 0 0xffff
If you don't want to set the WAN port down, use 2 or 3 for lan0 and lan1.