Allow management only on a specific ethernet port using VRF

I saw someone asking about setting up management that only runs on a specific ethernet port (http://forum.mikrotik.com/t/allow-management-only-on-a-specific-lan-port/113097/1)
The previous topic was locked and I couldn’t improve upon the answer, so I am making a new post.

I believe there is a better way than just using the firewall to limit access to a specific ethernet port for management. I like full separation when it comes to security, where possible. In this case I found that by using a VRF, not only do you fully isolate management to a specific ethernet port, but you can also separate that ethernet port out so it can be accessed in case you mess up the bridge… oh say… while trying to set up Mesh (no-one ever blocks their bridge at least five times when setting up Mesh).

For this exercise I will use the HAP AX2 ether5 interface (opposite side of the physical WAN interface).

First we will create a management VRF, which we will then assign to ether5, assign a new IP address to ether5, and finally turn on management services on this new VRF.
For added benefit, we will also remove ether5 from the bridge so it can still be accessed in case you lock up your bridge (don’t forget to assign it to the LAN interface list so the default firewall won’t block it).
For those new to VRF, it is a completely separate routing/forwarding table, which is how we get the isolation.

In this case I’m going to assign the ip services www and winbox to the management VRF, but you can set them however you would like.
Just remember, if you are currently hooked to the router through something besides ether5, and you change the management service that you are currently using, you will need to plug into ether5 to continue. I always recommend using safe-mode when making edits, just in case.

/ip/vrf
add interfaces=ether5 name=management

# take ether5 out of the bridge so it keeps working if the bridge breaks
/interface/bridge/port
remove [ find interface=ether5 ]

# the default firewall only accepts input from the LAN interface list
/interface/list/member
add interface=ether5 list=LAN

/ip/address
add address=192.168.88.1/24 comment=Management interface=ether5 network=192.168.88.0

# path is /ip/service (singular); a service bound to the VRF listens only there
/ip/service
set www vrf=management
set winbox vrf=management
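As an added example (not part of the original post, and not MikroTik code): a small Python audit that parses a RouterOS export, or the script above, and checks the four things the post relies on: ether5 is in the management VRF, it is no longer a bridge port, it is in the LAN list, and it has an address, plus that www and winbox are actually bound to the VRF. It also lists the enabled services that still answer in the main VRF (ssh, api and so on), which the post leaves there unless you bind them as well. The names ether5, management, www and winbox are from the post; the helper names, the fixed list of service names, the assumption that an unmentioned service is enabled in main, and the sample export text are my own constructions.

```python
"""Audit a RouterOS export (or the CLI script you are about to apply) for the
management-VRF isolation described above. Added example, not from the post or
from MikroTik. Sample configs below are constructed for illustration."""
import shlex

# Service names under /ip/service (assumption: this fixed list is complete).
ALL_SERVICES = ("api", "api-ssl", "ftp", "ssh", "telnet", "winbox", "www", "www-ssl")


def parse_export(text):
    """Turn '/export' output or a script into (path, action, target, params).

    Accepts both '/ip service' and '/ip/service' path spellings, '\\' line
    continuation, '#' comments, quoted values and '[ find ... ]' targets."""
    records, path, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # continued on the next line
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):           # section header, normalise to /a/b/c
            path = "/" + "/".join(line.replace("/", " ").split())
            continue
        tokens = shlex.split(line)
        action, rest, target, params = tokens[0], tokens[1:], None, {}
        if rest and rest[0] == "[":        # e.g. remove [ find interface=ether5 ]
            end = rest.index("]")
            target, rest = " ".join(rest[1:end]), rest[end + 1:]
        for tok in rest:
            if "=" in tok:
                k, v = tok.split("=", 1)
                params[k] = v
            elif target is None:           # e.g. 'set www vrf=management'
                target = tok
        records.append((path, action, target, params))
    return records


def audit_management_vrf(text, mgmt_if="ether5", mgmt_vrf="management",
                         mgmt_services=("www", "winbox")):
    """Return a dict of findings; 'isolated' is True only if every check passes."""
    vrf_ifaces, bridged, lan_members, addresses = set(), set(), set(), []
    # Assumption: a service the text never mentions is enabled and in 'main'.
    # Feed '/export verbose' output to make this exact.
    service_vrf = {s: "main" for s in ALL_SERVICES}
    disabled = set()
    for path, action, target, p in parse_export(text):
        if path == "/ip/vrf" and action == "add" and p.get("name") == mgmt_vrf:
            vrf_ifaces.update(p.get("interfaces", "").split(","))
        elif path == "/interface/bridge/port":
            if action == "add":
                bridged.add(p.get("interface"))
            elif action == "remove" and target and "interface=" in target:
                bridged.discard(target.split("interface=", 1)[1].split()[0])
        elif path == "/interface/list/member" and action == "add" and p.get("list") == "LAN":
            lan_members.add(p.get("interface"))
        elif path == "/ip/service" and action == "set" and target in service_vrf:
            if "vrf" in p:
                service_vrf[target] = p["vrf"]
            if p.get("disabled") == "yes":
                disabled.add(target)
            elif p.get("disabled") == "no":
                disabled.discard(target)
        elif path == "/ip/address" and action == "add" and p.get("interface") == mgmt_if:
            addresses.append(p.get("address"))
    unbound = sorted(s for s in mgmt_services if service_vrf[s] != mgmt_vrf)
    result = {
        "if_in_vrf": mgmt_if in vrf_ifaces,
        "if_bridged": mgmt_if in bridged,          # must be False for the bridge-rescue benefit
        "if_in_lan_list": mgmt_if in lan_members,  # default firewall drops input from elsewhere
        "if_addresses": addresses,
        "unbound_services": unbound,               # management services not yet in the VRF
        # Enabled services still answering in the main VRF are NOT isolated by this change.
        "still_in_main": sorted(s for s, v in service_vrf.items()
                                if v == "main" and s not in disabled),
    }
    result["isolated"] = (result["if_in_vrf"] and not result["if_bridged"]
                          and result["if_in_lan_list"] and bool(addresses) and not unbound)
    return result


# Constructed: the relevant slice of a default-style export before the change.
BEFORE = """\
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
/ip service
set telnet disabled=yes
set ftp disabled=yes
"""

# Constructed: the post's script appended to the same config.
AFTER = BEFORE + """\
/ip vrf
add interfaces=ether5 name=management
/interface bridge port
remove [ find interface=ether5 ]
/interface list member
add interface=ether5 list=LAN
/ip address
add address=192.168.88.1/24 comment="Management" interface=ether5 \\
    network=192.168.88.0
/ip service
set www vrf=management
set winbox vrf=management
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_management_vrf(cfg))
```

Run it against a saved copy of your router's /export (use /export verbose so the service state is exact). The still_in_main list is the part worth reading twice: binding only www and winbox leaves ssh, api and the rest reachable through the bridge and the main routing table, so either bind those too or disable them.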

But be aware that, as of now, it is not possible to resolve DNS queries in the VRF “management” with the DNS servers set in “IP > DNS > Servers” (according to MT support this is known and will be addressed at some point in the future).

DNS upstream only resides in the “main” VRF in RouterOS up to 7.16.1 as of now.