I am configuring new Mikrotik and I am totally confused about PVID 1 on Bridge.
I’ve been reading about it for the last two days and I see some people recommend changing this value while others are firm that this should not be changed.
My scenario:
I have a new MikroTik switch. For now I am only using L2 VLANs (L3 will come in the future).
I work for the city. Our switches will be installed on the streets in cabinets where someone can break in and have physical access to the switch. So my fear is not the remote connection, but I am thinking about cases where someone intentionally tries to plug their laptop into the ports.
Out of the box all 16 ports are part of a bridge. The bridge has a PVID of 1 and all 16 ports are untagged for VLAN 1, meaning I can connect to any port of the switch and access Winbox by MAC.
I configured interface VLAN 200 and assigned IP 10.200.200.254, which is the management VLAN. I configured ether1 as a trunk tagging VLAN 200, and ether1 only accepts tagged traffic, meaning in theory I should be able to connect to the management IP only through the trunk (unless I untag any of the remaining ether ports with VLAN 200, which I am not doing, of course).
I see this sentence “If PVID for ether1 and bridge1 matches (by default, it does match with 1), then access to the device is allowed using untagged traffic from ether1 because of the feature that dynamically adds untagged ports to the bridge VLAN table”
which is true, I tested it. Any ports that are not explicitly changed to another VLAN are still able to connect to Winbox, because by default these ports are untagged VLAN 1 and the bridge has a PVID of 1.
So my question is: what is the best practice for securing my switch in case of physical access by an unwanted person?
Why is changing the bridge PVID to another number not suggested?
I have a couple of ideas; please help me choose the best one or suggest something I didn't think about:
Simply disable unused ports configured as untagged vlan 1
Configure bridge to only accept frame types Vlan tagged
Use firewall to accept winbox traffic only on trunk port
Configure IP services so Winbox only accepts traffic from certain IPs, but that still doesn't block MAC access, I believe.
Any port not being used should be
a. disabled preferably OR
b. at least removed from bridge
c. the bridge itself retains the default pvid but sets frame-types=admit-only-vlan-tagged.
d. on ports being used, ensure ingress-filtering is enabled and frame-types set as required (either vlan-tagged OR priority-and-untagged).
What I recommend, though probably not apropos for these switches, is to create an off-bridge port for local emergency access.
So remove ether24 from the /interface bridge port settings.
Modify the following entry:
/interface ethernet
set [ find default-name=ether24 ] name=OffBridge24
Give it an IP address:
/ip address
add address=192.168.77.1/30 interface=OffBridge24 network=192.168.77.0
Add it to the interface list members:
/interface list
add name=TRUSTED
/interface list member
add interface=vlanManagement list=TRUSTED
add interface=OffBridge24 list=TRUSTED
Now you should be able to plug your laptop into ether24, change the IPv4 settings on the laptop to 192.168.77.2, then using Winbox enter the router with username and password.
Do all the initial config here as well!
Note that the /30 netmask on the address only allows two addresses to work on the router, .1 and .2.
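As an added worked example, not code from the original poster or the reply above, here is a RouterOS 7 configuration that applies the measures discussed in both posts together: the bridge keeps pvid=1 but admits only tagged frames on its own CPU-facing interface, ether1 is a tagged-only trunk, ether2 stands in for an access port in a hypothetical VLAN 100, every other port is removed from the bridge and disabled, an off-bridge emergency port (ether16 here, an assumption, since the thread's ether24 does not exist on a 16-port unit) gets its own /30, and MAC-Winbox, neighbor discovery, /ip service and the input firewall are all pinned to the TRUSTED list. The 10.200.200.0/24, 192.168.77.0/30, VLAN 200 and TRUSTED names come from the thread; VLAN 100 and the firewall rules are illustrative assumptions.

```routeros
# Added example (not from the thread). Assumed names: VLAN 100 on ether2,
# ether16 as the off-bridge emergency port, firewall rules below.

# 1. Bridge: keep pvid=1 (the default), but drop untagged frames on the
#    bridge interface itself so untagged VLAN 1 traffic can never reach the CPU.
/interface bridge
add name=bridge1 vlan-filtering=no frame-types=admit-only-vlan-tagged ingress-filtering=yes

# 2. Trunk: tagged frames only, with ingress filtering so unknown VIDs are dropped.
/interface bridge port
add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# 3. An in-use access port: untagged in its own VLAN, never VLAN 1.
add bridge=bridge1 interface=ether2 pvid=100 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# 4. Bridge VLAN table. VLAN 200 (management) is tagged on the trunk and on the
#    bridge interface; VLAN 100 is tagged on the trunk and untagged on ether2.
#    VLAN 1 is deliberately absent: no port is untagged in it.
/interface bridge vlan
add bridge=bridge1 vlan-ids=200 tagged=bridge1,ether1
add bridge=bridge1 vlan-ids=100 tagged=ether1 untagged=ether2

# 5. Management interface on top of the bridge.
/interface vlan
add name=vlanManagement interface=bridge1 vlan-id=200
/ip address
add address=10.200.200.254/24 interface=vlanManagement

# 6. Unused ports (ether3..ether15 here): out of the bridge AND disabled.
/interface bridge port
remove [find interface~"^ether([3-9]|1[0-5])$"]
/interface ethernet
disable [find default-name~"^ether([3-9]|1[0-5])$"]

# 7. Off-bridge emergency port with a /30 (only .1 and .2 usable).
/interface ethernet
set [find default-name=ether16] name=OffBridge16
/ip address
add address=192.168.77.1/30 interface=OffBridge16

# 8. TRUSTED list: only the management VLAN and the emergency port.
/interface list
add name=TRUSTED
/interface list member
add interface=vlanManagement list=TRUSTED
add interface=OffBridge16 list=TRUSTED

# 9. Pin MAC-Telnet, MAC-Winbox and neighbor discovery to TRUSTED. This is what
#    actually closes the "Winbox by MAC from any port" path the question raises.
/tool mac-server
set allowed-interface-list=TRUSTED
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED

# 10. IP services: Winbox only from the two trusted subnets; drop the rest.
/ip service
set winbox address=10.200.200.0/24,192.168.77.0/30
disable [find name~"^(telnet|ftp|www|api|api-ssl)$"]

# 11. Input firewall: only TRUSTED may originate traffic to the switch itself.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface-list=TRUSTED action=accept comment="management from TRUSTED only"
add chain=input action=drop comment="everything else, including any bridge port"

# 12. Turn on VLAN filtering LAST, from the emergency port or a console
#     session, so a mistake above does not lock you out before you can fix it.
/interface bridge
set bridge1 vlan-filtering=yes
```

Two things worth checking after applying this: `/interface bridge vlan print` should show no entry with VLAN 1 untagged on any port, and `/tool mac-server mac-winbox print` should list TRUSTED, not `all`. With those in place, plugging a laptop into ether2 lands it in VLAN 100 with no L2 path to the CPU, and plugging into a disabled port gives no link at all; the serial console mentioned later in the thread is the remaining physical-access route.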
A couple of questions, though: will configuring ether24 as a trusted off-bridge port prevent accessing Winbox through MAC instead of IP?
Just to satisfy my curiosity, why is it considered bad practice to change the bridge PVID? If it's bad practice, why is this option still available?
Also add:
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
The option to change the pvid of the bridge exists because in some niche situations it may be required.
I would say it's rare, but I don't know enough to state what weird setups this would make sense for.
IDK if it's "bad practice" per se. BUT… by changing it you'll lose some "automatic" behaviors in VLAN bridging, especially if you're starting out "confused".
NOW… if you're truly using only VLANs on the bridge (i.e. NOT using the bridge as a Layer 3 IP interface, as is often recommended), then changing the bridge interface's pvid= SHOULD have NO effect. So in that sense, if you're ONLY using VLANs, as @pcuite's VLAN scheme recommends, it would be a good test to make sure you were only using VLANs on the bridge.
Personally I’d leave it as 1, you’ll have less problems, not more.
But if you change the MAC-Winbox port, that will need to be brute-forced (while, generally speaking, a network scanner will be faster, at least if you play by the rules and do not abuse or misuse a public IP for the access interface).
MAC-Winbox is the protocol used, so if you deny access or stop the service you cannot use Winbox,
only WebFig (the web interface), which works via IP/browser but is much more inconvenient than Winbox.
Remember that in any case the attacker will still need a username (please NOT admin) and password to log in.
Who are you trying to protect against? Someone that just wants free internet, or someone that has skill and motive?
The best thing you can do is to provide the best physical protection possible, and perhaps an alarm when the cover is opened.
About all you can do is try to detect when someone gains access, because with physical access, all bets are off. You can put deterrents in place to discourage casual attacks, but remember that the switch has a serial console port, and that’s the easiest way in.