CSS610-8P-2S+IN DHCP Settings issue [SOLVED]

Hi,
I got the new PoE Switch CSS610-8P-2S+IN and there seems to be a bug in the GUI that prevents me from (re-)enabling the DHCP & PPPoE snooping settings. Let me explain.

  1. Reset Configuration; go to the System tab: the DHCP & PPPoE Snooping Trusted Ports are all checked. Everything is fine.
  2. System tab: disable and enable Watchdog, just do something to be able to get the “Apply All” Button. Then click the “Apply All” Button. All looks good.
  3. Go to any other tab and back to the System tab: In DHCP & PPPoE Snooping all Trusted Ports are unchecked.

And the Switch blocks my DHCP Server on the SFP1 Port.

Also I cannot enable the Trusted Ports. I checked them all, pressed the “Apply All” Button, all looks good, but after switching tabs the Trusted Ports are all unchecked.

A reset configuration re-enables the DHCP Trusted Ports.

Unable to duplicate on any of my three CSS326-24G-2S+RM switches running SwOS 2.13 or with my CRS326-24G-2S+RM that is running SwOS 2.13.
What version of SwOS are you running?

The CSS610-8P-2S+IN runs SwOS Lite 2.15
I know it is otherwise unreleased.

Ah.

Thanks for your confirmation that it should normally work.
So it is either a bug, or a hardware defect.

It would be good if another owner of this box, or somebody from the Mikrotik team, could check if it is a software issue or not.

Hello,
We can confirm this DHCP & PPPoE snooping software problem. It is specific to the CSS610-8P-2S+IN model and SwOS Lite 2.15 version.
Please contact MikroTik support via Support Help Desk System (https://mikrotik.com/support) to solve this issue until the new SwOS Lite version is released.

@becs thanks for confirmation. It is great that this problem could be reproduced by you guys and is being worked on.

This seems like a problem only in GUI. As a workaround, I’ve managed to fix it by inspecting the request in the browser and re-sending it with the correct values.

For trusted ports, look for i13 field in the request and change the value to a hexadecimal bit mask of ports you want to be checked. You can get the correct value by changing temporarily mikrotik discovery protocol and inspecting the value sent (field i08), then just copy it over to the i13. Remember to pad it to full 1, 2 or 4 bytes (2, 4 or 8 chars), otherwise you’ll get an unexpected result.

For the add information option, just pass 0x01 in the field i14 to switch it on.

Remember that you have to manually fix the whole request when changing anything on this page that is above those fields (changing password, managing backup or rebooting the device is not affected)

@gwynbleidd thanks for that info. I also wondered, if I could just save/backup the configuration, edit the values as you described, and then load the patched backup file up to the switch.

Note that the switch backup is not exactly overly human readable. It’s not binary, but it’s not plain text. I have little doubt that with a fair amount of effort, it could be reverse engineered. May or may not be easy.

The backup file doesn’t look too bad

... i0f:0x00,i13:0x00,i14:0x00,i1c:0x00, ...

I can edit it.

Edit:
I didn’t contact support yet. And I was kind of surprised by @gwynbleidd detailed information. But I could just modify i13 to create a bitmask for the trusted ports …

Edit2:

i08 is 0x03ff which is 0000 0011 1111 1111

So it is 10 '1's, one for each port …

Edit3:
The bit order seems to be reverse to the GUI, bit0 = ethernet 1 … bit 10 = sfp2

Edit4:
Well it did what it was supposed to do. It blocked PPPoE and DHCP from those ports.
But what I actually wanted to do is to restrict admin access to the switch to exclude port 1 and 2. As simple as that. I still don’t know how to do that.
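
The mask arithmetic from the workaround described above, as an added example that is not part of any post in this thread and is not MikroTik code. It assumes the port names below, the bit order reported in the thread (bit 0 = ethernet 1, sfp2 last), the `iNN:0x..` field layout of the quoted backup fragment, and a padding width chosen as the smallest of 1, 2 or 4 bytes that holds the value, which matches the two values seen in the thread (0x00 and 0x03ff).

```python
import re

# Assumed port order, from the thread: bit 0 = ethernet 1, highest bit = sfp2.
# Ten ports occupy bits 0-9, so "all ports" is 0x03ff as seen in field i08.
PORTS = [f"ether{n}" for n in range(1, 9)] + ["sfp1", "sfp2"]


def ports_to_mask(names):
    """Return the integer bit mask with one bit set per named port."""
    mask = 0
    for name in names:
        if name not in PORTS:
            raise ValueError(f"unknown port: {name}")
        mask |= 1 << PORTS.index(name)
    return mask


def mask_to_ports(mask):
    """Decode a mask back into port names, lowest bit first."""
    if mask >> len(PORTS):
        raise ValueError("mask has bits set beyond the last port")
    return [p for bit, p in enumerate(PORTS) if mask & (1 << bit)]


def format_mask(mask):
    """Hex string padded to a full 1, 2 or 4 bytes (2, 4 or 8 hex chars)."""
    for nbytes in (1, 2, 4):
        if mask < 1 << (8 * nbytes):
            return f"0x{mask:0{2 * nbytes}x}"
    raise ValueError("mask does not fit in 4 bytes")


def set_field(config, field, mask):
    """Replace the value of exactly one 'iNN:0x..' field in a fragment."""
    pattern = re.compile(rf"(?<![0-9a-z]){re.escape(field)}:0x[0-9a-fA-F]+")
    new_text, count = pattern.subn(f"{field}:{format_mask(mask)}", config)
    if count != 1:
        raise ValueError(f"expected exactly one {field} field, found {count}")
    return new_text


# Constructed sample, shaped like the backup fragment quoted in the thread.
SAMPLE = "i0f:0x00,i13:0x00,i14:0x00,i1c:0x00"

if __name__ == "__main__":
    trusted = ports_to_mask(["sfp1"])   # trust only the DHCP server's port
    print(format_mask(trusted))
    print(set_field(SAMPLE, "i13", trusted))
    print(mask_to_ports(0x03ff))
```

Decoding a value with `mask_to_ports` before sending or uploading it is a quick check that the trusted set is the one intended, since a wrong mask blocks DHCP on the server's port.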

Hello!

I have the same problem. The SW OS version 2.15p.
Is there a solution for it?

Thanks: Péter

Not officially.
I have: “2.15 (built at Thu Mar 10 2022 07:58:58 GMT+0100 (Central European Standard Time))”
Not sure what 2.15p is.
The GUI says: “ERROR: Could not determine latest version, probably no internet connection. Use manual upgrade.”
SwOS does not seem to get as many updates as RouterOS.

I have not contacted support yet since this is a low priority thing for me. But I might get impatient soon.

Hi, thanks!
But it’s a big problem, the switch blocked all DHCP requests.
I contacted Mikrotik Support yesterday, I’m waiting for the answer!

Yes that’s what DHCP snooping means I suppose.
I just did a reset, and then you can change the other settings, and it is fine, as long as you don’t change the things in the system tab.
Please share what you’ve learned from the support guys. Thanks.

Blocking admin access is done by the “Allow From Ports” option in “General” section. Simply uncheck ports that shouldn’t have access to admin interface.

Remember that bug still affects DHCP settings, so you’ll have to fix them manually after changing anything on this page.

Yes. I want to limit the switch getting its ip from Ports 1 and 2 as well. That’s why I tried DHCP snooping.

My idea was to use ports 1 & 2 as a “wire” connection, just providing power to both ports,
but preventing admin access to the switch, and getting its IP from those 2 ports.

I don’t believe that disallowing admin access to the switch removes the capability to get a DHCP address from that port. One of those things I likely could test if needed… I set mine to static because there are several VLANs on each switch and it could randomly get addresses from any one of several VLANs.

Yes VLANs and static IP are good and valid options. I am not a network engineer by trade, so I don’t know what best practices are.

I would prefer to have 1 port as dedicated management port, for admin access and IP …
So if I isolate one port, put it on a separate VLAN, and use this one as a trusted port, it should work …

But I am still waiting for a SwOS update. My version is from March …
It seems like RouterOS gets more frequent updates.

Yes, RouterOS gets far more attention than SwitchOS. I have five permanently installed Mikrotik switches at my house. All are on 2.13 except one old RB260 that can’t take the 2.x firmware. All are carrying multiple VLANs and the static IP is on a dedicated management VLAN. Admin access is limited to the port used for a VLAN trunk on each switch and on a couple of them, also a dedicated port on the management VLAN. Other than VLANs, I’m not doing anything fancy. The only real issue I have had with any of them was a bug that was fixed several years ago that resulted in the switch dropping all except small packets (standard pings would work, but normal traffic packets would not).