I’m running Home Assistant and a CRS320. I’ve implemented an SNMP switch that lets me turn on/off my son’s internet access on a schedule or manually. I’ve cobbled together the Mikrotik side and it works but I’m just wondering if there’s a better/simpler way that I should be aware of. I don’t want to just shutdown the interface because that PC has an iSCSI connection for additional storage and interrupting it could corrupt things. It also prevents monitoring if the PC is on or off.
I planned to use bridge filters until I realised that would slow everything (?) down to CPU speed by punting everything from the switch chip to CPU. So I’ve tried to use switch rules instead.
The first rule (when enabled) drops any packets to the router’s MAC so it prevents internet access but doesn’t affect local access.
The second rule is to drop any packets from private (randomised) MAC addresses on a VLAN he shouldn’t have access to - yes, this is an arms race! …but it’s also good practice for me in hardening networks.
/interface ethernet switch rule
add comment=ChildInternetSwitch dst-mac-address=C4:F7:D5:12:34:56/FF:FF:FF:FF:FF:FF new-dst-ports="" ports=ether6 switch=switch1
add comment="Drop private MAC addresses from WiFi on VLAN1" new-dst-ports="" ports=ether2,ether16 src-mac-address=02:00:00:00:00:00/02:00:00:00:00:00 switch=switch1 vlan-id=1
I can’t directly enable/disable the rule using SNMP - or at least I’ve not found it, if I can! So I’ve set up a script to toggle the rule and that can be triggered by SNMP. For a single on/off switch, it only lets me tweak one OID so it had to be a single script, not two. The script also toggles a dummy bridge interface just so its status can be read using SNMP (unlike the rule directly). That way, the SNMP switch shows the current status as well as allowing it to be toggled.
/system script
add dont-require-permissions=yes name=ChildInternetToggle owner=admin2 policy=read,write source="/interface/ethernet/switch/rule\r\
\n:foreach r in=[find where comment=\"ChildInternetSwitch\"] do={\r\
\n :if ([get \$r disabled]) do={\r\
\n /interface ethernet switch rule enable \$r\r\
\n /interface bridge disable [find name=ChildInternetStatus]\r\
\n } else={\r\
\n /interface ethernet switch rule disable \$r\r\
\n /interface bridge enable [find name=ChildInternetStatus]\r\
\n }\r\
\n}\r\
\n"
On the Home Assistant side, the SNMP switch is set up in configuration.yaml as it isn’t yet supported in GUI. The on/off payload is 1 for both since it just runs the script to toggle between states.
switch:
  - platform: snmp
    name: Child Ethernet
    host: 10.0.0.253
    version: "2c"
    community: write-community
    baseoid: 1.3.6.1.2.1.2.2.1.7.27
    payload_on: 1
    payload_off: 2
    command_oid: 1.3.6.1.4.1.14988.1.1.8.1.1.3.4
    command_payload_on: 1
    command_payload_off: 1
My understanding is that this won’t interfere with performance - especially when the rule is turned off and in particular for other ports. Have I over-thought this or is there a better way of doing it?
Thanks in advance.
Gareth
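An added example, not from the post and not RouterOS code: a small Python model of how the two switch rules above match frames (value/mask MAC match, ingress port list, optional vlan-id, empty new-dst-ports meaning drop), useful for checking on paper which traffic each rule catches before enabling it on the switch. The frames and MAC addresses in it are constructed, and the first-match evaluation is a simplification of the real switch chip.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple, Set

ROUTER_MAC = "C4:F7:D5:12:34:56"  # router MAC from the post's first rule


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def mac_match(mac: str, value: str, mask: str) -> bool:
    """Switch-rule MAC fields match when (mac & mask) == (value & mask)."""
    m = mac_to_int(mask)
    return (mac_to_int(mac) & m) == (mac_to_int(value) & m)


@dataclass
class Rule:
    comment: str
    ports: Set[str]
    src: Optional[Tuple[str, str]] = None  # (value, mask)
    dst: Optional[Tuple[str, str]] = None
    vlan_id: Optional[int] = None
    disabled: bool = False

    def matches(self, port: str, src_mac: str, dst_mac: str, vlan: int) -> bool:
        if self.disabled or port not in self.ports:
            return False
        if self.vlan_id is not None and vlan != self.vlan_id:
            return False
        if self.src and not mac_match(src_mac, *self.src):
            return False
        return not self.dst or mac_match(dst_mac, *self.dst)


def make_rules(child_blocked: bool):
    """The two rules from the post; the first is what the toggle script flips."""
    return [
        Rule("ChildInternetSwitch", {"ether6"},
             dst=(ROUTER_MAC, "FF:FF:FF:FF:FF:FF"), disabled=not child_blocked),
        # mask 02:00:... tests only the locally-administered (U/L) bit, which
        # randomised "private" Wi-Fi MACs set, so this catches them on VLAN 1
        Rule("Drop private MAC addresses from WiFi on VLAN1", {"ether2", "ether16"},
             src=("02:00:00:00:00:00", "02:00:00:00:00:00"), vlan_id=1),
    ]


def dropped(port: str, src_mac: str, dst_mac: str, vlan: int, rules) -> Optional[str]:
    """Comment of the first matching drop rule, or None if the frame is forwarded."""
    for r in rules:
        if r.matches(port, src_mac, dst_mac, vlan):
            return r.comment
    return None
```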