How to effectively configure 6 hEX units ?

olivier2831 · August 19, 2019, 4:24pm

Hello,
I need to configure 6 hEX PoE UNITS as basic “VLAN enabled switches”.

Configuration details i need to set, are:

custom settings:
fixed private address (eg 192.168.1.221/24) replacing factory-set 192.168.88.1/24
common settings:
do not act as DHCP or DNS server
no DNS cache
ether1 belongs to LAN interface list
no IP forwarding
no firewall rule of any kind (NAT, filtering)
all ethernet being untagged member of VLAN1 and tagged member of VLAN2
uploading two SSH key files to admin user
setting admin’s password

I’ve read about /import and /export commands but those seem not so easy to use.

How would you proceed ?

best regards

Steveocee · August 22, 2019, 3:24pm

Configure 1 how you want it.
Do an /export and then do a full reset on the others and import the .rsc file you made from the first one.

mkx · August 23, 2019, 5:16am

Which would cover all but last two OP’s points (SSH keys and password) … those two are only possible to automate by using (binary) backups which should not be used to transfer config between different units (even if they are same model). Or is password setting actually possible from scripts (only /export doesn’t export that detail) so the script could be hand-modified to deal with this OP’s point as well?

olivier2831 · August 26, 2019, 3:05pm

What about a dedicated Python script that connects to Mikrotik box through SSH and even reads config though NAPALM or alternatives :
you can copy SSH key files,
you can use different SSH logins as appropriate.

Has someone followed this route ? If positive, is it something that you recommend ?

Amm0 · August 26, 2019, 5:19pm

If you have a configuration you like and /export out, I’d look at learning NetInstall. It would let you upload your .rsc and the same version packages on all units. Then if you need more in the future, you can use NetInstall to make sure you have the same version. See “Configure script” comment in https://wiki.mikrotik.com/wiki/Manual:Netinstall – also, NetInstall will cause the “reset” button on each unit to go YOUR customized bridged configuration.

Amm0 · August 26, 2019, 6:11pm

Also, you mention “uploading two SSH key files to admin user”…that part is the more tricky I think. Since the export wouldn’t include those.

So for the certificates, Other might have a better idea for that…but one way is to just put the desired public key on a local web server, then include the following EXAMPLE commands at/near the bottom the export’ed script:
0. :delay 10s

/tool fetch url=“https://LOCAL_WEBSERVER/my_public_ssh_key” file=my_public_ssh_key to download the desired cert from a local web server that has the public key file available via HTTP.
/user ssh-keys import public-key-file=my_public_ssh_key user=admin

Finally, if you really want it to act like a switch, at a high level, you want avoid the traffic going through the CPU. There are two ways to do this:

“Bridge Hardware Offloading” with "VLAN filtering"under (“Bridge” in WinBox) - see https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering -
“Switch_Chip_Features” (“Switch” in WinBox) - see https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features but basically you add the VLANs you using and then set the egress/ingress tag/untag using the settings under /interface ethernet switch or Switch section in WinBox

I think for the HeX PoE, you’d want to he use the “Switch” method to set the VLAN tagging/untagging. If you use “VLAN Filtering” in the “Bridge” settings, it would likely disable hardware offload which work but performance be less than line speed on the HeX PoE. The Switch Chip setting would keep the VLAN stuff going a line speed…but yeah you read https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features a couple times.

The Switch configuration would be export in a /export file=filename.rsc, and still be imported via NetInstall.