I love the technique of keeping a port off-bridge – and very much appreciate the continuous reminders here.
I understand it involves:
Removing the port from the bridge
Assigning an IP address in a network not otherwise used by the device
Adding that port to the LAN interface list
What I don’t understand is why the IP assigned should be in a network size of /30
My thinking is that if I lose connectivity and have to resort to using an offbridge port, it will be all I can handle to remember (1) which port is offbridge and (2) that the IP assigned to the port is 192.168.88.1. I would, without a doubt, at times think I can assign the PC connected to that port 192.168.88.10 or 192.168.88.100.
Follow-up question: I’ve gone ahead and done that to almost all the MT devices I support, but some devices have a total of 2 ethernet ports, some have 5, some have 8, and many have connected devices such that the open ports (those currently without a device connected) vary – some 5-port devices have ether3 unused and some have ether5 unused. How do you remember which is the offbridge port?
Always use the lowest non-WAN port; that is a simple aide-memoire.
Remembering your address in the /30 is immaterial if you use DHCP there. I rashly use /29.
I did not set up a DHCP server for the offbridge network. That would indeed work to solve the problem of remembering the offbridge port’s IP address as well as the question of assigning the correct IP to the connected PC. Great advice!
In the instructions I give, one of the first steps is naming the ethernet port.
/interface ethernet
set [ find default-name=ether4 ] name=OffBridge4
Comments and/or smart nomenclature help you remember what you have done.
This is always available, no memorizing required.
Subnet mask: /24 yields IP addresses .0 through .255, where typically .0 is the network and .255 the broadcast, so 256 total hosts and 254 usable IPs (1-254).
Subnet mask: /30 yields IP addresses .0 through .3, so a total of 4 hosts and only 2 usable IPs (1, 2).
Since I always define the address of the interface on the router like so:
/ip address
add address=192.168.55.1/30 interface=OffBridge4 network=192.168.55.0
we are left with ONE usable IP only for any other devices, and that is 192.168.55.2.
I do indeed like naming or including a comment, but I think the name or comment might be better off being “OffBridge” without the ethernet port number at the end.
For one thing, if I lose access, I can’t refer to the name or comment to see what ether port it is.
Secondly, I can see a value in having the same name or comment across different devices.
As for the /30, I still don’t see the value of limiting the usable IPs to 1, thereby requiring that you remember 192.168.55.2. If that’s what you’ve always used, it’s easy to remember, but hardly intuitive and not easy to otherwise remember. Handing out a DHCP lease takes the human factor out of it.
I do like the idea of setting up a DHCP server for the OffBridge port in the same network as the OffBridge port.
Something like this:
/interface ethernet
set [ find default-name=ether7 ] comment=OffBridge poe-out=off
/ip address
add address=192.168.88.1/24 interface=[/interface/find where comment~"OffBridge"] network=192.168.88.0
/ip pool
add comment=offbridge-dhcp-server name=offbridge-dhcp-server ranges=192.168.88.2-192.168.88.200
/ip dhcp-server
add address-pool=offbridge-dhcp-server comment=offbridge-dhcp-server interface=[/interface/find where comment~"OffBridge"] name=offbridge-dhcp-server
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=1.1.1.1 gateway=192.168.88.1 netmask=24
I tried to figure out how to use the CLI to remove the port with the comment=OffBridge from the bridge, but I couldn’t make it work.
I tried the following but it does not work:
/interface bridge port remove [/interface/find where comment~"OffBridge"]
Completely useless all of this.
If the device does not provide a specific MGMT port, just leave the last non-PoE port (or the last PoE port if there are only PoE ports) for MGMT purposes (trivial rule, one for all).
There is absolutely no need to put an IP on the port, VLANs and other frills; MAC WinBox does everything else without having to worry about the firewall, port groups or other bullshit.
Just trivially leave the MAC WinBox active exclusively on the MGMT port.
I understand: The grown-ups here discuss grown-up topics like:
Quad-WAN multi-router load balancing, 10000Gbe ports, 1000-site 4000-VLAN connectivity, Wifi 9 specs, the port-facing-router-upward-!blockchain-src-tagging-third-component in the functional/logical diagrammatic visualization of frame flows across 4-natted VLANs, etc.
And here I come along asking how to remember an IP address and to only talk to me about VLANs in terms of an analogy to a choo choo train.
Just remember that when ROS v.8 comes out all configuration will be done telepathically, with the first version requiring all configurations to be done by the admin thinking only in analogic terms of cars, limited to 2 parameters: Color and max-theoretical-speed.
Rextended, it’s very easy for less-experienced persons, including myself, to have VLAN-filtering anxiety when things blow up unexpectedly. This removes that anxiety. Also, how to get rid of, let’s say, the default subnet without causing major issues is sometimes daunting. This removes that problem. Just because you no longer or never had these issues doesn’t mean they are not real and that they do not happen, so I respectfully decline to entertain your input as particularly useful this time. Please do not let that dissuade you from providing input on future posts.
Joseph, I prefer simplicity above all else and security.
There is no need for DHCP, and in fact now you are giving a person a vector into the router, because if they plug into that port, then they will get an IP address and access right away to the device.
Not that someone is going to break into the house and do so, etc., but the concept remains the same and it’s just a security practice to keep honed. Also, why go to all the extra config trouble, as less config is better generally speaking for all that I do. As for not understanding a /30 mask, that has nothing to do with MT or RoS. That is on you for attempting to use a more sophisticated device without doing your homework and learning basic networking. I can say that because I’ve failed to do the same and realized I had to learn it, whether I like it or not, and it’s not up to others to change their good practices due to my lack of knowledge.
As always, thank you for the perspective and insight!
This, to me, is a classic example of something I deal with every single f-ing day:
The more I learn about a topic (law, medicine, business, technology), the more I learn how incorrect my previous understanding was. Unfortunately, if the process (of acquiring a deeper understanding of something every day that is followed continuously by an ever-deeper understanding of the same topic) repeats and continues without cessation, we are susceptible to a permanent, and, of course, unpleasant form of cognitive dissonance.
I truly do understand and agree with your simplicity and security above all else perspective!
And, I really do have pretty good understanding of netmasks and blocks. Leaving the tech-savvy home invader scenario out of this for now (looking at you CIA/NSA/FBI), I still think that a /24 is better, even without DHCP on that port because I can easily see a situation where I’m locked out, go to site with a laptop and don’t have DHCP client enabled on the laptop, but I do know that I use 192.168.88.x as the management/offbridge network.
Perhaps I’m thinking about ‘simplicity’ in a broader way: There is simplicity in the config, but also simplicity in the actions or behavior required in the event of a lock-out. If I have to show up to a site, I’m already a little aggravated (no one’s paying me for this! I could be napping!). If the entirety of my actions to gain access to the MT device include plugging an ethernet cable into one of the open ether ports (labeled by jaclaz’s handy-dandy RJ45 plug-in labels) and making sure that the laptop is DHCP enabled, then that is pretty darn efficient – and simple!
If essentially the purpose of having a “console” port via serial (built-in or USB), when there is one, or a MGMT port, is to get out of trouble if there is an error in the configuration, but it must not be accessible from “elsewhere”, then using WinBox via MAC address on the MGMT port (or PuTTY on console/dongle) serves the purpose…
With my way, the IP/DHCP configuration of your computer’s network card does not matter.
Then you could always set the reset/mode/wps button, which, in case no ethernet port is connected, resets the software to the last configuration that was working.
I'm not getting between you and anav....errr...I mean, I'm not well-versed enough to comment intelligently on this debate....
I will say that you did make me realize that it would be wise to enable MAC WINBOX on those offbridge ports. That appears to require adding the OffBridge port to the admin/management/trusted/manage interface list (and making sure that MAC WINBOX is enabled for that interface list).
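Pulling the thread together (the three steps from the first post, the DHCP variant, and the interface-list/MAC WinBox point just above), here is an added example of the whole off-bridge port setup as a RouterOS 7 script. It is not any poster’s configuration; it assumes the spare port is ether5, the bridge is named "bridge", the default "LAN" interface list exists, and 192.168.88.0/24 is unused on the device.

```routeros
# Added example, not any poster's config: a dedicated off-bridge management port on RouterOS 7.
# Assumptions: spare port ether5, bridge named "bridge", default "LAN" interface list present,
# and 192.168.88.0/24 not otherwise used on this device. Adjust to the hardware at hand.

# Name the port so its role is visible in every menu that lists interfaces.
/interface ethernet set [ find default-name=ether5 ] name=OffBridge comment="OffBridge management"

# Step 1: take the port out of the bridge. "remove" expects bridge-port IDs, so match the
# bridge-port entry on its interface property rather than passing an interface ID.
/interface bridge port remove [ find interface=OffBridge ]

# Step 2: address the port in a network nothing else on the router uses.
/ip address add address=192.168.88.1/24 interface=OffBridge network=192.168.88.0 comment=OffBridge

# Step 3: make it a LAN member so the default firewall and mac-server rules treat it as trusted.
/interface list member add interface=OffBridge list=LAN comment=OffBridge

# Optional: DHCP on the port, so a laptop with a DHCP client needs no manually typed address.
/ip pool add name=offbridge-pool ranges=192.168.88.10-192.168.88.20
/ip dhcp-server add name=offbridge-dhcp interface=OffBridge address-pool=offbridge-pool disabled=no
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1

# MAC WinBox / MAC Telnet only on the trusted list: the port stays reachable even when the
# IP layer is misconfigured, and untrusted ports do not answer MAC discovery or logins.
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server set allowed-interface-list=LAN

# Quick check: 0 means the port is no longer a bridge member; 1 means it is in the LAN list.
:put [:len [/interface bridge port find interface=OffBridge]]
:put [:len [/interface list member find interface=OffBridge list=LAN]]
```

Paste it into a terminal session (or `/import` it) on a device you can reach another way first, since it removes a bridge port.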