Once and for all COMPLETE Offbridge Port setup

You all know far more than I do, but I just don’t understand the reluctance to use a DHCP server.

(1) Adding it is simple, (2) with nothing connected to the port it is, with respect to putting a load on the device, disabled, and (3) it removes all the possible problems associated with APIPA or having to remember a simple or complex or intuitive or common IP address (or block). The only possible problem I can think of is it being a security issue – but, if someone has physical access to the router, whether there is a DHCP server running or not will not stop her.

No reluctance whatsoever.

Is it needed?
No.

Can it be used optionally without any adverse effects?
Yes.

Hence it is an option, and everyone is free to choose using it or not.

I see – thanks for the clarification.

Referencing the idea that the group that will find the most value from OffBridge is everyone other than the top power-users, it would seem to me that the default instructions should include the DHCP option, with an explanation that the implementer of OffBridge has the option to not create a DHCP server and instead create a small IP block assigned to the OffBridge port.

The default instructions include the OPTION to add a DHCP server.

This option is given AFTER having assigned a static IP to the interface.

  1. needed
  2. optional, not needed (which doesn’t mean not useful or not nice-to-have)

If you have to remember it, it will be forgotten.
I use a DHCP server then.

Sure, it is rare but it can happen, that's why I added 10.10.10.10/24 to the post-it I keep in the left drawer of my desk (the fuchsia one where I wrote the password I use for all my devices, not to be confounded with the yellow one with the credentials for my home banking and the PIN of the credit card).

Winbox reveals the IP on the interface, without a DHCP server, for using WebFig… but I never use WebFig, I never put an IP on the mgmt port…

I’d really like to understand this better.

Great point that Winbox will reveal the IP on the OffBridge interface. Indeed, I think this fact might completely obviate the question of whether to enable a DHCP server on OffBridge.

What do you mean by “I never put one IP on mgmt port?” Will Winbox discover the device if connected to the OffBridge ethernet port and that port does not have an IP address assigned to it?

If so, then (I think) setting up OffBridge just got even easier: (1) Remove ether5 from bridge, (2) enable ip neighbor and mac-winbox for OffBridge (or list that includes OffBridge).

Which are not-so-casually steps x1 and x2, swiftly followed by this text intermission:

(actually in red in the original post to give it more visibility)

In Winbox the device will be detected, its MAC will be visible and the IP will come out as 0.0.0.0, and you can connect to the device by clicking on the MAC.

And of course there is a link to:
Why you should use Winbox

Moved to post #2

@jaclaz:

You really should have said so from the beginning :grinning_face:

Besides what it says specifically about me, perhaps this is an example of why the instructions need to be as limited as possible when it comes to options, alternatives, and choices. Conciseness, brevity, and precision might be the order of the day to reduce confusion and ambiguity.

To be accurate, unless you can find other posts, I could only find the first reported mentions from posts in MAR 22 (as user 404 LOL).

However, I started calling it OffBridge to give it a more formal nomenclature. It was always part of my set of New User Helper Documents from long ago, probably circa 2020ish?? However, it was not as organized by name.

SETUP OF WIRED AND WIFI DEVICES
(common to Routers/Switches/APs using RoS - where a spare port or spare wlan/vwlan may be available).

  1. Remove a spare ether port (let's use 5) from the bridge; in the case of a cAP ac (two ports), use ether2.
  2. Give it a new name: ether5-access.
  3. Give it an IP address that does not conflict with any other subnets on the LAN or any remote subnets etc. Let's use 192.168.5.1/24, network 192.168.5.0.
  4. Add ether5-access to the trusted interface list as a list member. It could be a trusted vlan, could be the management vlan, could be LAN etc. (router only)
  5. For the Switch/AP scenario, if not already done, create an interface list called Manage or base etc. (you may already have one, so can just use that).
     - add ether5-access as a list member (switch)
     - add vwlan-access as a list member (AP)
     - add vlan XX (the trusted or management vlan or subnet) as a list member (normally should already exist)
  6. Add the interface list Manage (or whatever it is called on your device) as the entry in IP neighbours.
  7. Add the interface list Manage (or whatever it is called on your device) under Tools > MAC Server (MAC WinBox Server).

Note: On an MT Device not doing routing, normally, the ONLY interface required is the "Manage" interface (no wan, no lan, no IP DHCP, no firewall rules etc.)

NOTES:
A. If you have delineated subnets/IP addresses in the IP Services of WINBOX, be sure to add 192.168.5.0/24 to the "Available From" column.
B. If you have delineated subnets/IP addresses in System Users, be sure to add 192.168.5.0/24 to the "Allowed Addresses".
(In both cases, A and B, you can use the single IP address you intend to use for such access, if desired, such as 192.168.5.5.)

WIFI ONLY

8. Define a Virtual WLAN, let's call it vwlan-access, from an existing WLAN.
9. DO NOT attach it to the bridge.
10. Provide the usual wifi config parameters: SSID, security profile etc.
11. Ensure steps 3, 5-7 above are completed.

DONE!!
Note1: It is assumed for switches/APs that an IP route has been created with dst-address=0.0.0.0/0, with the gateway being the IP gateway of the trusted subnet/vlan.
Note2: For Routers, it is assumed that the trusted interface list is used to allow the admin access to the router (input chain) and thus this new connection will automatically be included; otherwise you will need to create an input chain rule to allow ether5-access to the router. (router only)
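The wired steps 1-7 and notes A/B/1/2 above, plus the optional DHCP server debated at the top of the thread and the virtual WLAN of steps 8-11, as RouterOS CLI commands. This is an added example, not the poster's own export: the list name Manage, the DHCP pool range, the trusted-subnet gateway 192.168.88.1, the master wireless interface wlan1, the SSID and the firewall-rule placement are assumptions, and the WLAN lines use the legacy `wireless` package.

```routeros
# Step 1: take ether5 out of the bridge so it works even when the bridge config is broken
/interface bridge port remove [find interface=ether5]

# Step 2: rename it so its purpose is obvious in Winbox and in exports
/interface ethernet set [find default-name=ether5] name=ether5-access

# Step 3: static address on a subnet used nowhere else on the LAN
/ip address add address=192.168.5.1/24 network=192.168.5.0 interface=ether5-access

# Steps 4/5: put the port in a management interface list (Manage is an assumed name;
# on a router you would add it to your existing trusted list instead)
/interface list add name=Manage
/interface list member add list=Manage interface=ether5-access

# Step 6: neighbor discovery only on the management list
/ip neighbor discovery-settings set discover-interface-list=Manage

# Step 7: MAC-Telnet and MAC-Winbox only on the management list
/tool mac-server set allowed-interface-list=Manage
/tool mac-server mac-winbox set allowed-interface-list=Manage

# Notes A/B: if the Winbox service and the admin user are restricted by source address,
# add the access subnet. These commands REPLACE the address list: append the networks
# you already allow, comma-separated, or you lock yourself out from the LAN.
/ip service set winbox address=192.168.5.0/24
/user set [find name=admin] address=192.168.5.0/24

# Note 1 (switch/AP only): default route via the trusted subnet's gateway (assumed)
/ip route add dst-address=0.0.0.0/0 gateway=192.168.88.1

# Note 2 (router only, if the trusted list is not already accepted in the input chain):
# accept management traffic from the list, placed ahead of the drop rules
/ip firewall filter add chain=input in-interface-list=Manage action=accept \
    comment="OffBridge access" place-before=0

# Optional, the DHCP server discussed earlier in the thread: a laptop plugged into the
# port gets an address automatically; nothing runs until a client connects. Range assumed.
/ip pool add name=access-pool ranges=192.168.5.10-192.168.5.20
/ip dhcp-server network add address=192.168.5.0/24 gateway=192.168.5.1
/ip dhcp-server add name=access-dhcp interface=ether5-access address-pool=access-pool disabled=no

# Steps 8-11 (wifi, legacy wireless package): a virtual WLAN on the existing wlan1.
# Adding it here does not attach it to the bridge, which is exactly what step 9 wants.
/interface wireless add master-interface=wlan1 name=vwlan-access ssid=offbridge-access \
    security-profile=default disabled=no
/interface list member add list=Manage interface=vwlan-access
```

The access subnet deliberately stays out of the bridge and the LAN firewall rules, so the only way to reach it is to be physically on that port or SSID; keep the admin user's address restriction in place so the port does not become a wider entry point than intended.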

I did find an earlier thread Dec 2021

Bumping this - I had to hit my offbridge port recently and it saved my bacon so much, so thanks for that.

It WAS However a total PAIN finding my USB-C to ethernet dongle and fumbling in my cupboard under the stairs.

I have ether5 off the bridge, and I use DHCP for ease.

If I wanted to add Wifi to this, what is the best way? Should I create a new SSID and then create a new bridge that contains only the new wifi interface plus ether5, and then move my DHCP config to that new bridge?

Thanks

Well, put that ethernet adapter in a more reachable place.

Seriously, I have no idea whether adding an offbridge wifi interface is a good idea.
Making a second bridge is often frowned upon by more experienced people because it might "confuse" the fasttrack/whatever and remove it from the "main" bridge.
On the other hand you don't really-really have to put this other offbridge interface into a bridge (just like your ether5 is not part of any bridge) as it would be only an "access" port to the router/ap.
But cannot say if your new SSID/virtual interface (which should be a "slave" to the "real", "master" one) can work by itself (or it is affected by its "master" being part of the bridge).

I agree. It could even be attached to a patch cable and left plugged into the port on the router.

The idea is to have something that will work in case other things don't, and that includes wifi. It still isn't as "foolproof" as a serial console port, but most home routers don't have a serial port built in any more, even the "ultimate heavy-duty home lab router" (aka RB5009) is oddly missing a serial console port.

The RB5009 has a USB port and you can plug a serial USB cable to use as serial console.

You are correct, the USB port can be used with USB to serial adapters to provide serial access to the RB5009, and a USB port is more flexible than a serial console port. The RB4011 had a serial console, but no USB. The RB3011 had USB, Serial Console and buzzer, but 2 vs 4 core processor.

But with recent laptops, also without serial ports, you then need to configure two USB adapters back to back, along with the problem of configuring the serial adapter on the RB5009 side.

Also, the USB isn't available in the early boot portion, so it isn't equivalent to a serial console.

MikroTik screwed up when they didn't include a serial console on the RB5009. Every other "Lab" router (RB2011, RB3011, RB4011) did have serial consoles, the RB5009 was the first to drop it. (but other things have also been dropped, like piezo beeper). They realized the mistake and added a serial console to the L009, although due to lack of front panel space it is on the side, which makes it a bit less convenient to access, especially in a rack. But I am glad they did add to the L009, as having a serial console on a lab router is very useful.

Yeah, I love the RB5009 but I think the form factor that was forced by the idea of having 4 units in 1U of rack space has some disadvantages that show up. It would probably have been better to just use a 10” rack form factor for people who love that, and thus have slightly more space. Also because there weren’t any other products, like a switch for example, that used the same form factor or double-height version of it, which could have been nice in a combination with the RB5009.

Also it seems that many MikroTik products do not start with a specification of what features and ports will be available, but rather they find some interesting SoC or define some cute form factor, and THEN they see what this chip or housing can offer in a product.

Fair, but these things inevitably get misplaced and for home use I would compromise on ‘forum agreed best practice’ for a bit of convenience as long as I can still reach the device :slight_smile:

Your point on the wifi interface is a good one, but my assumption (not based on actual testing yet!) is that it would not be impacted by this.

I have since added an extra wifi interface (just kept it clean, did not bother with a bridge) with its own DHCP and otherwise the same config as I have for my ether5.

Works fine, even if frowned upon and not fully standalone due to wifi dependence. I’ve yet to break the actual wifi though, and I can still use ether5 if necessary.