Restrict SNMP on SwOS?

smyers119 · December 31, 2021, 1:46pm

According to the docs it only supports snmpv1.

https://help.mikrotik.com/docs/display/SWOS/SwOS

you may be able to use ACL’s to restrict source ip’s

smyers119 · December 31, 2021, 1:58pm

~~[quote=davidand post_id=901881 time=1640958956 user_id=170714]~~

Is it only me who considers this to be a potential security risk, exposing some configuration of the router to every device on the network?
[/quote]

It’s only a security risk if you configure it like a security risk

mkx · December 31, 2021, 2:03pm

If access to any of switch’ management features (either SNMP or WebUI) is considered security risk, then one should go with VLANs, only allow access from one VLAN and restrict access to that VLAN using decent firewall rules on router/firewall.
SwOS is pretty plain and one can’t expect very much of it.

mkx · January 1, 2022, 9:54am

~~[quote=davidand post_id=902009 time=1641029313 user_id=170714]~~
@mkx I think you are referring to the “Allow from VLAN” field under System -> General in SwOS
[/quote]

Yes, I was referring to that setting. I don’t have any SwOS devices, so I can’t say with confidence whether this setting also works for SNMP or not. If it didn’t, I’d be much disappointed.

~~[quote=davidand post_id=902009 time=1641029313 user_id=170714]~~
Reacting to:
~~[quote]~~SwOS is pretty plain and one can’t expect very much of it.[/quote]

While that’s true, SwOS’s throughput is by far superior to RouterOS’ throughput (GB/s)…
[/quote]

Where did you get this information? All the dual SwOS/ROS devices have HW offload available in ROS and if configured properly device should perform equally well under both OSes for same tasks. ROS offers different possibilities and it’s only too easy to easy to miss some optimal configuration leading to subpar performance.

But anyway, if you’re happy with SwOS, then keep using it. You’ll just have to reconcile its shortcomings …

mkx · January 1, 2022, 8:10pm

As I said: if configured properly, your CRS should perform equally well regardless the OS running. Indeed ROS gives more possibilities … to screw things as well (seems to be the case in linked commentary). But definitely offers more options to secure access to any of its (management) services. So if setting “allow from” in SwOS doesn’t do the proper thing, you still have another option …

mada3k · January 1, 2022, 8:15pm

RouterOS has the same switching-performance as SwOS - if you are doing it correct.

Amm0 · January 7, 2022, 1:29pm

~~[quote=davidand post_id=901881 time=1640958956 user_id=170714]~~

Is it only me who considers this to be a potential security risk, exposing some configuration of the router to every device on the network?
[/quote]

To docs suggest you can disable SNMP, and you SHOULD be able to do that. Although SwOS seem to expose only limited data (e.g. you CANNOT read the config, etc) and is read only.

The commentary here isn’t aren’t wrong, ROS should perform the same. YouTube isn’t the best source for performance information. Since SwOS is pretty L3 unaware (e.g. you can’t even set a default route for mgmt port), any hope for an “SNMP Access List Filter” soon would be misplaced. It have 5 SNMP GETs and only in SNMP V1 today.

Totally get if all you need is to tag/untag a bunch of ports, ROS doesn’t make this easy. And, MT seem to put little effort into improving SwOS (e.g. either fully supporting SNMP & how mgmt IP is handled is just weird), while ROS is under constant development/bugfixing including the switching/bridging features. And in V7, there are skins for winbox so if you wanted to hide all the router stuff, you can at least the UI cleaner if all it is a switch.

But sometimes I think people here don’t realize the person setting up the network may be different from the people running it or fixing it years later. So while it can perform the same, VLAN management is ROS is even befuddling to router admins. e.g. forum topic “~~[url url= https://forum.mikrotik.com/viewtopic.php?t=173692]~~RouterOS bridge mysteries explained[/url]”. On something like a Netonix or Netgear switch, there aren’t a lot of mystery in switching that need explaining. And, both offer pretty easy ability to config the management services on the switch like SNMP (and more)… So if you wanted to stay in the Mikrotik family, SwOS is what there for a basic smart switch - what make it simple is the fact you can’t do filtering the SNMP traffic on a switch . In RouterOS, you can filter SNMP and even get full SNMP data from the device with proper protocol/auth – something you can’t do in SwOS apparently either.

Amm0 · January 7, 2022, 4:44pm

~~[quote=davidand post_id=903715 time=1641564029 user_id=170714]~~
Exactly, all what I do is I tag ports with VLAN IDs on the SwOS. I found that so much harder to set up and less fun to maintain in RouterOS.
[/quote]

Commentary here ain’t wrong… I do think ROS is a bridge worth crossing – if what you need worked on SwOS, the RouterOS config to do same isn’t much bigger. And, it only bigger to support things like restricting SNMP .

~~[quote]~~While I am able to turn off SNMP in SwOS, I’d like to keep it on for health monitoring, I’m just not super happy about it being publicly open.[/quote]
I’m a solution guy, so you can use a different (e.g. generated password, etc) as the community id string, and then set the in your NMS/Dude. It does go in the clear over the wire so wouldn’t use a password that’s used elsewhere.

~~[quote]~~
I never used skins and just discovered they should be available in WebFig, too, thanks for the tip!
[/quote]
Oh, I run into the problem where people think RouterOS’s UI is rather overwhelming. Webfig’s “Design Skin” feature seems solves those complaints. It’s actually webfig-only feature in V6, just that V7 added winbox. Since SwOS doesn’t even support winbox – ROS v6 be fine. I would NOT recommend trying V7 if you’re coming from SwOS. There ain’t anything new there, and RouterOS version 6 still let you get line rate on same device, just like SwOS does.

I’d imagine QuickSet’s “Bridge” profile would get you in a good starting place in RouterOS. Then you could use the Switch chip UI in webfig, which is roughly same as SwOS UI to set tag/untag stuff. While learning about Bridge/Hardware Offloading/“vlan-filtering=yes” be useful…“Using RouterOS to VLAN your Network” is worthwhile read. But if SwOS worked for you, the Switch UI in RouterOS should do same & all the Bridge interface filtering wouldn’t be needed. The new help.mikrotik.com site is much better at explain some of this stuff, but in reality all the switching stuff is pretty well documented: <LINK_TEXT text=“https://help.mikrotik.com/docs/display/ … p+Features”>https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features</LINK_TEXT>

BUT the only reason single bridge in RouterOS would NOT get line-rate is by using RouterOS feature that’s NOT in available SwOS. And, certainly a lot of L3 feature can actually be fast-path – more pointing out you should lose anything, other than a simple UI, by going RouterOS . The small pain today, likely may be worth it since all the “switch” IP services can be firewalled & when your monitoring/other needs change – say needing SNMPv3 or MQTT, or some other Layer3 thing RouterOS can likely might be handy.

SwOS is just a UI over the switch chip, so even basic SNMP GETs seems right on the edge of it’s abilities, without it turning into RouterOS.