The 2 ends of a Management vLAN

I am thinking about whether and how to implement a Management vLAN. I don't have a config to look at; this is asking for opinions and experience so I can think it through myself.

At its base a Management vLAN will have 2 ends:

  1. 1 [or more] devices which need to be managed and, in the Mikrotik world, can serve out Webfig or to Winbox
  2. 1 [or more] devices which can interact with Webfig via a web browser or Winbox

So, I could invoke a new bridge on the Managed device, put it on a new vLAN and give it an IP address on which Webfig will be available. This would give me, by default, a route to the new bridge, which I could restrict by firewall rules.

For the Managing device, I could use an ordinary computer which I then plug into a dedicated vLAN port or I could make the Management vLAN more accessible and put an extra IP address on the Managing device which does have a route allowed by the firewall to the Managed device. Or I could even add a vLAN interface to the Managing device and connect to a hybrid ethernet port [or at least I think I can]

Of these approaches to doing the 2 ends of a Management vLAN - and any others you can suggest - which would be your preferred way of doing it? Thanks for any input on this topic.

The managing device is sometimes called a “Jump Box Server” (or “Bastion Host”).

For the network devices (routers and switches) you can set the VLAN ID directly on the network interface (be sure to remove/disable the default (aka VLAN 1) if you use a different ID for your management VLAN).

For the managing device (aka computer) there are, indeed, several approaches:

PC in your management VLAN:

  1. A dedicated access port is, probably, the safest and easiest to configure: your PC doesn’t have to be aware of VLANs, it just has to be connected to a certain network port.
  2. Setting a VLAN on your PC might be required if you have unmanaged switches between your PC and the first VLAN-aware device. In this case you need to add the VLAN on the PC NIC, but it makes the system a little bit less secure: any PC in the same segment can set the VLAN and “mimic” your PC (there is MAC-based VLAN, though, but technically, a MAC can also be spoofed).
  3. If your PC is virtual, you can set the VLAN on its virtual NIC on the hypervisor, so it is more like 2, but slightly better as regular users usually do not have access to hypervisors.

PC in a different network:

First of all, make sure nobody can spoof your IP: either use a static IP and bind the MAC address to your IP on the router, or use DHCP and bind the MAC there (and use filtering on your bridge with only one trusted port for the DHCP server, and enable DHCP snooping), but still try to keep this PC in a separate broadcast domain, far from regular users.

Which one is better? I think the first one: PC in your management VLAN. PC dedicated for management.

Sitting in the same broadcast domain gives you the ability to browse a list of all devices (which usually multicast their presence; Mikrotik does so).

Be sure to secure this computer (only authorized admins should have access to it), and do not use it as your desktop.

Thanks for this. It is actually a home network with trusted users - apart from the guest wireless - so I will be pitching this to the lower end. No dedicated PC and no jump box, probably a PC which is on vLAN id 1 normally. But very helpful to have some idea of how far down I would be pitching from industrial scale.

I am somewhat perplexed by what happens at the Managed end. Looking at this now, I can see that if I put an IP address on a vLAN, this IP address will deliver the Webfig logon page, although only to permitted addresses within the IP Services list. So it is somewhat unnecessary to create another bridge to take an IP address to manifest Webfig.
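A RouterOS configuration sketch of the managed end as described in the reply above (dedicated access port for the management PC) and in the last post (IP address on a management VLAN interface, Webfig/Winbox limited through the IP Services list plus firewall input rules). This is an added example, not a config posted by anyone in the thread; the interface names ether2/ether3, VLAN ID 99, the vlan99-mgmt name and the 192.168.99.0/24 subnet are assumptions.

```routeros
# Added example (not from the thread). Assumptions: bridge1 does not exist yet,
# ether2 is the dedicated management access port, ether3 carries the normal
# untagged LAN, management VLAN ID is 99, management subnet is 192.168.99.0/24.
# Do this in Safe Mode (Ctrl+X in the terminal) so a mistake cannot lock you out.

# One bridge; VLAN filtering stays off until the VLAN table is complete.
/interface bridge add name=bridge1 vlan-filtering=no

# ether2 is an access port in VLAN 99: the PC plugged in needs no VLAN awareness
# (approach 1 in the reply). ether3 stays in the untagged LAN (PVID 1).
/interface bridge port add bridge=bridge1 interface=ether2 pvid=99
/interface bridge port add bridge=bridge1 interface=ether3 pvid=1

# VLAN 99 leaves ether2 untagged and reaches the router CPU tagged via bridge1.
/interface bridge vlan add bridge=bridge1 vlan-ids=99 tagged=bridge1 untagged=ether2

# The management IP sits on a VLAN interface on the existing bridge;
# no second bridge is needed, as the last post concluded.
/interface vlan add name=vlan99-mgmt interface=bridge1 vlan-id=99
/ip address add address=192.168.99.1/24 interface=vlan99-mgmt

# IP Services: Webfig (www) and Winbox only answer the management subnet;
# services that are not needed are disabled rather than merely restricted.
/ip service set www address=192.168.99.0/24
/ip service set winbox address=192.168.99.0/24
/ip service disable telnet,ftp,api,api-ssl

# Input chain: accept Webfig/Winbox only from vlan99-mgmt, drop those ports from
# anywhere else. New rules are appended at the end of the chain, so if an
# existing rule already accepts everything from the LAN, move these above it
# (place-before=<rule number>) or they will never match.
/ip firewall filter add chain=input action=accept in-interface=vlan99-mgmt protocol=tcp dst-port=80,8291 comment="mgmt: Webfig/Winbox from management VLAN"
/ip firewall filter add chain=input action=drop protocol=tcp dst-port=80,8291 comment="mgmt: block Webfig/Winbox from everywhere else"

# Only now enable VLAN filtering; from here on ether3 cannot reach VLAN 99.
/interface bridge set bridge1 vlan-filtering=yes
```

Check the result from ether3 before leaving Safe Mode: the Webfig page and Winbox discovery must be reachable from the PC on ether2 and unreachable from the ordinary LAN.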