Change the powerbox config to not be like a customer router. Having ether1 treated as a 'WAN' interface, firewalled off and blocked from mac telnet is monumentally stupid. That's where the device gets power by PoE, 99% of the time when its powered by PoE it's going to be connected upstream and thus needs access by management
We've had a few that have been installed and then the installers have to go back up to reconfigure them because of this idiotic design decision
And just now I have one that's somehow been factory defaulted, no problem at all if I could login to the thing, but I can't. Now I need to drive all the way out to site and organize access to reconfigure it
Change it to act just like a switch, all ports in a bridge, PoE auto, done. Nothing else should be put on it