smyers119
Member Candidate
Topic Author
Posts: 232
Joined: Sat Feb 27, 2021 8:16 pm
Location: USA

Re: Restrict SNMP on SwOS?

Fri Dec 31, 2021 3:46 pm

According to the docs, it only supports SNMPv1.

https://help.mikrotik.com/docs/display/SWOS/SwOS

You may be able to use ACLs to restrict source IPs.
 
smyers119
Member Candidate
Topic Author
Posts: 232
Joined: Sat Feb 27, 2021 8:16 pm
Location: USA

Re: Restrict SNMP on SwOS?

Fri Dec 31, 2021 3:58 pm

:(

Is it only me who considers this to be a potential security risk, exposing some configuration of the router to every device on the network?
It's only a security risk if you configure it like a security risk
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Restrict SNMP on SwOS?

Fri Dec 31, 2021 4:03 pm

If access to any of the switch's management features (either SNMP or WebUI) is considered a security risk, then one should go with VLANs, only allow access from one VLAN and restrict access to that VLAN using decent firewall rules on the router/firewall.
SwOS is pretty plain and one can't expect very much of it.
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Restrict SNMP on SwOS?

Sat Jan 01, 2022 11:54 am

@mkx I think you are referring to the "Allow from VLAN" field under System -> General in SwOS
Yes, I was referring to that setting. I don't have any SwOS devices, so I can't say with confidence whether this setting also works for SNMP or not. If it didn't, I'd be much disappointed.

Reacting to:
SwOS is pretty plain and one can't expect very much of it.
While that's true, SwOS's throughput is by far superior to RouterOS' throughput (GB/s)...
Where did you get this information? All the dual SwOS/ROS devices have HW offload available in ROS and, if configured properly, the device should perform equally well under both OSes for the same tasks. ROS offers different possibilities and it's only too easy to miss some optimal configuration, leading to subpar performance.

But anyway, if you're happy with SwOS, then keep using it. You'll just have to reconcile its shortcomings ...
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Restrict SNMP on SwOS?

Sat Jan 01, 2022 10:10 pm

As I said: if configured properly, your CRS should perform equally well regardless of the OS running. Indeed ROS gives more possibilities ... to screw things up as well (seems to be the case in the linked commentary). But it definitely offers more options to secure access to any of its (management) services. So if setting "allow from" in SwOS doesn't do the proper thing, you still have another option ...
 
mada3k
Long time Member
Posts: 682
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Restrict SNMP on SwOS?

Sat Jan 01, 2022 10:15 pm

RouterOS has the same switching performance as SwOS - if you are doing it correctly.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Restrict SNMP on SwOS?

Fri Jan 07, 2022 3:29 pm

:(

Is it only me who considers this to be a potential security risk, exposing some configuration of the router to every device on the network?
The docs suggest you can disable SNMP, and you SHOULD be able to do that. Although SwOS seems to expose only limited data (e.g. you CANNOT read the config, etc.) and is read only.


The commentary here isn't wrong, ROS should perform the same. YouTube isn't the best source for performance information. Since SwOS is pretty L3 unaware (e.g. you can't even set a default route for the mgmt port), any hope for an "SNMP Access List Filter" soon would be misplaced. It has 5 SNMP GETs and only in SNMP V1 today.

Totally get it if all you need is to tag/untag a bunch of ports, ROS doesn't make this easy. And, MT seems to put little effort into improving SwOS (e.g. either fully supporting SNMP, and how the mgmt IP is handled is just weird), while ROS is under constant development/bugfixing including the switching/bridging features. And in V7, there are skins for winbox, so if you wanted to hide all the router stuff, you can at least make the UI cleaner if all it is is a switch.

But sometimes I think people here don't realize the person setting up the network may be different from the people running it or fixing it years later. So while it can perform the same, VLAN management in ROS is befuddling even to router admins, e.g. forum topic "RouterOS bridge mysteries explained". On something like a Netonix or Netgear switch, there isn't a lot of mystery in switching that needs explaining. And, both offer a pretty easy ability to config the management services on the switch like SNMP (and more)... So if you wanted to stay in the Mikrotik family, SwOS is what's there for a basic smart switch - what makes it simple is the fact you can't filter the SNMP traffic on a switch ;). In RouterOS, you can filter SNMP and even get full SNMP data from the device with proper protocol/auth – something you apparently can't do in SwOS either.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Restrict SNMP on SwOS?

Fri Jan 07, 2022 6:44 pm

Exactly, all what I do is I tag ports with VLAN IDs on the SwOS. I found that so much harder to set up and less fun to maintain in RouterOS.
Commentary here ain't wrong... I do think ROS is a bridge worth crossing – if what you need worked on SwOS, the RouterOS config to do the same isn't much bigger. And, it's only bigger to support things like restricting SNMP ;).
While I am able to turn off SNMP in SwOS, I'd like to keep it on for health monitoring, I'm just not super happy about it being publicly open.
I'm a solution guy, so you can use a different one (e.g. generated password, etc.) as the community ID string, and then set it in your NMS/Dude. It does go in the clear over the wire, so I wouldn't use a password that's used elsewhere.
I never used skins and just discovered they should be available in WebFig, too, thanks for the tip!
Oh, I run into the problem where people think RouterOS's UI is rather overwhelming. Webfig's "Design Skin" feature seems to solve those complaints. It's actually a webfig-only feature in V6, just that V7 added winbox. Since SwOS doesn't even support winbox – ROS v6 would be fine. I would NOT recommend trying V7 if you're coming from SwOS. There ain't anything new there, and RouterOS version 6 still lets you get line rate on the same device, just like SwOS does.

I'd imagine QuickSet's "Bridge" profile would get you to a good starting place in RouterOS. Then you could use the Switch chip UI in webfig, which is roughly the same as the SwOS UI, to set tag/untag stuff. While learning about Bridge/Hardware Offloading/"vlan-filtering=yes" would be useful..."Using RouterOS to VLAN your Network" is a worthwhile read. But if SwOS worked for you, the Switch UI in RouterOS should do the same & all the Bridge interface filtering wouldn't be needed. The new help.mikrotik.com site is much better at explaining some of this stuff, but in reality all the switching stuff is pretty well documented: https://help.mikrotik.com/docs/display/ ... p+Features

BUT the only reason a single bridge in RouterOS would NOT get line-rate is by using a RouterOS feature that's NOT available in SwOS. And, certainly a lot of L3 features can actually be fast-path – more pointing out you should lose anything, other than a simple UI, by going RouterOS ;). The small pain today may likely be worth it, since all the "switch" IP services can be firewalled & when your monitoring/other needs change – say needing SNMPv3 or MQTT, or some other Layer 3 thing, RouterOS might be handy.

SwOS is just a UI over the switch chip, so even basic SNMP GETs seem right on the edge of its abilities, without it turning into RouterOS.
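The thread's recurring advice (mkx's "restrict access to that VLAN using decent firewall rules", Amm0's "in RouterOS, you can filter SNMP and even get full SNMP data with proper protocol/auth", and the note that a v1 community string travels in the clear) is shown below as one RouterOS CLI snippet. This is an added example, not configuration posted by anyone in the thread or shipped by MikroTik. The management VLAN 10.0.99.0/24, the NMS/The Dude host 10.0.99.10, the interface name vlan99-mgmt and the community strings are all assumed placeholders to be replaced with your own values.

```routeros
# Added example, not from the thread. Assumptions: management VLAN is
# 10.0.99.0/24 on interface vlan99-mgmt, the NMS / The Dude host is
# 10.0.99.10. Community strings below are placeholders.

# 1. Rename the default "public" community to a generated string and accept
#    it only from the NMS address. SNMPv1/v2c carry this string in plaintext,
#    so it must be a secret that is not reused anywhere else.
/snmp community set [ find name=public ] name=REPLACE-WITH-GENERATED-STRING \
    addresses=10.0.99.10/32 read-access=yes write-access=no

# 2. An SNMPv3 community for authenticated and encrypted polling, which is
#    the "proper protocol/auth" option SwOS lacks.
/snmp community add name=mon-v3 addresses=10.0.99.10/32 security=private \
    authentication-protocol=SHA1 authentication-password=REPLACE-AUTH-PASS \
    encryption-protocol=AES encryption-password=REPLACE-PRIV-PASS \
    read-access=yes write-access=no

# 3. Turn SNMP on (read-only by the community settings above).
/snmp set enabled=yes contact="netops" location="rack-1"

# 4. Input chain: accept UDP/161 only from the NMS arriving on the
#    management VLAN, log and drop it from anywhere else. Keep these ahead
#    of any generic input drop rule.
/ip firewall filter
add chain=input protocol=udp dst-port=161 src-address=10.0.99.10 \
    in-interface=vlan99-mgmt comment="SNMP from NMS only" action=accept
add chain=input protocol=udp dst-port=161 comment="SNMP from elsewhere" \
    log=yes log-prefix="snmp-denied" action=drop
```

The log prefix on the drop rule gives a cheap detection signal: any "snmp-denied" entries mean a host outside the NMS is probing the switch's SNMP port, which is exactly the exposure the thread starter was worried about. With `/snmp community print` you can confirm that no community remains without an `addresses` restriction.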
