atomicduck
Member Candidate
Topic Author
Posts: 244
Joined: Fri Oct 02, 2020 1:42 pm

CRS326 as a switch, running basic ROS?

Thu Apr 21, 2022 8:14 pm

I am configuring some CRS325 as switches on the ROS LT branch. Setup is very simple, and the switch is inside a LAN, connected to the main router. All packages except DHCP and SYSTEM are disabled, and I've put a firewall on the input chain, and the rest should be fine?

In essence, I am trying to cut all down to the bare minimum, while keeping some security and manageability of ROS via Dude.

Any comments appreciated! :D

Full config:
/interface bridge
add admin-mac=00:etc auto-mac=no comment=defconf name=bridge
/system package
disable advanced-tools
disable hotspot
disable ipv6
disable mpls
disable ppp
disable routing
disable security
disable wireless
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
/ip dhcp-client
add disabled=no interface=bridge
/ip firewall filter
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid log=yes log-prefix="DROP INVALID"
add action=accept chain=input comment="Allow established, related" connection-state=established,related
add action=accept chain=input comment="Allow IP range" src-address=10.10.10.0/24
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input comment="Drop all" log=yes log-prefix="DROP ALL OTHER"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.10.10.0/24
set ssh port=22
set api disabled=yes
set winbox address=10.10.10.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name="SWITCH 4"
/system ntp client
set enabled=yes
/system package update
set channel=long-term
/system routerboard settings
set boot-os=router-os
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: CRS326 as a switch, running basic ROS?  [SOLVED]

Sat Apr 23, 2022 5:07 pm

IIRC you need the security package for SSH.
As you have an input firewall restricting access, specifying address= under /ip service is unnecessary.
Using plain www is insecure; if winbox and SSH for management are not sufficient, consider using www-ssl, although you will have to create and import certificates for this.

To prevent various outbound polling:
/ip cloud
set update-time=no

/system clock
set time-zone-autodetect=no time-zone-name=Europe/Zagreb


Also consider adding:
/ip settings
set ip-forward=no
/ip ssh
set strong-crypto=yes
/tool bandwidth-server
set enabled=no
 
atomicduck
Member Candidate
Topic Author
Posts: 244
Joined: Fri Oct 02, 2020 1:42 pm

Re: CRS326 as a switch, running basic ROS?

Sat Apr 23, 2022 5:58 pm

Thank you.

Does ip-forward matter at all, given all interfaces are in one bridge?

Really curious about this one.

**

I just checked and there are no visible settings in /ip cloud. Time updated only when I turned on the SNTP client, so do I need to explicitly state that one?

**

Re www 80, the simplest is to turn it off rather than hassle with SSL. In what way is the http server on ROS insecure? You mean plaintext password sniffing, or that the server is bad per se and has holes in it? Are there exploits for it? I use this one for convenience to see graphs and such, nothing else, so it won't be missed if I turn it off.

**

Why turn off the BW server? That one won't work without a password, and I use BIG passwords (50 chars)?


Thanks!

EDIT: You are right re security package and SSH.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: CRS326 as a switch, running basic ROS?

Sat Apr 23, 2022 6:17 pm

ip-forward is just for completeness, with only a single IP address there should be no forwarding.

One of the defaults for /ip cloud is update-time=yes, and defaults are not shown in exports unless you use /export verbose. If there is no other time source RouterOS will use the Mikrotik cloud to provide it. As your IP address, gateway, DNS and NTP servers are acquired by DHCP it is unlikely, but not impossible, that an external request would be made.

There have been vulnerabilities in the www service in the past, mostly ones where your really strong password could be extracted from the simple password digest. If you are monitoring your IT estate centrally you could graph anything important via SNMP.

If you are not going to use the bandwidth test server you may as well disable it; there may be as-yet unknown vulnerabilities allowing authentication bypass and remote code execution found in future.
 
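An added example, not MikroTik code and not anything the posters wrote: a small audit script that parses a RouterOS `/export` and checks it against the points raised in tdw's two replies above (plain www vs www-ssl with a certificate, strong-crypto for SSH, the bandwidth-test server, the `/ip cloud` default that a plain `/export` does not show, the MAC server, and whether the input chain accepts established/related and ends in an unconditional drop). Both exports in the block are constructed: one is a trimmed copy of the original post's config, the other the same config with the suggestions applied. Section and key names are real RouterOS ones; the defaults marked "assumed" in the comments are not stated in the thread.

```python
"""Audit a RouterOS `/export` for the hardening points discussed in the thread.

Added example, not MikroTik code. Plain `/export` omits values that are still
at their defaults, so every check carries the default it falls back to.
"""
import re
from collections import defaultdict

# Constructed sample: trimmed copy of the original post's export.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid log=yes
add action=accept chain=input comment="Allow established, related" connection-state=established,related
add action=accept chain=input comment="Allow IP range" src-address=10.10.10.0/24
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input comment="Drop all" log=yes log-prefix="DROP ALL OTHER"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.10.10.0/24
set ssh port=22
set api disabled=yes
/tool mac-server
set allowed-interface-list=none
"""

# Constructed sample: the same export with tdw's suggestions applied.
HARDENED_EXPORT = """\
/ip cloud
set update-time=no
/ip firewall filter
add action=drop chain=input connection-state=invalid
add action=accept chain=input connection-state=established,related
add action=accept chain=input src-address=10.10.10.0/24
add action=drop chain=input
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
/ip ssh
set strong-crypto=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
"""

KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')   # key=value, value may be quoted


def parse_export(text):
    """Return {section: [(verb, item_name_or_None, {key: value}), ...]}."""
    sections, section = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                 # section header, e.g. "/ip service"
            section = line
            continue
        verb, _, rest = line.partition(" ")
        name = None                              # "set www address=..." names item "www"
        if verb == "set" and rest and "=" not in rest.split(" ", 1)[0]:
            name, _, rest = rest.partition(" ")
        sections[section].append((verb, name, {k: v.strip('"') for k, v in KV.findall(rest)}))
    return sections


def item(sections, section, name):
    return next((a for v, n, a in sections.get(section, []) if v == "set" and n == name), {})


def setting(sections, section, key, default):
    """Single-item `set` value, or `default` when the export omits it."""
    return next((a[key] for v, _, a in sections.get(section, []) if v == "set" and key in a), default)


NON_MATCH = {"action", "chain", "comment", "log", "log-prefix", "disabled"}  # not match conditions


def audit(text):
    s, found = parse_export(text), []
    if item(s, "/ip service", "www").get("disabled", "no") != "yes":
        found.append("www-plain")                # plain HTTP: disable it or move to www-ssl
    www_ssl = item(s, "/ip service", "www-ssl")
    if www_ssl.get("disabled", "yes") != "yes" and www_ssl.get("certificate", "none") == "none":
        found.append("www-ssl-no-cert")          # enabled but serving no certificate
    for svc in ("telnet", "ftp", "api"):         # assumed default: enabled
        if item(s, "/ip service", svc).get("disabled", "no") != "yes":
            found.append(f"{svc}-enabled")
    if setting(s, "/ip ssh", "strong-crypto", "no") != "yes":
        found.append("ssh-weak-crypto")          # default strong-crypto=no
    if setting(s, "/tool bandwidth-server", "enabled", "yes") != "no":
        found.append("bwserver-on")              # default enabled=yes
    if setting(s, "/ip cloud", "update-time", "yes") != "no":
        found.append("cloud-update-time")        # default yes; hidden unless /export verbose
    if setting(s, "/tool mac-server", "allowed-interface-list", "all") != "none":
        found.append("mac-server-open")          # assumed default: all
    rules = [a for v, _, a in s.get("/ip firewall filter", [])
             if v == "add" and a.get("chain") == "input" and a.get("disabled") != "yes"]
    if not any(a.get("action") == "accept" and "established" in a.get("connection-state", "")
               for a in rules):
        found.append("input-no-established-accept")
    if not rules or rules[-1].get("action") != "drop" or set(rules[-1]) - NON_MATCH:
        found.append("input-no-final-drop")      # last rule must be an unconditional drop
    return sorted(found)


if __name__ == "__main__":
    for label, text in (("original", SAMPLE_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit(text) or "clean")
```

Feed it the output of `/export` (or better `/export verbose`, which makes the defaults explicit so the fallback values in `setting()` are never needed); the findings for the original post's config are the four items tdw listed, and the hardened export comes back clean.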
atomicduck
Member Candidate
Topic Author
Posts: 244
Joined: Fri Oct 02, 2020 1:42 pm

Re: CRS326 as a switch, running basic ROS?

Sat Apr 23, 2022 6:23 pm

Thank you very much for your reply.

Will do as suggested.

EDIT: Only thing I left on and that was suggested to turn off is the Cloud time update. I see not much harm from that, so I left it on. Thanks again.
