benoitc
Member Candidate
Topic Author
Posts: 169
Joined: Wed Jul 08, 2020 12:33 am

How do you configure the Cloud Router Switch so you can access its configuration from the LAN?

Fri Oct 23, 2020 1:16 am

How do you configure the Cloud Router Switch so you can access its configuration from the LAN? I have the following configuration:
Router (ER-12, waiting for the MikroTik one)
192.168.1.1
      |
      |
Cloud Router Switch
?
How do you set up the Cloud Router Switch so it gets the correct IP to be administered from the LAN? Do you set the eth2 port to get a new IP? Makes sense, but I prefer asking.
 
mkx
Forum Guru
Posts: 11452
Joined: Thu Mar 03, 2016 10:23 pm

Re: How do you configure the Cloud Router Switch so you can access its configuration from the LAN?

Fri Oct 23, 2020 9:30 am

If you're going to use the CRS as a normal switch (and will be running ROS as opposed to SwOS; some units are capable of running both), then you have two options:
  1. If you trust your LAN devices and users (sometimes that trust is not warranted), then you can configure all ports on the CRS into a single bridge. Then you either set a static IP address or run a DHCP client on the bridge interface. And be sure you're not running a DHCP server on the bridge interface, so as not to mess with your LAN's DHCP server.
  2. If you don't trust your LAN devices and/or users, then you can create a management (V)LAN or a management port on the CRS device.
    Easier is to create a management port on the CRS device, which means you have to connect to that port to get management access. In this case you add all ports to the bridge except for the management port (let's say it'll be ether1, but any other will do just the same). Then set a static IP address on ether1, preferably in a different IP subnet than the one used in the main LAN. Also configure a DHCP server on ether1 (assign a pool of IP addresses from the management IP subnet) so that when you connect to the management port, the PC will get an appropriate IP address. In this case, the CRS won't have access to the internet, so you won't be able to perform ROS upgrades simply by running the upgrade command from the CRS (you'll have to upload upgrade packages from the management PC). The CRS also won't be able to fetch the correct time and date from network servers, so after a reboot the timestamp will be 1st of January 1970 ... not very useful if you have to analyze logs (but not many logs should be interesting on a pure switch device anyway).
    You can also create a management VLAN, but that means you'll have VLANs on your main router as well; you might configure one of the CRS ports as an access port to that VLAN and/or you'll allow routing between VLANs, optionally blocking access to the management VLAN from most LAN devices. In this case, the router/firewall may allow some (limited) access from the CRS to the internet, and the problems mentioned in the previous bullet will not happen.
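A worked configuration for the "management port" variant of option 2, added here as an illustration; it is not part of the reply above and not a MikroTik-supplied script. ether1 is kept out of the bridge and carries a static address plus a small DHCP server, every other Ethernet port is bridged, and the remaining management paths (MAC-server, neighbor discovery, unused IP services) are pinned to that one port. The bridge name, the port numbering, the 10.255.255.0/24 subnet, the pool range and the assumption that the unit had a factory address/DHCP client on the bridge are all assumptions to adjust to the unit at hand.

```routeros
# Added example, not from the original post: CRS used as a plain switch with
# an out-of-band management port. Interface names, the bridge name and the
# 10.255.255.0/24 subnet are assumptions. Press Ctrl-X (safe mode) before
# pasting so that a lost session rolls all of this back.

# 1. One bridge for the LAN ports; ether1 stays out of it on purpose.
/interface bridge
add name=bridge comment="LAN ports only, no IP address here"

# every Ethernet port except ether1 joins the bridge
:foreach p in=[/interface ethernet find where name!="ether1"] do={
    /interface bridge port add bridge=bridge interface=[/interface ethernet get $p name]
}

# 2. Static management address on the dedicated port, in its own subnet.
/ip address
add address=10.255.255.1/24 interface=ether1 comment="management only"

# 3. Tiny DHCP server so a laptop plugged into ether1 gets an address.
/ip pool
add name=mgmt-pool ranges=10.255.255.100-10.255.255.110
/ip dhcp-server network
add address=10.255.255.0/24 gateway=10.255.255.1 comment="no DNS: switch has no uplink"
/ip dhcp-server
add name=mgmt-dhcp interface=ether1 address-pool=mgmt-pool disabled=no

# 4. Nothing may give the switch an address on the LAN side
#    (factory default 192.168.88.1/24 and/or a DHCP client on the bridge, if present).
/ip address
remove [find interface=bridge]
/ip dhcp-client
remove [find interface=bridge]

# 5. Pin every management service to the management port.
/interface list
add name=MGMT
/interface list member
add list=MGMT interface=ether1
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=10.255.255.0/24
set winbox address=10.255.255.0/24

# Checks from the management laptop before leaving safe mode:
#   /ip address print   -> only 10.255.255.1/24 on ether1
#   /ip service print   -> ssh and winbox limited to 10.255.255.0/24
```

Because no address exists on the bridge, the switch has no IP presence on the LAN at all; the trade-off is the one stated above (no upgrades or NTP from the switch itself). The `/ip service` restriction is belt-and-braces on top of the interface list: even if someone later adds an address to the bridge, SSH and WinBox still answer only to the management subnet.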
 
benoitc
Member Candidate
Topic Author
Posts: 169
Joined: Wed Jul 08, 2020 12:33 am

Re: How do you configure the Cloud Router Switch so you can access its configuration from the LAN?

Sat Oct 24, 2020 1:00 am

You can also create a management VLAN, but that means you'll have VLANs on your main router as well; you might configure one of the CRS ports as an access port to that VLAN and/or you'll allow routing between VLANs, optionally blocking access to the management VLAN from most LAN devices. In this case, the router/firewall may allow some (limited) access from the CRS to the internet, and the problems mentioned in the previous bullet will not happen.
Can it be the bridge port? Or should I take one from the switch?
 
mkx
Forum Guru
Posts: 11452
Joined: Thu Mar 03, 2016 10:23 pm

Re: How do you configure the Cloud Router Switch so you can access its configuration from the LAN?  [SOLVED]

Sat Oct 24, 2020 12:39 pm

Can it be the bridge port? Or should I take one from the switch?

I'm not sure what kind of scenario you have in mind. But anyway, if you're thinking about a management VLAN, then configuring the switch to use that VLAN for management is a separate issue from configuring all LAN gear so that you are able to access it.

A word of caution: when reconfiguring management access it's easy to lock yourself out. So one really should enable safe mode before changing dangerous settings and disable it after the settings are done and the management connection remains alive. If the management connection breaks (either due to configuration errors or due to the administrator terminating it), changes since the start of safe mode will be reverted. Manually disabling safe mode makes the changes permanent. Safe mode is available in all UIs: in the GUIs there's a button for enabling/disabling it, in the CLI pressing Ctrl-X toggles it.

Let's assume all switch ports are members of the same bridge and that ether1 is the trunk port towards the router. And let's say that you'll use VLAN 99 as the management VLAN. To make the CRS manageable through it, it needs an IP address in that VLAN, and you configure it thus:
/interface vlan
# create VLAN interface, which will receive IP settings
add interface=bridge name=MGMT vlan-ids=99
/interface bridge vlan
# setup tagged VLANs on bridge ports. bridge interface has to be tagged member as well due to vlan interface above
add bridge=bridge tagged=bridge,ether1 vlan-ids=99
/ip address
# set up IP address for management. I'm all for static addresses for management
add interface=MGMT address=192.168.99.2/24
/interface bridge
# make bridge VLAN-aware
set [ find name=bridge ] vlan-filtering=yes
At this point the CRS can be managed through the configured IP address, and if the router knows about VLAN 99 and the IP subnet 192.168.99.0/24, then you can connect to the CRS' address from the normal LAN (depending on router configuration).

At this point you don't have an ethernet port for connecting a management PC; connections have to pass through the router. As the next step you can take one of the CRS ports out of the normal LAN and dedicate it to management access. You leave it on the bridge, just make it an access port for the management VLAN:
/interface bridge port
set [ find interface=ether24 ] pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# no need to explicitly set ether24 as untagged member of VLAN 99, pvid setting does it already

The actual order of performing the two steps doesn't matter.
When both steps are done, you can manage the CRS without the router being set up for the management VLAN, simply by connecting the management PC to the dedicated management ether port (and setting an appropriate IP address).

There are additional steps needed to "burn the bridges" ... to make sure other ways of management access are disabled. One step is to make sure the CRS doesn't have any other IP address set.
Another step is to make sure that MAC connections are only allowed through VLAN 99 (the MGMT interface). I'm not sure if the CRS line has any related config by default, but the end state should be something like this:
/interface list
add name=MGMT
/interface list member
add list=MGMT interface=MGMT
#optionally add ether24 but shouldn't be necessary
#add list=MGMT interface=ether24
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
Before executing the above, make sure you can connect to the CRS via its management IP address.
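The router-side half of the management VLAN design, added here as an illustration and not part of the reply above: the switch configuration above needs the router to carry VLAN 99 and 192.168.99.0/24, and the earlier reply mentioned limiting which LAN hosts may reach that VLAN while still letting the switch out for upgrades and NTP. This assumes a RouterOS router (the poster's ER-12 is being replaced by one) with its LAN trunk on ether2, the default interface list named WAN, the default masquerade and DNS settings, an admin workstation at 192.168.1.10, and RouterOS 7 syntax for the NTP client; the interface and list names, the admin address and the rule comments are all assumptions.

```routeros
# Added example, not from the original post: router side of the VLAN 99 design.
# Assumptions: RouterOS router, LAN trunk on ether2, an interface list named WAN
# (as in the default config), admin PC at 192.168.1.10, the usual LAN firewall
# already in place. Ctrl-X (safe mode) first.

# 1. The router gets a leg in the management VLAN on the trunk towards the CRS.
/interface vlan
add name=vlan99-mgmt interface=ether2 vlan-id=99
/ip address
add address=192.168.99.1/24 interface=vlan99-mgmt

# 2. Who may talk to the management VLAN, and what the switch may talk to.
/ip firewall address-list
add list=mgmt-admins address=192.168.1.10 comment="only this host may manage switches"

/ip firewall filter
# Move these above any generic "accept from LAN" forward rule
# (/ip firewall filter move), otherwise that rule matches first.
add chain=forward action=accept connection-state=established,related \
    comment="replies to already accepted management sessions"
add chain=forward action=accept src-address-list=mgmt-admins \
    dst-address=192.168.99.0/24 protocol=tcp dst-port=22,8291 \
    comment="admin PC -> switch: SSH and WinBox only"
add chain=forward action=accept src-address=192.168.99.0/24 \
    out-interface-list=WAN protocol=udp dst-port=123 comment="switch -> NTP"
add chain=forward action=accept src-address=192.168.99.0/24 \
    out-interface-list=WAN protocol=tcp dst-port=443 \
    comment="switch -> RouterOS upgrade server (HTTPS)"
add chain=forward action=drop dst-address=192.168.99.0/24 \
    comment="rest of the LAN never reaches switch management"
add chain=forward action=drop src-address=192.168.99.0/24 \
    comment="switch reaches nothing else"
# The switch needs a resolver; let it use the router's (allow-remote-requests=yes
# is the default config, assumed here).
add chain=input action=accept src-address=192.168.99.0/24 protocol=udp \
    dst-port=53 comment="switch -> router DNS"

# srcnat: the default "masquerade out-interface-list=WAN" rule already covers
# 192.168.99.0/24, so no extra NAT rule is needed.

# 3. On the CRS itself, on top of the config in the reply above:
#    default route, DNS and NTP via the management VLAN.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.99.1
/ip dns
set servers=192.168.99.1
/system ntp client
set enabled=yes servers=pool.ntp.org
# (RouterOS 7 syntax; on v6 use server-dns-names=pool.ntp.org instead)
```

With the two drop rules in place the management VLAN is reachable only from the listed admin host and only on SSH/WinBox, while the switch itself can reach nothing on the LAN and only NTP, HTTPS and the router's DNS outward, which is the "limited access" the earlier reply described. Test the admin path (and that a non-admin LAN host is refused) before disabling safe mode.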
 
benoitc
Member Candidate
Topic Author
Posts: 169
Joined: Wed Jul 08, 2020 12:33 am

Re: How do you configure the Cloud Router Switch so you can access its configuration from the LAN?

Mon Oct 26, 2020 11:20 pm

Thanks for your answer. That's helpful :-)
 
wanumet
just joined
Posts: 2
Joined: Wed May 04, 2022 4:40 pm

Mikrotik CRS is blocking cloud managed switches and WiFi APs from the internet

Wed May 04, 2022 5:09 pm

Hi,
I am new here and I need help.
I have switches and routers that are managed through the internet, but the problem is that they are being blocked by the MikroTik CRS, yet other devices are getting internet.
The MikroTik is the internet router and the public IP is configured on it.
There are no VLANs configured, and neither are there firewall or NAT rules.
