feat(mgmt): DHCP server + web UI on the isolated mgmt VLAN
Makerspace experiment: plug into ether8 and get a 192.168.88.x lease, reach the admin at http://192.168.88.1 (web UI re-enabled) / WinBox / SSH. Login still required; default admin stays disabled. mamba keeps static .2 (outside the pool). New flags switch_web_enabled + switch_mgmt_dhcp_enabled/pool/network (off by default). Verified: www HTTP 200, lease handed out + bound, run-twice idempotent. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
parent
199edf85ad
commit
18de750507
5 changed files with 67 additions and 2 deletions
|
|
@ -1,4 +1,4 @@
|
|||
# 2025-09-11 10:03:39 by RouterOS 7.19.6
|
||||
# 2025-09-11 10:21:40 by RouterOS 7.19.6
|
||||
# software id = 73S3-5F2W
|
||||
#
|
||||
# model = CRS310-8G+2S+
|
||||
|
|
@ -8,6 +8,8 @@ add admin-mac=D0:EA:11:24:F4:AA auto-mac=no comment=defconf name=bridge \
|
|||
vlan-filtering=yes
|
||||
/interface vlan
|
||||
add interface=bridge name=vlan-mgmt vlan-id=99
|
||||
/ip pool
|
||||
add name=mgmt-pool ranges=192.168.88.10-192.168.88.254
|
||||
/interface bridge port
|
||||
add bridge=bridge comment=defconf interface=ether1 pvid=30
|
||||
add bridge=bridge comment=defconf interface=ether2 pvid=30
|
||||
|
|
@ -25,10 +27,13 @@ add bridge=bridge untagged="ether1,ether2,ether3,ether4,ether5,ether6,ether7,s\
|
|||
add bridge=bridge tagged=bridge untagged=ether8 vlan-ids=99
|
||||
/ip address
|
||||
add address=192.168.88.1/24 interface=vlan-mgmt network=192.168.88.0
|
||||
/ip dhcp-server
|
||||
add address-pool=mgmt-pool interface=vlan-mgmt lease-time=1h name=mgmt-dhcp
|
||||
/ip dhcp-server network
|
||||
add address=192.168.88.0/24 gateway=192.168.88.1
|
||||
/ip service
|
||||
set ftp disabled=yes
|
||||
set telnet disabled=yes
|
||||
set www disabled=yes
|
||||
set api disabled=yes
|
||||
set api-ssl disabled=yes
|
||||
/system identity
|
||||
|
|
|
|||
|
|
@ -27,6 +27,20 @@ switch_mgmt_gateway: "" # isolated mgmt -> no default route
|
|||
switch_dns_servers: "" # no DNS on an isolated mgmt plane
|
||||
switch_ntp_enabled: false # no internet on mgmt -> NTP would only error
|
||||
|
||||
# Makerspace experiment: make the mgmt port low-friction. Serve DHCP on the mgmt VLAN
|
||||
# and enable the web UI so anyone plugging into ether8 can reach the admin (still a
|
||||
# login; default `admin` stays disabled). mamba keeps its static .2 (outside the pool).
|
||||
switch_web_enabled: true
|
||||
switch_disabled_services: # same as the role default but WITHOUT www (web UI on)
|
||||
- telnet
|
||||
- ftp
|
||||
- www-ssl
|
||||
- api
|
||||
- api-ssl
|
||||
switch_mgmt_dhcp_enabled: true
|
||||
switch_mgmt_dhcp_pool: "192.168.88.10-192.168.88.254"
|
||||
switch_mgmt_dhcp_network: "192.168.88.0/24"
|
||||
|
||||
switch_admin_user: "sjat"
|
||||
|
||||
# ----- VLANs + per-port map (all untagged access; no trunks) -----
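Review bot: `switch_web_enabled: true` with `www-ssl` still listed in `switch_disabled_services` puts the only browser admin UI on plaintext HTTP, on a VLAN that the new `mgmt-pool` now hands an address to any device plugged into ether8, so the switch login credentials cross that port in the clear. If the device can carry a certificate, the safer shape is `www-ssl` enabled and `www` kept off; if HTTPS is not an option here, record the trade-off next to the flag, e.g. `switch_web_enabled: true  # plaintext HTTP on purpose: isolated VLAN, no HTTPS cert available yet` (constructed wording). The flag also only takes effect because `www` was hand-removed from `switch_disabled_services` a few lines below; the comment on that list should say it must stay in step with `switch_web_enabled`, otherwise the disable-services task and the new enable-www task will disagree on every run.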
|
||||
|
|
|
|||
|
|
@ -17,6 +17,12 @@ switch_disabled_services:
|
|||
- api
|
||||
- api-ssl
|
||||
switch_ssh_port: 22
|
||||
switch_web_enabled: false # enable the WWW (HTTP) admin UI
|
||||
|
||||
# Optional DHCP server on the management VLAN (convenience; login still required).
|
||||
switch_mgmt_dhcp_enabled: false
|
||||
switch_mgmt_dhcp_pool: "" # e.g. "192.168.88.10-192.168.88.254"
|
||||
switch_mgmt_dhcp_network: "" # e.g. "192.168.88.0/24"
|
||||
|
||||
# ----- Users -----
|
||||
switch_admin_user: "sjat"
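Review bot: The comment on `switch_web_enabled: false` does not say that the flag is only half of the switch: per the host_vars comment in this commit the role default `switch_disabled_services` still contains `www`, so a host that sets the flag without also editing the list has www disabled by one task and enabled by another. Suggest `switch_web_enabled: false  # enable the WWW (HTTP) admin UI; also remove "www" from switch_disabled_services, or the two tasks disagree`. Likewise `switch_mgmt_dhcp_pool` and `switch_mgmt_dhcp_network` are mandatory whenever `switch_mgmt_dhcp_enabled` is true, but their comments only give example values; add `# required when switch_mgmt_dhcp_enabled is true` to both so the empty-string default is not mistaken for a working configuration.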
|
||||
|
|
|
|||
|
|
@ -43,3 +43,10 @@
|
|||
commands:
|
||||
- /ip/service/set ssh disabled=no port={{ switch_ssh_port }}
|
||||
changed_when: false
|
||||
|
||||
- name: Enable the WWW (HTTP) admin UI
|
||||
community.routeros.command:
|
||||
commands:
|
||||
- /ip/service/set www disabled=no
|
||||
when: switch_web_enabled | bool
|
||||
changed_when: false
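Review bot: The new www task only ever sets `disabled=no`; when `switch_web_enabled` is false it is skipped instead of reverting, so turning the flag back off on a host leaves the HTTP admin UI listening unless `www` is also in `switch_disabled_services`, in which case the two tasks fight on every run. Make the flag authoritative in both directions by changing the command to `- /ip/service/set www disabled={{ 'no' if switch_web_enabled | bool else 'yes' }}` and dropping the `when:` line. `changed_when: false` then masks a real state change, as it already does for the ssh line above; consistent with the file, but worth a comment so nobody reads an all-green run as "nothing touched".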
|
||||
|
|
|
|||
|
|
@ -101,6 +101,39 @@
|
|||
interface="vlan-mgmt" }
|
||||
changed_when: false
|
||||
|
||||
# Optional DHCP server on the isolated mgmt VLAN: plug into the mgmt port and get an
|
||||
# address automatically (login to the switch is still required). Guards by name; the
|
||||
# network entry guards on "no networks yet" because RouterOS find-by-address does not
|
||||
# match prefix values (see the legacy-bridge-IP note above).
|
||||
- name: Create the management DHCP address pool
|
||||
community.routeros.command:
|
||||
commands:
|
||||
- >-
|
||||
:if ([:len [/ip/pool/find name="mgmt-pool"]] = 0)
|
||||
do={ /ip/pool/add name="mgmt-pool" ranges="{{ switch_mgmt_dhcp_pool }}" }
|
||||
when: switch_mgmt_dhcp_enabled | bool
|
||||
changed_when: false
|
||||
|
||||
- name: Create the management DHCP server on vlan-mgmt
|
||||
community.routeros.command:
|
||||
commands:
|
||||
- >-
|
||||
:if ([:len [/ip/dhcp-server/find name="mgmt-dhcp"]] = 0)
|
||||
do={ /ip/dhcp-server/add name="mgmt-dhcp" interface="vlan-mgmt"
|
||||
address-pool="mgmt-pool" lease-time=1h disabled=no }
|
||||
when: switch_mgmt_dhcp_enabled | bool
|
||||
changed_when: false
|
||||
|
||||
- name: Define the management DHCP network
|
||||
community.routeros.command:
|
||||
commands:
|
||||
- >-
|
||||
:if ([:len [/ip/dhcp-server/network/find]] = 0)
|
||||
do={ /ip/dhcp-server/network/add address="{{ switch_mgmt_dhcp_network }}"
|
||||
gateway="{{ switch_mgmt_address.split('/')[0] }}" }
|
||||
when: switch_mgmt_dhcp_enabled | bool
|
||||
changed_when: false
|
||||
|
||||
- name: Set the default gateway route
|
||||
community.routeros.command:
|
||||
commands:
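Review bot: None of the three DHCP tasks check that `switch_mgmt_dhcp_pool` and `switch_mgmt_dhcp_network` are non-empty, and the role defaults both to `""`, so enabling the flag without setting them runs `/ip/pool/add ... ranges=""` and `network/add address=""`: at best a RouterOS error, at worst an object created with an empty value that the find-by-name and "no networks yet" guards then treat as done on every later run. Add an assert task ahead of the pool task (below). The same guards mean a later change to the pool range or network in vars is never applied to an existing object, and `switch_mgmt_dhcp_enabled: false` never removes a server created earlier; both are acceptable for an experiment but belong in the header comment above the pool task. The `Set the default gateway route` task at the end continues outside the hunk.
```yaml
# … unchanged: header comment on the optional DHCP server …
- name: Validate the management DHCP settings
  ansible.builtin.assert:
    that:
      - switch_mgmt_dhcp_pool | length > 0
      - switch_mgmt_dhcp_network | length > 0
    fail_msg: "switch_mgmt_dhcp_enabled needs switch_mgmt_dhcp_pool and switch_mgmt_dhcp_network"
  when: switch_mgmt_dhcp_enabled | bool

- name: Create the management DHCP address pool
# … unchanged: pool, server and network tasks …
```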
|
||||
|
|
|
|||