diff --git a/backups/crs310-maker/export.rsc b/backups/crs310-maker/export.rsc
index f072abf..97e9679 100644
--- a/backups/crs310-maker/export.rsc
+++ b/backups/crs310-maker/export.rsc
@@ -1,4 +1,4 @@
-# 2025-09-11 10:03:39 by RouterOS 7.19.6
+# 2025-09-11 10:21:40 by RouterOS 7.19.6
 # software id = 73S3-5F2W
 #
 # model = CRS310-8G+2S+
@@ -8,6 +8,8 @@ add admin-mac=D0:EA:11:24:F4:AA auto-mac=no comment=defconf name=bridge \
 vlan-filtering=yes
 /interface vlan
 add interface=bridge name=vlan-mgmt vlan-id=99
+/ip pool
+add name=mgmt-pool ranges=192.168.88.10-192.168.88.254
 /interface bridge port
 add bridge=bridge comment=defconf interface=ether1 pvid=30
 add bridge=bridge comment=defconf interface=ether2 pvid=30
@@ -25,10 +27,13 @@ add bridge=bridge untagged="ether1,ether2,ether3,ether4,ether5,ether6,ether7,s\
 add bridge=bridge tagged=bridge untagged=ether8 vlan-ids=99
 /ip address
 add address=192.168.88.1/24 interface=vlan-mgmt network=192.168.88.0
+/ip dhcp-server
+add address-pool=mgmt-pool interface=vlan-mgmt lease-time=1h name=mgmt-dhcp
+/ip dhcp-server network
+add address=192.168.88.0/24 gateway=192.168.88.1
 /ip service
 set ftp disabled=yes
 set telnet disabled=yes
-set www disabled=yes
 set api disabled=yes
 set api-ssl disabled=yes
 /system identity
diff --git a/host_vars/crs310-maker.yml b/host_vars/crs310-maker.yml
index 8667cf9..aef12c0 100644
--- a/host_vars/crs310-maker.yml
+++ b/host_vars/crs310-maker.yml
@@ -27,6 +27,20 @@ switch_mgmt_gateway: "" # isolated mgmt -> no default route
 switch_dns_servers: "" # no DNS on an isolated mgmt plane
 switch_ntp_enabled: false # no internet on mgmt -> NTP would only error
+# Makerspace experiment: make the mgmt port low-friction. Serve DHCP on the mgmt VLAN
+# and enable the web UI so anyone plugging into ether8 can reach the admin (still a
+# login; default `admin` stays disabled). mamba keeps its static .2 (outside the pool).
+switch_web_enabled: true
+switch_disabled_services: # same as the role default but WITHOUT www (web UI on)
+ - telnet
+ - ftp
+ - www-ssl
+ - api
+ - api-ssl
+switch_mgmt_dhcp_enabled: true
+switch_mgmt_dhcp_pool: "192.168.88.10-192.168.88.254"
+switch_mgmt_dhcp_network: "192.168.88.0/24"
+
 switch_admin_user: "sjat"
 # ----- VLANs + per-port map (all untagged access; no trunks) -----
diff --git a/roles/makerfloss.mikrotik_switch/defaults/main.yml b/roles/makerfloss.mikrotik_switch/defaults/main.yml
index 32590ec..d0685a3 100644
--- a/roles/makerfloss.mikrotik_switch/defaults/main.yml
+++ b/roles/makerfloss.mikrotik_switch/defaults/main.yml
@@ -17,6 +17,12 @@ switch_disabled_services:
 - api
 - api-ssl
 switch_ssh_port: 22
+switch_web_enabled: false # enable the WWW (HTTP) admin UI
+
+# Optional DHCP server on the management VLAN (convenience; login still required).
+switch_mgmt_dhcp_enabled: false
+switch_mgmt_dhcp_pool: "" # e.g. "192.168.88.10-192.168.88.254"
+switch_mgmt_dhcp_network: "" # e.g. "192.168.88.0/24"
 # ----- Users -----
 switch_admin_user: "sjat"
diff --git a/roles/makerfloss.mikrotik_switch/tasks/identity.yml b/roles/makerfloss.mikrotik_switch/tasks/identity.yml
index eda0337..48f803e 100644
--- a/roles/makerfloss.mikrotik_switch/tasks/identity.yml
+++ b/roles/makerfloss.mikrotik_switch/tasks/identity.yml
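Review bot: `switch_web_enabled: true` combined with `www-ssl` still listed in `switch_disabled_services` means the only web UI reachable from ether8 is plain HTTP, so the "still a login" in the new comment is an admin password submitted in cleartext on the mgmt VLAN by whoever plugs in. If a browser UI is the goal, swapping `www-ssl` for `www` in the list (www-ssl needs a certificate on the device) keeps the low-friction access without the cleartext hop; at minimum the comment should state the trade-off, e.g. `# NOTE: HTTP only — admin credentials cross the mgmt VLAN unencrypted`. The host_vars also has to hand-edit two knobs (`switch_web_enabled` and the `www` entry) to get one effect, which is easy to regress when someone restores the role default list later.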
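Review bot: `switch_web_enabled` and `switch_disabled_services` now both govern the www service and nothing in the defaults ties them together: leaving `www` in the list while setting `switch_web_enabled: true` presumably makes the final state depend on which task runs last (the task that applies the list is not in this diff), and the host_vars hunk above only works because it edits both by hand. Either derive the effective list in the role (drop `www` from `switch_disabled_services` when `switch_web_enabled` is true) or document the coupling on the new line, e.g. `switch_web_enabled: false # enable the WWW (HTTP) admin UI; also remove www from switch_disabled_services`. The empty defaults for `switch_mgmt_dhcp_pool` and `switch_mgmt_dhcp_network` are interpolated verbatim by the vlans.yml tasks when `switch_mgmt_dhcp_enabled` is true, so an `assert` that both are non-empty whenever the flag is set would fail in Ansible instead of inside a RouterOS command.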
@@ -43,3 +43,10 @@
 commands:
 - /ip/service/set ssh disabled=no port={{ switch_ssh_port }}
 changed_when: false
+
+- name: Enable the WWW (HTTP) admin UI
+ community.routeros.command:
+ commands:
+ - /ip/service/set www disabled=no
+ when: switch_web_enabled | bool
+ changed_when: false
diff --git a/roles/makerfloss.mikrotik_switch/tasks/vlans.yml b/roles/makerfloss.mikrotik_switch/tasks/vlans.yml
index bb3c898..afe8703 100644
--- a/roles/makerfloss.mikrotik_switch/tasks/vlans.yml
+++ b/roles/makerfloss.mikrotik_switch/tasks/vlans.yml
@@ -101,6 +101,39 @@
 interface="vlan-mgmt" }
 changed_when: false
+# Optional DHCP server on the isolated mgmt VLAN: plug into the mgmt port and get an
+# address automatically (login to the switch is still required). Guards by name; the
+# network entry guards on "no networks yet" because RouterOS find-by-address does not
+# match prefix values (see the legacy-bridge-IP note above).
+- name: Create the management DHCP address pool
+ community.routeros.command:
+ commands:
+ - >-
+ :if ([:len [/ip/pool/find name="mgmt-pool"]] = 0)
+ do={ /ip/pool/add name="mgmt-pool" ranges="{{ switch_mgmt_dhcp_pool }}" }
+ when: switch_mgmt_dhcp_enabled | bool
+ changed_when: false
+
+- name: Create the management DHCP server on vlan-mgmt
+ community.routeros.command:
+ commands:
+ - >-
+ :if ([:len [/ip/dhcp-server/find name="mgmt-dhcp"]] = 0)
+ do={ /ip/dhcp-server/add name="mgmt-dhcp" interface="vlan-mgmt"
+ address-pool="mgmt-pool" lease-time=1h disabled=no }
+ when: switch_mgmt_dhcp_enabled | bool
+ changed_when: false
+
+- name: Define the management DHCP network
+ community.routeros.command:
+ commands:
+ - >-
+ :if ([:len [/ip/dhcp-server/network/find]] = 0)
+ do={ /ip/dhcp-server/network/add address="{{ switch_mgmt_dhcp_network }}"
+ gateway="{{ switch_mgmt_address.split('/')[0] }}" }
+ when: switch_mgmt_dhcp_enabled | bool
+ changed_when: false
+
 - name: Set the default gateway route
 community.routeros.command:
 commands:
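Review bot: `/ip/service/set www disabled=no` enables the HTTP admin service with no `address=` restriction, so the login form is reachable from any source that can reach the switch's mgmt address rather than only hosts on the mgmt VLAN, and it is the cleartext service that this task turns on. If the TLS variant is an option it is the better one to expose; otherwise bind the service to the management prefix on the same line, `- /ip/service/set www disabled=no address=<MGMT_SUBNET_CIDR>` (placeholder for the role's mgmt prefix). The ssh task this hunk extends starts above the hunk.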
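Review bot: All three new tasks are gated on `when: switch_mgmt_dhcp_enabled | bool` and only ever add, so setting the flag back to false leaves `mgmt-dhcp` running and handing out leases on the mgmt VLAN indefinitely; a companion task that disables the server when the flag is false makes the knob two-way (below). The by-name guards also mean a later change to `switch_mgmt_dhcp_pool` is silently never applied once `mgmt-pool` exists — the header comment explains this for the network entry, but the pool has the same behaviour and the comment should say so. Both variables are interpolated straight into RouterOS script with no non-empty check, so an enabled flag with the role's empty defaults fails inside the device command rather than in Ansible. The `Set the default gateway route` task continues past the hunk.
```yaml
# … unchanged: the three create tasks above …

- name: Disable the management DHCP server when the feature is turned off
  community.routeros.command:
    commands:
      - >-
        :if ([:len [/ip/dhcp-server/find name="mgmt-dhcp"]] > 0)
        do={ /ip/dhcp-server/set [find name="mgmt-dhcp"] disabled=yes }
  when: not (switch_mgmt_dhcp_enabled | bool)
  changed_when: false
```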