feat(mgmt): DHCP server + web UI on the isolated mgmt VLAN
Makerspace experiment: plug into ether8 and get a 192.168.88.x lease, then reach the admin at http://192.168.88.1 (web UI re-enabled) / WinBox / SSH. Login is still required; the default admin stays disabled. mamba keeps its static .2 (outside the pool). New flags switch_web_enabled + switch_mgmt_dhcp_enabled/pool/network (off by default). Verified: www HTTP 200, lease handed out + bound, run-twice idempotent. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
parent
199edf85ad
commit
18de750507
5 changed files with 67 additions and 2 deletions
|
|
@ -1,4 +1,4 @@
|
||||||
# 2025-09-11 10:03:39 by RouterOS 7.19.6
|
# 2025-09-11 10:21:40 by RouterOS 7.19.6
|
||||||
# software id = 73S3-5F2W
|
# software id = 73S3-5F2W
|
||||||
#
|
#
|
||||||
# model = CRS310-8G+2S+
|
# model = CRS310-8G+2S+
|
||||||
|
|
@ -8,6 +8,8 @@ add admin-mac=D0:EA:11:24:F4:AA auto-mac=no comment=defconf name=bridge \
|
||||||
vlan-filtering=yes
|
vlan-filtering=yes
|
||||||
/interface vlan
|
/interface vlan
|
||||||
add interface=bridge name=vlan-mgmt vlan-id=99
|
add interface=bridge name=vlan-mgmt vlan-id=99
|
||||||
|
/ip pool
|
||||||
|
add name=mgmt-pool ranges=192.168.88.10-192.168.88.254
|
||||||
/interface bridge port
|
/interface bridge port
|
||||||
add bridge=bridge comment=defconf interface=ether1 pvid=30
|
add bridge=bridge comment=defconf interface=ether1 pvid=30
|
||||||
add bridge=bridge comment=defconf interface=ether2 pvid=30
|
add bridge=bridge comment=defconf interface=ether2 pvid=30
|
||||||
|
|
@ -25,10 +27,13 @@ add bridge=bridge untagged="ether1,ether2,ether3,ether4,ether5,ether6,ether7,s\
|
||||||
add bridge=bridge tagged=bridge untagged=ether8 vlan-ids=99
|
add bridge=bridge tagged=bridge untagged=ether8 vlan-ids=99
|
||||||
/ip address
|
/ip address
|
||||||
add address=192.168.88.1/24 interface=vlan-mgmt network=192.168.88.0
|
add address=192.168.88.1/24 interface=vlan-mgmt network=192.168.88.0
|
||||||
|
/ip dhcp-server
|
||||||
|
add address-pool=mgmt-pool interface=vlan-mgmt lease-time=1h name=mgmt-dhcp
|
||||||
|
/ip dhcp-server network
|
||||||
|
add address=192.168.88.0/24 gateway=192.168.88.1
|
||||||
/ip service
|
/ip service
|
||||||
set ftp disabled=yes
|
set ftp disabled=yes
|
||||||
set telnet disabled=yes
|
set telnet disabled=yes
|
||||||
set www disabled=yes
|
|
||||||
set api disabled=yes
|
set api disabled=yes
|
||||||
set api-ssl disabled=yes
|
set api-ssl disabled=yes
|
||||||
/system identity
|
/system identity
|
||||||
|
|
|
||||||
|
|
@ -27,6 +27,20 @@ switch_mgmt_gateway: "" # isolated mgmt -> no default route
|
||||||
switch_dns_servers: "" # no DNS on an isolated mgmt plane
|
switch_dns_servers: "" # no DNS on an isolated mgmt plane
|
||||||
switch_ntp_enabled: false # no internet on mgmt -> NTP would only error
|
switch_ntp_enabled: false # no internet on mgmt -> NTP would only error
|
||||||
|
|
||||||
|
# Makerspace experiment: make the mgmt port low-friction. Serve DHCP on the mgmt VLAN
|
||||||
|
# and enable the web UI so anyone plugging into ether8 can reach the admin (still a
|
||||||
|
# login; default `admin` stays disabled). mamba keeps its static .2 (outside the pool).
|
||||||
|
switch_web_enabled: true
|
||||||
|
switch_disabled_services: # same as the role default but WITHOUT www (web UI on)
|
||||||
|
- telnet
|
||||||
|
- ftp
|
||||||
|
- www-ssl
|
||||||
|
- api
|
||||||
|
- api-ssl
|
||||||
|
switch_mgmt_dhcp_enabled: true
|
||||||
|
switch_mgmt_dhcp_pool: "192.168.88.10-192.168.88.254"
|
||||||
|
switch_mgmt_dhcp_network: "192.168.88.0/24"
|
||||||
|
|
||||||
switch_admin_user: "sjat"
|
switch_admin_user: "sjat"
|
||||||
|
|
||||||
# ----- VLANs + per-port map (all untagged access; no trunks) -----
|
# ----- VLANs + per-port map (all untagged access; no trunks) -----
|
||||||
|
|
|
||||||
|
|
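Review bot: The literals in `switch_mgmt_dhcp_pool: "192.168.88.10-192.168.88.254"` and `switch_mgmt_dhcp_network: "192.168.88.0/24"` restate the subnet that the role presumably already carries in switch_mgmt_address (the DHCP tasks derive the gateway from it), so a later change of the mgmt address would leave the pool on the old network without any error. In the same way `switch_web_enabled: true` and the www-less `switch_disabled_services` list are two settings that only work when flipped together, and nothing on this page enforces that. I would at least record the coupling where the values are set: `switch_mgmt_dhcp_network: "192.168.88.0/24"  # must match switch_mgmt_address; keep both in sync` and `switch_web_enabled: true  # requires www to be absent from switch_disabled_services`.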
@ -17,6 +17,12 @@ switch_disabled_services:
|
||||||
- api
|
- api
|
||||||
- api-ssl
|
- api-ssl
|
||||||
switch_ssh_port: 22
|
switch_ssh_port: 22
|
||||||
|
switch_web_enabled: false # enable the WWW (HTTP) admin UI
|
||||||
|
|
||||||
|
# Optional DHCP server on the management VLAN (convenience; login still required).
|
||||||
|
switch_mgmt_dhcp_enabled: false
|
||||||
|
switch_mgmt_dhcp_pool: "" # e.g. "192.168.88.10-192.168.88.254"
|
||||||
|
switch_mgmt_dhcp_network: "" # e.g. "192.168.88.0/24"
|
||||||
|
|
||||||
# ----- Users -----
|
# ----- Users -----
|
||||||
switch_admin_user: "sjat"
|
switch_admin_user: "sjat"
|
||||||
|
|
|
||||||
|
|
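Review bot: `switch_web_enabled: false # enable the WWW (HTTP) admin UI` does not say that the role default `switch_disabled_services` (which the host vars describe as containing www) still disables the same service, so a host that sets only this flag presumably ends up with www in whatever state the last-running task left it. Suggest `switch_web_enabled: false  # enable the WWW (HTTP) admin UI; also drop "www" from switch_disabled_services, otherwise the disable task undoes this`. The comments on `switch_mgmt_dhcp_pool` and `switch_mgmt_dhcp_network` give only examples; they should say both values are mandatory whenever switch_mgmt_dhcp_enabled is true, because the tasks interpolate them into RouterOS commands unchecked. Since www-ssl stays in the disabled list, a note that this UI is plain HTTP and that admin credentials therefore cross the mgmt VLAN in clear would help whoever flips the flag.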
@ -43,3 +43,10 @@
|
||||||
commands:
|
commands:
|
||||||
- /ip/service/set ssh disabled=no port={{ switch_ssh_port }}
|
- /ip/service/set ssh disabled=no port={{ switch_ssh_port }}
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
|
||||||
|
- name: Enable the WWW (HTTP) admin UI
|
||||||
|
community.routeros.command:
|
||||||
|
commands:
|
||||||
|
- /ip/service/set www disabled=no
|
||||||
|
when: switch_web_enabled | bool
|
||||||
|
changed_when: false
|
||||||
|
|
|
||||||
|
|
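Review bot: The new task only ever enables www; when `switch_web_enabled` is true but the default `switch_disabled_services` list still contains www, the two tasks presumably fight and the final state depends on task order, which is not visible in this hunk. Rather than hope the host vars were edited consistently, fail early with an assert before this task; the `changed_when: false` then stays as the file's convention. Consider also that this enables plain HTTP while www-ssl remains disabled, so the login form and password travel unencrypted on a port the commit intends anyone to plug into; www-ssl with a certificate would be the hardened variant if one is available.
```yaml
- name: Refuse contradictory web UI settings
  ansible.builtin.assert:
    that: not (switch_web_enabled | bool) or 'www' not in switch_disabled_services
    fail_msg: "switch_web_enabled is true but 'www' is still in switch_disabled_services"

# … unchanged: Enable the WWW (HTTP) admin UI task …
```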
@ -101,6 +101,39 @@
|
||||||
interface="vlan-mgmt" }
|
interface="vlan-mgmt" }
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
|
||||||
|
# Optional DHCP server on the isolated mgmt VLAN: plug into the mgmt port and get an
|
||||||
|
# address automatically (login to the switch is still required). Guards by name; the
|
||||||
|
# network entry guards on "no networks yet" because RouterOS find-by-address does not
|
||||||
|
# match prefix values (see the legacy-bridge-IP note above).
|
||||||
|
- name: Create the management DHCP address pool
|
||||||
|
community.routeros.command:
|
||||||
|
commands:
|
||||||
|
- >-
|
||||||
|
:if ([:len [/ip/pool/find name="mgmt-pool"]] = 0)
|
||||||
|
do={ /ip/pool/add name="mgmt-pool" ranges="{{ switch_mgmt_dhcp_pool }}" }
|
||||||
|
when: switch_mgmt_dhcp_enabled | bool
|
||||||
|
changed_when: false
|
||||||
|
|
||||||
|
- name: Create the management DHCP server on vlan-mgmt
|
||||||
|
community.routeros.command:
|
||||||
|
commands:
|
||||||
|
- >-
|
||||||
|
:if ([:len [/ip/dhcp-server/find name="mgmt-dhcp"]] = 0)
|
||||||
|
do={ /ip/dhcp-server/add name="mgmt-dhcp" interface="vlan-mgmt"
|
||||||
|
address-pool="mgmt-pool" lease-time=1h disabled=no }
|
||||||
|
when: switch_mgmt_dhcp_enabled | bool
|
||||||
|
changed_when: false
|
||||||
|
|
||||||
|
- name: Define the management DHCP network
|
||||||
|
community.routeros.command:
|
||||||
|
commands:
|
||||||
|
- >-
|
||||||
|
:if ([:len [/ip/dhcp-server/network/find]] = 0)
|
||||||
|
do={ /ip/dhcp-server/network/add address="{{ switch_mgmt_dhcp_network }}"
|
||||||
|
gateway="{{ switch_mgmt_address.split('/')[0] }}" }
|
||||||
|
when: switch_mgmt_dhcp_enabled | bool
|
||||||
|
changed_when: false
|
||||||
|
|
||||||
- name: Set the default gateway route
|
- name: Set the default gateway route
|
||||||
community.routeros.command:
|
community.routeros.command:
|
||||||
commands:
|
commands:
|
||||||
|
|
|
||||||
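Review bot: The three DHCP tasks interpolate `switch_mgmt_dhcp_pool` and `switch_mgmt_dhcp_network` unchecked, and the role defaults for both are empty strings, so enabling `switch_mgmt_dhcp_enabled` without overriding them produces `/ip/pool/add name="mgmt-pool" ranges=""` and `/ip/dhcp-server/network/add address=""`, which the switch will reject with an error that does not name the real cause. A short assert in front of the pool task makes the contract explicit. Note also that, as the comment says, each task guards only on existence, so a later change of the pool range or network is silently not applied, and the network task skips whenever any DHCP network exists even if it is for a different subnet; both are worth a line in the header comment. The following "Set the default gateway route" task continues outside the hunk.
```yaml
- name: Validate management DHCP settings
  ansible.builtin.assert:
    that:
      - switch_mgmt_dhcp_pool | length > 0
      - switch_mgmt_dhcp_network | length > 0
    fail_msg: "switch_mgmt_dhcp_enabled is true but switch_mgmt_dhcp_pool / switch_mgmt_dhcp_network are empty"
  when: switch_mgmt_dhcp_enabled | bool

# … unchanged: pool / server / network tasks …
```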