feat(mgmt): DHCP server + web UI on the isolated mgmt VLAN

Makerspace experiment: plug into ether8 and get a 192.168.88.x lease, reach the
admin at http://192.168.88.1 (web UI re-enabled) / WinBox / SSH. Login still
required; default admin stays disabled. mamba keeps static .2 (outside the pool).
New flags switch_web_enabled + switch_mgmt_dhcp_enabled/pool/network (off by
default). Verified: www HTTP 200, lease handed out + bound, run-twice idempotent.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
sjat 2026-06-09 12:55:03 +02:00
parent 199edf85ad
commit 18de750507
5 changed files with 67 additions and 2 deletions


@ -1,4 +1,4 @@
# 2025-09-11 10:03:39 by RouterOS 7.19.6
# 2025-09-11 10:21:40 by RouterOS 7.19.6
# software id = 73S3-5F2W
#
# model = CRS310-8G+2S+
@ -8,6 +8,8 @@ add admin-mac=D0:EA:11:24:F4:AA auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan-mgmt vlan-id=99
/ip pool
add name=mgmt-pool ranges=192.168.88.10-192.168.88.254
/interface bridge port
add bridge=bridge comment=defconf interface=ether1 pvid=30
add bridge=bridge comment=defconf interface=ether2 pvid=30
@ -25,10 +27,13 @@ add bridge=bridge untagged="ether1,ether2,ether3,ether4,ether5,ether6,ether7,s\
add bridge=bridge tagged=bridge untagged=ether8 vlan-ids=99
/ip address
add address=192.168.88.1/24 interface=vlan-mgmt network=192.168.88.0
/ip dhcp-server
add address-pool=mgmt-pool interface=vlan-mgmt lease-time=1h name=mgmt-dhcp
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity


@ -27,6 +27,20 @@ switch_mgmt_gateway: "" # isolated mgmt -> no default route
switch_dns_servers: "" # no DNS on an isolated mgmt plane
switch_ntp_enabled: false # no internet on mgmt -> NTP would only error
# Makerspace experiment: make the mgmt port low-friction. Serve DHCP on the mgmt VLAN
# and enable the web UI so anyone plugging into ether8 can reach the admin (still a
# login; default `admin` stays disabled). mamba keeps its static .2 (outside the pool).
switch_web_enabled: true
switch_disabled_services: # same as the role default but WITHOUT www (web UI on)
- telnet
- ftp
- www-ssl
- api
- api-ssl
switch_mgmt_dhcp_enabled: true
switch_mgmt_dhcp_pool: "192.168.88.10-192.168.88.254"
switch_mgmt_dhcp_network: "192.168.88.0/24"
switch_admin_user: "sjat"
# ----- VLANs + per-port map (all untagged access; no trunks) -----
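Review bot: Removing `www` from `switch_disabled_services` while leaving `www-ssl` in it means the admin login on a port anyone can physically plug into is served over cleartext HTTP, so the password and session cookie of whoever logs in are readable by any other device on the mgmt VLAN — including whatever just took a DHCP lease from the new pool. The lower-risk variant of the same experiment is the inverse: keep `www` disabled, drop `www-ssl` from the list and bind a certificate to it (RouterOS requires one for www-ssl; self-signed is still far better than clear), or, if plain HTTP is a deliberate trade-off, record it in the comment: `# NOTE: plain HTTP — admin credentials cross the wire in clear; acceptable only while VLAN 99 stays physically isolated`. Also worth a line here: the web UI is now controlled by two settings that must agree (`switch_web_enabled` and `www` being absent from this list), and flipping only the flag back to false will not turn the UI off if the role only disables what is listed.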


@ -17,6 +17,12 @@ switch_disabled_services:
- api
- api-ssl
switch_ssh_port: 22
switch_web_enabled: false # enable the WWW (HTTP) admin UI
# Optional DHCP server on the management VLAN (convenience; login still required).
switch_mgmt_dhcp_enabled: false
switch_mgmt_dhcp_pool: "" # e.g. "192.168.88.10-192.168.88.254"
switch_mgmt_dhcp_network: "" # e.g. "192.168.88.0/24"
# ----- Users -----
switch_admin_user: "sjat"
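Review bot: `switch_mgmt_dhcp_pool` and `switch_mgmt_dhcp_network` default to `""` but nothing validates them when `switch_mgmt_dhcp_enabled` is flipped to true, so a host that sets the flag and forgets one of them will template an empty `ranges=` / `address=` into the RouterOS commands and most likely fail mid-run, possibly after the pool or server has already been created. An `assert` at the top of the DHCP tasks (`that: switch_mgmt_dhcp_pool | length > 0 and switch_mgmt_dhcp_network | length > 0`, `when: switch_mgmt_dhcp_enabled | bool`) is the usual fix; at minimum the comment here should say `# both are required when switch_mgmt_dhcp_enabled is true; templated verbatim into /ip/pool and /ip/dhcp-server/network`. The `switch_web_enabled` comment should also name the trade-off it enables, e.g. `# enable the WWW admin UI — plain HTTP, credentials unencrypted; prefer www-ssl where possible`.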


@ -43,3 +43,10 @@
commands:
- /ip/service/set ssh disabled=no port={{ switch_ssh_port }}
changed_when: false
- name: Enable the WWW (HTTP) admin UI
community.routeros.command:
commands:
- /ip/service/set www disabled=no
when: switch_web_enabled | bool
changed_when: false
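Review bot: The enable command in the new task, `/ip/service/set www disabled=no`, opens the HTTP admin service without an `address=` restriction, so it answers on every IP the switch holds rather than only the mgmt VLAN the commit describes; the ssh task just above has the same shape, so this follows existing convention, but www carries the login form in cleartext and deserves the tighter scope. A small variable makes that explicit: `- /ip/service/set www disabled=no address="{{ switch_web_allowed_from }}"` with `switch_web_allowed_from` defaulting to the mgmt subnet. The task is also enable-only — with `switch_web_enabled: false` it is skipped rather than re-disabling www, so turning the flag off again only works if `www` is also put back into `switch_disabled_services`; dropping the `when` and writing `disabled={{ 'no' if switch_web_enabled | bool else 'yes' }}` would make the flag authoritative, provided this task runs after the disabled-services task.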


@ -101,6 +101,39 @@
interface="vlan-mgmt" }
changed_when: false
# Optional DHCP server on the isolated mgmt VLAN: plug into the mgmt port and get an
# address automatically (login to the switch is still required). Guards by name; the
# network entry guards on "no networks yet" because RouterOS find-by-address does not
# match prefix values (see the legacy-bridge-IP note above).
- name: Create the management DHCP address pool
community.routeros.command:
commands:
- >-
:if ([:len [/ip/pool/find name="mgmt-pool"]] = 0)
do={ /ip/pool/add name="mgmt-pool" ranges="{{ switch_mgmt_dhcp_pool }}" }
when: switch_mgmt_dhcp_enabled | bool
changed_when: false
- name: Create the management DHCP server on vlan-mgmt
community.routeros.command:
commands:
- >-
:if ([:len [/ip/dhcp-server/find name="mgmt-dhcp"]] = 0)
do={ /ip/dhcp-server/add name="mgmt-dhcp" interface="vlan-mgmt"
address-pool="mgmt-pool" lease-time=1h disabled=no }
when: switch_mgmt_dhcp_enabled | bool
changed_when: false
- name: Define the management DHCP network
community.routeros.command:
commands:
- >-
:if ([:len [/ip/dhcp-server/network/find]] = 0)
do={ /ip/dhcp-server/network/add address="{{ switch_mgmt_dhcp_network }}"
gateway="{{ switch_mgmt_address.split('/')[0] }}" }
when: switch_mgmt_dhcp_enabled | bool
changed_when: false
- name: Set the default gateway route
community.routeros.command:
commands: