MakerFLOSS_Mikrotik/docs/makerspace-switch-fieldguide.md
sjat 66a1aaad69 docs: on-site makerspace field guide for CRS310 prep
Standalone printable checklist: bring-list, access via WinBox MAC,
confirm RouterOS, upgrade+pin firmware, record facts, reset to
no-defaults, temp IP + SSH, addressing decisions, physical finish.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-07 08:24:10 +02:00


# Makerspace Field Guide — Preparing the CRS310 Switch

**Print this and bring it.** This is the exact, on-site procedure to get the MikroTik
**CRS310-8G+2S+IN** ready so Ansible can take over. Total time: ~30–45 min (most of it
the firmware upgrade). Work on a **bench/isolated network** — do **not** plug the switch
into the live makerspace network until VLANs are configured later (avoids loops and
DHCP/IP conflicts).

When you're done, you'll have: the switch on a known firmware, wiped to a clean slate,
reachable over SSH at a temporary IP, and a few facts written down for me to drop into
`host_vars`.

---
## Bring with you
- [ ] The CRS310 + its PSU.
- [ ] A laptop with **WinBox** (download from mikrotik.com/download) — or just a browser for WebFig.
- [ ] One Ethernet cable (laptop ↔ a 2.5G port).
- [ ] Internet for the switch during the upgrade (a cable from an existing LAN/uplink, **temporarily**, with DHCP — unplug it again before the final steps).
- [ ] The **SFP+ module or DAC** for the 10G uplink (to fit physically; we don't cable the real uplink yet).
- [ ] This guide + something to write the recorded facts on (or a phone note).
---
## Step 1 — Power on and get in
1. Power the switch. Wait ~1 min for it to boot RouterOS.
2. Connect your laptop to **ether1** (a 2.5G port).
3. Open **WinBox → Neighbors tab**. The switch appears (by IP `192.168.88.1` and/or by MAC).
   - **Tip:** click the **MAC address** (not the IP) to connect — this works even when the
     switch has no IP, which matters in Step 5.
4. Log in: user `admin`, password **blank** (just press Enter). RouterOS 7 may ask you to
   set a password — you can set a temporary one or skip; Ansible will set the real one later.

> No WinBox? Browse to `http://192.168.88.1` (WebFig) instead. The CLI commands below are
> typed in **WinBox/WebFig → New Terminal**.
---
## Step 2 — Confirm it's running RouterOS (not SwOS)
The CRS310 can dual-boot SwOS, but we need **RouterOS** for VLAN filtering + Ansible.
- In terminal: `/system/routerboard/print`
- It should report RouterOS. If the device booted **SwOS** (different, simpler web UI),
switch the boot OS: in SwOS go to the **System** page and set boot to RouterOS, or use
the reset/boot-OS toggle, then reboot. (You want the full RouterOS interface.)
---
## Step 3 — Upgrade and pin the firmware
This needs internet for the switch. Plug a DHCP uplink into **ether8** temporarily.
1. Give the switch internet briefly: it should pull a DHCP lease on the uplink port, or in
   terminal: `/ip/dhcp-client/add interface=ether8 disabled=no`
2. Update RouterOS:
   ```
   /system/package/update/set channel=stable
   /system/package/update/check-for-updates
   /system/package/update/download
   /system/reboot
   ```
   (Or WinBox: **System → Packages → Check For Updates → Download & Install**.)
3. After reboot, upgrade the bootloader (RouterBOOT) to match:
   ```
   /system/routerboard/upgrade
   /system/reboot
   ```
4. **Write down the final version:** `/system/resource/print` → the `version` line.
   ➜ **Record as `RouterOS version: ______`** (this becomes `switch_firmware_target`).
5. **Unplug the temporary internet uplink** and remove the DHCP client:
   `/ip/dhcp-client/remove [find]`
---
## Step 4 — Record the device facts
Run `/system/routerboard/print` and `/system/resource/print` and write down:
- [ ] **Model:** ____________________ (should be CRS310-8G+2S+IN)
- [ ] **Serial:** ____________________ (also on the sticker underneath)
- [ ] **Base MAC:** ____________________
- [ ] **RouterOS version:** ____________________ (from Step 3.4)
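
A way to sanity-check the Step 3 and Step 4 results before they go into `host_vars`, as an added example that is not part of this repo's playbooks: paste the two print outputs into the script and fix whatever it reports. The sample output below is constructed, and the `switch_model` and `switch_serial` keys are hypothetical; only `switch_firmware_target` is named in this guide.

```python
EXPECTED_MODEL = "CRS310-8G+2S+IN"

# Constructed sample output (not captured from a real switch); values are placeholders.
ROUTERBOARD_PRINT = """\
       routerboard: yes
             model: CRS310-8G+2S+IN
     serial-number: SERIAL-PLACEHOLDER
  current-firmware: 7.99.1
  upgrade-firmware: 7.99.1
"""
RESOURCE_PRINT = """\
      uptime: 4m10s
     version: 7.99.1 (stable)
  board-name: CRS310-8G+2S+IN
"""


def parse_print(text):
    """Turn the 'key: value' lines of a RouterOS print into a dict."""
    facts = {}
    for line in text.splitlines():
        # Split on the first colon only, so values such as timestamps survive.
        key, sep, value = line.strip().partition(":")
        if sep and key:
            facts[key.strip()] = value.strip()
    return facts


def collect_facts(routerboard_text, resource_text):
    """Return (host_vars dict, list of problems to fix before handing over)."""
    rb, res = parse_print(routerboard_text), parse_print(resource_text)
    version_field = res.get("version", "")
    version = version_field.split()[0] if version_field else ""
    problems = []
    if rb.get("model") != EXPECTED_MODEL:
        problems.append(f"unexpected model: {rb.get('model')!r}")
    if not rb.get("serial-number"):
        problems.append("serial-number missing from routerboard print")
    if not version:
        problems.append("version missing from resource print")
    elif "(stable)" not in version_field:
        problems.append(f"not on the stable channel: {version_field}")
    if rb.get("current-firmware") != version:
        problems.append("RouterBOOT does not match RouterOS; redo Step 3.3")
    host_vars = {
        "switch_firmware_target": version,             # name from this guide
        "switch_model": rb.get("model", ""),           # hypothetical key
        "switch_serial": rb.get("serial-number", ""),  # hypothetical key
    }
    return host_vars, problems
```
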
---
## Step 5 — Wipe to a clean slate (no default config)
This makes Ansible the single owner of the whole configuration.
1. In terminal:
   ```
   /system/reset-configuration no-defaults=yes skip-backup=yes
   ```
   (Or WinBox: **System → Reset Configuration** → tick **No Default Configuration** and
   **Do Not Backup** → **Reset**.)
2. The switch reboots. It now has **no IP and no services** — WinBox-by-IP won't find it.
3. Reconnect using **WinBox → Neighbors → click the MAC address** (this is why we use MAC).
   Log in as `admin` with a **blank** password.
---
## Step 6 — Give it a temporary IP + enable SSH (so Ansible can reach it)
In the terminal (laptop still on **ether1**):
```
/ip/address/add address=192.168.88.1/24 interface=ether1
/ip/service/enable ssh
/ip/service/print
```
Then on your laptop, set a static IP `192.168.88.2` / `255.255.255.0` and confirm SSH:
```
ssh admin@192.168.88.1
```
If that logs in, **you're done** — leave the switch powered and on the bench.
> ⚠️ Keep a **WinBox MAC session** open as your lifeline whenever you change network
> settings. If you ever lock yourself out, MAC-telnet/WinBox-by-MAC still works; a full
> **Netinstall** (mikrotik.com/download) is the last-resort recovery.
---
## Step 7 — Decide the real addressing (write it down for me)
I need these to fill in `host_vars/crs310-maker.yml`. Decide with whatever the makerspace
network plan is (or we can finalize together):
- [ ] **Management IP + mask** (real, not the temp one): ____________________
- [ ] **Management VLAN ID:** ____________________
- [ ] **Default gateway:** ____________________
- [ ] **Upstream uplink port** (which SFP+ / port goes to the OPNsense/router): ____________________
- [ ] **DNS / NTP server IP** (usually the gateway): ____________________

(If the makerspace VLAN plan isn't settled yet, that's fine — we ship a placeholder and
fill these in later. The switch just needs to be reachable per Step 6.)

---
## Step 8 — Physical finish
- [ ] Fit the **SFP+ module/DAC** into `sfp-sfpplus1` (don't cable the live uplink yet).
- [ ] Mount/label the switch.
---
## When you're back
Bring me:
1. The recorded facts (Step 4) and addressing decisions (Step 7).
2. Confirmation that `ssh admin@192.168.88.1` (or your temp IP) works.

Then I'll: create the empty `MakerFLOSS_Mikrotik` repo on `forgejo.makerfloss.eu`, drop
your facts into `host_vars`, and run **`play_bootstrap.yml`** — which creates your named
admin user, imports your SSH key, and hands the switch over to Ansible. After that,
`play_switch.yml` configures identity, services, VLANs, and backups.

> **Do not connect the switch to the live makerspace network** until VLANs are configured
> (Task 7 in the implementation plan) — an unconfigured switch on the live net can cause
> loops or hand out the wrong VLAN.