MakerFLOSS_Mikrotik/docs/makerspace-switch-fieldguide.md
sjat 66a1aaad69 docs: on-site makerspace field guide for CRS310 prep
Standalone printable checklist: bring-list, access via WinBox MAC,
confirm RouterOS, upgrade+pin firmware, record facts, reset to
no-defaults, temp IP + SSH, addressing decisions, physical finish.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-07 08:24:10 +02:00


Makerspace Field Guide — Preparing the CRS310 Switch

Print this and bring it. This is the exact, on-site procedure to get the MikroTik CRS310-8G+2S+IN ready so Ansible can take over. Total time: ~30–45 min (most of it the firmware upgrade). Work on a bench/isolated network — do not plug the switch into the live makerspace network until VLANs are configured later (avoids loops and DHCP/IP conflicts).

When you're done, you'll have: the switch on a known firmware, wiped to a clean slate, reachable over SSH at a temporary IP, and a few facts written down for me to drop into host_vars.


Bring with you

  • The CRS310 + its PSU.
  • A laptop with WinBox (download from mikrotik.com/download) — or just a browser for WebFig.
  • One Ethernet cable (laptop ↔ a 2.5G port).
  • Internet for the switch during the upgrade (a cable from an existing LAN/uplink, temporarily, with DHCP — unplug it again before the final steps).
  • The SFP+ module or DAC for the 10G uplink (to fit physically; we don't cable the real uplink yet).
  • This guide + something to write the recorded facts on (or a phone note).

Step 1 — Power on and get in

  1. Power the switch. Wait ~1 min for it to boot RouterOS.
  2. Connect your laptop to ether1 (a 2.5G port).
  3. Open WinBox → Neighbors tab. The switch appears (by IP 192.168.88.1 and/or by MAC).
    • Tip: click the MAC address (not the IP) to connect — this works even when the switch has no IP, which matters in Step 5.
  4. Log in: user admin, password blank (just press Enter). RouterOS 7 may ask you to set a password — you can set a temporary one or skip; Ansible will set the real one later.

No WinBox? Browse to http://192.168.88.1 (WebFig) instead. The CLI commands below are typed in WinBox/WebFig → New Terminal.


Step 2 — Confirm it's running RouterOS (not SwOS)

The CRS310 can dual-boot SwOS, but we need RouterOS for VLAN filtering + Ansible.

  • In terminal: /system/routerboard/print
  • It should report RouterOS. If the device booted SwOS (different, simpler web UI), switch the boot OS: in SwOS go to the System page and set boot to RouterOS, or use the reset/boot-OS toggle, then reboot. (You want the full RouterOS interface.)

Step 3 — Upgrade and pin the firmware

This needs internet for the switch. Plug a DHCP uplink into ether8 temporarily.

  1. Give the switch internet briefly: it should pull a DHCP lease on the uplink port, or in terminal: /ip/dhcp-client/add interface=ether8 disabled=no
  2. Update RouterOS:
    /system/package/update/set channel=stable
    /system/package/update/check-for-updates
    /system/package/update/download
    /system/reboot
    
    (Or WinBox: System → Packages → Check For Updates → Download & Install.)
  3. After reboot, upgrade the bootloader (RouterBOOT) to match:
    /system/routerboard/upgrade
    /system/reboot
    
  4. Write down the final version: /system/resource/print → the version line. ➜ Record as RouterOS version: ______ (this becomes switch_firmware_target).
  5. Unplug the temporary internet uplink and remove the DHCP client: /ip/dhcp-client/remove [find]

Step 4 — Record the device facts

Run /system/routerboard/print and /system/resource/print and write down:

  • Model: ____________________ (should be CRS310-8G+2S+IN)
  • Serial: ____________________ (also on the sticker underneath)
  • Base MAC: ____________________
  • RouterOS version: ____________________ (from Step 3.4)
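
The Step 3 and Step 4 checks can be run over pasted terminal output instead of being read by eye. The sketch below is an added example, not part of the original guide or the MakerFLOSS_Mikrotik repo. It parses the two print outputs, confirms the model and that RouterBOOT matches the RouterOS version, and emits the values for host_vars. The sample output is constructed, and `switch_model` and `switch_serial` are hypothetical key names (only `switch_firmware_target` comes from the guide).

```python
EXPECTED_MODEL = "CRS310-8G+2S+IN"  # model named in this guide

# Constructed sample output; serial and version numbers are placeholders.
ROUTERBOARD_PRINT = """\
       routerboard: yes
             model: CRS310-8G+2S+IN
     serial-number: EXAMPLE0000
  factory-firmware: 7.0.0
  current-firmware: 7.0.1
  upgrade-firmware: 7.0.1
"""
RESOURCE_PRINT = """\
      uptime: 4m12s
     version: 7.0.1 (stable)
  board-name: CRS310-8G+2S+IN
"""


def parse_print(text):
    """Turn RouterOS 'key: value' print output into a dict."""
    facts = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split at the first colon only
        if sep and key.strip():
            facts[key.strip()] = value.strip()
    return facts


def check_switch(routerboard_text, resource_text):
    """Return (host_vars_facts, problems) for the Step 3/4 checks."""
    rb, res = parse_print(routerboard_text), parse_print(resource_text)
    version = (res.get("version") or "?").split()[0]  # drop "(stable)"
    problems = []
    if rb.get("model") != EXPECTED_MODEL:
        problems.append(f"unexpected model: {rb.get('model')}")
    if rb.get("current-firmware") != rb.get("upgrade-firmware"):
        problems.append("RouterBOOT upgrade pending: redo Step 3.3")
    if rb.get("current-firmware") != version:
        problems.append("RouterBOOT does not match RouterOS version")
    facts = {
        "switch_firmware_target": version,         # name from the guide
        "switch_model": rb.get("model"),           # hypothetical key
        "switch_serial": rb.get("serial-number"),  # hypothetical key
    }
    return facts, problems


if __name__ == "__main__":
    facts, problems = check_switch(ROUTERBOARD_PRINT, RESOURCE_PRINT)
    for key, value in facts.items():
        print(f'{key}: "{value}"')
    print("problems:", problems or "none")
```
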

Step 5 — Wipe to a clean slate (no default config)

This makes Ansible the single owner of the whole configuration.

  1. In terminal:
    /system/reset-configuration no-defaults=yes skip-backup=yes
    
    (Or WinBox: System → Reset Configuration → tick No Default Configuration and Do Not Backup → Reset.)
  2. The switch reboots. It now has no IP and no services — WinBox-by-IP won't find it.
  3. Reconnect using WinBox → Neighbors → click the MAC address (this is why we use MAC). Log in as admin with a blank password.

Step 6 — Give it a temporary IP + enable SSH (so Ansible can reach it)

In the terminal (laptop still on ether1):

/ip/address/add address=192.168.88.1/24 interface=ether1
/ip/service/enable ssh
/ip/service/print

Then on your laptop, set a static IP 192.168.88.2 / 255.255.255.0 and confirm SSH:

ssh admin@192.168.88.1

If that logs in, you're done — leave the switch powered and on the bench.
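
Because admin still has a blank password at this point, it is worth reading the /ip/service/print output from Step 6 for anything enabled besides what the guide uses. The sketch below is an added example, not part of the original guide. It parses a pasted service table and lists expected services that are off and unexpected ones that are on. The sample table is constructed, its layout is assumed from RouterOS 7, and the allowlist of ssh plus winbox is an assumption of this example.

```python
import re

# Assumption of this example: SSH is what Step 6 enables and WinBox is the
# access path the guide relies on; anything else enabled gets reported.
EXPECTED = {"ssh", "winbox"}

# Constructed sample of /ip/service/print output (layout assumed, RouterOS 7).
SERVICE_PRINT = """\
Flags: X - DISABLED, I - INVALID
Columns: NAME, PORT, CERTIFICATE, VRF
#   NAME     PORT  CERTIFICATE  VRF
0   telnet     23               main
1   ftp        21               main
2   www        80               main
3   ssh        22               main
4 X www-ssl   443  none         main
5   api      8728               main
6   winbox   8291               main
7 X api-ssl  8729  none         main
"""

# row number, optional flag letters, service name, port
ROW = re.compile(r"^\s*\d+\s+([A-Z]*)\s*([a-z][\w-]*)\s+(\d+)")


def parse_services(text):
    """Return {name: (port, enabled)} from the service table."""
    services = {}
    for line in text.splitlines():
        m = ROW.match(line)  # header and legend lines do not match
        if m:
            flags, name, port = m.groups()
            services[name] = (int(port), "X" not in flags)
    return services


def review_services(text, expected=EXPECTED):
    """Return (missing_expected, unexpected_enabled), each sorted by name."""
    services = parse_services(text)
    enabled = {name for name, (_, on) in services.items() if on}
    return sorted(expected - enabled), sorted(enabled - expected)


if __name__ == "__main__":
    missing, unexpected = review_services(SERVICE_PRINT)
    print("expected but disabled:", missing or "none")
    print("enabled but not expected:", unexpected or "none")
```
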

⚠️ Keep a WinBox MAC session open as your lifeline whenever you change network settings. If you ever lock yourself out, MAC-telnet/WinBox-by-MAC still works; a full Netinstall (mikrotik.com/download) is the last-resort recovery.


Step 7 — Decide the real addressing (write it down for me)

I need these to fill in host_vars/crs310-maker.yml. Decide with whatever the makerspace network plan is (or we can finalize together):

  • Management IP + mask (real, not the temp one): ____________________
  • Management VLAN ID: ____________________
  • Default gateway: ____________________
  • Upstream uplink port (which SFP+ / port goes to the OPNsense/router): ____________________
  • DNS / NTP server IP (usually the gateway): ____________________

(If the makerspace VLAN plan isn't settled yet, that's fine — we ship a placeholder and fill these in later. The switch just needs to be reachable per Step 6.)


Step 8 — Physical finish

  • Fit the SFP+ module/DAC into sfp-sfpplus1 (don't cable the live uplink yet).
  • Mount/label the switch.

When you're back

Bring me:

  1. The recorded facts (Step 4) and addressing decisions (Step 7).
  2. Confirmation that ssh admin@192.168.88.1 (or your temp IP) works.

Then I'll: create the empty MakerFLOSS_Mikrotik repo on forgejo.makerfloss.eu, drop your facts into host_vars, and run play_bootstrap.yml — which creates your named admin user, imports your SSH key, and hands the switch over to Ansible. After that, play_switch.yml configures identity, services, VLANs, and backups.

Do not connect the switch to the live makerspace network until VLANs are configured (Task 7 in the implementation plan) — an unconfigured switch on the live net can cause loops or hand out the wrong VLAN.