Computer networks
sash999, 2019-07-30 15:08:47

Management VLAN on MikroTik - how to set it up correctly?

I have worked quite a lot with Cisco switches, but now I have to deal with a MikroTik running RouterOS. Right now (I didn't set it up), hardware management is available with knowledge of the login and password even from the guest Wi-Fi network, which is not good at all. An idea immediately arose: management VLAN + ACL. But after a quick googling, I still don't really understand how to properly configure the management interface there. Please point me to a sensible guide...


1 answer(s)
poisons, 2019-07-30
@sash999

how to properly configure the management interface there

That's right - just the way you want it.
By default, all internal services listen on all interfaces from any subnet.
Further, depending on the need, we block access only from the necessary subnets:
ip service set winbox address=

Address ::= Address[,Address]
  Address ::= Address | Address
    Address ::= A.B.C.D/M    (IP prefix)
    Address ::= IPv6/0..128    (IPv6 prefix)

We specifically need a management VLAN - well, we create a VLAN:
interface vlan add interface=ether1 name=managment_vlan vlan-id=1000 comment="for managment purpose" 
ip address add address=1.1.1.1/24 interface=managment_vlan

To make sure, we add a rule to the firewall:
ip firewall filter add chain=input action=accept in-interface=managment_vlan protocol=tcp dst-port=8291
ip firewall filter add chain=input action=drop

In total, you have VLAN 1000 with IP 1.1.1.1/24 on your ether1 interface, and the winbox service listens to the subnets selected in the first paragraph; any incoming traffic is cut at the firewall by the last rule, and the rule above it allows incoming traffic.
It is more than a router; you can use analogies with a Linux router.
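
Added example, not part of the answer above: a check that reads the `/ip service` section of a RouterOS `/export` and lists every enabled service still reachable from outside the management prefix. Because the export omits default values, a service that does not appear in it is treated as enabled and unrestricted. The function names, the default-enabled service list and the sample export are assumptions made for this example.

```python
import ipaddress
import shlex

# Assumption: services RouterOS enables out of the box. /export omits defaults,
# so a service missing from the export is enabled with no address= restriction.
DEFAULT_ENABLED = {"telnet", "ftp", "www", "ssh", "api", "winbox", "api-ssl"}

# Constructed sample export; 192.168.88.0/24 stands in for the guest network.
SAMPLE_EXPORT = """\
/ip service
set telnet disabled=yes
set ftp disabled=yes
set winbox address=1.1.1.0/24
set ssh address=1.1.1.0/24,192.168.88.0/24
"""

def parse_services(export_text):
    """Return {service: {key: value}} from the '/ip service' section."""
    services, in_section = {}, False
    for line in export_text.replace("\\\n", "").splitlines():  # join wrapped lines
        line = line.strip()
        if line.startswith("/"):
            in_section = (line == "/ip service")
        elif in_section and line.startswith("set "):
            name, *pairs = shlex.split(line)[1:]
            services[name] = dict(p.split("=", 1) for p in pairs if "=" in p)
    return services

def exposed_services(export_text, mgmt_net):
    """List (service, reason) for enabled services open beyond mgmt_net."""
    mgmt = ipaddress.ip_network(mgmt_net)
    configured = parse_services(export_text)
    findings = []
    for name in sorted(DEFAULT_ENABLED | set(configured)):
        props = configured.get(name, {})
        default = "no" if name in DEFAULT_ENABLED else "yes"
        if props.get("disabled", default) == "yes":
            continue
        allowed = [a for a in props.get("address", "").split(",") if a]
        if not allowed:
            findings.append((name, "no address= restriction"))
            continue
        for a in allowed:
            net = ipaddress.ip_network(a, strict=False)
            if net.version != mgmt.version or not net.subnet_of(mgmt):
                findings.append((name, f"allows {a}"))
    return findings

if __name__ == "__main__":
    print(exposed_services(SAMPLE_EXPORT, "1.1.1.0/24"))
```

On the sample, winbox passes, while api, api-ssl and www are reported because they never appear in the export, and ssh is reported for the extra prefix.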
