anav
Forum Guru
Topic Author
Posts: 17370
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Config Issues / Locked Out - Accessing Router/AP Config Without Bridge

Wed Dec 29, 2021 7:31 pm

{ linked from New User Pathway To Success Config Success - viewtopic.php?t=182373 }

QUESTIONS ALL NEW ADMINS ASK THEMSELVES.

1. Do you ever have those days where every time you touch the bridge config it burps and you ask yourself the same question, WHY DIDN'T I USE SAFE MODE?
2. How do I set up a new subnet and move this away from 192.168.88.1 without locking myself out?
or as buckeye put it.... "It's avoiding the 'sawing off the limb you are sitting on' problem."

ANSWERS.

3. USE SAFE MODE. USE SAFE MODE. USE SAFE MODE.
4. Do NOT remove the admin access to the router rule in the input chain - DANGER, especially with "drop all else" rules in play!
5. One recommended approach that works well, and is the subject of this article, is to give yourself a safe way out of such a dilemma, and that is an independent configuration access OFF the bridge. This can be used to access the router after locking yourself out on bridge changes, or actually to conduct all configurations if preferred.

GUIDE: How To Config The MT Device, OFF The Bridge

CONCEPT
-ISOLATE ETHERPORT { remove from bridge }
-ADD INDEPENDENT IP ADDRESS to ETHERX
-ADD ETHERX TO 'TRUSTED' INTERFACE LIST { trusted = usually contains a management vlan or the subnet where the admin PC resides and bad actors, careless users of the internet, & guests do NOT reside - ensures part of mac server winbox-mac server setting!! }
-ENSURE ACCESS TO WINBOX (INPUT CHAIN) { INPUT CHAIN RULE FOR ETHERX }
-ENSURE ETHERX IP Address is included if you have ALLOW settings in IP services for winbox.
-USE MANUALLY SET RELATED IPV4 ADDRESS TO ACCESS FROM PC
(see example at bottom of page)

SETUP OF WIRED AND WIFI DEVICES
(common to Routers/Switches/APs using RoS - where a spare port or spare wlan/vwlan may be available).

1. Remove spare etherport (let's use 5) from the bridge; in the case of a cAP ac (two ports), use ether2.
2. Give it a new name: ether5-access
3. Give it an IP address that does not conflict with any other subnets on the LAN or any remote subnets etc.... let's use 192.168.5.1/24 network 192.168.5.0
4. Add ether5-access to the trusted interface as a list member. It could be a trusted vlan, could be the management vlan, could be LAN etc...... (router only)
5. For the Switch/AP scenario, if not already done, create an interface list called Manage or base etc. (you may already have one, so can just use that).
-add ether5-access as a list member (switch)
-add vwlan-access as a list member (AP)

-add vlan XX (the trusted or management vlan or subnet) as a list member (normally should already exist)
6. Add the interface list Manage, or whatever it is called on your device, as the entry in IP neighbours
7. Add the interface list Manage, or whatever it is called on your device, under tools mac server WINMAC SERVER

Note: On an MT Device not doing routing, normally, the ONLY interface required is the "Manage" interface (no wan, no lan, no IP DHCP, no firewall rules etc.)

NOTES:
A. If you have delineated subnets/IP addresses in the IP Services of WINBOX, be sure to add 192.168.5.0/24 to the "Available From" column.
B. If you have delineated subnets/IP addresses in System Users, be sure to add 192.168.5.0/24 to the "Allowed Addresses".
{ In both cases, A and B, you can use the single IP address you intend to use for such access, if desired, such as 192.168.5.5. }

WIFI ONLY


8. Define a Virtual WLAN, let's call it vwlan-access, from an existing WLAN.
9. DO NOT attach it to the bridge.
10. Provide the usual wifi config parameters, SSID, Security profile etc........
11. Ensure steps 3,5-7 are completed above.

DONE!!
Note1: It is assumed for switches/APs that an IP route has been created with dst-address=0.0.0.0/0 with gateway being the IP gateway of trusted subnet/vlan
Note2: For Routers, it is assumed that the trusted interface list is used to allow the admin access to the router (input chain) and thus this new connection will automatically be included, otherwise you will need to create in input chain rule to allow ether5-access to the router. (router only)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

CONNECTING TO THE WIFI DEVICE (assuming using iphone & mt app OR laptop wifi & winbox)

15. Go to the manual settings for the SSID showing in WIFI settings.
a. This can be accomplished by using the(i)symbol/icon next to the network/ssid on the iphone.
b. Use the appropriate WIFI (adapter) connection on your network settings on the laptop.

16. Enter in 192.168.5.5 for address and mask 255.255.255.0.
17. Connect to the WIFI network.
Note: One should establish successful connectivity by accessing safari or the browser of choice and then confirming access to the internet etc...

18. Next, open up the MT APP and enter in 192.168.5.1:8291 for IP address, or in winbox on the laptop.
19. Use the assigned username and password.

Note: For a cAP ac with two ports, ether1 remains part of the bridge and is connected to your main router through this trunk port; the examples above speak to using the free ether2 or a virtual wlan.

+++++++++++++++++++++++++++++++++++++++++++++++

EXAMPLE - ether5, decide to use 192.168.5.55 as allowed IP.

Note: Since you have defined a subnet 192.168.5.0/24 you can pick any IP to enter into the IPV4 settings on the laptop.
If you can remember which one, feel free to narrow it down to, let's say, .55 in winbox rules or input chain rules etc.........

/interface ethernet
set [ find default-name=ether5 ] name=ether5-access
/ip address
add interface=ether5-access address=192.168.5.1/24 network=192.168.5.0
/interface list
add name=Trusted
/interface list member
add interface=ether5-access list=Trusted
/ip neighbor discovery-settings
set discover-interface-list=Trusted
/tool mac-server mac-winbox
set allowed-interface-list=Trusted
/ip firewall filter
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input in-interface=ether5-access src-address=192.168.5.55
add action=accept chain=input in-interface=ether5-access src-address=192.168.5.0/24
{ alternative to the .55 rule, if you do not want to narrow down access }

where firewall address list is comprised of all potential Admin IP addresses locally or coming in on VPN.
This one is likely one you will be adjusting from time to time and may screw up.
As long as the separate rule exists not touched for the ether5 port, you can access the config.
Last edited by anav on Thu Sep 07, 2023 4:29 pm, edited 26 times in total.
shafiqrahman
Member Candidate
Posts: 123
Joined: Wed Apr 12, 2017 1:42 am

Re: CONFIG ISSUES / LOCKED OUT - ACCESSING ROUTER/AP CONFIG WITHOUT BRIDGE

Tue Jan 18, 2022 3:50 pm

Add the interface list MANAGE
Does this mean that when I create another list in neighborhood discovery (and there is no option to select multiple lists), the router will now only be visible to the managed interface list?
trusted interface as a list member.
isn't that part of DHCP?
anav
Forum Guru
Topic Author
Posts: 17370
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CONFIG ISSUES / LOCKED OUT - ACCESSING ROUTER/AP CONFIG WITHOUT BRIDGE

Tue Jan 18, 2022 6:31 pm

The interface for neighbours discovery is to ensure that, at least for me, all my MT devices can see each other when I fire up winbox!!
This is why the management vlan or trusted vlan or subnet, is where all managed devices get their IP address from.
So if you already use a trusted vlan or subnet for your neighbors discovery and mac winmac winbox entries, then no need to create another list.......

Some call it base, some call it control, some call it management or manage, and they all equal = trusted subnet where all smart devices get their IP address from.
TheLorc
Frequent Visitor
Posts: 85
Joined: Mon Jul 18, 2022 4:53 am

Re: CONFIG ISSUES / LOCKED OUT - ACCESSING ROUTER/AP CONFIG WITHOUT BRIDGE

Tue Aug 02, 2022 8:28 pm

4. Add ether5-access to the trusted interface as a list member. It could be a trusted vlan, could the management vlan, could be LAN etc...... (router only)

How do I do this? I'm sure for someone experienced with Mikrotik this is an obvious and stupid question. However most using this guide will be complete beginners. What does it mean to add to the "trusted interface"?

Do you do this in Interfaces tab on the left? I do not want to mess around with anything in case I mess stuff up and lose connectivity and have to factory reset the device

Edit: do you go Interfaces -> interface list -> Add ->

List: LAN
Interface: Ether5-access

Click OK

I am guessing that's what you do but it doesn't say Trusted anywhere
anav
Forum Guru
Topic Author
Posts: 17370
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CONFIG ISSUES / LOCKED OUT - ACCESSING ROUTER/AP CONFIG WITHOUT BRIDGE

Wed Aug 03, 2022 2:22 am

[quote=TheLorc post_id=949340 time=1659461290 user_id=203713]
4. Add ether5-access to the trusted interface as a list member. It could be a trusted vlan, could the management vlan, could be LAN etc...... (router only)

How do I do this? I'm sure for someone experienced with Mikrotik this is an obvious and stupid question. However most using this guide will be complete beginners. What does it mean to add to the "trusted interface"?
Do you do this in Interfaces tab on the left? I do not want to mess around with anything in case I mess stuff up and lose connectivity and have to factory reset the device
Edit: do you go Interfaces -> interface list -> Add ->
List: LAN
Interface: Ether5-access
Click OK
I am guessing that's what you do but it doesn't say Trusted anywhere
[/quote]


Well, you do have to do some work, trial and error, but yes.
A trusted subnet means to me one where you have confidence there are no mal-intentioned parties or dangerous parties.
For example, I would not call guest wifi a trusted network, but I would also not call a network with teenage kids a trusted network, as they are going to explore and may visit not so friendly sites.
Businesses use a separate management vlan from any work vlan to monitor/config devices.
So it's up to you. Personally, whatever network my PC is on would be the usual trusted network.
For example, my wife works from home, so I put her on a separate vlan, NOT the trusted network, but also independent from any other user behind the router.
The only thing that is common is access to a common printer.

So typically besides the default Interface List entries of WAN and LAN, I add
MANAGE, or TRUSTED.

The interface members of this group would be
a. the Management vlan (add vlan name)
b. the name of the ethernet interface you have chosen you would use for off bridge configuration. (add interface name)

There are two other settings to ensure are factored in:
6. Add the interface list Manage, or whatever it is called on your device, as the entry in IP neighbours
7. Add the interface list Manage, or whatever it is called on your device, under tools mac server WINMAC SERVER

Finally, your input rules should match the reality
add chain=input action=accept in-interface-list=MANAGE

You can refine that further by really drilling down to only those that need access to the Winbox or SSH port.
add chain=input action=accept in-interface-list=MANAGE dst-port=winboxport# protocol=tcp src-address-list=Authorized

Where Authorized is a firewall address list comprised of specific groups or individual IPs with access to config the router.
add address=Desktop IP of admin list=Authorized
add address=Laptop IP of admin list=Authorized
add address=smartphone IP of admin list=Authorized
add address=Offbridge IP of laptop list=Authorized { this would be set to the common IP you add to your IPv4 settings }

Don't forget that if you change the input rules, the rest of the users still need access to DNS and maybe NTP
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=tcp
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=udp

Finally, finish off the input chain with the Drop all else rule
add chain=input action=drop
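The guide in the opening post and anav's input-chain reply just above both rest on a handful of invariants: the access port is off the bridge, has its own address, is a member of the list that neighbour discovery and MAC-Winbox use, is allowed through the Winbox service restriction, and has an input accept rule that sits above the "drop all else" rule (RouterOS evaluates filter rules top to bottom, first match wins). The following checker is an added example, not code from this thread or from MikroTik: it parses a RouterOS /export dump and reports which of those invariants are broken, so you can run it against an export before you touch the bridge. The SAMPLE_EXPORT is constructed from the commands posted here, the function names are mine, and the menu paths (/interface list member, /ip neighbor discovery-settings, /tool mac-server mac-winbox, /ip service) are assumed to appear in the export in their usual RouterOS form.

```python
import ipaddress
import re

# Constructed sample /export modelled on the commands posted in this thread;
# it is not a dump from any real device.
SAMPLE_EXPORT = """\
/interface ethernet
set [ find default-name=ether5 ] name=ether5-access
/interface list
add name=LAN
add name=Trusted
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
/interface list member
add interface=bridge list=LAN
add interface=ether5-access list=Trusted
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.5.1/24 interface=ether5-access network=192.168.5.0
/ip neighbor discovery-settings
set discover-interface-list=Trusted
/tool mac-server mac-winbox
set allowed-interface-list=Trusted
/ip service
set winbox address=192.168.88.0/24,192.168.5.0/24
/ip firewall filter
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input in-interface=ether5-access src-address=192.168.5.0/24
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input
"""

PARAM_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
# A "drop all else" rule carries nothing but these keys.
CATCH_ALL_KEYS = {"action", "chain", "comment", "disabled", "log", "log-prefix", "_target"}


def parse_export(text):
    """Map each menu path of an /export dump to its [(verb, params), ...] rows."""
    sections, path = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line
            sections.setdefault(path, [])
            continue
        tokens = line.split()
        params = {k: v.strip('"') for k, v in PARAM_RE.findall(line)}
        # 'set winbox address=...' names its item positionally; keep it under _target
        if len(tokens) > 1 and "=" not in tokens[1] and tokens[1] != "[":
            params["_target"] = tokens[1]
        sections.setdefault(path, []).append((tokens[0], params))
    return sections


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def check_emergency_access(export_text, iface, iface_list):
    """Return the problems that would break off-bridge access; [] means the path is intact."""
    cfg = parse_export(export_text)
    rows = lambda path: cfg.get(path, [])
    problems = []

    # 1. The access port must not be a bridge port, or a bridge mistake takes it down too.
    if any(p.get("interface") == iface for _, p in rows("/interface bridge port")):
        problems.append(f"{iface} is still a bridge port")

    # 2. It needs its own IP address, independent of the bridge subnet.
    nets = [_net(p["address"]) for _, p in rows("/ip address")
            if p.get("interface") == iface and "address" in p]
    if not nets:
        problems.append(f"{iface} has no IP address")

    # 3. Membership in the trusted list feeds neighbour discovery and MAC-Winbox.
    if not any(p.get("interface") == iface and p.get("list") == iface_list
               for _, p in rows("/interface list member")):
        problems.append(f"{iface} is not a member of list {iface_list}")

    # 4./5. Discovery and MAC-Winbox must be keyed to that same list.
    settings = {path: {k: v for _, p in rows(path) for k, v in p.items()}
                for path in ("/ip neighbor discovery-settings", "/tool mac-server mac-winbox")}
    if settings["/ip neighbor discovery-settings"].get("discover-interface-list") != iface_list:
        problems.append(f"neighbor discovery is not using list {iface_list}")
    if settings["/tool mac-server mac-winbox"].get("allowed-interface-list") != iface_list:
        problems.append(f"MAC-Winbox is not using list {iface_list}")

    # 6. If Winbox has an 'Available From' restriction, the access subnet must be in it.
    for _, p in rows("/ip service"):
        if p.get("_target") == "winbox" and p.get("address"):
            allowed = [_net(a) for a in p["address"].split(",")]
            if not any(n.overlaps(a) for n in nets for a in allowed):
                problems.append("winbox service 'Available From' excludes the access subnet")

    # 7. An input accept for the port must exist and sit above the catch-all drop.
    accept_idx = drop_idx = None
    for i, (_, p) in enumerate(rows("/ip firewall filter")):
        if p.get("chain") != "input" or p.get("disabled") == "yes":
            continue
        hits_port = p.get("in-interface") == iface or p.get("in-interface-list") == iface_list
        if accept_idx is None and p.get("action") == "accept" and hits_port:
            src = p.get("src-address")
            if src and not any(n.overlaps(_net(src)) for n in nets):
                problems.append(f"accept rule for {iface} has src-address {src} outside its subnet")
            accept_idx = i
        if drop_idx is None and p.get("action") == "drop" and set(p) <= CATCH_ALL_KEYS:
            drop_idx = i
    if accept_idx is None:
        problems.append(f"no input accept rule for {iface}")
    elif drop_idx is not None and drop_idx < accept_idx:
        problems.append(f"catch-all input drop (rule {drop_idx}) precedes the accept for {iface} (rule {accept_idx})")
    return problems


if __name__ == "__main__":
    found = check_emergency_access(SAMPLE_EXPORT, "ether5-access", "Trusted")
    for line in found or ["off-bridge access path is intact"]:
        print(line)
```

Paste the output of `/export` into a file and call `check_emergency_access(text, "<your access port>", "<your list>")`; anything it prints is a way the emergency path can fail before you need it. The rule-order check is deliberately strict: the accept has to precede the first unqualified drop in the input chain, since a drop placed above it matches first and the accept never runs.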
Panda01
just joined
Posts: 21
Joined: Fri Mar 17, 2023 2:14 pm

Re: Config Issues / Locked Out - Accessing Router/AP Config Without Bridge

Wed Mar 29, 2023 3:38 pm

{ linked from New User Pathway To Success Config Success - viewtopic.php?t=182373 }

EXAMPLE- ether5, decide to use 192.168.5.55 as allowed IP.

add interface=ether5 name=ether5-access
/ip address
add interface=ether5-access address=192.168.5.1/24 network=192.168.5.0
/Interface list
add interface=Trusted
/interface list members
add interface=ether5-access list=Trusted
/ip neighbours discovery
add interface-list=Trusted
/tool mac-server mac-winbox
set allowed-interface-list=Trusted
/ip firewall filter
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input in-interface=ether5-access src-address=192.168.5.55


Thank you for explaining and writing the examples. I am very new to all the MT topic and trying to learn. I have to say that I am already stuck in the first command.

> add interface=ether5 name=ether5-access
Gives me a "bad command name add (line 1 column 1)"

Do I have to be in a specific directory in the terminal to be able to run this command?

I am running RouterOS 7.8 on Hex.
holvoetn
Forum Guru
Posts: 3675
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Config Issues / Locked Out - Accessing Router/AP Config Without Bridge

Wed Mar 29, 2023 3:41 pm

/interface ethernet

You can also use GUI part. Might be easier, especially since I suspect ether5 might already be there.
Panda01
just joined
Posts: 21
Joined: Fri Mar 17, 2023 2:14 pm

Re: Config Issues / Locked Out - Accessing Router/AP Config Without Bridge

Wed Mar 29, 2023 3:57 pm

/interface ethernet

You can also use GUI part. Might be easier, especially since I suspect ether5 might already be there.
Not sure how to understand this. If I check in the GUI (WINBOX) I can see:
- default bridge (members: ether2,3,4). I removed interface 5 from the bridge.
- ether1 (WAN)
- And ether5

I thought that the command "add interface=ether5 name=ether5-access" is to create some sort of alias for ether5.
So what should I do if the interface is already there?

Also, in the path "/interface/ethernet" there is no "add" command. I get the same error.
holvoetn
Forum Guru
Posts: 3675
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Config Issues / Locked Out - Accessing Router/AP Config Without Bridge

Wed Mar 29, 2023 4:26 pm

My mistake:
It could be interface list but that command doesn't work there (although export does show it as such).

Then anav will have to step in to clarify.
Panda01
just joined
Posts: 21
Joined: Fri Mar 17, 2023 2:14 pm

Re: Config Issues / Locked Out - Accessing Router/AP Config Without Bridge

Wed Mar 29, 2023 4:41 pm

With WINBOX I have done the following:
- added ether5 to the "LAN" list. At the moment the "LAN" list is accepted in the firewall.
- Gave ether5 a static ip and tested if I can connect to it via the physical port ether5. It works. So I will continue and play with VLANs.

Thank you
anav
Forum Guru
Topic Author
Posts: 17370
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Config Issues / Locked Out - Accessing Router/AP Config Without Bridge

Wed Mar 29, 2023 8:17 pm

The default name for an etherport is ether5

Many people change the name to suit their purposes....... or keep the default.
/interface ethernet
set [ find default-name=ether2 ]
set [ find default-name=ether3 ]
set [ find default-name=ether4 ] name="ether3 - Fiber to Store 02"
set [ find default-name=ether5 ] name=ether5emerg
Panda01
just joined
Posts: 21
Joined: Fri Mar 17, 2023 2:14 pm

Re: Config Issues / Locked Out - Accessing Router/AP Config Without Bridge

Thu Mar 30, 2023 9:37 am


/interface/ethernet
set [ find default-name=ether5 ] name=ether5emerg
This worked. Thank you.
BigCol
just joined
Posts: 14
Joined: Sat Feb 11, 2023 5:12 pm

Re: Config Issues / Locked Out - Accessing Router/AP Config Without Bridge

Fri Mar 31, 2023 12:55 am

I have 2 MT APs and an MT switch, would they all use 192.168.5.0 network for the management/emergency ether2 port??

ie
AP1 192.168.1.2
AP2 192.168.1.3
SW1 192.168.1.4

and with the config detailed above, would I:
1) be able to connect to any of the 3 management interfaces without having to physically connect to Ether2, assuming I'm calling from the trusted laptop/pc IP?
2) need to cable both Ether1 and Ether2 ports on the APs? I'm sure I would....
404Network
Member
Posts: 316
Joined: Wed Feb 16, 2022 2:04 pm

Re: Config Issues / Locked Out - Accessing Router/AP Config Without Bridge

Fri Mar 31, 2023 7:49 pm

The idea of the off bridge emerg access is LOCAL emergency access.
If you want to be able to log in to another device, then that depends on ensuring the configuration on all devices is set up accordingly.

As I've stated, PLAN and fully state your user requirements beforehand, create a network diagram to reflect that and equipment, ISP connection etc.
Then a config will make sense.

Chasing a config like you are doing is fruitless....... what about this, or what about that. I don't care.
PLAN it, draw it, config it, it will work...
anav
Forum Guru
Topic Author
Posts: 17370
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Config Issues / Locked Out - Accessing Router/AP Config Without Bridge

Thu Sep 07, 2023 4:38 pm

@BigCol, each smart device (can read vlan tags, for example) should get an IP address on a trusted subnet. Assuming we are talking MT devices, then each device will show up on your Winbox display, as they would all belong to the LIST you made that is used in ip neighbors discovery and the mac-server winbox-mac-server setting. Typically these are static leases. If the device is not MT, one should still assign its IP on the trusted subnet under good security practices.