Create a dedicated management interface on MikroTik.

  • Added 6. 09. 2024

Comments • 33

  • @seantellsit1431
    @seantellsit1431 7 months ago +2

    I always set up an 'emergency' port on all my mikrotiks. Saves so much time. This includes routers and switches. This acts like a dedicated management port we see on enterprise gear like Juniper or Extreme.

  • @Jerrec
    @Jerrec 1 month ago

    Good idea. I usually let the 88.1 IP running on the Management Port and add a DHCP to it. Also the Port is usually disconnected and therefore no security issue. For Inband Management, I use a Management VLAN that sometimes is connected to the bridge (or port). Additionally I only use devices with an extra OOB Management Port.

    • @jfernandez76
      @jfernandez76 14 days ago +1

      So do I, I have the last port assigned with its own IP and DHCP. I also allow all VLANs to go through, so if I want to test a specific subnet I can just set it in my computer interface.

  • @kirksteinklauber260
    @kirksteinklauber260 7 months ago +3

    I use a different approach but similar. I just edit the FW rule that blocks all what is LAN and I change it to WAN, so any bridge or VLAN interfaces will allow to connect to the router for Management.!!! Very nice video by the way!

  • @marakito
    @marakito 7 months ago +4

    It would be nice to see a mikrotik tutorial with a dedicated port placed in a separate vrf limiting it from data traffic ;)

  • @blindside995
    @blindside995 7 months ago +2

    Good advice including the onscreen bit for some additional info was nice.

  • @oneoxide
    @oneoxide 7 months ago +2

    Good advice! Mistakes taught me to create such management interfaces already 😅

  • @mikkio5371
    @mikkio5371 7 months ago +4

    Networkberg. Been a while, u look more brit now 😅. Nice one for dropping this. Well appreciated.

    • @TheNetworkBerg
      @TheNetworkBerg 7 months ago +3

      Hahaha I need to get a haircut and trim my beard and moustache a little bit, my wife wants me to try a new style since I have looked the same since we met 7 years ago so letting my hair grow out a little bit.

  • @Flankymanga
    @Flankymanga 6 months ago +1

    Thumbs up just for the Berserk wallpaper!

  • @mhfk08
    @mhfk08 1 month ago

    3:50
    Even if ether port 2 is not part of the bridge, we should still be able to see the router to which it is connected

    • @mhfk08
      @mhfk08 1 month ago

      4:35
      I can see now

  • @user-zb2qm7gn7w
    @user-zb2qm7gn7w 4 months ago

    I think you could create a DHCP server on ether2 so you don't need to hard set it on the laptop

  • @jamesw5584
    @jamesw5584 7 months ago +1

    Safe mode is a good mode to be in, just don't forget to leave. I've made that mistake, usually 100 lines into a vrf and it only happened once. Honest.

  • @welldone8564
    @welldone8564 7 months ago +2

    Thank you

  • @kellydavid4021
    @kellydavid4021 3 months ago

    How can I configure mikrotik for automatic hotspot billing?

  • @drumaddict89
    @drumaddict89 7 months ago +1

    yeeeeah gothic FTW in the background!
    also looking forward to the remake?
    oh and also a side note ... naming interfaces with something like "[ ]" could cause trouble once one starts to work with scripts. just a precaution ;)

    • @TheNetworkBerg
      @TheNetworkBerg 7 months ago

      Yeah indeed! Gothic's atmosphere is one of the best ever. I usually replay 1 and 2 every couple of years. Definitely looking forward to the remake, but I can see myself still playing the original more. Sad that Piranhabytes is being closed down by Embracer group.

    • @ON3RVH
      @ON3RVH 7 months ago

      naming interfaces is always a bad idea, that's what the comments are for :)

    • @drumaddict89
      @drumaddict89 7 months ago

      @TheNetworkBerg all of them were great at that time and absolutely stunning for their genre at that time.
      Oh, I missed out on that close-down story :( need to get myself updated on that. A pity.

  • @MB-xh3tv
    @MB-xh3tv 7 months ago

    Normally you would remove a port from bridge and therefore Lan list with a good purpose like singing it as a Wan port or just because you would like to route to another router. You could then make a special list entry like Management and configure a FW rule for just Management and Mac allowing on Management also. Then make sure connection for wan is allowed also for the Management list, that way when adding it to the port, you are sure to cut off everything and can still have a meaningful dual purpose why you deleted it from Bridge 😀

    • @TheNetworkBerg
      @TheNetworkBerg 7 months ago

      This is taking a single port and essentially converting it for PURE management in the event of a critical failure. It beats having to factory reset and rebuilding config from backup or scratch or even having to netinstall. Can be very useful especially for people that make many many tweaks to their devices.

    • @ubi6874
      @ubi6874 5 months ago

      @TheNetworkBerg Having added Port 2 to interface list, when the device is rebooted will the port be excluded from the default switch function? What is the function of 'Interface list'?

  • @mofous
    @mofous 6 months ago

    This video seems relevant to my interests, however I'm new to Mikrotik and to 'advanced' networking in general, so I thought I'd ask before I start going down the rabbit hole. I have a custom 5G router / modem with a RBM33G board. ETH1 is currently being used to power the device via POE and for management. ETH2 is not part of the default bridge (disabled) and is set up as pass-through for the LTE interface (and it's wired into one of the WAN ports of my multi-WAN router, providing internet access). Forgive my ignorance, but is there a way to use ETH1 for POE and LTE pass-through *and* have it be accessible via Winbox for management? Or is setting up VLANs the only option to have all three things work with only one ethernet cable and interface? Thanks.

  • @nikolashuminosky6987
    @nikolashuminosky6987 7 months ago

    do u know what bridge-->port-cost-mod does?

  • @garrygoodrege255
    @garrygoodrege255 7 months ago

    Hi Mr. Berg, can you explain to me why, after installing virbox or vmware player on PC, I can't see mikrotik packets for winbox? I think that it is something with multiple interfaces, but I do not understand how to fix it. That problem is seen in virtual environments like GNS or eve-ng.

  • @AhmadAhmad-jf3wb
    @AhmadAhmad-jf3wb 7 months ago

    Hello,
    in this way we can't access all of the network,
    we must use romon.
    Is it better to use a management vlan?

    • @TheNetworkBerg
      @TheNetworkBerg 7 months ago +1

      A management vlan is preferred for daily operations, the dedicated port is more of an additional failsafe in case you lock yourself out of a router by accident and need to get back onto it.

  • @michaelsims7728
    @michaelsims7728 7 months ago

    Thank you for the video. Quick question: when you showed the IP firewall and port 2 wasn't on it, does that mean it cannot pass any traffic ingress and egress out of the switch, or just that port cannot connect to the winbox? The reason I ask is I wonder, if I only have a direct connect computer to have access, would it be better to disable the port or just use a firewall rule on the PFsense 6100 router? I have the CRS 328-24P-4S+RM. The MK is just used as a switch.

    • @TheNetworkBerg
      @TheNetworkBerg 7 months ago +1

      No the MT firewall allows everything by default if there is no deny rule or traffic matches any rules it will just be allowed but in that instance since there is a rule referring everything that is not in the LAN interface list will be dropped on input traffic to the router itself. This will however not block transit/forwarding traffic going through the router to other networks or the Internet. Hope that helps

    • @michaelsims7728
      @michaelsims7728 7 months ago

      @TheNetworkBerg Thank you, yes sir it does!

  • @tokoiaoben3842
    @tokoiaoben3842 7 months ago

    What happened to your pfsense? Have you stopped using it?

    • @TheNetworkBerg
      @TheNetworkBerg 7 months ago +5

      Hello, yes I have stopped using pfSense. If I am looking at opensource firewalls I am more inclined to work on OPNsense.