
Network Hardware

Basic Network Topology

[Figure: net_device_topology.svg]

Fios G1100 Configuration

I'm keeping the Fios-provided G1100 as the main gateway. This is to maintain TV/Phone functionality that's hard to work around, since the set top boxes are on a separate Coax/MoCA network. My main router lives behind the G1100 with the DMZ pointed at it, per the "Secondary DMZ" instructions in the DSLReports FAQ.

Here's a rundown of the configurations I set on the device:

  • Set a password
    • Main > Change Admin Password
  • Disable radios
    • Wireless Settings > Basic Security Settings > 2.4 GHz Wireless: [ ] On [X] Off
    • Wireless Settings > Basic Security Settings > 5 GHz Wireless: [ ] On [X] Off
  • Turn off WPS
    • Wireless Settings > Wi-Fi Protected Setup (WPS) > Wi-fi Protected Setup: [X] OFF
  • Set custom DNS Servers
    • My Network > Network Connections > Broadband Connection > Settings
      • DNS Server: Use the following DNS Server Addresses
      • Primary DNS Server: X.X.X.X
      • Secondary DNS Server: X.X.X.X
  • Disable Firewall
    • My Network > Network Connections > Broadband Connection > Settings
      • Internet Connection Firewall: [ ] Enabled
  • Block Traffic for Amazon Dash
    • Firewall > Access Control
      • Add, pick User Defined Device, Add, select MAC Address. You can select from the list if the device is already on the network, or fill in the MAC Address field.
      • Choose Protocol (Any), and when (Always) then Apply
  • DMZ the secondary router
    • Firewall > DMZ Host
      • DMZ Host: [X] Enable [ ] Disable
      • IP Address: X.X.X.X (static address of my router)
  • Dynamic DNS (for noip.com addresses)
    • Click Add. Fill out host info, provider, user, pass. Click Apply.
  • IPv6
    • Advanced > Routing > IPv6 Configuration
      • Keep enabled in case Frontier ever does something with IPv6
  • DHCP Server (enabled for easy direct connection if needed)
    • Advanced > Routing > IP Address Distribution
      • Click on the Pencil Icon. I usually pick something like 192.168.1.150-250 for the address range. Set top boxes get static addresses starting at 100, and that leaves all the low numbers free.
  • Set the router's hostname and domain
    • Advanced > Configuration Settings > System Settings
      • Wireless Broadband Router's Hostname: <hostname>
      • Local Domain: <domain>

Mikrotik Configuration Management

CAPsMAN

  • Theory

    I configure the main device, then hold a button while booting subsequent devices. This is only supposed to handle wireless config. I'm not sure how it will work for the cAP ac behind the switch unless I preconfigure the switch.

    Initially I'll try it out with all devices directly connected to the CAPsMAN device.

Ansible

  • Minimal manual configuration

    TODO: This can probably be done with a script and a few vars (ip, bridge, new-ip); ssh-keygen is only done once.

    • get the ip from script argument
    • push the key over ftp
    • add user
    • add key
    • fix the admin account
    • bridge ports if bridge
    • set a new ip
    • management ports with use-service-tag set

    TODO: this is theory still

    1. Generate your ssh key (once), then update the comment:
       ssh-keygen -t rsa -m pem
       ssh-keygen -c -C ansible
    2. Upload the public key with ftp, as described in
       https://wiki.mikrotik.com/wiki/Use_SSH_to_execute_commands_(public/private_key_login)
    3. Add an ansible user.
    4. Import the uploaded key for that user:
       /user ssh-keys import public-key-file=id_rsa.pub user=ansible
    5. Add an ssh certificate, enable ssh.
    6. Disable the admin account, or at least put a password on it.
    7. Bridge all ports (except on the main router).
    8. Set a static IP???

    Can I create an ansible playbook for this? Temporarily override the ssh host IP with 192.168.88.1 and use the default admin account.

  • Inventory
    Listing 1: inventory
    all:
        vars:
            vlan_mapping: {
                        3: 'mgmt',
                        5: 'service',
                        10: 'family',
                        20: 'mine',
                        21: 'vintage',
                        30: 'kids_games',
                        40: 'guest'
                        }
    
    home_mikrotiks:
        hosts:
            # note: macs change based on port
            # can probably get away with matching on the first 5 octets for my small net
            # ansible_host is the current name; ansible_ssh_host is the deprecated spelling
            mtk_router:
                init_type: "router"
                mac_addr: "fa:ke:ma:ca:dd:rs"
                ansible_host: "10.0.3.1"
            mtk_family:
                init_type: "bridge_ap"
                ansible_host: "10.0.3.3"
                mac_addr: "fa:ke:ma:ca:dd:rs"
            mtk_cap_ac:
                init_type: "bridge_ap"
                ansible_host: "10.0.3.4"
                mac_addr: "fa:ke:ma:ca:dd:rs"
            # mtk_crs125:
            #     init_type: "switch"
            #     ansible_host: "10.0.3.2"
            #     mac_addr: "fa:ke:ma:ca:dd:rs"
            # TEMPORARY stand-in for crs125 (hap_crs_sub is actually hapac2_eu)
            mtk_hap_crs_sub:
                init_type: "switch"
                ansible_host: "10.0.3.2"
                mac_addr: "fa:ke:ma:ca:dd:rs"
    
        vars:
            ansible_network_os: "community.routeros.routeros"
            ansible_user: "ansible"
            # the private half of the key whose .pub was imported on the device
            ansible_ssh_private_key_file: "/path/to/key"
            ansible_connection: "ansible.netcommon.network_cli"
    
    home_servers:
        hosts:
            astaroth:
                ansible_host: "10.0.3.10"
            barbatos:
                ansible_host: "10.0.3.11"
    
    
    
    test_mikrotiks:
        hosts:
            mtk_hapmini:
                mac_addr: "fa:ke:ma:ca:dd:rs"
            mtk_rb751u:
                mac_addr: "fa:ke:ma:ca:dd:rs"
            mtk_maplite:
                mac_addr: "fa:ke:ma:ca:dd:rs"
            mtk_hapac2_eu:
                mac_addr: "fa:ke:ma:ca:dd:rs"
    
        vars:
            ansible_network_os: "community.routeros.routeros"
            ansible_user: "ansible"
            ansible_ssh_private_key_file: "/path/to/key"
            ansible_connection: "ansible.netcommon.network_cli"
    
  • Playbooks

    Always set gather_facts: false for mikrotik devices: the default fact gathering expects Python on the target, which RouterOS does not have. strategy: free lets each device move on to its next task as soon as it finishes the current one, instead of every host waiting for the slowest one at each task.

    Listing 2: playbook.yml
    ---
    - name: Home Network
      hosts: home_mikrotiks
      gather_facts: false
      strategy: free
      tasks:
        - name: enable wifi
          # community.routeros.command is the collection's full name for routeros_command
          community.routeros.command:
            commands:
              - /interface wireless ...
    ...
    
    • Playbook Ideas
      • upgrade firmware, routeros https://github.com/gregsowell/ansible-mikrotik
      • reboot devices
      • disable wireless
      • bridge all ports
      • forward ports
      • backup configs (on a schedule)
      • set a device note with inventory name
      • reset with keep-users
      • limit management ssh allowed address ranges
      • disable password ssh "/ip ssh set always-allow-password-login=no"
      • a nice testing playbook to verify all network devices remain reachable (possible verify they can all reach each other too)
  • Roles
    Create a template "rolename"
    ansible-galaxy init <rolename>
    

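Several of the Playbook Ideas above (limit the ssh ranges, disable password ssh, set a device note, back up configs, check that devices stay reachable) as one playbook. This is an added example, not the page's playbook; it assumes the Listing 1 inventory (an ansible user with an imported key, the mgmt VLAN on 10.0.3.0/24) and the community.routeros collection, and the backups/ path is an assumption.

```yaml
---
# Added example, not the page's playbook. Assumes the Listing 1 inventory
# and the community.routeros collection; backups/ is an assumed path.
- name: Harden management access and back up config
  hosts: home_mikrotiks
  gather_facts: false
  strategy: free
  vars:
    mgmt_net: 10.0.3.0/24   # vlan 3 in vlan_mapping
  tasks:
    - name: Limit ssh and winbox to the management network
      community.routeros.command:
        commands:
          - /ip service set ssh address={{ mgmt_net }}
          - /ip service set winbox address={{ mgmt_net }}

    - name: Turn off clear-text management services
      community.routeros.command:
        commands:
          - /ip service disable telnet
          - /ip service disable ftp
          - /ip service disable www

    - name: Key-only ssh for users that have a key, strong ciphers
      community.routeros.command:
        commands:
          - /ip ssh set always-allow-password-login=no strong-crypto=yes

    - name: Label the device with its inventory name
      community.routeros.command:
        commands:
          - /system identity set name={{ inventory_hostname }}
          - /system note set show-at-login=yes note="managed by ansible as {{ inventory_hostname }}"

    - name: Export the running configuration
      community.routeros.command:
        commands:
          - /export
      register: export_out

    - name: Store the export on the controller
      ansible.builtin.copy:
        content: "{{ export_out.stdout[0] }}\n"
        dest: "backups/{{ inventory_hostname }}.rsc"
      delegate_to: localhost

    - name: Check every other mikrotik is reachable from this one
      community.routeros.command:
        commands:
          - /ping {{ hostvars[item].ansible_host | default(hostvars[item].ansible_ssh_host) }} count=2
      loop: "{{ groups['home_mikrotiks'] | difference([inventory_hostname]) }}"
      register: ping_out
      failed_when: "'received=0' in ping_out.stdout[0]"
```

Run it from a controller that is itself inside mgmt_net: the first task restricts the ssh service to that range, and a controller outside it loses the device on the very next task.
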
Power draw

Device        Idle, Wifi Off   Idle, Wifi On
hAP ac2       4.3 W
cAP ac        4.3 W
CRS125-24G