Network Hardware
Device page links
Also have these as extra equipment:
Basic Network Topology
Fios G1100 Configuration
I'm keeping the Fios provided G1100 as the main gateway. This is to maintain TV/Phone functionality that's hard to work around due to the set top boxes being on a separate Coax/MoCA network. My main router lives behind the G1100 with the DMZ pointed at it per "Secondary DMZ" instructions in the DSLReports FAQ.
Here's a rundown of the configurations I set on the device:
- Set a password
Main > Change Admin Password
- Disable radios
Wireless Settings > Basic Security Settings > 2.4 GHz Wireless
: [ ] On [X] Off
Wireless Settings > Basic Security Settings > 5 GHz Wireless
: [ ] On [X] Off
- Turn off WPS
Wireless Settings > Wi-Fi Protected Setup (WPS) > Wi-fi Protected Setup
: [X] OFF
- Set custom DNS Servers
My Network > Network Connections > Broadband Connection > Settings
DNS Server
: Use the following DNS Server Addresses
Primary DNS Server
: X.X.X.X
Secondary DNS Server
: X.X.X.X
- Disable Firewall
My Network > Network Connections > Broadband Connection > Settings
Internet Connection Firewall
: [ ] Enabled
- Block Traffic for Amazon Dash
Firewall > Access Control
- Add, Pick User Defined Device, Add, select MAC Address. You can select from the list if already on the network, or fill in the Mac Address field.
- Choose Protocol (Any), and when (Always) then Apply
- DMZ the secondary router
Firewall > DMZ Host
DMZ Host
: [X] Enable [ ] Disable
IP Address
: X.X.X.X (static address of my router)
- Dynamic DNS (for noip.com addresses)
- Click Add. Fill out host info, provider, user, pass. Click Apply.
- IPv6
Advanced > Routing > IPv6 Configuration
- Keep enabled in case Frontier ever does something with IPv6
- DHCP Server (enabled for easy direct connection if needed)
Advanced > Routing > IP Address Distribution
- Click on the Pencil Icon. I usually pick something like 192.168.1.150-250 for the address range. Set top boxes get static addresses starting at 100, and that leaves all the low numbers free.
- Set the router's hostname and domain
Advanced > Configuration Settings > System Settings
Wireless Broadband Router's Hostname
: <hostname>
Local Domain
: <domain>
Mikrotik Configuration Management
CAPsMAN
Theory
I configure the main device, then hold a button while booting subsequent devices. This is only supposed to handle wireless config. I'm not sure how it will work for the cap ac behind the switch unless I preconfigure the switch.
Initially I'll try it out with all devices directly connected to the CAPsMAN device.
Ansible
Minimal manual configuration
TODO: This can probably be done with a script and a few vars (ip, bridge, new-ip); ssh-keygen is only done once.
- get the ip from script argument
- push the key over ftp
- add user
- add key
- fix the admin account
- bridge ports if bridge
- set a new ip
- management ports with use-service-tag set
TODO: this is theory still
- Generate your ssh key, and then update the comment.
ssh-keygen -t rsa -m pem
ssh-keygen -c -C ansible
https://wiki.mikrotik.com/wiki/Use_SSH_to_execute_commands_(public/private_key_login)
Upload the key with ftp.
- Add an ansible user
Import the file: /user ssh-keys import public-key-file=id_rsa.pub user=ansible
- Add an ssh certificate, enable ssh
- Disable admin account or at least password it
- Bridge all ports (except main router)
- Set a static IP???
Can I create an ansible playbook for this? Temporarily override the ssh_host IP with 192.168.88.1 and use the default admin account.
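The manual bootstrap above as one script, an added example (not from these notes or from MikroTik) that takes the ip, new ip and role from arguments and keeps the page's step order, but does it in two phases so the admin/password path is only closed after key login has been proven to work. The key file names, the empty admin password on a fresh device, the 10.0.3.0/24 management range and the `phase1_cmds`/`phase2_cmds` helpers are assumptions.

```shell
#!/bin/sh
# Bootstrap a factory-default MikroTik into key-only Ansible access in two
# phases: the password path is closed only after key login has been proven.
# Usage: mtk-bootstrap.sh <current-ip> <new-ip/prefix> <router|bridge>
# Assumed (hypothetical) defaults: key pair ./ansible_key{,.pub}, empty admin
# password on the fresh device, management range 10.0.3.0/24.
set -eu
KEY_PUB="${KEY_PUB:-ansible_key.pub}"
MGMT_NET="${MGMT_NET:-10.0.3.0/24}"

# Phase 1 (as admin, old address): add the key-only user, move to the final
# address. Pure function, one RouterOS command per line, so the batch can be
# reviewed before it is sent.  $1=new ip/prefix $2=router|bridge $3=key file name
phase1_cmds() {
  echo "/user add name=ansible group=full comment=\"ansible, key only\""
  echo "/user ssh-keys import public-key-file=$3 user=ansible"
  if [ "$2" = bridge ]; then
    echo "/interface bridge add name=bridge1"
    echo ':foreach i in=[/interface ethernet find] do={/interface bridge port add bridge=bridge1 interface=$i}'
    echo "/ip address add address=$1 interface=bridge1"
  else
    echo "/ip address add address=$1 interface=ether2"
  fi
}

# Phase 2 (as ansible with the key, new address): only now lock out passwords,
# restrict ssh to MGMT_NET, drop the ftp used for the upload, and park admin.
phase2_cmds() {
  echo "/ip ssh set always-allow-password-login=no"
  echo "/ip service set ssh address=$MGMT_NET"
  echo "/ip service disable telnet,ftp,www"
  echo "/user disable admin"
}

# RouterOS executes one command per ssh invocation, so send the batch line by line.
run_batch() {   # args: ssh options, then user@host (last); commands on stdin
  while IFS= read -r cmd; do ssh -n "$@" "$cmd"; done
}

main() {
  old="$1"; new="$2"; role="$3"; newhost="${new%%/*}"
  curl -sS -u admin: -T "$KEY_PUB" "ftp://$old/"            # push key over ftp
  phase1_cmds "$new" "$role" "$(basename "$KEY_PUB")" | run_batch "admin@$old"
  # abort here, with admin still usable, if key login does not work
  ssh -o BatchMode=yes -i "${KEY_PUB%.pub}" "ansible@$newhost" '/system identity print'
  phase2_cmds | run_batch -o BatchMode=yes -i "${KEY_PUB%.pub}" "ansible@$newhost"
}
if [ $# -eq 3 ]; then main "$@"; fi
```

Run it against a device on its default 192.168.88.1 first; the phase 1 batch can be printed with `phase1_cmds` alone to check what would be sent.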
Inventory
```yaml
all:
  vars:
    vlan_mapping: { 3: 'mgmt', 5: 'service', 10: 'family', 20: 'mine', 21: 'vintage', 30: 'kids_games', 40: 'guest' }

home_mikrotiks:
  hosts:
    # note: macs change based on port
    # can probably get away with matching on the first 5 octets for my small net
    mtk_router:
      init_type: "router"
      mac_addr: "fa:ke:ma:ca:dd:rs"
      ansible_ssh_host: "10.0.3.1"
    mtk_family:
      init_type: "bridge_ap"
      ansible_ssh_host: "10.0.3.3"
      mac_addr: "fa:ke:ma:ca:dd:rs"
    mtk_cap_ac:
      init_type: "bridge_ap"
      ansible_ssh_host: "10.0.3.4"
      mac_addr: "fa:ke:ma:ca:dd:rs"
    # mtk_crs125:
    #   init_type: "switch"
    #   ansible_ssh_host: "10.0.3.2"
    #   mac_addr: "fa:ke:ma:ca:dd:rs"
    # TEMPORARY stand-in for crs125 (hap_crs_sub is actually hapac2_eu)
    mtk_hap_crs_sub:
      init_type: "switch"
      ansible_ssh_host: "10.0.3.2"
      mac_addr: "fa:ke:ma:ca:dd:rs"
  vars:
    ansible_network_os: "community.routeros.routeros"
    ansible_user: "ansible"
    # private key file: ansible_ssh_private_key_file is the variable Ansible reads
    ansible_ssh_private_key_file: "/path/to/key"
    ansible_connection: "ansible.netcommon.network_cli"

home_servers:
  hosts:
    astaroth:
      ansible_ssh_host: "10.0.3.10"
    barbatos:
      ansible_ssh_host: "10.0.3.11"

test_mikrotiks:
  hosts:
    mtk_hapmini:
      mac_addr: "fa:ke:ma:ca:dd:rs"
    mtk_rb751u:
      mac_addr: "fa:ke:ma:ca:dd:rs"
    mtk_maplite:
      mac_addr: "fa:ke:ma:ca:dd:rs"
    mtk_hapac2_eu:
      mac_addr: "fa:ke:ma:ca:dd:rs"
  vars:
    ansible_network_os: "community.routeros.routeros"
    ansible_user: "ansible"
    # private key file: ansible_ssh_private_key_file is the variable Ansible reads
    ansible_ssh_private_key_file: "/path/to/key"
    ansible_connection: "ansible.netcommon.network_cli"
```
Playbooks
Always set gather_facts: false for mikrotik devices. strategy: free lets the playbook continue immediately instead of waiting for each inventory item.
```yaml
---
- name: Home Network
  gather_facts: false
  hosts: home_mikrotiks
  strategy: free
  tasks:
    - name: enable wifi
      routeros_command:
        commands:
          - /interface wireless ...
...
```
- Playbook Ideas
- upgrade firmware, routeros https://github.com/gregsowell/ansible-mikrotik
- reboot devices
- disable wireless
- bridge all ports
- forward ports
- backup configs (on a schedule)
- set a device note with inventory name
- reset with keep-users
- limit management ssh allowed address ranges
- disable password ssh "/ip ssh set always-allow-password-login=no"
- a nice testing playbook to verify all network devices remain reachable (possibly verify they can all reach each other too)
Roles
ansible-galaxy init <rolename>
Power draw
| Device | Idle, Wifi Off | Idle, Wifi On |
|---|---|---|
| hAP ac2 | 4.3 W | |
| cAP ac | 4.3 W | |
| CRS125-24G | | |