# WIP: Dedicated Console Port on ether5

**Status:** Pending consideration
**Created:** 2026-01-31
**Purpose:** Emergency management access independent of VLAN configuration

---

## Rationale

If VLAN or bridge configuration breaks, having a dedicated port with static IP provides guaranteed router access without relying on the main network setup.

---

## Current State

| Port | Current Use | PVID |
|------|-------------|------|
| ether5 | Unraid eth2 (bond member) | 10 |

---

## Proposed Configuration

### Remove ether5 from Bridge

```routeros
# Backup first
/system backup save name=pre-console-port

# Remove from bridge
/interface bridge port remove [find interface=ether5]
```

### Assign Static IP

```routeros
# Isolated subnet - not used by any VLAN
/ip address add address=192.168.99.1/24 interface=ether5 comment="Console Port - Emergency Access"
```

### Firewall Rule

```routeros
# Allow all management traffic from console port
/ip firewall filter add chain=input action=accept in-interface=ether5 \
    comment="Console Port - Allow All" place-before=0
```

---

## Access Instructions

1. Connect laptop directly to **ether5** (rightmost port on hAP ax³)
2. Configure laptop with static IP:
   - IP: `192.168.99.2`
   - Netmask: `255.255.255.0`
   - Gateway: `192.168.99.1`
3. Access router:
   - **WinBox:** 192.168.99.1:8291
   - **SSH:** `ssh -p 2222 xtrm@192.168.99.1`
   - **WebFig:** http://192.168.99.1

---

## Impact Assessment

### Pros
- Always-available management access
- Independent of bridge/VLAN state
- Works even if filtering misconfigured

### Cons
- Loses one port from bridge (ether5)
- Unraid bonding reduced to single link (ether4 only)
- Physical security concern (anyone plugging in gets router access)

---

## Alternatives

### Option A: Use ether5 (Current Proposal)
- Simple, dedicated port
- Sacrifices Unraid bond member

### Option B: Use ether2 (CAP XL ac port)
- CAP currently on ether2
- Would need to move CAP to switch port
- More complex but preserves Unraid bond

### Option C: Separate VLAN for Management
- Keep ether5 in bridge
- Create untagged management VLAN on ether5
- More complex but keeps port in bridge

---

## Decision

- [ ] Implement Option A (ether5 dedicated)
- [ ] Implement Option B (move CAP)
- [ ] Implement Option C (management VLAN)
- [ ] Defer - not needed

---

**Notes:**
- Consider physical labeling of port if implemented
- Document in network map
- Keep emergency access instructions printed/offline