jazzymc/infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4b766145b492845d2dedf0ed1faf47fa00f99402
infrastructure/docs/wip/CONSOLE-PORT-ETHER5.md
Kaloyan Danchev 4b766145b4 Add AdGuard DNS setup with automatic failover documentation 
- docs/16-ADGUARD-VLAN-PLAN.md: Implementation plan for AdGuard on VLANs
- docs/17-DNS-ADGUARD-FAILOVER.md: Complete DNS architecture with:
  - Dual AdGuard setup (MikroTik primary, Unraid secondary)
  - Automatic failover via Netwatch monitoring
  - NAT redirect rules for all VLANs
  - Sync configuration between instances
- docs/wip/CONSOLE-PORT-ETHER5.md: WIP plan for dedicated console port

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-31 17:22:18 +02:00

2.4 KiB
Raw Blame History

WIP: Dedicated Console Port on ether5

Status: Pending consideration Created: 2026-01-31 Purpose: Emergency management access independent of VLAN configuration

Rationale

If VLAN or bridge configuration breaks, having a dedicated port with static IP provides guaranteed router access without relying on the main network setup.

Current State

Port Current Use PVID
ether5 Unraid eth2 (bond member) 10

Proposed Configuration

Remove ether5 from Bridge

# Backup first
/system backup save name=pre-console-port

# Remove from bridge
/interface bridge port remove [find interface=ether5]

Assign Static IP

# Isolated subnet - not used by any VLAN
/ip address add address=192.168.99.1/24 interface=ether5 comment="Console Port - Emergency Access"

Firewall Rule

# Allow all management traffic from console port
/ip firewall filter add chain=input action=accept in-interface=ether5 \
    comment="Console Port - Allow All" place-before=0

Access Instructions

  1. Connect laptop directly to ether5 (rightmost port on hAP ax³)
  2. Configure laptop with static IP:
    • IP: 192.168.99.2
    • Netmask: 255.255.255.0
    • Gateway: 192.168.99.1
  3. Access router:

Impact Assessment

Pros

  • Always-available management access
  • Independent of bridge/VLAN state
  • Works even if filtering misconfigured

Cons

  • Loses one port from bridge (ether5)
  • Unraid bonding reduced to single link (ether4 only)
  • Physical security concern (anyone plugging in gets router access)

Alternatives

Option A: Use ether5 (Current Proposal)

  • Simple, dedicated port
  • Sacrifices Unraid bond member

Option B: Use ether2 (CAP XL ac port)

  • CAP currently on ether2
  • Would need to move CAP to switch port
  • More complex but preserves Unraid bond

Option C: Separate VLAN for Management

  • Keep ether5 in bridge
  • Create untagged management VLAN on ether5
  • More complex but keeps port in bridge

Decision

  • Implement Option A (ether5 dedicated)
  • Implement Option B (move CAP)
  • Implement Option C (management VLAN)
  • Defer - not needed

Notes:

  • Consider physical labeling of port if implemented
  • Document in network map
  • Keep emergency access instructions printed/offline
Reference in New Issue View Git Blame Copy Permalink