The odd approach of MikroTik - bridges - management - switching

I jumped down the rabbit hole and bought a CRS309-1G-8S+IN.
Trying to do the sane thing, and not storm the network, I wanted to separate the management interface from the switch ports and the bridge they were connected to - quite a sane thought, since it’s delivered with a bridge, doing everything, being active on everything…

How does the MikroTik community approach this? —> Allow management only on a specific (lan) port - MikroTik

They firewall the heck out of it - same bridge, plenty of fw rules and usually not a sane approach to it at all. Granted, this was an older thread, but the newer ones did recommend the same approach.

Here’s an idea instead -

Create a new bridge - name it something clever.
My model has one 1Gb Ethernet port (with PoE), so this is my target to use.
In the current firmware I am using, all the management services listen on the IP set under IP > Addresses… Now, here’s the kicker…

You might wanna hook up additional cables, because we would need to have a commit button instead of realtime apply/ok…

We need to do two things -
Assign the IP to the new bridge (causing the connection to die off ofc)
Assign the port we want, into the newly created bridge.

But - why don’t I just assign the port first? Well, I did end up trying the other way around - push all the other interfaces over to a new bridge - that simply caused lockups and a lovely reset needed to happen… Now, if you are with this model connected to say port 1 (not ether1) to start with, this works - and you can do the above parts in the other order, flipping cables around later on…

Summary - I feel that MikroTik and its community like to do everything the long way around. For me, this is odd - really odd. Documentation on this is, well, bad as well. I feel that an easier approach should be had - this is not pure consumer level stuff, heck, even old Netgear switches make it easier to lock down management parts to at least specific ports or IP filters. Assigning it to its own bridge means no need for fw rules, there’s nothing listening! Thanks for listening/reading ;).

Bridging together the interfaces you want to talk to one another makes sense in my book, as does locking yourself out when transferring the management session around.

I will take a look at my MT-gear later regarding “management”-interfaces.

I’ve found oddities with my approach - as the bridging does not work out of the box as I expected. I was reading the documentation from MikroTik way too long tonight, I’ll see if I can expand on this, but, there seems to be a longer way still than my approach above. Mission is still - locked to specific interface (still have serial ofc…), and no bridging between “switch interfaces” and “management interface”.

In short, the first “bridge” that had “auto-mac” on, now does not have it, and it has set the same MAC on both bridges…

Yes, the locking-yourself-out part during setup is valid - had my session not been over the bridges I am poking, this would be a non-issue.
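The two-step cut-over from the first post (move the IP to a new bridge, then move the management port into it) and the duplicate-MAC oddity from the follow-up, written out as RouterOS CLI commands. This is an added example, not configuration from the thread or from MikroTik; it assumes the factory bridge is named `bridge`, the management port is `ether1`, and the `admin-mac` values and the 192.168.88.0/24 subnet are constructed placeholders.

```routeros
# Added example (not from the thread). Assumptions: default bridge is "bridge",
# management port is ether1, MAC and subnet values are placeholders.

# 1. Create the dedicated management bridge; nothing else is ever added to it,
#    so no firewall rules are needed to keep the switch ports away from it.
/interface bridge add name=mgmt comment="management only"

# 2. The CLI has no commit button, so do both cut-over steps on one line so
#    they apply together. The session over the old bridge drops here by design.
#    First the management address moves to mgmt, then ether1 is moved into it.
/ip address set [find interface=bridge] interface=mgmt; /interface bridge port set [find interface=ether1] bridge=mgmt

# 3. Pin a fixed, distinct MAC on each bridge so auto-mac cannot leave both
#    bridges answering on the same address (placeholder locally-administered MACs).
/interface bridge set bridge auto-mac=no admin-mac=02:00:00:00:00:01
/interface bridge set mgmt auto-mac=no admin-mac=02:00:00:00:00:02

# 4. Verify from the new connection (ether1, or serial as the fallback):
#    the management address lives only on mgmt, and mgmt contains only ether1.
/ip address print where interface=mgmt
/interface bridge port print where bridge=mgmt
/interface bridge print where name=mgmt
```

Run step 2 while connected through something other than the old bridge, or accept the drop and reconnect on ether1. Safe Mode (Ctrl+X in the terminal) is the wrong tool for this step: it rolls changes back when the session is lost, and losing the session is exactly what this cut-over does, so the serial console or a second cable is the fallback, as the post says.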
