cloud and security. lol. keep your enterprise stuff.

> - Develop a damned cloud portal for us "enterprise" [IT/MSP/WISP/Enterprise/Professional] for us to manage and provision XYZ devices [Pro/Enterprise] type of hardware MikroTik develops. This would create the added layer of security
> There is never a perfect world. But for certain device types, cloud provisioning these days is leading the way. There also needs to be local management. If we cloud provision, the device info and network/device password would be saved at an administrative level. We copy password and use it to access the device locally [if cloud provisioned].
10000% this and feel your frustration. Similar experience and feelings.

> at some point we had to deploy around 800 cap ac for a hotel. of course managed by capsman. so with the old v6 ros, this was done in a few days, just resetting the new device and uploading a minimal config that would set a few things took us around 1.5 - 2 min per device.
> imagine now with DEVICE PASSWORD. read what's written on the small label, then type it in, then change password to something normal... and after some time you start making errors and it takes more and more time to read the small label. i think i'd start throwing them at the wall and then destroy everything around me and go to mental healthcare.
> and then if somewhere along that path you entered some device mode and we had to do even MORE work to change some settings. hell no.
> i really have no idea why the f you started with random passwords, and now with this device mode bullshit.
> you're not considering that IT PEOPLE don't want to make their own life more difficult. but you're making it more difficult with these nonsense choices.
> PS i'm still waiting for the day you return real superchannel with all frequencies open. until that happens, bye bye mikrotik ptp.
YES! I thought i was the only one.

> i think i'd start throwing them at the wall and then destroy everything around me and go to mental healthcare.

YES! but in this case this will break stuff already deployed

> and then if somewhere along that path you entered some device mode and we had to do even MORE work to change some settings. hell no.

YES!

> i really have no idea why the f you started with random passwords, and now with this device mode bullshit.

I like you

> you're not considering that IT PEOPLE don't want to make their own life more difficult. but you're making it more difficult with these nonsense choices.
This year several of the largest "cloud providers" had 0day events, allowing hackers to take over your network during device provisioning. Please follow security blogs, it's not as the pretty advertisements say. We take security very seriously, and working on our own controller, we are taking all this into consideration. Rushing cloud solutions gets you hacked.

> There is never a perfect world. But for certain device types, cloud provisioning these days is leading the way. There also needs to be local management. If we cloud provision, the device info and network/device password would be saved at an administrative level. We copy password and use it to access the device locally [if cloud provisioned].
Can you please describe in full sentences how device-mode is interfering with your workflow? What was implemented in first beta releases is no longer in 7.17rc.

> This thread speaks for itself, please rethink device-mode and don't give a shit. We have been switching to MTik devices for some time, but now we can move on to other manufacturers. Thanks!
Other changes since v7.16:
!) device-mode - after upgrade, mode "enterprise" is renamed to "advanced" and traffic-gen, partition (command "repartition"), routerboard and install-any-version features will be disabled (additional fixes);
Thank you for these clear words. I appreciate Mikrotik's position on the cloud topic.

> This year several of the largest "cloud providers" had 0day events, allowing hackers to take over your network during device provisioning. Please follow security blogs, it's not as the pretty advertisements say. We take security very seriously, and working on our own controller, we are taking all this into consideration. Rushing cloud solutions gets you hacked.
>
> > There is never a perfect world. But for certain device types, cloud provisioning these days is leading the way. There also needs to be local management. If we cloud provision, the device info and network/device password would be saved at an administrative level. We copy password and use it to access the device locally [if cloud provisioned].
One of the most beautiful sentences read on the forum.

> Rushing cloud solutions gets you hacked.
yes, but the only meaningful thing you can do there is enable boot from network without touching the device. now you need to press the button to change this menu.

> >>> routerboard [feature will be disabled]
> What exactly is disabled? The entire menu?
how can this be circumvented?

> >>> install-any-version [feature will be disabled]
> Given that this thing can be TRIVIALLY circumvented, this could be an extremely annoying thing,
This is again a new offtopic. Is this a 7.17 question?

> @ Normis
> mine is a question without controversy. It seems clear that Mikrotik is focusing on the domestic market and I can only be pleased about this, personal opinion. Have you ever thought of dividing ROS into an Enterprise branch and a Home branch, the latter with only the minimum packages (DLNA comes to mind - Media useful at home but perhaps not much in an Enterprise environment) perhaps with small step-by-step guided procedures? I know it would be a double version to maintain but in my opinion the Home version would be much simpler. The hateful problem of the 16MB flash memories of Home devices (AC2 for example) could be solved in one fell swoop. As a home user, I am in love with Mikrotik and ROS and where I could, even at relatives' and friends' houses, I installed a Mikrotik but sometimes I lost hours configuring everything 100%. A Home version perhaps even more concentrated only on WebFig instead of Winbox with small guided procedures, guides and advice would not be bad. Let's be clear, in a Home environment you hardly use ROS in a complete way; once you create a wizard for opening TCP/UDP ports, VPN, Media Sharing, Wifi, with easy procedures to add a second RB as a repeater/access point, you have almost completely satisfied home users and you could afford not to touch this "ROS-Home Edition" for months. It goes without saying that any device modes etc. on Home devices you could apply without too many problems and concentrate on more structured procedures for Enterprise users. If we look, all router manufacturers that sell both in the Enterprise and Home market have double versions of their ecosystem/system and in my opinion you should seriously consider this possibility if, as I think, you have rightly decided to enter the home-domestic market.
> Even if it has little to do with the discussion, I would invite Mikrotik to take our comments/suggestions a little more seriously and in my opinion only something good can come out of it, see the retracement of the much more restrictive device mode on the first betas of 7.17.
that's not true, we have more professional switches than ever, etc. we have many products.

> It seems clear that Mikrotik is focusing on the domestic market

when extra space is needed, we already do that. if there is plenty of space in a device, you can simply ignore features you do not use. we don't plan to separate RouterOS. it was always our main goal, any device can do anything. you don't need to pay thousands to use ospf etc.

> Have you ever thought of dividing ROS
Just intercept routerboard traffic and provide fake webserver, dns, ip. Test already done successfully.

> how can this be circumvented?

I can't find the right words to express myself, I'm not a native speaker, the idea is that other users would say to you <CENSORED>

> a button press is needed. that is all. it is not forbidden. it just requires a button press.
already installed devices are not changed by this?
So if I understand wrongly, how come to me and other people on the forum it seems CLEARLY that it says that after upgrade

> Other changes since v7.16:
> !) device-mode - after upgrade, mode "enterprise" is renamed to "advanced" and traffic-gen, partition (command "repartition"), routerboard and install-any-version features will be disabled (additional fixes);

If you read carefully, I did not write about installing a modified version of RouterOS, but a real, authentic package from an older version.

> That's not true, RouterOS itself checks package integrity, checksum and allowed version. It does not matter where package came from, it will not be installed.
Default device mode = advanced, routerboard is set to disabled.

> *) ethernet - improved linking after reboot for hAP ax lite devices ("/system routerboard upgrade" required);
> *) routerboot - fixed boot MAC for devices with Alpine CPU ("/system routerboard upgrade" required);
> *) routerboot - fixed boot MAC for MIPSBE CRS3xx and CRS5xx switches ("/system routerboard upgrade" required);
> *) routerboot - improved stability for IPQ8072 and IPQ6010 when flash-boot is used ("/system routerboard upgrade" required);
> *) sfp - improved initialization for certain SFP modules on CRS309 and CRS317 devices ("/system routerboard upgrade" required);
It is still possible to downgrade ROS as normis already explained.
Until this happens, I believe what is documented on help.mikrotik.com.

> I've seen a response to a bug ticket that this will be prevented later on.

The world is marching to cloud everything, but as Normis states, it should not be done blindfolded.

> This year several of the largest "cloud providers" had 0day events, allowing hackers to take over your network during device provisioning. Please follow security blogs, it's not as the pretty advertisements say. We take security very seriously, and working on our own controller, we are taking all this into consideration. Rushing cloud solutions gets you hacked.
>
> > There is never a perfect world. But for certain device types, cloud provisioning these days is leading the way. There also needs to be local management. If we cloud provision, the device info and network/device password would be saved at an administrative level. We copy password and use it to access the device locally [if cloud provisioned].
about downgrades, there is ZERO logical reason to knowingly downgrade to a version with a known CVE, possibly allowing easy access to the device by a hacker. Zero. Do not try to find it.
Simply, someone does not want you to downgrade to a SECURE working version once you install some version that has major changes but later turns out to be unexpectedly unstable...

> This list can be updated to versions which include some major changes in RouterOS below which downgrade should not be allowed.

We don't know. I assume this info about insecure versions is hardcoded into the ROS main package. But this would make no sense TBH (as some devices may not be updated regularly). A check against an external database would make more sense somehow. But what if an intruder on the network blocks or redirects these remote database requests to their own fake service? ok, responses could be signed so ROS only accepts trusted data. But the intruder could still block outgoing requests to the database, so ROS won't be able to update its "insecure version" list.

> about downgrades, there is ZERO logical reason to knowingly downgrade to a version with a known CVE, possibly allowing easy access to the device by a hacker. Zero. Do not try to find it.

This is new to me ... that the ROS upgrader has a built-in function to check a certain ROS package against a database of CVEs applicable to ROS.
Or how should I understand this feature?
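The two design questions raised above, whether an installer verifies package integrity and an allowed-version list, and what it should do when a signed remote denylist cannot be fetched or is stale, can be made concrete with a small model. The following Python is an added example for this thread, not MikroTik's code and not a description of how RouterOS actually implements its checks. It assumes a signed package manifest, a signed and timestamped version denylist, and an HMAC as a stand-in for the vendor signature; every key, version number, package and digest in it is constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed stand-in for a vendor signing key. A real design would ship the
# vendor's public key in firmware and verify an asymmetric signature; HMAC is
# used here only to keep the example dependency-free.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_DENYLIST_AGE_S = 30 * 24 * 3600   # a cached denylist older than this is "stale"
NOW = 1_700_000_000                   # fixed clock so the example is deterministic


def sign(payload: bytes) -> str:
    return hmac.new(VENDOR_KEY, payload, hashlib.sha256).hexdigest()


def make_signed(data: dict) -> dict:
    """Produce a {payload, sig} document as a vendor service would publish it."""
    payload = json.dumps(data, sort_keys=True)
    return {"payload": payload, "sig": sign(payload.encode())}


def trusted_document(doc: dict, now: float, max_age: Optional[float] = None) -> Optional[dict]:
    """Return the parsed payload only if the signature verifies (and, when
    max_age is given, the document is fresh enough); otherwise None."""
    payload = doc["payload"].encode()
    if not hmac.compare_digest(sign(payload), doc["sig"]):
        return None
    data = json.loads(payload)
    if max_age is not None and now - data.get("issued_at", 0) > max_age:
        return None
    return data


def version_tuple(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def install_decision(package: bytes, version: str, running: str,
                     manifest_doc: dict, denylist_doc: Optional[dict],
                     now: float = NOW) -> Tuple[bool, str]:
    """Decide whether `package` (claiming to be `version`) may replace `running`.

    Checks run in this order: package integrity against the signed manifest,
    then version policy against the signed denylist. If no valid, fresh
    denylist is available (blocked, redirected, or never fetched) a downgrade
    is refused rather than waved through: the policy fails closed.
    """
    manifest = trusted_document(manifest_doc, now)
    if manifest is None:
        return False, "manifest signature invalid"
    digest = hashlib.sha256(package).hexdigest()
    if manifest["versions"].get(version) != digest:
        return False, "package digest does not match the signed manifest"

    is_downgrade = version_tuple(version) < version_tuple(running)
    denylist = trusted_document(denylist_doc, now, MAX_DENYLIST_AGE_S) if denylist_doc else None
    if denylist is None:
        if is_downgrade:
            return False, "no fresh signed denylist available; downgrade refused (fail closed)"
        return True, "upgrade allowed; denylist unavailable but integrity verified"
    if version in denylist["denied"]:
        return False, f"version {version} is on the signed denylist"
    return True, "allowed"


# Constructed sample data: three fake packages, a signed manifest of their
# digests, and two signed denylists (one fresh, one 90 days old).
PACKAGES = {v: f"constructed-package-{v}".encode() for v in ("7.16", "7.17", "7.18")}
MANIFEST = make_signed({"versions": {v: hashlib.sha256(b).hexdigest() for v, b in PACKAGES.items()}})
FRESH_DENYLIST = make_signed({"issued_at": NOW - 3600, "denied": ["7.16"]})
STALE_DENYLIST = make_signed({"issued_at": NOW - 90 * 24 * 3600, "denied": ["7.16"]})


if __name__ == "__main__":
    running = "7.17"
    for label, pkg_version, denylist in [
        ("downgrade to denied version, fresh list", "7.16", FRESH_DENYLIST),
        ("downgrade, list stale (fetch blocked)", "7.16", STALE_DENYLIST),
        ("downgrade, list never fetched", "7.16", None),
        ("upgrade, list never fetched", "7.18", None),
    ]:
        ok, why = install_decision(PACKAGES[pkg_version], pkg_version, running, MANIFEST, denylist)
        print(f"{label}: {'ALLOW' if ok else 'REFUSE'} ({why})")
    tampered = PACKAGES["7.18"] + b"x"
    print("tampered upgrade:", install_decision(tampered, "7.18", running, MANIFEST, FRESH_DENYLIST))
```

The point of the model is the fail-closed branch: a denylist that cannot be refreshed, whether because an attacker blocks the request or because the device was simply offline, does not silently become "no restrictions". A forged or expired denylist is treated exactly like a missing one, so redirecting the fetch to a fake service gains nothing beyond blocking it outright, and integrity is checked before policy so a modified package never reaches the version logic at all.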
The device-mode itself carries a lot of possibilities of deadlocks. Like install-any-version, flagged, etc. What if I enable all of the needed features, then something happens and flagged activates and disables the escape possibilities, or if I upgrade some production routers to a stable but buggy version and need to downgrade to a previous stable version which is marked as insecure by MTik, but that is the version where the bug is not "implemented" and we could operate stably on... and opening a ticket which is never answered

> Can you please describe in full sentences how device-mode is interfering with your workflow? What was implemented in first beta releases is no longer in 7.17rc.
>
> > This thread speaks for itself, please rethink device-mode and don't give a shit. We have been switching to MTik devices for some time, but now we can move on to other manufacturers. Thanks!

There seem to be different meanings of "Enterprise". My "Enterprise" employer (and all others I know) has a dedicated Information Security Department which would never allow highly sensitive network devices to talk to a vendor cloud without going through a lengthy approval process including regular audits and, in the US, FIPS certification (without saying that corporate security theater necessarily makes things safer). That works for Cisco etc. which are used to this and have all the required certificates and contracts ready. But not for a shop like Mikrotik.

> It's definitely a challenge for managing MikroTik devices, especially in enterprise settings. A cloud provisioning portal would be a great solution for easier management.
I agree and have also suggested soho and enterprise/professional product lines from MikroTik

> @ Normis
> mine is a question without controversy. It seems clear that Mikrotik is focusing on the domestic market and I can only be pleased about this, personal opinion. Have you ever thought of dividing ROS into an Enterprise branch and a Home branch, the latter with only the minimum packages (DLNA comes to mind - Media useful at home but perhaps not much in an Enterprise environment) perhaps with small step-by-step guided procedures? I know it would be a double version to maintain but in my opinion the Home version would be much simpler. The hateful problem of the 16MB flash memories of Home devices (AC2 for example) could be solved in one fell swoop. As a home user, I am in love with Mikrotik and ROS and where I could, even at relatives' and friends' houses, I installed a Mikrotik but sometimes I lost hours configuring everything 100%. A Home version perhaps even more concentrated only on WebFig instead of Winbox with small guided procedures, guides and advice would not be bad. Let's be clear, in a Home environment you hardly use ROS in a complete way; once you create a wizard for opening TCP/UDP ports, VPN, Media Sharing, Wifi, with easy procedures to add a second RB as a repeater/access point, you have almost completely satisfied home users and you could afford not to touch this "ROS-Home Edition" for months. It goes without saying that any device modes etc. on Home devices you could apply without too many problems and concentrate on more structured procedures for Enterprise users. If we look, all router manufacturers that sell both in the Enterprise and Home market have double versions of their ecosystem/system and in my opinion you should seriously consider this possibility if, as I think, you have rightly decided to enter the home-domestic market.
> Even if it has little to do with the discussion, I would invite Mikrotik to take our comments/suggestions a little more seriously and in my opinion only something good can come out of it, see the retracement of the much more restrictive device mode on the first betas of 7.17.
@Normis
The frustration here is that we all feel MikroTik is taking the wrong direction for security and function. Do some market research on what other vendors have done or are currently doing with success. Why reinvent the wheel?
soho/consumer product lines: hAP and similar - "lock" to WebFig and the MikroTik App [iOS / Android]. These come with a baked config like any other consumer device. Home / residential users are not going to maintain them.
The real hardware [CCR, CRS, Routerboard lines] should be the Professional/Enterprise line and be full featured with proper packaging of software. Look at what other vendors do for pushing their firmware and software. Perhaps have built-in md5 checksums during install, or signed packages. Randomized passwords on stickers is chaos theory and has already caused us headaches with remote cAP deployments.
IE: We drop shipped new cAPs to a customer and had a tech go connect them. Well, they shipped with the new randomized passwords.... We had to go back to distribution to get the passwords. This turned a 3-minute job per AP of factory reset for cAP mode and provisioning into hours. We ended up having the tech take pictures of the stickers and we matched up the MAC address to the device and were able to get into them after reset.
Same goes for outdoor APs that are out in the weather.
What happens if a technology company takes over a customer's network and the prior IT / MSP did NOT properly document the default passwords.......