FEATURE REQUEST: Add Basic Firewall Rule Wizard

bds1904 · Wed Mar 25, 2020 3:40 am

Please add a button that will add certain common, basic firewall rules. For example, on ip/firewall/rules add a winbox button called "add basic rules wizard". Have this button generate a series of check-boxes that can be selected from to add basic firewall rules based on your LAN/WAN lists.

Such possibilities include:

Add Default firewall rules
Block BOGON networks from WAN, incoming and outgoing
Add default FASTTRACK rules
Add IPSEC rules
Add VPN rules

Just to name a few

Steveocee · Wed Mar 25, 2020 9:47 am

That’s already included in the default config. The rules are freely available from the Wiki if you need to reference them.

bds1904 · Thu Mar 26, 2020 3:54 am

I understand that they are there but not logging into the terminal and running a bunch of commands would be nice for the average user. Not looking through the wiki would be nice also.

Click button, get firewall rules.

There’s nothing wrong with adding some simple features via a wizard. It’s when there’s no manual configuration and it’s not transparent that wizards become an issue.

Making RouterOS slightly more friendly never hurt anybody.

vecernik87 · Thu Mar 26, 2020 5:31 am

You can't simplify this. Each situation is different. For example some people may be behind ISP's NAT and use RFC1918 address... blocking bogons might break this...
In addition, these "premade" rules may be incompatible with existing setting etc... If you have a single change against defconf, it may break so many things...
Too many problems, not much simplification.

Finally, if you know you want bogon rules (i.e. you know the term) then you can create the rule in less than 1 minute anyway. If you want VPN rules, you know exactly what kind of VPN you use and again - you can add it in few minutes. Users, who would benefit from such Wizard will not understand those terms and in the end will not have any benefit.

Thu Mar 26, 2020 9:08 am

That is why we have quickset where you can disableenable default firewall ruleset or default NAT rules.

bds1904 · Thu Mar 26, 2020 3:58 pm

You can't simplify this. Each situation is different. For example some people may be behind ISP's NAT and use RFC1918 address... blocking bogons might break this...
In addition, these "premade" rules may be incompatible with existing setting etc... If you have a single change against defconf, it may break so many things...
Too many problems, not much simplification.

Finally, if you know you want bogon rules (i.e. you know the term) then you can create the rule in less than 1 minute anyway. If you want VPN rules, you know exactly what kind of VPN you use and again - you can add it in few minutes. Users, who would benefit from such Wizard will not understand those terms and in the end will not have any benefit.

This is exactly why I hate the IT community. Simplifying something isn’t going to cost you your job.

Simplifying a firewall rule wizard such as adding bogon and certain types of VPN won’t mess anything up for standard configurations as long as you actually follow best practice and put your WAN’s and LAN’s in the address lists.

Personally I have a script written that applies all the firewalls I need for certain situations, including Multi-WAN and Multi-LAN and everything. The scripts utilize the address lists to ensure everything works. I am not the typical user, but I do work with ISPs that utilize Mikrotik products at the customer location, including basic residential.

Note, I’m saying for standard configurations. One WAN, one LAN, standard.

If you are not using a “standard configuration“ then you likely don’t want to use a firewall rule or wizard.

Get your head out of the sand and realize that simplifying a product or its configuration makes the product more marketable to more people. The more markable routerOS products are, the more cool products Mikrotik will keep making.

pe1chl · Thu Mar 26, 2020 5:39 pm

That is why we have quickset where you can disableenable default firewall ruleset or default NAT rules.

It would be helpful when there was a feature (in quickset or otherwise) to reset the firewall to defaults (including the required interface lists) without changing other router config.
The default firewall has been improved a lot, but many users still run the old firewall because it is only updated when you reset EVERYTHING to defaults.

vortex · Thu Mar 26, 2020 6:33 pm

The default firewall has been improved a lot, but many users still run the old firewall because it is only updated when you reset EVERYTHING to defaults.

I did not know this and I would not reset everything.

Cha0s · Fri Mar 27, 2020 12:07 am

This is exactly why I hate the IT community. Simplifying something isn’t going to cost you your job.

That's why I hate the non-IT community. Instead of complaining about what you don't know how to use and asking to dumb down things, you should start by RTFM. It doesn't cost your job. It isn't even your job to begin with.

Sob · Fri Mar 27, 2020 1:05 am

making something more intuitive - good, and RouterOS is doing well (of course it's relative, beginners may not agree)
making it simpler - depends, but probably good if it doesn't limit possibilities
dumbing down - bad

This could be the second case, some of it could be good as part of future more capable Quick Set. But outside of it, I'm not sure. Some of those things are just too simple (e.g. VPN/IPSec needs one to three simple rules). And you add them once. You save nothing with the wizard. It could make sense for something more complex, but then you have the problem how to put things together. You still need to understand what you're doing, put the rules in right place, etc. It's difficult to do automatically, unless you support it only for one specific basic config. Which IMHO leads again to improved Quick Set.

Steveocee · Fri Mar 27, 2020 5:22 am

There is no possible scenario an “auto firewall” button would work. Where it may work for you, it won’t for another.

I share your sentiment entirely with not over complicating things but sometimes there is wanting to be spoon fed.

pe1chl · Fri Mar 27, 2020 12:33 pm

Some of those things are just too simple (e.g. VPN/IPSec needs one to three simple rules). And you add them once. You save nothing with the wizard. It could make sense for something more complex, but then you have the problem how to put things together. You still need to understand what you're doing, put the rules in right place, etc. It's difficult to do automatically, unless you support it only for one specific basic config. Which IMHO leads again to improved Quick Set.

Well of course there is the possibility of having an extra layer on top of the current settings where you would manage the firewall from Quick Set only and you would have selections like "open this service to internet" or "forward this port to that IP (from internet)" and the system would maintain the rules required for that by itself.
Indeed when you make manual changes in the config and then go back to the Quick Set way it will totally break, but that already is the case with the current Quick Set once you go beyond a simple NAT-router setup... we have requested a "lock" on Quick Set for a long time (so you can block Quick Set once you have made specific customizations, either manually or automatically) but it never happened, so MikroTik apparently is not so worried about that.

But note that lots of things that people are fighting with, like having the proper firewall settings for a system that uses IPsec, have been solved in the default firewall on newer RouterOS versions.
But most people never get that new default firewall. Even when you buy the device new, the first time you plug it in it loads the default firewall rules for the RouterOS that was installed by the factory (maybe half a year ago) and then when you click "Check for Updates" in the Quick Set and it updates the RouterOS, the new firewall is never loaded unless you then again click Reset to Defaults.
Which most people never do because they already started from defaults.
Similar, once you have owned the device for some time and you upgrade RouterOS, the new firewall is never loaded and you won't Reset to Defaults anymore because you have already configured it.
It would be great when there was an additional "Reset only Firewall to Defaults" button on Quick Set that just resets the firewall. Maybe it should even hint to do that when you first access the router after an upgrade and it sees it does not have the current defaults yet.

vortex · Fri Mar 27, 2020 2:11 pm

Resetting just the firewall is not great either, except for totally casual users.

A firewall analyzer would be nice.

pe1chl · Fri Mar 27, 2020 4:06 pm

I think most casual users would be totally fine with the default firewall as it is today.
Of course it is not a button you must click without knowing what you are doing, but that is the case for almost any setting in a router like this.

vortex · Fri Mar 27, 2020 4:34 pm

You have to be careful because the WAN might not be connected to the first port.

Chupaka · Fri Mar 27, 2020 5:14 pm

You have to be careful because the WAN might not be connected to the first port.

That's why Interface Lists were introduced: no more "ether1" in firewall rules!

pe1chl · Fri Mar 27, 2020 5:22 pm

You have to be careful because the WAN might not be connected to the first port.
That's why Interface Lists were introduced: no more "ether1" in firewall rules!

Indeed, that is one of the reasons the new default firewall is so much better.
Of course, resetting the firewall should also create and populate the interface lists when they were not yet present.
(as the defaults script does as well)

vortex · Fri Mar 27, 2020 5:37 pm

How would the router know which ports are WAN in the general case to create those lists?

pe1chl · Fri Mar 27, 2020 5:45 pm

It can look at the existing configuration. E.g. check where the default route is pointing.
Remember this is only for the simple "NAT router on a consumer internet connection" case.
It manages quite well when you use QuickSet to configure a router, e.g. when you configure PPPoE client that interface is automatically added to the WAN list.
It does not matter so much when it makes wrong decisions because of the clever use of WAN and !LAN in the firewall.

Valerio5000 · Sat Mar 28, 2020 1:34 am

I would very much agree to include a very simplified entry under Quick setup to open a certain port or service to a specific IP address. I believe that the Quick Setup page could be made a separate package of ROS so that it is installed only by novice users and those who do not want it do not install it.

aoakeley · Sat Mar 28, 2020 6:43 am

If you are not using a “standard configuration“ then you likely don’t want to use a firewall rule or wizard.

Sorry - what's a standard configuration?

I'm serious... what you consider to be standard will not be what someone else does.

Chupaka · Sat Mar 28, 2020 11:12 am

"Standard" means "the configuration you have after configuration reset", the default one

pe1chl · Sat Mar 28, 2020 11:37 am

If you are not using a “standard configuration“ then you likely don’t want to use a firewall rule or wizard.

Sorry - what's a standard configuration?

I'm serious... what you consider to be standard will not be what someone else does.

I consider a "standard configuration" to be the consumer NAT router with one internet interface (be it ethernet, VLAN, PPPoE or what you can think of) and a local LAN bridge that has the remainder of the ethernet ports and possible wifi interfaces as ports.
This is what QuickSet already can setup and what Reset to Defaults installs (except on CCR and RB1100, but those are not the intended audience).

Additional to this "standard configuration" the user may want to add a VPN or wants to open some port to an internal system.
This is also what other consumer type routers do support.

Anything beyond that is not covered by this and will have to be configured manually. I operate a lot of routers that would not be covered by this, but I think I am not within the majority group of router users and I do not require such functionality for myself.
That does not mean that it would not be useful for others. Probably not for you, but it would be useful for the typical home user.

Of course the question always is: what group of users do you want to support as a manufacturer. It appears (from recent product introductions) that MikroTik is trying to shift more from "a router for the network expert" towards the "canned solution for specific situation" including the use in households. Easier configuration is a part of that. But of course they should not lock the expert out of configuring the router exactly to their request.

QuickSet is an approach to that, although I agree with Valerio5000 that is should be made possible to remove that package or at least disable its function, as it is too difficult to make a QuickSet that can safely be used after customization has been applied directly using the normal menus.

mducharme · Sat Mar 28, 2020 8:34 pm

For our home users we do customized webfig skins that limit the options shown to them to hide things that they don't care about and might confuse them.

The most user friendly way IMO of managing a home MikroTik is with the iOS or Android app. It might make more sense to have such wizards in there for home routers for the average user with the default config (ex. port forward wizard).

vortex · Sat Mar 28, 2020 9:23 pm

The app is not friendly because you cannot download an apk anymore.

Valerio5000 · Sun Mar 29, 2020 4:09 am

For our home users we do customized webfig skins that limit the options shown to them to hide things that they don't care about and might confuse them.

The most user friendly way IMO of managing a home MikroTik is with the iOS or Android app. It might make more sense to have such wizards in there for home routers for the average user with the default config (ex. port forward wizard).

This is certainly true but why not do an identical procedure on ROS via WinBox or WebFig?

Cha0s · Sun Mar 29, 2020 6:16 pm

This is certainly true but why not do an identical procedure on ROS via WinBox or WebFig?

Because it is a waste of developer resources.
MikroTik should focus on fixing bugs and introducing new features. Not cater to noobs that cannot be bothered to read the manual.

Seriously, the amount of posts asking for stuff like that is annoying.
Do you see cisco making it easier to use an ASA? No, there you have to bust your rear, to learn how to use it.
So, stop asking for MikroTik to waste their time on useless stuff, and read the manual.

Current UI and CLI are perfectly fine. Wizards and guides and quick setups are for losers.

Chupaka · Sun Mar 29, 2020 7:30 pm

Wizards and guides and quick setups are for home users.

I fixed it for you

pe1chl · Sun Mar 29, 2020 9:16 pm

MikroTik should focus on fixing bugs and introducing new features. Not cater to noobs that cannot be bothered to read the manual.

Seriously, the amount of posts asking for stuff like that is annoying.
Do you see cisco making it easier to use an ASA? No, there you have to bust your rear, to learn how to use it.
So, stop asking for MikroTik to waste their time on useless stuff, and read the manual.

Cisco is doing that under their Linksys brand.
And MikroTik is operating partly in the same market as Linksys, especially with the newly introduced products.
As MikroTik uses the same software across the product line, they should offer such features as well, and can benefit from them in
some higher-end products as well (not all, of course, nobody would buy a CCR1072 without knowledge how to configure it).

vortex · Sun Mar 29, 2020 9:46 pm

Cisco sold Linksys in 2013.

Valerio5000 · Mon Mar 30, 2020 1:13 am

This is certainly true but why not do an identical procedure on ROS via WinBox or WebFig?
Because it is a waste of developer resources.
MikroTik should focus on fixing bugs and introducing new features. Not cater to noobs that cannot be bothered to read the manual.

Seriously, the amount of posts asking for stuff like that is annoying.
Do you see cisco making it easier to use an ASA? No, there you have to bust your rear, to learn how to use it.
So, stop asking for MikroTik to waste their time on useless stuff, and read the manual.

Current UI and CLI are perfectly fine. Wizards and guides and quick setups are for losers.

Oh yes ? so why Mikrotik produces and releases new products suitable for "home and office" use? I love Mikortik products but currently it doesn't make sense to have a QuikSetup page with simplified options just for home users and then to open a door on a firewall do I have to go and read manuals and command line? So why was QuikSetup developed at the time? I don't understand answers like "not convenient"; Wouldn't opening Mikrotik to home users and selling more devices be good for a money-making company?

mducharme · Mon Mar 30, 2020 5:06 am

One of the biggest complaints that I hear about MikroTik is the interface for things like wireless CPEs. UBNT has a nice interface for wireless configuration, very easy to use - but obviously it is limited in terms of what you can do with the device overall. With MikroTik you can do anything, you can configure anything you can think of, but the interface is so overloaded that for a specific device type you are presented with many options and features that you usually don't care about for that device, and this can be really confusing for people who are not tech wizards. I'm not sure what the solution is for this - I love the fact that you can take any RouterOS device and have full configuration abilities for any ROS features, and wouldn't want to lose that. But it would be nice to have a targeted alternate UI for a certain deployment type - ex. a UI specifically for configuring wireless CPEs. I know QuickSet is supposed to do this but part of the issue is that you don't know what QuickSet will do if you have changed anything else in the config from the factory default.

vecernik87 · Sat Apr 11, 2020 3:42 pm

This is exactly why I hate the IT community. Simplifying something isn’t going to cost you your job.

I am not worried about my job. I am worried about general security and about wasting mikrotik's developers time on a feature, which will not have many uses.

Simplifying a firewall rule wizard such as adding bogon and certain types of VPN won’t mess anything up for standard configurations as long as you actually follow best practice and put your WAN’s and LAN’s in the address lists.

If you don't modify defconf, then yes, it might work. Once you implement a single change, it may break it. You can't deny the possibility.

Personally I have a script written that applies all the firewalls I need for certain situations, including Multi-WAN and Multi-LAN and everything. The scripts utilize the address lists to ensure everything works. I am not the typical user, but I do work with ISPs that utilize Mikrotik products at the customer location, including basic residential.

Excellent. And you have a script why? to simplify your job, because you know EXACTLY what you want to do and why you are doing it. Adding a wizzard will not achieve this for anyone else except you, because average user will not even understand what it does and why its there. On the other hand, experienced user can sort it out with script exactly as you.

Note, I’m saying for standard configurations. One WAN, one LAN, standard.

Noted. Does not change my opinion.

Get your head out of the sand and realize that simplifying a product or its configuration makes the product more marketable to more people. The more markable routerOS products are, the more cool products Mikrotik will keep making.

No. No no no no no. NOOO! Please. If you want to promote this approach, please go, buy an Apple and do not return. Let me remind you why you are here - because mikrotik offers flexibility. Once you start simplifying, you will draw developer resources from other (more useful) tasks and sooner or later, the flexibility will die for sake of simplicity.
There were some attempts for simplifying (e.g. parental control) which can be easily replaced with a simple script, yet, mikrotik had to spend significant resources to develop it and now they have to maintain it forever (or until they deprecate it).

One topic for future thoughts - who exactly would benefit from such wizard? (except you of course)

vortex · Sat Apr 11, 2020 4:41 pm

Apple stopped selling routers years ago.

Docop · Wed Apr 15, 2020 9:36 pm

Indeed, some more quick set tick box could be quite handy for a starting configuration. It take many about a week to find out how to configure , for basically, just get a robust firewall and get the voip service passing. So yes, a kind of wizard could be very usefull for large majority of user. If people do have a 48ports or so... no. But the software is the same for a 4 port router up to multi 10gbs switch. So a gui helper and auto config for what normal config is could be very great.

Like on the rb44.. the activate wifi is easy to setup and work. After, if you need special thing.. ok dig on 1 wiki, that refer to another one, then pass few hrs trying to find a setup in the forum.
I guess more example in the wiki could help. But a gui with more option and more 'standard' parameter can be very very usefull for many and many new customer.

Thanks

anav · Sat Apr 18, 2020 5:22 pm

As a newb user with a self assigned accreditation of TUNA (MCNE or whatever is for the birds)...........
The default firewall that comes with the units these days is excellent.
There is only one thing missing, a wiki page that explains this default setup in simple terms for the home or home office user.
(Note: One that would explain why the rules are in place and explain what ! symbol is doing in the config for example)
(Note: The Wiki should include a caution, that configuring the router beyond this point will require reading and liberal use of the SAFE button)
The fact jack is that any other configuration that the user may want to do is going to take as Chaos noted, some sweat and equity.
This is not and never will be a plugNplay dumb consumer router.
THe forums are sufficient to get a new user gently to a place of more complexity when required.

This thread should be closed!

Tue Apr 21, 2020 1:33 pm

Very similar to default config is described in first time configuration
https://help.mikrotik.com/docs/display/ ... gtheRouter
"ProtectingtheRouter" and "ProtectingtheClient" sections

Chupaka · Tue Apr 21, 2020 9:16 pm

https://help.mikrotik.com/docs/display/ ... gtheRouter

Is it only me or there's something wrong with double quotes?..

/user set 0 password="!={Ba3N!"40TуX+GvKBz?jTLIUcx/,"

anav · Sat May 02, 2020 5:31 pm

https://help.mikrotik.com/docs/display/ ... gtheRouter
Is it only me or there's something wrong with double quotes?..
Code: Select all
/user set 0 password="!={Ba3N!"40TуX+GvKBz?jTLIUcx/,"

Good pickup, pattern recognition! Looks like its been fixed.
What do you think about the webproxy stuff near the end: "Blocking Unwanted Websites", to block http traffic - outdated and not useful??

mozerd · Sat May 02, 2020 5:42 pm

Is it only me or there's something wrong with double quotes?..
Code: Select all
/user set 0 password="!={Ba3N!"40TуX+GvKBz?jTLIUcx/,"

The double quotes is OK but when quotes are used in the actual password as shown in your illustration that quote must be preceded with the escape character as follows:

/user set 0 password="!={Ba3N!\"40TуX+GvKBz?jTLIUcx/,"

mozerd · Sat May 02, 2020 5:54 pm

What do you think about the webproxy stuff near the end: "Blocking Unwanted Websites", to block http traffic - outdated and not useful??

@anav ..... If one uses their TiK router as a webproxy THAT will mean a significant amount of Read-Write cycles will be made on the NAND memory .... not a good thing cause that may reduce the lifespan of the Router. Best to delegate webproxy to another machine like a capable UTM .... plus most websites are https today and TiK cannot unpack that encrypted stream so that would be a waste of time. A good UTM like UNTANGLE can unpack https streams and payloads for effective layer 7 work

pe1chl · Sat May 02, 2020 6:00 pm

Proxy without caching does not incur write cycles...

pizzonia · Fri Jul 10, 2020 5:20 pm

Is this good enough for home router setup?

Sob · Fri Jul 10, 2020 5:33 pm

No. It's doing useless stuff like trying to detect port scanners (just don't have anything open and then you don't need to worry about anyone scaning anything), makes router open resolver (bad), ... in short, you're better off with default firewall from factory.

sleerf · Wed Aug 12, 2020 5:11 pm

I not only agree but would like to see a customer side portal for customers. It's not like there are dozens of companies already doing this.

Wed Aug 12, 2020 5:16 pm

The original post describes all the things that are already there. This does all you asked for:

Screenshot 2020-08-12 at 17.15.55.png

The button is already there. Can it be simpler?

sleerf · Wed Aug 12, 2020 5:38 pm

This activates the firewall but does nothing to rules. The way I see what the OP is suggesting is a basic dialog box for basic rule configuration.

Basically, you setup the router as you want it. Click the firewall "wizard" and you get a bunch of options for basically creating and customizing a script for rules similar to what is already posted on the wiki and pulling in the config info for the options to set up. Then you avoid the complexity of having to copy/paste and then alter a script that is much easier to screw up.

Then of you wanted to go to further detail amd customization, you click an "advanced" button that launches IP/FIREWALL

This would be great for quicky deployments and would drastically reduce the chances of error for those uncomfortable with the command line amd additional jargon in the regular interface.

It would also allow me to have an installer set it up on site rather than assign an engineer to do it prior to installation.

Cha0s · Thu Aug 13, 2020 10:22 am

If you like wizards and non industry standard terminology (jargon), you can always use vendors like TP-Link, D-Link, Netgear, etc.

pe1chl · Thu Aug 13, 2020 10:44 am

It would likely be a waste of time to setup such a firewall wizard and see it evolve to handle more and more complex cases until it basically is the same as the normal firewall menu, but I would consider it a good idea to have some "user input panel" capability for scripts.
I.e. a user-written script can call some function or have some description in its definition that makes it display an input panel when it is executed (depending on the use of winbox, webfig or cli this would be made in the user interface style of that interface), then the user can input values and the script continues with those values in variables.
That would enable the creation of scripts that can perform actions like "basic firewall rule" in the view of those requesting it. Probably they mean things like "port forwarding", the input panel could ask for parameters like local port at the router, destination IP and destination port, and the script could create the rule.
But someone else has completely different intentions and could write an appropriate script for that.
This would enable configuration of routers that previously have been prepared with standard config including such script.
(probably these scripts should also have some shortcut button somewhere, e.g. on the QuickSet screen)

Thu Aug 13, 2020 11:17 am

Click the firewall "wizard" and you get a bunch of options for basically creating and customizing a script for rules

I fail to understand how this is easier for anyone, I'm sorry. Those bunch of options will still be address, port, protocol, action. Same options currently used in the Firewall Filter menu.

pe1chl · Thu Aug 13, 2020 12:12 pm

I fail to understand how this is easier for anyone, I'm sorry. Those bunch of options will still be address, port, protocol, action. Same options currently used in the Firewall Filter menu.

I think what many users mean by "adding a firewall rule" is more like "adding a port forward in a NAT router".
In a typical consumer router you can go to some screen and enter a port number and select an internal system (sometimes by entering IP address, often by selecting it from a list of internal systems known by the router), optionally specify a port number to connect to. Click OK and you are done.

This of course is equivalent to adding a dstnat rule in the NAT table, but people do not know that. And also those dstnat rules have like 25 options that you do not need to set in this case, and you have to know which ones you have to set.
(it already was made simpler by the new firewall because it does not require 2 different rules to be set anymore, only the dstnat rule, no more forward filter rule)

Newbie users are confused and ask for features like this, which they know from their previous router.

Maybe a solution would be to have a Simple/Advanced mode button like there is in Wireless Interfaces, where Simple mode removes all the options starting from "Packet Mark" and up to "Action".
Also, it would help when you select the dstnat chain the default action would automatically change to dst-nat rather than accept, and show the relevant fields.
Preferably, in simple mode the above would all be on a single tab, so you would see the matching criteria (protocol, port, maybe address and interface) and the action all in a single view. The multi-tab view is of course OK for advanced mode.

sleerf · Thu Aug 13, 2020 4:46 pm

I don't disagree with a lot of the points made about each user's needs being unique. What I'm backing the OP on is the concept of a wizard for basic firewall rules to save time and resources which saves money.
The argument against this is similar to the argument that the gui isn't needed at all because there's a command line.
There is already a quickset but as noted, once you begin to make manual changes that's all lost.
The default firewall rules from the quickset could be improved by simply adding a script that applies them after the initial router config using parameters already in place that have been put in by the user.
In short, a firewall quickset that doesn't change the entire config, just firewall.
Then the user can build from there. A VPN wizard would be nice as well. It could walk the user through the steps of creating a secure vpn based on the existing config of the router....complete with on-the-fly public and private key creation.
For me this isn't an argument for dumbing down the router for noobs or being lazy. It's about saving time, and making it easier for field techs and end-users which would reduce my operational costs and save time while also reducing the chances of error.
As someone else noted, a simple/advanced gui option could also accomplish this by eliminating a lot of options that just create confusion to those same people. I'm not so concerned with how it's done. But what does concern me is the number of devices out there with poor or no firewall settings because of the complexity which in turn makes mikrotik a favorite for hackers which in turn puts us all at greater risk.

Cha0s · Fri Aug 14, 2020 12:54 am

The argument against this is similar to the argument that the gui isn't needed at all because there's a command line.

The argument against this, is that it will produce anecdotal time and money savings.

santyx32 · Fri Aug 14, 2020 2:26 pm

I like Mikrotik's approach of allowing the user to manually configure each aspect of the network/device but sadly there's no SQM amongst all those tons of options, I think Mikrotik should add features requested by users instead of creating a slow and limited web GUI like regular SOHO vendors do.

sleerf · Fri Aug 14, 2020 5:35 pm

The argument against this is similar to the argument that the gui isn't needed at all because there's a command line.
The argument against this, is that it will produce anecdotal time and money savings.

Anecdotal? How can you pretend to know the benefits, or lack thereof, without fine details regarding the way that it would work?

What's wrong with adding something that you obviously wouldn't use, but while leaving the structure in place that you're familiar with, allows Mikrotik to gain more marketshare that currently don't buy their products because of the lack of a simplified interface? And with that, greater profit margins allowing them to develop new products, improve hardware with minimal cost increases, and improve firmware design to reduce the frequency of updates fixing one thing while breaking something else?

Again, I'm not talking about removing anything. I'm advocating some drastic improvements to the quickstart that stick rather than disappear when you begin to make changes either through the command line or gui and adding basic firewall configuration and a couple of other things to it as well. I'm not suggesting that they re-invent the wheel.

Sob · Fri Aug 14, 2020 7:08 pm

Actually, RouterOS already has at least one wizard (IP->DHCP Server->DHCP Setup) outside of Quick Set. It doesn't really do much, only adds pool, server and config for network, so just three config lines. I could add the same manually, but I still use this, because it automatically offers sane values derived from interface's IP address, so it's convenient and faster.

If MikroTik adds more of these where it makes sense, I'm for it. The question is where does it make sense. So far I don't see it for something like port forwarding, because it's already simple enough, just one rule and nothing to fill in automatically.

pe1chl · Fri Aug 14, 2020 7:29 pm

So far I don't see it for something like port forwarding, because it's already simple enough, just one rule and nothing to fill in automatically.

That is because RouterOS has no picture of internal systems. Other routers have integration between their DHCP and DNS servers (so they can put hostnames into the local DNS zone), and often they allow selection of a target for a portforwarding from that info. RouterOS has part of that (it allows you to "fix" the IP address of an internal system that has obtained a dynamic address from DHCP), but there is no way to refer to that address e.g. in a rule. You need to enter it again, and be careful when you change it.

Still, when the Firewall screens would have a Simple/Advanced mode (like the Wireless interface screen), or when a new button "+(simple)" is added that opens a simplified version of the screens, it could be made much easier to add something like a forwarding rule.

Remember, when you are familiar with those screens or even seen have them evolve over time, it is easy to setup a new dstnat rule by entering only 5 fields. But when you see those screens for the first time, how do you know where to enter those and what fields are not important for this simple usage?

Cha0s · Fri Aug 14, 2020 7:41 pm

Anecdotal? How can you pretend to know the benefits, or lack thereof, without fine details regarding the way that it would work?

I do not pretend. I know that it won't be more beneficial, faster, more money saving (or whatever) than pasting a single command on CLI for example.

There are all the tools you need, already there to allow you to be as fast as possible.
Wizards will not be one of them under the context you provided.

And as I already mentioned, my "beef" with it is that it will draw developer resources away from fixing bugs and making improvements, to implement wizards for noobs.

I consider releasing a stable v7 with improved BGP, other fixes and new features FAR more important than wizards.
Sorry, but I use ROS professionally, I don't particularly care about non-proficient users trying to dumb down a power-user's network OS.
There are many options out there for those users.

rooted · Sat Aug 15, 2020 6:55 am

Sorry, but I use ROS professionally, I don't particularly care about non-proficient users trying to dumb down a power-user's network OS.
There are many options out there for those users.

It's a good thing you aren't in sales.

sleerf · Sat Aug 15, 2020 9:02 am

Wow. I never said anything about dumbing down the system. Only adding some capabilities that generate more market share which increases profits and produces that outcome you desire.

I use mikrotik routers professionally as well. I'm proficient with both the gui andbthe command line although I don't deal with them as deeply or frequently as my engineers.

I'm not even thinking about this for myself. I'm thinking about employees that I have to pay, end-users, and basic economics.

It's not like such a thing would take away from your job security.... Is that what you're worried about?

Cha0s · Sat Aug 22, 2020 4:27 pm

It's a good thing you aren't in sales.

You can tell that to Cisco. With ALL their wizards for noobs. Right? ;)

rooted · Sat Aug 22, 2020 10:45 pm

You can tell that to Cisco. With ALL their wizards for noobs. Right? ;)

Cisco doesn't make devices like the hAP lite or hAP ac² which are not business class devices, or if they do I'm not familiar with them.

Sat Aug 22, 2020 11:05 pm

Paternot · Sun Aug 23, 2020 12:53 am

Wow. I never said anything about dumbing down the system. Only adding some capabilities that generate more market share which increases profits and produces that outcome you desire.

Ah, yes. Dumbing down the system, but with salespeak!

Maggiore81 · Sun Nov 08, 2020 5:26 pm

Hello
Just my 2 cents...
I dont agree at all doing wizards in MT.
The MT is not for the casual user... or the average home user. They need a TPLINK, DLINK or NETGEAR stuff...
With MT you can do everything.
We prepared a standard conf to apply on our brand new devices before installing them to our custumers.
Do the same you.
Reset to default, load the packages you need, paste the "your standard" conf, and go!
Dont need to be fed with spoon with pre-done configurations.

Sob · Sun Nov 08, 2020 6:25 pm

I don't want to be unfair to TP-Link and others, I don't follow what they do now, maybe they improved their products. But no, home users don't need the kind of limited routers I've seen from them in the past, where it's impossible to configure anything remotely advanced (more like anything else than bare basics).

MikroTik routers are good for home users, even for those who don't know much about network stuff. Home devices have default config that's in many cases plug & play, so users don't need to do anything. When they need something, then Quick Set, as kind of dumbed down interface, is similar to what other simple routers have. But the huge difference and advantage is that when they need even more, they can get it, either themselves if they are willing to learn, or they can find someone else to configure it for them.

If you're ISP who preconfigures routers for customers, you're on the other extreme end from home users. You don't need any of this, if you polish your standard config once and then just load it over and over. But there's also everyone else in between, everyone doing any ad hoc config, advanced home users, small office admins, even professionals whose work is not just copy & paste. It's not wrong to make things simpler, more efficient, user friendly, etc, if it doesn't mean dumbing down, i.e. taking away advanced possibilities. Quick Set is good example, you may find it useless and waste of developer's time (can't be too much), but is doesn't get in your way, you can simply ignore it. But it helps MikroTik to sell their stuff to new groups of customers.

pe1chl · Sun Nov 08, 2020 7:54 pm

In the newest testing version 6.48beta48 a simple port forwarding rule wizard was added to quickset...

Cha0s · Mon Nov 09, 2020 11:26 am

Quick Set is good example, you may find it useless and waste of developer's time (can't be too much), but is doesn't get in your way, you can simply ignore it. But it helps MikroTik to sell their stuff to new groups of customers.

Which in turn those new groups of customers which were attracted by Quick Set and never bothered to learn how to use ROS properly, ask for more dumbing down. Vicious circle...

Again, if it didn't affect ROS, I wouldn't care. But MikroTik is clearly not Cisco or Juniper in terms of developer resources.
Every time they focus on user 'friendliness', some other aspect of ROS hurts (like say... I dunno... WiFi for example? - I am sure all those new customers would prefer a performant WiFi implementation rather than a "dumb" one...)

So, it does, indirectly, get in the way.

WeWiNet · Mon Nov 09, 2020 12:27 pm

The MT is not for the casual user... or the average home user. They need a TPLINK, DLINK or NETGEAR stuff...
With MT you can do everything.

As MT sells devices like Audience, Chateau, hap ac2 these devices ARE for the average user and you must have QuickSet to enable them
with basic functionality. Same as any GUI on products from TP-Link etc.

The problem with Mikrotik is once you need a bit more than Quickset its hard to move over to classic Winbox or command line.
There is no "expert" mode in Quickset and its really limited to the most basic use case...

If I were Mikrotik I would make an online Wizard to create more advanced (but still standard) configs for their SOHO device product range.
- You select the HW device you have.
- Select the number of separate VLANs and their IP and DHCP servers. Number of Wifi AP (SSID, security, hide SSID) and which VLAN they go on, number of ETH ports and on which VLAN they go, security and IP setup (NAT, basic firewall) etc. and couple of other infos.
- You press the button and you get a config file you download and run after reset in your device...!

BANG.... no more questions about "separating" Wifi clients, how to make a VLAN and add ETH port, and this and that and so and so.

Something like this would be helpful for all, as you create profiles quickly and save them as various templates in your MT online profile...
When then configuring a new device you start from clean starting point or assemble them quickly.

Sob · Mon Nov 09, 2020 12:48 pm

@Cha0s: When I see dumbing down, something advanced going away and being replaced by something limited, I'll start to complain with you. But until then, I don't see any reason to do it.

Btw, there's also another possible explanation. Because now MikroTik products attract new group of customers, they can make more money and hire more developers, who can work also on advanced stuff, because they can't just polish Quick Set forever. Who knows, maybe you actually profit from that. But only MikroTik knows for sure. :)

pe1chl · Mon Nov 09, 2020 2:40 pm

If I were Mikrotik I would make an online Wizard to create more advanced (but still standard) configs for their SOHO device product range.
- You select the HW device you have.
- Select the number of separate VLANs and their IP and DHCP servers. Number of Wifi AP (SSID, security, hide SSID) and which VLAN they go on, number of ETH ports and on which VLAN they go, security and IP setup (NAT, basic firewall) etc. and couple of other infos.
- You press the button and you get a config file you download and run after reset in your device...!

But that is what Quick Set basically does!

And there is no real way to have a config file imported into a new router automatically.
That would be a big improvement for MikroTik routers: a way to "transfer" configuration from one router to another, or from an external tool to a router.
Unfortunately it is not really there. It would require an import command that can wipe the config before beginning, can ignore things like MAC addresses and that sensibly handles "errors" during the import.

anav · Sat Nov 14, 2020 4:49 pm

As a system user and not IT trained, I think MT has a reasonable user 'dumb' interface in winbox. If it was just CLI I wouldn't be here.
I used zyxel products before that were webgui and CLI based very similar but their web gui was mostly wizards and cluster of rules done behind the scene, like port forwarding.
Not until I used MT and had to think of networking as chasing packets around the router to ensure they got where they needed to be did I appreciate what zyxel did on my behalf LOL.
BY that I mean, MT helps one learn networking, the rest dont, and for that I wouldnt give up my MT for any other router. It gives me a great GUI tool and helps me learn (or at least Sob Sindy MKX and others are generous enough to kick me in the right direction so that I gain footholds of knowledge). In other words, the sooner a new user learns what the basic rules are doing, the better off in the long run. There is no in between. Either MT makes a router for home users like zyxel, mostly all dummy rules and wizards, or provides what they do now which is a SAFE START for basic needs and then grow with the router.

I think its fair to say the documentation is what is lacking in many instances to bring a home user up to a low or medium level of understanding to progress. If I was not scatterbrained and had time I could take all the gems others have posted and conduct such an endeavour but thats dreaming. ALso its a separate topic.

Additionally, the WIFI situation is a complete mess with functionality, how to adjust wifi, documentation etc etc etc.......... Confuses even IT trained folks much of the time.
Throw in Capsman and its a support nightmare. For some reason, MT doesnt like my idea of hiring bpwl to work with MT coders to clean up the wifi systems at least a the home user level including documentation. Until they do, I cannot recommend MT homeuser wifi products - speaking about being concerned with Sales!

(Perhaps a wizard for Capsman is the only thing I would like to see 'wizardized' and maybe hotspot, but I probably think that not having tried them out yet)
.

Who is online