snehasharma
just joined
Topic Author
Posts: 7
Joined: Sat Jul 01, 2023 4:52 pm
Location: india

Complaints from v7.17rc [testing]

Tue Nov 26, 2024 7:34 am

MOD EDIT:
Moving quite a bit of complaints from 7.17rc thread over here


It's definitely a challenge for managing MikroTik devices, especially in enterprise settings. A cloud provisioning portal would be a great solution for easier management.
 
pyfgcrl
just joined
Posts: 8
Joined: Tue Nov 20, 2012 11:26 pm

Re: v7.17rc [testing] is released!

Tue Nov 26, 2024 2:55 pm

I have a big stack of MikroTik devices here at home on which I test betas and RCs long before putting things into production. I don't have half the issues these people speak of. That said, when I do have an issue, it's great that I'm testing it in a lab where it doesn't matter, instead of on my enterprise production devices running a multi-million dollar business that no one would be happy if I tested on!

Can't imagine how fun it would be, as all the complainers are finding, to discover changes to /system/device-mode and to /interface/bridge/vlan in production... That said, I love the changes made thus far, and look forward to my planned rollout.
 
rextended
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.17rc [testing] is released!

Tue Nov 26, 2024 3:37 pm

Take it easy anyway, and REPLACE the devices (with equal but updated ones) or do a netinstall on site...
You can't even imagine how many things you CANNOT test in the lab... One above all, the history of previous versions and the aftermath left by these...
 
toxicfusion
Member
Posts: 324
Joined: Mon Jan 14, 2013 6:02 pm

Re: v7.17rc [testing] is released!

Tue Nov 26, 2024 7:31 pm

my knee jerk reaction, and I will keep bringing this up until I'm blue in the face.

IF team MIKROTIK is LISTENING.....

- Develop a damned cloud portal for us "enterprise" [IT/MSP/WISP/Enterprise/Professional] for us to manage and provision XYZ devices [Pro/Enterprise] type of hardware MikroTik develops. This would create the added layer of security and enough of this randomized password bullshit and this device-mode "Just press the button, it's okay!"

We cannot ask customers to touch their equipment, otherwise it costs us truck rolls. We are starting to leave MikroTik, you're not listening - you're not taking your Trainers, WISP/ISP customers seriously.. it's a joke.

And now MikroTik is working with Ampere.....

We realize MIkroTik is focusing on a level of security and safety for their hardware.

Our opinion:

hAP, SOHO routerboards == Consumer / Lab / end-users. Use Winbox, WebFig to manage. These are OKAY to use the randomized passwords on stickers. End-User MUST keep track. Or rely on the higher quality sticker to hold up over the years. We have concerns about the outdoor equipment and the stickers -- see next comment.

it is a pain in ass for us as IT/WISP/MSP/Professionals to keep track of randomized passwords for EACH hardware device we deploy to customer. We have to develop a process, document and store the password. Or at worse, find the original order and ask distribution for the password for the particular device serial/MAC.

If MikroTik HAD a Reseller or PARTNER portal -- this would be easier and more uniform. We give our MikroTik Partner ID or customer portal ID to our distributors of choice, and when orders are placed everything will be stored or kicked over to the MikroTik partner account....

For the "enterprise" level equipment, there needs to be another way.

Also think about this - For those of us that deploy MikroTik switching gear. What happens if we have to for some reason factory reset a switch, or a new high-end MikroTik POE switch or upcoming Ampere gear.... The switch will be in a RACK, mounted and most likely very difficult to access and read the sticker. We would have to defer to the original order, or documentation. It is kind of silly to have to document every device serial/MAC and associated default password. What if a user's password vault, spreadsheet or other system was compromised?

Or say a bad actor at an organization could easily factory reset the MikroTik gear and laugh as they know they'd be locked out not having the original password documented.

Cloud device provisioning we can set the device(s) passwords per network or device.

We are NOT upgrading to 7.17 until we know what the plan is for device-mode. Even if there are the needed wireless qcom-ac and wireless AX driver fixes/improvements.

MikroTik - Focus on the open bugs, issues and feature requests. Cut the crap with the ROSE. This does not belong on a router, it is cool for a home lab or people that want to tinker. Release it as its own operating system with the packages enabled by default.

We're still waiting on CAPsMAN improvements [Config sync]
MLAG
Router High Availability via a Wizard [Not just manual VRRP], with config sync to active spare.
Last edited by toxicfusion on Tue Nov 26, 2024 7:44 pm, edited 2 times in total.
 
infabo
Forum Guru
Posts: 1465
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17rc [testing] is released!

Tue Nov 26, 2024 7:37 pm

- Develop a damned cloud portal for us "enterprise" [IT/MSP/WISP/Enterprise/Professional] for us to manage and provision XYZ devices [Pro/Enterprise] type of hardware MikroTik develops. This would create the added layer of security
cloud and security. lol. keep your enterprise stuff.
 
toxicfusion
Member
Posts: 324
Joined: Mon Jan 14, 2013 6:02 pm

Re: v7.17rc [testing] is released!

Tue Nov 26, 2024 7:40 pm

- Develop a damned cloud portal for us "enterprise" [IT/MSP/WISP/Enterprise/Professional] for us to manage and provision XYZ devices [Pro/Enterprise] type of hardware MikroTik develops. This would create the added layer of security
cloud and security. lol. keep your enterprise stuff.
There is never a perfect world. But for certain device types, cloud provisioning these days is leading the way. There also needs to be local management. If we cloud provision, the device info and network/device password would be saved at an administrative level. We copy password and use it to access the device locally [if cloud provisioned].
 
infabo
Forum Guru
Posts: 1465
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17rc [testing] is released!

Tue Nov 26, 2024 7:51 pm

Cloud device management is as secure as using cloud password vaults. Go ahead, there are many enterprise hardware vendors out there. I for myself chose Mikrotik, because they don't do (and obviously honestly don't believe in) that Cloud crap.
Sorry for the offtopic post.
 
toxicfusion
Member
Posts: 324
Joined: Mon Jan 14, 2013 6:02 pm

Re: v7.17rc [testing] is released!

Tue Nov 26, 2024 8:01 pm

or for us to test these new beta releases and improvements. Could MikroTik instead fork the releases into different types

IE:
7.17rc release with "security/lock-down mode"
7.17rc release without lock-down mode, but containing all new improvements, fixes, enhancements, etc.
 
igorr29
Frequent Visitor
Posts: 83
Joined: Tue Jan 02, 2024 12:53 pm

v7.17rc [testing] complaints

Tue Nov 26, 2024 8:03 pm

at some point we had to deploy around 800 cap ac for a hotel. of course managed by capsman. so with the old v6 ros, this was done in a few days, just resetting the new device and upload a minimal config that would set a few things took us around 1.5 - 2 min per device.
imagine now with DEVICE PASSWORD. read what's written on the small label, then type it in, then change password to something normal... and after some time you start making errors and takes more and more time to read the small label. i think i'd start throwing them to the wall and then destroy everything around me and go to a mental healthcare.
and then if somewhere along that path entered some device mode and we had to do even MORE work to change some settings. hell no.
i really have no idea why the f you started with random passwords, and now with this device mode bullshit.
you're not considering that IT PEOPLE don't want to make their own life more difficult. but you're making it more difficult with this nonsense choices.

PS i'm still waiting for the day you return real superchannel with all frequencies open. until that happens, bye bye mikrotik ptp.
 
toxicfusion
Member
Posts: 324
Joined: Mon Jan 14, 2013 6:02 pm

Re: v7.17rc [testing] is released!

Tue Nov 26, 2024 8:30 pm

at some point we had to deploy around 800 cap ac for a hotel. of course managed by capsman. so with the old v6 ros, this was done in a few days, just resetting the new device and upload a minimal config that would set a few things took us around 1.5 - 2 min per device.
imagine now with DEVICE PASSWORD. read what's written on the small label, then type it in, then change password to something normal... and after some time you start making errors and takes more and more time to read the small label. i think i'd start throwing them to the wall and then destroy everything around me and go to a mental healthcare.
and then if somewhere along that path entered some device mode and we had to do even MORE work to change some settings. hell no.
i really have no idea why the f you started with random passwords, and now with this device mode bullshit.
you're not considering that IT PEOPLE don't want to make their own life more difficult. but you're making it more difficult with this nonsense choices.

PS i'm still waiting for the day you return real superchannel with all frequencies open. until that happens, bye bye mikrotik ptp.
10000% this and I feel your frustration. Similar experience and feelings.
 
guipoletto
Member Candidate
Posts: 201
Joined: Mon Sep 19, 2011 5:31 am

Re: v7.17rc [testing] is released!

Tue Nov 26, 2024 9:19 pm

i think i'd start throwing them to the wall and then destroy everything around me and go to a mental healthcare.
YES! I thought i was the only one.
and then if somewhere along that path entered some device mode and we had to do even MORE work to change some settings. hell no.
YES! but in this case this will break stuff already deployed
don't worry, it's just a button press! (times 800 Cap's hidden in the pigeon holes)
i'd imagine it would be easier to get approval to cycle power site-wide (plus, no dealings with safety people!)
i really have no idea why the f you started with random passwords, and now with this device mode bullshit.
YES!
And the fact those passwords are not also on a QR code, is evidence they are doing this just to taunt us.
you're not considering that IT PEOPLE don't want to make their own life more difficult. but you're making it more difficult with this nonsense choices.
I like you
We should meet at the MUM for some beers

There are two classes of crazy people in this thread:
- The ones that operate telecom networks
- The ones that cooked "device mode" and brought it to RC status
 
oreggin
Member Candidate
Posts: 201
Joined: Fri Oct 16, 2009 9:21 pm

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 10:21 am

This thread speaks for itself, please rethink device-mode and don't give a shit. We have been switching to MTik devices for some time, but now we can move on to other manufacturers. Thanks!
 
normis
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.17rc [testing] is released!

Wed Nov 27, 2024 12:05 pm



cloud and security. lol. keep your enterprise stuff.
There is never a perfect world. But for certain device types, cloud provisioning these days is leading the way. There also needs to be local management. If we cloud provision, the device info and network/device password would be saved at an administrative level. We copy password and use it to access the device locally [if cloud provisioned].
This year several of the largest "cloud providers" had 0day events, allowing hackers to take over your network during device provisioning. Please follow security blogs, it's not as the pretty advertisements say. We take security very seriously, and working on our own controller, we are taking all this into consideration. Rushing cloud solutions gets you hacked.
 
normis
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 12:05 pm

This thread speaks for itself, please rethink device-mode and don't give a shit. We have been switching to MTik devices for some time, but now we can move on to other manufacturers. Thanks!
Can you please describe in full sentences how device-mode is interfering with your workflow? What was implemented in the first beta releases is no longer in 7.17rc.
 
rextended
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 12:18 pm

Other changes since v7.16:

!) device-mode - after upgrade, mode "enterprise" is renamed to "advanced" and traffic-gen, partition (command "repartition"), routerboard and install-any-version features will be disabled (additional fixes);


I try to answer for all those who work there, and don't play there at home.

>>> !) device-mode - after upgrade, mode "enterprise" is renamed to "advanced"
No problem on this.

>>> and traffic-gen [feature will be disabled]
I do not mind, I never use this feature on production or on non-core devices.

>>> partition (command "repartition") [feature will be disabled]
on production only a fool changes the number of partitions, with the risk of losing the device...
if everything else can be done, who cares...

>>> routerboard [feature will be disabled]
What exactly is disabled? The entire menu?

>>> install-any-version [feature will be disabled]
Given that this thing can be TRIVIALLY circumvented, this could be an extremely annoying thing,
maybe MikroTik provides a version of RouterOS to solve some problem, but the customer can no longer do as before, that is, freely install it.
Also the fact of no longer being able to put a previous version, compared to those available in the menu,
which perhaps circumvents a bug present on the new versions, as OFTEN happens,
is a real pain in the ass if one has to reach a device mounted 200Km away just to turn it off and on again...

>>> (additional fixes);
What???



The most obvious thing to do,
that a company respecting its customers should think about on its own, without the need for users to complain,
is to activate the new mode only in devices purchased new, which already have 7.17 and leave those already in PRODUCTION as they are,
without creating further burdens of WORK.
Often those who WORK there suggest to the administrations what to buy,
if you "bother too much" those who WORK there, with useless and ridiculous work, in the end they will change brands FOR SURE.
Last edited by rextended on Wed Nov 27, 2024 12:29 pm, edited 2 times in total.
 
infabo
Forum Guru
Posts: 1465
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17rc [testing] is released!

Wed Nov 27, 2024 12:25 pm



There is never a perfect world. But for certain device types, cloud provisioning these days is leading the way. There also needs to be local management. If we cloud provision, the device info and network/device password would be saved at an administrative level. We copy password and use it to access the device locally [if cloud provisioned].
This year several of the largest "cloud providers" had 0day events, allowing hackers to take over your network during device provisioning. Please follow security blogs, it's not as the pretty advertisements say. We take security very seriously, and working on our own controller, we are taking all this into consideration. Rushing cloud solutions gets you hacked.
Thank you for these clear words. I appreciate Mikrotik's position on the cloud topic.
 
rextended
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.17rc [testing] is released!

Wed Nov 27, 2024 12:30 pm

Rushing cloud solutions gets you hacked.
One of the most beautiful sentences read on the forum.
 
Valerio5000
Member Candidate
Posts: 104
Joined: Fri Dec 06, 2013 2:38 am

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 12:33 pm

@ Normis

mine is a question without controversy. It seems clear that Mikrotik is focusing on the domestic market and I can only be pleased about this, personal opinion. Have you ever thought of dividing ROS into an Enterprise branch and a Home branch, the latter with only the minimum packages (DLNA comes to mind - Media useful at home but perhaps not much in an Enterprise environment) perhaps with small step-by-step guided procedures? I know it would be a double version to maintain but in my opinion the Home version would be much simpler. The hateful problem of the 16MB flash memories of Home devices (AC2 for example) could be solved in one fell swoop. As a home user, I am in love with Mikrotik and ROS and where I could, even at relatives and friends' houses, I installed a Mikrotik but sometimes I lost hours configuring everything 100%. A Home version perhaps even more concentrated only on WebFig instead of Winbox with small guided procedures, guides and advice would not be bad. Let's be clear, in a Home environment you hardly use ROS in a complete way, once you create a wizard for: opening TCP/UDP ports, VPN, Media Sharing, Wifi with easy procedures to add a second RB as a repeater/access point you have almost completely satisfied home users and you could afford not to touch this "ROS-Home Edition" for months. It goes without saying that any device modes etc. on Home devices you could apply without too many problems and concentrate on more structured procedures for Enterprise users. If we look, all router manufacturers that sell both in the Enterprise and Home market have double versions of their ecosystem/system and in my opinion you should seriously consider this possibility if, as I think, you have rightly decided to enter the home-domestic market.
Even if it has little to do with the discussion, I would invite Mikrotik to take our comments/suggestions a little more seriously and in my opinion only something good can come out of it, see the retracement of the much more restrictive device mode on the first betas of 7.17. ;)
 
normis
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 12:35 pm

>>> routerboard [feature will be disabled]
What exactly is disabled? The entire menu?
yes, but the only meaningful thing you can do there, is enable boot from network without touching the device. now you need to press the button, to change this menu.
>>> install-any-version [feature will be disabled]
Given that this thing can be TRIVIALLY circumvented, this could be an extremely annoying thing,
how can this be circumvented?
the idea behind this function is to only allow versions without known security bugs / CVEs in this list. to install other version apart from this list, a button press is needed. that is all. it is not forbidden. it just requires a button press.
 
normis
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 12:39 pm

@ Normis

mine is a question without controversy. It seems clear that Mikrotik is focusing on the domestic market and I can only be pleased about this, personal opinion. Have you ever thought of dividing ROS into an Enterprise branch and a Home branch, the latter with only the minimum packages (DLNA comes to mind - Media useful at home but perhaps not much in an Enterprise environment) perhaps with small step-by-step guided procedures? I know it would be a double version to maintain but in my opinion the Home version would be much simpler. The hateful problem of the 16MB flash memories of Home devices (AC2 for example) could be solved in one fell swoop. As a home user, I am in love with Mikrotik and ROS and where I could, even at relatives and friends' houses, I installed a Mikrotik but sometimes I lost hours configuring everything 100%. A Home version perhaps even more concentrated only on WebFig instead of Winbox with small guided procedures, guides and advice would not be bad. Let's be clear, in a Home environment you hardly use ROS in a complete way, once you create a wizard for: opening TCP/UDP ports, VPN, Media Sharing, Wifi with easy procedures to add a second RB as a repeater/access point you have almost completely satisfied home users and you could afford not to touch this "ROS-Home Edition" for months. It goes without saying that any device modes etc. on Home devices you could apply without too many problems and concentrate on more structured procedures for Enterprise users. If we look, all router manufacturers that sell both in the Enterprise and Home market have double versions of their ecosystem/system and in my opinion you should seriously consider this possibility if, as I think, you have rightly decided to enter the home-domestic market.
Even if it has little to do with the discussion, I would invite Mikrotik to take our comments/suggestions a little more seriously and in my opinion only something good can come out of it, see the retracement of the much more restrictive device mode on the first betas of 7.17. ;)
This is again a new offtopic. Is this a 7.17 question?
It seems clear that Mikrotik is focusing on the domestic market
that's not true, we have more professional switches than ever, etc. we have many products.
Have you ever thought of dividing ROS
when extra space is needed, we already do that. if there is plenty of space in a device, you can simply ignore features you do not use. we don't plan to separate RouterOS. it was always our main goal, any device can do anything. you don't need to pay thousands to use ospf etc.

We provide other means to help the basic users - they can use MikroTik smartphone app and use the Wizard to configure the router. But if they later decide to learn, all the tools are in there. No need to pay extra or to change the device.
 
rextended
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 12:42 pm

how can this be circumvented?
Just intercept routerboard traffic and provide fake webserver, dns, ip. Test already done successfully.
Try integrating website certs and checking HTTPS before downloading from update. Tested on previous 7.12 versions.
I do not know if 7.13+ / 7.17 checks website certs before download/connect.

a button press is needed. that is all. it is not forbidden. it just requires a button press.
I can't find the right words to express myself, I'm not a native speaker, the idea is that other users would say to you <CENSORED>

You and the others staff members possibly can't understand that the devices are not all mounted in the same room,
but are installed hundreds of kilometers away, and are often on pylons or in places that are difficult to reach normally???
What do you think that all the devices are mounted inside an office???
 
normis
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 12:52 pm

That's not true, RouterOS itself checks package integrity, checksum and allowed version. It does not matter where package came from, it will not be installed.

rextended, is it a language barrier also, that makes you not understand that already installed devices are not changed by this? and new devices you are configuring before mounting on the tower.
about downgrades, there is ZERO logical reason to knowingly downgrade to a version with a known CVE, possibly allowing easy access to the device by a hacker. Zero. Do not try to find it.
 
rextended
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 12:57 pm

already installed devices are not changed by this?

Other changes since v7.16:

!) device-mode - after upgrade, mode "enterprise" is renamed to "advanced" and traffic-gen, partition (command "repartition"), routerboard and install-any-version features will be disabled (additional fixes);
So if I understand wrongly, how come to me and other people on the forum it seems CLEARLY that it says that after upgrade
traffic-gen, partition (command "repartition"), routerboard and install-any-version features will be disabled

It says clearly: after upgrade features will be disabled. So where did I misunderstand?
Last edited by rextended on Wed Nov 27, 2024 1:04 pm, edited 7 times in total.
 
rextended
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 12:59 pm

That's not true, RouterOS itself checks package integrity, checksum and allowed version. It does not matter where package came from, it will not be installed.
If you read carefully, I did not write about installing a modified version of RouterOS, but a real, authentic package from an older version.
 
rextended
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 1:08 pm

I wrote what I had to write.
Now I will wait at the pass for the results of the MikroTik choices such as protected-routerboot and all the various consequences.
 
infabo
Forum Guru
Posts: 1465
Joined: Thu Nov 12, 2020 12:07 pm

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 1:13 pm

The real question is: how many people - in the real world - rely on traffic-gen, re-partition and downgrade to insecure ROS versions with known security vulnerabilities? Ok, the routerboot settings thing may be an issue for someone. But tbh: if you have the regular need to mess around with routerboard settings then I think your environment is flawed.
 
rextended
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 1:17 pm

@infabo
It's not a point about traffic-gen or repartition.

I, for one, have never spoken of installing insecure versions of RouterOS.
It means installing a previous version of RouterOS, which perhaps does not have the bugs of the next version, as often happens.
No matter how many tests you do in the lab, things can be different in production...

Can happen that I remote netinstall devices with some problems caused for various reasons, and I use routerboard menu for that, obviously.
Last edited by rextended on Wed Nov 27, 2024 1:20 pm, edited 1 time in total.
 
infabo
Forum Guru
Posts: 1465
Joined: Thu Nov 12, 2020 12:07 pm

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 1:20 pm

It is still possible to downgrade ROS as normis already explained. see https://help.mikrotik.com/docs/spaces/R ... edversions
 
holvoetn
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 1:28 pm

On routerboard, there is an important thing to be taken into account... upgrade or autoupgrade FW to latest version.
There have been quite a bit of fixes lately where this upgrade was needed for some corrections to work afterwards.

E.g.
*) ethernet - improved linking after reboot for hAP ax lite devices ("/system routerboard upgrade" required);
*) routerboot - fixed boot MAC for devices with Alpine CPU ("/system routerboard upgrade" required);
*) routerboot - fixed boot MAC for MIPSBE CRS3xx and CRS5xx switches ("/system routerboard upgrade" required);
*) routerboot - improved stability for IPQ8072 and IPQ6010 when flash-boot is used ("/system routerboard upgrade" required);
*) sfp - improved initialization for certain SFP modules on CRS309 and CRS317 devices ("/system routerboard upgrade" required);
Default device mode = advanced, routerboard is set to disabled.
Manual upgrade is still possible as of now BUT I've seen a response to a bug ticket this will be prevented later on.
Setting auto-upgrade is not possible without first changing device mode settings.

How would this be done then for all devices already in the wild?
That presents a real problem, doesn't it?
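As an added illustration of the two paths holvoetn separates (manual RouterBOOT upgrade versus auto-upgrade), here is a RouterOS CLI walkthrough. It is not from the thread or from MikroTik's documentation. The command paths are standard RouterOS 7 commands; the firmware version strings in the comments are constructed, and reading the device-mode flag with `get routerboard` is an assumption (it may need to be read from `/system/device-mode/print` output instead).

```routeros
# Added example (not from the thread): check whether the booted RouterBOOT
# lags the firmware bundled in the installed RouterOS package, and show which
# step still works while the device-mode "routerboard" flag is off.

# Which firmware is booted vs. which one the installed package carries.
# The values in the comment are constructed, not real output.
/system/routerboard/print
#   current-firmware: 7.16
#   upgrade-firmware: 7.17rc1

# The same comparison as a script, suitable for a scheduler entry that warns
# after every RouterOS upgrade when the two differ.
:local booted [/system/routerboard/get current-firmware]
:local bundled [/system/routerboard/get upgrade-firmware]
:if ($booted != $bundled) do={
    :log warning ("RouterBOOT " . $booted . " differs from bundled " . $bundled . "; run /system/routerboard/upgrade and reboot")
}

# Manual path: still permitted with routerboard=no (per the help page infabo
# cites). The new RouterBOOT is written now and applied on the next reboot.
/system/routerboard/upgrade
# /system/reboot

# Automatic path: needs the device-mode flag, and the flag change itself only
# takes effect after the physical confirmation (button press or power cycle)
# that device-mode asks for. Reading the flag via "get routerboard" is assumed.
:if ([/system/device-mode/get routerboard] = false) do={
    /system/device-mode/update routerboard=yes
    :log info "confirm the device-mode update on the device, then set auto-upgrade"
} else={
    /system/routerboard/settings/set auto-upgrade=yes
}
```

The scheduler-style check is the part worth keeping on devices already in the field: it needs no device-mode change at all, and it surfaces the mismatch the changelog entries above warn about without requiring anyone to reach the device.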
 
rextended
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 1:30 pm

It is still possible to downgrade ROS as normis already explained.

Honestly, in 17rc, I have never read or noticed it anywhere.

install-any-version is misleading, it should be install-unsecure-version

Well, this time I was wrong, about RouterOS version, I read and interpreted badly.
I hope you all will accept my apologies if I insisted.

But the "routerboard" menu still a problem...
Last edited by rextended on Wed Nov 27, 2024 1:33 pm, edited 1 time in total.
 
infabo
Forum Guru
Posts: 1465
Joined: Thu Nov 12, 2020 12:07 pm

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 1:33 pm

@holvoetn look here: https://help.mikrotik.com/docs/spaces/R ... rification
I've seen a response to a bug ticket this will be prevented later on.
Until then I believe what is documented on help.mikrotik.com.

"routerboard" restricts "system routerboard settings". "system routerboard upgrade" is still possible even with this flag enabled. so no need to worry at all.
 
rextended
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 1:38 pm

I don't use netinstall remotely often, but that's okay...
 
holvoetn
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 1:43 pm

Just checked the details of the ticket again ...

The problem was that with 7.17b4, after changing device mode to advanced, routerboard settings could be changed without first changing that setting (it was "yes" without doing anything).
It seems that part has been "corrected" (7.17rc1, maybe already with b6 ? Didn't check).
You first need to change that part now before you can proceed (but that requires again a press of a button or power toggle).

So manual upgrade remains to be possible indeed.
Still a problem but less invasive.
 
anav
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: v7.17rc [testing] is released!

Wed Nov 27, 2024 2:28 pm



There is never a perfect world. But for certain device types, cloud provisioning these days is leading the way. There also needs to be local management. If we cloud provision, the device info and network/device password would be saved at an administrative level. We copy password and use it to access the device locally [if cloud provisioned].
This year several of the largest "cloud providers" had 0day events, allowing hackers to take over your network during device provisioning. Please follow security blogs, it's not as the pretty advertisements say. We take security very seriously, and working on our own controller, we are taking all this into consideration. Rushing cloud solutions gets you hacked.
The world is marching to cloud everything, but as Normis states, it should not be done blindfolded.
 
lurker888
just joined
Posts: 21
Joined: Thu Mar 02, 2023 12:33 am

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 2:48 pm

I don't want to get into the whole war, but sometimes I have found it useful to set the CPU frequency to non-auto values. I don't think that allowing this without any special mode settings would have security implications.

(My reason for setting non-auto rates is that I have seen TCP "oscillations" on RB5009 devices, where a starting TCP stream loses packets at 350MHz before the CPU can ramp up the frequency, lowers its transmission rate, the CPU dials the frequency back again, and so on.)
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 6:01 pm

about downgrades, there is ZERO logical reason to knowingly downgrade to a version with a known CVE, possibly allowing easy access to the device by a hacker. Zero. Do not try to find it.

This is new to me ... that the ROS upgrader has a built-in function to check a certain ROS package against a database of CVEs applicable to ROS?

Or how should I understand this feature?
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 6:33 pm

install-any-version is misleading; it should be install-unsecure-version.

From what I understand so far, 7.17rc has an internal database of compromised versions to which it does not accept a downgrade.

So far, all good and correct.

But how does it work with versions that are NOT in the database of compromised versions? Read this text in the docs:
This list can be updated to versions which includes some major changes in RouterOS below which downgrade should not be allowed.
Simply, someone does not want you to downgrade to a SECURE working version once you install some version that has major changes but later turns out to be unexpectedly unstable...

This means that those who produce RouterOS feel like God and are immune to errors.

Isn't it enough for them to have the example that twice, for two versions of WinBox,
it had to be downloaded manually because the update was not recognized???

Sooner or later they will make some similar error and RouterOS can no longer be updated to any version due to some internal error.
So someone will have to travel a few kilometers to press the button...
And maybe urgently, because the unupgradeable version contains some security bugs...

Again, in light of what I learned today, after the misinterpretation, and the apology for it,
I have nothing more to add on that.
 
User avatar
infabo
Forum Guru
Forum Guru
Posts: 1465
Joined: Thu Nov 12, 2020 12:07 pm

Re: Complaints from v7.17rc [testing]

Wed Nov 27, 2024 8:33 pm

about downgrades, there is ZERO logical reason to knowingly downgrade to a version with a known CVE, possibly allowing easy access to the device by a hacker. Zero. Do not try to find it.

This is new to me ... that the ROS upgrader has a built-in function to check a certain ROS package against a database of CVEs applicable to ROS?

Or how should I understand this feature?
We don't know. I assume this info about insecure versions is hardcoded into the ROS main package. But this would make no sense TBH (as some devices may not be updated regularly). A check against an external database would make more sense somehow. But what if an intruder on the network blocks or redirects these remote database requests to their own fake service? OK, responses could be signed so ROS only accepts trusted data. But the intruder could still block outgoing requests to the database, so ROS won't be able to update its "insecure version" list.
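The two design questions raised in this exchange (how the upgrader could verify an "insecure version" list, and what it should do when an attacker blocks the list from being refreshed) can be made concrete. The following is an added example written for this thread, not RouterOS code and not a description of how MikroTik actually implements device-mode; it uses an HMAC with a constructed key as a stand-in for the vendor's real signature, invents a small JSON list format (an explicit set of blocked versions plus a "blocked_below" floor, matching the doc wording rextended quoted), and answers the blocked-refresh problem by failing closed: a downgrade is only permitted when a verified, recent list says nothing against it.

```python
"""Signed version-denylist check with fail-closed staleness handling.

Added example for the thread above; constructed format and key, not RouterOS.
"""
import hashlib
import hmac
import json
import re
import time

# Constructed stand-in for the vendor's signing key. A real deployment would
# verify an asymmetric signature (assumption: the vendor signs the list).
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(beta|rc)(\d+))?$")


def parse_version(text):
    """Turn '7.16.2', '7.17rc1' or '7.17beta4' into a sortable tuple."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, tag, tagnum = m.groups()
    # Pre-releases sort below the final release of the same number:
    # beta < rc < final.
    rank = {"beta": 0, "rc": 1, None: 2}[tag]
    return (int(major), int(minor), int(patch or 0), rank, int(tagnum or 0))


def sign_list(denylist, key=VENDOR_KEY):
    """Serialise and sign the list (constructed helper playing the vendor)."""
    blob = json.dumps(denylist, sort_keys=True, separators=(",", ":")).encode()
    return blob, hmac.new(key, blob, hashlib.sha256).hexdigest()


def load_denylist(blob, signature, key=VENDOR_KEY):
    """Return the parsed list only if the signature verifies, else None.

    A redirected or forged response therefore yields no list at all rather
    than a list the attacker wrote.
    """
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(blob)


def downgrade_allowed(current, target, denylist, now=None, max_age=7 * 86400):
    """Decide whether installing `target` over `current` should proceed.

    Returns (allowed, reason). Fails closed when no verified list is at hand
    or the list is older than max_age, which is the defensive answer to an
    attacker simply blocking the refresh request instead of forging it.
    """
    now = time.time() if now is None else now
    cur, tgt = parse_version(current), parse_version(target)
    if tgt >= cur:
        return True, "not a downgrade"
    if denylist is None:
        return False, "no verified denylist available; refusing downgrade"
    if now - denylist["issued"] > max_age:
        return False, "denylist older than max_age; refusing downgrade"
    if tgt < parse_version(denylist["blocked_below"]):
        return False, f"{target} is below floor {denylist['blocked_below']}"
    if any(tgt == parse_version(v) for v in denylist["blocked"]):
        return False, f"{target} is explicitly listed as insecure"
    return True, "target not listed"


if __name__ == "__main__":
    # Constructed sample list: a floor plus one explicitly blocked release.
    blob, sig = sign_list({"issued": 1_732_000_000,
                           "blocked_below": "7.12",
                           "blocked": ["7.14.2"]})
    dl = load_denylist(blob, sig)
    for tgt in ("7.16.2", "7.14.2", "7.11.2"):
        print(tgt, downgrade_allowed("7.17rc1", tgt, dl, now=1_732_003_600))
```

The trade-off is the one infabo points at: failing closed means a device cut off from the list server also cannot roll back, so `max_age` and the fallback behaviour are a policy decision, and the operator needs an out-of-band path (physical access, or a locally trusted signed list) for exactly that case.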
 
mickdoev
just joined
Posts: 18
Joined: Fri Mar 17, 2023 2:44 am

Re: Complaints from v7.17rc [testing]

Thu Nov 28, 2024 7:27 am

PIM-SM RP candidate selection still not working as it should - I have an unanswered support ticket that's now 6 weeks old on this issue . . .
 
oreggin
Member Candidate
Member Candidate
Posts: 201
Joined: Fri Oct 16, 2009 9:21 pm

Re: Complaints from v7.17rc [testing]

Fri Nov 29, 2024 6:26 pm

This thread speaks for itself, please rethink device-mode and don't give a shit. We have been switching to MTik devices for some time, but now we can move on to other manufacturers. Thanks!
Can you please describe in full sentences how device-mode is interfering with your workflow? What was implemented in first beta releases is no longer in 7.17rc.
The device-mode itself carries a lot of possibilities for deadlocks. Like install-any-version, flagged, etc. What if I enable all of the needed features, then something happens and flagged activates and disables the escape possibilities, or if I upgrade some production routers to a stable but buggy version and need to downgrade to a previous stable version which is marked as insecure by MTik, but that is the version where the bug is not "implemented" and we could operate stably on... and opening a ticket which is never answered :-(
Simply there is no way to physically access all (thousands) of our CPE routers. I was bravely telling my company to change to MTik devices until 7.17. Now? I tell them DON'T, as MTik implemented a "how to make a brick" function. It is not funny if we need to send our engineers to all sites where MTik routers bricked themselves. It is also a shame if we need to call these sites to unpower the whole cabinet to surely reactivate the internet service.
I understand and accept that security is important, but it is not too elegant to pass the poop to the customers, and stubbornly cling to it.

Please, rethink it.

Regards,
oreggin
 
User avatar
jbl42
Member Candidate
Member Candidate
Posts: 225
Joined: Sun Jun 21, 2020 12:58 pm

Re: Complaints from v7.17rc [testing]

Fri Nov 29, 2024 8:13 pm

It's definitely a challenge for managing MikroTik devices, especially in enterprise settings. A cloud provisioning portal would be a great solution for easier management.
There seem to be different meanings of "Enterprise". My "Enterprise" employer (and all others I know) has a dedicated Information Security Department which would never allow highly sensitive network devices to talk to a vendor cloud without going through a lengthy approval process including regular audits and, in the US, FIPS certification (without saying that corporate security theater necessarily makes things safer). That works for Cisco etc., which are used to this and have all the required certificates and contracts ready. But not for a shop like Mikrotik.

For smaller Cisco/Juniper devices (large ones have cloud required, see above) we use auto configuration: using special options, the device asks the DHCP server for an https or scp URL to download configs or FW updates, providing its serial number so the DHCP server knows what to respond. Of course the https or scp certificates are checked by the device before downloading anything. This allows for zero-touch provisioning of switches and similar. Just by knowing the SN, we can configure things upfront; the device is shipped directly to the branch by the vendor. Local staff just unpack it, connect it to the network and switch it on. The rest happens automatically without any 3rd-party server or cloud.
Something similar for Mikrotik would be nice and IMO much better than any cloud stuff.

Obviously some users here refer with "enterprise" to the many small-medium companies taking any cloud as long as it saves time and money in the short term. Until it doesn't, and they end up paying bitcoins to some thugs to get their data unencrypted.
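The DHCP-driven zero-touch flow jbl42 describes has two pieces a practitioner can inspect: the vendor-specific DHCP option that carries the provisioning URL, and the server-side lookup keyed on the device serial number. The following is an added example for this thread, not MikroTik, Cisco or Juniper code. It assumes (this is not RouterOS behaviour) that the URL travels in DHCP option 43 encoded as RFC 2132 encapsulated sub-options, under a made-up sub-option code 1, and it enforces the check jbl42 relies on: a URL with any scheme other than https or scp is refused before anything is fetched, and an unknown serial gets no config.

```python
"""Zero-touch provisioning pieces: vendor-specific DHCP sub-options carrying a
provisioning URL, plus a serial-number keyed config lookup on the server side.

Added example for the thread above; the option/sub-option layout and the
inventory contents are constructed assumptions, not any vendor's format.
"""
from urllib.parse import urlparse

SUBOPT_URL = 1          # assumed sub-option code carrying the provisioning URL
END_MARKER = 0xFF       # RFC 2132: 0xff ends an encapsulated option list


def encode_option43(suboptions):
    """Encode {code: bytes} as RFC 2132 encapsulated vendor sub-options."""
    out = bytearray()
    for code, value in suboptions.items():
        if not 1 <= code <= 254 or len(value) > 255:
            raise ValueError("sub-option code or length out of range")
        out += bytes([code, len(value)]) + value
    return bytes(out) + bytes([END_MARKER])


def decode_option43(data):
    """Parse encapsulated sub-options; reject truncated or malformed input.

    Every length byte is checked against the remaining buffer so a crafted
    or cut-off option cannot make the parser read past the data it was given.
    """
    result, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == END_MARKER:
            return result
        if code == 0:                     # pad byte, no length field
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated sub-option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        result[code] = value
        i += 2 + length
    raise ValueError("missing end marker")


def provisioning_url(data):
    """Return the URL only if it uses a scheme the device can authenticate.

    Plain http or ftp is refused here, so the device never downloads a
    config over a channel whose server certificate/host key it cannot check.
    """
    url = decode_option43(data).get(SUBOPT_URL, b"").decode("ascii", "strict")
    parsed = urlparse(url)
    if parsed.scheme not in ("https", "scp") or not parsed.netloc:
        raise ValueError(f"refusing provisioning URL with scheme {parsed.scheme!r}")
    return url


# Constructed server-side inventory: serial number -> config prepared upfront
# once the SN is known from the vendor's shipping notice.
INVENTORY = {
    "ABC123456789": "/ip address add address=10.1.10.2/24 interface=ether1",
}


def config_for_serial(serial):
    """Server-side lookup; an unknown serial gets nothing (the safe default)."""
    return INVENTORY.get(serial.strip().upper())


if __name__ == "__main__":
    opt = encode_option43({SUBOPT_URL: b"https://ztp.example.net/cfg/"})
    print(opt.hex())
    print(provisioning_url(opt))
    print(config_for_serial("abc123456789"))
```

The server still has to authenticate the device, not only the device the server: a serial number is printed on the box and is not a secret, so in a real deployment the lookup would be combined with a device certificate or a per-serial one-time token before a config is handed out.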
 
toxicfusion
Member
Member
Posts: 324
Joined: Mon Jan 14, 2013 6:02 pm

Re: Complaints from v7.17rc [testing]

Sun Dec 01, 2024 7:15 am

@ Normis

mine is a question without controversy. It seems clear that Mikrotik is focusing on the domestic market and I can only be pleased about this, personal opinion. Have you ever thought of dividing ROS into an Enterprise branch and a Home branch, the latter with only the minimum packages (DLNA comes to mind: Media is useful at home but perhaps not much in an Enterprise environment), perhaps with small step-by-step guided procedures? I know it would be a double version to maintain, but in my opinion the Home version would be much simpler. The hateful problem of the 16MB flash memories of Home devices (AC2 for example) could be solved in one fell swoop. As a home user, I am in love with Mikrotik and ROS and where I could, even at relatives' and friends' houses, I installed a Mikrotik, but sometimes I lost hours configuring everything 100%. A Home version perhaps even more concentrated only on WebFig instead of Winbox, with small guided procedures, guides and advice, would not be bad. Let's be clear, in a Home environment you hardly use ROS in a complete way; once you create a wizard for opening TCP/UDP ports, VPN, Media Sharing, Wifi with easy procedures to add a second RB as a repeater/access point, you have almost completely satisfied home users and you could afford not to touch this "ROS-Home Edition" for months. It goes without saying that any device modes etc. on Home devices you could apply without too many problems and concentrate on more structured procedures for Enterprise users. If we look, all router manufacturers that sell in both the Enterprise and Home market have double versions of their ecosystem/system and in my opinion you should seriously consider this possibility if, as I think, you have rightly decided to enter the home-domestic market.
Even if it has little to do with the discussion, I would invite Mikrotik to take our comments/suggestions a little more seriously and in my opinion only something good can come out of it, see the retracement of the much more restrictive device mode on the first betas of 7.17. ;)
I agree and have also suggested soho and enterprise/professional product lines from MikroTik

They’re very confused right now head stuck up their ass, or in the sand and only focused on cheap and to third world market

If they segmented soho (hAP series) and limited those to WebFig and a phone app, this would make it simple for Home users entering the market (get them familiar with MikroTik and build confidence; look at the return rate and reviews or negative forum posts by newcomers about complexity). Or we as professionals can easily recommend hAP to home users or family and spend less time.

Then, for us real fucking people and professionals, let us have the full RouterOS with Winbox, and all you can eat as professionals and enterprise level. MikroTik, develop and create a partner portal and get serious. Otherwise, I feel market share will shrink…. Imploding….

That way MikroTik can lock down and protect their hAP series and mitigate this bullshit device mode and sticker passwords

Meraki/Cisco, Cambium, Forti and even Ubiquiti don’t have this device lock or sticker password

Also I call lies on MikroTik in their mindset of “open to hacking when rushing to cloud”

Well, MikroTik - eat your own dog food. Don’t rush it.

Your hardware is great (keep 16MB flash to home devices).

We're leaving MikroTik and can no longer recommend it. This is as a 12+ year user who deploys in business settings.

MikroTik - why don’t you reach out to your certified trainers and get their feedback? Listen. Grow. Advanced. Profit

Last note - I am of the feeling that the only current stable MikroTik wireless products are the 60GHz line. We feel confident deploying these to customers and have stable links. However, the Cube 60 Pros did have water ingestion issues.

The outdoor AX wireless is not up to the quality of the competition at the same price point. I can now buy a Cambium outdoor product for near the same price as a modded-out NetMetal AX.

And the Ampere partnership is cool…. But I feel the software quality will need to meet the hardware. Why have such great hardware but miss what we ask for? Stop the ROSE push. It is a sick joke. Shame.
 
toxicfusion
Member
Member
Posts: 324
Joined: Mon Jan 14, 2013 6:02 pm

Re: Complaints from v7.17rc [testing]

Sun Dec 01, 2024 8:57 pm

The frustration here is that we all feel MikroTik is taking the wrong direction for security and function. Do some market research on what other vendors have done or are currently doing with success. Why reinvent the wheel?

soho/consumer product lines: hAP and similar - "lock" to WebFig and MikroTik App [iOS / Android]. These come with a baked config like any other consumer device. Home / residential users are not going to maintain.

The real hardware [CCR, CRS, Routerboard lines] should be the Professional/Enterprise line and be full featured with proper packaging of software. Look at what other vendors do for pushing their firmware and software. Perhaps have built-in md5 checksums during install, or signed packages. Randomized passwords on stickers is chaos theory and has already caused us headaches with remote cAP deployments.

I.e.: We drop-shipped new cAPs to a customer and had a tech go connect them. Well, they shipped with the new randomized passwords.... We had to go back to distribution to get the passwords. This turned a 3-minute job per AP of factory reset for cAP mode and provision into hours. We ended up having the tech take pictures of the stickers and we matched up the MAC address to device and were able to get into them after reset.

Same goes for outdoor APs that are in the weather.

What happens if a technology company takes over a customer's network and the prior IT / MSP did NOT properly document the default passwords.......
 
toxicfusion
Member
Member
Posts: 324
Joined: Mon Jan 14, 2013 6:02 pm

Re: Complaints from v7.17rc [testing]

Mon Dec 02, 2024 2:02 am

The frustration here is that we all feel MikroTik is taking the wrong direction for security and function. Do some market research on what other vendors have done or are currently doing with success. Why reinvent the wheel?

soho/consumer product lines: hAP and similar - "lock" to WebFig and MikroTik App [iOS / Android]. These come with a baked config like any other consumer device. Home / residential users are not going to maintain.

The real hardware [CCR, CRS, Routerboard lines] should be the Professional/Enterprise line and be full featured with proper packaging of software. Look at what other vendors do for pushing their firmware and software. Perhaps have built-in md5 checksums during install, or signed packages. Randomized passwords on stickers is chaos theory and has already caused us headaches with remote cAP deployments.

I.e.: We drop-shipped new cAPs to a customer and had a tech go connect them. Well, they shipped with the new randomized passwords.... We had to go back to distribution to get the passwords. This turned a 3-minute job per AP of factory reset for cAP mode and provision into hours. We ended up having the tech take pictures of the stickers and we matched up the MAC address to device and were able to get into them after reset.

Same goes for outdoor APs that are in the weather.

What happens if a technology company takes over a customer's network and the prior IT / MSP did NOT properly document the default passwords.......
@Normis
 
User avatar
infabo
Forum Guru
Forum Guru
Posts: 1465
Joined: Thu Nov 12, 2020 12:07 pm

Re: Complaints from v7.17rc [testing]

Tue Dec 03, 2024 1:26 pm

Because I have a "strong opinion" on Fortinet especially (as one of these "enterprise" vendors), here is my 2 cents, with the ChatGPT "polite" filter applied. So please don't say it is ChatGPT made up.

Enterprise solutions like Fortinet often come with their own challenges. For example, the handling of 0-day exploits can be concerning, especially when vulnerabilities remain undisclosed for extended periods while being exploited in the wild. Additionally, their business models, which heavily rely on cloud subscriptions, feature-specific licensing, and costly support contracts, can be quite demanding.

If these aspects align with your enterprise needs, they may be the right choice for you. However, it’s important not to project these expectations onto Mikrotik, whose philosophy and approach to networking differ significantly. Consulting your compliance department might provide clarity on the specific requirements and solutions suitable for your organization.
 
oreggin
Member Candidate
Member Candidate
Posts: 201
Joined: Fri Oct 16, 2009 9:21 pm

Re: Complaints from v7.17rc [testing]

Wed Dec 04, 2024 3:45 pm

Last Saturday I chatted with my old friend who actively uses Enterprise-level MikroTik devices and other vendors' devices too.
He hadn't heard about device-mode. I didn't want to spoil the joke, so I didn't tell him about it.
There are many others over the world who haven't heard about device-mode and its lockdown features.
There are many people who use lots of vendors' enterprise-level routers and switches. What do you think, which of those can lock itself for security reasons?
There will be a lot of surprises when 7.17 comes to stable and gets widespread :-)
