RCE on MikroTik routers with IPv6 RA enabled (mikrotik.com)
109 points by dgroshev on May 22, 2023 | hide | past | favorite | 59 comments


On a tangentially related note I recently found another manufacturer that is very similar to MikroTik: Teltonika. They are also based in a baltic state (Lithuania) and manufacture a range of inexpensive mostly-commercial-focused networking products. Their firmware is pretty open, and they provide a pretty good SDK that can build all the open source bits of the firmware and can be used to develop third party applications for their routers.

I'm evaluating their RUTX11 LTE/WiFi router as an in-vehicle router for a commercial application. I'm reasonably impressed so far. Their firmware strategy seems to be going for implementing every feature under the sun, so I'd be a bit concerned about the robustness of some of the edge cases, but no problems yet.

(This is not intended to imply "move off of MikroTik to Teltonika because of this security issue" at all, I just needed to get this out of my system)


I used their rut to provide 2 paths out for comms to 10 locations around the UK for a high profile Outside Broadcast a couple of weeks ago. The RUTs have decent modems and took two sim cards, and could be configured with routing policies to effectively have two independent paths out. Used a mikrotik for the third off some venue network which varied depending on the location.

I set up a wireguard tunnel from the RUT so I could have remote management to the rut and to the tieline gateway providing the comms over one of the sims, in addition to my normal tunnel from the mikrotik.

In Dover sim coverage was patchy, as was the "ethernet line" (which I believe was a 60G wireless link across the harbour). Just before the broadcast started the "ethernet" circuit dropped off, as did one of the sims. The other sim had fortunately managed to connect to a French 4G provider.

Another location had issues with the venue internet so again rut to the rescue, but another location had no 4g coverage at all so wired did the job.

Those ruts are now on the way to be in use at a site near Poole to do 3 sim cards worth of connectivity to some remote locations. I really like the wireguard connection, makes it easy to see what's going, and they're a nice little box anyway.

Configuration isn't good though -- a mikrotik has a nice simple "/export terse" to see how it's configured and easily apply. The RUT's config is spread all over the file system and it's not obvious to me yet how to manage that. There are some bugs in the GUI around routing tables too.


> Their firmware strategy seems to be going for implementing every feature under the sun, so I'd be a bit concerned about the robustness of some of the edge cases, but no problems yet.

In what way? If it is just "let's expose every feature of the Linux kernel underneath and add some" I wouldn't be worried. I think (not sure) RouterOS reimplemented a lot of networking for whatever reason instead of just using Linux facilities, and that bug would suggest that, as otherwise it would also show up in vanilla Linux (I guess it could be in a userspace tool, not in the kernel?)

> On a tangentially related note I recently found another manufacturer that is very similar to MikroTik: Teltonika.

How's CLI?

The one thing that makes me steer away from Mikrotik is its CLI. It is different enough from anything else networking and different from linux commands that I have zero intuition for it. So I just use plain linux

My go-to was PCEngines APU2 but AMD no longer supports/produces CPU it uses so it is near-discontinued


> If it is just "let's expose every feature of linux kernel underneath and add some" I wouldn't be worried.

This is a bad mental model to use for Linux. The level of maturity generally has a direct relationship to the size of the user base. Stuff like MPLS support and tons of VRFs is not nearly as polished as something like basic routing+nat.

This extends beyond reliability to things like tooling for debugging. Some of the kernel networking features are nearly impossible to debug when they break without going into the kernel code and reading the source.


> in what way ?

For example, this router has a GPS antenna. https://wiki.teltonika-networks.com/view/RUTX11_GPS

Which of course means it can forward the NMEA data to a TCP server, and also cache it, and also log it to a file, and you can configure this all per-sentence type, and you can enable an HTTPS server to provide it, and it supports multiple AVL protocols for vehicle location tracking, and it has a rules engine, and a geofencing system, and it can trigger GPIO pin signals. I'm pretty sure it has an RTCM client as well but I can't find it mentioned on the wiki right now.

All of which is awesome if you want to use it as an integration point within a larger system, like I want to, assuming that those features actually work. I do not know either way.

These routers tend to be implemented with a proprietary GUI and a few proprietary daemons on top of OpenWRT and a bunch of bundled open source daemons. The Teltonika appears to be the same. This can work well but it gives me the heebie jeebies.

> How's CLI?

It's an OpenWRT shell, basically. Presumably they have commands to interact with whatever configuration system the GUI is using but I haven't checked.


You missed the main reason to have GPS on your router: you can have a stratum 1 time source.


Huh, they really went all the way with it. Pretty neat. Really looking like one point shop for everything trucker/trucker company might want.


I just recently migrated myself personally from Fortigate to Opnsense, where I did look a bit into Mikrotik as #network irc folk tend to love it. Mikrotik to me seemed just odd as well (particularly the emphasis on using a thick client app), and I've installed and run almost every (other) major vendor out there. In the end I opted not to use yet another completely foreign dialect router/firewall; at least opnsense is FreeBSD, which I can work with, i.e. close enough to Linux and entirely accessible.

Vendor rep is important. I really don't trust Fortinet much anymore in moving off them, when they have security problems, they're usually pretty bad/catastrophic, and you NEVER want to NOT have updates on their kit if facing the internet (which mine was eos). Cisco isn't much better. I don't see Mikrotik in the news very often, which I'd take as a win at least and have compelling enough hardware/pricing I'd see this is a relatively small thing soon patched.


I've also been using Opnsense in some networks recently, I like it so far.

Some of the networks I work with have some older Mikrotik gear (which the Opnsense appliances are going to replace), I've just never really quite liked it - it has every feature under the sun but the interface always just seemed a bit janky to me. I might be judging a book by its cover but the software has just never felt solid...


Loosely related: I can recommend the Linksys WRT series. These are all OpenWRT compatible and can easily be reflashed.

They're also BPF/XDP compatible, though they obviously have no netronome smartNICs in there.

Also, golang can easily cross-compile to them, and the static binaries work without issues in case you want to do more with it :)


I cannot find the details of this CVE, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3215... just says "reserved". Is this normal?

What I'm concerned about is if this is a Mikrotik-specific issue or - given that IIRC their RouterOS is essentially a specialized and highly customized GNU/Linux distribution (I could be wrong) - some issue in Linux kernel or radvd. Aka "should I worry about my own software routers, or if this is strictly about Mikrotik?"


> given that IIRC their RouterOS is essentially a specialized and highly customized GNU/Linux distribution (I could be wrong)

Based on my conversations with people who have worked there: RouterOS is running on a Linux kernel, but it's so heavily patched that upgrades to a newer version are... delayed until the benefits of the upgrade exceed the cost. Up until the release of RouterOS 7 (circa 2021-2022) it was running on Linux kernel 3.3 (of 2012 vintage).

The drawbacks to this may not be obvious at first, but e.g. Wireguard support took a few years.


Forking like this is very expensive. I am curious what they feel they can do better than the linux kernel here. Otherwise, the benefit doesn't seem worth the investment and now you have a lot of lag.


Legacy (the development started in 90s), a lot of different CPUs/SoCs to cover (from various vendors, none of which are famous for their mainline-ness), drivers for ICs that are not publicly available (that you're forbidden to distribute in source form).

Not that other networking companies are better in this regard, they just have been founded when OpenWRT was already around.


Shouldn't we be able to know this? If it is a Linux kernel there should be a download source somewhere, or are you saying mikrotik is violating the GPL?


Allegedly, you can get the sources on CD-ROM if you wire them $45: https://mikrotik.com/downloadterms.html


Charging $45 for GPL sources on a CD-ROM is a violation of the GPL as you can only charge for:

> your cost of physically performing source distribution

and it must be distributed

> on a medium customarily used for software interchange

As a CD-ROM has not been customarily used for distributing this sort of software for many years (computers don't typically even have CD-ROM drives these days) this offer is clearly not GPL compliant.


I don't think you have a case, but once you get the CD-ROM you are allowed to redistribute the content on the CD-ROM. So you can upload it to the Internet and take out a billion dollars in ads to point the way to everyone, and their little $45 CD-ROM racket goes out of business.

I don't know why they wouldn't just push it to Github for free, though. Any competitor that wants to borrow their modifications will gladly cough up $45. So they're just making people mad for no reason.


Good luck finding a lawyer without an optical drive to take your case :-P-


It's not unusual for the CVE to be listed as reserved when other content comes out referencing the number. The process is basically ask mitre for a CVE number, then discuss the vulnerability with multiple parties using that number, and at some point someone puts details into the mitre database. Usually the CVE is updated before a public mention by the vendor, but not always.


I saw the CVE mention RADVD, which took me here: https://github.com/radvd-project/radvd/commit/f67335b5335b6e...

So not Linux kernel but possibly RADVD. No announcement from RADVD itself


Timeline here: https://www.zerodayinitiative.com/advisories/ZDI-23-710/

ZDI have been doing disclosure since forever. I doubt Mikrotiks claim that they were never notified.


But this is supposed to be about the RA client, radvd is for sending them out.


This vulnerability doesn't impact routers with default settings (according to the post). The vulnerability only arises when a router is specifically configured to function as an endpoint device in IPv6, rather than its default setting as a router. If you set your default GW statically or using some routing protocol, you're fine.

And PS: One of my routers that I just checked is running 7.9beta4, and the next available version (testing) is 7.10beta5. In the blog post they said that the fix is in 7.10beta7


This reddit post seems to claim otherwise:

https://www.reddit.com/r/mikrotik/comments/13oloi3/comment/j...


I was interested in Mikrotik devices, but then I looked at the API documentation[1] and was a bit horrified.

[1]: https://help.mikrotik.com/docs/display/ROS/API


Just wait until you see the Mikrotik scripting language. I dabbled with it a bit in the past and it's like an extremely buggy and finicky version of PHP. I still have a Mikrotik router in my basement, but it's the last one I think I'll buy.

I love the idea of scripting on a router, but please give us a real language to work with.


I set one up for the first time a few weeks back. The Web UI would sometimes time out my session after less than a minute, and then many of the sidebar buttons would be duplicated. Choosing a "template" option for how the WiFi/LTE is used would appear to take effect, but be ignored. There was no option to enter a password for the 5GHz radio, it simply remained open. It stopped responding and had to be factory reset. This was all over a stable wired Ethernet with a browser config that allows scripts, cookies etc, and before any work I'd upgraded its firmware and performed a factory reset. I too was a bit horrified.


Been using them since the 00s, never had that experience. I've got 190 permanent installs globally and another 50 or so which come and go as the need arises.


I’ve never had that happen but it will act a bit weird if the webpage thinks you’re logged in but you’re not. Check cookies and passwords or use the command line.

Or install openwrt.


FWIW, the primary way to configure a Mikrotik device is via WinBox (desktop app). The web UI is definitely not as polished, even if it looks similar.

If you're not using Windows, WinBox will run just fine under Wine on Mac/Linux. That's how I run it.


Thanks for this info! It had to be installed and working rather promptly, which meant I didn't have the time I'd usually like to acclimate to a new operating system. I'll look into WinBox.


What's wrong with SSH and API access?


I'd rather use a Windows 95 inspired interface than a castrated Linux shell. Even CTRL+L doesn't work.

Why, oh why do vendors decide to come up with their own mutually incompatible set of shell commands. And it's always so ugly compared to modern bash


SSH/API works fine too.

My point is more that the web interface isn't the best option. Take your pick of the others. :)


ssh/web works fine for me for 10+yrs and many thousands of devices


Sounds more like an issue with your browser.


No, I commented independently about this earlier having noticed it after rebooting (and then again - duplicated again). Must fetch & store menu items on login I suppose, but not clear them first nor check for duplicates.


Hmm. I've been using MT routers for 15 years and never knew there was an API. Presumably you want to use them in some SDN scenario?


I don't care about SDN per se, but I do desire a home network that I can configure and deploy (or easily re-bootstrap) from a git repo with a plain text editor.

The result is that I use NixOS for my NAT gateway/firewall, and simply live without fancier network features (I only have two NICs in that machine).

For wifi I begrudgingly use an off-the-shelf wifi router combo in bridge mode.


It's easier and cleaner to automate than sending SSH commands.


v7 has a REST API. Much easier to use.

https://help.mikrotik.com/docs/display/ROS/REST+API


If you are on 7.x stable, on May 19th they released a new point version 7.9.1 to fix this.


Curiously after upgrading there's a separate 'upgrade firmware' to be done (no idea if necessary for this though) in System > RouterBOARD. Mine was still on its stock 6.something though I was on 7.7 software. Just found it by accident looking for where to upgrade to 7.9.1.

(Even more curiously, I seem to get a duplicate menu item every time I reboot - three of each now (6.something / 7.7 -> 7.7 / 7.91 -> 7.9.1 reboots) ..almost in order - some of them seem to be somehow grouped for ordering purposes (and so are repeated as a group, not individually) despite not being nested or even obviously related.)


> Curiously after upgrading there's a separate 'upgrade firmware' to be done (no idea if necessary for this though)

>> The version of the RouterBOOT loader is currently in use. Not to be confused with RouterOS operating system version.

https://help.mikrotik.com/docs/display/ROS/RouterBOARD

https://help.mikrotik.com/docs/display/ROS/RouterBOOT


It's always been like this, I wish they would just do both at the same time since you have to reboot anyways.


Interesting that they say the combination of settings is uncommon but somehow I had it set on my RB5009 running 7.9.0

IMHO it's disturbing that any component of the IPv6 stack can be exploited even with /ipv6/settings/disable-ipv6 yes

There also seems to be a disagreement between Mikrotik and the researchers about whether the vuln was actually disclosed in Dec. Hopefully some more info comes out regarding that.


> disagreement between Mikrotik and the researchers about whether the vuln was actually disclosed in Dec

It seems likely that it was not properly disclosed because according to https://mikrotik.com/supportsec "you will be notified within 48 hours with acknowledgement of the issue" , but the reporter's web site states "ZDI reported the vulnerability to the vendor during Pwn2Own Toronto". According to MT, none of their staff attended that event.

https://www.zerodayinitiative.com/advisories/ZDI-23-710/


The report says it can be exploited with IPv6 enabled but IPv6 forwarding disabled, and reception of router advertisements is conditional on this, aka stop looking at router advertisements if the system is configured as an IPv6 router.


Maybe the blog post is just ambiguously worded but I'd like a confirmation from them if so.

  You are only affected if one of the below settings is applied:
     ipv6/settings/ set accept-router-advertisements=yes
  or
     ipv6/settings/set forward=no accept-router-advertisements=yes-if-forwarding-disabled

Specifically I'd like to know whether this config is vulnerable:

  /ipv6/settings/set disable-ipv6=yes forward=no accept-router-advertisements=yes-if-forwarding-disabled


Run `/ipv6/settings/export verbose` to show you the combination of your configuration and the default values on the relevant subtree. I would've expected the `disable-ipv6` to disable all ICMPv6 processing including the code paths leading to the RCE vulnerability, but the post doesn't state it explicitly.


It is ambiguous but I'd hope that disable-ipv6 would override everything else.

I had

   /ipv6/settings/print
     disable-ipv6: no
     forward: yes
     accept-redirects: yes-if-forwarding-disabled
     accept-router-advertisements: yes-if-forwarding-disabled
     max-neighbor-entries: 8192

which I interpreted as "maybe" being ok? But I upgraded anyway.
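The two affected configurations quoted from the advisory a few comments up can be checked mechanically against a router's own settings dump. The script below is an added example, not code from the thread or from MikroTik: it parses the `/ipv6/settings/print` output format shown above and (an assumption on my part) the `set key=value ...` line that `/ipv6/settings/export verbose` produces, then applies the advisory's conditions. The `disable-ipv6=yes` case the thread is unsure about is reported as its own outcome rather than assumed safe.

```python
"""Classify a MikroTik /ipv6/settings dump against the advisory's RA conditions."""
import re

# Constructed sample: the print output posted in the thread (default-looking values).
THREAD_PRINT = """\
/ipv6/settings/print
  disable-ipv6: no
  forward: yes
  accept-redirects: yes-if-forwarding-disabled
  accept-router-advertisements: yes-if-forwarding-disabled
  max-neighbor-entries: 8192
"""

# Constructed sample in the assumed `export verbose` shape: the second affected combination.
VULN_EXPORT = """\
/ipv6/settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes-if-forwarding-disabled disable-ipv6=no forward=no max-neighbor-entries=8192
"""

# Constructed sample: RA accepted, forwarding off, but IPv6 globally disabled (the open question).
AMBIGUOUS_EXPORT = """\
/ipv6/settings
set accept-router-advertisements=yes-if-forwarding-disabled disable-ipv6=yes forward=no
"""


def parse_ipv6_settings(text):
    """Return {setting: value} from either `print` (key: value) or `export` (set k=v ...) output."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"([a-z0-9-]+):\s*(\S+)$", line)       # print format
        if m:
            settings[m.group(1)] = m.group(2)
        elif line.startswith("set "):                       # export format (assumed shape)
            settings.update(re.findall(r"([a-z0-9-]+)=(\S+)", line))
    return settings


def listens_to_ra(settings):
    """True when the settings match one of the two affected combinations in the advisory."""
    ra = settings["accept-router-advertisements"]
    if ra == "yes":
        return True
    if ra == "yes-if-forwarding-disabled":
        return settings["forward"] == "no"
    return False


def assess(text):
    """'affected', 'not-affected', 'listening-but-ipv6-disabled', or 'unknown: ...'."""
    settings = parse_ipv6_settings(text)
    try:
        listens = listens_to_ra(settings)
    except KeyError as missing:
        return "unknown: missing setting %s" % missing.args[0]
    if not listens:
        return "not-affected"
    if settings.get("disable-ipv6") == "yes":
        # The advisory does not say whether disable-ipv6=yes overrides RA processing.
        return "listening-but-ipv6-disabled"
    return "affected"
```

Paste the real output of `/ipv6/settings/print` in place of the constructed sample; a `not-affected` result only covers the configuration conditions, so the version still needs to be at or above the fixed release.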


You're in for a treat:

Google for "icmpv6 vulnerability" ... There are just so many bad neighbor discovery related RCEs, it makes my heart bleed.

Even tcpdump was too naively implemented at some point.


I would like to assume disabling ipv6 turns off all the related daemons, but it's not explicitly stated anywhere.


Apropos of not much, many Mikrotik devices can run OpenWRT, if that's your thing.


Vendor was informed in person at an event in Toronto, where MikroTik was not present in any capacity.

Except for a black hat with a MikroTik name badge and handing out merch. Cunning, no?



Perhaps there's a security shortcoming in the hardware architecture upon which we build firmware/software for routers and such appliances?

Is this not a legitimate inquiry? Just curious why this leads to being quickly downvoted.


I love mikrotik hardware and run openwrt on it.

However, I turn off ipv6 in my internal network.

FYI I mainly use rb3011 routers and this branch:

https://github.com/adron-s/openwrt-rb3011

EDIT: yes, I understand this is only tangentially related to the routeros ipv6 ra cve



