Every Internet connected device needs some automatic update functionality by default. It's tricky for routers since you typically do not want any downtime and it's really difficult/expensive (well at least 2x the cost for hardware alone) to do a blue/green (or is it red/black?) deployment. Not to mention since Mikrotik is low end, there is no state replication functionality between routers.
Here is a config for Mikrotik that updates my non-ISP hardware once a week at 3AM: https://gist.github.com/kaihendry/59a656c3883450d2df2fd52574...
And when the ISP opts out of the suggested automatic update default, they need to make the commitment to test and roll out updates in a timely fashion. As we all know this is hugely expensive, and I strongly believe a vendor/"computer program" should be able to provide this service. Customers with these ISPs who didn't update are probably seeing some crazy packet loss.
So the future I'd like to see is Mikrotik updates being automatic, staged to some degree & ultimately non-breaking. Cons are downtime for some & I guess allowing your device to be remotely controlled by Latvians. ;)
I have a script I have been running for a year without issue. It checks for an update, and then if there is one, installs it.
I'm a stable-updating kind of guy.
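As an added example of the weekly check-and-install job both of these posts describe (this is not the gist linked above, not the poster's script, and not MikroTik's own code), here is a RouterOS 6.4x version. The script name, the 03:00 weekly slot, the long-term channel and the 10 s wait are assumptions; the commands are the `/system package update` and `/system scheduler` ones RouterOS 6.4x provides.

```routeros
# Added example (not the poster's script): weekly check-and-install on RouterOS 6.4x.
# Paste the body marked "script" into System > Scripts as "auto-upgrade"
# (or /system script add name=auto-upgrade source="..."), then run the two
# one-off commands. Assumed: script name, 03:00 weekly slot, long-term channel.

# --- one-off: pin the channel so a scheduled job never pulls a testing build
/system package update set channel=long-term

# --- script "auto-upgrade" (policy: read,write,reboot,policy)
/system package update check-for-updates once
# the check is asynchronous; give it time before reading the status string
:delay 10s
:local st [/system package update get status]
:local cur [/system package update get installed-version]
:local new [/system package update get latest-version]
:if ($st = "New version is available") do={
    :log warning ("auto-upgrade: " . $cur . " -> " . $new . ", installing (router will reboot)")
    # downloads every installed package for the new version and reboots into it
    /system package update install
} else={
    # "System is already up to date", or an error string from the check
    :log info ("auto-upgrade: " . $st . " (running " . $cur . ")")
}

# --- one-off: run the script every week at 03:00 (7d is displayed as 1w)
/system scheduler add name=auto-upgrade start-time=03:00:00 interval=7d \
    on-event=auto-upgrade policy=read,write,reboot,policy
```

Two caveats worth knowing before trusting this unattended: `install` replaces the packages only, so the RouterBOARD bootloader still needs a separate `/system routerboard upgrade` and a second reboot afterwards; and pinning the channel matters, because the same scheduler pointed at `testing` turns a weekly maintenance window into weekly regression testing on production.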
As to their update availability - I'm fairly certain I could take something they manufactured 15 years ago and update it to the current version, as it all uses the same OS, and they still support every architecture they've used.
But as the first comment says - introducing breaking changes is not acceptable and they should appear only in major releases. And then those security bugfixes should be backported on all major versions which were released at least 5 years back. Yesterday I upgraded mikrotik from 6.14 to 6.42 and it took me 30 minutes of additional configuration to make everything work again.
Also, mikrotik collects a lot of network stats, so implementing an algorithm which would restart the router when there's usually the least amount of traffic should be feasible - those updates take less than a minute so it's not like windows 10.
The main problem with Mikrotik is that the configuration interface is too low-level and it's easy to fall into such traps.
For the firewall I've got pfSense (FreeBSD based firewall) running on a small Intel box from Aliexpress with 6x ethernet ports. I overspecced the machine so I knew it would last for years, whilst allowing running intrusion detection (snort), reverse proxy, auto blacklisting and much more.
This is also acting as my router, but if & when my home network expands I'll add a dedicated one (and probably put 4x ethernet ports bonded using lagg into it as it'll still be controlling my vlans).
I got a dedicated ceiling mount wireless AP from TP-Link.
This has only slightly higher power and space requirements than what I had, but that buys me so much flexibility. I can upgrade and augment individual components when needed (particularly wifi). I have individual vlans, firewalled off from each other, running over three wifi SSIDs - trusted, guest and internet-of-shit. I'm currently connected into my trusted vlan over OpenVPN, so I can connect to my server without having to open any ports to the outside world.
The downsides are that it did take a couple of days to set it all up to my liking, but personally I've learned so much doing it it's been worth every minute.
"Regardless of version used, all RouterOS versions that have the default firewall enabled, are not vulnerable"
I don't believe all MK devices OOTB had the WAN interface firewalled (they do now, though their wAPs run the same license level 4 of RouterOS and do not have the fw enabled on the ethernet port), though I do recall that being made very clear both in the documentation that came with the hardware and in any wiki/docs I looked at at the time I was first setting up my MK device.
The issue I have is the lack of communication with customers. I have not received any notification of this vuln since August 5th (well, since patched in April) but they in general seem rather blase about the whole thing. I haven't followed the link to the story but I follow BPR on Twitter and saw that it's around 421K according to censys.io.
Edit: I see...*notification via email is what I thought I had written in top post.
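To make concrete what the quoted advisory line means by "the default firewall": the rules below approximate the input chain of the RouterOS 6.4x default configuration (defconf), which is what stops the router's own services (Winbox, www, api, ssh) from being reachable on the WAN side. This is an added illustration, not MikroTik's verbatim defconf and not from the post above; it assumes ether1 is the WAN port, the LAN ports sit in a bridge named `bridge`, and 192.168.88.0/24 is the management range.

```routeros
# Added example approximating the RouterOS 6.4x defconf input chain; not
# MikroTik's verbatim defconf. Assumed: ether1 = WAN, LAN ports in "bridge",
# 192.168.88.0/24 = management network.

# interface lists let one rule cover every LAN port
/interface list add name=WAN
/interface list add name=LAN
/interface list member add list=WAN interface=ether1
/interface list member add list=LAN interface=bridge

# input chain = traffic addressed to the router itself (this is what an
# exposed Winbox/www/api service lives behind)
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked \
    comment="defconf: accept established/related/untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=drop in-interface-list=!LAN \
    comment="defconf: drop everything else not coming from LAN"

# --- check: the input chain must end in the drop above. A device that shipped
#     without defconf, or a wAP whose ethernet port is in no firewall at all,
#     will show nothing here.
/ip firewall filter print where chain=input

# --- belt and braces: the drop rule is the only thing between the internet and
#     these services, so restrict and prune them as well (address= assumed)
/ip service print
/ip service set winbox address=192.168.88.0/24
/ip service set www address=192.168.88.0/24
/ip service disable telnet
/ip service disable ftp
/ip service disable api
```

The point of the `print` check is the one the previous comment raises: on a unit that never had defconf applied, or had it reset, the input chain is empty and every listening service is a WAN-facing service, regardless of the RouterOS version.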
They provide regular software updates, and it is imho a good hacker/tinkerer router.
One major advantage of Turris Omnia is that CZ.NIC is a non-profit, so they are not as constrained by profitability of this project, and it's a part of a larger strategy (e.g. you may allow reporting statistics back to turris: https://project.turris.cz/en/global-stats/).
There is this one on the horizon though: https://up-shop.org/up-ai-edge/233-up-net-plus.html
It'd make a fine router in the same vein, no word on power usage though.
Their routers were also not affected by the KRACK WPA2 exploit last year.
AVM products cost a lot more than their competitors' but they are really worth their money.
It's 100% worth the extra cash getting an AVM over most ISP routers you get in germany.
They have hardware offloading for routing and iptables, will route 900Mbps, and get regular software updates.
Edgerouter Lite is $99, and draws about 5W.
I would recommend buying something else.
0: https://community.ubnt.com/t5/EdgeRouter/EdgeRouter-X-SFP-le... (reported 2017-03, still alive as of 2018-08)
So MikroTik did its part.
I just had this thought and want to get it down, apologies for the rant: I suspect that philosophically, the basic measure of our economy has been units of energy, but it's transitioning to units of power. The 'subscription model' most businesses are transitioning to seems to be an early recognition of that fact. Server space, similarly, isn't really something one can store as easily as gold or gasoline - it's only valuable while in use and degrading whether it's in use or not. Our whole concept of currency may be based on an idea of 'stored' value, analogous to swapping joules, while we should be thinking about 'sources' of value - swapping watts. I think the trouble is that renting (or hijacking) servers is accounting in terms of watts, while currency is accounting in terms of joules. The accounting of the two types of approaches may not be as easily reconcilable as it seems at first.
EdgeRouter X issues:
* 3.10 kernel. This is out of LTS support.
* Poor IPv6 support. The GUI has practically 0 support and you instead have to learn EdgeOS config, and it's awkward.
I'm happy to use EdgeRouter X as a switch, so I'm looking for an SBC that can act as router/firewall and run vanilla Debian.
I think that's a pretty good level of support for a $49 device.
But considering some of the comments on that thread, I'm not entirely shocked.
> Attackers will not be able to use that, nor will they care.
> If you're exposing that unfettered to the web at large, imo you deserve what you get.
Did no one really think 200,000 devices was a worthwhile target?
I managed to have consistent upgrades by using only the main package and Netinstall, but it is still a huge pain in the ass.
Mikrotik makes stable routers, but they messed up the upgrade process completely.
I just upgraded my last hAP ac from 6.39.2 to 6.42.9 through the web interface, entered the bootloop, then did the Netinstall of the system package only, then manually restored the configuration.
Upload the package to the router (make sure it completes).
Reboot the router.
Upgrade the BIOS ("Routerboard firmware").
Did your hAP run out of flash disk space? I notice that it only has 16MB.
The only method I have ever used is dropping the .npk packages into the root of the filesystem via sftp or ftp, and rebooting. No Netinstall required.
I've done this something like 50 times, on multiple models covering multiple architectures (Mips, PPC, x86, Arm), and never once had any issues.
Uploading them one-by-one via the web interface or Winbox (via the Files section) and rebooting also works just fine, but why bother when you can do them in one shot as above?
And if you have to upgrade a large number of routers, best of all is write your own script that pulls firmware from your own private repository on your management VLAN, and reboots. And seriously, anyone who is managing a large number of routers and is not bothering to test image upgrades in a testing environment before deploying to live deserves any trouble they get.
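As an added example of the procedure laid out in the three steps above and in this comment (upload the .npk to the root of the filesystem, make sure the transfer completed, reboot, then upgrade the RouterBOARD firmware), pulling the main package from a private repository on the management VLAN rather than from MikroTik's servers. This is not MikroTik's code and not the commenter's script. The host `fw.mgmt.example`, the version 6.42.9, the 12 MB free-flash floor, the 8 MB plausibility floor, the 60 s post-boot delay and the script/scheduler names are all assumptions.

```routeros
# Added example, not MikroTik's code and not the poster's script: fetch the
# main package from a private repo, verify it, reboot, then upgrade the
# RouterBOARD firmware on the next boot. Assumed: fw.mgmt.example, 6.42.9,
# the size floors, the 60 s delay and the script names.

# --- script "pull-upgrade" (policy: read,write,reboot,policy,test)
:local ver "6.42.9"
# the package must match this board's architecture (mipsbe, arm, tile, ...)
:local arch [/system resource get architecture-name]
:local pkg ("routeros-" . $arch . "-" . $ver . ".npk")

# a 16 MB board with a full flash boot-loops on a half-written package,
# so refuse early instead of "upload and hope" (12 MB floor is assumed)
:if ([/system resource get free-hdd-space] < 12000000) do={
    :error ("pull-upgrade: not enough free flash for " . $pkg)
}

# HTTPS with certificate checking against your own repo; a dst-path with
# no folder lands in the filesystem root, which is where the upgrader looks
# at boot. A transfer error raises an error and ends the script here.
/tool fetch url=("https://fw.mgmt.example/routeros/" . $pkg) dst-path=$pkg \
    mode=https check-certificate=yes

# "make sure it completes": the file must exist and be a plausible size
# (main packages are well over 8 MB; the floor is an assumed figure)
:if ([:len [/file find name=$pkg]] = 0) do={
    :error ("pull-upgrade: " . $pkg . " missing after fetch")
}
:if ([/file get $pkg size] < 8000000) do={
    /file remove $pkg
    :error ("pull-upgrade: " . $pkg . " is truncated, removed, not rebooting")
}

# arm the post-boot firmware step, then reboot into the new package
/system scheduler add name=fw-after-upgrade start-time=startup \
    on-event=fw-after-upgrade policy=read,write,reboot,policy
:log warning ("pull-upgrade: rebooting into " . $pkg)
/system reboot

# --- script "fw-after-upgrade": the bootloader ("Routerboard firmware") is a
#     separate step, and the new bootloader only runs after one more reboot
:delay 60s
/system scheduler remove [find name=fw-after-upgrade]
:if ([/system routerboard get current-firmware] != [/system routerboard get upgrade-firmware]) do={
    :log warning "fw-after-upgrade: upgrading RouterBOARD firmware and rebooting once more"
    /system routerboard upgrade
    /system reboot
}
```

Two things the steps above leave implicit and this version makes explicit: the script refuses to reboot on a file it could not fully verify, which is the difference between "upload and reboot" and a boot-loop on a 16 MB hAP; and the bootloader step runs from a one-shot `startup` scheduler because it cannot be done in the same boot as the package install. As the comment says, run this against a lab unit of each architecture before pointing it at production.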
Once or twice I have run into upgrade issues that had to be resolved with a technician on site (broke vlan configs).
Just once the update wiped the config.
This is out of several thousand successful updates. I've run into similar issues with other big router manufacturers.
Like most companies, you do not want to be on the 'bleeding edge' of their updates unless absolutely necessary. They do have a significant problem with regressions in their updates.
I never use the web interface though - winbox is way better.
But the standard upgrade procedure is to put the new firmware image in the filesystem root (scp, update button via UI, etc) and reboot the device.