The device-mode is a feature which sets specific limitations on a device, or limits access to specific configuration options. Such a feature is needed to protect your router and network from attackers who might in some way gain access to your router and use it as a gateway for attacks on other networks. By protecting your device in this way, even if an attacker manages to gain access to your unprotected device, they will not be able to use it to abuse your network or any other network.
There are three available modes: advanced, home and basic. Device modes are factory preset on routers that are manufactured and shipped with MikroTik RouterOS v7.17 or later. Advanced (previously called enterprise) mode is assigned to CCR and 1100 series devices, home mode is assigned to home routers and basic mode to any other type of device. Devices running versions prior to RouterOS 7.17 all use the advanced/enterprise mode.
```
[admin@MikroTik] > system/device-mode/print
  mode: advanced
```
The device-mode can be changed by the user, but remote access to the device is not enough to change it. After changing the device-mode, you need to confirm it by pressing a button on the device itself, or by performing a "cold reboot" - that is, unplugging the power. When the change is confirmed, regardless of the confirmation method, the device will be rebooted!
```
[admin@MikroTik] > system/device-mode/update mode=home
update: please activate by turning power off or pressing reset or mode button in 5m00s
-- [Q quit|D dump|C-z pause]
```
If no power off or button press is performed within the specified time, the mode change is canceled. If another update command is run in parallel, both will be canceled.
There are several EOL products which do not "confirm" mode changes with a reset button press. These routers can confirm mode change only with a power cycle.
The following commands are available in the system/device-mode/ menu:
| Property | Description |
|---|---|
| get | Returns a value that you can assign to a variable or print on the screen. |
| print | Shows the active mode and its properties. |
| update | Applies changes to the specified properties, see below. |
Available device-mode modes
There are three device modes available for configuration (mode=advanced is the default); each mode has a subset of features that are not allowed while it is in use. Note that there is no mode which has all features enabled: certain features must be enabled explicitly even in "advanced" mode. See the section "Feature clarification" for more details about what each option means. As the table below shows, the "traffic-gen, container, partitions, bootloader" features are always disabled unless specifically enabled by the admin user.
| Mode | Description of disabled features |
|---|---|
| advanced (default) | traffic-gen, container, partitions, bootloader |
| basic | traffic-gen, container, partitions, bootloader, downgrade, bandwidth-test, zerotier, hotspot, proxy, socks |
| home | traffic-gen, container, partitions, bootloader, downgrade, bandwidth-test, zerotier, hotspot, proxy, socks, sniffer, romon, email, scheduler, fetch |
List of available properties
| Property | Description |
|---|---|
| container, fetch, scheduler, traffic-gen, ipsec, pptp, smb, l2tp, proxy, sniffer, zerotier, bandwidth-test, email, hotspot, romon, socks, partitions, downgrade, bootloader (yes \| no; Default: yes, for advanced mode) | The list of available features which can be controlled with the device-mode option. See the section "Feature clarification" for more details about what each option means. |
| activation-timeout (default: 5m) | The reset button or power-off activation timeout; can be set in the range 00:00:10 .. 1d00:00:00. If the reset button is not pressed (or a cold reboot is not performed) during this interval, the update is canceled. |
| flagging-enabled (yes \| no; Default: yes) | Enable or disable the flagged status. See below for a detailed description. |
| flagged (yes \| no; Default: no) | RouterOS employs various mechanisms to detect tampering with its system files. If the system has detected unauthorized access to RouterOS, the status "flagged" is set to yes. If "flagged" is set to yes, for your safety, certain limitations are put in place. See the chapter below for more information. |
| mode (basic, home, advanced; default: advanced) | Allows choosing from the available modes that limit device functionality. By default, advanced mode allows all options except container, traffic-gen, partitions, downgrade, bootloader; to use these features, you need to turn them on by performing a device-mode update. By default, home mode disables the following features: scheduler, socks, fetch, bandwidth-test, traffic-gen, sniffer, romon, proxy, hotspot, email, zerotier, container. |
More specific control over the available features is possible. Each of the features controlled by device-mode can be specifically turned on or off.
For instance, disabling scheduler prevents any action in the system scheduler menu. The selected device-mode disables all of its listed features; if, for example, mode=home is in use but zerotier is required for your setup, you must run /system device-mode update zerotier=yes and confirm it with physical access to the device (press the button or cut the power).
Note that a disabled downgrade feature does not allow running the /system package downgrade command, but you can still switch between RouterOS release channels (stable, testing, etc.) and change RouterOS versions that way.
```
[admin@MikroTik] > system/device-mode/update mode=home email=yes
[admin@MikroTik] > system/device-mode/update mode=advanced zerotier=no
```
If the update command specifies the mode parameter, the update replaces the entire device-mode configuration. In this case, all "per-feature" settings are lost, except those specified with the same command. For instance:
```
[admin@MikroTik] > system/device-mode/update mode=home email=yes fetch=yes
[admin@MikroTik] > system/device-mode/print
  mode: home
  fetch: yes
  email: yes
[admin@MikroTik] > system/device-mode/update mode=advanced sniffer=no
-- reboot --
[admin@MikroTik] > system/device-mode/print
  mode: advanced
  sniffer: no
```
We see that fetch=yes and email=yes are missing, as they were overridden by the mode change. However, specifying only "per-feature" settings changes only those:
```
[admin@MikroTik] > system/device-mode/update hotspot=no
-- reboot --
[admin@MikroTik] > system/device-mode/print
  mode: advanced
  sniffer: no
  hotspot: no
```
If the feature is disabled, an error message is displayed for interactive commands:
```
[admin@MikroTik] > system/device-mode/print
  mode: advanced
  sniffer: no
  hotspot: no
[admin@MikroTik] > tool/sniffer/quick
failure: not allowed by device-mode
```
However, it is still possible to add configuration for a disabled feature; the entry is created inactive, with a comment stating that the device-mode disables it:
```
[admin@MikroTik] > ip hotspot/add interface=ether1
[admin@MikroTik] > ip hotspot/print
Flags: X, S - HTTPS
Columns: NAME, INTERFACE, PROFILE, IDLE-TIMEOUT
#   NAME      INTERFACE  PROFILE  IDLE-TIMEOUT
;;; inactivated, not allowed by device-mode
0 X hotspot1  ether1     default  5m
```
Feature clarification
| Feature | Clarification of which menus become unavailable |
|---|---|
| bandwidth-test | tool bandwidth-test; tool bandwidth-server |
| bootloader | system routerboard settings |
| container | all container functionality |
| downgrade | system package downgrade. The RouterOS downgrade command "/system package downgrade" becomes unavailable; you can still switch the upgrade channel to one with an older version and issue the upgrade command to downgrade that way, limited to the version available in the selected channel. |
| email | tool e-mail |
| fetch | tool fetch |
| file | operations with files in the file menu |
| hotspot | ip hotspot |
| ipsec | ip ipsec |
| l2tp | interface l2tp-server; interface l2tp-client |
| partitions | Switching the active partition is not allowed. If the router is unable to boot, it can still boot into another partition (no restriction on crash recovery), and you can still repartition the disk into more partitions (no restriction on repartitioning). |
| pptp | interface pptp-server; interface pptp-client |
| proxy | ip proxy |
| romon | tool romon |
| scheduler | system scheduler |
| smb | ip smb |
| sniffer | tool sniffer |
| socks | ip socks |
| traffic-gen | tool traffic-generator |
| zerotier | zerotier |
Flagged status
Along with the device-mode feature, RouterOS can now analyze the whole configuration at system startup to determine whether there are any signs of unauthorized access to your router. If suspicious configuration is detected, it is disabled and the flagged parameter is set to "yes". The device is then in the flagged state and enforces certain limitations.
```
[admin@MikroTik] > system/device-mode/print
  mode: advanced
  flagged: yes
  sniffer: no
  hotspot: no
```
If the system has this flagged status, the current configuration works, but it is not possible to perform the following actions:
bandwidth-test, traffic-generator, sniffer, as well as configuration actions that enable or create new configuration entries (it will still be possible to disable or delete them) for the following programs: system scheduler, SOCKS proxy, pptp, l2tp, ipsec, proxy, smb.
When performing the aforementioned actions while the router has the flagged state, you will receive an error message:
```
[admin@MikroTik] > /tool sniffer/quick
failure: configuration flagged, check all router configuration for unauthorized changes and update device-mode
[admin@MikroTik] > /int l2tp-client/add connect-to=1.1.1.1 user=user
failure: configuration flagged, check all router configuration for unauthorized changes and update device-mode
```
To exit the flagged state, you must run the command "/system/device-mode/update flagged=no". The system will ask you to either press a button or perform a hard reboot (cut the power physically, or hard-reboot the virtual machine).
Important! Although the system has disabled any malicious looking rules, which triggered the flagged state, it is crucial to inspect all of your configuration for other unknown things, before exiting the flagged state. If your system has been flagged, assume that your system has been compromised and do a full audit of all settings before re-enabling the system for use. After completing the audit, change all the system passwords and upgrade to the latest RouterOS version.
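The mode table above, the replace-versus-merge behaviour of `update`, and the flagged check can be modelled in a few lines, which is useful when auditing many routers from a central host. The following Python is an added example, not MikroTik's code and not a RouterOS API: it transcribes the mode table from this page, models `update` as a dictionary operation, and parses constructed `system/device-mode/print` output to raise audit findings. The rule that every `feature: yes|no` line in the print output is an explicit override (and that features not printed follow the mode default) is an assumption of this example.

```python
"""Model RouterOS device-mode state and audit `system/device-mode/print` output.

Added example, not MikroTik's code. The mode table is transcribed from the
device-mode documentation; treating each printed `feature: yes|no` line as an
explicit override (absent features follow the mode default) is an assumption.
"""
from __future__ import annotations

# Features that each mode disables by default (documentation table).
MODE_DEFAULT_DISABLED: dict[str, frozenset[str]] = {
    "advanced": frozenset({"traffic-gen", "container", "partitions", "bootloader"}),
}
MODE_DEFAULT_DISABLED["basic"] = MODE_DEFAULT_DISABLED["advanced"] | {
    "downgrade", "bandwidth-test", "zerotier", "hotspot", "proxy", "socks"}
MODE_DEFAULT_DISABLED["home"] = MODE_DEFAULT_DISABLED["basic"] | {
    "sniffer", "romon", "email", "scheduler", "fetch"}

# Every feature that device-mode can control (property list).
FEATURES = frozenset({
    "container", "fetch", "scheduler", "traffic-gen", "ipsec", "pptp", "smb", "l2tp",
    "proxy", "sniffer", "zerotier", "bandwidth-test", "email", "hotspot", "romon",
    "socks", "partitions", "downgrade", "bootloader",
})


def apply_update(current: dict[str, str], params: dict[str, str]) -> dict[str, str]:
    """Model `system/device-mode/update` (without the reboot/confirmation step).

    If `mode` is among the parameters, the whole per-feature configuration is
    replaced by the parameters given; otherwise only the named features change.
    """
    unknown = set(params) - FEATURES - {"mode"}
    if unknown:
        raise ValueError(f"unknown device-mode parameters: {sorted(unknown)}")
    if "mode" in params:
        if params["mode"] not in MODE_DEFAULT_DISABLED:
            raise ValueError(f"unknown mode: {params['mode']}")
        return dict(params)          # mode given: everything else is dropped
    merged = dict(current)
    merged.update(params)            # per-feature only: merge into current state
    return merged


def effective_disabled(config: dict[str, str]) -> set[str]:
    """Features actually blocked: mode defaults, then explicit yes/no overrides."""
    mode = config.get("mode", "advanced")
    disabled = set(MODE_DEFAULT_DISABLED[mode])
    for feature in FEATURES:
        setting = config.get(feature)
        if setting == "yes":
            disabled.discard(feature)
        elif setting == "no":
            disabled.add(feature)
    return disabled


def parse_print(output: str) -> dict[str, str]:
    """Parse the `key: value` lines of `system/device-mode/print`, skipping prompts."""
    config: dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("[admin@") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        config[key.strip()] = value.strip()
    return config


def audit(output: str, expected_mode: str, must_stay_disabled: set[str]) -> list[str]:
    """Return the findings a fleet-wide check would raise for one router's report."""
    config = parse_print(output)
    findings: list[str] = []
    if config.get("flagged") == "yes":
        findings.append("router is flagged: audit the full configuration before clearing")
    mode = config.get("mode", "advanced")
    if mode != expected_mode:
        findings.append(f"mode is {mode!r}, expected {expected_mode!r}")
    for feature in sorted(must_stay_disabled - effective_disabled(config)):
        findings.append(f"feature enabled against policy: {feature}")
    return findings


# Constructed sample: the print output the documentation shows for a flagged router.
FLAGGED_SAMPLE = """\
[admin@MikroTik] > system/device-mode/print
  mode: advanced
  flagged: yes
  sniffer: no
  hotspot: no
"""

if __name__ == "__main__":
    # Replace-versus-merge semantics from the documentation example.
    cfg = apply_update({}, {"mode": "home", "email": "yes", "fetch": "yes"})
    cfg = apply_update(cfg, {"mode": "advanced", "sniffer": "no"})  # fetch/email dropped
    cfg = apply_update(cfg, {"hotspot": "no"})                       # merge only
    print(cfg, sorted(effective_disabled(cfg)))
    for finding in audit(FLAGGED_SAMPLE, "advanced", {"container", "traffic-gen"}):
        print("finding:", finding)
```

In practice `FLAGGED_SAMPLE` would be replaced by the text captured from each router over SSH; the policy set passed to `audit` is where an operator encodes which features (container, traffic-gen, and so on) must never be re-enabled on production devices.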