The device-mode is a feature which sets specific limitations on a device, or limits access to specific configuration options.
There are two available modes: enterprise and home. By default, all devices use the mode enterprise, which allows all functionality except container. The home mode disables the following features: scheduler, socks, fetch, bandwidth-test, traffic-gen, sniffer, romon, proxy, hotspot, email, zerotier, container.
```
[admin@MikroTik] > system/device-mode/print
mode: enterprise
```
The device mode can be changed by the user, but remote access to the device is not enough to change it. After changing the device-mode, you need to confirm it by pressing a button on the device itself, or perform a "cold reboot", that is, unplug the power.
```
[admin@MikroTik] > system/device-mode/update mode=home
update: please activate by turning power off or pressing reset or mode button
in 5m00s -- [Q quit|D dump|C-z pause]
```
If no power off or button press is performed within the specified time, the mode change is canceled. If another update command is run in parallel, both will be canceled.
The following commands are available in the system/device-mode/ menu:
Property | Description |
---|---|
get | Returns a value that you can assign to a variable or print on the screen. |
print | Shows the active mode and its properties. |
update | Applies changes to the specified properties, see below. |
Property | Description |
---|---|
container, fetch, scheduler, traffic-gen, ipsec, pptp, smb, l2tp, proxy, sniffer, zerotier, bandwidth-test, email, hotspot, romon, socks (yes \| no; Default: yes, for enterprise mode) | The list of available features, which can be controlled with the device-mode option. |
activation-timeout (default: 5m) | The reset button or power off activation timeout can be set in the range 00:00:10 .. 1d00:00:00. If the reset button is not pressed (or a cold reboot is not performed) during this interval, the update will be canceled. |
flagging-enabled (yes \| no; Default: yes) | Enable or disable the flagged status. See below for a detailed description. |
flagged (yes \| no; Default: no) | RouterOS employs various mechanisms to detect tampering with its system files. If the system has detected unauthorized access to RouterOS, the status "flagged" is set to yes. If "flagged" is set to yes, for your safety, certain limitations are put in place. See the chapter below for more information. |
mode (home, enterprise; default: enterprise) | Allows choosing from available modes that will limit device functionality. In the future, various modes could be added. By default, enterprise mode allows all options except container, so to use the container feature you will need to turn it on by performing a device-mode update. By default, home mode disables the following features: scheduler, socks, fetch, bandwidth-test, traffic-gen, sniffer, romon, proxy, hotspot, email, zerotier, container. |
More specific control over the available features is possible. Each of the features controlled by device-mode can be specifically turned on or off, for example:
```
[admin@MikroTik] > system/device-mode/update mode=home email=yes
[admin@MikroTik] > system/device-mode/update mode=enterprise zerotier=no
```
If the update command specifies any of the mode parameters, this update replaces the entire device-mode configuration. In this case, all "per-feature" settings will be lost, except those specified with this command. For instance:
```
[admin@MikroTik] > system/device-mode/update mode=home email=yes fetch=yes
[admin@MikroTik] > system/device-mode/print
mode: home
fetch: yes
email: yes
[admin@MikroTik] > system/device-mode/update mode=enterprise sniffer=no
-- reboot --
[admin@MikroTik] > system/device-mode/print
mode: enterprise
sniffer: no
```
We see that fetch=yes and email=yes are missing, as they were overridden by the mode change. However, specifying only "per-feature" settings will change only those:
```
[admin@MikroTik] > system/device-mode/update hotspot=no
-- reboot --
[admin@MikroTik] > system/device-mode/print
mode: enterprise
sniffer: no
hotspot: no
```
If the feature is disabled, an error message is displayed for interactive commands:
```
[admin@MikroTik] > system/device-mode/print
mode: enterprise
sniffer: no
hotspot: no
[admin@MikroTik] > tool/sniffer/quick
failure: not allowed by device-mode
```
However, it is possible to add configuration to a disabled feature, but there will be a comment showing that the feature is disabled by the device-mode:
```
[admin@MikroTik] > ip hotspot/add interface=ether1
[admin@MikroTik] > ip hotspot/print
Flags: X, S - HTTPS
Columns: NAME, INTERFACE, PROFILE, IDLE-TIMEOUT
#   NAME      INTERFACE  PROFILE  IDLE-TIMEOUT
;;; inactivated, not allowed by device-mode
0 X hotspot1  ether1     default  5m
```
Along with the device-mode feature, RouterOS now can analyze the whole configuration at system startup, to determine if there are any signs of unauthorized access to your router. If suspicious configuration is detected, the suspicious configuration will be disabled and the flagged parameter will be set to "yes". The device is then in a Flagged state and enforces certain limitations.
```
[admin@MikroTik] > system/device-mode/print
mode: enterprise
flagged: yes
sniffer: no
hotspot: no
```
If the system has this flagged status, the current configuration works, but it is not possible to perform the following actions: bandwidth-test, traffic-generator, sniffer, as well as configuration actions that enable or create new configuration entries (it will still be possible to disable or delete them) for the following programs: system scheduler, SOCKS proxy, pptp, l2tp, ipsec, proxy, smb.
When performing the aforementioned actions while the router has the flagged state, you will receive an error message:
```
[admin@MikroTik] > /tool sniffer/quick
failure: configuration flagged, check all router configuration for unauthorized changes and update device-mode
[admin@MikroTik] > /int l2tp-client/add connect-to=1.1.1.1 user=user
failure: configuration flagged, check all router configuration for unauthorized changes and update device-mode
```
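The two behaviours documented above, that an update naming mode= replaces the whole device-mode configuration while a per-feature-only update merges into it, and that a disabled feature or a flagged router refuses certain commands, are easy to get wrong when scripting device-mode changes. The following Python model is an added example, not MikroTik code (RouterOS exposes no such Python API); the class and method names, the "run"/"create"/"delete" action vocabulary of `check()`, and the assumption that the device-mode refusal is reported before the flagged refusal are all mine. The mode defaults, feature names, restricted-program lists and failure messages are taken from this page, and activation (button press or cold reboot) is assumed to have been completed after each update.

```python
"""Model of RouterOS device-mode update and enforcement semantics (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Per-feature properties listed on the page, in print order.
FEATURES = (
    "container", "fetch", "scheduler", "traffic-gen", "ipsec", "pptp", "smb",
    "l2tp", "proxy", "sniffer", "zerotier", "bandwidth-test", "email",
    "hotspot", "romon", "socks",
)

# Features each mode disables unless a per-feature override says otherwise.
MODE_DISABLED = {
    "enterprise": frozenset({"container"}),
    "home": frozenset({"scheduler", "socks", "fetch", "bandwidth-test", "traffic-gen",
                       "sniffer", "romon", "proxy", "hotspot", "email", "zerotier",
                       "container"}),
}

# Flagged state: these tools are refused outright ...
FLAGGED_BLOCKED = frozenset({"bandwidth-test", "traffic-gen", "sniffer"})
# ... and for these programs only enable/create is refused (disable/delete still works).
FLAGGED_NO_CREATE = frozenset({"scheduler", "socks", "pptp", "l2tp", "ipsec", "proxy", "smb"})

DISABLED_MSG = "not allowed by device-mode"
FLAGGED_MSG = ("configuration flagged, check all router configuration "
               "for unauthorized changes and update device-mode")


@dataclass
class DeviceMode:
    mode: str = "enterprise"
    overrides: dict = field(default_factory=dict)  # feature -> True (yes) / False (no)
    flagged: bool = False

    def update(self, settings: dict) -> None:
        """Apply /system/device-mode/update with the given property=value pairs."""
        settings = dict(settings)
        if "flagged" in settings:
            self.flagged = bool(settings.pop("flagged"))
        if "mode" in settings:
            mode = settings.pop("mode")
            if mode not in MODE_DISABLED:
                raise ValueError(f"unknown mode: {mode}")
            # Naming mode= replaces the entire configuration: earlier
            # per-feature settings are lost unless repeated in this command.
            self.mode = mode
            self.overrides = {}
        for name, value in settings.items():
            if name not in FEATURES:
                raise ValueError(f"unknown device-mode property: {name}")
            self.overrides[name] = bool(value)  # per-feature settings merge

    def show(self) -> dict:
        """Mimic /system/device-mode/print: mode, flagged (when yes), then overrides."""
        out = {"mode": self.mode}
        if self.flagged:
            out["flagged"] = "yes"
        for name in FEATURES:
            if name in self.overrides:
                out[name] = "yes" if self.overrides[name] else "no"
        return out

    def enabled(self, feature: str) -> bool:
        """Effective availability: explicit override wins, else the mode default."""
        if feature in self.overrides:
            return self.overrides[feature]
        return feature not in MODE_DISABLED[self.mode]

    def check(self, feature: str, action: str = "run") -> Optional[str]:
        """Return the failure text a command would produce, or None if it is allowed.

        action: "run" for an interactive tool, "create" for add/enable, "delete" for
        disable/remove. Ordering of the two refusals is an assumption of this model.
        """
        if not self.enabled(feature):
            return DISABLED_MSG
        if self.flagged and (feature in FLAGGED_BLOCKED
                             or (feature in FLAGGED_NO_CREATE and action == "create")):
            return FLAGGED_MSG
        return None


if __name__ == "__main__":
    dm = DeviceMode()
    dm.update({"mode": "home", "email": True, "fetch": True})
    print(dm.show())                       # mode home with fetch/email overrides
    dm.update({"mode": "enterprise", "sniffer": False})
    print(dm.show())                       # fetch/email overrides are gone
    dm.update({"hotspot": False})
    print(dm.show())                       # per-feature update merged
    print(dm.check("sniffer"))             # refused by device-mode
    dm.update({"flagged": True})
    print(dm.check("l2tp", "create"))      # refused while flagged
```

Replaying the page's own command sequence through `update()` and `show()` reproduces the print output shown above, which makes the model a cheap way to dry-run a device-mode change before committing it on hardware that then needs a physical button press.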
To exit the flagged state, you must perform the command "/system/device-mode/update flagged=no". The system will ask to either press a button, or issue a hard reboot (cut power physically or do a hard reboot of the virtual machine).
Important! Although the system has disabled any malicious-looking rules which triggered the flagged state, it is crucial to inspect all of your configuration for other unknown things before exiting the flagged state. If your system has been flagged, assume that your system has been compromised and do a full audit of all settings before re-enabling the system for use. After completing the audit, change all the system passwords and upgrade to the latest RouterOS version.