In MikroTik RouterOS, the “Device mode” is presented as a key feature that sets specific limitations on a device or restricts access to specific configuration options.
This article explores in detail what “Device mode” is, its available modes, and how this function contributes to security and customization on MikroTik devices.
Available Modes: Enterprise and Home
MikroTik RouterOS offers two main modes: “enterprise” and “home”.
By default, all devices use the “enterprise” mode, which allows all functionalities, except “container”.
The “home” mode disables features such as scheduler, socks, fetch, bandwidth testing, traffic generation, sniffer, romon, proxy, hotspot, email, zerotier and container.
[admin@MikroTik] > system/device-mode/print
mode: enterprise
Device Mode Changes
The user can change the “Device mode”, but remote access is not enough to perform this action.
After changing the mode, it must be confirmed by pressing a button on the device or performing a “cold reset” (disconnect the power).
[admin@MikroTik] > system/device-mode/update mode=home
update: please activate by turning power off or pressing reset or mode button
in 5m00s
-- [Q quit|D dump|Cz pause]
If a shutdown or button press is not performed within the specified time, the mode change is canceled. If update commands are executed in parallel, both will be cancelled.
Properties and Settings
The available properties include options such as “container”, “fetch”, “scheduler”, “traffic-gen”, “ipsec”, “pptp”, among others.
The “activation-timeout” property sets how long you have to press the reset button or power off the device to confirm the change.
You can also enable or disable the “flagged” state that indicates a possible intrusion.
[admin@MikroTik] > system/device-mode/print
mode: enterprise
flagged: yes
sniffer: no
hotspot: no
Peripheral Changes
Specific changes can be made for each feature controlled by device-mode. For example, change to “home” mode and enable email:
[admin@MikroTik] > system/device-mode/update mode=home email=yes
“Flagged” status
RouterOS scans the configuration at startup to detect intrusions. If a suspicious configuration is detected, it is disabled and set to a “flagged” state.
This imposes limitations, and certain actions, such as bandwidth testing or traffic generation, are not allowed.
[admin@MikroTik] > system/device-mode/print
mode: enterprise
flagged: yes
sniffer: no
hotspot: no
To exit the “flagged” state, use the command “/system/device-mode/update flagged=no”. It is crucial to audit the configuration before exiting the flagged state to ensure system integrity.
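One way to triage devices before clearing the flag is to collect the “system/device-mode/print” output from each router and check it offline. The script below is an added example, not MikroTik's or the article's own code; the hostnames, the captured outputs and the MUST_BE_OFF policy are constructed assumptions.

```python
# Added example: audit captured `system/device-mode/print` output.
# Hostnames, captures and the policy below are constructed for illustration.

# Hypothetical site policy: features that should never report "yes".
MUST_BE_OFF = ("sniffer", "hotspot", "container", "traffic-gen")

def parse_device_mode(text):
    """Turn 'key: value' lines of device-mode print output into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks and the echoed prompt/command line.
        if not line or line.startswith("[") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        props[key.strip().lower()] = value.strip().lower()
    return props

def audit(text, must_be_off=MUST_BE_OFF):
    """Return a list of findings for one device; an empty list means clean."""
    props = parse_device_mode(text)
    findings = []
    if "mode" not in props:
        findings.append("no mode reported: capture is incomplete")
    if props.get("flagged") == "yes":
        findings.append("flagged=yes: audit configuration before update flagged=no")
    # Only an explicit "yes" is reported; properties absent from the capture are ignored.
    findings += [f"{f} is enabled" for f in must_be_off if props.get(f) == "yes"]
    return findings

# Constructed captures, one per (hypothetical) router.
SAMPLES = {
    "edge-01": "[admin@MikroTik] > system/device-mode/print\n"
               "mode: enterprise\nflagged: yes\nsniffer: no\nhotspot: no",
    "branch-02": "mode: home\nflagged: no\nemail: yes\nsniffer: no",
    "lab-03": "     mode: enterprise\n  flagged: no\n  sniffer: yes\n  hotspot: no",
}

def audit_fleet(samples=SAMPLES):
    """Map each host to its list of findings."""
    return {host: audit(text) for host, text in samples.items()}

if __name__ == "__main__":
    for host, findings in audit_fleet().items():
        print(host, "OK" if not findings else "; ".join(findings))
```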
Conclusion
The “Device-mode” in MikroTik RouterOS provides an additional layer of security and customization, allowing network administrators to set specific limitations and detect intrusions.
By understanding how it works and how to apply specific settings, users can strengthen the security of their MikroTik devices and maintain finer control over enabled features.