Would anyone...
who regularly reads here, admit to owning a MikroTik router?
If you haven't installed a batch of patches for bugs in your MikroTik routers – and two thirds of owners apparently haven't – then stiffen the sinews and summon up the blood: you really need to update your firmware. The vulnerabilities, which were addressed by the manufacturer way back in August in software updates, can lead …
Plenty of people, I would imagine. A lot of smaller WISPs around the world use almost exclusively MikroTik kit. The real WTF is people leaving the admin interface open to the internet in the first place. Any competent admin would at least use a VPN to administer them or at the very least restrict with ACLs.
Yup. I've got a bunch of them around the place.
The only one I have actually directly connected to the internet is regularly updated and has pretty minimal functionality enabled. The others are blocked by firewalls except when I'm updating them.
That being said, they are very nice flexible cheap little boxes.
I have. I bought it in 2012 as it was, at that time, the only sensibly priced router that would give me IPv6. I have not had any problems with it, a few small bugs but nothing really bad. It is highly configurable but not for a novice user -- e.g. you need to have an idea of how Linux iptables works.
However: usual story, I can't get any updates, they were available for a couple of years and then ... zilch, nada. As with most hardware vendors they rapidly lose interest and expect you to buy a new box.
A new one would cost me some £40-£70ish, but then you add in:
* time to work out what new model I need
* time to configure the thing (IPv4 & IPv6 filtering, forwarding, etc)
I have another firewall on my main (Linux) desktop - so potential damage would largely be stealing bandwidth.
who regularly reads here, admit to owning a MikroTik router?
Yes!
The Mikrotik CCR1036-8G-2S+ is a rackmount box with 8 x 1G and 2 x 10G ports, and costs under £1K, with no charge for software upgrades or for turning on features.
A Cisco 4431 will cost you upwards of £5K once you've paid for the "performance licence" to unlock it from 500M to 1G. Plus you pay software maintenance every year on top of that.
If you want 10G ports in a Cisco you're talking at least an ASR1001-X at £12K+ (and that is locked to 2.5Gbps until you pay more).
There are a few foibles in RouterOS, but equally there are some very nice aspects to it as well. Cisco are just having a laugh with their 1990s pricing.
Going on for 5 years now after the makers of the old consumer gear we had stopped providing updates. I don't rely solely on the e-mail reminders to let me know updates are available, but check manually every week. It could be scripted (everything is scriptable with ROS, unlike the consumer stuff). Can't imagine why anyone would remove the default rules that will defeat most exploits (my own rule mods tighten security). After thinking a lot about it I confined admin access to ssh, but recently turned webfig back on, https only (Let's Encrypt is a wonderful thing). These Mikrotiks have served us well over the years, and should continue to do so for years to come.
>Would anyone... who regularly reads here, admit to owning a MikroTik router?
I did in the thousands for a business and I personally have 10-20 devices at home for testing & whatever (e.g. true 500Gbps duplex radio bridge).
ROI for suitable applications was excellent in comparison with big vendors.
This company only employs 150 people and their equipment can be found operating in most places on Earth (and in the air).
I don't know if it is any use, but it is possible to load OpenWrt on many MikroTik routers.
OpenWrt Table of (supported) Hardware: MikroTik
OpenWrt: Common Procedures for Mikrotik RouterBoard Products
So it might be possible to load OpenWrt if you can't get an updated MikroTik image for an old model. Obviously, I can't tell you if OpenWrt is suitable for your needs. Caveat Emptor and all that.
The default config firewalls off the management services from external interfaces; you need to remove these rules to be vulnerable.
Cisco IOS has 16 CVEs listed this year, 212 since 2012.
Cisco IOS-XE has 19 CVEs this year, 140 since 2012.
Cisco charge for updates unless you find the right article, log a case, quote the ref and wait to see if they agree, then log in with a password to an FTP site to download the update with a 2 day window, then apply to your router.
Mikrotik send you an email when there's an update, you log in to your router/switch/AP, press the check for updates button, if there is, click download and install, the router reboots and a minute later you're good to go.
I have several RB1000 from 2008 (10 years old) that cost $650ea and are still running the hardware VPN acceleration. The RB1000 does 400,000PPS or 3.2Gbps duplex headline and about 200,000pps with full ethernet frames, they're still getting free software updates, so I don't know why Alain Williams has issues.
Compare a Cisco refurb 7206 npe-400 2 fast ethernet Jan 2012 list $10,650 (only price I can find, was EOL'd in 2008, but still widely used (BT used to put them at the end of a 100Mbps circuit)), one-off software around $600-700 a pop, and even with gig ethernet ports it still only does about 200Mbps.
I make that better pricing, better/cheaper updates and support and better performance.