All fair points. I was thinking that if NetInstall w/config truly worked, I'd have a shot. Notwithstanding the burden of having to do a NetInstall w/config on every CPE router deployed, the rest would be fairly lightweight (after the initial work of getting it working).

For example, the "new default config" (which was Netinstalled) would have many of the packages disabled (such as MPLS, Routing, Hotspot, etc.) and a script that runs every few minutes. Something like: check for the existence of a file that matched, say, ether1 MAC or the license key or something unique to that router. If it didn't exist (i.e. it was defaulted), go download that file name from a known URL using fetch and then run that file. In it would be that router's specific config (WiFi SSIDs/passphrases, or PPPoE user or whatever). Ideally, the router would check for changes to its config at some regular interval, so we could also use it to push out additional changes the customer wanted or the instruction to go download and update to the latest stable RouterOS, then reboot again afterwards to update the firmware. I don't know, it's getting complicated...

For config file management, someone smarter than me could probably whip something out using Python or PHP to manage config files on an HTTP server (that fetch connected to) and handle a fixed number of configurable items (like SSID, etc.). Even doing port forwards this way wouldn't be that difficult to handle.

I suppose an alternative to having the router go pull its config would be to use the API to push it - UNIMUS might be more cost effective/less troublesome in the end.

I kind of like the idea of giving the customer the TikApp. The "Internet Detect" and "Kid Controls" features might be helpful to them. In the end though, I agree that even a stripped down user in the TikApp still has too many knobs - too much room for error. I guess we'd have to really push the "managed" part of it and for them to call us if they wanted a change, which would be trivial for us to accomplish.

Jesse DuPont

Owner / Network Architect
email: jesse.dup...@celeritycorp.net
Celerity Networks LLC / Celerity Broadband LLC
Like us! facebook.com/celeritynetworksllc

Like us! facebook.com/celeritybroadband
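
The per-router config file described in the message above (a file named for the router's ether1 MAC, built from a fixed set of configurable items), sketched server-side as an added example that is not part of the original thread. Because the router runs whatever it fetches, every value is checked against an allowlist before it is written into the script. The function names, the RouterOS v6 command syntax, `wlan1`/`ether1` and the 192.168.88.0/24 LAN are assumptions.

```python
import ipaddress
import re

# Hypothetical names throughout; RouterOS v6 syntax and interface names are assumed.
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
# Allowlists exclude " \ $ [ ] ; and newlines, so a value can never close the
# quoted RouterOS string or start a second command.
SSID_RE = re.compile(r"[A-Za-z0-9 _.-]{1,32}")
PSK_RE = re.compile(r"[A-Za-z0-9!%*+,.:=@^_~-]{8,63}")
LAN = ipaddress.ip_network("192.168.88.0/24")
ALLOWED_KEYS = {"ssid", "psk", "forwards"}


def config_filename(mac):
    """Map the ether1 MAC to a flat file name; rejects anything path-like."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError("bad MAC")
    return mac.replace(":", "").upper() + ".rsc"


def _port(value):
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 65535:
        raise ValueError("bad port")
    return value


def render_config(mac, settings):
    """Return (file name, script text); invalid values raise ValueError."""
    name = config_filename(mac)
    if set(settings) - ALLOWED_KEYS:
        raise ValueError("unknown setting")
    if not SSID_RE.fullmatch(settings["ssid"]) or not PSK_RE.fullmatch(settings["psk"]):
        raise ValueError("bad SSID or passphrase")
    lines = [
        f'/interface wireless set [find default-name=wlan1] ssid="{settings["ssid"]}"',
        '/interface wireless security-profiles set [find default=yes] '
        f'wpa2-pre-shared-key="{settings["psk"]}"',
    ]
    for fwd in settings.get("forwards", []):
        if fwd["proto"] not in ("tcp", "udp"):
            raise ValueError("bad protocol")
        target = ipaddress.ip_address(fwd["to_addr"])  # ValueError if not an IP
        if target not in LAN:
            raise ValueError("forward target outside LAN")
        lines.append(
            "/ip firewall nat add chain=dstnat in-interface=ether1 "
            f"protocol={fwd['proto']} dst-port={_port(fwd['port'])} action=dst-nat "
            f"to-addresses={target} to-ports={_port(fwd['to_port'])}"
        )
    return name, "\n".join(lines) + "\n"
```

Serving the rendered files over HTTPS with certificate checking on the router side keeps the fetched script from being altered in transit.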

 

On 10/24/20 1:20 PM, Adam Moffett wrote:

I think they can't be a true "zero touch" config because the default config on most models has a firewall on ether1 which prevents outside access. 

You'll have to log in once and load a config file, or have a config that you paste into the terminal.  Both methods are pretty fast though.  After that you could use Unimus or similar.  I'd be tempted to disable the reset button.  I don't remember a situation where I actually fixed a Mikrotik issue by resetting to defaults.  I think it's more likely to be used to break the Internet and force a truck roll.

It seems like Netinstall ought to be the way to get your initial config done, but I seem to have issues with it.  I don't remember what my issue was, and I'm sure it was fixable if I really wanted to.  If you get that working reliably for you, then replacing the default config would be a wise choice.

My biggest issue with Mikrotik as a customer prem router is you can't turn over any control to the customer.  I mean, of course, you could give them a login but there are too many knobs there.  They only really need to do port forwards and change their WiFi SSID and WPA2 Key.  The NAT settings are hard for regular people to grasp, and everything else just has so many buttons and menus that they're almost guaranteed to mess something up.  I gave two different customers access to a Mikrotik on their customer prem, and maybe it's just random coincidence, but they both broke things by playing with the "hotspot" menu. 

Where I saw Mikrotik being used as a customer prem router, they were pre-provisioning with a copy+paste script.  They had a customer login set on each one, but they avoided handing it out.  No real mass management in their case.  When one of those remote-access bugs forced updates they just did them onesie-twosie. 


On 10/23/2020 10:08 PM, Jesse Dupont wrote:
I don’t disagree, but I was hoping...

Sent from my iPhone

On Oct 23, 2020, at 6:59 PM, Adam Moffett <dmmoff...@gmail.com> wrote:



This is the path to the dark side. 

On 10/23/2020 7:34 PM, Jesse DuPont wrote:
Question for anyone using Mikrotik routers in customers' homes:

Anyone doing any kind of zero-touch provisioning with them? If so, what method? Unimus? Minim? Something home grown?
Are you doing a NetInstall with an included configuration so they have some kind of baseline config after a default? Just disabling the reset button?
How are you managing them after they're installed? Dude? Something TR-069? Something SNMP?


Jesse DuPont

Owner / Network Architect
email: jesse.dup...@celeritycorp.net
Celerity Networks LLC / Celerity Broadband LLC

--
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com


