Our literature tells us these devices are configured and ready to go out the box.

Can you tell us about the security behind the bridging technology please - ours are paired and working.

However we'd like to know more about the technology that pairs the devices - and the fact its safe to plug and go without configuring the links securing technology

The devices are secured out of box

The OP asked what type of security is used which unfortunately isn't stated in the product description. Presumably, the wireless encryption is performed with some kind of AES-GCM/WPA3, but to be sure drop an email to sales@mikrotik.com.

EDIT: feel free to ask the Mikrotik sales team to update the product page with this info.

There doesn't appear to be any support on these devices???

I've emailed the distributor - I emailed sales - and they just sent a canned and useless response.

I need a written reply

Well, access the one (or the other, or both) devices and check It should be something like:
So, wpa2-psk.

I was going to say it used wap2, or at least what older cubes use.

Also, then information printed on the sticker is stored by Mikrotik and available to distributors AFAIK. So that includes the SSID password. While likely low risk, if the manufacturing database of the stickers was ever compromised, that be really bad.

So I get these may be part of a plug-and-play kit ... but it's likely best to change the passwords. Both the admin login and SSID password.

Well, access the one (or the other, or both) devices and check

Code: Select all

 /interface wireless security-profiles

It should be something like:

Code: Select all

set [ find default=yes ] authentication-types=wpa2-psk comment=defconf \
    disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik \
    wpa2-pre-shared-key=xxxx-yyyy

So, wpa2-psk.

thats only the 5ghz side. on the 60ghz you select a password only.

Sure, but the password is the same as the wpa2-pre-shared-key.

It would make IMHO little sense to use a different security method for the 60 and the 5 GHz connection.

In any case, an attacker capable of breaking the wpa2-psk on the 5 GHz would have the password for the 60 GHz link or - at the most - would need to put a highly sophisticated shielding device[1] in the line of sight of the devices to force them on 5 Ghz backup connection.

If the OP requirements are either WPA2-Enterprise or WPA3, they are not there.




[1] likely a piece of cardboard would do

As the new 60Pro AC implements 802.11ay it should support AES-GCM or WPA3.

Besides what the device can support, it has to be seen how it is pre-configured in factory, we have a report one week old about a pair Wireless Wire CubeG-5ac60aypair that have that wpa2-psk setup.

So, even if possible, it is not pre-set, in the kit.

Maybe if you get single devices, the quick setup (or whatever) offers an option to change the security protocol, but more likely it needs to be done manually.

When connecting the devices - we've changed the admin passwords - which are on the box.
We're also presented an option to change the Wi-Fi key -
We are not Microtik certified - however we chose a very long string - we could get mental with it - but we assume this isn't the binding technology.

We are experienced network / virt engineers but RouterOS is totally new to us.

Pre-configured is a go ?

Likely got this part: but there are two password for the Wi-Fi – one for the 5Ghz and 60Ghz. So need to change both. But other than that should be good to go.

Also they use "auto" frequency for 5Ghz by default. Default config creates an active-backup bond, with 60G and 5Ghz interface in it. But even if 5Ghz is backup, it's possible you might want to select a channel if there is a lot of interference in your area. Interfere at 5Ghz is slightly less of a concern here since distance cannot exceed the 60G range, but something to consider. There is a scan button that might help pick one, but no SpecA.

We are experienced network / virt engineers but RouterOS is totally new to us.

You'll do fine. RouterOS it's more of an erector set of the various protocols/interface/etc. & all devices have same software features. e.g. If you wanted turn the Cube60ACs into a pair of VRRP-enabled routers running OSPF for a LAN, they'd work (but limited in capacity) and config be same as on a bigger router. Not saying to do that but that's how RouterOS works.

One thing Mikrotik-specific to note is the winbox app allows Layer2 access to routers via MAC address. That can be helpful to get into these Cube when bridging since the default IP are likely in a different subnet.

OT, but not much, translation from US to EU (if needed) Erector=Meccano
https://en.wikipedia.org/wiki/Meccano

Hi,

The initial setup option just gave one line for the wi-fi password. We changed that and the admin.

If the pre-config requires more indepth config - then I'd suggest its not pre-config'd

Super Unique Random - if you get my drift.

LOL. Fair enough... And I believe out-of-box they do work .

Now I'd like to think QuickSet updates both password, not sure, never tried that... But simplicity and easy-of-use are not Mikrotik strong point (flexible, yes), so these new user wizards often cause more problems.

But also depending on use case, you may need to enable SNMP (for monitoring), add /system/identity (so LLDP/CDP know what it is), disable unused services under /ip/services (e.g. you likely don't need ftp telnet etc running), etc. etc., especially if part of a larger network. None of that effect the core wireless bridging, but still hygiene.

I've since heard from disty.

Basic config is sufficient with passwords as described