Hi, I'd love to see the following features on RouterOS v7 (or even v6):
VSS (Virtual Switching and Stacking): Even though ROS has supported VRRP for years, you need custom scripts to replicate other configuration parameters like DHCP. Connection states should be replicated to allow a transparent failover if the primary device (i.e. RB or CRS3.x) goes down.
ZTP (Zero Touch Provisioning): Wouldn't it be great, especially when deploying new devices remotely, if as soon as they can reach the internet via the default factory config using the DHCP client, the router called a remote system (i.e. IP Cloud), and using the serial number or any other method the remote admin could register that device and use IP Cloud like a proxy to get remote access to the router and load the desired configuration? This concept is similar to Unifi's remote access, which creates something like a secure out-of-band access path without the need to deal with sometimes complex VPN setups.
IPv6 L3 HW offloading on CRS 3.x: I saw this feature recently launched in the recent BETA of ROSv7 for IPv4 and it is great, but IPv6 support should also be added to continue pushing this protocol as mainstream!!
SD-WAN: ROS is very versatile in several areas, and SD-WAN overlays and PBR can be emulated, but this requires a lot of manual configuration. If Mikrotik creates its own SD-WAN algorithm that is simple to use and can be turned on in just a few clicks (aligned with the ZTP approach), with DPBR (Dynamic Policy Based Routing) based on DPI (Deep Packet Inspection) on a nice dashboard, it will be a home run to start taking on the big leagues in the market.
UTM features: Even though Mikrotik has a good IPTables-based firewall, the lack of additional security features such as IDS/IPS, AMP (Anti Malware Protection) and others (similar to what pfSense offers) keeps ROS from being a very compelling story that integrates network and security.
I would love to see these features implemented in the new ROS code, as I am a big fan of it and I want it to compete better with some bigger leagues, including but not limited to Cisco, as an example!!
MikroTik is already working on stacking; I've talked with them at length about the need for this at the MUMs. The last I heard, MikroTik was using a standards-based protocol to implement a redundant switching control plane, but I don't remember which one.
The tools to do ZTP are there if you put a little time in on scripting or Ansible. API, SSH or TR-069 can all be used to take a stock MikroTik and have it receive a config when plugged in.
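A minimal call-home script of the kind the first post asks for and the reply above says is already scriptable, added here as an example and not code from the thread. It assumes a hypothetical provisioning host provision.example.com that serves one `<serial>.rsc` file per registered device over HTTPS, and that the CA certificate for that host has already been imported on the router.

```routeros
# Added example (not from the thread): call-home ZTP for RouterOS v7.
# Assumed: provision.example.com serves https://.../config/<serial>.rsc for
# registered devices, and the router reaches it via the factory DHCP client.
/system script add name=ztp-callhome source={
    :local serial [/system routerboard get serial-number]
    :local url ("https://provision.example.com/config/" . $serial . ".rsc")
    # Refuse any server whose certificate does not chain to an imported CA,
    # so a rogue host on the path cannot hand the router a configuration
    /tool fetch url=$url mode=https check-certificate=yes dst-path="ztp.rsc"
    :if ([:len [/file find name="ztp.rsc"]] > 0) do={
        /import file-name=ztp.rsc
        /file remove ztp.rsc
        # One-shot: drop the scheduler once a configuration has been applied
        /system scheduler remove [find name=ztp-once]
        :log info ("ZTP: applied configuration for serial " . $serial)
    } else={
        :log warning "ZTP: no configuration fetched, retrying on next run"
    }
}
# Run shortly after boot and retry every 10 minutes until a config is applied
/system scheduler add name=ztp-once start-time=startup interval=10m on-event=ztp-callhome
```

The serial number is an identifier, not a secret, so the server side should only serve a file for devices the admin has registered, as the original post describes.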
IPv6 HW offloading is just a matter of time... once IPv4 L3 HW offload is working well, I'm sure that will be next.
In my opinion, the addition of WireGuard signals an intent by MikroTik to compete in the SD-WAN space; all of the protocols are there now except a controller for path selection, performance analysis and monitoring. Not sure if they will extend the functionality of The Dude or build a web app.
UTM - I don't know that we'll see this anytime soon. UTM requires a lot of development resources. Trying to manage the ability to detect and mitigate at L4-L7 using signatures and other automated mechanisms requires constant care and feeding by a dev team. This doesn't seem consistent with MikroTik's cost-effective approach.
Just my two cents as someone who works on MikroTik for consulting clients (including small, medium and large enterprise) every day.
That doesn't make any sense... UTM is not just Internet-facing; it's designed to detect internal and external threats across an organization's infrastructure.
Can you share some details of how blockchain and torrent would prevent malware from replicating on an infected operating system to adjacent systems?
Thanks for the insights!!! It seems that Mikrotik is on the right track with these features :). My main priorities are ZTP and VSS, to have those first above the others.
ZTP - already available, although not completely out-of-the-box as with UBNT. The only true form of out-of-band management is a serial port, and that is available.
L3 HW offloading - in development, although it seems to have some limitations (quite a small number of connections can be managed concurrently). I do not believe these limitations will be lifted, since it depends on HW support within the switch chip.
SD-WAN - the usual SD-WAN is a service which depends on some features (multi-WAN routing, failover, tunneling etc.). The features are already available. The service can be implemented by anyone. Such an organisation may then be promoted as an “MFM / certified mikrotik integrator”. If you are smart enough, all you need is to hire a few VMs in AWS/GCP/Azure, make a few provisioning scripts and offer the service. You could actually make sh*tloads of money on this.
UTM - again, it is a service which depends on some features. In this case, the features are not quite there (let's be honest, the most advanced matcher in mikrotik's firewall is L7, which is known to eat all the CPU, so for any more advanced IDS you would probably need some different approach). However, once all the required features and power are there, it will still depend on a service (someone supplying and updating the database of rules), which is a completely different market. I agree it would be nice, but whoever is capable of implementing mikrotik will likely have no trouble pairing it with Suricata/Snort or another free IDS/IPS.
I guess my understanding of development is a bit different from that of many other users, because I am a SW developer myself. I know that suppliers have limited resources and we always have to choose: which features take precedence? All your suggestions are interesting and could be implemented/improved, but there are heaps of others which need to be focused on as well.