MikroTik Devices Controller

That’s worse. You need an extra point of failure (the “proxy controller” service) plus the need to rely on third-party cloud services (be it MikroTik, the cloud provider they choose, and everyone in between).
Just terrible for operators that will rely heavily on the controller. For the average Joe that has 2-3 APs and 1-2 routers/switches in their home or their SOHO business, the cloud solution might be good enough.

The best approach is what Ubiquiti does. Give the option to either use their cloud service or allow end users/integrators to install it on-premises and be 100% air-gapped.
Not every network has direct or indirect (i.e. proxy) access to the Internet.

But do they still offer that? I know it was like that in the past, and I cut the connection between our locally installed controller and the internet during the security breach scare (not justified, it turned out later), but it seems that models introduced from around that time and later have mandatory cloud management instead of local? Or do I misunderstand that?

I manage numerous Unifi Switches and APs and none of them require any connection to Ubiquiti to work.
Same with the Unifi controller itself.

In fact, one of my installations is being used in the exact scenario I mentioned. Air-gapped network without any internet access.
It works flawlessly without being “held hostage” to any cloud service.

Ok that is great! I’ll keep it in mind as probably sometime soon it will be the time to replace (part of) the APs with Wifi-6E models…

Wifi 6e??? From Mikrotik?

That was a joke right?

No it was referring to the post above that.

A very good idea, but only if MikroTik wants to build something similar to Panorama from Palo Alto Networks. The Unifi Network Application has shit management of router functions (e.g. the USG has maybe 20% of its functions in the GUI). The Unifi Network App works reasonably well, but only with APs. MT, please look at the bigger vendors; the platform from Ubnt is not a good solution.

Hi
I wanted to write a post, but I found this one useful, and we can add some points about Dude servers.
As IT and network admins, our requirement is monitoring all network devices in the network, public/private, before/after NAT.

Currently with the Dude it is limited to IPs that are connected via the Dude server, and it requires some route rules and NAT rules to access other networks before/after NAT.
My suggestion is to use multiple Dude servers on multiple devices, all connected to a main Dude server that shows all devices on the other Dude servers and gives FULL access like the main one.
Something like InterMapper and other SNMP network monitoring devices.

For example, let’s look at small ISPs:
Site-1
They have main GW <===> BGP <====> distribution/firewall/rule/bandwidth control router <===> switches/VLANs. ((Dude level 1 server))
Then DHCP/PPPoE/DSL/FTTX etc. routers with private and public access ((Dude level 2 server))
Finally customer devices, which are almost all on private addresses. ((Dude level 3 server))
Almost all of the above can be accessed via the NOC and the public network.
Site-2
same
Site-X

What we need is a DUDE MAIN controller that mixes all Dude sites and levels into one main screen. Then, when the NOC or support team clicks on the requested network, it opens the map for that network.

Don’t know if this is available in the Dude or not.

Also important is importing lists and scripts to set passwords and users for RouterOS access in one go. Right now, if you have 1000 routers, you need to set them up one by one, or you will have millions of login failures.

Make populating the 802.11k/v/r caches accessible to us the integrators.
Everyone seems to be asking for centralized change management, but one can build that based on the current APIs.

A controller in its purest form is orchestrating client access over a distributed system, while dealing with the intentional shortcomings of a client-controlled access protocol.
By all means build your own MT controller, but if you want the community to innovate on what a controller could be, then we need the ability to fill the neighbor lists (802.11k) and get access to those transition management frames when supported (802.11v).

Let us innovate for you.

Something like a VoIP phone auto-provisioning server, except instead of phones, use MT devices:
https://www.youtube.com/watch?v=H7gNfE0gmUg

So every MT device can connect to that and send data to it. So we can create rules (scheduled or passive) to do config, update, backup, reboot. We can also create groups (by platform, IP range, MAC, version, model…) and then change/manage certain parameters on one device/group/model/version or on all devices… Also “Netinstall” support: if some MT device “dies”, over DHCP it can “call” the controller for a new ROS and some template config or backup config or admin-defined data…

Seconding IPS/IDS.

I have had too many customers recently that have wanted IPS/IDS and as a result I had to remove Mikrotik routers.

You don’t need a centralised app for that though. I would love a checkbox in winbox that said enable IDS/IPS, as simple as that :slight_smile:

As for the Centralised app:
-I would like it to have the Dude’s excellent mapping functionality
-In fact, why not just upgrade the Dude to do all of that?
-The app needs to have autodetect functionalities
-The app needs to be opt in for all devices
-No thin client hardware, all Mikrotiks need to be able to operate independently, read above, OPT-IN only.
-SwOS support?
-Config backups, both binary and text.

Let’s not pollute the topic of centralized management with requests for new features in the router!
There is a separate topic for that. This topic is about a controller to manage the configuration of features of the router, and features of that controller would at most extend to e.g. synchronization of configuration of redundant routers. IPS/IDS is not (only) configuration.

Can I get a link to the topic?

Dear,
Thanks for reading my answer.
According to my idea, “the MikroTik controller app for MikroTik devices must be connected with the Cloud DDNS sn.mynetname.net”, so anyone can access it from anywhere, just as they access a MikroTik router. Because in many countries there are typical ISP policies that block VPNs, or sometimes users need to whitelist their VPN IPs.
Thanks & Regards.
Mehar

I reckon you do not really know how an IDS/IPS works, what “in-depth protocol” steps it iterates through, and how CPU-intensive an IDS/IPS is, or do you?

Standards based: SNMP / MikroTik API.

100% ZERO requirement to use anyone else’s servers, mine work just fine, my cloud works just fine.

No requirement to access the internet for the controller to work, only that the end devices can reach the controller.

IPv6 support.

End user modules. We wanted to add tons of things to the Dude but can’t, so we built our own.

Rather than reinventing the wheel with its own protocols, I would recommend using standard management protocols as much as possible.
Possibly by extending the Dude, or maybe building it as a superset of CAPsMAN, but with RADIUS, SSH, SFTP for encrypted file copy and similar.
Either way, it should be optional to use this or not, and it should run on RouterOS.

When it comes to features:

  • better centralized syslog that can be filtered, searched through, copy/pasted, exported, rotated, parsed and scripted
  • remote script execution and a centralized backup & export location would be nice
  • different devices and probes to notify different operators through email
  • multiple daily time schedules for different operator email addresses
  • automated delay of updates (for RouterOS and RouterBOARD firmware) on a PoE-powered device while the PoE-powering device is updating (through neighbor discovery), on top of the hierarchy defined in this new monitoring system
  • txt/csv/xml/xlsx imports for IPs, MACs, etc. to be monitored
  • better scaling for map icons and background images
  • if the system would allow monitoring dashboards or maps, please make HTTPS the primary means
  • ability to report the number of clients connected to each CAP, not only on CAPsMAN as can be done now
  • network port connection discovery so as to build a connection map, not just find devices within a VLAN
  • rogue device detection and reporting when attached to VLANs (through scheduled IP and MAC scans) or ports
  • identify to which port of which device a particular MAC is connected across the LAN
  • identify/alert for rogue WiFi networks nearby
  • port monitoring, LAG monitoring, STP change monitoring and alerting
  • extend RouterOS with the ability to trigger a script on every change of RouterOS object state (e.g. dynamic events: port/bridge up/down, client connected to WiFi, hotspot, or configuration changes …) that could interface with this management system or execute these scripts on the device itself
  • multicast monitoring and reporting
  • visualization/reporting of traffic passing through the firewall rules to help troubleshooting
  • ability to add labels or dummy rules for troubleshooting which rule blocks particular traffic; highlight the rule in WinBox or in that new management system
  • add an action to firewall rules for triggering a synchronous or asynchronous script, passing into it all other traffic info and stream/packet details,
    so it can trigger any action on that monitoring/management system
  • connect one WiFi CAP to another on a schedule, to make sure the RF radio part of each device works properly
  • identify single-frequency interference impacting multiple APs; better reporting for weather radars and sources of interference
  • integrated spectral scans
  • extend the RouterOS/scripting object model with the ability to address any other device on the network through scripting…
    e.g. Enterprise_Name/Device_Identifier/RouterOS_Object/RouterOS_Sub_Object/…, below which level standard scripting applies.
    This would allow orchestrating scripts which easily control or collect data from multiple devices.

Please note, just brainstorming here… I haven’t baked any of these ideas enough.
I understand some are not directly related, but they might be enablers for some features of the proposed system or prove useful for MikroTik elsewhere.

Thx!
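Two of the wishlist items above, rogue device detection through scheduled MAC scans and finding which port of which device a MAC sits behind, can be built from data a controller already has: per-switch host tables plus an inventory of approved devices. The block below is an added example written for this thread, not code from the Dude, RouterOS or any poster; the switch names, ports, VLANs and MAC addresses are all constructed, and the host-table snapshot is shaped the way a bridge host table reads (a host learned on an access port on one switch also appears on the uplink port of the switch above it), which is why uplink ports are excluded when locating a device’s edge port.

```python
"""Rogue-device and MAC-location checks over a constructed host-table snapshot.

Added example for the controller wishlist above; not MikroTik or Dude code.
All names, ports and MACs are made up for illustration.
"""
from collections import defaultdict

# Constructed approved-device inventory: MAC -> name, expected VLAN, expected edge port.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"name": "ap-office-1", "vlan": 10, "port": "sw-floor1/ether5"},
    "aa:bb:cc:00:00:02": {"name": "printer-1",   "vlan": 20, "port": "sw-floor1/ether7"},
    "aa:bb:cc:00:00:03": {"name": "nvr-1",       "vlan": 30, "port": "sw-core/ether2"},
}

# Constructed inter-switch links. A MAC learned on one of these ports is only
# being forwarded through it, so it never counts as the device's edge port.
UPLINK_PORTS = {"sw-core/ether24", "sw-floor1/ether24"}

# Constructed per-switch host-table snapshot: (switch, port, vlan, mac).
# Floor-1 hosts are also learned on the core switch's uplink, as they would be.
SCAN = [
    ("sw-floor1", "ether5",  10, "aa:bb:cc:00:00:01"),
    ("sw-core",   "ether24", 10, "aa:bb:cc:00:00:01"),
    ("sw-floor1", "ether9",  20, "aa:bb:cc:00:00:02"),   # printer now on a different port
    ("sw-core",   "ether24", 20, "aa:bb:cc:00:00:02"),
    ("sw-core",   "ether2",  30, "aa:bb:cc:00:00:03"),
    ("sw-floor1", "ether12", 30, "de:ad:be:ef:00:01"),   # MAC nobody approved, on the camera VLAN
    ("sw-core",   "ether24", 30, "de:ad:be:ef:00:01"),
]


def locate(scan, uplinks):
    """Map each MAC to the set of (edge port, vlan) pairs it was learned on."""
    edges = defaultdict(set)
    for switch, port, vlan, mac in scan:
        ref = f"{switch}/{port}"
        if ref not in uplinks:
            edges[mac.lower()].add((ref, vlan))
    return edges


def find_rogues(scan, inventory, uplinks):
    """Compare a scan with the inventory; return sorted (mac, reason, detail) findings."""
    findings = []
    seen_by_mac = locate(scan, uplinks)
    for mac, seen in seen_by_mac.items():
        ports = {p for p, _ in seen}
        vlans = {v for _, v in seen}
        if mac not in inventory:
            findings.append((mac, "unknown-device",
                             f"seen on {sorted(ports)} vlan {sorted(vlans)}"))
            continue
        expected = inventory[mac]
        if len(ports) > 1:
            # The same MAC behind two edge ports: a loop, a clone, or a spoofed address.
            findings.append((mac, "mac-flapping",
                             f"{expected['name']} seen on {sorted(ports)}"))
        elif ports != {expected["port"]}:
            findings.append((mac, "moved-port",
                             f"{expected['name']} expected {expected['port']}, seen {next(iter(ports))}"))
        if vlans != {expected["vlan"]}:
            findings.append((mac, "unexpected-vlan",
                             f"{expected['name']} expected vlan {expected['vlan']}, seen {sorted(vlans)}"))
    # Inventory entries that did not show up at all are worth an alert too.
    for mac, expected in inventory.items():
        if mac not in seen_by_mac:
            findings.append((mac, "missing", f"{expected['name']} not seen in scan"))
    return sorted(findings)


if __name__ == "__main__":
    for mac, reason, detail in find_rogues(SCAN, INVENTORY, UPLINK_PORTS):
        print(f"{reason:15} {mac}  {detail}")
```

Run against the constructed snapshot this reports the printer as moved from ether7 to ether9 and the unapproved MAC on ether12 of sw-floor1 as an unknown device; the two approved devices that sit where the inventory says they should produce nothing. In a real deployment the inventory would come from the controller’s device database and the scan from a scheduled SNMP or API poll, and the interesting design decision is the uplink set: without it every floor-1 device would also be “located” on the core switch’s trunk port.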

There are many good syslog handling tools, like Splunk:
http://forum.mikrotik.com/t/tool-using-splunk-to-analyse-mikrotik-logs-4-0-graphing-everything/153043/1

The problem is the logging mess that MikroTik sends out. They said that they would look into this many years ago, but nothing has happened.
http://forum.mikrotik.com/t/logging-prefix-is-a-mess-sup-105353-sup-144261-waiting-for-mt-to-support-rfc-5424/111067/1
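To make concrete what RFC 5424 support would give a central syslog collector, here is an added example (not from the post, the linked threads or MikroTik) of a small parser that extracts the structured fields from an RFC 5424 line and falls back to keeping the raw text for a legacy BSD-style line. The three sample lines are constructed for the example and do not reproduce RouterOS’s actual log output; the hostnames, rule names and addresses are made up.

```python
"""Parse RFC 5424 syslog lines, with a raw fallback for legacy (RFC 3164-style) lines.

Added example, not code from the forum post or from MikroTik. The sample lines
below are constructed and are not RouterOS's real output.
"""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<msg>.*))?$"
)
SD_ELEMENT = re.compile(r'\[(?P<id>[^\s\]=]+)(?P<params>(?:\s+[^\s=\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM = re.compile(r'([^\s=\]]+)="((?:[^"\\]|\\.)*)"')
# Legacy lines only give us the priority; everything after it stays opaque text.
LEGACY = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")

# Constructed sample input: two structured lines and one legacy-style line.
SAMPLE_LINES = [
    '<134>1 2024-03-01T12:00:00Z gw-edge firewall - - [rule name="drop-inbound" iface="ether1"] '
    'forward: drop 198.51.100.7 -> 192.0.2.10',
    '<132>1 2024-03-01T12:00:05Z ap-1 wireless 1204 - - sta deauth: reason 7',
    '<134>Mar  1 12:00:00 gw-edge firewall,info forward: drop 198.51.100.7 -> 192.0.2.10',
]


def _unescape(value):
    """Undo the three escapes RFC 5424 allows inside a PARAM-VALUE."""
    return re.sub(r'\\(["\\\]])', r"\1", value)


def _parse_sd(sd):
    """Turn '[id k="v" ...][id2 ...]' into {id: {k: v}}; '-' means no structured data."""
    if sd == "-":
        return {}
    return {m.group("id"): {k: _unescape(v) for k, v in SD_PARAM.findall(m.group("params"))}
            for m in SD_ELEMENT.finditer(sd)}


def parse(line):
    """Return a dict of fields; 'format' tells whether the line was structured."""
    m = RFC5424.match(line)
    if m:
        pri = int(m.group("pri"))
        return {
            "format": "rfc5424",
            "facility": FACILITIES[pri // 8],
            "severity": SEVERITIES[pri % 8],
            "severity_code": pri % 8,
            "timestamp": m.group("ts"),
            "host": m.group("host"),
            "app": m.group("app"),
            "procid": m.group("procid"),
            "msgid": m.group("msgid"),
            "sd": _parse_sd(m.group("sd")),
            "msg": m.group("msg") or "",
        }
    m = LEGACY.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m.group("pri"))
    # Host, app and message are fused in the legacy body; a collector cannot
    # filter on them without vendor-specific guessing, which is the complaint above.
    return {"format": "legacy", "facility": FACILITIES[pri // 8],
            "severity": SEVERITIES[pri % 8], "severity_code": pri % 8,
            "sd": {}, "msg": m.group("rest")}


def filter_by(records, app=None, at_most=None):
    """Select records by APP-NAME and/or severity at least as severe as `at_most`."""
    limit = SEVERITIES.index(at_most) if at_most else len(SEVERITIES)
    return [r for r in records
            if (app is None or r.get("app") == app) and r["severity_code"] <= limit]


if __name__ == "__main__":
    for rec in map(parse, SAMPLE_LINES):
        print(rec["format"], rec["facility"], rec["severity"], rec.get("app", "?"), rec["sd"], rec["msg"])
```

The structured lines come back with host, application and the firewall rule name as separate fields, so a collector can filter on `app == "firewall"` or on severity without regular expressions tuned to one vendor; the legacy line yields only facility and severity from the PRI field, with everything else left as an opaque string. That gap is exactly what the linked “logging prefix is a mess” thread is about.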

It may be fixed in v8 :slight_smile:

IMO - Meraki has the gold standard for cloud based router management. I am often amazed by the intelligence built into the platform.

The Dude offers limited management capabilities, but is quite lackluster.

Yes, how about reworking Dude?