Protect CPE from hard reset

Hello
How many of you think that MikroTik should give us an option to disable the CPE reset, even with Netinstall, if the user doesn't have a reset PIN / password?
It should be something like mobile operators providing bundled iPhones or other devices that you cannot use on any other network unless allowed by them.

Why I am asking this: many big ISP companies are providing the same thing from other vendors, and that is why their setup cost is so low, but we have to give the customer a MikroTik device and there is a risk that the device might be used by the customer with another operator.
Also, if we do this then no one will try to steal a MikroTik CPE mounted on the rooftop of a building, as they can't use it otherwise :)

It is unlikely that people stealing radios from the roof will be stopped by a low-level lock feature they are unaware you have enabled.

However, it sounds like you want protected bootloader enabled: http://wiki.mikrotik.com/wiki/Manual:RouterBOARD_settings#Protected_bootloader

Set the override reset timer to something long but not the maximum (maybe 263 seconds or similar), and then, as long as your admin password doesn't leak, you will have what you are looking for.

Just be aware that you may find your need to hold spares of everything is increased, especially if you sometimes roll out firmware without detailed testing with an absolutely standard configuration (as you would need to hold the reset for the exact time to get into a netinstall and restore a config).

However, it does seem like MikroTik now provides the feature you are asking for; just please be aware of the risks you take, and consider that without a big sign telling people that they can't reset them and reuse them, they may well still take your CPE radios away for their own uses.

Regards
Alexander

That is not a foolproof way, as one may netinstall the router.
I need some kind of security that will stop them from even doing netinstall.

Sell the CPE to the customer. Then it will not be your loss.

Because I do not have this setting in my 951 with the latest RouterOS and firmware?

Protected RouterBOOT is said to be available on all newer devices. However, if you own a device that was produced before this feature was introduced, it won't be available until you update the backup bootloader (a special piece of firmware, a kind of recovery firmware). The link to the updated backup bootloader package can be found on this wiki page. Please note that this update procedure is said to be DANGEROUS: it can potentially brick your device (to the point where even netinstall will no longer be possible).

Nothing is completely foolproof.

However, unless they know the exact number of seconds you have set to unlock the system and allow netinstall, they won't be able to make use of that; or, if your password leaks, then all bets are off, as they can just log in.

It sounds like what you are asking for is a way to prevent any resets / changes. For this I would suggest you rip off any serial ports and reset buttons, remove any reset points that can be shorted out, turn on this locked bootloader, and remove all usernames and passwords, as this will make it (theoretically) impossible for anyone to log in and change the setup, reset the config, netinstall it, or do anything else. However, I personally think this is overkill; if you pick a nice long random number for the reformat timer key, that would prevent people from easily guessing the count they need to reformat the whole system and should make it harder than most people are willing to try to get control over a MikroTik.

Regards
Alexander

Wrong. As normis wrote in this post: "Exactly or More seconds will result the same - reformat NAND and Etherboot mode; netinstall will fix the device in any case". I.e. you don't have to hold the reset button for exactly the configured number of seconds; holding it (arbitrarily) longer will have the same result.

The purpose of protected RouterBOOT is to protect the configuration of your device from unauthorized access, not the device itself. Please read through this thread, it explains everything.
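As an added illustration, not part of any post in this thread, here is how the protected bootloader discussed above is switched on from the RouterOS CLI (the `/system routerboard settings` parameters are the ones documented on the wiki page linked earlier; the 47s and 2m timer values are assumptions chosen for the example, not values recommended by anyone in the thread):

```routeros
# Added example: enabling protected RouterBOOT on a RouterOS v6 device.
# Inspect the current state first. On an unprotected board the defaults are
# protected-routerboot=disabled, reformat-hold-button=20s, reformat-hold-button-max=10m.
/system routerboard settings print

# Enable protection. Once active, the reset button and Netinstall can no longer
# simply reset or reload the box; holding the button for at least reformat-hold-button
# (the thread notes that holding it longer gives the same result, up to the
# reformat-hold-button-max window) reformats the NAND and drops the board into Etherboot,
# after which Netinstall reinstalls it. The stored configuration is wiped in the process,
# so the feature protects the configuration, not the hardware.
# 47s / 2m are assumed values for this example.
/system routerboard settings set protected-routerboot=enabled reformat-hold-button=47s reformat-hold-button-max=2m

# Confirm the setting was stored.
/system routerboard settings print
```

Keep the chosen hold time recorded somewhere safe alongside the admin credentials: as the thread points out, losing the admin password or rolling out a broken firmware means the only recovery path is the full reformat-and-Netinstall cycle.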

Hi Andriys

Thank you for putting this correction in. I apologise to everyone in this post. I was wrong.

Great learning opportunity for me, I wish the wiki would be updated with information on these clarifications / additional information or links to associated forum posts.

Again apologies to everyone for sharing incorrect information.

Regards
Alexander