Question to our users about controllers

  1. Are you interested in a central controller for MikroTik devices? If yes:

I want to be able to manage all configurations of different MikroTik devices including x86 and CHR and be able to see general data on a dashboard to have it always open and monitor various parameters. (Maybe you can implement Grafana in your controller dashboard/user interface so you won’t have to reinvent the wheel). Like:

https://grafana.com/grafana/dashboards/14420-mikrotik-monitoring/
https://github.com/IgorKha/Grafana-Mikrotik
https://grafana.com/grafana/dashboards/13679-mikrotik-mktxp-exporter/
https://github.com/M0r13n/mikrotik_monitoring

  2. How would you like to run it?

Of course, a self-hosted server on X86 (Please make it open source)

  3. What features would you like to see mostly? (mass auto-upgrade, configuration, provisioning, monitoring)? Please provide as much detail as possible.

One of the most time-consuming tasks while troubleshooting or updating the configuration of multiple routers is that you have to use Winbox to go back and forth or use scripts (However, each router might need only part of the change of the other one or its own unique one). I want to have something like the following whether with Winbox windows or more like the following picture and solely text-based where I can drag and drop and change things on the fly. For example, I drag a firewall filter rule from router A and want to add it to routers B, C, and F which I already have open in Config Editor or Config Magician (You can name it that). While dragging, I hold down Ctrl+A and when I drop it, it will add it to all of them. Or if I want to add it to only B and D, I’ll open those two alongside router A and then when I drag the config line and press down Ctrl+A, it’ll add it to those two. If I want to add such a line to only router B while router D or other routers are open in the editor, I’ll simply drag and drop it on the desired router box.

Ideally, I want Config Magician to have a compare option where I can open multiple routers in it and it’ll compare their configurations and show me their differences as follows:

Address-list box/vault would be crucial as well since I want to have a single address-list synced between multiple routers (maybe not in real-time - even a 24h interval is fine for me (adjustable sync time can be nice)) and such address-lists can have up to hundreds of thousands of static addresses. Since currently RouterOS doesn’t support individual address-list exporting, every time I want to sync them I have to export all address-lists and then edit the .rsc file and manually remove the unwanted address-lists and then upload the file to routers I want them to sync and remove the outdated address-list from them manually (by Ctrl+A and deleting them, and since they are so enormous in numbers, Winbox crashes multiple times during this process) and then import the address-list.

Logging base to be able to see all the routers’ logs (specific number or color to differentiate each router’s log) and be able to search and view through all of them, ideally be able to store logs via the controller on a separate path/storage.

  4. How do you imagine this service would look? Similar to current CAPsMAN, based in RouterOS configuration, or something completely new, modern web-based UI etc.

You guys showed with the new Winbox and new WebFig design that you are all well-capable of designing modern-looking nice GUIs, so why not one more time build something nice that is self-hostable and open-source and can be Docker-based and easily opened in our browsers to show us its different sections which are Config Magician / Monitoring / Dashboard (Overall overview) / Logging base / etc.

Docker Please (Ideally provided with a Compose/Portainer friendly docker compose template)

I would love for config management to arrive as a versioned config script with diff support. So every time a config change is made (Save/Apply), it just commits a version. That way we can see/compare the whole history of changes. There should be a commit log with commit comments that automatically includes the author/time and optionally a comment.

Imagine config scripts in git (or just literally do that and then build whatever web GUI you want for editing, provisioning etc.).

Stats should be chartable, so everywhere there’s a number there should be the option to chart it as a time series, but no need to chart everything (keep it lean). Values can update slowly, but there should be an inspector view with real-time (1Hz) data from the inspected subsystem; this model allows for scalability.

There should be a realtime log with category filters. If I unplug a particular port, I’d like to see that at the controller level within 5s.

Stats should allow for grouping/culling to lower time-resolution using any or all of min/max/average. For instance, say we’re looking at a port’s Rx bps at 1Hz, but after 1h we only want to keep 1m resolution; we can look at max() to see the max 1s in that minute. This is more interesting than avg() since it preserves the peaks and we can see things like whether we’re maxing out our ISP-provided bandwidth. There are time-series DBs that have these functions built-in, or it can be done with very simple scripts.
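A constructed illustration of the max-vs-avg point in the post above (added example, not from the thread; the ISP cap, timestamps and traffic values are made up):

```python
from collections import defaultdict

ISP_CAP_BPS = 100_000_000  # constructed: the advertised downlink of the ISP plan
T0 = 1_700_000_040         # constructed start timestamp, aligned to a minute boundary

def rx_bps_samples():
    """Constructed 10 minutes of 1 Hz Rx bps on one port: a ~20 Mbps baseline with a
    small deterministic ripple, plus a 3-second burst near the ISP cap at t=250..252."""
    samples = []
    for t in range(600):
        v = 95_000_000 if 250 <= t <= 252 else 20_000_000 + (t % 7) * 100_000
        samples.append((T0 + t, v))
    return samples

def rollup(samples, bucket_s=60):
    """Collapse (unix_ts, value) samples into bucket_s-wide buckets and keep min, max
    and average per bucket: the same reduction a TSDB downsampling rule performs."""
    buckets = defaultdict(list)
    for ts, v in samples:
        buckets[ts - ts % bucket_s].append(v)
    return [{"t": b, "min": min(vs), "max": max(vs), "avg": sum(vs) / len(vs), "n": len(vs)}
            for b, vs in sorted(buckets.items())]

def saturated_minutes(rolled, cap_bps, agg="max", ratio=0.9):
    """Bucket start times where the chosen aggregate reached ratio * cap. With agg="max"
    the 3 s burst is still visible after downsampling; with agg="avg" it is averaged away."""
    return [r["t"] for r in rolled if r[agg] >= ratio * cap_bps]

def tier(samples, now, keep_raw_s=3600, bucket_s=60):
    """Retention policy from the post: raw 1 Hz samples for the last hour, 1-minute
    min/max/avg rollups for anything older. Returns (rollups, raw_recent)."""
    cutoff = now - keep_raw_s
    old = [s for s in samples if s[0] < cutoff]
    recent = [s for s in samples if s[0] >= cutoff]
    return rollup(old, bucket_s), recent
```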

The Dude is a good monitoring and management tool. Why not just improve it and add new features to it? Why is no work conducted to improve and support it? You don’t even fix the bugs, though there are lots of them. In response to bug reports related to the Dude, you always say something like “We will look into it when we will be working on the Dude client…”. And it has been the only answer for many, many years. What is the problem with it?

  1. Are you interested in a central controller for MikroTik devices? If yes:
    a) do you need it for wireless settings only (like a centralised capsman)
    b) or are you interested to manage all configuration of these MikroTik devices

B - Management of all of the MikroTik devices and their configuration in the network will be perfect!

  2. How would you like to run it?
    a) “Cloud solution” hosted by MikroTik?
    b) Self hosted server on X86 (*NIX)
    b) Self hosted server as package on a powerful MikroTik router

Option A or B - as a powerful MikroTik router. Not everyone has an extra self-hosted server, but if it will run like Home Assistant on an RPi, why not :wink:
Or make it as a separate small PoE device, which will connect to the current network.

  3. What features would you like to see mostly? (mass auto-upgrade, configuration, provisioning, monitoring)? Please provide as much detail as possible.

I would like to have the possibility of complete configuration of each MT device from one place, so that I don’t have to jump from device to device in Winbox, for instance. Also it would be nice to have something like copy/paste configuration from one AP to another one, just assigning it a different ID/Identity.

  4. How do you imagine this service would look? Similar to current CAPsMAN, based in RouterOS configuration, or something completely new, modern web based UI etc.

I never had the possibility to configure and work with UniFi devices, but from some materials I saw on the internet, or config training on YT, I must say that I love their GUI; it doesn’t matter if it is a web page or a special app like Winbox, but what I really like is that right on the first screen there are some nice graphs about traffic, firewall, active users, and devices too; a really nice thing is the network map also.

Re: @fifrak’s #4 answer, some “dashboard” could be relatively simple, e.g. using The Dude’s existing device discovery on the defconf LAN 192.168.88.1/whatever, combined with a new feature in winbox4 to actually render the SVG maps produced by the existing Dude auto-discovery, skipping the 32-bit Dude app part. Not UBNT, but some dashboard by default.

  1. Yes, I’m interested in a central controller. I would use it for managing updates, network wide settings and network wide monitoring. A centralized capsman would fall under that umbrella.

  2. I would run it as a self hosted server on either my VM platform or as part of a central powerful MikroTik router. I would not like to run it in the public cloud or in a MikroTik cloud.

  3. The following features are what I would like:
    Automatic handling of updates (firmware and ROS). Either fully automatic (nightly) or at least so I can manually select a version to update/downgrade a selected number of routers to. I would also like to be able to create groups of routers to act on.
    For configuration, anything system wide. Such as wireless APs (capsman/multiple capsmans). But actually not much. Easy way to log in to a specific router though.
    For monitoring I would like a system wide overview where I can see active ports, VLAN assignments, VLAN names, routes, etc. Perhaps a way to follow a traffic flow (some kind of global packet capture/Torch function).

  4. I would like for it to be a totally new thing. Perhaps a web UI / backend API server combo that can talk to all MikroTik devices. Perhaps the MikroTik devices can connect to this central API and keep a connection to it at all times. Some kind of mutual TLS certificates would probably be needed for security.

  1. Yes I do, it would be nice to manage all devices (routers, switches, APs) on a per-site basis using a non-cloud solution.

  2. Yes I do but only if it’s a local, non-cloud solution that could be deployed either on a MikroTik box or FreeBSD, NetBSD or in worst case scenario GNU/Linux server (preferably with both options supported).

  3. I’d love to be able to deploy devices via user created templates (and possibly mass change settings on boxes deployed that way).

  4. Both WebUI and CLI interfaces should be available. If there is any interaction possible from WinBox it has to be backported to 3.x version family (version 4 is useless).

Hi,

I do not want to repeat all the good ideas. So I just wanted to add how I would like a controller to look:
It should be secure by design. For this I wish to see protocols like OIDC, WebAuthn etc. for authentication. Any local management on the devices should be disabled, except for an emergency SSH login with, for example, key authentication.
Also for audits I’d like to see who did what <= could be a log facility like already in RouterOS, but logging the actions which only appear on the controller, like changing some templates which might not necessarily result in a config change on the routers, or changing the IDP provider.

Interface: I know a lot of the folks like their native clients. And I love Winbox too. But in this case I vote for a good web interface. :slight_smile: I do not think a CLI on a controller makes a ton of sense. I’d rather want to see some kind of API.

For the question what is the most urgent config i would like to manage centrally:

  • firewall aliases (maybe even with some API, so I can feed it with external data)
  • VLANs
  • scripts (maybe directly with git integration)
  • config backups and versioning

In my imagination a first controller could look more like a git with a web text editor where routers can be adopted to get their config. So even with a minimal first version you could manage the whole feature set of any adopted device. Then add functionality as you go. Build a GUI for Wifi management, then a GUI for firewall rules, centralized VPN management. And so on…

Take your time, do it well. I love the idea of a controller to self-host on some VM. +1

And thank you very much for asking the community. +1

I recently switched from MikroTik switches and routers to UniFi for my home network, primarily because UniFi offers a centralized controller. Setting up VLANs with MikroTik took me three days and multiple device resets. In contrast, configuring the same VLAN with UniFi only took me five minutes.

Personally, I am happy with MikroTik as of right now. I am a home user with a few access points. I go with MikroTik specifically because a “controller” setup is not forced on us like so many other manufacturers. So whatever the outcome, please don’t take the ability to be fully standalone and controller-less away from us!

  1. interested to manage and monitor all configuration of these MikroTik devices
  2. Self hosted server on X86 similar to CHR, e.g. a Hyper-V image or Windows service
  3. Monitoring / dashboard, and maintenance, e.g. mass auto-upgrade, configuration, provisioning
  4. A service that accepts incoming connections from RouterOS instances to be managed on port Y (MT private protocol), and port X for web browser access (HTTP or HTTPS) for the web dashboard.
    The MT private protocol needs to be simple/hardened enough to be used over WAN. It’s important that the connection is initialized from the managed devices to the controller (devices behind CGNAT).

Definitely yes, the lack of a management tool that would simplify managing highly available sets of devices is a pain (one has to remember to do the same steps twice…)

Self hosted on x86 or whatever other platform would be available

An ability to have a uniform export and transaction-based import/replace of a subset of options.

As there are a lot of standards for managing network devices (https://xkcd.com/927/) my suggestion is to KISS and use whatever is there already - ansible for those who can code, API for those who can use what someone else built. The major gripes I have with ROS at the moment are that it can’t really do a proper, always-the-same export and that no transaction-based config change is possible. Let me explain:

  1. I have 2 physically identical devices, but since I’m managing them via WinBox, the order of actions is sometimes different. If I do an /export now on both of them and DIFF the results, it’ll be a bit different here and there (major offenders: DHCP leases, DNS static entries, IPSec policies, IP Firewall Address Lists). What I’d love to have is some internal magic that would ALWAYS sort the export by a predictable field (ID? number? name? anything!) so that the output can be compared to each other.
  2. The transaction system would be very useful with a REPLACE function: your management tool of choice jumps in, starts REPLACE inside, let’s say IP>Interfaces, and then after an explicit COMMIT, the configuration is fully replaced.
    These 2 changes would already make tools like Ansible or Napalm go from “maybe it works for you” to “the platform is 99% supported” in no time flat. If it has to be a GUI tool, well, I believe that with such functionality as a base, any tool could be built as somebody sees fit.
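An added example for the first point (not part of the thread, and not MikroTik code): a normalized comparison of two /export outputs that sorts each menu section by its key=value content so add-order and attribute order no longer show up as differences, plus, for the address-list sync pain described earlier in the thread, pulling a single address-list out of a full export. The two exports are constructed, and the tokenizer assumes attribute values without embedded spaces.

```python
import difflib
# Constructed sample /export output of two routers that should be identical (not real
# device output): same entries in a different order, one attribute order swapped, one extra on B.
EXPORT_A = """\
# 2024-01-01 10:00:00 by RouterOS 7.14
/ip firewall address-list
add address=192.0.2.10 list=blocked
add list=blocked address=192.0.2.11
add address=10.0.0.0/8 list=rfc1918
"""
EXPORT_B = """\
# 2024-01-02 11:30:00 by RouterOS 7.14
/ip firewall address-list
add address=10.0.0.0/8 list=rfc1918
add address=192.0.2.11 list=blocked
add address=192.0.2.10 list=blocked
add address=198.51.100.7 list=blocked
"""

def parse_export(text):
    """Map each menu path to its command lines, joining the trailing-backslash
    continuations that /export uses to wrap long lines."""
    sections, path, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # header/timestamp lines are noise
            continue
        if line.endswith("\\"):                   # wrapped line, keep collecting
            pending += line[:-1].rstrip() + " "
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            path = line
        else:
            sections.setdefault(path, []).append(line)
    return sections

def canonical(line):
    verb, *kv = line.split()  # verb plus sorted key=value tokens (no quoted-value handling)
    return verb + " " + " ".join(sorted(kv))

def normalize(text):
    """Canonical export: paths in sorted order, each section's lines sorted."""
    return [x for path, lines in sorted(parse_export(text).items())
            for x in [path, *sorted(canonical(l) for l in lines)]]

def export_diff(a, b):
    """Only the real differences between two exports, with ordering noise removed."""
    diff = difflib.unified_diff(normalize(a), normalize(b), lineterm="", n=0)
    return [d for d in diff if d[:1] in "+-" and not d.startswith(("+++", "---"))]

def extract_address_list(text, name):
    """Pull one address-list out of a full export (RouterOS has no per-list export)."""
    rows = parse_export(text).get("/ip firewall address-list", [])
    return sorted(canonical(r) for r in rows if f"list={name}" in r.split())
```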

100% spot on. This “transactions” topic was common in the older thread about the “new controller”. IMO the above are more fundamentally needed, than worrying about UIs and packaging…

Without these concepts, I’m not sure how any controller could work… And what makes it difficult today is there are no primitives to “update” a config item (e.g. either do “add” or “set” as needed), or, more formally, an idempotent config. The solution could be as simple as having an “update” operator that lets you set the .id= field directly, rather than it being autogenerated by an “add”.
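An added example of such an idempotent “update” primitive, implemented on the controller side rather than in RouterOS (example code, not from the thread): a plan that addresses existing rows by their .id and emits only the RouterOS add/set/remove lines actually needed, so running it a second time produces no change. The router state and the template are constructed.

```python
MENU = "/ip firewall address-list"
KEY = ("list", "address")  # the fields that identify one row of this menu
# Constructed sample state (not from a real device): what the router currently holds,
# with its RouterOS-assigned .id values ...
CURRENT = [
    {".id": "*1", "list": "blocked", "address": "192.0.2.10"},
    {".id": "*2", "list": "blocked", "address": "192.0.2.11", "comment": "old"},
    {".id": "*3", "list": "blocked", "address": "203.0.113.5"},
]
# ... and what the controller's template says the list should contain.
DESIRED = [
    {"list": "blocked", "address": "192.0.2.10"},
    {"list": "blocked", "address": "192.0.2.11", "comment": "abuse report 42"},
    {"list": "blocked", "address": "198.51.100.7"},
]

def by_key(entries):
    return {tuple(e[k] for k in KEY): e for e in entries}

def plan(current, desired):
    """Idempotent 'update': add missing rows, set only the attributes that differ on
    existing rows (addressed by .id), remove rows the template no longer has."""
    cur, want = by_key(current), by_key(desired)
    ops = []
    for k, e in want.items():
        if k not in cur:
            ops.append(("add", None, e))
        else:
            changed = {a: v for a, v in e.items() if cur[k].get(a) != v}
            if changed:
                ops.append(("set", cur[k][".id"], changed))
    for k, e in cur.items():
        if k not in want:
            ops.append(("remove", e[".id"], {}))
    return ops

def render(ops):
    """RouterOS CLI lines for the plan, ready to be wrapped in a transaction/COMMIT."""
    lines = []
    for verb, rid, attrs in ops:
        kv = " ".join(f'{a}="{v}"' if " " in str(v) else f"{a}={v}" for a, v in attrs.items())
        lines.append(" ".join(x for x in (MENU, verb, rid, kv) if x))
    return lines

def simulate(current, ops):
    """Dry run on an in-memory copy; plan() on the result is empty (idempotence)."""
    state = {e[".id"]: dict(e) for e in current}
    nxt = 1 + max((int(i[1:], 16) for i in state), default=0)
    for verb, rid, attrs in ops:
        if verb == "add":
            state[f"*{nxt:X}"] = {".id": f"*{nxt:X}", **attrs}
            nxt += 1
        elif verb == "set":
            state[rid].update(attrs)
        else:
            del state[rid]
    return list(state.values())
```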

I currently manage a network of approximately 250 MikroTik routers and access points. A cloud-based solution that allows the organization of devices by site, with status monitoring (online/offline and general performance), would be highly beneficial.

Remote upgrades are a key requirement, but mass upgrades should be carefully designed and implemented, both on the RouterOS devices themselves and the cloud solution. The upgrade process must include multiple checkpoints and execute sequentially, rather than in bulk. A major challenge with upgrades is the potential for failure, such as when power is lost or an error occurs during the process. Each step must be deliberate and methodical, as device failures—especially for remote units located 15 meters in the air—are costly and problematic. Currently, I perform upgrades rarely and on a per-device basis, including subsequent RouterBOARD upgrades, to minimize the risk of failure. Repairing failed APs often requires hiring lifting equipment, which is both time-consuming and expensive.

While The Dude works well for local management, it introduces significant configuration overhead, making it impractical for anything beyond local sites. As a result, I limit its usage to on-site deployments. (Meaning: it can be done, but it is very hard to do reliably.)

A RouterOS-based solution is unnecessary, as such functionality is already available in Dude.

Regarding the interface, it should prioritize delivering the maximum amount of information in a single visual layout—an “engineering approach” that emphasizes functionality and detail over minimalism.

Yes, this is (maybe off-topic but) 100% true: “commit”, and “commit confirmed <minutes/seconds>” for not cutting yourself out (a la Junos). I have devices that I would like to reconfigure but I cannot, even with safe mode, without physical access.

If you want to make something truly beneficial, then a look at the concept of FortiManager would provide a good start.
If something like this would materialize even only in a form of VM images to host on site or in NOC, then it would be usable both for “on-premises” or remote management.

Hello,

I would like to have the option to manually select the WiFi data rates just like in the case of the classic wireless driver. The reason is that even though the signal is very low, -88 dBm to -90 dBm, some devices decide to connect to those APs even though there are much closer APs and there is no interference. And it takes about 1-2 minutes of multiple bad AP choices until those devices decide to select the closest AP.

And yes I do have WNM&RRM configured, neighbor groups and FT with associated mobility domains, but some devices still try to connect to far away APs, and yes, roaming is an STA decision.

Using the classic driver and setting the minimum data rate to 24Mbps would just make those APs “invisible”, limiting client connectivity to only the closest APs.

Cisco also recommends this method:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-7/b_wireless_high_client_density_design_guide.html#concept_D47FC5C7BA124D79B56764DEEFE9AE47

Setting the minimum data rate this way to both 2.4 and 5GHz interfaces fixed a lot of roaming issues:
/caps-man rates
add basic=24Mbps name=OFDM supported=24Mbps,36Mbps,48Mbps,54Mbps

Thank you!

Can you please fix the link?

Fixed, sorry about that.