Change the powerbox config to not be like a customer router. Having ether1 treated as a 'WAN' interface, firewalled off and blocked from mac telnet is monumentally stupid. That's where the device gets power by PoE, 99% of the time when its powered by PoE it's going to be connected upstream and thus needs access by management

We've had a few that have been installed and then the installers have to go back up to reconfigure them because of this idiotic design decision
And just now I have one that's somehow been factory defaulted, no problem at all if I could login to the thing, but I can't. Now I need to drive all the way out to site and organize access to reconfigure it

Change it to act just like a switch, all ports in a bridge, PoE auto, done. Nothing else should be put on it

Maybe Mikrotik can use internet detecting to switch the rules off when no internet is reachable on that interface.
If you make on your side the Internet unreachable it will become a LAN port instead of WAN. This could gives a security risk in the time between switching.

https://wiki.mikrotik.com/wiki/Manual:Detect_internet

Still a bad idea. We want the powerbox to have internet connectivity, it's part of the management network and that's used for firmware updates, sending email notifications etc
The powerbox should always have been treated as a switch, not a router

I like that it is a RB product and not SwOS but it shouldn't be treated like a CPE. Terrible, terrible decision. I'm sure its caused a lot of people a lot of frustration and wasted time cause they can't get to it remotely after an install

Does MAC telnet travels over the internet?

@millenium7: If I understand it correctly, your employee stuff up, make excuses and because of that, you want Mikrotik to adjust setting for whole world?
That just does not add up

Its almost better that recent request to have confirmation box for disabling interfaces because employees miss-clicked (topic seems to be deleted now)

@millenium7: If I understand it correctly, your employee stuff up, make excuses and because of that, you want Mikrotik to adjust setting for whole world?
That just does not add up

No to the first part, yes to the second. Today the powerbox just randomly reset itself, nobody did it. Maybe power surge or something I don't know, bottom line is a site visit was required because the default config blocks me from accessing it
Tell me a GOOD and VALUED reason for ether1 being blocked from all external access and the only way to get to it is via ether2-5?

A powerbox is an infrastructure device, it's NOT a CPE. There might be a handful of them out there that get their power from the customers site, with the customer attached to ether1. That's going to be a very rare scenario
What's far more likely is the powerbox being installed where there was 1 radio, but now there's 2-4. You power the powerbox from the same cable, then you attach radio's. That's its primary purpose in life, so again explain to me why you would block off access from ether1 out of the box? It just doesn't make any sense at all

ALL other devices on the market similar to powerbox (i.e. Netonix) do NOT block access on any port as the default config, because it would be a ridiculous thing to do. MikroTik seems to think otherwise. Fine, tell me why it's a better way to do things? To absolutely have to carry a laptop up a tower to install it. To maybe forget to configure it up there and have to climb back up?
MikroTik wants people to get more exercise maybe?

There is always possibility to set your own default config before putting it in the tower.

Netinstalling a new default config is a lot more work for something that should be set from factory. Installers should be able to just put the device in without having the mess around with netinstall

Tell me a viable case for blocking off ether1 on a powerbox by default? Otherwise why not just change it to be more useful to more people?

Power box is the same RB750P, so they share the same configuration. Since there were not a lot of complains, this configuration is being kept.

Count me as a complaint too. It was actually an OmniTik PoE 5ac, uplink on ether1 connected to the IDU of a NEC ipasolink (transparent bridge over which I access the device), I have reset it to defaults but (my mistake) forgot to check "no default configuration" - no MAC telnet/winbox access anymore, IPv6 link-local didn't work either, site visit required to connect a laptop to one of the "LAN" (2-5) ports with a long cable. I can understand you want to protect it from remote access over IP (if connected to ISP who gives public IPs by DHCP), but MAC and IPv6 link-local should still work by default on the PoE-in port of outdoor devices.

Power box is the same RB750P, so they share the same configuration. Since there were not a lot of complains, this configuration is being kept.

Why do you have to get lots of complaints? It's about use case
It makes perfect sense if we are talking about a device like hAP AC. This is a CPE device, commonly connected with ether1 facing the internet

Nobody is using a powerbox like that. I guarantee you every powerbox out there is not using default config
This is fine I don't expect a magical default config that works for everyone. But the number one priority should be getting to the device to reconfigure it for your network. Why rely on complaints? look at the use case, why did you even make a powerbox? It is obviously made to power radio's on ports 2-5 and its very likely that the uplink into a providers network will be port 1. Why would you block it so the provider cannot login to change it? It's a really bad design decision

we reset them before installation

As do we, and in all transparency we havn't had a big issue with powerboxes that we've been installing for a year. However I say 'big' issue. The one i'm talking about where it just reset itself was infact a big issue that would have been a small issue had I been able to get access to it. That's the point, its about being able to get to a critical infrastructure device at any time. This was a big deal for us and nearly cost us a major client, not to mention lost productivity on our side. An outright hardware failure would have been far far better because I could have sent anyone out to replace it, instead I was the only one available at the time who knows how to do the configuration (note that i'm the senior network engineer for an ISP, not a L1 tech. This wasn't a valuable use of my time for the company). Not every installer knows MikroTik and how to configure them, and they quite frankly don't need to know they should just be able to call us and get us to do it remotely. Can't if the uplink port is blocked from access!

I agree that in theory everything should be nicely planned and all provisioning and configuration done ahead of time. But the real world isn't all nice and neat and pretty, sometimes someone grabs the wrong device, it was labelled wrong, there was a major outage that required just getting one thats in the back of the truck etc etc etc. Conditions dictate that sometimes you just need to work on the fly. And we've had multiple instances where we've just had to put the powerbox in, it hasn't been configured prior. No big deal right? We do this with all other switches, radio's and sometimes even routers on a regular basis. Just phone in and get one of the techs to reconfigure, oops they can't if it's a powerbox because Mikrotik has blocked access on port1! WHY!??!???. Installer doesn't have a laptop, didn't bring one up, doesn't know how to configure it, doesn't have RJ45, whatever, pick your scenario. All of which can be mitigated by just allowing access on all ports as the default. Config can be changed by a tech after, simple, easy, done

Flip it around, tell me 1 reason why it would be really bad to open up ether1? Powerbox is not a home router, it's not a security vulnerability to open it up to access for installation. It won't break anything, it won't cause any problems. Its use case is to be put into a providers network. So why MikroTik won't you make this change? Really simple and it's not going to cause a problem for anyone, but it will help save a lot of time and frustration from not being able to get into it. Not everybody lodges a complaint, we've had this happen multiple times we havn't submitted a complaint. I'm only doing it now because it was a BIG problem for us, big enough that if I see it happen again anywhere in our network, all powerboxes are going in the bin and we're moving to Netonix. We'll save more money than we potentially lose. All because of a stupid design decision that's very easily fixed.....

I'm only doing it now because it was a BIG problem for us, big enough that if I see it happen again anywhere in our network, all powerboxes are going in the bin and we're moving to Netonix. We'll save more money than we potentially lose. All because of a stupid design decision that's very easily fixed.....

LOL good luck switching brands...
It's not a stupid design, just lack of testing everything on your side before leaving the place.

It's not a stupid design, just lack of testing everything on your side before leaving the place.

And yet you can't provide an example of why its a good design...

Maybe you're right, maybe it is lack of testing. We should have tested totally unexpected scenario's like oh I dunno the device factory resetting itself for no apparent reason with no way to reconfigure it remotely, then came to the conclusion it's a stupid design and used a Netonix instead

Suggested solution, make a custom default configuration for your network. And netinstall those devices (a delay added to the script is sometimes necessary). That way even if a customer reset it, it would be back to your default configuration.

Mikrotik devices are not always used as expected by many customers. So they try to make the safest configuration possible for customers. I have seen devices just plugged in and not configured, with blank admin password. Last power box i saw like that was at a hotel to power their access points.


Sent from my SM-A520W using Tapatalk

Mikrotik devices are not always used as expected by many customers. So they try to make the safest configuration possible for customers. I have seen devices just plugged in and not configured, with blank admin password. Last power box i saw like that was at a hotel to power their access points.

The primary use case of a powerbox is 'not' going to be customer facing on ether1. So its really stupid to have ether1 blocked off which is most likely connected to an uplink
In the case of that hotel you are describing, the powerbox couldn't be connected to via ether1 to change its password. Yet it would be visible to hotel clients connecting in via ether2-5. That isn't safe or secure at all....

If anything it should be the opposite with ether1 allowing access and ether2-5 blocked off. But that would also be bad because the uplink may be one of those ports. So MikroTik please just open up all ports for access by default