mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Advanced ideas you can't do with MikroTik products...

Mon May 11, 2020 1:28 pm

...because there's no shell access to the underlying Linux :-(

MikroTik products are feature-rich and also attractive in terms of pricing.
They use the Linux kernel and other open-source code (cf. /help/license.html on the device),
and on top of that their own closed-source RouterOS and SwOS,
but without giving admins, power-users, enthusiasts, or independent developers shell access
(neither as user nor as root) to the underlying Linux OS.

Too bad, I just need such shell access to try out some advanced ideas
for which I need to install my own code using the libnetfilter_queue library
( https://www.netfilter.org/projects/libn ... index.html )
to extend the firewall to cover our own advanced firewall security requirements
(and also for traffic load-balancing and some more ideas which all require the use
of the above library and coding in the C/C++ language), on the CRS3xx switch that shall
also serve as a central firewall.

I asked the MikroTik Support, but they just wrote:
Unfortunately, shell access isn't available to the public. Sorry for the inconvenience.

So, it unfortunately looks like I need to look for alternatives from another vendor where these ideas can freely be realized.
I did some quick research on the web, and the next best alternatives seem to be the Ubiquiti EdgeRouter/EdgeSwitch, as it uses Debian and gives root access, or installing the open-source OpenWRT Linux for routers/switches on the MT device, if the device is supported by OpenWRT (not sure yet whether the CRS3xx is supported by OpenWRT; the old CRS1xx seems to be supported).

Any other alternatives?
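Added example, not code from the post above or from MikroTik: the kind of per-packet verdict logic that a libnetfilter_queue-based firewall extension, as the poster describes, runs on each packet the kernel hands to user space through an NFQUEUE rule. Only the decision function and a constructed sample packet are implemented, so it compiles and runs without the library or root privileges; the nfq_* glue it would sit inside is described in a comment at the end. The blocked port list, the 192.0.2.x addresses and the queue number are assumed sample values.

```c
/* Added example: user-space firewall verdict logic of the kind a
 * libnetfilter_queue program runs on packets diverted by an iptables
 * "-j NFQUEUE" rule. The pure decision function is implemented here;
 * the nfq_* plumbing is described in the closing comment. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Values mirror NF_DROP (0) and NF_ACCEPT (1) from <linux/netfilter.h>,
 * renamed so the file builds without that header. */
enum verdict { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };

/* Minimal policy: TCP destination ports that forwarded packets may not
 * reach (constructed sample values, an assumption for this example). */
static const uint16_t blocked_tcp_ports[] = { 23, 445 };

/* Inspect one raw IPv4 packet and decide its fate.
 * Returns VERDICT_DROP for malformed packets (fail closed) or for TCP
 * segments addressed to a blocked port, VERDICT_ACCEPT otherwise. */
enum verdict inspect_ipv4(const uint8_t *pkt, size_t len)
{
    if (len < 20) return VERDICT_DROP;                 /* truncated header */
    uint8_t version = pkt[0] >> 4;
    size_t ihl = (pkt[0] & 0x0f) * 4;                  /* header length in bytes */
    if (version != 4 || ihl < 20 || ihl > len) return VERDICT_DROP;

    uint16_t total_len = ((uint16_t)pkt[2] << 8) | pkt[3];
    if (total_len < ihl || total_len > len) return VERDICT_DROP;

    uint8_t proto = pkt[9];
    if (proto != 6) return VERDICT_ACCEPT;              /* only TCP is policed here */

    /* The ports live in the first 4 bytes of the TCP header. */
    if (total_len - ihl < 4) return VERDICT_DROP;
    uint16_t dport = ((uint16_t)pkt[ihl + 2] << 8) | pkt[ihl + 3];

    for (size_t i = 0; i < sizeof blocked_tcp_ports / sizeof blocked_tcp_ports[0]; i++)
        if (dport == blocked_tcp_ports[i]) return VERDICT_DROP;
    return VERDICT_ACCEPT;
}

/* Build a constructed IPv4+TCP SYN (no options, zero checksums) for the
 * demonstration; addresses are from the 192.0.2.0/24 documentation range. */
size_t build_tcp_packet(uint8_t *buf, size_t cap, uint16_t dport)
{
    if (cap < 40) return 0;
    memset(buf, 0, 40);
    buf[0] = 0x45;                   /* IPv4, IHL = 5 words */
    buf[2] = 0; buf[3] = 40;         /* total length 40 */
    buf[8] = 64;                     /* TTL */
    buf[9] = 6;                      /* protocol TCP */
    uint32_t src = htonl(0xC0000201), dst = htonl(0xC0000202); /* 192.0.2.1 -> 192.0.2.2 */
    memcpy(buf + 12, &src, 4);
    memcpy(buf + 16, &dst, 4);
    buf[20] = 0xC3; buf[21] = 0x50;  /* source port 50000 */
    buf[22] = (uint8_t)(dport >> 8);
    buf[23] = (uint8_t)(dport & 0xff);
    buf[32] = 0x50;                  /* TCP data offset = 5 words */
    buf[33] = 0x02;                  /* SYN flag */
    return 40;
}

int main(void)
{
    uint8_t pkt[64];
    size_t n = build_tcp_packet(pkt, sizeof pkt, 445);
    printf("SYN to 445: %s\n", inspect_ipv4(pkt, n) == VERDICT_DROP ? "drop" : "accept");
    n = build_tcp_packet(pkt, sizeof pkt, 443);
    printf("SYN to 443: %s\n", inspect_ipv4(pkt, n) == VERDICT_DROP ? "drop" : "accept");
    return 0;
}

/* In a real libnetfilter_queue program, the callback registered with
 * nfq_create_queue() obtains the packet bytes with nfq_get_payload(),
 * calls inspect_ipv4() on them, and passes the result to nfq_set_verdict()
 * as NF_ACCEPT or NF_DROP. Packets reach that queue through a rule such as
 * "iptables -I FORWARD -j NFQUEUE --queue-num 0" (queue number 0 is an
 * arbitrary assumed value). */
```

The function fails closed: a packet with a bad version, an impossible header length or a total length that does not fit the buffer is dropped rather than passed, which is the safer default for a user-space filter that sits in the forwarding path.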
 
mozerd
Forum Veteran
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Advanced ideas you can't do with MikroTik products...

Mon May 11, 2020 1:57 pm

Any other alternatives?
Cisco Catalyst 3650 Series Switches
This one will meet all of your security objectives plus it will route at wire speed plus do things that you have yet to imagine. :-)
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Advanced ideas you can't do with MikroTik products...

Mon May 11, 2020 2:07 pm

Any other alternatives?
Cisco Catalyst 3650 Series Switches
This one will meet all of your security objectives plus it will route at wire speed plus do things that you have yet to imagine. :-)
I doubt a Cisco device will meet my listed requirements, as it is IMO even more closed-source than MikroTik.
But I understand, you just mean it sarcastically :-) Or do you? :-)
Or do you mean the closed-source code of Cisco that was stolen --> https://www.theregister.co.uk/2005/05/1 ... stigation/
No, thx :-)
 
mozerd
Forum Veteran
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Advanced ideas you can't do with MikroTik products...

Mon May 11, 2020 2:31 pm

You're one very very smart Dude :-)
The ACLs on the 3650 are very rich [granular], but for firewalling I would use Untangle + this switch .... Check out Untangle .... very rich UTM
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Advanced ideas you can't do with MikroTik products...

Mon May 11, 2020 2:40 pm

You're one very very smart Dude :-)
The ACLs on the 3650 are very rich [granular], but for firewalling I would use Untangle + this switch .... Check out Untangle .... very rich UTM
Thx, but as I wrote, I need a central firewall on the switch itself, to which all of the LAN devices are attached.
I.e. an external firewall solution is not the right solution for my specific use-case.
MikroTik would be excellent for my requirements, if only it would allow Linux shell access.
 
jvanhambelgium
Forum Veteran
Posts: 991
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Advanced ideas you can't do with MikroTik products...

Mon May 11, 2020 3:00 pm

Any other alternatives?
Cisco Catalyst 3650 Series Switches
This one will meet all of your security objectives plus it will route at wire speed plus do things that you have yet to imagine. :-)
I doubt a Cisco device will meet my listed requirements, as it is IMO even more closed-source than MikroTik.
But I understand, you just mean it sarcastically :-) Or do you? :-)
Or do you mean the closed-source code of Cisco that was stolen --> https://www.theregister.co.uk/2005/05/1 ... stigation/
No, thx :-)
Enlighten us and do state your requirements please... I'm curious what kind of mysterious environment you are running there...
Is it this one?? -> "I wrote I need a central firewall on the switch itself to which all of the LAN devices are attached to"

If you are looking for UTM "security" features, I don't think MikroTik is for you.
Are the filtering capabilities of MT not enough? What exact additional features do you need?
What speeds are you looking for?
Are you looking for a product that can do per-port stateful filtering, advanced UTM etc. and has a mix of 1G / 10G / 40G / 100G ports? I think you need to switch vendors & increase budget ;-)


The link you mention to this netfilter API library: what do you want to accomplish with it?
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Advanced ideas you can't do with MikroTik products...

Mon May 11, 2020 3:27 pm

@jvanhambelgium, we need max security in and out, as well as max possible performance at the same time, obviously.
We have multiple such small but, for us, important in-house projects in the pipeline,
for example an Advanced Application Layer Firewall that operates as a C/S solution:
the S part being on the switch (can't disclose any more, hope you still get the idea... :-))
This is some advanced security stuff for traffic in both directions. Yes, indeed, one can call it UTM. But we prefer open-source,
or in this case our own in-house solution. No closed-source solution for such very sensitive security issues,
as nowadays you can't trust anybody any more, not even the NSA... :-)
 
jvanhambelgium
Forum Veteran
Posts: 991
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Advanced ideas you can't do with MikroTik products...

Mon May 11, 2020 3:35 pm

@jvanhambelgium, we need max security in and out, as well as max possible performance at the same time, obviously.
We have multiple such small but, for us, important in-house projects in the pipeline,
for example an Advanced Application Layer Firewall that operates as a C/S solution:
the S part being on the switch (can't disclose any more, hope you still get the idea... :-))
This is some advanced security stuff for traffic in both directions. Yes, indeed, one can call it UTM. But we prefer open-source,
or in this case our own in-house solution. No closed-source solution for such very sensitive security issues,
as nowadays you can't trust anybody any more, not even the NSA... :-)
Then perhaps this is more in the area you are looking for?
(recently acquired by NVIDIA)

https://cumulusnetworks.com/products/cumulus-linux/

Have some bare-metal switch fabric, and then on top of it this software.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Advanced ideas you can't do with MikroTik products...

Mon May 11, 2020 3:45 pm


Then perhaps this is more in the area you are looking for?
(recently acquired by NVIDIA)

https://cumulusnetworks.com/products/cumulus-linux/

Have some bare-metal switch fabric, and then on top of it this software.

Yeah, this indeed looks very interesting and promising.
But said company unfortunately has a not-that-good reputation here (maybe I'm a little bit biased, maybe even unfair, I admit).
I'll nevertheless study the docs of that product.
Btw, we can't build our own switch here, so any solution must fit on/for the MT device, or an alternative such 24+x 1G port switch device with 2+x 10G ports for attaching HPC servers.
Thx for the info & link.
