Manual:RouterBOARD settings: Difference between revisions

From MikroTik Wiki
Jump to navigation Jump to search
Line 131: Line 131:
There is a new feature, which allows to protect RouterOS configuration and files from attacker by disabling etherboot. It is called "protected RouterBOOT". Feature can be enabled and disabled only from RouterOS after login, i.e., there is no such RouterBOOT setting. These extra options appear only under certain conditions.  When this setting is enabled - both reset button and reset pin-hole is disabled. Console access is disabled. Only ability to change boot mode or RouterBOOT settings is through RouterOS. If you do not know the RouterOS password - only complete format is possible.  
There is a new feature, which allows to protect RouterOS configuration and files from attacker by disabling etherboot. It is called "protected RouterBOOT". Feature can be enabled and disabled only from RouterOS after login, i.e., there is no such RouterBOOT setting. These extra options appear only under certain conditions.  When this setting is enabled - both reset button and reset pin-hole is disabled. Console access is disabled. Only ability to change boot mode or RouterBOOT settings is through RouterOS. If you do not know the RouterOS password - only complete format is possible.  


* Backup RouterBOOT version can not be older than v3.22 version. A special package is provided to upgrade backup RouterBOOT ('''DANGEROUS'''). Newer devices will have this new backup loader already installed in factory. Download the packahe [http://www.mikrotik.com/download/share/protected_routerboot_3_22.dpk here]
* Backup RouterBOOT version can not be older than v3.22 version. A special package is provided to upgrade backup RouterBOOT ('''DANGEROUS'''). Newer devices will have this new backup loader already installed in factory. Download the package [http://www.mikrotik.com/download/share/protected_routerboot_3_22.dpk here]
* RouterOS version 6.26 is required to enable this feature
* RouterOS version 6.26 is required to enable this feature



Revision as of 10:17, 19 February 2015

General

Sub-menu level: /system resource

on RouterBOARD devices the following menu exists, which gives you some basic information about your device:

[admin@demo.mt.lv] /system routerboard> print 
       routerboard: yes
             model: 433
     serial-number: 185C01FCA958 
  current-firmware: 3.25
  upgrade-firmware: 3.25

Properties

All properties are read-only

Property Description
model (string) If this device is a MikroTik RouterBOARD, this describes the model name
serial-number (string) Serial number of this particular device
current-firmware (string) the version of the RouterBOOT loader that is used right now. Not to be confused with RouterOS operating system version
upgrade-firmware (string) RouterOS upgrades also include new RouterBOOT version files, but they have to be applied manually. This line shows if any new RouterBOOT file has been found in the device. The file can either be included with RouterOS version, or a FWF file can manually be uploaded to the router. In either case, newest found version will be shown here


Upgrading RouterBOOT

RouterBOOT upgrades usually include minor improvements to overall RouterBOARD operation. It is recommended to keep this version upgraded. If you see that upgrade-firmware value is bigger than current-firmware, you simply need to perform the upgrade command, accept it with y and then reboot with /system reboot

 [admin@mikrotik] /system routerboard> upgrade 
 Do you really want to upgrade firmware? [y/n] 
 y
 echo: system,info,critical Firmware upgraded successfully, please reboot for changes to take effect!

After rebooting, the current-firmware value should become identical with upgrade-firmware

Settings

Sub-menu level: /system RouterBOARD settings

          boot-device: nand-if-fail-then-ethernet
        cpu-frequency: 600MHz
     memory-frequency: 225MHz
        boot-protocol: bootp
  force-backup-booter: no
          silent-boot: no
Property Description
boot-device (nand-if-fail-then-ethernet ...; Default: nand-if-fail-then-ethernet) Choose the way RouterBOOT loads the operating system:
  • flash-boot -
  • flash-boot-once-then-nand -
  • nand-if-fail-then-ethernet -
  • nand-only -
  • try-ethernet-once-then-nand -
boot-protocol (bootp |dhcp ...; Default: bootp) Boot protocol to use:
  • bootp - the default option for booting RouterOS
  • dhpc - used for OpenWRT and possibly other OS
memory-frequency (depends on model; Default: depends on model) This option allows to change the memory frequency of the device. Values depend on model, to see available options, hit [?] button on the keyboard at this prompt
cpu-frequency (depends on model; Default: depends on model) This option allows to change the CPU frequency of the device. Values depend on model, to see available options, hit [?] button on the keyboard at this prompt
force-backup-booter (yes | no; Default: no) If to use the backup RouterBOOT. This only useful if somehow the main loader is corrupted and cannot be fixed. So that you don't have to boot the device with a pushed reset button (which loads backup loader), you can use this setting to load it every time
  • yes - backup loader will be used always
  • no - main booter will be used
silent-boot (yes | no; Default: no) This option disables output on the serial console, to avoid the text output interrupting a connected device. Useful if you have some temperature monitor or modem connected to the serial port
  • yes - no output on the serial console
  • no - regular info and option menu on serial console

Protected bootloader

There is a new feature, which allows to protect RouterOS configuration and files from attacker by disabling etherboot. It is called "protected RouterBOOT". Feature can be enabled and disabled only from RouterOS after login, i.e., there is no such RouterBOOT setting. These extra options appear only under certain conditions. When this setting is enabled - both reset button and reset pin-hole is disabled. Console access is disabled. Only ability to change boot mode or RouterBOOT settings is through RouterOS. If you do not know the RouterOS password - only complete format is possible.

  • Backup RouterBOOT version can not be older than v3.22 version. A special package is provided to upgrade backup RouterBOOT (DANGEROUS). Newer devices will have this new backup loader already installed in factory. Download the package here
  • RouterOS version 6.26 is required to enable this feature
Property Description
protected-routerboot (enabled | disabled; Default: disabled) This setting disables any access to RouterBOOT configuration settings over console cable and disables operation of the reset button to change boot mode (Netinstall will be disabled). Access to RouterOS will only be possible with a known RouterOS admin password. Unset of this option is only possible from RouterOS. If you forget the RouterOS password, the only option is to do complete reformat of NAND and RAM with the next option, but you have to know the reset button hold time in seconds.
  • enabled - secure mode, only RouterOS can be accessed with a RouterOS admin password. Any user input from serial port is ignored. Etherboot is not available, RouterBOOT setting change is not possible.
  • disabled - regular operation, RouterBOOT settings available with serial console and reset button can be used to launch Netinstall
reformat-hold-button (5s .. 300s; Default: 20s) As an emergency recovery option, it is possible to reset everything by pressing the button at power-on for reformat-hold-button time. You will have to remember this setting, otherwise even reformat will not be possible and device will not be recoverable. When you use the button for complete reset, following actions are taken:
EXTREMELY DANGEROUS. Use this only if you have lost access to device. 
  1. RouterOS, all of its files and configuration is completely and irreversibly erased by nand re-format;
  2. all RouterBOOT settings are reset to defaults;
  3. board is rebooted;
  4. as boot from NAND fails, it goes to etherboot automatically;
  5. Netinstall is required to reinstall RouterOS.