Default usernames and passwords are significant security vulnerabilities on any internet facing device. It’s a…
Tips4Tiks – Safe Mode
Most MikroTik users are aware of MikroTik’s Safe Mode and understand what it does. If you aren’t familiar with it, it’s a “safety net” to minimize risk while working on a configuration by allowing an easy roll-back if your session breaks.
This post shares some factual, as well as anecdotal and personal experience-based, information that MikroTik users might have missed throughout their time using MikroTik devices.
Enter Safe Mode in Terminal
While statistically, most people are WinBox users, I prefer using terminal. This is a tip for all the other terminal users:
To use Safe Mode in terminal, press Ctrl+X to enter or exit.
Check the Status of Safe Mode
If you worked on a different machine than usual, left your session on, and aren’t sure if you left Safe Mode on, you can use history to check the situation on the router. This is also useful if you want to check any recent changes on the MikroTik – especially if there’s more than one person doing work.
Session A making a change:
History print in Session A (SSH):
History in Session B (WinBox):
Also, notice there is a system identity change activity with a flag “F,” which represents the action we did in Safe Mode:
If you terminate your session in any way other than using the “quit” command, your config will roll back to the version before Safe Mode.
Exiting Safe Mode from a Different Session
If you’re in a situation where you want to stop Safe Mode for a different session, the easiest way is to SSH into the router and activate Safe Mode. You’ll get prompted to decide what you want to do with changes that were done in Safe Mode from the other session.
u – this option will roll back the changes from the other session
r – this option will release the existing Safe Mode which will apply the changes
d – this option is a “cancel button” to leave everything as is
If you decide to not cancel your Safe Mode attempt, and pick “u” or “r”, you can simply exit Safe Mode now.
When it comes to using WinBox, taking over a Safe Mode session is not possible at the time (WinBox v3.40).
My Personal Tips on Safe Mode:
- An unofficial MikroTik piece of software, WinBox4Mac (by Joshaven Potter) is loved and used by many engineers around the world. One anecdotal lesson we learned the hard way at Admiral, is that Safe Mode can be unreliable in WinBox4Mac.
- Beware that Safe Mode uses history as cache to roll back changes. That cache is somewhat limited, so make sure you’re making changes in small blocks, disable and re-enabling Safe Mode in between.
- Your router can be unintentionally left with Safe Mode on. At the next power outage, this will cause your router to roll back any changes done in that Safe Mode.
- A quick way of having better insight into active Safe Mode is to add your router to Admiral Platform. This way, you will be alerted if that occurs on any of your routers.