RouterOS: Understanding ‘Safe Mode’.

It is sometimes possible to change router configuration in a way that will make the router inaccessible from a remote connection and an access from the local console is needed to repair the mistake.
Usually this is done by accident, but there is no way to undo last change when connection to router is already cut.

In RouterOS, Safe Mode can be used to minimize this risk.

Safe Mode is entered by pressing the “Safe Mode” button in Winbox (on the Top-Left corner of the main GUI Screen) or by pressing [CTRL]+[X] while using Console.

To save changes and quit safe mode, it is enough to press the “Safe Mode” button or hit [CTRL]+[X] again in Console.

To exit without saving the made changes, hit [CTRL]+[D] in the Console.

[admin@MikroTik] ip route>[CTRL]+[X]
[Safe Mode taken]
[admin@MikroTik] ip route<SAFE>

Message “Safe Mode taken” is displayed and prompt changes to reflect that session is now in safe mode.
All configuration changes that are made (also from other login sessions), while in Safe Mode, are automatically undone if safe mode session terminates abnormally.
All changes that will be automatically undone will be tagged with an F flag in system history:

[admin@MikroTik] ip route>
[Safe Mode taken]
[admin@MikroTik] ip route<SAFE> add
[admin@MikroTik] ip route<SAFE> /system history print
Flags: U - undoable, R - redoable, F - floating-undo
  ACTION                    BY            POLICY
F route added               admin         write

If shell connection (or Winbox terminal) terminates abnormally (simply cut, for example), after a while (according to TCP Timeout, set to 9 minutes in the default configuration) all made changes while configuring in safe mode will be completely undone.
Exiting session by [Ctrl]+[D] also undoes all safe mode changes, while /quit does not and store permanently the active configuration.

If another user tries to enter safe mode, the following message will be displayed in his terminal:

[admin@MikroTik] >
Hijacking Safe Mode from someone - unroll/release/don't take it [u/r/d]:
    [u] - undoes all safe mode changes, and puts the current session in safe mode.
    [r] - keeps all current safe mode changes, and puts current session in a safe mode.
          Previous owner of safe mode is notified about this: 
 
     [admin@MikroTik] ip firewall rule input
     [Safe mode released by another user]
 
    [d] - leaves everything as-is.

If too many changes are made in Safe Mode and there’s no room in history to hold them all the session is automatically put out of the safe mode and no change is automatically undone.


Comments are closed.