I am a huge fan of Mikrotik. In the past, I worked for an ISP, and we made fantastic stuff with them. A CCR box that costs less than 1000€ can handle the same number of users, with advanced QoS queueing, as an equivalent Cisco that costs 20x.
Having (almost) the same features on every model, from the big boxes to the core routers, is a big plus; they are very flexible, and they have almost all the features that a carrier-class router needs (the big lacks at that time were OSPFv3 and multi-core BGP).
Once you learn the CLI and some quirky configuration, it's worth the money.
The only problem is the availability: they are not as stable as Cisco/Juniper, but you can add several layers of redundancy at a fraction of the cost.
Also, the support is very basic.
So, what's the best wifi gateway with extra access points for a home that I don't have to screw with and doesn't spy on me or have cloud crap? My ISP sent a Google wifi thing but I'd rather pay a few hundred than use that for 10 bucks a month to rent that thing, and I don't trust Google.
Edit: Thanks for all the answers, from me and anyone else who was looking! I have some good ideas from the below comments and hopefully this thread helps some others as well.
I'm currently in the process of moving my home network from Ubiquiti to an open solution with a few Mikrotik RBM11Gs to serve as APs, and will probably also replace my Netgate SG-3100 running pfSense, likely with a PC Engines machine. All will probably be running OpenWrt, though if that's too limiting / buggy, I'll just use plain Linux or OpenBSD on them.
The major benefit of this setup is that you don't depend on some manufacturer for updates. Given Ubiquiti's and Netgate's recent hostile actions towards users and open source, this provides great peace of mind. The other benefit is that you're free to upgrade your hardware as needed, which particularly for WiFi cards is great to have. Right now I'm sticking with WiFi 5 because of the costs, but in the future upgrading to 6E would just be a matter of changing the cards (assuming they're supported by the OS).
Speaking of cards, I went with Compex WLE1216V5-20, which have an Atheros chip and are thus much better supported on Linux than Broadcom, etc.
Have you ever looked at VyOS (https://vyos.io/)? IIRC EdgeOS was a fork of Vyatta and Vyatta became VyOS. Their LTS pricing doesn't work for small businesses, but the rolling release might be an option for home use.
It's sad that everyone only wants to accept huge amounts of cash these days. Take VyOS as an example. The smallest licensing option they have is $6k per year for unlimited installs. That makes it completely unobtainable for a person that I build firewalls for, so we don't even evaluate it.
In terms of percentages, we could probably add about 15% to every firewall sold and that could be passed along to a software vendor. If we had a self serve portal where we could download LTS releases and generate lifetime licenses we'd send them 15% of our firewall (sales) revenue and they'd basically never hear from us.
In real numbers that would be about $1-1.5k a year as long as we could pay per device as we sell/install them. Using pfSense as an example it'd be in the range of $10k since we started using pfSense and, in the last 5 years, I think I've only had 1 issue I couldn't figure out on my own where I had to go ask on their forum.
I haven't, but I remember Vyatta from many years ago, and I'm looking for something less enterprisey. If OpenWrt becomes a problem, I just might fall back to plain Linux or OpenBSD. Though OpenWrt is quite stable and fully featured from what I've read. I really don't need anything special for home use.
I also have an EdgeRouter, but will probably replace that last since it works fine and doesn't require any of the Ubiquiti Controller / Cloud shenanigans.
I've had intermittent LAN dropouts on the SG3100 that I couldn't explain from the logs. That in addition to Netgate's hostility towards open source with how they're handling pfSense, and the whole pfSense+ product, just puts a bad taste in my mouth when it comes to supporting the company. For the hardware and software stack they provide, the devices are very overpriced IMO. Same with Ubiquiti, though at least with Ubiquiti you're paying for a set-it-and-forget-it network, as long as you're willing to fully invest in their ecosystem. They're the Apple of network prosumer equipment.
But my main interest in abandoning both is investing in devices that I can upgrade and maintain independently and at my own pace. It will also be cheaper in the long run, though it does require some tinkering to set up.
Got it, thanks very much for the summary! Agreed that the EdgeRouter is fine, but the one I have is a bit anemic (ER Lite), and I've been disappointed with Ubiquiti's push for increased telemetry/phoning home, so I didn't want to buy a more powerful ER to replace it.
I thought about it, but WiFi cards are generally better supported on Linux, and since I'll be running OpenWrt on the APs, I'd prefer having a unified OS for both APs and the router.
I guess it will depend on how much I like OpenWrt :) I don't have any experience with it.
If you do go the OPNsense route, just be aware you need to disable the Spectre/Meltdown mitigations to get reasonable performance. pfSense has them disabled by default.
Unless something radical has changed in the last half year or so, pfSense will be a giant PITA if you have "residential" IPv6. That is, anything but a completely static prefix.
I am unhappy with pfSense's inability to push gigabit traffic on my hardware, but IPv6 works fine for me. I'd be curious what ISP you have and what your issue is.
My ISP has a dynamic prefix, so it changes "willy-nilly", sometimes per day.
With pfSense, the issue was primarily two-fold. First was the fact that all the firewall rules and such did not support dynamic prefixes. Major PITA right there.
Second was the DNS server, that is, when using pfSense as a DNS server I couldn't figure out how to prevent it from sending the public IPv6 address to clients. Thus when the (public) prefix changed, DNS stopped working on the clients.
Some of this might have improved since I last used it, but I switched to OpenWRT and haven't looked back for a second.
I built APs with Compex cards a few times in the past. The problem is that some of them have an extra-large form factor and won't fit standard mPCIe slots. I had to build an adapter :/
Eventually, instead of upgrading to a new iteration, I got a couple of Netgear R7800s and flashed them with OpenWrt.
The router is on a separate x86 box.
I used to work on a product for secure small-biz Wifi, and so dogfooded my own product in my house. When that was over and I took that out of my house, I had my eyes on Ubiquiti, and it is an impressive ecosystem. But as others have said, it's out of stock all the time, and Ubiquiti are teasing people right now with their next-gen product which is available but also unobtainable.
Eventually I picked the Asus ZenWifi system, and honestly it works great (I have no affiliation with Asus). There's no cloud account to create when you install it. The app is acceptable. There are various security things you can turn on which seem to require cloud assistance, but the core product seems to work very nicely. Any time you try to turn on something which might cause the system to share extra data, a popup appears to explain that to you.
It's so powerful, Wifi-wise, that I bought three nodes and only deployed two. I use it with Ethernet backhaul but it has a dedicated radio for wireless backhaul. It has ethernet LAN ports on each node, and each node is identical to every other node (i.e. there is no "base" and "satellite"). I went from spotty Wifi throughout my 2,000 sq ft house to very strong Wifi throughout. I wrung my hands for a long time because I gave up VLANs and some other things I wanted, and then said the heck with it.
Subscriptions are coming, I bet. The whole ui.com account thing where they force you to create an account and link new devices like the UDM Pro is the writing on the wall IMO. They back-pedaled on adding it to the v2 firmware of Cloud Keys IIRC, but the end game is likely to get everyone paying per device per month.
The last time they had a pay per device per month service it started at $1/device/month and then they bumped it to $10/device/month. Somehow they thought the one time cost of a device should become an annual cost and that people would adopt it. Obviously that flopped.
Now think of the same scenario, but everyone's gotten complacent and are getting dependent on their devices that are linked back to ui.com. They might not blatantly flip the switch, but now that they have a hook for licensing checks they can start shifting development so new features are licensed for a monthly fee rather than getting them free forever when you buy a device.
IMO as soon as the all-in-one devices that perform management (ex: UDM Pro) while being linked to a ui.com account get enough adoption they'll shift to some kind of feature licensing or simply release new devices / revisions that require "cloud licensing" or something similar.
They're also very flippant when it comes to breaking devices in a way that prevents a connection to the controller. They think SSHing into broken devices to fix them is reasonable and it's not if you have to deal with many sites / devices.
It's gotten much, much better over the last six months or so. The transition to generic Linux for their router line was rough, but the worst seems to be over.
I went from AirPort Extreme -> Google Wifi -> Asus RT-AX86U. They all have their pros and cons but the Asus is immensely more powerful. I love that it can mount a large USB drive as Time Machine, and the wireless is so fast it's actually usable. When there's a 2.5G WAN port you know they mean business.
One of the nice things about the Omada APs is that they can run (and be configured) in standalone mode without the need for a controller. I bought one to replace the single Ubiquiti I had and it's been solid; better, even!
There is also the classic UDM. Also purchasable on store.ui.com. For people who want a prosumer alternative to the crappy routers that telcos/cable companies give out, this is a great option. Highly recommend, but it is also a gateway drug.
Unfortunately the UDR which replaces the UDM costs a mere $79 and delivers more functionality including Wifi 6. UDM is kind of a poison pill at the moment.
Not exactly what I want to see in the device that can literally compromise all of my other devices. Am I missing something -- did this turn out to be nothing, or did folks decide that Ubiquiti has bounced back? This seemed really really serious at the time and turned me completely off from ever purchasing one of their products.
Ah, that's a fair point. I guess at some level a sufficiently privileged employee can manage this in almost any system. But there's also some discussion of backdoors and inadequate access control in Ubiquiti's backend here that could concern privacy-minded folk.
I heard good things about PC Engines APU products (e.g. see here https://teklager.se/en/products/routers/apu3d4-open-source-r... I'm not affiliated). You essentially run OpenWrt or pfSense on your own hardware. Alternatively, many people are now putting pfSense/OPNsense on their own hardware. In particular, thin clients are very capable and some can easily be retrofitted with multiple Ethernet ports (however, prices have gone up significantly for some of these over the last year). The one thing you need to be careful with is WiFi hardware compatibility.
Hot take: All routers completely suck right now, and most of them are built to spy on your network at worst and accidentally expose you to cyberattacks at best.
There are two choices, the way I see it:
1. Invest in a decent router (probably $150-200 at least) and throw openwrt on it. You'll need something with serious CPU beef because openwrt relies more on software than hardware, and most routers use hardware for QoS etc., hence the price tag. You'll also need to actually understand the multitude of settings offered by openwrt if you care at all about security or performance -- this is nontrivial if you aren't already a network engineer.
2. Buy a used Apple Airport router. The last generation support AC wifi, which is... basically as fast as the best things out there right now, barring wifi 6E. On the plus side: this comes with mostly sane defaults and good performance, I easily get 600+ mbps up/down on my gigabit internet. On the downside... I think you can only configure airport routers through macOS (and a mostly-dead iOS app), and they don't let you configure all the settings you might want. A fair tradeoff for good, non-footgun defaults IMO, but YMMV.
There's also the third option of creating some bespoke raspberry pi + wifi hardware solution for yourself, but that's likely to get you punched by your flatmates when it inevitably reboots incorrectly during a power outage or overheats or whatever and suddenly you need to spend 2 hours debugging problems without a working wireless connection and everyone else is pissed they can't use the internet. Unless, of course, you're a brilliant network engineer who would never make a silly mistake or have a bug in their custom router solution.
Which I guess is why most people use Google or Amazon spyware for internet in their homes.
> 1. Invest in a decent router (probably $150-200 at least) and throw openwrt on it. You'll need something with serious CPU beef because openwrt relies more on software than hardware, and most routers use hardware for QoS etc., hence the price tag. You'll also need to actually understand the multitude of settings offered by openwrt if you care at all about security or performance -- this is nontrivial if you aren't already a network engineer.
Why not OPNsense on an old x86 box?
> but that's likely to get you punched by your flatmates when it inevitably reboots incorrectly during a power outage or overheats or whatever and suddenly you need to spend 2 hours debugging problems without a working wireless connection and everyone else is pissed they can't use the internet.
I thought for a couple of years that my OPNsense setup would pass the Family Acceptance Factor, but one day (a few months back!) it spontaneously wiped itself of its settings — requiring me to plug in a monitor, reconfigure it to boot, and restore my settings from a backup.
My (very annoyed) family had to ask why we had to jump through hoops, and not use a simple consumer router like everyone else.
I'd imagine that OpenWrt would be the same, or worse.
Old x86 boxes tend to be hot, have moving parts (fans), and are large and noisy. Sure, some folks have a large house and a basement, and don't care. For many, a nice new reliable (with warranty) widget that burns little power, is silent, has no moving parts, and is tiny/easily mounted is a pretty big win. The EdgeRouter is pretty good, I have a 6P, but the Ubiquiti trend towards subscriptions, cloud management, etc. is pretty worrying.
Given that I'd likely keep my next router for 5+ years, I'm hoping for 2.5gbit (if not 10gbit), 4 ports, IPv6 aware (I get a /60 from my ISP), VLANs (so I can keep the random consumer crap segregated off), etc. I had settled on the hardkernel with 6x2.5 Gbit ports, but it's discontinued.
My Ubiquiti 6xp does a great job: I can keep the config file in git, I can assign an IPv6 /64 per port, run custom firewall rules to redirect all DNS to my DNS server (allowing blocking YouTube, web games, etc.), etc. I block all remote access to my router and from the consumer crap VLAN with watches, TVs, AV receivers, game consoles, etc.
Here's hoping someone ships something similar; I have my eye on the MikroTik RB5009UG+S+IN, which has 1x 10G, 1x 2.5G, and a bunch of 1G ports. I'd need a second VLAN-capable switch with a 10G uplink for my uses, but it's workable. Hoping for something similar with a few more faster ports. Even just 2x10G would make a big difference.
In my (extensive) experience on several different hardware platforms, OpenWRT is far more stable and featureful than stock firmware.
In the worst case, stock firmware would require a hard reset (power cycle) every few weeks. I've had OpenWRT firmware running without interruption (on UPS) for years at a time.
Thanks for that, it is what I figured. I have a really old, nice, router running one of the WRT-like OSes and I really, really don't want to do that anymore. I have a small family and do not want to mess with this stuff. I might just bite the bullet and hook up a few more of the Google routers. I hate using Google, and don't trust them, but I probably trust them more than most other brands in this space. Also, I can't argue that I don't get good performance from their stuff. The only problem is, if I turn off the cloud features with this thing, I can't even do port forwarding or anything! Who the F puts that behind a cloud? Anyways, thanks for the answer.
Yeah, I've been frustrated with the router space for a while recently so I figured you might benefit from my research (and likely bias as well). Too bad others in this thread downvoted me without responding, though -- if anybody can recommend a decent answer to this question that I didn't cover or explain why I'm wrong, I'm happy to admit that. I would really like there to be a decent router out there for my use case.
The biggest reason I don't use a Google router or something of that ilk is exactly what you mentioned in this comment: I don't want basic functionality like port forwarding locked behind some cloud account that I might have to pay for monthly eventually (or might get shut down). At least my current hardware will likely work perfectly until the hardware fails.
I think the reason why you got downvoted is because you made broad sweeping statements without anything to back them up. It also does not reflect my experience: the number of routers running open source systems that one can buy is much larger than it has ever been (I pointed out some options further up the thread); ASUS uses dd-wrt IIRC, and others.
Also the openwrt/pfsense/opnsense solutions are not really slower than commercial offerings, many offerings now are capable of running OpenVPN at reasonable speeds, in particular if your CPU has AES-NI support.
The way it was written, your statement sounded like an Apple shill, really.
I got an Amplifi Alien recently. They are expensive!!! but it has been rock solid and makes full use of my gigabit uplink. I disabled all the cloud stuff so no issues there. I wanted something fast and reliable that I wouldn’t ever have to mess with, and didn’t mind paying more to get it. Wi-Fi is fast on this thing. First run experience was total crap but once I got past that no issues. I recommend it.
I looked into them a while back, and they do generally seem to be capable devices. I think they fall into the too-footgun-y category I mention above, though -- if you don't already know a lot about networks, you can easily leave gaping holes in your network security since there are so many options to screw up. They're a bit on the expensive side, too, and honestly even trying to figure out which router to buy was enough of a nightmare to dissuade me.
Thanks for this suggestion, I'll have to keep an eye on this the next time I need a router. Definitely on the pricey side, but given that it's fully open source, that's a con I can live with.
Instead of buying out of date kit, just buy a second hand Ruckus AP and call it a day. No telemetry and you can set it up in 10 minutes. They're enterprise grade and will last 10 years or more.
Synology has been far and away the best I've deployed for "friends and family". I've not received a single phone call for support and it's the first wifi product I can say that about.
They also are introducing full VLAN support in DSM 1.3 which should be out soon if you're a power user. Honestly if they supported PoE for their extenders I probably would have switched out to it. The extenders will mesh wired or wireless which is nice.
I personally like that because I can safely remotely access the routers I've deployed for others if I ever have a reason to. They just need to check a box to turn it on or off in the GUI.
They also have an "experience improvement" program that sends home telemetry that can also be disabled. As far as I know there's no "phone home" that you can't turn off if you don't want it.
QuickConnect makes your NAS wide open to the internet. It does so using UPnP or a relay station in a Synology data center. Not only will Synology likely have access to users' data at the relay station (see change of certificate!), the DSM login page will be open to anyone on the internet (you can try random usernames on https://quickconnect.to/ and connect to people's NASes).
Maybe for routers it's different, but this service is not secure for NAS.
I agree that this is what I would want to use, but doesn't the lack of any kind of specialized switching hardware make it uncompetitive in terms of price/power consumption/speed?
I have on order a mikrotik rb5009UG+S+, which has nine gigabit ethernet ports, one 2.5 gigabit ethernet port, and a 10g sfp+ cage. It has zero fans and benchmarks show it capable of 10 gigabit routing. It costs less than $200.
I love vyos, and I would definitely prefer an open source router. But people I talk to love their mikrotik products. It doesn't seem like the old ones are being abandoned.
Yes, this is easily superior to most options; Debian/OpenBSD/whatever is far more trustworthy than any commercial offering (and many noncommercial options), and hostapd isn't especially hard to set up - a bit of effort up front and then you can just sit on it for years with no more maintenance than installing updates (and even that can be automated with unattended upgrades in Debian). The result is a capable little box that will get security updates indefinitely and which only serves your interests.
I also use a PC Engines Alix with Debian as a home router and it is in many ways superior to commercial options, but the quality of WiFi drivers in Linux is a long-term issue.
Also note that in unpatched hostapd, channel bonding (40 MHz and wider channels) does not really work. There is a check whether the neighboring channel is crowded (which it always is, due to the overcrowded spectrum) that disables channel bonding. AFAIK OpenWrt has a patch that allows overriding this check, but Debian does not.
As a result, I get consistently higher WiFi speeds from commercial WiFi APs than from my Alix router.
I tend to use OpenWRT on Mikrotik devices, but I used a board from PC Engines, and I was impressed by it. The hardware is very standard, and their support was good. I had a question about the max power the mini PCI port could supply. I got an answer and info on a change I can make that adds a capacitor to help in this scenario.
I've been building a little TP-Link Omada setup for my home. There is a cloud option for the controller software, or you can buy the hardware controller (or... run it yourself).
Was going to go all in on Ubiquiti but was put off when reading about the reliability issues, plus was way more expensive.
Pleased with my router + access point + PoE switch + hardware controller :)
I bought a used Ruckus R610 on ebay for a modest $160 (not including power adapter). I am extremely happy with the hardware performance and the stability and options of the Unleashed firmware.
It says it supports a gateway mode, but as a power user I want a bit more control than what I would expect a WAP to offer. I use an EdgeRouter-4 running whatever the latest official release is. Having separate boxes grants me freedom to do things like mess with Wi-Fi settings while my SO watches a show on Apple TV connected via Ethernet. It's the little things.
I often think of a pfSense build, but then I remember how happy I am with the performance and efficiency of a dedicated box.
FWIW, I do OPNsense on a dedicated box (Protectli FW4B) and then an R610 for wireless, with an eBay special EOL'd Brocade switch in the middle.
A dumber switch would be just fine, but I wanted something with 802.1at POE and good VLAN support because I like to break things up a bit.
OPNsense is darned handy, and I like that it does more than an EdgeRouter would, like terminate a Wireguard VPN. The R610 works wonderfully, and the switch... well... it's a switch. Once configured it's kinda transparent.
Moving houses soon, so I got a second R610 to fill in signal on what I perceive will be dead spots due to plaster+lathe construction, and in testing thus far it all seems to Just Work. And like you appreciate, since it's all modular it's a lot easier to maintain than the UniFi stuff when things go sideways.
I think that any slim/passive box will work well. So long as it has enough NICs and they have quality drivers for hardware offload and whatnot it'll work great.
+1 for the TP-Link EAP225 and its brethren (they have a cloud management portal, but with just a handful of units they can be managed individually or via self-hosted management server).
I use mine with a Mikrotik RB4011. A very stable and reliable combination.
UniFi Dream Machine. It's constantly out of stock; you have to keep checking the Ubiquiti website to get it. It has cloud access which is used by the app to monitor or control it from outside of your house, but you can disable it.
We use UDM's at work and I really feel like they are half baked products at best. I'm really not a fan and we've stopped using them completely in new installations because of it and have gone back to MikroTik hardware which has never given us issues.
I also just find the UDMs interface an absolute shit show to navigate and find things.
Agreed... their old EdgeRouter was much better. Hoping their UniFi OS (containerization of their platforms on their hardware) becomes more flexible without the hacks people use now. Until then, I'll keep using my EdgeRouter...
I'm not a fan, but surely the prosumer version has one! Due to system load being above 1 all the time it causes quite some heat, and thus fan noise. Crappy firmware, never fixed.
Having owned UDM for over a year with auto update off, they never pushed any forced update, I always do it manually every few months. Based on number of updates[1] that they push I can totally give them benefit of doubt that it was a bug.
They have dozens of products which they update constantly, picking one bug at one time as malice and blacklisting a company is not correct. If you go that route you won't have any company left to buy from.
Have you heard of Fritz!box from AVM? That’s what I have setup for a few friends, with good success. Personally I use a Mikrotik hap ac 3 in my apartment. They have a ‘mesh’ product in the Audience line.
I know it's "in" to shit on Ubiquiti right now - but the new Ubiquiti Dream Router and the older UniFi Dream Machine are the best spiritual successor I have seen to this device. The UDM comes out of the box with the switch and AP, which performs well, while the UDR also has PoE switch ports and WiFi 6 in case you want to run other APs or security cameras.
And before anyone else jumps in with old information, as of the latest firmware, it does not require cloud access. And the PPPoE performance problem has been fixed.
It was a bumpy transition for a bit because they moved off of Vyatta to generic Linux for the routers.
Not sure if it passes the “don’t have to screw with” test (as configuration generally requires a decent level of networking knowledge), but I’m quite happy with Mikrotik Audience access points/routers.
I'm running Netgear N600 / WNDR3800 with OpenWRT since day one. So if you (can) plan for OS before buying, you can dodge a bullet when $VENDOR stops giving f*cks. That particular box has been released in 2011! Mikrotik is good enough (tm) probably, but it's licensed/closed-source. bcantrill once mentioned that "Infrastructure software should be open-source" and I'm adhering to this mantra for 10 years now. Dodged many bullets coming my way ... (i.e. if you want to buy something, can you plan for linux/BSD OS when vendor just doesn't care anymore?)
Would like to hear ideas about Apple's AirPorts running custom NetBSD... are you guys still running those as edge/internet routers with WiFi, or have you pushed them to the inside of the network and promoted some other box to the firewall role? I'm kinda stuck in the conundrum of "it's unix with PF, it can handle itself" versus "it does not get updates anymore".
As far as I understand, no Wi-Fi 6 routers actually run OpenWrt. The only way to get somewhat open software on your Wi-Fi 6 or newer device is to use Merlin's fork of Asuswrt. Merlin is pretty big on not making large modifications though, so, for instance, it's very difficult to get Docker running on the device because the default kernel doesn't ship with a lot of the necessary modules. There are some nice apps that use the router directly, like Diversion, but I would really love a little device that managed everything from VLAN tagging to running little Docker appliances and also provided a fast modern AP. Imagine an app store where the moderate power user could click and install apps on their router that all lived in little containers.
I wish to declare that I'm a Mikrotik fanboy. My hardware is ten years old, doesn't break, and Mikrotik supports it on the latest versions, apparently without plans to ever sunset the support. Ooh aah.
Big supporter of Mikrotik here, it’s a perfect middle ground between consumer “crap”, and $10,000 enterprise network equipment.
Rolled out a 10gbit / 25gbit network at home. My biggest complaints are:
* Wireless is really difficult to get “decent speeds”. I also have my ISP’s router and a Draytek at home, these easily do 500mbit, and it’s nearly impossible to get my router board to do the same. When asking support there’s mainly a lot of hand-waving “you’ll never get better than 100mbit anywhere anyway”, etc. Even if other router vendors use hacks / cheats to achieve what they do, I would want an explanation what exactly it is they’re doing, and why Mikrotik can’t do that.
* I know their Linux kernel supports certain features; I would really like an "escape hatch" so I can just run traffic shaping commands manually. E.g. if I want to use RED with ECN, the lack of a UI checkbox shouldn't be the limiting factor;
* Upgrades while being on their development branch have been a big pain, many times losing crucial configurations; I guess this is fair game when I'm on the beta channel.
* Hardware is a bit underpowered for my needs, but I guess that’s why enterprise equipment is 10x - 50x as expensive. Doing traffic shaping on anything more than 1gbit is pretty much impossible; probably the best solution is to use some dedicated hardware with a whole bunch of network cards inside.
Standalone wireless on Mikrotik is bad. CapsMan is even worse as it seems to hobble some of the standalone settings. Mikrotik are good at engineering routers but bad at engineering Wifi drivers.
I tried every which way to get Mikrotik wifi to work well, at reasonable speed, without dropping packets when roaming. No dice.
Now I have three hAP ac running OpenWRT, connected to a CCR for switching and a hEX S for routing, the latter two still running RouterOS 6. 5 VLANs, PoE, queues, several forwarded services. Solid as a rock.
(I've said it now... massive network wobble likely on the way).
You can always run RouterOS on x86 hardware. I think the problem with things like mangle rules run into. Had loss and a hell of a lot of reorders at just 500mbit through a CCR1036 the other week; disabled 100 or so mangle rules and it vanished, but from looking at other routers I think it's more of a limit in the Linux kernel (perhaps just the 2.6 one). Maybe RouterOS 7.1 will be better, something to test in the coming weeks.
10/25 feels like a CCR2004? Or are you just talking switching.
If routing remember it isn't full bandwidth - the 170gbit of ports is squished into 2x25 before hitting the CPU[0]. Not sure how much is offloaded to the PIPE.
> 10/25 feels like a CCR2004? Or are you just talking switching.
That’s exactly right. Thanks for the tip that things get squished into 2x25gbit before reaching the CPU; this effectively means that anything that isn’t offloaded to the hardware is limited by “just” 2x25GBit. Is my understanding also correct that this would be the case for when traffic needs to go from the SFP+ ports to the SFP28 ones?
Regardless, what I really wanted to do (mostly as an experiment) is use QoS to prioritize iSCSI and others; the problem I’m running into is that the CPUs are just not able to do that that fast.
I think the only solution to this problem would be to use an x86 machine with a bunch of Mellanox cards in it.
The hardware is underpowered because they optimise for people who deploy a hundred routers on mountaintops, with excellent lines of sight but poor access for replacement. Underclocking severely helps reliability.
I would really like to see an open source alternative that can interface with all sorts of different hardware to manage my infrastructure with a single pane of glass. Sorta Ubiquiti - but leveraging things like the Unifi API & the new REST API on MikroTik to get me out of vendor lock-in.
I don't think I have ever seen anything along those lines out there.
I'm actually happy with my unifi setup - but there are some things (like multiple load balanced WAN ports) that should be easy to do, but instead are impossible.
There is some OS tooling in the SDN realm, like Stratum[1] for example, or a P4 board for the serious. But the hardware behind it isn't cheap.
I wish routers for personal use were as "easily" programmable as OpenFlow-compatible equipment with an external controller. Even if you need some extra tooling to reach all the features of RouterOS, like a compute node for the DNS. I don't know if this kind of evolution will ever reach the consumer space.
Doubtful. Some basic stuff is supported across almost all devices (interface names, speeds, status,...), but more detailed info varies widely between vendors, their OS versions and devices. SNMP SET support is mostly a joke and not worth the trouble. Better use whatever API each vendor came up with.
I know that the Asuswrt integration with Home-assistant lets me manage devices which is kind of cool, but I too would love a little deeper access via a 3rd party app. Most of these things use web scraping or ssh to the device though, not an actual API as very few routers give access to one.
I've replaced Ubiquiti Unifi routers with Mikrotik RB5009s and the resultant bang for buck is impressive. The Ubiquiti Edge series is capable too but hasn't had feature updates in months. Ubiquiti product direction currently feels like a massive cluster f*k and isn't improving.
Some nice features you may not realise exist on RouterOS 7 are built-in support for Wireguard VPN and ZeroTier client support.
Both the GUI and their CLI are among the most unintuitive systems I've ever seen. I definitely spent more than one evening trying to configure my Mikrotik from scratch as a typical home router + switch + AP. I'm no networking guru, I only did some Cisco stuff a few years ago at uni, but I didn't understand 80 % of the terms used in their OS.
Agreed, MikroTik is extremely complex due to how feature-rich it is and because they run the same OS across all their devices, regardless of router/switch/AP/generation. Definitely not for the faint of heart that simply want to do some basic networking.
On the other hand, I'm not sure "unintuitive" is the correct word here. Having had the (dis)pleasure of setting up complex topologies on other manufacturers like Cisco I found MikroTik to be considerably more intuitive (or perhaps "less unintuitive" would be more appropriate), possibly because Cisco has been built on for many decades and new features were constantly added on top of existing systems for compatibility purposes instead of redoing the CLI from scratch to make a more consistent user experience.
I've been using a MikroTik router at home for 6+ years; I would say that RouterOS is absolutely NOT "easy for a noob". It's on the prosumer side of things, but you need to be willing to sink your teeth into some fairly gritty network configuration workflows.
Anyone posting on HN will likely be able to figure out the basics, but it is definitely much less polished than other prosumer products such as Ubiquiti and the documentation can be a little rough around the edges.
Nope, it's really not for noobs. Basic things you can get via a click on other SoHo routers like a sane default firewall configuration, NAT loopback or simple VPN setup do not exist here.
Setting up a Mikrotik is more akin to setting up a DSL connection on 1992 Linux - it's all "technically" available in the UI, but the UI is just a clickable version of all the CLI complexity and you need to know network terminology to get to capability of a default SoHo router configuration.
Having said that - if you know network setup very well, then Mikrotiks are very powerful and allow for network setups that are much more flexible than consumer equipment.
Their firewall is iptables wrapped in a really nice GUI.
The criticism on their firewall might as well be a criticism on iptables (which IMO is completely valid, even after years I still have doubts about what a certain rules structure is going to do).
iptables itself is extremely unintuitive (although extremely powerful and flexible), but their GUI makes it more manageable.
To setup port forwarding you have to understand how to configure the firewall, yes. This is both a drawback for simple use cases but a boon for more advanced ones. It cuts both ways. Personally I think it’s rather unfair to call the UI unintelligible. If you don't like it just ssh to it and configure it that way. Everything you can do is packaged up in a nice command structure.
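The port forward that the last few comments describe, written out as RouterOS CLI. This is an added example, not a configuration posted in the thread; it assumes the default-config interface lists "WAN" (ether1) and "LAN" (the bridge) already exist, a LAN of 192.168.88.0/24, an assumed public address of 203.0.113.5 and an internal web host at 192.168.88.10. The point it makes is the one the comment above alludes to: the dst-nat rule alone does nothing useful unless the forward chain admits exactly the dst-nat'ed connections and drops every other new connection arriving from WAN. The hairpin rule is the "NAT loopback" that a comment earlier in the thread says is missing from the clicky defaults.

```routeros
# Added example (not from the thread). Assumed names and addresses:
#   interface lists WAN/LAN from the default config, LAN 192.168.88.0/24,
#   public IP 203.0.113.5, internal web host 192.168.88.10 on TCP/443.

# Outbound NAT for the LAN.
/ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade \
    comment="masquerade LAN behind WAN"

# The port forward: rewrite the destination of anything aimed at the public
# address on TCP/443. No in-interface match, so LAN clients that connect to
# the public address are rewritten too (needed for the hairpin below).
/ip firewall nat add chain=dstnat dst-address=203.0.113.5 protocol=tcp \
    dst-port=443 action=dst-nat to-addresses=192.168.88.10 to-ports=443 \
    comment="forward 443 to web host"

# Hairpin NAT: when a LAN client reaches the forwarded service via the
# public address, masquerade its source so the reply returns through the
# router instead of going directly (and being dropped as out-of-state).
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 \
    dst-address=192.168.88.10 protocol=tcp dst-port=443 \
    out-interface-list=LAN action=masquerade comment="hairpin NAT"

# Forward chain. Order matters: rules are evaluated top to bottom.
/ip firewall filter add chain=forward connection-state=established,related \
    action=accept comment="established/related"
/ip firewall filter add chain=forward connection-state=invalid action=drop \
    comment="drop invalid"
# Only connections that went through dst-nat may enter from WAN...
/ip firewall filter add chain=forward connection-state=new \
    connection-nat-state=dstnat in-interface-list=WAN action=accept \
    comment="allow port-forwarded traffic from WAN"
# ...and everything else new from WAN is dropped. Without this rule the
# dst-nat rule is still "just" a translation and the LAN stays reachable
# for any destination the upstream will route.
/ip firewall filter add chain=forward connection-state=new \
    in-interface-list=WAN action=drop comment="drop other new from WAN"
```

Check it with `/ip firewall filter print stats` while connecting from outside: the dstnat accept counter should move for the forwarded port and the final drop rule for anything else. If the public address changes (dynamic WAN), `dst-address-type=local` can replace the fixed address in the dst-nat rule, but then the same rule also catches connections to the router's own LAN address on 443, so the router's web UI would be forwarded too; pin the address or add `in-interface-list=WAN` plus a separate hairpin dst-nat rule in that case.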
I've got a few Mikrotik devices (CRS328, CSS326). Maybe I just haven't gotten it, but I find their RouterOS WebUI extremely confusing. Like go into three separate top-level tabs to assign a VLAN to a port. The CLI is okay, once you get stuff working and just need to duplicate/modify lines.
Mikrotik's SwOS is alright and has most of the options you'd expect from a switch, but is missing the ability to have a human readable text config. I've got a Netgear switch as well, and I'd label its obtuseness on par with RouterOS. At the end of the day it seems every network vendor has their own bespoke proprietary UI that you have to suffer through.
In general I'm much more at home with Linux's iproute2/bridge-utils/nft. What I really want is some low power switches that can run OpenFlow or the like so I can centralize all the config back to my Linux router. On a home network, most devices shouldn't be talking directly among themselves anyway!
Another thing I really want is for network switches to have an RGB LED on each port that can indicate what VLAN it's configured for.
Yes, mikrotiks separate bridges, vlans, interfaces.
If you want to set ether 3, 4 and 5 to an untagged vlan called "Alf" with ID 11, ether 6 to an untagged vlan "Bob" (id 12), and ether 7 and 8 to a trunk of both Alf and Bob, you can do
1) Create a bridge for Alf, and a bridge for Bob
2) Assign IPs for them (assuming your mikrotik is the router), and maybe dhcp pools, server etc
3) add ether3, 4 and 5 as bridge ports for Alf, and ether6 for Bob
4) Create a vlan interface on ether7 for Alf with vlanid=11, add to bridge Alf
5) Create a vlan interface on ether8 for Alf with vlanid=11, add to bridge Alf
6) Create a vlan interface on ether7 for Bob with vlanid=21, add to bridge Bob
7) Create a vlan interface on ether8 for Bob with vlanid=21, add to bridge Bob
But the killer is there are two different recommended ways to do it depending on the hardware.
I haven't looked at my config in a while. It appears I've got a single bridge, and ports get added to it with their VLAN tags (for ingress, I believe) -
The device is a CRS328-4C-20S-4S+RM. It seems like I am using the other recommended way. Which would make sense because I'm not really using the "router" part of the software, but rather configuring the built in switch chip to do its thing.
Looking at the text config now it seems quite sensible, and isn't far from SwOS, Linux CLI, or switch chip datasheets. But I remember getting to that point in the WebUI being somewhat confusing, perhaps due to the alternative in-CPU way you described.
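The two "recommended ways" that the two comments above describe, side by side as RouterOS CLI. This is an added example, not a config from either commenter. It follows the port layout given above (ether3-5 untagged Alf, ether6 untagged Bob, ether7-8 trunks) and uses vlan-id 12 for Bob, which is the ID the setup sentence gives (the numbered steps say 21). The bridge names, the 10.11.0.0/24 and 10.12.0.0/24 addressing and the `frame-types`/`ingress-filtering` settings are assumptions. Way A is the one the first comment lists (one bridge per VLAN, tagging done on the CPU); way B is the single-bridge form the second comment found in its CRS config, where the switch chip does the VLAN work.

```routeros
# Added example (not from the thread). Assumed: Alf = vlan 11 on 10.11.0.0/24,
# Bob = vlan 12 on 10.12.0.0/24, bridge names br-alf/br-bob/bridge1.

# ---- Way A: one bridge per VLAN, vlan interfaces on the trunk ports (CPU) ----
/interface bridge add name=br-alf
/interface bridge add name=br-bob
# Access ports go straight into the bridge for their VLAN.
/interface bridge port add bridge=br-alf interface=ether3
/interface bridge port add bridge=br-alf interface=ether4
/interface bridge port add bridge=br-alf interface=ether5
/interface bridge port add bridge=br-bob interface=ether6
# Trunk ports: one tagged sub-interface per VLAN per port, bridged with the
# matching access ports.
/interface vlan add name=alf-e7 interface=ether7 vlan-id=11
/interface vlan add name=alf-e8 interface=ether8 vlan-id=11
/interface vlan add name=bob-e7 interface=ether7 vlan-id=12
/interface vlan add name=bob-e8 interface=ether8 vlan-id=12
/interface bridge port add bridge=br-alf interface=alf-e7
/interface bridge port add bridge=br-alf interface=alf-e8
/interface bridge port add bridge=br-bob interface=bob-e7
/interface bridge port add bridge=br-bob interface=bob-e8
# Router addresses if this box is the gateway for both VLANs.
/ip address add address=10.11.0.1/24 interface=br-alf
/ip address add address=10.12.0.1/24 interface=br-bob

# ---- Way B: single bridge with vlan-filtering (switch-chip offload on CRS) ----
# Create the bridge with filtering OFF and enable it as the last step.
/interface bridge add name=bridge1 vlan-filtering=no
# Access ports: pvid sets the VLAN for untagged ingress; frame-types and
# ingress-filtering reject tagged frames so a host on an access port cannot
# inject frames into another VLAN by tagging them itself.
/interface bridge port add bridge=bridge1 interface=ether3 pvid=11 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge port add bridge=bridge1 interface=ether4 pvid=11 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge port add bridge=bridge1 interface=ether5 pvid=11 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge port add bridge=bridge1 interface=ether6 pvid=12 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Trunk ports: only tagged frames, and only for VLANs listed in the table.
/interface bridge port add bridge=bridge1 interface=ether7 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes
/interface bridge port add bridge=bridge1 interface=ether8 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes
# The VLAN table. "bridge1" in tagged= is the CPU port; leave it out of a
# VLAN and the router itself cannot be reached on that VLAN.
/interface bridge vlan add bridge=bridge1 vlan-ids=11 \
    tagged=bridge1,ether7,ether8 untagged=ether3,ether4,ether5
/interface bridge vlan add bridge=bridge1 vlan-ids=12 \
    tagged=bridge1,ether7,ether8 untagged=ether6
# L3 interfaces for the router hang off the bridge, not off a port.
/interface vlan add name=vlan11 interface=bridge1 vlan-id=11
/interface vlan add name=vlan12 interface=bridge1 vlan-id=12
/ip address add address=10.11.0.1/24 interface=vlan11
/ip address add address=10.12.0.1/24 interface=vlan12
# Turn filtering on last. Doing it before the VLAN table and the CPU port
# entry exist is the classic way to lock yourself out of the box.
/interface bridge set bridge1 vlan-filtering=yes
```

Apply way B from a CLI session started in Safe Mode (Ctrl-X in the terminal): if the session drops after `vlan-filtering=yes`, the changes made in that session are rolled back, which is the cheap alternative to the serial cable suggested further down. `/interface bridge host print` afterwards shows which VLAN each learned MAC landed in, and `/interface bridge port print` shows whether the ports are hardware-offloaded (the "H" flag); a port that falls back to the CPU usually means a setting the switch chip cannot do.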
worked for me.
one suggestion though, get a serial cable, so in case you create some too-creative VLAN config that will lock you out, you could fix it without having to reset the entire box
Most of their devices come out of the box in a sensible configuration for a home router, and port forwarding/vlans are very straightforward to set up. If you're really worried, you can run the cloud-hosted router software in a VM to play around with it and find out if it will meet your needs.
When compared to consumer router devices, then no.
When compared to configuring enterprise networking kit using the CLI ... well ... perhaps. Mikrotik does have some short cuts / UI features. But if you want to do anything vaguely complex, you're going to need to put some serious time into getting your head around the way the system processes packets.
If getting to grips with how packets flow through different subsystems in your router doesn't really appeal (check out https://wiki.mikrotik.com/wiki/Manual:Packet_Flow) then there are better, simpler options which are still powerful.
Curious, would you trust someone to do that? For me when it comes to network, my paranoia level is sky high. I would definitely not allow some random person to configure my network...
As someone with moderate networking experience in a Cisco environment, and having set up Ubiquiti products and a pfsense router, MikroTik tops the cake for worst learning curve. I wasn't even trying to use it as a router, I just wanted a basic L2/L3 switch with some VLANs. It's set up now and I'm happy with it, but prepare for lots of trial, error, and head scratching.
I have been using the Wireguard support in the beta release for most of this past year. Having a persistent connection from my Android phone and my wife's iPhone was simple with the built-in Mikrotik DDNS service. It makes checking on things like security cameras nice if you do not want to use a cloud service.
Yep! I’ve been using the beta and it’s awesome. What other vendors include native WG support? Historically the concept of a performant VPN router pushed you into the realm of enterprise level expensive hardware. Now you can do it on cheap arm cores. It’s game changing.
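The RouterOS 7 WireGuard setup the two comments above are talking about (phones reaching home via the built-in DDNS name), as an added example rather than either commenter's configuration. Assumed: interface name wg0 on UDP 13231, a tunnel subnet 10.66.0.0/24, the default-config "WAN" interface list, a LAN of 192.168.88.0/24 and a camera subnet of 192.168.90.0/24; the peer public keys are placeholders to be replaced with the keys the phone apps generate. The firewall rules are the part people forget: the default input chain drops everything that is not from LAN, so the handshake port has to be opened explicitly, and the peer `allowed-address` is what stops a peer from sourcing traffic as anything other than its own tunnel IP.

```routeros
# Added example (not from the thread). Assumed values: wg0, UDP 13231,
# 10.66.0.0/24 for the tunnel, LAN 192.168.88.0/24, cameras 192.168.90.0/24.
# RouterOS generates the interface key pair on creation.
/interface wireguard add name=wg0 listen-port=13231 comment="phones"
/ip address add address=10.66.0.1/24 interface=wg0

# One peer per device. allowed-address is cryptokey routing: packets that
# decrypt under this peer's key are only accepted if their source is inside
# this range, and only this range is routed to the peer. Keep it to /32 per
# phone; 0.0.0.0/0 here would let one phone hijack traffic for everything.
/interface wireguard peers add interface=wg0 \
    public-key="REPLACE_WITH_ANDROID_PUBLIC_KEY" allowed-address=10.66.0.2/32 \
    comment="android"
/interface wireguard peers add interface=wg0 \
    public-key="REPLACE_WITH_IPHONE_PUBLIC_KEY" allowed-address=10.66.0.3/32 \
    comment="iphone"

# Input chain: let the handshake in from the internet. This rule must sit
# above the default "drop all not coming from LAN" rule; move it with
# /ip firewall filter move if it lands below.
/ip firewall filter add chain=input in-interface-list=WAN protocol=udp \
    dst-port=13231 action=accept comment="WireGuard handshake"
# DNS for the phones via the router, nothing else on the input chain from wg0.
/ip firewall filter add chain=input in-interface=wg0 protocol=udp dst-port=53 \
    action=accept comment="DNS for VPN clients"

# Forward chain: the tunnel may reach the camera subnet and nothing else.
# Rather than adding wg0 to the LAN list (which would grant LAN-equivalent
# access), enumerate what the phones need.
/ip firewall filter add chain=forward in-interface=wg0 \
    dst-address=192.168.90.0/24 action=accept comment="VPN -> cameras"
/ip firewall filter add chain=forward in-interface=wg0 action=drop \
    comment="VPN -> anything else"

# Built-in DDNS: the phones use <serial>.sn.mynetname.net:13231 as Endpoint.
/ip cloud set ddns-enabled=yes
```

`/interface wireguard print` shows the router's public key to paste into the phone apps, and `/ip cloud print` shows the `dns-name`. On the phone side, AllowedIPs of 192.168.90.0/24 and 10.66.0.1/32 with a PersistentKeepalive of around 25 seconds keeps the tunnel alive behind carrier NAT; `/interface wireguard peers print` shows `last-handshake` per peer, which is the first thing to look at when a phone cannot connect.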
I used to want Wireguard on my router. It was in fact one of the reasons why I went with an EdgeRouter X.
Then one day, when I was away from home and actually needed the VPN, it absolutely melted. Basically everything on the router stopped working, and I suspect it was Wireguard since the router went haywire when I was actually using it extensively. Needed a hard power cycle, which I couldn't actually do.
These days I just leave my router to do its basic duties and have a Raspberry Pi dedicated to nothing but Wireguard. Haven't had issues since. The Pi 2 Model B also performs better for Wireguard and I imagine that the Pi 4 could saturate my 100 Mb/s upload.
I sort of only want WG support in EdgeRouter as WG client such that my homes in different geographical locations can share the same network transparently. Is that still a good use?
Since there's no actual WG support in EdgeRouters and the experiences I've had with the community-maintained version, I'd personally not go that route. You can probably get better bang for your buck by configuring a couple of Raspberry Pis.
Granted, it's been a hot minute since I've last tried WG on EdgeRouters.
On the nerdier side of that. More exotic features, lot less nice UI, lots of (cheap) lower-performance options and sometimes obscure product variations.
I.e. among people where I know what kind of stuff they have, anybody vaguely technical might have an Ubiquiti AP for their WiFi, whereas the people that love to tinker with networking stuff have some mikrotik device somewhere to play with.
I landed on MikroTik for a recent build because you simply can’t get Ubiquiti right now. And I’m glad I did, what a great product. Check out their newest RB5000 and CCR2000 series. Very powerful arm cores with sfp+ options at an incredibly reasonable price.
Yes, but possibly with more ambition to be a budget alternative to Cisco and Juniper. Looking at the presentations under https://mum.mikrotik.com/, it seems there are quite a few ISPs running on MikroTik kit, especially in less-developed parts of the world.
As a Network Admin at an ISP in Brazil I can confirm their products are extremely popular due to the basically unbeatable price to performance and especially price to features. I can't think of anything close to their retail prices that can offer BGP, OSPF, MPLS, VRF, Wireguard, iptables, L3 hardware-acceleration, MLAG, ZeroTier, RPKI, VRRP, VXLAN, ECMP, Recursive Routing, LetsEncrypt, CA, REST API, etc. They have a 4x 10Gbps switch that has all of these features for $150.
You could potentially build a Linux PC to do some of the more basic stuff that most ISPs require at a similar price, such as PPPoE concentrators, but it's still a lot more hands-on work for no clear benefit.
I can't find right now what the market share of peering routers is in Rio's IX, but I feel like it's significantly higher than 10% (probably between 20 to 30%).
I just bought a bunch of Ubiquiti equipment (UDM Pro + 10G Switch Aggregate + U6-LR AP) and I've been super happy with it. Putting sexy UI aside, the performance is outstanding and rock solid.
Unifi really does unify the entire ecosystem, it's basically the Apple of network gear down to the quality of packaging. I love it.
I heard good things about Mikrotik but their product line feels scattered and unorganized.
I've always found the Ubiquiti interface flashy but borderline unusable. Things are scattered everywhere to the point you need 26 clicks to get to anything and they keep moving things around (especially their awful cloud UI for the UDM)
Lots of changes in v7 around routing, but this seems like a reasonable time to start work on it.
Still seems to be missing certain features - like showing what routes you're advertising to a BGP peer, so certainly not ready for use. Of course the way that routeros is developed, it relies on users to do the testing and debugging.
Really happy with the CRS-305 and its value for money.
Release candidates for 7.1 had container support which opens worlds of possibilities for the switch. But unfortunately was removed for the final version pending updates.
Edit:
Container support was introduced in rc3 and removed in rc5.
Does anyone know what the scripting support looks like in v7? Scripts have always been a bit awkward on RouterOS (I spend ages perfecting one that turned DHCP reservations into dynamic DNS entries). I'm hoping they have worked on this a bit.
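For a sense of what the scripting looks like, here is the kind of script the comment above describes (static DHCP leases turned into static DNS records), written as an added example and not the commenter's own. It assumes a DNS suffix of "lan.example" and uses a comment tag so that a rerun replaces only the records it created earlier; both are assumptions. The awkward parts are visible: every property read is a separate `get`, string handling is limited to `.` concatenation and `:len`, and a lease without a host-name has to be skipped by hand.

```routeros
# Added example (not the commenter's script). Assumed zone suffix and tag.
:local zone "lan.example"
:local tag "dhcp2dns"

# Remove only the records this script made last time; hand-written
# /ip dns static entries without the tag are left alone.
/ip dns static remove [find where comment=$tag]

# Static leases only (dynamic=no); dynamic leases churn and would leave
# stale names behind.
:foreach lease in=[/ip dhcp-server lease find where dynamic=no] do={
    :local addr [/ip dhcp-server lease get $lease address]
    :local host [/ip dhcp-server lease get $lease host-name]
    # A static lease made by hand may have no host-name yet.
    :if ([:len $host] > 0) do={
        :local fqdn ($host . "." . $zone)
        /ip dns static add name=$fqdn address=$addr comment=$tag
        :log info ("dhcp2dns: " . $fqdn . " -> " . $addr)
    }
}
```

Store it with `/system script add name=dhcp2dns source=...` (or paste into the script editor in WinBox) and run it from `/system scheduler` every few minutes; `/ip dns static print where comment=dhcp2dns` shows what it produced. Host-names are client-supplied and unvalidated, so a client can claim a name like "router" and shadow a real record; restricting the script to leases you created yourself, as above, is what keeps that in check.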
So what is a good mesh wifi system that would allow me to put all my IoT things on a separate VLAN?
Dream Machine is not a mesh system… the only alternative that I could find by googling was Orbi Pro
I tracerouted to a host across the world now and poked at the routers along the path. All of the routers whose vendor or OS I can identify use closed source. So whatever the answers to "why?" may be, it's a common thing to trust.
Any ISP-provided gateway will be closed source.
Cisco products are closed source.
Netgear products are closed source.
TP-Link products are closed source.
Aruba products are closed source.
To my knowledge, the only viable open-source project is that one Linksys router/AP combo, and that doesn't necessarily fit the features someone might be looking for.
While it's nice to think everything could be open source, in the hardware/firmware world it's just not common.
As soon as your router hands off packets to your ISP, packet handling is either closed source software, or closed source hardware, anyway. Even if your gateway is open source, the chips it uses are not.