Unifi Switches vs Mikrotik Switches - Advice

Hi Folks
I was planning to revamp my network setup. I had originally thought of going fully Unifi as follows:

UDM PRO --> Unifi 10G switch US 16 XG --> USW-24Port-POE --> USW 5 port switch (for media center) + 2 Unifi AP - UAP-AC-PRO

But after doing some research on the UDM PRO, raising the same here on this forum, and the responses from Tom, I have now dropped the UDM Pro and replaced it with PFsense, but will be running this on an old PC for now. Netgate is unbelievably expensive in my country. So my revised network would be

Pfsense of Local PC --> Unifi 10G switch US 16 XG --> USW-24Port-POE --> USW 5 port switch (for media centre) + 2 Unifi AP - UAP-AC-PRO

Anyways, I was calculating the cost of this setup in terms of just switches and APs, and it works out to about the equivalent of USD 1500. That’s a lot of money. That’s when I came across Tom’s video on the Mikrotik 10G switch. I researched the brand a bit more and what I seem to have found is that Mikrotik from a switch hardware point of view is the same if not better than Unifi switches, but from a software perspective Unifi is way better and hence there is a steep learning curve with Mikrotik. Also the general feedback seems to be that Mikrotik access points are just not worth the effort compared to Unifi.

So what I was thinking was to use Mikrotik for the switches and stick to Unifi for Wi-Fi access points. For switches I thought of going with the Mikrotik CRS328-24P-4S+RM as this has 4 10G ports and 24 Gig ports in addition to POE. For now I need only 4 10G ports so this would suffice, but if I need more I will have to purchase the CRS305-1G-4S+IN. But there could be an issue of availability of this model (Mikrotik CRS328-24P-4S+RM) in my country. If this is not available then I was thinking of going with the combination of CSS326-24G-2S+RM and CRS309-1g-8s 10g

Pfsense of local PC --> Mikrotik CRS328-24P-4S+RM --> Mikrotik hEX S RB760iGS (for media centre) + 2 Unifi AP - UAP-AC-PRO
OR
Pfsense of local PC --> Mikrotik CRS309-1g-8s 10g --> Mikrotik CSS326-24G-2S+RM --> Mikrotik hEX S RB760iGS (for media centre) + 2 Unifi AP - UAP-AC-PRO

But I have some doubts

  • For me reliability is of utmost importance. Can’t have the switches acting funny or misbehaving or failing. Are the models chosen good from a reliability point of view?
    Mikrotik CRS328-24P-4S+RM
    Mikrotik hEX S RB760iGS
    Mikrotik CRS309-1g-8s 10g
    Mikrotik CSS326-24G-2S+RM
  • Is it OK to mix and match multiple vendors in a network setup? I have Pfsense, Mikrotik, Unifi. Will this lead to issues later?

Thanks
jinu

As an experienced network engineer who is comfortable with everything you’ve mentioned (PFSense, Unifi switching and APs, Mikrotik RouterOS and SwitchOS for routers, switches, and APs) I have several different points of feedback.

  1. If you want to look at Mikrotik for switching, only use CRS3xx or CSS devices. Mikrotik has gone through several iterations in their switch setup. The first and most rudimentary is the setup for devices that aren’t labeled as a Switch - meaning the hEX S. On those the options are the most basic, because the device is intended as a router and the switch builtin is only meant to provide multiple LAN ports. The second is CRS1xx and CRS2xx devices, they have nearly all the features one expects from a managed switch, but have to be programmed via the Switch menu, which basically amounts to programming the chip yourself - for example to make a port be “untagged” or “access” for a certain VLAN, you have to tell the switch chip to convert the traffic to/from the VLAN for both ingress and egress, on two different pages. The third setup type is that for CRS3xx/CSS3xx devices. On these they completely rebuilt their programming so that everything is done via the Bridge menu in RouterOS mode (CRS3xx devices), and made SwitchOS version 2 (CRS3xx and CSS3xx devices) which is very streamlined and straightforward for purely switching use cases.

  2. CSS devices, and the RB260 devices, only run SwitchOS. CRS3xx devices have the choice of SwitchOS or RouterOS. All other Mikrotik devices use RouterOS only.

  3. While it is OK to mix and match devices from different vendors, I would not mix and match devices using RouterOS and devices using SwitchOS (the exception being if you decided to use a Mikrotik router instead of PFSense). While the networking principles are the same, the interfaces are very different. This means you should either only use RouterOS on CRS3xx devices (CRS328, CRS309, etc), or only use SwitchOS on CRS3xx/CSS3xx devices (CRS328, CRS309, CSS326, etc).

  4. Using the hEX S as a media center switch is a bad idea not just for the programming as above, but cost wise. The RB260GS or RB260GSP is a better choice. Both run SwitchOS - however if you get old stock then you may get one that can only run SwitchOS 1 not SwitchOS 2. I don’t consider this a problem, but something to be aware of. Also sometimes these are called CSS106 instead of RB260 - they tried to rename them when they made them SwitchOS 2 compatible but it isn’t consistent or universal.

  5. Hardware reliability of Mikrotik is the same as Ubiquiti. And generally software reliability is much better with Mikrotik, they have far fewer bugs and unexpected changes make it to their “stable” releases. The only thing I’ve had an issue with once, was when making a lot of changes quickly via RouterOS, I think it missed applying one of the changes to the switch chip and I had to reboot it to get it working properly. But once it was applied there were no issues. Also this was on a CRS125, so I have no idea whether that could happen on a CRS3xx device.

Your primary choice of CRS328 + CRS305, and secondary choice of CSS326 + CSS309 are both fine. As I said above the hEX S is something I would avoid, use the RB260/CSS106 devices instead.

5 Likes

Thanks a lot for your response. Truly appreciate the level of detail in your response. It helps me a lot. As advised I will be changing my media switch to the RB250GSP. However, can you advise if there is any way I can specify to the vendor that I get a model that supports Switch OS 2? Is there a hardware version or similar for this switch?

Ask the vendor to confirm it is the new revision (by new I mean a few years now). Indications of the new revision are that the model is CSS106-*, or that it comes with RouterOS 2 from the factory. If you get a device that has RouterOS 1, try to return it. But I have some of the old ones and they would still do fine for what you want, and the interface is mostly the same as SwitchOS 2.

How much do you save when using Mikrotik switches instead of Unifi?

I was using Mikrotik devices some years ago; maybe it is different now but I don’t think so.
The best way to configure a Mikrotik device is only over the Winbox application, which is Windows only. I have only Linux on my desktop so I stopped using Mikrotik.

@brwainer Thanks a lot for your help and advice

@jano
If I go with the following option
Pfsense of local PC --> Mikrotik CRS328-24P-4S+RM --> Mikrotik hEX S RB760iGS (for media centre) + 2 Unifi AP - UAP-AC-PRO

The saving is the equivalent of USD 550. This has to be because straight away I am reducing 1 switch (the 10G switch) compared to the Unifi layout.

The only thing I will miss is the overall network picture and data utilization by each network point in a single screen.

I had a discussion with my friends who are doing networking full time.
They have not had good experiences with Unifi devices; they are saying that Unifi APs are not stable.
For their last big project they used TP-Link EAP with Mikrotik switches and router, and they are much more satisfied.
They also recommend Mikrotik wifi APs: Audience or hAP ac³

Wow, now totally confused. Most of the posts on the net I found can generally be summarised as follows:

  • Ubiquiti Dream Machine - definitely not ready for production. Still in beta
  • Ubiquiti Switches - Expensive but worth it for the software. But they have had a lot of issues in the past, especially on their POE implementation, but these seem to have been resolved now
  • Ubiquiti Wireless - Did come across some complaints, but general advice was that it is rock solid and reliable

Regarding Mikrotik

  • Learning curve - High
  • Switches - Good , stable and reliable if you can climb the learning curve otherwise disastrous
  • Wireless - Here I am looking for a wall-mounted solution so was looking at the cAP ac. This requires Router OS, which makes the learning curve a lot higher, as I was planning to run the switches on Switch OS only.

The fact that the AP will require me to learn Router OS details was very difficult to swallow, especially since Ubiquiti is stable and is easier to install/configure and the price difference is not much.

Now I am confused. What is your view on the Mikrotik cAP ac?

1 Like

@jinu do you need managed switches? If you need reliability, get an unmanaged tp-link switch with or without PoE.

@Spectre yes, I need managed switches as I need to create multiple VLANs

Mikrotik wireless is basic and reliable. By “basic” I mean they don’t have features such as MU-MIMO, nor 802.11r/k/v which Ubiquiti collectively refers to as “Fast Roaming”. CAPsMan is also much less polished and more annoying to use than any other vendors’ wireless controller offerings. (For context, I used CAPsMAN with three APs in my house for three years, I’ve used Unifi for non-profits for years, and I have professional experience with Ruckus, Meraki, Extreme, and Aruba. I have tested TP-Link Omada.)

Ubiquiti wireless is reliable in general, but they have less testing and introduce more bugs, even on their “stable” software releases. My method for my non-profits whose Unifi systems I manage is to wait until a stable release has been out for 2-3 weeks without a replacement. If they haven’t replaced the stable version in that timeframe then there probably wasn’t a major bug in it.

RouterOS requires you to learn and understand networking basics, and for wireless this is doubly so. Setting up standalone APs/Routers is not bad, but I never want to touch CAPsMan again. It very much falls into the same category of RouterOS in general - if you really learn it then you love how much control it gives you, otherwise it partially remains a frustrating mystery. I love every part of RouterOS except CAPsMan.

In case you haven’t heard the term, CAPsMan is their system for one device to be the controller and central management point for multiple APs. You don’t have to use it, every device with wireless radios can be set up as an AP by making the settings on it directly.

Hardware wise I think the cAP ac has no issues. Like nearly everything Mikrotik makes it is reliable and great value. But whether I recommend it depends on how much you’re willing to learn and troubleshoot. You should be able to get a working wireless system in less than an hour, but CAPsMan took me much longer than any other wireless system I’ve ever touched to get the results I wanted.

1 Like

@brwainer

Great approach, should handle unstable releases effectively.

What you have said about Mikrotik wireless exactly resonates with what I have read on the web in general on the same. While I don’t have issues learning a new platform or interface, I don’t want to do it when there is no need to do it. Since I will be operating the switches with Switch OS, there is no reason to take on the headache of RouterOS for wifi. So I will go with Ubiquiti for WIFI.
Thanks

@LTS_Tom I’m glad you liked the details here (from your VLOG Thursday 1/7/21). Mikrotik switching is definitely a confusing rabbit hole, but they finally have a good setup when sticking with the CSS and CRS3xx devices. I still only treat them as a budget option though and will choose Unifi/Aruba/Ruckus/etc given sufficient budget. That being said the CRS305 is soon to be part of my network, because no one else makes a similar device for any price.

1 Like

Regarding your overall layout:

Unless I’m missing something, no point running your router into your 10G switch. I’d suggest the following, regardless of which brand or models you choose:

router

  • 24 port 1Gb PoE switch
    • wifi access points
    • other small switches (where needed)
    • 10G switch

Regarding cost of Unifi:

The 5 port Unifi Flex Mini switch is definitely a bargain at $29 USD. I didn’t notice any specific indication of how many 10G ports you need, but if you only need a few, the 8 port Unifi 10G Aggregation switch is a lot less at $270. But it doesn’t have an uplink port so you only actually have room for seven 10G devices.

Skip the AC Pro access points. Get the AC/LR. Cheaper and longer range. IIRC, maximum throughput is less, but maximum speed for each device is the same? Anyway, for a home system, if the AC/LR can’t handle it, then it should be hardwired anyway.

The only PoE problem I’m aware of with Ubiquiti was that their early access points used 24 volt passive PoE whereas the standard was 48 volt active. Active PoE auto negotiates the PoE power necessary, if at all. With passive, you turn on PoE in the switch and then the switch outputs 24 volts on that port whether the connected device can handle it or not. That’s why I only use red Ethernet cables plugged into my passive PoE port as a warning to myself.

More recent access points added standard 48 volt active, and I think the newest may have dropped the 24 volt passive altogether. Or maybe that last part is just wishful thinking on my part.

If there have been other Ubiquiti PoE problems, I’m not aware of them.

I would definitely go with pfSense or OPNsense (a fork of pfSense) as your router/firewall.

Regarding Mikrotik vs Unifi:

Do you want networking to be a hobby or do you just want a functioning network? For me, it’s a hobby, so I deliberately avoided going all Unifi so I can’t rely on its integration and ease of use.

If you don’t want it to be a hobby, I’d go pfSense over OPNsense just because you’ll find a lot more tutorials for pfSense. And I’d go with Unifi for switches and access points. You’ll have enough “learning” connecting your VLANS in pfSense to the LANS in the Unifi controller software to last you a lifetime.

If you just love to get your virtual fingers dirty, sure, save some money and buy Mikrotik switches.

But here’s my sit-on-the-fence approach:

Step 1

  • setup pfSense
  • buy a $29 5 port Flex Mini switch
  • buy an AC/LR access point
  • setup your VLANS

Step 2
Now, if you thought that experience was fun but you want a bigger challenge/learning experience, add Mikrotik switches.

But if you thought it was a PITA, buy Unifi switches.

The best thing about this approach is that everything you buy or do in Step 1 applies to Step 2, no matter which way you go.

Amateur tip:

While you’re setting it all up, you can plug your pfSense box into your existing LAN and run it double NAT so your existing network stays running until you sort it all out. There are issues with some protocols when running double NAT, but that’s why you only do it for initial setup of VLANS, etc.

1 Like

@Super_Stealth Thanks for the detailed response on the same. The reason I was considering the AC PRO over the LR was primarily for 2 reasons

  • AC PRO has 3 dual band antennae compared to 1 in LR
  • AC PRO supports POE and POE+ whereas LR only support passive POE 24 V

I also see that Ubiquiti has just launched the Unifi 6 range of access points in my country and their cost is same as the AC PROs. Might consider that to future proof myself.

Regarding 10G, I need 3 ports (not counting the port to the firewall). From what I read you need a 10G port to the firewall if the nodes on the 10G switch are from different VLANs. In my config, of the 3 ports 2 will be in one VLAN and 1 will be in another. Since these are all L2 switches, traffic will be routed through the firewall. Hence the requirement for a 10G port on the firewall/Pfsense.

I would have loved to get my hands on the Ubiquiti Aggregation switch. Unfortunately Ubiquiti does not plan to bring that particular switch to my country and it is not yet available either at Amazon or newegg. And I cannot ship it from the stores where it is available today.

The AC-LR was updated to support 802.3af - same for the AC-Lite. If you’re buying one used or have one already you can check the manufacturing date code to see whether it has the updated circuitry.

Unless you need an AP that is not a round dome, I would only be buying U6 models from this point. They are at the same price point or cheaper than the AC products. If you need an AP that sits on a desk/shelf, is outdoors, has a builtin ethernet switch, or is just a wireless extender, then you can wait for updated products to be released.

As to needing 10G to the firewall when you have VLANS, that’s definitely past the limit of my knowledge as I’m only just getting started with VLANS. But if it were the case that you need a 10G connection to the Firewall, wouldn’t you also need 10G on the firewall to avoid all the traffic getting slowed down to Gigabit speed as it passes through your firewall? I’ve never seen anyone mention that in any of the YouTube videos I’ve seen about 10G.

As to Unifi access points, the AC Lite, LR, and Pro have all supported 24v passive and regular 802.3af/A for several years.

The AC/LR is 3x3 on 2.4 GHz and 2x2 on 5GHz. The AC Pro is 3x3 on both.

Here is a link to the data sheet for the AC access points:

The wifi 6 Lite and LR support 802.3af PoE and 48v passive. I don’t see any sign of wifi 6 Pro yet on Ubiquiti’s web site. Perhaps it’s still in the early access program?

Interestingly, the wifi 6 LR is 4x4 on both bands. It will be interesting to see what’s done with the Pro to differentiate it from the LR.

But if AC and wifi 6 access points are the same price, the only reason not to go wifi 6 is because you want to avoid any early firmware issues. If I had older equipment to fall back on if a problem came up, I’d absolutely go wifi 6 now.

I don’t believe this. I checked their US website and you are right, there the LR model is updated to support 802.3af, but on their India website it’s still the same old one. I am guessing they are selling their old outdated products here. Though the description of the models is the same, the model number is different: in the US store it is UAP-AC-LR-US and in the India store it is UAP-AC-LR. It’s not just the power; the number of concurrent clients has also increased in the US model.

I am not sure what to believe anymore… The site says one thing and the document another. ( UniFi Long-Range Access Point – Ubiquiti Store India (store-ui.in))

Yes, my pfSense box will also need to have a 10G card going by the logic I read, or I will have to get a layer 3 switch and get into inter-VLAN routing.

According to https://help.ui.com/hc/en-us/articles/115000263008-UniFi-Supported-PoE-Output-and-Input-Modes :

** UAP-AC-LRs with a date code of 1634 or board revision 17 and following ones, support 802.3af in addition to 24V passive PoE.
** UAP-AC-LITEs with a date code of 1634 or board revision 33 and following ones, support 802.3af in addition to 24V passive PoE.

This is true of all AC-Lites and AC-LRs, not just the “-US” ones. “-US” just means that the device has been locked to the United States country code for wireless channel settings. This is required by the FCC for all 5GHz products sold in the US, to make sure that no one can “accidentally” use the wrong power settings on channels or ignore the DFS requirements.

They may not have updated the specifications listed on the India store page, but the Datasheet which is linked to by that page is updated. https://dl.ubnt.com/datasheets/unifi/UniFi_AC_APs_DS.pdf