Just curious why there is very little discussion around here about Mikrotik’s routers. I use them quite a lot and find their bang-for-buck value to be crazy. I keep a pile of HEXs routers on hand just because they are great little problem solvers.
Not sure what makes you think that, I don’t really do videos on their RouterOS because I prefer other solutions. But there are good discussions on here about MikroTik.
Fair enough. I think a lot of discussion is driven from your reviews.
May I ask what your overall take is on RouterOS?
Maybe it will spark some interesting conversation.
I used pfSense for years as my primary router of choice, but ultimately found I really like the utility and flexibility of RouterOS and the hardware is rock solid.
I like the idea of a router/firewall/switching platform that doesn’t make assumptions about what you will be doing with it - it is just a toolbox to build the solution you need.
What I don’t understand is why Mikrotik refuses to spend time creating a more user friendly GUI? Instead, they make more and more hardware. it is not a “dirty word”. People avoid spending time to learn how to configure these things.
Remember that iPhone became no1 because people didn’t need a manual to operate them.
Different strokes. I think Winbox is a nearly perfect approach to giving a minimal UI to the tools without having to build a lot of constructs about the use case. I don’t like working in command line for routers and switches - it is nice to see all the options presented for a firewall rule, for example, without having to remember all the switches. I prefer the focus on a variety of hardware options and deep functionality.
I do wish they would build a Linux tool though. Seriously.
I’ll be picking one up soon as the Chateau LTE 12 is one of the most competitively priced Cat 12 routers I have seen. Specs are decent and also am intrigued to test it out. For my application only basic functionality will be required though - The primary reason I’m using it is for LTE Cat 12
The breadth of quality hardware is what I really like. Everything is very robust and you can find hardware for almost any need. I’m interested to play with the KNOT IoT products - could do some pretty interesting things paired with Home Assistant for fun and the industrial and environmental monitoring applications are interesting.
The lack of topics doesn’t mean it’s a dirty topic. Simply fewer people on this forum use them. I came close to buying a 10gb mikrotik switch but ultimately settled on the slight price difference to get the unifi one. Already having their APs, felt like a “why not” since I’ve got my toes in the water.
Hard to comment on something you do not own and could truly have an unbiased opinion on. Instead maybe post your experiences and watch some of @LTS_Tom 's videos, copy his testing methods and make a 1:1 comparison (iperf tests both switched and routed etc etc…).
I agree with the statement that RouterOS is a toolbox. Tools like romon, traffic sniffer, and torch are lifesavers and I use them almost daily. Can’t beat the price point either. Though RouterOS is lacking a bit, v7 is very close and has a lot of new features due to updating the Linux kernel. Things like Wireguard, ZeroTier and docker can now be run on-box. Usually the question with MikroTik isn’t “can I do this?”, It’s “should I do this?”. These little $20 boxes can run full MPLS (not that you should as the cpu can’t handle more than a few megs of traffic). This also makes for more cost-effective lab systems since they are affordable and can then be used to implement and learn complex architechtures.
I really wish I would have used a different subject for this post - I didn’t mean for it to come across as negatively as I now realize it does. But I do really appreciate the discussion here.
Agreed that the tools are why RouterOS is such an ingrained part of my network builds. Things like Torch and Traffic Sniffer have always felt like they were built by people trying to solve their own problems - and therefor are just straight-forward solutions to problems without being bogged down by a need to keep adding more “stuff”.
I am definitely looking forward to v7 features - they are sorely needed.
All of that being said - if we are looking at the core utility of RouterOS - which I would define as switching, routing and filtering - I’m curious what others see as deficiencies in these core areas. The primary complaint seems to be complexity and UI - but I’m curious where some see more core issues. Why should I be looking at other platforms?
My only real complaint I’d file with MikroTik in those “core” areas is vlans/bridging. It’s not terribly straightforward and varies by device on performance and how you configure it. If this were streamlined and consistent it would be really nice. That said, once you figure it out it’s not that bad. Minus CRS1XX series. To heck with those haha overall core functionality in RouterOS is pretty rock solid IMO.
I admit that Mikrotik GUI is not user friendly the first time you open it, and its learning curve is steeped. But once you know it is very easy. Besides, there are plenty of info in their wiki with tons of examples.
I’ve spent a lot of time in quarentine learning mikrotik, junos, and fortigate just because I love networking, and based on that I can say you can do some things quicker on mikrotik routeros than junos / fortigate and vice versa.
The key question is … have you enough of will power to learn something new?
Becuase make some basic configs like dhcp server in junos is not very intuitive, and checking if a destiny interface is down in fortigate to disable a route neither.
The point is that you have to learn each vendor’s cli / gui you want to use, and you can do it using gns3 or eve-ng without buying hardware.
It’s funny and need hard work, like a learing new language.-
Thank you for your input, Qu4k3r, just what I was looking for.
Running a small IT business - time is scarce and with something like routers, there is usually a big investment of time to really dig into learning something new. Miktotik meets my needs 95% of the time - but there is always the problem of not knowing what you don’t know.
I need better VPN solutions and adding IDS/IPS to MT is problematic - so that is a weak spot also. Probably would look at implementing pfSense speficially for IDS/IPS and VPN and keeping MT up front for core routing/filtering - but then why not just move pfSense to the front and have a MT sitting behind for the tools.
For IPS/IDS take a look at lucidview.net. specifically designed for mikrotik and pretty slick setup. I just started playing with it and it works pretty well. They also offer content filtering and traffic shaping as well.
I will say mikrotik took me a bit of time to get used to coming from a Cisco background. Though I probably would have had the same problem in reverse. Now Im way more comfortable in Mikrotik and find myself wishing most of my Cisco gear was mikrotik because it’s so much easier to troubleshoot.
That said in a small business time and effort are definitely a worthy consideration. It takes a lot of resources to properly learn, support, and deploy a new technology so it’s not something to be taken lightly. I tend to try a few things out and try and stick with the one that meets at least 90% of my need. For me, that’s MikroTik. I can usually find add-ons or supplemental systems to do the rest. Nothing is ever 100% perfect in every situation so having a bit of a repertoire is helpful, especially when working with small to medium businesses. This is where I see a lot of larger MSPs start to struggle, they think Cisco is a one-size-fits all solution and are deploying crazy amounts of gear to companies with less than 50 employees and can’t afford the bill but have no other choice.
I’ve put in unifi systems as well, but with the lack of decent firewalling and good IPS/IDS it’s hard to feel comfortable deploying to businesses. Especially if they have any sensitive information or devices to protect MikroTik is just so flexible it’s as much as a one-size-fits-all solution as I can find (at least for a basic starting point). And costs are more than reasonable. they don’t have an NGFW, but there’s companies that do that can be an add-on solution if the customer wants it/can afford it. Pfsense and opnsense are good players in this space for sure for the small to medium business and are a good complement to a MikroTik route/switch LAN. At least these are my findings. I’m sure others have differing opinions/experiences.
Ubiquiti invests a lot into marketing – brand management. Marketing is not just advertising. They managed to position themselves into “good brand” category. Through the years they made some really bad business decisions but it is very difficult to destroy “good brand” image.
Mikrotik sadly didn’t succeed in creating “good brand” image through marketing.
Sadly Mikrotik feels like dirty word in a lot of places I have been.
Which router manufactures are taught in schools?
If you ask any random person to name you some router manufactures, what will they say to you? Which one?
It is all brand management.
I actually have a Mikrotik CSR 328 base off people on here so not sure that this statement line up.
It’s a little less brand management and a little more market options with Ubiquiti. When it comes to layer 2 devices, there’s not a lot of better options I’ve found for a centrally managed system that doesn’t incur recurring licensing fees (yes, I’m aware of TP Link Omada. Maybe for a home installation). Ubiquiti has definitely made some terrible decisions and created issues, but nothing so bad I stop using any of their products. That being said, the UniFi layer 3 devices are very lackluster and not really worth the money in my opinion.
If Mikrotik has any similar options for central management I wouldn’t mind exploring that, but I haven’t heard of anything quite like that yet. I’m also personally not a fan of their RouterOS. Their switches definitely seem alright though.
Lucidview is interesting. I have a little test router set up and it appears to be online - I’m not sure where to go from here. The documentation is pretty sparse. From what I have been able to piece together - for the IPS module - the scripts generated for an Enforcer instance creates a VPN to LucidView’s servers and then I believe the Mikrotik sends Netflow data to LucidView and LucidView sends back commands to create firewall rules to block traffic flagged as suspect? I don’t see any way to see what traffic it is seeing or blocking. Any insight into what I am missing?
Also - fully agree with seeing so many small clients who have had someone come in with a pile of Cisco equipment that is crazy overkill for the clients actual needs.
Appreciate you thoughts.
The VPN tunnel sends DNS requests to them for scrubbing, as well as netflow data. After a bit of traffic has flown through you should be able to generate reports. Also, if you have restricted any categories those should be blocked on any devices behind the router, assuming the router is doing DHCP/DNS and all that (in the most basic configuration). They do the category blocking via DNS, so as long as your requests get sent to their resolvers they scrub it for you. For netflow to work I have had to play around with the timeouts a bit and toggle it on and off a couple times. This only seems to be an issue on first setup, after that it works just fine.
IPS is a little more complex, as it uses address lists on the MikroTik to block “suspicious” connections. You’ll want to whitelist specific domains/IP’s that you don’t want blocked beforehand especially if they are things like VPN connections, etc… So basically, they use the Netflow data to look at connections, and once they flag an IP it gets added to the address list on the MikroTik, which has a corresponding firewall filter rule to block traffic to that IP. By default the address list is called “lvcloud_kill_list_external”, and the firewall rule is named the same. Those should be setup by the script when you run it.