Why does Mikrotik feel like a dirty word around here?

Fair enough. I think a lot of discussion is driven from your reviews.

May I ask what your overall take is on RouterOS?

Maybe it will spark some interesting conversation.

I used pfSense for years as my primary router of choice, but ultimately found I really like the utility and flexibility of RouterOS and the hardware is rock solid.

I like the idea of a router/firewall/switching platform that doesn’t make assumptions about what you will be doing with it - it is just a toolbox to build the solution you need.

What I don’t understand is why Mikrotik refuses to spend time creating a more user-friendly GUI. Instead, they make more and more hardware. It is not a “dirty word”; people avoid spending time to learn how to configure these things.
Remember that iPhone became no1 because people didn’t need a manual to operate them.

Different strokes. I think Winbox is a nearly perfect approach to giving a minimal UI to the tools without having to build a lot of constructs about the use case. I don’t like working in command line for routers and switches - it is nice to see all the options presented for a firewall rule, for example, without having to remember all the switches. I prefer the focus on a variety of hardware options and deep functionality.


I do wish they would build a Linux tool though. Seriously.

I’ll be picking one up soon as the Chateau LTE 12 is one of the most competitively priced Cat 12 routers I have seen. Specs are decent and I am also intrigued to test it out. For my application only basic functionality will be required though; the primary reason I’m using it is for LTE Cat 12.

The breadth of quality hardware is what I really like. Everything is very robust and you can find hardware for almost any need. I’m interested to play with the KNOT IoT products - could do some pretty interesting things paired with Home Assistant for fun and the industrial and environmental monitoring applications are interesting.

The lack of topics doesn’t mean it’s a dirty topic. Simply fewer people on this forum use them. I came close to buying a 10gb mikrotik switch but ultimately settled on the slight price difference to get the unifi one. Already having their APs, felt like a “why not” since I’ve got my toes in the water.

Hard to comment on something you do not own and could not truly have an unbiased opinion on. Instead maybe post your experiences and watch some of @LTS_Tom’s videos, copy his testing methods and make a 1:1 comparison (iperf tests both switched and routed etc.).

I agree with the statement that RouterOS is a toolbox. Tools like RoMON, traffic sniffer, and torch are lifesavers and I use them almost daily. Can’t beat the price point either. Though RouterOS is lacking a bit, v7 is very close and has a lot of new features due to updating the Linux kernel. Things like WireGuard, ZeroTier and Docker can now be run on-box. Usually the question with MikroTik isn’t “can I do this?”, it’s “should I do this?”. These little $20 boxes can run full MPLS (not that you should, as the CPU can’t handle more than a few megs of traffic). This also makes for more cost-effective lab systems since they are affordable and can then be used to implement and learn complex architectures.

I really wish I would have used a different subject for this post - I didn’t mean for it to come across as negatively as I now realize it does. But I do really appreciate the discussion here.

Agreed that the tools are why RouterOS is such an ingrained part of my network builds. Things like Torch and Traffic Sniffer have always felt like they were built by people trying to solve their own problems, and therefore are just straightforward solutions to problems without being bogged down by a need to keep adding more “stuff”.

I am definitely looking forward to v7 features - they are sorely needed.

All of that being said - if we are looking at the core utility of RouterOS - which I would define as switching, routing and filtering - I’m curious what others see as deficiencies in these core areas. The primary complaint seems to be complexity and UI - but I’m curious where some see more core issues. Why should I be looking at other platforms?

My only real complaint I’d file with MikroTik in those “core” areas is VLANs/bridging. It’s not terribly straightforward and varies by device in performance and in how you configure it. If this were streamlined and consistent it would be really nice. That said, once you figure it out it’s not that bad. Minus the CRS1XX series. To heck with those, haha. Overall, core functionality in RouterOS is pretty rock solid IMO.

I admit that the Mikrotik GUI is not user friendly the first time you open it, and its learning curve is steep. But once you know it, it is very easy. Besides, there is plenty of info in their wiki with tons of examples.

I’ve spent a lot of time in quarantine learning MikroTik, Junos, and FortiGate just because I love networking, and based on that I can say you can do some things quicker on MikroTik RouterOS than on Junos/FortiGate, and vice versa.

The key question is … do you have enough willpower to learn something new?

Because making some basic configs, like a DHCP server in Junos, is not very intuitive, and neither is checking whether a destination interface is down in FortiGate in order to disable a route.

The point is that you have to learn each vendor’s cli / gui you want to use, and you can do it using gns3 or eve-ng without buying hardware.

It’s fun and needs hard work, like learning a new language.


Thank you for your input, Qu4k3r, just what I was looking for.

Running a small IT business, time is scarce, and with something like routers there is usually a big investment of time to really dig into learning something new. MikroTik meets my needs 95% of the time, but there is always the problem of not knowing what you don’t know.

I need better VPN solutions, and adding IDS/IPS to MT is problematic, so that is a weak spot also. I would probably look at implementing pfSense specifically for IDS/IPS and VPN and keeping MT up front for core routing/filtering, but then why not just move pfSense to the front and have an MT sitting behind it for the tools?

For IPS/IDS take a look at lucidview.net. specifically designed for mikrotik and pretty slick setup. I just started playing with it and it works pretty well. They also offer content filtering and traffic shaping as well.

I will say MikroTik took me a bit of time to get used to coming from a Cisco background. Though I probably would have had the same problem in reverse. Now I’m way more comfortable in MikroTik and find myself wishing most of my Cisco gear was MikroTik because it’s so much easier to troubleshoot.

That said in a small business time and effort are definitely a worthy consideration. It takes a lot of resources to properly learn, support, and deploy a new technology so it’s not something to be taken lightly. I tend to try a few things out and try and stick with the one that meets at least 90% of my need. For me, that’s MikroTik. I can usually find add-ons or supplemental systems to do the rest. Nothing is ever 100% perfect in every situation so having a bit of a repertoire is helpful, especially when working with small to medium businesses. This is where I see a lot of larger MSPs start to struggle, they think Cisco is a one-size-fits all solution and are deploying crazy amounts of gear to companies with less than 50 employees and can’t afford the bill but have no other choice.

I’ve put in UniFi systems as well, but with the lack of decent firewalling and good IPS/IDS it’s hard to feel comfortable deploying them to businesses, especially if they have any sensitive information or devices to protect. MikroTik is just so flexible it’s as much of a one-size-fits-all solution as I can find (at least for a basic starting point). And costs are more than reasonable. They don’t have an NGFW, but there are companies that do that can be an add-on solution if the customer wants it/can afford it. pfSense and OPNsense are good players in this space for sure for the small to medium business and are a good complement to a MikroTik route/switch LAN. At least these are my findings. I’m sure others have differing opinions/experiences.


Ubiquiti invests a lot into marketing – brand management. Marketing is not just advertising. They managed to position themselves into “good brand” category. Through the years they made some really bad business decisions but it is very difficult to destroy “good brand” image.
Mikrotik sadly didn’t succeed in creating “good brand” image through marketing.

Sadly Mikrotik feels like dirty word in a lot of places I have been.

Which router manufacturers are taught in schools?

If you ask any random person to name some router manufacturers, what will they say to you? Which ones?

It is all brand management.

I actually have a MikroTik CRS328 based off people on here, so I’m not sure that this statement lines up.

It’s a little less brand management and a little more market options with Ubiquiti. When it comes to layer 2 devices, there’s not a lot of better options I’ve found for a centrally managed system that doesn’t incur recurring licensing fees (yes, I’m aware of TP Link Omada. Maybe for a home installation). Ubiquiti has definitely made some terrible decisions and created issues, but nothing so bad I stop using any of their products. That being said, the UniFi layer 3 devices are very lackluster and not really worth the money in my opinion.

If Mikrotik has any similar options for central management I wouldn’t mind exploring that, but I haven’t heard of anything quite like that yet. I’m also personally not a fan of their RouterOS. Their switches definitely seem alright though.

Lucidview is interesting. I have a little test router set up and it appears to be online - I’m not sure where to go from here. The documentation is pretty sparse. From what I have been able to piece together - for the IPS module - the scripts generated for an Enforcer instance creates a VPN to LucidView’s servers and then I believe the Mikrotik sends Netflow data to LucidView and LucidView sends back commands to create firewall rules to block traffic flagged as suspect? I don’t see any way to see what traffic it is seeing or blocking. Any insight into what I am missing?

Also - fully agree with seeing so many small clients who have had someone come in with a pile of Cisco equipment that is crazy overkill for the clients actual needs.

Appreciate your thoughts.

The VPN tunnel sends DNS requests to them for scrubbing, as well as netflow data. After a bit of traffic has flown through you should be able to generate reports. Also, if you have restricted any categories those should be blocked on any devices behind the router, assuming the router is doing DHCP/DNS and all that (in the most basic configuration). They do the category blocking via DNS, so as long as your requests get sent to their resolvers they scrub it for you. For netflow to work I have had to play around with the timeouts a bit and toggle it on and off a couple times. This only seems to be an issue on first setup, after that it works just fine.

IPS is a little more complex, as it uses address lists on the MikroTik to block “suspicious” connections. You’ll want to whitelist specific domains/IP’s that you don’t want blocked beforehand especially if they are things like VPN connections, etc… So basically, they use the Netflow data to look at connections, and once they flag an IP it gets added to the address list on the MikroTik, which has a corresponding firewall filter rule to block traffic to that IP. By default the address list is called “lvcloud_kill_list_external”, and the firewall rule is named the same. Those should be setup by the script when you run it.
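The pieces described in the two replies above, sketched in RouterOS CLI as an added example. This is not LucidView's generated script: the only thing taken from the post is the default address-list/rule name `lvcloud_kill_list_external`; the collector address, resolver address and the whitelist entry are placeholders I made up, and the exact shape of the rule their script creates is assumed.

```routeros
# Added example, not LucidView's script. Placeholder (assumed) addresses:
#   10.255.255.1   = NetFlow collector reached through the LucidView tunnel
#   10.255.255.2   = LucidView DNS resolver reached through the tunnel
#   203.0.113.10   = a corp VPN head end you never want the kill list to block

# 1. Export NetFlow v9 to the collector. The two timeouts are the knobs the
#    post mentions having to fiddle with on first setup.
/ip traffic-flow set enabled=yes interfaces=all \
    active-flow-timeout=1m inactive-flow-timeout=15s
/ip traffic-flow target add dst-address=10.255.255.1 port=2055 version=9

# 2. Forward the router's own lookups to their resolver and answer LAN clients,
#    then redirect any LAN client that hard-codes another resolver back to the
#    router, so the DNS-based category filtering cannot be bypassed by changing
#    the client's DNS setting.
/ip dns set servers=10.255.255.2 allow-remote-requests=yes
/ip firewall nat add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS through router"
/ip firewall nat add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS through router"

# 3. Whitelist first. Filter rules are evaluated top-down, so the accept must
#    sit above the drop or the kill list wins for that destination.
/ip firewall address-list add list=lvcloud_whitelist address=203.0.113.10 \
    comment="corp VPN head end, never block"
/ip firewall filter add chain=forward dst-address-list=lvcloud_whitelist \
    action=accept comment="never block whitelisted destinations"

# 4. The kill-list rule (the script creates one like this; the list name is the
#    default quoted in the post). log=yes is what answers "what is it blocking?":
#    every dropped packet shows up in /log with this prefix.
/ip firewall filter add chain=forward dst-address-list=lvcloud_kill_list_external \
    action=drop log=yes log-prefix="lvcloud-kill" comment=lvcloud_kill_list_external

# 5. See what has been flagged and what the rule has actually dropped.
/ip firewall address-list print where list=lvcloud_kill_list_external
/ip firewall filter print stats where comment=lvcloud_kill_list_external
/log print where message~"lvcloud-kill"
```

Two caveats: the DNS redirect in step 2 only catches plain port-53 traffic, so clients using DNS-over-HTTPS still bypass the category filter; and if the script's own rule already exists, step 4 duplicates it, so check `/ip firewall filter print` first and just set `log=yes` on the existing rule instead.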

Long time lurker here and this hit the nail on the head for me. I’ve used Mikrotik for over a decade setting up semi complex networks in developing nations where connections were as slow as dial up. The biggest frustration was the DIY “central management” solutions that were used were flaky and even with “The Dude” were a challenge to verify newly scripted configs (do they work with this outdated RouterOS version?) Ultimately I resorted to using python and cron jobs to “manage” those really remote switches in South America on terrible connections, but it really was like trying to baptize a cat.

Now I’m curious to see how RouterOS will run on hardware that pfSense does a great job on (like the SuperMicro Xeon’s with 10Gbe support). Winbox does run out of the box in WINE on Linux, I’ve never had an issue working with Mikrotik’s on Linux or Mac using a crossover/WINE utility to do so.

This thread had me all the way to the end. Glad someone brought it up in the forums!

I spend quite a bit of time on the Ubiquiti forum in the EdgeMAX section (tag). The ER-X is what I know the most about. And right now, getting them is near impossible (unless you don’t mind paying much more than MSRP).

I had a “spare” ER-X at home for a VPN connection to work, but it got recalled for use at a branch that needed a “quick” working solution. When the official network admin got the hEX, it wasn’t obvious how to get it to work with a site-to-site VPN from a dynamic IP using GRE/IPsec and OSPF. We have “standard configs” that work from the ER-X to the Cisco corporate head end, so to expedite things, the ER-X I had at home was recalled to be used at the branch, and I was given the hEX S (RB760iGS) as a replacement, which has very similar hardware to the ER-X (same SoC, same 256MB RAM, but substantially less flash: 16MB, what were they thinking?, vs 256MB on the ER-X). On the other hand, the hEX S does have a microSD slot and USB port, but I am not aware of any possibility to boot from them. The hEX S is still quite new to me. About the only reference to the microSD on the hEX S is for use with the Dude, and I don’t think that works with v7 (yet).

On the ER-X when you load a new version of firmware it essentially keeps the old version/configuration around until you manually delete it, and it is easy to switch system images (it is very similar in concept to having multiple boot partitions on a disk with the ability to switch which is the default boot partition.)

After I got the RB760iGS (hEX S) and tried getting vlans configured, I found the “man vs woman” control panel picture and edited it to replace man with “ER-X” and woman with “hEX S” I am not sure which one I copied from, so I can’t provide attribution, but here is my result that I sent to my co-worker, along with the comment that he had put a hex on me.
ER-X vs hEX S

If all you want is a “consumer level” router with one WAN connection and a single LAN with 4 switch ports (similar to the ER-X WAN+2LAN2 single-LAN config), the RB760iGS “default config” has presets for all the controls, but then if you want to modify it in any way, there really aren’t any great examples. And the other bad thing about MikroTik is that there are many different models, and you often have to use different methods to do the same thing. VLANs are a prime example, with at least 3 ways to configure them. It also seems that many of the wiki.mikrotik.com (now replaced by the RouterOS section of MikroTik Documentation) example configurations are gone (as can be confirmed by the Wayback Machine’s 20210127 snapshot of Manual:TOC).

The ER-X has setup wizards that make it easy to get a working config (similar to the MikroTik default), but the ER-X WAN+2LAN2 wizard also allows you to set up a second LAN with a second IP address, and it will set up a DHCP server for that subnet as well. If there is a way to do that easily on the hEX S, I didn’t find it. It is of course possible to modify the config using either the command line, WebFig, or WinBox: remove a port from the bridge, add an IP address and DHCP server, and add the removed interface to the LAN interface list. But there is no option to change what the default config does (what pressing the reset button does). That’s similar to the EdgeRouter, but the Basic (aka WAN+2LAN2) setup wizard gives you more options than the QuickSet (well, different; QuickSet appears to offer VPN, although I have not tried that yet). And the FAQ suggests you shouldn’t mix QuickSet and WebFig. My guess is that using QuickSet is somewhat like using the ER-X setup wizards, i.e. they don’t modify your existing config; they both replace the config, starting with what you provide as the basis for the new configuration. You will discover that the first time you try to use QuickSet to modify something in your config (hopefully you backed up before you tried; fortunately I had).

And vlans on the hEX S (at least before 7.1rc5) didn’t have support for hardware vlan-aware switch support (what Mikrotik now calls HW offload support for vlan-filtering on the primary bridge).

What’s new in 7.1rc5 (2021-Oct-25 20:15):
—snip—
*) bridge - added HW offload support for vlan-filtering on MT7621 switch chip (hEX, hEX S, RBM33G, RBM11G, LtAP);

Easy access to the vlan-aware switch0 on the ER-X has been there for the 4 years I have been using the ER-X. Yes, you can easily lock yourself out, but there are multiple youtube videos and blog posts with examples of how to avoid that.

With the hEX, I feel like I am playing a Zachtronics game (SHENZHEN I/O: BUILD CIRCUITS. WRITE CODE. RTFM., from the web site description) or writing code for the Raspberry Pi Pico RP2040 PIO state machines. In other words, it seems like RouterOS is like assembly language programming, and each MikroTik model has a slightly different instruction set.

I wish there was a “Router O/S Rosetta Stone” with Cisco, Junos, Vyatta/VyOS/DanOS/EdgeOS, pfSense, RouterOS, OpenWrt, Untangle, UniFi, Omada… with some common configurations, and the configs in each “language”. As an example of common configs, what the EdgeOS setup wizards support: [REFERENCE] Setup Wizard ER-X v2.0.9-hotfix.1 reference configurations. It would be even better to have configurations including VPN (IPsec, OpenVPN, WireGuard, ZeroTier) and some dynamic routing protocols (OSPF, BGP).

How did you learn RouterOS, and what features are you using that make you feel the hEX is a better router than other options (even OpenWRT on cheap hardware). Are you using MPLS, VRF? One thing that RouterOS does have going for it is that you can quite easily setup a virtual lab with EVE-ng or GNS3 and use the CHR images.

One last comment on EdgeOS on the ER-X vs RouterOS on the hEX S. Both are built on top of Linux, but EdgeOS doesn’t hide it from you. That can be an advantage or a disadvantage (if the router gets compromised, there are a lot more tools to live off the land on the ER-X, and packages can even be loaded). But I find the tools very handy.

Both RouterOS and EdgeOS can be misconfigured by someone that doesn’t understand how the commands work, but I think that EdgeOS is much easier to understand than RouterOS. And therefore less likely to be misconfigured. But that could partly be because I am much more familiar with EdgeOS.
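The site-to-site case the post above describes as non-obvious on the hEX (a branch on a dynamic IP running GRE over IPsec to a static head end, with OSPF across the tunnel), written out in RouterOS v7 CLI as an added example. This is not the poster's "standard config" and has not been tested against a Cisco head end; the head-end address, tunnel addresses, LAN prefix and PSK are placeholders, and the head end is assumed to accept the IPsec profile/proposal set below (the Cisco side is out of scope here).

```routeros
# Added example, MikroTik side only. Assumed values:
#   203.0.113.1     = head-end public IP (static); this hEX sits behind a dynamic IP
#   10.255.0.1/30   = head-end end of the tunnel, 10.255.0.2/30 = this end
#   192.168.20.0/24 = the branch LAN advertised into OSPF
#   10.255.0.2 is reused as this router's OSPF router-id

# 1. GRE with IPsec attached by RouterOS itself. Setting ipsec-secret= on the
#    tunnel makes RouterOS create the transport-mode peer, identity and policy
#    for the GRE traffic, so no manual /ip ipsec policy is needed. local-address
#    is deliberately left unset because the WAN address changes; the source is
#    taken from the route to the remote end. This side always initiates, which is
#    what you want when the head end cannot know your address in advance.
/interface gre add name=gre-hq remote-address=203.0.113.1 \
    ipsec-secret="replace-with-a-long-random-psk" comment="branch to HQ"
/ip address add address=10.255.0.2/30 interface=gre-hq

# The auto-created IPsec entries use the "default" profile and proposal, so tune
# those to what the head end is configured for (values below are assumptions).
/ip ipsec profile set default hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp2048
/ip ipsec proposal set default auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048

# 2. OSPFv2 across the tunnel (v7 syntax; v6 used /routing ospf network instead).
/routing ospf instance add name=ospf-v2 version=2 router-id=10.255.0.2 \
    redistribute=connected
/routing ospf area add name=backbone area-id=0.0.0.0 instance=ospf-v2
# Form the adjacency on the tunnel as point-to-point ...
/routing ospf interface-template add area=backbone interfaces=gre-hq type=ptp cost=10
# ... and advertise the LAN without trying to form adjacencies on it.
/routing ospf interface-template add area=backbone networks=192.168.20.0/24 passive=yes

# 3. Let the tunnel's own control traffic into the router ahead of any drop rule.
#    place-before=0 puts each rule at the top of the input chain.
/ip firewall filter add chain=input protocol=ipsec-esp src-address=203.0.113.1 \
    action=accept comment="ESP from HQ" place-before=0
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 \
    src-address=203.0.113.1 action=accept comment="IKE/NAT-T from HQ" place-before=0
/ip firewall filter add chain=input protocol=gre src-address=203.0.113.1 \
    action=accept comment="GRE from HQ" place-before=0

# 4. Verify: SA installed, tunnel running, neighbor in Full state.
/ip ipsec active-peers print
/ip ipsec installed-sa print
/interface gre print
/routing ospf neighbor print
```

Because the branch address is dynamic, the head end has to be the passive side (on RouterOS that would be a peer with `passive=yes` and `address=0.0.0.0/0`; on Cisco the equivalent dynamic-peer construct). If the head end insists on tunnel-mode IPsec rather than transport mode around GRE, drop `ipsec-secret=` and build the `/ip ipsec` peer, identity and policy by hand instead.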

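One way to get the "second LAN with its own IP and DHCP server" that the ER-X wizard hands you, and at the same time use the HW-offloaded VLAN filtering the 7.1rc5 changelog quoted above added for the hEX S, is a single VLAN-aware bridge. This is an added example, not from the post or from MikroTik's documentation; the VLAN IDs, subnets and port roles are my assumptions, and it assumes a hEX S on 7.1rc5 or later started from a configuration with no defaults (or at least with the default 192.168.88.1 address removed from the bridge).

```routeros
# Added example, not MikroTik's. Assumed layout on a hEX S (RB760iGS):
#   ether1        = WAN (not touched here)
#   ether2        = management VLAN 10, untagged
#   ether3-ether5 = second LAN, VLAN 20, untagged
# Start from: /system reset-configuration no-defaults=yes (assumed)

# 0. Lifeline first. Safe Mode (Ctrl-X in the CLI) rolls everything back if the
#    session drops, and a backup lets you netinstall your way out if not.
/system backup save name=before-vlans

# 1. Bridge with vlan-filtering OFF until every port and VLAN is declared. The
#    ports default to hw=yes, which is what puts the MT7621 switch chip in charge.
/interface bridge add name=bridge1 vlan-filtering=no
/interface bridge port add bridge=bridge1 interface=ether2 pvid=10
/interface bridge port add bridge=bridge1 interface=ether3 pvid=20
/interface bridge port add bridge=bridge1 interface=ether4 pvid=20
/interface bridge port add bridge=bridge1 interface=ether5 pvid=20

# 2. VLAN table. bridge1 itself is a tagged member of each VLAN so the router can
#    hold an address on it; the untagged ports match the pvids above.
/interface bridge vlan add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether2
/interface bridge vlan add bridge=bridge1 vlan-ids=20 tagged=bridge1 \
    untagged=ether3,ether4,ether5

# 3. One L3 interface per VLAN, each with its own address, pool and DHCP server.
/interface vlan add name=vlan10-mgmt interface=bridge1 vlan-id=10
/interface vlan add name=vlan20-lan interface=bridge1 vlan-id=20
/ip address add address=192.168.10.1/24 interface=vlan10-mgmt
/ip address add address=192.168.20.1/24 interface=vlan20-lan
/ip pool add name=pool10 ranges=192.168.10.100-192.168.10.199
/ip pool add name=pool20 ranges=192.168.20.100-192.168.20.199
/ip dhcp-server add name=dhcp10 interface=vlan10-mgmt address-pool=pool10 disabled=no
/ip dhcp-server add name=dhcp20 interface=vlan20-lan address-pool=pool20 disabled=no
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 \
    dns-server=192.168.10.1
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.1 \
    dns-server=192.168.20.1

# 4. Put both VLAN interfaces in the LAN list so rules written against
#    in-interface-list=LAN (and the masquerade) cover the new subnet too.
#    Skip the "add" if the list already exists from a default config.
/interface list add name=LAN
/interface list member add list=LAN interface=vlan10-mgmt
/interface list member add list=LAN interface=vlan20-lan

# 5. The router will happily route between the two VLANs. If the point of the
#    second LAN is isolation, say so explicitly; established/related flows from
#    management toward the LAN still return because of the usual fasttrack/
#    established rule that precedes this one.
/ip firewall filter add chain=forward in-interface=vlan20-lan \
    out-interface=vlan10-mgmt action=drop comment="keep LAN off the mgmt VLAN"

# 6. Only now flip the switch, from a session on ether2 or under Safe Mode.
#    From this point untagged frames on ether2 are VLAN 10, not the old flat LAN.
/interface bridge set bridge1 vlan-filtering=yes

# 7. Confirm the switch chip is doing the work and the VLAN table is what you meant.
/interface bridge port print where bridge=bridge1    # H flag = hw-offload active
/interface bridge vlan print
```

The order matters more than the individual commands: declaring the VLAN table and the management VLAN interface before enabling `vlan-filtering` is what avoids the lock-out the post mentions, and the `H` flag in step 7 is the check that the 7.1rc5 offload is actually in effect rather than the CPU bridging every frame.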