Mikrotik's support for OpenVPN/IPsec is a joke. They should just allow specifying a plain openvpn configuration instead.
I would not recommend these routers with original firmware.
No UDP support after all these years is really quite shameful. Tunneling TCP over TCP is insanely bad, the slightest packet loss and your connections are toast.
Still not? I was moaning about this in 2006. I can't imagine why Mikrotik can't be bothered to implement UDP for OpenVPN when they have added so many other features.
This is my #1 gripe with mikrotik, you can't figure out if the feature you want to use is half-baked or not without testing it. And then once it works you had better not upgrade versions or it may very well break.
Finding a version which has all the features you need working used to be a nightmare.
I recently spent several hours trying to implement BFD... only to find out it's broken on CCR, known to be broken, and won't be fixed any time soon [1]
But to be fair, I've run across similar things in Cisco land. Spend hours trying to get something to work, when I finally run across a single line somewhere on their site that says what I'm trying to do doesn't work with CEF and I have to disable CEF if I want it to work. Which cuts my throughput by 10x.
My understanding is that MikroTik isn't a fan of OpenVPN (for whatever reason), and doesn't want to spend any more development time on the feature. Which is a shame, because it really is a poor choice without UDP support.
On the plus side, you can use the VM ("Metarouter") feature to host a real OpenVPN client inside an OpenWRT instance. But you don't get the nice admin console if you do that.
At one point I was kind of excited about Mikrotik routers. They seemed pretty beefy, a bit pricey, but cool as a device supporting OpenWRT and having an OS that they said was "even better" than OpenWRT.
However, everything I looked at was somewhat disappointing. One router I was looking at had an unpowered USB port that was low speed (USB 1), which just seemed to be a weird caveat when consumer routers of the time were all USB 2 and capable of running at least a small pocket hard drive, or at least mounting a USB key.
At this point there seems to be a lot of good commercial routers which are strong, cheap, and don't require much blob code etc and are easy to find (sometimes it was vague what kind of chips you'd get with different commercial hardware).
I guess I'm too used to Cisco and Juniper pricing, but "pricey" is the last thing that comes to mind when I think of Mikrotik... When you say "good commercial routers" that are cheaper, are you talking about consumer hardware? I'm curious what you prefer.
I don't have any Mikrotik hardware at all, so I don't have any vested interest here - I am just curious what people are liking these days. The vast majority of the consumer networking gear I've tried has been terrible, even with alternate firmware (e.g. OpenWRT doesn't keep crappy Linksys routers from overheating).
I'm using a $50 Mikrotik hAP AC Lite (RB952Ui-5ac2nD-US) as a home router. It's not the most high-powered router — it only has a single 5GHz radio, no antenna, and the Ethernet port is 10/100 only — but it's stunningly solid.
Previously I had, over the span of 18 months, an ASUS "Dark Knight" (whose 5GHz network slowly faded and then _disappeared_, apparently a known issue), an ASUS RT-AC66U (frequently just choked, requiring a reboot), and a Netgear Nighthawk AC1900 (same, and also issues with unstable wifi).
By contrast, the Mikrotik has been rock stable for the time I've had it (6 months). I also love the WebFig UI. It's a lot more technical than consumer routers, but it's responsive, consistent and doesn't hide any technical details from me. I don't need 90% of the RouterOS features, but I know that if I needed something obscure, I could set it up. You basically get an industrial-quality Linux-based router/switch OS for almost nothing.
(I do like the fine-grained metrics, though. You can get bandwidth and connection data not just per interface, but also per NAT rule, for example.)
I cut my teeth at an "ISP" that would order a business DSL line at a MDU/Apartment complex, run it through a Linksys router, then over the phone wiring using 2-wire "HomePNA" devices and charge each person $30/month for the service.
The routers locked up so much they had one of those plug-in timers [1] set to reboot the router each night during their 'daily maintenance period'. They wouldn't even dispatch someone to do it when they started getting calls.
I left after about 6 months. This was around 2001.
They also got in trouble with the LEC (and law enforcement) for using the LEC copper to interconnect their equipment between buildings. It was a common practice for them to tone out pairs in a neighborhood and patch their own wires in using the LEC's boxes and wiring.
Yes, this reliability is why I don't use consumer network hardware when I can avoid it. I got sick of getting calls from my wife when I was traveling and she was trying to work from home but the wireless had stopped working again.
My home network is all Ubiquiti, and is also rock solid. The 10/100 ethernet port is what actually pushed me to move from my Cisco ASA to a Ubiquiti router - the router had become the bottleneck in my internet connection.
Agreed - I'm using a Mikrotik hAP AC at home now, after a series of disappointing high-end consumer devices (ASUS RT-AC3200 most recently). It isn't perfect (AC speeds are temperamental for me), but it does offer a huge amount of configurability - including a Cisco-esque CLI interface via SSH, which is nice.
Mikrotik routers are not designed to be a consumer router. The average consumer would pull his/her hair out trying to configure one. Providing network attached storage is generally not a feature requested of anything but the full-consumer line home routers of the type that you purchase from Best Buy etc...
I was not aware they were marketing in that direction... IMO they shouldn't be, for the reasons listed by others. The UI just isn't quite intuitive enough for the average Joe that's expecting something like a Linksys/Belkin interface.
Mikrotik was pre-Ubnt and had excellent hardware lineups. These days Ubnt is miles ahead in the router/wireless-board field, which puzzled me.
While Mikrotik sells its RouterOS, it's not that hard to install OpenWRT on it. Ubnt was quite OpenWRT friendly at the start, not so any more.
These days I'm just assembling my own x86 routers. PCengines and Soekris do not have the best performance/price ratio nowadays, and they somehow just feel a bit out of date.
I have personally deployed about 100 Mikrotik routers and can say they work well for what they do.
They're not designed to be a home router and the learning curve if you want to use one like that would be similar to someone without Cisco IOS knowledge trying to configure a Cisco IOS device as a home router.
Not many routers can do 5-10Gb/s+ throughput for the price. Their most recent model has 8x10Gb ports, costs USD $2,500 and will route the full 80Gb/s [1]
They have come a long way since the RB433 and running on Soekris/PCEngines boards. UBNT is just getting started in the real router field (not their radio-with-a-router, those are quite mature now but very limited in features) and I do not care for their current EdgeRouter UI. It's a mess. For example: you need local access just to add the interface you're accessing it from to a bridge. (Because you can't add an interface WITH an IP on it to a bridge, and you can't remove the IP from the interface without losing access. You can apply multiple commands at once, but the command validation doesn't honor the order that you enter them in, thus it tosses an error because it tries to add the interface to the bridge before removing the IP.)
Sure, you can put something x86 together and run one of the many, many firewall/routing OSes, or even roll your own with (pick your flavor) Linux, Zebra and IPTables, but I don't have time to make something work and prefer something that just works and isn't priced at the Cisco/Juniper level.
I wouldn't recommend either for mission-critical ENTERPRISE grade routing, without significant planning into redundancy, but, if you are doing things at that level, then you probably have the funds to purchase enterprise grade gear.
"Their most recent model has 8x10Gb ports, costs USD $2,500 and will route the full 80Gb/s"
No, it won't route 80Gbps, because any single flow on a CCR uses a single core on their multi core Tilera CPUs. The CCRs struggle to really do 10Gbps of real world IP transit traffic.
If you're pushing 5Gbps+ of your customers' IP traffic in a daily sine wave pattern to/from upstream and adjacent BGP peers (paid IP transit and peering at a local IX), and have $2,500 to spend, you will be MUCH better off buying a proper routing platform that has things like hotswap fan trays, hotswap 1+1 or N+1 power supplies, redundant hotswap routing engines, etc. You can do this with a used/refurb Cisco or Juniper for the same price as the higher end Mikrotiks. I can build a Cisco 7604 or 7606 with dual RSP720 for less than $2000.
The CCRs have a single motherboard in them that is about the same quality as a $85 PC motherboard. If you're running an ISP that is moving multi-Gbps of customer traffic and have potentially thousands of singlehomed customers downstream of you, do you want to rely on a 'core' router that has absolutely zero hardware redundancy?
Mikrotiks have their place at edge and small aggregation but when you start talking about things that are $2,000+, please, buy a real router.
What ISP needs a single flow to exceed 1Gb? I would venture to say most non-storage networks don't have single flow requirements in the Gb/s.
I can buy 3 CCR routers and run OSPF/BGP/etc... on them to provide redundancy. The likelihood of all 3 failing at once is slim and I'm still an order of magnitude cheaper than an equivalent Cisco/Juniper setup. Yes, dynamic routing takes a few seconds to converge, so an unplanned failure will result in a short disruption in connectivity, but planned maintenance can be done seamlessly, including power supply replacement (since only one model has hot-swappable power supplies). I do not deploy any single-power models and have not had a single router fail in the 2 years I have been deploying them. I have had a $6500 Cisco ASA fail, twice.
I am a fan of all 3. Cisco and Juniper make great equipment. So does Mikrotik. Each one is a tool that must be used properly and the right one needs to be selected for the job and requirements.
Thing is, it's not an 'order of magnitude' different in price... Three $2500 CCRs vs, what? I know somebody who recently bought a whole Juniper MX960 for around $10,000. For a serious ISP that is a big jump in capability and resiliency.
If looking at used/refurb core routing platforms these days, anything that is not capable of being upgraded to a reasonable density of 100GbE is selling for very affordable prices now. Even systems that are fully modular and redundant and capable of more than 60 10GbE interfaces in one chassis, such as the MX480 or MX960. Or an ASR9006/ASR9010 with first generation linecards.
I'm seeing used, empty, MX480s in the range of $13k on ebay[1]. Plus $3k for add in 10g cards[2]
And I have to pay for support if I want to get updates, security patches, etc... [3]
And I need 2+ of them if I want to multi-home.
So I'm buying a used device of unknown history, that someone is selling for unknown reasons (could be a working pull, could be something with an obscure problem that will surface 3 months later), without a hardware warranty or support, with outdated software, and going to trust my entire network with it and its internal redundancy. If I could get 3 for that price I might consider it.
I like the SpaceX approach. Don't trust one big expensive engine to get you where you're going. It probably won't fail, but if it does, you're toast. Trust 9 cheaper ones and have enough redundancy that if/when one does fail, you shrug and keep going and just replace it before the next launch.
Comcast fiber is 3Gbps (sold as 2Gbps) and provisioned via a Juniper box to you which acts as a bridge alone, with an SFP+ port giving 2Gbps, and a separate GigE port.
I bought a Mikrotik a month or two ago, expressly so I could install OpenWRT on it, and use it to get around the Chinese firewall with Shadowsocks. The OpenWRT install never worked, so now I just have a (pretty nice) router, doing what routers are supposed to do. OpenVPN has long since stopped working in China, but this should provide a good learning experience, and who knows, maybe it will lead me to something that works.
OpenVPN uses its own non-TLS UDP protocol to carry traffic (with an optional TCP fallback), and only uses TLS for connection setup. ref: https://wiki.wireshark.org/OpenVPN
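The framing that comment refers to, as an added illustration (not code from the thread or from OpenVPN itself): the first byte of every OpenVPN packet carries a 5-bit opcode and 3-bit key id, control-channel packets (the TLS handshake) and data-channel packets (the encrypted tunnel traffic) are distinguished by that opcode, and TCP mode adds a 2-byte length prefix in front of each packet. The opcode names and field layout follow the OpenVPN source; the parser assumes no tls-auth/tls-crypt wrapping, and the sample packets are constructed.

```python
import struct

# OpenVPN opcodes (top 5 bits of the first byte); names as in the OpenVPN source.
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1", 2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1",
    6: "P_DATA_V1", 7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2", 9: "P_DATA_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}
DATA_OPCODES = (6, 9)


def parse_openvpn(payload: bytes, transport: str = "udp") -> dict:
    """Classify one OpenVPN packet as control (TLS) or data channel.

    UDP carries one OpenVPN packet per datagram; TCP mode prepends a
    2-byte big-endian length so the receiver can re-frame the stream.
    Assumes no tls-auth/tls-crypt (those insert an HMAC/packet-id after
    the session id).
    """
    if transport == "tcp":
        if len(payload) < 2:
            raise ValueError("short TCP frame")
        (length,) = struct.unpack("!H", payload[:2])
        payload = payload[2:2 + length]
        if len(payload) != length:
            raise ValueError("truncated TCP frame")
    if not payload:
        raise ValueError("empty packet")
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    name = OPCODES.get(opcode)
    if name is None:
        raise ValueError(f"unknown opcode {opcode}")
    info = {"opcode": name, "key_id": key_id,
            "channel": "data" if opcode in DATA_OPCODES else "control"}
    if opcode == 9:
        # P_DATA_V2: 3-byte peer id, then the encrypted tunnel payload.
        info["peer_id"] = int.from_bytes(payload[1:4], "big")
    elif info["channel"] == "control":
        # Control: 8-byte session id, ack array (1-byte count, N x 4-byte
        # packet ids, 8-byte remote session id if N > 0), then packet id
        # and the TLS record bytes (P_ACK_V1 stops after the ack array).
        info["session_id"] = payload[1:9].hex()
        ack_len = payload[9]
        off = 10 + 4 * ack_len + (8 if ack_len else 0)
        if opcode != 5:
            (info["packet_id"],) = struct.unpack("!I", payload[off:off + 4])
            info["tls_len"] = len(payload) - off - 4
    return info


# Constructed samples: a client hard-reset (session id 01..08, no acks,
# packet id 0) and a P_DATA_V2 packet for peer id 1 with dummy ciphertext.
CTRL_UDP = bytes.fromhex("38" + "0102030405060708" + "00" + "00000000")
CTRL_TCP = struct.pack("!H", len(CTRL_UDP)) + CTRL_UDP
DATA_UDP = bytes.fromhex("48" + "000001" + "deadbeef")

if __name__ == "__main__":
    for pkt, tr in ((CTRL_UDP, "udp"), (CTRL_TCP, "tcp"), (DATA_UDP, "udp")):
        print(tr, parse_openvpn(pkt, tr))
```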
You can run OpenWRT as a virtual router (MetaRouter) on top of Mikrotik. That would allow you to get around the TCP limit. Does anyone have any experience with running OpenWRT as a MetaRouter?
I've done it. It works fine. You just have to keep in mind that most of the Routerboard products have limited RAM, like any other embedded device.
The only catch is that anything done inside of OpenWRT has to be configured by hand from a terminal (obviously), instead of through Mikrotik's admin console.
I help maintain a page[0] that keeps a list of the best performing routers that support OpenWRT and DD-WRT. It allows sorting by Value, Performance or Price.
Just make sure which batch of C7s you are buying from.
TPLink started to lock down the firmware, due to the new regulation about locking down wifi devices. So if you get an unlocked C7, you are fine, if locked, you get to keep their firmware on the device.
Currently, the only safe choices for OpenWRT are Linksys WRT1900ACS and Turris Omnia. Both are a bit pricier.
I have a friend who's part of a startup here in the UK that makes routers for gamers called NetDuma[1]. The routers they sell have a VPN client like this ready to go, I've got one and it works well.
Be aware that very few routers actually have enough power to do openvpn encryption with higher bandwidth (20Mbit+) links and 256CBC encryption. You may get better results by downgrading your cipher (not every vpn provider supports that).
To achieve good performance you are looking for hardware with Intel QuickAssist, I would recommend putting pfsense on something like http://store.netgate.com/ADI/RCC-VE-2440.aspx
I actually just built one with a C2758 (8 core Atom) Supermicro board. I put pfSense on it and it's been running great. I have gigabit internet at home, so I opted for the more powerful box. A lot of people on the pfSense forums seem to use one form of these boards.
I started using pfSense on ITX Intel-based hardware and have been quite happy with the results, though using it with modern hardware (recommended with today's faster broadband speeds) means it's usually a little pricier than most consumer devices. Now there's news that the pfSense team is working on a small, ARM-based device which sounds like it'd give Mikrotik devices competition. If you can hold out a bit, it might be worth the wait.
I'm a network engineer for an ISP (5 years now; ~8 years in the same role at a .edu before this) and I am very much in the Cisco/Juniper camp.
When I started at the ISP, I had never even heard of Mikrotik. Having been using high-end Cisco/Juniper gear for years, I was quite skeptical that those cheap little Mikrotiks were worth a damn.
I've actually been quite surprised. While all of my "critical" infrastructure runs on Cisco, I've got several Mikrotik routers running in production, almost exclusively as access concentrators (for PPPoE sessions). I really use very little of their features, but they handle PPPoE and OSPF just fine.
We also have an MSP side, which is mostly our ISP customers whom we also handle managing their local networks for. Our guys have deployed a handful of Mikrotiks at the edge of these customer networks as well but, again, this is just basic office router functionality (DHCP, NAT, firewalling, etc.).
For the price point, they're actually pretty decent devices. I don't own any myself (excluding a couple in my "networking test lab" here at home, but those belong to $work) and wouldn't personally use one. This is mostly on principle -- I disagree with their beliefs when it comes to the GPL and compliance.
Also, I wouldn't recommend using them for anything you deem "critical" or even "really important". Just read through the Changelogs for their firmware releases -- some of the bugs/fixes do not instill confidence in their software engineering.
FWIW, my router at home (on a fiber connection) is (was?) designed and sold as a RouterOS device [0], although I removed the Mikrotik CF card and replaced it with another one that I installed an OpenBSD image onto [1]. It's mounted read-only (except when I want to modify things, of course) to preserve the lifetime but lately, I've been considering installing an SSD into it. It's actually a pretty powerful (albeit low-end) PC disguised as a router. It can easily provide all the basic network services one might need at home (DHCP, DNS, NAT, firewalling, TFTP, etc.). It wasn't cheap, though -- $600, IIRC, but it's a few years old now. I wrote a bit more about it [2] a few months ago.