Mikrotik CRS125 with Wireless

iroc409

Has anyone used one of these? I've been looking at upgrading my networking gear at home, and these look like a too-good-to-be-true one-stop shop for the home network, with a router, managed GigE switch, and wireless all wrapped up into one. Mikrotik stuff gets pretty good reviews, would this be a good unit for home to do a managed GigE network with a secure & guest wireless?

Going to one of these I would lose my UTM. Can I route all the traffic through a pair of ports for a filtering device, or is that a hokey solution? I'd really like to go down to just my file server, but don't really want to put a virtual device on the network. My office is always hot and noisy with the older server and PC firewall.
 
Looks interesting... Throughput would be limited by how much filtering you are doing and packet size.

Check out this model (with twice the CPU) and look at what filter rules do to the throughput, located at the bottom of the page: http://routerboard.com/RB1100AHx2


Like most all-in-one boxes there are compromises....but this is not a bad "jack of many trades"

The hardest parts would be aligning the actual performance to your expectations and programming the unit. Routerboard can be quite overwhelming to users.
 
I'm definitely concerned about overall performance, and I need network stability so having everything in one may be a bad idea. They haven't published performance data on either CRS yet, but I think the RB2011 has the same CPU and it doesn't look too bad.

It does look like a substantial learning curve, but not impossible. I've been using a single Untangle box for years now with a crappy WRTG54 for wireless. The PC is over 5 years old and I'm starting to expect failure. I've been looking at Sophos, but their appliances seem pretty pricey.

$200+ for a managed switch, $100 for an AP, another few hundred for a new low-power firewall... it all adds up and makes this unit... interesting.
 
RouterOS is awesome but beware their wireless. Many of the radios they use are limited to MCS 7, which is 150Mbit/s at best. A couple of years ago I jumped on the 751 thinking it was the best of everything, only to find out the wireless was crap, and got a separate Unifi AP.
 
Thanks for the info--good to know about the wireless. I've kind of been looking into the Edge Router with Unifi AP's as well. It looks like a good combo, they even make a small one with PoE ports.
 
I was in the same boat. EdgeRouter does OpenVPN correctly although you will be limited to about 10Mb/s until they implement hardware acceleration for OpenSSL (no eta). Also, if you want AC, Unifi AC AP is $250 afaik.

For that price you can go with a dual core Broadcom router + AC AP combo like the Asus AC68, Netgear R7000, Linksys 6700/6900 and install DD-WRT/Tomato. I ended up keeping the Routerboard 750G (gave away the 751) as my router/firewall and buying a used Asus AC66 to replace my Unifi AP. Merlin firmware doesn't do VLANs so I will be flashing Tomato soon and possibly retiring the 750G if I can learn to live without Winbox. AC66 is also limited to ~10Mb/s OpenVPN due to similar MIPS CPU but my upstream bandwidth is about the same so it would do for a while. I also picked up an EA6700 during the $100 Black Friday sale to hopefully replace both once Tomato for it is ready.

Don't get me wrong, I'll take RouterOS over Vyatta, Tomato, or DD-WRT, but when you have to add a decent AP and/or proper OpenVPN the costs go up fast.
 
Ouch, $250 is pretty steep. I didn't realize it costs that much--I can wire my house with Ethernet for less than that (with some elbow grease). I've just been lazy and have a couple difficult spots to get to and haven't. Currently we just use wireless for some light web browsing (segregated for cell phones, DVD player & guests). I was planning on installing an HTPC, but I'd rather just have my server stuff out of my office entirely.

I don't really need VPN, though I've thought about it. Maybe in the future.
 
I love Mikrotik too, they are great little devices but I moved over to an EdgeRouter and have to say I like them as well. You don't have a pretty GUI for most things, but I'm used to CLIs working with other switches and routers. I prefer CLI. I have an ERL and an N66 for wireless at home, works great. I really like the Unifi APs as well and use many of them for work as well as Mikrotiks, but couldn't justify the cost at home for a pro so I could get dual band wireless N.
 
Out of curiosity, do you separate your wireless from your wired network?
 

At home? No. I have an Internal VLAN, Guest VLAN, DMZ VLAN, Cisco Lab VLAN and DATA VLAN (iSCSI). Only me and my wife's wireless are on the internal VLAN. Guests that come over, or if I work on a person's computer, get put into the Guest VLAN, either through wireless with a password or wired. DMZ is for my external access servers. Everything is firewalled at my ERL and it also does the routing between VLANs.

Anything in my internal VLAN can access any other VLAN but other VLANs can't access each other or my internal VLAN. Only established traffic is allowed back into my internal VLAN.

I do separate, just not based on wireless vs wireless.
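
Added example, not part of the original posts and not any poster's configuration: a small stateful model of the inter-VLAN policy described in the post above (internal may open connections to any VLAN, other VLANs may only send replies), useful for checking an expected allow/deny matrix before writing router rules. The VLAN names come from the post; the subnets, addresses and ports are constructed for illustration.

```python
import ipaddress

# VLAN names are from the post; these subnets are constructed (assumption).
VLANS = {
    "internal": ipaddress.ip_network("10.0.10.0/24"),
    "guest":    ipaddress.ip_network("10.0.20.0/24"),
    "dmz":      ipaddress.ip_network("10.0.30.0/24"),
    "lab":      ipaddress.ip_network("10.0.40.0/24"),
    "data":     ipaddress.ip_network("10.0.50.0/24"),
}

def vlan_of(ip):
    """Return the VLAN name an address belongs to, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None

class InterVlanFirewall:
    """Default-deny routing between VLANs with connection tracking."""

    def __init__(self):
        self.conntrack = set()  # 5-tuples of connections accepted as NEW

    def decide(self, proto, src, sport, dst, dport):
        reverse = (proto, dst, dport, src, sport)
        # Replies are accepted only if the exact reverse flow was tracked.
        if reverse in self.conntrack:
            return "accept-established"
        s, d = vlan_of(src), vlan_of(dst)
        if s is None or d is None:
            return "drop"  # outside the modelled VLANs: default deny
        # Only the internal VLAN may open new connections to another VLAN.
        if s == "internal" and d != "internal":
            self.conntrack.add((proto, src, sport, dst, dport))
            return "accept-new"
        return "drop"

def run_sample():
    """Evaluate constructed sample flows in order and return the decisions."""
    fw = InterVlanFirewall()
    flows = [
        ("tcp", "10.0.20.5", 40000, "10.0.10.7", 445),    # guest -> internal
        ("tcp", "10.0.10.7", 50000, "10.0.20.5", 22),     # internal -> guest
        ("tcp", "10.0.20.5", 22, "10.0.10.7", 50000),     # reply to the above
        ("tcp", "10.0.20.5", 22, "10.0.10.7", 50001),     # "reply" with no state
        ("tcp", "10.0.30.9", 41000, "10.0.50.2", 3260),   # dmz -> data
    ]
    return [fw.decide(*f) for f in flows]
```
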
 
The CRS series is limited to about 120-130mbps TCP NAT routing with a decent firewall+QOS.

The unknown about the CRS is what handles the inter-vlan routing. If it is the switch chip then it'll be (close to) gigabit speeds. If it is the CPU it'll be the same 120-130mbps.

The wifi and processor in the CRS are the same as the 912 and the 2011 series.

The wifi issues that everyone had with the 712 and 912 have been solved with RouterOS 6.1 and up. I run several 912's on my home network (plaster and lath walls, one on each floor and one outside in a custom enclosure) and they are stable and pretty fast. Wifi rates are exactly what you would expect out of any N150 device. I also have 3 running offsite with site-to-site VPN's back to my house. Stable as can be. Used to run pfsense on remote boxes and they needed to be rebooted about once a month when they locked up. The only time the RB's ever get rebooted is when there is a software upgrade that I want to install.

My main router is a 2011UAS-RM that I use to load balance a 45/6 and a 30/6 connection.

As far as VPN performance with IPSEC, about 12-17mbps is typical depending on your packet size with the CRS, 912 or the 2011.

RouterOS is fantastic and can do just about anything you ever need a router to do, but there is a pretty good learning curve.

If you never want to buy a router again, buy the RB1100ahX2 and grab a 912 (or 2) for wifi. Hardware AES encryption and will route darn close to wire speed. If you need a SOHO device, have a WAN speed >100mbps and aren't too worried about fast inter-vlan routing or blistering fast VPN, get the CRS.
 
Thanks for the info bds1904. That RB1100ahX2 is a bit pricey, I could build a Haswell PC for less than that. I guess I'm not sure what I am going to do yet. I've come up with a few different plans, I just need to land on one.

I think the next thing is to test out Sophos UTM on my current hardware and see what I think. I am looking at some of the following:

- Build a new Haswell i3 to replace my current firewall and continue with Untangle or Sophos
- Get a Mikrotik or ERL for the edge device, build a new all-in-one that has a UTM between the edge device and switch
- Dump the UTM and just drop in something like the ERL or a Mikrotik, and maybe replace my file server with a Microserver

It sounds like the CRS makes a good managed switch, so I will keep it on the short list for that. Either one of those, or maybe a HP or something. My current switch is an unmanaged HP.

I wouldn't mind building the AIO, but server RAM prices right now are so high it's rather prohibitive. I definitely need to upgrade my WAP, the current performance is not very good.
 