Discussion in 'Networking & Security' started by Meeho, Aug 29, 2018.
Does anyone have experience with MikroTik switches, especially compared to UBNT?
Following because I've looked at their products: great pricing, but I read the config is hell on earth. Which may not matter for simpler environments.
I don't have much experience with UBNT except for some demos and si with us that they presented to my company a few years ago. But for MikroTik, I used to have the RB2011-UAS-2HnD-IN about 3 years ago. It was an awesome product and I highly recommend MikroTik products IF you don't mind learning CLI and are comfortable getting your hands dirty with it. It is a very powerful product but requires a lot of DIY. There are a lot of user generated scripts for it. If you are familiar with Cisco or even Juniper CLI OS then the MikroTik CLI is super easy to pick up. They do have a GUI and it can do everything the CLI can (I think) but the GUI itself is not as powerful. I sold my router 3 years ago so I have no idea how the ecosystem has evolved. The only reason why I haven't bought another MikroTik product (and why I sold mine 3 years ago) is because I switched jobs and my new job requires me to test products at home so I have no more time to play with any other products other than the ones I am testing. I believe MikroTik is cheaper but that's because you don't get the support that UBNT will give you.
GUI is almost as powerful as the CLI actually. It also gives you an easier "bird" view of the overall configuration and rules in different sections. As for their routers, there are very few things that can be done only in CLI, like modifying the MAC addresses of ports (which by itself is incomprehensible).
MikroTik is just a cheaper alternative to more prominent brands like Cisco but as dependable as them.
Comparing mikrotik vs. Ubnt products often boils down to personal preference. Mikrotiks are very powerful and sophisticated devices. I like their configuration tool Winbox - much better to work with than any clunky web interface.
Not very easy to get a good grasp on the way they work, but not hard to accomplish if you have a few hours to read docs and have some minimal networking knowledge.
So I'd say not "hell" but "paradise" on earth if you need a powerful and flexible device for your network.
There are two main lines of Mikrotik switches:
CSS: uses a lightweight GUI interface called swOS, supports hardware LACP, VLAN tagging, STP and a few other things. Key word is lightweight, L2 only.
CRS: same physical hardware as the CSS, only they have very limited speed L3 support and lack hardware LACP. Most CRS switches are dual boot capable and can run swOS as well. Running swOS disables any L3 support.
I'm mainly interested in the upcoming 48x PoE switch with L3 support. What does hardware vs software LACP mean?
How would you compare their L3 speed vs UBNT Edge switches?
The CRS series running RouterOS (which enables the use of L3 features) typically is quite slow although that is changing with their larger POE switches utilizing the ARM 98DX3236 such as the CRS328-24P-4S+RM. The "Test Results" tab on their product description page shows pretty decent performance for very basic routing (they call it "Fast Path") which would be utilized for simple inter-vlan routing. Once you start adding firewall rules things really, really slow down.
A direct comparison to the UBNT switches? I haven't personally used the Edgeswitch product line extensively but I have been paying attention to them since UBNT first came out with the line. I do know several people that use them on a regular basis. The failure rate doesn't seem any different than Mikrotik, Linksys or any other non-pro-grade line of switches. Personally I hate the entire UniFi administration environment but the Edgeswitch line doesn't seem too bad. The GUI seems to have most of the options and the CLI seems familiar if you've used Cisco products before. The RouterOS GUI is complicated (all the options, not many descriptions) but straightforward once you take a look around, same with the CLI. The Edgeswitch line is either near-line rate L3 or pretty close to it from everything I can find.
LACP is the deal breaker on the CRS line. LACP is useless while running RouterOS. In RouterOS LACP runs through the CPU (causing very slow performance); swOS handles it through the switch chip, which enables line-speed communication over the LACP link. I personally don't run LACP anymore on "smaller" networks because 10Gb is so cheap.
Short version? Need LACP? Get the Edgeswitch. Don't need LACP? Start looking at the price-per-port value and other features like dual PSU. Need it now? Get the Edgeswitch because Mikrotik has a terrible time delivering products when they say they "should be ready".
No matter what one you choose, if downtime is an issue then buy a spare because the warranty exchange for either isn't going to be fast.
This is why I don't consider LACP a big deal; I also won't be purchasing a storage or compute device/system without 10Gbit in the future either.
Worst part is if you roll mostly 10Gbase-T copper (which I opted to do), because while the SFP+ switches have dropped into affordable range, there's still a bit of a premium for 10Gbase-T. I went with an HP Officeconnect 1850, which is layer 2+ (with LACP), and a used Aruba S2500 off eBay that's not much different than the linked Mikrotik to make sure I don't run out of ports for homelabbing.
CRS354-48P-4S+2Q+ was the one I was looking at, but the latest prediction I could find is 5/2019 release, so that may not even be an option. L3 would be used for inter-vlan routing. I haven't yet figured out how I should segment the inter-vlan routing and firewalling between the switch itself and pfsense on a separate server.
LACP was planned for switch<>nas and switch<>pfsense/cameras_rec/Plex VM server, but maybe it would be better to use two SFP+ ports for that and buy the additional cards for the servers.
This most definitely, whether you buy say 10Gtek or FS.com custom DACs (to make sure) or just use fiber. Main reason is that LACP scaling >1Gbps with one connection is always iffy, but 10Gbps will go no problem.
I'm going to admit to being new on how to implement this properly, but the basic idea is to put stuff that needs to be separated on separate DHCP subnets, with each subnet tagged with a different VLAN.
An example as a point of further discussion:
Put IoT stuff on 10.0.2.0/24 and VLAN2
Put cameras on 10.0.3.0/24 and VLAN3
Put guest WiFi on 10.0.4.0/24 and VLAN4
I plan on revisiting this a bit as I think I've recovered from borking my network repeatedly during my last attempt.
I have a general plan to segment the network like your example above. What I'm not sure about is how to solve the communication and security between some segments that have to talk to each other - when to do it on the switch (faster) and when to go through pfsense (more versatile).
Switches by design cannot forward between vlans; that is the job of the router (L3 SVI instance).
pfsense will allow you to set up different vlan-access mapping. Default I believe is to allow all communication.
There are switches with L3 routing features, though, which avoid the single link bottleneck with an external router. A 10 Gbit switch<->pfsense link would mitigate that hopefully.
Correct, but a multilayer switch with L3 features that has no knowledge of the routing required between the vlans cannot do so.
Certain technology (intervlan routing) permits the "routing" between vlans on a switch by leaking the routing table via discovery.
L3 switches that support intervlan routing are desirable for pretty much every situation where high local bandwidth exists that must be segregated.
Typically not a home user situation, yet, but with the IoT explosion including cameras, which are themselves physically exposed network attack vectors, the need to be able to put nodes on not just separate broadcast domains but also separate routing domains will certainly increase.
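One concrete way to split the work between a CRS switch and pfSense, using the VLAN 2/3/4 plan from earlier in the thread: the camera VLAN and a recorder VLAN are routed inside the switch (high local bandwidth, no firewall rules on the CRS, so it stays in the fast path the thread mentions), while the IoT and guest VLANs are bridged through to pfSense, which stays their only gateway and enforces isolation. This is an added example, not a config posted in the thread or published by MikroTik; the port assignments, the recorder VLAN 5, the transit VLAN 99 and the 10.0.99.0/30 addressing are all assumptions.

```routeros
# Added example (not from the thread): CRS on RouterOS 6.41+ with bridge VLAN filtering.
# Assumed ports: ether1 = trunk to pfSense, ether2 = IoT, ether3 = cameras,
# ether4 = guest AP, ether5 = camera recorder. VLAN 5 and VLAN 99 are constructed here.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2 pvid=2
add bridge=bridge1 interface=ether3 pvid=3
add bridge=bridge1 interface=ether4 pvid=4
add bridge=bridge1 interface=ether5 pvid=5
# VLAN table. "tagged=bridge1" hands a VLAN to the switch CPU so it can be routed here.
# VLAN 2 (IoT) and VLAN 4 (guest) are deliberately L2-only on the switch: they are only
# tagged toward ether1, so pfSense (10.0.2.1 / 10.0.4.1) is their sole gateway and firewall.
/interface bridge vlan
add bridge=bridge1 vlan-ids=3 tagged=bridge1 untagged=ether3
add bridge=bridge1 vlan-ids=5 tagged=bridge1 untagged=ether5
add bridge=bridge1 vlan-ids=2 tagged=ether1 untagged=ether2
add bridge=bridge1 vlan-ids=4 tagged=ether1 untagged=ether4
add bridge=bridge1 vlan-ids=99 tagged=bridge1,ether1
# L3 interfaces for the VLANs the switch routes itself, plus the transit link to pfSense.
/interface vlan
add name=vlan3-cam interface=bridge1 vlan-id=3
add name=vlan5-rec interface=bridge1 vlan-id=5
add name=vlan99-transit interface=bridge1 vlan-id=99
/ip address
add address=10.0.3.1/24 interface=vlan3-cam
add address=10.0.5.1/24 interface=vlan5-rec
add address=10.0.99.2/30 interface=vlan99-transit
# Anything the switch does not route locally goes to pfSense (10.0.99.1 assumed).
# pfSense needs static routes for 10.0.3.0/24 and 10.0.5.0/24 via 10.0.99.2, and its
# rules on the transit interface decide what cameras and recorder may reach beyond the switch.
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.99.1
# DHCP for the camera VLAN lives on the switch because the switch is its gateway;
# pfSense keeps serving DHCP for VLAN 2 and VLAN 4.
/ip pool
add name=pool-cam ranges=10.0.3.100-10.0.3.200
/ip dhcp-server
add name=dhcp-cam interface=vlan3-cam address-pool=pool-cam disabled=no
/ip dhcp-server network
add address=10.0.3.0/24 gateway=10.0.3.1
# No /ip firewall filter rules on the switch: per the thread, adding them takes the CRS
# out of fast path. Camera<->recorder policy therefore belongs on the recorder host or,
# if it must be enforced in the network, on pfSense with both VLANs routed there instead.
# Enable filtering last, while managing the switch over the transit VLAN (10.0.99.2).
/interface bridge
set bridge1 vlan-filtering=yes
```

The trade-off is explicit in the VLAN table: moving a VLAN's "tagged=bridge1" to "tagged=ether1" hands its routing and filtering back to pfSense at the cost of the single uplink the thread discusses.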