The Mikrotik Group

[ChristopherH]

Hi All

 

I have been browsing the forum for quite some time, and I unfortunately haven't come across a thread dedicated to Mikrotik hardware. So here we are.

 

I am a heavy user of Mikrotik hardware. At home, I have an RB2011UiAS-2HnD-IN, and in my datacentre colocation racks in Sydney and Melbourne I use CCR1009-7G-1C-1S+, with EoIP tunnels all over the place on one big internal network. I have also rebuilt an ISP in Vanuatu (a small country in the pacific islands) using Mikrotik routing and switching equipment.

 

If you have any issues or problems, want some advice or just want to show-off what you got, feel free to do so here.

 

Thanks,

Christopher H.

[ChristopherH]

Basic Firewall Rules

This is a basic firewall rule list which I have used for a few years. It works really well and I have not had issues yet. reply below if you think any better changes could be made.

 

/ip firewall filter
add action=drop chain=input comment="Drop recursive DNS traffic" dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop SSH brute force users" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=4w2d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="Drop Telnet brute force users" dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=4w2d chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1 log=yes
 

[brwainer]

Sounds good. This is my home setup:

• https://mikrotik.com/product/CRS125-24G-1S-IN - central router and switch, using 2 of 5 public IPs.
• 2x RB750Gr2 (they don't seem to have this on the site anymore, but here's the specs) - additional routers, using 1 public IP each
• (5th public IP is used by a Verizon Quantum Gateway router, in case anyone was wondering)
• 3x https://mikrotik.com/product/RB962UiGS-5HacT2HnT - APs / VLAN filtering switches
• 2x https://mikrotik.com/product/RB260GS - used to be used as switches, reserved for use in my "fiber connection to the outdoor shed" project as glorified media converters.

Stuff I've installed in other people's houses:

• https://mikrotik.com/product/RB951G-2HnD - at grandparent's house as the only piece of networking equipment other than the modem
• https://mikrotik.com/product/RB750GL - at friend's house, he has separate APs

Commonly used by work:

• CCR series routers, up to and including the CCR1072s - core routers at our customer sites and colos
• RB1100AHx2 - core router at older sites that haven't been upgraded yet; management routers at sites that have been upgraded and thus had these as surplus
• RB750, RB750L, RB750GL, RB750Gr2, RB750Gr3, CRS series products - management routers
• Many other router models - very old core routers that have long been retired and probably recycled. I know we had some of the original x86 based routers like RB230 lying around up until a few years ago
• https://wiki.mikrotik.com/wiki/Manual:CHR - I'm using it for a project, but we may use PFSense in the end since I haven't been approved to buy a license for >1mb/s speeds... I only need ~5Mb/s for this project so the upgrade to gigabit is being seen as unnecessary

About RouterOS versions / recent changes

Both at home and at work we stay on the Bugfix channel, but I avidly follow the Announcements part of the Mikrotik forum. The changes in the RC channel to the way that hardware switches are configured is both very exciting, and somewhat terrifying. I'm not expecting to be able to cleanly upgrade my home core router when the time comes, because my use of the switch chip features is very complex, moreso than I expect the upgrade script will be able to handle.

[Just.Oblivious]

Mikrotik tinkerer chiming in (RB2011UiAS-RM, hEX Gr3 and a few access points).

 

I've been using Routerboard hardware for just over four years now (with no significant hiccups).

 

One thing that Mikrotik didn't impress me with is indoor 802.11ac wireless.

I recently replaced my two RB wAP AC access points with UniFi AC Lite's. The AC Lite is giving me far better 5 GHz coverage and 802.11ac throughput compared to the wAP AC (with identical channel/rate settings).

[Chaz042]

Hey, Just got my fist MikroTik device a few weeks ago, the Mikrotik CRS317-1G-16S+RM, 16 port 10gig switch.

 

Any tips I should know?

[brwainer]

4 hours ago, Chaz042 said:

Hey, Just got my fist MikroTik device a few weeks ago, the Mikrotik CRS317-1G-16S+RM, 16 port 10gig switch.

 

Any tips I should know?

A lot of the "switch" features of the CRS3xx features are tied up in the new bridge implementation, where instead of programming them using the "Switch" menu, you set everything up with the bridge menu, and it will apply "hardware acceleration" as long as you don't add any features that the switch chip can't handle. The end goal is that all functions will be available, but they will be easier to set up than having to use the Switch menu. Setting up advanced VLANs and other things via the Switch menu has always been much harder than on a Cisco, HP, etc managed switch because you are basically programming the switch chip yourself. While this means it is more powerful config-wise, it is also harder to do. The new bridge implementation is meant to fix that. Right now, the new bridge implementation is only available in the RC channel, in version 6.41.

[ChristopherH]

On 22/11/2017 at 5:16 AM, Chaz042 said:

Hey, Just got my fist MikroTik device a few weeks ago, the Mikrotik CRS317-1G-16S+RM, 16 port 10gig switch.

 

Any tips I should know?

Hey Chaz042, are you planning to use it as a router, or simply a switch?

[KrauseeAUS]

Huge fan of mtik, +1 this post, we use them mainly at work (at a DC) and I use one at home.

[ChristopherH]

51 minutes ago, KrauseeAUS said:

Huge fan of mtik, +1 this post, we use them mainly at work (at a DC) and I use one at home.

What have you got (and in which) DC?

[KrauseeAUS]

I work at DC West, small DC in Perth.

 

I have an RB2011L-RM at home 

[ChristopherH]

42 minutes ago, KrauseeAUS said:

I work at DC West, small DC in Perth.

 

I have an RB2011L-RM at home 

I've bought the same to deploy at home in a little 4RU comms rack, that has been sitting its box for the past 3 weeks along with a CRS125-24G-IS-RM

[Guest]

Been debating buying one to play around with but struggling to find a disti for them

[ChristopherH]

4 minutes ago, Windspeed36 said:

Been debating buying one to play around with but struggling to find a disti for them

Where abouts are you located?

[Guest]

21 minutes ago, ChristopherH said:

Where abouts are you located?

Melbourne but we don't have a trade account with Streakwave and due to internal policy, would need to source it from one we did..

 

[ChristopherH]

I can help you with that. Send me a PM with your e-mail and I'll contact you.