Migrating From OPNsense To Mikrotik

  • Published on 9 Jun 2024
  • In this video we go over the reasons behind my latest upgrade: my new Mikrotik RB5009 as well as the considerations for moving away from my OPNsense box.
    We'll talk about the old server, the new router, the reasons for the upgrade and the OOB experience with the Mikrotik RB5009.
    Consider subscribing to the channel: @mirceanton
    🔗 Useful Links🔗
    Associated blog post: mirceanton.com/posts/migratin...
    RouterOS Terraform Provider: registry.terraform.io/provide...
    Ansible Module For Cisco SMB: docs.ansible.com/ansible/late...
    👋 Get In Touch 👋
    Here's where you can find me on other online platforms:
    LinkedIn: / mirceanton
    GitHub: github.com/mirceanton
    Instagram: / _mirceanton
    Reddit: / mikeanth
    ⌚ Timestamps ⌚
    00:00 Intro
    00:25 Old Server Overview
    02:12 Old Server Backstory
    02:47 Mikrotik Unboxing
    04:20 Why am I upgrading?
    05:59 Performance
    08:00 Power Consumption
    09:07 Automation
    12:45 Racking the Mikrotik
    15:20 Mikrotik Default Config
    18:27 Conclusion
    ©️ Credits ©️
    Music By:
    Sowntown Walk by | e s c p | www.escp.space
    escp-music.bandcamp.com
    Sound Effects From ZapSplat:
    www.zapsplat.com
    End Screen Template by Vecteezy
    www.vecteezy.com/free-videos/...
    Like and Subscribe Animation by Vecteezy:
    www.vecteezy.com/free-videos/...
  • Science & Technology

Comments • 100

  • @libus9993 25 days ago +5

    Loved seeing your setup! My hardware knowledge is pretty terrible but I enjoyed seeing your process in this migration. Keep it up!

  • @examen1996 9 days ago +2

    Hello Mircea,
    First of all, it's great to find another fellow homelabber from my country that shares my interests. Also, I like your enthusiasm, it comes through the video!
    As chance would have it, I was also looking at upgrading my router, but I went for the generic N100 AliExpress device for the 2.5 NICs and the possibility to revert to my trusty OpenWrt in case OPNsense/pfSense doesn't fit my needs.
    If you ever get bored of the Mikrotik OS, you can also try OpenWrt (on the same device), and that can be managed with OpenWISP, which is awesome if you manage more locations with several routers.
    Great video
    Ceau :)

    • @chris2pple1 8 days ago

      Also RO, also Mkt fanboy, also homelabber, only difference left about 8 years ago

  • @Doesntcompute2k 24 days ago +5

    Great video! I really like Mikrotik devices. I have a LOT of network devices--Cisco, Mikrotik, TP-Link, Arista, Unifi, Netgear, HP, and generic. Mikrotik does a good job with informing users and documenting their devices.
    I would love to see how you're going to use Terraform with the setups. Keep up the great videos!

  • @klingoncowboy4 22 days ago +3

    Been using Mikrotik for over a decade now. Always exciting to see new content.

  • @mircea8342 7 days ago +1

    Finally.. found a homelabber with Mikrotik and no UniFi. And I think you're from Ro 😁. I use Mikrotik too

  • @anthonyrasat6924 21 days ago +4

    I once accidentally converted a Cisco fanboy to a Mikrotik believer.
    "What's that?"
    "Mikrotik router."
    "Why do you use consumer grade hardware while you are a professional?"
    "Consumer? What? You've never seen one of these?"
    I fired up WinBox and less than 15 minutes later he was the one commandeering the mouse.

    • @chris2pple1 8 days ago

      Nice. Yes, I know, hard to swallow that some other manufacturers also make good enterprise stuff way cheaper than the "Mercedes" of the field

  • @JonathanChancey 24 days ago +3

    I love your journey through networking IaC. It's something that I've always wanted but it didn't really seem robust enough with OPNsense.
    I hope RouterOS with Terraform works out for you long term!

  • @KaldekBoch 22 days ago +1

    Hi mate, I've been using an RB5009 as my gateway for a couple of years. An excellent device.

  • @svsk1ng 21 days ago +1

    Nice and interesting video. Will buy an RB5009 soon for my homelab also :))

  • @PeterBuffon 24 days ago +8

    Welcome to the Mikrotik team, I have been running an RB3011 for like 4 years now, a bit overkill for my network hehehehe.

    • @lucasthielke 23 days ago

      Using one rb3011 since last 2022, really a good router. It runs my 1Gb network, both ipv4/ipv6

    • @Vhalikuporamee447 22 days ago

      @lucasthielke RB5009UPr here. I use it with a CRS305-1G-4S+IN to get a 10G backbone for my desktop and home server, and its PoE has been useful for my Grandstream access points. Absolutely excellent router.

  • @antaishizuku 22 days ago +2

    Personally I'd keep OPNsense as the edge firewall and use Mikrotik as an internal firewall, but it's your network.

  • @JasonsLabVideos 24 days ago +2

    Nice! Liked and subscribed !

  • @annony1annony191 22 days ago +1

    Well done video. I've been using Mikrotik for 11 years now, and I even have Mikrotik CHR running a DHCP server setup in a VM running on Proxmox.

  • @carlostrudo 25 days ago +8

    I just did exactly the opposite a couple of months back, left Mikrotik in favor of OPNsense.

    • @mirceanton 25 days ago +2

      Interesting. What made you ditch Mikrotik?

    • @carlostrudo 25 days ago

      @mirceanton I have a very simple home lab and automation at home. Mikrotik was more than enough and even more powerful than I needed, but I wanted something more “user friendly” that I could add plugins to and consolidate the hardware. I got an Intel J4125 4x 2.5GbE NIC small box (tiny) that I’m running Proxmox on, and I pass through 3 NICs to OPNsense and the other is shared across some small VMs/containers (WireGuard, reverse proxy, Home Assistant, DDNS, etc).
      Also, OPNsense has some nice dashboards, log views and drill-down information out of the box. It could be done with Mikrotik and Grafana, but “too much” work. Lol.

    • @guyboisvert66 22 days ago +2

      Is it for "plugin stuff" like Suricata?

    • @carlostrudo 22 days ago

      @mirceanton mainly for plugins and “ease of use”. Mikrotik was more than enough for me but I wanted to consolidate hardware also. I got an Intel J4125 4x2.5GbE port that I installed Proxmox on and reserved 3 ports for OPNsense and allocated the other for reverse proxy and some other small things.
      Also OPNsense is “more visual” and has some nice addons and reports.

    • @carlostrudo 22 days ago +2

      @guyboisvert66 not only but mainly.

  • @blairhaynes9489 23 days ago +1

    Nice video, I have subscribed and “liked”. I’m looking forward to seeing the rules you implement on the MikroTik.
    I’ve used MikroTik and think it’s very powerful, but I have switched my firewall appliance for a Firewalla Gold Plus. No command line, all app based, but I’d like to return to the MikroTik environment.

  • @ti4go 25 days ago +3

    Well, you just got a "bell" enabled...

  • @drreality1 24 days ago +1

    I’d love to see how to migrate OPNsense rules and settings to Mikrotik!
    Thanks

  • @mctscott123 19 days ago +1

    Love my 5009!

  • @truckerallikatuk 13 days ago +1

    Curious to see how this goes, subbed. I'm considering moving my router from a VM to a bare metal solution. I'm wondering how easy/good the firewall is to configure. Could you go over the options for that? I'm curious how flexible and capable these mikrotik boxes are, I love my Mikrotik CSS switch, and would consider them for the router too.

    • @mirceanton 7 days ago +1

      Thanks for the sub!
      I'm afraid that the video won't cover all the details you are looking for :(
      The configuration that I will be presenting, or rather the method to apply it, will be automation via Terraform. I won't really cover using WinBox to configure the router more than the initial setup.
      To be fully honest, there are far better resources out there for specialized Mikrotik content, such as TheNetworkBerg youtube channel. I'm a DevOps guy dabbling in networking stuff, mainly from the perspective of automation.

  • @andydtoma 25 days ago +3

    Very nice! I can't wait to see how you're going to set it up.
    For now, I've left the routing between VLANs in the care of a pair of pfSense instances virtualized in Proxmox...

    • @mirceanton 25 days ago

      There are ideas and plans, if only there were time! I want to configure my whole network, the VPN server and possibly some containers for DNS/ad-blocking with Terraform.
      Also, since Terraform recently changed its license, I was thinking of looking into OpenTofu as an alternative for the whole setup

    • @andydtoma 25 days ago +1

      @mirceanton We're in similar situations, but in different contexts. A few years ago I started my homelab with a Proxmox cluster built from old junk and NUCs, but ideas change so quickly that there's always something to start again from scratch, as in the tale of Meșterul Manole. The latest thing is that I managed to fire up a Kubernetes cluster based on Talos VMs through Terraform, Packer and your experience with talosctl, but I'm also in a dilemma about OpenTofu, and available time and everyday life are the main obstacles.
      In September I'll be coming to Romania, to Bucharest, and maybe we'll meet face to face to exchange experiences.
      Good luck!

  • @johnf216 23 days ago +1

    Looking forward to the next video. I use both OPNsense and Mikrotik but my current Mikrotik hardware is in need of an upgrade. Just replacing with OPNsense feels like the easy option but I do like the look of the RB5009s.
    Have you considered failover? And do you know how easy that is to set up with RouterOS?

    • @mirceanton 23 days ago +1

      I haven't really looked into it so I can't comment on that.
      I will say, however, that if you're looking for fail over I think it's pretty nice that you can fit 2x RB5009 routers in a single rack unit using the k-79 mounting kit

    • @guyboisvert66 22 days ago

      There are many videos on using more than one internet access link, RouterOS can even load balance and do very crazy things! Mangle is very powerful and i use it often to do many cool stuff with routing, DNS, etc.

  • @HassanHassan-cm4pq 20 days ago +2

    Why would someone switch from driving a Ferrari to the mini Smart unless you desperately need it?

  • @denny783 25 days ago +1

    Have you considered Vyos? I believe it supports both Terraform and Ansible. The entire configuration process basically consists of CLI commands.
    I'm in a similar situation where I'm considering switching from OPNsense because I want to manage my configurations as code. However, I'm still undecided about which option to choose.

    • @mirceanton 25 days ago +1

      I would not recommend VyOS. I am not currently using it, nor have I used it in the past, but there has been some controversy surrounding it lately, which caused a lot of people to migrate away from it.
      Essentially, the maintainers threatened to take down some community builds and made it very difficult to build the LTS release. I haven't really kept up to date on this, but there have been some personal jabs made as well against people doing their own OS builds.
      Someone that is more involved in these events may chime in to give some more details, but that's the gist of it, from what I understood.

    • @denny783 25 days ago

      @mirceanton That doesn’t sound too great, I guess I’ll have a closer look at MikroTik then.
      EdgeOS might also be an option, but I feel like Ubiquiti’s support there has been very lackluster and they focus more on their UniFi range.

    • @mirceanton 25 days ago +1

      It really depends what you're looking for. Sure, UniFi is great and a lot of people use it in their homelabs. If you're looking for automation and Infrastructure-as-Code, then I can't really recommend it. Otherwise, it's a solid option too

  • @kurosudo8762 23 days ago +5

    Hi, I hope you love your Mikrotik setup, the RB5009 is a great, powerful machine. Some tips for the future. Bridging in Mikrotik is really terrible because all packets are going through the CPU. If you have a better switch with SFP+, buy an SFP+ DAC cable, they are really cheap, and connect the switch and router with one port. On that router port assign VLANs and let a switch do the switching work, not the router. You will get better performance

    • @mirceanton 23 days ago +1

      Hi! Thank you for the tips! That's precisely the plan. I am bridging the ports as a temporary solution until I get some proper switches.
      I plan to use the 10g port for my lab switch and the 2.5g for my LAN switch and then one of the 1g ports for my WAN and another for my management network or something along those lines. I need to get the switches first though!

    • @hey_leao 18 days ago +2

      There is an option to change that, they call it "Hardware Offload"; you can see that option in the bridge. This will use the switch chip instead of the processor.

    • @kurosudo8762 18 days ago +1

      @hey_leao you are 100% right about this, but in some cases when IP filter is enabled some strange behaviour can happen. But yes, HW offload is also a solution, but sadly not for all RouterBOARDs :) I still prefer a router-on-a-stick setup, since messing with multiple bridges as VLANs is actually a nightmare.

    • @hey_leao 18 days ago

      @kurosudo8762 Yes! That's why you need to do some inspection in your topology (it's not a router problem). Another thing about it: "Not all devices support port isolation, currently only CRS1xx/CRS2xx series devices support it and only 7 isolated and hardware offloaded bridges are supported at the same time, other devices will have to use the CPU to forward the packets on other bridges" and not all RBs have a VLAN table, that's important too. The IP firewall option uses the CPU; you can try to use some bridge filter.

  • @affinitystablepeanuts 25 days ago +3

    This was an interesting one, thank you! Would love to see what you'd manage to do with Terraform here.
    Regarding WiFi: Mikrotik's wifi can be problematic, hope it works alright for you. Watch out for mix and match of old and new MTK access points as Mikrotik has two CAPsMAN (their controller) versions that are incompatible.

    • @mirceanton 24 days ago

      Yeah, I already got a Mikrotik AP by the time I finished this video and I had trouble getting CAPSMAN to work properly. I ended up configuring the AP as a standalone device just to get it up and running, but it's something I need to look into a bit more!
      Mikrotik definitely has a steeper learning curve than other solutions for sure 😅

    • @affinitystablepeanuts 24 days ago +1

      @mirceanton CAPsMAN-wise, make sure all the APs you would buy can work with the same version. Otherwise each one can be managed individually via RouterOS means that all of them run. So probably would be easier to hook them up to your Terraform that way.

    • @affinitystablepeanuts 24 days ago +1

      @mirceanton generally speaking, wifi from MTK lags behind competitors a bit. Does not have any 802.11be or 802.11axe solutions, only recently added 802.11r/k/v (not sure how well it works), don't do more than 2x2 and so on, and so on... Good news: you could run TP-Link or Ubiquiti controllers in containers on your RB5009 and MTK works fine with those access points.

  • @lucasthielke 23 days ago +1

    You can basically use more than 1Gb on the 5009 using the SFP+ and 2.5Gb port. Can receive on the SFP port with an adapter easily, so it can reach more than 1Gb

    • @mirceanton 23 days ago

      Yep, the device itself can do more than 1Gb. The problem is that I don't really have other 10g devices to test with it, either SFP+ or RJ45
      And then, even if I did, my switches are all 1gb and my internet is not even half of that

    • @lucasthielke 23 days ago +1

      @mirceanton it’s more for the future, make this router with better longevity

    • @mirceanton 23 days ago

      @lucasthielke oh absolutely. Even though I can't use those ports right now, they did play a role in the decision since they future proof this device a bit. They were not the main deciding factors, but they sure gave me some peace of mind!

  • @blackphidora 24 days ago +1

    Home-ops sent me here lol

  • @chipchipable 23 days ago +1

    Welcome to Mikrotik. Been using Mikrotik since 2017, before that using x86 m0n0wall in 2008, x86 pfSense in 2014.. now 2024, playing with OpenWrt

    • @mirceanton 23 days ago

      Thanks!
      The landscape is definitely quite diverse. I'd love to see more support for arm platforms though, as we've seen quite a few SBCs which would fit the bill nicely as a low power and quiet router.

    • @guyboisvert66 22 days ago

      I'm curious why you're playing with OpenWRT. Do you have a use case? I started my networking journey in 1991 as a network engineer. I used since then many many NOS and i was using DD-WRT for friends and SMBs long time ago! After finding Mikrotik / RouterOS, i stopped using *wrt. I too used monowall / pfSense and i was glad to replace it with RouterOS too! Not that they are that bad, but i highly prefer RouterOS for many reasons. The management aspect of RouterOS being one of them, one of the best management i used IMHO.

    • @MrPir84free 22 days ago

      @guyboisvert66 I have been playing with OpenWRT; I was interested in the low power, compact size, and performance. It was an RK3588 with 16G ram; As a router, it worked fine but once you delved into building VLAN's, some pieces of the network rules seems to be less than optimal; but at the same time, things like Policy Based Routing with VPN's was super easy, and worked very well. There's also a ton of other things like Docker, storage, etc that I didn't delve into; security was a greater concern, and OpnSense seemed "better". It only drew a handful of watts, and was fanless; so much overhead it was ridiculous. Fairly sure everyone has unique use cases, and unique reasons why they went one way or another.
      I still have a Mikrotik router unopened in a box; may have to try it some day when I get some time. I could run much more on the RK3588; but I have trust issues; not with OpenWRT, but as the hardware wasn't directly supported by OpenWRT... There are ways to compile it yourself, but I don't have the time.. Great hardware though.
      I may still use the hardware moving forward; not sure how much I can change without annoying the spouse however. I realize I like to tinker..

  • @benardmensah7688 25 days ago +2

    Ok first off you had the wrong hardware for opnsense, am running latest version on a Cisco ASA5515X. It draws less than 20w and I get full 1Gbps download and 120Mbps upload.
    Mikrotik is nice but it takes a while to learn the mikrotik way.

    • @mirceanton 24 days ago +1

      Wrong or right, I used the hardware I already had laying around that had no other purpose. Sure, just like you mentioned, I could have improved that setup with some better hardware, but that was not really the point. I never felt limited by my hardware choices. The power consumption and maybe even the performance could have been improved, and I totally agree, but those were not my limiting factors.
      This was more of a software limitation, where OPNsense doesn't really support automation to the extent that Mikrotik does. Other than that, yes, I could have stayed on OPNsense and optimize my hardware setup to achieve similar results.

    • @MrPir84free 22 days ago +1

      @mirceanton IF he told me that, I'd assume he meant using an older full-on desktop/server hardware is the wrong hardware.. And I'd agree that "what you happen to have" is not likely ever going to be optimal. Not sure what the Cisco ASA5515X is internally, but sometimes if one wants efficiency, one needs to consider either different hardware or buying different hardware especially if things like excessive power consumption, fan noise, and heat are a concern. Am running Opnsense on a N100 fanless mini PC; and it draws about 12 Watts, IIRC. OpenWRT on ARM hardware also was an option, and drew less power, but my issue was not really with OpenWRT but who/where the code for it was maintained as it wasn't available directly from OpenWRT. It did have lots of headroom however, and drew less than OpnSense did on the N100. Personally, I would not want running fans of any sort in my sleeping area !! After years of dealing with fan noise, I think my hearing is more screwed up than from the time I spent in the military dealing with loud turbocharged/supercharged diesel engines, and marine turbine engines.
      Congrats on your new router; hope it serves you well.. TBH; it's not right nor wrong; it's a choice, with consequences. Choosing Opnsense on a N100 is both a choice and has consequences; Choosing mikrotik hardware is also a choice and has consequences. Everything in life is about making a choice, leveraging the pro's and accepting the con's.

  • @chris2pple1 8 days ago +1

    Servus my fellow Ro, I assume, because I also am one :) I see the opinions that you downgraded; it is somehow kinda true, but Mikrotik also has products that support packet inspection, the only issue is that they are another product class with another price point. Mikrotik has operated since 1996 or 97 and they also manufacture ISP grade devices just like Juniper, Cisco, Nokia etc but also stuff like these consumer grade routers for the enthusiasts that sometimes have fun experimenting with OSPF, BGP, or tunneling protocols like WireGuard, OpenVPN. I also have some of their RB 2011, RB 4011, and some other cheaper smaller devices because not everybody will pay around 400-500 $ or Euro for a used Cisco router just to have the hands-on experience, and if I am not mistaken the Torch function on Mkt RB does exactly that: Packet Inspection

    • @mirceanton 7 days ago

      Servus! Yeah, I understand where they come from, saying that this was in fact a downgrade. However, I specifically mention in the video that I was not doing any of that with OPNsense to begin with, and strictly from the PoV of my use-case there is more-or-less feature parity between the two. It's a matter of perspective, in my opinion

    • @chris2pple1 7 days ago +1

      @mirceanton Gotcha, I watched the video after I wrote the comment where you stated the reason for size and noise, because I was searching for something related to the router world and the YT algorithm or who knows maybe karma ;) suggested through my feed also this video and I was just skimming through it and because of your name I thought you are a fellow landsman. Nice, keep up the energy

  • @guygoerres9670 21 days ago +2

    Mikrotik firewalls are not for the beginners.. You need to know how an IP network is working and how a firewall is supposed to work.

    • @mirceanton 21 days ago +1

      Yeah, it's definitely got a steeper learning curve!

  • @ryancaesar5547 25 days ago +1

    OPNsense is better, it has more features. I guess that doesn't matter to you

    • @mirceanton 24 days ago +5

      Better or worse are both subjective and highly dependent on the criteria used for the comparison. For me and my particular use-case, I'd say Mikrotik wins out this competition.
      What are some features that you find to be missing on Mikrotik, that you use on OPNsense?

    • @youtubear02xdax 23 days ago +1

      Which features are more necessary, if all inbound ports are closed anyways?
      I can’t think of any.

    • @guyboisvert66 22 days ago

      @youtubear02xdax OPNsense supports plugins, like Suricata. I stopped using *sense many years ago and replaced it with RouterOS. I didn't like the ugly and slow web UI and that pf was always reloading after config modification. I'm not bashing *sense, it has its strengths but I don't like it.
      I'm an Open Source advocate but sometimes, you have to make choices based on your use cases or preferences.

  • @threepe0 19 days ago +1

    Congrats, you threw away UTM and called it an upgrade. How do you go through an entire build and not understand the value of intrusion detection and threat management 🤔 “upgrade” what the…

    • @mirceanton 19 days ago

      This is a homelab. I mention in the video that I was not running any IDS or IPS on my OPNsense or anything like that. In my use case, and for many others who run it at home I'd assume, it's acting mainly, if not only, as a router/basic firewall.
      I explained in the video that I personally consider it an upgrade because it allows me to do something which I was not able to before, which is to adopt it in my IaC/GitOps setup. To me as a DevOps engineer that matters more, for my homelab than IDS or IPS.
      Homelabs are all about what you want to learn/play with, and from that aspect, it was an upgrade for me 🤷‍♂️

  • @bentheguru4986 24 days ago +9

    So, you just trashed your oversized firewall/UTM and replaced it with a router, congratulations on downgrading your security.... You drank the Miki Kool-Aid.

    • @mirceanton 24 days ago +5

      Genuine question: how is Mikrotik that much more insecure compared to OPNsense or other solutions? At least as far as I can tell features/customizability seem to be fairly similar.
      If one has the knowledge to configure an OPNsense device properly, wouldn't it be the same case for a Mikrotik as well?

    • @sparc64 24 days ago +3

      @mirceanton End user has the ability to fully audit all software running on OPNsense compared to Mikrotik

    • @claudiobolcato3048 24 days ago +7

      @mirceanton A firewall (UTM or NGFW) has multiple advanced features like deep packet inspection, SSL inspection, IPS/IDS, antimalware, sandboxing, application and URL filtering and many others. Mikrotik has very good products but has limited firewalling features. It's a good router but just a router. You can keep using OPNsense or other firewall solutions as a VM

    • @jayfraxtea 24 days ago

      @sparc64, please show me the "end user" that has the ability to "fully audit" a complex software product. I'm a networking guy (mostly with MikroTik devices) as well as an experienced C++ developer, and even with my capabilities, in particular as developer, my std::chrono::lifetime is too small to audit the source codes used in my networking equipment, my cellphone, or any other device around me.

    • @jayfraxtea 24 days ago +1

      @claudiobolcato3048, are you stuck in the mid 2010s? Nowadays most of the traffic is encrypted and newer technologies make it hard or completely impossible to intersect TLS traffic. Anyhow I agree with your bottom line: use MikroTik as router (or as switch, or as wifi-ap) and extend this setup with specialised systems, if you really (believe you) need them, be it a firewall, be it a network access system.