Looking forward to the next video. I use both OPNsense and MikroTik but my current MikroTik hardware is in need of an upgrade. Just replacing it with OPNsense feels like the easy option but I do like the look of the RB5009s. Have you considered failover? And do you know how easy that is to set up with RouterOS?
I haven't really looked into it so I can't comment on that. I will say, however, that if you're looking for failover, I think it's pretty nice that you can fit 2x RB5009 routers in a single rack unit using the K-79 mounting kit
There are many videos on using more than one internet access link; RouterOS can even load balance and do very crazy things! Mangle is very powerful and I use it often to do many cool things with routing, DNS, etc.
Hi, I hope you love your MikroTik setup, the RB5009 is a great, powerful machine. Some tips for the future. Bridging in MikroTik is really terrible because all packets go through the CPU. If you get a better switch with SFP+, buy an SFP+ DAC cable, they are really cheap, and connect the switch and router with one port. On that router port assign VLANs and let the switch do the switching work, not the router. You will get better performance.
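The failover question two comments up was left open, so here is an added example (not from the video and not posted by any commenter) of the usual dual-WAN failover pattern on RouterOS v7: two default routes with different distances, each pointing at a probe host through a recursive next hop, so that the route is withdrawn when the path beyond the ISP's first hop dies, not only when the ISP gateway itself stops answering. The interface names (ether1, ether2), the gateway addresses (RFC 5737 documentation ranges), the LAN range and the probe targets are assumptions; adjust them to your own setup.

```routeros
# Added example, not from the video: dual-WAN failover on RouterOS v7.
# Assumptions: ether1 = WAN1 (gateway 203.0.113.1), ether2 = WAN2 (gateway
# 198.51.100.1), LAN = 192.168.88.0/24, probe hosts 1.1.1.1 and 9.9.9.9.

# Both uplinks in one interface list so NAT and firewall rules use a single name.
/interface list add name=WAN comment="uplinks"
/interface list member add list=WAN interface=ether1
/interface list member add list=WAN interface=ether2

# Host routes to the probe targets, each pinned to one ISP gateway.
# scope=10 makes them resolvable as recursive next hops for the routes below.
/ip route add dst-address=1.1.1.1/32 gateway=203.0.113.1 scope=10 comment="probe via WAN1"
/ip route add dst-address=9.9.9.9/32 gateway=198.51.100.1 scope=10 comment="probe via WAN2"

# Default routes whose gateway is the probe host, resolved recursively
# (target-scope=10). check-gateway=ping pings that probe host, i.e. it tests
# the whole path through the ISP, not just the first hop. The route with the
# lower distance is active while its probe answers.
/ip route add dst-address=0.0.0.0/0 gateway=1.1.1.1 distance=1 target-scope=10 check-gateway=ping comment="default via WAN1 (primary)"
/ip route add dst-address=0.0.0.0/0 gateway=9.9.9.9 distance=2 target-scope=10 check-gateway=ping comment="default via WAN2 (backup)"

# Masquerade on whichever uplink a packet leaves, so NAT keeps working after a switch.
/ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade comment="NAT for both uplinks"

# Verify: the active default route carries the A (active) flag; the backup
# loses it only while its own probe fails, and gains it when WAN1's probe fails.
/ip route print where dst-address=0.0.0.0/0
```

Two things to keep in mind: LAN clients that talk to the probe hosts themselves always leave via the uplink the host route pins them to, so pick addresses you do not depend on for client DNS, and existing connections established through WAN1 are not migrated; they time out and get re-established through WAN2 after the switch.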
Hi! Thank you for the tips! That's precisely the plan. I am bridging the ports as a temporary solution until I get some proper switches. I plan to use the 10g port for my lab switch and the 2.5g for my LAN switch and then one of the 1g ports for my WAN and another for my management network or something along those lines. I need to get the switches first though!
There is an option to change that, called "Hardware Offload"; you can see that option in the bridge. This will use the switch chip instead of the processor.
@@hey_leao You are 100% right about this, but in some cases when IP filter is enabled some strange behaviour can happen. But yes, HW offload is also a solution, sadly not for all RouterBOARDs :) I still prefer the router-on-a-stick setup, since messing with multiple bridges as VLANs is actually a nightmare.
@@kurosudo8762 Yes! That's why you need to do some inspection of your topology (it's not a router problem). Another thing about it: "Not all devices support port isolation, currently only CRS1xx/CRS2xx series devices support it and only 7 isolated and hardware offloaded bridges are supported at the same time, other devices will have to use the CPU to forward the packets on other bridges", and not all RBs have a VLAN table, that's important too. The "IP firewall" option uses the CPU; you can try to use some bridge filters instead.
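The sub-thread above contrasts three ways of doing VLANs on a MikroTik: one bridge per VLAN (the "nightmare"), a single VLAN-filtering bridge that the switch chip offloads, and router-on-a-stick with the switching done elsewhere. As an added example (not from the video nor from any of the commenters), here is the second option configured the way RouterOS v7 wants it, with the check for the hardware-offload flag and the `use-ip-firewall` setting that silently pushes bridged traffic back onto the CPU, plus the router-on-a-stick variant as commented-out lines at the end. Interface names, VLAN IDs and subnets are assumptions.

```routeros
# Added example, not from the thread: VLAN-filtering bridge with hardware offload
# on an RB5009, and the router-on-a-stick alternative discussed above.
# Assumptions: ether2..ether4 are access ports, sfp-sfpplus1 is the trunk to a
# managed switch, VLAN 10 = LAN (10.0.10.0/24), VLAN 20 = lab (10.0.20.0/24).

# One bridge for all switched ports. vlan-filtering is turned on LAST (see below).
/interface bridge add name=bridge1 vlan-filtering=no comment="switch-chip bridge"

# Access ports: pvid is the untagged VLAN; frame-types rejects tagged ingress.
/interface bridge port add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port add bridge=bridge1 interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port add bridge=bridge1 interface=ether4 pvid=20 frame-types=admit-only-untagged-and-priority-tagged
# Trunk: only tagged frames are admitted.
/interface bridge port add bridge=bridge1 interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged

# VLAN table. Listing "bridge1" under tagged= lets the CPU side see the VLAN,
# which is required for the L3 interfaces further down.
/interface bridge vlan add bridge=bridge1 vlan-ids=10 tagged=bridge1,sfp-sfpplus1 untagged=ether2,ether3
/interface bridge vlan add bridge=bridge1 vlan-ids=20 tagged=bridge1,sfp-sfpplus1 untagged=ether4

# One L3 interface per VLAN on top of the bridge: inter-VLAN traffic is routed
# (and can be firewalled) by the CPU, intra-VLAN traffic stays in the switch chip.
/interface vlan add interface=bridge1 name=vlan10-lan vlan-id=10
/interface vlan add interface=bridge1 name=vlan20-lab vlan-id=20
/ip address add address=10.0.10.1/24 interface=vlan10-lan
/ip address add address=10.0.20.1/24 interface=vlan20-lab

# Keep bridged frames off the CPU. use-ip-firewall=yes forces every bridged
# frame through /ip firewall and disables hardware offload on the ports.
/interface bridge settings set use-ip-firewall=no

# Enable VLAN filtering only once the VLAN table is complete, otherwise the
# management session you are configuring from is the first thing to go.
/interface bridge set bridge1 vlan-filtering=yes

# Check: a port whose flags column shows "H" is hardware offloaded. A port
# without it is being forwarded by the CPU, whatever the bridge settings say.
/interface bridge port print

# Router-on-a-stick alternative: no bridge; VLAN subinterfaces directly on the
# trunk port and all switching done by the external switch.
# /interface vlan add interface=sfp-sfpplus1 name=vlan10-lan vlan-id=10
# /interface vlan add interface=sfp-sfpplus1 name=vlan20-lab vlan-id=20
```

The `H` flag check is the part worth building into a habit: on the RB5009's switch chip VLAN filtering can stay in hardware, but on boards without a VLAN table enabling `vlan-filtering=yes` drops the ports to CPU forwarding with no warning other than that missing flag.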
This was an interesting one, thank you! Would love to see what you'd manage to do with Terraform here. Regarding WiFi: MikroTik's WiFi can be problematic, hope it works alright for you. Watch out for mixing and matching old and new MTK access points, as MikroTik has two CAPsMAN (their controller) versions that are incompatible.
Yeah, I already got a Mikrotik AP by the time I finished this video and I had trouble getting CAPSMAN to work properly. I ended up configuring the AP as a standalone device just to get it up and running, but it's something I need to look into a bit more! Mikrotik definitely has a steeper learning curve than other solutions for sure 😅
@@mirceanton CAPsMAN-wise, make sure all the APs you buy can work with the same version. Otherwise, each one can be managed individually via RouterOS, which means all of them run it. So it would probably be easier to hook them up to your Terraform that way.
@@mirceanton Generally speaking, WiFi from MTK lags behind competitors a bit. It does not have any 802.11be or 802.11axe solutions, only recently added 802.11r/k/v (not sure how well it works), doesn't do more than 2x2, and so on, and so on... Good news: you could run TP-Link or Ubiquiti controllers in containers on your RB5009 and MTK works fine with those access points.
He just pointed out a few reasons in this video: less noise, less space in the garage, cheaper on fuel. From my side, I will also add much cheaper service and parts replacement. And actually, smart people tend to think the opposite way: why would I use a Ferrari if I only need a Smart? Why would someone use a 6th gen i5, 8 GB of RAM, an NVMe SSD and a whole bunch of PSU, cables, etc. for a task that a basic MikroTik router can do?
@@Office-Clerk Negative, my friend. Now you can run OPNsense or pfSense on a small embedded device that costs about the same as the crappy MikroTik. Btw, when it comes to benchmarks and VPN throughput, MikroTik becomes a joke and you will end up wasting $$. Trust me, I've been through this.
To be fair, I didn't look into it THAT much, but I didn't find an x86 computer + all the required components (rack mount case, PSU, RAM, storage etc.) that draws under 10 watts and is comparable in price with the MikroTik. Also, in my experience using ZeroTier as a VPN solution, it's good enough to saturate my uplink. So for what I need, it seems to be plenty, at least so far.
Not an apples to apples comparison even.. 🤦♂️ OPNsense is a firewall with some routing capabilities and RouterOS is a router with some firewall capabilities. The analogy should be going from a Ferrari to a rally car. They excel at different tasks, but both can take you to the store and back to buy milk… 😅
Nice video, I have subscribed and “liked”. I’m looking forward to seeing the rules you implement on the MikroTik. I’ve used MikroTik and think it’s very powerful, but I have switched my firewall appliance for a Firewalla Gold Plus. No command line, all app based, but I’d like to return to the MikroTik environment.
Ok, first off, you had the wrong hardware for OPNsense; I am running the latest version on a Cisco ASA5515X. It draws less than 20W and I get the full 1Gbps download and 120Mbps upload. MikroTik is nice but it takes a while to learn the MikroTik way.
Wrong or right, I used the hardware I already had lying around that had no other purpose. Sure, just like you mentioned, I could have improved that setup with some better hardware, but that was not really the point. I never felt limited by my hardware choices. The power consumption and maybe even the performance could have been improved, and I totally agree, but those were not my limiting factors. This was more of a software limitation, where OPNsense doesn't really support automation to the extent that MikroTik does. Other than that, yes, I could have stayed on OPNsense and optimized my hardware setup to achieve similar results.
@@mirceanton If he told me that, I'd assume he meant that using older full-on desktop/server hardware is the wrong hardware. And I'd agree that "what you happen to have" is not likely ever going to be optimal. Not sure what the Cisco ASA5515X is internally, but sometimes if one wants efficiency, one needs to consider either different hardware or buying different hardware, especially if things like excessive power consumption, fan noise, and heat are a concern.

I am running OPNsense on an N100 fanless mini PC; it draws about 12 watts, IIRC. OpenWRT on ARM hardware was also an option, and drew less power, but my issue was not really with OpenWRT but with who maintained the code for it and where, as it wasn't available directly from OpenWRT. It did have lots of headroom, however, and drew less than OPNsense did on the N100.

Personally, I would not want running fans of any sort in my sleeping area!! After years of dealing with fan noise, I think my hearing is more screwed up from that than from the time I spent in the military dealing with loud turbocharged/supercharged diesel engines and marine turbine engines.

Congrats on your new router; hope it serves you well. TBH, it's neither right nor wrong; it's a choice, with consequences. Choosing OPNsense on an N100 is both a choice and has consequences; choosing MikroTik hardware is also a choice and has consequences. Everything in life is about making a choice, leveraging the pros and accepting the cons.
Thanks! The landscape is definitely quite diverse. I'd love to see more support for arm platforms though, as we've seen quite a few SBCs which would fit the bill nicely as a low power and quiet router.
I'm curious why you're playing with OpenWRT. Do you have a use case? I started my networking journey in 1991 as a network engineer. I have used many, many NOSes since then, and I was using DD-WRT for friends and SMBs a long time ago! After finding MikroTik / RouterOS, I stopped using *wrt. I also used m0n0wall / pfSense and I was glad to replace them with RouterOS too! Not that they are that bad, but I highly prefer RouterOS for many reasons. The management aspect of RouterOS is one of them; it is one of the best management interfaces I have used, IMHO.
@@guyboisvert66 I have been playing with OpenWRT; I was interested in the low power, compact size, and performance. It was an RK3588 with 16G of RAM. As a router, it worked fine, but once you delved into building VLANs, some pieces of the network rules seemed less than optimal; at the same time, things like policy-based routing with VPNs were super easy and worked very well. There's also a ton of other things like Docker, storage, etc. that I didn't delve into; security was a greater concern, and OPNsense seemed "better". It only drew a handful of watts and was fanless; so much overhead it was ridiculous. Fairly sure everyone has unique use cases, and unique reasons why they went one way or another. I still have a MikroTik router unopened in a box; may have to try it some day when I get some time. I could run much more on the RK3588, but I have trust issues; not with OpenWRT, but because the hardware wasn't directly supported by OpenWRT... There are ways to compile it yourself, but I don't have the time. Great hardware though. I may still use the hardware moving forward; not sure how much I can change without annoying the spouse, however. I realize I like to tinker..
pfSense is not a next generation firewall as many here suggest. It uses outdated IPS/IDS plugins like Suricata. But it has nothing to do with deep packet inspection of HTTPS frames, which is what FortiGate does. It does not decrypt and re-encrypt the HTTPS frames. It just checks IP lists and unencrypted packets. In the era of full TLS encryption, the regular IDS/IPS has very little to no benefit. A regular stateless firewall blocks the same traffic as pfBlockerNG blocks. If you don't use IDS/IPS and list-based protection, pfSense has no benefit over any other router system, like RouterOS or OpenWRT. Why should we use an inefficient BSD-based system if we can use faster, Linux-based systems with less power draw?
Servus, my fellow Ro, I assume, because I am one too :) I see the opinions that you downgraded, and it is somehow kinda true, but MikroTik also has products that support packet inspection; the only issue is that they are another product class with another price point. MikroTik has been operating since 1996 or '97 and they also manufacture ISP-grade devices, just like Juniper, Cisco, Nokia etc., but also stuff like these consumer-grade routers for the enthusiasts that sometimes have fun experimenting with OSPF, BGP, or tunneling protocols like WireGuard and OpenVPN. I also have some of their RB 2011, RB 4011, and some other cheaper smaller devices, because not everybody will pay around 400-500 $ or Euro for a used Cisco router just to have the hands-on experience. And if I am not mistaken, the Torch function on MKT RBs does exactly that: packet inspection.
Servus! Yeah, I understand where they come from, saying that this was in fact a downgrade. However, I specifically mention in the video that I was not doing any of that with OPNsense to begin with, and strictly from the PoV of my use-case there is more-or-less feature parity between the two. It's a matter of perspective, in my opinion
@@mirceanton Gotcha, I watched the video after I wrote the comment, where you stated the reasons (size and noise). I was searching for something related to the router world and the YT algorithm, or who knows, maybe karma ;) suggested this video in my feed too, and I was just skimming through it, and because of your name I thought you were a fellow landsman. Nice, keep up the energy.
I can't really comment on automatic failover in dual WAN scenarios, as I've never run such a setup personally, but at least in the context I was referring to, network automation has nothing to do with automatic failover. I simply meant automating the configuration of my networking equipment using infrastructure as code.
Congrats, you threw away UTM and called it an upgrade. How do you go through an entire build and not understand the value of intrusion detection and threat management 🤔 “upgrade” what the…
This is a homelab. I mention in the video that I was not running any IDS or IPS on my OPNsense or anything like that. In my use case, and for many others who run it at home I'd assume, it's acting mainly, if not only, as a router/basic firewall. I explained in the video that I personally consider it an upgrade because it allows me to do something which I was not able to before, which is to adopt it in my IaC/GitOps setup. To me as a DevOps engineer that matters more, for my homelab than IDS or IPS. Homelabs are all about what you want to learn/play with, and from that aspect, it was an upgrade for me 🤷♂️
Yeah, pretty much. Though I still believe it was the right choice for me. I wasn't using any of the advanced features of Opnsense anyway. That's just not the focus of my homelab, at least not for now.
Better or worse are both subjective and highly dependent on the criteria used for the comparison. For me and my particular use-case, I'd say Mikrotik wins out this competition. What are some features that you find to be missing on Mikrotik, that you use on OPNsense?
@@2uxzh01k OPNsense supports plugins, like Suricata. I stopped using *sense many years ago and replaced it with RouterOS. I didn't like the ugly and slow web UI and that pf was always reloading after config modifications. I'm not bashing *sense, it has its strengths, but I don't like it. I'm an Open Source advocate, but sometimes you have to make choices based on your use cases or preferences.
I agree that in the grand scheme of things the OPNsense box I had previously had a larger set of features. However, strictly from the point of view of the features I was using and I needed, I still think that the Mikrotik is an upgrade since it allows me to do all I was doing before and some more. It's not all black and white. Context matters as well.
@@mirceanton I'd rather keep OPNsense and add the Zenarmor add-on for a really high performing next-gen firewall 🙂 But you could run that on a small Intel N100 that has the same performance as a 6th gen Core i5 but only uses 10W if not less 🙂
So, you just trashed your oversized firewall/UTM and replaced it with a router. Congratulations on downgrading your security.... You drank the Miki Kool-Aid.
Genuine question: how is Mikrotik that much more insecure compared to OPNsense or other solutions? At least as far as I can tell features/customizability seem to be fairly similar. If one has the knowledge to configure an OPNsense device properly, wouldn't it be the same case for a Mikrotik as well?
@@mirceanton A firewall (UTM or NGFW) has multiple advanced features like deep packet inspection, SSL inspection, IPS/IDS, anti-malware, sandboxing, application and URL filtering and many others. MikroTik has very good products but has limited firewalling features. It's a good router but just a router. You can keep using OPNsense or other firewall solutions as a VM.
@@sparc64, please show me the "end user" that has the ability to "fully audit" a complex software product. I'm a networking guy (mostly with MikroTik devices) as well as an experienced C++ developer, and even with my capabilities, in particular as a developer, my std::chrono::lifetime is too small to audit the source code used in my networking equipment, my cellphone, or any other device around me.
@@claudiobolcato3048, are you stuck in the mid 2010s? Nowadays most of the traffic is encrypted and newer technologies make it hard or completely impossible to intercept TLS traffic. Anyhow, I agree with your bottom line: use MikroTik as a router (or as a switch, or as a WiFi AP) and extend this setup with specialised systems if you really (believe you) need them, be it a firewall, be it a network access system.
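The exchange above keeps circling back to whether a MikroTik configured "properly" gives a home network the same basic posture as a properly configured OPNsense box. For the "router/basic firewall" role the video's author describes, that comes down to the filter rules and the management surface. As an added example (not from the video and not posted by any commenter), here is the baseline stateful firewall a practitioner would start from on RouterOS v7: essentially the factory default policy written out explicitly, one inter-VLAN rule, and the management lockdown that the defaults leave open. The interface lists `WAN` and `LAN`, the VLAN interface names and the management subnet are assumptions.

```routeros
# Added example, not from the video: minimal stateful edge firewall for a
# RouterOS v7 home router. Assumptions: interface lists WAN and LAN already
# exist (e.g. ether1 in WAN, bridge1 in LAN), the VLAN interfaces vlan10-lan
# and vlan20-lab exist, and management happens from 10.0.10.0/24 only.

/ip firewall filter
# --- input chain: packets addressed to the router itself ---
add chain=input action=accept connection-state=established,related,untracked comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="allow ICMP (ping, PMTUD)"
add chain=input action=accept in-interface-list=LAN comment="router services reachable from LAN only"
add chain=input action=drop comment="drop everything else aimed at the router (incl. WAN)"

# --- forward chain: packets routed through the router ---
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack established flows"
add chain=forward action=accept connection-state=established,related,untracked comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="drop unsolicited inbound from WAN unless port-forwarded"
# Inter-VLAN policy goes here; new connections only, established ones were accepted above.
add chain=forward action=drop in-interface=vlan20-lab out-interface=vlan10-lan comment="lab may not initiate connections to LAN"

# Shrink the management surface: drop the plaintext/unused services and bind
# the remaining ones to the management subnet, independent of the filter rules.
/ip service disable telnet,ftp,www,api
/ip service set ssh address=10.0.10.0/24
/ip service set winbox address=10.0.10.0/24
/ip service set api-ssl address=10.0.10.0/24

# MAC-level Winbox/Telnet and neighbor discovery answer on any interface by
# default; restrict them to LAN so nothing is discoverable or reachable from WAN.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN

# Check what is actually listening and from where, after the change.
/ip service print
```

Order matters in both chains: fasttrack and the established/related accept must come first, or every packet of every flow is evaluated against the policy rules, and the `invalid` drop must precede any accept that matches by interface. The `/ip service` and MAC-server restrictions are the pieces most often missed when people compare "a router" to "a firewall": they are what keeps WinBox and the REST API off the WAN side even if a filter rule is later mis-edited.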
I dove head first into MikroTik this year... Replacing everything except my NAS and access point. I'm using the RB5009UPr, CRS309, and CSS326. Learning RouterOS can be intimidating, but there are soooo many YouTube videos with help.
Great video! I really like Mikrotik devices. I have a LOT of network devices--Cisco, Mikrotik, TP-Link, Arista, Unifi, Netgear, HP, and generic. Mikrotik does a good job with informing users and documenting their devices.
I would love to see how you're going to use Terraform with the setups. Keep up the great videos!
Been using Mikrotik for over a decade now. Always exciting to see new content.
Loved seeing your setup! My hardware knowledge is pretty terrible but I enjoyed seeing your process in this migration. Keep it up!
I once accidentally converted a Cisco fanboy into a MikroTik believer.
"What's that?"
"MikroTik router."
"Why do you use consumer grade hardware while you are a professional?"
"Consumer? What? You've never seen one of these?"
I fired up WinBox and less than 15 minutes later he was the one commandeering the mouse.
Nice. Yes, I know it's hard to swallow that some other manufacturers also make good enterprise stuff way cheaper than the "Mercedes" of the field
And no need to pay subscriptions, expansion packs, DLCs, etc
As a MikroTik-certified (MTCNA) guy, thank you so much for this video.
I love your journey through networking IaC. It's something that I've always wanted, but it didn't really seem robust enough with OPNsense.
I hope routeros with terraform works out for you long term!
I just did exactly the opposite a couple of months back, left MikroTik in favor of OPNsense.
Interesting. What made you ditch Mikrotik?
@@mirceanton I have a very simple home lab and automation at home. MikroTik was more than enough and even more powerful than I needed, but I wanted something more "user friendly" that I could add plugins to and consolidate the hardware. I got an Intel J4125 4x 2.5GbE NIC small box (tiny) that I'm running Proxmox on, passing through 3 NICs to OPNsense while the other is shared across some small VMs/containers (WireGuard, reverse proxy, Home Assistant, DDNS, etc.).
Also, OPNSense has some nice dashboards, log views and drill down information out of the box. It could be done with Mikrotik and Grafana, but “too much” work. Lol.
Is it for "plugin stuff" like Suricata?
@@mirceanton Mainly for plugins and "ease of use". MikroTik was more than enough for me, but I wanted to consolidate hardware as well. I got an Intel J4125 4x 2.5GbE box on which I installed Proxmox, reserved 3 ports for OPNsense and allocated the other one for a reverse proxy and some other small things.
Also OPNsense is "more visual" and has some nice add-ons and reports.
@@guyboisvert66 Not only, but mainly.
Hi mate, I've been using an RB5009 as my gateway for a couple of years. An excellent device.
What do you say about a series on MikroTik?
It's on the way! I started working on several things in parallel and obviously ended up procrastinating by working on various projects... 😅
I already have about 3 videos planned as follow-ups, like automation with Terraform, integration with Kubernetes, etc.
Soon ™️
Good video, waiting for the next one
I use OPNsense on a two-port mini PC as the firewall; behind that I have a MikroTik router that handles everything internally. I have lots of dynamic macvlans for different purposes such as appliances, cameras, personal networks for each family member etc..
That sounds like a neat setup! Once I settle into my network a bit more, I might be looking into something like that. I'll probably wait until the opnsense REST API matures a bit more so I can IaC that too
Well done video. I've been using MikroTik for 11 years now, and I even have a MikroTik CHR running a DHCP server setup in a VM on Proxmox.
Curious to see how this goes, subbed. I'm considering moving my router from a VM to a bare metal solution. I'm wondering how easy/good the firewall is to configure. Could you go over the options for that? I'm curious how flexible and capable these mikrotik boxes are, I love my Mikrotik CSS switch, and would consider them for the router too.
Thanks for the sub!
I'm afraid that the video won't cover all the details you are looking for :(
The configuration that I will be presenting, or rather the method to apply it, will be automation via Terraform. I won't really cover using WinBox to configure the router more than the initial setup.
To be fully honest, there are far better resources out there for specialized Mikrotik content, such as TheNetworkBerg youtube channel. I'm a DevOps guy dabbling in networking stuff, mainly from the perspective of automation.
Personally I'd keep OPNsense as the edge firewall and use MikroTik as an internal firewall, but it's your network.
I was hooked, watched it to the end 🎉 Well then, welcome 🙏 to the mum community
I'd love to see how to migrate OPNsense rules and settings to MikroTik!
Thanks
You can basically use more than 1Gb on the 5009 using the SFP+ and 2.5Gb ports. You can receive on the SFP port with an adapter easily, so it can reach more than 1Gb
Yep, the device itself can do more than 1Gb. The problem is that I don't really have other 10g devices to test with it, either SFP+ or RJ45
And then, even if I did, my switches are all 1gb and my internet is not even half of that
@@mirceanton It's more for the future; it gives this router better longevity
@@lucasthielke oh absolutely. Even though I can't use those ports right now, they did play a role in the decision since they future proof this device a bit. They were not the main deciding factors, but they sure gave me some peace of mind!
Have you considered Vyos? I believe it supports both Terraform and Ansible. The entire configuration process basically consists of CLI commands.
I'm in a similar situation where I'm considering switching from OPNsense because I want to manage my configurations as code. However, I'm still undecided about which option to choose.
I would not recommend VyOS. I am not currently using it, nor have I used it in the past, but there has been some controversy surrounding it lately, which caused a lot of people to migrate away from it.
Essentially, the maintainers threatened to take down some community builds and made it very difficult to build the LTS release. I haven't really kept up to date on this, but there have been some personal jabs made as well against people doing their own OS builds.
Someone that is more involved in these events may chime in to give some more details, but that's the gist of it, from what I understood.
@@mirceanton That doesn’t sound too great, I guess I’ll have a closer look at MikroTik then.
EdgeOS might also be an option, but I feel like Ubiquiti’s support there has been very lackluster and they focus more on their UniFi range.
It really depends what you're looking for. Sure, UniFi is great and a lot of people use it in their homelabs. If you're looking for automation and Infrastructure-as-Code, then I can't really recommend it. Otherwise, it's a solid option too
You have made the best move ever going to mikrotik
It definitely has a learning curve and it can be a bit overwhelming. I've been tinkering with it for the last few months and I'm still learning new things every time.
That being said, I don't regret it. I feel like it's a better setup than I had before
@@mirceanton I am not a networking expert; it took me about a month to figure things out. The workflow makes sense when you read the documentation and understand how stuff works; you can do pretty much everything. WinBox mirrors the CLI almost 100% as well (most of it), so to get good at the CLI you can check WinBox and do the commands in the CLI at the same time. It is good training and helped me a lot.
You will also save money on your electricity bill lol :D
Nothing wrong with pfSense or OPNsense, but when you use a mini PC that can draw up to 100W depending on the model, since it runs all the time it can be really expensive to run, depending on where you live.
At least now you have hardware that is really energy efficient.
Yeah, I really like that the CLI matches quite closely to Winbox and to the API as well (thus also to the Terraform provider). It definitely makes it easier.
Welcome to the Mikrotik team, I have been running a RB3011 for like 4 years now, a bit overkill for my network hehehehe.
Using one RB3011 since late 2022, really a good router. It runs my 1Gb network, both IPv4/IPv6.
@lucasthielke RB5009UPr here. I use it with a CRS305-1G-4S+IN to get a 10G backbone for my desktop and home server, and its PoE has been useful for my Grandstream access points. Absolutely excellent router.
Nice and interesting video. Will buy an RB5009 soon for my homelab also :))
Very good! I can't wait to see how you'll shape it.
For now I've left inter-VLAN routing in the care of a pair of pfSense instances virtualized in Proxmox...
There are ideas and plans, if only we had the time! I want to configure my whole network, the VPN server and possibly some containers for DNS/ad-blocking with Terraform.
Also, since Terraform recently changed its license, I was thinking of looking into OpenTofu as an alternative for the whole setup.
@@mirceanton We're in similar situations, but in different contexts. A few years ago I started my homelab with a Proxmox cluster built from old junk and NUCs, but the ideas change so fast that there's always something to start over from scratch, like in the story of Master Manole. The latest thing is that I managed to bring up a Kubernetes cluster based on Talos VMs through Terraform, Packer and your experience with talosctl, but I'm also in the OpenTofu dilemma, and available time and day-to-day life are the main obstacles.
In September I'll be in Romania, in Bucharest, and maybe we'll meet face to face to exchange experiences.
Good luck!
Looking forward to the next video. I use both OPNsense and Mikrotik but my current Mikrotik hardware is in need of an upgrade. Just replacing with OPNsense feels like the easy option but I do like the look of the RB5009's.
Have you considered failover? And do you know how easy that is to set up with RouterOS?
I haven't really looked into it so I can't comment on that.
I will say, however, that if you're looking for failover I think it's pretty nice that you can fit 2x RB5009 routers in a single rack unit using the K-79 mounting kit.
There are many videos on using more than one internet access link; RouterOS can even load balance and do very crazy things! Mangle is very powerful and I use it often to do many cool things with routing, DNS, etc.
Hi, I hope you love your Mikrotik setup, the RB5009 is a great, powerful machine. Some tips for the future: bridging in Mikrotik is really terrible because all packets go through the CPU. If you get a better switch with SFP+, buy an SFP+ DAC cable (they are really cheap) and connect the switch and router with one port. On that router port assign VLANs and let a switch do the switching work, not the router. You will get better performance.
Hi! Thank you for the tips! That's precisely the plan. I am bridging the ports as a temporary solution until I get some proper switches.
I plan to use the 10g port for my lab switch and the 2.5g for my LAN switch and then one of the 1g ports for my WAN and another for my management network or something along those lines. I need to get the switches first though!
There is an option to change that, they call "Hardware Offload" you can see that option in the bridge. This will use the Switch Chip instead of the processor.
@@hey_leao you are 100% right about this, but in some cases when IP filter is enabled some strange behaviour can happen. But yes, HW offload is also a solution, sadly not for all routerboards :) I still prefer a router-on-a-stick setup, since messing with multiple bridges as VLANs is actually a nightmare.
@@kurosudo8762 Yes! That's why you need to do some inspection of your topology (it's not a router problem). Another thing about it: "Not all devices support port isolation, currently only CRS1xx/CRS2xx series devices support it and only 7 isolated and hardware offloaded bridges are supported at the same time, other devices will have to use the CPU to forward the packets on other bridges", and not all RBs have a VLAN table, that's important too. The IP firewall option uses the CPU; you can try to use some bridge filter.
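As an added example (not from any of the commenters), the router-on-a-stick layout this sub-thread describes, written out in RouterOS CLI terms: one bridge with VLAN filtering, hardware offload requested on the trunk port, the router's L3 interfaces hanging off the bridge, the bridge IP-firewall option left off, and a print that shows whether offload actually took effect. Interface names, VLAN IDs and subnets are assumed placeholders.

```routeros
# Added example; interface names, VLAN IDs and subnets are placeholders.
# One bridge carries all VLANs; sfp-sfpplus1 is the single tagged trunk to the switch.
/interface bridge
add name=bridge1 vlan-filtering=yes

# hw=yes asks the switch chip to forward for this port; the H flag in the print at the end confirms it.
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1 hw=yes

# Tag VLAN 10 (lab) and VLAN 20 (lan) on the trunk and on the bridge itself,
# so the router's own L3 interfaces below can see the tagged frames.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=10
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=20

# Router-on-a-stick: inter-VLAN traffic is routed by the CPU through these interfaces,
# while intra-VLAN switching stays on the switch (and, for this port, on the switch chip).
/interface vlan
add interface=bridge1 name=vlan10-lab vlan-id=10
add interface=bridge1 name=vlan20-lan vlan-id=20
/ip address
add address=10.0.10.1/24 interface=vlan10-lab
add address=10.0.20.1/24 interface=vlan20-lan

# Keep use-ip-firewall off: enabling it pushes bridged (intra-VLAN) traffic through /ip firewall
# and therefore through the CPU, which is the slowdown the thread warns about.
/interface bridge settings
set use-ip-firewall=no

# Verify: the port should carry the H (hw-offload) flag. If it does not, this board or
# this combination of bridge features is not offloaded and the CPU is forwarding for it.
/interface bridge port print
```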
Well, you just got a "bell" enabled...
waiting for part 2!
Soon ™️
I wanted to daily drive this setup for a while before sharing my thoughts on it
Love my 5009!
Finally.. found a homelabber with Mikrotik and no UniFi. And I think you're from Ro😁. I use Mikrotik too.
😅 I have a homelab with Mikrotik (RB4011), UniFi (U6-Enterprise) and OPNsense 😅😅
This was an interesting one, thank you! Would love to see what you'd manage to do with terraform here.
Regarding WiFi: Mikrotik's WiFi can be problematic, hope it works alright for you. Watch out for mixing and matching old and new MTK access points, as Mikrotik has two CAPsMAN (their controller) versions that are incompatible.
Yeah, I already got a Mikrotik AP by the time I finished this video and I had trouble getting CAPSMAN to work properly. I ended up configuring the AP as a standalone device just to get it up and running, but it's something I need to look into a bit more!
Mikrotik definitely has a steeper learning curve than other solutions for sure 😅
@@mirceanton capsman wise make sure all the APs you would buy can work with the same version. Otherwise each one can be managed individually via RouterOS means that all of them run. So probably would be easier to hook them up to your terraform that way.
@@mirceanton generally speaking, WiFi from MTK lags behind competitors a bit. Does not have any 802.11be or 802.11axe solutions, only recently added 802.11r/k/v (not sure how well it works), doesn't do more than 2x2 and so on, and so on... Good news: you could run TP-Link or Ubiquiti controllers in containers on your RB5009 and MTK works fine with those access points.
Nice! Liked and subscribed!
Why would someone switch from driving a Ferrari to a Smart unless you desperately need it?
He just pointed out a few reasons in this video:
Less noise
Less space in the garage
Cheaper on fuel
From my side, I will also add much cheaper service and parts replacement.
And actually, smart people tend to think the opposite way: why would I use a Ferrari if I only need a Smart?
Why would someone use a 6th gen i5, 8 gigs of RAM, an NVMe SSD and a whole bunch of PSU, cables, etc. for a task that a basic Mikrotik router can do?
@@Office-Clerk negative my friend.
Now you can run OPNsense or pfSense on a small embedded device that costs nearly the same as the crappy Mikrotik.
Btw, when it comes to benchmarks and VPN throughput Mikrotik becomes a joke and you will end up wasting $$, trust me, I've been through this.
To be fair, I didn't look into it THAT much, but I didn't find an x86 computer + all the required components (rack mount case, PSU, ram, storage etc) that draws under 10 watts and is comparable in price with the MikroTik.
Also, in my experience using ZeroTier as a VPN solution, it's good enough to saturate my uplink, so for what I need it seems to be plenty, at least thus far.
Not an apples to apples comparison even.. 🤦♂️ OPNsense is a firewall with some routing capabilities and RouterOS is a router with some firewall capabilities. The analogy should be going from a Ferrari to a rally car. They excel at different tasks, but both can take you to the store and back to buy milk… 😅
Nice video, I have subscribed and “liked”. I’m looking forward to seeing the rules you implement on the MikroTik.
I’ve used MikroTik and think it’s very powerful, but I have switched my firewall appliance for a Firewalla Gold Plus. No command line, all app based, but I’d like to return to the MikroTik environment.
Ok, first off, you had the wrong hardware for OPNsense; I am running the latest version on a Cisco ASA5515X. It draws less than 20W and I get the full 1Gbps download and 120Mbps upload.
Mikrotik is nice but it takes a while to learn the mikrotik way.
Wrong or right, I used the hardware I already had laying around that had no other purpose. Sure, just like you mentioned, I could have improved that setup with some better hardware, but that was not really the point. I never felt limited by my hardware choices. The power consumption and maybe even the performance could have been improved, and I totally agree, but those were not my limiting factors.
This was more of a software limitation, where OPNsense doesn't really support automation to the extent that Mikrotik does. Other than that, yes, I could have stayed on OPNsense and optimized my hardware setup to achieve similar results.
@@mirceanton If he told me that, I'd assume he meant using older full-on desktop/server hardware is the wrong hardware.. And I'd agree that "what you happen to have" is not likely ever going to be optimal. Not sure what the Cisco ASA5515X is internally, but sometimes if one wants efficiency, one needs to consider either different hardware or buying different hardware, especially if things like excessive power consumption, fan noise, and heat are a concern. I am running OPNsense on an N100 fanless mini PC, and it draws about 12 Watts, IIRC. OpenWRT on ARM hardware also was an option, and drew less power, but my issue was not really with OpenWRT but who/where the code for it was maintained, as it wasn't available directly from OpenWRT. It did have lots of headroom however, and drew less than OPNsense did on the N100. Personally, I would not want running fans of any sort in my sleeping area!! After years of dealing with fan noise, I think my hearing is more screwed up than from the time I spent in the military dealing with loud turbocharged/supercharged diesel engines, and marine turbine engines.
Congrats on your new router; hope it serves you well.. TBH, it's not right nor wrong; it's a choice, with consequences. Choosing OPNsense on an N100 is both a choice and has consequences; choosing Mikrotik hardware is also a choice and has consequences. Everything in life is about making a choice, leveraging the pros and accepting the cons.
Welcome to Mikrotik. Been using Mikrotik since 2017, before that using x86 m0n0wall in 2008, x86 pfSense in 2014.. now 2024, playing with OpenWRT.
Thanks!
The landscape is definitely quite diverse. I'd love to see more support for ARM platforms though, as we've seen quite a few SBCs which would fit the bill nicely as a low power and quiet router.
I'm curious why you're playing with OpenWRT. Do you have a use case? I started my networking journey in 1991 as a network engineer. I have used many, many NOS since then and I was using DD-WRT for friends and SMBs a long time ago! After finding Mikrotik / RouterOS, I stopped using *wrt. I too used m0n0wall / pfSense and I was glad to replace it with RouterOS too! Not that they are that bad, but I highly prefer RouterOS for many reasons. The management aspect of RouterOS is one of them, one of the best management experiences I have used IMHO.
@@guyboisvert66 I have been playing with OpenWRT; I was interested in the low power, compact size, and performance. It was an RK3588 with 16G RAM. As a router, it worked fine, but once you delved into building VLANs, some pieces of the network rules seemed to be less than optimal; at the same time, things like policy based routing with VPNs was super easy, and worked very well. There's also a ton of other things like Docker, storage, etc. that I didn't delve into; security was a greater concern, and OPNsense seemed "better". It only drew a handful of watts, and was fanless; so much overhead it was ridiculous. Fairly sure everyone has unique use cases, and unique reasons why they went one way or another.
I still have a Mikrotik router unopened in a box; may have to try it some day when I get some time. I could run much more on the RK3588; but I have trust issues; not with OpenWRT, but as the hardware wasn't directly supported by OpenWRT... There are ways to compile it yourself, but I don't have the time.. Great hardware though.
I may still use the hardware moving forward; not sure how much I can change without annoying the spouse however. I realize I like to tinker..
pfSense is not a next generation firewall as many here suggest. It uses outdated IDS/IPS plugins like Suricata. But it has nothing to do with the deep packet inspection of HTTPS frames that Fortigate does. It does not decrypt and re-encrypt the HTTPS frames. It just checks IP lists and unencrypted packets.
In the era of full TLS encryption, the regular IDS/IPS has very little to no benefit. A regular stateless firewall blocks the same traffic that pfBlockerNG blocks.
If you don't use IDS/IPS and list based protection, pfSense has no benefit over any other router system, like RouterOS or OpenWRT.
Why should we use an inefficient BSD based system if we can use faster, Linux based systems with less power draw?
That was precisely my point! I couldn't have said it better. Thank you!
Servus my fellow Ro, I assume, because I also am one :) I see the opinions that you downgraded; it is somehow kinda true, but Mikrotik also has products that support packet inspection, the only issue is that they are another product class with another price point. Mikrotik has operated since 1996 or 97 and they also manufacture ISP grade devices just like Juniper, Cisco, Nokia etc., but also stuff like these consumer grade routers for the enthusiasts that sometimes have fun experimenting with OSPF, BGP, or tunneling protocols like WireGuard, OpenVPN. I also have some of their RB 2011, RB 4011, and some other cheaper smaller devices, because not everybody will pay around 400-500 $ or EUR for a used Cisco router just to have the hands-on experience, and if I am not mistaken the Torch function on Mkt RB does exactly that: packet inspection.
Servus! Yeah, I understand where they come from, saying that this was in fact a downgrade. However, I specifically mention in the video that I was not doing any of that with OPNsense to begin with, and strictly from the PoV of my use-case there is more-or-less feature parity between the two. It's a matter of perspective, in my opinion
@@mirceanton Gotcha, I watched the video after I wrote the comment, where you stated the reason for size and noise. I was searching for something related to the router world and the YT algorithm, or who knows, maybe karma ;) suggested this video through my feed too, and I was just skimming through it, and because of your name I thought you are a fellow landsman. Nice, keep up the energy.
Network automation? Mikrotik doesn't even automatically failover on a dual WAN setup.
I can't really comment on automatic failover in dual WAN scenarios, as I've never run such a setup personally, but at least in the context I was referring to, network automation has nothing to do with automatic failover. I simply meant automating the configuration of my networking equipment using infrastructure as code.
Mikrotik firewalls are not for beginners.. You need to know how an IP network works and how a firewall is supposed to work.
Yeah, it's definitely got a steeper learning curve!
Mikrotik is good, but it is not a proper firewall though.
Congrats, you threw away UTM and called it an upgrade. How do you go through an entire build and not understand the value of intrusion detection and threat management 🤔 “upgrade” what the…
This is a homelab. I mention in the video that I was not running any IDS or IPS on my OPNsense or anything like that. In my use case, and for many others who run it at home I'd assume, it's acting mainly, if not only, as a router/basic firewall.
I explained in the video that I personally consider it an upgrade because it allows me to do something which I was not able to before, which is to adopt it in my IaC/GitOps setup. To me as a DevOps engineer that matters more, for my homelab than IDS or IPS.
Homelabs are all about what you want to learn/play with, and from that aspect, it was an upgrade for me 🤷♂️
Home-ops sent me here lol
Title be like "Migrate from firewall to router"…
Yeah, pretty much. Though I still believe it was the right choice for me.
I wasn't using any of the advanced features of Opnsense anyway. That's just not the focus of my homelab, at least not for now.
OPNsense is better, it has more features; I guess that doesn't matter to you.
Better or worse are both subjective and highly dependent on the criteria used for the comparison. For me and my particular use-case, I'd say Mikrotik wins out this competition.
What are some features that you find to be missing on Mikrotik, that you use on OPNsense?
Which features are more necessary, if all inbound ports are closed anyways?
I can’t think of any.
@@2uxzh01k OPNsense supports plugins, like Suricata. I stopped using *sense many years ago and replaced it with RouterOS. I didn't like the ugly and slow web UI and that pf was always reloading after a config modification. I'm not bashing *sense, it has its strengths, but I don't like it.
I'm an Open Source advocate but sometimes, you have to make choices based on your use cases or preferences.
Going to Mikrotik from OPNsense is a downgrade.. Not an upgrade.
I agree that in the grand scheme of things the OPNsense box I had previously had a larger set of features.
However, strictly from the point of view of the features I was using and I needed, I still think that the Mikrotik is an upgrade since it allows me to do all I was doing before and some more.
It's not all black and white. Context matters as well.
@@mirceanton I'd rather keep OPNsense and add the Zenarmor addon for a really high performing next gen firewall 🙂
But you could run that on a small Intel N100 that has the same performance as a gen 6 Core i5 but only uses 10W, if not less 🙂
So, you just trashed your oversized firewall/UTM and replaced it with a router, congratulations on downgrading your security.... You drank the Miki Kool-Aid.
Genuine question: how is Mikrotik that much more insecure compared to OPNsense or other solutions? At least as far as I can tell features/customizability seem to be fairly similar.
If one has the knowledge to configure an OPNsense device properly, wouldn't it be the same case for a Mikrotik as well?
@@mirceanton End user has the ability to fully audit all software running on OPNsense compared to Mikrotik
@@mirceanton a firewall (UTM or NGFW) has multiple advanced features like deep packet inspection, SSL inspection, IPS/IDS, antimalware, sandboxing, application and URL filtering and many others. Mikrotik has very good products but has limited firewalling features. It's a good router but just a router. You can keep using OPNsense or other firewall solutions as a VM.
@@sparc64, please show me the "end user" that has the ability to "fully audit" a complex software product. I'm a networking guy (mostly with MikroTik devices) as well as an experienced C++-developer, and even with my capabilities, in particular as developer, my std::chrono::lifetime is too small to audit the source codes used in my networking equipment, my cellphone, or any other device around me.
@@claudiobolcato3048, are you stuck in the mid 2010s? Nowadays most of the traffic is encrypted and newer technologies make it hard or completely impossible to intercept TLS traffic. Anyhow, I agree with your bottom line: use MikroTik as a router (or as a switch, or as a WiFi AP) and extend this setup with specialised systems, if you really (believe you) need them, be it a firewall, be it a network access system.