Sunday, June 5, 2011

MikroTik RouterBoard: the ultimate networking Swiss Army knife

I've been on the hunt for a while now for a better router for the house. What I've wanted was the perfect marriage of cost, customizability, utility and ease of use. The features I've needed:

1. Basic NAT and Firewall with UPnP or NAT-PMP
2. DHCP client on WAN port, DHCP server on inside network
3. IPv6
4. Dynamic DNS
5. Uplink bandwidth prioritization / QoS

The closest I have come up to now has been the AirPort Extreme. It does most of what is on that list, but has some holes, particularly in its (lack of) ability to do QoS, and its limited DDNS implementation. It also lacks any sort of VPN server, but I'd been able to work around that with a combination of one internal machine with a DHCP reservation and SSH port forwarding and/or MobileMe's "Back To My Mac" functionality.

But a few weeks ago, I discovered MikroTik.

My first product of theirs that I tried was their RB250GS. I bought it because I needed a switch with a tap port, and that was the cheapest switch I could find that did it. And I was happy with its performance and functionality. But that little introduction to their product line also brought me an introduction to their RB450G board, which intrigued me greatly.

It's a box with a CPU, 5 gigabit Ethernet ports, a serial port and a beeper. It runs a proprietary Linux distribution called RouterOS. Combined with a Windows (Windows, yes, but it runs perfectly under WINE) management UI, it's the Swiss Army knife of routers. Almost as good as a Cisco box costing hundreds (perhaps thousands) of dollars more.

I can hear a lot of you out there saying, "why not just install DD-WRT on a Linksys or Netgear router?" And indeed - that was what I thought I would wind up doing. And it may have wound up being every bit as capable as what I have. But the difference here is that the RouterOS that it comes with is every bit as capable, but the firmware is actually supported by the manufacturer - it's not as if you bought a Honda because you intend to remove the power-train and drop it onto a nitro funny-car chassis. It's certainly something that's done, but it's generally a lot more trouble than it's worth.

Now, MikroTik's products are not for everyone. For one thing, they come as bare boards. You have to actually pay extra (in most cases - depending on the reseller) for a chassis and power supply. They're also pretty poorly documented. If you want to play with them, you're going to have to know what you want, know what you're talking about, and do some googling around to figure out how to get it done.

But after a couple of days of work, I have a box that does everything I want it to do. It has one port dedicated to being the WAN port. There, a DHCP client gets a lease from our cable modem. It then uses dynamic DNS to set a hostname in our domain so I can easily find home from out on the Internet. The other four ports are bridged together, with one of them being a bridge tap port (in case that is ever needed again). It is a caching DNS and NTP server for the inside network as well as providing DHCP service. It also does the NAT and is the endpoint for an IPv6 tunnel from Tunnelbroker, and advertises that prefix to the LAN. It is configured to give priority to the two VoIP devices we have, so they get first crack at the bandwidth. It's also an L2TP VPN server, so we can get in from the outside, if necessary.

One box. About $100. And no having to shoehorn in third party firmware.


soop said...


I'm not even sure if my last comment posted properly ...

I'm trying to configure external NAT to an internal IP using my MikroTik and for some reason the thing is kicking my ass.

email me at soop@soop dot ca and hopefully we can start a dialogue