 
unkis17
just joined
Topic Author
Posts: 13
Joined: Thu Jan 13, 2022 5:19 pm

Default Firewall Rules for CRS326

Mon Feb 05, 2024 6:25 pm

New to RouterOS. I have been running a CRS326 in SWOS for the last 2-3yrs now with PfSense (virtualized on ProxMox). I have decided to move away from this so I can do whatever I want with the physical server and not interrupt internet service to the rest of the house.

I have been able to read & watch enough information to get RouterOS working, however I have 0 rules in the Firewall Filter. I have seen several videos where there are about 8 or 9 "default" rules in place if you use default config. Today I "reset configuration" and tried to see if those rules would populate, when using default script, they did not.

I am running RouterOS 7.13.3. Very vanilla! Seriously 1 DHCP server for the one WAP I have in place. Most other server stuff is static IP as it is a real small home network. (hoping to grow into subnets or vlans, which is why I originally bought a managed switch)

I don't know how to use command line (without examples), but I am able to open the terminal within WinBox and Copy/Paste. I did not see any "default rules" in the documentation.

Any website or knowledge base pointers would be greatly appreciated. I am hoping to just lock out basic issues. I do not need to port forward or anything for now. I will eventually learn how to VPN in, but that comes later.

Thanks for any pointers!

Unkis
 
mkx
Forum Guru
Posts: 11645
Joined: Thu Mar 03, 2016 10:23 pm

Re: Default Firewall Rules for CRS326

Mon Feb 05, 2024 8:13 pm

Two things:
  1. CRS is a switch, not a router and definitely not a firewall. Yes, since it can run ROS, it can perform those tasks ... but very slowly.
  2. Default config of CRS is config of a switch. If you, despite bullet #1 above, insist on using it as router/firewall, then you'll have to configure it. You can use default config of a SOHO router, it was posted a few times on this forum. Or you can get it from a SOHO Mikrotik if you have access to one.
 
unkis17
just joined
Topic Author
Posts: 13
Joined: Thu Jan 13, 2022 5:19 pm

Re: Default Firewall Rules for CRS326

Mon Feb 05, 2024 10:00 pm

@mkx,

Thank you for the reply. I am surprised to hear this, clearly I am a noob when it comes to networking. I was hoping to remove my virtualized pfsense firewall from my server and use a stand-alone firewall.

I was hoping to do this without the need to buy yet another piece of hardware and increased cost of electric consumption. My server is already an older one that is a bit too power hungry by today's standards.

I guess I will go back to my previous setup for now. Guess it is time to read some more about home networking.

Thank you,

Unkis
 
mkx
Forum Guru
Posts: 11645
Joined: Thu Mar 03, 2016 10:23 pm

Re: Default Firewall Rules for CRS326

Mon Feb 05, 2024 10:19 pm

Depending on your WAN speed you might get away by purchasing a humble ARM-based MikroTik to be used as router. It seems that hAP devices provide best price/performance ... in particular hAP ax2 or hAP ax3 or hAP ac2. They all consume up to around 15W.
WiFi is a bonus (or you can disable it or even uninstall wifi drivers to free up some storage and RAM and reduce power consumption).

When assessing performance, check device product page (e.g. hAP ax2), they all have Test results tab. To get an estimate of device performance as router, look at figure listed as "Ethernet test results - Routing - 25 ip filter rules - 512 byte packets", it seems to resemble average real life performance best. Actual performance can be +-50% depending on actual config, so don't aim for exact throughput of your WAN link, go for a bit higher to have some headroom.
According to this rule, all mentioned devices are around 4x faster routers than your CRS.
 
unkis17
just joined
Topic Author
Posts: 13
Joined: Thu Jan 13, 2022 5:19 pm

Re: Default Firewall Rules for CRS326

Tue Feb 06, 2024 12:33 am

@mkx,

Thank you for the additional reply. I was searching and reading around on the forums and came across the same type of input as your suggestion. It seems like using one of the hAP devices sounds like a good solution. Low power and quite affordable (I'm in the US and can buy easy from Amazon).


I have 800/20 Mbps internet connection (via Motorola cable modem). It seems hAP x2 might be a bit lean. I guess the better product would be the hAP x3 as the test data shows 912Mbps(hAP ax2) and 1145(hAP ax3). Seems like a good fit, unless you suggest something else. (Saw the RB4011, but no wifi on that, would need to add some type of AP, but that most likely means adding POE injector and more things I don't know)

Then I could remove the pfSense Firewall. That is what is most important to me. Next I will try and get VLANs working and eventually run a VPN for me to remote in as I travel for work.

Thank you for your continued help!

Unkis
 
mkx
Forum Guru
Posts: 11645
Joined: Thu Mar 03, 2016 10:23 pm

Re: Default Firewall Rules for CRS326

Tue Feb 06, 2024 8:43 am

> I have 800/20 Mbps internet connection (via Motorola cable modem). It seems hAP x2 might be a bit lean.

hAP ac2 seems to perform roughly the same as hAP ax2 (test results are not directly comparable 1:1, ac2 was tested running ROS v6 and it's known that ROS v6 has a bit better routing performance than v7 in same conditions; speed difference depends on traffic pattern so it's hard to quantify the difference though). And FWIW: I've got 1000/100 Mbps via PPPoE (which adds a bit of performance overhead) with VLANs in the mix (adding ever so slightly small overhead) and my hAP ac2 running ROS v7 handles it just fine. I'd gently advise against choosing ac2 due to its very limited storage space (16MB is getting very tight with recent ROS releases) as list price is same for both ac2 and ax2. Unless one gets ac2 for half price somewhere ...

RB4011 is a weird beast which is pretty hard to get right if running ROS v7 (it's got two switch chips and SFP port is connected directly to CPU so one has to think carefully which ports to use to connect what; if one wants to maximize wifi throughput by installing new wifi drivers then 2.4GHz wifi is lost), and it's previous generation (RB5009 is its natural successor, just like ax2/3 are successors to ac2/3). As already mentioned, RB5009 is a beast ... but doesn't have wireless.

So the long story short: hAP ax (either 2 or 3) are best choices if one wants both decent routing speed and decent wifi in the same device.
 
unkis17
just joined
Topic Author
Posts: 13
Joined: Thu Jan 13, 2022 5:19 pm

Re: Default Firewall Rules for CRS326

Tue Feb 06, 2024 6:26 pm

@mkx,

Again thank you for the additional information yet again. As cool as the RB5009 sounds, I think I need to realize that I don't really know much about this more advanced networking. Don't get me wrong, I think it is very cool, but I am only self taught on things I have found need/application for.

Currently I have one WAP in the house and it is next to my server rack, which happens to be conveniently located almost in the center of my house in the basement (happy accident when we moved to current home) and I have little issues with Wireless signal (there is no upstairs or second floor in this house). Most of my devices are wired, wireless is more for the phones and tablets these days.

I will purchase the hAP x3 by the end of the week and have a fun project to play with for the weekend.

Once I get that up and working I think it might be best to put the CRS326 back in RouterOS mode and see if I can get those two devices working together. This way maybe I will learn more about RouterOS.

Thank you again! I have been reading lots here at the forum and on Reddit and this community really is great!

Unkis
