DeathRat
just joined
Topic Author
Posts: 8
Joined: Thu Mar 14, 2024 9:16 pm

VPN User credentials Not AD User credentials

Thu Mar 14, 2024 9:26 pm

I am a noob when it comes to MikroTik. I have had a RouterBoard RB3011 in my shed for at least 3 years now, and had no clue or, until now, interest to know what it was. I have been trying to set up a VPN, and was finally able to connect to my office using L2TP with IPsec on a hAP ac^2 (ARM) v712.1, but now the connected PC can't authenticate to my network, and thus can't connect to the mapped drives. What do I need to do to get this to work? Thanks
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: VPN User credentials Not AD User credentials

Thu Mar 14, 2024 10:35 pm

Show your config, perhaps?
Both routers.

viewtopic.php?t=203686#p1051720
 
DeathRat
just joined
Topic Author
Posts: 8
Joined: Thu Mar 14, 2024 9:16 pm

Re: VPN User credentials Not AD User credentials

Fri Mar 15, 2024 5:07 am

# 2024-03-14 22:01:12 by RouterOS 7.12.1
# software id =
#
# model = RBD52G-5HacD2HnD
# serial number =
/interface bridge
add arp=proxy-arp fast-forward=no mtu=1500 name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether5 ] mac-address= name=\
ether-not1
set [ find default-name=ether1 ] mac-address=
set [ find default-name=ether4 ] arp=proxy-arp mac-address= \
name=ether2
set [ find default-name=ether3 ] mac-address=
set [ find default-name=ether2 ] mac-address= name=ether4
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 country=no_country_set \
frequency-mode=manual-txpower name=wlan2 ssid=MT-ME station-roaming=\
enabled
set [ find default-name=wlan2 ] antenna-gain=0 country=no_country_set \
frequency-mode=manual-txpower name=wlan3 ssid=MT-ME station-roaming=\
enabled
/disk
set usb1 type=hardware
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] group-ciphers="" supplicant-identity=MikroTik \
unicast-ciphers=""
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=VPN_IPs ranges=10.10.1.186
/port
set 0 baud-rate=auto name=serial0
/ppp profile
add bridge=bridge1 dns-server=10.10.1.21,10.10.1.14 local-address=10.10.1.254 \
name=VPN_Profile remote-address=VPN_IPs use-ipv6=no wins-server=\
10.10.1.21
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2 nssa-translator=\
candidate
/system logging action
set 1 disk-file-name=log
add bsd-syslog=yes name=remotefw remote=76.72.101.66 syslog-severity=info \
target=remote
add bsd-syslog=yes name=remotecrit remote=76.72.101.66 syslog-severity=\
critical target=remote
/interface bridge port
add bridge=bridge1 hw=no ingress-filtering=no interface=ether2
add bridge=bridge1 hw=no ingress-filtering=no interface=ether3
add bridge=bridge1 hw=no ingress-filtering=no interface=ether4
add bridge=bridge1 hw=no ingress-filtering=no interface=ether-not1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set allow-fast-path=yes default-profile=VPN_Profile enabled=yes max-mru=1500 \
max-mtu=1500 max-sessions=1 mrru=1500 one-session-per-host=yes use-ipsec=\
yes
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=pap,chap,mschap1,mschap2 default-profile=*4
/interface sstp-server server
set certificate=Server default-profile=VPN_Profile enabled=yes pfs=yes
/ip address
add address=10.10.1.254/24 interface=bridge1 network=10.10.1.0
add address= interface=ether1 network=
add address= interface=ether1 network=
add address= interface=ether1 network=
add address= interface=ether1 network=
add address=10.10.2.1/24 interface=bridge1 network=10.10.2.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dns
set max-udp-packet-size=512 servers=8.8.8.8

/ip firewall filter
add action=drop chain=input connection-state=invalid
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input protocol=icmp
add action=accept chain=input protocol=gre
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input dst-port=5678 protocol=udp
add action=accept chain=input in-interface=bridge1
add action=accept chain=input src-address-list=Mgmt-List
add action=drop chain=input log=yes log-prefix=INPUTDROP
add action=accept chain=forward dst-port=25 protocol=tcp src-address-list=\
BarracudaIP-SMTP
add action=accept chain=forward dst-port=25 out-interface=ether1 protocol=tcp
add action=drop chain=forward dst-port=25 log=yes log-prefix=SMTPDROP \
protocol=tcp
/ip firewall nat

/ip proxy
set max-cache-size=none parent-proxy=0.0.0.0
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=97.65.32.145
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=
set ssh address=
set api disabled=yes
set winbox address=
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp aaa
set accounting=no
/ppp secret
add local-address=10.10.1.254 name=TRIBITADM profile=VPN_Profile \
remote-address=10.10.1.186 service=l2tp
/radius incoming
set accept=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=America/Chicago
/system identity
set name=MT-ME
/system leds
add interface=*D leds="" type=wireless-status
/system logging
add action=remotefw topics=firewall
add action=remotecrit topics=critical
add action=remotecrit topics=warning
add action=remotecrit topics=error
add action=remotefw topics=firewall
add action=remotecrit topics=critical
add action=remotecrit topics=warning
add action=remotecrit topics=error
/system note
set show-at-login=no
/system ntp client servers
add address=204.2.134.164
add address=195.154.211.37
/system resource irq rps
set ether-not1 disabled=no
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether1 disabled=no
/tool bandwidth-server
set max-sessions=10
 
johnson73
Member Candidate
Posts: 185
Joined: Wed Feb 05, 2020 10:07 am

Re: VPN User credentials Not AD User credentials

Fri Mar 15, 2024 9:31 am

Additional ports will need to be opened in the "Input" chain for L2TP authorization. We use address-lists. Corrections are necessary in the firewall section. We always use the "default" firewall as the basis for everything and supplement it with what we need, as needed. In order for the traffic to work correctly, we drop everything at the end of both the Input chain and the Forward chain rules: add action=drop chain=forward comment="drop all else"
Firewall rules are executed from top to bottom. The sequence also matters.
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=bridge2 list=LAN2
/ip firewall address-list
add address=192.168.1.0/24 list=Local-LAN
add address=192.168.2.0/24 list=Guest
add address=192.168.3.240-192.168.3.245 list=VPN

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input src-address-list=Local-LAN comment="Config Access"
add action=accept chain=input comment=L2TP dst-port=500,1701,4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IKE IPSec" in-interface-list=WAN \
    protocol=ipsec-esp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Access Internet From LAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Access Internet From LAN2" \
    in-interface-list=LAN2 out-interface-list=WAN
add action=accept chain=forward comment=VPN dst-address-list=Local-LAN \
    src-address-list=VPN
add action=accept chain=forward dst-port=25 protocol=tcp src-address-list=\
BarracudaIP-SMTP
add action=accept chain=forward dst-port=25 out-interface=WAN protocol=tcp
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN

add arp=proxy-arp name=bridge1
 
DeathRat
just joined
Topic Author
Posts: 8
Joined: Thu Mar 14, 2024 9:16 pm

Re: VPN User credentials Not AD User credentials

Fri Mar 15, 2024 1:51 pm

Additional ports will need to be opened in the "Input" chain for L2TP authorization. We use address-lists. Corrections are necessary in the firewall section. We always use the "default" firewall as the basis for everything and supplement it with what we need, as needed. In order for the traffic to work correctly, we drop everything at the end of both the Input chain and the Forward chain rules: add action=drop chain=forward comment="drop all else"
Firewall rules are executed from top to bottom. The sequence also matters.
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=bridge2 list=LAN2
/ip firewall address-list
add address=192.168.1.0/24 list=Local-LAN
add address=192.168.2.0/24 list=Guest
add address=192.168.3.240-192.168.3.245 list=VPN

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input src-address-list=Local-LAN comment="Config Access"
add action=accept chain=input comment=L2TP dst-port=500,1701,4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IKE IPSec" in-interface-list=WAN \
    protocol=ipsec-esp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Access Internet From LAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Access Internet From LAN2" \
    in-interface-list=LAN2 out-interface-list=WAN
add action=accept chain=forward comment=VPN dst-address-list=Local-LAN \
    src-address-list=VPN
add action=accept chain=forward dst-port=25 protocol=tcp src-address-list=\
BarracudaIP-SMTP
add action=accept chain=forward dst-port=25 out-interface=WAN protocol=tcp
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN

add arp=proxy-arp name=bridge1
So, when I try to access the mapped drive, or even access the unc path, I get that the credentials are not correct. The VPN credentials are being passed as the only authentication method, not the Windows one. Will this solve the issue? Thanks!
 
johnson73
Member Candidate
Posts: 185
Joined: Wed Feb 05, 2020 10:07 am

Re: VPN User credentials Not AD User credentials

Fri Mar 15, 2024 2:48 pm

A vpn connection is one of the authorization methods. The next authorization will already be the authorization defined for internal network share drives. Maybe the information about vpn config is also useful for you.. https://netpro.lv/en/basic-l2tp-ipsec-s ... ik-device/
Make sure you have properly defined rules for access to the internal network. If they are not correct, then the vpn connection can work very badly, freezing and dropping. I already copied my example for you. I hope it helps you
 
DeathRat
just joined
Topic Author
Posts: 8
Joined: Thu Mar 14, 2024 9:16 pm

Re: VPN User credentials Not AD User credentials

Fri Mar 15, 2024 10:10 pm

Sorry, I still don't see how these will allow the AD authentication from the laptop, which has domain credentials, get to the network shared folders of a Windows Server 2022 that requires the mentioned authentication.

I am using a Username that is not in the domain to access the VPN, which it does. The Windows client is logged in with domain credentials. The network folders connection is broken as soon as I log in to the VPN. I can RDP to every computer as the DNS are working correctly, but mapped drives, UNC Paths are not.
 
johnson73
Member Candidate
Posts: 185
Joined: Wed Feb 05, 2020 10:07 am

Re: VPN User credentials Not AD User credentials

Fri Mar 15, 2024 11:44 pm

If the office has a network and a server on which AD works and your laptop is registered (joined) in the domain, then by creating a VPN IPsec connection with the office you should be able to open network folders without authorization.
If this laptop is not joined to the domain, then access to the network folders will have to manage the authorization data.
But all this will work correctly only if the traffic flow is correct and all the necessary FW rules are used, with properly configured L2TP IPsec with access to Local-LAN. If your configuration is currently exactly as shown in your example, then it will not work correctly. There will be no security either, because the traffic rules do not meet the basic standard of protection that is required.
If the connection to the network folders is interrupted as soon as you log in to the VPN, you need to see how the Windows VPN client is configured, whether to use "use default gateway" or not. It can also be affected by this: it has happened that the office IP address subnet is the same as the home address subnet. The addresses must be different. There can be various reasons why there is no access to network folders.

I copied you an example of what the FW section should look like in order for it to work correctly.
Uses address-lists. Define your IP addresses (LAN, Wan, vpn, etc.)

As a small example (it can be seen in my copied list): when creating a vpn connection, this rule correctly indicates that your VPN address (or several) will go directly to your Local-LAN.
add action=accept chain=forward comment=VPN dst-address-list=Local-LAN src-address-list=VPN
Every entry is important and so is the order. Do not mix Input and forward places. I think if you fix the FW then everything should start working

Mikrotik has two ways to configure traffic.
1) we allow everything and prohibit only what we need to prohibit
2) we drop everything and allow only what we need
The second option is the most popular and also the most correct. We prohibit everything and, if we do not reach a resource, etc., we look at the address-list and then create a rule, for example from VPN->LAN1 or LAN2, Guest or somewhere else.
 
DeathRat
just joined
Topic Author
Posts: 8
Joined: Thu Mar 14, 2024 9:16 pm

Re: VPN User credentials Not AD User credentials

Sat Mar 16, 2024 8:39 pm

If the office has a network and a server on which AD works and your laptop is registered (joined) in the domain, then by creating a VPN IPsec connection with the office you should be able to open network folders without authorization.
If this laptop is not joined to the domain, then access to the network folders will have to manage the authorization data.
But all this will work correctly only if the traffic flow is correct and all the necessary FW rules are used, with properly configured L2TP IPsec with access to Local-LAN. If your configuration is currently exactly as shown in your example, then it will not work correctly. There will be no security either, because the traffic rules do not meet the basic standard of protection that is required.
If the connection to the network folders is interrupted as soon as you log in to the VPN, you need to see how the Windows VPN client is configured, whether to use "use default gateway" or not. It can also be affected by this: it has happened that the office IP address subnet is the same as the home address subnet. The addresses must be different. There can be various reasons why there is no access to network folders.

I copied you an example of what the FW section should look like in order for it to work correctly.
Uses address-lists. Define your IP addresses (LAN, Wan, vpn, etc.)

As a small example (it can be seen in my copied list): when creating a vpn connection, this rule correctly indicates that your VPN address (or several) will go directly to your Local-LAN.
add action=accept chain=forward comment=VPN dst-address-list=Local-LAN src-address-list=VPN
Every entry is important and so is the order. Do not mix Input and forward places. I think if you fix the FW then everything should start working

Mikrotik has two ways to configure traffic.
1) we allow everything and prohibit only what we need to prohibit
2) we drop everything and allow only what we need
The second option is the most popular and also the most correct. We prohibit everything and, if we do not reach a resource, etc., we look at the address-list and then create a rule, for example from VPN->LAN1 or LAN2, Guest or somewhere else.
Thanks!
 
DeathRat
just joined
Topic Author
Posts: 8
Joined: Thu Mar 14, 2024 9:16 pm

Re: VPN User credentials Not AD User credentials

Sat Mar 16, 2024 9:08 pm

Additional ports will need to be opened in the "Input" chain for L2TP authorization. We use address-lists. Corrections are necessary in the firewall section. We always use the "default" firewall as the basis for everything and supplement it with what we need, as needed. In order for the traffic to work correctly, we drop everything at the end of both the Input chain and the Forward chain rules: add action=drop chain=forward comment="drop all else"
Firewall rules are executed from top to bottom. The sequence also matters.
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=bridge2 list=LAN2
/ip firewall address-list
add address=192.168.1.0/24 list=Local-LAN
add address=192.168.2.0/24 list=Guest
add address=192.168.3.240-192.168.3.245 list=VPN

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input src-address-list=Local-LAN comment="Config Access"
add action=accept chain=input comment=L2TP dst-port=500,1701,4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IKE IPSec" in-interface-list=WAN \
    protocol=ipsec-esp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Access Internet From LAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Access Internet From LAN2" \
    in-interface-list=LAN2 out-interface-list=WAN
add action=accept chain=forward comment=VPN dst-address-list=Local-LAN \
    src-address-list=VPN
add action=accept chain=forward dst-port=25 protocol=tcp src-address-list=\
BarracudaIP-SMTP
add action=accept chain=forward dst-port=25 out-interface=WAN protocol=tcp
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN

add arp=proxy-arp name=bridge1
add action=accept chain=input comment=L2TP dst-port=500,1701,4500 does not work: "failure: ports can be specified if proto is tcp,udp,udp-lite,dccp,sctp"
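The rejected rule above is the first half of a two-line export entry: the `\` continuation carrying `in-interface-list=WAN protocol=udp` was lost in the paste, so RouterOS saw a port matcher with no protocol. The script below is an added example, not code from this thread, from MikroTik or from RouterOS. It re-joins `\` continuations, parses the `/ip firewall filter` rules of an export, and reports the gaps raised in this thread: a `dst-port`/`src-port` matcher without a port-capable protocol (the exact error the poster hit), an input chain with no accept for UDP 500/1701/4500 and `ipsec-esp`, and input or forward chains that do not end in an unconditional drop or that have dead rules behind an earlier one. `SAMPLE_BROKEN` and `SAMPLE_FIXED` are constructed inputs, and all function names are my own.

```python
"""Lint a RouterOS `/ip firewall filter` export for the gaps discussed in this thread.

Added example; not code from the forum thread, from MikroTik or from RouterOS.
"""
import shlex
from typing import Dict, List

PORT_PROTOCOLS = {"tcp", "udp", "udp-lite", "dccp", "sctp"}   # protocols RouterOS allows ports on
L2TP_UDP_PORTS = {500, 1701, 4500}                            # IKE, L2TP, NAT-T
# keys that do not restrict what a rule matches
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "disabled"}

# Constructed sample: the rule as pasted in the thread (continuation line lost).
SAMPLE_BROKEN = r"""
/ip firewall filter
add action=accept chain=input comment=L2TP dst-port=500,1701,4500
add action=drop chain=input comment="drop all else"
"""
# Constructed sample: a minimal set in the default-deny layout the helper posted.
SAMPLE_FIXED = r"""
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment=L2TP dst-port=500,1701,4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IKE IPSec" in-interface-list=WAN \
    protocol=ipsec-esp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment=VPN dst-address-list=Local-LAN \
    src-address-list=VPN
add action=drop chain=forward comment="drop all else"
"""


def join_continuations(text: str) -> List[str]:
    """Merge lines ending in a backslash with the line that follows."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf = (buf + line).strip()
        if buf:
            lines.append(buf)
        buf = ""
    if buf.strip():
        lines.append(buf.strip())
    return lines


def parse_filter_rules(export: str) -> List[Dict[str, str]]:
    """Return each `add ...` under `/ip firewall filter` as a key/value dict."""
    rules, in_section = [], False
    for line in join_continuations(export):
        if line.startswith("/"):
            in_section = line == "/ip firewall filter"
        elif in_section and line.startswith("add "):
            # shlex keeps quoted values such as comment="drop all else" in one token
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules


def ports_in_spec(spec: str) -> set:
    """Expand '500,1701,4500' or '60000-60010' into a set of port numbers."""
    ports = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def is_unconditional_drop(rule: Dict[str, str]) -> bool:
    """True for an enabled drop rule that matches all traffic in its chain."""
    return (rule.get("action") == "drop" and rule.get("disabled") != "yes"
            and not (set(rule) - NON_MATCHERS))


def lint_rules(rules: List[Dict[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    findings, chains = [], {}
    udp_ok = esp_ok = False
    for n, r in enumerate(rules, 1):
        chains.setdefault(r.get("chain"), []).append((n, r))
        if ("dst-port" in r or "src-port" in r) and r.get("protocol") not in PORT_PROTOCOLS:
            findings.append(f"rule {n}: port matcher without tcp/udp/udp-lite/dccp/sctp protocol (RouterOS rejects it)")
        if r.get("chain") == "input" and r.get("action") == "accept" and r.get("disabled") != "yes":
            if r.get("protocol") == "udp" and L2TP_UDP_PORTS <= ports_in_spec(r.get("dst-port", "")):
                udp_ok = True
            if r.get("protocol") == "ipsec-esp":
                esp_ok = True
    if not udp_ok:
        findings.append("input chain: no accept for udp dst-port 500,1701,4500 (L2TP/IPsec)")
    if not esp_ok:
        findings.append("input chain: no accept for protocol ipsec-esp")
    for chain in ("input", "forward"):
        entries = chains.get(chain, [])
        if not entries:
            findings.append(f"{chain} chain: no rules at all")
            continue
        for n, r in entries[:-1]:
            if is_unconditional_drop(r):
                findings.append(f"rule {n}: unconditional drop in {chain} chain, later rules never match")
        if not is_unconditional_drop(entries[-1][1]):
            findings.append(f"{chain} chain: last rule is not an unconditional drop (no default deny)")
    return findings


def lint_export(export: str) -> List[str]:
    """Parse an export text and lint its filter rules."""
    return lint_rules(parse_filter_rules(export))


if __name__ == "__main__":
    for name, sample in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(f"--- {name} ---")
        print("\n".join(lint_export(sample)) or "no findings")
```

Feed it the text of `/export` (or just the `/ip firewall filter` section) before pasting rules into a router; the "broken" sample reports the missing protocol, the missing L2TP/IPsec accepts and the empty forward chain, while the "fixed" sample reports nothing. The checks are deliberately conservative: a chain is only considered closed by a drop that carries no matcher at all, and a disabled rule never counts.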
 
johnson73
Member Candidate
Posts: 185
Joined: Wed Feb 05, 2020 10:07 am

Re: VPN User credentials Not AD User credentials

Sat Mar 16, 2024 9:49 pm

What do your firewall rules look like after the changes? It is not clear why your VPN does not work correctly. Do you have "interface list=Local-LAN" specified for your current profile in PPP profiles?
 
DeathRat
just joined
Topic Author
Posts: 8
Joined: Thu Mar 14, 2024 9:16 pm

Re: VPN User credentials Not AD User credentials

Sat Mar 16, 2024 11:46 pm

What do your firewall rules look like after the changes? It is not clear why your VPN does not work correctly. Do you have "interface list=Local-LAN" specified for your current profile in PPP profiles?

/ip firewall address-list
add address=1.1.1.64/28 comment="COMP_A\?" disabled=yes list=Mgmt-List
add address=1.1.1.110 comment="COMP_A\?" disabled=yes list=Mgmt-List
add address=1.1.1.0/20 list=BarracudaIP-SMTP
add address=1.1.1.0/21 list=BarracudaIP-SMTP
add address=1.1.1.83 comment="COMP_A\?" disabled=yes list=Mgmt-List
add address=1.1.1.158 comment=RAMS list=Mgmt-List
add address=1.1.1.34 comment="RAMS TMS WiFi" list=Mgmt-List
add address=10.10.1.1-10.10.1.254 comment="Local LAN" list=Local-LAN
/ip firewall filter
add action=drop chain=input connection-state=invalid
add action=accept chain=input connection-state=invalid disabled=yes \
in-interface=ether1 log=yes log-prefix=VPN_Access protocol=icmp \
src-address-list=Local-LAN
add action=accept chain=input disabled=yes in-interface=ether1 protocol=\
ipsec-esp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input protocol=icmp
add action=accept chain=input protocol=gre
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input dst-port=5678 protocol=udp
add action=accept chain=input in-interface=bridge1
add action=accept chain=input src-address-list=Mgmt-List
add action=drop chain=input log=yes log-prefix=INPUTDROP
add action=accept chain=forward dst-port=25 protocol=tcp src-address-list=\
BarracudaIP-SMTP
add action=accept chain=forward dst-port=25 out-interface=ether1 protocol=tcp
add action=drop chain=forward dst-port=25 log=yes log-prefix=SMTPDROP \
protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-address=1.1.1.108 dst-port=3390 \
protocol=tcp src-address-list=Mgmt-List to-addresses=10.10.2.24 to-ports=\
3389
add action=dst-nat chain=dstnat dst-address=1.1.1.108 dst-port=3391 \
protocol=tcp src-address-list=Mgmt-List to-addresses=10.10.2.25 to-ports=\
3389
add action=dst-nat chain=dstnat comment=VRTX dst-address=1.1.1.108 \
dst-port=443 protocol=tcp src-address-list=Mgmt-List to-addresses=\
10.10.2.10 to-ports=443
add action=dst-nat chain=dstnat comment=VRTX dst-address=1.1.1.108 \
dst-port=5900 protocol=tcp src-address-list=Mgmt-List to-addresses=\
10.10.2.10 to-ports=5900
add action=src-nat chain=srcnat out-interface=ether1 src-address=10.10.1.20 \
to-addresses=1.1.1.106
add action=src-nat chain=srcnat out-interface=ether1 src-address=10.10.1.22 \
to-addresses=1.1.1.106
add action=src-nat chain=srcnat out-interface=ether1 src-address=10.10.1.27 \
to-addresses=1.1.1.108
add action=dst-nat chain=dstnat disabled=yes dst-address=1.1.1.106 \
dst-port=25 protocol=tcp to-addresses=10.10.1.32 to-ports=25
add action=dst-nat chain=dstnat disabled=yes dst-address=1.1.1.106 \
dst-port=80 protocol=tcp to-addresses=10.10.1.25 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address=1.1.1.107 \
protocol=gre to-addresses=10.10.1.21
add action=dst-nat chain=dstnat dst-address=1.1.1.107 dst-port=1723 \
protocol=tcp to-addresses=10.10.1.21 to-ports=1723
add action=dst-nat chain=dstnat dst-address=1.1.1.107 dst-port=500 \
protocol=tcp to-addresses=10.10.1.21 to-ports=500
add action=dst-nat chain=dstnat dst-address=1.1.1.107 dst-port=1701 \
protocol=tcp to-addresses=10.10.1.21 to-ports=1701
add action=dst-nat chain=dstnat dst-address=1.1.1.107 dst-port=443 \
protocol=tcp to-addresses=10.10.1.21 to-ports=443
add action=dst-nat chain=dstnat comment=Exchange disabled=yes dst-address=\
1.1.1.108 dst-port=25 protocol=tcp to-addresses=10.10.1.27 to-ports=25
add action=dst-nat chain=dstnat comment=Exchange disabled=yes dst-address=\
1.1.1.108 dst-port=443 protocol=tcp to-addresses=10.10.1.27 to-ports=\
443
add action=dst-nat chain=dstnat comment=Exchange disabled=yes dst-address=\
1.1.1.108 dst-port=80 protocol=tcp to-addresses=10.10.1.27 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address=1.1.1.109 \
dst-port=80 protocol=tcp to-addresses=10.10.1.28 to-ports=80
add action=dst-nat chain=dstnat dst-address=1.1.1.108 dst-port=21 \
protocol=tcp to-addresses=10.10.1.23 to-ports=21
add action=dst-nat chain=dstnat dst-address=1.1.1.108 dst-port=60000-60010 \
protocol=tcp to-addresses=10.10.1.23 to-ports=60000-60010
add action=dst-nat chain=dstnat dst-address=1.1.1.108 dst-port=60000-60010 \
protocol=udp to-addresses=10.10.1.23 to-ports=60000-60010
 
johnson73
Member Candidate
Posts: 185
Joined: Wed Feb 05, 2020 10:07 am

Re: VPN User credentials Not AD User credentials

Sun Mar 17, 2024 11:49 am

https://help.mikrotik.com/docs/pages/vi ... eId=328435
I see that you have not fixed the firewall filter. Your existing configuration does not ensure the correct traffic flow. Your firewall rules are crap and not secure at all.
You will also have no security, because the "Input chain" and "Forward chain" traffic termination (Drop=All) is not specified. As an example: if we scan your IP address from the outside, the scanner will show that you have a lot of ports open, which is basically completely wrong. Fix the firewall according to the example I copied for you earlier.
We do not specify VPN ports in the NAT section. Normal VPN will not work for you. See my example. They must be in the "Input" chain. In the Forward section we indicate everything needed for "Barracuda" with all ports, etc.
I already copied ready-made firewall rules for you and you have to correct your IP addresses in the address-list.
Example:
/ip firewall address-list
add address=10.10.1.10-10.10.1.199 comment="Local LAN" list=Local-LAN
add address=10.10.1.200 comment="AD server"
add address=10.10.1.201 comment="AD server2"
add address=10.10.1.202 comment="BarracudaIP-SMTP"
add address=10.10.2.0/24 comment="WIFI subnet" list=WIFI-LAN
 
DeathRat
just joined
Topic Author
Posts: 8
Joined: Thu Mar 14, 2024 9:16 pm

Re: VPN User credentials Not AD User credentials

Mon Mar 18, 2024 10:39 pm

https://help.mikrotik.com/docs/pages/vi ... eId=328435
I see that you have not fixed the firewall filter. Your existing configuration does not ensure the correct traffic flow. Your firewall rules are crap and not secure at all.
You will also have no security, because the "Input chain" and "Forward chain" traffic termination (Drop=All) is not specified. As an example: if we scan your IP address from the outside, the scanner will show that you have a lot of ports open, which is basically completely wrong. Fix the firewall according to the example I copied for you earlier.
We do not specify VPN ports in the NAT section. Normal VPN will not work for you. See my example. They must be in the "Input" chain. In the Forward section we indicate everything needed for "Barracuda" with all ports, etc.
I already copied ready-made firewall rules for you and you have to correct your IP addresses in the address-list.
Example:
/ip firewall address-list
add address=10.10.1.10-10.10.1.199 comment="Local LAN" list=Local-LAN
add address=10.10.1.200 comment="AD server"
add address=10.10.1.201 comment="AD server2"
add address=10.10.1.202 comment="BarracudaIP-SMTP"
add address=10.10.2.0/24 comment="WIFI subnet" list=WIFI-LAN
Sorry, I did, but since I encountered errors, I reverted back. I do appreciate your help; as I said before, I am a complete noob using MikroTik, and up until last year I did not have a clue about them. I have always used NetGear routers for home, or either Cisco or SonicWall firewall devices. I never had to configure one or the other, and this device was already configured when I took this job. A contractor was assisting my predecessor, and he had a lot of access and billable hours.
Again, thanks for your time and effort.
 
johnson73
Member Candidate
Posts: 185
Joined: Wed Feb 05, 2020 10:07 am

Re: VPN User credentials Not AD User credentials

Tue Mar 19, 2024 9:13 am

Sorry, I did, but since I encountered errors, I reverted back.
Going back would not be the best advice. You understand: you don't have correct firewall entries, which affects firewall flow, security and the rest. If you have this MikroTik in the production environment as the primary one, then you absolutely need to arrange the traffic flow as shown in my example. Otherwise, your router can be hacked, your local LAN can be accessed and it will cause you a lot of other problems.
Sonicwall and Cisco are a slightly different level of hardware and often require a lot more knowledge to configure than mikrotik. Each device has its own specifics.
Of course, do as you wish, it's just my suggestion.
