Business with limited Bandwidth and out of control usage

Hello there,

I am relatively new to the world of MikroTik and was looking at it as a solution for a small business that I am starting to manage. They have very limited bandwidth without many options to increase bandwidth due to being a remote location. However, they are increasing their load on the current system because of business expansion. I was wondering if using a MikroTik Router might be able to help this client.

Here is the situation:
Client has 10 to 15 devices (including 2 Windows 2003 servers (I know they need an upgrade))
They have a dedicated T1 line (too far away for DSL or Cable solutions)

They have nothing controlling who does what on the internet, and they may have it open to their employees having access to the WIFI. They do not have WSUS setup and Patch Tuesday - Wednesday is a nightmare bandwidth wise. They are using a cloud-based email and accounting platform and frequently get kicked off of them due to timeouts and latency.

The client wants to implement a dd-wrt solution to monitor who is using what bandwidth and for what purpose before locking down the system. One thing I have seen is users have the ability to stream their favorite radio talk shows w/o any issues. I am not sure if this is against the network policy or not (or even if there is a policy), but obviously some QoS would help here.

Questions:
Can I use the MikroTik hardware/software OS to …

  • create detailed reports by node of who uses what?
  • setup QoS rules that prioritize Cloud accounting/email over other traffic?
  • setup node/user-specific policies that allow X,Y,Z traffic but block A-W traffic?
  • setup load balancing between the T1 and a possible LTE solution in the future?
  • replace current WIFI solution (Nighthawk, TP-LINK extenders) with a more robust system? (dedicated routes, directional antennas, etc.)
  • Monitor all traffic for business sensitive data including https connections. (This is a much lower priority and not even one on the owner’s radar, but I foresee it coming.)

The client’s #1 priority is getting a system in place that can track what everyone uses bandwidth wise, and then be able to shape the traffic to best promote business centered data. Basically, they are looking at the Map and wanting to know where the “you are here” X is. Then map out a route to best manage his business.

Thanks in advance for answering this Beginner’s question,
Matt

Mikrotik routers can do what you’re talking about, but they aren’t the easiest tool to use for beginners, especially where QoS scheduling is concerned.

On the other hand, they’re quite inexpensive and quite flexible so if you have a good grasp of networking functions / behaviors, then you can probably accomplish what you want using Mikrotik. By itself, a Mikrotik router isn’t going to give you the pretty dashboard showing who is doing what in a digestible executive piechart type of format, but it does have fantastic real-time troubleshooting tools like torch, packet sniffer, etc.

If you want to mess around with one for zero dollars, you can install virtualbox and then download a Mikrotik CHR image to play around with and see if the features make any sense to you.

To fulfill the client's prio #1, the simplest and best approach is to set up an intermediate caching proxy with logging for the whole network. An old PC running Linux + squid reduces required bandwidth (because of the cache) and provides extensive logging of user activities on http and https. Various log analyzers for squid logs are available. All the software is free of charge, open and well established. Rather good docs are available on the web, in case you use one of the major Linux distros, e.g. Ubuntu. Afterwards, when you have solid data regarding user behaviour, you might use MT for the actual QoS.
Or use the org PC, in case powerful enough.

Now this is an interesting idea that escaped me. I have not used squid before, so I will have to do some research. But if I follow the concept correctly, would I be placing this proxy in the network like so?

Internet<–>ISPModem<–>SQUIDPROXY<–>Client Network Router<–>Network switch<–> Servers, PC’s, Wifi Routers etc.

Squid Proxy would need two NIC cards one for inbound one for outbound traffic…

I would start by just putting Squid on the LAN and blocking web access from everything else. This would require that you explicitly configure the clients to use the proxy server. You can then watch the router to see who is still trying to get out on to the internet directly rather than via the proxy.

You aren’t going to get any caching or a lot of useful info from Squid about HTTPS sites without MITM.

@cpctech: Yes, setup is the most suitable, and simplest.
@troffasky: “You aren’t going to get any caching or a lot of useful info from Squid about HTTPS sites without MITM.”
No caching effect without MITM, correct. And this setup is for (very) advanced users.
However, useful info from https-logging you can already get with some mediocre experience: the IPs/domains accessed, at least. Not URLs, of course.

Just looked at squid logs, CONNECT method shows bytes transferred as well. So not useless at all :)
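As an added example (not code from any post in this thread), here is a small Python script that reads squid's native access.log and totals bytes per client and per destination host, counting CONNECT tunnels by their host so HTTPS usage is included in the report; the log lines below are constructed.

```python
# Added example (not from the thread): aggregate squid native access.log
# by client and destination. Sample lines below are constructed.
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Native format: timestamp elapsed client result/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1511290000.123    245 192.168.1.10 TCP_TUNNEL/200 48213 CONNECT mail.example.com:443 - HIER_DIRECT/93.184.216.34 -
1511290001.456     98 192.168.1.11 TCP_MISS/200 5321 GET http://news.example.org/index.html - HIER_DIRECT/93.184.216.35 text/html
1511290002.789  60000 192.168.1.11 TCP_TUNNEL/200 9100000 CONNECT radio.example.net:443 - HIER_DIRECT/93.184.216.36 -
1511290003.000     12 192.168.1.10 TCP_HIT/200 1200 GET http://news.example.org/logo.png - HIER_NONE/- image/png
1511290004.000      5 192.168.1.12 TCP_DENIED/403 3800 GET http://blocked.example.com/ - HIER_NONE/- text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)/(?P<status>\d+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

def destination_host(method, url):
    # CONNECT lines carry host:port (a TLS tunnel); other methods carry a full URL.
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url

def summarize(log_text):
    """Return (bytes per client, bytes per destination host, bytes served from cache)."""
    per_client, per_host, hit_bytes = defaultdict(int), defaultdict(int), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the report
        size = int(m["bytes"])
        per_client[m["client"]] += size
        per_host[destination_host(m["method"], m["url"])] += size
        if "HIT" in m["result"]:  # TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_HIT, ...
            hit_bytes += size
    return dict(per_client), dict(per_host), hit_bytes

if __name__ == "__main__":
    clients, hosts, hits = summarize(SAMPLE_LOG)
    for table in (clients, hosts):
        for key, n in sorted(table.items(), key=lambda kv: -kv[1]):
            print(f"{key:28} {n:>10} bytes")
    print(f"served from cache: {hits} bytes")
```

Because squid logs only the destination of a CONNECT tunnel, the per-host totals for HTTPS show which services consume the bandwidth without any interception of the encrypted content.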