From Mikrotik to Ubiquiti UniFi and back to Mikrotik

Hello all, it’s been a good while since I’ve been on here!

Way-back-when I had a RB2011UiAS-2HnD-IN which I used as my main home router. This was connected to a pair of VDSL services via the two providers supplied ‘broadband routers’, with me using the RB2011 to load balance between the two among other things. At that time I was using some old Cisco LAN switches and APs that I’d managed to collect during my time working in the networking industry for far too many years.

Then I discovered UniFi and liked the glossy look of it and firstly changed to their APs then I got one of their LAN switches then finally (the biggest mistake) was to swap the RB2011 out for their USG (router). I think I was influenced by their nice app and interface and how it was all joined up in one place, which it is. However during the time that I’ve had the UniFi setup it’s not been the most reliable thing, I’ve had a number of random issues and the frustrating thing is that often their shiny application doesn’t show that anything is wrong, when there plainly is. The other issue is the functionality is limited via their interface and seems to be developing in features very slowly. Lastly the load-balancing has never worked properly for me. Yes you can do stuff under the hood (in their difficult to understand CLI) but you have to mess about to stop the controller (which is part of their solution) overwriting the under-the-hood changes that you have done. So I think it’s time to come back to Mikrotik where you can configure pretty much whatever you want and with a proper CLI!

So (finally) to my question(s).

I currently have 3 x AP-AC-LR APs, an 8-port US-8-60W PoE switch (still using an old Cisco PoE switch too), the USG router and their controller (running on W10). This solution is for my home (including home office) and I will be connecting to my 2 x VDSL services as before (both with <20Mbps download).

My thoughts are as follows:

RB4011iGS+RM
3 x cAP ac
2 x hEX PoE (to provide PoE to the APs and also some CCTV) - then possibly still using my old Cisco switch too

Or do I collapse the routing and switching into just a CRS328-24P-4S+RM (I assume this has a fan, I would like fanless)

Or maybe the CRS112-8P-4S-IN & CSS326-24G-2S+RM

What I don’t know is what the key differences are between the RB4011iGS+RM, CRS328-24P-4S+RM & CRS112-8P-4S-IN in relation to their routing capability. I can see that the RB4011 seems to be a lot more powerful. I will be wanting to use the router for CAPsMAN too.

One thing I noticed is that these newer routers (compared to the RB2011) don’t have USB ports (I seem to recall the recommendation with the RB2011 to use a USB memory stick to avoid wearing out the internal storage, is this not an issue anymore?)

Any comments/thoughts appreciated.

Keep ubiquiti for Wi-Fi, replace USG with RB4011 for routing.
Mikrotik wifi will be considerably slower than ubiquiti, especially with capsman.
CRS devices are meant to be used as switches. They can do routing, but performance will be slow.

Very interested in this as I have nearly the same scenario at home that I’m looking to move to Mikrotik.

I’ve seen throughout the forum that Unifi AP’s are faster but to what degree?

I’m limited by a rural DSL line and LTE modems I use. I plan on using a Hex S to load balance the connections but even then I’m highly unlikely to notice any “speed” difference from a Mikrotik vs Unifi AP… but I’m interested in hearing other reasons to keep the Unifi AP’s.

Hi all,

I am very interested in this topic also. I have an almost all Unifi setup also and was looking at replacing the USG-3P. I was looking for something that might support Wireguard or something better than the L2TP VPN built into the USG for connecting to my network when I am away. I was thinking maybe get something to play with to see if RouterOS would fit my needs (the online demo looks like a steep learning curve). The 4011 was mentioned in this post but could I get something cheaper to play with and move to the 4011 if it works out? Would the hEX S work? I don't think the L4 vs L5 would make a difference to me. Also, can I assume that if I buy the hardware, the license comes with it?

Here is my current setup…

USG-3P → US-16-150W → 2x - UAP-nanoHD
TP-Link EAP-225 also

I have 3 networks configured in the system. 1 VPN, 1 main network and 1 VLAN for all my IoT devices.

Thanks for any advice you can provide.

CyBuzz

Hi all

Well, I skipped the hEX S and I received the RB4011 last night and have started to play around with it. I think this will be a steep learning curve since I am not a network expert and just a tinkerer. Here is what I did and the list of things I need to figure out since Ubiquiti made it so easy. I understand though from reading on here that the hardware is much better than the USG.



My Setup:
I realize the RB4011 connected to the USG is not good and eventually the USG will be replaced with the RB4011. The stuff connected to my USG(Lan1) will eventually be moved over to my RB4011(WAN2/LAN2) but had to leave this up while I am figuring stuff out since we work from home.

LAN1
Cable Modem → USG-3P(LAN1) → TP-Link(TL-SG108E) |-> UAP-NanoHD(1)(4 SSIDs: A(disabled, was IoT), B, C & D) & UCK1 &
Other Clients

WAN2/LAN2
Cable Modem → USG-3P(WAN2/LAN2) → RB4011(Port1) → RB4011(Port 6) → US16-150W → UAP-NanoHD(2)(2 SSIDs: E & F) & Other clients & Netgear GS208 → other clients(some wired IoT devices)
Cable Modem → USG-3P(WAN2/LAN2) → RB4011(Port1) → RB4011(Port 8) → UnRaid server(runs UnifiController to manage UAP-Nanohd(2) and US16-150W)
Cable Modem → USG-3P(WAN2/LAN2) → RB4011(Port1) → RB4011(Port 10) → TP-Link EAP225(2 SSIDs: G & H)

Networks:
USG
LAN1: 192.168.XX.XX/24
WAN2/LAN2: 10.10.YY.YY/24
RB4011
WAN: 10.10.YY.YY
LAN: 192.168.ZZ.ZZ/24 (Bridge)


My Goals:

  1. Get everything moved from USG to RB4011 (weekend or late night to avoid downtime)
  2. Isolate my IoT(SSID E) network so that my wireless IoT devices only have internet access and no access into the LAN but I can get to them from within the LAN.
  3. Isolate wired IoT devices (Roku, Audio Receiver, Game Consoles) like wireless IoT devices
  4. Migrate SSIDs from UAP-NanoHD(1) to UAP-NanoHD(2)
  5. Remove the USG-3p from the setup and only use the 4011 router
  6. Set up some sort of VPN (I liked being able to connect into the home network when away with the USG)
  7. Set up RADIUS server (had one on USG) for authentication for VPN if needed
  8. Clean up the mess of the space where all this hardware is located :slight_smile:
  9. Document/Label ports so I don't spend so much time tracing cables.

Right now the thing I am most concerned with and don't have a clue how to implement is isolation of the IoT devices. It was easy on the Ubiquiti stuff, not so much here.

Thanks for reading everyone. If anyone has insight, I welcome it. I will be digging through these forums as much as I can.

CyBuzz

Good article on how to set up the RB4011 device for VLANs etc…
I too would stick with other vendors wifi and get the wired only RB4011.

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Thanks for all that information. I have read through it twice and think it will take another to see how it applies specifically to my devices. This is going to take some time.

CyBuzz

Consider using the Audience.

MikroTik audience is fantastic for home WiFi…I have three of them as APs/MPLS routers and use a CRS328 for switching with a CCR1009 to connect to symmetric 1G fiber. Then I use OSPF/MPLS to build VPLS for the main and IoT SSIDs.

I hope we’ll see MikroTik continue to add wireless features and improve performance to grab market share away from the Ubnt dumpster fire.

This is my simple home network with MikroTik wireless :wink:

Hey IPANet, how do you compare audience to previous wifi like on capac etc…
Also do you have to run the beta software to gain the advantages?

I don't see anything extraordinary about them except the high price for just a wifi5 AP.
Call me a sceptic but where is the gain in using these… Doesn't look wall mountable much either.

IPANetEngineer, thank you for the information. I will take a look in the future however my goal is to replace my Ubiquiti USG with the RB4011 that I purchased. I do not intend to replace my Ubiquiti APs or Switch or any other hardware unless I have to (incompatibility or failure) so I am going to try and work with what I have.

Well whoo hoooo! I was able to create a VLAN on the RB4011 with all the other stuff (Network, dhcp server, firewall rule, etc.) from reading reading reading…this forum is awesome. I was then able to set my 2 APs to have an SSID with that VLAN for IoT stuff and get that all configured so they can talk to the internet but not talk to anything on the rest of my network. I am far from done but feel accomplished with this success, however I am not sure why it all works…but it does :smiley:
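
An added illustration of the kind of RouterOS setup the post above describes (not part of the thread and not CyBuzz's actual configuration): an IoT VLAN that reaches the internet, cannot initiate connections into the LAN, and can still be reached from the LAN. The names `bridge`, `vlan-iot` and `WAN`, VLAN ID 20 and the 192.168.20.0/24 subnet are assumptions, as is a router that already answers DNS for its clients.

```routeros
# Added example; every name, VLAN ID and address below is an assumption.
# VLAN interface on top of the LAN bridge; the APs/switch tag IoT traffic with ID 20.
/interface vlan
add name=vlan-iot vlan-id=20 interface=bridge comment="IoT"

# Gateway address and DHCP for the IoT subnet.
/ip address
add address=192.168.20.1/24 interface=vlan-iot
/ip pool
add name=pool-iot ranges=192.168.20.100-192.168.20.200
/ip dhcp-server
add name=dhcp-iot interface=vlan-iot address-pool=pool-iot disabled=no
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

/ip firewall filter
# Forward chain: traffic routed THROUGH the router. Rules match top to bottom.
# 1. Replies to connections that were already allowed. This is why LAN -> IoT
#    sessions work in both directions while IoT cannot open new ones.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# 2. The trusted LAN (untagged traffic on the bridge) may initiate to IoT devices.
add chain=forward action=accept in-interface=bridge out-interface=vlan-iot
# 3. IoT devices may initiate to the internet only.
add chain=forward action=accept in-interface=vlan-iot out-interface-list=WAN
# 4. Any other new connection from IoT (to the LAN or other VLANs) is dropped.
add chain=forward action=drop in-interface=vlan-iot

# Input chain: traffic TO the router itself. IoT gets DNS and DHCP, nothing else
# (no WinBox, SSH or WebFig from the IoT segment).
add chain=input action=accept in-interface=vlan-iot protocol=udp dst-port=53,67
add chain=input action=accept in-interface=vlan-iot protocol=tcp dst-port=53
add chain=input action=drop in-interface=vlan-iot
```

`add` appends to the end of each chain, so on a router that already has filter rules these must be moved above any existing general drop rule, keeping the order shown here.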

Good news, if you want a review of your config thus far
/export hide-sensitive file=anynameyouwish

Mikrotik kills Ubnt when it comes to routing. However their APs are really good.

The CRS328 has a good enough CPU to handle a NAT and firewall for at least a 100/100M connection.

I have dumped Ubiquiti Wi-Fi for my personal and all my clients. It is now all MikroTik for Routing + Wifi [Always used MikroTik for routing…]. Some clients I will use TP-Link EAP access points; they are nearly identical to Unifi but more stable… hint.

MikroTik Wifi can be just as fast as UBT consumer. All about configuration, [channel config, AP placement is key!]. MikroTik will be more stable and in my experience, better radio sensitivity. YMMV!!!

The RB4011 is a great router, powerful. Be sure to run routerOS 4.57.10 - fixes the stability issues some had. The RB4011 will not break a sweat running CapsMAN.

Use CapsMAN with LOCAL FORWARDING ON!. Otherwise, performance will be SHI*%.

In regards to switching. Go with a Regular CRS instead of the HEX units. CRS running SwOS will be easier to manage. HEX’s are great, just use switch CHIP or configure CPU based vlan with bridge method. Or, keep your Unifi Switch until it dies [it will]. Use Any Smart managed PoE switch of your pick.

I agree 100% with your statements. I’m waiting for MT to release new wireless devices, alongside of RouterOS 7. Time is near! Ubnt is very much a dumpster fire; not to mention the data breach – much worse than they publicly admit. I’ve dumped all Ubt products over a year ago. Not looking back.

Ubt products are consumer toys with shiny interface. Easy to turn the knobs.

Yes - Folks running a WISP will argue otherwise. That is different story with the Ubt airfiber products. Or Move to Cambium [wisp].

I did this…but where is the file saved and how do I get to it?

I do not run WISP, but I do lots of wireless installations …’lots’. ….. UBNT wireless is excellent in FACT outstanding …. Tik Wireless is very POOR … VERY POOR. UBNT Has AI that works really well in mesh environments … how long before MikroTik will have AI … 10 yrs ???

2021.06.22.ehs.rsc (7.57 KB)
Wow, this has been challenging. I think I have figured out much of what I wanted to do on my list. I feel accomplished since this isn’t my trade. I am looking to this group in hopes you can look at my config and see if I did anything glaringly bad.

So, my list…

  1. Done - Get everything moved from USG to RB4011 (weekend or late night to avoid downtime)
  2. Done - Isolate my IoT(SSID E) network so that my wireless IoT devices only have internet access and no access into the LAN but I can get to them from within the LAN.
  3. Done - had to figure out VLAN/PVID on my TL-SG108E - Isolate wired IoT devices (Roku, Audio Receiver, Game Consoles) like wireless IoT devices
  4. Done - Migrate SSIDs from UAP-NanoHD(1) to UAP-NanoHD(2)
  5. Done - Remove the USG-3p from the setup and only use the 4011 router
  6. Done - Set up some sort of VPN (I liked being able to connect into the home network when away with the USG)
  7. ToDo if needed - Set up RADIUS server (had one on USG) for authentication for VPN if needed
  8. :frowning: Not looking forward to this - Clean up the mess of the space where all this hardware is located :slight_smile:
  9. Started - Document/Label ports so I don't spend so much time tracing cables.

I have also added to the list of to-do items a few more things:

  10. My UAP-nanoHDs both work fine however in the Controller (running in a docker on unraid) they both show as adopting. Since they work…not going to worry about that at the moment.
  11. Figure out how to connect my switch to my router via SFP (Unifi is SFP and Switch is SFP+)
  12. Play around with DNS. I use Pihole for local DNS and not sure I have the router set up right…but it works.

Anyway, for now, for what I know…it works as I want it to. Please take a look at my config and let me know if it is ok. If I am missing something, please let me know also.

I’ve told TP-Link that I’ll bitch about this issue and warn users with any chance I get but this is ridiculous, two in two days!
@CyBuzz see what I wrote here about TL-SG108E: http://forum.mikrotik.com/t/home-vlan-design-mikrotik-tplink-ubiquiti-my-experience-and-some-firewall-advice-sought/149585/1
And below.. since @anav was talking about a totally different switch series.

Yup I did find some threads about the SG108 series.
I believe there may be a workaround and that is to ensure the PVID of 1 is replaced by any other PVID if possible (at least for trunk or hybrid ports),
or flash Netgear firmware on it… (or get a switch that works somewhat to standard)