Happy with your purchase?

How happy are you

  • Thrilled - better than I imagined
  • Happy - Works fine
  • Neutral - Same as the rest of the pack
  • Unhappy - Frustrating
  • Regretting - Should never have spent the money

I’m new to Mikrotik, just bought a couple of RBs to play with, thinking I could start to deploy these at clients. My first week with the RB has been rough, including:

  • Discovered OpenVPN is over TCP only (not practical)
  • Discovered the PPTP/IPsec rules/design is a mess (I set this up easily on Linux…). After 20 hours I still can’t get this working…
  • Found little to no Mikrotik support on the forums
  • Lots of 1-, 2- and 3-year-old postings that have gone unanswered.
  • No bug list/tracker to know what’s outstanding and when it will be fixed

Before I recommend more of these (or invest a lot more time learning MT), I’m curious about the experience of others. Is it just the PPP/IPsec portion that is problematic? Are the MTs more of a router only (not a VPN endpoint) or an access point? Any regrets?

I couldn’t find a good forum for this, so “general” seemed right :) Looking for honest experience (not fanboy stuff), and no trolling either.

Mikrotik products are awesome, especially taking into account how little they cost. Just bear in mind that RouterOS (like everything around here) has its limitations.

Great router. As to the VPN endpoint role, IPsec works fine for L2L. It’s useless for road-warrior configurations, however. I use OpenVPN as a road-warrior solution, but I need it for secure management access only, so I’m happy with TCP.

“It’s useless for road-warrior configurations”

Could you clarify why you think so?

Sure I can. I have actually already done so here and here.

In general:

  • No split-tunnel (split-routing) support.
  • No split-DNS support.

IPsec specific:

  • No ModeCfg support.
  • No XAuth support.
  • No hybrid authentication support (not so critical).
  • It is not possible to distinguish between encrypted and unencrypted traffic in FW rules (which is required to make dynamic policy generation secure).

I have been ‘playing around’ with Mikrotik for a few years, mainly at home. In this time it sparked enough curiosity to pursue it more.

In the past year and a bit I have taken them more seriously, spent a lot of time learning them, and have started deploying them at a lot of my customer sites.

My opinions/discoveries so far:

  1. Excellent value - there’s nothing at their price point that has the capabilities these RBs have

  2. Poor communication - Bugs and changelogs aren’t communicated well. Mikrotik have a great community presence but are selectively quiet sometimes :)

  3. Somewhat complex config - This isn’t really a bad thing, but it does ward off a lot of potential customers for Mikrotik

Usage Observations:

  1. RB as an appliance - The firewall is extremely powerful and I have used it in many load-balancing projects successfully.

  2. RB as a business access point - Deployed in many small businesses, again the best value vs. capabilities, but unfortunately loses out in large corporates to smarter APs that operate in a lightweight configuration or have

  3. RB as a firewall - Great, works well, but for some it may be a steep learning curve. If you’re coming from iptables this most likely won’t be the case.

  4. RB user interface (Winbox and Webfig) - Feedback from my peers is that it’s not that good for people coming in from most other router or firewall vendors. This hasn’t bothered me and I actually like Winbox quite a lot now.

  5. RB for VPN - Fairly average. IPsec unfortunately doesn’t play well with other vendors’ devices and is slightly odd to configure the first few times around. Some odd irregularities have come up (like a road-warrior setup that decides to lose its SAs) that have pushed me to other vendors for some projects.

  6. RB for QoS - I’m still undecided on this one. From what I read it is extremely powerful and I have set it up a few times. I’m not really sold on it 100% yet, but I hope that is just due to my understanding.

  7. RB for SMB/SoHo - I see Mikrotik aiming a lot for this space, but there are a few things holding them back from what I can see. One is the lack of DSL modems; bridging works well but means another device for the end user. WiFi doesn’t seem to hold up to media-rich applications as well as other vendors; it may have only been the RB751 models I used, but nonetheless it was a roadblock. They will also need to pay attention to VoIP a bit more to be successful in this space.

  8. RB for Wireless (PtP/PtMP) - I believe this is almost where Mikrotik started. I have not had the chance to really use all of its potential here, but there are many on the forums who have created businesses out of Mikrotik, so I’m sure it is a great product.

  9. RB for Switching - I saw potential with this to get a share of the market that would have a use for a cheap smart switch, however this has seemingly died altogether. SwOS has a terribly basic feature set. There’s a lot of potential here, but they’d need to provide much higher density models, PoE and a revised OS before I could put them out in the wild.

All in all I like them very much and I’ve decided to get some of their certifications :)

We can consider adding ModeCfg and XAuth in future versions.

As I understand it, split routing is a simple policy routing setup on the client; the same goes for split DNS.
I don’t see any problems configuring so-called “split-tunnel” if the client is RouterOS.

Thanks in advance.

Not ‘policy routing’, just ordinary (destination-based) routing: the server (VPN concentrator) tells the client what prefixes should be routed through the tunnel. The same goes for split-DNS. And it is really easy: the only thing RouterOS should support as a server is ModeCfg; everything else will be done by a compliant client (ShrewSoft VPN client, vpnc, Cisco VPN client, just to name a few).

We are talking about road-warrior, right? So the clients are ordinary laptops, mostly. :)

It can be done on a regular Windows client.

By disabling “use default gateway on remote network” in the VPN interface settings
and switching to a static DNS server.


But yes, Mode-CFG would help to do that automatically without any additional client input (if I understood it correctly).

Not quite. I have a couple of devices of different vendors nearby, with road-warrior VPN configured. When client connects to one of these devices, it receives a list of prefixes, say 192.168.10.0/22, 172.16.1.0/24, 172.20.1.0/27, … and all and only these prefixes are routed through the tunnel. And these prefixes have no relation to the IP range the client gets its inner VPN tunnel IP address from.

Again, I need not only the DNS server address, but also a list of domain name suffixes that should be resolved using this DNS server.

Yes, you understand it correctly. Zero configuration on the client side.
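To make the exchange above concrete, here is an added example (my own illustration, not code from this thread and not RouterOS code) of what a road-warrior client receives in a ModeCfg-style reply and what a compliant client does with it. It shows the two points being argued: the tunnel carries all and only the pushed prefixes, with no relation to the range the inner address comes from, and only names under the pushed DNS suffixes are sent to the VPN-side resolver. The `ModeCfgReply` fields are a generic stand-in for the vendor-specific attributes, and every address, prefix and domain name is constructed for the demo.

```python
"""Added example (not from the thread, not RouterOS code): a model of a ModeCfg
reply and of a compliant client acting on it. Field names are a generic
stand-in for the real attributes; all addresses and names are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ModeCfgReply:
    """Attributes a concentrator pushes in the configuration reply.

    Real attribute names vary (IKEv1 ModeCfg INTERNAL_IP4_*, Cisco Unity
    split-include / default-domain, IKEv2 CP INTERNAL_IP4_SUBNET); these
    fields are a deliberately generic stand-in.
    """
    inner_address: str              # tunnel IP assigned to this client
    split_include: tuple[str, ...]  # prefixes that must be routed via the tunnel
    dns_servers: tuple[str, ...]    # resolvers reachable through the tunnel
    dns_suffixes: tuple[str, ...]   # domains that must be resolved by them


class RoadWarriorClient:
    """Minimal compliant client: installs routes and a DNS policy from the reply."""

    def __init__(self, reply: ModeCfgReply) -> None:
        self.inner = ipaddress.ip_interface(reply.inner_address)
        # strict=False: concentrators often push non-canonical prefixes such as
        # 192.168.10.0/22 (host bits set); normalise instead of rejecting.
        self.tunnel_routes = [
            ipaddress.ip_network(p, strict=False) for p in reply.split_include
        ]
        self.vpn_dns = list(reply.dns_servers)
        self.dns_suffixes = tuple(s.lower().strip(".") for s in reply.dns_suffixes)

    def route_for(self, dst: str) -> str:
        """'tunnel' if dst is inside a pushed prefix, otherwise 'default'.

        The inner address plays no part: being assigned 10.99.0.5/24 does not
        make 10.99.0.0/24 reachable through the tunnel unless it was pushed.
        """
        ip = ipaddress.ip_address(dst)
        return "tunnel" if any(ip in net for net in self.tunnel_routes) else "default"

    def resolver_for(self, name: str) -> str:
        """Split DNS: VPN resolver for names under a pushed suffix, otherwise
        the laptop's normal resolver (represented here as 'local')."""
        name = name.lower().rstrip(".")
        for suffix in self.dns_suffixes:
            # match on a label boundary so 'notcorp.example' does not leak to the VPN
            if name == suffix or name.endswith("." + suffix):
                return self.vpn_dns[0]
        return "local"


# Constructed reply, reusing the prefixes quoted in the thread.
SAMPLE_REPLY = ModeCfgReply(
    inner_address="10.99.0.5/24",
    split_include=("192.168.10.0/22", "172.16.1.0/24", "172.20.1.0/27"),
    dns_servers=("192.168.10.10",),
    dns_suffixes=("corp.example", "lab.example"),
)


def demo() -> dict[str, str]:
    """Decisions the client takes for a few destinations and names."""
    client = RoadWarriorClient(SAMPLE_REPLY)
    return {
        "192.168.11.7": client.route_for("192.168.11.7"),  # inside 192.168.8.0/22
        "172.20.1.40": client.route_for("172.20.1.40"),    # just past the /27
        "10.99.0.9": client.route_for("10.99.0.9"),        # inner range, not pushed
        "8.8.8.8": client.route_for("8.8.8.8"),
        "intranet.corp.example": client.resolver_for("intranet.corp.example"),
        "notcorp.example": client.resolver_for("notcorp.example"),
        "www.example.com": client.resolver_for("www.example.com"),
    }


if __name__ == "__main__":
    for key, decision in demo().items():
        print(f"{key:24} -> {decision}")
```

Run it with `python3 modecfg_client.py` (any file name). The point the two posters are circling is visible in `demo()`: 10.99.0.9 shares a /24 with the client’s own tunnel address and still goes out the default route, because only the pushed list decides, and a name that merely ends in the characters of a suffix is not sent to the VPN resolver.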

I bought an RB1100 mostly for QoS setup and client bandwidth limitations, but now I feel that I’ve been fooled by the advertisements, TikTube presentations and posts on forums. This is the only feature (QoS) that I missed in Mikrotik. It’s present, maybe, but from what I know it is very, very bad or even not working. The rest is working fine.

PS: Running torrents at 6144 kbytes/sec (full internet speed) with QoS disabled and QoS enabled - absolutely no difference in Google News page load time (~10 seconds). Without torrents it loads in 2 seconds.

So, I’m unhappy with the purchase.

Not a fair comment. RoS is very powerful, but only as clever as you make it. I challenge you to find better for similar money.

routing just a little bit of the world

  • It is not possible to distinguish between encrypted and unencrypted traffic in FW rules (which is required to make dynamic policy generation secure)

i.e. IPsec policy matching.

Add my voice to this. Loudly too!

While it’s been an endless complaint, UDP on OpenVPN is a big deal. Always will be.

It will be an even bigger deal without IPSec policy matching to secure L2TP or IPSec for RW connect.
It will also be a bigger deal until SSTP is stable on a current version. Reports are of SSTP being unstable for months now.

So, that leaves OpenVPN as the only really viable Road-warrior VPN - and it’s half-baked. No LZO compression and no UDP support.
Certificate revocation lists aren’t there yet either. [Though that’s promised, vs UDP/LZO - but there’s no idea of when.]

It’s like every single VPN in RoS is like 80% complete, and if you’d just finish IPsec and OpenVPN off, we’d largely quit bitching and be really pretty happy. But when really basic stuff like mentioned above is unfinished, then it’s pretty hard to say that RoS has an even marginally competitive VPN environment.

-Greg
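The two posts above (“i.e. IPsec policy matching” and Greg’s) are about the same firewall gap, so here is one added example (my own illustration, not code from the thread, not RouterOS code) of why it matters for an L2TP/IPsec road-warrior concentrator. It is a toy first-match input chain evaluated against constructed packets: without a way to say “only if this arrived inside an IPsec SA”, UDP/1701 has to be opened to everyone, and a host that never completed IKE can talk L2TP and PPP in the clear. The `ipsec` flag on each packet models the kernel’s knowledge that the packet was decapsulated from an inbound SA, which is exactly what the Linux `-m policy --dir in --pol ipsec` match exposes to iptables.

```python
"""Added example (not from the thread, not RouterOS code): a toy first-match
firewall showing why an L2TP/IPsec concentrator needs an 'arrived inside
IPsec' match. Modelled on the Linux iptables policy module; all packets
and addresses below are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

IKE_PORTS = frozenset({500, 4500})  # IKE and NAT-T
L2TP_PORT = 1701


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str            # "udp", "esp", "tcp", ...
    dport: Optional[int]  # None for protocols without ports (ESP)
    ipsec: bool           # True once the kernel decapsulated it from an inbound SA


# (description, matcher, action)
Rule = Tuple[str, Callable[[Packet], bool], str]


def evaluate(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First matching rule wins; unmatched input traffic is dropped."""
    for _desc, match, action in rules:
        if match(pkt):
            return action
    return default


def is_l2tp(p: Packet) -> bool:
    return p.proto == "udp" and p.dport == L2TP_PORT


# What you are forced to write when the firewall cannot see IPsec state:
# the L2TP port is open to the world, so a host that never completed IKE
# can run L2TP and PPP authentication in the clear.
NAIVE_INPUT: List[Rule] = [
    ("accept IKE/NAT-T", lambda p: p.proto == "udp" and p.dport in IKE_PORTS, "accept"),
    ("accept ESP", lambda p: p.proto == "esp", "accept"),
    ("accept L2TP (cleartext too)", is_l2tp, "accept"),
]

# With a policy match the same port is accepted only after ESP decapsulation;
# the explicit drop documents the intent and keeps later catch-alls honest.
POLICY_INPUT: List[Rule] = [
    ("accept IKE/NAT-T", lambda p: p.proto == "udp" and p.dport in IKE_PORTS, "accept"),
    ("accept ESP", lambda p: p.proto == "esp", "accept"),
    ("accept L2TP inside IPsec", lambda p: is_l2tp(p) and p.ipsec, "accept"),
    ("drop cleartext L2TP", is_l2tp, "drop"),
]

# Constructed traffic: a legitimate client after IKE, and a spoofer on the Internet.
DECAPSULATED_L2TP = Packet("198.51.100.20", "udp", L2TP_PORT, ipsec=True)
CLEARTEXT_L2TP = Packet("203.0.113.7", "udp", L2TP_PORT, ipsec=False)
IKE_INIT = Packet("203.0.113.7", "udp", 500, ipsec=False)
RANDOM_TCP = Packet("203.0.113.7", "tcp", 22, ipsec=False)


def accepts_cleartext_l2tp(rules: List[Rule]) -> bool:
    """True if a rule set lets unencrypted L2TP reach the daemon."""
    return evaluate(rules, CLEARTEXT_L2TP) == "accept"


if __name__ == "__main__":
    for name, rules in (("naive", NAIVE_INPUT), ("policy-matched", POLICY_INPUT)):
        for pkt in (DECAPSULATED_L2TP, CLEARTEXT_L2TP, IKE_INIT, RANDOM_TCP):
            verdict = evaluate(rules, pkt)
            print(f"{name:15} {pkt.proto}/{pkt.dport} ipsec={pkt.ipsec}: {verdict}")
```

`accepts_cleartext_l2tp(NAIVE_INPUT)` is true and `accepts_cleartext_l2tp(POLICY_INPUT)` is false; that single bit is what “IPsec policy matching” buys you. On Linux the equivalent of the third rule in `POLICY_INPUT` is `iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT` followed by a plain drop of UDP/1701. Later RouterOS releases did add an `ipsec-policy` matcher to the firewall for the same purpose, but it was not there in the version this thread discusses.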

+1

There are two things preventing us from selling more Mikrotik:

  • No xDSL interfaces
  • Very basic IPsec implementation. We need ModeCfg, XAuth, split tunnelling, Virtual Tunnel Interfaces (VTI) and Next Hop Tunnel Binding (NHTB).

The lack of these features limits the Mikrotik’s usefulness for deployment to remote branch offices. With Mikrotik we need to deploy both a RouterBoard and an xDSL modem, and then we can’t do IPsec mesh networks with OSPF due to the lack of VTI and NHTB.
It also stops us from deploying them as access concentrators for road warriors due to the lack of xAuth and ModeCfg.

Because of the lack of these features we still sell a large number of Cisco and Fortigate devices. We would happily pay USD $300-400 for a RouterBoard that could be wall-mounted, had a rack mount kit, could take ADSL2/VDSL2/SHDSL interfaces and had the above IPsec features with crypto acceleration. Hell, if it had 8 ports with 802.3af and the above features they would be a killer product for the enterprise market.

Even if there was an Enterprise IPsec “feature licence” we would pay for it.

Most likely you simply don’t know how to do it. Make a separate topic in the forum - paste “/queue export compact” into post and also describe your desired setup (make sure you have v5.20)

Check this
http://forum.mikrotik.com/t/wireless-disconnect-extensive-data-loss/59301/1

No help from support staff
No reply to support mails

and no help from the distributor either

That is why I regret the purchase of a Mikrotik product.

I’ve got several RB750Gs and I’m happy with my purchase. I’ve had some problems with an IPsec tunnel to Cisco when connected straight to ethernet on the WAN port, see here: http://forum.mikrotik.com/t/mikrotik-ipsec-tunnel-problem/58989/1
But I’ve had help on the forum, so that’s great. I’m still working on this problem; at the moment I have a script that restarts the router early every morning and I’m going to see if and how that has any effect on the problem.

What I’ve seen though is that there are a lot of zero-reply threads. Too many in my opinion. What I think would be good is using the same method they use at LinuxQuestions.org. Every now and then they have a “campaign” to eliminate zero-reply threads. Not saying they really eliminate the threads, but this works really well to cut it down. When this “campaign” is on they encourage members to take a look at the zero-reply threads and see if they can help with the question asked. I’ve done it here: I take a look at zero-reply threads and if I think I can be of any help I answer.
So, what do you say? Anyone up for a combat against zero-reply threads? :)

A lot of those zero-reply threads are down to poorly worded questions, very customized and difficult-to-troubleshoot configurations, or a complete lack of detail regarding a technical problem. LQ-like zero-thread eliminators might help to kill those dead threads.

@ocgltd: I find it great as a router/traffic shaper, and since most of the boxes I used to do this were all Linux based, the general configuration makes sense to me. I’m with you on the VPN/road-warrior side though. UDP-less OpenVPN and wonky IPsec have made these boards non-starters for me when doing this.

Forwarding protocol support is also pretty strong, and from my experience works pretty reliably.

Your signal is bad, and you are running a very old RouterOS version. Also in the forum you got many answers which recommend you to align antenna and improve signal. Please do these things before complaining.

I have already upgraded the RouterOS version to 5.20
and also aligned the antenna as best as possible.
Still disconnecting: now when I configured it in bridge + station mode I am getting disconnections with a new error message (screenshot attached, check the signal and the wireless disconnection log).

I have seen people running links over a -80 dB signal, and also the bandwidth test is showing 11 Mbps/11 Mbps average.
If signal is the issue, how am I getting the bandwidth?
(attachment: scr.jpg)

Most likely you have interference on that frequency, or maybe some Nv2 wireless link running nearby?