We have two CCR1009s and one is active, but every few months we have to reboot it to fix a DNS error for our PPPoE clients.
The active CCR is running the primary services: OSPF, L2 bridged VLANs, firewall, PPPoE server.
The reason for L2 bridged VLANs for PPPoE is that MikroTik OSPF is not robust and was causing regular router lockups or the router getting stuck in “init mode”. Even after numerous OSPF configuration modifications over a 5-year period, the problem remains.
The CPUs were never running at 100%, yet a reboot solves the issue.
My opinion is that MikroTik is very good at one function per router, but activate extra functions and reliability is reduced.
My question is for opinions on using a hardware firewall before both of the CCRs?
It is very advisable to have each service (L2-switching, BRAS, firewalling, core-routing, edge-routing) on its own (specialised) platform.
If you can afford it.
“…very advisable to have each service (L2-switching, BRAS, firewalling, core-routing, edge-routing) on its own (specialised) platform.”
Also forgot to mention BGP is also used.
“…RouterOS is very versatile platform that sometimes leads us to combine too many functionalities in the same box”
I totally agree.
For 800 clients, can I ask what “…own (specialised) platform” is recommended?
It depends on what you combine and how heavily everything is loaded.
I run a CCR1009 for ~800 NAT clients plus BGP for a company VPN (not full internet routing tables but just some 25 routes and 8 endpoints), a number of VPN connections, and a complicated firewall, and it runs just fine (two 250Mbps internet connections).
I would not pull in much more, e.g. L2 switching is better done by a dedicated switch, and when you want 800 PPPoE sessions that is probably done better on 1 or 2 separate boxes.
(But beware of having /32 routes for each session and updating them via auto-routing; that also causes issues.)