Currently I’m using a pfSense-box as my router/firewall/WAN-loadbalancer/…, but it seems the routerboards can provide more performance (gbit ports) combined with less power consumption (and probably less noise). But I’m not entirely sure a routerboard will cover all my needs… and I rather ask here before buying one and finding out the hard way. This is my setup and what I want to do with the routerboard:
Dual WAN, with loadbalancing and failover, and certain hosts/networks preferring one network, others preferring the other network, certain traffic (on ports or to certain IPs) always through a specific connection,…
→ 1x 100mbit for my DSL-connection, for which the RB would terminate the PPPoE-session and provide IPv6
→ 1x 100mbit for a connection to another network which goes to the internet as well, only IPv4
NAT and reverse NAT for both connections, DHCP-server with reservations, DNS-server,…
4 internal VLANs: one of them for my home lab, one for my home PC’s,…
→ Firewalling between VLANs
→ 1 connection from the routerboard to my switch, so VLAN-tagging. Preferably using the SFP-connection for more performance.
And a few things aren’t really necessary, but nice to have:
I’m also considering setting up a “open” wireless, but with a captive portal behind it. I don’t know yet if I’m better off doing that on the access point (using dd-wrt) and passing the Open-traffic on a separate VLAN, or if it’s possible or even better to have the captive portal on the routerboard.
The Routerboard I had in mind is the Routerboard 2011UAS RM, because it has multiple interfaces, it has a SFP-connection, it’s rackmountable, and it’s affordable. Does the 2011UAS RM support my needs? Or is there a better Routerboard-choice? Or is there something I can’t do with Routerboard and do I have to look for another solution?
If I have traffic going from VLAN A to VLAN B through, in and out through different VLANs on the SFP-port, and some basic firewalling (blocking ports), can I expect near-gigabit performance? If I hook the VLAN A up to a gbit UTP port, and VLAN B on another gbit port, will that give better performance?
Loadbalancing and failover are not as easy with the Mikrotik as it is with the pfSense box but can be done with a little bit of scripting.
QOS on pfSense I’ve always found to be better than the MTK QOS however I’ve always found actual shaping or bandwidth limiting much better on the MTK than on pfSense.
VLAN’s are pretty dead easy with the Mikrotik
DynDNS is scriptable and generally pretty reliable.
Traffic Graphs are okay-ish on the MTK , but you’re much better off with Cacti/Zabbix
Captive Portals are dead easy with MTK.
How much throughput do you require on the router ? The RB2011 is a great router , but it won’t come anywhere near the performance of a Bare Metal X86 box . Mikrotik have 24 hour trial editions of the X86 pack that you can evaluate in VirtualBox/VMWare if you want to look and compare the functions.
I currently use a Watchguard firebox with pfSense, it’s a (rather noisy) 1U box with Pentium III and only 100mbit NICs. Finding 1U (or at least rackmountable) hardware with a couple of gbit NICs drives up the price, and those boxes are rarely silent.
Concerning the performance: all my switches are gbit, but if I want to transfer a file to or from my lab, it goes through the firewall, and I’m currently limited to the 100mbit-interfaces of the watchguard. My internet-connections are much slower than 100mbit, so that’s no issue, but for transfers inside my house, I would like to go faster than the current 100mbit. But I can’t estimate the troughput I would get from the product page or specsheet… will it be around 100mbit (or even worse), will it be around the full gbit, or somewhere in between, and will it be more 200mbit-inbetween or 750mbit inbetween…
There’s quite a price difference between the 2011UAS-RM and the RB1100AHx2, and even a bigger gap towards the CCR1036. It’s only for home-use, so it has to fit in a budget as well
