I use Mikrotik all over my network for routing and bandwidth management and it’s a great product, but I’ve never used it as a firewall device. I’m looking for a new firewall for my server network: 90-100 machines, 500 public IP addresses. I need to open and close services (FTP, HTTP, Email, Terminal Services, etc…) by IP address based on the function of the machine, and do all the other happy firewall nonsense. Would Mikrotik be a good solution for this, or would I be more sane (i.e. I would keep my sanity) with a Cisco Pix or Watchguard device?
What have others found as problems/pluses when using Mikrotik as a Firewall? Has anyone run Mikrotik as the firewall for their Datacenter network?
Personally I have come to love using MikroTik as a border firewall. For years I have been selling and configuring WatchGuard products and needed a less expensive solution for my smaller clients, so I started using MT. Now I mostly use MT as my border router/firewall solution. I don’t think you can beat the price for such a powerful product, especially when it comes to VPN costs for other products.
We now use only Mikrotik for our border routers. Kicks the pants off the Ciscos that we could afford. Firewall is excellent. Had a buddy tear out 13 Ciscos a few months ago and replace them with MT. I only have good things to say about MT.
It’s a very good choice for this work. Contact the people to learn the max amount of connections tracked for how much memory is installed and whether that suits your needs. Spend (a lot of) time verifying a version that works for you and your hardware.
I’m using MikroTik as a firewall and router too, and I’ve never faced any problem until now, but I’m complaining about one thing, which is IDS integrated with the MT box.
IDS doesn’t belong on the gateway, imho. It eats way too many resources.
In the good old days one would set up an extra NIC on the router and connect an IDS directly to that NIC. Instead one would just forward (without tampering with the packet) to this IDS server (with two NICs) so that it could analyze the traffic without impairing the network traffic.
After all, if you are going to analyze the good traffic as well, then all you will end up with is a router with terrible performance. IMHO
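Putting the original question and the post above together, here is an added example of my own (not configuration posted by anyone in this thread): role-based address lists with a default-deny forward chain, plus a mangle rule that copies WAN traffic to a separate IDS host over TZSP instead of inspecting it on the router. The interface name, addresses and the IDS host are constructed placeholders.

```routeros
# Constructed example: interface name, addresses and IDS host are placeholders.
# Group servers by role so the filter rules reference lists, not individual hosts.
/ip firewall address-list
add list=web-servers address=203.0.113.10 comment="www1"
add list=web-servers address=203.0.113.11 comment="www2"
add list=mail-servers address=203.0.113.20 comment="mx1"
add list=ts-servers address=203.0.113.30 comment="rdp1"
add list=admin-nets address=198.51.100.0/24 comment="office and VPN admin range"

# Forward chain: the servers sit on routed public IPs, so this is where their traffic is filtered.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="return traffic for connections already tracked"
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1-wan protocol=tcp dst-address-list=web-servers \
    dst-port=80,443 action=accept comment="public web"
add chain=forward in-interface=ether1-wan protocol=tcp dst-address-list=mail-servers \
    dst-port=25,143,465,587,993 action=accept comment="public mail"
add chain=forward in-interface=ether1-wan protocol=tcp dst-address-list=ts-servers \
    src-address-list=admin-nets dst-port=3389 action=accept comment="RDP from admin nets only"
add chain=forward in-interface=ether1-wan action=drop log=yes log-prefix="wan-drop" \
    comment="default deny for anything not explicitly opened"

# Copy (not redirect) WAN traffic to an out-of-band IDS over TZSP. The IDS sees
# everything, but nothing it does can delay or alter the forwarded packets.
/ip firewall mangle
add chain=prerouting in-interface=ether1-wan action=sniff-tzsp \
    sniff-target=10.10.10.5 sniff-target-port=37008 comment="inbound copy to IDS"
add chain=postrouting out-interface=ether1-wan action=sniff-tzsp \
    sniff-target=10.10.10.5 sniff-target-port=37008 comment="outbound copy to IDS"
```

The mangle copy still costs router CPU per packet, so on boards whose switch chip supports it, a hardware port mirror (`/interface ethernet switch` with mirror-source and mirror-target) or an external TAP keeps the duplication off the routing path entirely.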
Wouldn’t even simply forwarding traffic slow down the router a lot, let alone analysing it on the spot? People have mentioned using an old hub sitting on the line connecting the router to the outside world and plugging the NIDS box into the hub instead, and using a listen-only sniffing cable too!