Moving from USG to Mikrotik

I’m looking to move away from the now barely supported USG to a new router/gateway. My research keeps leading me to Mikrotik so I’m looking for some guidance on what I can and can’t do with the Mikrotik.

My setup is a USG, 4 x 8 port Unifi switches, 1 x 24 port Unifi switch and 4 Unifi APs. I have a dual WAN, 2 x 1Gb Fibre that plugs into an ONT with 2 x Cat 6A cables from the ONT to the USG. 4 VLANs are configured with 4 SSIDs that are configured to service both 2.4 GHz and 5 GHz channels on each SSID. For the new setup, I’d like to split the WAN connections so that one of them only handles traffic from one of the VLANs, but if one of the WAN circuits goes down, I can fall back all traffic to one that’s working (this last bit may not be needed as both circuits are from the same ISP).

I’m not sure which Mikrotik device will give me the 2 x WAN and be able to handle the throughput, though I rarely max the links out. I’m also hoping to keep the USG Network controller running at a minimum for the GUI but I’m not sure if I can still manage the APs like I can now without the USG. Can RouterOS play nicely with UniFi APs? Would the config of the APs and SSIDs be on the UniFi Controller or on RouterOS?

The rest of the network is a couple of PiHole DNS servers that all clients use, and an Unraid server whose containers run on one of the VLANs. If possible I’d like the container traffic to run through a VPN. PIA at the moment, but looking to move to Mullvad, which plays nicer with Unraid.

Basically I’m hoping to just swap the USG for a Mikrotik and with some configuration work have it work as seamlessly as it does today. While I know my way around tech, it starts to get confusing if I need to write firewall rules from the CLI.

I hope that’s not as confusing as it now reads to me. Any advice would be greatly appreciated.

I run UniFi for wireless and video surveillance in my house with a MikroTik router as the gateway. It works without any issues. My UniFi controller runs on a CloudKey.
You’ll lose visibility into anything WAN related in the UniFi controller but that’s about it. You will need to keep using the UniFi controller to manage your switches and APs. RouterOS has no integration with the UniFi system so it will be separate configuration for both of those worlds.

Yes, you can configure WAN fallback and different exit routes for different VLANs.

You can configure any number of “WAN” interfaces on RouterOS. Technically, “WAN” is just another network that your router routes traffic to and from. You can make any interface (even VLANs) a “WAN” interface if you like. In fact, you may notice that on most MikroTik routers there is actually no port that is labelled WAN or Internet. The more consumer oriented hEX series does have labelling to that effect but I assume it is mostly due to the fact that these routers are used by ISPs to give to their customers, which in turn expect such labelling to exist. Functionally, even on that platform, any of the ports can be a “WAN” interface.

Yes, you can configure a certain VLAN to route traffic through a VPN. I do this for my guest network, which is a WiFi without encryption on a separate VLAN.

I run a RB5009UG+S+ in my house with one 1Gb/s fibre connection and the router barely even breaks 20% CPU utilization at 700 MHz (the CPU is Quad-Core 1.4GHz) when the line is fully utilized.
My configuration is complex but not very demanding (a few IPSec tunnels to the office, AWS, my dedicated server and my parents’ house, BGP for my AWS connections, a few WireGuard tunnels to Mullvad for guest internet and geoblocking circumvention for media devices). Essentially, a fairly common tech enthusiast/work from home IT professional residential configuration. I don’t run DHCP or DNS on RouterOS because it doesn’t allow for the flexibility I need and also the DNS implementation in RouterOS 7 is troublesome.
But in general, this model can easily support what you need. I would believe that it is the most reasonable choice for your scenario.

I also have a CCR2004-16G-2S+ that I maintain for a business. It’s had a fair share of issues in the earlier RouterOS versions but for now it has stabilized to the point at which it only loses Ethernet link to the ISP’s CPE a few times an hour for a few seconds and the SFPs and DACs that I use mostly work when you disable auto-negotiation and force the link up.
I would advise against using that model. It would probably also be overpowered and overpriced for your requirements.
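As an added example (not configuration from any post in this thread), the RouterOS 7 commands that implement what the reply above describes: one VLAN exits via WAN2 with fallback to WAN1, everything else uses WAN1 with fallback to WAN2. Interface names (ether1/ether2/vlan40), the 10.0.0.0/16 LAN range and the two ISP gateway addresses are assumed placeholders; static ISP gateways are assumed.

```routeros
# Added example, not from the thread. Assumptions: ether1 = WAN1 (gateway
# 203.0.113.1), ether2 = WAN2 (gateway 198.51.100.1), vlan40 = the VLAN that
# should prefer WAN2, all LAN subnets inside 10.0.0.0/16. RouterOS 7 syntax.

# 1. A second routing table for the VLAN that should exit via WAN2.
/routing table
add name=via-wan2 fib

# 2. Default routes in both tables. check-gateway=ping withdraws a route when
#    its gateway stops answering, so the distance=2 route takes over; this is
#    what gives the fallback in both directions.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping \
    comment="main: WAN1 preferred"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping \
    comment="main: fallback to WAN2"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=1 check-gateway=ping \
    routing-table=via-wan2 comment="vlan40: WAN2 preferred"
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=2 check-gateway=ping \
    routing-table=via-wan2 comment="vlan40: fallback to WAN1"

# 3. Send vlan40 traffic to the via-wan2 table. Traffic to other local
#    subnets is excluded so inter-VLAN routing is unaffected.
/ip firewall address-list
add list=LAN address=10.0.0.0/16
/ip firewall mangle
add chain=prerouting in-interface=vlan40 dst-address-list=!LAN \
    action=mark-routing new-routing-mark=via-wan2 passthrough=no

# 4. Source NAT per WAN port, so a packet leaving either link carries that
#    link's public address whichever table selected it.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade
```

check-gateway=ping only detects the ISP's first hop going unreachable; an outage further upstream while the link stays up needs a recursive route to a remote address instead, and established flows on a failed link will time out rather than migrate.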

Thanks for the detailed response. It’s covered everything, I think.

I was getting confused when I saw the hEX have one port labelled as WAN, but your explanation has cleared that up. I can move DHCP to one of the PiHole devices I have so that’s not an issue. I’ll check out the RB5009UG+S+ and use a few days’ leave I need to clear to get this going. Your setup is the sort of thing I’m trying to get to at some stage. Thanks again.

Can you better explain the shortcomings of the RB5009 you noted?
"I don’t run DHCP or DNS on RouterOS because it doesn’t allow for the flexibility I need and also the DNS implementation in RouterOS 7 is troublesome."

Sure:
The DHCP implementation of RouterOS can only match one DHCP option at a time and does not support boolean logic. So you cannot assign certain option sets to different devices of the same vendor, for example. In my concrete scenario I am netbooting Raspberry Pis (some of them with EFI, some of them using the native bootloader). For this purpose I need to match both on MAC prefix as well as vendor class identifier. The option that does this in my Kea DHCP server looks like this:

      {
        "name": "RaspberryPi",
        "test": "(substring(pkt4.mac, 0, 3) == 0xb827eb) and (option[60].hex == 'PXEClient:Arch:00000:UNDI:002001')",
        "option-data": [
          {
            "name": "rpi-boot-string",
            "data": "Raspberry Pi Boot"
          },
          {
            "name": "tftp-server-name",
            "data": "10.0.0.106"
          }
        ]
      },

Further, the Mikrotik DHCP implementation does not support Dynamic DNS updates which I use extensively. My Kea config for this looks like this:

    "ddns-send-updates": true,
    "ddns-override-no-update": true,
    "ddns-override-client-update": true,
    "ddns-replace-client-name": "when-not-present",
    "ddns-generated-prefix": "host",
    "ddns-qualifying-suffix": "home.mydomain.com.",
    "hostname-char-set": "[^A-Za-z0-9.-]",
    "hostname-char-replacement": "-",

This results in clients sending a hostname receiving DNS names in the format hostname.home.mydomain.com and clients that don’t send hostnames to receive a hostname of host-10-0-0-123.home.mydomain.com.
On RouterOS DHCP and DNS don’t interact at all other than DHCP handing out DNS server IPs.

As for the DNS implementation, my main issue is that there is one instance of DNS running on the router that shares a single cache. What that means is that, if I used the built-in DNS feature, all VLANs receive the same cached replies for DNS queries, as long as they are cached. This breaks some scenarios for the development and testing I do for work. Certainly an edge case for most regular users. However, this also breaks scenarios where EDNS is used to do geolocation or geoblocking. You can’t change the source IP of your DNS requests (or run a separate instance for another VLAN). If you go back to my initial mentions of using VPNs to route certain traffic from VLANs the problem becomes obvious. DNS requests are always made using my actual WAN IP address. I personally don’t really care about the privacy implication of leaking my real WAN subnet info through EDNS when going via a VPN exit route, but if that’s something that’s important to you just keep in mind that it’s happening when using the MikroTik DNS implementation in this configuration.

Additionally: ROS DHCPv6 server can’t hand out addresses (only prefixes) while some full-featured DHCP servers do (I’m still using ISC DHCP server, it seems that ISC wants me to switch over to Kea … I tried a few years ago but the configuration syntax killed me).

I was wondering if I could ask about your integration with USG. The last stumbling block I have is USG’s LAN / Management Network. It’s the untagged traffic (VLAN 1 I think) that the Unifi devices talk to each other on. USG, APs, Switches. How have you set that up on the MT? My thoughts are to configure another VLAN on the MT that is untagged on my trunk port which the Unifi kit and Controller should see as the mgmt lan. Or is there a better way to do it?

@felixka, would you be able to point me in the right direction to route a VLAN through a particular WAN interface? I’ve tried all sorts of stuff from various posts but haven’t got it to work yet.