Network redesign - 2 storey house

Hello guys,

I plan to rebuild network in house and need your advice.
Previous holder used older Asus WIFI router with AC Wifi Routers from TPLink (3pcs), with poor WiFI coverage and NO security setup.
I have borrowed HAP ax3 from work and I was positively surprised by its Windows 3.11 style interface.
I was able to run the internet under 2 mins and following manual, to setup DHCP and first 2 VLANS with NAT under 30.
I want to stay with RouterOS and WinBox.

The layout is as follows:
2 storey house (2x100m2) and exterior covered terrace (100m2), everything from concrete, bricks and steel, what greatly attenuates all WIFI signals.
ISP Fibre - currently 500/100MBit, will be increased to 1000/200Mbit, after the current contract runs out in winter.
Rooms are wired with Cat5e solid cables, for gigabit ethernet, 16 sockets all together.
ISP modem and Asus router is placed under stairs from concrete and steel.
Dog sleeps 2m from ISP modem / router, all devices should be fanless.

Which setup could you advise?

A. CCR2004-16G-2S+PC + 3x cAP ax with 48V DC adapter (value apx. 730€)

B. CCR2004-16G-2S+PC + 3x hAP ax2 as APs with 28V DC adapter (value apx. 650€)

C. RB5009UG+S+IN + CSS610-8P-2S+IN + 2x S+85DLC03D + 1x XS+DA0001 + 3x cAP ax using PoE (value apx. 800€)

Additional question - is it possible to schedule a “WIFI turn off policy” (during night) also for cAP APs in RouterOS?

Thank you for your time

I would say B.
If the looks of the hap ax2’s is acceptable/accepted and you can find appropriate places for them they are more “flexible” devices than the Cap ax’s (IMHO).
Since it is the cheapest option, you could think about using “plain” PoE power supplies at 24V to power them via the ethernet cable (thus giving you more flexibility with placement).

Mikrotik RoS has a “scheduler” that you can use to run scripts at a given interval or at set times, but there is also “kid-control” that may do in your case:
https://help.mikrotik.com/docs/display/ROS/Kid+Control

Hello jaclaz,

thank you very much for fast reply and pragmatic opinion. Design of HAP ax2 is absolutely not an issue, they are rather small and to my taste - very good looking.
As long as they will have enough WIFI power, they will be applicable. I could have some older PoE injectors also in my workshop, thank you for this tip!

According to specifications, cAP ax has antennas with better gain for 2,4 and also 5Ghz. This could be a nice bonus in building made of bricks and concrete.

So, I will take the CCR2004-16G-2S+PC router (2-in-one router and 16 port switch), one HAP ax2 and one cAP AX to test their WIFI capabilities in this object.
I don't really need the newest WIFI MIMO 3x3 standards and fastest possible WIFI connection.
For higher speeds, there is a wire ready in the wall. And not to forget, there is a limit from ISP.

Thank you for link on child protection setup. I can't work with terminal yet, but I will try to replicate later on.
As long as I could sniff to RouterOS in the borrowed ax3 this week, I have found the Scheduler already and also manual steps, how to create a WIFI turn on / turn off policy. So I will test it with ax2 and also ax.

The CCR2004 will surely have enough grunt - but remember that it doesn’t have one 16 port switch: it has TWO 8 port switches. Take a look at the block diagram:
https://i.mt.lv/cdn/product_files/CCR2004-16G-2SPC_240129.png

If it is a problem or a feature, is up to You - could be either, depending on your needs.

The 5009 will have enough grunt too - less than the CCR2004, but plenty enough for these speeds.
The switch CSS610-8P-2S+IN uses SwOS, not RoS. Just remember this, in case it is a problem for You.

As the CCR2004 doesn’t have PoE, I think this isn’t a hard requirement for You.
If running RoS is a hard requirement for the switch, and You don’t mind losing the PoE capabilities, then one of the other options would be this: CRS326-24G-2S+IN
https://mikrotik.com/product/crs326_24g_2s_in

24 gigabit ports
2 SFP+ ports
100% passive
This one above is the desktop version - but You can buy it to be rack mounted too: https://mikrotik.com/product/CRS326-24G-2SplusRM

It’s all about price and trade offs.

Hey Paternot,

thank you very much for your tip for 24 port CRS326 switch with routing capabilities! I have peeped on it yesterday already.
It's definitely a price winner, even if it has about 1/2 of the bridging and routing power of ax2.
Then, there is another option here:

D. CRS326-24G-2S+IN + 3x hAP ax2 as APs with 28V DC adapter (value apx. 430€)

Since I don't know the possibilities of SwOS, I cannot react here. I have seen the RouterOS for 1 afternoon in ax3 and I really liked it (rookie).
I was certified by AlliedTelesis in switching, routing and security long time ago, but I don't work in this area anymore + many things have changed. But the networking basics are the same, so for my understanding - RouterOS interface is relatively clear and I don't need to create something complex this time.

As you have mentioned correctly, performance wise RB5009UG+S+IN and CCR2004-16G have more than enough and the DC can be solved somehow (adapter or injector (thanks for the tip jaclaz)). And this is where the CCR2004-16G hits the nail with enough ports, with no need for separated switch.

Could you please explain your comment about two 8-port switches in CCR2004-16G a bit more?
I understand it as a feature (bonus in design), where every 8-ports has its own 10GB internal lane and dedicated switch chip.
Are there some limitations in the bridging of the ports from 1. switch with the ports from 2. switch?
Will it be necessary to create 2 bridges and to define the rules for bridge 1 and bridge 2 separately, or/and also the rules between these 2 bridges?
Anyway, I am sure, it is already thought out in RouterOS somehow. Or did I miss something?

Maybe one more question. I have seen, that Mikrotik warns users about overvoltage sensitivity of its devices. Is there a way how to secure a mikrotik device? Circuit breaker with current guard is enough? Or maybe, surge protection is needed?

Thank you very much for your comments

No, wait, you need the RB5009 anyway besides the CRS326.
D: RB5009UG+S+IN +CRS326-24G-2S+IN + 3x hAP ax2 as APs with 28V DC adapter
you will still save something, but more than that you will get rid of the not needed in your setup (and usually source of issues) SFP adapters.
I change my vote (for what is worth) to D.

About the Cap Ax vs. Hap Ax2 I believe that in practice there won’t be much difference between the two, the Cap Ax is slightly more powerful, but the Ax2 has more ports and usually is mounted in an accessible position.
Only as an example, if you have a TV and possibly a decoder/TV stick of some kind and/or a gaming box or similar, if you have one of your ethernet sockets nearby you can place the Ax2 near them and connect them to its ports wired, if you have an Ax high on the wall or on the ceiling it is impossible or at least much less convenient.

In another room/area where your portable devices are the only clients, a Cap Ax on the ceiling will likely be better.
But where do you have these ethernet sockets? Running an extra cable to reach a Cap Ax on the ceiling might turn out to be complicated.

Your idea of getting one per type and make some experiments is the smartest thing to do.

I am partial to the AX3, with up to 1.8Ghz CPU and the 2.5ghz port but concur in your scenario the hapax2 fits the purpose and budget a bit better.
I prefer the CRS326-24G-2S+IN mainly because I have used SwOS switches and I won't ever paint myself into the corner of not having an RoS option.
Either way you can't go wrong with any of the selections but concur the 5009 is the router I would go with.

Hello jaclaz,

your input is greatly appreciated, thank you. All right, then let's update the pricing of the option D:

D: RB5009UG+S+IN +CRS326-24G-2S+IN + 3x hAP ax2 as APs with 28V DC adapter (value apx. 630€)

I understand your point about SFP+ accessories, so the option C is out of debate now.

Do you know something about the switch design of CCR2004, Paternot wrote about? Is it somehow limiting the configuration of the brick in RouterOS?
Because, if 2 switch design of CCR2004 would be solvable in RouterOS, the price difference of option B and option D would be so small, that I would incline to the option B (no SFP modules in use in this variant) as a 2-in-1 device consumer solution:

B. CCR2004-16G-2S+PC + 3x hAP ax2 as APs with 28V DC adapter (value apx. 650€)

To your question: ethernet sockets are only about 35cm above the ground. So ax2 will be better placeable, that's for sure.

Thank you for your ideas

Hello anav,

thank you for your opinions, I will test both of them in this building made of concrete - cAP ax and also hAP ax2 to see their performance.

You find the SwOS much simpler than RoS? Can it control also routing functions?

Thank you

The CCR2004 dual switch is a highly debated topic, see this for example:
http://forum.mikrotik.com/t/ccr2004-16g-2s-multiple-bridges-or-not/172985/1

Anyway consider that in your setup you won’t likely have occasions to “saturate” the CPU.

SwOS, unless you really need it, stay away from it, not that it doesn’t work, but (as I see it) is so much different from RouterOS that you will have to learn two (largely undocumented/mis-documented) different operating systems at the same time.
RoS is - even if less friendly - much more powerful/customizable, and since you will need to get familiar with it (to configure the RB5009 and/or the hap/caps) at least you will have the same structures on all devices.

Same goes for SFP’s, it is not that they don’t work, but they introduce a further layer of complication (and usually lot of heat), since your LAN and WAN speeds top at 1 GB speed, you can avoid them.

In a (hypothetical) setup with the RB5009 as router and a CCR2004 as switch (why?) I think you can avoid most of the (theoretical) issues cabling your 16 ethernet cables like:
7 to ports 2-8 of CCR2004
7 to ports 10-15 of CCR2004
2 to ports 7-8 of the RB5009
then add a couple cables:
from port 1 of CCR2004 to port 5 of the RB5009
from port 6 of CCR2004 to port 6 of the RB5009
or at least this is what I would try.

But if the CCR2004 is the one and only switch and router, you miss 2 interfaces, if you use them as loop between the two switches, as advised by Darknate on the given thread, but again I don’t think that your traffic can overload the CPU.

On the other hand, I doubt that in a home setup one would need top speed/bandwidth on all 16 sockets, so you could select three less important ones and connect them to an el-cheapo unmanaged switch and call it a day.

No, no. Please, PLEASE, don’t think about the CRS326 as routers - they are switches. Yes, they can route - but it is almost incidental. Yes, one could use it as a router/switch. But they are woefully underpowered, only capable of routing a VERY slow connection. I suggested it as a substitute to the CSS610 IF (and only if) You have RoS as a hard requirement and/or needs/wants more ports. Yes, it is a little bit cheaper and runs RoS - but it lacks PoE capabilities and is an older model. They are good switches, but can do only very light routing.

SwOS is a quite small and simple Switch Operating System. It deals with switching, and that’s it. No routing, no fancy things RoS gives to us. Its great advantage is simplicity - and this is its great weakness too. Works very well inside the projected roles, but the projected roles are just switching.

About the 8 port switches:
Traffic from (say) port 2 MUST cross the CPU, in order to reach (say) port 10. If it were a 16 port switch, the traffic would never leave the switching plane.
Yes, one would have to define two bridges, and traffic between them would cross CPU. It is already thought out for some values of it. Because using the two switch chips as one may not be the intended use case.
Here You can find more about this: https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration#Layer2misconfiguration-VLANfilteringwithmultipleswitchchips

The last one I don’t know: overvoltage was never a problem for me, since I have always used them plugged on a nobreak - and never on the outdoors.

Hello jaclaz, hello Paternot,

thank you VERY MUCH for the links and your explanation.

Jaclaz, I mean we did not understand each other correctly. The configuration RB5009 as router and CCR2004 as switch was never planned.
There are only 2 possible configurations in plan after initial discussion:
B. CCR2004-16G-2S+PC + 3x hAP ax2 as APs with 28V DC adapter (value apx. 650€)
D: RB5009UG+S+IN +CRS326-24G-2S+IN + 3x hAP ax2 as APs with 28V DC adapter (value apx. 630€)

Considering configuration “B” with CCR2004, all three options would be feasible for me:

  1. One bridge at the expense of some CPU load
  2. Two bridges at the expense of 2 ether ports for trunk and 1GBit port limit between 2 switches. (more ports can be achieved by using of another unman. switch)
  3. One bridge / Two bridges and the right design of VLANs, so every switch has its own VLANs (no interconnections between switches)

In case the configuration “D” with RB5009 router and CSS326 switch is used - are there any benefits in comparison to single CCR2004?
As far as I understood you correctly, SFP+ configuration is another complication you made me aware of, so communication between the router and switch will be at the level of 1GBit in this case. I have understood, that both devices (RB5009, CSS326) can be administrated from RouterOS, what is very nice.

Thank you once more

Please, beware of the switch models:

The CSS ones can only run SwOS.
The CRS ones can run RoS AND SwOS (they dual boot).

To make things harder: some switches have both variants - and the 326 is one of them.

This is the CSS variant:
https://mikrotik.com/product/CSS326-24G-2SplusRM

This is the CRS variant:
https://mikrotik.com/product/CRS326-24G-2SplusRM

And, now, the cherry on top:
We have the desktop variant too! (A CRS one, so runs RoS and SwOS)
https://mikrotik.com/product/crs326_24g_2s_in

@tilda, If you don’t need 24 Ethernet ports and can settle for 16, I’d definitely go for a CCR2004. It’s so much easier to manage just one device for home use since it minimizes the hassle factor according to Murphy’s Law. Plus, if you want to connect an SFP module it’s no problem at all as long as you don’t choose some odd and super-cheap model.

The talk about problems due to two switch blocks in the router for a regular home environment is just ignorance. It’s not an issue at all and is only important in specific situations like if you have a lot of servers and want to use hw filters, link aggregation etc between them. In that case it’s easily solved with patch cables.

If you want to run extra programs in a container environment, the RB5009 might be a better choice since it has more RAM. You can start with an RB5009 and later add a cheap unmanaged switch if needed.

Lastly, If you’re not sharing the environment with a business or a tenant I’d skip using VLANs as they usually just add complications for normal home use.

@tilda, I know :) , that RB5009+CCR2004 one was only a hypothetical (and not “smart”) example.

Personally I would still prefer D (or more generally a router that routes and a switch that switches, but I am told this is an old way to look at things).

Your existing cabling and AX2 or 3 devices (and I presume also all the devices you are going to connect wired) are 1GB anyway, the connection will be 1GB as well, the (older) CRS326-24G-2S+IN is more than enough, and you would still have a number of unused ports (you never know).

With the RB5009 (which is a router that can also switch, and quite good at it) and the CRS326 (which is a switch that can also route), you will have 2 devices in case of “emergency” (one of the two breaks) you can re-configure the other to temporarily do all the work (with some limits of course).

The reasons to go for B could be some lower power usage than the router+switch combo (30 W vs 15+20=35W) and a more modern architecture, a lot of RAM and storage, or if you prefer more “future proof”, and of course it is easier to manage a single device as Larsa pointed out.

As I see it (but I tend to look for cheap, good enough, solutions to problems) in a “normal” house setup the CRS326 could be replaced by a much cheaper, unmanaged switch or a cheaper 24 port managed one, like - just saying - a TP-Link TL-SG1024DE or a ZYXEL GS1900-24E should be more than enough, I mean, it is nice to have all Mikrotik products that can be configured with RoS, but most of what a managed switch (AFAIK) can do is useful in offices/enterprises (I have the marketing department that should be able to go on internet and on server A but not server B, and not engineering, while engineering department should be able to …).

Still for around the same kind of money, you could get 2x RB5009 (that could “serve” some 12 ports) and an el-cheapo, unmanaged but VLAN aware 8 port switch, such as - again just saying - the TL-SG608E is around or below 30 Euro and would do nicely.

Let’s call this “E”.

Decisions, decisions, always decisions … ;)

The generic issue with SFP’s is IMHO threefold:

  1. their added cost (which could or could not be an issue)
  2. they are anyway “another” device in the middle with their own firmware and possible compatibility issues
  3. the (stupid) amount of heat they produce (I was just reading that an optical SFP uses 0.7-0.8, maybe 1 W, while copper ones 10GBASE-T are easily more than 4 W each, for short links DAC’s are seemingly the best ones at around 0.1-0.2W) on passive cooled devices they are pure folly.

I think you’ve already decided on HAP instead of CAP. The difference (translated into price, this is not a complaint against mikrotik, all brands sell them more expensively), is the location. It will only really help you if you have wiring in the ceiling. You can do mesh, but the performance is not the same. The radiation distribution is not the same from the ceiling, as from the table where you put the hap, it is much greater. It is designed for that position. A hap raised to 2 meters and screwed to the wall may not meet the same expectations either, simply because the location of the antennas is different. But you will have time to play with it, using snooper, etc.

Hello guys,

thank you for all your valuable reactions.

I want to go with one device approach if there is one, as the administration should be simpler.

Since I don´t plan to run any container applications for IoT, Home management etc., the CCR2004-16G-2S+PC fills the bill with 15 usable ports.

I decided to do small performance test with hAP ax2 in free space, and cAP ax on the wall (not possible to hang it to ceiling), to see their real life performance in the building made of concrete, steel and bricks. I plan to link more APs into Mesh to share the same SSID and credentials. Hopefully this will work.

Lastly I will create some security restrictions (VLAN) and WIFI scheduling, what are some of the reasons to go with Mikrotik and not with Omada or UniFi, I have also checked shortly.

Thank you for your support, it's nice to see an active community like this.

Remember that you can create ACCESS LIST for each Wi-Fi radio, and not allow connections smaller than what you set in Signal Strength Range. It will prevent distant devices from connecting, which surely have a closer AP.

Thank you for the tip! If you have more, please don't hesitate to write them down to the screen.
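
The two Wi-Fi tips from this thread (night-time scheduling via the RouterOS scheduler, and a signal-strength access list) could look like the following on each AP. This is an added example, not a configuration posted by anyone in the thread. It assumes standalone hAP ax2 / cAP ax units on RouterOS 7.13 or later, where the menu is `/interface wifi`; the times and the -80 dBm threshold are constructed values.

```routeros
# Added example. Assumes RouterOS 7.13+ (older v7 builds name the menu
# /interface wifiwave2). Times and the dBm threshold are constructed values.

# 1. Night-time Wi-Fi shutdown: two scheduler entries toggle every wifi
#    interface on this AP. The scheduler follows the device clock, so keep
#    the NTP client (/system ntp client) configured.
/system scheduler
add name=wifi-night-off start-time=23:00:00 interval=1d \
    on-event="/interface wifi disable [find]"
add name=wifi-morning-on start-time=06:00:00 interval=1d \
    on-event="/interface wifi enable [find]"

# 2. Signal-strength access list: refuse clients that are heard at -81 dBm
#    or weaker, so they associate with a closer AP instead. The second rule
#    explicitly accepts everything that did not match the first one.
/interface wifi access-list
add action=reject signal-range=-120..-81 comment="too weak, use a closer AP"
add action=accept comment="all other clients"
```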