What? This thing isn't a true router either? Even though it runs something called RouterOS?
What are you going to tell me next? The firewall isn't really a firewall? Or it can't really deliver 90 watts of PoE?
I started out with the idea of using an Engenius Cloud WAP and an Engenius Cloud Switch. I could manage both devices from anywhere in the world, even behind double-NAT or triple-NAT without changing anything in the Comcast Business gateway device. True Plug&Play. Everything was going well until I realized that the ECS1008P is a level-2 switch which doesn't allow me to establish routes or DHCP servers. Bummer. I suppose I could have grabbed a fairly inexpensive router/firewall but that would put three boxes at each site and I really want to do this with only two boxes. The Engenius L2 switch went back to the distributor.
Somebody recommended the Mikrotik CRS-112-8P-4S. It checks almost all of my "boxes":
- no licensing fees.
- cheap $
- enough PoE to light up 8 WAPs or 8 phones
- router & switch in one box
- able to take a working config file and transfer it to another box
Now that I know this thing isn't a true "Cloud" router, I can work around that little fib. I already have TeamViewer access to every PC at every site, which will allow me to get into the Comcast gateway from the LAN side when WAN access doesn't work. I'll let the Mikrotik obtain a dynamic IP from the Comcast gateway for the WAN connection, but I will make that IP a reserved "pseudo-static". If Comcast decides to "accidentally" blow out my changes, the Mikrotik will continue working (except no remote access), even with a different WAN IP. The only other change I'll need is port forwarding from the Internet to the Mikrotik. Yes, that leaves the router vulnerable to attack, but is it really an issue if I use a strong password and an obscure port number?
What do I really need the Mikrotik to do?
- DDNS -- check
- supply power to 8 typical devices with PoE or PoE+ -- check
- multiple VLANs -- check
- a separate DHCP scope in each VLAN -- check
- deliver Internet to each VLAN -- check
- a separate set of DNS settings in each VLAN -- check
- recognize that a phone has been connected and place it in a specific VLAN -- working on that
- isolate devices from one another on the Guest VLAN -- working on that
- NOT isolate printers on the Guest VLAN -- working on that
- reasonable firewall protection with ability to create exceptions -- I think so
I don't want to hijack my own thread with all the details of how to accomplish these tasks.
We can discuss the specifics in other threads.
For right now, before I go too much further down this rabbit hole, I just want to know:
- Will the Mikrotik CRS-112-8P-4S be unable to do anything that I need it to do?
- Have I chosen the best device for the job?
- Am I going to be clobbered with any more surprises?