 
Wiley1
just joined
Topic Author
Posts: 11
Joined: Wed Jan 01, 2020 7:40 pm
Location: Virginia

is this really a "cloud router" ?

Sat Jan 04, 2020 4:36 pm

I am new to Mikrotik. I just purchased a CRS112-8P-4S-IN. On the face plate, it clearly says "Cloud Router".
To me, a cloud router should be able to log into a server somewhere, so it can be managed over the Internet, even when it is behind NAT and/or a firewall.
So far, I have not found a way to do that with the CRS112.

I have it connected behind a Comcast Business gateway that uses NAT. The Mikrotik DDNS feature is great, but it doesn't get me past the Comcast router. I know that I can configure the gateway in bridge mode or set up port-forwarding, but we really can't trust Comcast not to reset the device back to defaults for no reason and without warning.

I need a way to manage this router/switch even when it is behind NAT, without making any changes in the Comcast Business device.
How can I do that? Do I need to set up a VPN?
 
jvanhambelgium
Member Candidate
Posts: 109
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: is this really a "cloud router" ?

Sat Jan 04, 2020 8:01 pm

In that case yes. Some form of VPN is needed. And then you can only hope the Comcast device does not block any of that.
I see some possible options,

1) Paid service if you need to manage multiple such routers: https://www.cloutik.com/

2) Have a VPS/VM running somewhere in AWS or Azure and set up a Site2Site IPSEC VPN with your Mikrotik on-premise and perform management through that channel. But in theory your Comcast could screw this up if it blocks IPSEC protocols (e.g. ESP)

3) Perhaps some solution with (outbound) SSH voodoo (with port-forwarding) but I don't think it works. SSH "client" on Mikrotik seems trimmed down.
 
Zacharias
Forum Guru
Posts: 1780
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: is this really a "cloud router" ?

Sat Jan 04, 2020 8:01 pm

You can do it with either portforward or VPN...
 
jvanhambelgium
Member Candidate
Posts: 109
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: is this really a "cloud router" ?

Sat Jan 04, 2020 8:10 pm

> You can do it with either portforward or VPN...
Yes, but the requirement was clearly to view the intermediate ComCast device as non controllable/not configurable.
An easy port-forward or (open)VPN could indeed solve this, but that requires the ComCast devices to be altered too.
 
Zacharias
Forum Guru
Posts: 1780
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: is this really a "cloud router" ?

Sat Jan 04, 2020 8:30 pm

VPN is not equal to a server... it can be configured as a VPN client that connects to a VPN server and then accessed through that server... as simple as that...
Also why Open VPN? No need at all...
What is wrong with the easy port forward? I do not understand... Instead of suggesting people a paid service it's better...
 
Wiley1
just joined
Topic Author
Posts: 11
Joined: Wed Jan 01, 2020 7:40 pm
Location: Virginia

Re: is this really a "cloud router" ?

Sat Jan 04, 2020 8:50 pm

I have also used an Engenius ECS1008P, which is a real cloud device.
It automatically logs into an Engenius server. It doesn't matter whether it is behind NAT, double-NAT, or a firewall.
It can be managed from anywhere in the world, just by logging into the Engenius website.

When I bought the Mikrotik, I thought I was getting that same capability because it was advertised as "Cloud Router". But, no, it isn't really.

So, I'm still looking for a cloud-managed L3 switch. Anybody know of one?
 
pe1chl
Forum Guru
Posts: 6337
Joined: Mon Jun 08, 2015 12:09 pm

Re: is this really a "cloud router" ?

Sat Jan 04, 2020 9:02 pm

The name "cloud" is only on MikroTik devices because it is a hyped word. There is nothing in the devices that makes it specific for use with cloud, other than the "ip cloud" feature that is just a free DDNS/time service and it is present in all MikroTik devices, not only those with "cloud" in the name.

So yes, it is misleading. It is something completely different than Engenius.
 
szt
just joined
Posts: 19
Joined: Mon Aug 06, 2018 9:43 pm
Location: Olomouc, Czech Republic

Re: is this really a "cloud router" ?

Sat Jan 04, 2020 9:12 pm

With some basic networking knowledge/experience, you can deploy your own cloud controller on VPS using a Mikrotik CHR instance - even an AWS EC2 t2.micro instance (1 year free) is enough, including a static public IPv4 address. Mikrotik CHR appliance is also free (https://aws.amazon.com/marketplace/pp/B ... duct_title)

And then you can configure your own VPN server on that VPS, with i.e. SSTP server accessible from practically any customer's site (as long as it allows outgoing HTTPS connections). As a result you can manage unlimited customers' routers via this VPS connectivity.

I am using such a solution for managing hundreds of routers, located behind NAT.
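
The arrangement szt describes above (routers behind NAT dial out over SSTP to a CHR on a VPS, and management rides inside the tunnel), sketched as RouterOS v6 configuration. This is an added example, not part of the original post; the hostname `vpn.example.net`, the 10.255.0.0/24 tunnel range, the names `site1`, `sstp-mgmt` and `sstp-server`, the passwords and the certificates are all assumptions.

```routeros
# ---- On the CHR (VPS with the static public IP) ----
# Assumption: a server certificate named "sstp-server", issued for
# vpn.example.net, is already present under /certificate.

# One PPP account per managed site, with a fixed tunnel address so each
# router is always reachable at the same management IP.
/ppp secret add name=site1 password="CHANGE-ME-long-random" service=sstp \
    local-address=10.255.0.1 remote-address=10.255.0.11

# SSTP listens on TCP/443, so the remote site only needs outbound HTTPS.
/interface sstp-server server set enabled=yes certificate=sstp-server \
    authentication=mschap2 default-profile=default-encryption

# ---- On the router behind the NAT gateway ----
# Assumption: the CA that signed the server certificate has been imported
# here, so the client can verify which server it is dialing.
/interface sstp-client add name=sstp-mgmt connect-to=vpn.example.net port=443 \
    user=site1 password="CHANGE-ME-long-random" profile=default-encryption \
    verify-server-certificate=yes verify-server-address-from-certificate=yes \
    disabled=no

# Accept management (SSH 22, WinBox 8291) only when it arrives through the
# tunnel. "add" appends to the end of the chain, so move this rule above any
# final drop rule in the input chain.
/ip firewall filter add chain=input in-interface=sstp-mgmt protocol=tcp \
    dst-port=22,8291 action=accept comment="mgmt via SSTP tunnel only"

# Second layer: the services themselves only answer the tunnel range.
/ip service set winbox address=10.255.0.0/24
/ip service set ssh address=10.255.0.0/24
```

With this in place nothing has to be forwarded on the upstream gateway, and the router's management ports are never reachable from the Internet side.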
 
Wiley1
just joined
Topic Author
Posts: 11
Joined: Wed Jan 01, 2020 7:40 pm
Location: Virginia

Re: is this really a "cloud router" ?

Sat Jan 04, 2020 10:57 pm

That sounds like a great solution. Does it only work on AWS? Or could I set up a server at my own company with a public IP address and accomplish the same thing?

The ideal situation would be one where the server is only used to make the initial connection. After that, I would prefer to be directly connected to the router without having traffic passing through an intermediary point. That is how TeamViewer works. Once the Remote successfully connects to the Host, there is no further need for the Teamviewer server to be involved.
 
pe1chl
Forum Guru
Posts: 6337
Joined: Mon Jun 08, 2015 12:09 pm

Re: is this really a "cloud router" ?

Sat Jan 04, 2020 11:09 pm

Are you sure about that? I think with Teamviewer all data passes through the Teamviewer servers. How else could it work between 2 sites that both are behind firewalls and even proxies?

Anyway, the MikroTik CHR can run on most VM environments, including your own VMware ESXi host or similar.
And you can do the same thing with any physical MikroTik router (or with many other manufacturer's routers) or with any system running a reasonably powerful networking OS.
 
szt
just joined
Posts: 19
Joined: Mon Aug 06, 2018 9:43 pm
Location: Olomouc, Czech Republic

Re: is this really a "cloud router" ?

Sat Jan 04, 2020 11:15 pm

AWS is not necessary, you can use any VPS. Consider AWS only as an example. Generally, 1 shared core and 128MB RAM (plus public IP) is enough for running a Mikrotik CHR (https://wiki.mikrotik.com/wiki/Manual:C ... _platforms:) instance. Such a VPS could be obtained for about 1USD/month.

About intermediate point - in case both partners are behind NAT, there always must be some intermediate point.
 
jvanhambelgium
Member Candidate
Posts: 109
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: is this really a "cloud router" ?

Sat Jan 04, 2020 11:54 pm

> VPN is not equal to a server... it can be configured as a VPN client that connects to a VPN server and then accessed through that server... as simple as that...
> Also why Open VPN? No need at all...
> What is wrong with the easy port forward? I do not understand... Instead of suggesting people a paid service it's better...

Sure the Mikrotik can be configured as a VPN-client to make an outbound connection to "a VPN server" running somewhere as a VPS. Specs of this VM can be very low (cost)
I'm not suggesting any paid service, just listing options that I found.

And "port-forward"? Where? On which device? If you cannot (reliably) perform any port-forward on the intermediate/first-stage ComCast router forget the "port forward" route to gain easy access to the Mikrotik which sits behind the Comcast.
 
jvanhambelgium
Member Candidate
Posts: 109
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: is this really a "cloud router" ?

Sun Jan 05, 2020 12:01 am

> That sounds like a great solution. Does it only work on AWS? Or could I set up a server at my own company with a public IP address and accomplish the same thing?
>
> The ideal situation would be one where the server is only used to make the initial connection. After that, I would prefer to be directly connected to the router without having traffic passing through an intermediary point. That is how TeamViewer works. Once the Remote successfully connects to the Host, there is no further need for the Teamviewer server to be involved.

Sure you could have this server located at your own company. As long as this has a static public IP address you are good to go (+ some config work of course)
Alternative is things like TeamViewer as indicated here. Have "some PC" on that remote site with Comcast equipped with TeamViewer client. You can then take over that PC remotely, and launch Winbox/Webfig to manage the locally installed Mikrotik. Sure, your traffic passes through TeamViewer servers but encryption is end2end. Remember TeamViewer is normally not FREE unless for "personal use"

Dozens of possible solutions actually.
 
Wiley1
just joined
Topic Author
Posts: 11
Joined: Wed Jan 01, 2020 7:40 pm
Location: Virginia

Re: is this really a "cloud router" ?

Sun Jan 05, 2020 12:10 am

> Are you sure about that? I think with Teamviewer all data passes through the Teamviewer servers. How else could it work between 2 sites that both are behind firewalls and even proxies?

One time I used the TeamViewer dashboard to make a connection to a host on my own LAN. Once it was established, I disconnected the Internet modem. The connection stayed up and worked nicely for as long as I tested it.

I'm not sure how they do it because I don't fully understand how NAT packets are structured.
But, it seems that the TeamViewer server somehow takes two incoming connections and teaches them how to talk to each other. Then it gets out of the way.
It would have to work that way. I can't imagine that they would want to act as the man-in-the-middle for tens of thousands of simultaneous connections.
 
szt
just joined
Posts: 19
Joined: Mon Aug 06, 2018 9:43 pm
Location: Olomouc, Czech Republic

Re: is this really a "cloud router" ?

Sun Jan 05, 2020 12:15 am

Yeah, "Dozens of possible solutions actually." - but why use an unnecessarily complex solution, instead of one cheap/free VPS, one SSTP VPN and two NATs and a quarter of an hour total deployment time? TeamViewer specifically is not a free product.

AWS VPS is totally free for one year. Enough time to test the feasibility of such a VPS/VPN server way of managing devices behind NAT.
Last edited by szt on Sun Jan 05, 2020 12:18 am, edited 1 time in total.
 
szt
just joined
Posts: 19
Joined: Mon Aug 06, 2018 9:43 pm
Location: Olomouc, Czech Republic

Re: is this really a "cloud router" ?

Sun Jan 05, 2020 12:16 am

ad "It would have to work that way. I can't imagine that they would want to act as the man-in-the-middle for tens of thousands of simultaneous connections."

Easy to determine - try to run "netstat -f" command during such TeamViewer session. I bet you will see at least one connection opened to TeamViewer central server.
Last edited by szt on Sun Jan 05, 2020 12:29 am, edited 1 time in total.
 
szt
just joined
Posts: 19
Joined: Mon Aug 06, 2018 9:43 pm
Location: Olomouc, Czech Republic

Re: is this really a "cloud router" ?

Sun Jan 05, 2020 12:24 am

BTW ad "ComCast Business gateway" - do you really need it? Two years ago I replaced three such gateways by combo [Mikrotik Router(20USD one-time) + cheapest generic Cable modem bought at Target or such similar store (60USD one-time)]. Total cost 80USD one-time investment per combo, instead of 10USD each month per HomeGateway rental fee. Eight months ROI :-)

Works till today at all three estates - this is a kind of miracle, previously those HomeGateways needed to be replaced every 2-6 months - were not able to withstand overvoltages during thunderstorms in Florida.

And as bonus - the public IP address is bound directly to the Mikrotik's interface.

Last edited by szt on Sun Jan 05, 2020 12:54 am, edited 6 times in total.
 
jvanhambelgium
Member Candidate
Posts: 109
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: is this really a "cloud router" ?

Sun Jan 05, 2020 12:44 am

> > Are you sure about that? I think with Teamviewer all data passes through the Teamviewer servers. How else could it work between 2 sites that both are behind firewalls and even proxies?
>
> One time I used the TeamViewer dashboard to make a connection to a host on my own LAN. Once it was established, I disconnected the Internet modem. The connection stayed up and worked nicely for as long as I tested it.
>
> I'm not sure how they do it because I don't fully understand how NAT packets are structured.
> But, it seems that the TeamViewer server somehow takes two incoming connections and teaches them how to talk to each other. Then it gets out of the way.
> It would have to work that way. I can't imagine that they would want to act as the man-in-the-middle for tens of thousands of simultaneous connections.

TeamViewer will try several methods, including a "direct one" without intermediate "cloud" services (probably what you had tested on your local LAN).
But in this case, the TeamViewer cloud services would be the intermediate "man-in-the-middle" binding your sessions together.
They have 100+ datacenters around the world for these services. 10.000 or 100.000 concurrent sessions is peanuts.
 
Wiley1
just joined
Topic Author
Posts: 11
Joined: Wed Jan 01, 2020 7:40 pm
Location: Virginia

Re: is this really a "cloud router" ?

Sun Jan 05, 2020 2:47 am

> BTW ad "ComCast Business gateway" - do you really need it? Two years ago I replaced three such gateways by combo [Mikrotik Router(20USD one-time) + cheapest generic Cable modem bought at Target or such similar store (60USD one-time)]. Total cost 80USD
I absolutely agree with you. I would much rather have just a plain old cable-modem that behaves as a bridge. But, that is not what the client is giving me to work with.
 
bpwl
Member
Posts: 303
Joined: Mon Apr 08, 2019 1:16 am

Re: is this really a "cloud router" ?

Mon Jan 06, 2020 10:25 pm

Doing this with multiple hEX devices that run DUDE for me. From the hEX I see the whole LAN network as I connect with a NATted address. The hEX contacts my hAP Lite at home over SSTP tunnel. The hEX sets up the SSTP tunnel, the hAP Lite is the SSTP server. I do travel with a mAP Lite to connect to my hAP Lite at home the same way as the hEX.

The home network is a VDSL line with dynamic IP address. No problem for the Mikrotik with a DDNS name based on its serial number. The hEX-es are very deep in the monitored LAN network, behind 3 NAT devices (SXT LTE, Skynet satellite, TP-link load balancers, hEX NAT). None of these load balanced connections allow inbound connections (ISP blocked), just outbound, but that's enough for the SSTP tunnel. Actually I'm working with 2 hAP Lites (second one at a friend's home) and 2 mAPs for redundancy (we have one each).

Topology is simple and straightforward, all connections in the tunnel are NATted, so from the hEX you cannot see the network the hAP Lite is connected to. At home I just connect to the hAP Lite (using implicit webproxy server for satellite link speed improvement). On travel I use the mAP in repeater modus for connection to any wifi, that makes the tunnel to my hAP Lite. Access to the monitored network is transparent. The mAP is my token for access when travelling. Inbound connections to the monitored networks are not possible. The monitored network is even on a WAN port of the hEX.
 
Wiley1
just joined
Topic Author
Posts: 11
Joined: Wed Jan 01, 2020 7:40 pm
Location: Virginia

Re: is this really a "cloud router" ?

Tue Jan 14, 2020 3:32 am

Wow! I barely understood 1/3 of what I just read.
Can you dumb it down a little for a newb?
What is a hEX? What is a hAP? What is a mAP? I would Google but those generic names will get millions of results.

It sounds like you've set up a kind of tracking server in your basement and mirrored it to your friend's basement.
That allows the Mikrotik routers to log into the server. Then you are able to log into the same server.
Am I close?

Now we have both ends of the connection that we want, but how do you tie them together?
After you make a successful connection from your laptop to the router, does your basement server stay in the loop? Or do you make a direct connection to the router somehow?
 
bpwl
Member
Posts: 303
Joined: Mon Apr 08, 2019 1:16 am

Re: is this really a "cloud router" ?

Tue Jan 14, 2020 10:13 am

Hi, hEX, hAP and mAP are Mikrotik devices (see the hardware list).

You are very close with the setup. Actually spot on. The connection is made with a SSTP tunnel (also known as SSL VPN) from the hEX, because that one recovers very well when the load-balancers have to change the connection link to Internet for failover.

For security reasons I cannot just pass through the local tracking server from my local network, so I have to (wifi) connect to that device. The uplink to internet for that tracking server does not pass through my local LAN network. It could be done that way but as there are possible inbound connections I prefer not to do so. Could use that hAP Lite as "web proxy" from my local network if needed.

DUDE software (Mikrotik) runs on the hEX (Mikrotik) device at the monitored site.
The hAP Lite (Mikrotik) is the tracking/communication server at home. It is connected to internet, in what actually is a one node DMZ.
The mAP Lite (Mikrotik) is my travel companion as it easily can make that SSTP tunnel to the hAP Lite, over a public or guest wifi network. (configured as wifi repeater)
 
Steveocee
Forum Guru
Posts: 1127
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: is this really a "cloud router" ?

Tue Jan 14, 2020 5:00 pm

I must be missing something here.
So @OP you saw an image of the device, it had the word "cloud" on it and you assumed it was a cloud managed device and bought it? You didn't think to look at the specifications of the device and confirm it had a feature that you categorically were looking for?
Wait until you figure out the "router" part is also a bit of a red herring on these devices.......
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
 
Wiley1
just joined
Topic Author
Posts: 11
Joined: Wed Jan 01, 2020 7:40 pm
Location: Virginia

Re: is this really a "cloud router" ?

Tue Jan 14, 2020 6:54 pm

What? This thing isn't a true router either? Even though it runs something called RouterOS?
What are you going to tell me next? the firewall isn't really a firewall? or it can't really deliver 90 watts of PoE?

I started out with the idea of using an Engenius Cloud WAP and an Engenius Cloud Switch. I could manage both devices from anywhere in the world, even behind double-NAT or triple-NAT without changing anything in the Comcast Business gateway device. True Plug&Play. Everything was going well until I realized that the ECS1008P is a level-2 switch which doesn't allow me to establish routes or DHCP servers. Bummer. I suppose I could have grabbed a fairly inexpensive router/firewall but that would put three boxes at each site and I really want to do this with only two boxes. The Engenius L2 switch went back to the distributor.

Somebody recommended the Mikrotik CRS-112-8P-4S. It checks almost all of my "boxes":
  • no licensing fees.
  • cheap $
  • enough PoE to light up 8 WAPs or 8 phones
  • router & Switch in one box
  • able to take a working config file and transfer it to another box

Now that I know this thing isn't a true "Cloud" router, I can work around that little fib. I already have TeamViewer access to every PC at every site, which will allow me to get into the Comcast gateway from the LAN side when WAN access doesn't work. I'll let the Mikrotik obtain a dynamic IP from the Comcast gateway for the WAN connection, but I will make that IP a reserved "pseudo-static". If Comcast decides to "accidentally" blow out my changes, the Mikrotik will continue working (except no remote access), even with a different WAN IP. The only other change I'll need is Port-Forwarding from the Internet to the Mikrotik. Yes, that leaves the router vulnerable to attack, but is it really an issue if I use a strong password and an obscure port number?

What do I really need the Mikrotik to do?
  • DDNS -- check
  • supply power to 8 typical devices with PoE or PoE+ -- check
  • multiple VLANs -- check
  • a separate DHCP scope in each VLAN -- check
  • deliver Internet to each VLAN -- check
  • a separate set of DNS settings in each VLAN -- check
  • recognize that a phone has been connected and place it in a specific VLAN -- working on that
  • isolate devices from one another on the Guest VLAN -- working on that
  • NOT isolate printers on the Guest VLAN -- working on that
  • reasonable firewall protection with ability to create exceptions -- I think so

I don't want to hijack my own thread with all the details of how to accomplish these tasks.
We can discuss the specifics in other threads.

For right now, before I go too much further down this rabbit hole, I just want to know:
  • Will the Mikrotik CRS-112-8P-4S be unable to do anything that I need it to do?
  • Have I chosen the best device for the job?
  • Am I going to be clobbered with any more surprises?
 
pe1chl
Forum Guru
Posts: 6337
Joined: Mon Jun 08, 2015 12:09 pm

Re: is this really a "cloud router" ?

Tue Jan 14, 2020 7:01 pm

> What? This thing isn't a true router either? Even though it runs something called RouterOS?

Well, it is a true router but (as you can see in the specifications) it cannot route at wirespeed.
So when you expected that a router with 1Gbit ports will be able to serve you on a 1Gbit internet connection, you will be disappointed.
It can SWITCH at 1 Gbit/s between the ports in a single network, but when you do routing and firewalling it will be much less than that.
(specs say that with 25 IP filter rules you will get ~94 Mbps max, well in practice it will be a bit more than that when you cleverly arrange the rules so they do not all have to be checked for every packet, but as you can see the routing performance is only about 10% of the switching performance)
 
Wiley1
just joined
Topic Author
Posts: 11
Joined: Wed Jan 01, 2020 7:40 pm
Location: Virginia

Re: is this really a "cloud router" ?

Tue Jan 14, 2020 9:19 pm

Thanks for that clarification. For what I'm doing, I'm not too concerned about the throughput on the WAN side.
Most of my clients are too cheap to pay for more than 200 Mbps. They might have 300 Mbps service if they lucked into a promo.

It sounds like you're saying the worst of the bottlenecks is in the firewall rules.
If I keep those minimal, can I hope to get a sustained 300 Mbps across all VLANs?



 
pe1chl
Forum Guru
Posts: 6337
Joined: Mon Jun 08, 2015 12:09 pm

Re: is this really a "cloud router" ?

Wed Jan 15, 2020 1:29 am

The bottleneck is in the painfully slow CPU.
Between switchports there is fast hardware to forward the packets, but when routing it has to be processed all by a processor slower than a Raspberry Pi model 1.
For decent routing performance you need to look at a CCR1009 or RB4011.
