Hello everyone!
Last week, I got gigabit internet installed at my home through fiber (yay! Finally!)

The company gave me a Zhone zNID 2400 router.


Plugging a computer directly to that router (with a Cat6) cable provides a 930 Mbps down, 830 up speed.
That internal network is a 192.168.1.1/24

Obviously, I don't like plugging all my devices to the Zhone router... as god knows what security measures it has.
So I bought a Miktorik CRS125.


The CRS125 is plugged via Cat6 to the Zhone router, and then the computer is plugged to the CRS125.
Yet the download speeds are hovering in the 4-500 Mbps down, 5-600 up.

Maybe double-NAT'ing is going on.
So I set the CRS125 in a DMZ (from the Zhone administration web-gui).
Yet the speeds are still slow (4-500 down, 5-600 up).

Any suggestions you can make?
The Zhone doesn't have (or I can't see) a "Bridge Mode"...
The next test I will do is to "scratch" the CRS125 config, and start from zero (instead of the auto-config on first boot).

What do you guys think?
Any suggestions you can make?

Thank you very much for your time and help!
Let me know what other information would be useful.

This box will need tweaking for that kind of speed.
I.e. make sure that fast path / fast track are enabled, optimize rules, ...
It would have been better to get a CCR. The CRS combines a fast switch with a "normal speed" router and
gigabit internet is not "normal speed".

This box will need tweaking for that kind of speed.
I.e. make sure that fast path / fast track are enabled, optimize rules, ...
It would have been better to get a CCR. The CRS combines a fast switch with a "normal speed" router and
gigabit internet is not "normal speed".

Thank you for the reply!

Which CCR would you suggest?
I see this one: Mikrotik CCR1036-12G-4S.

Not sure if that's the one you suggest?
If it is... any idea if there's something lower in price?
I see that unit at almost $1,000

Thank you!

Whatever ccr will provide enough speed for gigabit Internet access. Use it directly without any other router between you and the isp.

Which CCR would you suggest?
I see this one: Mikrotik CCR1036-12G-4S.

Not sure if that's the one you suggest?
If it is... any idea if there's something lower in price?
I see that unit at almost $1,000

Thank you!

I recently bought a CCR-1009-8G-1S-1S+ which I think is a very nice box that should well be able to handle
this speed, however of course it has only 8 ports of which 4 are switchports. I use it with a 48-port switch
so number of ports is not a concern for me.
There are also even lower priced CCR-1009 models. They should be roughly the same in routing speed.

The CRS should be able to get a little faster but not full gigabit. However, it is just a cosmetic issue, you will
probably not be able to notice the difference outside of speedtesting.

If you use the CRS as a switch (it's intended purpose), you should be able to get the same speeds as when your computer is plugged directly into the router. The CRS has a weak CPU and cannot easily handle the kind of speeds you're looking for. Set up the CRS with ports 2-24 as slave to port 1. This will effectively make the CRS a managed switch, and you can use the actual router for all routing. The CRS is a wire-speed switch, so you shouldn't have any loss of performance using this kind of a setup.

The CRS should be able to get a little faster but not full gigabit. However, it is just a cosmetic issue, you will
probably not be able to notice the difference outside of speedtesting.

I know... yet my OCD will not let me live this down!

Set up the CRS with ports 2-24 as slave to port 1. This will effectively make the CRS a managed switch, and you can use the actual router for all routing. The CRS is a wire-speed switch, so you shouldn't have any loss of performance using this kind of a setup.

And would the router (Zhone) be the one handing out the IPs? (DHCP server)

My main issue is that I want to separate my "internal network" from what the router (not mine) can see.
Trying to add some extra secutiry layers.

Guys, got a n00b question (yet another one!).
I was asking the people over at #miktorik (at freenode).

One of the suggestions was to add a Ubiquity Edgerouter Lite (ERL) between the Zhone fiber router and the Mikrotik CRS125.

Question: Why would this "ease up" the load on the CRS125?

Please excuse my n00b-ness...
A router sits between networks.
A switch is "internal" to a network.

So right now I have the CRS125 acting as a router (internal 192.168.21.1/24 and the external 221.som.eth.ing).
It is also acting as a switch for my internal devices.

My question:
Why would a UBNT ERL ease up the load on the CRS125?
Is it because the CRS125 is re-configured no-NAT?
I'm lost on this.

Thank you!

Do you really need the full gigabit speed? Or is this only apparent during testing?
You could always put the system that "requires" gigabit directly on the outside router (and configure good firewalling
on it) and put the remaining devices including those that you cannot really manage behind the MikroTik.
They will still be able to use the 500-800 Mbit/s that the CRS could do.

Also focus on getting everything on IPv6 as much as possible (of course with firewalling configured in the MikroTik).
This avoids the need for NAT. I hope your ISP gives you native IPv6 with a /60 or more and the possibility to route
some /64 prefixes to your own internal equipment.

The CRS can only achieve 500+ using fastpath...and not every connection can use it! This is why you should use a ROUTER for ROUTING, and a SWITCH for SWITCHING.

The Zhone is already doing NAT (most likely), so your internal IPV4 addresses are hidden from the outside world. Unless you've got a shady ISP, they're not snooping around in your router to check out your internal network. Adding another layer of NAT behind that really doesn't add any security, and it creates even more problems, especially with services that don't tolerate NAT very well. If you absolutely want to use your own router, get rid of the Zhone and use a CCR to accept your incoming fiber connection - the CCR1009 will more than do the trick. Or set the Zhone into bridge mode so that your own router takes on the external IP address.

If you check the diagram of the CRS, all ports are connzcted to the cpu through only one 1 gb/s link. I use the sfp port with one copper gigabit and i m able to route all my bandwith. Almost 800Mb/s

Envoyé de mon SM-G925F en utilisant Tapatalk

With fasttrack, you should expect to max out the CPU at around 750 Mbps half duplex for a home setup.

Hello everyone,
I orderd a Ubiquiti ERLite 3.
It's good because I get more experience with different types of equipment.

And I definitely don't need 1 Gbps all the time, yet I hate to "leave that on the table".
Now I will have a new piece of equipment to install and work with!

It is always a good idea when you buy equipment with such cutting-edge requirements to look at the specs.
On the CRS125 page, at the bottom, there are quite clear specs for that device that agree with what you see.
For the Edgerouter I don't see such a table in the brochure, only the "1M packets/s" claim (@64 bytes/packet).
You now need to hope that it sustains that claim at larger packet sizes. 1Gbps @ 1500 bytes/packet is over
650k packets/s so you will probably still be stretching it...
(remember that unqualified speed claims in brochures usually assume a configuration unusable in practice,
e.g. no firewall rules. the table in the MikroTik brochure at least provides some different datapoints)

We'll see

It is always a good idea when you buy equipment with such cutting-edge requirements to look at the specs.
On the CRS125 page, at the bottom, there are quite clear specs for that device that agree with what you see.
For the Edgerouter I don't see such a table in the brochure, only the "1M packets/s" claim (@64 bytes/packet).
You now need to hope that it sustains that claim at larger packet sizes. 1Gbps @ 1500 bytes/packet is over
650k packets/s so you will probably still be stretching it...
(remember that unqualified speed claims in brochures usually assume a configuration unusable in practice,
e.g. no firewall rules. the table in the MikroTik brochure at least provides some different datapoints)

We'll see

Thank you for the feedback!
Obviously I want it to work, yet what you just posted has been super insightful.

Five days ago, it hadn't even crossed my mind that routers can hit a performance limit.
I just didn't even realize it.
Also, although I slightly knew about networking, I didn't truly visualize how a packet would go from a computer, to the CRS125 (switch), then off to the internet.
It was an eye-opener to learn that the CRS125 is doing the switching, AND the routing.

I now understand the ERLite 3 could alleviate the load on the CRS125.
(That's a big maybe on the ERLite 3's performance!!)

I am looking forward to learn how to tell the CRS125: Hey you, stop doing routing, just stick to switching.

Again, this entire excercise has been awesome.

One thing I can say:
I have received help on this forum, and on the irc #mikrotik and #ubnt channels.
Yet Mikrotik folks are waaay nicer than the Ubiquiti irc folk.
Obviously that's a generalization, yet I just read non-nice things about Mikrotik from the Ubiquiti channel (the people that did respond).

I guess Cisco people at some point felt the same way towards other brands.

Thank you all, and I will keep this updated on how it progresses!

I believe you will come back to mikrotik even for routing when you realise what options you get from ubnt in the comparison. I have never read anything too much bad from a mikrotiker towards ubnt. It is just not necessary to denigrate. Experience talks for itself. You will get experience too.

The ERL should definitely do a better job than the CRS for routing, but for the price, you probably could've gotten a base RB2011 and the interface for configuration would be much more familiar with the CRS - and the RB2011 would easily have met your needs for gigabit routing. Since the ERL doesn't have an SFP port, you're going to need to use the Zhone as a media converter/bridge...don't double NAT. Depending on whether your ISP allows you any administrative access to the Zhone, you may need to ask them to put it into bridge mode so that your ERL takes on your assigned public IP.

The RB2011 will not provide more routing power than the CRS125.

if 10x gigabit ports were more that enough, I would just have got the RB3011 and get rid of the CRS125. Otherwise, an RB850Gx2. Also this if 5x gigabit ports total were more than enough.

From routing performance point of view the 2011 is the same like crs125.

Except for the fact that the CRS will max out at 1 gig since all ports share a single 1 gbps link to the CPU, whereas the RB2011 can reach up to 1.5 gbps. So, not quite the same, but yes, the RB2011 actually can route more than the CRS because of the physical architecture.

Except for the fact that the CRS will max out at 1 gig since all ports share a single 1 gbps link to the CPU, whereas the RB2011 can reach up to 1.5 gbps. So, not quite the same, but yes, the RB2011 actually can route more than the CRS because of the physical architecture.

Without firewall, with a simple firewall you max out a half that.

If you use the sfp port you can have 2x1gb

Envoyé de mon SM-G925F en utilisant Tapatalk

Without firewall, with a simple firewall you max out a half that.

True, but either way, the RB2011 still has the ability to outperform the CRS for layer 3 throughput because its physical design allows for up to 1.5 gbps versus only 1 gbps on the CRS. The CPU is not the limiting factor, otherwise the RB2011 would only push up to 1 gbps despite its physical architecture allowing for more, so one can reasonably assume that even with firewall rules enabled, the RB2011 will still outperform the CRS.

If you use the sfp port you can have 2x1gb

Envoyé de mon SM-G925F en utilisant Tapatalk

Incorrect. The only RB2011 model that even has an SFP port is the RB2011iLS-IN. As per the block diagram, that SFP port is still on the gigabit switch that shares a single 1 gbps uplink with the 5x 1 gpbs RJ-45 ports to the CPU.

Now, if you're talking about the CRS, you're still incorrect. The SFP ports on the CRS go directly to the switch chip, and the entire switch chip shares a 1 gbps link to the CPU.

Without firewall, with a simple firewall you max out a half that.

True, but either way, the RB2011 still has the ability to outperform the CRS for layer 3 throughput because its physical design allows for up to 1.5 gbps versus only 1 gbps on the CRS. The CPU is not the limiting factor, otherwise the RB2011 would only push up to 1 gbps despite its physical architecture allowing for more, so one can reasonably assume that even with firewall rules enabled, the RB2011 will still outperform the CRS.

I have an RB2011 with NAT, firewall, and fasttrack: 500 Mbps download -> 65% CPU

+ bridge: 100% CPU below that

Guys. The questioner bought the crs125 for security reasons. It means he runs a firewall there and maybe other stuff. Therefore his speed is pretty much the maximum he can get and the cpu is the limiting factor for him. In his case the 2011 would perform the same. If he wants better performance under the same conditions he needs to get faster device. That's obvious. If he resign on security he can use switch chip and be happy with duplex gigabit but it is not his situation. All other potential differences you see in the block diagram are irrelevant for him. So. He just selected wrong device to play the wrong role.

Hello everyone,
The Ubiquiti ERLite3 arrived last night.
Going to try and set it up tomorrow.

Will report back on how it goes!

He just selected wrong device to play the wrong role.

What Mikrotik would you suggest for such an application?
It's a home office, so costs are a consideration... yet I don't need more than 5 ethernet ports.
(and I could plug something like an RB951 for wifi).

Thanks!

What Mikrotik would you suggest for such an application?
It's a home office, so costs are a consideration... yet I don't need more than 5 ethernet ports.
(and I could plug something like an RB951 for wifi).

Thanks!

In that case a CCR1009-8G-1S-PC should probably be the preferred choice when from MikroTik.
It has a 4-port switch you can use at the LAN side and it has SFP where you could directly terminate
the fiber if this is possible with your ISP, or else connect the provided router on one of the 4 remaining
ethernet ports. Then you still have 3 ports that you can configure independently e.g. as a DMZ or
to connect the WiFi and have it completely separate.
Of course you can also put those ports and the switchport in a bridge, but then you may again hit
some performance ceiling.

To avoid double NAT, you can leave your fibre modem at 192.168.1.1/24, and switch off the DHCP on the modem. The plug it in port 1 of the CCR, and define a local network in the SAME subnet. So setup the DHCP on the Mikrotik in the range of 192.168.1.3 - 192.168.1.250. Give Mikrotik an IP as 192.168.1.2.

That way you do not need NAT. That speeds up.

See if you can set up the modem from the ISP into bridge mode. Be aware, usually if you do that you loose VoIP service (if you use it, then it can be a problem, if you do not have phone service no problem then).

Then your Mikrotik will get the real internet IP on port 1, and then you will NAT in Mikrotik.

See if you can set up the modem from the ISP into bridge mode. Be aware, usually if you do that you loose VoIP service (if you use it, then it can be a problem, if you do not have phone service no problem then).

Also, when you can get the VoIP details from your provider you can choose to get an IP phone and connect it to
the internal network instead of using an old-fashioned POTS phone connected to an ATA port. This will usually
get you a lot of nice features especially useful in a home office.

Hello everyone,
I tried to setup the Ubiquiti ERLite3.

It's my first time doing this, so I am a little bit lost on how to set everything up.

Below is a diagram of my network.


I have a couple of questions:
-The ERL3, I initially set it up with DHCP, and it acquired a 192.168.1.12 from the Zhone modem/router. That IP (.1.12) was set to static on the ERL3 for that interface.
-What IP address should I give the other port on the ERL3? (that's the port going to the Mikrotik CRS125) The CRS is doing DHCP on the 192.168.21.0/24 network (which I want to keep as the internal network).
-Any suggestions as to the ERL3's NAT rules? I figure I need a rule for srcNAT and one for dstNAT... right? Do I need anything else?

Finally, once this is done: How do I tell the Mikrotik CRS125: Hey, stop doing the routing, just do the switching. From now on, send everything out port1.


I know it's a lot of questions... it's just that I have never seen such a setup, and I am lost as to how to go forward with the network.

Greatly appreciate all the help!!

Hello again,
I am trying to get this up and running... and I have very basic questions.
Below is a quick diagram of the "temporary" network.


Basically, I am not sure what IPs to assign to what.
I am using a Miktorik RB951 while I figure this out... as the CRS125 is currently in-production... and I want to minimize down-time.
As soon as I nail down what has to be done, then I will do it in the CRS125.


My basic questions:
What IPs do I give to what interfaces?
Connected to the router (Zhone) I have one interface of the ERLite3 (I have eth0).
The router's DHCP server gave that interface an IP of 192.168.1.11

Alright!
So now, on eth2 of the ERLite3... what IP should I give it?
I was thinking to give it 192.168.88.1

Then, on the Mikrotik RB951... give eth0 192.168.88.2
??
Yes? No? What do you think?

In addition to this, how should I configure the NAT rules in the ERLite3?
I am a little bit lost as to what is what in those menus.

Here is a screenshot below:



What do you think?

Connected to the router (Zhone) I have one interface of the ERLite3 (I have eth0).
The router's DHCP server gave that interface an IP of 192.168.1.11

Alright!
So now, on eth2 of the ERLite3... what IP should I give it?
I was thinking to give it 192.168.88.1

Then, on the Mikrotik RB951... give eth0 192.168.88.2
??
Yes? No? What do you think?

If all of them are using a /24 netmask (eg 192.168.88.2/24, or 192.168.88.2/255.255.255.0), yes. It is correct.
Strictly speaking, You don't need NAT on the ERLite3. You could just route the packets and setup a firewall - but no NAT. You would have to insert a static route on the Zhone, telling that the network 192.168.88.0/24 is reachable through the router with IP 192.168.1.11
This would free some CPU on the ERLite3, and make easier when You forwarded services - no double NAT!

Alright! 
Got it working last night... probably a Frankenstein, yet it's working!
I reset without a configuration the RB951... then started adding things slowly.
Here is it's config: And here is the Ubiquiti's ERLite3's only NAT rule:


Right now, a computer behind the RB951 (which has a 192.168.88.30/24 IP) has internet access.

If all of them are using a /24 netmask (eg 192.168.88.2/24, or 192.168.88.2/255.255.255.0), yes. It is correct.
Strictly speaking, You don't need NAT on the ERLite3. You could just route the packets and setup a firewall - but no NAT. You would have to insert a static route on the Zhone, telling that the network 192.168.88.0/24 is reachable through the router with IP 192.168.1.11
This would free some CPU on the ERLite3, and make easier when You forwarded services - no double NAT!

Going to check this out right now... thank you!