I'm looking to get into Mikrotik to replace my router. I've got a Hex S on order, but am wondering if I chose the right board? I can still order something else if needed.

I have a 100 mbps down / 5 up connection, and I don't think I would be upgrading to anything beyond about 500 mbps any time soon. I already have a separate AP, so no need for the router to have that built in. Basic network for now, but would like to get into VLANs eventually. I like the POE setup of the Hex S, as I'll be able to power my AP from it directly. The AP needs 48V passive, so I'm planning to power the router with a 48V power supply to make sure that works.

What I'm wondering about is the CPU architecture. Is there an advantage to choosing something with ARM instead of the MMIPS, certain features, etc.? Anything worth sacrificing the 48V POE for? Thinking hap ac2 or ac3 as alternatives, and just not using the wireless. Or potentially the RB450Gx4 since that seems to have almost the same POE setup as the Hex S, though that's a bit pricey to buy with an enclosure. Anything else I should consider?

Thanks!

I have a 100 mbps down / 5 up connection, and I don't think I would be upgrading to anything beyond about 500 mbps any time soon.

The way you want to read the test results is to find a close-enough match to your use case in the Configuration column on the left, then decide how far over to the right you need to read for your traffic pattern.

The 1518 byte column models data flows where you pack the pipe maximally each time, such as big file downloads. For that, the hEX S is roughly a 1-2 Gbit/sec router. Since there is no port on the router faster than gigabit, you may be wondering how they get that value. Note the "all port" specification at the top of the table. For a single WAN uplink port, you have to clamp it to 1 gigabit.

You move over to the 512 byte column for mixed-type I/O: text web browsing + VoIP + DNS + MMORPG game streaming, etc. Here again we see it's more than capable of handling a 100/5 connection.

The 64-byte column is for cases where you're doing nothing but tiny packets to many clients, like proxying a DNS server. This is uncommon, but there are valid cases where you'll fall into this bucket.

would like to get into VLANs eventually

If you use RouterOS 7.1 or higher, the hEX S is capable of hardware inter-VLAN routing. (Source; it uses an MT7621 switch chip.)

I like the POE setup of the Hex S, as I'll be able to power my AP from it directly. The AP needs 48V passive, so I'm planning to power the router with a 48V power supply to make sure that works.

This sounds like a home setup, and that the existing AP already has power. Save the cash on the extra PSU and let it keep running from whatever it's running from now. PoE-powered APs are for cases like where you're adding one of those ceiling-mount APs and don't want to call in an electrician to run a new high-voltage line.

Is there an advantage to choosing something with ARM

The only ARM-specific feature in RouterOS land I'm aware of is ZeroTier. It's highly useful, but of little use in a single-site setup. If you just want a simple-to-configure VPN, WireGuard is easier to set up and runs on all RouterOS hardware.

If you had to have ARM + the specs you've called out so far, I think you want to jump up to the RB5009. The RB4011 would also work, but the 5009 is eclipsing it in most cases for the same price, so unless there's a supply chain issue forcing you to the 4011, I don't see why you'd do that. I wouldn't recommend saving a few tens of bucks on the 3011, even though that would also fill the role.

Thinking hap ac2 or ac3 as alternatives, and just not using the wireless.

That's another popular option, yes. Relative to the 5009, you lose:

• a few Ethernet ports
• an SFP+ cage, useful for a fiber uplink to a core switch, as for keeping NAS traffic off the router
• switch chip improvements (Atheros8327 vs 88E6393X) including HW offloaded VLAN filtering
• half the CPU MHz, which affects max routing performance
• 48V PoE output; both hAP ac² and ³ do 24V out only
• better passive cooling for longer life

If you can get by within those limitations, your plan is a sensible tradeoff.

Having Hex, hap AC2 and hAP Ac3 myself, I think AC3 is the more future safe option for SOHO network.

Hey everyone, thanks for all the input. I'll try to answer some of the points brought up--

Great explanation of what to look for in the test results. I think I had found similar in a video or other writeup a while back, and figured the hEX S would be plenty powerful for my current needs. Something to learn on, and then upgrade later if I ever upgraded my internet connection to something it couldn't handle. Though I'm not exactly sure what my configuration will look like yet in RouterOS. This is my home network with typical traffic, I'd think it would be pretty basic, especially for now at least.

On VLANs,

If you use RouterOS 7.1 or higher, the hEX S is capable of hardware inter-VLAN routing. (Source; it uses an MT7621 switch chip.)

and

I think you are confusing HW supported Bridge VLAN filtering with HW supported Inter VLAN Routing (L3 offloading).

I'm not sure I understand this. I read that VLANs were better supported on the MT7621 chip now, with updates in RouterOS, so I'd plan to run the latest stable version. The scenario I'm envisioning is having a security camera system on its own VLAN, and using a computer or phone on a main VLAN to access the feed or recordings as needed. Would something like that take advantage of the updated support for HW offloading for VLAN filtering? Or would that still hit the CPU anyway? Maybe depends on exactly how I would configure it, I definitely need to do some more reading on this.

To clarify on my AP situation, I have the tp-link EAP245. It's already got a 48V POE injector, so I'm thinking about trying to use it to power the hEX S on port 1, and also pass POE to the AP on port 5. Just trying to reduce some clutter and not add another wall wart if I can help it. But if that wouldn't work, I'd just use the 24V power supply that comes with the hEX S (or anything else I end up with), and power them separately.

As for the architecture,

The only ARM-specific feature in RouterOS land I'm aware of is ZeroTier.

This is the type of thing I had not seen. I don't use anything like this currently, so it seems ok to miss out on ZeroTier. Especially if WireGuard is a decent alternative should the need arise.

I had not really considered going up to the level of hardware of either the RB4011 or RB5009. It seemed to me that they are much more powerful than I really need. It sounds like my best alternative without overdoing it on price or hardware would be the hAP ac3. Would that be more future proof because it's a newer product? Or just down to the completely different setup of its CPU, etc, and simpler block diagram? It also seems like I would not need to replace it if I were to get much faster internet.

I really appreciate all the help.

On VLANs…I'm not sure I understand this.

woland's right: I was sloppy in my terminology and confused bridge VLAN filtering with inter-VLAN routing. Even the RB5009 doesn't do the latter. It's more a CRS3xx or CCR2xxx type of thing.

VLAN filtering has many uses. For instance, VLAN tag ingress filtering says, "This traffic is mine, gimme…that traffic is not, toss it." Under RouterOS 7.1+ on an MT7621 based device like the hEX S, enabling that feature no longer disables bridge hardware offloading. However, the Atheros8327 based devices like the hAP ac³ do not yet enjoy that benefit: you can do VLAN ingress filtering on them, but it happens on the CPU.

VLAN filtering also lets you say things like "If input traffic on this port isn't VLAN-tagged, give it ID 42." Once again, the hEX S can now do that on the switch chip, whereas if you ask the hAP ac³ to do that, it'll have to do it in software, on the CPU chip.

And that's fine! Routers are CPU-centric devices. It's very nice that the hEX S can now do these things in hardware, but that doesn't mean the hAP ac³ is useless because it cannot.

MikroTik is a very tech-focused company. They don't put switches and routers on separate product pages simply for marketing reasons. Given two MT boxes with 5 Ethernet ports each where one's classed as a router and the other as a switch, even though both run RouterOS, it's inadvisable to treat them interchangeably, even though at some level they are.

A switch is focused on wire-speed shuttling of traffic among interested nodes based on relatively simple rules. Inter-VLAN routing is one expression of this because it means some other device (likely a proper router) has tagged the traffic, so now it's up to the switch to deliver it to the proper endpoints based on those VLAN tags. Switches without inter-VLAN routing still make wire-speed switching decisions, but at a lower level based on MAC addresses, IGMP snooping, and other things they learn about the network as they run.

In a pure router, all traffic crosses the CPU, because that's where the routing rules are, specifying where each packet goes.

Because of this distinction, it's often advantageous to get a router and a switch. The router routes, and the switch switches. There are high-end devices in MT's lineup that do both well (e.g. the CCR line) but down at the hEX/hAP level, you're making tradeoffs.

I'm not trying to talk you into adding a switch to your hEX/hAP purchase decisions. I'm pointing out that while you've chosen a router for good and sufficient reasons, you should not expect it to be a top-end switch. These wondeful little guys do have a switch chip inside, and because of this they'll hold up well against a CRS106, but they'll have their asses kicked at raw switching by a CRS305. See the bridge hardware offloading feature table: note the row of green boxes on the CRS3xx line.

a security camera system on its own VLAN

Real-time HD streaming video over WiFi is lunacy as far as I'm concerned, so I'll assume wired, leaving you only 3 ports with the hEX/hAP units you're looking at after sending one up to the Internet and one down to the existing WiFi system.

(The hEX units have a sixth port, giving them their name, but to make it even I'll say that if you choose the hEX S, you've used its SFP port as a link back to a separate switch for other wired clients in another room, taking some load off the WiFi.)

Are 3 ports enough for your cameras?

Would something like that take advantage of the updated support for HW offloading for VLAN filtering?

If you run the cameras to a hEX S wired, you can VLAN-tag the ingress frames without disabling hardware offloading. A potential benefit of doing so is that you could then use VLAN tag filtering to keep those packets from going to the IoT network out of concern that your Evil Brand smart TV might be exfiltrating your security cam streams to China. It'd all happen in hardware, keeping the CPU free to do everyday routing tasks.

You could do the same with the hAP units, but these packets would have to cross the CPU switch to achieve such an end.

I have the tp-link EAP245

I don't know that hardware, but a quick skim of its specs page implies that the only way to use VLANs with it is to set up a separate SSID for each VLAN. Even if that truly is the limit of its VLAN capabilities, it's quite useful: it lets the router to make decisions based on which SSID the traffic came from.

One common way to use that is to set up a guest network that's only allowed to access the Internet. Another is to have an IoT network that can only access the cloud services your devices need, not the LAN services they do not.

power the hEX S on port 1…not add another wall wart if I can help it

It sounds backwards to me, but do as you like.

Making the router power the AP is "forwards," since the router is normally near a power point, while the AP is often not.

Another "forwards" example is a security camera, which may be mounted in a location that's hard to vandalize, but consequently far from an AC power point. PoE lets you pull just the one low-voltage data line.

it seems ok to miss out on ZeroTier. Especially if WireGuard is a decent alternative should the need arise.

ZeroTier and WireGuard are only alternatives in a limited sense.

WireGuard is a point-to-point encrypted tunnel, useful either for letting individual hosts VPN back into the LAN or for building site-to-site links between two routers.

ZeroTier is a virtual L2 switch in the cloud. While that does let you do VPN-like things, it's capable of much more. Read up on it before dismissing it. I'm not arm-twisting you into going with ZeroTier; I use WireGuard by preference myself, but it's out of a reasoned awareness that my needs don't yet require ZeroTier.

RB4011 or RB5009…much more powerful than I really need

Here's a reason you might not have thought of: 10G is dropping into the consumer range. High-end PCs are coming with 10G ports now, as are high-end NAS devices. A lot of stuff will remain 1G or slower, but even then, being able to aggregate multiple 1G links over a 10G uplink can make sense.

In my home network, I have a 4011 run over SFP+ back to a CRS328 per the router vs switch distinction I wrote of above. The 4011 is in the entertainment center with the Internet equipment, so each of the 1G links there effectively has a dedicated path back to the core. If I have a big Internet download running back to the office, it doesn't stall the over-the-top box running the flat screen, and neither of them bother the security cameras.

I'll admit to having weak justifications for the CRS328: it's the only switch in MT's lineup with multiple PoE out and 4x SFP+. What I really need is a 4x PoE + 4x SFP+ switch, but such does not exist yet. My alternative was to strap a hEX PoE to a CRS305, which did not appeal.

It sounds like my best alternative without overdoing it on price or hardware would be the hAP ac3.

I like the hEX S better:

• hardware VLAN filtering
• an SFP port for uplink to a proper core switch
• no unnecessary WiFi
• wee and cute

I'll trade ZeroTier away for all of that gladly.

It also seems like I would not need to replace it if I were to get much faster internet.

By clues from your posts, I'm going to guess that you're subject to cable data caps. In that world, a faster pipe just gets you into trouble faster. Unless you're willing to pay extra for "unlimited" Internet, 100 Mbit/sec is about as fast as makes sense. As long as that situation doesn't change, the only reason you'd outgrow a hEX/hAP is because of LAN-side things like the 10G core I brought up above.

What I'm wondering about is the CPU architecture. Is there an advantage to choosing something with ARM instead of the MMIPS, certain features, etc.? Anything worth sacrificing the 48V POE for? Thinking hap ac2 or ac3 as alternatives, and just not using the wireless. Or potentially the RB450Gx4 since that seems to have almost the same POE setup as the Hex S, though that's a bit pricey to buy with an enclosure. Anything else I should consider?

The hap ac3 has 128MB of flash vs 16MB on the hEX, so there may be issues about how many packages can be loaded on the hEX. But the hEX has a microSD slot, and can be a Dude server.

hap ac3 has 4 cores vs 2 (but possibly slower cores, it is hard to compare based only on clock speed).

As @tangent mentioned, ZeroTier is only available on ARM. ZeroTier has some portability advantages, since it doesn't even require dynamic dns on either end, since the "connection" is coordinated by a third party (the ZeroTier Root servers or your own Moon).

It does seem that vlans are supported better on the hEX, as least in v7.2 using the vlan-filtering bridge, where the hEX has hardware assisted vlans. So for devices within the same vlan, the CPU does not need to be involved. For traffic between vlans, this still has to be routed by the CPU, but that's true in general for low end switches that don't have L3 capabilities. But it would help for example if you had your cameras and NVR on the same vlan. Then the CPU wouldn't be involved.

The hEX can be used to host the Dude, if you decide to buy a replacement router in the future.

I have the hEX S, but not the hap ac3. And the hEX is strickly in a lab setting.

The hap ac3 has 128MB of flash vs 16MB on the hEX, so there may be issues about how many packages can be loaded on the hEX.

We user our hEX S as a "utility router" that our installation tech carries to the site and can reconfigure on the fly for whatever oddball need we have at the moment. As such, the flash memory limit isn't an issue for us.

I have a hEX PoE here with the same limit, and the only storage-related trouble I've run into with it is that you can only run the binary backup function about 10x before it fills the flash. It will then refuse to allow the OS to be upgraded, and it won't tell you why. Since I do a backup at least once per OS upgrade, I make a habit of going into Files periodically and weeding older backups.

the hEX has a microSD slot

We use ours to hold a few canned pcap test streams for use by the built-in traffic generator.

divide and conquer

is not the cheapest way, but you will enjoy some benefits from design perspective

i recommend independent router without wifi

in that ideas order i recommend rb4011igs+rm or rb5009ug+s+in 5009 is better but only routeros 7

tangent: thanks for all this info. Reading through, I think I am looking at the right level of hardware. It seems like I'll be pretty happy for a while with keeping the hEX S I have coming.

Looking at the switch chip feature page, I for some reason thought that the hEX S switching was brought more up to par with the hAP ac3 in those updates. But it seems like it's actually even surpassed that now in regard to vlans? I think that's better seen in the bridge hardware offloading portion that you also linked to. Again, not sure I need this right away, but good to know what's there when I do.

You're exactly right that I have cable internet, I probably do have a data cap but have never run into it. I also just don't have any devices yet that are capable of more than gigabit. No plans for much higher speed on cable any time soon, but I'll need to wait and see how my network shapes up too. I still need to run ethernet through my house eventually as I try to wire up more devices, and that possible camera system. I'm sure by that time I'll expand with a switch or two and need to consider the link speeds between them.

But it would help for example if you had your cameras and NVR on the same vlan. Then the CPU wouldn't be involved.

This is the exact scenario I'm envisioning. Let the NVR do its thing without affecting the router CPU most of the time. Then I guess it would get hit when accessing footage while I'm connected to a different vlan.

To chechito's point about having separate devices- I have to agree. I'm coming from a modem/router/ap combo that was hastily bought last time I needed an upgrade. Since then, I've been doing a lot of research about how to improve things, so I picked up the separate AP to improve wireless. I'm pretty happy with that so far. This separate router is the next logical step in that. I'll be putting the combo in bridge mode and just using it that way until I'm forced to upgrade.

-thanks all

Hello all,
sorry for "necroposting".
I found this thread really interesting.
I have an Hex S laying around, and a 1 Gbit/s down + 200 Mbit/s up connection coming home the next week.
Would like what opinion about Hex S as a router if it would suffice.

Some specs:
I need 1 port for wan and 2 LANs: one for LAN, the other for IOT/guest access
I already have a vlan-capable switch
I already have an AP vlan- capable configured this way:
The IOT is mapped to a 2.4 wifi network
The LAN is cabled + 5 Ghz wifi network

The 2 LANs do not need to talk to each other (well , bonus points if I get one static-ip of the 2.4 WiFi printer to talk to the LAN, but I can manage this in other ways)
Bonus point if I have a good experience while gaming on the cabled LAN

According to this:
1) do you think HEX S is enough ?
2) is it better to go for v6 + routed ports (I read there's a difference on a logic point of view, how should I choose the eth ports I need?)
3) or is it better to go for v7 (tagged as experimental as of today june 23) and use one port for WAN + one port for tagged LAN+IOT to switch ? Again, which ports to use ? Eth1 for WAN and Eth2 for LAN+IOT ?

I don't mind loosing some Mbit/s of theoretical speed as long as the overall experience is good (exp gaming).
Say half speed is the trigger that would stop me from going the HEX S way.

Thanks for sharing,
CG

Hi,

no I don´t think that would be enough, try at least a HAP ax2 but rather ax3.

Sorry, looks like I'm in need of new glasses, we are discussing 100Mbps and not 1G.
Forget all I wrote! (except the missing features, but those were mentioned by others)

If you have the hEX, try it and see if it meets your needs.

The hEX will probably be fast enough for you real needs.

If you lived near the autobaun, would you only buy a Bugatti Chiron so you could get the "full potential" of the road?

Then after you have used the hEX and if you determine it is too slow for you, then invest in something else. You may as well go for the RB5009 if the hEX doesn't satisfy.

I think that the primary thing that affects gaming is latency and jitter, not throughput.

My only concern with the hEX S is that it's the seemingly disfavored xMIPS platform. All the development (and likely testing) seems to be on the ARM-based devices. e.g. stuff like ZeroTier and Containers don't work on the hEX. Now you'd lose USB with the hAPax2, but the hAPax3 has USB 3.0 (hEX S is USB 2 I believe). Either of the L009 or RB5009 also seem like better choices than hEX S. I have a few of them deployed places & the hEX S is fine unit...but if you buying new, Mikrotik is strong ARM'ing folks.

I have a few HEXs boxes (2 pieces ), and they are great and versatile and they use very low power. I love them, but they don´t have the performance to be used as the primary router on my 400/200 Mbit Internet connection with CAKE queuing and with a lots of firewall rules.
Also they are missing container support & Zerotier. I used to use it as Dude server for logging and monitoring and Capsman and they do work very well for that.

https://help.mikrotik.com/docs/display/ ... chitecture

Also the HW offloaded vlan-filtering and IPsec in HW is fantastic on this little box.
The HEXs will probably have more performance for your setup if you install OpenWRT on it, which of course is unsupported.

stand corrected, as you grow older, short-sightedness gets combined with far-sightedness...