securid
just joined
Topic Author
Posts: 9
Joined: Fri May 12, 2023 3:38 pm

RouterOS questions

Sun Mar 16, 2025 6:13 pm

I have been trying out RouterOS in VMs and on hardware with trial and demo licenses, and I have answered a lot of my own questions already, but it's really time consuming without prior knowledge of RouterOS to figure out some of the more advanced stuff, so I hope someone can answer a few (and then some) questions.

Can RouterOS do the following:
  • Auto register DHCPv4 and v6 dynamic leases in DNS
  • Auto register DHCPv4 and v6 fixed leases in DNS
  • Run or serve different DHCPv4 and v6 scopes for different VLANs
  • Support IPv6 on WAN with track interface for LAN/VLAN interfaces, allowing each VLAN a custom delegated IPv6 prefix ID
  • Allow manual adjustment of DHCPv6 and router advertisements when setting LAN/VLAN interfaces to track WAN interface for IPv6. Namely the flags to set router advertisements to managed, assisted, or stateless, and whether or not to advertise default gateway and override DNS servers.
  • Fully configurable outbound NAT for each internal interface with protocol selection
Optionally, can it also do:
  • Support an interface ID (i.e., the numeric IPv6 interface ID used to construct the lower part of the resulting IPv6 prefix address)
  • HAProxy or similar functionality with SNI support, for public and private (internal) domains. Terminate and passthrough options for SSL/TLS would be required if it does.
  • Aliases for configuring firewall rules (with single alias supporting multiple objects)?
  • DNSSEC and DNS64
  • DNS over HTTPS and DNS over TLS
  • DNS blocklists (DNSBL) with whitelist override support
  • Split horizon DNS
  • NAT reflection
  • NAT on LAN/internal interfaces? Mainly to catch and redirect hardcoded DNS and NTP servers from clients to local services
I have been eyeing the CCR2004-1G-12S+2XS. I have 1Gbps fiber internet, which will be upgraded to 4Gbps later this year. I use 2 Ubiquiti Unifi EnterpriseXG switches (24 x 10G ports copper, 2 x SFP28). The firewall is running OPNsense, which you might have guessed from my questions. I run WireGuard to another site, mainly for storing offsite backups. I use WireGuard to get into my home when I am outside. Having said that, the current hardware for OPNsense is too slow to use 1Gbps, let alone the 4Gbps once upgraded.

Are there any known compatibility issues between MikroTik SFP, SFP+ or SFP28 ports and Ubiquiti?

The downside of this model is that I would require a handful of S+RJ10 modules, which nearly doubles the purchase cost. I have a couple lying around, but I hear / read MikroTik can be finicky with cheap stuff (same with Ubiquiti, hence I have them lying around).

Love to hear from you.
Thanks in advance!
 
CGGXANNX
Long time Member
Posts: 530
Joined: Thu Dec 21, 2023 6:45 pm

Re: RouterOS questions

Mon Mar 17, 2025 11:03 am

Can RouterOS do the following:
  • Auto register DHCPv4 and v6 dynamic leases in DNS
  • Auto register DHCPv4 and v6 fixed leases in DNS

Currently it's possible with DHCPv4, but you need to write a script and execute it with the "lease-script" property of the DHCPv4 server instance, and add the host to static DNS yourself (it's not simply checking a checkbox). For DHCPv6 server there is no lease-script hook yet.

  • Run or serve different DHCPv4 and v6 scopes for different VLANs

Yes.

  • Support IPv6 on WAN with track interface for LAN/VLAN interfaces, allowing each VLAN a custom delegated IPv6 prefix ID

Yes, if WAN prefix was obtained with DHCPv6 PD.

  • Allow manual adjustment of DHCPv6 and router advertisements when setting LAN/VLAN interfaces to track WAN interface for IPv6. Namely the flags to set router advertisements to managed, assisted, or stateless, and whether or not to advertise default gateway and override DNS servers.
  • Fully configurable outbound NAT for each internal interface with protocol selection

Yes.

Optionally, can it also do:
  • Support an interface ID (i.e., the numeric IPv6 interface ID used to construct the lower part of the resulting IPv6 prefix address)

Currently you cannot specify the lower part of the prefix. If you allocate /64 prefixes from a /56 pool and assign them to interfaces, then they will get incrementing values for the 8 lower bits, and the assigned value might change each time you make edits to the interface (you have no control).

  • HAProxy or similar functionality with SNI support, for public and private (internal) domains. Terminate and passthrough options for SSL/TLS would be required if it does.

You can run containers.

Optionally, can it also do:
  • Aliases for configuring firewall rules (with single alias supporting multiple objects)?
  • NAT reflection
  • NAT on LAN/internal interfaces? Mainly to catch and redirect hardcoded DNS and NTP servers from clients to local services

Yes.

  • DNSSEC and DNS64
  • Split horizon DNS

No. But you can run AdGuard Home or something similar in containers.

  • DNS over HTTPS and DNS over TLS

The router can act as a client for DoH, but not for DoT and not as a server (only a server for plain DNS53). But you can run something like AdGuard Home in containers.

  • DNS blocklists (DNSBL) with whitelist override support

There is the Adlist feature, or you can install AdGuard Home or Pi-hole or something like that in containers.

I am unable to answer the hardware compatibility questions.
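
A sketch of the lease-script approach described in the answer above, as an added example that is not part of the original post or written by its author. `leaseBound`, `leaseServerName`, `leaseActMAC`, `leaseActIP` and `lease-hostname` are the variables RouterOS passes to a DHCPv4 lease-script; the zone `lan.example` and the `dhcp-auto:` comment tag are assumptions. Because the hostname is supplied by the client, the script validates it and refuses to shadow an existing static record.

```routeros
# Added example: set as the lease-script of a DHCPv4 server instance.
# Assumed names: zone "lan.example", comment tag prefix "dhcp-auto:".
:local zone "lan.example"
:local tag ("dhcp-auto:" . $leaseServerName . ":" . $leaseActMAC)
:local host $"lease-hostname"
:local allowed "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-"

# Remove whatever this script registered earlier for the same MAC.
# Runs on both bind and release, so stale names do not linger.
/ip dns static remove [find comment=$tag]

:if ($leaseBound = "1") do={
  # Client-supplied hostname: accept only 1..63 characters from [A-Za-z0-9-].
  :local ok (([:len $host] > 0) && ([:len $host] <= 63))
  :if ($ok) do={
    :for i from=0 to=([:len $host] - 1) do={
      :if ([:typeof [:find $allowed [:pick $host $i]]] = "nil") do={
        :set ok false
      }
    }
  }
  :local fqdn ($host . "." . $zone)
  # Never override a record that already exists (manual entries or a name
  # another client holds), so a client cannot claim an internal service name.
  :if ($ok && ([:len [/ip dns static find name=$fqdn]] = 0)) do={
    /ip dns static add name=$fqdn address=$leaseActIP ttl=5m comment=$tag
  } else={
    # Log the MAC only; the raw hostname is untrusted input.
    :log warning ("dhcp-dns: skipped hostname from " . $leaseActMAC)
  }
}
```

Only records carrying this script's comment tag are ever removed, so manually created static DNS entries are left untouched.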
 
securid
just joined
Topic Author
Posts: 9
Joined: Fri May 12, 2023 3:38 pm

Re: RouterOS questions

Mon Mar 17, 2025 7:10 pm

...

Thanks so much!

I had found a couple of answers myself too, but the ability to run containers on ARM appliances I was unaware of. Learning this and the scripting ability makes this a killer.

I expect the device to be finicky with transponders; I honestly don't expect issues connecting to Ubiquiti.

I ordered the CCR2004-1G-12S+2XS. If it arrives this week I'll take a day or two off to learn and configure it.

I can't wait :D .
 
kalamaja
Member Candidate
Posts: 120
Joined: Wed May 23, 2018 3:13 pm

Re: RouterOS questions

Mon Mar 17, 2025 7:25 pm

Some of your wishes can be done using these scripts: https://github.com/eworm-de/routeros-scripts

Others maybe using containers etc.
 
jaclaz
Forum Guru
Posts: 2648
Joined: Tue Oct 03, 2023 4:21 pm

Re: RouterOS questions

Mon Mar 17, 2025 7:43 pm

I ordered the CCR2004-1G-12S+2XS. If it arrives this week I'll take a day or two off to learn and configure it.

I can't wait :D .
You are an optimist (which is good) :) .

But unless you are part of the Matrix and can upload "Mikrotik fu" those will likely be very looooooong days.
 
securid
just joined
Topic Author
Posts: 9
Joined: Fri May 12, 2023 3:38 pm

Re: RouterOS questions

Thu Mar 20, 2025 3:39 pm

You are an optimist (which is good) :) .

But unless you are part of the Matrix and can upload "Mikrotik fu" those will likely be very looooooong days.
It's up and running 8) .

There's a lot more to do but it's not that difficult once you understand the command structure.

One thing I am really bummed out about is that while technically possible, it's practically impossible to run containers on this device. Nothing I read and no advice mentioned that some routers have very limited storage and cannot be expanded. It's a real shame that such a high end device would not have a storage expansion option. This means no Pi-hole or HAProxy. That's a real bummer.
 
ConradPino
Member
Posts: 481
Joined: Sat Jan 21, 2023 12:44 pm
Location: San Francisco Bay

Re: RouterOS questions

Thu Mar 20, 2025 3:53 pm

The ROSE-storage package supports network mounts potentially useful for container storage. Just a suggestion that I haven't tried myself.
 
securid
just joined
Topic Author
Posts: 9
Joined: Fri May 12, 2023 3:38 pm

Re: RouterOS questions

Fri Mar 21, 2025 1:49 pm

The ROSE-storage package supports network mounts potentially useful for container storage. Just a suggestion that I haven't tried myself.
Thanks for the suggestion. It's not practical for my setup. It creates multiple dependencies on other devices that might go down (i.e., switches and fileserver). Might as well just set up a separate Pi-hole. That would also create a dependency but can go down without possibly corrupting files or even filesystems.