eduncan911
just joined
Topic Author
Posts: 9
Joined: Fri Nov 30, 2018 8:36 pm

Does RouterOS have all functionality of SwOS?

Mon Dec 03, 2018 2:23 am

Does RouterOS have the same switching/VLAN/LAG/PoE+/SFP+ functionality as SwOS?

Can it all be completely controlled via SSH?

/TL;DR

I am about to purchase CRS328-24P-4S+RM switch which comes with a RouterOS Level 5 license. I have no use for the router portions though, and the CPU is quite low-powered for what I'd use it for anyways.

I am very interested in using the device with the following:

* 5-7x PoE+ devices
* 2x LAG ports across 3x devices w/PoE+ (3x Unifi UAP-AC-HD)
* 4x VLANs across ~16 1Gbps Ports
* 3x SFP+ connections to various server/desktop/laptop

However, I just found out that SwOS does not have a CLI - and I will be scripting almost everything I do especially around SSL certificates and SSH keys.

So now I am looking into RouterOS, which seems awesome. However, I am trying to find information about the switching parts. Maybe someone can point me in the right direction?
 
vecernik87
Long time Member
Posts: 648
Joined: Fri Nov 10, 2017 8:19 am

Re: Does RouterOS have all functionality of SwOS?

Mon Dec 03, 2018 3:56 am

> Does RouterOS have the same switching/VLAN/LAG/PoE+/SFP+ functionality as SwOS?
Yes, RouterOS has all functionality of SwOS, however some functions may be a bit more complicated to set up (typically VLANs in the bridge are a pain in the a** until you fully understand how it works in RouterOS). That is not really unexpected as RouterOS has significantly more functions than simple SwOS and the settings can't be so simple.

> Can it all be completely controlled via SSH?
Absolutely! Actually, some functions are available only via CLI and not via GUI.

Definitely worth reading through https://wiki.mikrotik.com/wiki/Manual:C ... s_switches. In your case, especially the "Bonding" (LAG) section will be interesting as it mentions that only 802.3ad and balance-xor bonding modes are hardware offloaded, other bonding modes will use the CPU's resources.
Some other (more general) info about using switch functions in RouterOS may be found here as well: https://wiki.mikrotik.com/wiki/Manual:S ... p_Features and https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge. Since in more recent versions of RouterOS almost all bridge functionality is hw-offloaded to the switch, you usually don't even need to access the switch menu directly.

Keep in mind that RouterOS will automatically forward IP (L3) packets between interfaces if there is a suitable route (which may be created automatically if you assign an IP to a particular interface). If you want to use your device purely as a switch, it may be useful to completely disable IP forwarding:
/ip settings set ip-forward=no

Also keep in mind that only a single bridge can be hw-offloaded! If you create more bridges (for example for different VLANs or for port isolation because it may look easier), only one bridge can be HW offloaded while the rest will go through the CPU, which will greatly decrease the performance. Both VLANs and port isolation can be set up in the bridge port settings, therefore it is not needed to create multiple bridges.

I cannot advise on setting up LAG with the UAP-AC-HD as I don't have this particular model anywhere around. I've got a few UAP-AC-PRO which are similar but apparently lack the LAG functionality. Hopefully someone else will share knowledge about this.

Anyway, I have a bit of an awkward question - if you have UniFi APs, is there some particular reason why you want to use a Mikrotik CRS instead of a UniFi switch?
 
eduncan911
just joined
Topic Author
Posts: 9
Joined: Fri Nov 30, 2018 8:36 pm

Re: Does RouterOS have all functionality of SwOS?  [SOLVED]

Mon Dec 03, 2018 10:48 am

> Yes, RouterOS has all functionality of SwOS, however some functions may be a bit more complicated to set up (typically VLANs in the bridge are a pain in the a** until you fully understand how it works in RouterOS). That is not really unexpected as RouterOS has significantly more functions than simple SwOS and the settings can't be so simple.
Thank you!
> Absolutely! Actually, some functions are available only via CLI and not via GUI.
> Definitely worth reading through https://wiki.mikrotik.com/wiki/Manual:C ... s_switches. In your case, especially the "Bonding" (LAG) section will be interesting as it mentions that only 802.3ad and balance-xor bonding modes are hardware offloaded, other bonding modes will use the CPU's resources.
I just found that like 5 minutes before I read this reply. :)

Been trying to find out what spec the UAP-AC-HDs use for bonding/LAG, as they are short on those specifications. The only info I could find was in this review:
> The UniFi AP AC HD features two Gigabit Ethernet ports. The second port can either be used as a bridge for connecting other un-powered network devices or can be used as a secondary connection for 802.3ad based link aggregation.
So according to that, it sounds like it is routed through the ASIC chip (hardware offloaded).

Is there a way I can confirm such a thing once I have it all connected, configured and working?
> Keep in mind that RouterOS will automatically forward IP (L3) packets between interfaces if there is a suitable route (which may be created automatically if you assign an IP to a particular interface). If you want to use your device purely as a switch, it may be useful to completely disable IP forwarding:
> /ip settings set ip-forward=no
Awesome, thanks for the tip! Will do!
> Anyway, I have a bit of an awkward question - if you have UniFi APs, is there some particular reason why you want to use a Mikrotik CRS instead of a UniFi switch?
Ah, welcome to my sleepless nights of late. :) Like, seriously.. It's 3:21 AM here as I write this and the kids get up in 3 hours.

In short...

* Unless I am reading wrong, all UniFi switches are all 1Gbps SFP except the big 48-port beasts - with only 2x 10 Gbps SFP+ and 2x SFP (the Mikrotik is 4x 10Gbps SFP+)
* The Mikrotik is cheaper (~$320) than the closest comparison, the ($400) US-24-250W. Though price isn't everything, it's those 4x 10Gbps ports I want on the Mikrotik (see below)
* The Mikrotik seems to be a lot quieter than the UniFi PoE+ 24 port (I have no problem replacing fans though)
* I'm building my own segmented/security-by-isolation router, which already leaves a big hole in the UniFi controller software

The final reason, and the device that introduced me to Mikrotik in the first place, is the announced CRS312-4C-8XG that I am anxiously waiting for. I have 3x 10GBase-T devices just waiting to plug into it today (server, desktop and laptop's usb-c docking station), and could easily expand that to 5 with a few more Cat 6e drops in the crawlspace. However, it was announced back in March 2018 - almost a year ago?! Is this the normal pace for taking so long?

I would still highly prefer to go UniFi switches to keep it, well, unified with a single pane of glass. However, their lack of 10 Gbps ports (nor 10GBase-T RJ45 ports) on anything lower than $600, and previous tech support posts stating the power draw is too great on RJ45 10GBase-T to even think about a switch and most likely would never happen (hello, CRS312-4C-8XG anyone?), steers me away from UniFi - and into the arms of Mikrotik. :)
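The following is an added RouterOS CLI example, not configuration from either poster, that puts vecernik87's advice into one script: a single bridge (so it stays hardware-offloaded), VLAN filtering done in the bridge port/VLAN tables rather than with one bridge per VLAN, one 802.3ad LAG, and IP forwarding disabled. It also includes the check eduncan911 asked about, since the bridge port listing flags each offloaded port. Port names (ether1 as the trunk to the router, ether2/ether3 bonded to one AP, ether10 as an access port), the interface names bridge1/bond-ap1, and VLAN 10 as the management VLAN are assumptions for the example.

```routeros
# Added example (not from the thread). Assumed port roles:
#   ether1         trunk to the router, all four VLANs tagged
#   ether2+ether3  802.3ad LAG to one AP
#   ether10        untagged access port in VLAN 20
# VLAN 10 is assumed to be the management VLAN.

# One bridge only: a second bridge would fall back to CPU forwarding.
/interface bridge
add name=bridge1 vlan-filtering=no comment="single hw-offloaded bridge"

# 802.3ad is one of the two bonding modes the switch chip offloads.
/interface bonding
add name=bond-ap1 mode=802.3ad slaves=ether2,ether3 \
    transmit-hash-policy=layer-2-and-3 lacp-rate=30secs

# VLAN membership is configured per bridge port, not per bridge.
/interface bridge port
add bridge=bridge1 interface=ether1 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge1 interface=bond-ap1 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether10 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# bridge1 itself is a tagged member of VLAN 10 so the switch stays reachable
# for management once filtering is on.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether1,bond-ap1
add bridge=bridge1 vlan-ids=20 tagged=ether1,bond-ap1 untagged=ether10
add bridge=bridge1 vlan-ids=30,40 tagged=ether1,bond-ap1

# Turn filtering on last, after the VLAN table is complete.
/interface bridge set bridge1 vlan-filtering=yes

# Pure L2 switch: never route between interfaces, even if they get an IP.
/ip settings set ip-forward=no

# Check: each port line carries an "H" flag when it is hardware-offloaded.
/interface bridge port print
```

If any port in the listing lacks the H flag, the traffic on that port is being switched by the CPU and the configuration needs to be revisited before relying on it for the 10 Gbps links.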
 
eduncan911
just joined
Topic Author
Posts: 9
Joined: Fri Nov 30, 2018 8:36 pm

Re: Does RouterOS have all functionality of SwOS?

Mon Dec 03, 2018 11:16 am

> Also keep in mind that only a single bridge can be hw-offloaded! If you create more bridges (for example for different VLANs or for port isolation because it may look easier), only one bridge can be HW offloaded while the rest will go through the CPU, which will greatly decrease the performance. Both VLANs and port isolation can be set up in the bridge port settings, therefore it is not needed to create multiple bridges.
So, I saved this for a separate reply (maybe it should be another post?)... This has me a bit concerned.

I have a little knowledge about what a bridge is, but will admit it's still new to me. Let me explain my simple setup, which I think I only need a single bridge for?

Router currently only has a single port on it, was planning on plugging it into Port 1 on the switch as a trunk with TAGGED VLAN10, VLAN20, VLAN30 and VLAN40.

In short, I am following the QubesOS mode of security-by-isolation and keeping every component isolated from the rest of the system within the router (it's an UP Squared board w/4-core Pentium 2.5 Ghz and 8 GB ram). DNSMasq w/DHCP, OpenVPN, firewall and NICs are all isolated in individual domUs (VMs) within Xen. If one gets compromised, it doesn't compromise the entire system (e.g. if openvpn gets exploited, they can't frack with my firewall to open ports). With Xen, the concept I am following is to set up a single Bridged device. This should allow DHCP requests for all four VLANs to be answered by my DNSMasq domU, while on the same network. The other devices I could segment into additional bridges.

The idea was to run a single bridge within the Xen backend to allow DHCP requests for all 4 VLANs to be served by my dnsmasq domU, all routed through the firewall domU internally to the router. My plan was to control traffic flow within the router's Firewall domU. I think I would be bottlenecked across VLANs, with all traffic going over the 1 Gbps connection for in and out. But I think that's fine. However, I am open to switching options if there is any?

Do note that I do have an option of building another router device with 4x 1Gbps ports - one external, and 3 internal with the same specs. So I could tag traffic across 3 of those 1Gbps ports, and connect them to 3 ports within the switch if that makes it easier.

As far as bandwidth-across-firewall-and-VLANs go: the only high-bandwidth connection I can think of would be the Chromecast devices streaming 4K from my plex box. That can get up to 50 Mbps a sec, and across maybe 2 devices max at a time - that's 100 Mbps. That's about the max connection. (Chromecast is considered an IoT device, and therefore deemed Untrusted on my network. Hence why it would be on my Untrusted IoT VLAN, separate from my Trusted Server VLAN)

Lastly, the switch itself and only one bridge: I think that's fine? Correct me if I am wrong, but I would have just 1 bridge for the single 1 Gbps port coming in on port 1 - and all VLAN tagged traffic within the switch connected to that one bridge? Aka "trunk"? I think if I was to use the 3x 1Gbps port device, to connect to 3x ports on the switch for different VLANs, is where I would run into trouble by needing multiple bridges for each VLAN on different ports? As long as I am running a single 1 Gbps connection from the router to the switch, I only need a single bridge?
