I’ve been wanting to write about MikroTik routers for some time. These aren’t the kind of mainstream Wi-Fi routers for most consumers. However, if you’re a power user and in for some challenge to build your ultimate home network, MikroTik has some great products for you to consider.
I did post about the hAP ac briefly in 2017. That was my first MikroTik product, even though I had already considered trying out their switches and routers for some years prior to that. I now have three MikroTik routers, and have had some success influencing several network-savvy friends to get them for their homes, so I think this is about time to write a proper blog post about them.
By mainstream Wi-Fi routers, we typically think about those consumer products from the likes of ASUS, Linksys, Netgear, and TP-Link. There are also the newer generation of smart-home Wi-Fi such as the Google Nest Wi-Fi. Some people know about Ubiquiti. If you thought these are lesser mainstream networking gear for prosumers, you’re mostly right. Just know that MikroTik is far lesser mainstream, and definitely needs far more networking expertise to grapple with its prowess.
All that prowess makes it quite a problem for me to explain to most users what MikroTik routers can do. They won’t understand or appreciate these capabilities. Network professionals will understand, but they might not think they’re needed at home. A related problem is that, unfortunately, MikroTik does things in such a non-mainstream manner, vis-a-vis enterprising networking gear, that network professionals may struggle to configure a MikroTik router.
What or who is MikroTik? They are a small Latvian-based network equipment manufacturer founded in 1996. Their suite of wired and wireless products are mostly aimed at SOHO and SME networks. They are very affordably priced and are great value. (MikroTik’s website: https://mikrotik.com/)
MikroTik makes two main types of software which are standardised across their networking equipment, SwOS and RouterOS, for switching and routing devices respectively. Some products can be loaded with either software. I’m going to focus on just RouterOS, since that’s the more powerful of the two. Even some products which MikroTik markets as primarily a switch are loaded with RouterOS.
The standardisation of software, much like how Cisco has IOS, means that features and capabilities are fixed in software and mostly independent of hardware. Instead, and again like Cisco’s IOS, there is a concept of software license levels. MikroTik’s license levels, however, are fairly generous.
The default license level provided with a specific device type may make it seem like “higher-end capabilities” are only for higher-end products. But in practice, you’re likely not to find the licensing levels to be an issue.
Having features fixed to software means that, for example, cool “enterprise-y” capabilities like MPLS are standard and available across the board, regardless of whether you have a very entry-level router or a more pricey high-end SME device. However, the type of hardware may make some features irrelevant, such as a wired-only router without any radio interfaces can’t have any Wi-Fi related capabilities.
When I first saw the web management page of my hAP ac, I was totally awed by the software. It’s not about beautiful user interface design, which is quite basic, but that the suite of capabilities presented before me was very impressive.
The screenshot below is from the RB4011iGS+5HacQ2HnD-IN (photo above). At this point, I want to complain about how MikroTik names some of their products; there isn’t a simpler name for this device, and you’ve got to be careful about how you abbreviate the name, because there exists a RB4011iGS+RM, which is mostly identical but without any Wi-Fi capabilities.
I want to draw your attention to the titles in main navigation menu on the left. Some names may immediately seem intriguing, such as Mesh, MPLS, and Dot1X. You might wonder about CAPsMAN. It’s MikroTik’s Controlled Access Point system Manager, the same feature on enterprise Wi-Fi systems that allow centralisation of wireless access point control and data traffic management. I’ll circle back to CAPsMAN again later.
Remember that since these features are part of RouterOS, I have the exact same thing on the hAP ac and hAP ac2 Wi-Fi routers, even though, especially, the latter is a far lower-end device.
These main navigation titles don’t tell you more of what’s hidden beneath them. There are more gems hidden within. Take, for example, what we have after I expand the Routing menu. Do you see OSPF, OSPFv3, BGP, and others?
You won’t find OSPF routing in most consumer routers. You wouldn’t need them at home, anyway. RouterOS goes further, to even support BGP, which sometimes isn’t even available on some “enterprise-y” products. Again, while you’re likely not going to need these at home, it’s cool to know you can play with these to brush up your enterprise networking skills, or if you wanted to consider to use some of these technologies in a SME network environment.
I’ve expanded the IP menu (screenshot below) so you can peek at the breadth of IP-related features available in RouterOS. In particular, I’ve opened up the item on Hotspot. Yes, that’s right, you can configure Hotspot capabilities in RouterOS, complete with a captive portal and walled garden like Wireless@SG or MyRepublic@Starbucks (that’s Starbucks’ SSID in their Singapore outlets). Coincidentally, Starbucks, or their service provider MyRepublic, serves their hotspots through MikroTik’s RouterOS.
Looking at RouterOS’ hotspot configuration begins to hint at the immense configurability it offers. It’s not just one hotspot you can configure. You can have multiple instances, attached to different interfaces, each with different hotspot configurations. Users can be authenticated locally or against RADIUS, and you can have different profiles and policies applied to different users.
I’d still recommend WPA2 PSK for your guest Wi-Fi at home, but this could nevertheless be a fun project to try out. If you run a small business, a customised captive portal hotspot can up your customer experience.
Let me get back to some mundane network engineering topics: switching and routing. Most consumer routers offer some basic fixed configuration: there is one WAN port, typically four ports connected on a LAN switch, and simple routing between WAN and LAN. Some more advanced consumer products may support a guest VLAN, but those configurations are still very rigid.
MikroTik, you could say, gives you a blank slate to work with. Sure, there is a default configuration, and a simple (but actually not easy to understand) setup wizard, all designed to help get you started on the most common configurations. But you can change anything and everything. You can wipe out the configuration and start from scratch. The concept of a “WAN” port is merely a matter of configuration. For example, you can make any port a WAN, and you can use any number of ports to serve as WAN uplinks. You can designate any port to be a switch port, or a router port. You can have trunks and access ports. You can create layer 3 interfaces out of VLANs. You can create multiple bridges, and then make virtual interfaces, such as for Wi-Fi, VPN and tunnels, attached to different bridges. You can engineer complex network topologies all within a single MikroTik router.
If you don’t understand any of these, or why you would want any of these, it’s okay; these are capabilities networking professionals work with in their enterprise networks. It’s just unusual and amazing to find them in a networking device priced to be affordable for home use. This is why it is also hard for me to explain to most consumers about MikroTik’s configurability.
Let me come back to CAPsMAN. This is about controller-based wireless systems that are common in enterprise networks. Many consumers know and perhaps already use wireless repeaters/extenders and mesh devices. At the most simplistic level, you can think of controller-based wireless systems as a sort of mesh system. The key difference is that the former can very efficiently scale to thousands of wireless access points with fast and deterministic traffic forwarding over a backhaul wired network.
CAPsMAN refers to the controller end of the controller-based wireless system. The other end, the wireless access point, is known as a CAP, or Controlled Access Point, in MikroTik’s terminology. The equivalent is a WLC or WISM, and LWAP (Lightweight Access Point), in a Cisco setup. For MikroTik, CAPsMAN and CAP are just features in RouterOS, and any MikroTik RouterOS device can be a CAPsMAN or CAP. In fact, any MikroTik RouterOS device can be both the controller and the access point at the same time.
Whether using CAPsMAN/CAP or standalone access point mode, RouterOS offers a lot of control over Wi-Fi provisioning. Supporting virtual APs for additional SSDs and access lock down by MAC address may not be uncommon on higher-end Wi-Fi routers, but have you seen access controls like in the screenshot below?
RouterOS lets you selectively control how certain MAC addresses will have AP transmission rate limits, or have their traffic switched to a different VLAN, or enforce time controls. You can also control to disconnect clients after their signal strength falls below a configurable threshold and grace time; this is useful to steer clients to another radio on the same AP, or to a different AP altogether.
For users who prefer more traditional multi-AP setups, RouterOS supports WDS Mesh. MikroTik also has their own proprietary radio protocol, though this is only supported on devices with certain Atheros chipsets, which is useful when you need to construct wireless bridges.
RouterOS’ has impressive firewall capabilities. Being built on Linux, RouterOS’ firewall features will be largely familiar to Linux users. For example, RouterOS uses firewall terminologies like “chains” for input, forward, and output traffic. Like in Linux, you can create custom chains, and “branch” to them. Rules can perform actions to add addresses to an address list for a certain time interval, and these address lists can be used in rules. So you can write something like, if, a client “knocks” on a secret port number, your firewall will then open access to the SSH port on your server for the next 1 minute. A cool feature is that address lists can use FQDN, and the names will by resolved dynamically, with periodic refreshes.
There is comprehensive NAT and and Mangle features too, not different from what you’d expect in a Linux box.
Finally, I just want to mention a few more RouterOS features which I haven’t discussed more extensively, but are worth pointing out so you know they are there. There is complete IPv6 support, with DHCPv6 clients, servers, and relays. I have configured IPv6 connectivity with StarHub, using v6 prefix delegation and router advertisement/neighbour discovery. There is support for Dynamic DNS, and also some basic parental controls. There is a built-in web proxy and SOCKS proxy. You can configure VPN servers and clients using PPP, L2TP, and OpenVPN, among others. IPsec is also available if you prefer that over other VPN options. RouterOS has built-in DNS which allows you to override any FQDN with a locally configured IP.
There are a couple of ways you can configure RouterOS. There’s the web configuration interface. It’s a basic UI, but fully functional. There’s also a command line interface, which you can access through a terminal on the web interface itself, or through SSH, or in some devices, the serial console port. The final configuration interface is via a Windows program, Winbox (screenshot below), from MikroTik themselves, which works with all MikroTik products. There are some advantages of Winbox over SSH or web, which is that it can communicate with MikroTik devices using just Ethernet, without needing working IP. This is great when you’e mucked up your IP networking, but the physical Ethernet interface is still available.
With so many good things going on for RouterOS, I should mention that it has one big problem. I had already mentioned it earlier. MikroTik is hard to configure. It’s hard to master. I find myself struggling to figure out how to make various things work with my MikroTik routers. RouterOS does things differently from both consumer and enterprise networking equipment. To make matters worse, their documentation is not great at all. There’s just not enough documentation to commensurate the amount of things you can accomplish with RouterOS. The learning curve with this one is very steep.
MikroTik has quite a varied range of products. Some are designed to be basic switches which run SwOS. Most are more capable router devices that run RouterOS. Some devices meant to be wireless antenna systems, but they are also capable devices which run RouterOS.
Many of MikroTik devices have PoE, either to be powered from it, or to deliver power, or both. You can even daisy chain PoE devices. In the below photo, for example, my hAP ac is powered by PoE, which in turn powers the attached hAP ac2 via PoE. The big brother RB4011iGS+5HacQ2HnD-IN supplies power to the hAP ac through PoE too.
The downside of their hardware is that they don’t have the most advanced and most cutting-edge Wi-Fi capabilities. For example, there is no WPA3 and no Wi-Fi 6 hardware available at this time.
Software is definitely MikroTik’s forte. If you are looking at setting up anything more advanced in your home network, MikroTik probably has the the most capable networking gear you can find at a price point that is still friendly to consumers. Just be prepared to spend some time to figure out how to get it to work.
Hi Zitseng,
Are you using Mikrotik’s firewall feature or standalone pfsense? Also, do you have any recommendations for a meshed wifi setup that allows different subnet (via VLAN) and connected to Mikrotik so I can separate my IoT devices from my home play/work network?
I’m using MikroTik’s firewall. pfSense has been superseded. 🙂 Yeah, unfortunately, I’m not aware of mesh systems that do VLANs (but just supporting one extra Guest VLAN, yes).
I have not seen anyone using “Mesh” menu in MikroTik or perhaps no one know what is it? 🙂
The capabilities of the MikroTik range are awesome; the documentation is abysmal. Far too often there’s just a list of unexplained things to type. They desperately need to employ a native English speaking Technical Author to produce some coherent explanations of the products.
good so far mi like it
Happened to come across your site when I am looking at some Mikrotik stuff. I had been using their product for a long time. I started off with RB450G some years back and then use x86 + hAP. Now I am using CHR on vShpere (passthrough NIC) + hAP for my home setup. It is definitely a prosumer to professional products that not many people appreciate.
Good to know someone in SG uses it. I seldom see people discuss about it in HWZ or last time VRzone. Perhaps we can be friends to share more about use cases and configurations. Drop me an email and lets keep in touch.
Finally a great review/writeup about Mikrotik. Well done!
We use Mikrotik CapsMan for hotel’s deployments (guest WiFi) in UK; Mikrotik allowed us to start a business from scratch with a minimal investment.
We now support 16 hotels (in less than 2 yrs), the biggest being 330 bedrooms/ 100 AP’s and 9 different comms rooms.
Although their AP’s aren’t great (from HW prospective) they still do the job, you just need to install more than if you had Ruckus AP’s for example. The level of configuration is virtually endless; the limit is your fantasy and skills.
One final thought about “ease-of-use”: Yes they are annoyingly counterintuitive.
You either hate or love them. But once you master RouterOS (good that the cli structure is the same as the GUI one) everything else will look feature-missing.
Ubiquiti with their nice-looking free sw controller made WiFi “easy”; suddenly every cowboy become a WiFi expert and start deploying WLANs here and there. Mikrotik IS DIFFICULT and they don’t intend to change it. But in this way (this is my opinion) there is a natural selection, only committed and skilled people can deploy Mikrotik.
any issues with 1gbps on our local internet? tried dual wan? will netflow slow down the 1gbps ? as far as I know edgemax will disable hardware offload. does this happen to this mikrotik?
Heh ok so a quick summary: 1Gbps is fine, netflow seems to have no noticeable impact. I had dual WAN long ago on pfSense but not with MikroTik. However given the immense configuration flexibility, I expect it will accomplish most needs (e.g. active/standby, dual-active load balancing).
Hi Zit Seng, hoping that I will get to hear back from you via email if time allows for a quick correspondence.
FYI, I came across your blogspot as I was looking into Mikrotik and EdgeRouter models, i.e. RB4011iGS-RM and ER-10X/ER-12 as possible consideration to change my ISP supplied TP Link router for the house. Looking for something with gigabit ports (need 1 for WAN and 9 for LAN connected devices).
Certainly a novice here when it comes to network knowledge; not a Network or Software Engr. but a regular Mech Engr. I am worried that RouterOS GUI can be very overwhelming for someone like me where I may end up under utilizing it’s true software and hardware capability. On the other hand EdgeRouter’s GUI comes across more user friendly. Besides OS interface, also want to get value for the buck in choosing something that is fit for purpose based on my home network need and maybe future proof if and when I upgrade my ISP plan.
Hope to hear from you via email. Thanks.
Ok quick reply here. Certainly if you just want it to work “simply”, EdgeRouter is the way to go. MikroTik requires some patience and perseverance because it is so unique: not like Cisco, and though it draws upon some Linux concepts, it is really not the same. So a person fairly experienced with both Cisco and Linux still finds it hard to figure out.
Hi Zit Seng,
great article, I enjoyed the read and you’re absolutely correct about the steep learning curve of the MikroTik RouterOS. Even for seasoned network engineers it is a struggle to configure MikroTik as it is unlike any other. The price is unbeatable, but without experience it takes a long time to understand the configuration.
Hi read Zit Seng’s writeup on mikrotik a couple of years back and plunged in into their world of CCR Routers. Before i was using Asus RT-AC88U router wired up to my entire house as well as wifi. Added bridging to tighten up things but after a while things got pretty slowed down and sometimes unstable.
The steep learning curve is quite a put-off but nonetheless configured the necessary steps and eversince my entire home network is so damn stable. You can game at the game lab, zoom on work lab, watch online movies, whilst NAS and my proxmox runs happily…. and the best thing is CPU is less than 1% and RAM is also kept low. My other switches are Ubiquiti Unifi and AC, looking to do Vlans on them in time to come.