Zit Seng's Blog

A Singaporean's technology and lifestyle blog

MikroTik Routers at Home

I’ve been wanting to write about MikroTik routers for some time. These aren’t the kind of mainstream Wi-Fi routers for most consumers. However, if you’re a power user and in for some challenge to build your ultimate home network, MikroTik has some great products for you to consider.

I did post about the hAP ac briefly in 2017. That was my first MikroTik product, even though I had already considered trying out their switches and routers for some years prior to that. I now have three MikroTik routers, and have had some success influencing several network-savvy friends to get them for their homes, so I think this is about time to write a proper blog post about them.

By mainstream Wi-Fi routers, we typically think about those consumer products from the likes of ASUS, Linksys, Netgear, and TP-Link. There are also the newer generation of smart-home Wi-Fi such as the Google Nest Wi-Fi. Some people know about Ubiquiti. If you thought these are lesser mainstream networking gear for prosumers, you’re mostly right. Just know that MikroTik is far lesser mainstream, and definitely needs far more networking expertise to grapple with its prowess.

All that prowess makes it quite a problem for me to explain to most users what MikroTik routers can do. They won’t understand or appreciate these capabilities. Network professionals will understand, but they might not think they’re needed at home. A related problem is that, unfortunately, MikroTik does things in such a non-mainstream manner, vis-a-vis enterprising networking gear, that network professionals may struggle to configure a MikroTik router.

What or who is MikroTik? They are a small Latvian-based network equipment manufacturer founded in 1996. Their suite of wired and wireless products are mostly aimed at SOHO and SME networks. They are very affordably priced and are great value. (MikroTik’s website: https://mikrotik.com/)

MikroTik makes two main types of software which are standardised across their networking equipment, SwOS and RouterOS, for switching and routing devices respectively. Some products can be loaded with either software. I’m going to focus on just RouterOS, since that’s the more powerful of the two. Even some products which MikroTik markets as primarily a switch are loaded with RouterOS.

The standardisation of software, much like how Cisco has iOS, means that features and capabilities are fixed in software and mostly independent of hardware. Instead, and again like Cisco’s iOS, there is a concept of software license levels. MikroTik’s license levels, however, are fairly generous.

The default license level provided with a specific device type may make it seem like “higher-end capabilities” are only for higher-end products. But in practice, you’re likely not to find the licensing levels to be an issue.

Having features fixed to software means that, for example, cool “enterprise-y” capabilities like MPLS are standard and available across the board, regardless of whether you have a very entry-level router or a more pricey high-end SME device. However, the type of hardware may make some features irrelevant, such as a wired-only router without any radio interfaces can’t have any Wi-Fi related capabilities.

When I first saw the web management page of my hAP ac, I was totally awed by the software. It’s not about beautiful user interface design, which is quite basic, but that the suite of capabilities presented before me was very impressive.

The screenshot below is from the RB4011iGS+5HacQ2HnD-IN (photo above). At this point, I want to complain about how MikroTik names some of their products; there isn’t a simpler name for this device, and you’ve got to be careful about how you abbreviate the name, because there exists a RB4011iGS+RM, which is mostly identical but without any Wi-Fi capabilities.

I want to draw your attention to the titles in main navigation menu on the left. Some names may immediately seem intriguing, such as Mesh, MPLS, and Dot1X. You might wonder about CAPsMAN. It’s MikroTik’s Controlled Access Point system Manager, the same feature on enterprise Wi-Fi systems that allow centralisation of wireless access point control and data traffic management. I’ll circle back to CAPsMAN again later.

Remember that since these features are part of RouterOS, I have the exact same thing on the hAP ac and hAP ac2 Wi-Fi routers, even though, especially, the latter is a far lower-end device.

These main navigation titles don’t tell you more of what’s hidden beneath them. There are more gems hidden within. Take, for example, what we have after I expand the Routing menu. Do you see OSPF, OSPFv3, BGP, and others?

You won’t find OSPF routing in most consumer routers. You wouldn’t need them at home, anyway. RouterOS goes further, to even support BGP, which sometimes isn’t even available on some “enterprise-y” products. Again, while you’re likely not going to need these at home, it’s cool to know you can play with these to brush up your enterprise networking skills, or if you wanted to consider to use some of these technologies in a SME network environment.

I’ve expanded the IP menu (screenshot below) so you can peek at the breadth of IP-related features available in RouterOS. In particular, I’ve opened up the item on Hotspot. Yes, that’s right, you can configure Hotspot capabilities in RouterOS, complete with a captive portal and walled garden like Wireless@SG or MyRepublic@Starbucks (that’s Starbucks’ SSID in their Singapore outlets). Coincidentally, Starbucks, or their service provider MyRepublic, serves their hotspot through MikroTik’s RouterOS.

Looking at RouterOS’ hotspot configuration begins to hint at the immense configurability it offers. It’s not just one hotspot you can configure. You can have multiple instances, attached to different interfaces, each with different hotspot configurations. Users can be authenticated locally or against RADIUS, and you can have different profiles and policies applied to different users.

I’d still recommend WPA2 PSK for your guest Wi-Fi at home, but this could nevertheless be a fun project to try out. If you run a small business, a customised captive portal hotspot can up your customer experience.

Let me get back to some mundane network engineering topics: switching and routing. Most consumer routers offer some basic fixed configuration: there is one WAN port, typically four ports connected on a LAN switch, and simple routing between WAN and LAN. Some more advanced consumer products may support a guest VLAN, but those configurations are still very rigid.

MikroTik, you could say, gives you a blank slate to work with. Sure, there is a default configuration, and a simple (but actually not easy to understand) setup wizard, all designed to help get you started on the most common configurations. But you can change anything and everything. You can wipe out the configuration and start from scratch. The concept of a “WAN” port is merely a matter of configuration. For example, you can make any port a WAN, and you can make any number of ports to serve WAN uplinks. You can designate any port to be a switch port, or a router port. You can have trunks and access ports. You can create layer 3 interfaces out of VLANs. You can create multiple bridges, and then make virtual interfaces, such as for Wi-Fi, VPN and tunnels, attached to different bridges. You can engineer complex network topologies all within a single MikroTik router.

If you don’t understand any of these, or why you would want any of these, it’s okay; these are capabilities networking professionals work with in their enterprise networks. It’s just unusual and amazing to find them in a networking device priced to be affordable for home use. This is why it is also hard for me to explain to most consumers about MikroTik’s configurability.

Let me come back to CAPsMAN. This is about controller-based wireless systems that are common in enterprise networks. Many consumers know and perhaps already use wireless repeaters/extenders and mesh devices. At the most simplistic level, you can think of controller-based wireless systems as a sort of mesh system. The key difference is that the former can very efficiently scale to thousands of wireless access points with fast and deterministic traffic forwarding over a backhaul wired network.

CAPsMAN refers to the controller end of the controller-based wireless system. The other end, the wireless access point, is known as a CAP, or Controlled Access Point, in MikroTik’s terminology. The equivalent is a WLC or WISM, and LWAP (Lightweight Access Point), in a Cisco setup. For MikroTik, CAPsMAN and CAP are just features in RouterOS, and any MikroTik RouterOS device can be a CAPsMAN or CAP. In fact, any MikroTik RouterOS device can be both the controller and the access point at the same time.

Whether using CAPsMAN/CAP or standalone access point mode, RouterOS offers a lot of control over Wi-Fi provisioning. Supporting virtual APs for additional SSDs and access lock down by MAC address may not be uncommon on higher-end Wi-Fi routers, but have you seen access controls like in the screenshot below?

RouterOS lets you selectively control how certain MAC addresses will have AP transmission rate limits, or have their traffic switched to a different VLAN, or enforce time controls. You can also control to disconnect clients after their signal strength falls below a configurable threshold and grace time; this is useful to steer clients to another radio on the same AP, or to a different AP altogether.

For users who prefer more traditional multi-AP setups, RouterOS supports WDS Mesh. MikroTik also has their own proprietary radio protocol, though this is only supported on devices with certain Atheros chipsets, which is useful when you need to construct wireless bridges.

RouterOS’ has impressive firewall capabilities. Being built on Linux, RouterOS’ firewall features will be largely familiar to Linux users. For example, RouterOS uses firewall terminologies like “chains” for input, forward, and output traffic. Like in Linux, you can create custom chains, and “branch” to them. Rules can perform actions to add addresses to an address list for a certain time interval, and these address lists can be used in rules. So you can write something like, if, a client “knocks” on a secret port number, your firewall will then open access to the SSH port on your server for the next 1 minute. A cool feature is that address lists can use FQDN, and the names will by resolved dynamically, with periodic refreshes.

There is comprehensive NAT and and Mangle features too, not different from what you’d expect in a Linux box.

Finally, I just want to mention a few more RouterOS features which I haven’t discussed more extensively, but are worth pointing out so you know they are there. There is complete IPv6 support, with DHCPv6 clients, servers, and relays. I have configured IPv6 connectivity with StarHub, using v6 prefix delegation and router advertisement/neighbour discovery. There is support for Dynamic DNS, and also some basic parental controls. There is a built-in web proxy and SOCKS proxy. You can configure VPN servers and clients using PPP, L2TP, and OpenVPN, among others. IPsec is also available if you prefer that over other VPN options. RouterOS has built-in DNS which allows you to override any FQDN with a locally configured IP.

There are a couple of ways you can configure RouterOS. There’s the web configuration interface. It’s a basic UI, but fully functional. There’s also a command line interface, which you can access through a terminal on the web interface itself, or through SSH, or in some devices, the serial console port. The final configuration interface is via a Windows program, Winbox (screenshot below), from MikroTik themselves, which works with all MikroTik products. There are some advantages of Winbox over SSH or web, which is that it can communicate with MikroTik devices using just Ethernet, without needing working IP. This is great when you’e mucked up your IP networking, but the physical Ethernet interface is still available.

With so many good things going on for RouterOS, I should mention that it has one big problem. I had already mentioned it earlier. MikroTik is hard to configure. It’s hard to master. I find myself struggling to figure out how to make various things work with my MikroTik routers. RouterOS does things differently from both consumer and enterprise networking equipment. To make matters worse, their documentation is not great at all. There’s just not enough documentation to commensurate the amount of things you can accomplish with RouterOS. The learning curve with this one is very steep.

MikroTik has quite a varied range of products. Some are designed to be basic switches which run SwOS. Most are more capable router devices that run RouterOS. Some devices meant to be wireless antenna systems, but they are also capable devices which run RouterOS.

Many of MikroTik devices have PoE, either to be powered from it, or to deliver power, or both. You can even daisy chain PoE devices. In the below photo, for example, my hAP ac is powered by PoE, which in turn powers the attached hAP ac2 via PoE. The big brother RB4011iGS+5HacQ2HnD-IN supplies power to the hAP ac through PoE too.

The downside of their hardware is that they don’t have the most advanced and most cutting-edge Wi-Fi capabilities. For example, there is no WPA3 and no Wi-Fi 6 hardware available at this time.

Software is definitely MikroTik’s forte. If you are looking at setting up anything more advanced in your home network, MikroTik probably has the the most capable networking gear you can find at a price point that is still friendly to consumers. Just be prepared to spend some time to figure out how to get it to work.

2 thoughts on “MikroTik Routers at Home

  1. Hi Zitseng,

    Are you using Mikrotik’s firewall feature or standalone pfsense? Also, do you have any recommendations for a meshed wifi setup that allows different subnet (via VLAN) and connected to Mikrotik so I can separate my IoT devices from my home play/work network?

    1. I’m using MikroTik’s firewall. pfSense has been superseded. 🙂 Yeah, unfortunately, I’m not aware of mesh systems that do VLANs (but just supporting one extra Guest VLAN, yes).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

View Comment Policy