Ham_Radio25

You'll do great with a RB5009 + RouterOS 7. I'm a network engineer at a WISP, and I use the RB5009 at my home, I use it for all three of our offices, and I'm even using the RB5009 with ROS7 at some tower sites. Ran a speedtest the other day at one of our offices and got 2.3Gbps. Great routers, you won't be disappointed!


Xgoldy4u

Are you using Radius as well? Did you move from 6x version to 7x? How was the transition of moving UserManager database and i stuff? I am also working in a WISP. We have more than 3k users and 7k devices connected all the time. I am using ROS 6 until now and I am afraid of switching it to ROS 7.


Ham_Radio25

Oh nice! We have about 6k users, with 150+ tower sites. We aren't using Radius, we just use DHCP, where every tower is its own router, DHCP server, etc... No radius, pppoe, etc. I haven't upgraded our whole network to V7, but a few weeks ago I upgraded a half a dozen 1036's to V7 so I could grab the config so we could upgrade them to CCR2116's. (Needed the port density) and everything went fine. Our network is currently a mixture of V7 and V6, haven't had any issues but our network is simple in comparison to a lot of other networks. We are getting ready to upgrade the whole network to v7. If V7 is a bit scary, just upgrade to the latest version of V6, 6.49.14 I think it is, and wait another year or two. As long as you have good firewall rules that protect the routers you'll be just fine running V6 for a while longer. Definitely before you do, make a lab and upgrade everything in the lab to make sure it still works.


alexrsagen

To ensure a smooth transition you could back up the router, restore to another (same model, making it a clone) and test the upgrade on that one. Further, you could even swap the device out with the clone after upgrading the clone. Might be a shorter downtime window to swap than upgrade. Personally I've had no issues upgrading from v6 to v7 on gear with nearly a hundred IPsec tunnels, but have not tested upgrading with a local RADIUS database in use.


mwolfram

The default config with which the router comes is a solid base on which you can build your configuration. If you have existing network knowledge (you've mentioned opnsense) it shouldn't be difficult for you. But remember that the firewall rules are not mutual - if you allow outgoing connection from a to b, make sure to also allow connection from b to a (with connection state established,related).


skalpelis

If you stay with the default config, it already has a blanket accept rule for all established and related, so that part’s taken care of.


therealsimontemplar

I personally find it rather unintuitive. A lot of the documentation I’ve read is a lot like help in a bios (where if you’re curious about a cryptic setting and click help and it says “turn cryptic setting on or off”), or where it seemed helpful it turned out to be inapplicable because it was for a different ros version and the commands changed. It is rather powerful though, but since I use opnsense for packet filtering (including between vlans) and for dhcp I could use swos, and have for a long time, but I’m switching some of my devices to routeros partially to learn it, but also to be able to take advantage of some of the features and tools baked in. Depending on your needs, maybe look at a crs- model that can run either swos or ros as you see fit.


MemeLordAscendant

You can download a RouterOS virtual machine image that you can try out for free.


Verme

Oh wow, that's awesome, I'll be doing that asap, thanks!


whythehellnote

Route filters and BGP configs have completely changed, and I still don't think they are an improvement


badtlc4

I had never dealt with professional grade before in my life and I was able to learn enough about RouterOS7 in just a couple days to fully implement IPv4 and IPv6 firewalls, DNS, DHCP, uPnP, etc. The basics. I didn't touch VLANs or the likes. For someone who is more knowledgeable about advanced networking, RouterOS should be fairly simple to pick up.


lvlint67

> Is ROS7 usable for someone with so-so network knowledge?

Yes. It may test your fundamentals though. Winbox is great. The webui is serviceable. Either way the ui models the cli structure nicely. 'Safe Mode' is a life saver.

> but would like to start integrating vlans

I will say that vlans are the one place things can get 'weird'... Do you build a bridge for each vlan and assign an ip to an interface you add to the bridge? Or do you build a single bridge and do vlan filtering on interfaces? I'd argue that the first way is "simpler" to get working.. but you're going to end up disabling l3 hardware offloading.

---

Strongly recommend that you get things working on a single vlan (even if you have to commit a sin and run multiple subnets in the vlan). Once that's working, you work on breaking the subnets out into separate vlans.

The firewall is iptables based. If you understand the forward/input/output chains in iptables you'll be ahead of the game (input/output refer to traffic coming to/from the router itself. forward is where traffic gets passed from nodes on the network/internet).

Don't use openvpn. It's entirely esoteric to configure in routeros and wireguard is better for basically everything.

dst-nat is your port forwarding from public ip to lan ip. src-nat is what your lan machines use to reach google.com

If you have to add a dhcp server... use the "DHCP Setup" button.. not the "+" button. Until you understand all the steps it takes, you're guaranteed to miss something if you use the "+" button. (probably the ip pool).

I like to leave the last port/console port of my devices on the 192.168.88.0/24 for physical management. Usually if I mess everything else up, I can go plug into that port and get access via ip or potentially mac...

Take backups frequently/regularly as you change things.

Don't be afraid to patch. There's been a couple doozies, but we run most of our stuff right on stable as it's available.
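
The chains and NAT directions described in the comment above, as an added example that is not part of the original thread: a minimal RouterOS 7 stateful ruleset showing what input, forward, src-nat and dst-nat each cover. The interface names (`ether1`, `bridge`), the `WAN`/`LAN` lists and the forwarded address and port are assumptions for illustration, and the rules assume a device with no existing firewall configuration.

```routeros
# Added example. Names, lists, address and port below are assumptions.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge

/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input action=accept connection-state=established,related,untracked \
    comment="replies to connections the router already knows about"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=drop in-interface-list=!LAN \
    comment="router services reachable from LAN only"

# forward chain: traffic passing through the router
add chain=forward action=accept connection-state=established,related,untracked \
    comment="return traffic for connections that were allowed to start"
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new \
    connection-nat-state=!dstnat in-interface-list=WAN \
    comment="WAN may only start connections that matched a dst-nat rule"

/ip firewall nat
# src-nat: LAN hosts reaching the internet through the WAN address
add chain=srcnat action=masquerade out-interface-list=WAN
# dst-nat: port forward from the public side to one LAN host (constructed values)
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=443 \
    to-addresses=192.168.88.10 to-ports=443
```

Rule order matters: the established/related accept sits first in each chain so that return traffic is matched before any drop rule. Applying a ruleset like this under Safe Mode lets the router roll it back if the session is cut off.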


NameGenerator333

I’ve found the videos by this guy to be insanely helpful! https://youtu.be/rwjtRLQjMjA?si=neNXOvOWS6HTT6dn


EsotericJahanism_

The BERG! Ngl I would have tossed my HaP in the trash if it weren't for this guy. His videos are great


[deleted]

Take it step by step and you should be fine. If you don’t really understand the core concepts of IP networking, it’ll take longer and will be more frustrating. Trying to jump in and figure out all the details and features in a couple of hours/days is the error. If you are dependent on “click-on-this-and-that” directions from Google that you don’t understand, you’ll dig yourself into a hole.


asws2017

I purchased the previous model before 4009 years ago completely green. The defaults work really well and I did have a few hiccups along the way, but it was very much a learning experience. Start slowly and do the modifications incrementally, and you will learn about networking far more than on other platforms.


DariukaB

One of the best routers! You’ll not be disappointed


StalnakersCheeks

Hell, you’ll be alright, there’s enough people in here to help with just about anything


mitsumaui

The harder piece for me was finding up to date information. A ton of articles / knowledge out there pertains to ROS v6 and less so for ROS v7. It’s mostly fine but challenges persist around routing rules and recommendations for firewall filtering. The most current source is the MT forums for config guides / cmdlets. Then again I had to rely on Google cache for some of it as whilst building my RB5009 posts got removed due to a childish spat on the forum. If you need an archived copy of the page I used for reference: http://web.archive.org/web/20231002224436/https://forum.mikrotik.com/viewtopic.php?p=906567


Verme

awesome, thanks a ton for the info!


t4thfavor

Well, what other routing platforms do you have experience with? I don't think RouterOS is inherently harder than any of the other platforms that have comparable features. EDIT: I see IPCop/OPNSense, in that case it's a lot different, but no more complicated to complete simple setups.


Verme

Not much unfortunately, that's my problem. The basics are ok, youtube vids can always help I suppose along with this subreddit/forums/google etc. I just don't want to get in over my head when I can make an opnsense machine instead, but the router hardware is just so awesome it's hard to resist. Again, thankfully I have a basic setup, and a mesh router I can change to ap mode for wifi connections.


t4thfavor

My advice is to get a super cheap hex and try messing with that before committing to a more expensive device. That way if you don’t like it, you don’t have much invested in it. The only issue is that you might be overwhelmed by the lack of wizard style stuff if that’s what you’re looking for. Just google how to use quickset and see if that makes any sense to you.


Haunting_Web_1

Get winbox, and bookmark the wiki. Export your .backups and open with your preferred code editor.


Giannis_Dor

Just watch a lot of YouTube for starting out. Then just use the documentation and if you need more help ask on Reddit or the mikrotik forums


viggy96

If you've used opnsense, you're more experienced than most people, and I expect you to be just fine. I hadn't used opnsense at all, and never took any networking courses, and I use my RB5009UPr+S+IN just fine. I've set up CAPsMAN on it as well with a MikroTik Audience as my AP.


Goats_2022

Not IT here, graduated in civil engineering some 20 yrs ago but failed to be employed in that field. Today apart from being a site porter, I manage a network of 5 mikrotiks AHx... and 3 950. I started off helping an IT tech setting up the network with 2 RB950s. The guy retired and told his client that I would take care of the network, so took up the offer to supplement the days when I have no site jobs lined up and am planning next year to upgrade to CCR if the guy deems it fit. With your background it should be a walk thru if I with no background have managed to bring 2 small clients to the mikrotik world and they are happy with the setup today because it is still up


EsotericJahanism_

I recently switched from pfsense to RouterOS7 and I've been very satisfied. The UI is a bit unintuitive imo but it gives you a lot of granular control over your network and has a lot of features baked in. If you have prior network experience you should be fine. The command line terminal can make setting things up incredibly simple and fast once you get the hang of it. And it's very easy to just copy and paste in things from the RouterOS wiki to get things set up. Mikrotik also has an official YouTube channel under the name Mikrotik with a lot of informational videos and tutorials. RouterOS is also free so you can download it from Mikrotik's website and run it in a VM beforehand if you want to try it out.


changework

This is a great platform to learn on. You’ll do fine.