Edgerouter 12 vs Mikrotik RB4011

[paraplu]

I think once you go to separates switches ports on the router having little meaning and purpose. You should use a large managed switch. The best choice would be a layer3 switch but you can get by OK with layer2. Maybe even a POE+ switch so you can run wireless APs and cameras and other things. It is a much cleaner setup for devices.

Used the excellent Cisco SG350 with Fibre WAN STP and inter vlan routing: works fine both with the MT and ER, both with simple static routing rules, and some ACLs on the switch. If that switch also had NAT this would be more then great, but you still need a separate router which means more cables in between. I just hate cables in between = more lag.

Combining routing, switching and VPN on one single high-performance device like the RB4011 gives me easier central maintenance, less cabling, and obviously less power usage. At least for my use case which is rather basic.

But I keep my Cisco L3 switch for future scenarios like additional port requirements, complex multicast or voip setups etc. Point taken.

 

[paraplu]

How is the performance compared to the ER4?

Pure routing with hardware offload and basic firewall rules: no notable difference; both can handle 1 Gbps easily.

 

[coxhaus]

Used the excellent Cisco SG350 with Fibre WAN STP and inter vlan routing: works fine both with the MT and ER, both with simple static routing rules, and some ACLs on the switch. If that switch also had NAT this would be more then great, but you still need a separate router which means more cables in between. I just hate cables in between = more lag.

Combining routing, switching and VPN on one single high-performance device like the RB4011 gives me easier central maintenance, less cabling, and obviously less power usage. At least for my use case which is rather basic.

But I keep my Cisco L3 switch for future scenarios like additional port requirements, complex multicast or voip setups etc. Point taken.

An 18 inch cable adding lag maybe but hard to detect.

I have always thought of L3 switches as parallel operations and routers as serial operations. Parallel is much faster if you can perform that way. Kind of like a single CPU vs a 24 core CPU.

 

[paraplu]

An 18 inch cable adding lag maybe but hard to detect.

I have always thought of L3 switches as parallel operations and routers as serial operations. Parallel is much faster if you can perform that way. Kind of like a single CPU vs a 24 core CPU.

It all depends on use case.

If you have lots of inter-vlan routing (traffic between clients not hitting the WAN) yes a L3 switch is the answer and takes this routing load away from a central WAN router.

In my home case, most if not all of my client packets go directly to/from the WAN, for which a L3 switch would only function as another hop in between. Extra lag.
The only advantage I would think of is keeping broadcast/multicast/arp packets away from the WAN router, which could be benificial if you have a huge amount of clients. It sure helps when dealing with many IPTV clients. The RB4011 however has proven me that it can handle an IPTV bridge, next to regular NAT, without breaking a sweat (hardware offloaded: keeping it within the dedicated switch chip). The ER4 had more trouble with this. Perhaps, and probably, an ER12 can handle this IPTV switching easily as well.

 

[coxhaus]

It all depends on use case.

If you have lots of inter-vlan routing (traffic between clients not hitting the WAN) yes a L3 switch is the answer and takes this routing load away from a central WAN router.

In my home case, most if not all of my client packets go directly to/from the WAN, for which a L3 switch would only function as another hop in between. Extra lag.
The only advantage I would think of is keeping broadcast/multicast/arp packets away from the WAN router, which could be benificial if you have a huge amount of clients. It sure helps when dealing with many IPTV clients. The RB4011 however has proven me that it can handle an IPTV bridge, next to regular NAT, without breaking a sweat (hardware offloaded: keeping it within the dedicated switch chip). The ER4 had more trouble with this. Perhaps, and probably, an ER12 can handle this IPTV switching easily as well.

Running the router without a L3 switch creates router lag for every broadcast. The more devices the more lag. Routing lag is a trade off for the router not having to respond to every broadcast on the network because L2 is faster than L3. Every one of those broadcasts create lag for a router on the same network. Running through a L3 switch with a router on a point to point connection in a separate network keeps the router running at full speed with no router lag only routing lag. The L3 switch feeds the router at full speed with no lag and this can not be achieved with all devices running in the same network as the router with no L3 switch. So you are trading 1 lag for another with the scales tipping to the L3 switch as you add more devices.

This why businesses use L3 switches. Maybe some day we will have L3 switches with NAT that are affordable for home use and we won't need routers.

My guess is wireless adds more lag then either of the above setups.

 

[BigMaras]

The CPU in the RB4011 is only a bit faster than the ER-12 too, they arent the same in hardware but very very different both in terms of routing performance, VPN performance and software performance with each CPU excelling in particular areas,

Which one will have better VPN performance? (RB4011 vs ER-12)
And second question, If I will have possibility to buy in the same price Fortigate 60E, is it worth consider against RB and ER? (without look in features, just VPN performance on 1GB/0.3GB internet connection)

Thank you in advanced for reply.

 

[System Error Message]

Which one will have better VPN performance? (RB4011 vs ER-12)
And second question, If I will have possibility to buy in the same price Fortigate 60E, is it worth consider against RB and ER? (without look in features, just VPN performance on 1GB/0.3GB internet connection)

Thank you in advanced for reply.

as a router hands on i would suggest mikrotik over ubiquiti simply because ubiquiti sucks in comparison to mikrotik, but i wouldnt recommend mikrotik in other areas because they arent as easy to configure for other things but can be really awesome if you do such as for wifi. I recently got one of their devices free during a MUM so i checked out the wifi bit and it gives you so much control that even ubiquiti cant match it.

Firstly check the block diagram of both systems. Newer mikrotik routers have bigger internal busses but not sure about ubiquiti, however if you are using QoS, ubiquiti will do poorly for you not to mention the huge amount of control you have with mikrotik. Its easier to set up than ubiquiti if you understand networking. VPN wise it depends, see if that specific mikrotik device has a crypto block on the diagram.

The only 2 faults that mikrotik currently has is that it does not support DNSSEC and openVPN UDP, but im ditching openVPN and going with wireguard as openVPN is such a pain and i still cant get it right on my VPS to create a multi user simultaneous connection, something you can so easily do with asus running rmerlin firmware.

Performance wise we are talking about a nice MIPS vs server ARM. In routing IPC, the MIPS wins, for the rb4xxx series in software use the ARM wins, so if your needs are things that cannot be accelerated, you're going to be out of luck with the MIPS. For instance my ERPRO last time managed 80Mb/s running squid proxy which i could not secure on mikrotik, but that CCR1036 from mikrotik took the spam from AWS without any sweat. It might sound unfair comparing a 36 core router to a dual core one but ubiquiti offerings do not match up to their said specs once you go outside their ideal use case. So putting skills aside, pick based on your use, if you have to use a feature that is outside of ubiquiti's acceleration like QoS, use mikrotik. Same for hotspot, radius, etc.

 

[BigMaras]

as a router hands on i would suggest mikrotik over ubiquiti simply because ubiquiti sucks in comparison to mikrotik, but i wouldnt recommend mikrotik in other areas because they arent as easy to configure for other things but can be really awesome if you do such as for wifi. I recently got one of their devices free during a MUM so i checked out the wifi bit and it gives you so much control that even ubiquiti cant match it.

Firstly check the block diagram of both systems. Newer mikrotik routers have bigger internal busses but not sure about ubiquiti, however if you are using QoS, ubiquiti will do poorly for you not to mention the huge amount of control you have with mikrotik. Its easier to set up than ubiquiti if you understand networking. VPN wise it depends, see if that specific mikrotik device has a crypto block on the diagram.

The only 2 faults that mikrotik currently has is that it does not support DNSSEC and openVPN UDP, but im ditching openVPN and going with wireguard as openVPN is such a pain and i still cant get it right on my VPS to create a multi user simultaneous connection, something you can so easily do with asus running rmerlin firmware.

Performance wise we are talking about a nice MIPS vs server ARM. In routing IPC, the MIPS wins, for the rb4xxx series in software use the ARM wins, so if your needs are things that cannot be accelerated, you're going to be out of luck with the MIPS. For instance my ERPRO last time managed 80Mb/s running squid proxy which i could not secure on mikrotik, but that CCR1036 from mikrotik took the spam from AWS without any sweat. It might sound unfair comparing a 36 core router to a dual core one but ubiquiti offerings do not match up to their said specs once you go outside their ideal use case. So putting skills aside, pick based on your use, if you have to use a feature that is outside of ubiquiti's acceleration like QoS, use mikrotik. Same for hotspot, radius, etc.

Huge thank you for explanation. i'm very greatfull and it looks that you have big knowledge and experience in this hardware.

One more thing about second part of my question, do you have any experience with fortigate 60E? The most important for me is performance during VPN connection. I have 1GB/0.3GB internet connection and I would like to have possibility to use this 0.3GB during only one tunnel at full speed, do you think that I should go with mikrotik rb4011 or think about fortigate 60E or maybe think about totally different hardware? In the past I had CCNP, so network command line or tricky interface is not big problem for me.

 

[System Error Message]

Huge thank you for explanation. i'm very greatfull and it looks that you have big knowledge and experience in this hardware.

One more thing about second part of my question, do you have any experience with fortigate 60E? The most important for me is performance during VPN connection. I have 1GB/0.3GB internet connection and I would like to have possibility to use this 0.3GB during only one tunnel at full speed, do you think that I should go with mikrotik rb4011 or think about fortigate 60E or maybe think about totally different hardware? In the past I had CCNP, so network command line or tricky interface is not big problem for me.

Well if you have CCNP you will definitely appreciate mikrotik, and unlike cisco mikrotik's strength in config is in its GUI, which is not user friendly to the untrained user. Im not sure about fortigate as i've not had a chance to try them but they are usually known for their firewalls.

I do know the rb4011 will do more than 300Mb/s of VPN but it depends on the type of VPN. IPSEC is accelerated and algorithms like SHA and AES too so stick to those, otherwise no matter which router you use, using a different VPN will yield slower results.

Mikrotik is the cisco alternative, but i complained that one local university i visited had a lab full of various cisco hardware but no mikrotik. Mikrotik has their certs too and they are rising thanks to being a better cisco alternative especially at the lower budget segment. The RB4011 also comes in a variant that has wifi too so if you're ok being overwhelmed with so many options then mikrotik will do well for you.

Although mikrotik switches are cheaper they do not compare to ubiquiti switches, but wifi seems mixed as ubiquiti goes with simpler APs whereas mikrotik exposes a lot to you (even better if you get the international version rather than the locked US version).

 

[Trip]

First off, let it be known that I have no dog in this fight. I use both Mikrotik and UBNT, and find they both have their strengths. That being said...

as a router hands on i would suggest mikrotik over ubiquiti simply because ubiquiti sucks in comparison to mikrotik

Care to explain your reasoning, other than what you spoke on already? Perhaps I missed a key area or two, but I didn't see anything you mentioned that would sway me one way or another conclusively for all use-cases.

if you are using QoS, ubiquiti will do poorly for you

How so? Simply due to less powerful CPU? Or are you speaking of queuing/shaping mechanisms? Do you find simple queues, trees and/or HTB in RouterOS to be as effective at minimizing bufferbloat as fq_codel + HTB in EdgeOS, or more so?

Not looking to take pot shots here. Genuinely interested in your responses. Thanks SEM.

 

[coxhaus]

In the past I had CCNP, so network command line or tricky interface is not big problem for me.

Not to be picky but a CCNP certification is a person with a good understanding of network knowledge.

 

[System Error Message]

First off, let it be known that I have no dog in this fight. I use both Mikrotik and UBNT, and find they both have their strengths. That being said...
Care to explain your reasoning, other than what you spoke on already? Perhaps I missed a key area or two, but I didn't see anything you mentioned that would sway me one way or another conclusively for all use-cases.
How so? Simply due to less powerful CPU? Or are you speaking of queuing/shaping mechanisms? Do you find simple queues, trees and/or HTB in RouterOS to be as effective at minimizing bufferbloat as fq_codel + HTB in EdgeOS, or more so?

Not looking to take pot shots here. Genuinely interested in your responses. Thanks SEM.

I've used both too. There are differences, for instance if you're trying to create something complex, this is much easier to do in mikrotik than in ubiquiti. Ubiquiti also lacks the layer 2 control that mikrotik has. The only thing i havent forgiven mikrotik for is the lack of DNSSEC, but lack of UDP openVPN is fine since after using openVPN on a linux server im ditching it as i got sick of trying to configure it on linux and support is really really poor.

Mikrotik actually responds to criticism. I saw their new CCR1036 online (same model though) but with the upgrades that the original first 2 were criticised for (me and others) that they now include a dual PSU with a fan in the PSU area too, a full sized USB port and a rj45 management port, havent checked if they've changed anything internally. They also hold mum and had i known early i would've applied to speak and gotten a free RB4011.

More importantly, its really like comparing 2 very different routers. UBNT works well replacing a home router, its actually the segment that UBNT will do well in should they focus their audience there. Their style of pushing their ecosysstem for both software/controllers makes them far more suited for places without their own tech team. Mikrotik however does have their own software but are never pushing their ecosystem, which makes them different from both UBNT and cisco and this is one reason why i dislike UBNT, because at the price point that you are paying for UBNT you are getting vendor locked in and that is bad, plus in terms of expertise mikrotik is router focused, meaning they work on their routers to do be a router first, other things 2nd. With UBNT thats not the case, their ecosystem is first which is powered by a linux OS running their interface, and their products arent function first like mikrotik. If you take a closer look at their devices, there are so many features that differ their target audience. For instance most if not all mikrotik routerboards come with serial/IPMI, and have a lot of redundancy like backup routerOS and more which you do not get with UBNT. If you move to their wifi units, its the same deal. Mikrotik exposes so much functionality to you that you would expect from an enterprise wifi router, ubiquiti doesnt let you configure the same options and yes i've actually helped my college configure UBNT outdoor APs before with their nice interface but it doesnt expose any advance options that you get when configuring a mikrotik AP.

So whenever i suggest either UBNT or mikrotik i check on whos asking and what they need. Just because the MIPS on UBNT isnt great for QoS and other non hardware accelerated tasks, you can still get one thats fast enough for your home needs and this price difference is where mikrotik shines too. When it comes to QoS and other features, its because that the MIPS architecture really is much much less than ARM especially server ARM. When you compare what their cores contain, how differently complex and sized their instruction pipelines and decoders are, you can clearly see that ARM is actually better and i explained this before in another thread a few years ago the order of which CPU is faster for routing, which is faster for running software. to me ubiquiti sucks as a router, but does not make it totally useless, however mikrotik wins over ubiquiti when it comes to networking in so many areas, from the features or how well they function as a router to being able to run dude on the router and get some really good network data and even other features as well. This is one part that people tend to forget when they talk about ubiquiti controllers that mikrotik has had theirs for quite a while that is compatible with other vendors via common features like snmp and can be configured to detect any services you like when scanning.

 

[paraplu]

The only thing i havent forgiven mikrotik for is the lack of DNSSEC.

running pi-hole on a rPi would take that dns limitation away, which is what I am doing for the past years; works great.

 

[paraplu]

lack of UDP openVPN

UDP openvpn is upcoming and available with beta ROS7, but haven’t tried this yet. The current IPSEC L2TP vpn solution is working fine with ROS6; giving me around 300mbps between externally wired laptop client, and around 100mbps with my iPhone on 4g. Although the connection times out after a while. Not sure why yet.

 

[System Error Message]

UDP openvpn is upcoming and available with beta ROS7, but haven’t tried this yet. The current IPSEC L2TP vpn solution is working fine with ROS6; giving me around 300mbps between externally wired laptop client, and around 100mbps with my iPhone on 4g. Although the connection times out after a while. Not sure why yet.

if you read on, i've ditched openVPN completely. i wasnt able to set up a proper functioning openVPN on debian to work with multiple simultaneous users and connections and also had connection issues on my VPS for this that i couldnt watch a video for more than a few minutes before being disconnected. Sometimes thats not the case so it could be my VPS provider throttling me or cutting the connection, however i was not able to solve the problems with my openVPN setup and their own support was so bad and full of arrogance just like with ubuntu in the past which made me ditch it.

So the lack of openVPN features doesnt bother me on mikrotik, only that i am going to give wireguard a try.

 

[Trip]

WireGuard is a solid option, for sure. As Torvalds said, "compared to the horrors that are OpenVPN and IPSec, it's a work of art." LOL

I've been running it for months now in my SOHO lab environment to link a Vultr-based Win 10 VM to my EdgeRouter and it's been nothing but rock solid at full multi-hundred Mb/s line-rate with <5% CPU.

The only limiting factor I see thus far is lack of ability to do directory-based AAA, making it basically null and void for business setups larger than just a handful of employees, but other than that, it's seems like the way forward, for sure.

 

[paraplu]

As a follow-up on this topic trying to share my experiences:

Apparently the RB4011 has some stability issues: crashing without reason at random times; sometimes after a month, sometimes after a day after clean reboot. Lots of user-feedback on the mikrotik forums confirm this as well. Difficult issue, and unresolved. In my case; full-time 6% load on single-core while idle only routing between 2 ports = weird. Noticed that single-thread load went to 100% usage, before it crashed. Ditched this router.

As such, replaced it with my Ubiquiti ER4 (was unable to sell it: hmm no market interest), but after some more testing, ditched this one as well for the following reasons:
1) single-thread TCP routing; only a single thread (out of 4) got all CPU kernel load (>50%) while doing 1gbps downloads over 20 individual client TCP connections, and
2) >90% single-thread load and >20% drops when doing UDP gbps load. Apparently UDP is not HW offloaded.
With both 1.10 and 2.08 firmware.
To compare: mikrotik had 0% UDP drops and evenly balanced CPU usage during both TCP and UDP iperf3 tests.

Bummer.

I am now back to my old Mikrotik Hex 750gr3 for pure routing and firewall between WAN and LAN, combined it with my older Cisco 350 switch with L3 static (gbps) vlan routing + acl, dhcp etc, and all fine now for the past month; very stable and performant.

 

[coxhaus]

The Cisco RV340 router with a Cisco SG350 L3 switch will work well and it will be very stable. If you want a layer 7 firewall then run Untangle behind the RV340 router as a transparent bridge.

pfsense will work but you will need to setup gateways for all the routed networks in pfsense for the L3 switch. There will be lots of patching for pfsense and things will break. But it will be a strong runner with Xeons.

 

[paraplu]

And back again on the RB4011 as my main router. The Hex, although stable, was unable to deal with the kind of loads in my use cases.

My findings to get a RB4011 more stable:

Apparently, if you access the conntrack active connection table, through API or webfig or Winbox, CPU throttles up to a full 6 to 8% single-core usage, for no apparent reason, for a full minute. In my case I was doing these API calls every minute for monitoring purpose to post results to an InfluxDB (for Grafana dashboarding), resulting in a full-time CPU load of this kind. Which (probably: not proven) resulted in a crash at undefined times.

So stay away from doing this and keep your CPU usage, and possible system instability, at calm.

Rest to say that Mikrotik needs to delve into this issue, as this should not happen from a software point of view.

 

[coxhaus]

So I read that the new Mikrotik RouterOS 7 is going to be 5.x Linux kernel. Is that true? Is all the old hardware going to work?