Hi,

A newbie looking to purchase RB3011 for my office. We have two internet connections 1) 60/60 Mbps direct Ethernet and another 20/1 Mbps (from ADSL Modem), I wish to connect them both to RB3011 for Dual WAN (with Fail Over Support). The router will also have to act as a Firewall, DHCP Server and if possible VPN Server (for about 5 VPN Clients). We will have about 50-60 users connected to this router on Gig Lan network and via separate Wi-Fi access point.
I had a few questions, I would appreciate if someone could point me in the right direction. I have tried to go through these forums but have not found a decisive answer.

1) Will this router serve my requirements or should I be looking at the more expensive CR series?
2) Does Dual WAN work fine in this router with fail over and link aggregation (or whatever is the right term for it) ?
3) In the forums I see a lot of users stating that this is the first time ARM processor version so there are a lot of bugs. But I don't see any recent status if those have been resolved and if this is now a stable router.
4) Will it support VPN from Windows 10 based clients? About 4-5 VPN users at a time.
5) Does this router give good Gig Lan to Lan performance in case of NAT?

Any other pointers or suggestions for a newbie would be appreciated. Thanks for taking the time to respond to my query.

1) Will this router serve my requirements or should I be looking at the more expensive CR series?

Yes, 3011 has enough power for your scenario.

2) Does Dual WAN work fine in this router with fail over and link aggregation (or whatever is the right term for it) ?

Yes it does. You will be able to failover and load balance, but not link-aggregation (both WAN ends should belong to the same ISP router and would need configuration from their part)

3) In the forums I see a lot of users stating that this is the first time ARM processor version so there are a lot of bugs. But I don't see any recent status if those have been resolved and if this is now a stable router.

Users not having problems are very unlikely to come by and flood the forum with success reports... it's usually those having problems the ones posting, and that may create a false impression.

4) Will it support VPN from Windows 10 based clients? About 4-5 VPN users at a time.

Yes. It does support "Windows-native" SSTP.

5) Does this router give good Gig Lan to Lan performance in case of NAT?

NAT performance could be an issue with WANs via PPPoE with hundreds of Mbps of bandwith (>500Mbps), in the event of complex firewall setups, which isn't your scenario.

Why would you use NAT for LAN to LAN? use switch groups for that to run gigabit at wire speed without touching the CPU.

I would add to pukkita's response...

4) Will it support VPN from Windows 10 based clients? About 4-5 VPN users at a time.

Yes. It does support "Windows-native" SSTP.

While it does support SSTP, it does not support NAP, nor does it support any type of EAP for authentication. If you intend to use the NAP functionality provided by Microsoft's NPS server to check clients for current patching and antivirus before allowing a remote connection, then this will not work. Also, if you want to use certificate based authentication instead of username/password, this also will not work. The best that can be managed is using mschapv2 with server certificate validation.

You also stated:

The router will also have to act as a Firewall

What are your requirements for a firewall? MikroTik units tend to get bogged down pretty bad when dealing with a complex firewall rule base (more than 25 rules), and get almost unusably slow when trying to implement advanced firewalling capabilities, like Layer-7 inspection. If you're looking at something that can perform IDS/IPS inspection, AV inspection, etc. on the traffic, you won't be satisfied with the RB3011.

Thanks for your quick detailed response pukkita and mpreissner

As I said I was a newbie - I will look deeper into switch groups - thanks for the insight.


I plan to use just basic firewall features not too many rules. Right am using a consumer ended Linksys product with SPI Firewall which works fine. So something similar should be fine. Good to know the limitations of VPN.

Another query I forgot to ask. This page states [ https://routerboard.com/RB3011UiAS-RM ] it comes with RouterOS 5, but in the forums I see that new fixes are being made in version 6. Does that mean that I need to also purchase an upgrade to RouterOS 6?

Another query I forgot to ask. This page states [ https://routerboard.com/RB3011UiAS-RM ] it comes with RouterOS 5, but in the forums I see that new fixes are being made in version 6. Does that mean that I need to also purchase an upgrade to RouterOS 6?

The number 5 is the licence level. http://wiki.mikrotik.com/wiki/Manual:License
You can upgrade RouterOS to the latest version 6.37.1 from here http://www.mikrotik.com/download (ARM)

Thanks JB172 for the quick reply.

Just to conclude my post, I did purchase RB3011 and have set it up for Dual WAN with Policy Based Routing as well as Fail Over Support. With about 30 devices connected at the same time with 0%-1% CPU utilization. I have not been able to configure VPN or Firewall policies yet which may add some load. But at least I am getting stable speeds and seamless fail over support! So its certainly a very good purchase. Thanks for all those who helped me in the right direction.