Do AP's come with all router functions?
Posted: Mon Dec 09, 2024 2:50 pm
by OOJSPI
I seek a prosumer router, something similar to the UniFi Dream Machine, but with newer hardware for WireGuard throughput and better customization. For example, I want to be able to access the router via SSH to not only customize NAT via iptables, but have my rules preserved after reboot and not have the router override my settings or remove my tables when making further changes in the router GUI, which is known as reprovisioning. Current routers like the UniFi Dream Machine strip many custom settings during such a reprovisioning process and require 3rd-party on-boot scripts to force custom changes during boot, but such scripts are not good enough because the timing of application of custom settings is important, or else GUI-based rules and custom rules mess up.
Manual SSH customization shouldn't even be necessary if router makers included all the necessary features in the GUI. For example, some current ASUS routers let you create VLANs, but do not allow creation of specific NAT rules for them. They only allow creation of NAT rules for the main LAN. You need Merlin firmware with custom script application to get around that.
DD-WRT and OpenWRT are awesome, but router makers now focus on Secure Boot and make it impossible for newer models to support DD-WRT and OpenWRT. I know there is pfSense, but it is too much for me.
RouterOS seems to do all I want, I think... I'd like to try it, but I don't understand MikroTik products. Many MikroTik products are labeled as Access Point, but do they include router capabilities? I see topics discussing how a user can simply designate one of the AP Ethernet ports to be a WAN port. If that can be done, then how are MikroTik APs different from AIO Router+AP solutions? For example,
https://mikrotik.com/product/chateau_lte12 is "one router to delight them all", but the description is one of an AP, not a router. I am OK with spending time learning how to use MikroTik AP products and RouterOS, but I want to make sure they can function as actual routers.
Re: Do AP's come with all router functions?
Posted: Mon Dec 09, 2024 4:09 pm
by Scorcerer
Hi!
Yeah, the AP part mostly indicates that there's a radio onboard. If you can shell out the money, I believe the Chateau will be a very good device for you - seems to me like you just need the CPU to have enough "oomph" to service all the things you throw at it, and since it has an ARM CPU with 4 cores, that should be okay.
Re: Do AP's come with all router functions?
Posted: Mon Dec 09, 2024 4:11 pm
by anav
Every device runs ROS, so every device can act as a router if that is your question.
I would not recommend any product until it's clear what the requirements are.
a. type of internet connections
b. throughput of ISPs
c. if WIFI is required, size of location, number of rooms etc...
d. any other network issues one might need to take into account
Re: Do AP's come with all router functions?
Posted: Mon Dec 09, 2024 6:25 pm
by holvoetn
Every device runs ROS, so every device can act as a router if that is your question.
Not all Mikrotik devices, there are devices running SWOS or SWOS Lite.
But the ones that do run ROS all have a full-featured version of ROS, taking into account some HW restrictions.
(e.g. don't load too many additional packages on devices with only 16 MB storage, some packages are only available on arm-family devices, etc.)
The rest of your remarks related to making a recommendation are spot on.
Re: Do AP's come with all router functions?
Posted: Mon Dec 09, 2024 7:54 pm
by anav
Picky Picky Picky. ( we were talking aps, not switches )
If going to that extreme we should ensure we inform the op that antennas and sfp modules cannot run ROS.
Re: Do AP's come with all router functions?
Posted: Mon Dec 09, 2024 8:03 pm
by holvoetn
Correct observation
Re: Do AP's come with all router functions?
Posted: Mon Dec 09, 2024 10:09 pm
by OOJSPI
Normally "APs" are strictly APs.
Re: Do AP's come with all router functions?
Posted: Mon Dec 09, 2024 10:12 pm
by Amm0
Normally "APs" are strictly APs.
Perhaps, but I've seen "router features" (e.g. NAT to internet) on most other vendor "APs" (outside perhaps UBNT).
And, in Mikrotik, all APs are routers running RouterOS (at some license level, which may limit things too).
Re: Do AP's come with all router functions?
Posted: Mon Dec 09, 2024 10:32 pm
by OOJSPI
Every device runs ROS, so every device can act as a router if that is your question.
I would not recommend any product until it's clear what the requirements are.
a. type of internet connections
b. throughput of ISPs
c. if WIFI is required, size of location, number of rooms etc...
d. any other network issues one might need to take into account
Below is the desired configuration:
Household with 4 wired clients, 4 Wi-Fi clients (range of about 50 feet from the router), no switches (except the one in the router), 1 Gbps fiber connection from the ISP, strong desire for strict layer 2 isolation for each client, each client on its own 255.255.255.252 subnet, no need for any sharing (such as IGMP, mDNS, LLDP, STP), no hosting for each other, no hosting of anything over WAN, only one client with access to the router itself (all others are only allowed to forward), most clients are behind WireGuard or OpenVPN with separate accounts, high security environment. I prefer to not have needless services running instead of blocking needless services with firewalls and using SSH commands to kill them. I prefer the router to only forward traffic to WAN and not allow any automatic outbound and/or inbound traffic to the router itself from WAN, except for the NTP protocol and perhaps forwarding client DNS queries to a built-in DoT/DoH forwarder. That means no telemetry, but also no firmware updates, except manually administered ones. Currently wired clients can pull/push up to 700-800 Mbps on WireGuard and OpenVPN with the Data Channel Offload VPN adapter and I'd like to have the same. Can the Chateau AX Pro with RouterOS 7 pull off such a configuration? The UniFi Dream Machine was able to do some of the above, but it crashed the whole network during WireGuard bandwidth tests, came with many needless features, sent a ton of telemetry, and updates were more about fancy UI graphics than anything else. I prefer basic graphics for the UI with a ton of configuration options that actually work.
Some other questions:
- How do MikroTik routers manage process isolation? I'd like a hardened Linux environment where each process runs in its own container with the lowest possible privileges, similar to how GrapheneOS does it for Android devices -
https://grapheneos.org/features .
- Do MikroTik routers run WireGuard and OpenVPN clients in kernel space or user space?
- How do MikroTik routers manage boot security? Is firmware verified via some kind of signatures? What about serial port communication? We've had advanced attacks based on hardware schematics.
- Does RouterOS obtain correct time via plain NTP or via HTTPS (for additional security)?
Re: Do AP's come with all router functions?
Posted: Mon Dec 09, 2024 11:51 pm
by Amm0
Mikrotik has secure boot options (/system/routerboard), "locking out" features (and flagging) via /system/device-mode, and RouterOS packages are all signed. RouterOS does not use Linux standard GNU tools, so the split between kernel and user-mode is pretty abstracted by the CLI & there is no /bin/sh etc. to access Linux. But the system is not containerized internally, just a mix between a patched kernel and Mikrotik's own user-mode tools. For example, they have their own implementation of ssh, and don't even use standard libs like openssl.
WireGuard is likely in the kernel, IDK about OpenVPN. If you want to run all traffic via WireGuard, that uses CPU capacity... So any AP or Chateau would have trouble running WG anywhere near line-rate. A RB5009 (or better) and separate AP(s) are likely better if you're pushing "700-800Mbps" of VPN.
I prefer basic graphics for UI with ton of configuration options that actually work.
If you want to "try" RouterOS, you can download CHR and run it in a virtual machine using QEMU/VMWare/UTM/etc. You'll be able to also try winbox, which is the UI. Now it has a "ton of configuration options", but no "wizards", so winbox (and the web GUI looks similar) is more like a focused registry editor. For example, to "add a network", you actually add a VLAN interface, IP address, and DHCP Server as three RouterOS config options.
Re: Do AP's come with all router functions?
Posted: Tue Dec 10, 2024 1:18 am
by OOJSPI
Thank you for such a prompt response!
Would clients running WireGuard (such as Windows clients running the official WireGuard NT) be able to pull 700-800Mbps on the Chateau AX Pro? I don't expect such throughput when running WireGuard on the router itself, but fast PCs with WireGuard NT should be able to achieve such throughput.
Re: Do AP's come with all router functions?
Posted: Tue Dec 10, 2024 1:19 am
by anav
My personal experience with wireguard between two routers both on same ISP network with 1gig connections was in the 300 range.
Also curious as to what others see.
Re: Do AP's come with all router functions?
Posted: Tue Dec 10, 2024 1:35 am
by Amm0
Would clients running WireGuard (such as Windows clients running the official WireGuard NT) be able to pull 700-800Mbps on the Chateau AX Pro? I don't expect such throughput when running WireGuard on the router itself, but fast PCs with WireGuard NT should be able to achieve such throughput.
Well, if WG is running on a client and the router/AP is just forwarding it - that's a different story... In other words, RouterOS is NOT a peer itself... then it's just UDP traffic to RouterOS, and Wi-Fi forwarding is at line rate, so 700-800Mb/s would be reasonable if you're close to the router. Wi-Fi and "switching" do happen in hardware. The Chateau Pro AX would be better than the rest of the APs in Mikrotik's line up, in that it uses 4x4 MIMO AX. Now with Wi-Fi... the environment, distance, and what chipset the AP client is using all play a role.
But all have exactly the same UI/interface. The default Wi-Fi configuration is pretty good, assuming you upgrade to the latest stable (since often routers/APs come with older versions) and reset the default configuration after upgrade & set the country appropriately. If you want a "lot of configuration options", you'll be happy. And RouterOS's more "table like" configuration is very flexible. But since everything is configurable, it is initially more complex. And for Wi-Fi, there is "CAPsMAN" that essentially has "inherited" configuration to set up multiple APs indirectly using various channel/security/etc "profiles" - again very flexible, but not initially clear.
My biggest nit with Mikrotik is while docs are mostly complete as a "reference manual"...they often lack in "holistic examples" or "best practices" - so it's more like reading a bunch of "man pages". For example, there is a page on "Securing your Router" here:
https://help.mikrotik.com/docs/spaces/R ... our+router - but fails to mention device-mode and secure boot, which OP asks about & RouterOS supports... but info buried in docs or forum posts.
Re: Do AP's come with all router functions?
Posted: Tue Dec 10, 2024 9:08 am
by mkx
Normally "AP" are strictly AP's.
All Mikrotik's APs (all are running ROS) are "wireless router" in parlance of many other vendors. Mikrotik doesn't have any "AP only" device at the moment (and never did so far, can't say anything about future models). However, it's possible (even easy for people fluent in ROSish) to disable all routing and switching functions and then Mikrotik AP acts as "AP only" device. Likewise it's possible to disable any other function (wireless, switch, ...) and thus convert device into any "pure" device ... be it multi-port router or ethernet switch.
Re: Do AP's come with all router functions?
Posted: Tue Dec 10, 2024 9:11 am
by holvoetn
My personal experience with wireguard between two routers both on same ISP network with 1gig connections was in the 300 range.
Also curious as to what others see.
AX Lite to RB5009: 405/400 Mbps
Re: Do AP's come with all router functions?
Posted: Tue Dec 10, 2024 4:56 pm
by OOJSPI
Would clients running WireGuard (such as Windows clients running the official WireGuard NT) be able to pull 700-800Mbps on the Chateau AX Pro? I don't expect such throughput when running WireGuard on the router itself, but fast PCs with WireGuard NT should be able to achieve such throughput.
Well, if WG is running on a client and the router/AP is just forwarding it - that's a different story... In other words, RouterOS is NOT a peer itself... then it's just UDP traffic to RouterOS, and Wi-Fi forwarding is at line rate, so 700-800Mb/s would be reasonable if you're close to the router. Wi-Fi and "switching" do happen in hardware. The Chateau Pro AX would be better than the rest of the APs in Mikrotik's line up, in that it uses 4x4 MIMO AX. Now with Wi-Fi... the environment, distance, and what chipset the AP client is using all play a role.
But all have exactly the same UI/interface. The default Wi-Fi configuration is pretty good, assuming you upgrade to the latest stable (since often routers/APs come with older versions) and reset the default configuration after upgrade & set the country appropriately. If you want a "lot of configuration options", you'll be happy. And RouterOS's more "table like" configuration is very flexible. But since everything is configurable, it is initially more complex. And for Wi-Fi, there is "CAPsMAN" that essentially has "inherited" configuration to set up multiple APs indirectly using various channel/security/etc "profiles" - again very flexible, but not initially clear.
My biggest nit with Mikrotik is while docs are mostly complete as a "reference manual"...they often lack in "holistic examples" or "best practices" - so it's more like reading a bunch of "man pages". For example, there is a page on "Securing your Router" here:
https://help.mikrotik.com/docs/spaces/R ... our+router - but fails to mention device-mode and secure boot, which OP asks about & RouterOS supports... but info buried in docs or forum posts.
- Does RouterOS allow you to fully disable multicasting? LLDP? STP? By disabling I mean killing the services and not have any processes listening on respective ports or just not having processes running at all. It would be even better to be able to completely remove related packages via CLI!
- In case I do need to verify via SSH, can I use typical tools like PuTTY? I think PuTTY works with OpenSSL and if RouterOS doesn't support that, then I don't know...
- Can I create custom on-boot scripts that add extra IPTable rules? Would changes in RouterOS UI after adding rules via SSH flush my custom rules? I almost always find a reason to go into SSH to at least verify what UI is doing. For example, disabling multicast in some routers doesn't actually kill related services and although inaccessible, multicast processes keep running and listening on specific ports.
Re: Do AP's come with all router functions?
Posted: Tue Dec 10, 2024 5:19 pm
by Amm0
- Does RouterOS allow you to fully disable multicasting? LLDP? STP? By disabling I mean killing the services and not have any processes listening on respective ports or just not having processes running at all. It would be even better to be able to completely remove related packages via CLI!
You cannot remove these things, but you can fully disable all of them, in different places:
- LLDP, CDP and "MMDP"(Mikrotik's winbox discovery broadcast) can be disabled, for both tx and rx:
https://help.mikrotik.com/docs/spaces/R ... figuration
- The bridge interface allows you set STP to "none":
https://help.mikrotik.com/docs/spaces/R ... rfaceSetup
- You can specifically allow multicast routing by enabling PIM-SM or IGMP, but there is no way to "disable" multicast per se - more just not use features that use it. The firewall can block multicast explicitly via rules, either on the bridge firewall or /ip/firewall (in Linux terms, "iptables")
- In case I do need to verify via SSH, can I use typical tools like PuTTY? I think PuTTY works with OpenSSL and if RouterOS doesn't support that, then I don't know...
All that should work, although been years since I tried PuTTY.
- Can I create custom on-boot scripts that add extra IPTable rules? Would changes in RouterOS UI after adding rules via SSH flush my custom rules? I almost always find a reason to go into SSH to at least verify what UI is doing. For example, disabling multicast in some routers doesn't actually kill related services and although inaccessible, multicast processes keep running and listening on specific ports.
SSH has the same access as the GUI to all configuration, including the firewall and routing tables, so firewall commands follow the same scheme as everything else with add/remove/set operators. They have a whole scripting language to do things like configuration, that can be scheduled at boot, and a lot of other services like DHCP/etc have their "on-event" scripts that can optionally be run on, say, a new DHCP lease or a ping test that fails (netwatch). The firewall does not have any "script events" inside, but rules can be added/removed from CLI/script/winbox.
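The points in the reply above (neighbor discovery off, STP "none", multicast dropped in the firewall, and a script scheduled at boot) put together as one RouterOS v7 CLI fragment. This is an added example, not configuration from the thread or from MikroTik's docs; it assumes a bridge named "bridge" and interface lists named "WAN" and "LAN", and the rule comments are arbitrary labels chosen here so a script can find its own rules again. In RouterOS the firewall rules are persistent configuration, so the scheduled script is not needed to survive a reboot; it is shown only to demonstrate how a script can re-check for a rule and place it at a defined position instead of blindly appending:

```routeros
# --- Neighbor discovery: stop sending and answering LLDP/CDP/MNDP on every interface
/ip/neighbor/discovery-settings set discover-interface-list=none

# --- Bridge: no spanning tree, no IGMP snooping (assumed bridge name "bridge")
/interface/bridge set [find name="bridge"] protocol-mode=none igmp-snooping=no

# --- Firewall: drop multicast/broadcast instead of "disabling" it (there is no daemon to kill)
/ip/firewall/filter add chain=input   dst-address-type=multicast action=drop comment="mcast-in"
/ip/firewall/filter add chain=forward dst-address-type=multicast action=drop comment="mcast-fwd"
/ip/firewall/filter add chain=forward dst-address-type=broadcast action=drop comment="bcast-fwd"

# --- Minimal input chain: router accepts nothing new from WAN (assumed list "WAN")
/ip/firewall/filter add chain=input connection-state=established,related action=accept comment="in-est"
/ip/firewall/filter add chain=input in-interface-list=WAN action=drop comment="in-wan-drop"
# Everything not explicitly accepted above is dropped at the end of the chain
/ip/firewall/filter add chain=input action=drop comment="in-default-drop"

# --- Forward chain: LAN -> WAN only, nothing between LAN clients
/ip/firewall/filter add chain=forward connection-state=established,related action=accept comment="fwd-est"
/ip/firewall/filter add chain=forward in-interface-list=LAN out-interface-list=WAN action=accept comment="fwd-lan-wan"
/ip/firewall/filter add chain=forward action=drop comment="fwd-default-drop"

# --- Idempotent script: add a rule only if its comment is not present, and place it
#     before the final drop so ordering does not depend on when the script runs.
#     (Hypothetical rule: allow one client to reach the router; address is an assumption.)
/system/script add name=ensure-mgmt-rule policy=read,write,test source=":if ([:len [/ip/firewall/filter find comment=\"in-mgmt\"]] = 0) do={ /ip/firewall/filter add chain=input src-address=192.0.2.2 action=accept comment=\"in-mgmt\" place-before=[find comment=\"in-default-drop\"] }"

# Run it once at every boot (RouterOS keeps the rule anyway; this is belt-and-braces)
/system/scheduler add name=ensure-mgmt-rule start-time=startup interval=0 on-event=ensure-mgmt-rule

# Verify what actually got installed, in order, with hit counters
/ip/firewall/filter print stats
```

The `place-before=[find comment=...]` form is what replaces the "rules land in a random position" problem described by the OP: the script names the rule it wants to sit in front of, rather than trusting insertion order. `/ip/firewall/filter print stats` is the equivalent of reading the table back, including packet and byte counters per rule, so a rule that never matches shows up as zero.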
Re: Do AP's come with all router functions?
Posted: Tue Dec 10, 2024 6:06 pm
by holvoetn
- In case I do need to verify via SSH, can I use typical tools like PuTTY? I think PuTTY works with OpenSSL and if RouterOS doesn't support that, then I don't know...
All that should work, although been years since I tried PuTTY.
PuTTY works just fine.
Re: Do AP's come with all router functions?
Posted: Wed Dec 11, 2024 4:09 pm
by OOJSPI
Is it possible to install add-ons like AdGuard Home and/or Suricata?
Re: Do AP's come with all router functions?
Posted: Wed Dec 11, 2024 4:21 pm
by holvoetn
Add-ons: not really or not in the way you may see it.
But you can install containers.
So if it works in a container, it may work.
Not full-fledged docker but usable.
Provided you have enough storage, memory, ...
My personal view: a router is not my primary target device to run such things.
I also toy with it at home just to see what it can be used for but I use it nowhere on production setups.
(e.g. I run PiHole, Openspeedtest, iperf3 and netinstall as containers, purely for lab-purposes)
There are other things which are made available as separate packages by Mikrotik staff like zerotier, ROSE (network storage), ...
Those can simply be loaded and used (provided architecture is compatible and again, storage, memory, ...)
Re: Do AP's come with all router functions?
Posted: Thu Dec 26, 2024 4:19 pm
by OOJSPI
Thank you for all your replies! I still have some questions:
- Are there dumps of tools used by RouterOS? For example, I want to have tcpdump, iptables, ebtables, and arptables.
- Are there any NVRAM dumps?
- Can updates for tools (such as tcpdump, iptables, ebtables, and arptables) be downloaded independently as packages via "apt update" or something similar?
- Does initial setup utilize any kind of encryption for local access? For example, ASUS routers use plaintext HTTP for initial local setup and encrypted HTTPS for local login only after setup is complete. I think that's a major flaw. Some Ubiquiti routers, for a while, allowed SSH access with a hardcoded default login credential during the initial setup phase. Yet another major flaw.
- Where can I find a script that can start on boot to apply custom iptables rules without messing up existing iptables rules added via the GUI? For example, some Ubiquiti routers allow for on-boot scripts, but there is no way to apply your custom iptables rules at the right time via a script because the Ubiquiti firmware doesn't load in the same order every time. That means custom script rules can be inserted above GUI-based rules, in the middle of GUI-based rules, or afterwards, depending on how the Ubiquiti firmware decides to process them on boot.
I've seen some threads about MikroTik offering only TLS 1.2 and not TLS 1.3. That's a bit silly, but does it at least stick to secure ciphers (such as GCM instead of CBC)?
Re: Do AP's come with all router functions?
Posted: Thu Dec 26, 2024 5:24 pm
by itimo01
- Are there dumps of tools used by RouterOS? For example, I want to have tcpdump, iptables, ebtables, and arptables.
ROS has packet capture as a tool. Other than that you can't access iptables directly, only through Mikrotik's "overlay".
But you can export all your config (or just a part of it) to a single file (backup or script) and you can restore from that. Scripts you can also edit in plaintext.
- Are there any NVRAM dumps?
Not as far as I know. If you're looking for the Firmware you can download that on the Website.
- Can updates for tools (such as tcpdump, iptables, ebtables, and arptables) be downloaded independently as packages via "apt update" or something similar?
No
- Does initial setup utilize any kind of encryption for local access?
Mikrotik Devices now come with a default password (different for each device), but access to the router is possible either through unsecure HTTP/Telnet or with secure SSH/Winbox by default.
Where can I find a script that can start on boot to apply custom iptables rules without messing up existing iptables rules added via the GUI?
I don't think that's necessary since your changes are saved.
If you want to checkout Router OS just use the demo here:
https://mikrotik.com/software
Or you can get a cheap device (AX Lite for example). That's what I did when switching over from Unifi.
Try RouterOS now by using our online demo routers
Connect via SSH or download our graphical application WinBox (latest version). When connecting in either way, use the address demo.mt.lv or demo2.mt.lv. Username is "demo" and there is no password.
You can also open the web configuration interface in your web browser: demo.mt.lv and demo2.mt.lv
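What the "packet capture as a tool" and "export your config" answers above look like in practice: the built-in sniffer standing in for tcpdump, a TZSP stream to a Wireshark host standing in for a remote capture, and `/export` plus a binary backup standing in for reading the firmware's tables and NVRAM. This is an added example written for this thread, not from the original posts; the interface name, the capture host address 192.0.2.10, the UDP port and the file names are assumptions:

```routeros
# --- Local capture to a file (tcpdump -i ether1 udp port 51820 -w ...)
#     Limits are in KiB; the capture stops by itself when the file limit is reached.
/tool/sniffer set filter-interface=ether1 filter-ip-protocol=udp filter-port=51820 \
    file-name=wg-ether1.pcap file-limit=20000KiB memory-limit=10000KiB
/tool/sniffer start
:delay 30s
/tool/sniffer stop
/file print where name~"wg-ether1"
# Quick look without downloading the pcap:
/tool/sniffer/packet print

# --- Remote capture: stream every matching frame as TZSP to a Wireshark host
#     (assumed host 192.0.2.10; Wireshark decodes TZSP on UDP/37008 by default)
/tool/sniffer set streaming-enabled=yes streaming-server=192.0.2.10 filter-stream=yes
/tool/sniffer start
# ... inspect in Wireshark, then:
/tool/sniffer stop
/tool/sniffer set streaming-enabled=no

# --- Read the "tables" back instead of trusting the GUI
/ip/firewall/filter print detail without-paging
/ip/firewall/nat print stats
/ip/firewall/raw print stats
/interface/bridge/filter print

# --- Text export of the whole configuration (v7 hides secrets unless asked)
/export show-sensitive file=full-config
# Only one subtree, e.g. the firewall:
/ip/firewall export file=firewall-only

# --- Binary backup (closest thing to an "NVRAM dump"); encrypted with the given password
/system/backup save name=before-change password=ChangeMeBeforeUse
/file print where name~"before-change"
```

The text export is what a script-based restore consumes and what diffs cleanly in version control; the binary backup restores onto the same model only and carries MAC addresses with it, which is the duplication caveat raised later in this thread.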
Re: Do AP's come with all router functions?
Posted: Thu Dec 26, 2024 6:01 pm
by holvoetn
- Are there any NVRAM dumps?
Not as far as I know. ...
Binary backup is the closest possible (as opposed to export in txt format of config).
Can be used to restore on the exact same device or model (but be careful with MAC address duplication on your network since those will be copied as well)
Re: Do AP's come with all router functions?
Posted: Thu Dec 26, 2024 7:27 pm
by un9edsda
I seek a prosumer router, something similar to UniFi Dream Machine, but with newer hardware for WireGuard throughput and better customizations.
Since it seems that you are tech savvy, a separate router like the RB5009UPr+S+IN with a Marvell 88E6393X switch chip and WiFi Access Point(s) like the cAP ax (powered by the RB5009UPr+S+IN) with Qualcomm QCN 5022 (or whatever AP you prefer from another vendor) would give you more flexibility in the long run. For example, should you later need 10 Gbit optical ethernet, you could easily add a CRS309-1G-8S+IN with a Marvell 98DX8208 switch chip which provides L3 Hardware Offloading capabilities (and could serve as your core switch).
Re: Do AP's come with all router functions?
Posted: Sat Dec 28, 2024 4:18 pm
by OOJSPI
No HTTPS? Only HTTP, Telnet, and SSH for local access?
How accurate is Mikrotik overlay for firewall rules? Without seeing actual tables, I can't even judge whether GUI applies what I think it applies...
Re: Do AP's come with all router functions?
Posted: Sat Dec 28, 2024 4:56 pm
by BartoszP
It's accurate enough.
IMHO you should buy any Mikrotik router and test it by yourself. All functions are accessible on all models if only you do not want to use very advanced functions depending on e.g. switch chipset functionality, but then you have to have at least a BSc degree in ROS.
Don't you think that we - the same kind of users as you - should decide for you if MT hardware and software fits your needs and do the "compare all functions of ... to ..." homework for you?
Re: Do AP's come with all router functions?
Posted: Sat Dec 28, 2024 5:23 pm
by jaclaz
Or even before buying anything, you can get a CHR image and play with it.
https://help.mikrotik.com/docs/spaces/R ... Router+CHR
https://mikrotik.com/download
(though no wifi capabilities)
You can use that in a VM (like VirtualBox or VMware) or - if you also want to test some networking/routing/firewalling functionalities - in a simulator/emulator like GNS3 (GNS3 is usually a PITA to install/configure, but once you manage to have it running, it is very useful to test settings and their effects).
The Winbox tool is very comfortable to use to configure a Mikrotik device as it also has a Terminal, so through Winbox you have both a GUI and a command line interface (like with PuTTY via ssh or telnet).
GNS3 has also an optional docker image of the Winbox tool.
Re: Do AP's come with all router functions?
Posted: Sat Dec 28, 2024 6:24 pm
by wrkq
Frankly, the OP appears to be the "must see everything all the way to the bottom, must feel 200% in control" kind of person (which is an attitude I share, but maybe not quite to the same level).
And because of that, I just would like to point out that RouterOS - which is basically 80% Mikrotik in-house proprietary code, 10% vendor code, 10% linux kernel - and its "no, you cannot peek behind the curtain" perspective - may be very much not the correct/comfortable choice for them.
Otherwise, however, indeed - "first vibe check" is perfectly handled with a CHR at zero cost, "second vibe check" can be handled with a low-cost device like a hex3, hexRe, or maybe hapax (lite?), unless the budget constraints are so tight it makes more sense picking up something that "can be used later" nonetheless.
(And no, of course HTTPS is available next to HTTP, just as SSH is available next to telnet; however HTTPS if I recall correctly has to be enabled manually due to the need for a certificate.)
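The service situation described above (HTTP and Telnet on by default, HTTPS available once a certificate exists) turned into a hardening fragment for RouterOS v7. This is an added example for the thread, not from any post here or from MikroTik; the certificate names, the hostname "router.lan", the management subnet 192.0.2.0/30 and the NTP server name are assumptions, and `tls-version=only-1.2` reflects the TLS 1.2 limitation discussed earlier in the thread rather than a recommendation to avoid 1.3:

```routeros
# --- Local CA and a server certificate signed by it (names are assumptions)
/certificate add name=local-ca common-name="router-ca" key-usage=key-cert-sign,crl-sign days-valid=3650
/certificate sign local-ca
/certificate add name=www-cert common-name="router.lan" days-valid=825 \
    key-usage=digital-signature,key-encipherment,tls-server
/certificate sign www-cert ca=local-ca

# --- Management services: HTTPS, SSH and Winbox only, and only from one subnet
/ip/service set www-ssl certificate=www-cert tls-version=only-1.2 address=192.0.2.0/30 disabled=no
/ip/service set ssh    address=192.0.2.0/30
/ip/service set winbox address=192.0.2.0/30
/ip/service set www     disabled=yes
/ip/service set telnet  disabled=yes
/ip/service set ftp     disabled=yes
/ip/service set api     disabled=yes
/ip/service set api-ssl disabled=yes
# Modern-only SSH algorithms (drops the legacy cipher/MAC set)
/ip/ssh set strong-crypto=yes

# --- Layer-2 management paths that bypass IP filtering
/tool/mac-server set allowed-interface-list=none
/tool/mac-server/mac-winbox set allowed-interface-list=none
/tool/bandwidth-server set enabled=no

# --- Services the OP listed as "needless": off rather than firewalled
/ip/proxy set enabled=no
/ip/socks set enabled=no
/ip/upnp set enabled=no
/ip/dns set allow-remote-requests=no
/system/ntp/server set enabled=no
/system/ntp/client set enabled=yes servers=time.example.org

# --- Verify: only the intended listeners remain, and check the lock-out features
/ip/service print
/system/device-mode print
/system/routerboard/settings print
# Example of locking features out (requires a physical button press or power cycle
# within a few minutes to take effect, which is the point of device-mode):
# /system/device-mode update socks=no proxy=no bandwidth-test=no traffic-gen=no
```

The `address=` restriction on each service is the RouterOS way of saying "only one client may talk to the router itself" without writing a firewall rule per service; the input-chain default drop still belongs in `/ip/firewall/filter` as a second layer. `/system/device-mode` is the mechanism Amm0 pointed at earlier: once a feature is locked out there, a compromised admin session cannot re-enable it without physical access to the device.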
Re: Do AP's come with all router functions?
Posted: Sat Dec 28, 2024 6:30 pm
by BartoszP
Or even before buying anything, you can get a CHR image and play with it....
Stupid me .... had forgotten such an obvious solution
Re: Do AP's come with all router functions?
Posted: Sun Dec 29, 2024 8:55 pm
by anovojr
I've used MikroTik before, and while their products might seem like just access points at first glance, they can definitely work as full routers with RouterOS. The Chateau LTE12 you mentioned can be set up for routing, VLANs, NAT, and WireGuard without issue. RouterOS is powerful, but it’s a bit of a learning curve—once you get the hang of it, it's great for custom setups without the annoying restrictions other routers might have. I’ve had good experiences with it in terms of customization, and it doesn't wipe your settings like some other brands. If you're up for spending a bit of time learning RouterOS, it should do exactly what you're looking for.