I have just put up a new video focused on securing a MikroTik RouterOS device. Securing the device is often overlooked, so in this video I attempt to offer some guidance on how to make sure no unauthorised access is made.
UPnP is helpful in certain situations where you need a device to poke holes in your firewall for particular services. The most common usage of UPnP on MikroTik is for online gamers who want to achieve an open NAT type for their Xbox Ones, PS4s and other applicable gaming consoles, and some CCTV systems also offer UPnP for remote viewing. UPnP is seen as a bit of a security flaw because it allows devices to poke their own holes; if a device becomes compromised it could open your network up to a lot of nasty stuff from the web. You should only really use it as a temporary measure whilst you put a good port forwarding structure in place, or where port forwarding is not possible.
Both written and video tutorials are now available for adding UPnP to your router using MikroTik RouterOS. UPnP is a nice easy one to do but should only be used if you absolutely can't forward the relevant ports.
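As an added illustration of the point above (my own config, not the author's .rsc file or the commands from the video), here is the UPnP setting you want to avoid, the tighter form, the command that shows every hole UPnP has punched, and the static forward that should replace it once you know what the console needs. The interface names ether1 (WAN) and bridge (LAN) and the console address 192.168.1.50 are assumptions for the example.

```routeros
# Added example, not the author's tutorial file. Interface names and the
# console address are assumed; adjust them to your own router.

# Weak: UPnP on, and any LAN device may also ask the router to drop its WAN link
/ip upnp set enabled=yes allow-disable-external-interface=yes show-dummy-rule=no

# Better: UPnP on, but devices cannot disconnect the WAN, and the placeholder
# rule is visible so you can see UPnP is active when reading the NAT table
/ip upnp set enabled=yes allow-disable-external-interface=no show-dummy-rule=yes
/ip upnp interfaces add interface=ether1 type=external
/ip upnp interfaces add interface=bridge type=internal

# Audit: every mapping a device has requested appears as a dynamic dst-nat rule
/ip firewall nat print where dynamic

# The replacement once you know what is needed: a static forward you control.
# 3074/udp is the Xbox Live port Microsoft documents; the internal address is assumed.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=udp dst-port=3074 \
    action=dst-nat to-addresses=192.168.1.50 comment="Xbox - static forward"

# With the static rule in place, switch UPnP back off
/ip upnp set enabled=no
```

The audit command is the one worth running periodically while UPnP is enabled: anything listed there that you did not expect a console or camera to request is exactly the kind of hole the post warns about. The router only answers UPnP requests on interfaces marked internal, so keep the WAN interface as external only.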
Written tutorial can be found here
Video can be found here
I’ve had my YouTube video out there for a while now (link) and whilst it does get a fair amount of traffic I have always wanted to follow it up with something written as well.
I’ve now just added in a full written tutorial of how to achieve this by using my easy to use drag and drop .rsc file. Head over to the MikroTik section to see more or for a direct link go here
The newest part of my website is now the MikroTik section. This is a new section where I plan on documenting all of my MikroTik how to’s, homing some of the YouTube videos and accompanying files as well as adding in some text based tutorials.
Hopefully it will be of some use to people.
So a small one but very worthwhile. I've today upgraded the RAM from 24GB up to 48GB. It was a really simple swap out job, replacing the 6 DIMMs with 4GB in each with 6 sticks containing 8GB each.
Booted up and worked straight away, and now I have a lot more RAM to throw around between my VMs.
OK so maybe I was a little harsh in the title, but to be honest. It’s quite true for the UK right now.
MikroTik's Wireless Wire truly is a groundbreaking product: a Gigabit full duplex link over wireless at a total retail cost of less than £200. But if something sounds too good to be true, it usually is. The form factor of these units, following the wAP build, is great: small, versatile and outdoor grade, and they feel so well made, with a good weight to them. The box is presented well and they have a nearly premium feel when you are opening the package (something which normally eludes even the expensive MikroTik products). Out of the box they follow MikroTik's normal IP convention of being on the 192.168.88.0/24 space and are addressed and fully secured from the off; you can literally connect them and start passing traffic over them. So I did.
Performance was just as good as expected. With the units in very close proximity (probably a little too close) they were quite capable of maintaining an 800Mb+ speed test, although that was using the built-in bandwidth tester, which is quite notorious for not being as efficient as it could be. Single-direction tests were slightly better, as expected, and when the connection was limited to "only" 500Mb in either direction, latency was measured at <1ms. At full tilt the latency did get a little wobbly, but again I'm more inclined to think this was the CPUs in the devices than the actual link limitations.
So why won’t we be using this?
Unfortunately for our country, whilst the use of the 60GHz frequencies mentioned is licence exempt, there are stipulations you need to adhere to, and this one falls over on antenna gain: whilst MikroTik haven't officially released the specs, it is speculated the antenna gain in them is around 13dB, which falls short of Ofcom's guideline stating that you need to use a minimum of 30dB to legally use the 60GHz spectrum outdoors (page 2 if you're interested). For the time being this means that this amazing Wireless Wire product is indoor use only.
There is a company in Poland, though, who are currently developing some larger antennas for them: http://siec.multimediahd.pl/
So whilst the Gigabit full duplex, low latency, low price link is something we certainly want to see more of, you won't be seeing one mounted externally anywhere near you any time soon (well, not legally anyway).
MikroTik website product link here
As I've been shifting the home network around a lot lately I've taken the chance to have a test of the Unifi USG3 router. Whilst I have used it very briefly before, I have never given it a good chance to stretch its legs and implement a lot of the features, having always shelved it in favour of a MikroTik system.
The cherry on the icing with the USG range of routers has to be the brilliantly executed DPI (more about that later).
The home screen of the controller lights up the 2 left hand bubbles and the left hand middle (WAN) with information relating to the connection. The latency is a bit off as it pings ubnt.com, and while there is a variable to change the target, I found that this broke it completely, so I reverted it to UBNT. A couple of neat graphs underneath show average throughput and latency over time, with a summary of wireless channels and users to the right, and some more information towards the bottom of the screen about device totals, user totals and then a brief overview of traffic and the protocols causing it.
DPI is where the router comes to life though. If you want a nice user friendly interface to see who is smashing through your connection then the USG is definitely for you: the statistics page comes to life and clearly displays your traffic types in a format that even a networking noob could take in.
This can be expanded upon category by category by clicking on the protocol identified.
It also has a users option, so you can see exactly who is causing the most traffic, or how active a particular user is on each protocol.
You can also click onto the clients tab (down the left), click on a client and choose the DPI option to see that user's history exclusively.
The Unifi routing is where I start to lose interest though. It's basic, with some room for more advanced features, and I can only hope the Ubiquiti development team will expand upon this; for a basic consumer device this would be brilliant, but the more corporate or power users will begin to feel hindered by it. I'm currently feeling like both hands are tied together, coming from a MikroTik RB3011.
I will admit the lack of an L2TP client (through the GUI) is a bit of a pain for me, and not being able to create lists of either IPs or self-resolving hostnames is also a major let down. Static routing you can do without any issues if you know the destination IP range, but that's about as far as I could take it in testing.
I will admit though that I am very taken by the Unifi app; it manages to cram all of the information, which can look crammed on a full screen, down onto my iPhone SE screen. I often find myself sitting there flicking through the pages just out of pure interest.
All in all, I’m really happy with the USG3. I love having the clarity of seeing what device is putting traffic where but there is a downside, I miss the overwhelming control I get from having a MikroTik in there. If the USG were to be developed on a bit further and I could appease myself that the Pro rack mounted model could be quiet then I’d probably convert. For now though it will stay where it is until I convince myself that a CCR is really what I need.
After a somewhat quick and easy build process for the ESXi server I was hoping to put a new CHR installation on, I've struggled massively with noise levels with the kit. Even though I knew to expect "some" noise, I just can't get the Dell quiet enough to live in my rack permanently.
My cave is a very nice tranquil place and even though my Ryzen build hums at times, the ESX server just wasn’t cutting the mustard for me.
I have now down- or side-graded back to my RB3011, however I have made a slight change to the network. As I receive service through FWA, the Cat5 comes down and goes into an RB260GSP where it is converted to fibre, and that is then fed from the house out to my cave. The RB3011, having an SFP port, is ideal, so it is now connected directly without going through further multiple copper links and patches.
The LAN has not been left alone either: a copper uplink into a CRS112 has been used (due to its 4 SFP slots) and also to extend the RB3011's 10 copper ports. The CRS112 is now feeding a Unifi 8 port PoE switch in the attic, a CRS125 (for non-PoE) in the attic and also the PoE switch in the cave, as well as the "Tutorial" RB2011.
A busy and disappointing weekend (week really), but it has left me wanting a bit more. I'm thinking about possibly looking into a CCR1009 with 2 SFP slots (WAN and LAN), but that's a fairly large amount of money that I won't be getting my hands on with the new Ryzen Zen+ lineup launching in 2 months' time.
For the time being I’ve also managed to tidy the attic up, I had been using 1m patch cables and it was getting extremely messy up there so now have properly mounted the Unifi switch with the CRS and things have neatened up a treat.
Quick update on the state of play with the router.
After the Dell server was phenomenally loud when running, I had decided not to make the move over; however, some deep googling and checking through the Dell forums turned up that there were BIOS releases that addressed this problem. With the combination of the new BIOS, setting all the power settings to custom and opting for power saver, the server has now quietened down to a level I would class as acceptable.
Project CHR is back on track! I’m hoping that this weekend I can get the copper to fibre converter in so I can get the CHR spun up and routing as my main router.