RouterBoard (MikroTik) or Ubiquiti EdgeRouter - any good?

[Handruin]

My home router has been on the fritz more frequently lately so I suspect it may be on its way out. Does anyone have experience with either RouterBoard (MikroTik) and/or Ubiquiti products? I'm considering either the RouterBoard RB2011UiAS-IN or the EdgeRouter ERPoe-5. I'd like a router/firewall/NAT that offered some decent protection and flexibility. I would also add a wifi access point into the network as a separate device and just connect that into the LAN side of my network. I'm still undecided on that hardware but wanted to see if anyone had feedback on a decent home router/firewall. I've read decent feedback elsewhere on both products. The RouterBoard seems to be a bit complicated to setup but a beast in terms of functionality and the EdgeRouter also offers a lot of great functionality. I'm leaning toward the 5-port EdgeRouter right now.

 

[timwhit]

I've been running a Ubiquiti RouterStation Pro since 2011. After I got it setup it just runs, never had a problem with it.

 

[Handruin]

Did that device come with built-in WiFi or did you add it on as a separate access point?

 

[ddrueding]

At work one of my guys has set up some Edgerouter Lite units without issue, but I have no firsthand experience. I'm still running the beast RouterBoard at home (RBAH1100x2, modded with a 120mm top-mount fan). Got it to try for work, and didn't find the interface friendly enough to deploy elsewhere. It is super-powerful, but you would need to be a hardcore networking guy to be able to do anything without an online guide.

 

[timwhit]

Did that device come with built-in WiFi or did you add it on as a separate access point?

I just have a separate AP hooked into my switch.

 

[Mercutio]

On one of my home machines, I have an Untangle VM with a couple dedicated NICs for traffic control. It's essentially line speed for my cable modem and it wasn't hard at all to set up.

 

[Handruin]

I have not heard of Untange before; I'll have to read up on what it offers for functionality. I don't know if I want to run a full system with a VM used as my main firewall/NAT. I'd rather an appliance of some kind that is a little less complicated in its setup. I do have a couple systems I could use but they're rather noisy and power-hungry for this task.

In addition to replacing flakey router, I have a couple projects I want to work on. I'd like to setup an nginx cache for Steam downloads for when I have LAN parties. This would likely require me creating my own DNS server and/or proxy for any system that connects to my network. I also want to see if I can create an equivalent of an adblock for my entire house network rather than just per-browser. I haven't yet begun to research if this is possible and if-so how I might go about doing that. I'm hoping I can build this into my nginx config which is used for caching Steam content. It looks like Untangle supports this feature which is rather interesting.

 

[CougTek]

It is super-powerful, but you would need to be a hardcore networking guy to be able to do anything without an online guide.

Handruin has been working in a datacenter environment for the past, what, fifteen years. He probably qualifies as a hardcore networking guy.

I only have Ubiquity access points at work. They work ok. A notch below our Aruba wifi controller, but less than one third the price too.

 

[CougTek]

BTW, the best router/firewall I've dealt with are made by Watchguard. Overkill for a SOHO, but damn nice equipment nonetheless. We have a 3 Series and two 5 Series at work. Simple to configure, reliable, troublefree.

If you can afford it, an XTM-25W would probably be the best router you could have.

 

[CougTek]

Oh, I've seen the prices of the models you are considering. Forget my Watchguard recommendation. It is way above your budget. Sorry for wasting screen space.

 

[Handruin]

I appreciate the recommendations. I'm reading up on the Watchdog series now and it looks nice but I have concerns over the yearly superscription model for support and updates. The series 3 and series 5 are way beyond what I'm looking to spend for this project even if they are superior. The XTM-25W is also a bit higher than I was considering but looks like a solid device.

I also looked into the Aruba APs and they're also pretty expensive for my home needs. Right now I'm considering going with the Ubiquiti EdgeRouter ERPoe-5 ($175) and a Ubiquiti UniFi UAP-PRO ($200). I was considering the UniFi Long Range Access Point but it's confusing why they quote 300Mb performance when it only has a 100Mb Ethernet connection?

 

[ddrueding]

I suspect the 300Mb is between wireless devices? I have a pair of UAP-PRO at my house, and a half-dozen at work. They are almost perfect considering how much cheaper they are than the alternatives. Only complaint would be the management software, though they've probably improved it since I last had a look (couple years?)

 

[Handruin]

I was wondering that also if the 300Mb was between wireless devices only but I can't think of many situations where I would transfer any significant amount of data between wireless devices.

I ordered the EdgeRouter and UAP-PRO tonight to give it a try. If I don't like the new setup I'll ship it back to Amazon. I figure down the road when I have an 802.11ac device I can look into adding an access point which supports that speed. By then they should be less expensive and more mature. I'm psyched that I can place this access point anywhere I want in the house since it's decoupled from the router.

I also found a thread on how to setup an internal equivalent of DNS-based adblock plus inside the router. I'm eager to give that a try.

 

[Mercutio]

Remember that 802.11 loses about half its bandwidth to protocol overhead. 300Mbit for a point to point link is probably just enough to ensure actual 100Mbit operation.

With regard to running a router appliance as a VM, it actually works great if you have the resources to throw at it. It's one less piece of hardware to break and it's easy to port between machines if need be.

 

[CougTek]

Be sure to update your firmware and change the default password ASAP on your Ubiquity router. Otherwise, chances are good it will be controlled by someone else than you.

 

[timwhit]

Be sure to update your firmware and change the default password ASAP on your Ubiquity router. Otherwise, chances are good it will be controlled by someone else than you.

I looked into updating the firmware on my RouterStation Pro a couple months ago, but didn't find anything.

 

[Handruin]

Be sure to update your firmware and change the default password ASAP on your Ubiquity router. Otherwise, chances are good it will be controlled by someone else than you.

I plan to play around with it for a bit inside my LAN before exposing it to the WAN. I'll make sure to change the default login. One video review I watched recommended removing the default account and creating my own. I'm guessing this will help with this situation.

 

[Handruin]

I got the Unifi AP today and I've been doing a few tests via my laptop. When downloading a large file from my server I'm seeing about 164Mb/sec average and 188Mb/sec when uploading a file to my server. This is with the 5Ghz radio using WPA2 with a single client. I'm not sure what I should be expecting but these seem like pretty reasonable speeds for 802.11n. I'll try some iperf tests at a later time. I should also note that my wifi analyzer on my phone shows no other 5Ghz wifi's in my area which could be helping the situation.

 

[Handruin]

Handruin has been working in a datacenter environment for the past, what, fifteen years. He probably qualifies as a hardcore networking guy.

I only have Ubiquity access points at work. They work ok. A notch below our Aruba wifi controller, but less than one third the price too.

I have to admit there are a lot of features in the EdgeRouter OS that I've never played with before despite having numerous years in a datacenter. For example, I've never heard of OSPF until now and I'm still unclear if I will benefit from enabling it.

I'm slightly concerned with getting the router's config wrong. I realize this is the pros and cons with having a utility that offers much greater flexibility than an average consumer appliance like I previously used. Having to define all my own firewall rules leads me to investigate and research a lot more than I have in the past. If nothing else this serves as a good learning experience. There are several guides and forum threads with SOHO configs made freely available but I feel like I'll be cheating myself if I don't take the time to learn and understand what it is I'm configuring.

Overall I really like how I can separate the wireless LAN port from the local LAN and route between them all in the same device and use separate DHCP ranges. I am interested in configuring a guest Wifi SSID for those who don't need access to my LAN environment. At the moment I'm experimenting with the router connected to my laptop and nothing else. The firmware was super-simple to update and the default username has been deleted from the system to reduce security concerns you linked to. It may be a few more days before I feel comfortable replacing my existing router but I'm excited for the features and flexibility this thing offers. I can now also update my dynamic DNS name from the router vs from a Linux system that I've been using. I also found a place that sells a 1U 19" rack mount plate that I can use to mount this router into my rack in the basement.

 

[ddrueding]

That is pretty much how I felt about the MikroTik; a great opportunity to learn more about the guts of networking. Unfortunately, I procrastinated the swap until my existing router failed and had no choice but to jam the new one into place. I still have a "to do" list around here somewhere of QoS and port-forwarding stuff.

 

[Handruin]

I'm fortunate to be able to use my existing router even though it has been showing increasing signs of failure over the past couple months. I didn't want to get stuck in the same situation you described. I can share what I find in this thread if you think it'll be of any use. I know the hardware isn't the same nor are each of our environments but the concepts should transpose to each device.

 

[Howell]

You don't need any routing protocols (eg OSPF) unless you need this device to communicate routing tables to another router. Basically, if you have a second wan connection or multiple internal networks, and a second router it might be worth moving beyond static routes.

 

[Howell]

Anybody know the cheapest solution to get multiple ssids in the same device?

 

[Handruin]

Anybody know the cheapest solution to get multiple ssids in the same device?

The Unifi UAP supports 4 SSIDs per radio (one radio) and a isolated guest network and is roughly $65 on Amazon. I believe you should be able to run more than one of these with wifi handoff. I don't know if that qualifies as the cheapest or meets your needs. The UAP Pro which I just purchased offers 4 SSID per radio (two radios | 2.4Ghz and 5Ghz) for around $200 on Amazon and offers several other features. I'm sure there are other options but these are freshest in my head since I just researched them.

 

[CougTek]

For example, I've never heard of OSPF until now and I'm still unclear if I will benefit from enabling it.

I'm with Howell: you don't need any dynamic routing protocol like OSPF. At most, if you have a static IP from your ISP, you could set a static route in your router for the default gateway, which has a much lower metric than an OSPF-learned route (1 versus 110) and is safer. I don't know if there's a CLI on this router, but if there is and if it allows it, your could also program a static route to the WAN interface. Not all networking OS permit that though (like HP Provision).

 

[Howell]

I'm with Howell: you don't need any dynamic routing protocol like OSPF. At most, if you have a static IP from your ISP, you could set a static route in your router for the default gateway, which has a much lower metric than an OSPF-learned route (1 versus 110) and is safer. I don't know if there's a CLI on this router, but if there is and if it allows it, your could also program a static route to the WAN interface. Not all networking OS permit that though (like HP Provision).

The wan would be directly attached and so would not need a static route.

 

[Handruin]

I don't have a static IP from my ISP for this. I'll be configuring the WAN port as DHCP in my environment. There is a CLI on the router and it seems to be plentiful in it's abilities to configure the device. I don't know all the options yet so I can't say if the WAN interface would even allow for a static route.

 

[Handruin]

I'm a little stuck trying to figure out a minor situation with the configuration in the router. I have a domain name which is set to resolve to my personal ISP IP address through the use of dynamic DNS updating. Before changing the router, I was hosting a website on port 80 that's used for testing, etc and it resolved fine both inside and outside my home network. After the router change I've configured the same port forwarding but now whenever I try to browse the domain from within my home network I get redirected back to the ubiquiti admin login for the router but on port 443. If I browse the domain from my mobile phone (with wifi disabled) I can see the normal website home page and not the admin page (which is what I would expect). I've tried with and without hairpin NAT enabled and it didn't seem to make much difference. Is there some routing rule or NAT configuration I need to make to keep my domain name from being redirected to the admin login page on the router?

One suggestion I found was to change the port on the admin page but I would rather not do that unless there is no other way.

 

[ddrueding]

I don't host web pages anymore, but when I did I also ran a local DNS. This let me just put in a permanent record for that name pointing locally. A hack, I know, but it worked great.

 

[sdbardwick]

WAG: HTTPS everywhere extension on browser (or something similar) causing redirect to 443?

 

[Handruin]

WAG: HTTPS everywhere extension on browser (or something similar) causing redirect to 443?

No extension causing this. I tried on multiple machines with the same results.

 

[Howell]

I don't see mention of any service providing internal name resolution. Your computer did not change so I do not suspect use of a hosts file there. Which means there must have been a way to manually or automatically configure it on the router. Where does the dynamic dns update client run? Computer or router?

 

[Handruin]

No I don't use my own DNS server at the moment or any host file changes. The dynamic DNS update was running from the server which the domain resolves to but now it's running on the EdgeRouter. I confirmed it was updating the IP address because my IP changed when I released and renewed the address after switching routers.

 

[Howell]

It's hard to know exactly how you are arriving at the admin page. This might help you implement split dns directly on the router: http://serverfault.com/questions/48...ernal-server-when-dns-answers-with-external-i

 

[blakerwry]

The Unifi UAP supports 4 SSIDs per radio (one radio) and a isolated guest network and is roughly $65 on Amazon. I believe you should be able to run more than one of these with wifi handoff. I don't know if that qualifies as the cheapest or meets your needs. The UAP Pro which I just purchased offers 4 SSID per radio (two radios | 2.4Ghz and 5Ghz) for around $200 on Amazon and offers several other features. I'm sure there are other options but these are freshest in my head since I just researched them.

How are you liking the Ubiquiti gear? I was recently given a project at work that involved moving/replacing two consumer APs and a pfSense firewall and decided to replace the two APs with a single Ubiquiti UAP. First impressions on the software and the hardware are good. I'd like more time to play with it, but I'm thinking of getting a UAP/UAP-Pro for home. I'd likely pair it with my existing WRT-54G router (with the router's AP disabled), but could be persuaded to move to a Mikrotik or other appliance sized router.

 

[Mercutio]

I've been finding reasons to mess with Nanostations and UAP-LR devices. They're good, trouble free hardware, though everything uses weirdo non-compliant PoE. I haven't found the UAP-LR's range claims to match up with anything resembling reality so far, but next time I'm at that client site I'm actually going to test it with a 2.4GHz LocoM2, just to see if a better client device will get better reception than my phone or laptop can.

I especially like the software controller on the UAPs. That's not a level of refinement I expect to have on ~$70 access points.

 

[Handruin]

I've had a good experiences with my setup so far. It's been up and running for about a month so I don't have a ton of runtime with it yet. It took me a little bit of time to learn and configure but once I found some examples and help I was off and running with a solid config. The performance and reliability of the UAP-Pro has been perfect so far for my needs. The UAP-Pro is powered using PoE with no issues that I can tell so far. I'm not sure what Mercutio means by everything they offer having non-compliant PoE. I know some of their devices have a non-compliant PoE but I thought the UAP-Pro has a compliant PoE implementation. They list it in their documentation as "Passive Power over Ethernet (48V), 802.3af Supported". I'd be interested to know more about that being not PoE compliant specifically for the UAP pro (I can't speak for the other devices).

My router config isn't too complex. I bought a supported rack-mount which fits the EdgeRouter PoE so that it fits nicely in my rack in the basement. I do some limited port-forwarding to some VMs for various purposes. I make use of the dynamic DNS update with a domain hosted at namecheap and that works perfect so far. I feel like the range is decent for the UAP-Pro. My house isn't very large so I get good coverage anywhere in the house. The 5Ghz is a bit less in terms of coverage but from what I've read that seems normal given the frequency. I've not had any drops or connectivity issues with it that I know of. My Roku now works properly on Wifi whereas I couldn't get it to connect to my previous DLink AP/router. Prior to setting up the EdgeRouter I was using the UAP-Pro connected to my DLink and it worked well. I disabled the onboard AP like you had done with your WRT-54G.

The Mikrotik also seem to be very powerful in functionality. I've followed discussions of people who configure their Mikrotik routers with scripting to balance QoS based on load when their ISP offers limited out-going bandwidth. I haven't explored that much for scripting in the EdgeRouter but I do know it exists. I'm using the scripting for having a whole-house DNS-based ad-block. It seems to work well for the most part. I haven't seen an advertisement on YouTube in a month now (on my Roku).

 

[Mercutio]

The non-Pro UAP devices and the Nanostations I've gotten to use don't have 802.3af compliant PoE adapters. The Netgear Smartswitches I use in most of my installations should power PoE devices just fine but it seems that less expensive Ubiquiti devices don't support that option and run on some weirdo half-voltage derivative.

 

[ddrueding]

They do run on 24v instead of 48v. I thought all the devices that did this included a PoE adapter. I'm I'm going to have several of them I get one of their ToughSwitch Pro units (the pro supports 24v and 48v).

 

[Handruin]

I see options that let me configure my router to run at 24 or 48V for each port. My UAP-Pro is running at 48V but I don't recall if 24V is a supported option. I realize that's not the same for some of the other UAP gear.