Commercial Grade Router

CaliZ

Hello,

We took on a business that is already integrated with a mixed environment of Mikrotik (Routerboard hEX and cAP AC from what I can tell) and Ubiquiti (PoE Switch) equipment. The Ubiquiti equipment is very accessible to purchase replacements for, while Mikrotik in the past has been a special order, and last that I checked, requires a subscription for updates. Their internet is full 1 Gbps up and down, but they are having issues with their VOIP phones sounding scrambled to the recipient. I've tried to check for vocoder/bitrate, but their provider only allows for profiles based on the phonesets they use. I can only guess that it may be a QoS problem.

The question(s) and troubles are:
Is it worthwhile for them as an SMB, to continue with the Mikrotik for VLAN (Guest WIFI) and VOIP configuration?
Or is there a reasonable SMB router to replace it with? (Ubnt's USG don't look to support full gig internet.)
 
Mikrotik are pretty darned inexpensive, yet stable and fast routers. They have a small and loyal fan base of IT guys that use them, been around a long time.

We're a big Ubiquiti house, have a lot of their product out there, but I'll say...we only use their gateways in the most basic of setups, when a client doesn't host any servers behind it (no port forwarding), no VPNs, single IP from the ISP, the most minimal of security needs. I love how the Unifi controller manages the whole stack when it's a gateway/switch(es)/AP(s)....but we're still happy with it when it's just switches and AP..and we have a better firewall at the edge. Our preferred router is Untangle.

The USG can do gigabit, just...not with any security features on.
The UDMs do.
 
I do not know what kind of metrics you have with Ubiquiti and Mikrotik, but you almost certainly have a QoS type problem. Can you diagram the setup or explain how it is configured?

Is the Voice delivered on the same Internet circuit or WAN circuit, or is it a completely different line? The reason I am asking is that if it is separate, QoS matters quite a bit less. Many switches have built-in Voice QoS settings; for example on Cisco you can specify a Voice VLAN then use "auto qos trust dscp" and you are 95% there, provided your VoIP headsets actually use proper DSCP markings such as EF on the packets.
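The "provided your phones actually mark EF" caveat above is the part worth verifying before touching any queue configuration, and a capture off a mirror port is the quickest way to do it. The following is an added example, not code from this thread or from any vendor tool: it decodes raw IPv4/UDP headers, reads the 6-bit DSCP field out of the TOS byte, and lists probable RTP packets that are not carrying EF. The RTP port range, the addresses and the sample frames are constructed assumptions for illustration.

```python
import struct
from typing import Dict, List, Tuple

# Well-known DSCP code points (RFC 4594 guidance). EF (46) is what a correctly
# configured phone should put on RTP media; CS3 (24) is the usual marking for
# SIP signalling. Anything else on media is suspect.
DSCP_NAMES = {0: "BE", 8: "CS1", 10: "AF11", 16: "CS2", 24: "CS3", 26: "AF31",
              32: "CS4", 34: "AF41", 40: "CS5", 46: "EF", 48: "CS6", 56: "CS7"}
EF = 46
UDP = 17
# Assumption: the handsets use this media port range (a common phone default).
RTP_PORTS = range(16384, 32768)


def parse_ipv4_udp(frame: bytes) -> Dict:
    """Decode the IPv4 header (and UDP ports if present) of one captured frame."""
    if len(frame) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, _total_len, _ident, _flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    dscp, ecn = tos >> 2, tos & 0x03        # TOS byte = 6 bits DSCP + 2 bits ECN
    pkt = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
           "proto": proto, "dscp": dscp,
           "dscp_name": DSCP_NAMES.get(dscp, f"DSCP{dscp}"),
           "ecn": ecn, "sport": None, "dport": None}
    if proto == UDP:
        if len(frame) < ihl + 8:
            raise ValueError("truncated UDP header")
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", frame[ihl:ihl + 4])
    return pkt


def looks_like_rtp(pkt: Dict) -> bool:
    """Heuristic: UDP with either port inside the assumed media range."""
    return pkt["proto"] == UDP and (pkt["sport"] in RTP_PORTS or pkt["dport"] in RTP_PORTS)


def audit_markings(frames: List[bytes]) -> Tuple[Dict[str, int], List[Dict]]:
    """Count packets per DSCP name and collect probable media packets that are not EF."""
    counts: Dict[str, int] = {}
    unmarked: List[Dict] = []
    for frame in frames:
        pkt = parse_ipv4_udp(frame)
        counts[pkt["dscp_name"]] = counts.get(pkt["dscp_name"], 0) + 1
        if looks_like_rtp(pkt) and pkt["dscp"] != EF:
            unmarked.append(pkt)
    return counts, unmarked


def build_frame(src: str, dst: str, dscp: int, sport: int, dport: int) -> bytes:
    """Constructed IPv4+UDP header with no payload, used only to build test input."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 28, 0, 0x4000, 64, UDP, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return ip + udp


# Constructed capture: three phones and one desktop talking through the router.
SAMPLE_FRAMES = [
    build_frame("192.168.10.50", "203.0.113.5", 46, 16400, 20000),  # media, EF
    build_frame("192.168.10.51", "203.0.113.5", 46, 16402, 20002),  # media, EF
    build_frame("192.168.10.52", "203.0.113.5", 0, 16404, 20004),   # media, unmarked
    build_frame("192.168.10.50", "203.0.113.5", 24, 5060, 5060),    # SIP, CS3
    build_frame("192.168.10.20", "192.168.10.1", 0, 51000, 53),     # DNS, best effort
]

if __name__ == "__main__":
    counts, bad = audit_markings(SAMPLE_FRAMES)
    print("DSCP distribution:", counts)
    for p in bad:
        print(f"media from {p['src']}:{p['sport']} carries {p['dscp_name']} instead of EF")
```

Run it against frames pulled from a real capture (the IP layer of each packet, after stripping the Ethernet header) and compare the distribution on the phone side of the switch with the distribution on the WAN side of the router: if EF shows up on the first and BE on the second, something in between is rewriting the marking, which is a different fix from missing queues.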
 
To be able to properly take advantage of a real 1gb pipe you need a router that has the underlying hardware to support it. USG3, Mikrotik, etc won't do that. Never tested the higher end USGs. If you want to roll your own you can use Untangle on a PC chassis. No matter which way you go it'll be several hundred dollars.

VoIP problem? First thing I'd do is have them call me using their system. Just a really simple test. Next I'd schedule an onsite to go over everything. Evaluate cabling, test drops as needed, check settings on all networking equipment. One thought that pops up is: do they have SIP "helpers" turned on in the router(s)? Those usually don't help at all and can actually cause problems.
 
Hmmm...so you're probably getting 100Mbps up and down due to the restrictions of the Mikrotik. How many clients are using the Internet (VOIP and computer)?
 
To be able to properly take advantage of a real 1gb pipe you need a router that has the underlying hardware to support it. USG3, Mikrotik, etc won't do that.

Mikrotik absolutely can handle 1Gbps if you are willing to spend enough. Their flagship router is 72-core, 16GB RAM, dual SSD, 8x 10Gb ports.

Solid hardware, well priced and highly configurable... but I still wouldn't recommend unless you go all-in. Reason being they are basically the definition of "designed by techs for techs" on the expectation you know what you are doing and require no hand holding. It takes a bit of learning to become familiar with them. If you only have 1-2 deployed it's going to be a PITA every time you have to re-familiarise yourself because you haven't used one in a while.

I have this exact issue with a Juniper router we have deployed. It's the most reliable router I think I've ever come across. But when it comes to making any changes I absolutely hate the thing because nothing is intuitive and they use different terminology to your standard router. Since it's the only Juniper we have in production each change is usually several months apart so I never get familiar with it. Anything I learn is mostly forgotten by the time of my next interaction.


The question(s) and troubles are:
Is it worthwhile for them as an SMB, to continue with the Mikrotik for VLAN (Guest WIFI) and VOIP configuration?
Or is there a reasonable SMB router to replace it with? (Ubnt's USG don't look to support full gig internet.)

I can guarantee a Mikrotik hEX won't handle symmetrical 1Gb WAN, although I doubt that's the root of your issue. VOIP doesn't need a lot of bandwidth; it cares more about stability, low latency and low to zero packet loss. I'd configure QoS first as that should be relatively quick and your hardware already supports it.

Also, try to pinpoint the source. I like to run Axence NetTools. Set up a ping monitor to everything along the path such as a VOIP phone, switches, router, gateway, public DNS server etc. See if you can spot any patterns, spikes, packet loss etc.

PS.
SMB is defined as anything from 1-100 staff, which leaves a huge variable. How large are we talking here?
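The ping-monitor approach above works because VoIP degrades on loss and jitter long before it runs out of bandwidth, so the question is which hop first shows them. As an added example (not from this thread and not Axence NetTools), the script below takes per-hop RTT samples ordered from the phone outward, computes loss, mean RTT and an RFC 3550-style smoothed jitter for each, and reports the first hop that breaks typical VoIP thresholds. The thresholds, hop names and sample RTTs are constructed assumptions; in practice you would feed it the values your monitor logged.

```python
from typing import Dict, List, Optional, Tuple

# Thresholds assumed here: ITU-T G.114 recommends under 150 ms one-way delay,
# and vendor guidance for toll quality is commonly under 30 ms jitter and under
# 1% loss. Applied to ICMP round trips these are deliberately generous.
MAX_RTT_MS = 150.0
MAX_JITTER_MS = 30.0
MAX_LOSS_PCT = 1.0


def summarize(samples: List[Optional[float]]) -> Dict[str, float]:
    """Loss %, mean/max RTT and smoothed jitter for one target. None = lost probe."""
    n = len(samples)
    if n == 0:
        raise ValueError("no samples")
    got = [s for s in samples if s is not None]
    loss_pct = 100.0 * (n - len(got)) / n
    # RFC 3550 6.4.1 estimator J = J + (|D| - J)/16, with D taken here as the
    # change in RTT between consecutive replies (an approximation of transit
    # delay variation, since ICMP has no sender timestamps to compare).
    jitter = 0.0
    for prev, cur in zip(got, got[1:]):
        jitter += (abs(cur - prev) - jitter) / 16.0
    return {
        "loss_pct": round(loss_pct, 2),
        "avg_ms": round(sum(got) / len(got), 2) if got else float("inf"),
        "max_ms": round(max(got), 2) if got else float("inf"),
        "jitter_ms": round(jitter, 2),
    }


def is_bad(stats: Dict[str, float]) -> bool:
    """True if any threshold is exceeded."""
    return (stats["loss_pct"] > MAX_LOSS_PCT
            or stats["jitter_ms"] > MAX_JITTER_MS
            or stats["avg_ms"] > MAX_RTT_MS)


def first_bad_hop(path: List[str], results: Dict[str, Dict[str, float]]) -> Optional[str]:
    """path is ordered nearest to farthest; return the first hop that looks unhealthy."""
    for hop in path:
        if is_bad(results[hop]):
            return hop
    return None


def analyse(path: List[str], samples_by_hop: Dict[str, List[Optional[float]]]
            ) -> Tuple[Dict[str, Dict[str, float]], Optional[str]]:
    results = {hop: summarize(samples_by_hop[hop]) for hop in path}
    return results, first_bad_hop(path, results)


# Constructed data: ten probes per target, ms, None = no reply. The LAN hops are
# clean; trouble appears at the router and persists beyond it.
PATH = ["phone", "switch", "router", "isp_gateway", "public_dns"]
SAMPLES = {
    "phone":       [0.4, 0.5, 0.4, 0.6, 0.4, 0.5, 0.4, 0.5, 0.4, 0.5],
    "switch":      [0.3, 0.3, 0.4, 0.3, 0.3, 0.4, 0.3, 0.3, 0.3, 0.4],
    "router":      [1.0, 38.0, 1.1, None, 1.0, 41.0, 1.1, 1.0, None, 44.0],
    "isp_gateway": [9.0, 47.0, 9.5, None, 9.2, 52.0, 9.4, 9.1, None, 50.0],
    "public_dns":  [18.0, 60.0, 18.4, None, 18.1, 63.0, 18.3, 18.2, None, 61.0],
}

if __name__ == "__main__":
    results, culprit = analyse(PATH, SAMPLES)
    for hop in PATH:
        flag = "BAD" if is_bad(results[hop]) else "ok "
        print(f"{flag} {hop:12s} {results[hop]}")
    print("first unhealthy hop:", culprit)
```

Reading the output from near to far matters: a hop that is clean while every hop beyond it is lossy points at the next device or link, whereas loss that starts at the ISP gateway and not at the router is the ISP's problem and no amount of local QoS will fix it.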
 
@SAFCasper: I can guarantee a Mikrotik hEX won't handle symmetrical 1Gb WAN, although I doubt that's the root of your issue. VOIP doesn't need a lot of bandwidth; it cares more about stability, low latency and low to zero packet loss. I'd configure QoS first as that should be relatively quick and your hardware already supports it.

That was exactly my thought too. Which is why I asked, How many clients?

@CaliZ, you mentioned "We took on a business" I am wondering if the problem your new client is experiencing is another gremlin in the network from the previous IT firm that managed the network, not the Mikrotik. You could look in the switches, maybe they have some bandwidth throttling going on.

When our firm takes on new clients there is a long list of things to replace. We don't learn new stuff just because they have it. We don't know crap about Cisco and if that's their routing appliance, it's heading to the recycling center. HDDs in computers need to be cloned out and replaced with SSDs. Routing appliances and Access Points are usually at the top. @YeOldeStonecat loves Untangle and our firm loves pfSense. One thing in common @YeOldeStonecat and I have is our love of Ubiquiti switches and APs. They are quite nice and extremely reliable. Also another thing @YeOldeStonecat and I agree on is to skip the Ubiquiti Gateway/Firewall appliances. With that said, if you already have Ubiquiti switches in there it may be worth going with one of the Ubiquiti USGs as long as you don't need any fancy VPNs. I don't like Ubiquiti USGs but they could show you a lot of stats to isolate the issue in Ubiquiti's single pane of glass.

I guess this all comes down to what the client wants to pay, yeah, the tough part. Wondering if you could skip the router replacement by trying to create VLANs for the phones (if they aren't already on them) or creating aliases for them and then bandwidth throttling everything but the VOIP phones.

We've got a client that has a 150/20 connection with NO VLANs or Bandwidth throttling. They are a great client and we wanted to test no bandwidth throttling or traffic shaping/QOS to see how their VOIP phones would handle it. We did that two years ago and everything works perfectly. I still can't believe it. This is why I think you may have another gremlin in the network OR the ISP is the issue.
 
@CaliZ, you mentioned "We took on a business" I am wondering if the problem your new client is experiencing is another gremlin in the network from the previous IT firm that managed the network, not the Mikrotik. You could look in the switches, maybe they have some bandwidth throttling going on.

When our firm takes on new clients there is a long list of things to replace. We don't learn new stuff just because they have it. We don't know crap about Cisco and if that's their routing appliance, it's heading to the recycling center.

Don't you think that's kind of a bad attitude that you would send a device to the scrap heap because you do not understand it and do not want to learn anything new?

I have Cisco routing appliances such as the Cisco ASR (Aggregation Services Router) that would run circles around anything Mikrotik sells. It will do different media types, 10 Gbps, Multi-VRF routing, BGP, OSPF, EIGRP etc., and it will do it at real-time speeds without added latency, and can even match on NBAR2 and do QoS.

Merely saying because you do not want to learn it is not always in the customer's best interest to change to something you use.

Many consumer devices are toys. Case in point: two decades ago I had an IT guy with a 16 port Linksys Gigabit switch try to multicast image a bunch of laptops in a library. It said that it was going to take like 8 hours or something ridiculous. An old 100 Mbps Cisco Catalyst 2950 completed the re-image multicast in less than 45 minutes!
 
@NETWixx said:
Don't you think that's kind of a bad attitude that you would send a device to the scrap heap because you do not understand it and do not want to learn anything new?

No I don’t think it’s a bad attitude. Why? Because of experience. When I was a one man show years ago I learned anything and everything and supported all types of different hardware in over 100 client offices I managed. So I was the quintessential jack of all trades and master of none.

I’ve learned it’s a mistake to try and be everything to everyone and support all different types of hardware setups. A cardiac specialist makes a lot more money than a General Practitioner because he specializes in one thing, the heart, whereas the General Practitioner does everything and specializes in nothing. Our firm specializes in the hardware we support allowing us and our clients to be more efficient. Replacing an existing routing appliance with a pfSense appliance ($500, and “what we know”) is a small price to pay if the client wants things to simply work.

@NETWixx said:
Merely saying because you do not want to learn it is not always in the customer's best interest to change to something you use.

That really depends on a lot of things. Is the client going to pay my firm the time to learn it? For years we’ve had clients use legacy software applications built in DOS or Visual FoxPro. The applications do exactly what the client needs BUT if something goes wrong they are going to pay us to learn it because we can’t really use that experience and knowledge we’ve gained somewhere else. Now, when things like virtualization, Azure, and all sorts of other cloud based things have come up we DO learn those as we know we can use them across other clients.

I can’t begin to tell you how many clients we have taken on from other IT providers or a one man show where they have a ton of equipment that the previous IT provider didn’t set up correctly. Cisco, Sophos, SonicWall, Mikrotik, you name it. I’m not saying the equipment is bad we’re just going to do what we know.

@NETWixx, I’m not saying you’re wrong and I’m right. I just know what has worked best for me, my firm, and our clients.
 
One added note...if you want to stay in the Ubiquiti camp...but Unifi gateways are not checking the boxes you need, check out Ubiquiti's EdgeRouters. Some of them are BRUTALLY fast and low latency. A totally different interface than Unifi gateways, a lot more granular. The ERX for example....for a tiny little thing that boogies, all the way up to an 80 gig aggregate throughput model.

Sorta like Unifi, you can set these up in Ubiquiti's free UNMS service...and manage them all through a central portal.
Edge switches and Edge Routers had been Ubiquiti's strength for many years until Unifi matured a bit more, designed more for ISPs and WISPs (wireless ISPs).
 
Regarding learning lots of other products....IMO, you'll run yourself into the ground trying to learn all different brands/products out there. For the young and hungry, that's fine. Heck, myself...I used to love trying out new products, learning them, especially linux based routers.

But once you get busy, your plate is filled, and you get tired of working 90+ hours a week, you start to realize that "mastering" a small group of products and building your services off of that cookbook of standardized ingredients, becomes much easier to support. For my MSP clients, I only support certain things. We offer THIS top tier backup (Datto), or...well, I am down to "just Datto" now..either Siris for big clients, or Alto for little ones, or heck..just Datto Continuity for desktop. No more JungleDisk, no more iDrive, no more Solarwinds BDR, no more StorageCraft. We only do Bitdefender AV or..my colleague still does a few Eset clients, but I stopped Eset. I want only UI or Untangle for the edge appliances...we used to do PFSense a bit. My colleague also does a bit of Fortigate....I helped a bit of a big school project...all Forti stuff across the board from firewalls to switches to APs..and I hated it.

It becomes difficult to "stay on top of" 88 different brands of a product. IMO, at least for myself, I'd rather just focus on one, perhaps two. There's just too much time that needs to be spent on each, learning of nuances, tricks, best practices, and staying on top of updates, which firmware to avoid, which to stick with, etc. And of course you gather real world experience with a specific brand after doing install after install after install after install..it just becomes second nature to you and it's easy to support once you master it. Instead of "Barely a Jack of all trades, master of none".
 
That said, I am considering checking out....
*EnGenius...similar to Ubiquiti
*Aruba Instant On...since we used to be a big HP house before Ubiquiti....did a few HP and Aruba wireless installs in the past too. Instant On seems like a product lineup to compete with something on a smaller scale of Meraki or Ubiquiti.
 
The USG can do gigabit, just...not with any security features on.
We host a cloud controller as a courtesy to our clients that use UBNT, but this one is a new client. They are looking into allowing a VPN connection to their office for one proprietary software that is hosted in house.

Is the Voice delivered on the same Internet circuit or WAN circuit, or is it a completely different line?
Single internet line, I do not have access to their Mikrotik router to check configs as other IT company may/may not take it back under the client's lease. I am waiting on a reply if we are able to gain access/retrieve a config/company keep the router. With them having a Mikrotik AP, I'm not sure if it can run standalone, or requires the routerboard. (E.g. UBNT can allow for management of AP's with just a cloud controller hosted anywhere and does not require any additional hardware.)

We don't learn new stuff just because they have it.
This is a big challenge for us. We do try and utilize as much of the client's existing equipment as possible. In the area where we are, selling a $600+ router is not common, but using either the ISP router, or bridging it to an ASUS (RT-N66U anyone?) router is common. A high number of them are using ESET/BD, O365, cloud based file sharing (individual permissions), online backups, and no guest wifi (No need for VLAN's). So to sell them on something that primarily is just internet access with a basic firewall, and QoS, at a cheap price fits the bill more often than not.

However I 100% agree with being able to deploy a small range of preferred products would be ideal and is where part of this conversation leads on to. With WatchGuard, Juniper, and Mikrotik all having had some pretty bad exploits as with any, I would rather not have to check through our list of clients who may be affected, rather than pushing a formatted hardware layout. The question becomes, what is an all rounded stack for the sub ~60 employee business that gives enough functionality (VLAN, firewall, QoS, non-wifi, dedicated AP) and isn't going to break the bank. This client does have UBNT's 48 500w PoE switch, which we already have added in our cloud controller, but without a USG, I do not believe replacing their Mikrotik AP's with UAP-AC-Pro's is going to allow for proper VLAN to separate internal/guest networks.

How many clients are using the Internet (VOIP and computer)?
Roughly 15 desktops, 15 VOIP sets. (Polycom's linked to SIP trunk.)
 
*EnGenius...similar to Ubiquiti
We have deployed some of EnGenius' early AP's when they first came out, as we pushed the output power a little more, but soon jumped on the UBNT bandwagon as pricing, availability, and way better management with a self hosted cloud controller to call home was a clear winner.


I can’t begin to tell you how many clients we have taken on from other IT providers or a one man show where they have a ton of equipment that the previous IT provider didn’t set up correctly.
This happens very often to me. In the customers mind, and what they have said time and time again, "Can you work with this?" leads to "Sure". That isn't to say it is without trouble as it's:
-Old
-Not updated regularly
-Low end model (Not sufficient for the demands)
-And the big one! Not documented or no login.

I do not have any problems with configuring a device, but I agree, having to learn and keep up to date with every platform is annoying and time wasting. UBNT has been pretty nice, but following the adventures with others experience (Lawrence Systems anyone?) makes me have mixed thoughts about only using UBNT or telling them to hit the highway.

Not to take off from the original topic, I'll see what I can do to check the QoS on the Mikrotik, but for now, what are the two common business router/firewall vendors?
we used to do PFSense
I've built a few test bench systems with it, but I do not trust the reliability of us homebrewing it, with our cost vs buying their hardware directly. Nice simple boxes, but the cost to import them here (In Canada) and wait for shipping does not seem realistic compared to a more commercial product.
 
No I don’t think it’s a bad attitude. Why? Because of experience. When I was a one man show years ago I learned anything and everything and supported all types of different hardware in over 100 client offices I managed. So I was the quintessential jack of all trades and master of none.

I’ve learned it’s a mistake to try and be everything to everyone and support all different types of hardware setups. A cardiac specialist makes a lot more money than a General Practitioner because he specializes in one thing, the heart, whereas the General Practitioner does everything and specializes in nothing. Our firm specializes in the hardware we support allowing us and our clients to be more efficient. Replacing an existing routing appliance with a pfSense appliance ($500, and “what we know”) is a small price to pay if the client wants things to simply work.

That really depends on a lot of things. Is the client going to pay my firm the time to learn it? For years we’ve had clients use legacy software applications built in DOS or Visual FoxPro. The applications do exactly what the client needs BUT if something goes wrong they are going to pay us to learn it because we can’t really use that experience and knowledge we’ve gained somewhere else. Now, when things like virtualization, Azure, and all sorts of other cloud based things have come up we DO learn those as we know we can use them across other clients.

I can’t begin to tell you how many clients we have taken on from other IT providers or a one man show where they have a ton of equipment that the previous IT provider didn’t set up correctly. Cisco, Sophos, SonicWall, Mikrotik, you name it. I’m not saying the equipment is bad we’re just going to do what we know.

@NETWixx, I’m not saying you’re wrong and I’m right. I just know what has worked best for me, my firm, and our clients.

I actually agree with and respect a great deal of what you said. I too specialize because I have no desire to be a jack of all trades anymore and only seem to do that when it is my own money on the line. As for any appliance that is $500, that's dirt cheap. I have been recently buying transceivers that list at over $5,000... yeah, they do 100 Gbps though.

[attached screenshot: transceiver pricing]
Scary right? I am putting them into Cisco Catalyst 9500 48-port x 1/10/25G + 4 40/100G switches.
 
Speaking of Aruba.

Here is my largest deployment of APs. Yes, there are 471 switchports dedicated to just APs alone.

[attached screenshot: AP switchport deployment]
 
I've built a few test bench systems with it, but I do not trust the reliability of us homebrewing it, with our cost vs buying their hardware directly. Nice simple boxes, but the cost to import them here (In Canada) and wait for shipping does not seem realistic compared to a more commercial product.

Yeah IMO/IME (In My Experience)...and from what I've read in forums, the key to *nix routers is using good quality biz grade hardware. I see so many people get $199 micro PCs...put Untangle on them, and then complain that it slows down, needs weekly reboots, locks up. Yet, if they used some quality biz grade hardware that is well supported, good hardware based Intel NICs, standard chipset motherboards....like systems tested with and pre-built with PFSense, like from NexGenAppliances or Netgate .....you have routers that run forever, the only need to reboot is when doing an update. Or even some of the better models if you want to build yourself, from MITXPC or Protectli.
 
Not to unnecessarily *bump* things, but are the Ubiquiti Edge Routers still the common/preferred choice? Or recommendations on an alternative that supports:
-Full Gig up/down,
-VLAN,
-QoS,
-Possibly VPN?
 
OK. WTF? I am just now seeing everyone's responses thinking "Why did I not see these things pop up as alerts in my email!" I am conducting interviews for two new tech positions this week and feeling overwhelmed. However I feel like a real teenage dirt bag that I have not been in the conversation with all of you! Maybe I accidentally archived/deleted the emails from technibble (I'll search my email) or maybe...just maybe....it was Microsoft's update Tuesday that is screwing with the technibble site.

Sorry fellow IT dudes. I feel like I've let you guys down. I'll try to thoroughly go through everyone's posts and lend what help I can to everyone.
 
@YeOldeStonecat said:

check out Ubiquitis EdgeRouters.
OK there @YeOldeStonecat, that right there my friend....this is a completely different beast. Comparing the Ubiquiti USGs to an EdgeRouter is like comparing a Toyota Corolla to a Lexus...well anything Lexus. Same company but LOTS more bells and whistles and with that...lots more in price. I don't care for the USG's but the EdgeRouters.....Check out what this thing can do! But it'll cost ya!

@YeOldeStonecat

IMO, you'll run yourself into the ground trying to learn all different brands/products out there

I meant absolutely no offense in my comments to you @NETWizz! @YeOldeStonecat made my point perfectly. I just wish I could have made my point to @NETWizz as eloquently as @YeOldeStonecat made the point. My sincere apologies @NETWizz if I sounded like a jerk to you. That truly wasn't my intention.

@YeOldeStonecat

since we used to be a big HP house before Ubiquiti.

Oh please @YeOldeStonecat! We had so much going between you and me. And this! I'm hurt dude. HP? Really man! I thought we had a deep connection and I found my IT soul mate. I. HATE. HP. Always have, always will. Maybe they had one thing, at one time that worked great. I wouldn't know. They are the Sith...and I'm not falling for their Jedi mind tricks.

@CaliZ

This is a big challenge for us. We do try and utilize as much of the client's existing equipment as possible. In the area where we are, selling a $600+ router is not common, but using either the ISP router, or bridging it to an ASUS (RT-N66U anyone?) router is common. A high number of them are using ESET/BD, O365, cloud based file sharing (individual permissions), online backups, and no guest wifi (No need for VLAN's). So to sell them on something that primarily is just internet access with a basic firewall, and QoS, at a cheap price fits the bill more often than not.

Oh dude! I don't know where to begin. Same here. We try to utilize what they have as much as possible but you have to remove all emotion and know what has to go...has to go. (Think logically like Mr. Spock.) I've also integrated the Asus routers turned into access points with DD-WRT (which I find very cool by the way). BUT, more times than not, trying to save them money utilizing equipment to make things "work" always costs the client time and money in their efficiency.

One of the biggest challenges I face when taking on a new client is this:

Me: We need to remove these "IT things". And spend money on what we know will work.
Client: Why? We just paid for these "IT things!"
Me: Just because you paid a lot of money for these "IT things" doesn't make sense that we have to use them. We need to stop the bleeding and not worry about how much blood lost.
Client: Why not? We want to get our money's worth. Can't you make them work?!!!
Me: We may be able to make them work but in the end it will cost you more in our IT firm's time and lost productivity to your business operations.

Bottom line. You have to gain your client's trust and knock it out of the park on everything you do. IT guys have a stereotype and it's not good. You must break that stereotype and have them trust you. You need to make them see you as NOT the guy or guys that fix their computer/internet crap. But as a Professional Consultant that works for their best interest. I know, it's hard and you will get better at it.

I tell my techs all the time. If we help make our clients successful we'll ride their coat tails and we'll be successful. It's a partnership. Yeah, it sounds utopian but it's worked out for me and my company for the last 20 years.
 