helian replaces my old Unifi USG 3P gateway. I wanted something a bit faster, more capable (like builtin Wireguard support), and more tweakable. The Unifi has been a solid performer, I just wanted more. I bought it and meant to get around to installing it, but needing to learn their interface for configuring the whole network again put me off it for a while. That lasted until my Unifi router stopped working, and then there was no excuse.
helian is a Mikrotik RB5009UPr+S+IN, here's some info about it:
a review and teardown: https://www.servethehome.com/mikrotik-rb5009upr-s-in-poe-router-mini-review-marvell-arm/
the homepage: https://mikrotik.com/product/rb5009upr_s_in
I was eyeing off the CRS326-24G-2S+RM, then realised it'd be way more useful to get something with POE-out as well, otherwise I'd still be stuck dealing with two devices for routing and switching, so the hilariously overkill number of ports was off the cards for now.
And the RB5009 is a really good replacement in that sense. I've replaced a separate router and bulky POE switch with a single, small device that does both, and puts out way less heat. Heat that probably knocked out the Unifi router >_>
Features and uses
- 1Gbps upstream to ISP (ethernet)
- PoE to switches and wifi APs
- DHCP IPv4 and IPv6 from ISP, provides a static public v4 address, and /48 delegated prefix to the LAN
- Custom firewalling of course
- Forwarded ports for SSH and HTTPS to internal servers
- Wireguard VPN server
- Separate VLAN for IOT devices (considered less trustworthy)
  - This was a bit tricky to nut out; I used bridge VLAN filtering to get the correct behaviour
  - Makes use of what the manual calls "hybrid ports", as they're untagged for the LAN and tagged for IOT, going to the Unifi wifi APs
- DHCP server for LAN and IOT segments, lots of static leases for everything on the network
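The hybrid-port setup from the IOT VLAN item above, written out as an added RouterOS example (not config from this page or from Mikrotik's docs). The port plan, addresses and interface names are assumptions: ether2-ether4 are plain LAN ports, ether5 feeds an AP, LAN is untagged on PVID 1 and IOT is VLAN 99 tagged.

```routeros
# Constructed example: one hybrid AP port on an RB5009 using bridge VLAN filtering.
# Assumed plan (not from the page): ether2-4 = LAN hosts, ether5 = Unifi AP uplink.
/interface bridge
add name=bridge1 vlan-filtering=no pvid=1

/interface bridge port
# Plain LAN ports: untagged only, so a host cannot inject an IOT tag itself.
add bridge=bridge1 interface=ether2 pvid=1 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether3 pvid=1 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether4 pvid=1 frame-types=admit-only-untagged-and-priority-tagged
# Hybrid port to the AP: untagged frames land in the LAN (pvid 1), tagged 99 is IOT.
add bridge=bridge1 interface=ether5 pvid=1 frame-types=admit-all

/interface bridge vlan
# VLAN 1 is untagged on every access port; bridge1 joins it untagged via its own pvid=1,
# so the router's LAN address can sit directly on bridge1.
add bridge=bridge1 vlan-ids=1 untagged=ether2,ether3,ether4,ether5
# VLAN 99 exists only tagged, on the AP uplink and on the CPU-facing bridge interface.
add bridge=bridge1 vlan-ids=99 tagged=bridge1,ether5

/interface vlan
add name=vlan99-iot interface=bridge1 vlan-id=99

/ip address
add address=192.168.1.1/24 interface=bridge1 comment="LAN (constructed address)"
add address=192.168.99.1/24 interface=vlan99-iot comment="IOT (constructed address)"

/ip firewall filter
# IOT may answer sessions the LAN opened, but cannot start anything toward the LAN.
add chain=forward in-interface=vlan99-iot out-interface=bridge1 \
    connection-state=established,related action=accept
add chain=forward in-interface=vlan99-iot out-interface=bridge1 action=drop \
    comment="IOT cannot initiate connections to LAN"

# Enable filtering last, while connected on a LAN port, so a mistake above cannot lock you out.
/interface bridge set bridge1 vlan-filtering=yes
# Confirm the switch chip took it: bridge ports should carry the H (hw-offload) flag.
/interface bridge port print
```

The IOT VLAN still gets to the internet through the normal forward/NAT rules; only IOT-initiated traffic into the LAN is dropped.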
Hardware
It uses a Marvell 88E6393X switch chip, which governs what features you can lean on and how they're handled. Mikrotik has a list of various switch chips and their features here: https://help.mikrotik.com/docs/spaces/ROS/pages/15302988/Switch+Chip+Features#SwitchChipFeatures-Introduction
The list isn't completely up to date, as the higher end CRS and CCR devices have chips that aren't listed there, but the 88E6393X is about as good as it gets when it comes to features. Of particular interest to us is hardware offloading of bridge VLAN filtering (with some listed caveats), which means performance shouldn't suffer even though we're doing something a little bit complex.
Access
This is just good practice stuff.
- Create a new user account, add an SSH key for auth, and set a strong password
- Disable the admin account
- Lock down access so it's only manageable from the LAN, and ideally from a couple of workstations on specific physical ports
- Get my wildcard TLS cert on there and protect the web UI
- Use WinBox or the CLI for management; this is pretty easy to set up
Stuff I want to do
Get onto DN42 and learn some routing: https://dn42.eu/
- Monitor traffic with SNMP and whatever else they've got
Set up a station to receive TZSP packet sniffing streams
- This sounds like what I imagined a few years ago when I started at Arista, separating the packet capture from the analysis and visualisation
- This can then be fed to something like Snort IDS, and Netflow/IPFIX-based traffic accounting
Future reading
Stop myself from using social media at bedtime: https://help.mikrotik.com/docs/display/ROS/Kid+Control
- Could also do this using Pi-hole, which I need to fix up again
VLAN tagging and how it relates to bridging: https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching
- I'm using "hybrid ports" to hook up the Wifi APs, so normal traffic is untagged and the IOT VLAN 99 is tagged
- The real ideal here would be to make all the WLANs VLAN-tagged, then only mgmt traffic is untagged to the APs
https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching
Understanding the global packet flow in RouterOS: https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS
- This is super important because I currently can't visualise how bridges and VLANs work once you add tags
Stuff to fix
mDNS
Apparently mDNS doesn't work properly across VLANs. Unifi solves this by running an mDNS proxy between VLANs, which makes stuff like Chromecast just work if you put them into a separate IOT VLAN, but Mikrotik doesn't have that.
Just pipe all VLANs to a box and run an mDNS proxy/repeater on it. It should be in the avahi package on Linux.
I only need to do this once I put all the IOT stuff on a separate VLAN though - at the moment the Google Nest and Hue hub stuff is on the main human VLAN.