helian replaces my old Unifi USG 3P gateway. I wanted something a bit faster, more capable (like builtin Wireguard support), and more tweakable. The Unifi has been a solid performer, I just wanted more. I bought it and meant to get around to installing it, but needing to learn their interface for configuring the whole network again put me off it for a while. Until my Unifi router stopped working, so then there was no excuse.
helian is a Mikrotik RB5009UPr+S+IN, here's some info about it:
a review and teardown: https://www.servethehome.com/mikrotik-rb5009upr-s-in-poe-router-mini-review-marvell-arm/
the homepage: https://mikrotik.com/product/rb5009upr_s_in
I was eyeing off the CRS326-24G-2S+RM, then realised it'd be way more useful to get something with POE-out as well, otherwise I'd still be stuck dealing with two device for routing and switching, so the hilariously overkill number of ports was off the cards for now.
And the RB5009 is a really good replacement in that sense. I've replaced a separate router and bulky POE switch with a single, small device that does both, and puts out way less heat. Heat that probably knocked out the Unifi router >_>
Features and uses
- 1Gbps upstream to ISP (ethernet)
- PoE to switches and wifi APs
- DHCP IPv4 and IPv6 from ISP, provides a static public v4 address, and /48 delegated prefix to the LAN
- Custom firewalling of course
- Forwarded ports for SSH and HTTPS to internal servers
- Wireguard VPN server
- Separate VLAN for IOT devices (considered less trustworthy)
- This was a bit tricky to nut out, I used bridge VLAN filtering to get the correct behaviour
- Makes use of what the manual calls "hybrid ports", as they're untagged for the LAN and tagged for IOT, going to the Unifi wifi APs
- DHCP server for LAN and IOT segments, lots of static leases for everything on the network
Access
This is just good practice stuff.
- Create a new user account, add an SSH key for auth, and set a strong password
- Disable the admin account
- Lock down access so it's only manageable from the LAN, and ideally from a couple of workstations on specific physical ports
- Get my wildcard TLS cert on there and protect the web UI
- Use winbox or CLI for management, this is pretty easy to setup
Stuff I want to do
Get onto DN42 and learn some routing: https://dn42.eu/
- Monitor traffic with SNMP and whatever else they've got
Setup a station to receive TZSP packet sniffing streams
- This sounds like what I imagined a few years ago when I started at Arista, separating the packet capture from the analysis and visualisation
- This can then be fed to something like Snort IDS, and Netflow/IPFIX-based traffic accounting
Future reading
Stop myself from using social media at bedtime: https://help.mikrotik.com/docs/display/ROS/Kid+Control
- Could also do this using Pihole, which I need to fix up again
VLAN tagging and how it relates to bridging: https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching
- I'm using "hybrid ports" to hook up the Wifi APs, so normal traffic is untagged and the IOT VLAN 99 is tagged
- The real ideal here would be to make all the WLANs VLAN-tagged, then only mgmt traffic is untagged to the APs
https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching
Understanding the global packet flow in RouterOS: https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS
- This is super important because I currently can't visualise how bridges and VLANs work once you add tags
Stuff to fix
mDNS
Apparently mDNS doesn't work properly. Unifi solves this by running an mDNS proxy between VLANs, which makes stuff like Chromecast just work if you put them into a separate IOT VLAN, but Mikrotik doesn't have that.
Just pipe all VLANs to a box and run an mDNS proxy/repeater on it. It should be in the avahi package on linux.
Only need to do this when I put all the IOT stuff on a separate VLAN though - at the moment the Google Nest and Hue hub stuff is on the main human VLAN.