
Mikrotik is pretty nice, although the GUI is not as user friendly as Ubiquiti's.


I'm sorry, but asking someone to switch from Ubiquiti to a Mikrotik is like asking someone to go from macOS to 1990's Linux.

The user interface is beyond atrocious and even basic features you'd need in a smaller/home setup need digging through wikis to get the arcane settings you need to click. Basic things like NAT loopback or basic VPN setup. OpenVPN is still neutered and broken.

What's even worse - the defaults are all wrong. There's no simple "enable firewall" switch for basic use-cases like other equipment has. Instead you need to manually configure firewall rules in chains like working with raw iptables, and if you make a small misstep, you'll drill a hole in your network easily. Or make your internet horribly slow because you need to be careful about fasttrack rules and lack of NAT acceleration.

It's really about the most disappointing piece of hardware I bought in the last few years and doesn't come close to the niceness of Ubiquiti's management. Sadly it's also the only company that makes a compact router with SFP and PoE+ to power Ubiquitis.


While I'm a big Mikrotik advocate, I completely agree with you: Mikrotik is not even in the same league as Ubiquiti when it comes to UX. Mikrotik is for professionals who desire control and know what they're doing, Ubiquiti is for a non-technical prosumer audience.


One could argue that Mikrotik provides a UX that its target market is looking for.


Yes, but that also means they're not a replacement for Ubiquiti then and shouldn't be peddled as such.


Ubiquiti has several product ranges; the EdgeMax line is the advanced one; Unifi is the simple one.

Yes, you can set up simple things with Unifi in a simple way, but the more advanced ones are a tragedy: you must also google around, dig through wikis and forums for arcane incantations of the right JSON keys, so you can deploy your config in JSON; there are not even arcane settings to click.


I don't think the EdgeMax is the 'advanced' line by any stretch. They both run a fork of Vyatta and share a CLI. The Unifi stuff has more features accessible via the GUI and receives far more attention from Ubiquiti.

However, the biggest and most major difference between the two lines of products is the requirement of the Controller to run the Unifi line of devices. For that simple fact I would pin the Unifi line as more 'advanced'.


The controller and the sdn concept is exactly the difference.

They might share CLI, but that does not mean that your changes persist on USG. You can rely only on whatever you configured in GUI and half-rely on gateway.config.json; for example, they both have dnsmasq and I'm still figuring out how to configure it, so the changes persist. It would be otherwise trivial on edgemax or other pure dnsmasq-using system, like openwrt.


RouterOS is basically designed for network engineers. From our perspective, NAT loopback is extremely complex and has many implications, which RouterOS doesn't hide from you. And we typically don't run a VPN concentrator on the same device as a router. I think it's just a matter of different practices in different industries.

ETA:

> What's even worse - the defaults are all wrong.

There is a new-ish thing in the web UI called "QuickSet" for these use cases.


I agree. Mikrotik has great devices but they are great if you can cope with them. Imagine getting a Cisco Catalyst and then complaining it is not as good as Ubiquiti due to the sheer number of options. It just doesn't work that way; there is equipment for the masses which is "good enough" and the other side where you can tackle everything in transmission but you need to know what you are doing.

Anyway, I wouldn't recommend Ubiquiti as a replacement for Mikrotik. It is just too complex for most home users and even technical users (on the other side I wouldn't use Ubiquiti even if it is a giveaway).


Honest question. What is the market for Mikrotik? I’ve only seen them in use at home by enthusiasts and a few SMBs trying to maximize bang for buck. Their offerings just don’t seem very enterprisy.


Having had the displeasure of managing a network for a company that installed about 40 mikrotik switches behind a mikrotik firewall, I can safely say they belong in a small business with max 1 or 2 at a time.

Managing more than that is crazy with the current software. Not to mention these are some of the cheapest and lowest build quality switches you will find with these insanely powerful features.

Unifi switches are a materially better build quality.

If you want great carrier grade look at Arista. You can even score a 10Gbit 48 port Arista switch off eBay used for about $700 last I checked.


Quite popular in the WISP market


Lower tier ISPs.


Yes, I fully understand that it was built for company admins to have fun and cover their use-cases.

But unfortunately I constantly see those admins recommend them for prosumer, unmanaged small business and home use-cases. In those cases they're horrible to manage and lack features users expect.


What features? I have heard a lot of complaining over mikrotik, but lack of features was typically not one of them.


An easy to use, user friendly WebUI is a feature. The only part of that MikroTik has is WebFig, which is neither easy to use nor user friendly.


Everyone uses either CLI or WinBox GUI app, which is excellent. https://wiki.mikrotik.com/wiki/Manual:Winbox#Work_Area_and_c...


Which is covered by

> horrible to manage and lack features users expect

Users expect WebUIs, and WebFig is horrible to manage.


Users expected faster horses, got cars. WinBox is so much better than any web UI I've ever seen, didn't know I wanted it before I had it.


1. WinBox only works on Windows.

2. Android version of WinBox is buggy and also only works on Android.

3. It may be better if you have expertise in network administration and know RouterOS inside and out. Most people who buy Ubiquiti gear do not, but their needs aren't met by regular consumer routers which do not allow any kind of "prosumer" settings.

MikroTik may well be better for you (I used it for 5km PTP links, but that's because it's cheap, if I had the budget I would've gotten LiteBeam or AirGrid), but that doesn't imply it's a suitable replacement for everyone. And it is most certainly not a suitable replacement of airOS for most people who use airOS.


It’s probably the wrong product for you. I like my Mikrotik devices as it doesn’t hide anything and is crazy configurable for the price.

I run my VPN server on a different device, I can understand why you might want to run it in your router, but again this isn’t plug and play trivial networking gear and most administrators will be doing the same as me.

There are many companies selling what you want.


> I run my VPN server on a different device, I can understand why you might want to run it in your router, but again this isn’t plug and play trivial networking gear and most administrators will be doing the same as me.

Which administrators? In what environments? Remember, the thread started with someone telling us that Mikrotik is a good replacement for Ubiquiti use-cases. Whose EdgeRouters and USGs have easily configurable VPNs with good defaults.

I'd also love to hear about any alternative products which support SFP for WAN and 802.3at PoE with ease of setup and use as Ubiquiti. Or even a SOHO ASUS router.


Not even close to that user friendly, and they had pretty serious security problems. I also use them, because they are powerful and cheap.

https://nvd.nist.gov/vuln/detail/CVE-2018-14847


Just want to point out that the fact that there are CVEs does not mean they are insecure.

All kit has security issues but the important thing is how open the manufacturer is about the issues and how quickly they fix them, and Mikrotik have always been very good in this area, regularly releasing updates

Also, as all their devices run the same software, even devices that are years old will still be updated

I often see people saying “Mikrotik is insecure” but this seems to be based solely on the fact that there are published security issues which they have patched. In my opinion that is the opposite of insecure

Agree on the user friendliness though - I use them at home for personal stuff, but for work it is Unifi


The one linked is especially bad, it allows anybody to read the admin password. The problem is also that a lot of them are running old versions because the update process is not as straightforward as Ubiquiti's, for example. I also run Mikrotik at home and have deployed Mikrotik and Ubiquiti at our different offices. For the price you can hardly beat Mikrotik and once you "get into it" it's fairly simple.


Yes, that’s bad but note that even unpatched it is only an issue if the GUI management port has been left open - which seems to be the case with all the security issues people highlight with Mikrotik

I wouldn’t disagree that management ports should probably be locked down out of the box but I would expect anyone reading this to apply some basic lockdown when setting up any device

I just want to offer a counterpoint to an assertion that I often see here claiming they are insecure which I don’t think is justified

Certainly if you are not into networking and want something that just works then Unifi is great, but if you want something with bucketloads more functionality and don’t mind getting your hands dirty then don’t be put off Mikrotik due to security concerns


> the one linked is especially bad, it allows anybody to read the admin password.

Only if you have exposed management port to the internet, which you should never do.


You just upload a file and reboot... that seems like a pretty simple procedure to me...?


There's also the automatic upgrade option, so you don't have to upload anything manually: https://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS#Aut...


Yes, and IMO it's less likely to "ruin" the device (i.e. reset all settings on a roof-mounted CPE that you are upgrading remotely) than Unifi updates for LiteBeam... Though I have only used MikroTik SXT and SXTsq and Ubiquiti LiteBeam M5 so I am not the best to judge.


Disabling (access to) WinBox should be the first thing to do on a Mikrotik. Most of their serious security issues are in WinBox.

The Web UI seems to be a perfect equivalent if you want a GUI to manage your one box at home, and SSH should do the trick for automation. Is there any reason to use their proprietary (Windows-only) software to configure the router?


WebFig is just clunky and slow. Winbox is so much better, faster, with MDI, and works fine on Wine.


This one was for the management port and was fixed before the CVE came out. There are two points: opening the management interface to the internet is... let's say... weird. The second one, they are extremely responsive to security issues.


I have used Mikrotik at work and have been alarmed at how often professional network engineers make mistakes with them. I found some serious errors through testing (and some exploitation), and when putting them right I could see why the engineers had made that mistake. I caution against them. They don't just have a clunky GUI, they have a model of the network that people seem to find hard to understand. Shame on Unifi over GPL, but their kit is very good.


Dealing with this exactly at this moment. Using Winbox is like using Windows 3.0.

No no... It's way worse than that.


Their last source dump appears to be 4yo too.



