As I have never used a Mikrotik router before, there was quite a big learning curve.
I’ve only really used Cisco/Juniper-like interfaces to configure routers, and I’m a fan of them. Even though I have gotten a little more used to the RouterOS command line, I must say I’m not a huge fan of it. Most of my reasons are quite minor, but some of the reasons I don’t really like it are:
- I find it silly how the menus are structured. For example, I have to configure an interface in the “/interface” context first, then switch context to “/ip address” to add an IP address. The same goes for just getting an IP from a DHCP server: you can’t do it from the “/ip address” context, but rather from the “/ip dhcp-client” context. There are many other cases of this, and while none of it is really a big deal, I find it quite inconvenient. I want to configure the options for a single interface in one place.
- There are a lot of little things I think ROS is lacking. For example, when creating a GRE tunnel from the “/interface gre” context, you have to provide a local-address to source the packets from. This is a pain because if you are on a dynamic IP address, it involves an extra step of editing the address every time your address changes. On Cisco routers, you can just do “tunnel source $INTERFACE” and it’ll automagically use the correct source address. The same applies to adding routes via the DHCP-provided default gateway. On IOS, I can just do “ip route 18.104.22.168 255.255.255.255 dhcp” to route some packets explicitly via the DHCP-assigned default gateway. This is useful because in order to reach my dedicated server, I need a single route via my DHCP-assigned default gateway, before BGP from my dedicated server pushes down a new default route. In ROS you can’t do this; you have to add a static route manually yourself, and edit it each time your address changes. Again, these are minor things, but I’m sure there are some bigger things which I cannot remember at the moment.
To be fair, these reasons are quite minor, and considering the price difference between a Mikrotik router, and a Cisco/Juniper router, I guess it is acceptable.
In terms of setting up the RB2011UAS-RM, I wanted to keep the config as simple as possible:
- Make the DHCP client add the default route with a distance of 250. This allows the default route pushed from my dedicated server to have priority and be the active route.
- Add a static route to my dedicated server via the DHCP assigned default gateway.
- Set up VRRP on the “inside” interfaces of both edge routers.
- Set up GRE tunnels back to my dedicated server.
- Configure BGP from both edge routers to the dedicated server, and BGP peering between the two edge routers via the point-to-point connection.
- Add static routes to my internal network behind my ASAs.
I didn’t want to add any masquerading/NAT rules on the edge routers, because I felt it would add extra CPU load for no reason: the default route will be via the dedicated server, and NAT will be done there. But I decided it might be better to add a rule to NAT any traffic going straight out to the internet (not via the GRE tunnels), just in case, for whatever reason, the BGP sessions on both routers were down and traffic was no longer going via my dedicated server.
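The following is an added example of what the edge-router plan above, plus the fallback NAT rule, looks like as RouterOS commands. It is not the author’s config. RouterOS v6 CLI syntax is assumed, and every interface name, address, AS number and VRID is a placeholder I chose, not a value from the post.

```routeros
# Added example (not the author's config). RouterOS v6 syntax assumed.
# All interface names, addresses, AS numbers and VRIDs are placeholders.
# Assumed interfaces: ether1 = ISP/DHCP uplink, ether2 = "inside" towards the ASAs,
# ether3 = point-to-point link to the other edge router.

# 1. DHCP client on the uplink. Its default route gets distance 250 so the
#    default route learned over BGP from the dedicated server wins.
/ip dhcp-client
add interface=ether1 add-default-route=yes default-route-distance=250 disabled=no

# 2. Host route to the dedicated server via the ISP gateway, so the tunnel
#    endpoint is never reached through the tunnel itself. As the post notes,
#    this gateway has to be edited by hand whenever the DHCP lease changes.
/ip route
add dst-address=203.0.113.10/32 gateway=198.51.100.1 distance=1 comment="dedi via ISP gw (placeholder)"

# 3. VRRP on the inside interface. The other edge router uses a lower priority.
/ip address
add address=10.0.0.2/24 interface=ether2
/interface vrrp
add name=vrrp-inside interface=ether2 vrid=10 priority=254 version=3
/ip address
add address=10.0.0.1/32 interface=vrrp-inside

# 4. GRE tunnel back to the dedicated server. local-address must be the
#    current DHCP address (the "tunnel source" shortcut the post misses).
/interface gre
add name=gre-dedi remote-address=203.0.113.10 local-address=198.51.100.50
/ip address
add address=172.16.0.2/30 interface=gre-dedi

# 5. Point-to-point link to the other edge router.
/ip address
add address=172.16.1.1/30 interface=ether3

# 6. BGP: one peer over the GRE tunnel to the dedicated server, one to the
#    other edge router across the point-to-point link.
/routing bgp instance
set default as=65001 router-id=172.16.0.2
/routing bgp peer
add name=dedi remote-address=172.16.0.1 remote-as=65000 hold-time=30s
add name=edge2 remote-address=172.16.1.2 remote-as=65001 hold-time=30s

# 7. Static routes for the networks behind the ASAs (ASA outside = 10.0.0.10).
/ip route
add dst-address=192.168.0.0/16 gateway=10.0.0.10 comment="behind ASAs (placeholder)"

# 8. Fallback masquerade: only traffic leaving directly via the ISP uplink is
#    NATed, so traffic taking the GRE tunnels while BGP is up is untouched.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="fallback when BGP is down"
```

The masquerade rule matches on `out-interface=ether1` rather than on source addresses, which is what keeps it inert on the normal path: while the BGP-learned default route is active, outbound traffic leaves via `gre-dedi` and never hits the rule. Note that RouterOS v7 restructured the `/routing bgp` menus, so section 6 would need rewriting there.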
That’s pretty much it for the edge routers. It’s simple, and it’s working well so far!
Again, I can share config files if anyone wants to look at them!