In small companies, saving money on equipment is an acute issue, and it is often resolved by not buying anything at all if the existing hardware can be made to work. In this article I want to share my experience with this and point out the main reasons why so many people do exactly that.
History and causes
Let's start with the history, for which we go back 7-10 years. In those days the choice was thin:
- Home routers from the now-respected Chinese manufacturers, up to 2500 r., functional enough for a micro company of 5 people in one room. The software side of such routers is extremely meager, although the hardware was fairly brisk.
- Small-business routers from renowned manufacturers, priced from 8000 r., but the functionality is not much richer: somewhere Dual-WAN support, somewhere even IPSec.
- An old PC with a specialized Linux distribution or a self-configured general-purpose one (one also ran into Windows apologists, but that is not my choice). Here the possibilities are already many, and the hardware, although old, was quite adequate for the needs of the office. And besides being the gateway, it can be a PBX, a mail server and even a file server!
In most cases (and I myself followed this policy for lack of a decent alternative for the money) the choice falls on the PC. The price of such a choice is low (essentially free: nobody wants to work on the old box, but throwing it away is a shame; as we say, the toad strangles you), and there are endless possibilities for hand-tuning it.
Consequences of choosing
In the case of home routers there is only one problem: they cannot do anything clever, neither QoS (and VoIP was already starting to spread across the country then), nor tunnels with decent encryption (PPTP offers no real protection), nor Dual-WAN failover. Some of this is possible, with a lot of hacking on alternative firmware, but you start looking in the direction of Linux, especially since for 8000 r. there is no great happiness either, and there it is, the choice of many.
Old PC with Linux: CPU power (far more than in home routers, and entry-level business routers are not much better), plenty of disk space, you can set up a proxy, traffic accounting and many other things, and plenty of RAM.
But the problems come from a different direction: old hardware tends to fail, and self-written scripts for Dual-WAN and failover are often very fragile (writing a stable script is not an easy task). Additional services do not add stability either.
And of course there are no particular problems as long as the company is still small, there are few branches, and the services of one branch do not depend much on the services of another, especially if the Internet is not an important part of the business (yeah, try doing without the Internet now). But the further it goes, the worse the situation becomes. Unexpected connectivity drops due to hardware or software (for example, LXC has a nasty bug: after a large volume of traffic passes through the container interface, the interface falls into a deadlock, which leaves the container partially reachable, and when you try to restart the interface the container host itself deadlocks, after which the whole machine has to be rebooted). And then come the greetings from disgruntled bosses, employees and customers: mail does not go out, the PBX is silent, the files are inaccessible, and the admin is sad.
Our days, what can be done?
Mikrotik routers and RouterOS initially attracted me with their price: for 3500 r. you can easily buy a router which has:
- A packet filter like in grown-up Linux (well, almost; some things are missing, and some are its own: a global queue, for example)
- Good hardware, and it really is good; not faster than the old PC, but very stable
- Tunnels of different types; it is a bit of a pity that the OpenVPN is old, but everything works out well even without it
- A great thing: winbox. Thanks to it I came to understand the Linux packet filter much better. Good visualization of settings is a very useful thing, and in general the visualization of a number of points (tracking connections in real time, for example) helps a lot
- A good CLI, unlike many others (I really don't like Zyxel and D-Link); I learned it very quickly
- A WiFi network controller (CAPsMAN): of course, it is still far from the Cisco level, but it can already do a lot, and the network comes out with very smooth seams between access points
- Compared to a PC, it reaches operating mode in 8-12 seconds, by which time the PC has barely got through the BIOS. This matters in situations where the business depends on the Internet and on access to other branches, when every second of startup the phone is ringing off the hook: well, when?! We have a client here! We need to work!
- Multi-WAN balancing and failover can be built without much difficulty.
- Very good WiFi hardware. I deployed WiFi at an exhibition (for the company's pavilion, using an RB951U2nd), and as a result, with 600 WiFi clients in the vicinity (about 20 employees and 15-20 guests were connected to our access point) and 40 other access points around, it was possible to push about 2 Mbit/s. I consider this a good result for a device not intended for such conditions, given such a noisy air.
- Responsive tech support; they fixed a few bugs after my reports.
- MetaROUTER (does not work on all models): if needed, you can run several virtual routers or OpenWRT.
- Fairly advanced scripting
- Most models are powered by supplies from 7V to 30V and support passive PoE over the same voltage range. It helps a lot when you need to replace a power supply: almost any one fits :)
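As an added illustration of the Multi-WAN failover point above (this is my example configuration, not code from the article): on RouterOS the fragile hand-written PC script is replaced by two default routes with different distances and `check-gateway=ping`, plus a netwatch entry that logs the switch-over so it shows up in the router log rather than only in angry phone calls. Interface names (ether1, ether2), the RFC 5737 documentation addresses used as ISP gateways, and the LAN subnet are constructed assumptions for the example.

```routeros
# Added example, not from the article. Assumed (constructed) topology:
#   ether1 = primary ISP, gateway 203.0.113.1
#   ether2 = backup ISP,  gateway 198.51.100.1
#   ether3 = LAN, 192.168.10.0/24

# Two default routes. The lower distance wins while its gateway answers pings;
# when check-gateway marks the primary route unreachable, the backup takes over.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping comment="WAN1 primary"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping comment="WAN2 backup"

# Source NAT on whichever WAN is currently in use.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="NAT via WAN1"
add chain=srcnat out-interface=ether2 action=masquerade comment="NAT via WAN2"

# Protect the router itself on both WAN interfaces: allow replies and ICMP,
# drop everything else arriving from the outside.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="replies"
add chain=input connection-state=invalid action=drop comment="drop invalid"
add chain=input protocol=icmp action=accept comment="allow ping"
add chain=input in-interface=ether1 action=drop comment="drop unsolicited from WAN1"
add chain=input in-interface=ether2 action=drop comment="drop unsolicited from WAN2"

# Log the failover events so an outage is visible in /log, not only to the users.
/tool netwatch
add host=203.0.113.1 interval=10s timeout=1s \
    down-script=":log warning \"WAN1 gateway unreachable, traffic now via WAN2\"" \
    up-script=":log info \"WAN1 gateway reachable again, traffic back on WAN1\""
```

One caveat worth knowing before relying on this: `check-gateway=ping` only tests the ISP's first hop. If the provider's own uplink is down but its gateway still answers pings, the route stays active and no failover happens; the usual fix on RouterOS is to point the default route at a well-known address beyond the gateway via a recursive route, which is a refinement of the same idea rather than a different one.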
The disadvantages include:
- No DNS proxy
- The built-in RADIUS server cannot authenticate WiFi clients
- IPv6 is there, but its support is rather meager, which is not yet very critical
- IPSec, which does not work in a number of specific cases (here is one of them: Mikrotik L2TP / IPSec for NAT: ipsec, error failed to pre-process ph2 packet )
- CAPsMAN cannot work as an intermediate controller, so it is not possible to manage all of the company's WiFi across all branches. If the connection to the controller is lost, the WiFi goes down :(
- Perhaps something else, but I probably just haven't used it yet.
Epilogue
Of course, this is not a very technical article, but rather a collection of my impressions of RouterOS and RouterBoard. I have already bought many Mikrotik routers for my company, and so far I have not had to regret it. Getting rid of the old PCs eliminated the lion's share of the network problems.
If you are still using old PCs as gateways, think about it; you may want to move the gateway onto a separate, dedicated device. You have a choice of 5-port variants, 24-port ones (with hardware VLAN), and many others, including models with hardware-accelerated encryption. For a small office, the MIKROTIK CRS125-24G-1S-2HND-IN deserves separate attention: here you get 24 ports plus WiFi to boot, and the CPU can push up to 50 Mbit/s with QoS as in this article:
Mikrotik: Balancing in the CPSU and adherence to speed, or up to 20 Mbps through an encrypted VPN (unfortunately, there is no hardware acceleration of encryption on this model).