This is Why I Hate MikroTik

Captions
Okay, hi, good morning everybody. I hope you're all nice and refreshed. This is my first presentation at a MUM, so I hope everything goes smoothly, well, aside from laptop-related setup issues. This presentation is called "This is why I hate MikroTik". I've certainly received some interesting comments about the subject prior to doing the presentation, so let's see how this goes.

Just a little bit about myself. My name is David Savage, and yes, that is my real name, I get asked that question a lot, and no, I'm not a part of MikroTik Latvia in any way. MikroTik SA is a completely independent company; we are from South Africa. I'm a certified trainer and MikroTik support engineer, been doing this for quite a while. I delivered my first training session, which was on the Moodle platform, somewhere around 2004, so at that stage the current rank of MikroTik Certified Trainer didn't exist. I just ran through a training program with the guys from MikroTik, and after that they said, well, you can now go and train people. So through the years I've used MikroTik a lot, definitely my platform of choice for just about anything; I think I have one linked up to my coffee machine, makes very good RouterOS-based coffee. Throughout the years I've been through a fair amount of conferences, been to other MUMs and so on, and there's a few threads of conversation that pop up again and again and again. It's generally people complaining about MikroTik and things that MikroTik can't do or things that MikroTik doesn't do very well, and this is an attempt to try to outline just a few of those, but also to make the point that very often it's not MikroTik itself that's the problem, it's the lack of understanding about what they're trying to do that is causing the issue. So I'm from Cape Town, I did mention South Africa, and here's a little picture of what Cape Town looks like; well, I just realised it's not great quality, but really it's a very nice place.

Okay, so full disclosure: I actually do love MikroTik. Don't read anything into that title. So what is this presentation about? First of all I'm going to outline four things. Common misconceptions: what do people think MikroTik can do versus what it is capable of. Unrealistic expectations: people expect the router to be able to do something at a certain speed or a certain level of performance and don't understand why it can't do that. Lack of research, which of course ties back into unrealistic expectations: if you don't know what the hardware platform is, then you're not going to be able to leverage it correctly in terms of getting the best out of it. And thirdly, lack of understanding, so again tying in to the three points beforehand: not understanding what the product is about and what it's meant to do. So it all comes down to the statement right at the bottom there, which says: I love MikroTik, but why can't I do this one very specific function that will make it absolutely perfect for me in my network? I think that's fair enough, and I think it is because MikroTik is such a capable routing and switching platform and it has so many features that people are almost surprised when there's something that it can't do, something very specific to their needs and requirements. There was a great example of this yesterday, and I hope the gentleman I was sitting with on the tram is in the audience right now. There he is, I saw him wave his hand, how you doing. I was riding on the tram with him and he was telling me about this: he loves MikroTik, got lots of them in the company, but why can't it do, I think it was RADIUS-based per-port MAC address authentication, in his network, because he wants to be able to block certain MAC addresses by RADIUS. I'd never thought about it before, it's not something that I've ever had a need for, but that almost perfectly illustrates what this is about: it can do everything inside the network, but it cannot do that one very specific function that would make it absolutely perfect for his needs. So I thought about it a bit and came up with some possible other ideas: perhaps it can't do that exact function, but maybe you can work around it in this way, perhaps you could use DHCP-based RADIUS authentication, use that to create a MAC address list based on the DHCP lease and try to block the ports in that way. And I think that illustrates it yet again: perhaps MikroTik can't perform the exact function that you want, but very often there's a workaround. It's extensible enough to be able to create the necessary scripts or hand off to some other device that may be able to do the job for you; it does allow for that extensibility and that expandability.

This is an actual conversation from a technical conference. It was a couple of years back, probably three to four months before TR-069 was released on the MikroTik platform. So this is a big IT tech support consultant from a very big telecoms provider in South Africa, and the first thing he said to me after figuring out who I was was: why doesn't MikroTik support TR-069? I am deploying thousands of CPE devices on our FTTx network and this would make my life so much easier. Well, I have seen rumours about it on the request list, have a look around, perhaps it will be there in a few months' time, and of course he went off mumbling and groaning about this. Fast-forward around six months, I saw the same guy, different conference this time, and the first thing I said to him was: hey, check it out, MikroTik now supports TR-069. And his response back to me was: well, I wish they would stop wasting time on small things like that and bring out RouterOS version 7 already. Okay, so that is typical of the kinds of conversation that I'm having with other consultants in the field.

So let's then look at some common misconceptions. I'm going to start here with outdoor wireless, because this is something that I deal with quite a lot. As an aside, aside from being a MikroTik trainer I also run a moderately sized ISP, or service provider, in Cape Town, and we use both wireless and fibre quite extensively in our network, so I have experience with many, many different products from many, many different vendors, but time and time again we try something else out and we tend to end up coming back to MikroTik in the end. So that's the typical kind of complaint that I get: well, product A, B, C, Cambium, Mimosa, Ubiquiti, whatever, it's so much better than MikroTik, just plug it in and it works. Yes, that is true to some extent; MikroTik doesn't have a "set up everything at once" button that just figures it all out for you. However, while MikroTik does have the more complex setup, where it does take longer to set up and fine-tune a link, it does give you very, very fine-grained control over every single aspect of your wireless interface, whereas with the other devices, if their one-button setup doesn't work for you then that's it, you're stuck with the setup that you have; there's not much space to experiment around the settings and try something different, or to fine-tune and maybe tweak that particular link to get exactly what you want from it. So rather than dumbing things down and going, well, we'll just give you this single click button that does everything for you, MikroTik really gives you absolute control over every single aspect of the wireless interface. However, fair warning here: you do need to know what you're doing. If you don't know how to set the device up properly, you're not going to get the results that you want or need.

Another thing I want to highlight, and this again is from working with many, many different products: there is no magic bullet solution, there's no one product that can service every single component of your network. The various wireless manufacturers have various types of technology; it goes under many different names, I've heard about em xwj type ol, Canopy, jet and so on, but ultimately it all comes down to the same thing: it's really just a TDMA protocol that they've modified or massaged in some way. So if you're not aware of it, MikroTik has its own version of TDMA, time division duplex multiplexing, and it's called NV2, or Nstreme version 2. Nstreme version 1, if you just want to call it that, was a polling-based system, which is technology sort of similar to token ring on Ethernet, where it would poll various devices and ask them if they needed to send data. So that solved various media access problems that you have with the standard 802.11 protocol: problems with links over long distances, problems with hidden node clients, i.e. where two clients cannot see each other's wireless signals directly; it solved all of that. So they built on that, leveraging TDMA in the NV2 system, in order to improve that in all aspects: even better handling of multiple clients, better handling over distance and so on. And as I said, every single other product is just based on the same thing; if you really drill down to the specifics of what those devices are doing, they're just using some version of TDMA that they've tweaked and massaged in their own way in order to deliver their product. So yes, perhaps they have antennas with some fancy beamforming technology, and that can work very well, I mean there's nothing wrong with beamforming, it can be very, very effective in terms of focusing signals to clients; perhaps a bit more in terms of fancy antenna elements and so on, maybe slightly fancier software, but ultimately if you're comparing the same technology with the same technology, I believe they are similar enough to each other so as not to make that much of a difference, maybe a few percentage increases in performance here and there.

When it comes down to wireless, if you're dealing with wireless a lot, especially as we have in Cape Town, we have sites with huge numbers of wireless devices. We can do a scan from one of our high sites and pick up anywhere from 400 to 500 SSIDs all at the same time, so that's the kind of noise level that you're dealing with, and you can't change physics. Once you are out of spectrum, you're out of spectrum; there's no amount of magical beamforming isolation technology that's going to get around that. If the entire five gigahertz band is used up, then it's used up, and aside from moving to a different frequency there's nothing you can really do there; almost any amount of fancy technology is not going to do the trick. So what are you going to do? Probably going to use a giant-sized, you know, 1.2 metre antenna with an ultra-high-powered device that's just going to try to drown everything else out, but that's going to work right up until the time your competitor does exactly the same thing on his tower pointing right through your one, and then you're going to be back where you started. And on the other side of that, any wireless device will perform well under perfect network conditions. So it's great seeing product X with a 500 megabits per second AC throughput, but that would be in an environment where there's no other noise, and you can get that kind of performance because there's nothing else to interfere. And the other common one is customer X will go, well, I replaced my MikroTik with a, whatever, Cambium, and I went from 10 megabits per second on that link to 100 megabits per second on the link. I go, that's great, but what did you replace, what was there before? And so it was this old rusted grid with a CM9 and a RouterBOARD 133C that I think I might have put in there 10 years ago or so. Well, of course it's going to be different. Had he taken that system and replaced it with, let's say, a new NetMetal AC with a nice new mANT30 precision alignment antenna, you're going to get exactly the same level of improvement, of course it's going to be at, you know, one third of the cost, and I'd be very happy with a solution like that. So yes, replace old equipment with new equipment and you're going to get an improvement, there is absolutely no doubt about that, and I think it would be very fair to say that manufacturer X is not so much better just because you used equipment that was 10 years newer, and in those terms having better modulation techniques, AC, whatever it might be.

Just a few things you may not know, a couple of things that make the NV2 protocol unique. I said all the manufacturers use TDMA with their own little software tweaks; MikroTik has its own little software tweaks as well, and it does have some very, very powerful features that can optimise your bandwidth distribution and also allow you to sync access points together. So the first thing, just to mention, is something called uplink percentage. Using uplink percentage, what the system will do is prioritise the NV2 time slots to favour either upload or download as is your requirement. You see a little screenshot I have, just circled in red there, where I have enabled fixed downlink and set my downlink ratio to 80. What this will do is, instead of running the system at roughly 50/50 in terms of upload and download time slots, it will now start prioritising the downlink slots, push 80 percent of the traffic towards the downlink slots and only 20 percent towards the uplink. So if you had a connection running at, say, 50 meg down and 50 meg up before, that might now change to 80 meg down and 20 meg up, as a comparison. So it prioritises, sends more time slots to one of the directions. This is great in quite a few applications. For a lot of internet service providers generally the download percentage is going to be much higher than the upload; you'll tend to use probably 70 to 80 percent of your bandwidth on download to clients and a smaller percentage on their client upload, so by using this you can leverage the higher percentage download in order to deliver a better service to your clients in terms of what they need on the download side. If we look at the other side of it, something like a CCTV camera system, we're looking at the opposite thing: you're not downloading to the camera, the camera is uploading to your DVR, so by switching that whole thing around, assigning more time slots to the upload portion of it, you can optimise your CCTV system to allow you to make better use of your link and not waste unnecessary time slots on the download section of it, which is really hardly going to be used.

Another feature of NV2, and this is also fairly new, is the master/slave sync configuration. This is something that is prevalent across quite a number of different products; however, most of them use some kind of GPS sync in order to sync the time slots, well, not really sync the time slots, sync the devices in terms of sending and receiving. So the system from Ubiquiti, what it does is make sure that all APs are transmitting at the same time, and the same goes for clients, all clients transmit at the same time, so you don't have a situation where one AP is transmitting while the other AP or client is replying back to that same site. MikroTik did it slightly differently. What the NV2 master/slave does is it syncs the NV2 time slots across all APs at the same time, so it means that the time slots are shared between multiple APs on a site, which gives you a couple of interesting options. So for example you can use the same frequency on multiple access points at the same time on the same site, because none of those access points are going to be sending information at the same time. So by syncing together all your APs that run on the same frequency you can have much better utilisation of, let's face it, very, very scarce spectrum that you might have on your site. No GPS sync module is required, which is not the case with just about every other product out there, so that's bonus point number one. And the other great thing, which is so MikroTik, is it's backwards-compatible against every other MikroTik product, so it doesn't matter that your device doesn't support 802.11n or AC or whatever it is, you can roll this out in your network straight away. Again, with every other product I've worked with, this will only be supported on their latest products; you must have the latest AC, maximum product in order to run the new technology. MikroTik likes making things backwards compatible across every platform out there. So there's an example of setting up sync where I've set this up as a sync master; you can still set the download ratio, it can work along with the syncing system, and you just need to specify the same sync secret across devices that you want to sync together. So by having different sync secrets you can have different devices that are running on the same frequency just syncing to each other.

Still sticking with wireless, just going to the indoor wireless side: same content again. Well, product A, B, C and so on is so much better because you just plug it in and it works, and it has such a cool management system, look at this fancy web interface, it has lots of fancy pictures on it and lights blinking on and off. However, very often when you really drill down into that web management interface it doesn't give you that much back. It looks great, it's good for impressing clients, look how expertly I'm managing your system, but in terms of real useful information it tends to be rather limiting. MikroTik on the other hand have given us CAPsMAN. It doesn't look like anything, I'll show you a quick preview, so that's CAPsMAN in all its glory, but it is by far one of the most powerful wireless management systems that I've seen. It gives you absolute fine-grained control over every single aspect of your access point, and I know Ron will agree with me, where is he, there, sorry Ron. If you've ever seen Ron's presentations on CAPsMAN then that will give you an idea of just how powerful it can be and how effective it is as a wireless device management platform.

Just a quick rundown of the CAPsMAN features. Again, it doesn't require dedicated hardware; you don't have to run it on your laptop or whatever. I mean, have you had somebody set up UniFi on the laptop and then leave the site, and after that you can never ever manage those devices again? Yeah, I've seen a few nods. You're not going to have this problem here: any device running RouterOS, provided it has a decent amount of memory and a bit of processing power, can run CAPsMAN. Just install the package, enable it and you have a CAPsMAN system ready to go. It supports unlimited CAPs, or access points, 32 radios per CAP device, along with 32 virtual interfaces per master radio interface. Having just last week in Cape Town set up a system for a client where they had 380 Ubiquiti access points, and every single AP needed a different SSID tied back to a VLAN, the limitation of four SSIDs per UniFi device became a real pain to set up, I can tell you. At that point I really wished they had gone with a MikroTik platform; it would have made everyone's life, especially mine, so much easier. It can connect via MAC, there is no need to have an IP address on the CAP device whatsoever. If your CAP device is directly connected on layer 2 with your CAPsMAN server, you have an instant setup where you have to do just about nothing: make sure CAPsMAN is set up, make sure the CAP is ready to be adopted and that's it; once they start up they'll connect to the CAPsMAN and automatically set themselves up and be good to go. It also has IP layer connection features; again, if the CAP is not directly connected to CAPsMAN a little bit of extra configuration is required, you have to tell it where the CAPsMAN server is, but once you've done that again it can be set up and run in that way. And it can run as a central system where all the data moves through the CAPsMAN and then out onto the network, or the CAPsMAN can just do management from a setup point of view, so the CAP can have an independent internet connection or network connection and not have to be directly connected to the CAPsMAN in order to move traffic through in that way.

Next thing then is unrealistic expectations. So we're looking at hardware specification, software specification and reasonable application. In terms of hardware specification, this is probably the most common issue that I come across, and I'm fairly sure for a lot of you guys as well: why is my throughput so low, why is this router not performing in the way that I expected it to? And it's really about clients not checking what it is that they're purchasing. So if you're purchasing a hAP lite, which costs $20 somewhere on there, we're talking about a single core CPU, 650 megahertz, 32 megs of RAM, a little 16 meg flash on it; anybody got an idea why that couldn't run as a PPPoE server with 200 connected clients? It would be insane, you would think, but my clients seemingly don't agree. They will absolutely try to use the cheapest device they could right at the edge of the network to run all of their network traffic and then wonder why it is that a $20 device can't run the entire bandwidth for the whole network. So you need to understand your hardware. Check the specification. Does the hardware suit my application? Is this built for what I want to do? Is this a small office/home office router? If that's the case, don't expect it to work in a corporate environment with high bandwidth and a high requirement for lots of processing. Could this be handled better on the CHR platform as opposed to using a ready-to-go MikroTik router? And this would tie into the previous presentation that we had; Kevin just went through quite a lot of detail around where you might want to use a CHR versus using the CCR or something similar as your routing platform. So unfortunately this is just a bit of a repeat of what has gone on in the previous presentation, but if you're looking at CHR versus CCR: first of all, the CCR is Tilera-based, many CPU cores running at a relatively low clock speed, versus the CHR, which, the Cloud Hosted Router of course being x86-based, usually has a much lower CPU count but at a much higher speed per CPU. So you want to leverage your usage of the device based on what it was built to do. So what are the benefits of using the CCR? First of all, it's got an excellent price versus performance ratio for the type of device it is; with the number of ports that you can get with the number of CPUs, really there's not much that compares to it in terms of price versus performance ratio. And the CCR is designed, or it's optimal, when you need lots and lots of small loads balanced against many CPUs in multi-thread-capable situations. Examples of that are many parent or child queues in quality of service systems, so you want to balance the flows of a whole lot of different types of traffic at the same time. Another example might be multiple PPPoE accounts with, you know, many, many queues per account in a system like that, and this is an application where we have seen the CCR quite commonly used and where it does perform really, really well. So we have the option there also on the CCR of multiple ports at either one or ten gigabits per second, so we can leverage multiple connections at the same time, and also low power consumption. Just as an example, I've put the link up there, it is quite interesting, but this is an example of 30,000 PPPoE connections on a CCR1072. So if you can see the CPU load there, it's running an average of 29 percent; that's excellent performance when you are talking about lots and lots of small connections in that sense.

CHR or bare metal: what I mean by bare metal is you just install RouterOS directly on the device itself, no other operating system, just install RouterOS from scratch. You are talking about high-speed performance on a single thread, so this is excellent for applications that either can't or won't use multiple cores effectively. Examples are given: BGP convergence, that's a classic one; you're trying to converge two full routing tables, 1.2 or 1.4 million routes or something like that, everything's going to try to run on a single core. Also firewall, intrusion detection systems; again, the firewall only leverages a single CPU at a time, and if you're trying to handle many hundreds of thousands or millions of new connections through the connection tracking table, that is really going to stress out that particular CPU in a large way. And combined with layer 7 filtering, where you have to have a lot of processing on several packets at a time; so if you did a layer 7 filter, it can't process something on the first packet, it usually needs at least 10 packets in order to start the processing of the layer 7 filter, which again requires high single thread performance. The other thing about bare metal is it's usually costly; server platforms are not cheap, so you're looking at several thousand dollars in order to have something like that, and very high power consumption. If it's inside a data centre that's usually not a problem; if it's out on a remote site where you might be using solar power or something similar, then you're probably not going to be able to use a platform like this, because you just can't spare 500 watts of power to run an x86 platform. So again thanks to Kevin for his presentation from last year, where we see the CHR as a BGP edge router, and he demonstrated there that BGP convergence of two routing tables of over 500,000 routes on Hyper-V took less than one minute on the, I think it was the Baltic Vengeance, CHR. The CCR on the other hand took anywhere up to 10 minutes to do the same thing, which is a ridiculously long time, and the reason is, again, it's only going to leverage a single CPU in order to try to do that. So for that application it's all about the CPU speed that you have: the higher the speed of the CPU, the better it's going to work. Even, for example, the RouterBOARD 4011 converges BGP a lot faster. I've seen tests on a single routing table, full table, about 600,000 routes or so, and I think the CCR took about a minute 40 seconds to do it, and I think the 4011 was done in around 45 seconds or something, about half the time on a 4011, okay, and again that just comes down to the performance of the CPU itself.

The next thing then is lack of research, and this ties into the other two points that I made. So a client says, we're running IPsec on our network, we've installed this MikroTik router, might be a fairly expensive router as well, and it has slow IPsec performance. So first of all, does the router support IPsec hardware acceleration, and if it does, are you using authentication and encryption protocols that are accelerated on that device? I put the link up there where it shows every single MikroTik router and whether or not it supports IPsec hardware acceleration and what types of authentication and encryption it does support in terms of that. So you need to match your hardware along with what you're trying to do with it. If it doesn't support IPsec in hardware, it's going to have to do it in software and it's going to be very, very slow; there's no doubt about that. A great example of this was the RB3011, which for a very long time didn't support hardware acceleration. I know in the later versions of RouterOS that has been sorted, so the 3011 does have hardware-based IPsec as well, but that was a fairly large problem prior to that.

Next one: my router has slow bridging or routing performance. Again, this ties into Jonah's presentation from yesterday: you need to understand what the hardware architecture is and how that ties together with what it is that you're trying to do. So have you researched the board architecture? Which ports are connected to which switch chip? If you're using it for routing, how many paths to the CPU are there, and which ports are connected to which path to the CPU? Are you using hardware offload where it's available? If you are using the hardware offload, is the hardware offload on that particular device compatible with all the features that you are trying to use? There is a great example, the RB750Gr3 block diagram, the hEX router: if you were trying to route at high speed between ether1 and ether3, they're both on the same one gigabit line to the CPU, so it's not going to perform as well as you expected. Just by shifting the routing to, say, between ether1 and ether2 you would effectively double up the performance of your system. And a little hint, a little idea for MikroTik there: why don't you include this diagram in your device packaging, let people actually understand what's going on there.

Lack of understanding. One of my favourite quotes: just because you can do something does not mean that you should. Again, this ties into the rest of the presentation. Yes, sure, you can take an RB750 and it can run MPLS and you can run BGP and you can run OSPF and VPLS and you can do that all at the same time; yeah, that's not going to do it very well, is it? It's going to be terrible in that application, and again that's your decision. If you want to take a low-spec router and use it for every single advanced application, the performance is going to be terrible, and that's not going to be to everyone's surprise except perhaps your own, because perhaps you weren't expecting that. So when your performance does not match your expectation, chances are you're using the wrong device or the device hasn't been configured in the correct way. And there are many, many other examples of this. Bandwidth test versus traffic generator versus the new speed test: understand how those work and what they're meant to be used for. If you use the old bandwidth test, the bandwidth test itself is going to generate a lot of CPU traffic, so don't try to run a bandwidth test on the same device that you're actually trying to test for throughput, because the CPU is going to spend 80 percent of its time running the bandwidth test, the other 20 percent of its time trying to run the network card and almost no time on actually routing traffic through that device. Your performance is going to be poor and you're going to wonder why, and that's probably going to be the reason. Other examples: using a multi-core device, which is great, but running all of your queues in the root level of your simple queue structure. The MikroTik system is optimised to use multiple CPUs in a queue tree type system, so if you have a system of multiple parent and child queues it's going to allow the system to balance that out across multiple CPU cores at the same time, and in that way again you're going to get very much improved performance, and so on. Many, many examples of that; I could carry on giving examples of bad client configuration until this afternoon sometime, but I'm sure you've heard enough of me talking by now.

So just to summarise, finally: understand what your hardware was built to do, apply a software configuration in a smart way, match your application with the correct configuration and the correct router specification, and hopefully at the end of that you won't hate MikroTik any longer. Okay, thank you very much. [Applause]
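The NV2 settings the talk walks through (fixed downlink ratio of 80 for an ISP sector, the reversed ratio for a CCTV backhaul, and two APs sharing one frequency through a sync master and a common sync secret), written out as RouterOS wireless commands. This is an added example, not the speaker's configuration or a MikroTik document; interface names, SSIDs, the frequency and every secret are placeholders, and the NV2 link encryption settings (nv2-security and nv2-preshared-key) are standard /interface wireless options included so that the sync secret and air link are not left unprotected.

```routeros
# Added example, not the presenter's config. All names, frequencies and
# secrets are placeholders; replace them before use.

# --- Site AP 1: ISP sector, NV2 sync master, downlink-heavy slots (80/20) ---
/interface wireless
set wlan1 mode=ap-bridge band=5ghz-a/n/ac channel-width=20/40mhz-Ce \
    frequency=5500 ssid="site-sector-1" wireless-protocol=nv2 \
    nv2-mode=sync-master \
    nv2-downlink-ratio=80 \
    nv2-sync-secret="REPLACE-SITE-SYNC-SECRET" \
    nv2-security=enabled nv2-preshared-key="REPLACE-NV2-LINK-KEY-1" \
    disabled=no

# --- Site AP 2: same frequency on the same tower, NV2 sync slave ---
# Same sync secret as the master so its time slots line up with AP 1;
# a different secret would form a separate sync group on the same channel.
# Keep the same downlink ratio on every synced AP so the slot layout matches.
/interface wireless
set wlan1 mode=ap-bridge band=5ghz-a/n/ac channel-width=20/40mhz-Ce \
    frequency=5500 ssid="site-sector-2" wireless-protocol=nv2 \
    nv2-mode=sync-slave \
    nv2-downlink-ratio=80 \
    nv2-sync-secret="REPLACE-SITE-SYNC-SECRET" \
    nv2-security=enabled nv2-preshared-key="REPLACE-NV2-LINK-KEY-2" \
    disabled=no

# --- CCTV backhaul AP at the DVR side: cameras are stations that upload ---
# Downlink (AP -> camera) is the idle direction, so give it the minimum share
# and the uplink (camera -> DVR) gets the remaining 80 percent of slots.
/interface wireless
set wlan1 mode=ap-bridge band=5ghz-a/n/ac channel-width=20mhz \
    frequency=5620 ssid="cctv-backhaul" wireless-protocol=nv2 \
    nv2-mode=fixed-downlink \
    nv2-downlink-ratio=20 \
    nv2-security=enabled nv2-preshared-key="REPLACE-NV2-CCTV-KEY" \
    disabled=no

# --- Camera-side station: the ratio is set only on the AP; the station
# just needs the matching protocol and link key ---
/interface wireless
set wlan1 mode=station band=5ghz-a/n/ac ssid="cctv-backhaul" \
    wireless-protocol=nv2 \
    nv2-security=enabled nv2-preshared-key="REPLACE-NV2-CCTV-KEY" \
    disabled=no

# Check that stations registered under NV2 and watch the per-client rates
/interface wireless registration-table print
```

Because nv2-security replaces the 802.11 security profile for NV2 links, a station with the wrong nv2-preshared-key will not register, which is the quickest way to confirm the key rollout took on each side.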
Info
Channel: MikroTik
Views: 58,047
Keywords: mikrotik, routerboard, routeros, latvia
Id: C3U06olRmEk
Length: 36min 7sec (2167 seconds)
Published: Sun Mar 10 2019