Review on Mikrotik hEX RB750Gr3: High-Performance 5-Port Gigabit Ethernet Router by Anne Marie

Rating: 5 out of 5

How nice of you to find

April 2020 update: I've recently added two more RB750Gr3 units to my private stable, I have two RB450Gx4 RouterBOARDs and I see much larger Mikrotik boxes in the near future. I just sold the last of my many Ubiquiti products. What has changed? Well, maybe it's just the natural progression of the geek. In any case, I'll try to tell you about some of the shifts in thinking that made me want to return to Mikrotik in earnest.

More recently I deployed pfSense and a weird IPFire block for routing/firewall. These were almost exclusively Ivy Bridge or Haswell Core i5 Optiplex boxes with plenty of fast RAM, Intel network cards and solid SATA SSDs. Nobody gave me any seizures; they all did what one would expect. Some of the usage of these powerful i5 boxes was due to the need for traffic shaping, in my case via FQ_Codel, but in the last few months some of my users have switched to an ISP that runs over fiber. A good percentage of those who remain, myself included, now have gigabit cable connections. Users with a fiber optic connection have little to no concerns about buffer overflows. For cable users, I don't know if this is due to migrating to DOCSIS 3.1 and using OFDM channels, or cake loading in the modem, or a combination of the two, but buffer overflow issues have been significantly mitigated on these gigabit cable connections too. Sure, I can get rid of that buffer with FQ_Codel, pie, or pie, but at what cost? These Optiplex boxes are quite power intensive.

And other projects like pfSense, IPFire and my homemade Debian routers and such were attractive over Mikrotik products mainly because of the lack of features/functionality in solutions like RouterOS. What functionality? Well, things like Squid, Snort, Suricata, pfBlockerNG and the like. But all this, as I understand it, comes with administrative costs. The packages need to be updated. Many additional rules will need to be gradually adjusted over time. And in today's era of encrypting all traffic or whatever, I see too many costs (maintenance/downtime) of hitting the line with fake certificates to bother using Squid. Snort and Suricata alone don't do anything interesting to me (they won't see encrypted traffic, which is really important to me). Even pfBlockerNG (or Pi-hole or whatever) causes some breaks. The mere fact that most of these online ad blocking mechanisms kill affiliate links from places like deal news or tech deals is enough to make you not even try to employ them. Even on my own network, administration has become a nuisance. And the benefits... well, judging by my logs, they were all pretty minor. Network IDS/IPS and other fancy stuff isn't a panacea, and I look at my security in layers: my device's permissions are very limited, everything is patched and updated regularly, I'm careful when I click and ignore all but the most trusted emails. I don't worry too much about security, having been paranoid about it for decades, enough to know where real threat actors typically lurk and what tools they are likely to prefer.

What if I could get exactly what I *need* with all the visibility I could want in a very low power consumption and small form factor? How would it look? Dream? Well, for me it looked like I would visit Mikrotik again. And now it looks like I'll be here for a long time. And I'm serious. I've studied two books about RouterOS, read many of their online docs, and perused a strange forum. I was trying to understand what it means to really understand RouterOS and its tools. I want to understand how to use the software to my advantage. And I'm impressed. I'm excited. This is a true Swiss Army knife cutter. And try as I might, I couldn't break it. I don't use any features that interrupt FastTrack, so most of my traffic is almost completely overhead. I think that means I'm seeing around 930Mbps over the WAN instead of the random 980-1Gbps I would see with my more powerful boxes. That's perfectly acceptable for a tiny 5W cooler. Nothing "feels" different to me. Nothing is left behind. No performance issues. This hEX works and doesn't hurt my stomach. If you need to disable FastTrack for any reason, you should look for a resource that can give you some insight into how overall performance is suffering.

The tools are outrageous. It's almost unimaginably great. There is any visibility you want. See everything you can imagine in real time. And this thing can run a Dude server on a $10 microSD card. The box restarts immediately. It will send you an email with what you want. If you're really having trouble breaking it and holding down the reset button for the wrong amount of time, Netinstall is an easy and quick way to get your "bricked" router back to normal. Backup and restore can be done in a number of ways and you can even get a text file with all the settings, change an odd IP address or whatever and use that changed text file to deploy another hEX. Lots of options. Updating the firmware is very easy. Updating packages is very easy and there are several ways (long-term, stable, testing, developing). The web interface almost mimics the Winbox interface (you'll almost certainly prefer Winbox and it runs reliably on any desktop OS), and the command line interface follows exactly the same parent and child directory structure as the GUI, making it a nice experience to learn once you are familiar with the GUI. The iOS app I use on my iPhone isn't too ramshackle and certainly as good as I'd expect from a phone app for such a device (and again follows the same design principles so it feels as cohesive as the other management methods). This thing just begs to be nudged and nudged, making it the most fun a net nerd can get for around $60.

For beginners, you can do a quick setup/wizard setup (I don't know what it's called) and then browse the online Manual: Router Security page to learn how to change user/password, disable unwanted services, etc., and even stop at the firewall setup part (the default firewall is already fine for most homes/small businesses) and you have a very good, reasonably secure router for almost any home/small office (just as well, of course like any other device, built-in or otherwise shipped out of the box).

Tip: Select a product on the Mikrotik website. See the flowchart in the Support & Downloads section for the product listed. This will give you an idea of how the hardware works. Pay special attention to switches/backplanes/ports. Combined with an understanding of RouterOS and FastTrack Bridges, you can probably figure out if this or another Mikrotik box is right for your environment. You'll likely also find IPsec test results on the product page if that's important to you, and some devices have hardware offloads for that.

You will hear people complaining about everything. But those who complain about Winbox really confuse me. Winbox is great. You can resize a window, move it, and run it next to another window using the appropriate function. I usually look at three or four windows at a time in Winbox and it makes life so much nicer when you can get all the data you need in one space. I just think it's the coolest. In terms of overall firewall routing and performance (for most users in the most common configurations) I'm confident this will crush anything in its class and work with most other integrated boxes or just smoke for multiples of its price. Also, I highly doubt anything can match in terms of useful tools. I always keep a couple of field modules running OpenWRT firmware, usually with 1.2GHz or faster dual-core processors, 802.11ac and all the extras. I don't think the routing performance is comparable. And I don't crash the OpenWRT project. I love it. It can do great things and offer advanced features. I don't meet many network devices as it seems that with rare exceptions they all have their place for the right user. And there's nothing stopping you from running RouterOS or OpenWRT on bare metal with tons of processing power and memory to level the playing field. Fun Fact: You can also run OpenWRT on this hEX. Um, so yes. I like it.

Update February 2019: Anything seen as critical of Ubiquiti can safely be ignored. I now have 0 Mikrotik devices running and dozens of deployed Ubiquiti EdgeRouters, a few USGs, a few cloud keys, a cloud controller, various PoE switches, and a bunch of UAP-ACs (LITE, LR, PRO, models only). This shouldn't take away from my love for Mikrotik, but Ubiquiti is now the preferred choice for my deployment needs and has been for a little over a year.

My initial review: Brilliant, like pretty much everything from Mikrotik. The hardware more or less speaks for itself. It's a beast and I have no way of really charging the router (mainly because my wired connection is limited to around 90/13Mbps, no working tunnels etc.). The RB750Gr3 is simply the best in its class. I have launched and deployed competing products, namely EdgeRouter PoE, EdgeRouter Lite and EdgeRouter X. EdgeRouter is really good and I suspect most or all EdgeRouters are more capable in terms of PPS routing but my Mikrotik boxes NEVER have hiccups (tracking ongoing updates solely from patch and keeping firmware up to date is my personal policy). Regarding updates, I've had Ubiquiti AP and EdgeRouter updates a few times. I was always able to overcome myself, but not without frustration. And my customer's EdgeRouter X crashed more than 3 times, each 4-5 months apart, the reasons are still unknown. This hasn't happened to any of my Mikrotik boxes in 4 years. Also upgrading from Mikrotik is very easy, just click and done. Ubiquiti requires you to retrieve the update from the Internet, save it to disk, and send it to the router. Not difficult by any means, but it's just an extra step. Mikrotik works better.

And Winbox is the best customization tool ever made. Being able to drag windows across the screen for all the different configurations you want to play with is a delight. There's no need to remember IP or MAC addresses for anything, just put the relevant window aside to keep track of. These are the bee's knees. It's pretty much a no-limits device that pros will drool over. Backup, export, compact export, scripts. I do not know where to start. It does everything. And it runs with almost no electricity, no noise and no noticeable heat. So accessible is stupid. Take it.

Pros
  • Network Products
Cons
  • Nothing