Router advice

Chrismallia

Occasional Visitor
Hi, I just want some experienced opinions on a router for a small business. For business I use enterprise APs like Xclaim, but as for the router I have some thoughts that maybe someone can clear up for me. I look at routers like MikroTik and EdgeRouter that have great features such as hotspot, VLAN and much, much more, but for example an Asus router is consumer gear, yet it has great monitoring, keeps usage statistics, Ai protection, dual WAN (like some enterprise routers), but the most useful is the real-time monitoring, like bandwidth per client per app, that other routers do not look like they have. Asus routers have dual core processors and a good amount of RAM, so what will be the drawback of using an Asus router (wifi disabled)? Thank you for your replies in advance.
 
it has great monitoring, keeps usage statistics, Ai protection, dual WAN (like some enterprise routers)

It's a different class of device - and it's good enough for home/end-users...

Every one of these features can also be found on more purpose built devices for the Small Business/Small Enterprise markets...

Asus routers have dual core processors and a good amount of RAM, so what will be the drawback of using an Asus router

In a small business - everything - seriously - consumer router/AP's belong at home, when considering SmallBiz, it's all about stability and quality assurance, and this is where all consumer oriented Router/AP's start to fail...
 
Mikrotik has routers with 36 cores and SODIMM slots for RAM, so you can have as much RAM as you want. Mikrotik routers support firewall at layer 2 (see bridging) and very complicated QoS that you will never find with Ubiquiti or any consumer router, or even pfSense for that matter. Mikrotik also now has a 72 core router with 8 10Gb/s ports and 16 GB of RAM; you won't find that with Asus.

So whether dual core or quad core unless it has an x86 product it is surely still in the dark ages when it comes to CPU. 72 cores vs 4 cores that an embedded router has now which is considered top of the line.

ASUS only gives you a taste of what non-consumer gear offers, not the whole thing. You don't get IDS on Asus, and while RMerlin firmware gives a lot of capability to ASUS, it still is at the end of the day a dual core Broadcom device that has a CPU that sucks (no hardware crypto, A9 instead of A15, none of Broadcom's innovation like their media processors).

Some have used Mikrotik CCRs for media encoding, essentially hacking them and installing software on them. Those 36 cores do other jobs quite impressively. Many router based boards will have mini PCIe so you can upgrade wifi. Even Mikrotik has routerboards that are meant for being APs but have mini PCIe so you can upgrade wifi. Do you see an ASUS router with mini PCIe slots? SODIMM RAM slots? With a good CPU? On Mikrotik CCR the CPUs are actually interchangeable, so you could desolder the CPU and solder it onto another CCR router.

You haven't yet seen the Cisco routers used at internet exchanges: blade configuration with very, very high speed bus interconnects, loads of processing power and memory.

Routers like mikrotik which are configurable have monitoring, you just have to create the rules in order to obtain that capability (like in bridging, adding the IP of input of interface into address list). Adding hotspot or radius servers in mikrotik adds a statistic which you can see. On a linux server if you plan to use one as a router just install the software for it.

For your business, stick to what's specially made for non-consumer use; they are much more reliable, are more secure and give you more options. There's nothing that Asus has which you won't find in Mikrotik or any enterprise router or even pfSense or UTMs.
 
I'll give you a contrasting opinion...

Over the past month, I've loaded every single free router package that can be loaded into a virtual machine, and NONE of them... None whatsoever... offer the level of detailed reporting that the current asus routers offer.

Don't take this to mean that they are poor packages. In fact, the Asus (and other consumer routers) really start to bog down and have difficulty routing when your WAN speed goes over a certain threshold (which many homes now have.) If you're in a situation where IPv6 is in use (or you can't use some of the broadcom routing cheats.. er.. acceleration..), then you'll start hitting that limit with a downlink around 180-200 megabit.

If your internet connection doesn't exceed that speed, then you'd be perfectly fine with a newer Asus router when used in a small business. Even if you have to replace it once a year, they are fairly cheap.

If you need a higher throughput, then you'll have to sacrifice the reporting and monitoring.

You don't get IDS on Asus
You get something similar in their ai protection. There are pros and cons for each. The biggest negative to "ai protection" is that it sends usage info to trendnet. On the other hand, I believe their threat rules/signatures are probably significantly more current than the rules used by products such as 'snort.'

There's nothing that Asus has which you won't find in Mikrotik or any enterprise router or even pfSense or UTMs.
Every one of these features can also be found on more purpose built devices for the Small Business/Small Enterprise markets...

Bullsh*t. I've been down this exact path over the past month or so. The OP specifically mentions reporting, and I haven't encountered a single "purpose built" OS that has reporting that comes anywhere near what the asus firmware has. As well, while I can't speak to the QOS in RouterOS (mikrotik), the QOS in pfsense is significantly more complicated, AND LESS USABLE for some cases than the asus firmware (due to the lack of any L7 support.) Based on what I've read on the mikrotik wiki, it appears that it DOES support L7, however they don't encourage its use. (In cases when L7 support isn't needed, the pfsense QOS is probably quite a bit better than the asus stuff. For example, when you need to prioritize VOIP phones.)

Want QOS rules to give normal web browsing priority over youtube? Too bad. Can't do that with pfsense, because it can't differentiate between youtube SSL and HTTPS. It also can't detect P2P with any degree of accuracy. In fact, the only way to de-prioritize P2P with pfsense is to use a "catchall" bucket that also catches EVERYTHING that doesn't use a pre-defined port. (A large portion of modern software doesn't use a fixed port as it's (falsely) considered a security issue... so.. guess what that means?)

On a purpose built router OS, it appears that you might be lucky if you get reporting as basic as "this is how much data you're pushing/pulling over WAN - overall." Breaking it down to which hosts on your LAN are using that data seems beyond the capabilities of these products, and just completely forget about getting any data on what kind of apps might be using that data.

Some might support "netflow" (or something similar) that can be used to show "flows" of data between hosts (just the L3 details.) pfsense somewhat supports 'ntopng' which would be extremely useful if they'd finish the support (and update to the current version.) (ntopng does contain some L7 analysis, so using it does show some youtube/P2P type traffic with some accuracy, but the older version in pfsense isn't as accurate as the newer version, and neither are as accurate as I found the asus firmware to be.)

However, once again.. and this is really important: If your WAN link is faster than 180-200 megabits, and you're supporting a business with it... A consumer router isn't a good choice. At that point, you'll just have to give up the reporting, and make do with what often feels like more primitive router software options.
 
To get reporting with Mikrotik, simply see the stats of the rules you make. You can use a script to tie the information together and show it to you using the API.

Mikrotik's QoS is more complicated to use but easier to set up though relies on effective identification of traffic which the OS provides you with many from layer 2 all the way to layer 7, various different parts of the packet/connection/traffic can be identified.
 
On a purpose built router OS, it appears that you might be lucky if you get reporting as basic as "this is how much data you're pushing/pulling over WAN - overall." Breaking it down to which hosts on your LAN are using that data seems beyond the capabilities of these products, and just completely forget about getting any data on what kind of apps might be using that data.

pfSense and MikroTik have very rich SNMP implementations - so using that in conjunction with Cacti or MRTG (just as examples) can provide very in depth reporting - adding a nagios agent for events and rsyslog with Kibana and ElasticSearch...
 
To get reporting with Mikrotik, simply see the stats of the rules you make. You can use a script to tie the information together and show it to you using the API.
pfSense and MikroTik have very rich SNMP implementations - so using that in conjunction with Cacti or MRTG (just as examples) can provide very in depth reporting
Please show an example report or screen shot. We've all seen what the Asus router can show, but I've never seen pfSense or RouterOS with a good reporting showing per-host traffic - or any level 7 traffic report whatsoever. No examples, no screenshots, no nothing. Only people saying "it's possible in theory" (or something similar.) With pfSense in particular, there's no hope of per-app reporting whatsoever as L7 stuff was yanked out of it.

(I plan on downloading a VHD trial of routerOS this weekend and taking a look at that... until I do so, I can only speak to routerOS on what I've read on their wiki, forums, etc.)

Being possible "in theory" is nice.. in theory. Sadly, until it's actually done, it's only theory.

As I did in another thread, I'll post a link to a stackexchange thread showing one of the things possible with the asus firmware:
http://hardwarerecs.stackexchange.com/questions/1289/home-router-that-logs-per-device-internet-usage

Oh, and because the asus reporting shows hosts at L2 instead of L3, it's able to show per-host reporting... and has no issues when a single host has 1 IPv4 address and 3 IPv6 addresses. They're all shown as a single host.

Again, however, it's VERY important to note that while the asus reporting is probably some of the best and most useful I've seen for a small business or home user, it only comes on consumer routers that aren't capable of higher bandwidths. Ironic, isn't it?
 
Personally I have never seen any router (including Asus) have anywhere near the reporting capabilities of Untangle. If you need reports, graphs, etc. Untangle can't be beat. Take a look at the demo and you can see the widgets on the dashboard, but then there is a report section where there are a huge number of reports you can pull while applying filters to separate out what you want. You can even tell the report how you want the results, like in a chart format, list, etc.
http://demo.untangle.com/webui/startPage.do
 
Personally I have never seen any router (including Asus) have anywhere near the reporting capabilities of Untangle.
It does have nice reporting. As well, it deals with the complications of IPv6 by... not really supporting ipv6. (You can do basic interface configuration for ipv6, but if client machines use it, don't expect to get any reporting from them.) I can't suggest untangle (or any other router software) to someone until it moves into the 21st century.
 
With pfSense in particular, there's no hope of per-app reporting whatsoever as L7 stuff was yanked out of it.

Because it was a duplication of other platforms that could do a better job - yes, folks did take umbrage at this, but those packages are slowly finding their way back in, and of course, like I mentioned earlier, SNMP and Nagios were not impacted here, nor was Rsyslog support...

These are old hat for datacenter and enterprise folks that need to monitor servers, routers, switches etc... and very rich interfaces to boot.

But if one is coming from a consumer router space, and not having been exposed to external monitoring systems - pfSense and others might seem a bit sparse..
 
Again, however, it's VERY important to note that while the asus reporting is probably some of the best and most useful I've seen for a small business or home user, it only comes on consumer routers that aren't capable of higher bandwidths. Ironic, isn't it?

Again, it's pretty important to note that while Asus reporting might be impressive in its sandbox, trying to get data out of it is pretty difficult as it's pretty much all in house - there is some level of SNMP support, but it's pretty limited, and I've not seen a nagios or xymon agent in any of the third party trees...

It's not a business class router - simply put... and going back to OP's question - there are much better choices out there...
 
It does have nice reporting. As well, it deals with the complications of IPv6 by... not really supporting ipv6. (You can do basic interface configuration for ipv6, but if client machines use it, don't expect to get any reporting from them.) I can't suggest untangle (or any other router software) to someone until it moves into the 21st century.

lol, umm ok. Suit yourself...
 
Again, it's pretty important to note that while Asus reporting might be impressive in its sandbox, trying to get data out of it is pretty difficult as it's pretty much all in house - there is some level of SNMP support, but it's pretty limited, and I've not seen a nagios or xymon agent in any of the third party trees...

It's not a business class router - simply put... and going back to OP's question - there are much better choices out there...
For a medium to large business, I agree that the asus choices can't handle it. Yet, the OP did specifically reference those asus reports. Even you have to admit that there's NOTHING in pfsense that can do that. You can get a significant amount of data if you're willing to add more machines (and different software) for SNMP, consuming netflow, etc. You might be able to get data per IP address (and could, in theory, consolidate that to data per host if MAC addresses are part of the data flow.) You'd still be missing L7 information that the OP referenced.

Of course, at that point, you might as well mirror the WAN and LAN ports and have something extract the needed data from the raw packets. At least that way you'd have the raw packets to do DPI on and get the L7 reports.

...and it's still not something pfSense can do. (At that point, it'd be a completely separate product doing it.)

@sfx2000, don't get the wrong idea from my posts - I'm not bashing pfsense or any other product (except for untangle and the other non-ipv6 compatible products.) I'm responding directly to the OP in regards to the reporting capabilities. I've also clearly stated that for ROUTING capabilities, things like pfsense, routerOS, etc are superior. However, for reporting of "real time monitoring like bandwidth per client per App" (quote from the OP), at least pfSense doesn't have it, and there's nothing much you can do to add it. The closest I've seen is the incomplete (and out of date) ntopng package.

If I'm wrong, I'm good with that - but just typing that you can add this, that and the other thing without specifics, without examples, and without even screenshots.. isn't helpful. Perhaps a link showing something that can be done? A sample report? Anything? To be completely honest, I desperately WANT to be wrong. I'd love to be able to load up a couple pfsense packages and suddenly get real time per host per app usage data. If you remember, it was something I specifically asked for when I started this journey.

Oh, and as for mikrotik... RouterOS might be able to do some of this stuff, but it might take me a while to figure it out. So far (< 2 hours) routerOS seems like programming in assembly: Each individual instruction can only do the tiniest of things... but you can seemingly combine them in some interesting ways. (No, it's not literally like programming in assembly. In fact, there's a scripting language that appears similar to shell script.)
 
Asus routers have dual core processors and a good amount of RAM, so what will be the drawback of using an Asus router (wifi disabled)?

Most Asus routers have 256MB RAM or less. Only the more expensive RT-AC88 has 512MB. However, in a small biz environment, people will use the router mainly for its routing functionality. It is less likely that Samba, DLNA, Torrent servers and other fringe add-ons will be deployed on the router itself. So 256MB is still plenty of RAM.

Say you go with RT-AC88, you put money on a significant part (i.e. wireless features) which won't be utilised. That doesn't appear like a sound business investment. On the other side, AsusWRT has DPI engine (that powers AiProtection, real-time statistics, knob-less QoS) that is lacking even in some of the business brands you mentioned.

AsusWRT may be among the best in consumer space. Believe it or not its features and robustness cannot compete against firmwares inside business routers. It boils down to specific features you need and how much downtime you can cope with. I would think small biz can tolerate a random reboot, say, once every few weeks. AsusWRT most likely handles better than that.

Daily support plays a major part in your investment. Preferably you want to have it in house. It's much easier to find or train up someone among the staff to act as front-line support for consumer routers. Vendor's support, however, is way higher quality from business routers. E.g. look at the sort of questions and answers on Asus forum vs Ubiquiti's.

The decision is easier if you're paying for day-to-day support or a certain number of annual incidents. I would certainly pay for business routers rather than someone who installs and supports Asus.

With all that said Asus routers are good tools for many small biz. Perfect tools if you find staff to cover daily support. To me, really doesn't matter it's labelled as a consumer product or not. I guess that might be your main concern to begin with.
 
On Mikrotik, other than rules, API, graphing and stats, there is also the network monitoring tool called The Dude. You can run the Dude server on multicore routerboards and use that for network monitoring. See for yourself the screenshots and examples of it on the Mikrotik website.

Here's a random page you can find by using Google.
http://mikrotik-q.blogspot.co.uk/2015/05/the-dude-netmonitor.html
So Mikrotik does have fancy monitoring, which only multicore routerboards and x86 are able to host the server for, instead of running it on a PC.

For Mikrotik, a theory can be implemented, sometimes easily, sometimes with difficulty. If something doesn't work you can diagnose it and get it working. Ubiquiti, however, which some may say has fancy reporting, doesn't come close to Mikrotik's capability in monitoring, functionality and how much of theory you can put into practice. Theoretically you can turn a Ubiquiti EdgeRouter into a UTM; practically it is impossible (I tried).
 
@sfx2000, don't get the wrong idea from my posts - I'm not bashing pfsense or any other product (except for untangle and the other non-ipv6 compatible products.) I'm responding directly to the OP in regards to the reporting capabilities. I've also clearly stated that for ROUTING capabilities, things like pfsense, routerOS, etc are superior. However, for reporting of "real time monitoring like bandwidth per client per App" (quote from the OP), at least pfSense doesn't have it, and there's nothing much you can do to add it. The closest I've seen is the incomplete (and out of date) ntopng package.

I didn't take it as bashing pfSense (or any other platform for that matter)...

My point is that Consumer Grade Router/AP's are designed for a purpose and a target audience - that being the home... and the feature set that Asus/Netgear/Linksys/TP-Link/DLink/etc - those are suitable for the home markets.

I'm not bashing either - for the home market - they're great solutions... they just don't scale very well when having to manage more than a few machines... and then again, the issue of exporting data...

When you get into something a bit more - Small Business, as OP asks, the reporting can still be done - it's not spoon-fed, but there are plenty of options available, esp if one wants/needs to export out to another box for report generation and analysis...

Exporting good data out of consumer routers is a problem - because of the sandbox of internal development to generate those nifty reports in the first place.
 
I've been playing with this whole thing... the OP references monitoring and real-time monitoring... not exporting. As well, requiring a second machine for reporting might not be the best solution for a small business. (I don't know.. the OP didn't state a preference and I think we've hijacked his thread.)

RouterOS might be able to do it, and I'll take SEM's word for it that it can. I'm having a hard time keeping myself interested in playing with RouterOS... probably because I can't drop down to a root shell and tinker. (I know.. that's a Good Thing for most people.)

For pfsense, I think ntopng might be the closest thing possible. Exporting SNMP and even netflows to another machine doesn't give enough information for L7 reporting.

To that end, I've started mucking around with ntopng 2.3 on pfsense, and already found a bug in regards to ipv6 for how pfsense starts the process (that I posted a fix for on the pfsense forum.) I'm going to spin up a freebsd VM and try to get acquainted with freeBSD, and then the pfsense dev environment... and finally try to see what I can do to get ntopng 2.4 working with pfsense. In the meantime, if no one posts a pull request with my fix before I get around to it, I'll do that.

That would, I think, address the OP's needs (though there is still one massive shortcoming: having to view the data per IP address instead of per host.)

I wonder if pfsense would accept a modified version of ntopng that used arp and ndp to determine the hardware address of all the local seen IP's, and group them together based on MAC... hmm....
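
The grouping idea from the post above (resolve every locally seen IP to a hardware address via ARP and NDP, then total traffic per MAC), as an added Python example that is not part of the thread and is not ntopng or pfSense code. It assumes a neighbor-table dump in Linux `ip neigh show` style and per-IP flow totals; all addresses, byte counts and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed neighbor table (ARP + NDP), Linux `ip neigh show` style (assumption).
# One host holds 1 IPv4 and 3 IPv6 addresses; one entry has no resolved MAC.
NEIGHBORS = """\
192.168.1.10 dev br0 lladdr aa:bb:cc:00:00:01 REACHABLE
2001:db8:1::10 dev br0 lladdr aa:bb:cc:00:00:01 STALE
2001:db8:1::a1b2 dev br0 lladdr AA:BB:CC:00:00:01 REACHABLE
fe80::a8bb:ccff:fe00:1 dev br0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.20 dev br0 lladdr aa:bb:cc:00:00:02 REACHABLE
192.168.1.30 dev br0  FAILED
"""

# Constructed per-IP flow totals: (source, destination, bytes).
FLOWS = [
    ("192.168.1.10", "203.0.113.5", 1200),
    ("203.0.113.5", "192.168.1.10", 90000),
    ("2001:db8:1::10", "2001:db8:ffff::1", 300),
    ("2001:db8:ffff::1", "2001:DB8:1:0::A1B2", 45000),  # same address, other spelling
    ("192.168.1.20", "198.51.100.7", 5000),
    ("198.51.100.7", "192.168.1.30", 700),               # local IP with no MAC on record
]

# Constructed LAN prefixes: only addresses inside these count as local hosts.
LAN = [ipaddress.ip_network("192.168.1.0/24"),
       ipaddress.ip_network("2001:db8:1::/64")]


def parse_neighbors(text):
    """Return {ip_address object: lower-case MAC}; entries without lladdr are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue  # FAILED/INCOMPLETE entries carry no hardware address
        pos = fields.index("lladdr")
        if pos + 1 >= len(fields):
            continue
        # Parsing the IP normalises different textual forms of one IPv6 address.
        table[ipaddress.ip_address(fields[0])] = fields[pos + 1].lower()
    return table


def addresses_by_host(table):
    """Invert the neighbor table: MAC -> set of every address that host uses."""
    hosts = defaultdict(set)
    for ip, mac in table.items():
        hosts[mac].add(ip)
    return dict(hosts)


def per_host_usage(flows, table, lan):
    """Total upload/download bytes per MAC instead of per IP address."""
    usage = defaultdict(lambda: {"up": 0, "down": 0})

    def key_for(ip):
        if not any(ip in net for net in lan):
            return None                      # remote endpoint, not a LAN host
        # A local IP with no neighbor entry stays visible under its own bucket
        # rather than being dropped or merged into another host.
        return table.get(ip, f"unresolved:{ip}")

    for src, dst, nbytes in flows:
        src_key = key_for(ipaddress.ip_address(src))
        dst_key = key_for(ipaddress.ip_address(dst))
        if src_key:
            usage[src_key]["up"] += nbytes
        if dst_key:
            usage[dst_key]["down"] += nbytes
    return dict(usage)


if __name__ == "__main__":
    neighbor_table = parse_neighbors(NEIGHBORS)
    for host, totals in sorted(per_host_usage(FLOWS, neighbor_table, LAN).items()):
        print(f"{host:28} up={totals['up']:>7} down={totals['down']:>7}")
```

Neighbor entries age out, so a collector built this way needs to snapshot the table at roughly the same time as the flow data it labels.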
 
I've been playing with this whole thing... the OP references monitoring and real-time monitoring... not exporting. As well, requiring a second machine for reporting might not be the best solution for a small business. (I don't know.. the OP didn't state a preference and I think we've hijacked his thread.)

I don't think we've hijacked his thread - honestly...

When one looks at a small business (or a hospitality network) one must consider use cases - user privacy, payment cards (PCI compliance) or health care (HIPAA compliance here in the US) - and then work it thru...

There is a reason why business oriented routers have more finely grained logging and controls - some might elect not to log at all (traceability perhaps), or log everything and export to another appliance in the case of SOX/ISO/PCI/HIPAA for some companies, or just plain business reasons for companies that don't have those policy constraints as a business...

Hence my position again - home/consumer base Router/AP's are not a wise choice for business...
 
I suppose it depends on what the small business is. If it's something in the medical field (requiring HIPAA) or something with other similar privacy requirements, then the needs would be different from... a small construction contracting office with 4-5 people (as an example.)

In this forum, when someone mentions a consumer (small office/home office) wireless router for a small business, I tend to think "small business" as being < 10 people.

However, "small" is very relative. It can also be 50 or 75 people - in which case that Asus wireless router might have a hard time. ;) For THAT, you'd certainly want a dedicated box as your router. As well, at that point, those detailed usage monitors are going to be useless, as I seriously doubt that the Asus router (any of them) would have the horsepower to keep live stats on so many users.

There was a product I saw in passing that might work for that... "security onion" or something. That might be a possible solution for the OP if they have a larger "small office" and still want all the fancy reporting. (I didn't spend any time researching that particular product for some reason, so can't be sure it even does routing, but here's a link: https://securityonion.net/ )

Also consider "opnsense" which is a fork of pfSense. Without getting into all the politics of the fork, opnsense appears to have done some work adding netflow reporting in their UI. I have no idea if their reporting has any L7 data or not.
 
Also consider "opnsense" which is a fork of pfSense. Without getting into all the politics of the fork, opnsense appears to have done some work adding netflow reporting in their UI. I have no idea if their reporting has any L7 data or not.

Let's not discuss the whole opnsense thing on this thread - as you mention, there's a fair amount of politics behind that fork, and most of it non-technical to be honest...
 
