MikroTik Best Practice Implementation – Part 1 of 2 – The big picture
MikroTik is a software-defined firewall and router. As such, it’s limited not only by the hardware it runs on but also by how it is configured. Just like a computer, running too many processes can overburden it, dragging performance down and causing network issues.
When a packet passes through your router, it passes through a variety of facilities including NAT, Mangle, Firewall and Bridging. This can happen hundreds of thousands of times per second. Since each facility typically has many rules, a packet traversing this digital maze may be touched numerous times. Issues can quickly compound with poorly configured routers causing resource exhaustion, which frustrates both you and your customers.
When you build your network, remember… packets are people, just like you and me. Sometimes packets are Facetiming with Grandma, holding your position in a first-person shooter game or stopping an attempted infiltration from a hostile hacker trying to acquire digital assets for a cyber war.
If you are going to undertake the responsibility of improving the efficiencies of your routers, then I highly recommend you read this MikroTik best practices overview and then spend some time deep in the study of exciting things like MikroTik’s packet flow diagrams.
Minimize your router processes
Less is better, almost always. Asking your router to do extra work on every packet processed is likely to create problems at some point. Finding ways to process your packets with shortcuts can reduce processing loads.
One of my WISP clients had VoIP quality issues which turned out to be caused by an overused address-list lookup. The surprising part was that the router was among the most powerful, a Cloud Core Router running no higher than a couple of percent of CPU utilization.
We were able to determine that the address-list was being queried tens of thousands of times a second. The trick that led to finding this overused address list was preceding the rule with a counter rule (the same match conditions but without the address-list condition), so we could track how many packets per second were reaching it. After removing the need to check the address list so often, the VoIP quality was fixed.
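The counter trick described above, as an added RouterOS example that is not the article's own configuration. The address list name `blocked-src`, the existing drop rule and its comment are constructed placeholders; the counter rule is a plain `passthrough` (it matches, counts, and lets the packet continue) placed directly before the rule that does the address-list lookup.

```routeros
# Constructed example: an existing rule that does an address-list lookup on every forwarded packet
/ip firewall filter
add chain=forward action=drop src-address-list=blocked-src comment="drop from blocked-src"

# Counter rule: same chain, no address-list condition, inserted just before the lookup rule.
# action=passthrough only increments the rule counters and lets the packet continue down the chain.
add chain=forward action=passthrough comment="counter: packets reaching blocked-src lookup" \
    place-before=[find comment="drop from blocked-src"]

# Watch both counters refresh once per second; the difference in packet rate between the
# counter rule and the drop rule is how much traffic is paying for the lookup without matching it.
/ip firewall filter print stats interval=1 where comment~"blocked-src"

# Remove the counter rule once you have the numbers, so it does not become overhead itself
/ip firewall filter remove [find comment~"counter: packets reaching"]
```

Use `print stats` rather than the default `print` so the bytes and packets columns are shown; the `interval=1` option redraws them every second, which gives a direct packets-per-second view without any external tooling.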
I often see simple things being skipped, such as accepting established and related traffic early in the chain, or not using connection fasttrack or fastpath where possible. One of the “gotchas” with fasttrack to be aware of is that fasttracked connections bypass router features such as simple queues, so the router can no longer account for that traffic. This can, for example, affect your billing system’s ability to calculate usage. You can’t use it everywhere, but it helps a lot with efficiency where you can.
Don’t forget that order matters, so the rules that match the most traffic should be as high in the rule list as possible.
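A forward chain that applies the three points above (accept established/related early, use fasttrack, keep queued traffic out of fasttrack), as an added RouterOS example that is not from the article. The address list `metered` is a constructed placeholder for customers whose usage must still be seen by simple queues; everything else follows the standard MikroTik default-style ordering.

```routeros
/ip firewall address-list
# Constructed example: customers whose traffic must still pass through simple queues for billing
add list=metered address=192.0.2.0/24 comment="metered customers (placeholder range)"

/ip firewall filter
# 1. Accept established/related traffic for metered customers BEFORE the fasttrack rule.
#    An accepted packet leaves the filter, so these connections are never marked fasttrack
#    and simple queues keep seeing (and counting) their bytes.
add chain=forward action=accept connection-state=established,related \
    src-address-list=metered comment="metered: keep out of fasttrack"
add chain=forward action=accept connection-state=established,related \
    dst-address-list=metered comment="metered: keep out of fasttrack (return traffic)"

# 2. Fasttrack everything else that is already an established/related connection.
#    Later packets of these connections skip most of the firewall and the queues entirely.
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack established/related"

# 3. Plain accept for the same state, highest-volume match so it sits near the top.
add chain=forward action=accept connection-state=established,related \
    comment="accept established/related"

# 4. Drop invalid; everything below this line only ever sees new connections.
add chain=forward action=drop connection-state=invalid comment="drop invalid"
```

The order is the point: rules 1 to 4 handle the bulk of all packets, so the per-connection policy rules you add afterwards (which are usually the long, expensive part of a chain) are evaluated only once per connection rather than once per packet.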
Secure your equipment
Your router and your network will be harassed by hackers and bots, so make sure you have rules that guard your gear. Best practices include keeping your equipment on a protected management VLAN, protecting access to management networks and keeping software patched and updated. Permit only required traffic and block all else in your router’s input firewall filter chain.
One trick to implementing this in a live network is adding a log rule, then watching the logs to catch anything you might have forgotten to add. Before you enable the “drop all” rule in your firewall filter input chain, turn on Safe Mode just in case. Don’t forget that if you are accepting established and related traffic above the log rule, existing connections will not show up in the log.
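The input chain procedure above, as an added RouterOS example rather than the article's own config: a management address list, the accept rules you expect to need, a log rule to catch what was forgotten, and a drop-all rule that starts disabled. The list name `mgmt`, the interface name `vlan-mgmt` and the 192.0.2.0/24 range are constructed placeholders.

```routeros
/ip firewall address-list
# Constructed example: the protected management VLAN
add list=mgmt address=192.0.2.0/24 comment="management VLAN (placeholder range)"

/ip firewall filter
# Existing sessions are accepted here, so they never reach the log rule below.
# That is the caveat from the text: the log only shows NEW connections you forgot to allow.
add chain=input action=accept connection-state=established,related comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"

# Required traffic only: management access from the management VLAN, plus ICMP.
add chain=input action=accept src-address-list=mgmt in-interface=vlan-mgmt comment="management access"
add chain=input action=accept protocol=icmp comment="icmp"

# Anything not accepted above is logged with a prefix you can filter on.
add chain=input action=log log-prefix="input-unhandled" comment="log unhandled input"

# The drop-all rule is added DISABLED so the logging phase cannot lock you out.
add chain=input action=drop disabled=yes comment="drop all else"

# Review what the log rule caught for a day or so and add accept rules for legitimate services:
/log print follow-only where message~"input-unhandled"

# When the log is quiet, enter Safe Mode in the terminal (Ctrl+X) and then enable the drop rule.
# If the session is lost while Safe Mode is active, RouterOS rolls the change back.
/ip firewall filter enable [find comment="drop all else"]
# Leave Safe Mode (Ctrl+X again) only after confirming you can still reach the router.
```

Keeping the drop rule present but disabled means the final step is a single `enable`, which is also the single change Safe Mode will revert if you lose access while it is in effect.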
Monitoring with Notifications
One of the biggest differences I see between small and large networks is their monitoring. This is because you will reach a ceiling as an organization without a good monitoring system. It might kinda feel like I just switched topics, but honestly, the efficiency of your routing system is directly affected by how you watch it.
Watched metrics, as a rule, improve within an organization because you are able to see things like climbing CPU, interface errors, temperature alerts and many other metrics that indicate your system’s health. This can allow you to be proactive and not reactive when it comes to issues on your network.
Standardization, Configuration Backup and Management
The configuration of similar systems should be the same, excepting only the elements that need to be different given the physical differences at the site. This is easy to say, easy to understand, but hard to consistently implement.
If a high level of consistency is achieved, then a senior network administrator should be able to rebuild a config on the fly with limited information… this isn’t a best practice, but it is a good test of how clean, logical and consistent your configuration is within your network.
Keep current configuration backups and spare hardware handy. The last time a client had damaged hardware was yesterday, literally… it happens, it shouldn’t be the norm but, as a service provider, you need to be prepared.
In the second half of this article, I will discuss creating smart configurations including avoiding common and/or disastrous mistakes and some practical config building steps.
Unimus is a software solution which helps network administrators implement and improve upon every best practice mentioned in this article in one way or another.
Unimus excels in the area of backup and configuration management. It simplifies tasks like comparing configurations between devices, auditing your network for best practice implementations, and firmware and configuration deployment.
“Automating configuration management can save you a lot of time (and therefore a lot of money). Unimus for example can help with automating RouterOS upgrades on your MikroTiks, and manage the overall consistency of your network. With recent MikroTik exploits, you can easily check the health of your entire network in bulk, and automate the remediation of infected routers.” — Tomas Kirnak, Founder / CEO at NetCore (Unimus)
Part 2 of the MikroTik Router Efficiencies series is now available; you can read it here.
To be continued…