MikroTikhEX RB750Gr3 5-port Ethernet Gigabit Router

Apr 2020 update:I recently added two more RB750Gr3 units to my private stable, I have two RB450Gx4 RouterBOARDs shipping, and I see much bigger Mikrotik boxes in my near future. I have just sold the last of my many Ubiquiti products. What's changed? Well, maybe this is just the natural evolution of a geek. In any event, I'll try to walk you through some of the changes in thinking that have caused me to revisit Mikrotik in earnest.Most recently, I've been deploying pfSense and the odd IPFire box for routing/firewalling. These have almost exclusively been Ivy Bridge or Haswell Core i5 Optiplex boxes with an abundance of fast RAM, Intel NICs, and reliable SATA SSDs. None have given me any fits; they've all done what you'd expect.Part of the reason for using these high-horsepower i5 boxes was due to a need for traffic shaping, in my cases via FQ_Codel, but in recent months some of my users have switched to an ISP serving over fiber. A good percentage of the remaining, including myself, now have gigabit connections via cable. The fiber-connected users have essentially no bufferbloat worries. With the cable users, I don't know if it's the migration to DOCSIS 3.1 and its use of OFDM channels, or if it's pie shaping taking place inside the modem, or some combination thereof, but bufferbloat woes have been substantially mitigated on these gigabit cable connections as well.Sure, I can continue to feather this bufferbloat out with FQ_Codel, cake, or pie, but at what cost? These Optiplex boxes are pretty power thirsty. And the other projects, like pfSense, IPFire, and my roll-your-own Debian routers and whatnot were mostly attractive due to having features/functionality missing from solutions like RouterOS in the Mikrotik products. What functionality? Well, things like Squid, Snort, Suricata, pfBlockerNG, that kind of thing. But these all come with an administrative cost, I've learned. Packages need updates. Gobs of additional rules need to be tweaked, gradually over time. And in today's age of encrypt-all-the-traffic-or-else, I see too much cost (maintenance/breakage) in putting a bump on the wire with fake certificates to be bothered using Squid. Snort and Suricata by themselves don't do anything that's interesting to me (they won't peer into encrypted traffic, and that's all I'd really be concerned with). Even pfBlockerNG (or Pie-hole, or whatever) cause some amount of breakage. Just the fact that most of these network-based ad-block mechanisms will kill affiliate links from a place like dealnews or techbargains is enough of a nuisance that I can't even attempt to deploy them. Even on my own network, the administration overhead became tiring. And the benefits...well....according to my logs, they were all pretty inconsequential. Network IDS/IPS and whatever other fancy fangled thing is no panacea, and I consider my security in layers: my device's permissions are super restrictive, everything is patched and updated regularly, I'm careful where I click and ignore all but the most trusted emails. I'm not super worried about security, since I've been paranoid about it for decades, enough to learn where the real threat actors tend to lie and what tools they'll likely prefer.So what if I could get just the things that I *need*, with all the visibility I could want, with very low power consumption, and a small form factor? What would that look like? A dream? Well, for me, it looked like I'd be revisiting Mikrotik. And it now looks like I'll be here for a good while. And I'm serious about it. I consumed two books on RouterOS, I've read a ton of their online documents, and I've scoured the odd forum. I've tried to figure out what it's like to really understand RouterOS and its tooling. I want to understand how to utilize the software to my every advantage. And I'm impressed. I'm excited. This is genuinely a Swiss Army kniferouter. And try as I did, I couldn't break it.I don't use features that break FastTrack, so the bulk of my traffic passes almost completely without overhead. I think that means I see some 930Mbps over the WAN, instead of the occasional 980Mbps-1Gbps I'd see with my beefier boxes. This is absolutely acceptable for a tiny, cool-running box that's spec'd to max at 5W. Nothing "feels" any different to me. Nothing lags. No performance concerns whatsoever. This hEX works and doesn't bellyache. If you need FastTrack disabled for any reason, you'll want to find a resource that can give you some idea of how overall performance will suffer as a result.The tooling is outrageous. It's almost unimaginably great. There's any amount of visibility you desire. Watch anything you can imagine in real time. And this thing can run the Dude server on a $10 microSD card. The box reboots in no time flat. It'll email you about whatever you want it to. If you really try hard to break it and hold the reset button down for the wrong amount of time, you can take your otherwise "bricked" router back to good with netinstall simply and quickly. Backups and restores can be done multiple ways, and you can even snag a text file of all settings, modify the odd IP address or whatever, and use that revised text file to deploy another hEX. Options galore. Updating the firmware is dead simple. Updating packages is dead simple, and there are multiple tracks (long-term, stable, testing, development). The web interface nearly mimics the Winbox interface (you will almost surely prefer Winbox, and it can run reliably on any desktop OS), and the command line interface neatly follows the same parent>child directory structure as the GUI, which makes it a pleasure to learn, once you've found your way around the GUI. The iOS app I use on my iPhone isn't too shabby, and surely about as good as I could want from a phone app for such a device (and again the same design principles follow, so it feels as cohesive as the other administering methods).This thing just begs to be poked and prodded, which makes it just the most amount of fun a network nerd can have for $60 or so.For newbies, you can do the quick config/wizard setup thing (I don't know what it's called), then walk through the online page "Manual:Securing Your Router" to learn how to change user/password, disable unwanted services, etc., and even stop at the part about configuring the firewall (firewall defaults are already well suited to most homes/small businesses), and you'll have a very nice, suitably secure router for practically any home/SOHO (certainly just as good as any other device, embedded or otherwise, would ship out of the box).Pro tip: from Mikrotik's website, pick a product. Under Support & Downloads for said product, see the block diagram. This will give you some understanding of how the hardware is arranged. Pay careful attention to switches/backplanes/ports. Coupled with an understanding of RouterOS bridges and FastTrack, you can probably suss out whether this or any other Mikrotik box is right sized for your environment. You'll likely find IPsec test results from the product page too, if it's important to you, and some boxes have hardware offloading for this.You'll hear people gripe about anything. But the ones who complain about Winbox confuse me immensely. Winbox is brilliant. You can resize a window, move it around, run it next to another window about a related function...I usually find myself looking at three or four windows simultaneously within Winbox, and it makes life so much nicer when you can take in all the data you need in a single pane. I think this is just the coolest.In terms of overall routing and firewall performance (for most users in most common configurations) I’m convinced this will stomp anything in its class and run with or plain smoke most other embedded boxes at multiples its price. To boot, I very much doubt anything compares in terms of useful tooling. I keep some OpenWRT-flashed field units on hand at all times, usually with 1.2GHz or faster dual-core CPUs, 802.11ac, and all the trimmings. I don’t think routing performance compares. And I’m not knocking the OpenWRT project. I love it. It can do glorious things and provide bleeding edge functionality. I don’t knock many networks devices, since it seems that with only rare exceptions all have their place, for the right user. And nothing stops you from running RouterOS or OpenWRT on bare metal with gobs of compute and memory to level the playing field.Fun fact: you can run OpenWRT on this hEX, too.Um, so....yeah. I like this.........................Feb 2019 update:Anything that reads as critical of Ubiquiti can be safely ignored. I now have 0 Mikrotik units in service and dozens of Ubiquiti EdgeRouters deployed, a couple USGs, a couple Cloud Keys, a cloud-hosted controller, various PoE switches, and quite a darn big lot of UAP AC access points (LITE, LR, and PRO models only). This shouldn’t take anything away from my love of Mikrotik, but Ubiquiti is now favored for my deployment needs, and it’s been this way for a little more than a year.........................My original review:Amazing, just like practically everything from Mikrotik. Hardware more or less speaks for itself. This thing is an animal, and I don't have the ability to really stress the router at all (largely due to my cable connection being limited to about 90/13Mbps cable, no tunnels running, etc.). The RB750Gr3 is simply best of breed. I've run and deployed competing products, namely EdgeRouter PoE, EdgeRouter Lite, and EdgeRouter X. The EdgeRouters are really nice, and I suspect most or all of the EdgeRouters are more performant in terms of pps routing, but my Mikrotik boxes simply NEVER hiccup (running updates exclusively from the bugfix track and keeping firmware current is my personal policy). On the topic of updates, I've had Ubiquiti AP and EdgeRouter updates bork on me a few times. I've always been able to overcome, but not without some frustration. And I've had a client's EdgeRouter X fall over three times, spaced out 4-5 months per occurrence, reasons as yet unknown. Hasn't happened in 4 years with any of my Mikrotik boxes. Also, updating is dead simple with Mikrotik, click and done. Ubiquiti requires you to fetch the update from the web, save to disk, push to router. Isn't hard, by any means, but it's just an extra step. Mikrotik handles much more nicely. And winbox is the greatest config tool ever devised. To be able to drag windows around the screen for all of the various configs you wish to play with is bliss. No need to memorize IP or MAC addresses for anything, just park the relevant window off to the side to keep in view. It's the bee's knees. This is pretty much a no-limits device that professionals will drool over...backup, export, export compact, scripts...I don't even know where to begin...this does it all. And it runs on almost no power, with no noise, and no discernible heat. So affordable it's stupid. Get it.

Combined with a Netgear GS105Ev2 and a garden variety home wifi router or access point, this enables SIGNIFICANT security improvements over just the garden variety wifi routers.The hEX is a full-function firewall/router. As others have mentioned, this little piece of hardware costs less than licensing just the RouterOS software. The firewall software gives a very high level of control of traffic, and is far more sophisticated than most home network users would need.But most home wifi routers are LESS sophisticated than really needed. It is, for example, difficult or impossible to set up a "whitelist" firewall policy on most systems, so they tend to come with "blacklist" policies. Immediately on completion of "whitelist" policies on the Mikrotik the rule that finalized the policies began logging attempts from inside the firewall to establish connection outside. This kind of activity is tough to track down in a "blacklist" system. A quick web search on those two terms will provide better information than can fit in this review.It DOES take quite a bit of time and effort to build a "whitelist" policy. And even though the hEX DOES have a built-in sniffer capability, you'll need some way to sniff things the hEX is not connected to, and to filter through the results of both sniffer outputs. The Netgear GS105Ev2 complements the hEX nicely. it can be set up to "mirror" ports, which then allow you to sniff traffic normally not available to your local ethernet sniffer interface. And while the older GS105 needed a special windows client for administration, both the GS105Ev2 and the hEX can be managed with simple web interfaces. The sniffer output from the hEX is easy to download from the router and works flawlessly in the freely available Wireshark. The GS105Ev2 allows your local ethernet (if it has a promiscuous mode) to feed local Wireshark sniffing as well. Then the sophisticated filtering tools in Wireshark allow you to zero in on what traffic you do, and do not, want to allow.Once you know the addresses and ports of traffic you want, the hEX makes it straightforward to not only create the rules, but save them in case a rebuild is needed. For some rules it's easiest to use the web GUI, and some folks really cannot get comfortable with the command line. For those who CAN deal with the command line, hEX can allow telnet, ssh, and sftp access. Using the command set, these facilities can be used to save configurations in eye-readable formats, some of which can be pasted directly back into the router to recover from a rule error or system replacement. Since the sequence of rules is critical in a firewall, it's nice to know that Mikrotik makes it possible to add rules to specific places, especially if you use the generous comment facility to identify distinct rules and purposes. Such comments will be invaluable if the rules ever need to be translated into a different firewall "language."If more homeowners used whitelisting policies there would be more help on the web for making this work. In all likelihood, even the router makers would start shipping with a default whitelist policy. Meanwhile, the Mikrotik hEX is unmatched at its price for enabling significant home network security improvements.So far, highly recommended. I just hope it lasts!

The Mikrotik hEX RB750Gr3 5-port Ethernet Gigabit Router has been a reliable addition to my network setup. With its compact design and five Gigabit Ethernet ports, it offers efficient connectivity options for small networks and home offices.I appreciate its robust performance and capability to handle high-speed data transfers seamlessly. The router's advanced features include powerful firewall capabilities and customizable routing options, making it suitable for both basic and more complex network configurations.Setting up the Mikrotik hEX RB750Gr3 was straightforward, thanks to its user-friendly interface and comprehensive management capabilities. It's proven to be a dependable choice for ensuring stable and secure network connectivity.If you're looking for a cost-effective and versatile Gigabit router for small-scale networking needs, the Mikrotik hEX RB750Gr3 is an excellent option. It combines performance, reliability, and advanced features to meet various networking requirements effectively. Highly recommended!