Zenarmor performance @ Intel Atom C3758R

[nero355]

Mikrotik is great, IMHO.

I know and forgot to mention these two :
- https://tweakers.net/pricewatch/1280173/mikrotik-cloud-router-switch-305-1g-4s+in.html
- https://tweakers.net/pricewatch/1324602/mikrotik-crs309-1g-8s+in.html

Simply AMAZING value IMHO :)

[Patrick M. Hausen]

CRS326-24G-2S+IN here. Plus hAP-ax2 and hAP-ax3. Planning to investigate Capsman soon - at least for WiFi they seem to have a central control plane.

[Seimus]

Keep it that way if you are happy with the performance and stability ;)

I am, for me its perfect, the stuff it can do is above and beyond.

Honestly it never occurred to me to replace OpenWRT with anything else (yet). OpenWRT provides features that are on enterprise HW yet for fraction of the price lets say. Plus I like to mingle with OpenSource stuff and DIY.

So think about this VERY CAREFULLY before you buy anything... ;)

All of these are valid points, when I looked into the Management platform, at least the latest "revamp" sounded to me like a mess.

Mikrotik is great, IMHO. Cheaper, and very feature rich. And reliable, at least in my environment - using only layer 2, switches and APs. It's still called "Router OS" but I only use the layer 2 features. Plus, if you happen to live in the EU ... they are from Europe, too. Sovereignty, customer protection, GDPR, something something ...

This is kinda as well my mindset currently. And strongly plays into the decision making.

They lack a central management solution but if you actively seek to get rid of something like that ... SNMP works great and RANCID supports Mikrotik so you can automatically pull and version configurations in e.g. git.

Good to know!


Thank you both for your opinions and inputs!
Regards,
S.

[Seimus]

CRS326-24G-2S+IN > https://mikrotik.com/product/crs326_24g_2s_in

I like this one, I just wished it had 2.5G ports.

Regards,
S.

[OPNenthu]

- Linux OS
Which is not an issue.
But in certain situations you need to install old unsupported libraries that are no longer available in newer distors and thus also no longer patched/maintained and have open CVE's and that sucks!

You should consider ditching the standalone UniFi Network app at this point and install UniFi OS.  The Network application is preinstalled in it, and you can add additional ones as needed.  They provide installers for Windows, Linux and Mac.  @meyergru intoduced me to it some time ago and I haven't looked back.

The Linux installer works great on a plain Debian/Ubuntu VM.  It installs podman and is up and running in no time.  It manages its own dependencies.  Also, no routing weirdness to work around with Docker's internal networking (this used to cause issues in Proxmox).

AVX might still be required, though, I guess.

--

I do wish Mikrotik would figure out how to make the desktop switches fanless.  In my case the UniFi switch, OPNsense, and Proxmox node all sit on a small shelf on my desk within a meter or so of my left ear :P   

Fans are prohibited, with the exception of the CPU cooler on the HP Elite Mini.  It has a different problem however- coil whine.  Makes me want to throw it out the window sometimes.  I would love a word with whoever picks the inductors for these devices.  That is not a place to save pennies, IMO.

[meyergru]

Yes, correct:

The UniFi Controller has the following needs and issues :
- AVX/AVX2 compatible CPU
This puts older Intel NUCs and Raspberry Pi models in a weird corner where you need to do really weird things to keep it all running !!
- Linux OS
Which is not an issue.
But in certain situations you need to install old unsupported libraries that are no longer available in newer distors and thus also no longer patched/maintained and have open CVE's and that sucks!
- Java such as OpenJDK.
Now the crap starts...
- Mongo Database
This is linked to the AVX/AVX2 story above and gets even weirder :
Certain versions of the UniFi Controller are linked to certain versions of MongoDB that you need.

So the more we move into the future and use newer UniFi hardware the more chance you have got to run into the AVX/AVX2 issue !!

The AVX requirement is there, 100%. However, with Unifi OS Server, you do not need to install any dependencies yourself. That is the beauty of UOS when compared against UNC - it mirrors what Ubiquiti does in their own devices, like UDM, by running every module under podman internally.

Apart from that, even UNC with all of its dependencies can be maintained very easily, when you use Glenn R's easy install scripts (I use those scripts for UOS, too).

As for Protect, yes, there are projects to steal the protect container and run them on a similar platform, but they are limited to arm64, because Ubiquiti does not have an x64-based platform running protect.

[nero355]

You should consider ditching the standalone UniFi Network app at this point and install UniFi OS.

When someone says UniFi OS my first reaction would be : "Do they have their own full Linux OS now ?!"

But when you say :

The Network application is preinstalled in it, and you can add additional ones as needed.
They provide installers for Windows, Linux and Mac.

I guess that's not the case ?!

The Linux installer works great on a plain Debian/Ubuntu VM.  It installs podman and is up and running in no time.  It manages its own dependencies.
Also, no routing weirdness to work around with Docker's internal networking (this used to cause issues in Proxmox).

If I need Docker to run it I would rather avoid it completely!

AVX might still be required, though, I guess.

Check your Mongo Database Server version and you will know it ;)

The AVX requirement is there, 100%.

Thought so! :)

However, with Unifi OS Server, you do not need to install any dependencies yourself.

That is the beauty of UOS when compared against UNC - it mirrors what Ubiquiti does in their own devices, like UDM, by running every module under podman internally.

But...

Didn't they ditch Podman Containers at some point and continued without them because there were a lot of issues ?!

Apart from that, even UNC with all of its dependencies can be maintained very easily, when you use Glenn R's easy install scripts (I use those scripts for UOS, too).

I am aware of Glenn's work but I have never needed it to be honest so never used it either :)

As for Protect, yes, there are projects to steal the protect container and run them on a similar platform, but they are limited to arm64, because Ubiquiti does not have an x64-based platform running protect.

Ohh... right... also AARCH64 only indeed! Forgot about that :)

Basically means looking for that one special Mainboard that can hold enough storage or messing around with SAMBA/NFS to store everything on your (DIY) NAS instead...

[OPNenthu]

No, no Docker needed.  I meant that I used to use Docker for hosting the legacy Network controller but it was a bit cumbersome, especially under Proxmox. 

With UOS you just run the installer and it sets up its own environment with podman, which it installs from the OS repo.

[dirtyfreebooter]

https://ui.com/download/software/unifi-os-server

has an arm64 build, which installs on raspiberry pi without AXV, obviously. where is the AVX is required? maybe for x86? AVX2 was 2013, haswell, so even that isn't really a concern at this point.

i have no love for unifi and its lottery / gamble of software updates, i run unifi switches, APs, protect and its really a gamble sometimes (much like zenarmor!), but this thread seems like it has a lot of misinformation in it

[meyergru]

Yes, I was only talking about x64 as VM, which seems like the obvious choice for self-hosting.

I know you can use a Raspberry, yet I found it to have a high power envelope for what it can do and also, it cannot handle virtualisation for many different applications. The main reason that ARM image is supported seems to be that the UDM line of products is ARM64 as well.

The UNC can even be used as a package under OpnSense itself, it is available from Mimugmail's repository.

That AVX requirement on x64 platforms is mostly irrelevant anyway, because even an N100 has AVX2. Any fairly modern x64 CPU should have it.

[OPNenthu]

where is the AVX is required?

For MongoDB since version 5.0:  https://www.mongodb.com/docs/manual/administration/production-notes/

And for ARM you need at least ARMv8.2-A.

This change effectively rendered both my Intel NUC7PJYH (J5005) and RPi 3B+ incapable of running the Network controller with any still-supported version of Mongo.  Neither can my OPNsense box (N5105).

[dirtyfreebooter]

where is the AVX is required?

For MongoDB since version 5.0:  https://www.mongodb.com/docs/manual/administration/production-notes/

And for ARM you need at least ARMv8.2-A.

This change effectively rendered both my Intel NUC7PJYH (J5005) and RPi 3B+ incapable of running the Network controller with any still-supported version of Mongo.  Neither can my OPNsense box (N5105).

ah man, i am surprised the N5105 is missing AXV, just has SSE4.2. well that kinda sucks. i use an old unifi cloud key gen2 (the one without the hard drive), since its poe, uses 1-2w idle, and then i dont have think about it and move on with my life and not make homelab a 2nd full time job. i assume either that is arm64 is 8.2+ or unifi will figure it out, one way or the other.

[Greg_E]

With the 2.5g, Microtik doesn't really have any choices or I might have bought one. Knock the POE requirement away and the crs326-24s+2q+ and some 2.5g modules would do the trick. 2.5g modules are around $20 from Wiitek (I have a couple of these in service right now, not hot at all), hard to say if I'm getting real 2.5g speeds, but I'm getting more than 1.5g speeds through a Moca 2.5 pair of converters and about 100 feet of RG6, average 4ms ping times which is right in line with what the manufacturer says.

Now that said, I haven't priced any Mikrotik gear in a while, not since before the great AI wars, they might be goofy priced right now. Both of the crs326 that I have were under $600 new (one for my personal lab, and another for work because I liked it so much).

There are some Extreme Networks switches that fit your needs, but you are going to want to wait until you see a bounced of the truck sale. That's how I got my 5420m-48w-4ye (48 gigabit ports with 90 watts POE each port, and 4x25g, with 2x stacking that can be 2x10g, and dual 900 watt supplies) at $400 I couldn't resist. Was brand new in box, but I'm not going to register it.

Also look at some of the FS switches, again wait for a bounced off the truck sale on ebay.