10g Router
24 May 2025You might have heard me talk about the new 10Gbit/s setup I'm running. Plus there is a chance this is the first blog post in the series of: Nobody intends to build a data center in the basement. 1
How is that possible? Thanks to Fiber7 a product from Init7 people (me) have easy access to 1/10/25 Gibt/s. Before you asks this is symmetrical meaning up and download. (I decided against 25G because there is no way to saturate this much bandwidth right now)
Since this is the first blog post in the series lets start with where the Fiber meets the first device in my network. Which is the router as you might have suspected. I went with the CCR2004-1G-12S+2XS which has an awful name but great hardware for a decent price.
I also looked at the Zyxel AX7501-B1 which had mixed to bad reviews online and I'm not familiar with the configuration interface. The other thing I looked into where the different Ubiquiti UniFi Dream Machines which are probably also nice options. Due to personal preference I'm not a huge Ubiquiti fan anymore. And last but no least self build / custom hardware with something like OPNsense was also an option I considered. Because OPNsense is amazing and here is the specific hardware I looked at:
- Banana Pi BPI-R4
- NRG Systems IPU410S System https://www.ipu-system.de/produkte/ipu410s.html
In the end I ran out of time and the fact that I can copy & past a lot of my existing configuration lead to the decision to go with CCR2004-1G-12S+2XS, and it did not hurt that it is also recommended by Init7 and comes with example config.
My feelings about the UI and UX of RouterOS did not change but it got recently a new skin so yay progress I guess? You can read all about that and the IPv6 & OpenVPN setup in previous blog posts:
- Hex S The Good The Bad The Ugly
- Configure Ipv6 On A Mikrotik Hex S
- Opnsense To Mikrotik Site To Site Tunnel
- Mikrotik Openvpn Updated Params
The Config
Lets go to the config which I could as expected take over a lot from my previous setup. This makes this setup a mix of my old setup, the official Init7 example and Michael Stapelbergs config. (I like to note that I did not run into the Fan issues and DNS slow-downs which Michael had, I assume things improved in the last 4 years)
The core idea is to create 2 bridges one for wan and one for lan like this:
/interface/bridge/add name=lan
/interface/bridge/add name=wan protocol-mode=none
/interface ethernet set [ find default-name=sfp28-1 ] fec-mode=fec91
/interface bridge port add bridge=wan interface=sfp28-1
/interface bridge port
add bridge=lan interface=sfp-sfpplus1
add bridge=lan interface=sfp-sfpplus2
add bridge=lan interface=sfp-sfpplus3
add bridge=lan interface=sfp-sfpplus4
add bridge=lan interface=sfp-sfpplus5
add bridge=lan interface=sfp-sfpplus6
add bridge=lan interface=sfp-sfpplus7
add bridge=lan interface=sfp-sfpplus8
add bridge=lan interface=sfp-sfpplus9
add bridge=lan interface=sfp-sfpplus10
add bridge=lan interface=sfp-sfpplus11
add bridge=lan interface=sfp-sfpplus12
add bridge=lan interface=ether1
Getting network connectivity from the uplink is also simple:
/ip dhcp-client add disabled=no interface=wan
/ip address add address=192.168.XXX.1/24 interface=lan network=192.168.XXX.0
/ipv6 settings set accept-router-advertisements=yes
/ipv6 address add address=XXXX:XXXX:XXXX::1/64 interface=lan
/ipv6 dhcp-client
add add-default-route=yes interface=wan pool-name=v6pool pool-prefix-length=56 request=address,prefix
Setting up DHCP and neighbor discovery for IPv6:
/ip pool add name=dhcp_pool0 ranges=192.168.XXX.XXX-192.168.XXX.XX
/ip dhcp-server add address-pool=dhcp_pool0 disabled=no interface=lan name=dhcp1
/ipv6 dhcp-server add address-pool=v6pool interface=lan name=v6server
/ip dhcp-server network add address=192.168.XXX.0/24 gateway=192.168.XXX.1 domain=XXXX.network dns-server=192.168.XXX.5,192.168.XXX.6
/ipv6 nd
set [ find default=yes ] interface=lan managed-address-configuration=yes mtu=1500 other-configuration=yes dns=XXXX:XXXX:XXXX::5,XXXX:XXXX:XXXX::6
On the firewall side one of the more important things to setup is FastTrack to utilize the hardware otherwise it's possible that not the full performance can be utilized. (Needs to be done for v4 & v6)
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack
/ipv6 firewall filter
add action=accept chain=forward connection-state=established,related in-interface=wan out-interface=lan
And the other thing to setup on firewall side is the NAT for v4.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wan
Last but not least I want to show how to setup port forwards / open the firewall for applications that should be available outside lets use the port 32400 (Plex) as an example.
/ip firewall nat
add chain=dstnat dst-port=32400 action=dst-nat protocol=tcp to-address=192.168.XXX.21 to-port=32400 in-interface=wan comment="Plex"
/ipv6 firewall filter
add chain=forward action=accept protocol=tcp dst-address=XXX:XX:XXX::21 dst-port=32400 comment="plex"
And the OpenVPN setup is 1:1 the same as before see the previous blog posts linked further up this post. I was able to export the certificates and just import them on the new device. Important note here is to export with password otherwise the required private key is not part of the export which took me some time to figure out.
/interface ovpn-client
add add-default-route=no auth=null certificate=site-to-site-mikrotik-client \
cipher=aes256-gcm connect-to=XXX.network disabled=no \
mac-address=02:40:XX:XX:XX:XX max-mtu=1500 mode=ip name=ovpn-edlibach \
port=1194 profile=default protocol=tcp route-nopull=no tls-version=any \
use-peer-dns=yes user=XXX verify-server-certificate=no
Testing
Now that we have our great setup we obvious want to test that and confirm that everything works. To test IPv6 i like ipv6-test.com and test-ipv6.com click on the site and get feedback.
The other thing is we want to test if we really are able to saturate the full 10G.
A word of advice if you test with something like speedtest.net depending
on your peer you are not able to test the full 10G.
So preferable use something like iperf3 with the official servers,
but there as well be careful as a single client stream can be not enough
to fully get the 10G speed so try with iperf3 --parallel n or -P n for short.
And last but not least no shout-out to netAlly for the LinkRunner® 10G. Despite marketing which looks like this: Advanced Multi-Gig/10G Cable & Network Tester. This thing is not really able to test a 10G link to a random endpoint. Which is weak for a 6000 euro device.