The intention is to place this in a structured media enclosure. It'll either be used with a hEX S 2025, GL.iNet Brume 3, or an OPNsense router. I'm still debating and figure out the direction that I want to go, but the RB5009UPr+S+IN seems like a very nice durable switch. What do you guys think? What, where, and how are you using your RB5009UPr+S+IN?
Preparing to do a wired home network for my new house once I move, and consumer routers aren't going to be able to do the VLANs I want. So, I found a 3011
What's new in 7.22.2 (2026-Apr-22 11:03):
*) app - fixed uptime-kuma and jupyter-notebook;
*) bgp - fixed stability issue when non-existent output select-chain was specified;
*) bridge - fixed missing dynamic "switch-cpu" VLAN entry in WiFi setup;
*) bridge - synchronize only local bridge MAC addresses for MLAG (introduced in v7.22);
*) console - rename "cpu-used-per-cpu" to "cpe-used-per-core" in "/system/resource/monitor";
*) container - fixed losing container after reboot;
*) ethernet - fixed false excessive broadcast warning (introduced in v7.20);
*) firewall - improved system stability;
*) ipsec - fixed expired SA handling to prevent “no such item” errors during listing;
*) ipv6,ra - use received prefix when RA on-link flag is 0 (introduced in v7.22);
*) isis - improved stability with fragmented CSNP;
*) leds - fixed default LED configuration for CCR2004-1G-12S+2XS;
*) leds - fixed LED dark mode for RB5009;
*) lte - fixed missing automatic redial when cellular connectivity is lost for R11e-LTE;
*) ospf - improved stability on configuration change;
*) ovpn - fixed OVPN push routes;
*) poe-out - firmware update for 802.3at capable boards (the update will cause a brief power interruption to poe-out interfaces);
*) poe-out - fixed occasional detection issue when using auto-on mode;
*) ptp - allow manual domain configuration for 802.1AS profile;
*) ptp - set DSCP (EF) for the default profile when using IPv4;
*) route - improved service stability when removing routes;
*) routerboard - fixed applying settings via WinBox on devices with fixed CPU frequency;
*) system - added FCC Part 15 Compliance label to "System/Regulatory" menu;
*) system - improved stability for internal RouterOS service communication;
*) system - improved system stability;
*) system - included full certificate chain to Windows executables;
*) usb - fixed crash when using Ethernet adapter (introduced in v7.22);
*) vrrp - fixed packet drop in CHR (introduced in v7.22);
*) wifi - improved authentication stability for WiFi 7 access points;
*) wifi-mediatek - fixed communication issues on 802.11ax access points with Intel clients;
*) wifi-mediatek - fixed HE capabilities IE on 2GHz band;
*) wifi-qcom-be - fixed forwarding of 4-address data from station to station;
*) winbox - added option to configure built-in trust store for all services;
*) www - improved service stability when cancelling REST API sessions;
I'm looking at two new wAP ax to put in a garage, mounted on a ceiling. But the ethernet cables are surface-mounted (routed along the ceiling) and not running through the ceiling. It is unclear to me, from the picture of the wAP ax, that a cable can attach to the device like that properly.
Can someone confirm that the ethernet cable can be connected like this with the enclosure mounted as well ? it is not 100% clear to me from this picture
and also, why does it come with a PoE injector ?
I've never heard of this brand until fairly recently. It seems like Mikrotik is mentioned a lot in the homelab community. Why?
How's the privacy, reliability, and security of Mikrotik's products? Phoning home and account requirements are a major turnoff for me.
I do see them on Amazon, but it seems like they're only sold by third-party sellers. Where do people typically buy Mikrotik products in Canada?
Typically, I would get the latest version, but it seems like one of the older models is compatible with OpenWRT. Would that be a better idea? What am I gaining with the 2025 version of the hEX S?
I really like the size and feastures of the hEX S (2025). However, I don't want to use it as a router. The fact that it's a router is also a good thing if I ever want to repurpose the device. Can I use this as a managed switch and connected to either an OPNsense router or GL.iNet Brume 3 router?
Kind of an odd one, does anyone know what board-temperature and rf-temperature are supposed to be tracking if you monitor a w60g client connection?
example ;
[admin@MikroTik] /interface/w60g> monitor 0
connected: no
baseband-temperature: 45.687
rf-temperature: 54.15
I can't seem to find any references or documentation on it.
so I had an edge router x, after 10 years of life it no longer works, because my brother had me looking into routers a few days ago, I found out this is effectively the only basic router you can buy anymore in the prosumer market without building a router from spare pc parts.
I had the router overnighted, it should be here between 7am and 11am, I am going to have a very long night waiting for it and setting it up.
I have 2 computers and a wifi network to make work with it that is ethernet into an access point. so far all I can really find video wise is very hard to understand (very very thick indian accents)
for now I just want this to work as a basic router that I never have to think about, if I do something a bit more advanced, that comes later, I just need everything to work now.
This script retrieves a blacklist from AbuseIPDB and adds addresses to the RouterOS firewall's address-list as [blocklist_reported].
Therefore, if you add a drop rule with [Src. Address List] as [blocklist_reported] in the RAW-PREROUTING chain, the router can efficiently drop packets from abused addresses.
Furthermore, the address list does not go through external servers or third-party repositories; instead, it requests the list from the AbuseIPDB server using the user's API key and is processed directly on the router.
As a known limitation, due to the variable size limit of the Fetch tool, the number of addresses that can be fetched at once is approximately 4,500 to 4,600 based on IPv4.
However, if you run the script daily via a scheduler, new blacklists (excluding duplicate addresses already added) are continuously added to the list, resulting in over 10,000 addresses within a few days. Therefore, I do not consider this a significant issue.
Initially, this script was written with simple functions (for my personal purposes) and has been very useful to me for almost 3 years. Recently, I modified it to support APIv2 filtering, allowing you to configure various parameters if desired.
Since RouterOS firewalls can provide effective IP address reputation-based protection by utilizing the free blacklists from AbuseIPDB and blocklist.de, I hope this script will be useful to many people.
*An AbuseIPDB API key is required to use this script. (Up to 5 API requests per day are allowed on the free plan)
**IPv6 blacklist requests are disabled by default, so if you wish, please refer to the instructions in the link and change the value of getIPv6 to [true].
What's new in 7.21.4 (2026-Apr-21 09:49):
*) bgp - fixed stability issue when non-existent output select-chain was specified;
*) bgp-vpn - allow modifying scopes with routing filters;
*) bgp-vpn - fixed non-working import filter after reboot;
*) bgp-vpn - use target scope for imported route;
*) bridge - fixed missing dynamic "switch-cpu" VLAN entry in WiFi setup;
*) bridge - fixed performance regression in complex setups with vlan-filtering (introduced in v7.20);
*) console - removed the "reset" command from shared settings menus (IP/IPv6/Bridge/L3HW/Neighbor-Discovery/Connection-Tracking);
*) container - fixed issue where the container might not start after upgrading if root-dir was not set;
*) container - improved error message if a container fails to start;
*) defconf - fixed L009 configuration (introduced in v7.21);
*) ethernet - fixed false excessive broadcast warning (introduced in v7.20);
*) firewall - improved system stability;
*) ipsec - improved aes256-ctr stability on L009;
*) ipsec - removed modp8192 proposal on MIPS architectures;
*) ipv6,ra - use received prefix when RA on-link flag is 0;
*) isis - improved stability with fragmented CSNP;
*) l2tp - improved system stability on TILE architecture;
*) l3hw - fixed missing VLAN counters after reboot (introduced in v7.21);
*) l3hw - fixed stability issue (introduced in v7.21);
*) leds - fixed default LED configuration for CCR2004-1G-12S+2XS;
*) log - do not provide non-existent logging topics for configuration;
*) lte - fixed framed route support for the first APN;
*) lte - fixed missing automatic redial when cellular connectivity is lost for R11e-LTE;
*) lte - fixed user set MTU not applied to LTE interface;
*) lte - override the "auto" or 0 MTU in "interface" menu to 1500;
*) ospf - fixed typos in log messages;
*) ospf - improved stability on configuration change;
*) ovpn - fixed OVPN push routes;
*) poe-out - firmware update for CRS354-48P-4S+2Q+ (the update will cause a brief power interruption to poe-out interfaces);
*) poe-out - fixed rare PoE-Out firmware upgrade failure on CRS354-48P-4S+2Q+;
*) ptp - allow manual domain configuration for 802.1AS profile;
*) ptp - set DSCP (EF) for the default profile when using IPv4;
*) qos-hw - display queue0 limits for CPU port;
*) qos-hw - fixed "offline" tx-manager ability to queue at least one packet (introduced in v7.21);
*) qos-hw - prohibit setting CPU port with "offline" tx-manager;
*) route - added SLAAC route redistribution for IPv6 capable routing protocols;
*) route - do not set blackhole flag for synthetic routes;
*) route - improved service stability when removing routes;
*) routerboard - fixed applying settings via WinBox on devices with fixed CPU frequency;
*) routing-filter - added possibility to match SLAAC and bgp-mpls-vpn route types;
*) ssh - make login process asynchronous;
*) switch - fixed stability issue when changing bridge multicast-router property on CRS1xx/2xx (introduced in v7.19);
*) system - added FCC Part 15 Compliance label to "System/Regulatory" menu;
*) system - improved stability for internal RouterOS service communication;
*) system - improved system stability;
*) system - improved upgrade service stability when the server is unreachable;
*) system - included full certificate chain to Windows executables;
*) user - properly apply login delay (introduced in v7.20);
*) wifi-mediatek - fixed communication issues on 802.11ax access points with Intel clients;
*) wifi-mediatek - fixed HE capabilities IE on 2GHz band;
*) winbox - fixed "Remote AS" setting under the "Routing/BGP/Connections" menu;
*) winbox - fixed "Src/Dst Address Type" under the "IP/Firewall/NAT" menu;
*) winbox - fixed L3HW default value for VLAN interface (introduced in v7.21);
*) winbox - properly display multiple bands for multi-link interface clients under registration table;
*) winbox - rearrange filter wizard parameters in tabs;
*) www - improved service stability when cancelling REST API sessions;
I’m getting more and more confused as I go down this microtech rabbit hole so basically I already have ubiquiti acesss points that I could use. I don’t mind using micro tech stuff with Wi-Fi if it’s improved performance, but I would just rather not so right now I’m looking at this
MikroTik L009UiGS-RM vs chateau pro ax
What I see online is that people say that Château is way faster but I just feel like I’m wasting money because of the Wi-Fi do you guys have a different router that does not have any Wi-Fi installed on it that I should use for a home lap my set up is only like 400 MB uploading download.
What's new in 7.23rc2 (2026-Apr-21 18:18):
*) app - fixed birdnet-go, cryptpad, lorawan-stack, mikrodash (introduced in v7.23beta5);
*) ethernet - fixed false excessive broadcast warning (introduced in v7.20);
*) ipsec – fixed expired SA handling to prevent “no such item” errors during listing;
*) lte - fixed AT modem dialer command timeout (introduced in v7.23beta5);
*) lte - fixed operator setting for QMI modems;
*) poe-out - firmware update for 802.3at capable boards (the update will cause a brief power interruption to poe-out interfaces);
*) poe-out - fixed occasional detection issue when using auto-on mode;
*) route - revert to old routing rule priorities for containers (introduced in v7.22);
*) sniffer - fixed missing VLAN tag in the TZSP packets (additional fixes);
*) system - improved system stability;
*) wifi-mediatek - fixed stability issue getting regulatory information and during initialization;
*) wifi-qcom-be - fixed stability issue during initialization;
*) www - improved service stability when cancelling REST API sessions;
Hi all,
Wondering if there's anyone in Melbourne, Australia who can help me with adding 2 new CRS328s to an existing network using VLANs.
Having trouble getting the switches communicating with the existing switches.
Thanks
I am torn between the following combos:
- 1x RB5009, 3x hap ax s
- 1x RB5009, 3x hap be3 media (available in June)
- 4x hap be3 media
I need one main router, the others will act like access points to cover all of my house. Which one you will go with? I can easily do any of those combos financially - just need a good choice now.
My internet connection is optic fiber 1/1 gbps with potential to be upgraded to 2.5gbps and i am more advanced user than normal internet consumer as i host homelab, securiity cameras. Etc
I have been trying to make this setup for like 3 weeks. Background, small home setup using the MikroTik RB750Gr3 hEX running 7.22.1. I want ether 2-4 to stay in LAN (defconf ether1). I want to create a VLAN2 isolated from LAN.
This is my first MikroTiK router. I am experienced in Linux but not so much in firewalls at the low level. I have been tying different AI generated solutions but each one fails at some point.
I am not looking for a detail by detail solution. More of a Winebox step by step. Example, step 1: go to Interfaces and create this... step 2: go to Bridge and... step 3: Go to IP...
I love my hEX! I had to leave my little Ubi behind long after it's EoL. Thanks so much for any help! Point me to a You Tube or other source if it is out there. I love to learn. I can use the ssh interface, but I find I learn more from using Winbox.
One more thought, I would like to create a 'Bridge-VLAN2' for future growth where I could move another ether(x) into the new bridge in the future. I also need DHCP and DNS to work in VLAN2. This I think is my biggest failing in firewalling.
