
Review of the MikroTik hEX (3rd rev.) as a home router

The MikroTik hEX (RB750Gr3) (on Amazon) is an inexpensive Gigabit router with advanced capabilities. I’ve used it as my home router for the last five years. It’s not a consumer-grade product, and it certainly isn’t your grandma’s router!

The hEX features five Gigabit Ethernet ports, a 0,88 GHz dual-core MIPS processor, and 0,25 GB RAM in a compact enclosure (optional). That’s roughly double the processing power and two–four times the RAM found in most consumer routers. It’s just enough for it to handle packet switching for a Gigabit internet connection. Yet, it costs only just shy of 50 Euro (60 US).

It can also do light virtual private network (VPN) server duties for a handful of clients. MikroTik comes with OpenVPN and L2TP/IPsec servers built-in, but there isn’t support for the newer WireGuard protocol. However, the server will be bottlenecked by the processor before reaching speeds above ≈60 Mbps. For comparison: the Vilfo VPN router is intended for a similarly sized network, but features a processor that is twice as fast and 2 GiB of RAM.

As you can see from the above photo, a section of the hEX’s plastic top chassis has turned yellow. The processor/heatsink is located directly underneath the yellowed area. The yellowing indicates that the router has struggled to shed excess heat which has accelerated aging in the plastic. The yellowing is the cosmetic price you pay for a quiet and passively cooled/fanless router.

MikroTik’s network products are powered by its proprietary RouterOS operating system. RouterOS can be configured to make anything you’d like out of your network. However, it has a steep learning curve. You’re required to know what you’re doing, or at least be willing to put in the time to learn it. Take a few minutes to explore the online demo of their web administration interface before you continue reading.

You can set up the Ethernet ports to act as a simple switch. Or, you can set up individually partitioned and managed networks for each or some of them. For example, you can create a privileged open network, and an isolated network for guests and your internet of things (IoT).

You don’t get niceties like support for Universal Plug’n’Play (UPnP) out of the box. UPnP is a method for devices inside your network to open public ports on the router. While it’s redundant in IPv6 networks and considered insecure in IPv4 networks, UPnP is nevertheless expected to work in residential networks. Your game consoles and apps simply won’t work without it. RouterOS supports UPnP, but it’s yet another thing you must configure and enable yourself.

The RouterOS documentation is fantastic compared to what you get from consumer-grade routers. You’ll likely wish for even more detailed documentation of each option if you aren’t familiar with network administration. It also tends to lag behind the public releases, so there might be some newer options that are undocumented.

RouterOS is very configurable, although there’s one feature that I miss: DHCP lease hostnames to DNS mapping. The built-in DNS server should respond to queries for hostnames on the local network. Luckily, it’s extensible through scripting, so I could add in the feature myself.

The RouterOS scripting language is … unique. It can be difficult to develop and debug your scripts, though. The script interpreter just quits when it encounters a syntax error without returning any error messages.

Similarly, RouterOS doesn’t support auto-updates out of the box. You can implement an auto-update service through a script that checks for updates, downloads, and reboots to install them. However, RouterOS updates aren’t meant to be performed unattended. You must read the changelog for each update and evaluate if the changes will impact your setup. Security advisories and updates are communicated through a syndication feed (yay, RSS!).

RouterOS has an optional slower-moving long-term support update ring that just gets the security updates. This update ring may be more suited for unattended updates, but sooner or later it’ll also roll forward with breaking changes and new features. MikroTik needs to address this and implement and support automated updates. You can’t have any device connected and directly exposed to the internet that doesn’t receive automated security updates.

You may have read about security issues in MikroTik products or RouterOS. I’ve reviewed the January 2017–July 2021 issues. Many of them are caused by misconfigurations; e.g. making administrative ports and services accessible to the public internet. It’s a powerful product, and it can be made to do stupid things. The most important takeaway from looking into MikroTik’s security track record is that the company quickly churns out security updates when they’re needed.
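To make the misconfiguration point concrete, here is an added example (not from RouterOS or MikroTik) that reads the `/ip service` section of a configuration export and lists management services that are enabled with no source-address allow-list. The table of default-enabled services and the sample export are assumptions constructed for illustration; firewall rules are a separate control and are not evaluated.

```python
import shlex

# Assumption: which services RouterOS enables by default. An export only lists
# settings that differ from the defaults, so unlisted services keep these.
DEFAULT_ENABLED = {"telnet": True, "ftp": True, "www": True, "ssh": True,
                   "www-ssl": False, "api": True, "winbox": True, "api-ssl": True}

# Constructed sample, shaped like the "/ip service" part of an export.
SAMPLE_EXPORT = """\
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24 port=2222
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip dns
set allow-remote-requests=yes
"""

def parse_ip_service(export_text):
    """Return {service: {"enabled": bool, "address": str}} after applying the export."""
    services = {n: {"enabled": e, "address": ""} for n, e in DEFAULT_ENABLED.items()}
    in_section = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("/"):                 # a new menu path starts a new section
            in_section = (line == "/ip service")
            continue
        if not in_section or not line.startswith("set "):
            continue
        tokens = shlex.split(line)[1:]           # drop the leading "set"
        name = tokens[0]
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        svc = services.setdefault(name, {"enabled": True, "address": ""})
        if "disabled" in props:
            svc["enabled"] = props["disabled"] != "yes"
        if "address" in props:
            svc["address"] = props["address"]
    return services

def unrestricted_services(export_text):
    """Enabled services whose allow-list is empty or covers every address."""
    findings = []
    for name, svc in parse_ip_service(export_text).items():
        nets = [a for a in svc["address"].split(",") if a]
        if svc["enabled"] and (not nets or any(a in ("0.0.0.0/0", "::/0") for a in nets)):
            findings.append(name)
    return sorted(findings)

if __name__ == "__main__":
    print(unrestricted_services(SAMPLE_EXPORT))
```

In the sample, `winbox` is flagged even though the export never mentions it, because an unlisted service keeps its default state.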

I’ve previously looked into the abysmal state of security and other firmware updates from network equipment manufacturers. You can buy off-the-shelf network equipment with ten years out of date software! You often get no guarantee of future security or software updates from the manufacturer.

I understand that business-critical routers can’t randomly go offline and reboot to install software updates. However, online kernel updates (or “live patching”) that don’t require a reboot have been a thing in the Linux kernel for over a decade already. Another solution could involve scheduling times and days when it’s okay to do a quick reboot to install updates. (Obviously, it would need to be more flexible than Windows 10’s Active Hours.)

“The device includes free software updates for the life of the product or a minimum of 5 years starting from date of purchase.”

RB750Gr3 product page, MikroTik website

MikroTik’s five-year software guarantee is unheard of on the consumer-grade router market. Mine is five years old now, but MikroTik and its resellers still sell it today. So, I can expect it to still be supported in another five years. I find it frustrating that consumer-grade routers — which are often more expensive — can’t even promise you software from the current decade!

So, who is this router for? If you haven’t been dismayed yet and you’re still reading, then this might be the ideal router for your home network! It’s a router for the enthusiast; or at least for someone who wants greater control over what happens on their network. You can get RouterOS on more powerful edge gateway routers if your needs demand it. The RB750Gr3 is a good entry-level device, and an inexpensive way to review RouterOS.

MikroTik kind of wins the prosumer network gateway router category by default as there aren’t many competitors in this price range. The Ubiquiti EdgeRouter series (on Amazon) is just about the only alternative that comes to mind. It is similarly priced, has almost identical hardware, and runs Ubiquiti EdgeOS. Whatever you may think of Ubiquiti’s ecosystem, the company doesn’t plan to support its entry-level routers any longer. MikroTik still has a whole slew of products in this category, however.

I don’t recommend that you get the MikroTik RB750Gr3 router for your home network. It can be a significant time-investment to set up, and it’ll require ongoing maintenance. It’s definitely not something you set up and forget about. You’ll know best whether it’s a product that’s appealing to you or not.
