Yesterday I got my 4011 (RB4011iGS+5HacQ2HnD-IN), and today I want to write down a few words about it. First of all, I have been using MK hardware since January this year, and I am so impressed by the handling of these devices that the 4011 is my 3rd piece of hardware from this vendor. I'm really not a fanboy, but the functionality of the devices is just amazing, and at least it is within my budget. Most of the hardware can be prepared with *WRT software, and this is a decisive point for me.

At this time I use the following MK hardware:

The only thing that bothers me is the architecture (ARM32), which does not allow me to put OpenBSD on it. That is very sad, but the advantages outweigh the disadvantages. So it is. Anyone who wants a truly trustworthy system from scratch should use an APU board from PC Engines, which is delivered with the open source BIOS coreboot, and install a beautiful OpenBSD on this device.
I don’t want to write love letters to MikroTik in this post. I want to show how I configure this device for my use case.

My requirements are:

  1. Many Ethernet ports to physically separate traffic for:

    1. Webservices
    2. Media traffic like KODI and so on
    3. Guest network
    4. Freifunk traffic
    5. Homeoffice network
    6. Unsafe network for HackTheBox and stuff like this
    7. And an admin network where I can maintain all these things
  2. Two wifi interfaces

    1. One 5GHz wifi for wireless devices like smartphones and laptops
    2. One 2GHz wifi for the “Internet Of Shit” faction
  3. Different VPN setups on specific interfaces

    1. Road warrior setup
    2. Side by side setup
    3. Commercial VPN for daily use traffic
  4. Some of these devices must talk to each other

  5. Routing and tagging have to be easy

  6. The whole setup must be reproducible

  7. Maintenance over SSH


In short: This device is the router of my dreams. I’m very happy :)

The full documentation of the requirements above can be found in the docs/stuff section.