My homelab, after the MikroTik switch
I replaced my OPNsense box with a MikroTik CCR2004. People keep asking why. Here's why, here's the rough config, here's what I'd do differently.
The before
I had a small fanless x86 box running OPNsense for about four years. It worked. It mostly worked. Twice a year a kernel update would break the WireGuard module and I'd lose remote access to my own network until I went home and plugged in a keyboard.
Why MikroTik
Three reasons. One: RouterOS is one piece of software written by one team. If you've ever debugged a BSD jail interacting with a Python plugin written by someone who left the project in 2019, you know the appeal. Two: the CCR2004 has a real CPU and four 10GbE SFP+ ports, which is overkill for a home network and exactly what I want for a homelab. Three: the CLI. I'd rather edit one config than click through ten panels.
What I actually run
- One WAN — gigabit fiber from a small German ISP.
- Three VLANs — trusted (10), iot (20), guest (30).
- A WireGuard server for me, on a non-default port.
- DNS via adguard home on one of the Lenovo tinies, MikroTik forwards to it.
- Tailscale subnet routing from one node into VLAN 10 only.
What surprised me
RouterOS 7's container support is good enough that I genuinely considered running adguard on the router itself. I didn't, because I prefer the router to do one thing, but I considered it.
WireGuard performance on the CCR2004 is about 950 Mbit/s in my setup, CPU-limited on a single core. That's plenty for me. If you have a 10G uplink and want to push WireGuard at line rate, this is not your box.
What I'd do differently
Buy the SFP+ DAC cables before you buy the router. I waited a week because I assumed I had spares. I did not.