Monday, May 2, 2011

Mikrotik Routers

Let me just say right up front that I think Mikrotik (mikrotik.com) routers are great. I have no Mikrotik stock and I don't get a cut every time I install one at a site, but, to my mind, they really are the best thing since sliced bread.

I use Mikrotik routers for access points (APs), for firewalls, and for routers. I no longer use Cisco, Sonicwall, or whatever AP is hot at the moment. It is all done with the Mikrotik platform.

Mikrotik is a company whose corporate office is in Latvia. They have little market share in North America, but are very popular over much of the rest of the world. They have an extensive product line but I am only going to describe a single model that is useful in a small library, the Mikrotik 433AH with radio card and antenna.

Before I do though, I'll point out the down side. They are hard to learn and configure. You must be very familiar with TCP/IP to configure one. With that out of the way, I'll get to the upside.

This router is cheap. If you were to get a comparable Cisco device, you would spend multiple thousands of dollars. This is less than $300, sometimes closer to $200. It costs less to buy a backup Mikrotik device to keep as a spare than a 1-year service contract would cost with Cisco. Not that Cisco is the only alternative, but the feature set for the cost is unusual.

It is feature rich. This one device has three routable ports and can have 2 radios in it. Thus, in a small library, one port connects to the ISP, one to the public network, one to the staff network, and a radio card serves the hotspot. This provides for segregation of the library's PCs.

I often use these as library hotspot APs. I require users to logon, but the logon is simply "patron" with no password. This is easy to inform the public about, and this technique can give me stats on the number of logons to the hotspot, a number our board likes to see. The hotspot can also be scheduled to turn off and on. I get better coverage than I did with Linksys, Netgear, Sonicwall, or Dlink APs, using the low end antenna.

I presently have about a dozen installed in various libraries and, for the past year, not a one has had to be rebooted to correct a problem. But I have been using these for about 2 years. I wasn't using the firewall correctly for the first year and it seemed like I had to reboot them about once a month. Since I figured out the firewall issue, they just sit and hum.

The features that first attracted me to the 433AH are the 3 routable RJ45 ports and the separate radio port. It is very easy to segregate traffic with this device. One problem small libraries have is that public users will soak up all the library's bandwidth downloading movies and such. The Mikrotik can limit the bandwidth through a port, so you can allow the hotspot users only 2 Mbps as a group, or you can limit bandwidth by IP address, allowing each public PC no more than 512 Kbps.
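Here is what the hotspot logon, the scheduled on/off, and the two kinds of bandwidth limit look like as RouterOS commands. This is an added example, not configuration from the post; the interface roles, subnets, times and the hotspot server name "hotspot1" (the default name created by /ip hotspot setup) are my assumptions. The syntax is RouterOS v5, which was current in 2011; v6 renamed the simple-queue target-addresses= parameter to target=.

```routeros
# Assumed roles on the RB433AH (not from the post):
#   ether1 = ISP uplink
#   ether2 = public PCs, 192.168.20.0/24
#   ether3 = staff PCs,  192.168.10.0/24
#   wlan1  = patron hotspot, 192.168.30.0/24
# Assumes a hotspot server named hotspot1 already exists on wlan1.

# One shared hotspot account with no password. Every successful logon is
# written to the router log under the hotspot topic, so logons can be counted.
/ip hotspot user add name=patron server=hotspot1 comment="shared public logon, no password"

# Turn the hotspot radio off at closing time and back on before opening.
/system scheduler add name=hotspot-off start-time=21:00:00 interval=1d on-event="/interface wireless disable wlan1"
/system scheduler add name=hotspot-on start-time=08:00:00 interval=1d on-event="/interface wireless enable wlan1"

# Group limit: everyone on the hotspot shares 2 Mbit/s up / 2 Mbit/s down.
/queue simple add name=hotspot-cap interface=wlan1 max-limit=2M/2M

# Per-PC limit on the public LAN: PCQ gives each source address (upload) and
# each destination address (download) its own 512 kbit/s sub-queue, so one
# patron downloading a movie cannot starve the PC next to it.
/queue type add name=pcq-up kind=pcq pcq-rate=512k pcq-classifier=src-address
/queue type add name=pcq-down kind=pcq pcq-rate=512k pcq-classifier=dst-address
/queue simple add name=public-per-pc target-addresses=192.168.20.0/24 queue=pcq-up/pcq-down max-limit=10M/10M

# Check: watch the live rate and byte counters per queue while a public PC downloads.
/queue simple print stats
```

The max-limit on the public-per-pc queue is the ceiling for the whole public LAN; the PCQ type underneath it is what enforces the per-address share. If the counters in the print stats output never move, the queue is not matching the traffic, which usually means the addresses or interface in the queue do not match how the PCs are actually addressed.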

I could go on, but maybe I should stop here. If you want to learn more and think you have sufficient tech support to manage one of these, drop me an email at jims@missoula.lib.mt.us. I can help get you started. It will be fun. At least for me.

The 9 Suggestions

At MLA 2011, I presented on what a small library should be doing to keep its PCs running. I gave 9 suggestions for what a library should do. Here they are.

  1. Microsoft Updates: Do Microsoft updates, not just Windows updates. The second Tuesday of the month is when Microsoft releases many updates, but they also occasionally come at other times of the month too.
  2. Also keep your other applications current. Pay particular attention to Firefox, Adobe Reader, and Flash. But try to keep all your applications up to date. I agree with you, though, that it is a royal pain in the neck. Larry, our new IT guy at the Missoula Public Library, has some good ideas on that front. I hope to be posting about how to make this easier in a couple months.
  3. Use Firewalls. XP, Vista, and Windows 7 all have a firewall built in (Windows ME does not). Use them. Also use a firewall at your perimeter device. That's the device in the phone closet that connects to your ISP.
  4. Block SPAM. If a malicious email never shows up in your mailbox, it can't infect you. Most email clients have some kind of SPAM blocking feature. Also, many ISPs provide a SPAM blocking service that will usually cost a little bit but will keep your mailbox cleaner.
  5. Protect your Browser: All the major browsers have a variety of tools built into the application to protect you from a variety of malicious activities. For example, IE has the pop-up and ActiveX blockers, protected mode, and a variety of other things. Another useful tool is something called WOT. It's a 3rd party add-on. Find it by googling "web-of-trust".
  6. PC Restrictions: This is something you would consider mostly for your public PCs. The primary product for this is Group Policy. If you had a week-long class on this product you would just be scratching the surface. But there are much more user-friendly products such as SteadyState from Microsoft (it's free but it doesn't work on Windows 7) or WINSelect from Faronics.
  7. Antivirus and antispyware: As time goes by, this genre of tools becomes less and less useful because the malware is getting too clever. But they are still useful. Use them. Keep them updated.
  8. Separate Public, Staff, and Hotspot PCs: Your staff will at least try to not get infected. The public doesn't care, and so you can assume the public PCs are infected not long after a patron touches them. On the hotspot, patrons can use their own tools to hack into your environment. Stop all this by disallowing any communication between your staff, public, and hotspot users. See a previous post on ARP poisoning to learn how to do this easily.
  9. Passwords: Never leave a device with its default password, or no password, or "password", or any of dozens of silly selections. You have good locks on your doors? You should also have good locks on your software. This applies to both your vocation and your personal life. Don't always use the same password. Can someone watch you logon to your PC every morning and then know how to get into your online banking?
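Suggestion 8 is the one that a router like the 433AH described above makes easy. With the public, staff, and hotspot networks on separate ports they are separate broadcast domains, so ARP poisoning on the public side cannot reach the staff side at all; what remains is to stop the router from forwarding traffic between them. The following is an added example of doing that with the RouterOS firewall forward chain; it is not the method from the earlier ARP-poisoning post, and the interface roles and subnets are my assumptions.

```routeros
# Assumed roles (not from the post): ether1 = ISP, ether2 = public PCs,
# ether3 = staff PCs, wlan1 = patron hotspot.
# The forward chain sees traffic routed between interfaces; the input chain
# sees traffic aimed at the router itself.

# Let replies to already-allowed connections through first.
/ip firewall filter add chain=forward connection-state=established,related action=accept comment="replies to allowed traffic"

# Each network may reach the Internet and nothing else.
/ip firewall filter add chain=forward in-interface=ether2 out-interface=ether1 action=accept comment="public -> Internet"
/ip firewall filter add chain=forward in-interface=ether3 out-interface=ether1 action=accept comment="staff -> Internet"
/ip firewall filter add chain=forward in-interface=wlan1 out-interface=ether1 action=accept comment="hotspot -> Internet"

# Anything else between networks (public->staff, hotspot->public, ...) is dropped and logged.
/ip firewall filter add chain=forward action=drop log=yes log-prefix="xnet-drop" comment="no traffic between public, staff, hotspot"

# Protect the router itself: only the staff LAN may manage it, the others get DNS only.
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input in-interface=ether3 action=accept comment="staff may manage the router"
/ip firewall filter add chain=input in-interface=ether2 protocol=udp dst-port=53 action=accept comment="DNS for public PCs"
/ip firewall filter add chain=input in-interface=wlan1 protocol=udp dst-port=53 action=accept comment="DNS for hotspot"
/ip firewall filter add chain=input action=drop log=yes log-prefix="input-drop"

# Check: the drop rule counters should climb when a public PC pings a staff address.
/ip firewall filter print stats
/log print where message~"xnet-drop"
```

Test it from a public PC rather than trusting the rule list: ping a staff PC and the router's own address, then confirm the drop counters and the xnet-drop log lines moved. The hotspot login portal itself keeps working because RouterOS inserts its own dynamic rules for the hotspot interface ahead of these; if you later add a service the public PCs need from the router (a DHCP relay, a web proxy), add a matching input accept rule above the final drop rather than loosening the forward chain.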

So there is a lot of stuff here. You are not going to go home and do all this right away, if at all. So people ask me for the short list. What three things from this list should they do?

If I had to say only three, I would say 1 and 2 first. Do the Microsoft and application updates regularly. Then 8, because you can always safely assume that your public PCs are infected, and you don't want that to spread to your staff PCs. Finally 9: passwords are locks, use good ones and use them correctly. There is a lot of good info about how to use passwords well.

But I would also put antivirus and antispyware in the top 3 as well. I know there are 4 items in the top 3 but they all need to be there. AV and AS are less important on public PCs if they are using Deep Freeze, but definitely important on PCs not running Deep Freeze.

Be careful out there.