
nogoodsuggestednames

I think you're underestimating how much is involved in being an ISP here. On the actual question: No way in hell. The CRS510 has a single core 650MHz processor, it's a switch. Queues and NAT both hit the CPU.


ahmadafef

I'm not. It's a $50K investment to only start the company. God knows how much more I need to actually operate it. I'm just asking anything I have on my mind in order to get the widest possible point of view. You never know who is better than you and who has better ideas than you unless you're asking. People on reddit are very versatile and they're mostly creative or experienced. I like to get new ideas from them.


Akatm7

$50k is not a lot for starting an ISP. You'd be better off starting a taco truck.


ahmadafef

Thank God I'm not American. $50k is a good starting point for me here. But for sure it's just a start. If I managed to do it correctly, I'll be able to expand really fast.


Akatm7

I love this drive you have and I really want you to succeed, but I fear for your success that you need some more time with a proper ISP to see what is all involved and get some more hands on experience. Have you considered partnering up with someone that has experience or possibly spending some time with a company that’s been through it already? I’m all for working for yourself, believe me, but I think some hands on experience could go a super long way for you in achieving this dream of yours. Not trying to rain on your parade or be rude, I just want you to have the best shot at this possible


ahmadafef

Thank you very much for the advice. I've already partnered with a huge ISP and they promised training and an on-premises engineer to help me start up. They can provide this after I acquire all the required permissions from the government. At the moment, I have the people of the internet to help me gain knowledge about the field.


nogoodsuggestednames

Sorry, my original reply was needlessly hostile and more reflective of the day I was having. Honestly I agree, $50K can go a long way in building a network. Where are you based in the world? The things that give me pause about the current plan start with redundancy: if you're just using a single Fortinet 200F and something goes wrong it'll be immediate panic mode, made worse by a large volume of customer calls. You'll need monitoring to confirm the exact needs of the network, but worrying about 40-100Gbps connections will likely be a lot further into the future of the project. When I was building out a new core for an ISP with around 3000 customers, usage at peak times would top out at 4Gbps; this ISP was offering 1000Mbps fibre connections. Diverse paths are a much more important consideration unless your upstream is already providing redundancy. Actual network design and hardware selection will vary on a case by case basis.


ahmadafef

I'm working in Israel. Very expensive, but $50K is still much here. Redundancy should be implemented on my side. That's why I'm looking into replacing the suggested FortiGate. For the price of one FortiGate, I can get 3 MikroTiks. This way if something goes wrong, I still have another 1 or 2 just in case. I'm not going to have 3000 clients. I'll be lucky to get 50 in the first few months, but hopefully I'll get much more in the future. Thank you for the nice update!


nogoodsuggestednames

More than happy to help you out here. With the expected client base you definitely won't need more than the 10Gbps link for quite some time.


vecernik87

Absolutely no. CRS510 can do some HW offloaded routing but it has limitations not compatible with generic ISP needs. You mentioned NAT and I assume you will need basic firewall as well as queues.

* NAT and firewall are limited to 4k entries in HW. That may be ok in some cases, but not for an ISP with many clients. You will without doubt have more than 4k connections active at a time. [L3 HW help](https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading) says

> When the HW limit of Fasttrack or NAT entries is reached, other connections will fall back to the CPU

The CPU on CRS510 is worse than my hAP ac2 and it will instantly clog if it gets hit by ISP-level traffic.

* Queues can allegedly be [HW offloaded since 7.10](https://help.mikrotik.com/docs/pages/viewpage.action?pageId=189497483), but since it is an absolutely new feature, I wouldn't rely on it in any near future. Good for a home lab, but not for a business' mission critical system.

In your case, [CCR2216](https://mikrotik.com/product/ccr2216_1g_12xs_2xq) might be an option if you are looking at 40-100Gbit links. It combines HW offload in the switch chip with a powerful CPU to handle remaining non-offloaded traffic and features. However, for greater reliability, I wouldn't recommend relying your whole business on a single point of failure. Splitting the traffic across multiple routers (3 or 4) would be more reasonable. If one of them fails and needs maintenance, the others need to handle the traffic.


ahmadafef

Thank you very much for the detailed information. I didn't really know that they make a 100Gbps router!! Do you have any 10Gbps or 20Gbps Routers that you can recommend? I'll try to do what you've suggested and use more Routers. I think 20Gbps would be the sweet spot for me.


wrexs0ul

L3HW on the 2216 has been buggy. Random packet drops, and the feature set is currently missing packet sampling to do traffic flows if you offload ports. Definitely stick to CPU for now.


vecernik87

Ohno! That's a shame. Hope they fix it soon.


ernieball17

Hi! That's a switch. If you need some help designing the core and access of your network I can help you with that


ahmadafef

Thank you very much!! I actually need a lot of help. I'm almost a noob.


ernieball17

No problem. In the first place let me know what the role of the FortiGate is. Is it just a border router? Is it doing queueing or firewall? With this data we can start to pick some MikroTik models.


ahmadafef

The FortiGate is just a border router.


ernieball17

Ok, so check the CCR2116. It's the top of the mountain for MikroTik, allowing you to connect transceivers from 10, 25, 40 and 100 Gb.


ahmadafef

Thank you very much! I'll take a look at it.


manjunath1110

From a MikroTik point of view, the CCR2216 is your only choice.


ahmadafef

Thank you! That router sounds like it's a beast!


[deleted]

[deleted]


ahmadafef

Thank you for the response. I really appreciate it. I'm using the FortiGate as a router only. My ISP suggested it and I didn't really like it. I don't need a firewall anyway. I'm looking at the moment at the MikroTik CCR2261. An hour ago someone offered me a used Cisco ASR9010 for about $900. It's very interesting since it's a Cisco, but it's used and God knows what's wrong with it. I'll buy it anyway, I have money to spare, but I'm also interested to know if it's worth it these days. Any idea?


Sindef

It really depends, you'd need to check the unit out. I'm not an expert in Cisco gear sorry. I've predominantly been a Juniper man for the past 7-8 years. I'm also not American so I have no idea of the cost of networking gear over there. There are 'used' and then there are 'used' though, so look at all your options. I'd just say hold off on purchases until you find a consultant or are able to hire a Network Engineer to help you guide these decisions.


ahmadafef

Thank you very much


ManWithoutUsername

Really an ISP, not meaning a hosting provider or similar?

> Would CRS510-8XS-2XQ-IN do the job, or so I still need a router?

That depends on what you are going to do specifically. Probably for the beginning it's ok. Probably a router is necessary if you want to do CPU intensive / non-offloading things; MikroTik has few routers.


ahmadafef

I'm not a hosting provider and probably never will be. I had enough headache in that field. Thank you for the suggestion. Does MikroTik have a 10Gbps router? Or even 40Gbps?


aoc2040

This is highly dependent on your network design, esp. where you will be deploying devices that perform carrier-grade NAT. You might be able to leverage hardware traffic shaping in CRS3xx and CRS5xx devices. [https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-TrafficShaping](https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-TrafficShaping)


ahmadafef

Thank you very much for the suggestions!


biki73

I know an ISP that runs on CHR on a powerful enough host. Maybe that's an option?


DulcisUltio

The company I work for (and whose network I administer) is a small WISP in a smallish town with between 1500 and 2000 clients (more in tourist season). We use two Mikrotik routers, a ccr1036-8g-2s+ as our main router, a RB1100AHx4 as the router that our backbone provider uses to provide our 1GB line and an RB3011UiAS-RM as our in-office router. We have 30 sites that are all powered by either HEX units or RB4011's, depending on how many links and sectors are on each tower. From what you posted, your needs are clearly much different to ours but I wanted to let you know that, in our case, the CCR1036 has been more than adequate. Good luck with your venture OP, wishing you nothing but success.


ahmadafef

Thank you very much! I appreciate the support. My needs are a bit similar. Instead of 1Gb, I'll get 40Gb. And instead of 1500 clients, I'll be starting with about 50 clients. All of them are going to connect using GPON infrastructure that I'm going to deploy and they'll connect to me using VLANs. Hopefully I'll do it and I'll do it correctly!


Ham_Radio25

Hi, I'm a network engineer at a wireless internet service provider, we have over 5k customers. I would ditch the Fortigate, and get the MikroTik CCR2116 as your core router, firewall, NAT, etc. When you get bigger you'll want to split these functions off into their own box, but for now, the CCR2116 will be just fine. When you need more than 10Gbps you can upgrade to the CCR2216, and move the CCR2116 down the line. If you need more ports, that's when you want / need a switch. But you need a router to do serious routing. Plus, you need something that will do full BGP tables, OSPF, etc...


ahmadafef

Thank you very much. This is actually very helpful!


Ham_Radio25

No problem :) Remember you don't need a "Firewall". You're a pipe, you don't care about the water that flows through your pipe, it's not your job to police the internet. The only "Firewall" rules you really should have are policies that allow specific things to access your equipment (like maybe some servers, SNMP, access from specific IPs, etc.) and then block everything else. Always just block everything, and only allow what you want. Your firewall rules should be very simple; if you have hundreds of rules, you're doing something wrong.


ahmadafef

Thanks. I'll be running my own separated firewall to protect my services and servers. Otherwise, as you said, I'm not here to police the internet.


Some-Nefariousness28

You are starting an ISP business. You don't know whether you will succeed or not in the short term. The customer won't care whether you have Juniper or MikroTik as long as they can access Google. Go for a CCR1036 to be safe. Old model, you can get it probably for cheap. When it falls short, probably you'll have more cash to go for a 2216, and from there to an MX204 potentially. Source: I helped many small ISPs to grow from a single Linux gigabit server as router, to CCR1009, then to 1036, then to 1072 + 1036 for BNG, and way later, you think about hardware routing.


ahmadafef

Thank you!! I like the spirit and hopefully I'll go big one day. I'll look into this for sure, and for now I've managed to get 2 used Cisco ASR9010 for almost $900. I'm not sure if it's a good price or if it's good hardware, but it's capable of 400Gbps networking. I'm still going to go with MikroTik. It's easier to use. Once I'm able to run Cisco like a pro, I'll move to their hardware!


PutSquare7679

We have been operating a WISP for 25+ years and are also doing FTTP. 12k customer base currently. I'm the only network engineer on staff and have been filling the CTO role for some time. We have been running MikroTiks for our edge, core, and base routers for most of the lifespan of the company. Also utilizing them for our aggregation switches as well. I'm even utilizing MikroTik to host our DHCP servers at our core and distributing subnets across our entire infrastructure using MPLS/VPLS on top of OSPF. MikroTik works fine if you know what you are doing. Most people I've had to train or prove that it does lack general network/routing capacity, so they look for a more simplistic product. Understand your needs and look at/scale products to meet your needs. Also, threat protection is not the ISP's responsibility. That's like saying it's the state's job to provide us insurance to drive our cars on their roads; that's not how that works. Your job as an ISP is to provide a stable road for them to operate on, not to provide them protection. Most ISPs that sell "protection as a service" do that to increase their MRR and it is just another service to sell for additional revenue.


ahmadafef

Thank you. This sounds really interesting. I do lack a lot when it comes to networking, but hopefully I'll learn fast.


wyohman

If you're asking reddit, you are clearly not prepared.


ahmadafef

Well, you need to start at some point. Asking more knowledgeable people is a good starting point.


wyohman

Given the technical and logistical complexity of running this business, this is not the place to ask unless your post is more hypothetical than real. There are licensing, regulatory, technical, legal and a myriad of other complex things that cannot be learned here.


ahmadafef

These things are covered by my lawyer. Money things are covered by my accountant. I'll focus on the technical part of things.


wyohman

Good luck.


Blue_Bear_Chan

There are ISPs in South America who heavily use MikroTik, but personally I would not suggest it. Your core devices will need to be high powered and have threat detection to protect your customers. You could look at Adtran for providing to customers. You can then provide an ONT and login details and they could either use their own router or one you provide.


ZPrimed

An ISP’s job isn’t to provide “threat detection” for its customers, the ISP’s job is to give them internet service. I’ll protect my own border TYVM. I would be annoyed if I found an ISP was blocking traffic to my IP that was not otherwise explicitly agreed upon as “forbidden”/blocked from the service. If I was under some sort of DDoS attack, I could understand them blocking that in the guise of “network abuse,” but I don’t expect an ISP to be running any sort of threat intelligence on my inbound traffic (e.g. SSH or web compromise attacks are not the ISP’s problem, that is mine). In a corporate world, yes, I would run a Fortigate or PaloAlto to help stop these threats, but I would not expect my ISP to do it for me (unless I was paying for that as a “managed service” add-on). Also, thousands of small WISPs in the US use Mikrotik routers as both edge and core devices. But the switch the OP listed isn’t really suitable for routing… CCR2k series would be the best choice these days.


tyrantdragon000

I second that ISPs are supposed to be fully open. Used Cisco and Juniper in the core works great, runs forever... That being said, maybe his offering is an ISP that provides additional security services. If it's in a saturated market it could be a valid idea.


Arne_Anka-SWE

Fully open, probably not. But the filters should be very limited to the worst things possible. There is no reason to forward a SYN flood or other crafted attacks. And as an ISP, unless you are serving commercial customers, port 25 is usually closed and, to prevent rogue servers, 53 and DHCP are also blocked.
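The default-deny management policy Ham_Radio25 describes above and the narrow abuse filters mentioned here (SMTP, DNS, DHCP, with commercial customers exempted), written out as an added RouterOS v7 example; this is not any commenter's configuration, and every address, list name and the VLAN interface name are constructed placeholders.

```routeros
# Added example, not from the thread. Placeholders: 192.0.2.0/24 (NOC),
# 203.0.113.0/30 (upstream BGP peer), 198.51.100.0/24 (business customers),
# vlan100-customers (subscriber-facing VLAN). Replace all of them.

/interface list
add name=customers comment="interfaces facing subscriber VLANs"
/interface list member
add list=customers interface=vlan100-customers comment="placeholder VLAN name"

/ip firewall address-list
add list=mgmt address=192.0.2.0/24 comment="NOC and monitoring hosts (constructed)"
add list=bgp-peers address=203.0.113.0/30 comment="upstream peering /30 (constructed)"
add list=business address=198.51.100.0/24 comment="commercial customers, no service filtering (constructed)"

# input chain: traffic TO the router itself. Allow only what the NOC, the
# routing protocols and monitoring need, then drop everything else.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="replies to sessions the router opened"
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept comment="keep ping, traceroute and PMTUD working"
add chain=input src-address-list=bgp-peers protocol=tcp dst-port=179 action=accept comment="BGP: without this the default deny kills the upstream session"
add chain=input protocol=ospf action=accept comment="OSPF hellos from internal routers"
add chain=input src-address-list=mgmt protocol=tcp dst-port=22,8291 action=accept comment="SSH and WinBox only from NOC"
add chain=input src-address-list=mgmt protocol=udp dst-port=161 action=accept comment="SNMP polling only from monitoring"
add chain=input action=drop comment="default deny for the router itself"

# forward chain: subscriber traffic THROUGH the router. The ISP is a pipe,
# so only abuse-prone services are filtered; business customers are exempted first.
add chain=forward src-address-list=business action=accept comment="commercial customers pass unfiltered"
add chain=forward in-interface-list=customers protocol=tcp dst-port=25 action=drop comment="residential: no direct-to-MX SMTP (spam bots)"
add chain=forward out-interface-list=customers protocol=udp dst-port=53 action=drop comment="no inbound DNS to subscribers (open-resolver abuse)"
add chain=forward in-interface-list=customers out-interface-list=customers protocol=udp dst-port=67,68 action=drop comment="no DHCP between subscribers (rogue servers)"
add chain=forward action=accept comment="everything else is forwarded untouched"
```

The forward-chain DNS rule matches only traffic leaving toward subscriber VLANs, so subscribers' own outbound queries to public resolvers are unaffected; the ISP's own DHCP server on this router is reached via the input chain and is likewise unaffected by the subscriber-to-subscriber DHCP drop.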


vecernik87

There are many ISPs who do that (including Launtel here in Tasmania) but I am yet to hear about any of them using CRS as routers. That just does not work. All these ISPs will run CCRs. Some slower and more rural ISPs might get away with RB5009 or RB4011, and I have seen an Indian village ISP running a simple hEX. But that is a rather funny story than a serious business example.


ahmadafef

Thank you very much for the suggestion!


ahmadafef

I've checked. Legally, I'm not obligated to protect anyone. My job is to connect them to the world. Protection is the responsibility of the client. Anyway, I can provide an extra secure connection by using DNS filtering and firewalls, but this should be on demand and for a price. So I'm safe when it comes to protection. For business clients, I'll provide pfSense or FortiGate routers/firewalls. Any reason why you don't prefer MikroTik for such a field?


fw11au1

Oh my… did someone say Adtran where people talk about Cisco and MikroTik? Now with the Adtran it'll be very simple, as it is a hard no! Why? Just because you simply will allow me 24 hours and I will go shopping first thing in the morning, yes it is past midnight here in Oz, anyways, then I will build one, not just any tho, one that will definitely be better than Adtran! Haha😉


Blue_Bear_Chan

Please give me an actual reason? I've successfully worked with these rolling out GPON to thousands of locations using privatised fibre infrastructure.


fw11au1

I was just kidding, I mean almost… I know Adtran is actually very good when it comes to biz solutions but terrible with the residential, and I had to deal with their single port ONT/NTD which is used by one of the fuckup wholesalers, which has been just a nightmare on top of this wholesaler's inadequate networking, that is all!


Blue_Bear_Chan

The ONT is only meant to convert the fibre to copper and some other basic management functions; it would be expected to put a router on the end, so is 1 port not sufficient? I know their 10Gbps model has 4 ports, but typically from a service provider point of view each port of an ONT would be used for a separate service. Management and monitoring of a circuit could then be done by placing an endpoint on the end and providing a public IP to the customer this way, or allowing them to connect directly with their own equipment if they want to do their own monitoring.


fw11au1

This wholesaler uses sdx611 if I remember correctly to provide FTTP service. This fiber is generally dropped in the garage and they use a mix of different brands to service, like Huawei, NEC, Dasan, Nokia/Alcatel, Adtran. And whenever they have a problem in their network causing an outage, generally the ones using this single port Adtran are the ones affected the worst. Some use the 4 port Adtran, which is not the same experience compared to the single port Adtran! And my team just hates to deal with it!