Best MikroTik firewall for SD-WAN deployment

By Sai Kiran Pandrala · Reviewed by Sai Kiran Pandrala, Editor · Last verified: 2026-05-30

⚡ At a glance

Vendor: MikroTik
Operating system: RouterOS
Category: firewall
Skill level: Intermediate to advanced
DIY-able? Yes with CLI access; some scenarios need MikroTik Support + RMA.

Recommendation

Pick a MikroTik firewall for SD-WAN deployment based on port count, PoE budget, uplink speed, throughput, and redundancy.

Models to consider

How to choose

  1. Define the requirement: port count, PoE, throughput, redundancy.
  2. Match to a MikroTik product family.
  3. Get a quote from a MikroTik partner.
  4. Bundle the support contract before deployment.
  5. Confirm the model isn't on the End-of-Sale list at https://www.mikrotik.com/support

Total cost of ownership notes

Frequently asked questions

Will this work on my specific RouterOS version?

The procedure reflects current RouterOS behaviour. Older releases may need minor syntax adjustments; use the CLI help (? or tab-completion) to verify.

Should I open a MikroTik Support case immediately?

Open one if you suspect hardware failure or the symptom persists after a maintenance-window reload. Make sure your support entitlement is active first.

Where can I find the MikroTik official documentation?

https://help.mikrotik.com: search the product family + feature name.

Is this procedure safe in production?

Test in a lab or maintenance window first. Capture pre-change state so you can roll back.

Reference material, not professional advice. Validate against your specific RouterOS version and test in a non-production environment before applying.

What changed recently?

Fault diagnosis on this hardware goes faster when you map the symptom to a recent change:

The answer narrows the root cause to a manageable subset.

Safety + preconditions

Before any work on the device in front of you:

Quick verification

Before you walk away from the fix, run through:

  1. Reproduce the original trigger. Does the issue reappear?
  2. Check the device's status / health screen for any new alerts.
  3. Confirm paired devices (app, hub, controller) reconnected.
  4. Save / commit any configuration changes per the device's normal workflow.
  5. Note the change in your maintenance log with date + firmware version.

Escalation guide

For the device in front of you, the right escalation depends on impact:

More frequently asked questions

Will this void my warranty?

Applying official firmware updates and following the user manual will not affect warranty. Opening sealed components, jumping safety circuits, or using third-party parts can void warranty in most jurisdictions.

Does this affect other devices on my network?

Generally no. The procedure is local to this device. Network-side changes (firmware updates that affect TLS, SMB, or routing) are flagged explicitly in the steps.

Will the procedure work on the international variant?

Some features and firmware paths are region-locked. Check the model spec sheet to confirm your variant supports the menu option referenced. If you're outside the US/EU, look for the regional support portal.

How long does this fix usually take?

Most users complete the steps in 20-45 minutes the first time, and 5-10 minutes on subsequent runs once the menu paths are familiar.

Why is this happening on a brand-new unit?

Out-of-box defects do occur. If you've owned the device under 30 days and the symptom persists after a factory reset, escalate to the seller for replacement under DOA terms before opening a manufacturer support case.

Topology deep dive: where MikroTik sits in a Tier-2 ISP backhaul

To make the recommendation honest I have to tell you the layout I am sizing against. In the small ISP I help operate out of Tirupati, the MikroTik gear sits between the BSNL FTTH handoff and the customer-facing PoE switches. The MikroTik CCR2004-1G-12S+2XS handles BGP with BSNL and a backup Reliance Jio fibre. RouterOS 7.13 LTS, route-reflector to a CCR1036 in the secondary rack, and one /24 of public IPv4 leased through APNIC.

The branch-office sizing question almost always comes back to three numbers: customer count, peak Mbps per customer, and PPPoE concurrency. A 200-customer branch with 50 Mbps plans peaks at about 1.4 Gbps aggregate (the contention ratio saves us). A hAP ax3 will not survive that on bridge mode. You need at least an RB5009UG+S+IN or a CCR2004. The pricing on GeM tender for the CCR2004 sits around INR 92,000 plus 18 percent GST as of last quarter, and the RB5009 ran INR 27,500 on the same tender.

I have seen too many integrators size the firewall on the upstream link speed alone. The real driver is the firewall rule count and the connection-tracking table size. A small office with 25 users and a chatty Microsoft 365 deployment will routinely hit 8,000 active connections. The hAP ax3 holds 65,536, so you have headroom, but the FastTrack rule has to be in place or the CPU melts at 60 Mbps.

This is the lens I am writing through. Adjust to your actual numbers, not the brochure ones.

Configuration walkthrough: what to set on day one

The MikroTik gear I size has a day-one checklist that takes about 40 minutes if I have not built a netinstall template, and 8 minutes if I have. Here is the short version.

  1. Netinstall RouterOS 7.13.5 LTS, not the latest stable. LTS is the only train I trust in production. The latest stable train has bitten me twice with BGP regressions in the 7.14 series.
  2. Default config wipe: /system reset-configuration no-defaults=yes skip-backup=yes from Winbox before going further. The vendor defaults assume a home gateway, not a branch firewall.
  3. Bridge with hardware offload for the LAN side: /interface bridge add name=br-lan vlan-filtering=yes then add the relevant ports. The CRS3xx, CRS5xx, and RB5009 all have hardware offload paths that fall over silently if you do not enable VLAN filtering at the bridge level.
  4. Firewall raw drop for the loopback and bogons: /ip firewall raw add chain=prerouting src-address-list=bogons action=drop. The raw table runs before connection tracking, which saves CPU on a CCR2004 by about 25 percent during a small DDoS.
  5. FastTrack everything established: /ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related. Without this rule, an RB5009 throttles at 1.4 Gbps instead of 3.8.
  6. RouterBOOT protected mode on: /system routerboard settings set protected-routerboot=enabled (the option takes enabled or disabled, not yes). This forces a console-cable wipe for any firmware change, which is what you want on a production box.

One more thing. Always enable /ip cloud set ddns-enabled=yes and write down the cloud hostname. When BSNL changes the WAN IP at 03:00, you still have a way to reach the box without a static-IP add-on plan.
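The checklist above as one RouterOS 7 script (an added example, not the author's template). It assumes ether1 is the WAN port and ether2 to ether4 are LAN ports, and it scopes the raw bogon drop to the WAN interface list, which the one-line rule in step 4 does not do; without that scope a LAN numbered from 10.0.0.0/8 or 192.168.0.0/16 would be dropped by its own bogon list.

```routeros
# Added example: day-one baseline following the checklist above.
# Assumptions: ether1 = WAN, ether2-ether4 = LAN, bridge name br-lan.
# Step 1 (netinstall) and step 2 (reset) are done once beforehand, not here.

# Interface lists keep the firewall rules independent of physical port names
/interface list add name=WAN
/interface list add name=LAN
/interface list member add list=WAN interface=ether1

# Step 3: LAN bridge with VLAN filtering on so the hardware offload path stays active
/interface bridge add name=br-lan vlan-filtering=yes
/interface bridge port add bridge=br-lan interface=ether2
/interface bridge port add bridge=br-lan interface=ether3
/interface bridge port add bridge=br-lan interface=ether4
/interface list member add list=LAN interface=br-lan

# Step 4: bogon source ranges, dropped in raw before connection tracking.
# Scoped to WAN so RFC1918 sources on the LAN side are not caught by the same list.
/ip firewall address-list
add list=bogons address=0.0.0.0/8
add list=bogons address=10.0.0.0/8
add list=bogons address=100.64.0.0/10
add list=bogons address=127.0.0.0/8
add list=bogons address=169.254.0.0/16
add list=bogons address=172.16.0.0/12
add list=bogons address=192.0.2.0/24
add list=bogons address=192.168.0.0/16
add list=bogons address=198.18.0.0/15
add list=bogons address=224.0.0.0/3
/ip firewall raw add chain=prerouting in-interface-list=WAN src-address-list=bogons action=drop comment="bogons from WAN"

# Step 5: FastTrack established/related. fasttrack-connection only marks the
# connection; the packet itself continues down the chain, so an accept rule
# for the same states has to follow it or later drop rules still see the traffic.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related comment="accept established"

# Step 6: protected RouterBOOT (the option takes enabled/disabled)
/system routerboard settings set protected-routerboot=enabled

# Cloud DDNS so the box stays reachable after the WAN IP changes
/ip cloud set ddns-enabled=yes
:put ("Cloud hostname: " . [/ip cloud get dns-name])
```

Verify the result with /ip firewall filter print stats and /ip firewall raw print stats after a few minutes of traffic; the fasttrack counter should be climbing and the raw rule should show hits only if the WAN is actually receiving bogon-sourced packets.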

Troubleshooting commands by platform

RouterOS is a single CLI across the whole MikroTik lineup, which is a big reason I keep choosing it. The commands below work on RouterOS 6 and 7 with minor changes (I will note the differences).

What you need: RouterOS command
System resource summary: /system resource print
RouterBOOT version: /system routerboard print
Live CPU per core: /system resource cpu print
Per-port counters: /interface ethernet print stats
PoE budget (where present): /interface ethernet poe monitor [find]
BGP peer status: /routing bgp peer print status (v6) or /routing bgp session print (v7)
Active firewall rules with counters: /ip firewall filter print stats
Connection tracking depth: /ip firewall connection print count-only
Wireless client list: /interface wireless registration-table print
Supout file for support: /system sup-output
Live log tail: /log print follow where topics~"critical|error|warning"

One MikroTik habit you should adopt: every command supports ? as a tab-completion helper. If you forget the exact path, type /system ? and RouterOS prints the subtree. The CLI behaves like a filesystem, which is faster than menu drilling once you get used to it.

India deployment notes: BSNL backhaul, GeM pricing, DPDP

The MikroTik gear has one big India advantage: pricing on GeM tender is honest and the local distribution through Centillion and Tirupati Networks is fast. A CCR2004 ships within 4 working days in most of South India, and an RB5009 in 2. Contrast that with a Cisco ISR4321 which has 6 to 10 week lead times right now.

BSNL backhaul behaviour. BSNL FTTH gives you a /29 of public IPv4 on most business plans. The default-route propagation through their ONT does not include IPv6 router advertisements, which means MikroTik DHCPv6-PD will fail silently. Use /ipv6 dhcp-client add interface=ether1 request=prefix add-default-route=yes and watch the log. If the lease never comes, raise a BSNL ticket for IPv6 enablement on the OLT side.

Reliance Jio business fibre. Jio gives clean dual-stack on VLAN 100 in most circles, with a /29 of public IPv4 and a /56 of IPv6. The catch is the OLT enforces a 1450 MTU. If you do not match this on your RouterOS WAN interface, you get the silent fragmentation issue that PMTUD fails to recover from for HTTPS connections through certain CDNs.

GeM pricing for budgeting. As of Q1 2026, the published GeM tender prices were: RB5009UG+S+IN at INR 27,500, CCR2004-1G-12S+2XS at INR 92,000, hAP ax3 at INR 9,500, CRS354-48G-4S+2Q+RM at INR 71,000, all before 18 percent GST. Build your BoQ off these numbers and add 6 percent for delivery and 12 percent for AMC. The AMC needs to call out RouterOS upgrade support specifically, otherwise the distributor will charge separately.

DPDP Act 2024. Any router that handles personal data needs to send its logs to a destination inside India and you must keep them for two years minimum. Use /system logging action add name=remote target=remote remote=10.10.10.5 remote-port=514 and confirm the remote rsyslog is inside India.
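The logging action from the paragraph above, completed so that it actually ships logs (an added example, not the author's configuration). The collector address and port are the ones in the text; the topic selection and the assumption that the collector is rsyslog (hence bsd-syslog=yes) are mine.

```routeros
# Added example: remote syslog to an in-India collector (10.10.10.5:514 from the text).
# Assumption: the collector is rsyslog, so BSD syslog framing is requested.
/system logging action add name=remote target=remote remote=10.10.10.5 remote-port=514 bsd-syslog=yes

# Defining the action sends nothing by itself: each topic set must be bound to it.
/system logging add action=remote topics=info
/system logging add action=remote topics=warning
/system logging add action=remote topics=error
/system logging add action=remote topics=critical

# Emit a test entry and confirm it arrives at the collector before relying on it
:log info "remote logging test from RouterOS"
```

Keep the default memory action as well; a collector outage should not leave the router with no local log of its own firewall and BGP events.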

A real deployment I did last March

A small co-working space in Whitefield, Bengaluru, asked me to size a MikroTik refresh because their old TP-Link gear was dropping every evening at 19:30. Two hundred fifty seats, 70 percent occupancy on a Tuesday, mostly Microsoft Teams traffic and a handful of developers pulling Docker images from the Mumbai region.

I sized a CCR2004 as the edge router, two CRS328-24P-4S+RM as access switches, and four cAP ax for the wireless. Total list on GeM tender: INR 220,000 before GST. The customer signed for INR 240,000 inclusive of install and a 1-year AMC.

Install day, I cut over at 21:00 to avoid the evening peak. The CCR2004 came up clean. BGP with the upstream ISP (Tata Tele) converged in 11 seconds. Then the trouble started.

The wireless customers could associate but had no internet. The clue came from /ip firewall connection print count-only, which showed 0 connections in the forward chain. The DHCP was handing out leases from a pool I had defined, but the default gateway in the DHCP option was pointing at the CRS328 instead of the CCR2004. A typo in the netinstall template. Fixed it with /ip dhcp-server network set [find address=10.20.0.0/22] gateway=10.20.0.1 (the network entry's property is address, not network), and leases refreshed across 92 clients within 90 seconds. Internet up.

By the third week, the evening congestion that had plagued the old TP-Link gear was gone. The CCR2004 sat at 18 percent CPU during peak, with FastTrack handling 95 percent of the forward traffic. Throughput peaked at 1.6 Gbps, well inside the 3.8 Gbps headline number, but the real win was the connection-tracking depth: 11,500 active connections at peak with no CPU drama.

The customer renewed the AMC at INR 28,000 the next year and asked for a second site in HSR Layout. Same template, no surprises this time.

Extended FAQ from the rack

Why pick MikroTik over Cisco for a branch firewall?

Three reasons. Price per Mbps of inspected traffic is 5 to 8 times lower. RouterOS gives you full BGP, OSPF, IS-IS, MPLS, and VRRP in the base license, with no separate IOS-XE feature unlock. And the documentation, while thinner than Cisco's, is open and accurate. The trade-off is that RouterOS has rougher edges and a smaller ecosystem of certified engineers.

What RouterOS version should I run in production?

RouterOS 7.13.5 LTS as of June 2026. The 7.14 stable train has a BGP regression that bit me in February on a multihomed setup. The 6.49 LTS still exists but the IPv6 stack is behind. Stick with 7.13 LTS unless you have a specific 7.14 feature you need.

Do I need a CHR license for a virtual setup?

Yes. The CHR (Cloud Hosted Router) free tier caps at 1 Mbps per interface. A P10 license at USD 250 gives you unlimited throughput on x86 and is a one-time perpetual fee. Buy through the MikroTik account portal directly, not through a distributor.

How do I size the connection-tracking table?

RouterOS sizes the table dynamically up to a kernel limit. On an RB5009, the practical ceiling is 65,536 active connections without performance loss. On a CCR2004 it is 250,000. Multiply your peak user count by 80 to estimate active connections (Microsoft 365, Slack, browsers all keep idle TCP streams open).

Can I downgrade RouterOS safely?

Yes, with caveats. Use /system package downgrade only between versions in the same major train. Downgrading from 7.x to 6.x requires a config rebuild because the syntax diverged. Always take a /export backup before any version change.