MikroTik CRS309-1G-8S+IN in 2023

In late 2019, ServeTheHome reviewed the MikroTik CRS309-1G-8S+IN. TL;DR it's an 8x SFP+, 1x 1G RJ45 managed switch that retails around $350 CAD. When these came out, nothing else on the market came close on cost per port, even unmanaged. STH called it an "absolutely great buy".
In 2021 I picked the CRS309 as the 10G backbone for my new home network and vSphere lab. Out of the box, running RouterOS 6, it did everything I needed at the time: I wanted a 10G switch to play with VSAN, upgrade my NAS to 10G, and a few ports for future projects. I set it up and basically forgot about it. The CRS309 was a slam dunk then and I'm still happy with my decision.

Is the CRS309 still a good buy in 2023? 

There are now at least two other affordable fanless ~8 port 10G managed switches:
They'll do VLANs, ACLs, probably static routing, but not much else. If you are already in either the Omada or UniFi ecosystem, they still may be worth considering since you have richer functionality elsewhere, e.g. UDM Pro.

For me, MikroTik generally and the CRS309-1G-8S+IN specifically stand out for:
  • Low cost per 10G port and bonus 1G port with PoE-in
  • Rich feature set and customizability of RouterOS
  • Wide compatibility with third-party transceivers (and fairly priced first-party)
  • No controller required
  • Active community and product team that continue to enrich the platform
It's not to say there are no drawbacks:
  • Finding stock in Canada is challenging, Amazon sellers are charging a premium over MSRP
  • RouterOS is completely unlike IOS or JunOS, it takes some getting used to
  • The CRS series have more modest CPUs and care must be taken not to exhaust resources
Given the above, I would still recommend the CRS309, but there's more.

In the RouterOS changelog for 7.1 in late 2021 was the overture of the CRS309's transformation from a low-cost 10G L2 "plus" switch, to a capable L3 switch, router, and firewall:
support for Layer 3 hardware acceleration on all CRS3xx devices
Since May, I've been using the CRS309 (ROS 7.11beta2) for the following:
  • NAT gateway for 450/50mbps cable internet, 0-1% CPU at full speed
  • Stateful firewall
  • Inter-VLAN routing (testing still to come)
  • DHCP, DNS cache, and NTP
  • WireGuard L3 VPN (light usage, CPU-bound, max throughput approx. 100mbps)
How? L3 routing/forwarding and FastTrack have been offloaded to the switch chip. This means that after processing firewall policies on new connections, established/related flows are handled in hardware and don't consume any CPU. It's a game-changer.

The L3HW documentation gets into more detail, but there are a few main caveats:
  • If your configuration has multiple bridges, only one will be accelerated. Try to consolidate all of your switch ports to one VLAN-filtered bridge.
  • The switch and the each interface have toggles for hardware offload. If an interface is offloaded, its traffic will not hit the firewall. In a flat network, you might enable offloading on the switch and your LAN ports, but not your WAN port to preserve firewall functionality.
  • Firewall processing still consumes CPU. 
    • Use FastTrack to accelerate established/related connections and offload them to the switch chip.
    • Any time a policy doesn't need connection tracking, use the 'raw' table or a switch ACL, which is processed in hardware.
  • On the CRS309, only about 4.5K FastTrack connections can be offloaded, after which the lowest-traffic connections will overflow to the CPU. 
    • Overflowed connections are still fast-tracked and the occasional spill shouldn't slow you down much.
    • This hasn't been a problem my 2-person household, but if there were more users, higher throughput, or P2P sharing, it could be a bottleneck.
    • Details about the offload capability of the CRS309 and other switches are here.
    • There's a good discussion on the MikroTik forum that gets into how offload works in different situations.
If you can work within those constraints, the CRS309 is an incredible piece of kit for the price, and more features are being added regularly. Everyone's network is different, and if you already had a CRS309, I recommend testing whether you can consolidate some of the other devices (e.g. consumer/SMB routers) on your network thanks to its new features. 

What else is new?

The other big RouterOS news I wanted to share was Docker support. As of release 7.5, you can use excess capacity on your router to run containers. I haven't tested it, but MikroTik has posted some videos on YouTube showing off the functionality:
It's important to point out that the CRS309 doesn't have local storage connectivity, and only a tiny amount of flash available to persist configs. The tmpfs workaround above could suit if you're able to pull a ready-built image or build one at run time. Routers like the RB5009UG+S+IN, with more CPU/RAM and a USB port for storage, are a much better choice.

Additional code means additional risk. I generally believe routers should be routers, but I could see using embedded containers for services that are not supported or fully-featured on RouterOS like DHCP/DNS (dnsmasq), RADIUS (freeradius), or light NFS/SFTP for netboot or config backups.

Conclusions

As you can see, the CRS309 is not the humble 10G switch it was in 2019. Its new ability to offload routing to the ASIC has added massive value, which I don't see anywhere else at this price point. The possibility of running containers in the future, or even of RouterOS containerizing some of its functionality, makes the CRS309-1G-8S+IN a worthy part of any homelab in 2023.

Note: I didn't receive any consideration or demo equipment for this article. Links to products do not attract any commission.

Comments

Post a Comment

Popular posts from this blog

Secure Boot failure on ESXi 7.0 U3 - Solved

Image
At the beginning of April, an ice storm hit Quebec and caused power outages lasting several days, particularly in areas with older trees where utility lines are not underground. When I started my ESXi host after 5 days offline, I ran into an error I've never seen before: It seemed like all of the VIBs were now failing UEFI Secure Boot validation. My first instinct was that due to an unclean shutdown, data on the boot volume was corrupted, and a reinstall would be required. The voice of my VMware TAM was in the back of my mind: I'm running non- HCL hosts, with NVMe SSDs not on the VSAN HCL , I should be thankful this works at all. And he's right. And I am.  However, I'm happy to report this had a quick fix: while goofing around in the BIOS to see how I could bypass Secure Boot and load ESXi, I noticed that my system clock had rolled back to 2017! As it turns out, I had been foiled by a $1 CR2032 battery  meant to keep time while the board is not connected to power. By s
Read more

ADFS RelayState (IdP-initiated sign-on deep links)

The university, as part of its digital strategy initiative, is pushing harder than ever for SSO across its major services. Part of this means standardizing on an IdP infrastructure to tie everything into, and for a lot of reasons (future post) we chose ADFS. Recently a service provider asked us if, since we are working this way with our Shibboleth IdP now, we can provide a deep link on the IdP domain that will redirect to the SP after the authentication flow. I figured it was possible, but it was the first time we had to think about this with ADFS. Turns out it's quite easy, at least on ADFS v5 (Server 2019). I'm probably explaining this wrong, but in SAML parlance the flow where the user connects to the IdP first and then gets punted to an SP is called RelayState, and typically it is triggered by appending a query string to the IdP-initiated sign-on page. First, enable IdP-initiated sign-on if you haven't already: Set-AdfsProperties -EnableIdpInitiatedSignonPage $tr
Read more