From HOA Rack To My Own Micro Data Center: How I Built An ISP And Learned Mikrotik Along The Way

Introduction

When faced with the choice between 12 Mbps wireless for $80/month or 3 Mbps DSL for $40/month in a vacation community, most residents would reluctantly accept their fate. As a DevOps engineer with home automation experience but zero ISP infrastructure knowledge, I saw an opportunity to solve this problem at its core. This is the story of how a simple HOA network rack evolved into a full micro data center powering a community ISP - and how Mikrotik became the backbone of this transformation.

For DevOps engineers and system administrators, building network infrastructure from scratch represents the ultimate challenge in applied infrastructure-as-code. The journey touches critical aspects of our craft:

  • Network automation at scale
  • Carrier-grade service delivery
  • Hardware/software integration
  • Community-scale monitoring

This guide covers the complete technical journey including:

  1. Fundamentals of ISP-grade networking
  2. Mikrotik RouterOS deep dive
  3. Fiber network architecture
  4. PPPoE implementation at scale
  5. Monitoring and maintenance automation

Whether you’re building a homelab or managing enterprise infrastructure, these real-world lessons in network DevOps will transform how you approach infrastructure challenges.

Understanding Mikrotik in ISP Environments

What is Mikrotik RouterOS?

Mikrotik RouterOS is a Linux-based network operating system powering Mikrotik’s router hardware. Unlike consumer-grade gear, RouterOS provides carrier-grade features:

  • MPLS/VPLS support
  • BGP/OSPF routing protocols
  • QoS with hierarchical token bucket (HTB)
  • Stateful firewall with Layer 7 filtering
  • VPN technologies (IPsec, OpenVPN, SSTP)

Historical Context

First released in 1997, Mikrotik grew from a wireless ISP solution to a global networking player. Its current market position offers:

  • Cost Efficiency: 1/10th the price of Cisco alternatives
  • Feature Parity: 90% of carrier features in $200 devices
  • CLI Consistency: RouterOS CLI hasn’t changed radically since v3

Key Features for ISP Operations

Feature              Enterprise Equivalent    Implementation Cost
BGP Routing          Cisco ASR 1000           $5,000 vs $300
Hotspot Gateway      Aruba ClearPass          $15,000 vs $0 (OS)
Bandwidth Shaping    Palo Alto QoS            $10k/year vs $0

Real-World Performance Metrics

In our deployment using Mikrotik CCR1036 routers:

  • Sustained 10Gbps throughput with 64B packets
  • 500ms failover with OSPF
  • 10,000 concurrent PPPoE sessions

When to Choose Mikrotik

Optimal Use Cases:

  • Small-to-medium ISP deployments
  • Edge routing in distributed networks
  • Cost-sensitive BGP implementations

Less Suitable For:

  • Data center core routing (consider Juniper)
  • Enterprise WiFi (Ubiquiti better for APs)
  • Carrier MPLS core (Nokia/Alcatel-Lucent preferred)

Prerequisites for ISP Deployment

Hardware Requirements

Our deployment used:

  • Core Router: Mikrotik CCR1036-8G-2S+ ($1,200)
  • Access Switches: CRS354-48G-4S+2Q+RM ($600)
  • Fiber Handoff: Cisco ASR 920 (provided by utility)
  • Server Infrastructure:
    • Supermicro 1U for Radius (Xeon E-2236, 32GB RAM)
    • Raspberry Pi 4 cluster for monitoring

Network Considerations

  1. IP Allocation:
    • /29 public IP block for core infrastructure
    • /24 private IP space for customer CPE devices
  2. Fiber Planning:
    • Single-mode vs multi-mode decision
    • SFP+ module compatibility matrix
    • dB loss calculations per strand

Security Pre-Planning

  • Physical access controls to HOA rack
  • Separate management VLAN (VLAN 666)
  • RADIUS authentication for admin access
  • Automated certificate management with ACME

Software Requirements

  • Mikrotik RouterOS v7.1+ (Long-term tree)
  • FreeRADIUS 3.0+ for PPPoE authentication
  • Grafana 8+ with Prometheus for monitoring
  • Oxidized 0.28+ for configuration backup

Installation & Core Configuration

Mikrotik Base Installation

# Download RouterOS image
wget https://download.mikrotik.com/routeros/7.1/chr-7.1.img.zip -O chr.img.zip

# Prepare USB installer. The archive is a zip, not gzip, so unzip it;
# double-check the target device first, dd overwrites it without asking
unzip -p chr.img.zip | sudo dd of=/dev/sdb bs=1M status=progress

# First boot initialization: wipe the factory config so only what is
# configured below is active
/system reset-configuration no-defaults=yes

Interface Configuration

/interface bridge
add name=core_bridge

# Rename physical ports so the rest of the configuration reads clearly
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=uplink-fiber
set [ find default-name=ether1 ] name=mgmt

# Interface names must match what /interface print shows on your device
/interface bridge port
add bridge=core_bridge interface=uplink-fiber
add bridge=core_bridge interface=switch1-cpu

OSPF Routing Setup

# RouterOS v7 syntax (v6 used redistribute-connected=as-type-1 on a default instance)
/routing ospf instance
add name=default router-id=10.0.0.1 redistribute=connected

/routing ospf area
add name=backbone area-id=0.0.0.0 instance=default

# core_bridge also carries customer PPPoE traffic, so authenticate OSPF
# (auth=md5 auth-id=1 auth-key=<shared-secret>) rather than accepting any neighbor
/routing ospf interface-template
add area=backbone interfaces=core_bridge type=broadcast

PPPoE Server Configuration

# Address pool handed out to customers; the profile below references it
/ip pool
add name=hoa-pool ranges=10.1.0.2-10.1.0.254

/ppp profile
add name=hoa-profile local-address=10.1.0.1 remote-address=hoa-pool

# PAP sends the password in clear text on the wire; keep it only for CPE that cannot do CHAP
/interface pppoe-server server
add authentication=pap,chap default-profile=hoa-profile disabled=no interface=core_bridge service-name=hoa-internet

# Local test account; production accounts are served by FreeRADIUS
/ppp secret
add name=user1 password=changeme profile=hoa-profile service=pppoe

Performance Optimization

QoS Configuration for Fair Usage

# PCQ gives each sub-stream (here: each customer address) its own 20M share.
# Download traffic is keyed by destination (the customer), upload by source.
/queue type
add name=hoa-download kind=pcq pcq-rate=20M pcq-classifier=dst-address
add name=hoa-upload kind=pcq pcq-rate=20M pcq-classifier=src-address

/queue tree
add name=download parent=core_bridge queue=hoa-download
add name=upload parent=uplink-fiber queue=hoa-upload

TCP Optimization for High Latency

# PPPoE adds 8 bytes of overhead; clamp MSS on forwarded SYNs to avoid fragmentation and black holes
/ip firewall mangle
add action=change-mss chain=forward new-mss=1440 protocol=tcp tcp-flags=syn

# Protect the router's own TCP listeners against SYN floods
/ip settings
set tcp-syncookies=yes

Monitoring with built-in Tools

# Enable SNMP (read-only); replace the default "public" community and limit who may query it
/snmp
set enabled=yes contact="noc@example.com"
/snmp community
set [ find default=yes ] name=hoa-monitor addresses=192.168.88.0/24

# NetFlow v9 export (RouterOS calls this traffic-flow) to the collector on the management network
/ip traffic-flow
set enabled=yes interfaces=core_bridge
/ip traffic-flow target
add dst-address=192.168.88.10 port=2055 version=9

Security Hardening

Firewall Best Practices

/ip firewall filter
# Rules are evaluated top to bottom and the first match wins, so the catch-all drop goes last
# Allow replies to connections the router itself opened
add chain=input action=accept connection-state=established,related
# Drop packets that belong to no valid connection
add chain=input action=drop connection-state=invalid
# OSPF hellos from the core bridge must reach the router
add chain=input protocol=ospf in-interface=core_bridge action=accept
# Limit SSH access to the admin address list (defined below)
add chain=input protocol=tcp dst-port=22 src-address-list=admin_ips action=accept
# Block everything else
add chain=input action=drop

/ip firewall address-list
add list=admin_ips address=192.168.88.0/24 comment="management network"
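As an added example (not from the post), a small Python model of first-match evaluation in the RouterOS input chain, showing why the catch-all drop must come after the specific accepts; the admin address range and the sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed contents of the admin_ips address list (constructed for the demo).
ADMIN_IPS = [ip_network("192.168.88.0/24")]


@dataclass
class Rule:
    """One /ip firewall filter rule in the input chain; None means 'any'."""
    action: str
    connection_state: Optional[set] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    src_address_list: Optional[list] = None

    def matches(self, pkt: dict) -> bool:
        if self.connection_state and pkt["state"] not in self.connection_state:
            return False
        if self.protocol and pkt["protocol"] != self.protocol:
            return False
        if self.dst_port and pkt["dst_port"] != self.dst_port:
            return False
        if self.src_address_list is not None and not any(
                ip_address(pkt["src"]) in net for net in self.src_address_list):
            return False
        return True


def evaluate(chain: list, pkt: dict) -> str:
    """First matching rule decides; an unmatched packet is accepted,
    because RouterOS has no default-deny policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action
    return "accept"


ACCEPT_ESTABLISHED = Rule("accept", connection_state={"established", "related"})
ACCEPT_ADMIN_SSH = Rule("accept", protocol="tcp", dst_port=22, src_address_list=ADMIN_IPS)
DROP_ALL = Rule("drop")

# "Block everything first": the drop shadows every rule placed after it.
DROP_FIRST = [DROP_ALL, ACCEPT_ESTABLISHED, ACCEPT_ADMIN_SSH]
# Specific accepts first, catch-all drop last.
ACCEPT_THEN_DROP = [ACCEPT_ESTABLISHED, ACCEPT_ADMIN_SSH, DROP_ALL]

# Constructed sample packets.
ADMIN_SSH = {"src": "192.168.88.10", "protocol": "tcp", "dst_port": 22, "state": "new"}
STRANGER_SSH = {"src": "203.0.113.7", "protocol": "tcp", "dst_port": 22, "state": "new"}
REPLY = {"src": "198.51.100.5", "protocol": "udp", "dst_port": 40000, "state": "established"}
```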

Management Plane Protection

# Create separate management plane
/interface vlan
add interface=core_bridge name=mgmt_vlan vlan-id=666

/ip address
add address=192.168.88.1/24 interface=mgmt_vlan

# Turn off plaintext management services and bind the remaining ones to the management network
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24
# mgmt-cert is a placeholder for a certificate imported or issued (e.g. via ACME) on the router
set api-ssl certificate=mgmt-cert address=192.168.88.0/24
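An added Python example, not part of the original post or of RouterOS, that lints the text of a `/export` for the management-plane settings from this section together with the SNMP community and PPPoE authentication settings from earlier sections; the sample export is constructed.

```python
import shlex

SAMPLE_EXPORT = """\
# constructed sample export for the demo, not taken from a real device
/ip service
set telnet disabled=yes
set ftp disabled=no
set www disabled=yes
set ssh disabled=no
set api-ssl address=192.168.88.0/24 disabled=no
/snmp community
set [ find default=yes ] name=public addresses=0.0.0.0/0
/interface pppoe-server server
add authentication=pap,chap interface=core_bridge service-name=hoa-internet
"""

PLAINTEXT = {"telnet", "ftp", "www", "api"}          # unencrypted management services
ENCRYPTED = {"ssh", "api-ssl", "www-ssl", "winbox"}  # should still be bound to the mgmt subnet


def parse_export(text):
    """Yield (section, verb, item, params) for every set/add line of an export."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        # "[ find ... ]" selector tokens carry no settings and are simply ignored
        tokens = shlex.split(line)
        verb, rest = tokens[0], tokens[1:]
        params = dict(t.split("=", 1) for t in rest if "=" in t)
        item = next((t for t in rest if "=" not in t), None)
        yield section, verb, item, params


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for section, _verb, item, p in parse_export(text):
        if section == "/ip service":
            if item in PLAINTEXT and p.get("disabled") != "yes":
                findings.append(f"plaintext service {item} is enabled")
            if item in ENCRYPTED and p.get("disabled") != "yes" and "address" not in p:
                findings.append(f"{item} is reachable from any address; set address=")
        elif section == "/snmp community" and p.get("name") == "public":
            findings.append("SNMP community 'public' is still defined")
        elif section == "/interface pppoe-server server" and "pap" in p.get("authentication", "").split(","):
            findings.append("PPPoE accepts PAP, which sends passwords in clear text")
    return findings
```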

Operational Management

Automated Backups with Oxidized

# Export the running configuration to a file on the router's own storage.
# Oxidized runs its own /export over SSH; this local copy is a fallback.
# Add show-sensitive only if secrets must be included, and protect the file accordingly.
/system script
add name=backup source="/export file=backup.rsc"

# Run the export every day at 03:00
/system scheduler
add name=backup-schedule interval=1d start-time=03:00:00 on-event=backup

Firmware Upgrade Procedure

# Stay on the long-term channel
/system package update
set channel=long-term
# Check for updates
/system package update check-for-updates
# Download the latest release on that channel (take a backup first)
/system package update download
# Reboot to apply; run /system routerboard upgrade afterwards to bring the board firmware in line
/system reboot

Monitoring Critical Metrics

Key metrics to alert on:

  1. Interface errors
  2. PPPoE session count
  3. Memory utilization
  4. BGP peer status

Sample Prometheus query for PPPoE sessions:

sum(mikrotik_pppoe_sessions_active) by (instance) > 80

Troubleshooting Guide

Common Issues and Solutions

Problem: PPPoE authentication failures
Solution:

# Watch RADIUS request/response counters (0 = first RADIUS server entry)
/radius monitor 0
# Check PPP-related log entries for the failing account
/log print where topics~"ppp"
# Verify locally defined user secrets
/ppp secret print

Problem: Interface flapping
Solution:

# Live traffic and link state of the uplink (renamed from sfp-sfpplus1 earlier)
/interface monitor-traffic uplink-fiber
# Check SFP parameters: link rate, optical Tx/Rx power, temperature
/interface ethernet monitor uplink-fiber

Debugging Routing Issues

# Show OSPF neighbors
/routing ospf neighbor print

# View routing table
/ip route print detail

# Capture OSPF packets on the core bridge
/tool sniffer quick interface=core_bridge ip-protocol=ospf

Conclusion

Building a community ISP with Mikrotik transformed how I approach infrastructure challenges. The journey from a single HOA rack to a full micro data center taught lessons that apply equally to homelabs and enterprise environments:

  1. Networking is foundational: Understanding Layer 2/Layer 3 principles remains critical
  2. Automation scales: Oxidized for config management, Prometheus for monitoring
  3. Hardware matters: Right-size equipment for throughput requirements
  4. Security is layered: From physical access to encrypted management planes

For those embarking on similar projects, these resources are indispensable:

The greatest lesson? With the right tools and DevOps mindset, even complex network infrastructure becomes manageable - one RouterOS command at a time.

This post is licensed under CC BY 4.0 by the author.