Blueprint MKController
When you adopt a device in MKController you must copy a script to your MikroTik. The goal of this material is to explain what the script does on your MikroTik and what will happen if you remove some of its rules.
Basic Requirements
RouterOS must be version 6.39 or higher.
1 – Certificate
The OVPN certificate that will be used for the OVPN connection is saved in the file system.
The certificate is imported into the MikroTik. It can be accessed through the menu System -> Certificates.
Command:
/certificate import file-name="[ID DO CERTIFICADO]" passphrase=""
2 – Profile Creation
- A PPP profile, which will be used by the VPN connection, is created
Command:
/ppp profile add name="[ID DO PROFILE]" use-encryption=yes comment="MKController"
3 – The VPN Client Tunnel
The certificate from step 1 and the profile from step 2 are now used to create an OVPN connection to the server ovpn.mkcontroller.com.
Command:
/interface ovpn-client add connect-to="ovpn.mkcontroller.com" user="[ID DO USUARIO]" auth=sha1 cipher=aes256 certificate="[ID DO CERTIFICADO]" port=443 profile="[ID DO PROFILE]" name="MKController" comment="MKController"
4 – Firewall
A firewall rule is created ensuring that the VPN gateway (10.8.0.1) has access to the MikroTik through the tunnel created in step 3.
Command:
/ip firewall filter add chain=input action=accept src-address="10.8.0.1" priority=0 comment="MKController"
5 – Monitoring
A monitoring script is scheduled on the MikroTik to send data such as CPU usage, disk usage and memory usage.
Command:
/system scheduler add name="resources-1d9ca987" interval="90" on-event="[EVENTO]" comment="MKController"
6 – User on Mikrotik
A user with administrator permission is created on the MikroTik; it is used for the communication between MKController and the MikroTik. This user's password is changed frequently to prevent brute force attacks.
Command:
/user add name="[ID do usuario]" group=full password="[Senha temporaria]"
7 – Priority
The firewall rule created in step 4 is moved to the first position in the list, ensuring that MKController has access to the device even if there are other deny rules.
Command:
:do {
    :local n [/ip firewall filter find where comment="MKController"]
    /ip firewall filter move numbers=$n destination=0
} on-error={
    # nothing to move if the tagged rule does not exist
}
8 – Port Activation
- The webfig (www), ssh, api, winbox and ftp services are enabled
- If a service is disabled, it is enabled with access restricted to the address 10.8.0.1, ensuring that only the OVPN gateway can reach it
- If a service is already enabled, the address 10.8.0.1 is added to its access permission list
- All the services can be checked in IP -> Services
Commands:
/ip service enable www; /ip service set www address="10.8.0.1"
/ip service enable winbox; /ip service set winbox address="10.8.0.1"
/ip service enable ssh; /ip service set ssh address="10.8.0.1"
/ip service enable api; /ip service set api address="10.8.0.1"
/ip service enable ftp; /ip service set ftp address="10.8.0.1"
What happens if each service is disabled:
- www service: the webfig connection will not work through the web interface or the mobile app;
- winbox service: the winbox connection will not work through the web interface or the mobile app;
- ssh service: backup services and file upload/download will not work;
- api service: the public API of the system, such as walled garden, will not work (full documentation at https://app.mkcontroller.com/mkcontroller-puclic/);
- ftp service: file system functionalities such as ftp integration, file listing and batch file upload will not work.