Blueprint MKController

When you adopt a device in MKController you must copy a script to your MikroTik. This material explains what the script does on your MikroTik and what happens if you remove some of its rules.

Basic Requirements

RouterOS must be version 6.39 or higher.

1 – VPN Certificate Import

  • The OVPN certificate that will be used for the OVPN connection is saved in the file system
  • The certificate is imported into the MikroTik and can be viewed under System -> Certificates


/certificate import file-name="[ID DO CERTIFICADO]" passphrase=""

2 – Profile Creation

  • A PPP profile that will be used by the VPN is created


/ppp profile add name="[ID DO PROFILE]" use-encryption=yes comment="MKController"

3 – The VPN Client Tunnel

The certificate from step 1 and the profile from step 2 are now used to create an OVPN connection to the server.


/interface ovpn-client add connect-to="" user="[ID DO USUARIO]" auth=sha1 cipher=aes256 certificate="[ID DO CERTIFICADO]" port=443 profile="[ID DO PROFILE]" name="MKController" comment="MKController"

4 – Firewall

A firewall rule is created ensuring that the VPN gateway has access to the MikroTik through the tunnel created in step 3.


/ip firewall filter add chain=input action=accept src-address="" priority=0 comment="MKController"

5 – Monitoring

A scheduler entry is created on the MikroTik that runs a monitoring script every 90 seconds, sending data such as CPU usage, disk usage and memory usage.


/system scheduler add name="resources-1d9ca987" interval="90" on-event="[EVENTO]" comment="MKController"

6 – User on Mikrotik

A user with administrator permission is created on the MikroTik; it is used for the communication between MKController and the MikroTik. This user's password is changed frequently to prevent brute-force attacks.


/user add name="[ID do usuario]" group=full password="[Senha temporaria]"

7 – Priority

The firewall rule created in step 4 is moved to the first position in the list, ensuring that MKController keeps access to the device even if other rules drop input traffic.


:do {
:local n [/ip firewall filter find where comment="MKController"];
/ip firewall filter move numbers=$n destination=0
} on-error={}

8 – Port Activation

  • The webfig (www), ssh, api, winbox and ftp services are enabled
  • If a service is disabled, it is enabled with an address restriction, ensuring that only the OVPN gateway can reach it
  • If a service is already enabled, the address is added to its allowed-address list
  • All the services can be checked under IP -> Services


/ip service enable www; /ip service set www address=""

/ip service enable winbox; /ip service set winbox address=""

/ip service enable ssh; /ip service set ssh address=""

/ip service enable api; /ip service set api address=""

/ip service enable ftp; /ip service set ftp address=""

What happens if each service is disabled:

  • www service – The webfig connection from the web or the mobile app will not work;
  • winbox service – The Winbox connection from the web or the mobile app will not work;
  • ssh service – Backup services and file upload and download will not work;
  • ftp service – File system functionality such as FTP integration, file listing and batch file upload will not work.
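As an added check, not part of the MKController script, the Python audit below reads a `/export compact` dump and reports where steps 7 and 8 of this material are not in place: the MKController accept rule not first in the input chain, and any of the five services disabled or reachable from any address. The sample export and the 10.255.0.1 gateway address are constructed for the demonstration.

```python
import re
# Services the blueprint enables and restricts to the VPN address (step 8).
BLUEPRINT_SERVICES = ("www", "winbox", "ssh", "api", "ftp")
_KV = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')  # key=value or key="quoted value"
# Constructed `/export compact` fragment (not a real router): the accept rule is not first,
# winbox was left at defaults and ssh is disabled. 10.255.0.1 stands in for the VPN gateway.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=drop chain=input comment="drop everything"
add action=accept chain=input comment=MKController src-address=10.255.0.1
/ip service
set www address=10.255.0.1
set ssh address=10.255.0.1 disabled=yes
set api address=10.255.0.1
set ftp address=10.255.0.1
"""

def parse_export(text):
    # Map each section ("/ip service", ...) to its (verb, {key: value}) entries, in order.
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):  # section header
            current = line
        elif line and not line.startswith("#"):  # skip blanks and the export's date comment
            verb, _, rest = line.partition(" ")
            kv = {k: q or b for k, q, b in _KV.findall(rest)}
            if verb == "set":  # "set www address=..." names the item first
                kv["name"] = rest.split()[0]
            sections.setdefault(current, []).append((verb, kv))
    return sections

def audit(export_text):
    """Return findings where the export deviates from the blueprint; empty means compliant."""
    s, findings = parse_export(export_text), []
    # Step 7: the MKController accept rule must be first; export lists rules in chain order.
    pos = [i for i, (_, kv) in enumerate(s.get("/ip firewall filter", [])) if kv.get("comment") == "MKController"]
    if not pos:
        findings.append("firewall: MKController accept rule missing")
    elif pos[0] != 0:
        findings.append(f"firewall: MKController rule at position {pos[0]}, expected 0")
    # Step 8: each service enabled and address-restricted. A service absent from the
    # export is at RouterOS defaults: enabled and reachable from any address.
    configured = {kv["name"]: kv for verb, kv in s.get("/ip service", []) if verb == "set"}
    for name in BLUEPRINT_SERVICES:
        kv = configured.get(name, {})
        if kv.get("disabled") == "yes":
            findings.append(f"service {name}: disabled")
        elif not kv.get("address"):
            findings.append(f"service {name}: reachable from any address")
    return findings
```

Run it against the output of `/export compact` copied from a device; an empty result means the rule order and service restrictions match the blueprint.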