Blueprint MKController

When you adopt a device in MKController you must copy a script to your Mikrotik. The goal of this material is to explain what that script does on your Mikrotik, step by step, and what will stop working if you remove some of the rules it creates.

Basic Requirements

RouterOS must be version 6.39 or higher.

1 – VPN Certificate Import

  • The certificate used for the OVPN connection is first saved in the router's file system (Files)
  • The certificate is then imported into Mikrotik. It can be viewed under System -> Certificates

Command:

/certificate import file-name="[CERTIFICATE ID]" passphrase=""

2 – Profile Creation

  • A PPP profile that the VPN client will use is created, with encryption required

Command:

/ppp profile add name="[PROFILE ID]" use-encryption=yes comment="MKController"

3 – The VPN Client Tunnel

The certificate from step 1 and the profile from step 2 are now used to create an OVPN client connection to the server ovpn.mkcontroller.com on TCP port 443, with SHA1 authentication and the AES-256 cipher. The interface is named MKController; the firewall rule in step 4 and the checks in the final section refer to it by that name.

Command:

/interface ovpn-client add connect-to="ovpn.mkcontroller.com" user="[USER ID]" auth=sha1 cipher=aes256 certificate="[CERTIFICATE ID]" port=443 profile="[PROFILE ID]" name="MKController" comment="MKController"

4 – Firewall

A firewall filter rule is created in the input chain that accepts traffic from the VPN gateway (10.8.0.1), so that MKController can reach the Mikrotik through the tunnel created in step 3. The rule's position in the chain is fixed in step 7. Note that the rule matches on source address only; it does not check the interface the packet arrived on, so it also accepts packets on any other interface that claim 10.8.0.1 as their source. Adding in-interface=MKController to the rule restricts it to the tunnel.

Command:

/ip firewall filter add chain=input action=accept src-address="10.8.0.1" priority=0 comment="MKController"

5 – Monitoring

A scheduler entry is created in Mikrotik that runs a monitoring script every 90 seconds; the script sends data such as CPU usage, disk usage and memory usage to MKController.

Command:

/system scheduler add name="resources-1d9ca987" interval="90" on-event="[EVENT]" comment="MKController"

6 – User on Mikrotik

A user with full (administrator) permissions is created in Mikrotik; MKController uses this account for all its communication with the router. The password set by the script is temporary: MKController changes it frequently afterwards to reduce the risk of brute-force attacks. Because the account has full rights, the service restrictions in step 8 (access only from 10.8.0.1) are what keep it from being reachable from elsewhere.

Command:

/user add name="[USER ID]" group=full password="[TEMPORARY PASSWORD]"

7 – Priority

The firewall rule created in step 4 is moved to the first position in the filter list, ensuring that MKController has access to the device even if there are other rules that drop input traffic. If the move fails, the on-error branch runs and the rule keeps its current position.

Command:

:do {
    :local n [/ip firewall filter find where comment="MKController"]
    /ip firewall filter move numbers=$n destination=0
} on-error {
    # the move failed (for example, no rule with that comment was found);
    # the rule is left where it is
}

8 – Port Activation

  • The webfig (www), ssh, api, winbox and ftp services are enabled
  • If a service is disabled, it is enabled with access permitted only from the address 10.8.0.1, ensuring that only connections through the OVPN tunnel can reach it
  • If a service is already enabled, the address 10.8.0.1 is set as its permitted address. Note that the set ... address= command replaces the service's existing allowed-address list with the value given; if other management addresses were listed before adoption, check IP -> Services afterwards and add them back in the same list
  • All the services can be checked in IP -> Services

Commands:

/ip service enable www; /ip service set www address="10.8.0.1"

/ip service enable winbox; /ip service set winbox address="10.8.0.1"

/ip service enable ssh; /ip service set ssh address="10.8.0.1"

/ip service enable api; /ip service set api address="10.8.0.1"

/ip service enable ftp; /ip service set ftp address="10.8.0.1"
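The eight steps above assembled into one RouterOS script, as an added example that is not MKController's own adoption script. The placeholders are replaced with hypothetical values (certificate file mkc-router.crt, profile mkc-profile, user mkc-user, a stand-in scheduler body and a stand-in temporary password; the real [EVENT] script and the real identifiers are generated by MKController and are not on this page). Two things go beyond the original commands: the firewall rule also matches in-interface=MKController so that only packets arriving through the tunnel are accepted, and a verification block at the end prints what an administrator should check after adoption.

```routeros
# Added example: MKController adoption steps 1-8 in one script.
# Hypothetical values: mkc-router.crt, mkc-profile, mkc-user, the scheduler
# body and the temporary password are illustration-only placeholders.

# 1 - import the certificate that was uploaded to Files beforehand
/certificate import file-name="mkc-router.crt" passphrase=""

# 2 - PPP profile with encryption required
/ppp profile add name="mkc-profile" use-encryption=yes comment="MKController"

# 3 - OVPN client to the MKController server over TCP 443
#     (certificate= takes the name shown by /certificate print after the import; assumed here)
/interface ovpn-client add name="MKController" connect-to="ovpn.mkcontroller.com" port=443 user="mkc-user" auth=sha1 cipher=aes256 certificate="mkc-router.crt" profile="mkc-profile" comment="MKController"

# 4 - accept input from the VPN gateway, restricted to the tunnel interface
#     (in-interface is an addition over the original rule, which matches src-address only)
/ip firewall filter add chain=input action=accept src-address=10.8.0.1 in-interface=MKController comment="MKController"

# 5 - scheduler that runs the monitoring script every 90 seconds
#     (the body below is a stand-in for the real [EVENT] script)
/system scheduler add name="resources-1d9ca987" interval=1m30s comment="MKController" on-event=":log info (\"cpu-load=\" . [/system resource get cpu-load] . \" free-memory=\" . [/system resource get free-memory])"

# 6 - administrator account used by MKController (password is rotated afterwards)
/user add name="mkc-user" group=full password="ChangeMe-Temporary"

# 7 - move the accept rule to the top of the filter chain; on failure the rule stays put
:do {
    :local n [/ip firewall filter find where comment="MKController"]
    /ip firewall filter move numbers=$n destination=0
} on-error {
    :log warning "MKController: firewall rule could not be moved to position 0"
}

# 8 - enable the management services and limit them to the VPN gateway.
#     set address= replaces the existing allowed list, so any other management
#     address you rely on must be included in the same statement.
:foreach svc in={"www";"winbox";"ssh";"api";"ftp"} do={
    /ip service enable [find name=$svc]
    /ip service set [find name=$svc] address=10.8.0.1/32
}

# Verification: what to look at after adoption
/interface ovpn-client monitor MKController once
/ip firewall filter print where comment="MKController"
/ip service print
/user print where name="mkc-user"
```

The verification block is the part to keep at hand: the OVPN monitor should report the tunnel as connected, the filter rule should print at position 0 and the five services should list 10.8.0.1/32 as their only allowed address.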

What happens if each service is disabled:

  • www service – The webfig connection will not work through the web or the mobile app;
  • winbox service – The winbox connection will not work through the web or the mobile app;
  • ssh service – Backup services and file upload and download will not work;
  • ftp service – File system functionalities such as ftp integration, file listing and batch file upload will not work
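A small audit script, added here as an example and not part of MKController's own tooling, that reports which of the components created by the adoption script are missing or disabled. It assumes the names used on this page: an OVPN client interface named MKController, the comment "MKController" on the firewall rule and on the scheduler entry, and the five services from step 8.

```routeros
# Added example: check that every MKController component is still present and enabled.
# Assumes the names from the adoption script (interface "MKController", comment
# "MKController" on the firewall rule and scheduler, services www/winbox/ssh/api/ftp).

:local problems 0

# step 3 - the tunnel interface must exist and be enabled
:if ([:len [/interface ovpn-client find name="MKController" disabled=no]] = 0) do={
    :log warning "MKController: OVPN client interface missing or disabled"
    :set problems ($problems + 1)
}

# steps 4 and 7 - the input accept rule for 10.8.0.1 must exist and be enabled
:if ([:len [/ip firewall filter find comment="MKController" disabled=no]] = 0) do={
    :log warning "MKController: input accept rule for 10.8.0.1 missing or disabled"
    :set problems ($problems + 1)
}

# step 5 - the monitoring scheduler entry must exist and be enabled
:if ([:len [/system scheduler find comment="MKController" disabled=no]] = 0) do={
    :log warning "MKController: monitoring scheduler entry missing or disabled"
    :set problems ($problems + 1)
}

# step 8 - each management service must be enabled; a disabled one breaks the
#          feature listed above (webfig, winbox, backups, file handling)
:foreach svc in={"www";"winbox";"ssh";"api";"ftp"} do={
    :if ([:len [/ip service find name=$svc disabled=no]] = 0) do={
        :log warning ("MKController: service " . $svc . " is disabled")
        :set problems ($problems + 1)
    }
}

:put ("MKController components with problems: " . $problems)
```

Running it from a terminal prints a count of failed checks and logs one warning per missing component, which maps directly onto the list above when deciding what to restore.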