Updated by Alex Moore
If you have read the MikroTik: Setting Up a Sonar Controlled DHCP Server article, you may already have some familiarity with using a MikroTik device with Sonar.
While both the DHCP Server article and this article focus on using a MikroTik, the DHCP Server and the Inline Device are completely different tools. A DHCP server handles IP addresses and their assignment to accounts and inventory devices, while an inline device synchronizes address lists to control speeds and access. The only thing these two components of Sonar share is the MikroTik itself, and that is only because the MikroTik is a very versatile piece of hardware. You may need both a DHCP server and an Inline Device; these functions aren't exclusive, and it all depends on your network setup.
Adding a Sonar user to MikroTik
The first step to preparing the MikroTik for integration is to build a user within the MikroTik that Sonar can use to authenticate. Here are the steps to create and secure a user for Sonar access:
- Winbox into the MikroTik you would like to integrate and navigate to System > Users
- From the User List > Users tab, click the blue plus icon to create a new user. Choose a username and password, and keep this sign-in info to one side temporarily so that it can be added to the Sonar instance shortly. You will also want to set the group to "write" and set the allowed Address to the IP address of your Sonar instance, so that this login is only accepted from Sonar. This address is currently the same for all instances and should be set to 220.127.116.11
Configuring SSL for your MikroTik
Next, API-SSL services need to be enabled on your MikroTik server. In most cases, you're able to use a self-signed certificate created right on the MikroTik itself following these steps:
Creating the SSL Certificate
- From a Winbox session on the MikroTik you'd like to generate the certificate for, open a new terminal session.
- Create the certificate template with the following command in the MikroTik terminal:
/certificate add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
- Sign the certificate and add a CRL URL. For this example, use the IP address of the Sonar instance as the CRL URL. This address is typically 18.104.22.168, but if you are unsure, you can ping your instance's URL from a command line to check:
/certificate sign ca-template ca-crl-host=22.214.171.124 name=myCa
If you are signing certificates on mipsbe-CPU based devices (RB7xx, RB2011, RB9xx), this process might take a while depending on the key size of the certificate. With key sizes of 4k and higher, it might take a substantial time to sign the certificate. Templates are automatically removed after signing the certificate.
- If the generated certificate does not have the T (trusted) flag, you need to set it as trusted before using it:
/certificate set myCa trusted=yes
Enable API-SSL Services
- In your Winbox session navigate to IP > Services
- Highlight the "api-ssl" service and click the blue checkbox to enable it, then double click the service to edit it. Select whichever port you want to use to access the service, add your instance IP address from Step 2 of this guide in the "Available From:" box, then select your certificate from the dropdown and click "OK".
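The MikroTik side of the steps above (restricted user, self-signed certificate, API-SSL service) as one RouterOS terminal sequence. This is an added example, not part of the original article; the username `sonar-api`, the password placeholder and port 8729 (the RouterOS default for api-ssl) are assumptions, and the 220.127.116.11 address is the Sonar instance address the article gives.

```routeros
# 1. Dedicated user for Sonar, group "write" as the article specifies.
#    "sonar-api" and the password are placeholders (assumption); replace before use.
#    address= makes the router accept this login only from the Sonar instance IP.
/user add name=sonar-api group=write password="CHANGE-ME-long-random-password" address=220.127.116.11/32

# 2. Self-signed CA certificate for the api-ssl service.
#    The template is removed automatically once it has been signed.
#    The Sonar instance address is used as the CRL host, as the article describes.
/certificate add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
/certificate sign ca-template ca-crl-host=220.127.116.11 name=myCa

# 3. Check the flags column for myCa: it needs the T (trusted) flag.
/certificate print
# If T is missing, mark the certificate trusted before binding it to the service.
/certificate set myCa trusted=yes

# 4. Enable api-ssl, bind the certificate, and restrict the service to the
#    Sonar instance (the "Available From" box in Winbox). Port 8729 is an assumption.
/ip service set api-ssl disabled=no port=8729 certificate=myCa address=220.127.116.11/32

# 5. Verify: shows api and api-ssl side by side; only api-ssl needs to be
#    enabled for Sonar, and it should list myCa and the restricted address.
/ip service print where name~"api"
```

The values in step 4 are what Sonar's Inline Device form (IP Address, Port, username, password) must match.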
Adding the MikroTik to the Sonar Application Firewall
Next, the MikroTik needs to be added to allow it past the Application Firewall. If you have chosen not to enable the Application Firewall, you can skip ahead to Adding the MikroTik as an Inline Device in Sonar.
- Get the WAN IP address of your MikroTik. Then, in Sonar, go to Settings > Security > Application Firewall Rules and click the blue "Create" button in the top right. In this form, create a new firewall rule with the WAN IP address in the Subnet field. General best practice is to use the device name from the MikroTik as the Description.
Adding the MikroTik as an Inline Device in Sonar
- Within your Sonar instance, navigate to Settings > Networking > Inline Devices, then click the blue "Create" button in the top right.
- Fill in the Name, IP Address, Port, MikroTik username, and MikroTik password.
The Name can be anything you want, but general best practice is to copy the name directly from the MikroTik, stored under System > Identity, to avoid any possible confusion.
The IP Address will usually be the same IP Address that you would use to access via Winbox unless you are using a port forward to allow multiple privately addressed devices to talk to Sonar through a single public IP.
The port needs to match the port you set for the "api-ssl" service in step 4, and the username and password need to match what was entered in step 2.
Lastly, add the Subnets based on which subnets you want this inline device to control. If you have not yet built these, here is the guide to set these up: IPAM: Setup, Policy, & Best Practices.
- Finally, on the current page in Sonar, click the "Validate Credentials" button to test that the link between Sonar and your MikroTik is functioning correctly. If you see "Successfully Validated Inline Device Credentials" in the top left corner, everything is working correctly and you can send a Synchronize command from the dropdown to the right of the Inline Devices table. If you do not get this message, please refer to the Troubleshooting below. You can also continue to MikroTik: Controlling Speeds.