Updated by Alex Moore
If you've spent time reading the MikroTik: Setting Up a Sonar Controlled DHCP Server article, you may already have some familiarity with using a MikroTik device with Sonar.
While both the DHCP Server article and this article focus on using a MikroTik, the DHCP Server and the Inline Device are completely different tools. A DHCP server handles IP addresses and their assignment to accounts and inventory devices, while an inline device synchronizes address lists to control speeds and access. The two Sonar components share the MikroTik only because it is a very versatile piece of hardware. You may need both a DHCP server and an Inline Device. These functions aren't mutually exclusive; it all depends on your network setup.
Adding a Sonar user to MikroTik
The first step to preparing the MikroTik for integration is to build a user within the MikroTik that Sonar can use to authenticate. Here are the steps to create and secure a user for Sonar access:
- Winbox into the MikroTik you would like to integrate and navigate to System > Users
- From the User List > Users tab, click the blue plus icon to create a new user. Create a username and password, and store these sign-in details temporarily so that we can add them to the Sonar instance shortly. Set the group to "write" and set the Allowed Address to the IP address of your Sonar instance. This address is currently the same for all instances, and should be set to 188.8.131.52
Enabling API-SSL Service
Next, we want to enable the API-SSL service. To do this, we need a certificate that the API-SSL service can use. If you do not already have a certificate, here is a guide to generating a self-signed certificate. Once you have a certificate, here are the steps to enable the service:
- In your Winbox session navigate to IP > Services
- Highlight the "api-ssl" service and click the blue checkbox to enable it, then double-click the service to edit it. Select whichever port you want to use to access the service, add your instance IP address from Step 2 of this guide in the "Available From:" box, select your certificate from the dropdown, then click "OK".
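To check the result of the two sections above from a saved configuration export, here is an added example (not Sonar's or MikroTik's own tooling). It parses export-style `/ip service` and `/user` lines and reports any deviation from the settings this article calls for. The sample export, the user name `sonar`, the certificate name `sonar-cert` and the port are constructed values, and the script assumes one command per line.

```python
import ipaddress
import shlex

SONAR_IP = "188.8.131.52"  # Sonar instance address as given in this article
# Constructed sample in RouterOS export style; user name, certificate name
# and port are made-up values. Assumes one command per line (no "\" wraps).
SAMPLE_EXPORT = """\
/ip service
set api-ssl address=188.8.131.52/32 certificate=sonar-cert port=8729
/user
add address=0.0.0.0/0 group=full name=sonar
"""

def parse_export(text):
    """Yield (menu, verb, positional, props) for each command line."""
    menu = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line and not line.startswith("#"):
            verb, *rest = shlex.split(line)
            props = dict(t.split("=", 1) for t in rest if "=" in t)
            yield menu, verb, [t for t in rest if "=" not in t], props

def only_sonar(value):
    """True when the allow-list is non-empty and holds only the Sonar /32."""
    want = ipaddress.ip_network(SONAR_IP + "/32")
    nets = [a for a in value.split(",") if a]
    return bool(nets) and all(ipaddress.ip_network(a, strict=False) == want for a in nets)

def audit(text, username):
    """List deviations from the user and api-ssl settings in this article."""
    findings, seen = [], set()
    for menu, verb, names, p in parse_export(text):
        if menu == "/ip service" and verb == "set" and names == ["api-ssl"]:
            seen.add("api-ssl")
            if p.get("disabled") == "yes":  # assumption: absent means enabled
                findings.append("api-ssl: service is disabled")
            if p.get("certificate", "none") == "none":
                findings.append("api-ssl: no certificate selected")
            if not only_sonar(p.get("address", "")):
                findings.append("api-ssl: Available From is not Sonar-only")
        elif menu == "/user" and verb == "add" and p.get("name") == username:
            seen.add("user")
            if p.get("group") != "write":
                findings.append("user: group is not write")
            if not only_sonar(p.get("address", "")):
                findings.append("user: allowed address is not Sonar-only")
    return findings + [f"{k}: not found in export" for k in ("api-ssl", "user") if k not in seen]
```

Running `audit(SAMPLE_EXPORT, "sonar")` flags the constructed user entry, which has the wrong group and an open allowed address, while the api-ssl line passes.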
Adding the MikroTik to the Sonar Application Firewall
Next, we will add the MikroTik to the Application Firewall so that it is allowed through. If you have chosen not to enable the Application Firewall, you can skip ahead to Adding the MikroTik as an Inline Device in Sonar.
- Get the WAN IP Address from your MikroTik. In Sonar, go to Settings > Security > Application Firewall Rules, then click the blue "Create" button in the top right. In this form, create a new firewall rule, adding the WAN IP address under the Subnet field. General best practice is to make the Description match the device name in the MikroTik.
Adding the MikroTik as an Inline Device in Sonar
- Within your Sonar instance, navigate to Settings > Networking > Inline Devices, then click the blue "Create" button in the top right.
- Fill in the Name, IP Address, Port, MikroTik username, and MikroTik password.
The Name can be anything you want, but general best practice is to copy the name directly from the MikroTik, stored under System > Identity, to avoid any possible confusion.
The IP Address will usually be the same IP Address that you would use to access the device via Winbox, unless you are using a port forward to allow multiple privately addressed devices to talk to Sonar through a single public IP.
The port needs to match the port you set for the "api-ssl" service in step 4, and the username and password need to match what was entered in step 2.
Lastly, add the Subnets based on which subnets you want this inline device to control. If you have not yet built these, here is the guide to set these up: IPAM: Setup, Policy, & Best Practices.
- Finally, on the current page in Sonar, click the "Validate Credentials" button to test that the link between Sonar and your MikroTik is functioning correctly. If you see the "Successfully Validated Inline Device Credentials" message in the top left corner, everything is working correctly and you can send a Synchronize command from the dropdown to the right of the Inline Devices table. If you do not get this message, please refer to the Troubleshooting section below. You can also continue to MikroTik: Controlling Speeds.