Table of Contents

MikroTik: Setting Up a Sonar Controlled DHCP Server

Kristen Fiddes Updated by Kristen Fiddes

Read Time: 8 mins

Supported firmware: This integration is officially supported only on releases from MikroTik's long-term release tree of RouterOS. Stable and development tree releases are not officially supported.

If you are running a non-long-term release and run into issues, roll back to the current long-term release before opening a support case. The current release trees are listed at mikrotik.com/download/changelogs.

A Sonar-controlled DHCP server allows Sonar to manage static DHCP reservations on a MikroTik router. Once configured, Sonar pushes DHCP reservations from IPAM to MikroTik and keeps them synchronized automatically or through a manual sync.

Sonar uses the MikroTik api-ssl service to connect securely to the router. Sonar also checks connectivity with the device every 5 minutes, which may appear in the MikroTik logs.

Sonar also signs in to the device every 5 minutes to confirm connectivity, which is visible in your MikroTik logs.

Prerequisites

Before setting up a Sonar-controlled DHCP server, make sure you have:

  1. A MikroTik router running RouterOS from the long-term release tree.
  2. Winbox access to the MikroTik router.
  3. IPAM configured in Sonar.
    If you haven't done this yet, start with IPAM: Basic Setup.
  4. The current Sonar inbound and outbound IP addresses from Sonar IP Addressing.
  5. Access to the MikroTik router’s WAN IP address.
  6. Access to Sonar settings for DHCP server configuration.

Permissions

Before getting started with the setup, your user roles will need to be adjusted to account for the permissions required to use the DHCP Server feature.

If you're a Super Admin, you already have full access, and no changes are needed. To learn more, see the Roles and Permissions article.
Permission Details
1. View all DHCP servers: Allows the user to view the DHCP Servers page and see existing DHCP server records in Sonar. This includes server names, configuration details, assigned IP pools, and sync-related information.
2. Update a DHCP server: Allows the user to edit existing DHCP server settings. This may include updating the server name, IP address, port, credentials, selected IP pools, and related configuration options.
3. Create a DHCP server: Allows the user to add a new DHCP server in Sonar. This permission is required to create the MikroTik DHCP server record and enter the connection details needed for Sonar to communicate with the device.
4. Delete a DHCP server: Allows the user to remove an existing DHCP server from Sonar. This should be limited to users who are responsible for managing network settings, because deleting a DHCP server can affect DHCP synchronization and reservation management.

How Sonar and MikroTik DHCP Work Together

Sonar maintains the list of static DHCP reservations based on IP assignments for Inventory Items, Uninventoried MAC Addresses, and IMSIs. When a synchronization occurs, Sonar pushes those reservations to the MikroTik and compares them against what's already there. A match requires the IP address, MAC address, and Sonar's internal DHCP server tag to all align.

For each reservation, one of three things happens:

  1. The IP exists in MikroTik but the MAC doesn't match Sonar — the MikroTik entry is deleted.
  2. The reservation exists in Sonar but not in MikroTik — it is created in MikroTik.
  3. The reservation matches in both systems — no action taken.

For more on Sonar's DHCP architecture and the optional lease script that enables dynamic lease tracking, see DHCP Delivery.

How Sonar Routes Reservations to the Right DHCP Server

When you have more than one DHCP server connected to Sonar, three things determine which server a reservation gets written to:

  • The IP assignment — the specific IP being reserved for an inventory item, MAC address, or IMSI.
  • The IP pool that IP belongs to — every reservation inherits the pool of its IP assignment.
  • The DHCP Server Identifier (if used) — an optional grouping that binds one or more pools to a specific DHCP server.

If a pool is part of a DHCP Server Identifier, Sonar writes reservations from that pool only to the matching DHCP server. If a pool isn't tied to an identifier, Sonar falls back to the DHCP server's default behavior — which, for MikroTik, is to write the reservation to all connected DHCP servers.

This matters most in setups where you have:

  • Multiple MikroTiks managing different parts of your network (for example, per region, per POP, or per VLAN)
  • A single MikroTik with multiple DHCP servers defined for different interfaces or VLANs
  • Separated pools for different service types (residential vs. commercial, IPv4 vs. dual-stack, etc.)

For single-server deployments, this is usually invisible — pools all go to the one server you've configured. For multi-server deployments, configure DHCP Server Identifiers (covered later in this article) to control exactly where each pool's reservations land.

Step 1: Add IP Addresses and Pools to MikroTik

If your production network already has the required subnets configured, skip to Step 2.

  1. In Winbox, go to IP > Addresses.
    1. Add each subnet that exists in Sonar IPAM.
    2. Assign each subnet to the correct outgoing interface.
    3. Add a comment using the subnet name.
  2. Go to IP > DHCP Server > Networks.
    1. Add the same subnets.
    2. Set your internal DNS servers.
    3. Add a comment using the subnet name.
  3. Go to IP > DHCP Server > DHCP.
    1. Add the IP pools from Sonar IPAM.
    2. Set Address Pool to static-only.
    3. Use the same interfaces configured for the subnet addresses.

Setting the address pool to static-only ensures MikroTik only hands out IPs that exist as assignments in Sonar.

Step 2: Create a Sonar User in MikroTik

Sonar needs a dedicated MikroTik user to authenticate with the router.

  1. In Winbox, go to System > Users.
  2. Click the blue + icon.
  3. Enter a username and password.
    1. Save the username and password for later use in Sonar.
    2. Set Group to write.
    3. Set Allowed Address to the current Sonar outbound (egress) IP address or addresses.

Step 3: Create the SSL Certificate

The integration requires the MikroTik api-ssl service. You can use a self-signed certificate generated on the MikroTik.

  1. In WinBox, open a new terminal.
  2. Create the certificate template:
    /certificate

    add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
  3. Sign the certificate. Replace {sonar_ip_address} with the current Sonar IP address:
    sign ca-template ca-crl-host={sonar_ip_address} name=myCa
  4. If the certificate does not show a trusted flag, mark it as trusted:
    set myCa trusted=yes
On some mipsbe-CPU devices, such as RB7xx, RB2011, and RB9xx models, signing can take longer, especially with larger key sizes.

Step 4: Enable the api-ssl Service

Sonar communicates with MikroTik through the api-ssl service. The plain api service on port 8728 will not work for this integration.

  1. In Winbox, go to IP > Services.
  2. Select api-ssl.
    1. Click the blue checkmark to enable it.
  3. Double-click api-ssl to edit it.
    1. Set Port to 8729, unless you use a custom port.
    2. Set Available From to the current Sonar outbound (egress) IP address or addresses.
    3. Select the certificate created in Step 3.
  4. Click OK.
Confirm the plain api service on port 8728 is disabled unless it is needed for another purpose.

Step 5: Add the MikroTik to the Sonar Application Firewall

If you do not use the Sonar Application Firewall, skip to Step 6.
If you are enabling the Application Firewall for the first time, add the public IP addresses for the computers you use to access Sonar. Enabling the firewall with only the MikroTik IP may lock you out of your Sonar instance.
  1. Identify the MikroTik router’s WAN IP address.
  2. In Sonar, go to Settings > Security > Application Firewall Rules.
  3. Click Create.
  4. Add the MikroTik WAN IP address under Subnet.
  5. Use the MikroTik device name as the Description.
  6. Save the rule.

Step 6: Add the MikroTik as a DHCP Server in Sonar

  1. In Sonar, go to Settings > Networking > DHCP Servers.
  2. Click Create.
    1. Enter a Name. As a best practice, match the MikroTik name shown under System > Identity.
    2. Enter the IP Address used to reach the MikroTik in Winbox, unless you are using a port forward.
    3. Enter the Port used by api-ssl. The default is 8729.
    4. Enter the MikroTik Username and Password created earlier.
    5. Select the IP Pools managed by this DHCP server.
    6. Enable Use Source MAC Addresses only if you want MikroTik to use the MAC address of a DHCP relay instead of the requesting device.
  3. Click Validate Credentials.
  4. After validation succeeds, open the dropdown next to the DHCP server and click Synchronize.

How DHCP Synchronization Works

DHCP synchronization runs automatically when an IP assignment in a managed pool is created, updated, or deleted in Sonar.

You can also run synchronization manually from the dropdown next to the DHCP server in Sonar.

If reservations become out of sync and do not reconcile, delete the lease assignments on the MikroTik DHCP server and run a full synchronization from Sonar.

Using DHCP Server Identifiers

A DHCP Server Identifier groups one or more IP pools and connects them to a specific DHCP server on the MikroTik.

For MikroTik, the identifier name in Sonar must exactly match the DHCP Server name under IP > DHCP Server > DHCP in MikroTik.

If a pool does not have an identifier in Sonar, MikroTik uses its default behavior and writes the lease to all DHCP servers.

If the identifier name does not match the MikroTik DHCP server name exactly, leases may not appear correctly on accounts or may appear briefly and then disappear.

Add a DHCP Server Identifier

  1. In Sonar, go to Settings > Networking > DHCP Server Identifiers.
  2. Click Create DHCP Server Identifier.
  3. Enter a name that exactly matches the MikroTik DHCP Server name.
    1. Select the IP pool or pools the identifier should contain.
  4. Click Create.

Changes apply in real time to the applicable DHCP servers.

How did we do?

MikroTik: Controlling Speeds

Netflow On-Premise Integration: Setup and Overview

Contact