Updated by Alex Moore
Adding IP Addresses and Pools to the MikroTik
If you are already running a production network, you can skip ahead to step 3. If this is a brand new network setup and you have not already done so, you should begin with IPAM: General Overview. Once you have completed IPAM setup, here are the steps to build these networks in your MikroTik:
- Add the subnets built out in IPAM to the MikroTik under IP > Addresses. Make sure you set the interface to the one that goes out to the devices that will request addresses from this address list. It is also best practice to put the name of the subnet in the comment here.
- Next, navigate to IP > DHCP Server and add the subnets from IPAM to the networks tab. You will also want to make sure that you set your internal DNS servers here. As in step one, it is best practice to put the name of the subnet in the comment here.
- Lastly, navigate to the DHCP tab and add the pools built out in Sonar's IPAM to the MikroTik. In this case, the "Address Pool" will be set to static only, because Sonar will be submitting assignments from the pools in its IPAM to the MikroTik in the form of static leases. Leaving this as static only ensures that no IPs are assigned from these subnets unless the assignments exist in Sonar. For each DHCP Server, select the same interface that you set in step 1.
Preparing the MikroTik for Sonar Integration
The first step to preparing the MikroTik for integration is to build a user within the MikroTik that Sonar can use to authenticate. Here are the steps to create and secure a user for Sonar access:
Creating the Sonar User in the MikroTik
- Winbox into the MikroTik you would like to integrate and navigate to System > Users.
- From the User List > Users tab, click the blue plus icon to create a new user. Create a username and password, and keep these credentials to the side temporarily so that we can add them to the Sonar instance shortly. You will also want to set the group to "write" and set the Allowed Address to the IP address of your Sonar instance.
- For Sonar Legacy, this address can be looked up by typing your instance URL into https://mxtoolbox.com/DNSLookup.aspx.
- For Sonar V2, you need the following IP Address:
Next, we want to enable API SSL services. To do this, we will need a certificate that the API SSL service can use. If you do not already have a certificate, HERE is a guide to generate a self-signed certificate for use. After you have a certificate you can use, here are the steps to enable the service:
- In your Winbox session navigate to IP > Services
- Highlight the "api-ssl" service and click the blue checkbox to enable it, then double click the service to edit it. Select whichever port you want to use to access the service, add your instance IP address from Step 2 of this guide in the "Available From:" box, select your certificate from the drop down, then click "OK".
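The settings from "Adding IP Addresses and Pools" (static-only DHCP servers) and from the user and api-ssl steps above can be checked against a router's configuration export. The following is an added example, not part of the original guide or Sonar's own tooling: it assumes an export in the RouterOS `/export` section/command layout without wrapped lines, treats every DHCP server in the export as Sonar-managed, and uses a constructed sample with the placeholder names `sonar`, `sonar-api` and 203.0.113.10.

```python
import shlex

# Constructed sample in RouterOS "/export" layout; 203.0.113.10 stands in for the Sonar IP.
SAMPLE_EXPORT = """\
/ip dhcp-server
add address-pool=static-only interface=ether2 name=dhcp-customers
add address-pool=pool-guest interface=ether3 name=dhcp-guest
/ip service
set api-ssl address=203.0.113.10/32 certificate=sonar-api port=8729
/user
add address=203.0.113.10/32 group=write name=sonar
"""

def parse_export(text):
    """Yield (section, verb, positional_args, properties) for each command."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):              # e.g. "/ip service" opens a section
            section = line
        elif line and not line.startswith("#"):
            verb, *rest = shlex.split(line)   # shlex keeps quoted comments intact
            props = dict(t.split("=", 1) for t in rest if "=" in t)
            yield section, verb, [t for t in rest if "=" not in t], props

def audit(text, sonar_user="sonar"):
    """Return findings where the export departs from the steps in this guide."""
    findings, seen = [], set()
    for section, verb, args, p in parse_export(text):
        if section == "/ip dhcp-server" and verb == "add":
            if p.get("address-pool") != "static-only":
                findings.append(f"dhcp-server {p.get('name')}: pool is not static-only")
        elif section == "/ip service" and args[:1] == ["api-ssl"]:
            seen.add("api-ssl")
            if p.get("disabled") == "yes":
                findings.append("api-ssl: service is disabled")
            if not p.get("address"):
                findings.append("api-ssl: no Available From restriction")
            if p.get("certificate", "none") == "none":
                findings.append("api-ssl: no certificate selected")
        elif section == "/user" and p.get("name") == sonar_user:
            seen.add("user")
            if p.get("group") != "write":
                findings.append(f"user {sonar_user}: group is not write")
            if not p.get("address"):
                findings.append(f"user {sonar_user}: no Allowed Address set")
    findings += [f"{k}: not found in export" for k in ("api-ssl", "user") if k not in seen]
    return findings
```

Running `audit(SAMPLE_EXPORT)` flags only the `dhcp-guest` server, whose pool would hand out leases that do not exist in Sonar.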
Adding the MikroTik to the Sonar Application Firewall
Next, we will add the MikroTik to the Application Firewall so that it is allowed through. If you have chosen not to enable the Application Firewall, you can skip ahead to Adding the MikroTik as a DHCP Server in Sonar.
- Get the WAN IP Address from your MikroTik. In Sonar, go to Settings > Security > Application Firewall Rules, then click the blue "Create" button in the top right. In this form, create a new firewall rule, adding the WAN IP address under the Subnet field. General best practice would be to make the Description the same as the device name in the MikroTik.
Adding the MikroTik as a DHCP Server in Sonar
- Within your Sonar instance, navigate to Settings > Networking > DHCP Servers, then click the blue "Create" button in the top right.
- Fill in the Name, IP Address, Port, MikroTik DHCP server username, and MikroTik DHCP server password. The Name can be anything you want it to be, but general best practice would be to copy the name directly from the MikroTik, stored under System > Identity, to avoid any possible confusion. The IP Address will usually be the same IP Address that you would use to access the device via Winbox, unless you are using a port forward to allow multiple privately addressed devices to talk to Sonar through a single public IP. The port needs to match the port you set on the "api-ssl" service in step 4, and the username and password need to match what was entered in step 2. Set the IP Pools based on which pools you have built. If you have not yet built these, here is the guide to set these up: IPAM: Setup, Policy, & Best Practices. You will also see a checkbox that says "Use Source MAC Addresses". If this is selected, it will force the MikroTik to use the MAC address of a DHCP relay rather than the MAC address of the requesting device.
- Finally, on the current page in Sonar, click the "Validate Credentials" button to test that the link between Sonar and your DHCP server is functioning correctly. If you see the "Successfully Validated DHCP Server Credentials" message in the top left corner, everything is working correctly and you can send a Synchronize command from the drop down to the right of the DHCP Servers table.