Introduction
The introduction of the container feature into RouterOS made it possible to run all kinds of servers for all sorts of tasks inside the router. This is especially relevant for people who want to reduce the number of devices in their network. Instead of running a server on a separate device/machine, why not run it inside the router?
...
The image that we are going to use can be found by following the hub.docker link.
Summary
Make sure to study our container guide before proceeding with the configuration. Make sure to check the disclaimer and requirements sections to understand all the risks and necessary steps you might be required to do.
...
Warning: A very basic and quick configuration will be shown. Make sure to check the mosquitto documentation page for more information about additional options and settings you can implement. If you want to use it for production, please make sure to harden the security in any way possible:
Container configuration
Sub-menu: /container
note: container package is required.
Container mode
Enable container mode:
```
/system/device-mode/update container=yes
```
You will need to confirm the device-mode with a press of the reset button, or a cold reboot, if using container on X86.
Networking
Add veth interface for the container:
...
```
/ip firewall nat add action=dst-nat chain=dstnat dst-address=192.168.88.1 dst-port=1883 protocol=tcp to-addresses=172.19.0.2 to-ports=1883
```
Environment variables and mounts
Per the eclipse-mosquitto docker hub, define a mount for the configuration file. We will mount not just the configuration file, but the whole folder, because, for SSL MQTT, we will need to upload certificates into the folder as well:
```
/container mounts add src=/mosquitto_mounted dst=/mosquitto/config name=msqt_config
```
Getting image
To simplify the configuration, we will get the image from an external library, but you can also import it via the .tar file.
...
After running the command, RouterOS should start "extracting" the package. Check "File System" for newly created folders and monitor container status with the command /container/print.
Setting up mosquitto configuration file
To get the mosquitto.conf file, we will need to use the SFTP (file transfer over SSH) protocol, so make sure that the SSH service is enabled. You can also use FTP.
...
Make sure to wait for the container to stop (status=stopped should be shown after using the /container/print command) before initiating it again.
Starting the container
After you make sure that the container has been added and the status has changed to status=stopped after using /container/print, you can initiate it:
...
```
11:27:14 container,info,debug 1675416434: mosquitto version 2.0.15 starting
11:27:14 container,info,debug 1675416434: Config loaded from /mosquitto/config/mosquitto.conf.
11:27:14 container,info,debug 1675416434: Starting in local only mode. Connections will only be possible from clients running on this machine.
11:27:14 container,info,debug 1675416434: Create a configuration file which defines a listener to allow remote access.
11:27:14 container,info,debug 1675416434: For more details see https://mosquitto.org/documentation/authentication-methods/
11:27:14 container,info,debug 1675416434: Opening ipv4 listen socket on port 1883.
11:27:14 container,info,debug 1675416434: Opening ipv6 listen socket on port 1883.
11:27:14 container,info,debug 1675416434: mosquitto version 2.0.15 running
```
MQTT publish and subscribe
Sub-menu: /iot mqtt
note: iot package is required.
...
```
12:47:28 container,info,debug 1675421248: New connection from 172.19.0.1:42240 on port 1883.
12:47:28 container,info,debug 1675421248: New client connected from 172.19.0.1:42240 as MTD8580EC793C4 (p2, c1, k60, u'test').
12:47:38 container,info,debug 1675421258: Client MTD8580EC793C4 disconnected.
```
SSL MQTT
Using non-SSL MQTT for a production environment is not secure. One can easily capture/sniff the packet exchange between the broker and the publisher and, as a result, will be able to obtain user credentials and other sensitive information.
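A log check for the exposure described above, as an added example that is not part of the original guide: it scans broker log lines in the format this page shows and reports plaintext listeners and username logins that arrived on a non-TLS port. Treating 8883 as the only TLS port is an assumption taken from this page's setup, and the sample lines are constructed from the page's log format.

```python
import re

# Constructed sample in the log format shown on this page (the 8883 client lines are invented).
SAMPLE_LOG = """\
11:27:14 container,info,debug 1675416434: Starting in local only mode. Connections will only be possible from clients running on this machine.
11:27:14 container,info,debug 1675416434: Opening ipv4 listen socket on port 1883.
12:47:28 container,info,debug 1675421248: New connection from 172.19.0.1:42240 on port 1883.
12:47:28 container,info,debug 1675421248: New client connected from 172.19.0.1:42240 as MTD8580EC793C4 (p2, c1, k60, u'test').
11:20:41 container,info,debug 1689160841: Opening ipv4 listen socket on port 8883.
11:21:02 container,info,debug 1689160862: New connection from 172.19.0.1:51000 on port 8883.
11:21:02 container,info,debug 1689160862: New client connected from 172.19.0.1:51000 as MTD8580EC793C4 (p2, c1, k60, u'test').
"""

PREFIX = re.compile(r"^(\d\d:\d\d:\d\d) container,\S+ \d+: (.*)$")
LISTEN = re.compile(r"Opening (ipv[46]) listen socket on port (\d+)\.")
NEWCONN = re.compile(r"New connection from (\S+) on port (\d+)\.")
CLIENT = re.compile(
    r"New client connected from (\S+) as (\S+) \(p\d+, c\d+, k\d+(?:, u'([^']*)')?\)\.")

def audit(log_text, tls_ports=frozenset({8883})):
    """Return (time, kind, detail) findings from mosquitto container log lines.
    tls_ports is an assumption: the ports whose listeners are set up with certificates."""
    findings, port_of = [], {}
    for line in log_text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue  # not a container log line (e.g. system,info,account)
        when, msg = m.groups()
        if "Starting in local only mode" in msg:
            findings.append((when, "local-only", "no listener defined in mosquitto.conf"))
        elif (l := LISTEN.search(msg)) and int(l[2]) not in tls_ports:
            findings.append((when, "plaintext-listener", f"{l[1]} port {l[2]}"))
        elif c := NEWCONN.search(msg):
            port_of[c[1]] = int(c[2])  # remember which port this peer connected to
        elif c := CLIENT.search(msg):
            port = port_of.pop(c[1], None)
            # A username logged on a non-TLS port means it crossed the wire unencrypted.
            if c[3] is not None and port is not None and port not in tls_ports:
                findings.append((when, "cleartext-credentials",
                                 f"client {c[2]} user {c[3]!r} from {c[1]} on port {port}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep=" | ")
```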
...
Use the official mosquitto-tls user guide for step-by-step instructions.
Server configuration
You should have generated ca.crt (Certificate Authority file), server.crt (server certificate) and server.key (server's key):
...
```
11:20:41 container,info,debug 1689160841: mosquitto version 2.0.15 starting
11:20:41 container,info,debug 1689160841: Config loaded from /mosquitto/config/mosquitto.conf.
11:20:41 container,info,debug 1689160841: Opening ipv4 listen socket on port 8883.
11:20:41 container,info,debug 1689160841: Opening ipv6 listen socket on port 8883.
11:20:41 container,info,debug 1689160841: mosquitto version 2.0.15 running
11:22:24 system,info,account user admin logged in from 10.5.217.34 via local
```
Testing the connection
Upload CA certificate (ca.crt) into RouterOS, into the device's "File List":
...