Introduction

The introduction of the container feature in RouterOS made it possible to run all kinds of servers for all sorts of tasks inside the router. This is especially relevant for people who want to reduce the number of devices in their network. Instead of running a server on a separate device/machine, why not run it inside the router?

...

The image that we are going to use can be found by following the Docker Hub link.

Summary

Make sure to study our container guide before proceeding with the configuration. Make sure to check the disclaimer and requirements sections to understand all the risks and necessary steps you might be required to do.

...

Warning

A very basic and quick configuration will be shown. Make sure to check the mosquitto documentation page for more information about additional options and settings you can implement. If you want to use it for production, please make sure to harden the security in any way possible:

  • Use the firewall, so that access to the container is allowed only from your trusted IP addresses;
  • Increase security on the mosquitto broker/server side: use strong passwords, non-standard ports, etc.;
  • Use SSL MQTT.

Container configuration

Sub-menu: /container

note: container package is required.

Container mode

Enable container mode:

```ros
/system/device-mode/update container=yes
```

You will need to confirm the device-mode change with a press of the reset button, or with a cold reboot if using containers on x86.

Networking

Add veth interface for the container:

...

```ros
/ip firewall nat add action=dst-nat chain=dstnat dst-address=192.168.88.1 dst-port=1883 protocol=tcp to-addresses=172.19.0.2 to-ports=1883
```

Environment variables and mounts

Per the eclipse-mosquitto docker hub, define a mount for the configuration file. We will mount not just the configuration file, but the whole folder, because, for SSL MQTT, we will need to upload certificates into the folder as well:

```ros
/container mounts add src=/mosquitto_mounted dst=/mosquitto/config name=msqt_config
```

Getting image

To simplify the configuration, we will get the image from an external library, but you can also import it via the .tar file.

...

After running the command, RouterOS should start "extracting" the package. Check "File System" for newly created folders and monitor container status with the command /container/print.

Setting up mosquitto configuration file

To get the mosquitto.conf file, we will need to use the SFTP (file transfer over SSH) protocol, so make sure that the SSH service is enabled. You can also use FTP.

...

Make sure to wait for the container to stop (status=stopped should be shown after using the /container/print command) before starting it again.

Starting the container

After you have made sure that the container has been added and that /container/print shows status=stopped, you can start it:

...

```text
11:27:14 container,info,debug 1675416434: mosquitto version 2.0.15 starting
11:27:14 container,info,debug 1675416434: Config loaded from /mosquitto/config/mosquitto.conf.
11:27:14 container,info,debug 1675416434: Starting in local only mode. Connections will only be possible from clients running on this machine.
11:27:14 container,info,debug 1675416434: Create a configuration file which defines a listener to allow remote access.
11:27:14 container,info,debug 1675416434: For more details see https://mosquitto.org/documentation/authentication-methods/
11:27:14 container,info,debug 1675416434: Opening ipv4 listen socket on port 1883.
11:27:14 container,info,debug 1675416434: Opening ipv6 listen socket on port 1883.
11:27:14 container,info,debug 1675416434: mosquitto version 2.0.15 running
```

MQTT publish and subscribe

Sub-menu: /iot mqtt

note: iot package is required.

...

```text
12:47:28 container,info,debug 1675421248: New connection from 172.19.0.1:42240 on port 1883.
12:47:28 container,info,debug 1675421248: New client connected from 172.19.0.1:42240 as MTD8580EC793C4 (p2, c1, k60, u'test').
12:47:38 container,info,debug 1675421258: Client MTD8580EC793C4 disconnected.
```

SSL MQTT

Using non-SSL MQTT in a production environment is not secure. The packet exchange between the broker and the publisher can easily be captured/sniffed, and, because it is not encrypted, user credentials and other sensitive information can be obtained from it.

...

Use the official mosquitto-tls user guide for step-by-step instructions.

Server configuration

You should have generated ca.crt (Certificate Authority file), server.crt (server certificate) and server.key (server's key):

...

```text
11:20:41 container,info,debug 1689160841: mosquitto version 2.0.15 starting
11:20:41 container,info,debug 1689160841: Config loaded from /mosquitto/config/mosquitto.conf.
11:20:41 container,info,debug 1689160841: Opening ipv4 listen socket on port 8883.
11:20:41 container,info,debug 1689160841: Opening ipv6 listen socket on port 8883.
11:20:41 container,info,debug 1689160841: mosquitto version 2.0.15 running
11:22:24 system,info,account user admin logged in from 10.5.217.34 via local
```
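
The hardening points from the warning can be checked against container log output in the format shown above. The following Python script is an added example, not part of the original guide or of MikroTik's or mosquitto's code: it flags local-only mode, a plaintext listener on port 1883, clients outside a trusted network, and clients that connected without a username. The function name `audit`, the trusted network `172.19.0.0/24` and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# RouterOS container log line: "HH:MM:SS container,info,debug <epoch>: <message>"
LINE_RE = re.compile(r"^\s*(\d\d:\d\d:\d\d) container,\S+ \d+: (.*)$")
LISTEN_RE = re.compile(r"Opening (ipv4|ipv6) listen socket on port (\d+)\.")
CLIENT_RE = re.compile(
    r"New client connected from ([0-9a-fA-F.:]+):\d+ as (\S+) "
    r"\(p\d+, c\d+, k\d+(?:, u'([^']*)')?\)\.")
PLAINTEXT_PORT = 1883  # unencrypted MQTT port used in this guide

# Constructed sample input (not taken from a real device).
SAMPLE = """\
 10:00:00 container,info,debug 1700000000: Opening ipv4 listen socket on port 1883.
 10:00:05 container,info,debug 1700000005: New client connected from 172.19.0.1:42240 as sensorA (p2, c1, k60, u'test').
 10:00:09 container,info,debug 1700000009: New client connected from 203.0.113.7:51000 as probe1 (p2, c1, k60).
 10:01:00 system,info,account user admin logged in from 10.5.217.34 via local
"""


def audit(log_text, trusted_nets):
    """Return (time, finding) tuples for a mosquitto container log."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # other RouterOS topics, e.g. system,info,account
        when, msg = m.groups()
        if "Starting in local only mode" in msg:
            findings.append((when, "no listener defined: local-only mode"))
        lm = LISTEN_RE.search(msg)
        if lm and int(lm.group(2)) == PLAINTEXT_PORT:
            findings.append((when, f"plaintext listener on {lm.group(1)} port {PLAINTEXT_PORT}"))
        cm = CLIENT_RE.search(msg)
        if cm:
            addr = ipaddress.ip_address(cm.group(1))
            if not any(addr in net for net in nets):
                findings.append((when, f"client {cm.group(2)} from untrusted {addr}"))
            if cm.group(3) is None:
                findings.append((when, f"client {cm.group(2)} connected without a username"))
    return findings


if __name__ == "__main__":
    for when, finding in audit(SAMPLE, ["172.19.0.0/24"]):
        print(when, finding)
```

A log that shows only the 8883 listener, as in the SSL server output above, produces no findings.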

Testing the connection

Upload CA certificate (ca.crt) into RouterOS, into the device's "File List":

...