Introduction
The introduction of the container feature into the RouterOS made it possible to run all kinds of servers for all sorts of tasks inside the router. This is especially relevant for people, who want to reduce the number of devices in their network. Instead of running a server on a separate device/machine, why not run it inside the router?
In this guide, we will showcase how to install a basic MQTT broker (or in other words, server) called eclipse-mosquitto. MQTT protocol is a very popular choice, especially in IoT topologies. It is an open OASIS and ISO standard lightweight, publish-subscribe network protocol that transports messages between devices. A typical topology consists of an MQTT publisher (a device that sends information), an MQTT broker (a server where the data is stored), and an MQTT subscriber (a device that listens to the data published on the server).
RouterOS supports MQTT publish, subscribe feature, and, now, we can also run the MQTT broker as well.
The image that we are going to use, can be found by following the hub.docker link.
Summary
Make sure to study our container guide before proceeding with the configuration. Make sure to check the disclaimer and requirements sections to understand all the risks and necessary steps you might be required to do.
You can find supported architectures by following the link.
At the time, when the guide was published, eclipse-mosquitto image was available for ARM32, ARM64, and AMD64 (CHR and x86) devices. In this example, we will run it on an ARM32 architecture device → RB1100AHx4.
In this example, we will do a very basic and quick configuration demonstration. Make sure to check mosquitto documentation page for more information about additional options and settings you can implement. If you want to use it for production, please make sure to harden the security in any way possible:
- Firewall, so that access to the container is allowed only from your trusted IP addresses;
- Increasing security from the mosquitto broker/server-side → use strong passwords, non-standard ports ...etc;
- Use SSL MQTT.
Container configuration
Sub-menu: /container
note: container package is required.
Container mode
Enable container mode:
/system/device-mode/update container=yes
You will need to confirm the device-mode with a press of the reset button, or a cold reboot, if using container on X86.
Networking
Add veth interface for the container:
/interface/veth/add name=veth2 address=172.19.0.2/24 gateway=172.19.0.1
Create a bridge for containers and add veth to it:
/interface/bridge/add name=msqt /ip/address/add address=172.19.0.1/24 interface=msqt /interface/bridge/port add bridge=msqt interface=veth2
Forward TCP 1883 for non-SSL MQTT (where 192.168.88.1 is the device's LAN IP address) for testing purposes:
/ip firewall nat add action=dst-nat chain=dstnat dst-address=192.168.88.1 dst-port=1883 protocol=tcp to-addresses=172.19.0.2 to-ports=1883
Environment variables and mounts (optional)
Per the mosquito docker instructions, define mounts (optional):
/container mounts add dst=/mosquitto/config/mosquitto.conf name=msqt_config
Getting image
To simplify the configuration, we will get the image from an external library but you can also import it via the .tar file.
In this example, we use an SD card and its directory is "disk7". So if you see "disk7" in the configuration examples below, we are directing the files to be downloaded/installed there (to our external storage).
Make sure that you have "Registry URL" set accordingly, limit RAM usage (if necessary), and set up a directory for the image:
/container/config/set registry-url=https://registry-1.docker.io tmpdir=disk7/pull
Pull image:
/container/add remote-image=eclipse-mosquitto:latest interface=veth2 root-dir=disk7/mosquitto mounts=msqt_config logging=yes
After running the command, RouterOS should start "extracting" the package. Check "File System" for newly created folders and monitor container status with the command /container/print.
Starting the container
After you make sure that the container has been added and the status changed to status=stopped after using /container/print → you can initiate it:
/container/start 0
If you have enabled container logging, you would see something like this in the Logs section:
11:27:14 container,info,debug 1675416434: mosquitto version 2.0.15 starting 11:27:14 container,info,debug 1675416434: Config loaded from /mosquitto/config/mosquitto.conf. 11:27:14 container,info,debug 1675416434: Starting in local only mode. Connections will only be possible from clients running on this machine. 11:27:14 container,info,debug 1675416434: Create a configuration file which defines a listener to allow remote access. 11:27:14 container,info,debug 1675416434: For more details see https://mosquitto.org/documentation/authentication-methods/ 11:27:14 container,info,debug 1675416434: Opening ipv4 listen socket on port 1883. 11:27:14 container,info,debug 1675416434: Opening ipv6 listen socket on port 1883. 11:27:14 container,info,debug 1675416434: mosquitto version 2.0.15 running
Altering mosquitto configuration file
To access the mosquttio.conf file, we will need to use SFTP (file transfer over SSH) protocol, so make sure that SSH service is enabled. You can also use FTP.
Open your command terminal ("CMD", as Administrator, for Windows users, or "Linux Shell or Command Terminal" for Linux users) and navigate it to the directory where you want to download the configuration file. For example, to "Container" folder on your "Desktop":
C:\WINDOWS\system32>cd C:\Users\Administrator\Desktop\Container C:\Users\Administrator\Desktop\Container>
Initiate SFTP to the device's IP address:
C:\Users\Administrator\Desktop\Container>sftp admin@192.168.88.1 The authenticity of host '192.168.88.1 (192.168.88.1)' can't be established. RSA key fingerprint is SHA256:lfxxs+xMrXlvP7hiHi9ZAEZlPi6/c5US+r6J7ljhkaA. Are you sure you want to continue connecting (yes/no/[fingerprint])?yes Warning: Permanently added '192.168.88.1' (RSA) to the list of known hosts. Connected to 192.168.88.1. sftp>
Go to the mosquitto configuration file folder (use dir or ls command to see the content of the folder you are in and cd command to go to the folder of our choice). By default, per the container logs from RouterOS, the configuration was loaded from the "/mosquitto/config/mosquitto.conf", so, navigate there and use get command to download it:
sftp> cd disk7/mosquitto/mosquitto/config sftp> dir mosquitto.conf sftp> get mosquitto.conf Fetching /disk7/mosquitto/mosquitto/config/mosquitto.conf to mosquitto.conf /disk7/mosquitto/mosquitto/config/mosquitto.conf
Open "mosquitto.conf" via your preferred text editor (notepad or any other), and just overwrite it with two lines shown below (or you could have just created a new/fresh file, named it "mosquitto.conf" and added the two lines there via any text editor → same result):
In this section, we will configure a basic non-SSL MQTT setup for testing purposes. Non-SSL MQTT is not secure for a production environment unless you are certain the required security/restrictions are in place.
For a production environment, topologies where the MQTT traffic can be captured/sniffed and/or topologies where the MQTT traffic is routed directly via the internet (not locally), use SSL MQTT. Check the SSL MQTT section for more information.
listener 1883 allow_anonymous true
- The first line, listener 1883, will make the installation listen for incoming network connection on the specified port.
- The second line, allow_anonymous true, determines whether clients that connect without providing a username are allowed to connect.
Re-save the file/overwrite it using the same mosquitto.conf file name.
Once again, use SFTP from the directory where this newly edited file is located and put it back (overwrite the default file within the container):
C:\Users\Administrator\Desktop\Container>dir
Directory of C:\Users\Administrator\Desktop\Container
02/03/2023 12:09 PM <DIR> .
02/03/2023 12:09 PM <DIR> ..
02/03/2023 12:09 PM 40,449 mosquitto.conf
1 File(s) 40,449 bytes
2 Dir(s) 76,166,430,720 bytes free
C:\Users\Administrator\Desktop\Container>sftp admin@192.168.88.1
Connected to 192.168.88.1.
sftp> cd disk7/mosquitto/mosquitto/config
sftp> dir
mosquitto.conf
sftp> put mosquitto.conf
Uploading mosquitto.conf to /disk7/mosquitto/mosquitto/config/mosquitto.conf
mosquitto.conf 100% 40KB 2.5MB/s 00:00
Restart the container:
[admin@MikroTik] > /container/stop 0 [admin@MikroTik] > /container/start 0
Make sure to wait for the container to stop (status=stopped should be shown after using /container/print command) before initiating it again.
MQTT publish and subscribe
Sub-menu: /iot mqtt
note: iot package is required.
Add an MQTT broker:
/iot/mqtt/brokers/add name=mosquitto username=test address=172.19.0.2
Subscribe to the MQTT broker and the required topic:
/iot/mqtt/subscribe broker=mosquitto topic=test/topic
Publish a static MQTT message:
/iot/mqtt/publish broker="mosquitto" topic="test/topic" message="{\"test\":\"123\"}"
Check subscriptions for received messages:
/iot/mqtt/subscriptions/recv/print
0 broker=mosquitto topic="test/topic" data="{"test":"123"}"
time=2023-07-12 10:01:40
You can also check the container logs (if enabled), to confirm the mosquitto is operational:
12:47:28 container,info,debug 1675421248: New connection from 172.19.0.1:42240 on port 1883. 12:47:28 container,info,debug 1675421248: New client connected from 172.19.0.1:42240 as MTD8580EC793C4 (p2, c1, k60, u'test'). 12:47:38 container,info,debug 1675421258: Client MTD8580EC793C4 disconnected.
SSL MQTT
Using non-SSL MQTT for a production environment is not secure. You can easily capture/sniff the packet exchange between the broker and the publisher and it will show you user credentials, clientIDs, and other sensitive information.
To increase security, use SSL MQTT.
The first step is to generate the certificates. In this example, we will use a simple Root CA scenario (with no device/client certificate requirement).
Use the official mosquitto-tls user guide for the step-by-step.
You should have generated ca.crt (Certificate Authority file), server.crt (server certificate) and server.key (server's key).
C:\Users\Administrator\Desktop\Container>dir
Directory of C:\Users\Administrator\Desktop\Container
07/12/2023 10:58 AM <DIR> .
07/12/2023 10:58 AM <DIR> ..
07/12/2023 10:56 AM 1,322 ca.crt
07/12/2023 10:56 AM 1,854 ca.key
07/12/2023 09:57 AM 35 mosquitto.conf
07/12/2023 10:58 AM 1,164 server.crt
07/12/2023 10:57 AM 960 server.csr
07/12/2023 10:56 AM 1,704 server.key
6 File(s) 7,039 bytes
2 Dir(s) 52,401,184,768 bytes free
ROOT CA scenario.
Mosquitto conf:
tls_version tlsv1.2
port 8883
allow_anonymous true
cafile /mosquitto/certs/ca.crt
keyfile /mosquitto/certs/server.key
certfile /mosquitto/certs/server.crt
Permissions:
In this scenario, just import ROOT CA into ROS and do not choose any certs (leave certs at none) for the MQTT broker (in the settings).