remotely manage MT's

Posted: Wed Aug 29, 2018 11:30 pm
by toxicfusion
Looking for general ideas on how others are managing their customers' MikroTik devices, either as a CPE device or a managed router.

I'm looking to set up a "jump box" central management server that has winbox, the Dude client as well as RADIUS, then a separate MikroTik CHR virtual machine.
-Windows Server 2012r w/ AD and Radius server - as well as Duo Two-Factor Authentication
-MikroTik CHR VM
-Local internal private VM network (Cloud based)

Remote routers will only allow winbox access on the WAN port from the central server. Also configure RADIUS authentication for remote login, only allowed from this specified remote server. Then have a local admin account as backup.

Does anyone else do anything similar to this? Or do you have all your remotely managed devices connect to a central MikroTik or CHR via SSTP or VPN connection?

Opinions? Otherwise, I was looking at Splynx. I'm trying not to over-complicate this.

Re: remotely manage MT's

Posted: Fri Aug 31, 2018 6:10 pm
by toxicfusion

Re: remotely manage MT's

Posted: Sat Sep 01, 2018 8:15 pm
by TheCiscoGuy
If you have a full MikroTik routed topology between the remote CPEs and the router that hosts them, then I would look into RoMON. It provides a layer 2 interface hosted from the edge MikroTik. You would then be able to open a winbox session from the site router to the CPE device. It does require direct layer 2 between the router and CPE, but it may be worth looking at:

A company I consult for just migrated to MikroTiks, so the solution I implemented revolves around VRF-aware services (i.e. SSH, SNMP, Winbox, etc.) and CPEs (currently under test) will be managed via RoMON on the WAN-facing interface. As every CPE is behind a routed interface, L2 connectivity from the internet edge is not possible.

Re: remotely manage MT's

Posted: Tue Sep 04, 2018 6:39 pm
by toxicfusion

Unfortunately, I'm not operating as an ISP or WISP at the moment. The CPEs I'm considering are more like managed routers I provide to clients (MTs I configure and install for clients for their offices).

It would be nice if I had a fully routed network for them (providing them Internet access), and I would 100% use MikroTik for the complete network. But I'm looking to narrow down managing the clients' MTs remotely. Perhaps I'll only open winbox on the WAN to a specific IP (cloud jump box).

Re: remotely manage MT's

Posted: Wed Sep 05, 2018 4:39 am
by jo2jo
You could have all remote / CPE MTs run a VPN client (add a VPN interface) back to a central MT (either in a datacenter or a cloud MT), then only allow management via the VPN network. All of this can be done in ROS at no additional charge (FYI if you're new to MT / ROS). The use of a VPN client is nice as you don't need to know your target devices' public IP (nor deal with NAT / port forwarding), i.e. if someone physically moves the MT to a new network, 99% of the time it will still connect to your VPN server. Plus it's secure / encrypted, and is good for controlling access to management (and can be centralized).

If you have not yet, also look into MikroTik Dude. We normally pull data from MTs via SNMP (not using Dude). But Dude is free and can access even more data from MTs via the winbox protocol.
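Putting the thread's pieces together on the managed customer router (winbox on the WAN only from the jump box as toxicfusion plans, everything else only over a VPN back to the central router as jo2jo suggests, RADIUS login with a local backup account), here is an added RouterOS configuration sketch that is not from any poster. The addresses, interface names, the SSTP client as the VPN type and the CHANGE-ME secrets are all assumptions and placeholders.

```routeros
# Constructed example values, not from the thread:
#   203.0.113.10  central jump box / VPN server public IP
#   10.99.0.0/24  management VPN network (tunnel addresses)
#   ether1        WAN interface of the managed customer router

# 1. Management VPN back to the central router: the CPE dials out,
#    so no public IP or port forward is needed at the customer site.
/interface sstp-client
add name=sstp-mgmt connect-to=203.0.113.10 user=cpe01 \
    password=CHANGE-ME verify-server-certificate=yes disabled=no

# 2. Input chain: winbox on the WAN only from the jump box,
#    management over the tunnel, nothing else from the Internet.
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=tcp dst-port=8291 \
    in-interface=ether1 src-address=203.0.113.10 \
    comment="winbox on WAN from the jump box only"
add chain=input action=accept in-interface=sstp-mgmt \
    comment="management over the VPN tunnel"
add chain=input action=drop in-interface=ether1 \
    comment="drop all other unsolicited traffic on WAN"

# 3. Bind the services themselves to the same sources and switch off
#    the plaintext ones, so a firewall mistake alone does not expose them.
/ip service
set winbox address=203.0.113.10/32,10.99.0.0/24
set ssh address=10.99.0.0/24
disable telnet,ftp,www,api

# 4. RADIUS login against the central server; the local account stays
#    as the backup login the OP mentions.
/radius
add service=login address=203.0.113.10 secret=CHANGE-ME timeout=2s
/user aaa
set use-radius=yes default-group=read
/user
add name=backup-admin group=full password=CHANGE-ME
```

Verify from the jump box that winbox connects over both paths and from any other address that the WAN port answers nothing; `/log print` shows the RADIUS and firewall decisions while testing.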