Community discussions

MikroTik App
 
User avatar
anav
Forum Guru
Forum Guru
Topic Author
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Feature Request: Zero Trust Tunnel - Cloudflare Version

Thu Jan 05, 2023 5:47 pm

https://www.youtube.com/watch?v=BbDnBxlBTdY&t=134s

After watching this video it came rapidly clear to me that this feature touches functionality used by just about every config I have seen/worked on in these forums.
In other words, one should not use the word niche but more aptly mainstream to describe zero trust cloudflare tunnel. What do I mean..........?
Well we are talking about dstnat port forwarding to servers on the local LAN.

The method Normis describes seems relatively painless, to do the one thing that is not really possible on MT devices which is protect the public WANIP. MT devices are not that good at ddos and other edge router type functionalities and YET, I see bloated configs trying to contort the MT device into a magic box of security which amounts to not much.
Normis describes a methodology that surpasses anything the MT can do, besides creating source address lists for incoming users, which does increase security, but very rarely does this help the server admin who is unable or unwilling to take that step or its not possible in their scenario, and which still makes the public IP known.

Due to the sheer volume of users with servers, my contention is that this functionality should not be hidden in dockers/containers, limited to a certain number of devices AND with all its added complexities but should be mainstream on the menu. I would hazard a guess that more people will use this functionality than wireguard which is not hidden in a container/docker package.
Heck make it an optional package if not part of the normal ROS package.

Food for thought.
Last edited by anav on Fri Jan 20, 2023 9:25 pm, edited 1 time in total.
 
User avatar
anav
Forum Guru
Forum Guru
Topic Author
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Feature Request: Zero Trust Tunnel

Sat Jan 07, 2023 5:11 pm

Hmm, 132 gutless viewers LOL.

and MT by the way for gods sakes already add a client re-connect feature to MTs implementation of Wireguard, I just had to inform another person of scripts as a work around to your failure to address a known issue. Have some initiative for a change! :-) Now that you have won some awards doesnt mean ignore the users................. How many are using wireguard? YOU DO the math.
How many are using SERVERs? You do the math ( hint not just ARM users ;-PPP )

Me thinks MT staff need a math lesson.......... https://www.youtube.com/watch?v=NSfYKaJSawI&t=940s
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Feature Request: Zero Trust Tunnel

Sat Jan 07, 2023 10:19 pm

@anav … excellent suggestion and I agree that MT should fix the WG issue … long overdue …
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Feature Request: Zero Trust Tunnel

Sat Jan 07, 2023 10:33 pm

When containers first came out in some 7.x betas, it was on all MT platforms. I still think that's a good idea. For exactly things like this...

In this case, the Cloudfire container is distroless so it just need the C runtime lib for the MIPS/TILE/etc for a working image (e.g. NOT a Ubuntu for TILE). So I can't imagine it be that difficult for Mikrotik to compile the image with the non-ARM platform's glibc... that is if /container were exposed on non-ARM platforms.
 
User avatar
anav
Forum Guru
Forum Guru
Topic Author
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Feature Request: Zero Trust Tunnel

Mon Jan 09, 2023 9:31 pm

So let me get this straight in order to have a more secure SERVING experience by making use of zero trust tunnel, not only do I have to buy a specific advice to get access to containers,,,,,,, Now you WANT me to create the potential of a very high security risk scenario by being forced to use containers to get access to this functionality. Sounds so counter - intuitive if you ask me.......

Once again logic escapes MT.........

you need physical access to the router to enable support for the container feature, it is disabled by default;
once the container feature is enabled, containers can be added/configured/started/stopped/removed remotely!
if the router is compromised, containers can be used to easily install malicious software in your router and over network;
your router is as secure as anything you run in container;
if you run container, there is no security guarantee of any kind;
running a 3rd party container image on your router could open a security hole/attack vector/attack surface;
an expert with knowledge how to build exploits will be able to jailbreak/elevate to root;
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Feature Request: Zero Trust Tunnel

Tue Jan 10, 2023 3:33 pm

To be clear, I wasn't advocating against making this a package. I too like to see more "extra-packages" (over more containers examples). But I just don't think that's the direction Mikrotik is going...

So my point is if Mikrotik is going to be promoting container usage...they should try to make available on all platforms.

On Cloudflare's docker image... it's actually pretty efficiently built, so it's largely just the "exe" (vs. containers that are based on a a full Ubuntu/etc distro). So I'm not sure the attack profile changes much whether it's a container or an "extra-package". Mikrotik doesn't allow privileged containers, while bugs may expose things - that's true of all code that lives on RouterOS. By using a cloud service for your traffic, there is whole different set of risks to consider beyond RouterOS package styling...
 
User avatar
anav
Forum Guru
Forum Guru
Topic Author
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Feature Request: Zero Trust Tunnel

Tue Jan 10, 2023 11:13 pm

I get your point AMMO as zero tunnel uses a third party and its inherent risks.
 
User avatar
anav
Forum Guru
Forum Guru
Topic Author
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Feature Request: Zero Trust Tunnel

Thu Jan 19, 2023 4:15 pm

@mikrotik, if the reason not to include this in regular ROS is the amount of code, then create a separate package please.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Feature Request: Zero Trust Tunnel

Thu Jan 19, 2023 8:07 pm

To be clear, I'd perfer if Mikrotik did release packages for cloudflare. I don't use it today, but it sure does solve a lot of "advanced home" use cases. I think containers are "too fragile" and limited to ARM, which then makes using Cloudflare less useful if you can use it on ALL the Mikrotiks you may have...

Since I enjoy playing devil's advocate. Do think cloudflared is bit more complex than it appears, while Normis' YouTube shows the "tunnel". It offers other things like "proxy-dns", that acts as local resolver that then forwards DNS to cloudflare via DoH – which lives in same codebase as tunnel (and there are more features too). So I can see how it's not simple to shove into a Mikrotik package since there are a lot of options to map into the RouterOS CLI...

I was only saying if Mikrotik ain't going to do a package...they could at least allow containers on non-ARM. I get DockerHub won't help with MIPS or TILE, but bazel image builder used by cloudflared likely more easily deal with MIPS or TILE since it's distroless, it just need the TILE/etc linux kernel/glibc, NOT ubuntu/alpine/etc. That at least solve the all platform problem... And since cloudflared does have quite a few options, that does kinda work with the container cmd= method since you can cut-and-paste form Cloudflare's examples when setting up various features on their admin webpages (which do have Docker instructions).
 
mducharme
Trainer
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Feature Request: Zero Trust Tunnel

Thu Jan 19, 2023 10:46 pm

We are running almost everything through Cloudflare Zero Trust tunnel (and have been doing so for about a year). The tunnel in the modern day is entirely configured through the Cloudflare admin webpage, unless you are doing some weird/advanced things. There is a config file, but we've set up dozens of tunnels and haven't had to edit the config file once. You are not going to need many options in the CLI, if any.
 
User avatar
anav
Forum Guru
Forum Guru
Topic Author
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Feature Request: Zero Trust Tunnel

Thu Jan 19, 2023 11:24 pm

So in conclusion mducharm, do you agree that MT should make Zero Trust tunnel, if not part of the core ROS, at least available in a package. Do you also agree with AMMO that having such functionality will reduce the security risk self-imposed by users hosting servers on MT devices ??? Finally, do you agree that such functionality "FITS" with MTs 'reputation' of espousing excellent routing with concurrent security and good practices!
 
mducharme
Trainer
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Feature Request: Zero Trust Tunnel

Fri Jan 20, 2023 9:28 am

I would prefer an add on package for such a thing vs having to deploy a container, yes. I do not think it should be part of the core ROS as it is a third party solution, similar to ZeroTier, and so an add-on package would make the most sense.
 
User avatar
antonsb
MikroTik Support
MikroTik Support
Posts: 385
Joined: Sun Jul 24, 2016 3:12 pm
Location: Riga, Latvia

Re: Feature Request: Zero Trust Tunnel

Fri Jan 20, 2023 10:03 am

So my point is if Mikrotik is going to be promoting container usage...they should try to make available on all platforms.
Please show us tools for building containers for those platforms and working example.
 
Rox169
Member
Member
Posts: 432
Joined: Sat Sep 04, 2021 1:47 am

Re: Feature Request: Zero Trust Tunnel

Fri Jan 20, 2023 10:17 am

Hi, coul I use ZTT without public IP address?
 
mducharme
Trainer
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Feature Request: Zero Trust Tunnel

Fri Jan 20, 2023 12:21 pm

Hi, coul I use ZTT without public IP address?
Yes, there is no need for a public IP for it. You can be behind multiple levels of NAT and it will still work.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Feature Request: Zero Trust Tunnel

Fri Jan 20, 2023 5:31 pm

So my point is if Mikrotik is going to be promoting container usage...they should try to make available on all platforms.
I think my larger point, as a Mikrotik customer, while not a Cloudflare user, the offering looks solid & particular useful to "offload" security function that could never run on a common Mikrotik. You have other customers here saying they use it & I can see how Zero Trust native package cut @anav's workload on the forum by 50%. While informative/useful and apparently inspiring...Normis's video does gloss over multi-step process to enable container, which your customers can't so easily skip (to then find a security disclaimer in the containers docs, while trying to set up a tunnel to internet).

Your current tunnel types (IKEv2, WG, L2TP, even PPTP) cover other cloud services (AWS, Azure, etc) and major VPN providers, but the unique in Cloudflare is it's function are tied to their non-standard Zero Trust (Argo) tunnel. To me this, this looks to fills an opposite role of ZeroTier – centralization – but like ZeroTier, Zero Trust has it's own tunnel. Similarly native support be very handy.

I just use your ARM platforms for new projects to avoid worrying about whether a feature is going to be support. But yeah your products last a long time! Lots of MIPSBE things still working for closer to a decade in my world BUT also fair to say time for an upgrade ;)


Please show us tools for building containers for those platforms and working example.
I'm prone to oversimplification – I have no idea of the state of Linux toolchain for Tilera or xMIPSxE, which very well may be poor. Y'all did have container on other platforms in very early V7 alpha – so even if not immediately useful, maybe useful to someone more ambitious. Certainly not a project I'm looking to do, but the Mikrotik world is big.

But there are plenty of non-Docker ways to build a container image, see https://dev.to/thakkaryash94/how-many-w ... image-4g3p . Cloudflared and a lot of other containers use Google's tools, https://github.com/GoogleContainerTools/distroless , which essentially reduce Alpine container base image even further. And less dependencies would increase the chance of the underlying code in a container compiling for Tilera/xMIPSxE

To me, the central question is how well does Go code compiles on TILE, MIPSBE, etc. That's what matters whether you want to do a native package or container for cloudflared (since both cloudflared & most of the OCI/Docker tools too seem be in Go). But do think some C++-based application could be compiled into a container more easily, if RouterOS exposed the OCI interface for non-ARM. MetaROUTER used to run OpenWRT on V6 with MIPSBE after all, so I don't think containers on more platform is a stretch.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Feature Request: Zero Trust Tunnel

Fri Jan 20, 2023 5:59 pm

Please show us tools for building containers for those platforms and working example.
You could just skip container and have a WASM shim on non-ARM – which Docker supports – so all you'd need to do is code to compile to WASM. I'd imagine they'll be a WASM version of cloudflared, so another way to skin the cat. But a little off topic.

Image
 
User avatar
Larsa
Forum Guru
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Feature Request: Zero Trust Tunnel

Fri Jan 20, 2023 7:14 pm

IMO, WASM is like of a poor man's container or even more of a Kubernetes pod.

EDIT:
Because the WASM ecosystem is slimmed down by design, it's perfectly suited to run in smaller environments, but all the dynamic dependencies are likely to be a challenge.
Last edited by Larsa on Fri Jan 20, 2023 7:25 pm, edited 1 time in total.
 
User avatar
anav
Forum Guru
Forum Guru
Topic Author
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Feature Request: Zero Trust Tunnel

Fri Jan 20, 2023 7:15 pm

Lets focus on the art of the logical/reasonable/possible and that is MIKROTIK get working on adding a Zero Trust tunnel as an addon package item !!!!!
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Feature Request: Zero Trust Tunnel

Fri Jan 20, 2023 7:32 pm

Lets focus on the art of the logical/reasonable/possible and that is MIKROTIK get working on adding a Zero Trust tunnel as an addon package item !!!!!
To add to your cause (which I already tried to do...), the token in the container run command poses some security concerns – any user can view it & export'ed config would expose it too. As a native package, the token could be "sensitive".
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Feature Request: Zero Trust Tunnel

Fri Jan 20, 2023 7:42 pm

but all the dynamic dependencies are likely to be a challenge.
All the same problem, Tile or MIPS just aren't common platforms.

The better question is would @anav be okay if "native cloudflared" was only on ARM/X86/CHR?
 
User avatar
Larsa
Forum Guru
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Feature Request: Zero Trust Tunnel

Fri Jan 20, 2023 8:07 pm

Btw, to be honest I really don't get the idea in the current thread about a Zero Trust "Tunnel" in the context of implementing ZTNA. What objects in the bigger picture are mean to be untrusted and are to be verified for each access? In other words, what, why and how in layman's terms?
 
mducharme
Trainer
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Feature Request: Zero Trust Tunnel

Fri Jan 20, 2023 8:18 pm

Btw, to be honest I really don't get the idea in the current thread about a Zero Trust "Tunnel" in the context of implementing ZTNA.
He didn't mean a zero trust tunnel in a general sense. Instead a cloudflared Cloudflare Zero Trust tunnel, specifically for Cloudflare Access and Gateway. It is very vendor specific and not a general purpose zero trust solution.
 
User avatar
anav
Forum Guru
Forum Guru
Topic Author
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Feature Request: Zero Trust Tunnel

Fri Jan 20, 2023 8:32 pm

Thanks for the clarification mucharme. Absolutely correct.
Ask your self how many people do you see here that have servers on their MT damn near 100%. ( not just those with arm devices lol AMMO your killin me! )

Then you throw in the bloatware of DDOS, denial, raw rules, black holes, etc etc.......... its nuts....
Rarely do they use source address lists on dst-nat rules, probably because they cant be bothered to get friends or familys IP addresses or get them to get domain names or the users are random.

@Larsa the correct answer is ( to prevent trunk getting tied in a knot ;-) ) is to agree profusely!!
 
User avatar
Larsa
Forum Guru
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Feature Request: Zero Trust Tunnel

Fri Jan 20, 2023 8:44 pm

Ok CloudFlare Gateway Access, I get it. @Anav, if this is meant for a specific vendor ie "CloudFlare" (ie CloudFlare Zero Trust Tunnel) I think you should change the subject to reflect this. Btw, is there a specific business case you have in mind for this solution?

@Larsa the correct answer is ( to prevent trunk getting tied in a knot ;-) ) is to agree profusely!!

Ok, I agree! :-) Cheers!
 
User avatar
anav
Forum Guru
Forum Guru
Topic Author
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Feature Request: Zero Trust Tunnel - Cloudflare Version

Fri Jan 20, 2023 9:26 pm

Thats my favourite elephant err mouse err butterfly or genetic abomination. ;-)
Took your point though, the title has been modified.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Feature Request: Zero Trust Tunnel

Fri Jan 20, 2023 9:45 pm

not just those with arm devices lol AMMO your killin me!
Oh I knew the answer. But I'm with you! I'm really not a fan of the platform-specific features in RouterOS myself. But reality bites.

The cloudflared code doesn't have a build target for MIPS or TILE, so just saying that doesn't bode well for you... And most Linux things doesn't either – kinda the problem @antonsb alludes to with non-ARM/X86.... I'm sure it possible to run on TILE/etc., but only Mikrotik know the effort required since they already build for it – but I'm sure not easily.

But since the Cloudflare's container/code contains a working binary for ARM (and X86/CHR) today, a native version is more about adding it to CLI/etc. in some rational way. An extra package would make perfect sense.
 
User avatar
anav
Forum Guru
Forum Guru
Topic Author
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Feature Request: Zero Trust Tunnel - Cloudflare Version

Fri Jan 20, 2023 10:05 pm

Understood, baby steps............ regret buying this CCR1009 POS orphan.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Feature Request: Zero Trust Tunnel - Cloudflare Version

Thu Aug 24, 2023 4:21 am

LOL. Apparently, starlink might have a cloudflare package before Mikrotik...
Elon Musk-owned SpaceX is working with Cloudflare (NET.N) to boost the performance of its satellite internet service Starlink, the Information reported on Wednesday, citing a person with direct knowledge of the project.
https://www.reuters.com/science/spacex- ... 023-08-23/

Who is online

Users browsing this forum: No registered users and 21 guests