The following guide describes the installation of the NetFoundry OpenZiti ziti-edge-tunnel software onto a MikroTik router. The functionality has been validated on a physical router (hAP ac^2). This guide was developed with MikroTik RouterOS 7.9.1 as of July 2023.
NOTE: the container functionality is not a default feature and must be downloaded and installed before beginning the following steps. You can find it under the Extra packages download link on the MikroTik download page.
Container is MikroTik's own implementation of Docker(TM), allowing users to run containerized environments within RouterOS. The container feature was initially added in RouterOS v7.1rc4 for beta testing. It has since been released to the general code base under specific support conditions. Please contact MikroTik support for information regarding support and security notices.
Enabling the container
Please note, the following steps demonstrate how to enable container on MikroTik. At the time of publication, these steps were working correctly. Please refer to the MikroTik documentation if these steps do not yield the expected result.
Copy container-7.9.1-arm.npk (from extra packages) to the router.
Open a terminal to the router and issue the following command:
/system/device-mode/update container=yes
The system will prompt you to restart the router or press the reset button. Do so; once the router restarts, the container functionality is enabled.
Turn on logging to echo for the container package: go to System > Logging and add a rule with Topic container and Action echo, so that container output is shown in the terminal.
In this article we demonstrate how to create a container from a Docker Hub image. Alternatively, you can build your own image.
You will need to create and download an endpoint identity file (a .jwt enrollment token) from the NetFoundry console. Download it to a location from which you can scp it via the CLI or upload it via the WinBox UI. Instructions for creating the endpoint identity are found here:
https://support.netfoundry.io/hc/en-us/articles/360047133551-Create-and-Manage-Endpoints
Step 1.
Format an empty USB stick with ext4 and insert it into the USB port of the MikroTik router. It will appear as usb1-part1.
You should see something like this in your Disk List.
Step 2.
Create an identity for the MikroTik router in the console and save the JWT file for use in a later step.
Step 3.
Log in to the MikroTik RouterOS CLI (or use the WinBox terminal). Create a virtual interface for the container environment. We chose an available network that does not overlap with any internal networks.
/interface/veth/add name=veth1 address=172.16.0.2/24 gateway=172.16.0.1
Step 4.
Create a bridge for the containers, give the router an address on it, add veth1 to the bridge, and masquerade the container network out of the WAN interface (ether1 here; replace it with your WAN interface if it differs).
/interface/bridge/add name=docker
/ip/address/add address=172.16.0.1/24 interface=docker
/interface/bridge/port/add bridge=docker interface=veth1
/ip/firewall/nat/add src-address=172.16.0.0/24 out-interface=ether1 action=masquerade chain=srcnat
Note that this rule gives the container unrestricted outbound access through ether1. ziti-edge-tunnel only needs to reach the Ziti controller and edge routers, so if you want to restrict the container, add forward-chain filter rules for the 172.16.0.0/24 network.
Step 6.
Create the environment variable for your endpoint. NF_REG_NAME must be the name of the JWT file without the ".jwt" extension; ziti-edge-tunnel looks for <NF_REG_NAME>.jwt in its mounted directory when it enrolls.
/container/envs/add name=ziti-edge-tunnel key=NF_REG_NAME value=<jwt-filename-without-.jwt>
example:
/container/envs/add name=ziti-edge-tunnel key=NF_REG_NAME value=newmikrotick1i
Step 7.
Create a mount for non-volatile data (the enrolled identity, including its private key, will live here, so keep the USB stick under physical control).
/container/mounts/add name=netfoundry-volume src=/usb1-part1/ziti-edge-tunnel dst=/ziti-edge-tunnel
Step 8.
Set up the container configuration: a RAM limit, the registry to pull from, and a temporary directory on the USB stick for image pulls.
/container/config/set ram-high=50M registry-url=https://registry-1.docker.io tmpdir=usb1-part1/pull
Step 9.
Create the container from the remote image.
/container add remote-image=openziti/ziti-edge-tunnel:0.20.14 interface=veth1 root-dir=/usb1-part1/ziti-tunnel envlist=ziti-edge-tunnel mounts=netfoundry-volume hostname=zititunnel1 logging=yes start-on-boot=yes
NOTE:
- the envlist value (ziti-edge-tunnel) is the name given in Step 6 with /container/envs/add name=...
- the mounts value (netfoundry-volume) is the mount created in Step 7
- the version (0.20.14) of ziti-edge-tunnel was the latest ARM32 release at the time of publishing. Please check Docker Hub for newer ziti-edge-tunnel images, and keep the tag pinned to a specific version rather than latest so that a reboot does not silently pull a different image.
Step 10.
Register the identity. Make sure the container is stopped; if it is running, stop it first. The container number (0 below) is what the start and stop commands take.
/container print
0 name="6aa18f42-26bf-4f3f-a702-ffbcef5cb692"
tag="openziti/ziti-edge-tunnel:0.20.14" os="linux" arch="arm"
interface=veth1 envlist="ziti-edge-tunnel" root-dir=/usb1-part1/ziti-tunnel
mounts=netfoundry-volume dns="" hostname="zititunnel1" logging=yes
status=stopped
Copy the JWT file into usb1-part1/ziti-edge-tunnel (the mount source from Step 7). The filename must be exactly the NF_REG_NAME value from Step 6 plus ".jwt", for example newmikrotick1i.jwt. The enrollment token is single-use and time-limited, so copy it within its validity period; after enrollment the container keeps the resulting identity in the same directory.
Start the container:
/container/start 0
With the echo logging from the setup section enabled, the enrollment and tunnel start-up messages appear in the terminal. And that is it.
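Before copying the JWT to the USB mount in Step 10, it is worth checking on your workstation that the file is named NF_REG_NAME plus ".jwt" and that the enrollment token has not expired, since either mistake only shows up as a failed enrollment in the container log. The script below is an added example and is not part of the original guide or of the OpenZiti project. It assumes the enrollment .jwt is a standard three-part JWT whose payload carries an exp claim (unix seconds) and an iss claim (controller URL); the sample token it builds for the dry run is constructed with a dummy signature, and the script never verifies signatures (the controller does that at enrollment).

```shell
#!/bin/sh
# Added example: pre-flight check of a NetFoundry/OpenZiti enrollment .jwt
# before it is copied to the router's USB mount. Not part of the original
# guide or the OpenZiti project.
# Assumptions (not stated on the page): the .jwt is a standard three-part
# JWT; its payload carries "exp" (unix seconds) and "iss" (controller URL);
# the filename stem must equal the NF_REG_NAME value given to the container.
set -u

# Decode an unpadded base64url string to stdout.
b64url_decode() {
    s=$(printf '%s' "$1" | tr -- '-_' '+/')
    case $(( ${#s} % 4 )) in
        2) s="${s}==" ;;
        3) s="${s}=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# Encode stdin as unpadded base64url (only used to build the sample token).
b64url_encode() {
    base64 | tr -d '\n=' | tr -- '+/' '-_'
}

# Print the decoded JSON payload (second dot-separated part) of a JWT file.
# The signature is NOT verified here; the controller verifies it at enrollment.
jwt_payload() {
    payload=$(tr -d '\n' < "$1" | cut -d. -f2)
    [ -n "$payload" ] || return 1
    b64url_decode "$payload"
}

# Print one top-level claim ($2) from the JWT file ($1); works for numeric
# claims such as exp and for string claims such as iss. Empty if absent.
jwt_claim() {
    jwt_payload "$1" | sed -n 's/.*"'"$2"'":"\{0,1\}\([^",}]*\)"\{0,1\}.*/\1/p'
}

# Return 0 when $1 is a usable enrollment token for NF_REG_NAME $2; otherwise
# print the reason to stderr and return 1.
check_identity() {
    jwt=$1
    reg_name=$2
    now=$(date +%s)
    [ -f "$jwt" ] || { echo "no such file: $jwt" >&2; return 1; }
    file=$(basename "$jwt")
    stem=$(basename "$jwt" .jwt)
    # ziti-edge-tunnel looks for <NF_REG_NAME>.jwt in the mounted directory.
    if [ "$stem" = "$file" ] || [ "$stem" != "$reg_name" ]; then
        echo "expected ${reg_name}.jwt (NF_REG_NAME + .jwt), got $file" >&2
        return 1
    fi
    exp=$(jwt_claim "$jwt" exp)
    case $exp in
        ''|*[!0-9]*) echo "no numeric exp claim in $file" >&2; return 1 ;;
    esac
    # Enrollment tokens are time-limited; an expired one fails at enrollment.
    if [ "$exp" -le "$now" ]; then
        echo "enrollment token $file expired at unix time $exp" >&2
        return 1
    fi
    echo "ok: $file enrolls with $(jwt_claim "$jwt" iss)," \
         "expires in $(( (exp - now) / 3600 )) h"
}

# Build a constructed sample token with a dummy signature for a dry run.
# Real tokens come from the NetFoundry console (see Step 2). The claim
# values below are made up for the example.
make_sample_jwt() {
    out=$1
    exp=$2
    header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url_encode)
    payload=$(printf '{"iss":"https://ctrl.example.com:443","sub":"id-001","em":"ott","exp":%s}' "$exp" | b64url_encode)
    printf '%s.%s.%s\n' "$header" "$payload" "c2ln" > "$out"
}

# Dry run on a constructed token: sh check-jwt.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_jwt "$tmp/newmikrotick1i.jwt" 4102444800   # 2100-01-01 UTC
    check_identity "$tmp/newmikrotick1i.jwt" newmikrotick1i
    rm -rf "$tmp"
fi
```

Save it under a name of your choosing (check-jwt.sh is assumed above), run it with --demo for the dry run, and before the scp in Step 10 call check_identity on the real file with the NF_REG_NAME value from Step 6, for example check_identity ./newmikrotick1i.jwt newmikrotick1i. A non-zero exit tells you the copy would fail enrollment and why.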