
"Connecting your cloud billing platform directly to your main core router introduces network risks. Follow this security guide to lock down your RouterOS API connections."
MikroTik routers are the backbone of most local ISPs. Linking your CRM to the router lets you automate user profiles, queue updates, dynamic bandwidth control, and auto-disconnections. However, opening a port so that an external cloud system can talk to your router exposes the router itself to attack unless the connection is locked down properly.
Below is a comprehensive guide to securing your MikroTik RouterOS API connections.
1. Disable the Unencrypted API Service
By default, MikroTik's API listens on TCP port 8728 without encryption, so everything it carries (including the login credentials) crosses the network in plain text. Disabling the plain service and enabling API-SSL on port 8729 is step number one:
/ip service disable api
/ip service set api-ssl port=8729 disabled=no
2. Restrict API IP Access Rules
Never allow wildcard connections (`0.0.0.0/0`) on your API-SSL port. Restrict access strictly to the dedicated static IP addresses of your ISP CRM Cloud instance:
/ip service set api-ssl address=162.243.141.52/32,192.168.10.15/32
3. Generate an SSL Certificate
To secure traffic on port 8729, give the API-SSL service a certificate. The commands below create a self-signed certificate directly on RouterOS; because no CA vouches for it, the CRM side must trust or pin that exact certificate rather than simply switching verification off. A Let's Encrypt certificate is an alternative where the router has a public DNS name.
/certificate add name=api-cert common-name=your-router-ip days-valid=3650 key-size=2048 key-usage=key-cert-sign,crl-sign,digital-signature,key-encipherment
/certificate sign api-cert
/ip service set api-ssl certificate=api-cert
4. Create a Dedicated API User Group with Minimal Permissions
Never share your main admin password with third-party software. Create a separate group with limited read/write permissions (only the `read`, `write` and `api` policies enabled; `reboot`, `policy`, `sensitive` and every login method other than the API disabled), and tie the user to the CRM's source address so the credentials are useless from anywhere else:
/user group add name=crm-group policy=read,write,api,!local,!telnet,!ssh,!ftp,!reboot,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!dude,!tikapp
/user add name=crm_api_user group=crm-group password=secure_random_password address=162.243.141.52/32
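Steps 3 and 4 above leave the CRM holding a self-signed certificate and a dedicated API login. The following is an added example of how the CRM side should use them, not code from this guide or from MikroTik: it speaks the RouterOS API word framing over TLS to port 8729 and pins the router certificate's SHA-256 fingerprint instead of disabling verification. The router address, the pin value and the password are placeholders.

```python
import hashlib
import hmac
import socket
import ssl

# Hypothetical pin: replace with the fingerprint shown by `/certificate print detail` for api-cert.
PINNED_SHA256 = "00" * 32

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as RouterOS reports it."""
    return hashlib.sha256(der_cert).hexdigest()

def encode_length(n: int) -> bytes:
    """Variable-length word prefix of the RouterOS API protocol (1 to 5 bytes)."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return (n | 0xE0000000).to_bytes(4, "big")
    return b"\xf0" + n.to_bytes(4, "big")

def encode_sentence(words) -> bytes:
    """A sentence is a run of length-prefixed words ended by a zero-length word."""
    return b"".join(encode_length(len(w)) + w.encode() for w in words) + b"\x00"

def login_sentence(user: str, password: str) -> bytes:
    """Plain /login of RouterOS 6.43+; acceptable only because it travels inside TLS."""
    return encode_sentence(["/login", f"=name={user}", f"=password={password}"])

def connect_pinned(host: str, pinned_sha256: str, port: int = 8729) -> ssl.SSLSocket:
    """Open TLS to api-ssl and refuse the session unless the leaf certificate matches the pin.
    A self-signed cert has no CA chain, so the pin replaces chain validation instead of verification being dropped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # chain check replaced by the fingerprint pin below
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=10), server_hostname=host)
    if not hmac.compare_digest(fingerprint(tls.getpeercert(binary_form=True)), pinned_sha256.lower()):
        tls.close()
        raise ssl.SSLError("api-ssl certificate does not match the pinned fingerprint")
    return tls

if __name__ == "__main__":  # hypothetical router address; the password comes from the CRM's secret store
    api = connect_pinned("192.0.2.1", PINNED_SHA256)
    api.sendall(login_sentence("crm_api_user", "secure_random_password"))
    print(api.recv(1024))  # a reply beginning with !done means the login succeeded
    api.close()
```

Any change to `api-cert` on the router (re-issue, renewal) must be followed by updating the pin in the CRM, otherwise the connection is correctly refused.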
5. Implement Fail2Ban or Firewall Brute-Force Protections
Add firewall filter rules that stage repeated connection attempts to port 8729 into a block list. Rule order matters: `add-src-to-address-list` takes effect immediately, so the rules must be listed from the highest stage down to the lowest; in the opposite order a single new connection is promoted through every stage at once and blacklisted on its very first packet. The CRM's own addresses are accepted explicitly before the staging rules, so its routine reconnects never trip the list. Note that `add` appends to the end of the chain; use `place-before=` if an existing rule would otherwise accept or drop the API traffic first.
# 0. The CRM instances from steps 2 and 4 are the only legitimate API clients: accept them before any staging
/ip firewall address-list add list=api_allowed address=162.243.141.52
/ip firewall address-list add list=api_allowed address=192.168.10.15
/ip firewall filter add chain=input protocol=tcp dst-port=8729 src-address-list=api_allowed action=accept
# 1. Drop anything already on the block list (must come before the staging rules)
/ip firewall filter add chain=input protocol=tcp dst-port=8729 src-address-list=api_blacklist action=drop
# 2. A second new connection within a minute from a source already in api_stage1 goes to the block list for 24h
/ip firewall filter add chain=input protocol=tcp dst-port=8729 connection-state=new src-address-list=api_stage1 action=add-src-to-address-list address-list=api_blacklist address-list-timeout=24h
# 3. Record every other new connection attempt on port 8729 for one minute
/ip firewall filter add chain=input protocol=tcp dst-port=8729 connection-state=new action=add-src-to-address-list address-list=api_stage1 address-list-timeout=1m