RouterOS + tr069 staging process

Install RouterOS in a virtual machine and connect it to CONTROL

Overview

This guide walks you through installing RouterOS in a VirtualBox virtual machine and connecting it to CONTROL using the TR-069 protocol.

Prerequisites

Step 1: Download RouterOS

Visit the MikroTik download page and download the following files:

Download page screenshot

Step 2: Create the Virtual Machine

Configure VM Settings

  1. Open VirtualBox and create a new virtual machine

Create VM screenshot

  1. Enter the required information as shown below

VM name and type

  1. Allocate RAM memory (64 MB is sufficient for RouterOS)

RAM allocation

  1. Create a virtual hard disk with the following settings:

Hard disk creation - Step 1

Hard disk creation - Step 2

Hard disk creation - Step 3

Hard disk creation - Step 4

Configure Network Adapters

  1. After the VM is created, add an additional network adapter in the VM settings

VM summary

  1. The network configuration should look like this:

Network configuration

Step 3: Install RouterOS

Boot and Installation

  1. Start the virtual machine

Start VM

  1. Select the RouterOS ISO image and boot the VM

Select ISO

  1. When the package selection screen appears, press A to select all packages

Package selection - Before

Package selection - After

  1. Press I to start the installation and confirm when prompted

Installation confirmation

  1. After installation completes, unmount the ISO image to prevent the installation wizard from restarting

Unmount ISO

Step 4: Initial Configuration

Login to RouterOS

  1. Once the login screen appears, use the default credentials:
    • Username: admin
    • Password: (leave blank)

Login screen

Assign IP Address

  1. Add an IP address to enable remote access. For this example, we'll use 192.168.1.50:
ip address add address=192.168.1.50/24 interface=ether1

Add IP address

  1. Verify the IP address was added correctly:
ip address print

Verify IP address

Access Web Interface

  1. Open a web browser and navigate to the RouterOS web interface using the IP address you configured:
http://192.168.1.50/webfig/

Web interface login

  1. Click on WebFig to access the full configuration interface

WebFig interface

Step 5: Install TR-069 Package

  1. Navigate to Files in the WebFig interface and upload the TR-069 package

Files menu

  1. Extract the downloaded Extra packages archive and locate the TR-069 package file

Extract packages

Locate TR-069 package

  1. Reboot the router to complete the package installation

Reboot system

  1. After reboot, verify that TR-069 is enabled in the system

TR-069 enabled

Step 6: Obtain RouterOS License

RouterOS displays a warning message indicating you have 24 hours to use the software without a license. You must register to obtain a free demo license.

Save Software ID

  1. Note the Software ID displayed in the license warning message

Software ID

Generate License Key

  1. Register for a MikroTik account at the registration page

  2. After logging in, navigate to MAKE A DEMO KEY, enter your Software ID, and generate the license

Generate license - Step 1

Generate license - Step 2

Activate License

  1. Connect to RouterOS via SSH

SSH connection

  1. Paste the license key in the terminal and reboot to complete activation

Paste license key

  1. After reboot, a confirmation message indicates the license was successfully activated

[![License activated](https://docs.zequenze.com/uploads/images/gallery/2022-02/scaled-1680-/kxs0BYgcbsxaeEkM-image-1645825

IPsec Configuration

Overview

This guide explains how to configure an IPsec VPN tunnel between RouterOS and CONTROL. The configuration process involves setting up both endpoints to establish a secure site-to-site connection.

Part 1: RouterOS Configuration

Initial Access

  1. Log in to RouterOS using your default credentials
  2. Navigate to IPIPsec in the left-side menu

image.png

Step 1: Configure Profiles (Phase 1)

The profile defines Phase 1 parameters for the IPsec connection.

  1. Click the Profiles tab in the center panel
  2. Click Add New to create a new profile

image.png

  1. Configure the following Phase 1 parameters:

    • Name: Enter a descriptive name to identify the profile (e.g., "profile-to-ctl01.dev")
    • Hash Algorithms: Select a hash algorithm that matches the configuration on the remote endpoint
    • Encryption Algorithm: Choose an encryption algorithm that matches the remote endpoint configuration
    • Lifetime: Leave the default value (measured in seconds)
    • NAT Traversal: Enable this option if the router is behind NAT
    • DPD Interval: Leave the default value for Dead Peer Detection and note this number
    • DPD Maximum Failures: Leave the default value

  2. Click Apply, then click OK

image.png

Step 2: Configure Peers

The peer configuration defines the remote VPN endpoint.

  1. Click the Peers tab
  2. Click Add New

image.png

  1. Configure the following fields:

    • Name: Enter a name to identify the remote peer
    • Address: Enter the remote public IP address (e.g., 35.35.35.22/32)
    • Profile: Select the profile created in Step 1
    • Exchange Mode: Select the exchange mode (IKE2 is recommended)

  2. Click Apply, then click OK

image.png

Step 3: Configure Identities

The identities configuration defines authentication credentials.

  1. Click the Identities tab
  2. Click Add New

image.png

  1. Configure the following fields:

    • Peer: Select the peer configured in Step 2
    • Auth. Method: Select "pre shared key"
    • Secret: Enter the pre-shared key that will be configured on both endpoints

  2. Click Apply, then click OK

image.png

Step 4: Configure Proposals (Phase 2)

The proposal defines Phase 2 parameters for the IPsec connection.

  1. Click the Proposals tab
  2. Click Add New

image.png

  1. Configure the following Phase 2 parameters:

    • Name: Enter a name to identify this proposal
    • Auth. Algorithms: Select the authentication algorithm to be used on both endpoints
    • Encr. Algorithms: Select the encryption algorithm to be used on both endpoints
    • Lifetime: Set the lifetime for Phase 2
    • PFS Group: Select the Diffie-Hellman group for Perfect Forward Secrecy (PFS). This determines the session key generation during key exchange

  2. Click Apply, then click OK

image.png

Step 5: Configure Policies

The policy defines which traffic should pass through the VPN tunnel.

  1. Click the Policies tab
  2. Click Add New

image.png

  1. Configure the following fields:

    • Peer: Select the peer configured in Step 2
    • Tunnel: Enable this option to establish the tunnel between both sites
    • Src. Address: Enter the local IP address or network that will pass through the tunnel
    • Dst. Address: Enter the remote IP address or network that will be received from the other end
    • Level: Select "unique"
    • Proposal: Select the proposal created in Step 4

  2. Click Apply, then click OK

image.png

Part 2: CONTROL Configuration

Initial Navigation

image.png

Step 1: Create IPsec Security Service (Phase 1)

  1. Configure the basic information:

    • Name: Enter a name to identify Phase 1
    • Short-name/code: Enter a short identifier for quick reference
    • Organization: Select the organization that will use this connection
    • Type: Select "IPsec Security"

  2. Click Save at the bottom

image.png

  1. Configure the Phase 1 parameters to match your RouterOS configuration:

    • Authentication method: Select "PSK"
    • IKE version: Select "Version 2"
    • Encryption algorithm: Enter "aes256"
    • Integrity algorithm: Enter "sha256" or "sha2_256"
    • Diffie Hellman group (PFS): Enter "modp1024"
    • Lifetime: Enter 1200 (equivalent to 20 minutes)
    • Key negotiation retries: Enter "0"
    • Aggressive Mode: Enable this option

  2. Click Save and close at the bottom

image.png

Step 2: Create IPsec Configuration Service (Phase 2)

  1. In the Services tab, click +Add again to create another service

  2. Configure the basic information:

    • Name: Enter a name to identify Phase 2
    • Short-name/code: Enter a short identifier for quick reference
    • Organization: Select the organization that will use this connection
    • Type: Select "IPsec Configuration"

image.png

  1. Configure the Phase 2 parameters to match your RouterOS configuration:

    • Tunnel type: Select "Tunnel (ESP)"
    • Encryption algorithm: Enter "aes256"
    • Integrity algorithm: Enter "sha256" or "sha2_256"
    • Diffie Hellman group (PFS): Enter "modp1024"
    • Lifetime: Enter 1200 (equivalent to 20 minutes)

image.png

Step 3: Create Association

image.png

  1. Configure the following fields:

    • Name: Enter a name to identify this association
    • Short-name / code: Enter a short identifier for quick reference
    • Type: Leave "IPSec VPN" selected
    • Local gateway type: Leave "Private IP" selected
    • Remote gateway address: Enter the remote public IP address you are connecting to
    • Remote gateway id: Enter the WAN interface IP of the RouterOS device
    • Secret: Enter the pre-shared key (must match the secret configured in RouterOS)
    • Security service: Select the IPsec Security service created in Step 1
    • Configuration service: Select the IPsec Configuration service created in Step 2
    • Server: Select the internal server to use
    • Organization: Select the organization that will use this connection

image.png

image.png

  1. Configure the following fields:

    • Name: Enter a name to identify this link
    • Short-name / code: Enter a short identifier
    • Active: Enable this option to activate the link
    • Association: Select the association created in Step 3
    • Local network: Enter the local Zequenze IP address
      • For CONTROL: typically 172.31.255.254/32
      • For GATE: typically 172.31.255.253/32
      • (Verify the correct IP internally before configuring)
    • Remote network: Enter the remote network or IP address that will pass through the tunnel to Zequenze
    • Check services: Select "PING Connectivity test" to validate tunnel communication
    • Check address/hostname: Enter a remote IP address that is always active for connectivity testing (typically the remote gateway, e.g., 192.168.106.154)
    • Organization: Select the organization that will use this VPN connectivity

image.png

Verification and Summary

RouterOS Connection Status

Once the configuration is complete, you should see the connection established in RouterOS as shown below:

image.png

CONTROL Connection Status

image.png

This completes the IPsec VPN tunnel configuration between RouterOS and CONTROL. The tunnel should now be active and passing traffic between the configured networks.

Setting up TR-069 client on mikrotik hAP ac2

Prerequisites

Before configuring the TR-069 client, ensure your MikroTik hAP ac2 device has an active internet connection.

Required Configuration Parameters

You will need the following credentials and settings to configure the TR-069 client in CONTROL:

Note: These credentials should be provided by your CONTROL administrator or obtained from your CONTROL portal settings.

Configuration Steps

Follow the video tutorial below for step-by-step instructions on configuring the TR-069 client on your MikroTik hAP ac2:

Additional Information

The TR-069 protocol enables remote management and monitoring of your MikroTik device through the CONTROL platform. Once configured, your device will automatically establish communication with the ACS server and appear in your CONTROL dashboard.