MikroTips: Cloudflare Zero Trust Tunnel

Views: 38,505

MikroTik

1 year ago

Normunds from MikroTik explains how to set up the cloudflared tunnel on a MikroTik router using the container feature. Protect your server with the excellent Cloudflare Zero Trust family of services, using your MikroTik router.
Tip: make sure your VETH interface does not fall into the "WAN" interface list; if it does, the firewall may block it.
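As an added example (not from the video or from MikroTik's own documentation), the RouterOS CLI fragment below makes the tip concrete: it shows the weak list membership beside the corrected one and the checks to confirm it. It assumes the container's virtual interface is named veth1 and that the default "LAN" and "WAN" interface lists of the stock firewall are in use.

```routeros
# Assumed names: veth1 is the container's virtual interface; LAN and WAN are
# the default interface lists. Example added here, not from the video.

# Weak setting: veth1 is placed in the WAN list. The default firewall drops
# input traffic that does not arrive from the LAN list and drops forwarded
# traffic from WAN that is not DST-NATed, so cloudflared in the container
# cannot reach the router or the internal service it is meant to front.
/interface/list/member/add list=WAN interface=veth1

# Corrected setting: remove the WAN membership and put veth1 in LAN instead,
# so the container is treated like any other internal host.
/interface/list/member/remove [find interface=veth1 list=WAN]
/interface/list/member/add list=LAN interface=veth1

# Check 1: the only list membership for veth1 should now be LAN.
/interface/list/member/print where interface=veth1

# Check 2: review the WAN-facing drop rules that would have matched veth1
# while it was in the WAN list.
/ip/firewall/filter/print where in-interface-list=WAN
```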

Comments: 71
@rubenduarte4909 1 year ago
now THIS is pod-racing!!! This channel keeps getting better and better! Don't slow down guys!!! Can I ask again for a possible future video about bridge VLANs? Something like "the definitive rOS v7 bridge VLAN tutorial"? Something that stops all forum discussions about the proper way of doing it?
@parhampourkhosravy5721 1 year ago
As Cloudflare is one of the top CDNs and widely used, I can see the benefit of 2 feature requests, maybe as an extra package called Cloudflare, to have DDNS and tunnel, something like the ZeroTier package which was a game changer. Normunds, counting on you.
@pasan. 1 year ago
ZeroTier is a game changer. No more open ports on the router and you can run services in a CGNAT environment.
@Anavllama 1 year ago
Agreed, it would be used as much as or more than WireGuard, which is in the ROS! Put it in the ROS or in a package for all devices!!!
@hqcart1 1 year ago
@Anavllama I am unable to tunnel to the router itself with this, I tried 127.0.0.1:8290 to access Winbox, but it's not working..
@hansvanderlinden6545 1 year ago
Superb. Was looking for months for a way to deal with CG-NAT situations. Until I hit on CF tunnels. I hope it will remain a free service. Many, many thanks.
@Anavllama 1 year ago
Considering the security cautions MT provides on using containers, this makes another strong case for Zero Trust Tunnel to be in the ROS or in a package and NOT in containers. Thus the functionality can be available to all MT devices. Users could access the Trust Tunnel without the added complexity as well. It's a logical and sane approach. Quote: you need physical access to the router to enable support for the container feature, it is disabled by default; once the container feature is enabled, containers can be added/configured/started/stopped/removed remotely! if the router is compromised, containers can be used to easily install malicious software in your router and over network; your router is as secure as anything you run in container; if you run container, there is no security guarantee of any kind; running a 3rd party container image on your router could open a security hole/attack vector/attack surface; an expert with knowledge how to build exploits will be able to jailbreak/elevate to root;
@mikrotik 1 year ago
As long as you stick to trusted containers, there is no more risk than integrating the cloudflared daemon directly into RouterOS. The warnings are there because people can also install containers from unknown sources. We can't integrate every useful tool into RouterOS. At some point we have to decide what is core RouterOS that most people will use, and what should be optionally available through containers.
@Anavllama 1 year ago
@mikrotik Understood, I just strongly disagree with your decision and until you have better logic than mine I will keep insisting on what is best for users! Users that have non-ARM devices, and that should not be forced into learning containers. Add Zero Trust as a package, not in the core OS.
@filipefidalgo3003 1 year ago
The video that I was looking for! 😮
@not_simp 1 year ago
Thanks! Another awesome video..
@linuxfornerds 1 year ago
Another wicked video.
1 year ago
Thanks! I will try it.
@pinguinokde 1 year ago
Amazing!
@drumaddict89 1 year ago
NetworkChuck also did a good video on that in general :) thanks for the MikroTik-specific video though! cheers guys
@wreckedzilla 1 year ago
great, thanks
@ChuckNorris-lf6vo 3 months ago
Good job.
@vanomel528 1 year ago
It is so nice that you are using the hAP ax² at your home. I want one too. But just don't say I shall buy it if I want to.
@mikrotik 1 year ago
It's available from many distributors, but you probably need to place a reservation.
@RobertPenz 1 year ago
@mikrotik I was told by my distributor that delivery to him is only at the beginning of April, which does not really fit with your info here.
@JaZzDeOliveira 1 year ago
Hi, thanks for the great video. I followed the above and I have containers running on my MikroTik; when I go to create the container for this one I get a status error on the container. Any advice?
@majormalfunction0xffff 1 year ago
Same here, hAP ac3 > error response getting manifests: 404 / was unable to import, container b117621d-34a9-47ee-9be6-010a630b0d22. Tried to pull Pi-hole, same error. What happened? It used to work on 7.6
@jekabsreinisperkons3366 1 year ago
This Docker image is only available for the newest MikroTik routers with ARM64
@archs182 1 year ago
Does this work on MikroTik's 4G LTE routers? Wasn't able to set up Cloudflare.
@itzizag2280 1 year ago
awesome
@ps5gamepl4ys 1 year ago
When is support for Docker containers coming to CHR devices? It would come in very handy.
@Anavllama 1 year ago
You added WireGuard to the core OS, please add Zero Trust Cloudflare AT LEAST as an optional package!! That is a reasonable compromise. What do I need to do, send you cases of Canadian beer or visit Latvia and cook you pancakes with Canadian maple syrup and back bacon ???
@taqialghanimi4301 1 year ago
We need a tutorial about setting up WARP+ on MikroTik
@josefsramek8491 1 year ago
Nice. Unfortunately, it does not work with the RB3011 - no manifest found for this architecture.....
@vontarx4026 9 months ago
hmm, my ac3 also got the "no manifest for the architecture" error :( looks like arm32 is not supported - hopefully only for a while
@mikkio5371 1 year ago
Hello MikroTik. RIP seems not to be working in OS version 7. Please show me how? I know other routing protocols in OS 7 but RIP seems not to be working. Why?
@EthanLiu 1 year ago
Cloudflare Zero Trust tunnel won't forward the visitor IP address, which in your website logs only shows as localhost or the 127.0.0.1 IP
@itdo3813 1 year ago
How to use a TCP-type tunnel to access SVN services?
@faraonx3m 4 months ago
I'm running the Cloudflare tunnel in a Proxmox LXC container. How to set local DNS entries for services on the same server but different ports? I have hairpin NAT on the MikroTik, but how can I see that all traffic goes through the tunnel.. Client PC in LAN->WAN->Tunnel->LAN Server
@Anavllama 1 year ago
If you need to make room for the Zero Trust tunnel as an optional package or part of ROS, just remove the OVPN code. :-)
@radioncreation 8 months ago
@Normunds? Will the solution work fine while I'm using an LTE mobile connection, so I get a dynamic IP and my ISP NATs my connection?
@mikrotik 8 months ago
No NAT, the ZeroTier servers do some magic called UDP hole punching
@Richard-kl8wr 1 year ago
What is the speed limit? For example uploading files to a NAS
@mikrotik 1 year ago
We tested 500 Mbit/s. Cloudflare is fast and has servers in many countries
@marcin1987aa 1 year ago
Hello, great news, but I have a question: is it possible to access the MikroTik admin GUI (WebFig) via Cloudflare tunnels?
@mikrotik 1 year ago
Yes, you should use almost the same instructions as in the video.
@johnr9243 1 year ago
Hey, I have one issue though: I have 2 containers which are working fine, but after a reboot only one is starting even though both are set to start on boot. What is the reason for this behavior? How can I ensure both are actually starting?
@mikrotik 1 year ago
Send your RIF file to support, could be a bug somewhere
@RB01-lite 1 year ago
If you put your containers in the router's default storage, it could be that one got partially saved in a RAM drive and after a reboot it's missing files.
@johnr9243 1 year ago
@RB01-lite nope, I am using a USB stick for storage
@titiuph 1 year ago
awesome content as always! does anyone run Traefik on RouterOS? can we have a video about that?
@salemyaslem9792 1 year ago
Yggdrasil Network next 😃
@adagioleopard6415 7 months ago
I'm getting "no manifest found for this architecture". I'm running an RB3011 - ARM64. It should have one. Am I missing a step?
@gaspoweredflea 1 month ago
RB3011 is ARM32 not 64, no ARM32 image available from CF officially
@Akram-MercuryIT 8 days ago
Can we do the same for Twingate connectors?
@user-ky2dq3vx4h 1 year ago
Is it possible to use this to remotely access Winbox itself?
@Fantastika 11 months ago
I mean yeah, why not
@herctrap 1 year ago
Does not work on the RB1100 with 32-bit ARM
@Anavllama 1 year ago
Why is this functionality hidden in Docker/containers? Can it be brought up to the normal router level (like WireGuard etc)...........
@mikrotik 1 year ago
All features can't be included, the OS would become too large. For less popular features you can use a container
@FinlayDaG33k 1 year ago
It's a pretty niche feature and would give the MikroTik team a lot more to maintain, rather than spending those resources on something else. Cloudflare maintains this Docker image, so it doesn't cost MikroTik any resources to maintain. If we included every small feature some users may want in ROS, it'd become a pain to maintain.
@Problembaer4 1 year ago
@mikrotik why not design ROS7 like ROS6 and let us uninstall things we don't need? I have tons of stuff in my ROS7 devices I will NEVER use and have disabled on ROS6. I don't like this "all installed and enabled" approach in ROS7. Plus it gives way more attack surface.
@Anavllama 1 year ago
@Normunds & Aroop I think it should NOT be considered niche and should be mainstream on the router. Since the router is really not capable of protecting against attacks on the WAN IP (not an edge device), it makes sense to push all users towards being able to use Cloudflare for the port forwarding of any server to a safe, non-public WAN IP setup. It makes infinite sense to me, as that is a huge use of many of the devices. I can see this easily being much more widely used than WireGuard, for example. This is one functionality that MT should make mainstream or available as a separate package. Many home users have NAS servers or other servers, and using the MT right now makes their WAN IP a target. For instance, my CCR1009 is not capable of running Docker....... So unless MT plans on adding Docker to all architectures, containers are not a panacea, and not being able to take advantage of the Zero Trust tunnel, which makes MT implementations more secure for many server users, is just plain wrong! Do the right thing! All MT users, many of them home users who may not be ARM or Docker savvy, will appreciate it.
@mikrotik 1 year ago
Why do you insist RouterOS is unable to protect? There are plenty of existing features that can do that.
@lucasr4204 1 year ago
When I activate Cloudflare on MikroTik it stops, why?
@mikrotik 1 year ago
Check what is written in "Log"
@lucasr4204 1 year ago
@mikrotik No error comes out
@lucasr4204 1 year ago
@mikrotik the error was: unable to import, container 1212803f-9581-4a61-bfea-d12f7944774d
@mikrotik 1 year ago
Do you have enough space on your device?
@lucasr4204 1 year ago
@mikrotik I have a 128 GB USB