
containers with mikrotik guide

With the release of new MikroTik ARM-based routers, all MikroTik ARM-based routers, including older ones running the latest RouterOS, gained added functionality such as SMB3 and containers. This makes MikroTik a perfect storage companion to Proxmox as an image/template/backup store, and a device to run basic containers. Because RAM cannot be upgraded on 99% of ARM-based products and capacity is limited, I recommend using very light containers, for example ones based on Alpine Linux. Since it is a router, I recommend sticking to light tasks like AdGuard or an nginx proxy. In this example we will look at how to install AdGuard DNS on MikroTik.

First, update the router to the latest RouterOS. Head over to https://mikrotik.com/downloads and download the latest release. There are major differences between some versions within 7 for containers, so it is best to have the latest one. Only ARM-based routers can do containers, so your choices are only between the 32-bit and 64-bit ARM CPUs (depending on what your device has). Unlike x86 they are not intercompatible, so make sure to pick the right one.

Then enable the container feature on MikroTik. To do this we need to change the security settings to allow it:

> system/device-mode/print
mode: enterprise
> /system/device-mode/update container=yes
update: please activate by turning power off or pressing reset or mode button in 4m33s
-- [Q quit|D dump|C-z pause]

Then reboot the router by unplugging it and plugging it back in. However, this may not work: enterprise mode may only force features rather than let you configure them. You can solve this by changing the mode to home. More info here: Device-mode – RouterOS – MikroTik Documentation

The command for this is: system/device-mode/update mode=home

Before we proceed, make sure you have some form of external storage. It can be a micro SD card, a USB drive or even M.2, though few MikroTik models have M.2 storage. It is too bad that TILE-based routers did not get this feature, because some of them have upgradeable RAM, which would make them very good for this task. MikroTik is replacing TILE with ARM because NVIDIA bought over Tilera, who makes these CPUs, to make their own special NICs, and is being expensive about the whole ordeal. Both Facebook and MikroTik, previously some of Tilera's main customers, have been unable to continue products based on these CPUs due to NVIDIA's pricing and its proprietary direction of using them only as part of its premium enterprise server NIC line. In the past Facebook used TILE CPUs to offload web server and firewall duties from the CPU, while MikroTik used them for routing. That CPU beat the MIPS64 used by Ubiquiti, and given who the customers were for these products, Ubiquiti's reliance on hardware acceleration made them inferior by a huge margin despite having more total cores and clocks.

A little bit of history: in order to make use of MikroTik devices, including TILE-based ones, to perform other tasks, you would need to boot the device using a live Linux distribution like OpenWrt without installing it on the device, then go to the protected system directory on the device's internal storage and add a few utilities. TILE-based devices did really well at these tasks, including multiple streams of live media encoding in parallel on the CCR1036. Sadly, all tutorials for doing this were silenced by MikroTik, and we are left with only containers to make the most out of MikroTik devices. However, compared to RMerlin firmware this option is far superior for making more use of your routers without adding more devices or power. This means that if your device is barely being used and has CPU and memory to spare, this is a great option given the ease of install compared to other methods. Wi-Fi APs, or routers you use only as APs, have lots of resources to spare, but sadly this feature has not come to consumer/enthusiast routers. I will try to get hold of RMerlin to suggest considering containers. MikroTik devices perform well because of their focus on being a router, so make sure all containers you install on them are just as lightweight and optimised. MikroTik devices perform very poorly when dealing with large datasets and will sometimes error and reboot when the internal watchdog detects a device hang (unresponsive for too long). This is not a hardware bug; this is just MikroTik's way of optimising their routers to be efficient in hardware resources.

Before we create the container, let's set up the prerequisites, which are networking and storage. For this you will need to add another L3 network, because while the router supports it, I find that putting the container network on the same layer 3 network as your main network doesn't work. For example, if your network is 192.168.88.0/24, you will need to make a new network; in this case let's make a new network, 192.168.89.0/24, just for our containers on the MikroTik. You can shorten it if you like and use a /25 for just 128 IPs. If there are multiple routers on the network, just make sure this MikroTik device is set as the gateway to the new network. It is not necessary to configure anything else for networking. First, create the bridge in MikroTik.

Then add the new L3 network by going to ip/address

At this point, if this MikroTik is the only router in your network and the main one, then there's nothing you need to touch elsewhere, such as routes on the MikroTik or on any other devices, as this is handled automatically.

Add the virtual ethernet that the container will use. Head to interface, new and select VETH.

Assign the VETH to the newly made bridge for containers.

Create the folder for your containers. For example, in the root directory of the external drive, make a new folder; I call it container. Then make new folders pull, adguard and adguard/root in this folder.

Configure the container settings

You can use container files or your own container registry. I strongly recommend using a registry so the containers can be updated easily; you can even make your own if you want.

You can limit RAM if you want, but both AdGuard and nginx proxy are light on this. The main concern for both is disk space, given they can fill the device storage with logs, so make sure you limit their fixed storage usage within each container's own application settings.

For AdGuard, head over to hub.docker.com/r/adguard/adguardhome to see more information and links for their container. Here's how the entry would look in MikroTik:

Apply/OK, and make sure the container is running before changing more settings. The root dir will be different for you depending on where you want to store the container files, but workdir will be the same (it will error otherwise; it depends on what is defined in the Dockerfile, and this one is for AdGuard).
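
The setup steps above as RouterOS 7 terminal commands. This is an added example, not the original post's own configuration. The bridge name `containers`, interface name `veth-adguard`, disk name `usb1` and container address 192.168.89.2 are assumptions, so substitute your own.

```routeros
# Added example. Assumed names: bridge "containers", interface "veth-adguard",
# external disk mounted as "usb1", container address 192.168.89.2.

# Bridge for the container network; the router is the gateway at 192.168.89.1
/interface/bridge/add name=containers
/ip/address/add address=192.168.89.1/24 interface=containers

# Virtual ethernet for the container, attached to the container bridge
/interface/veth/add name=veth-adguard address=192.168.89.2/24 gateway=192.168.89.1
/interface/bridge/port/add bridge=containers interface=veth-adguard

# Registry to pull from and the temporary download folder ("pull" from the
# folder layout described in the post)
/container/config/set registry-url=https://registry-1.docker.io tmpdir=usb1/container/pull

# Create the AdGuard Home container. root-dir follows the folder layout from
# the post; workdir is the WORKDIR set in the AdGuard Home image's Dockerfile.
/container/add remote-image=adguard/adguardhome:latest interface=veth-adguard \
    root-dir=usb1/container/adguard/root workdir=/opt/adguardhome/work \
    logging=yes start-on-boot=yes

# The image is downloaded and extracted first. Check the status, and start the
# container once it shows as stopped (item number 0 assumes it is the only one).
/container/print
/container/start 0
```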

Once it is running, head over to the VETH interface IP you used and set up AdGuard DNS. That's not a related tutorial and would unnecessarily lengthen this one. The default settings will work to overcome forced DNS filtering, but you must enable the various secure DNS communication features as well.

Then head over to DHCP server, networks, and change the network's DNS servers.

You can have as many DNS servers on the network as you want. This gives clients the container's IP rather than using the MikroTik router as the in-between. You can go further and redirect DNS traffic from within your own network to the container under the NAT firewall; just don't forget to exclude the containers themselves.
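
The DHCP change and the optional DNS redirect as RouterOS 7 terminal commands. This is an added example, not configuration from the original post. It assumes the main LAN is 192.168.88.0/24 and that AdGuard answers on 192.168.89.2.

```routeros
# Added example. Assumed: main LAN 192.168.88.0/24, AdGuard container at 192.168.89.2.

# Hand out the container's address as the DNS server to DHCP clients
/ip/dhcp-server/network/set [find address=192.168.88.0/24] dns-server=192.168.89.2

# Redirect plain DNS (port 53) from LAN clients that try to use another
# resolver. The rules match only the LAN as source, so queries sent by the
# containers in 192.168.89.0/24 (AdGuard's own upstream lookups) are excluded
# and cannot be looped back into the container.
/ip/firewall/nat/add chain=dstnat action=dst-nat protocol=udp dst-port=53 \
    src-address=192.168.88.0/24 dst-address=!192.168.89.2 \
    to-addresses=192.168.89.2 comment="force LAN DNS to AdGuard (udp)"
/ip/firewall/nat/add chain=dstnat action=dst-nat protocol=tcp dst-port=53 \
    src-address=192.168.88.0/24 dst-address=!192.168.89.2 \
    to-addresses=192.168.89.2 comment="force LAN DNS to AdGuard (tcp)"

# Confirm the rules exist and watch their packet counters
/ip/firewall/nat/print stats where comment~"AdGuard"
```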
