Container Management in MikroTik RouterOS v7: Complete Docker Integration Guide

0 Shares

MikroTik introduced container support in RouterOS v7.4. This feature enables network engineers to run Docker-compatible containers directly on RouterBOARD hardware. The router becomes both a network device and an edge computing platform.

1. Introduction: The Evolution of MikroTik Container Support

Why Containers on Routers Matter

Reduced Hardware: Eliminate dedicated servers for lightweight network services
Edge Computing: Process data locally before sending to central systems
Simplified Deployment: Package network tools as portable containers
Cost Savings: Consolidate functions onto existing router hardware

What This Guide Covers

Container architecture and requirements
Complete setup and configuration procedures
Practical deployment examples with real configurations
Management, security, and troubleshooting
Limitations and alternative approaches

2. Understanding MikroTik Container Architecture

2.1 What Are Containers in RouterOS v7?

MikroTik containers are OCI-compatible runtime environments. They execute isolated Linux applications on RouterOS. The implementation supports standard Docker images without modification.

Key Characteristics

OCI (Open Container Initiative) compliant
Compatible with Docker Hub images
Isolated from RouterOS core processes
Persistent storage support via mounts
Network integration through virtual interfaces

2.2 How MikroTik Container Implementation Works

Component	Function
Container Runtime	Executes OCI images in isolated namespaces
VETH Interface	Provides virtual network connectivity
Mount Points	Maps external storage for persistence
Environment Files	Passes configuration variables to containers
Registry Client	Pulls images from Docker Hub or private registries

2.3 Supported Hardware and Requirements

Compatible Architectures

ARM 32-bit: hAP ac², RB3011, RB2011 series
ARM 64-bit: RB5009, CCR2004, CCR2116, Chateau series
x86/x86_64: CHR (Cloud Hosted Router), RB1100AHx4, x86 installations

Minimum Requirements

Resource	Minimum	Recommended
RAM	256 MB free	1 GB+ free
Storage	External USB/disk	USB 3.0 or NVMe SSD
RouterOS Version	7.4beta4	7.8 or newer stable

2.4 Use Cases for MikroTik Containers

Network Services

DNS filtering (Pi-hole, AdGuard Home)
DHCP servers with advanced features
DNS-over-HTTPS/TLS proxies
Network monitoring agents

Security Applications

Intrusion detection agents (Suricata, Zeek)
Log collectors and forwarders
VPN endpoint services
Certificate management tools

Automation and Monitoring

SNMP collectors and processors
NetFlow/sFlow exporters
Prometheus exporters
Custom Python/Go automation scripts

3. Prerequisites and Initial Setup for MikroTik Containers

3.1 RouterOS Version Requirements

Check Current Version

/system resource print

Upgrade RouterOS

# Check for updates
/system package update check-for-updates

# Download and install
/system package update download
/system package update install

Version Recommendations

Minimum: RouterOS 7.4beta4 (initial container support)
Stable: RouterOS 7.8+ (production environments)
Latest: RouterOS 7.12+ (newest features and fixes)

3.2 Enabling Container Mode in RouterOS

Warning: Enabling container mode reduces system security. Only enable on devices requiring container functionality.

Enable Container Package

# Set device mode to allow containers
/system/device-mode/update container=yes

# System requires reboot - confirm when prompted
# Router will reboot automatically

Verify Container Mode

/system/device-mode/print

# Expected output:
# container: yes

3.3 Preparing External Storage for Containers

MikroTik strongly recommends external storage for containers. Internal flash storage has limited write cycles and capacity.

Format USB Drive

# List available disks
/disk print

# Format disk (replace disk1 with actual disk name)
/disk format-drive disk1 file-system=ext4 label=containers

Create Container Directories

# Create directory structure on external storage
/file add name=disk1/containers type=directory
/file add name=disk1/containers/pihole type=directory
/file add name=disk1/containers/adguard type=directory
/file add name=disk1/pull type=directory

Storage Best Practices

Use USB 3.0 drives for better performance
Choose industrial-grade USB drives for reliability
Format with ext4 filesystem for Linux compatibility
Create separate directories per container
Monitor storage usage regularly

3.4 Network Configuration Prerequisites

Container Network Components

VETH Interface: Virtual ethernet connecting container to RouterOS
Bridge: Layer 2 domain for container networking
IP Address: Network addressing for container communication
NAT/Masquerade: Internet access for containers

Create Container Bridge

# Create dedicated bridge for containers
/interface bridge add name=bridge-containers

# Add IP address to bridge (this becomes container gateway)
/ip address add address=172.17.0.1/24 interface=bridge-containers

Configure NAT for Container Internet Access

# Masquerade container traffic for internet access
/ip firewall nat add chain=srcnat src-address=172.17.0.0/24 action=masquerade comment="Container NAT"

4. Step-by-Step MikroTik Container Configuration

4.1 Creating Virtual Ethernet Interfaces (VETH)

VETH interfaces connect containers to RouterOS networking. Each container requires one VETH interface.

Basic VETH Creation

# Create VETH interface for container
/interface veth add name=veth-pihole address=172.17.0.2/24 gateway=172.17.0.1

VETH Parameters Explained

Parameter	Description	Example
name	Interface identifier	veth-pihole
address	Container IP address with CIDR	172.17.0.2/24
gateway	Default gateway for container	172.17.0.1

Add VETH to Bridge

# Connect VETH to container bridge
/interface bridge port add interface=veth-pihole bridge=bridge-containers

4.2 Configuring Container Networking

Complete Network Setup Example

# Create bridge
/interface bridge add name=bridge-containers

# Assign gateway address to bridge
/ip address add address=172.17.0.1/24 interface=bridge-containers

# Create VETH for first container
/interface veth add name=veth-container1 address=172.17.0.2/24 gateway=172.17.0.1

# Add VETH to bridge
/interface bridge port add interface=veth-container1 bridge=bridge-containers

# Enable NAT for internet access
/ip firewall nat add chain=srcnat src-address=172.17.0.0/24 action=masquerade

# Add DNS server for containers
/ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

Port Forwarding to Container Services

# Forward external port 8080 to container port 80
/ip firewall nat add chain=dstnat protocol=tcp dst-port=8080 action=dst-nat to-addresses=172.17.0.2 to-ports=80

# Forward DNS queries to Pi-hole container
/ip firewall nat add chain=dstnat protocol=udp dst-port=53 action=dst-nat to-addresses=172.17.0.2 to-ports=53
/ip firewall nat add chain=dstnat protocol=tcp dst-port=53 action=dst-nat to-addresses=172.17.0.2 to-ports=53

4.3 Setting Up Container Environment Variables

Create Environment File

# Create environment file on disk
/file add name=disk1/containers/pihole.env contents="TZ=America/New_York
WEBPASSWORD=SecurePassword123
DNSMASQ_LISTENING=all
PIHOLE_DNS_=8.8.8.8;8.8.4.4"

Common Environment Variables

Variable	Purpose	Example
TZ	Timezone setting	America/New_York
PUID	User ID for permissions	1000
PGID	Group ID for permissions	1000

4.4 Configuring Container Mounts

Create Mount Configuration

# Create mount for container data persistence
/container mounts add name=pihole-data src=disk1/containers/pihole dst=/etc/pihole

# Create mount for DNS masq configuration
/container mounts add name=pihole-dnsmasq src=disk1/containers/pihole-dnsmasq dst=/etc/dnsmasq.d

Mount Parameters

Parameter	Description
name	Mount configuration identifier
src	Path on MikroTik filesystem
dst	Path inside container

5. Deploying Docker Images on MikroTik RouterOS

5.1 Understanding Container Image Sources

Image Source Options

Docker Hub: Public registry with official images
Private Registry: Self-hosted or enterprise registries
Local Import: Tar files transferred to router

Architecture Matching

Select images matching your RouterBOARD architecture:

RouterBOARD	Architecture	Docker Tag
RB5009, CCR2004	ARM64	arm64, aarch64
hAP ac², RB3011	ARM	arm, armv7
CHR, x86 boards	x86_64	amd64, x86_64

5.2 Pulling Container Images via Registry

Configure Registry Access

# Configure Docker Hub registry
/container config set registry-url=https://registry-1.docker.io tmpdir=disk1/pull

Pull Image from Docker Hub

# Pull Pi-hole image for ARM64
/container add remote-image=pihole/pihole:latest interface=veth-pihole root-dir=disk1/containers/pihole-root mounts=pihole-data,pihole-dnsmasq envlist=pihole.env logging=yes

# Pull AdGuard Home for ARM64
/container add remote-image=adguard/adguardhome:latest interface=veth-adguard root-dir=disk1/containers/adguard-root logging=yes

Verify Image Download Progress

# Check container status
/container print

# Expected output during download:
# 0 name="" tag="pihole/pihole:latest" status=pulling

5.3 Importing Local Container Images

Export Image from Docker Host

# On Docker host - export image to tar file
docker pull pihole/pihole:latest
docker save pihole/pihole:latest -o pihole-latest.tar

Transfer and Import to MikroTik

# Transfer via SCP or FTP to router
# Example using SCP:
scp pihole-latest.tar admin@192.168.88.1:disk1/

# Import image on RouterOS
/container add file=disk1/pihole-latest.tar interface=veth-pihole root-dir=disk1/containers/pihole-root

5.4 Managing Container Images

List Container Images and Status

/container print
/container print detail

Remove Container

# Stop container first
/container stop 0

# Remove container
/container remove 0

Image Storage Management

# Check storage usage
/file print where name~"disk1/containers"

# Clean up unused files
/file remove [find where name~"disk1/pull"]

6. Practical MikroTik Container Deployment Examples

6.1 Example 1: Deploying Pi-hole DNS Sinkhole

Pi-hole blocks advertisements and tracking at DNS level. This deployment runs Pi-hole as the primary DNS server for your network.

Complete Pi-hole Configuration

# Step 1: Create required directories
/file add name=disk1/containers/pihole type=directory
/file add name=disk1/containers/pihole-root type=directory
/file add name=disk1/containers/pihole-dnsmasq type=directory

# Step 2: Create VETH interface
/interface veth add name=veth-pihole address=172.17.0.2/24 gateway=172.17.0.1

# Step 3: Add VETH to bridge
/interface bridge port add interface=veth-pihole bridge=bridge-containers

# Step 4: Create environment file
/file add name=disk1/pihole.env contents="TZ=America/New_York
WEBPASSWORD=YourSecurePassword
DNSMASQ_LISTENING=all
FTLCONF_LOCAL_IPV4=172.17.0.2
PIHOLE_DNS_=8.8.8.8;1.1.1.1"

# Step 5: Create mounts
/container mounts add name=pihole-etc src=disk1/containers/pihole dst=/etc/pihole
/container mounts add name=pihole-dnsmasq src=disk1/containers/pihole-dnsmasq dst=/etc/dnsmasq.d

# Step 6: Create container
/container add remote-image=pihole/pihole:latest interface=veth-pihole root-dir=disk1/containers/pihole-root mounts=pihole-etc,pihole-dnsmasq envlist=pihole.env start-on-boot=yes logging=yes

# Step 7: Configure RouterOS to use Pi-hole as DNS
/ip dns set servers=172.17.0.2

# Step 8: Start container
/container start 0

Verify Pi-hole Operation

# Check container status
/container print

# Test DNS resolution through Pi-hole
/tool dns-test name=google.com server=172.17.0.2

# Access web interface at http://172.17.0.2/admin

6.2 Example 2: Running AdGuard Home Container

AdGuard Home provides DNS filtering with a modern web interface. This example includes DNS-over-HTTPS support.

Complete AdGuard Home Configuration

# Step 1: Create directories
/file add name=disk1/containers/adguard type=directory
/file add name=disk1/containers/adguard-root type=directory
/file add name=disk1/containers/adguard-work type=directory
/file add name=disk1/containers/adguard-conf type=directory

# Step 2: Create VETH interface
/interface veth add name=veth-adguard address=172.17.0.3/24 gateway=172.17.0.1

# Step 3: Add VETH to bridge
/interface bridge port add interface=veth-adguard bridge=bridge-containers

# Step 4: Create mounts
/container mounts add name=adguard-work src=disk1/containers/adguard-work dst=/opt/adguardhome/work
/container mounts add name=adguard-conf src=disk1/containers/adguard-conf dst=/opt/adguardhome/conf

# Step 5: Create container
/container add remote-image=adguard/adguardhome:latest interface=veth-adguard root-dir=disk1/containers/adguard-root mounts=adguard-work,adguard-conf start-on-boot=yes logging=yes

# Step 6: Port forward for external access (optional)
/ip firewall nat add chain=dstnat dst-port=3000 protocol=tcp action=dst-nat to-addresses=172.17.0.3 to-ports=3000 comment="AdGuard Setup"
/ip firewall nat add chain=dstnat dst-port=80 protocol=tcp action=dst-nat to-addresses=172.17.0.3 to-ports=80 comment="AdGuard Web"

# Step 7: Start container
/container start [find where remote-image~"adguard"]

Initial AdGuard Setup

Access http://172.17.0.3:3000 for initial setup wizard
Configure admin credentials
Set DNS listening interfaces
Configure upstream DNS servers
Enable DNS-over-HTTPS if required

6.3 Example 3: Network Monitoring with Prometheus Node Exporter

Node Exporter collects system metrics for Prometheus monitoring. This lightweight container reports router performance data.

Node Exporter Configuration

# Step 1: Create directories
/file add name=disk1/containers/nodeexporter type=directory
/file add name=disk1/containers/nodeexporter-root type=directory

# Step 2: Create VETH interface
/interface veth add name=veth-nodeexp address=172.17.0.4/24 gateway=172.17.0.1

# Step 3: Add VETH to bridge
/interface bridge port add interface=veth-nodeexp bridge=bridge-containers

# Step 4: Create container (using ARM64-compatible image)
/container add remote-image=prom/node-exporter:latest interface=veth-nodeexp root-dir=disk1/containers/nodeexporter-root start-on-boot=yes logging=yes

# Step 5: Start container
/container start [find where remote-image~"node-exporter"]

Prometheus Scrape Configuration

# Add to prometheus.yml on monitoring server
scrape_configs:
  - job_name: 'mikrotik-container'
    static_configs:
      - targets: ['172.17.0.4:9100']

6.4 Example 4: Custom Python Automation Container

Deploy custom scripts in containers for network automation. This example runs a Python application interacting with RouterOS API.

Prepare Custom Image (on Docker Host)

# Dockerfile
FROM python:3.11-alpine
RUN pip install routeros-api requests
COPY automation_script.py /app/
WORKDIR /app
CMD ["python", "automation_script.py"]

# Build and export
docker build -t mikrotik-automation:latest .
docker save mikrotik-automation:latest -o mikrotik-automation.tar

Deploy Custom Container

# Transfer tar file to router
# scp mikrotik-automation.tar admin@192.168.88.1:disk1/

# Create VETH
/interface veth add name=veth-automation address=172.17.0.5/24 gateway=172.17.0.1

# Add to bridge
/interface bridge port add interface=veth-automation bridge=bridge-containers

# Import and create container
/container add file=disk1/mikrotik-automation.tar interface=veth-automation root-dir=disk1/containers/automation-root start-on-boot=yes logging=yes

# Start container
/container start [find where root-dir~"automation"]

7. MikroTik Container Management and Operations

7.1 Starting, Stopping, and Restarting Containers

Basic Lifecycle Commands

# List all containers
/container print

# Start container by number
/container start 0

# Stop container by number
/container stop 0

# Start container by name/property
/container start [find where remote-image~"pihole"]

# Stop all containers
/container stop [find]

Auto-Start Configuration

# Enable start on boot
/container set 0 start-on-boot=yes

# Disable start on boot
/container set 0 start-on-boot=no

# Verify setting
/container print detail where start-on-boot=yes

7.2 Monitoring Container Performance

View Container Status

# Basic status
/container print

# Detailed information
/container print detail

# Expected output:
#  0 name="" tag="pihole/pihole:latest" os="" arch="" interface=veth-pihole 
#    root-dir=disk1/containers/pihole-root mounts=pihole-etc,pihole-dnsmasq 
#    status=running

Monitor Resource Usage

# Check system resources
/system resource print

# Monitor CPU and memory
/system resource monitor

Access Container Logs

# View recent logs (if logging=yes enabled)
/log print where topics~"container"

# Filter by container
/log print where message~"pihole"

7.3 Updating Container Images

Update Procedure

Stop running container
Remove existing container
Pull new image version
Create container with existing mounts
Start updated container

# Step 1: Stop container
/container stop 0

# Step 2: Remove container (preserves mount data)
/container remove 0

# Step 3: Pull and create updated container
/container add remote-image=pihole/pihole:latest interface=veth-pihole root-dir=disk1/containers/pihole-root-new mounts=pihole-etc,pihole-dnsmasq envlist=pihole.env start-on-boot=yes logging=yes

# Step 4: Start container
/container start 0

7.4 Troubleshooting Common Container Issues

Container Fails to Start

Symptom	Cause	Solution
Status: error	Image architecture mismatch	Pull correct architecture image
Status: stopped immediately	Missing environment variables	Check envlist configuration
Status: extracting (stuck)	Insufficient storage	Free disk space or use larger drive

Network Connectivity Problems

# Verify VETH exists and has correct IP
/interface veth print

# Check bridge port membership
/interface bridge port print

# Verify NAT rule exists
/ip firewall nat print where src-address=172.17.0.0/24

# Test connectivity from RouterOS
/ping 172.17.0.2 count=3

Storage and Permission Errors

# Check mount configuration
/container mounts print

# Verify directories exist
/file print where name~"containers"

# Check disk space
/disk print

Debug Commands

# Enable container logging
/container set 0 logging=yes

# View system log
/log print where topics~"container"

# Check container shell (if supported)
/container shell 0

8. Security Best Practices for MikroTik Containers

8.1 Container Isolation and Network Segmentation

Isolate Container Network from Management

# Create separate bridge for containers (not connected to LAN)
/interface bridge add name=bridge-containers-isolated

# Block container access to router management
/ip firewall filter add chain=input src-address=172.17.0.0/24 dst-port=22,80,443,8291,8728,8729 protocol=tcp action=drop comment="Block container management access"

# Allow only specific container services
/ip firewall filter add chain=forward src-address=172.17.0.0/24 action=accept comment="Allow container outbound"
/ip firewall filter add chain=forward dst-address=172.17.0.0/24 connection-state=established,related action=accept comment="Allow container return traffic"

VLAN Integration for Container Traffic

# Create VLAN interface for container network
/interface vlan add name=vlan-containers vlan-id=100 interface=ether1

# Add VLAN to container bridge
/interface bridge port add interface=vlan-containers bridge=bridge-containers

8.2 Resource Limits and Quotas

Note: RouterOS currently has limited resource control for containers. Implement these mitigations:

Monitor Resource Usage

# Create script to check resources
/system script add name=container-monitor source="
:local cpuLoad [/system resource get cpu-load]
:local freeMem [/system resource get free-memory]
:if (\$cpuLoad > 80) do={
    /log warning \"High CPU usage: \$cpuLoad%\"
}
:if (\$freeMem < 100000000) do={
    /log warning \"Low memory: \$freeMem bytes free\"
}
"

# Schedule monitoring
/system scheduler add name=monitor-containers interval=5m on-event=container-monitor

Storage Quotas

# Monitor storage usage
/file print detail where name~"containers"

# Set up alert for storage threshold
/system script add name=storage-check source="
:local diskUsed [/file get [find name=\"disk1\"] size]
:if (\$diskUsed > 10000000000) do={
    /log warning \"Container storage exceeds 10GB\"
}
"

8.3 Image Security Considerations

Trusted Image Sources

Use official images from verified publishers
Prefer images with “Official Image” or “Verified Publisher” badges
Check image update frequency and maintenance status
Review Dockerfile sources when available

Minimal Base Images

Base Image	Size	Security
Alpine	~5MB	Minimal attack surface
Distroless	~20MB	No shell, no package manager
Debian Slim	~80MB	Reduced packages
Ubuntu	~70MB	More packages, larger surface

8.4 Access Control and Authentication

Restrict Container Management Access

# Create container admin group
/user group add name=container-admin policy=read,write,test,api

# Create limited user for container management
/user add name=containeradmin group=container-admin password=SecurePassword

# Limit API access
/ip service set api address=192.168.88.0/24

Secure Exposed Container Services

# Limit access to container web interfaces
/ip firewall filter add chain=forward dst-address=172.17.0.2 dst-port=80 src-address=192.168.88.0/24 action=accept comment="Allow LAN to Pi-hole web"
/ip firewall filter add chain=forward dst-address=172.17.0.2 dst-port=80 action=drop comment="Block external Pi-hole web access"

9. Advanced MikroTik Container Configurations

9.1 Multi-Container Deployments

IP Address Planning

Container	VETH Interface	IP Address
Pi-hole	veth-pihole	172.17.0.2
AdGuard Home	veth-adguard	172.17.0.3
Node Exporter	veth-nodeexp	172.17.0.4
Custom App	veth-custom	172.17.0.5

Inter-Container Communication

# Containers on same bridge communicate directly
# Example: Custom app connecting to Pi-hole DNS
# Configure custom app to use 172.17.0.2 as DNS server

# Verify connectivity between containers
# (From container shell if available)
# ping 172.17.0.2

9.2 Container Orchestration with Scripts

Startup Script for All Containers

/system script add name=start-all-containers source="
:delay 30s
/container start [find where start-on-boot=yes]
:log info \"All containers started\"
"

# Run on boot
/system scheduler add name=container-startup on-event=start-all-containers start-time=startup

Health Check Script

/system script add name=container-health-check source="
:foreach container in=[/container find] do={
    :local status [/container get \$container status]
    :local image [/container get \$container remote-image]
    :if (\$status != \"running\") do={
        :log warning \"Container \$image is \$status - attempting restart\"
        /container start \$container
    }
}
"

# Schedule health checks
/system scheduler add name=health-check interval=5m on-event=container-health-check

9.3 Integration with RouterOS Services

DNS Integration Pattern

# Use container as upstream DNS for RouterOS
/ip dns set servers=172.17.0.2 allow-remote-requests=yes

# Forward specific domains to container DNS
/ip dns static add name=internal.example.com address=172.17.0.2 type=FWD

RouterOS API Access from Container

# Enable API for container network
/ip service set api address=172.17.0.0/24,192.168.88.0/24 disabled=no

# Create API user for container
/user add name=container-api group=read password=APIPassword123

# Python example (in container):
# from routeros_api import RouterOsApiPool
# connection = RouterOsApiPool('172.17.0.1', username='container-api', password='APIPassword123')
# api = connection.get_api()

9.4 Performance Optimization Tips

Storage Optimization

Use USB 3.0 or NVMe storage for better I/O
Place frequently accessed data on faster storage
Use Alpine-based images for smaller footprint
Clean unused images and temporary files regularly

Memory Management

# Monitor memory during container operation
/system resource print

# Restart containers if memory constrained
:if ([/system resource get free-memory] < 50000000) do={
    /container stop [find]
    :delay 5s
    /container start [find where start-on-boot=yes]
}

Network Performance

Keep container bridge separate from main LAN bridge
Use hardware offloading where available
Minimize NAT rules for container traffic
Consider direct routing instead of NAT for internal services

10. Limitations and Considerations of MikroTik Containers

10.1 Current Platform Limitations

Feature Limitations

No Docker Compose: Cannot deploy multi-container applications from compose files
No Container Networks: No built-in container networking (CNI) – must use VETH
No Resource Limits: Cannot set CPU/memory limits per container
No Container Restart Policies: No automatic restart on failure
Limited Registry Support: Basic authentication only for private registries
No Volume Drivers: Only local filesystem mounts supported

Hardware Constraints

Device Class	Practical Container Limit	Recommended Use
Entry (hAP ac²)	1-2 lightweight	Single DNS filter
Mid-range (RB5009)	3-5 containers	DNS + monitoring
High-end (CCR2004+)	5-10 containers	Multiple services

10.2 When NOT to Use MikroTik Containers

Avoid Containers For:

Database servers: Performance and storage limitations
High-traffic web applications: CPU constraints
Production-critical services: Limited HA options
Complex multi-container apps: No orchestration
GPU workloads: No GPU passthrough
Windows containers: Linux only

Better Alternatives

Workload	Alternative Solution
Heavy applications	Dedicated Docker host
Kubernetes workloads	K3s on edge device
Windows services	Windows Server container host
Complex deployments	Docker Swarm or Kubernetes

10.3 Future Development

Potential Improvements (Community Requests)

Resource limits (CPU, memory)
Restart policies
Better logging integration
Container metrics export
Docker Compose support

Stay Updated

Check MikroTik changelog for new releases
Monitor MikroTik forum for container discussions
Test new features in lab before production

11. MikroTik Containers vs. Alternative Solutions

11.1 MikroTik Containers vs. Dedicated Docker Hosts

Factor	MikroTik Containers	Dedicated Docker Host
Hardware Cost	None (uses existing router)	Additional server required
Power Consumption	Minimal increase	Additional power draw
Performance	Limited by router hardware	Scalable to needs
Features	Basic container runtime	Full Docker ecosystem
Management	RouterOS CLI/GUI	Docker CLI, Portainer, etc.
Network Integration	Direct RouterOS integration	Separate network configuration

11.2 MikroTik vs. Other Router Container Solutions

Platform	Container Support	Maturity	Use Case
MikroTik RouterOS 7	OCI containers via VETH	Growing	Edge services
OpenWrt	LXC, Docker (limited)	Mature	Hobbyist/SOHO
VyOS	Docker support	Mature	Enterprise routing
pfSense	No native containers	N/A	Use separate host
Cisco IOS-XE	App hosting (IOx)	Mature	Enterprise edge

11.3 Hybrid Architecture Recommendations

When to Combine MikroTik + External Docker

Light on MikroTik: DNS filtering, monitoring agents, log forwarders
Heavy on Docker host: Databases, web apps, media services
Edge processing: Initial data filtering on MikroTik, analysis on server

Example Hybrid Architecture


┌─────────────────────────────────────────────────────────────┐
│                     Network Architecture                     │
├─────────────────────────────────────────────────────────────┤
│                                                              │
│  ┌──────────────┐     ┌──────────────────────────────────┐  │
│  │   MikroTik   │     │       Docker Host (Server)       │  │
│  │   Router     │     │                                   │  │
│  │              │     │  ┌─────────┐  ┌─────────────────┐ │  │
│  │ ┌──────────┐ │     │  │ Grafana │  │ Database Server │ │  │
│  │ │ Pi-hole  │ │────▶│  └─────────┘  └─────────────────┘ │  │
│  │ └──────────┘ │     │                                   │  │
│  │              │     │  ┌─────────┐  ┌─────────────────┐ │  │
│  │ ┌──────────┐ │     │  │Prometheus│ │   Web Apps      │ │  │
│  │ │Node Exp. │─┼────▶│  └─────────┘  └─────────────────┘ │  │
│  │ └──────────┘ │     │                                   │  │
│  └──────────────┘     └──────────────────────────────────┘  │
│                                                              │
└─────────────────────────────────────────────────────────────┘

12. Conclusion: Maximizing MikroTik Container Potential

Key Takeaways

Container support transforms MikroTik routers into edge computing platforms
Use external storage for all container deployments
VETH interfaces provide network connectivity for containers
Match image architecture to your RouterBOARD hardware
Implement security controls to isolate container traffic
Monitor resources to prevent router performance issues
Know the limitations and use dedicated hosts for heavy workloads

Best Practices Summary

Start with one container and scale gradually
Test in lab environment before production
Use official, minimal images (Alpine-based)
Document your container configurations
Create backup scripts for container settings
Schedule regular updates and maintenance

Recommended First Container Projects

Pi-hole or AdGuard Home: Immediate value for network-wide ad blocking
Node Exporter: Lightweight monitoring without complexity
Custom scripts: Automate repetitive network tasks

Next Steps

Verify your RouterBOARD meets hardware requirements
Upgrade to RouterOS 7.8 or newer
Prepare external USB storage
Deploy your first container using examples in this guide
Join MikroTik forums to share experiences and learn from community

13. Additional Resources and References

Official Documentation

Tested Container Images for MikroTik

Image	Purpose	ARM64 Support
pihole/pihole	DNS ad blocking	Yes
adguard/adguardhome	DNS filtering	Yes
prom/node-exporter	System metrics	Yes
nginx:alpine	Web server	Yes
alpine	Base for custom images	Yes

Community Resources

Quick Reference Commands

# Enable container mode
/system/device-mode/update container=yes

# Create VETH
/interface veth add name=veth-app address=172.17.0.2/24 gateway=172.17.0.1

# Create bridge
/interface bridge add name=bridge-containers
/ip address add address=172.17.0.1/24 interface=bridge-containers
/interface bridge port add interface=veth-app bridge=bridge-containers

# Configure registry
/container config set registry-url=https://registry-1.docker.io tmpdir=disk1/pull

# Pull and create container
/container add remote-image=image:tag interface=veth-app root-dir=disk1/containers/app-root

# Container management
/container print
/container start 0
/container stop 0
/container remove 0

Check our list of MikroTik guides