How-To: Installing & Using Docker Container and Pihole in MikroTik CHR
As of the latest exciting news around MikroTik and their fresh release of the docker container in MikroTik, you may have heard that adding docker to RouterOS brings some interesting possibilities. Like managing some micro services on a web level. But the question now is how to install it and use the latest addition?
This hands-on tutorial will show you the steps and the proper way for installing docker and Pi-hole.
What Is MikroTik Container
In brief, using container in MikroTik is the implementation of Linux containers that enable users to run containerized environments within MikroTik Router Operating System. One important thing to know is that you must use a trusted hosting service provider, otherwise if your MikroTik CHR is compromised in any way, containers become an easy way for cyber attackers who want to install malicious software in the router and over your network.
Hands-on: What Is Pi-hole And How To Use Pi-hole With MikroTik Router
Pi-hole is a DNS based adblocker. It can block all ads in all your devices in your network. Since RouterOS v7.5, you can integrate it in your MikroTik router. This tutorial is for all ARM, ARM64 and x86 based MikroTik devices.
You can run docker containers in our Cloud Hosted Routers as well. Docker works in our Standard, Licensed and Dedicated MikroTik server plans. Choose the appropriate plan for your needs.
You can also watch our video guide:
In this tutorial, our Docker subnet will be 192.168.34.0/24
- Update your router to the latest version of RouterOS. You can do it from System>Packages>”Check for updates”. Then download the latest version and install it.
- Make sure that your router is secured. If hackers gain access to your MikroTik CHR, they can make malicious docker containers.
- Download the extra packages from the Cloud Hosted Router section in Mikrotik.com/downloads
- Extract only the container-7.X.npk file and upload it to your CHR by dragging it and dropping it in the Files window in MikroTik Winbox.
- Reboot your router to install the container package.
- Open a new terminal and enter /system/device-mode/update container=yes
- Power off your CHR from the Client VPS Control panel and then start the CHR
- After containers are enabled, we will create another bridge by going to Bridge and clicking on “+”. Name it as you like and save it.
/interface/bridge/add name=docker
- Assign an IP address of your choice to that bridge by going to IP>Addresses and clicking on “+”. Enter the IP and select the bridge as the interface.
/ip/address/add address=192.168.34.1/24 interface=docker
- Now we will create a virtual Ethernet interface. Go to Interfaces>VETH and click on “+”. You can name it as you like. Enter a free IP address from the subnet (e.g. 192.168.34.2/24) and the bridge IP as a gateway.
/interface/veth/add name=veth1 address=192.168.34.2/24 gateway=192.168.34.1
- Assign the newly created VETH interface to the bridge. Go to Bridge>Ports and click on “+”, then select the interface and the bridge.
/interface/bridge/port add bridge=dockers interface=veth1
- To allow internet access for our container instances, we will need to create a NAT rule in our Firewall. Go to IP>Firewall>NAT and click on “+”. Enter:
Chain: srcnat
Address: your subnet for your docker instances
action: masquerade/ip/firewall/nat/add chain=srcnat action=masquerade src-address=192.168.34.0/24
Now you can run docker containers in your MikroTik cloud hosted router. - To install Pi-hole, we will need to add some mounts and variables. Go to Container and add these mounts and envs
Envs:
Name=”pihole_envs” Key=TZ Value=”Europe/Sofia” (your timezone)
Name=”pihole_envs” Key=WEBPASSWORD Value=”yourpassword” (your password)
Name=”pihole_envs” Key=DNSMASQ_USER Value=”root” (root user for DNSMASQ)
Mounts:
Name=”etc_pihole” src=”disk1/etc” dst=”/etc/pihole”
Name=”dnsmasq_Pi-hole” src=”disk1/etc-dnsmasq.d” dst=”/etc/dnsmasq.d”/container/envs/add name=pihole_envs key=TZ value="Europe/Sofia"
/container/envs/add name=pihole_envs key=WEBPASSWORD value="yourpassword"
/container/envs/add name=pihole_envs key=DNSMASQ_USER value="root"
/container/mounts/add name=etc_pihole src=disk1/etc dst=/etc/pihole
/container/mounts/add name=dnsmasq_pihole src=disk1/etc-dnsmasq.d dst=/etc/dnsmasq.d - Configure the Docker container on MikroTik service by going to Container tab and clicking on “Config” Then set:
RAM High: Max ram usage in MB, set 0 for unlimited
Registry URL: https://registry-1.docker.io
Tmp dir: disk1/pull
/container/config/set registry-url=https://registry-1.docker.io tmpdir=disk1/pull
- Now we will create the container, click on “+” and enter:
Remote Image: pihole/pihole:latest
Interface: veth1 (the virtual interface you created)
Envlist: pihole_envs
Root Dir: disk1/pihole
Mounts: etc_pihole and dnsmasq_pihole
/container/add remote-image=pihole/pihole:latest interface=veth1 root-dir=disk1/pihole mounts=dnsmasq_pihole,etc_pihole envlist=pihole_envs
- When the package is extracted, click on “Start” to run your container
/container/start 0
- To control Pi-hole, we will need to create a port forwarding rule in our Firewall. Go to IP>Firewall>NAT and click on “+”. Enter:
Chain: dstnat
Protocol: TCP
Dst. Address: address of your choice in your subnets or your CHR’s IP address.
Dst. Port: Port of your choice
action: dst-nat
To Addresses: Your docker container (virtual interface) IP address
To Ports: 80(HTTP)/ip firewall nat add action=dst-nat chain=dstnat dst-address=YourMCHRIP dst-port=PortOfYourChoice protocol=tcp to-addresses=192.168.34.2 to-ports=80
- Set the DNS servers to the newly created docker container on MikroTik. Click on IP>DNS and set the servers to the docker container (virtual interface) IP address
/ip dns set servers=192.168.34.2
-
Enter the IP address and port in your browser and now you’re in your Pi-hole. Click on the link to enter the Admin Panel.
- Log in the admin panel. Your password is the value of the WEBPASSWORD ENV you set in step 12.
- And you’re done. Continue setting up Pi-hole with your favourite adblock lists.
In case you have any questions, do not hesitate to contact us.