How-To: Installing & Using Docker Container and Pihole in MikroTik CHR

With MikroTik's recent release of container support in RouterOS, you may have heard that adding Docker to RouterOS brings some interesting possibilities, such as managing microservices at the web level. The question now is how to install and use this latest addition.

This hands-on tutorial shows the steps and the proper way to install Docker and Pi-hole.


What Is MikroTik Container

In brief, MikroTik Container is an implementation of Linux containers that lets users run containerized environments within the MikroTik Router Operating System (RouterOS). One important thing to know is that you must use a trusted hosting service provider: if your MikroTik CHR is compromised in any way, containers become an easy way for attackers to install malicious software on the router and across your network.


Hands-on: What Is Pi-hole And How To Use Pi-hole With MikroTik Router

Pi-hole is a DNS-based ad blocker. It can block all ads on all the devices in your network. Since RouterOS v7.5, you can integrate it into your MikroTik router. This tutorial applies to all ARM, ARM64 and x86 based MikroTik devices.

You can run docker containers in our Cloud Hosted Routers as well. Docker works in our Standard, Licensed and Dedicated MikroTik server plans. Choose the appropriate plan for your needs.

In this tutorial, our Docker subnet will be

  1. Update your router to the latest version of RouterOS. You can do it from System>Packages>”Check for updates”. Then download the latest version and install it.

  2. Make sure that your router is secured. If hackers gain access to your MikroTik CHR, they can make malicious docker containers.

  3. Download the extra packages from the Cloud Hosted Router section in
    Mikrotik download CHR section

  4. Extract only the container-7.X.npk file and upload it to your CHR by dragging it and dropping it in the Files window in MikroTik Winbox.
    Uploading the file to your CHR

  5. Reboot your router to install the container package.

  6. Open a new terminal and enter /system/device-mode/update container=yes
    Enabling containers in CHR

  7. Power off your CHR from the Client VPS Control panel and then start the CHR
    Clicking on the power icon

  8. After containers are enabled, we will create another bridge by going to Bridge and clicking on “+”. Name it as you like and save it.
    Making the bridge

    /interface/bridge/add name=docker

  9. Assign an IP address of your choice to that bridge by going to IP>Addresses and clicking on “+”. Enter the IP and select the bridge as the interface.
    Assigning the IP address to the bridge

    /ip/address/add address= interface=docker

  10. Now we will create a virtual Ethernet interface. Go to Interfaces>VETH and click on “+”. You can name it as you like. Enter a free IP address from the subnet (e.g. and the bridge IP as a gateway.
    Creating the Virtual Ethernet interface

    /interface/veth/add name=veth1 address= gateway=

  11. Assign the newly created VETH interface to the bridge. Go to Bridge>Ports and click on “+”, then select the interface and the bridge.
    Assigning the VETH to the bridge

    /interface/bridge/port add bridge=docker interface=veth1

  12. To allow internet access for our container instances, we will need to create a NAT rule in our Firewall. Go to IP>Firewall>NAT and click on “+”. Enter:
    Chain: srcnat
    Address: your subnet for your docker instances
    action: masquerade
    Creating a NAT rule for Docker internet access
    Setting the action for the nat rule

    /ip/firewall/nat/add chain=srcnat action=masquerade src-address=

    Now you can run docker containers in your MikroTik cloud hosted router.

  13. To install Pi-hole, we will need to add some mounts and variables. Go to Container and add these mounts and envs
    Container envs and mounts

    Name=”pihole_envs” Key=TZ Value=”Europe/Sofia” (your timezone)
    Name=”pihole_envs” Key=WEBPASSWORD Value=”yourpassword” (your password)
    Name=”pihole_envs” Key=DNSMASQ_USER Value=”root” (root user for DNSMASQ)

    Name=”etc_pihole” src=”disk1/etc” dst=”/etc/pihole”
    Name=”dnsmasq_pihole” src=”disk1/etc-dnsmasq.d” dst=”/etc/dnsmasq.d”

    /container/envs/add name=pihole_envs key=TZ value="Europe/Sofia"
    /container/envs/add name=pihole_envs key=WEBPASSWORD value="yourpassword"
    /container/envs/add name=pihole_envs key=DNSMASQ_USER value="root"
    /container/mounts/add name=etc_pihole src=disk1/etc dst=/etc/pihole
    /container/mounts/add name=dnsmasq_pihole src=disk1/etc-dnsmasq.d dst=/etc/dnsmasq.d

  14. Configure the container service on MikroTik by going to the Container tab and clicking on “Config”. Then set:
    RAM High: Max ram usage in MB, set 0 for unlimited
    Registry URL:
    Tmp dir: disk1/pull
    MikroTik Docker settings

    /container/config/set registry-url= tmpdir=disk1/pull

  15. Now we will create the container, click on “+” and enter:
    Remote Image: pihole/pihole:latest
    Interface: veth1 (the virtual interface you created)
    Envlist: pihole_envs
    Root Dir: disk1/pihole
    Mounts: etc_pihole and dnsmasq_pihole
    MikroTik first docker instance

    /container/add remote-image=pihole/pihole:latest interface=veth1 root-dir=disk1/pihole mounts=dnsmasq_pihole,etc_pihole envlist=pihole_envs

    Then click apply and wait for the package to be downloaded and extracted. You can also use local uploaded images in .tar format.

  16. When the package is extracted, click on “Start” to run your container
    Starting the Docker container

    /container/start 0

  17. To control Pi-hole, we will need to create a port forwarding rule in our Firewall. Go to IP>Firewall>NAT and click on “+”. Enter:

    Chain: dstnat
    Protocol: TCP
    Dst. Address: address of your choice in your subnets or your CHR’s IP address.
    Dst. Port: Port of your choice
    action: dst-nat
    To Addresses: Your docker container (virtual interface) IP address
    To Ports: 80(HTTP)
    Making a DST NAT for Pihole
    Setting the DST NAT to the pihole

    /ip firewall nat add action=dst-nat chain=dstnat dst-address=YourMCHRIP dst-port=PortOfYourChoice protocol=tcp to-addresses= to-ports=80

  18. Set the DNS servers to the newly created docker container on MikroTik. Click on IP>DNS and set the servers to the docker container (virtual interface) IP address
    DNS setting

    /ip dns set servers=

  19. Enter the IP address and port in your browser and now you’re in your Pi-hole. Click on the link to enter the Admin Panel.
    Pi-hole landing page

  20. Log in to the admin panel. Your password is the value of the WEBPASSWORD env you set in step 13.
    Pi-hole login page

  21. And you’re done. Continue setting up Pi-hole with your favourite adblock lists.
    Pi-hole Admin Panel
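
A hardened variant of steps 2 and 17, as an added example that is not part of the original tutorial: it limits the router's management services and the Pi-hole port forward to one admin address, then lists what is configured under the container menu. The addresses 203.0.113.10, 198.51.100.5 and 172.17.0.2, the port 8080 and the list name pihole-admin are placeholders chosen for illustration.

```routeros
# Added example. Placeholders (constructed, not taken from the tutorial):
#   203.0.113.10  public IP of the admin workstation
#   198.51.100.5  public IP of the CHR
#   172.17.0.2    IP of the Pi-hole container (veth1)
#   8080          public port chosen in step 17

# Step 2: turn off management services you do not use and limit the
# remaining ones to the admin address. Put your own IP here before
# applying, otherwise you lose Winbox/SSH access to the router.
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh address=203.0.113.10/32
/ip service set winbox address=203.0.113.10/32

# Step 17 as written in the tutorial (left commented out): with no source
# restriction, any host that can reach the CHR gets the Pi-hole login page.
# /ip firewall nat add action=dst-nat chain=dstnat dst-address=198.51.100.5 dst-port=8080 protocol=tcp to-addresses=172.17.0.2 to-ports=80

# Restricted form: only sources on the pihole-admin list are forwarded.
/ip firewall address-list add list=pihole-admin address=203.0.113.10 comment="may reach Pi-hole UI"
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-address=198.51.100.5 dst-port=8080 src-address-list=pihole-admin to-addresses=172.17.0.2 to-ports=80 comment="Pi-hole admin (restricted)"

# Review: device-mode shows whether containers are enabled; the print
# commands list every container, mount and env defined on the router,
# so an entry you did not create stands out.
/system/device-mode/print
/container/print
/container/mounts/print
/container/envs/print
```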


In case you have any questions, do not hesitate to contact us.
