RouterOS v7 introduced a game‑changing feature: container support. You can now run lightweight Linux containers – like Pi‑hole, AdGuard Home, Unbound, or even WireGuard clients – directly on your MikroTik router. No need for a separate Raspberry Pi or server. This guide walks you through the entire process, from enabling container mode to deploying your first container.
Why Run Containers on Your Router?
- Save hardware – Use the router you already own as an application platform.
- Reduce latency – DNS filtering or caching happens on‑device.
- Simplify management – One device instead of a router plus separate mini‑PC.
- Learn modern tech – Experiment with Docker‑style containers on networking hardware.
Prerequisites
- MikroTik router with RouterOS v7.11 or later (container support is stable in newer v7 versions).
- ARCH = arm64, arm, or x86_64 (check:
/system resource print). - At least 1GB of RAM (2GB+ recommended).
- Storage: a USB drive or microSD card (routerboard internal flash is too small).
- Basic Linux command line knowledge (helpful but not required).
Step 1: Prepare Storage for Containers
Containers require a separate ext4‑formatted partition. Most internal flash is too small and not recommended. Use a USB drive or SD card.
1.1 Insert and format the drive
/disk print
/disk format-drive 0 file-system=ext4Replace 0 with your disk number. This will erase the drive. Once formatted, RouterOS will automatically mount it (usually under /disk1).
1.2 Set the container directory
/container config set registry-url=https://registry-1.docker.io tmpdir=disk1/containerCreate the directory:
/file mkdir disk1/containerStep 2: Enable Container Mode
You may need to enable container support if it's not already active.
/container config set ram-high=0 (unlimited)
/container config set logging=yesStep 3: Pull a Container Image
Let's pull a small Alpine Linux container to test with.
/container add remote-image=alpine:latest interface=veth1 root-dir=disk1/container/alpineNote the container ID from the output. Then start it:
/container start 0Enter the container shell to verify:
/container shell 0You're now inside Alpine. Type exit to leave.
Step 4: Set Up Networking for Containers
Containers need a dedicated virtual Ethernet interface (veth) and an IP address. Create a bridge for containers (optional but clean).
/interface bridge add name=bridge-containers
/ip address add address=172.18.0.1/24 interface=bridge-containersWhen adding a container, specify the veth interface and assign an IP from this subnet.
Step 5: Deploy a Real Container – Pi‑hole (DNS Ad Blocker)
Pi‑hole blocks ads network‑wide. Here's how to run it on MikroTik.
5.1 Pull Pi‑hole image
/container add remote-image=pihole/pihole:latest interface=veth1 root-dir=disk1/container/pihole envlist="TZ=UTC, WEBPASSWORD=yourpassword"Set environment variables: TZ (timezone), WEBPASSWORD (admin password).
5.2 Configure container networking
/interface veth add name=veth1 address=172.18.0.2/24 gateway=172.18.0.1Then assign this veth to the container:
/container set 0 veth=veth15.3 Start and check
/container start 0
/container printAccess Pi‑hole web interface at http://172.18.0.2/admin.
5.4 Point your LAN clients to Pi‑hole
Set the container's IP as the DNS server in DHCP:
/ip dhcp-server network set [find] dns-server=172.18.0.2Step 6: Deploy AdGuard Home (Alternative DNS Filter)
AdGuard Home is another popular DNS sinkhole with a more modern UI.
/container add remote-image=adguard/adguardhome:latest interface=veth2 root-dir=disk1/container/adguard
/interface veth add name=veth2 address=172.18.0.3/24 gateway=172.18.0.1
/container set 1 veth=veth2
/container start 1AdGuard Home listens on port 80 inside the container. You need to expose it.
/container add host-ports=8080:80Then access at http://172.18.0.3:8080 for initial setup.
Step 7: Advanced – Running Unbound (Recursive DNS Resolver)
Unbound performs DNS resolution directly from root servers, increasing privacy.
/container add remote-image=mvance/unbound:latest interface=veth3 root-dir=disk1/container/unbound envlist="TZ=UTC"
/interface veth add name=veth3 address=172.18.0.4/24 gateway=172.18.0.1
/container set 2 veth=veth3
/container start 2Configure Unbound via its config file inside the container (requires /container shell 2 and editing /opt/unbound/etc/unbound/unbound.conf).
Step 8: Persistence and Auto‑Start
To make containers start automatically after router reboot, set:
/container set 0 auto-start=yes
/container set 1 auto-start=yesStep 9: Monitoring and Logs
View container logs:
/container log print where container=0Check resource usage:
/container print detailMonitor CPU/RAM:
/tool profileTroubleshooting Containers on MikroTik
- Container won't start: Check
/container logfor errors. Common issues: missing veth interface, insufficient storage, unsupported architecture. - No internet from inside container: Ensure the veth interface is assigned and the container's gateway is correct. Also verify that NAT masquerade includes the container bridge:
/ip firewall nat add chain=srcnat src-address=172.18.0.0/24 action=masquerade. - High CPU usage: Containers share router CPU. Pi‑hole on a low‑end device (e.g., hEX) may cause high load. Use a RB5009, CCR, or CHR for heavy containers.
- Disk full or mount errors: Use external USB 3.0 drive or SD card. Avoid internal flash.
Hardware Recommendations for Containers
| Router Model | Container Capability | Best For |
|---|---|---|
| hEX (RB750Gr3) | Minimal – one light container (e.g., Alpine) with low traffic | Testing only |
| RB5009, RB4011 | Good – Pi‑hole, AdGuard, or Unbound with moderate traffic | Home/SMB |
| CCR2004, CCR2116 | Excellent – multiple containers, heavy DNS caching | ISP/Enterprise |
| CHR (on VM) with 2+ cores | Great – run many containers | Homelabs, cloud |
Security Considerations
- Keep container images updated (pull fresh tags periodically).
- Do not run containers as
rootif avoidable (check container documentation). - Restrict container internet access via firewall if not needed.
- Use
/container envlistsafely – avoid plaintext secrets; use RouterOS secrets where possible.
Real‑World Use Cases
Home Network with Ad Blocking
Run Pi‑hole in a container on your RB5009. Set DHCP DNS to the container's IP. Every device on your network gets ad blocking automatically, with zero configuration.
Small Business with Local DNS Caching
Deploy Unbound container to resolve internal hostnames and cache external queries. Improves browsing speed and reduces dependency on external DNS providers.
ISP Edge Router with Custom Monitoring
Run a Prometheus node exporter or speedtest container to gather metrics and schedule periodic speed tests.
Conclusion
Containers on RouterOS v7 open up a world of possibilities. Start with a simple Alpine container to verify the setup, then deploy Pi‑hole or AdGuard Home for immediate benefit. For production, invest in a router with sufficient RAM and CPU, and always use external storage. Containers are still evolving on MikroTik – keep your RouterOS updated and check release notes for new features.
Next steps: explore running WireGuard in a container (advanced), or set up Docker Compose equivalents using RouterOS scripts. For deeper learning, read MikroTik's official Container Documentation.