Running gateway on MikroTik routers

By leveraging the ability of some MikroTik routers to run Docker containers it is possible to deploy the gateway directly on your router.

Proceed with extra caution when working with your core infrastructure. All official RouterOS container warnings still apply.

Prerequisites

  • RouterOS device with ARM or ARM64 architecture (popular homelab choices include RB4011 or RB5009)

  • Container package installed and enabled

  • a running defguard core instance with a WireGuard location configured

  • (optional) a self-signed certificate generated by following the gRPC SSL setup guide

Setup

This guide assumes you do not have other Docker containers deployed on your router yet. If this is not the case, adjust accordingly.

The same applies if you have some more specific network configuration requirements.

For brevity we'll be using RouterOS terminal commands, but everything can also be accomplished through the WinBox GUI.

Prepare the network for the Docker container

  • first create a bridge interface for Docker containers and assign it an IP address in a dedicated Docker subnet (172.17.0.0/24 in our example):

/interface/bridge/add name=docker
/ip/address/add address=172.17.0.1/24 interface=docker

  • each container must have a dedicated VETH interface; create a veth1 interface and assign it an IP address in the chosen Docker subnet:

/interface/veth/add name=veth1 address=172.17.0.2/24 gateway=172.17.0.1

  • add the virtual interface to the Docker bridge:

/interface/bridge/port/add bridge=docker interface=veth1

Setup firewall rules

  • set up NAT for outgoing traffic from containers:

/ip/firewall/nat/add chain=srcnat action=masquerade src-address=172.17.0.0/24

  • add a port forwarding rule to send UDP traffic from the public WireGuard port to the gateway container:

/ip/firewall/nat/add chain=dstnat protocol=udp dst-address=<YOUR PUBLIC IP> dst-port=<YOUR PUBLIC WG PORT> action=dst-nat to-addresses=172.17.0.2 to-ports=<YOUR PUBLIC WG PORT>

The container port being forwarded to must match your public WireGuard port.

  • add routing for your chosen WireGuard subnet configured in defguard UI location settings:

/ip/route/add dst-address=<YOUR WG SUBNET> gateway=172.17.0.2

Run gateway container

  • configure environment variables for the gateway container:

/container/envs/add name=defguard_env key=DEFGUARD_TOKEN value=<YOUR TOKEN>
/container/envs/add name=defguard_env key=DEFGUARD_GRPC_URL value=<YOUR DEFGUARD GRPC URL>

  • (optional) to use SSL for communication between the gateway and your defguard instance, copy the root certificate to your router's filesystem and add the following mount and environment variable:

/container/mounts/add name=defguard_cert src=<PATH TO CERT DIR> dst=/certs
/container/envs/add name=defguard_env key=DEFGUARD_GRPC_CA value=/certs/myCA.pem

Put the root certificate in a directory and mount the whole directory. Trying to mount a specific file can cause unexpected issues.

  • add GitHub container registry to config:

/container/config/set registry-url=https://ghcr.io

  • finally create the actual container:

/container/add remote-image=ghcr.io/defguard/gateway:latest interface=veth1 envlist=defguard_env

At this point you should see that the gateway is connected in your defguard instance's web UI.
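The commands above are a single procedure with several placeholders that must agree with each other: the bridge and veth addresses must sit in the Docker subnet, the masquerade and route entries must reuse those same values, and the dstnat rule's dst-port and to-ports must be the same public WireGuard port. The following script is an added example, not part of this guide or of defguard's own tooling. It fills the placeholders from one settings object, checks those consistency requirements before emitting anything, and prints the RouterOS command sequence in the order used above. The sample values (198.51.100.10, 10.6.0.0/24, the token and gRPC URL) are constructed; the optional cert mount adds `mounts=defguard_cert` to `/container/add`, which is a RouterOS parameter not shown in the guide.

```python
"""Emit the RouterOS command sequence from this guide with the placeholders
filled in and checked for consistency first. Added example, not defguard's
own tooling; the RouterOS syntax is the same as in the guide above."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class GatewaySettings:
    public_ip: str                      # <YOUR PUBLIC IP>
    wg_port: int                        # <YOUR PUBLIC WG PORT>
    wg_subnet: str                      # <YOUR WG SUBNET> (location subnet in the defguard UI)
    token: str                          # <YOUR TOKEN>
    grpc_url: str                       # <YOUR DEFGUARD GRPC URL>
    docker_subnet: str = "172.17.0.0/24"
    bridge_ip: str = "172.17.0.1"       # address on the "docker" bridge
    container_ip: str = "172.17.0.2"    # address on veth1
    cert_dir: Optional[str] = None      # <PATH TO CERT DIR>; None skips the SSL mount
    ca_file: str = "myCA.pem"           # file name inside cert_dir


def validate(s: GatewaySettings) -> list[str]:
    """Return the inconsistencies found (an empty list means the settings are usable)."""
    problems: list[str] = []
    try:
        docker_net = ipaddress.ip_network(s.docker_subnet, strict=True)
    except ValueError:
        return [f"docker subnet {s.docker_subnet!r} is not a valid network"]
    for label, addr in (("bridge", s.bridge_ip), ("container", s.container_ip)):
        try:
            if ipaddress.ip_address(addr) not in docker_net:
                problems.append(f"{label} address {addr} is outside {s.docker_subnet}")
        except ValueError:
            problems.append(f"{label} address {addr!r} is not a valid IP address")
    if s.bridge_ip == s.container_ip:
        problems.append("bridge and container addresses must differ")
    try:
        ipaddress.ip_address(s.public_ip)
    except ValueError:
        problems.append(f"public IP {s.public_ip!r} is not a valid IP address")
    if not 1 <= s.wg_port <= 65535:
        problems.append(f"WireGuard port {s.wg_port} is out of range")
    try:
        if ipaddress.ip_network(s.wg_subnet, strict=True).overlaps(docker_net):
            problems.append("WireGuard subnet overlaps the docker subnet")
    except ValueError:
        problems.append(f"WireGuard subnet {s.wg_subnet!r} is not a valid network")
    if not s.token:
        problems.append("DEFGUARD_TOKEN is empty")
    if not s.grpc_url:
        problems.append("DEFGUARD_GRPC_URL is empty")
    return problems


def ros_quote(value: str) -> str:
    """Quote a value for the RouterOS CLI so tokens, URLs or paths with special characters survive."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render(s: GatewaySettings) -> str:
    """Return the full command sequence, in the order the guide applies it."""
    problems = validate(s)
    if problems:
        raise ValueError("; ".join(problems))
    prefix = ipaddress.ip_network(s.docker_subnet).prefixlen
    lines = [
        "/interface/bridge/add name=docker",
        f"/ip/address/add address={s.bridge_ip}/{prefix} interface=docker",
        f"/interface/veth/add name=veth1 address={s.container_ip}/{prefix} gateway={s.bridge_ip}",
        "/interface/bridge/port/add bridge=docker interface=veth1",
        f"/ip/firewall/nat/add chain=srcnat action=masquerade src-address={s.docker_subnet}",
        # dst-port and to-ports carry the same value: the container must listen on the public port
        f"/ip/firewall/nat/add chain=dstnat protocol=udp dst-address={s.public_ip} "
        f"dst-port={s.wg_port} action=dst-nat to-addresses={s.container_ip} to-ports={s.wg_port}",
        f"/ip/route/add dst-address={s.wg_subnet} gateway={s.container_ip}",
        f"/container/envs/add name=defguard_env key=DEFGUARD_TOKEN value={ros_quote(s.token)}",
        f"/container/envs/add name=defguard_env key=DEFGUARD_GRPC_URL value={ros_quote(s.grpc_url)}",
    ]
    mounts = ""
    if s.cert_dir:
        lines += [
            f"/container/mounts/add name=defguard_cert src={ros_quote(s.cert_dir)} dst=/certs",
            f"/container/envs/add name=defguard_env key=DEFGUARD_GRPC_CA value=/certs/{s.ca_file}",
        ]
        mounts = " mounts=defguard_cert"  # attach the mount defined above to the container
    lines += [
        "/container/config/set registry-url=https://ghcr.io",
        "/container/add remote-image=ghcr.io/defguard/gateway:latest interface=veth1"
        f" envlist=defguard_env{mounts}",
    ]
    return "\n".join(lines) + "\n"


# Constructed sample values, not a real deployment.
SAMPLE = GatewaySettings(
    public_ip="198.51.100.10",
    wg_port=51820,
    wg_subnet="10.6.0.0/24",
    token="constructed-token",
    grpc_url="https://defguard.example.com:50055",
    cert_dir="certs",
)

if __name__ == "__main__":
    print(render(SAMPLE), end="")
```

Running the script prints the commands ready to paste into the RouterOS terminal; a settings object whose veth address falls outside the Docker subnet, or whose WireGuard subnet overlaps it, is rejected by `validate` before any command is produced, which is the failure mode that otherwise shows up only as a gateway that never connects.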
