Attention MikroTik enthusiasts! It’s time to explore the world of Containers! MikroTik’s implementation of Linux containers allows users to run containerized environments within RouterOS. This feature was introduced in version 7 of the operating system.
Personally, I’ve decided to leverage my MikroTik Cloud Hosted Router (CHR) to host my WordPress blog, complete with a multisite network. You may ask, “why?” Well, as George Bernard Shaw once said, “There are those who look at things the way they are and ask why…I dream of things that never were, and ask why not?”
Great, let’s break down your plan into several steps:
- Initial CHR configuration:
- Install container-7.X.npk package
- Enable Container mode on your router
- Configure the VETH interface and a bridge to create a network
- Configure IP Masquerade for NAT
- Docker-specific settings:
- Add Docker image repository
- Identify and add necessary environment variables and mounts
- Run the containers
- Port forwarding:
- Set up destination NAT to allow traffic to reach the containers from the Internet
- Cloudflare Zero Trust Tunnel:
- Set up a Cloudflare Zero Trust Tunnel to provide secure access to the containers from a remote location
Please, consider the selected approach as a concept and adopt it as you prefer.
Initial CHR configuration
Enabling the container mode is a necessary step to run containerized environments within RouterOS. Here’s how to do it on MikroTik RouterOS:
A cold reboot, a stop-start (a soft restart will do the job), was needed:
/system/device-mode/print mode: enterprise container: yes
Great, configuring the VETH interfaces is an important step for container networking. Here’s an example of how to set up the VETH interfaces on your MikroTik CHR:
/interface/veth/ add address=18.104.22.168/24 gateway=22.214.171.124 name=WORDPRESS add address=126.96.36.199/24 gateway=188.8.131.52 name=MYSQL add address=184.108.40.206/24 gateway=220.127.116.11 name=PHPMYADMIN
You can adjust the IP addresses and interface names to fit your specific network setup.
To create a bridge interface and add the VETH interfaces as ports, you can use the following commands in the MikroTik RouterOS terminal:
/interface/bridge/ add name=docker /interface/bridge/port/ add bridge=docker interface=WORDPRESS add bridge=docker interface=MYSQL add bridge=docker interface=PHPMYADMIN
As the bridge interface (named docker) is the gateway, then IP is needed:
/ip/address/ add address=18.104.22.168/24 interface=docker network=22.214.171.124
To assign an IP address to the bridge interface, you can use the following command:
/ip/firewall/nat/ add action=masquerade chain=srcnat src-address=126.96.36.199/24
To pull an image from Docker Hub, you can use:
/container/config/ set registry-url=https://registry-1.docker.io tmpdir=disk1/pull
Yes, that’s correct. When running a Docker container, it’s important to specify any necessary mounts to ensure that important data (such as the database files or website content) is saved outside of the container itself. This allows the container to be destroyed and re-created without losing any important data.
/container/mounts/ add dst=/var/www/html name=wordpress_html src=/disk1/docker/wordpress/html add dst=/docker-entrypoint-initdb.d name=mysql_dump src=/disk1/docker/mysql/dump add dst=/var/lib/mysql name=mysql_data src=/disk1/docker/mysql/data
Adding environment variables can be very helpful to configure and customize the behavior of the container. It allows you to pass runtime parameters to the container that affect its operation, such as setting configuration values or specifying authentication credentials
/container/envs/ add name=MYSQL key=MYSQL_DATABASE value=wordpress add name=MYSQL key=MYSQL_ROOT_PASSWORD value=t00R add name=MYSQL key=MYSQL_USER value=wordpress add name=MYSQL key=MYSQL_PASSWORD value=dr0wssaP add name=WORDPRESS key=WORDPRESS_DB_HOST value=188.8.131.52 add name=WORDPRESS key=WORDPRESS_DB_USER value=wordpress add name=WORDPRESS key=WORDPRESS_DB_PASSWORD value=dr0wssaP add name=WORDPRESS key=WORDPRESS_DB_NAME value=wordpress add name=WORDPRESS key=WORDPRESS_TABLE_PREFIX value=wp_ add name=PHPMYADMIN key=PMA_HOST value=184.108.40.206
Here are the commands to add the latest versions of the official Docker images for WordPress, MySQL, and phpMyAdmin:
/container add remote-image=wordpress:latest envlist=WORDPRESS hostname=wordpress interface=WORDPRESS mounts=wordpress_html root-dir=disk1/docker/wordpress/WORDPRESS add remote-image=phpmyadmin:latest envlist=PHPMYADMIN hostname=phpmyadmin interface=PHPMYADMIN root-dir=disk1/docker/cloudflare/PHPMYADMIN add remote-image=mysql:latest envlist=MYSQL hostname=mysql interface=MYSQL mounts=mysql_data,mysql_dump root-dir=disk1/docker/mysql/MYSQL
To start the containers*
/container/start number=2 /container/start number=0 /container/start number=1 /container/start number=3
- Change the RouterOS default web access (www) port from 80 appropriate (/ip/service/set www port=8081)
- Set containers to start on boot (/container/set start-on-boot=yes 0,1,2,3)
- What until MySQL is up and ready, then start the WORDPRESS container
- Enable logging, if you what to have the logs for troubleshooting (/container/set logging=yes 0,1,2,3) and review your logs (/log/print follow)
- Be consistent with your name convention
Port forwarding (Setup destination NAT)
If you have a public IP address on your router, a simple port forwarding will help you to provide access to your WordPress blog (and phpMyAdmin) from the Internet.
/ip/firewall/nat/ add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=220.127.116.11 to-ports=80 add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=18.104.22.168 to-ports=80
It sounds like you have successfully set up your WordPress blog and database on MikroTik RouterOS using Docker containers. Congratulations! To access your WordPress installation from the internet, you can use the public IP address of your router and the port that you forwarded to your WordPress container. You can also access phpMyAdmin to manage your database by appending:8080 to your WordPress URL.
Just keep in mind that exposing your WordPress blog to the internet can also make it vulnerable to attacks. It’s important to implement security measures, such as using strong passwords, keeping your WordPress and plugins up-to-date, and using a security plugin to protect your site from malicious attacks. You may also want to consider using Cloudflare or other content delivery networks to protect your website from DDoS attacks and other threats.
Looking forward to it! Let me know if you have any questions or need any assistance.