The MikroTik router serves as the network gateway, firewall, and DHCP server for the entire homelab at 192.168.88.1.
| Function | Details |
|---|---|
| IP Address | 192.168.88.1 |
| LAN Subnet | 192.168.88.0/24 |
| DHCP | Serves LAN clients with static leases for all infrastructure |
| DNS | Forwards DNS queries to Technitium instances (K8s + MikroTik container) |
| WAN Interface | WAN-VNPT (in WAN interface list) |
| VLANs | vlan88-work (192.168.88.0/24), vlan20-home (192.168.20.0/24) — isolated from each other |
| WireGuard | wireguard1, 192.168.100.0/24, UDP 13231 — clients get full LAN access |
| Firewall | NAT, VLAN isolation, geo-blocking (Vietnam ALLOWED_COUNTRIES list) |
| Syslog | Sends logs to Vector (K8s) via UDP port 514 |
| Containers | RouterOS container runtime — runs cloudflared and (optionally) Technitium |
| Router Backup | Daily RSC export → MinIO FTP → ntfy notification |
The MikroTik forwards all DNS queries to Technitium instances:
This ensures all LAN clients benefit from ad-blocking (blocklists), DNSSEC validation, and custom local DNS resolution without any client-side configuration. The MikroTik-hosted instance stays available during K8s cluster outages.
MikroTik router logs are sent via UDP syslog to a Vector DaemonSet running in Kubernetes. Vector parses the BSD syslog format and forwards structured logs to VictoriaLogs:
Fields extracted: _msg, _time, topic, host, source: mikrotik
All infrastructure hosts have static DHCP leases to maintain consistent IP assignments:
| IP | Hostname | MAC (example) |
|---|---|---|
| 192.168.88.12 | traefik-vip | (MetalLB virtual) |
| 192.168.88.19 | synology-nas | (Synology NIC) |
| 192.168.88.100 | proxmox | (Proxmox NIC) |
| 192.168.88.247-250 | k8s-node-* | (VM NICs) |
MikroTik metrics are collected via SNMP by the SNMP exporter running on the utility server (192.168.88.245) or Synology NAS. The metrics are scraped by vmagent and visualized in Grafana using the Mikrotik dashboard (Grafana ID: 14857).
See the full Network Topology page for all IP assignments and service URLs.
MikroTik supports running OCI-compatible (Docker) containers natively via the RouterOS Container feature. Containers require ARM64 images and run in isolated veth networks.
Each container has its own dedicated veth interface and /24 subnet so they are isolated from each other and from the main LAN. The MikroTik holds .1 in every container subnet (gateway role); the container itself uses .2 (single-instance services) or .100 (apps with extra address space reserved for future siblings).
| Interface | Subnet | Container | Purpose |
|---|---|---|---|
veth-upsnap |
192.168.200.0/24 |
app-upsnap (.100) |
UpSnap WoL controller |
veth-cloudflared |
192.168.202.0/24 |
app-cloudflared (.2) |
Cloudflare tunnel terminator |
veth-uptime-kuma |
192.168.203.0/24 |
app-uptime-kuma (.100) |
Uptime Kuma |
| (router-internal) | — | app-technitium |
Tertiary Technitium DNS instance (AXFR secondary, no LAN-routable IP) |
Firewall rules allow bidirectional traffic between each container subnet and LAN (192.168.88.0/24). A srcnat masquerade on vlan88-work translates the container source IP to the router's LAN IP (192.168.88.1) so NAS and other LAN hosts see traffic from a known IP and can route replies back.
Subnet history (2026-04-28): Uptime Kuma was originally given
192.168.202.100on the cloudflared veth, which conflicted with cloudflared's own forwarding rules. Moving it to its ownveth-uptime-kuma/192.168.203.0/24cleared the conflict. Always give a new container its own veth subnet rather than squatting in an existing one.
| Container | Image | Network | Purpose |
|---|---|---|---|
app-cloudflared |
cloudflare/cloudflared |
192.168.202.2/24 |
Cloudflare tunnel homelab-k8s — exposes 7 public hostnames (wiki/ntfy/vault/tracker/auth/accounts/dns.vyanh.uk) without port forwarding |
app-upsnap |
seriousm4x/upsnap |
192.168.200.100/24 |
Wake-on-LAN web UI at wol.homelab.vyanh.uk (proxied via K8s nas-ingress HTTPRoute → Endpoint pointing at this container) |
app-uptime-kuma |
louislam/uptime-kuma |
192.168.203.100/24 |
Status page + monitors — moved off NAS Docker on 2026-04-28; serves uptime.homelab.vyanh.uk and status.vyanh.uk |
app-technitium |
technitium/dns-server |
router-internal | Tertiary Technitium instance (AXFR secondary of K8s primary). Lives in MikroTik so DNS still resolves if the entire K8s cluster is down. |
cloudflared config:
cmd="tunnel run" (default CMD is version — must override)env=TUNNEL_TOKEN=<token> — token managed in Cloudflare Zero Trust dashboarddns=192.168.88.11 — uses Technitium for name resolutionstart-on-boot=true, auto-restart-interval=1mWhy apps run on the router:
app-cloudflared — moving it off K8s means the public tunnel stays up during full cluster outages.app-upsnap — UpSnap needs to send WoL magic packets directly onto the LAN broadcast; that's awkward from a Cilium overlay pod.app-uptime-kuma — keeping the status page outside the cluster keeps the alerting honest. If K8s is dead, the monitor that tells me K8s is dead must not also be dead.app-technitium — tertiary DNS for the same disaster-recovery reason; described in DNS.# 1. Create veth interface
/interface veth add name=veth-<app> address=192.168.X.1/24
# 2. Add bridge (if needed) or use the veth directly
# 3. Create container
/container add remote-image=<image> interface=veth-<app> \
cmd="<command>" env=<KEY>=<VALUE> dns=192.168.88.11 \
start-on-boot=yes auto-restart-interval=1m
# 4. Add firewall forward rules
/ip firewall filter add chain=forward in-interface=vlan88-work \
out-interface=veth-<app> action=accept comment="LAN to <app>"
/ip firewall filter add chain=forward in-interface=veth-<app> \
out-interface=vlan88-work action=accept comment="<app> to LAN"
# 5. Add srcnat masquerade (so LAN hosts can route replies to container)
/ip firewall nat add chain=srcnat src-address=192.168.X.0/24 \
out-interface=vlan88-work action=masquerade comment="<app> container NAT"
RouterOS is backed up daily via scheduled script. See Backup Strategy — MikroTik for full details.
Quick reference:
| Setting | Value |
|---|---|
| Script | Backup-Run |
| Scheduler | Daily-Backup-Job at 03:00 |
| Policy | ftp,read,write,test,password,sensitive |
| Output | RSC file via /export show-sensitive |
| Destination | MinIO router-backups bucket via FTP port 2121 |
| Notification | ntfy homelab-ops topic |
| Cleanup | Backup-Cleanup script deletes files >30 days |
ssh -i ~/.ssh/id_ed25519 -o KexAlgorithms=curve25519-sha256 [email protected]