The MikroTik router serves as the network gateway, firewall, and DHCP server for the entire homelab at 192.168.88.1.
| Function | Details |
|---|---|
| IP Address | 192.168.88.1 |
| LAN Subnet | 192.168.88.0/24 |
| DHCP | Serves LAN clients with static leases for all infrastructure |
| DNS | Forwards DNS queries to Technitium instances (K8s + MikroTik container) |
| WAN Interface | WAN-VNPT (in WAN interface list) |
| VLANs | vlan88-work (192.168.88.0/24), vlan20-home (192.168.20.0/24) — isolated from each other |
| WireGuard | wireguard1, 192.168.100.0/24, UDP 13231 — clients get full LAN access |
| Firewall | NAT, VLAN isolation, geo-blocking (Vietnam ALLOWED_COUNTRIES list) |
| Syslog | Sends logs to Vector (K8s) via UDP port 514 |
| Containers | RouterOS container runtime — runs cloudflared and (optionally) Technitium |
| Router Backup | Daily RSC export → MinIO FTP → ntfy notification |
The MikroTik forwards all DNS queries to Technitium instances:
This ensures all LAN clients benefit from ad-blocking (blocklists), DNSSEC validation, and custom local DNS resolution without any client-side configuration. The MikroTik-hosted instance stays available during K8s cluster outages.
MikroTik router logs are sent via UDP syslog to a Vector DaemonSet running in Kubernetes. Vector parses the BSD syslog format and forwards structured logs to VictoriaLogs:
Fields extracted: `_msg`, `_time`, `topic`, `host`, `source: mikrotik`.
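As an added example (not the page's Vector configuration), the parsing step above in plain Python: it turns MikroTik BSD-syslog lines into the field set listed here and pulls router logins out of the `account` topic, which is the event a homelab operator most wants to watch. It assumes RouterOS emits `<PRI>Mon dd HH:MM:SS hostname topic,list message` and uses constructed sample lines.

```python
import re
from datetime import datetime

# Constructed sample lines (not captured from the router). Assumed shape of RouterOS
# remote logging with bsd-syslog enabled: <PRI>Mon dd HH:MM:SS hostname topic,list message
SAMPLE_LINES = [
    "<30>Mar 10 03:00:01 mikrotik system,info,account "
    "user admin logged in from 192.168.88.50 via ssh",
    "<134>Mar 10 03:00:05 mikrotik firewall,info forward: in:WAN-VNPT out:vlan88-work, "
    "proto TCP (SYN), 203.0.113.7:51234->192.168.88.19:443, len 60",
    "<14>Mar 10 03:00:07 mikrotik script,info Backup-Run: export complete",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                               # PRI = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "  # BSD timestamp, no year
    r"(?P<host>\S+) "                                    # router hostname
    r"(?P<topics>[a-z0-9,]+) "                           # RouterOS topic list
    r"(?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"user (?P<user>\S+) logged in from (?P<ip>[\d.]+) via (?P<svc>\w+)")


def parse_mikrotik_syslog(line, year=2025):
    """Return the VictoriaLogs-style record for one line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # year supplied by collector
    return {
        "_msg": m["msg"],
        "_time": ts.isoformat(),
        "topic": m["topics"],
        "host": m["host"],
        "source": "mikrotik",
        "facility": pri >> 3,  # 30 -> 3 (daemon), 134 -> 16 (local0)
        "severity": pri & 7,   # 6 = info
    }


def login_events(lines, year=2025):
    """Pull router logins (topic list contains 'account') out of a batch of lines."""
    found = []
    for line in lines:
        ev = parse_mikrotik_syslog(line, year)
        if ev and "account" in ev["topic"].split(","):
            hit = LOGIN_RE.search(ev["_msg"])
            if hit:
                found.append({**hit.groupdict(), "_time": ev["_time"]})
    return found
```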
All infrastructure hosts have static DHCP leases to maintain consistent IP assignments:
| IP | Hostname | MAC (example) |
|---|---|---|
| 192.168.88.12 | traefik-vip | (MetalLB virtual) |
| 192.168.88.19 | synology-nas | (Synology NIC) |
| 192.168.88.100 | proxmox | (Proxmox NIC) |
| 192.168.88.247-250 | k8s-node-* | (VM NICs) |
MikroTik metrics are collected via SNMP by the SNMP exporter running on the utility server (192.168.88.245) or Synology NAS. The metrics are scraped by vmagent and visualized in Grafana using the Mikrotik dashboard (Grafana ID: 14857).
See the full Network Topology page for all IP assignments and service URLs.
MikroTik supports running OCI-compatible (Docker) containers natively via the RouterOS Container feature. Containers require ARM64 images and run in isolated veth networks.
Containers use a dedicated virtual ethernet interface separate from the main LAN:
| Interface | Subnet | Purpose |
|---|---|---|
| veth-cloudflared | 192.168.202.0/24 | cloudflared container network |
| MikroTik IP on veth | 192.168.202.1/24 | Container gateway |
| cloudflared container IP | 192.168.202.2/24 | Container address |
Firewall rules allow bidirectional traffic between the container subnet and the LAN (192.168.88.0/24). A srcnat masquerade rule on the vlan88-work interface translates the container IP to the router's LAN IP (192.168.88.1), so the NAS and other LAN hosts see the traffic coming from a known IP and can route replies back.
| Container | Image | Network | Purpose |
|---|---|---|---|
| app-cloudflared | docker.io/cloudflare/cloudflared:latest | 192.168.202.2/24 | Cloudflare Tunnel — exposes public hostnames without port forwarding |
cloudflared config:
- `cmd="tunnel run"` (default CMD is `version` — must override)
- `env=TUNNEL_TOKEN=<token>` — token managed in Cloudflare Zero Trust dashboard
- `dns=192.168.88.11` — uses Technitium for name resolution
- `start-on-boot=true`, `auto-restart-interval=1m`

Generic recipe for adding a new container (replace `<app>`, `<image>`, `<command>`, `<KEY>=<VALUE>` and the `192.168.X.0/24` subnet):

```routeros
# 1. Create veth interface
/interface veth add name=veth-<app> address=192.168.X.1/24
# 2. Add bridge (if needed) or use the veth directly
# 3. Create container
/container add remote-image=<image> interface=veth-<app> \
    cmd="<command>" env=<KEY>=<VALUE> dns=192.168.88.11 \
    start-on-boot=yes auto-restart-interval=1m
# 4. Add firewall forward rules
/ip firewall filter add chain=forward in-interface=vlan88-work \
    out-interface=veth-<app> action=accept comment="LAN to <app>"
/ip firewall filter add chain=forward in-interface=veth-<app> \
    out-interface=vlan88-work action=accept comment="<app> to LAN"
# 5. Add srcnat masquerade (so LAN hosts can route replies to the container)
/ip firewall nat add chain=srcnat src-address=192.168.X.0/24 \
    out-interface=vlan88-work action=masquerade comment="<app> container NAT"
```
RouterOS is backed up daily via scheduled script. See Backup Strategy — MikroTik for full details.
Quick reference:
| Setting | Value |
|---|---|
| Script | Backup-Run |
| Scheduler | Daily-Backup-Job at 03:00 |
| Policy | ftp,read,write,test,password,sensitive |
| Output | RSC file via `/export show-sensitive` |
| Destination | MinIO router-backups bucket via FTP port 2121 |
| Notification | ntfy homelab-ops topic |
| Cleanup | Backup-Cleanup script deletes files >30 days |
SSH access to the router:

```shell
ssh -i ~/.ssh/id_ed25519 -o KexAlgorithms=curve25519-sha256 [email protected]
```