
Beginner Basics • Pihole on MikroTik Container with IPv4 and IPv6 support

1. Enable Container support

This mainly means changing the device mode to allow running containers. Also install the container package. Containers are only supported on ARM64 and X86.
Code:
/system/device-mode/update container=yes
Instructions on how to change device mode can be found here https://help.mikrotik.com/docs/spaces/R ... quirements.

2. Set up a VETH for pihole

Pihole wants to use ports 53 (DNS), 80 (HTTP) and 443 (HTTPS), which might already be in use by ROS. It can also act as a DHCP server, and wants to send and receive NDP packets. This means bridging is a better option than NAT, giving the Pihole a unique address instead of hiding it behind the host. We set up the VETH interface:
Code:
/interface veth add address=192.168.105.250/24 gateway=192.168.105.1 gateway6="" name=veth1
Obviously adapt the subnet (192.168.105.x) to your own. We leave out any IPv6 addresses or gateway, since IPv6 container support in ROS is not reliable. (A general word of caution, just stopping/starting a container is not reliable for testing - there seems to be quite some invisible state persisting. All steps explained here were tested with a blank router, and afterwards multiple reboots.)

Another problem with VETH interfaces is that their MAC address will be randomized every time the router reboots. That means:
  • Using DHCP for static IPv4 reservations is impossible - a static address needs to be set
  • SLAAC will assign a different IPv6 address as well, even for link-local and ULA, even with their prefixes being static
  • Since Pihole is going to be our DNS server, it needs to have a static address anyway, and can't be resolved through a name
Add the veth1 interface as a port to your local bridge:
Code:
/interface bridge port add bridge=bridge interface=veth1

3. Create the container

Most MikroTik devices won't have enough space on internal flash, so you will either have to install a USB drive, or an NVMe drive. After formatting, set up the tmp directory (with your path):
Code:
/container config set tmpdir=usb1/tmp
Set up environment variables (change mysecretpwd to your liking):
Code:
/container envs
add key=TZ name=pihole_envs value=Europe/Berlin
add key=WEBPASSWORD name=pihole_envs value=mysecretpwd
add key=DNSMASQ_USER name=pihole_envs value=root
add key=FTLCONF_webserver_api_password name=pihole_envs value=mysecretpwd
add key=EDNS0_ECS name=pihole_envs value=true
And the mount for etc (adapt path to your own drive):
Code:
/container mounts add dst=/etc/pihole name=pihole_etc src=/usb1/pihole_etc
Finally create the container:
Code:
/container/add interface=veth1 root-dir=usb1/pihole envlist=pihole_envs mounts=pihole_etc hostname=pihole logging=yes remote-image=index.docker.io/pihole/pihole:nightly start-on-boot=yes cmd="-c \"/sbin/ip -6 route add default via fe80::0 dev eth0 && /sbin/ip -6 addr add fe80::1/64 dev eth0 && start.sh\"" entrypoint=/bin/sh
The tricky part is the cmd and entrypoint. It instructs pihole to install a default route and a static IPv6 address and only then run the actual service. You might need to change fe80::0 to your actual router address, and fe80::1/64 will be the IPv6 address of your pihole, which you might want to change as well.

Afterwards start the container. If everything went well:
  • Your pihole will be available under 192.168.105.250 (or whatever static address you assigned)
  • Your pihole will be available under fe80::1 (or whatever static address you assigned)
  • Your pihole should be able to connect to IPv4 and IPv6 upstream DNS servers on the internet (it takes a few seconds for pihole after starting to receive the RA and generate a GUA via SLAAC)
  • You can log in with "mysecretpwd" instead of the tedious auto-assigned password (you can change the value in the environment variables)
Then you can either assign forwarders, or instruct your DHCP server to assign the pihole as the primary DNS, or even use pihole itself as a DHCP server. Making clients contact pihole instead of your normal router as a DNS is beyond the scope of this post. I personally choose to assign the pihole IPv4 and IPv6 addresses as the primary DNSes in my router.

If you tested this, and have any additions, please comment. Tested on 7.18.2 (stable).

Statistics: Posted by graealex — Mon Apr 21, 2025 3:09 pm
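Step 2 says a randomized VETH MAC gives a different SLAAC address after every reboot, even when the link-local and ULA prefixes stay the same. The sketch below is an added example, not part of the original post: it derives the modified EUI-64 address for two boots. It assumes the container's kernel uses EUI-64 address generation; the MAC addresses and the ULA prefix are constructed sample values.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host would form under `prefix` (assumption: EUI-64 generation)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

# Constructed sample values: the prefixes stay static, the MAC changes per boot.
PREFIXES = {"link-local": "fe80::/64", "ULA": "fd00:1234:5678:1::/64"}
BOOT_MACS = ["02:11:22:33:44:55", "06:aa:bb:cc:dd:ee"]

def addresses_per_boot(prefixes, macs):
    """One {prefix name: address} mapping per boot, i.e. per randomized MAC."""
    return [{name: slaac_address(p, mac) for name, p in prefixes.items()}
            for mac in macs]

if __name__ == "__main__":
    for mac, addrs in zip(BOOT_MACS, addresses_per_boot(PREFIXES, BOOT_MACS)):
        for name, addr in addrs.items():
            print(f"{mac}  {name:10}  {addr}")
```

The host part of each address follows the MAC, which is why the post pins fe80::1/64 through the container's cmd instead of relying on SLAAC for the address handed out to clients.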


