The ZeroTier network hypervisor is a self-contained network virtualization engine that implements an Ethernet virtualization layer similar to VXLAN built atop a cryptographically secure global peer-to-peer network. It provides advanced network virtualization and management capabilities on par with an enterprise SDN switch, but across both local and wide area networks and connecting almost any kind of app or device.
MikroTik has added ZeroTier to RouterOS v7.1rc2 as a separate package for the ARM/ARM64 architecture.
Zerotier has been upgraded to 1.14.0 on 7.17rc6 ROS version.
Wait, so what can I use it for?
- Hosting a game server at home (useful for LAN only games) or simply creating a LAN party with your friends;
- Accessing LAN devices behind NAT directly;
- Accessing LAN devices via SSH without opening port to the Internet;
Level up your networking skills with our flagship MikroTik Masters courses — designed for real-world deployments, hands-on configs, and lifelong access.
Whether you’re just getting started with MikroTik routers or want to master high-performance Wi-Fi and CAPsMAN wireless networks, there’s a course here for you.
One payment, lifetime access.
In this guide, we’ll walk you through setting up WireGuard on your MikroTik router.
If you’ve ever needed to limit download/upload speed for a specific user, subnet, or an entire interface, Mikrotik’s simple queues are an easy way to achieve just that.
Using the built in Mikrotik scripting and email tools is an easy way to create automatic backups, that are emailed to you everyday at scheduled times. This guide will give you a detailed walk through of the 3 parts to setting this up.
Netinstall is a tool for installing and reinstalling MikroTik devices running RouterOS. Always try using Netinstall if you suspect that your device is not working properly. The tool is available for Windows (with a graphical interface) and for Linux (as a command line tool).
In short, the Netinstall procedure goes like this: Connect your PC directly to the boot port (Usually Ether1, the port labeled BOOT or as otherwise indicated in the product manual) of the device you will be reinstalling. Turn on the device while holding the reset button until it shows up in the Netinstall tool.
Careful. Netinstall re-formats the system's drive, all configuration and saved files will be lost. Netinstall does not erase the RouterOS license key, nor does it reset RouterBOOT related settings, for example, CPU frequency is not changed after reinstalling the device.
///
Traffic graphs will be deleted. Backup and restore if this history is desirable.
RouterBOOT reset button has three functions:
- Hold this button during boot time until the LED light starts flashing, and release the button to reset the RouterOS configuration (total 5 seconds)
- Keep holding for 5 more seconds, LED turns solid, release now to turn on CAPs mode (total 10 seconds)
- Or Keep holding the button for 5 more seconds until the LED turns off, then release it to make the RouterBOARD look for Netinstall servers
AP modes (advanced wireless settings):
- ap-bridge - Basic access point mode.
- bridge - Same as ap-bridge, but limited to one associated client.
- wds-slave - Same as ap-bridge, but scan for AP with the same ssid and establishes WDS link. If this link is lost or cannot be established, then continue scanning. If dfs-mode is radar-detect, then APs with enabled hide-ssid will not be found during scanning.
We have setup MikroTik in different environments, its time for us to build IPsec tunnel between two sites where we have MikroTik routers.
The steps below aim to illustrate how to setup a site to site VPN between two Mikrotik devices using WireGuard. Pre-existing local networks and firewalls exist on both R1 and R2. Between R1 and R2 the WireGuard tunnel will use 172.17.0.0/30. R2 has 172.17.0.1 assigned to its WireGuard interface, while R1 has 172.17.0.2 assigned to its WireGuard interface. The network used, or the order in which IP addresses are assigned is not important, however it is considered best practice to use a point to point subnet between peers.
Site to Site WireGuard tunnel
Consider setup as illustrated below. Two remote office routers are connected to the internet and office workstations are behind NAT. Each office has its own local subnet, 10.1.202.0/24 for Office1 and 10.1.101.0/24 for Office2. Both remote offices need secure tunnels to local networks behind routers.
VPN (Virtual Private Network) is a technology that provides a secure tunnel across a public network. A private network user can send and receive data to any remote private network using VPN Tunnel as if his/her network device was directly connected to that private network.
MikroTik provides EoIP (Ethernet over IP) tunnel that is used to create a site to site VPN. EoIP tunneling is a MikroTik RouterOS protocol that creates an Ethernet tunnel between two MikroTik Routers on top of an IP connection. EoIP adds an outer header mentioning the entry point of the tunnel (SourceIP) and the exit point of the tunnel (DestinationIP) but the inner packet is kept unmodified.
Stupid simple setting up WireGuard - Server and multiple peers
jaclaz
Preamble and disclaimer:
The following is a set of Rules that are intended as advice useful to avoid the most common errors observed in configuration posted on this forum.
It is my personal take on the matter, and in no way approved, endorsed or recommended, officially or unofficially, by Mikrotik or their partners or by anyone else.
In other words you are perfectly free to ignore them, though they represent (IMHO) a sort of (good) cheat sheet/reminder for people starting to use these devices.
Experts already know all these issues (and many more) and they already have their own ways to avoid them.
In today's post, we're going to dive into setting up your MikroTik router. I'm working with the MikroTik hAP AX2, but you'll find that these steps are pretty much the same for any MikroTik router.
a practical guide on setting up WireGuard VPN on the MikroTik router.
MikroWizard is designed to help MikroTik users monitor and manage their routers from an IT administrator's viewpoint. Beyond being merely a monitoring and management tool, it functions as a complete management solution that offers PAM-like capabilities specifically for MikroTik devices.
Before developing MikroWizard, which originated from a customer request, I explored existing central management software for MikroTik devices. While "Dude" and other free or commercial tools are available, they didn’t meet my requirements. Many commercial options looked promising but posed security concerns, as trusting a cloud provider to access our network—or relying on the internet for server access—was not an acceptable risk, also they are not offering what I actually looking for.
Here’s what I was searching for MikroTik Managment:
✔ The ability to manage all users who access MikroTik devices, including coworkers, admins, support center staff, customers, and even IT administrators themselves.
✔ A logging system to track all actions performed by admins, customers, and support operators on the router, with historical data showing who made changes and when—similar to the logs provided in PAM solutions.
✔ Centralized creation and editing of system users and groups.
✔ Scheduled firmware updates without requiring internet access on MikroTik routers.
✔ A syslog grabbing and storage feature with filtering and search capabilities.
✔ A centralized, reliable backup solution with differential backups and scheduling options.
Hi All,
I want to set up WireGuard VPN for remote work with 2 MikroTik routers: “home router” and “travel router”. Could you review my hardware and and config?
Requirements:
- “Home router” is connected to the internet in my home
- “Travel router” will be traveling with me.
- It should be possible to connect a “travel router” to any available internet - phone tethering (most often), another router, WIFI
- Traffic from any devices connected to the "travel router" should be visible as traffic from my “home router”.
- “Home router” will be connected to the router with dynamic public IP