Installing Ziti-edge-tunnel on MikroTik Router - Docker



The following guide provides guidance on the installation of NetFoundry Ziti-Tunnel software on to a MikroTik router. The functionality has been validated on a default base virtual router with but should operate the same with a physical router with 7.1.4c development operating system.



NOTE: the is not a production feature in RouterOS and is currently in development.


Container is MikroTik's own implementation of Docker(TM), allowing users to run containerized environments within RouterOS. The container feature was added in RouterOS v7.1rc4.  In addition to running RouterOS 7.1rc3 or better the container software must be downloaded to the router. It can be downloaded from the "Extra Packages" download location.



Turn on logging to echo for container package. Go to system > Logging + Topic Container and Action Echo



Additionally, to get started you will need to have a computer with Docker installed. MikroTik RouterOS does not have a "Pull" function so it is necessary to pull the NetFoundry Ziti-Tunnel image to a computer running Docker. You will be required to convert to Tar file before copying to Mikrotik Router.


Step 1.

docker pull netfoundry/ziti-tunnel:latest
docker save netfoundry/ziti-tunnel:latest > ziti-tunnel.tar


Step 2.

Copy ziti-tunnel.tar file to MikroTik router. (WinSCP, SCP or other to default root directory)


Step 3.

Create an identity for the router in the console and copy to Mikrotik router(default root directory).


Step 4.

Log in to Mikrotik RouterOS CLI. Create a Virtual Interface for the Container environment. We chose an available network that does not overlap with any internal networks.

/interface/veth/add name=veth1 address= gateway=


Step 5.

Create a Bridge for the Containers and add veth1 to the bridge.

/interface/bridge/add name=docker
/ip/address/add address= interface=docker
/interface/bridge/port add bridge=docker interface=veth1
Step 6 .
Add Firewall NAT from the Web interface. From the IP Menu, Select Firewall and the NAT tab. Select NAT, add srcnat, your docker network and select ether1 for your out Interface. Also from the Actions tab, select Masquerade.



Step 7. 

Create environment variables

container envs add list=netfoundry name=NF_REG_NAME value=regkey(without ".jwt")


Step 8.

Create mountpoints for non-volatile data.

container mounts add name netfoundry-volume src=/netfoundry dst=/netfoundry


Step 9.

Create container from Tar image.

container add file=ziti-tunnel.tar interface=veth1 envlist=netfoundry mounts=netfoundry-volume hostname=ziti-host logging=yes


Step 10.

container print

0 file=ziti-tunnel.tar name="39f27176-5f07-44a9-93fb-1f2b55563cab" tag="netfoundry/ziti-tunnel:latest" os="linux"
arch="amd64" interface=veth1 envlist="netfoundry" mounts=netfoundry-volume dns="" hostname="ziti-host"
logging=yes status=stopped

container start 0


Step 11.

The container will fail as the identity.jwt file is located in the root directory from Step 3.  The system will attempt at starting the container at which point the /netfoundry folder will be created on the mikrotik router. Once created, return to scp or ftp and copy the identity.jwt file from your local machine again but into the netfoundry directory. NOTE: This is required as users are not allowed to create directory in the file system. Example below:

scp identities/K8s-Endpoint-Skip.jwt admin@


Step 12. 

container start 0



Was this article helpful?
4 out of 5 found this helpful


1 comment

  • Hi can your try it with 7.4beta4 ? I tried it but I can't make it work. Thanks.


Please sign in to leave a comment.