Configure a production-ready MikroTik RouterOS 7 firewall — understand filter, NAT, mangle, and raw tables, enable FastTrack for wire-speed forwarding, implement connection tracking state rules, and build brute force protection with dynamic address lists.
Run Docker containers directly on MikroTik RouterOS 7 — enable container mode, configure veth bridges, pull images from Docker Hub, and deploy Pi-hole or AdGuard Home without extra hardware.
Configure DNS over HTTPS and the built-in DNS Adlist feature on MikroTik RouterOS 7 to block ads, trackers, and malware network-wide — no Pi-hole, no extra hardware, no containers needed.
A complete guide to configuring MikroTik CAPsMAN with VLANs in RouterOS 7 — local forwarding mode, bridge VLAN filtering, provisioning rules for multiple SSIDs, DHCP per VLAN, and real troubleshooting for the common mistakes that break CAPsMAN VLAN setups.
Consumer routers give you one flat LAN. Everything talks to everything. That’s fine for five devices. Not fine for a homelab with IoT toasters, security cameras, a NAS with your whole life on it, and a gaming PC that absolutely does not need to see the Frigate NVR’s admin interface. MikroTik’s RouterOS handles VLANs natively — bridge VLAN filtering, inter-VLAN routing, per-VLAN DHCP, and firewall rules to control traffic between segments. All from the CLI. No third-party tools, no extra switches, no license fees. ...
If you have fiber-to-the-home (FTTH), your ISP almost certainly gave you a combo ONT/router. It’s a locked-down all-in-one box that does GPON optical termination, routing, Wi-Fi, and often double NAT. For a homelab with VLAN segmentation and a proper router like MikroTik, that box is a bottleneck — and you can bypass it entirely. This post covers replacing the ISP ONT/router with a MikroTik router using an SFP GPON stick, covering the hardware, VLAN configurations, PPPoE quirks, and the gotchas that aren’t in the marketing material. This is specifically from my experience with Dominican Republic FTTH providers, but the patterns apply to most GPON deployments globally. ...
Cloudflare Tunnel gives you a secure outbound-only connection from your homelab to Cloudflare’s edge, proxying public traffic without opening any firewall ports. No pinholes, no DMZ, no exposing your home IP. The usual deployment is a Docker container or a systemd service on a Linux box. But if you have a MikroTik router running RouterOS 7.6+ with container support, you can run cloudflared directly on the router — zero extra hardware, zero extra VMs. ...
WireGuard on MikroTik RouterOS is production-ready as of RouterOS 7.x, and it’s dramatically simpler than IPsec or OpenVPN for homelab use. No certificate authorities, no confusing phase 1/phase 2 settings, no userspace daemon eating CPU — just a kernel module, a private key, and a peer config. This post covers two WireGuard topologies running on the same MikroTik router (R1 from the previous deployment post): Road Warrior — remote devices (phone, laptop) connect to the homelab Site-to-Site — two MikroTik routers connected across the internet Both share the same base config and coexist on the same router. ...
Every homelab needs a solid network foundation. This guide walks through the full configuration of R1 — a MikroTik edge router with segmented VLANs, inter-VLAN firewalling, WireGuard VPN, and a Cloudflare Tunnel running directly on the router. The config below is based on RouterOS 7.22.1. Commands are split by section so you can follow along step-by-step. Replace anything in <> with your own values. Hardware Model: MikroTik E62iUGS-2axD5axT OS: RouterOS 7.22.1 WAN: GPON FTTH (PPPoE on VLAN 100) Port Layout Port Role Access VLAN Notes SFP1 WAN — GPON ONT, native vlan 1 for ONT access Ether1 CCTV 50 Untagged, camera network Ether2 MGMT 99 Untagged, management Ether3 MGMT 99 Untagged, secondary management Ether4 HOME 10 Untagged, main home LAN Ether5 Trunk Tagged Inter-switch link carrying all VLANs Step 1 — Bridge Setup Create the main bridge with VLAN filtering enabled, and a separate bridge for container veth interfaces: ...