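# MikroTik AdGuard Home Setup Script
# Created: 2026-01-25
# Repository: https://git.xtrm-lab.org/jazzymc/infrastructure
#
# Prerequisites:
# - RouterOS 7.4+ with container package
# - USB storage mounted as usb1
# - Container mode enabled: /system/device-mode/update container=yes
# - NOTE(review): pulling remote-image needs /container/config registry-url
#   pointing at the registry that hosts the image - confirm before running
#
# Steps, in order: veth + gateway address, persistent mounts, container,
# filter rules for the container network, LAN DNS redirect NAT, external
# DoT/DoH NAT, the router's own resolver, then start the container.
#
# NOTE: every "add" below appends to the END of its chain. On a router whose
# input/forward chains already end in a terminal drop rule, the filter rules
# from step 5 would land after that drop and never match; in that case add
# them with place-before=<id-of-final-drop-rule> or move them afterwards.

#------------------------------------------------------------
# Variables
#------------------------------------------------------------
:local containerName "adguardhome"
# ":latest" is a mutable, unverified tag; for a reproducible and reviewable
# deployment pin a release tag or an image digest here instead.
:local containerImage "adguard/adguardhome:latest"
:local vethName "veth-adguard"
:local containerIP "172.17.0.2"
:local gatewayIP "172.17.0.1"
:local containerNet "172.17.0.0/24"
:local lanNet "192.168.31.0/24"
# Router's LAN address; used for the Web UI port-forward and the final log line.
:local routerLanIP "192.168.31.1"
# Second AdGuard instance on the LAN that must NOT be caught by the DNS redirect.
:local unraidAdguard "192.168.31.4"
:local wanInterface "eth1_WAN"

#------------------------------------------------------------
# 1. Create veth interface
#------------------------------------------------------------
/interface veth add name=$vethName address=$containerIP/24 gateway=$gatewayIP

#------------------------------------------------------------
# 2. Add IP to veth (MikroTik side)
#------------------------------------------------------------
/ip address add address=$gatewayIP/24 interface=$vethName

#------------------------------------------------------------
# 3. Create container mounts (config and working data survive image updates)
#------------------------------------------------------------
/container mounts add name=agh-config src=usb1/adguard/conf dst=/opt/adguardhome/conf
/container mounts add name=agh-work src=usb1/adguard/work dst=/opt/adguardhome/work

#------------------------------------------------------------
# 4. Pull and create container
#------------------------------------------------------------
# dns= is the resolver the container itself uses (e.g. to fetch the image
# and filter lists); AdGuard's upstream servers are configured inside AdGuard.
/container add remote-image=$containerImage interface=$vethName root-dir=usb1/adguard/root \
    mounts=agh-config,agh-work logging=yes start-on-boot=yes dns=8.8.8.8 \
    hostname="mikrotik-adguard" name=$containerName

#------------------------------------------------------------
# 5. Firewall - Allow container network traffic
#------------------------------------------------------------
# Input chain: the container never needs to open connections to the router
# itself (its resolver is set with dns= above), so only replies to
# router-initiated traffic (the router's own lookups from step 8) are
# accepted from the veth, rather than everything to/from the container range.
/ip firewall filter add chain=input action=accept in-interface=$vethName \
    connection-state=established,related comment="Allow replies from container network"
# Step 8 turns the router into a DNS server for the LAN; make sure the WAN
# side cannot use it as an open resolver.
/ip firewall filter add chain=input action=drop in-interface=$wanInterface \
    protocol=udp dst-port=53 comment="Drop WAN DNS to router (no open resolver)"
/ip firewall filter add chain=input action=drop in-interface=$wanInterface \
    protocol=tcp dst-port=53 comment="Drop WAN DNS to router (no open resolver) TCP"

# Forward chain, container -> anywhere (upstream DNS, filter-list downloads),
# bound to the veth so the container range cannot be spoofed from elsewhere.
/ip firewall filter add chain=forward action=accept in-interface=$vethName \
    src-address=$containerNet comment="Allow from container network"
# Forward chain, -> container: replies to the container's own connections,
# connections that matched a dst-nat rule in steps 6/7 (LAN DNS redirect,
# Web UI, WAN DoT/DoH), and direct LAN access. Unsolicited WAN traffic to
# the container range is intentionally not accepted.
/ip firewall filter add chain=forward action=accept dst-address=$containerNet \
    connection-state=established,related comment="Allow replies to container network"
/ip firewall filter add chain=forward action=accept dst-address=$containerNet \
    connection-nat-state=dstnat comment="Allow dst-natted traffic to container"
/ip firewall filter add chain=forward action=accept dst-address=$containerNet \
    src-address=$lanNet comment="Allow LAN to container network"

#------------------------------------------------------------
# 6. NAT Rules - DNS Redirect
#------------------------------------------------------------
# Order matters: the accept exemptions must sit above the redirect rules,
# which they do because this script adds them first into an empty chain.
# Allow container outbound DNS (prevent redirect loop)
/ip firewall nat add chain=dstnat action=accept protocol=udp src-address=$containerNet dst-port=53 \
    comment="Allow MikroTik AdGuard outbound DNS"
# Allow Unraid AdGuard outbound DNS (it is inside lanNet and would otherwise be redirected)
/ip firewall nat add chain=dstnat action=accept protocol=udp src-address=$unraidAdguard dst-port=53 \
    comment="Allow Unraid AdGuard outbound DNS"
/ip firewall nat add chain=dstnat action=accept protocol=tcp src-address=$unraidAdguard dst-port=53 \
    comment="Allow Unraid AdGuard outbound DNS TCP"
# Redirect LAN DNS to container
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=$containerIP to-ports=53 \
    protocol=udp src-address=$lanNet dst-port=53 comment="Redirect DNS to MikroTik AdGuard"
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=$containerIP to-ports=53 \
    protocol=tcp src-address=$lanNet dst-port=53 comment="Redirect DNS to MikroTik AdGuard TCP"
# Masquerade so the container answers to the router and replies are un-NATed
# back to the LAN client instead of being sent to it directly.
/ip firewall nat add chain=srcnat action=masquerade protocol=udp src-address=$lanNet \
    dst-address=$containerIP dst-port=53 comment="Masquerade DNS to MikroTik AdGuard"
/ip firewall nat add chain=srcnat action=masquerade protocol=tcp src-address=$lanNet \
    dst-address=$containerIP dst-port=53 comment="Masquerade DNS to MikroTik AdGuard TCP"

#------------------------------------------------------------
# 7. NAT Rules - External Access (DoT/DoH)
#------------------------------------------------------------
# Both rules are matched on in-interface=$wanInterface, so they deliberately
# expose these two ports to the internet; they only work once TLS is
# configured inside AdGuard (see the final log line).
# DoT (DNS over TLS) - port 853
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=$containerIP to-ports=853 \
    protocol=tcp in-interface=$wanInterface dst-port=853 comment="DNS over TLS (DoT)"
# DoH (DNS over HTTPS) - port 8443 external -> 443 internal
# NOTE(review): AdGuard Home serves its admin UI on the same HTTPS listener it
# uses for DoH, so this forward also reaches the admin login from the WAN -
# confirm a strong admin password is set before enabling it.
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=$containerIP to-ports=443 \
    protocol=tcp in-interface=$wanInterface dst-port=8443 comment="DNS over HTTPS (DoH)"
# Web UI access - port 3000 on the router's LAN address -> 80 in the container
# NOTE(review): AdGuard's first-run wizard listens on container port 3000 by
# default; if usb1/adguard/conf has no initialised config yet, this mapping to
# port 80 may not reach the wizard - confirm on first deployment.
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=$containerIP to-ports=80 \
    protocol=tcp dst-address=$routerLanIP dst-port=3000 comment="AdGuard Web UI"

#------------------------------------------------------------
# 8. Set MikroTik DNS to use container
#------------------------------------------------------------
# allow-remote-requests=yes makes the router answer DNS for LAN clients;
# the input-chain drops in step 5 keep it from answering the WAN as well.
/ip dns set servers=$containerIP allow-remote-requests=yes

#------------------------------------------------------------
# 9. Start container
#------------------------------------------------------------
/container start $containerName
:log info "AdGuard Home container setup complete"
:log info ("Web UI: http://" . $routerLanIP . ":3000")
:log info "Complete initial setup, then configure TLS for DoT/DoH"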