infrastructure/scripts/mikrotik-adguard-setup.rsc
Add MikroTik AdGuard setup script and complete documentation
- Added scripts/mikrotik-adguard-setup.rsc with full setup commands
- Created docs/09-MIKROTIK-ADGUARD-DOT-DOH.md with:
  - Architecture diagram
  - Complete NAT/routing rules documentation
  - Container configuration details
  - TLS/DoT/DoH setup
  - Troubleshooting guide
- Removed WIP document (moved to completed docs)
2026-01-25 14:55:04 +02:00


# MikroTik AdGuard Home Setup Script
# Created: 2026-01-25
# Repository: https://git.xtrm-lab.org/jazzymc/infrastructure
#
# Prerequisites:
# - RouterOS 7.4+ with the container package installed
# - USB storage mounted as usb1 (usb1/adguard/{conf,work,root} are used below)
# - Container mode enabled: /system/device-mode/update container=yes
#   (RouterOS asks you to confirm this change with a power cycle or reset-button press within its timeout)
# - A registry configured for remote-image pulls, e.g.
#   /container/config/set registry-url=https://registry-1.docker.io tmpdir=usb1/pull
# - Run this script once: it uses "add" throughout, so a second run duplicates firewall/NAT rules
#   (and fails on the already-existing veth/mount names)
#------------------------------------------------------------
# Variables
#------------------------------------------------------------
# Names and addresses shared by every step below. All values are
# deployment-specific: change them here, not inline in the commands.
# Container and interface naming
:local containerName "adguardhome"
:local vethName "veth-adguard"
# NOTE(review): "latest" is a floating tag, so each pull may yield a
# different image. Pin a version tag (or digest) once one is validated.
:local containerImage "adguard/adguardhome:latest"
# Container-side subnet; gatewayIP is the router's end of the veth pair
:local containerNet "172.17.0.0/24"
:local gatewayIP "172.17.0.1"
:local containerIP "172.17.0.2"
# LAN whose DNS is transparently redirected, plus the second (Unraid) AdGuard host
:local lanNet "192.168.31.0/24"
:local unraidAdguard "192.168.31.4"
# Upstream interface on which DoT/DoH are exposed
:local wanInterface "eth1_WAN"
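#------------------------------------------------------------
# 1-2. veth pair: container side gets containerIP, router side gets gatewayIP
#------------------------------------------------------------
# The address/prefix is built inside a quoted string so "$containerIP/24"
# is interpolated as text. An unquoted $var/24 risks being read as an
# expression (variable divided by 24) instead of an address with prefix.
# NOTE(review): verify on the target RouterOS version.
/interface veth add name=$vethName address="$containerIP/24" gateway=$gatewayIP
# Router-side address in the same /24; this is the container's default gateway,
# so all container traffic (including replies to LAN clients) passes the router.
/ip address add address="$gatewayIP/24" interface=$vethName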
#------------------------------------------------------------
# 3. Persistent storage: bind USB directories into the container
#------------------------------------------------------------
# Both mounts live on usb1 so the container can be recreated or upgraded
# without losing its configuration and working data. The destination
# paths follow AdGuard Home's layout (conf/ for its YAML, work/ for
# runtime data) — presumably; confirm against the image documentation.
# NOTE(review): the source directories are assumed to exist on usb1.
/container mounts add name=agh-work dst=/opt/adguardhome/work src=usb1/adguard/work
/container mounts add name=agh-config dst=/opt/adguardhome/conf src=usb1/adguard/conf
#------------------------------------------------------------
# 4. Pull the image and create the container definition
#------------------------------------------------------------
# remote-image is fetched from the configured registry when the item is
# added; the container is only defined here and started in step 9.
# NOTE(review): containerImage uses a floating tag, so the pulled version is
# not reproducible across runs — prefer a pinned tag or digest.
# dns=8.8.8.8 is the container's own resolver (its /etc/resolv.conf); the
# upstreams AdGuard uses for client queries are configured inside AdGuard
# itself (presumably via its UI — confirm).
/container add name=$containerName hostname="mikrotik-adguard" \
    remote-image=$containerImage interface=$vethName \
    root-dir=usb1/adguard/root mounts=agh-config,agh-work \
    dns=8.8.8.8 logging=yes start-on-boot=yes
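#------------------------------------------------------------
# 5. Firewall - container network traffic
#------------------------------------------------------------
# NOTE(review): "add" appends to the end of each chain. If the existing
# policy already ends in a catch-all drop, these accept rules are never
# reached; use place-before=<rule> to slot them above it.
#
# Anti-spoofing: a packet claiming a 172.17.0.0/24 source is only trusted
# when it really arrives on the veth. Without in-interface, a packet from
# any other interface (including WAN) with a forged container source
# would match these accept rules.
/ip firewall filter add chain=input action=accept in-interface=$vethName src-address=$containerNet \
    comment="Allow from container network"
/ip firewall filter add chain=input action=accept dst-address=$containerNet \
    comment="Allow container network"
/ip firewall filter add chain=forward action=accept in-interface=$vethName src-address=$containerNet \
    comment="Allow from container network"
# Toward the container: the LAN may reach every container port (DNS,
# Web UI), but WAN may only reach the ports that step 7 explicitly
# dst-nat's (DoT 853 / DoH 443) — not every service on 172.17.0.0/24.
# in-interface and dst-address are evaluated after dstnat, so they match
# the original ingress interface and the translated container address.
# NOTE(review): other non-WAN subnets (if any) are no longer covered by
# this rule; add them explicitly if they need container access.
/ip firewall filter add chain=forward action=accept src-address=$lanNet dst-address=$containerNet \
    comment="Allow LAN to container network"
/ip firewall filter add chain=forward action=accept in-interface=$wanInterface protocol=tcp \
    dst-address=$containerIP dst-port=853,443 connection-nat-state=dstnat \
    comment="Allow WAN to dst-nat'd DoT/DoH only"
# Step 8 enables allow-remote-requests on the router's resolver. Refuse
# port-53 queries that arrive on WAN so the router cannot serve as an open
# resolver / amplification source. If an earlier rule already drops all
# unsolicited WAN input these are redundant but harmless.
/ip firewall filter add chain=input action=drop in-interface=$wanInterface protocol=udp dst-port=53 \
    comment="Drop WAN DNS queries to router"
/ip firewall filter add chain=input action=drop in-interface=$wanInterface protocol=tcp dst-port=53 \
    comment="Drop WAN DNS queries to router (TCP)"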
#------------------------------------------------------------
# 6. NAT - transparent DNS redirect for the LAN
#------------------------------------------------------------
# Rule order matters in dstnat: the accept exemptions must sit above the
# redirect rules, otherwise the resolvers' own upstream queries would be
# looped back to the container.
# The Unraid AdGuard host is inside lanNet and would otherwise be caught.
/ip firewall nat add chain=dstnat action=accept protocol=tcp dst-port=53 \
    src-address=$unraidAdguard comment="Allow Unraid AdGuard outbound DNS TCP"
/ip firewall nat add chain=dstnat action=accept protocol=udp dst-port=53 \
    src-address=$unraidAdguard comment="Allow Unraid AdGuard outbound DNS"
# The container is not in lanNet, so this exemption is only a guard in
# case the redirect's source match is ever widened.
/ip firewall nat add chain=dstnat action=accept protocol=udp dst-port=53 \
    src-address=$containerNet comment="Allow MikroTik AdGuard outbound DNS"
# Any plain port-53 query from the LAN — whatever server it was sent to —
# is rewritten to the container. Clients using DoT/DoH to a third party
# bypass this by design.
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp src-address=$lanNet dst-port=53 \
    to-addresses=$containerIP to-ports=53 comment="Redirect DNS to MikroTik AdGuard TCP"
/ip firewall nat add chain=dstnat action=dst-nat protocol=udp src-address=$lanNet dst-port=53 \
    to-addresses=$containerIP to-ports=53 comment="Redirect DNS to MikroTik AdGuard"
# NOTE(review): masquerading rewrites every client source to the router's
# veth address, so AdGuard's query log and per-client settings see a
# single client. Because the container's default gateway is the router,
# replies already return through it and this hairpin NAT is likely not
# needed — consider removing it after verifying resolution still works.
/ip firewall nat add chain=srcnat action=masquerade protocol=tcp src-address=$lanNet \
    dst-address=$containerIP dst-port=53 comment="Masquerade DNS to MikroTik AdGuard TCP"
/ip firewall nat add chain=srcnat action=masquerade protocol=udp src-address=$lanNet \
    dst-address=$containerIP dst-port=53 comment="Masquerade DNS to MikroTik AdGuard"
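#------------------------------------------------------------
# 7. NAT - external access (DoT/DoH) and LAN-only Web UI
#------------------------------------------------------------
# Internet-facing entry points: TCP only, and only for packets arriving
# on the WAN interface. The container answers on these ports only after
# TLS has been configured in AdGuard (see the final log line); until then
# the forwarded connections are simply refused.
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=$containerIP to-ports=853 \
    protocol=tcp in-interface=$wanInterface dst-port=853 comment="DNS over TLS (DoT)"
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=$containerIP to-ports=443 \
    protocol=tcp in-interface=$wanInterface dst-port=8443 comment="DNS over HTTPS (DoH)"
# Web UI: 192.168.31.1:3000 -> container:80 (plain HTTP, no TLS). The
# original rule matched on destination only; restricting the source to the
# LAN ensures the admin interface is not reachable from any other path that
# can route to 192.168.31.1.
# NOTE(review): until the first-run wizard is completed the UI presumably
# has no credentials at all — finish setup promptly after running this.
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=$containerIP to-ports=80 \
    protocol=tcp src-address=$lanNet dst-address=192.168.31.1 dst-port=3000 comment="AdGuard Web UI"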
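#------------------------------------------------------------
# 8. Router resolver -> container
#------------------------------------------------------------
# allow-remote-requests=yes lets hosts other than the router query this
# resolver. LAN queries are already redirected to the container by the
# dstnat rules, so the only remaining "remote" users are non-LAN sources:
# the input chain must drop port 53 arriving on WAN, or the router becomes
# an open resolver.
# NOTE(review): with a single server, router-originated lookups (package
# updates, image pulls, anything by hostname) fail whenever the container
# is down; a fallback server would avoid that.
/ip dns set servers=$containerIP allow-remote-requests=yes
#------------------------------------------------------------
# 9. Start the container
#------------------------------------------------------------
# Look the item up by name: /container start addresses items by their
# number/reference, not by the bare name string.
/container start [find name=$containerName]
:log info "AdGuard Home container setup complete"
:log info "Web UI: http://192.168.31.1:3000"
:log info "Complete initial setup, then configure TLS for DoT/DoH"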