MikroTik NetBird installation

--> netbird mikrotik | by @xdenb43
--> tested on hap ax3/ROS 7.22.1

Install NetBird on MikroTik using a container

This guide briefly describes how to set up NetBird on MikroTik with DNS FWD and VPN routing for all NetBird clients.
Official NetBird container guide: https://docs.netbird.io/use-cases/homelab/client-on-mikrotik-router
Quick NetBird video guide (in Russian): https://www.youtube.com/watch?v=eKYHmdY8ikw

Important

NetBird network: 100.64.88.0/24
MikroTik LAN network: 192.168.88.1/24
MikroTik acts as the DNS resolver (allow-remote-requests enabled)
Docker network: 192.168.254.1/24
NetBird clients are seen by MikroTik as 192.168.254.100 (masquerade inside the container is ENABLED)

Additional prerequisites

  • Container device mode is enabled
/system/device-mode/update container=yes
  • USB flash drive is formatted as ext4 and mounted as /usb1
    It is also possible to use RAM or network storage, but then update the paths below to match your config
  • Firewall is configured (at least defconf)
  • Fasttrack is adjusted so that only unmarked connections are fasttracked (connection-mark=no-mark), otherwise the mangle rules below never see the traffic
/ip/firewall/filter/set [find action=fasttrack-connection ] connection-mark=no-mark
  • VPN routes are configured (the vpn_out routing table is used below)
  • DNS is redirected to the router
# example for Cloudflare DoH (import the certificate yourself or use the built-in store)
/ip dns set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
# redirect all DNS requests from LAN to the router
/ip firewall nat
add action=redirect chain=dstnat comment="Incoming DNS redirect" dst-address-type=!local dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=redirect chain=dstnat comment="Incoming DNS redirect" dst-address-type=!local dst-port=53 \
    in-interface-list=LAN protocol=tcp

NetBird side:

  1. Register an account (if not done yet)
  2. Create a p2p network
  3. Dashboard -> Settings -> Networks: configure the NetBird network range (or leave the default)
  4. Get a new setup key (YOUR_NETBIRD_KEY) for the MikroTik device

MikroTik side:

Create a bridge interface for containers and a VETH interface for the NetBird container

/interface bridge add name=Bridge-Docker port-cost-mode=short
/ip address add address=192.168.254.1/24 interface=Bridge-Docker network=192.168.254.0
/interface veth add address=192.168.254.100/24 gateway=192.168.254.1 name=NETBIRD
/interface bridge port add bridge=Bridge-Docker interface=NETBIRD

The defconf NAT masquerade rule is enough for containers:

/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

Skip this if you don't need to connect from the MikroTik LAN to NetBird clients:

/ip route add comment=NetBird dst-address=100.64.88.0/24 gateway=192.168.254.100

Container (the USB drive is used to store everything):
WARNING: start-on-boot is not set by default! Set it yourself.
See details in the official guide.

/container config set registry-url=https://registry-1.docker.io tmpdir=/usb1/docker/pull
/container mounts add dst=/etc/netbird list=NETBIRD src=/usb1/docker_configs/netbird

/container envs 
add key=NB_DISABLE_CUSTOM_ROUTING list=NETBIRD value=true
add key=NB_HOSTNAME list=NETBIRD value=YOUR_HOSTNAME
add key=NB_LOG_LEVEL list=NETBIRD value=info
add key=NB_NAME list=NETBIRD value=YOUR_HOSTNAME
add key=NB_SETUP_KEY list=NETBIRD value=YOUR_NETBIRD_KEY
add key=NB_USE_LEGACY_ROUTING list=NETBIRD value=true

/container 
add dns=1.1.1.1,8.8.8.8,9.9.9.9 envlists=NETBIRD hostname=netbird interface=NETBIRD mountlists=NETBIRD name=netbird \
    remote-image=netbirdio/netbird root-dir=/usb1/docker/netbird logging=yes

/container/start [find where interface=NETBIRD]

At this point the NetBird connection should work.
Check that the peer is visible in the NetBird Dashboard.
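The following RouterOS commands are an added example, not part of the gist or of the NetBird documentation. They make the container survive a reboot (the start-on-boot setting the warning above refers to) and give a quick way to confirm from the router itself that the container is up and talking to the outside before continuing with the routing and DNS steps. The only assumption is the interface name NETBIRD used throughout this guide.

```routeros
# Added example (not from the gist): persist the container across reboots.
/container set [find where interface=NETBIRD] start-on-boot=yes

# Show the container entry; the status column should read "running".
/container print detail where interface=NETBIRD

# With logging=yes the container's stdout lands in the RouterOS log.
/log print where topics~"container"

# The NetBird client inside the container must reach the management/signal
# servers and its peers; this shows the connections sourced from the veth.
/ip firewall connection print where src-address~"192.168.254.100"

# Confirm the container's own address/gateway are attached to the bridge.
/interface veth print detail where name=NETBIRD
/interface bridge port print where interface=NETBIRD
```

If the connection list stays empty, check the masquerade rule on the WAN interface list and the DNS servers passed to the container, since the client cannot reach the NetBird management server without both.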

NetBird routing

Go to the NetBird Dashboard:

  • Choose your MikroTik peer and add it as an Exit node (exit to the Internet), keeping all settings at their defaults

Now your other NetBird clients should reach the Internet via the NetBird MikroTik container,
but DNS resolution by MikroTik and DNS FWD are not working yet.

DNS setup

Allow requests from the container (MikroTik side):

/ip firewall filter add action=accept chain=input comment="netbird dns access" src-address=192.168.254.100

NetBird side:

  • Dashboard -> DNS: add nameserver 192.168.254.1
  • Add a new route to 192.168.254.1/32 via the MikroTik peer (all settings default)

At this step NetBird clients should have access to the DNS server and to the Internet via the MikroTik peer.

Policy based routing (DNS FWD address list + VPN)

MikroTik side
Check your configured routes to the VPN connections (routing table vpn_out):

/ip firewall mangle
add action=mark-connection chain=prerouting comment="netbird to VPN" connection-mark=no-mark dst-address-list=to_VPN_FWD \
    new-connection-mark=netbird_to_vpn src-address=192.168.254.100
add action=mark-routing chain=prerouting comment="netbird to VPN" connection-mark=netbird_to_vpn new-routing-mark=vpn_out \
    passthrough=no src-address=192.168.254.100

Now all NetBird clients will use your MikroTik as a VPN server with the pre-configured routing.
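The mangle rules above match on the to_VPN_FWD address list but the section does not show what fills that list, and the DNS setup step accepts all input from the container. The block below is an added example (not from the gist) that shows both pieces in one place, plus the commands to verify them. It assumes the "DNS FWD" of the section title means RouterOS static DNS entries of type FWD with address-list set, that example.com stands in for a real domain you want routed via the VPN, that 1.1.1.1 is an acceptable upstream for those names, and that the defconf input drop rule still carries its default comment "defconf: drop all not coming from LAN".

```routeros
# Added example (not from the gist). Assumptions: vpn_out routing table exists,
# example.com is a placeholder domain, defconf input rule comment is unchanged.

# 1. DNS FWD entry: MikroTik forwards queries for the name (and subdomains)
#    upstream and adds every resolved address to the to_VPN_FWD list, which is
#    what the "netbird to VPN" mangle rules match on.
/ip dns static
add name=example.com type=FWD forward-to=1.1.1.1 address-list=to_VPN_FWD match-subdomain=yes comment="FWD to VPN"

# 2. Narrow the container's access to the router. It only needs DNS, so accept
#    port 53 from 192.168.254.100 instead of everything from that address.
/ip firewall filter
add action=accept chain=input comment="netbird dns access" dst-port=53 protocol=udp src-address=192.168.254.100
add action=accept chain=input comment="netbird dns access" dst-port=53 protocol=tcp src-address=192.168.254.100
# The accept rules must sit above the defconf drop rule in the input chain.
move [find comment="netbird dns access"] destination=[find comment="defconf: drop all not coming from LAN"]

# 3. Verify. The address list fills as NetBird clients resolve the FWD names,
#    and flows to those addresses get the netbird_to_vpn mark.
/ip firewall address-list print where list=to_VPN_FWD
/ip firewall connection print where connection-mark=netbird_to_vpn
/ip firewall mangle print stats where comment="netbird to VPN"
/ip route print where routing-table=vpn_out
```

Order matters twice here: the mark-connection rule must come before the fasttrack rule (which is why the prerequisites set connection-mark=no-mark on it), and the two accept rules must come before the defconf input drop, otherwise the container's queries are silently dropped and the address list never fills.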

Tests

Speed measured with "Force relay usage" turned off, on both LTE and WiFi networks.
WiFi (cable) channel bandwidth is 200 Mbps.
(speed test screenshot)
