What you will need
- VPS with Ubuntu 20.04 (preferably) and root/sudo access.
- Provider network data: IP/prefix and default gateway — write them down in advance.
- Access to the emergency console (VNC/Serial) in the provider’s panel in case the network is not yet up after the image is written.
Check and record network settings before rewriting the disk (required)
This step is performed before rewriting the disk and installing MikroTik CHR. After writing the RAW image, the current Ubuntu will be completely removed, SSH access will disappear, and you will only be able to configure the network in CHR manually via the emergency console, using the previously saved settings. Therefore, before continuing, be sure to record the network settings provided by the provider.
What data needs to be saved
- IP address and mask (prefix)
Example: 203.0.113.10/24
This value will be used when adding an IP address to CHR.
- Default gateway
Example: 203.0.113.1
This address will be needed to configure the default route.
- Network type — normal or /32
If the IP is issued with a /32 mask (often found with VPS providers), this will require special configuration on the CHR side.
Example of a network with /32:
- IP: 85.85.85.85/32
- Gateway: 10.0.0.1
For such networks, the gateway is specified manually when adding an IP address.
sudo -i
ip -c a
ip -c r
Preparing Ubuntu and recording network settings
sudo -i
apt update && apt -y install unzip
ip -c a # record your IP/prefix, for example 203.0.113.10/24
ip -c r # write down the default gateway, for example 203.0.113.1
This will be useful when initially configuring CHR via the console after rebooting.
Download the Cloud Hosted Router RAW image
cd /tmp
wget https://download.mikrotik.com/routeros/<VER>/chr-<VER>.img.zip
unzip chr-<VER>.img.zip # this produces chr-<VER>.img
Where <VER> is the stable version. If the latest version does not load, use 6.49.10, then update via CHR.
Define the target disk
fdisk -l
# For example, the target disk /dev/sda
Caution: ensure the device is correct, as writing will be destructive.
Remount file systems read-only
echo u > /proc/sysrq-trigger
sync
This reduces the risk of a corrupted image when using dd (there have been cases of the boot error “xz-compressed data is corrupt”).
Write the image to disk (dd)
dd if=chr-<VER>.img of=/dev/sda bs=4M oflag=sync status=progress
Wait until it finishes without errors. This will completely overwrite your current Ubuntu.
Hard reboot into CHR
echo 1 > /proc/sys/kernel/sysrq
echo b > /proc/sysrq-trigger
SSH will disconnect. The VPS will boot under CHR in its default state — there is no network yet.
First login to the emergency console
- Open the emergency console in the provider’s panel.
- Log in as admin with a blank password → confirm license viewing → set a new password immediately.
- Newer models/builds may have different defaults, but for CHR, the typical scenario is admin without a password on first login.
Configuring the IP address in RouterOS (CLI)
In the RouterOS console (menu-oriented CLI):
ip
address
add
address=203.0.113.10/24
interface=ether1
RouterOS will calculate the network/broadcast based on the prefix; the address can also be added in a single line:
/ip address add address=203.0.113.10/24 interface=ether1
Case with /32 (often in clouds)
If the provider issues a public IP with a /32 mask and an “external” gateway (for example, 10.0.0.1), set the network manually:
/ip address add address=85.85.85.85/32 interface=ether1 network=10.0.0.1
Then the default route:
/ip route add gateway=10.0.0.1
This is a standard working recipe for /32, confirmed by practice.
Default route
Short form:
/ip route add gateway=203.0.113.1
After setting the address and gateway, CHR will be accessible over the network.
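Added example (not part of the original guide): a shell helper to run on Ubuntu before the disk is overwritten. It turns the recorded `ip` output into the RouterOS commands for the normal and /32 cases above and warns when a non-/32 gateway lies outside the recorded subnet. Function names are hypothetical and the sample input is constructed.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not MikroTik or Ubuntu tooling.

# "dev gateway" of the first default route in `ip -4 route show default` output.
default_route() {
  awk '$1 == "default" {
    for (i = 2; i < NF; i++) { if ($i == "via") gw = $(i + 1); if ($i == "dev") dev = $(i + 1) }
    if (gw != "" && dev != "") { print dev, gw; exit }
  }'
}

# First global IPv4 address/prefix on device $1 in `ip -o -4 addr show` output.
primary_addr() {
  awk -v dev="$1" '$2 == dev && $3 == "inet" && /scope global/ { print $4; exit }'
}

# Dotted IPv4 address to integer (subshell body keeps the IFS change local).
ip2int() ( IFS=.; set -- $1; echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 )) )

# True when addresses $1 and $2 share their first $3 bits.
same_subnet() {
  [ $(( $(ip2int "$1") >> (32 - $3) )) -eq $(( $(ip2int "$2") >> (32 - $3) )) ]
}

# RouterOS commands for address $1 (CIDR), gateway $2, CHR interface $3 (default ether1).
chr_commands() (
  cidr=$1 gw=$2 iface=${3:-ether1}
  case "$cidr" in */*) ;; *) echo "error: '$cidr' has no prefix" >&2; exit 1 ;; esac
  addr=${cidr%/*} prefix=${cidr#*/}
  if [ "$prefix" -eq 32 ]; then   # /32 case: the gateway is passed as network=
    echo "/ip address add address=$cidr interface=$iface network=$gw"
  else
    same_subnet "$addr" "$gw" "$prefix" ||
      echo "warning: gateway $gw is outside $cidr, re-check what you recorded" >&2
    echo "/ip address add address=$cidr interface=$iface"
  fi
  echo "/ip route add gateway=$gw"
)

# $1 = `ip -o -4 addr show` text, $2 = `ip -4 route show default` text.
commands_from_ip_output() (
  route=$(printf '%s\n' "$2" | default_route)
  cidr=$(printf '%s\n' "$1" | primary_addr "${route% *}")
  chr_commands "$cidr" "${route#* }"
)
# Constructed sample input (the /32 layout used in this guide).
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever
2: eth0    inet 85.85.85.85/32 scope global eth0\       valid_lft forever'
SAMPLE_ROUTE='default via 10.0.0.1 dev eth0 proto static onlink'
commands_from_ip_output "$SAMPLE_ADDR" "$SAMPLE_ROUTE"
```

On the live system, call `commands_from_ip_output "$(ip -o -4 addr show)" "$(ip -4 route show default)"` and keep the output somewhere off the VPS, since it has to be typed into the emergency console afterwards.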
Accessing WebFig/Winbox
- Open http://<IP> for WebFig (or https://<IP> when HTTPS is enabled).
- Alternatively, connect to Winbox (default TCP 8291).
- Log in as admin with your new password.
What to do immediately after bringing up the network
Mini-security (disable unnecessary services, change service ports)
/ip service print
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes # enable www-ssl instead of plain-HTTP
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip service set ssh address=0.0.0.0/0 # any source is allowed; narrow to your management subnet if necessary
/ip service set winbox port=8291 # change the port if desired
WebFig and Winbox are similar managers in terms of capabilities; by default, WebFig uses HTTP on port 80 (it is better to enable HTTPS), while Winbox uses TCP 8291.
Username and password
/user add name=ops group=full password="ComplexPassword123!"
/user disable admin
(or leave admin, but set a complex password and restrict access by address)
Enable HTTPS for WebFig:
/ip service set www disabled=yes
/ip service set www-ssl disabled=no certificate=<certificate-name>
Time and NTP
/system clock set time-zone-name=Etc/UTC
/system ntp client set enabled=yes servers=pool.ntp.org
Basic NAT (if this is your “internet router”)
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
Mini firewall for management
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=tcp dst-port=22,8291,443,80 src-address-list=mgmt action=accept
add chain=input in-interface=ether1 action=drop comment="drop rest from WAN"
/ip firewall address-list
add list=mgmt address=203.0.113.0/24
Updates and CHR license
Check and update RouterOS:
/system package update check-for-updates
/system package update install
Check CHR license:
/system license print
(For production loads, select p1/p10/p-unlimited — see the official CHR section)
Debugging: typical problems
- “xz-compressed data is corrupt / System halted” after dd
- A common cause is writing to a “live” FS. Converting the FS to read-only before dd helps. If you encounter problems, use 6.49.10, boot up, then update to 7.x.
- No ping after reboot
- Check that you have set the address and gateway in CHR (steps 8–9). For /32, specify network=<gateway> when adding the address and set the route gateway=<gateway>.
- WebFig/Winbox does not open
- Log in via the emergency console, check /ip service print, the firewall, and that you are looking at the correct port (Winbox 8291/TCP).
Additional: quick configuration reference
Obtaining an address via DHCP (if the cloud assigns the address dynamically)
/ip dhcp-client add interface=ether1 use-peer-dns=yes use-peer-ntp=yes
(For server environments, a static address is preferable.)
Bridge (if there will be multiple interfaces in CHR)
/interface bridge add name=br0
/interface bridge port add bridge=br0 interface=ether1
/ip address add address=192.0.2.10/24 interface=br0
VLAN on the interface
/interface vlan add name=wan.100 vlan-id=100 interface=ether1
/ip address add address=203.0.113.10/24 interface=wan.100
/ip route add gateway=203.0.113.1
