From MikroTik Wiki
Revision as of 14:27, 21 May 2009 by Marisb (talk | contribs)
Jump to navigation Jump to search


MetaRouter is a new feature in RouterOS 4.0 beta 1 and RouterOS v3.21

Currently MetaRouter can be used for the RB400 series boards to create virtual machines, but more hardware platforms will be added in future.


Each Metarouter instance uses just as much resources as a stand-alone RouterOS installation. This means you need a minimum of 16Mb of RAM for each machine, plus some for the main Router that hosts it. 16Mb is the absolute minimum - it is suggested to have more memory available per each Metarouter.

Currently you can create up to 8 metarouter virtual machines, this number will be increased to 16 in future versions.

In the main machine, you can create up to 8 virtual interfaces that will be connected to the metarouters. Currently the only way to add more, is to use VLAN. Currently it is not possible to use external storage devices (Store) in the metarouter virtual devices.


The MetaRouter function is useful for allowing clients or lower-privilege users access to their own 'router' and config to configure as they like, without the need for a complete second router, or giving them access to the main router configuration.

For example; a WISP can create a virtual router for the clients ethernet port allowing them to define their own firewall settings, while leaving the WISP's wireless settings untouched.


The /metarouter menu gives the following:

  • add - allows you to create a new virtual router
  • print - lets you list any virtual routers
  • enable - to enable a virtual router
  • disable - to disable a virtual router
  • console - lets you access the console of a virtual router
  • interface - lets you make network interface mappings

Creating a Metarouter

 [admin@RB_Meta] /metarouter> add name=mr0 memory-size=32 disk-size=32000  disabled=no
 [admin@RB_Meta] /metarouter> print
 Flags: X - disabled 
 #   NAME                 MEMORY-SIZE DISK-SIZE     USED-DISK     STATE        
 0   mr0                  16MiB       0kiB          377kiB        running      
  • name: the name of the virtual router
  • memory-size: amount of RAM allocated to the virtual router
  • disk-size: amount of HDD in kiB allocated to the virtual router (if 0, size is dynamic) *
  • used-disk: currently used disk space
  • state: identifies if the metarouter is running or disabled

Note: * be careful when using dynamic HDD size for metarouters, a proxy could fill up all your hosts storage!

Example with no settings

If you will add a new metarouter without specifying any parameters, it will be added with Dynamic HDD size, and 16MiB of RAM:

[admin@RB_Meta] /metarouter> add name=mr1
[admin@RB_Meta] /metarouter> print
Flags: X - disabled
 #   NAME                 MEMORY-SIZE DISK-SIZE     USED-DISK     STATE
 1   mr1                  16MiB       0kiB          3kiB          running

OpenWRT as virtual machine

Starting from v3.24 metarouter has the ability to import custom built images.

Importing image

If you don't have any specific needs, you can import our prebuilt OpenWRT image, which is downloadable here. Upload openwrt image to the router and import it by 'import-image' command:

[admin@MikroTik] /metarouter> import-image file-name=openwrt.tgz
 imported: 100%
[admin@MikroTik] /metarouter> print
Flags: X - disabled
0   mr1       16MiB       unlimited     7383kiB       running

As you can see OpenWRT is running, now you can start configuration process, which is explained in sections below.

Building your own OpenWRT image

Install svn and get the latest source from

svn co svn://

Now you have to path downloaded source with our patch

cd trunk/
patch -p0 <openwrt-metarouter.patch

When source is patched, you have to set up configuration options

make menuconfig

Go to Target System menu and choose 'Mikrotik MetaROUTER' from the list Snapshot2.png

Other options depends on what you need, you can stick with defaults.

If you see any error messages whyle trying to launch menuconfig, like

Build dependency: Please install ncurses. (Missing or ncurses.h)

It means that required libraries are not installed, check the output and install all required libraries.

When you are done with build configuration, type


It will take a while to build everything so you can go and have a cup of tea.

After the build process is done, upload newly built image to the router and import it as described in section above.

Adding Interfaces

First, you need to add a new interface to your virtual router. This is done in the interface menu.

The interface command has the following options:

 [admin@MikroTik] /metarouter> interface add 
 comment    disabled        dynamic-mac-address  type            virtual-machine
 copy-from  dynamic-bridge  static-interface     vm-mac-address

Let's add one interface:

[admin@MikroTik] /metarouter> interface add virtual-machine=mr1 type=dynamic

On the host physical router the interface appears as a virtual interface:

 [admin@MikroTik] > /interface print 
 Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                              TYPE             MTU  
 8  R  ether9                                            ether            1500 
 9  R  test                                              bridge           1500 
10 DR  vif1                                              vif              1500

Connecting to the virtual machine

To connect to your virtual machine, use the console command:

/metarouter console 0

You will see your newly added virtual interface here:

[admin@mr0] > interface print 
 Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                              TYPE             MTU  
 0  R  ether1                                            ether            1500

To disconnect from the metarouter virtual machine console, hit CTRL + A and then Q to Quit back to your Host console:

[admin@MikroTik] >
[Q - quit connection]      [B - send break]
[A - send Ctrl-A prefix]   [R - autoconfigure rate]
 Welcome back!

Configuring a virtual network

Right now you saw that the virtual interface is visible in the Host Interfaces menu as vif1 and also in the metarouter interfaces menu as ether1. You can add an IP address on both interfaces, and set up networking. Creating a bridge between the virtual interface and a physical interface allows traffic to pass.

Configuration examples

Creating isolated Metarouter for client

This Example will show how to use Metarouter feature to create a isolated router on top of the WISP client site router. The setup for the example is shown on the diagram below:

1. Adding a Metarouter for client:

[admin@RouterGW] /metarouter> add name=client1 memory-size=32     
[admin@RouterGW] /metarouter> print
Flags: X - disabled 
 #   NAME                            MEMORY-SIZE DISK-SIZE     USED-DISK     STATE        
 0   client1                         32MiB       0kiB          189kiB        running      
[admin@RouterGW] /metarouter>

2. Adding Metarouter Interfaces for the new created Metarouter:

[admin@RouterGW] /metarouter interface> add virtual-machine=client1
[admin@RouterGW] /metarouter interface> add virtual-machine=client1 
[admin@RouterGW] /metarouter interface> print
Flags: X - disabled, A - active 
 #   VIRTUAL-MACHINE                                             TYPE    VM-MAC-ADDRESS   
 0 A client1                                                     dynamic 02:49:E8:55:8E:E8
 1 A client1                                                     dynamic 02:16:16:90:EF:0E
[admin@RouterGW] /metarouter interface> 

3. Creating a Bridge Interface for bridging metarouter interface together with ethernet interface where the client is physically connected:

[admin@RouterGW] /interface bridge> add         
[admin@RouterGW] /interface bridge> print
Flags: X - disabled, R - running 
 0  R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none 
      priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s 
      forward-delay=15s transmit-hold-count=6 ageing-time=5m 

[admin@RouterGW] /interface bridge port> add interface=ether2 bridge=bridge1 
[admin@RouterGW] /interface bridge port> add interface=vif2 bridge=bridge1 
[admin@RouterGW] /interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE                    BRIDGE                   PRIORITY PATH-COST  HORIZON   
 0    ether2                       bridge1                  0x80     10         none      
 1    vif2                         bridge1                  0x80     10         none      

4. Adding IP configuration for the new Metarouter interface which will be used for connecting between Metarouter and Metarouter Host system:

[admin@RouterGW] /ip address> add address= interface=vif1 
[admin@RouterGW] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE                         
 0 D      ether1                            
 1      vif1                              
[admin@RouterGW] /ip address> 

5. Connecting to Metarouter using the Console

[admin@RouterGW] /metarouter> console client1

[Ctrl-A is the prefix key]

Starting services...

MikroTik 3.21
MikroTik Login: admin

[admin@MikroTik] > /sys identity set name=Client1

6. Configuring Metarouter to make it easy for client to understand the configuration:

[admin@Client1] /interface ethernet> p
Flags: X - disabled, R - running, S - slave 
 #    NAME                                              MTU   MAC-ADDRESS       ARP       
 0 R  ether1                                            1500  02:49:E8:55:8E:E8 enabled   
 1 R  ether2                                            1500  02:16:16:90:EF:0E enabled   
[admin@Client1] /interface ethernet> set 0 name=public
[admin@Client1] /interface ethernet> set 1 name=local
[admin@Client1] /interface ethernet> print
Flags: X - disabled, R - running, S - slave 
 #    NAME                                              MTU   MAC-ADDRESS       ARP       
 0 R  public                                            1500  02:49:E8:55:8E:E8 enabled   
 1 R  local                                             1500  02:16:16:90:EF:0E enabled   
[admin@Client1] /interface ethernet> 

[admin@Client1] /ip address> add address= interfae=public
[admin@Client1] /ip address> add address= interface=local 
[admin@Client1] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE                         
 0      public                            
 1      local

[admin@Client1] /ip route> add gateway=
[admin@Client1] /ip route> print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        G GATEWAY                   DISTANCE INTERFACE 
 0 A S                          r                  1        public    
 1 ADC                                    0        public    
 2 ADC                                    0        local     
[admin@Client1] /ip route> 

[admin@Client1] /ip firewall nat> add action=masquerade out-interface=public chain=srcnat