VLESS proxy tunnel on MikroTik via containers

Good day!
Thanks to the rebuilt Xray-core and hev-socks5-tunnel containers (thanks a lot for this, Snegowiki! https://hub.docker.com/r/snegowiki/vless-mikrotik and https://hub.docker.com/r/snegowiki/hev-socks5-tunnel-mikrotik), it has become much easier to launch the containers.
In addition to preparing the router for the installation of containers, it is also necessary to configure routing for marked traffic.

In short, these are the settings you need:

  1. Create 2 virtual interfaces, one for each container, and give them IPs from a private address range:
/interface veth add address=172.17.0.2/24 gateway=172.17.0.1 gateway6="" name=veth1-xray
/interface veth add address=172.17.0.3/24 gateway=172.17.0.1 gateway6="" name=veth2-tun
  2. Create a bridge for the veth interfaces and containers, and assign it an IP and network:
/interface/bridge/add name=containers
/ip/address/add address=172.17.0.1/24 network=172.17.0.0 interface=containers
  3. Add the veth interfaces to the bridge:
/interface/bridge/port add bridge=containers interface=veth1-xray
/interface/bridge/port add bridge=containers interface=veth2-tun
  4. Add the bridge to the LAN list:
/interface list member add interface=containers list=LAN
  5. Add a routing table for tagged traffic:
/routing table add disabled=no fib name=proxy_mark
  6. Set up NAT for outgoing traffic:
/ip firewall nat add action=masquerade chain=srcnat comment="Containers through NAT" out-interface-list=WAN src-address=172.17.0.0/24
  7. Set up the firewall mangle rule that marks traffic for routing:
/ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=route_proxy new-routing-mark=proxy_mark passthrough=yes
# Optional: /ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=containers passthrough=yes protocol=tcp tcp-flags=syn
  8. Add resources to the address list:
/ip firewall address-list add address=microsoft.com list=route_proxy
/ip firewall address-list add address=www.microsoft.com list=route_proxy
  9. Add a route for tagged traffic:
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.17.0.3 routing-table=proxy_mark
  10. Set the environment variables for the Xray VLESS container:
/container envs add key=SOCKS_PORT name=vless value=@port@
/container envs add key=REMOTE_ADDRESS name=vless value=@your_address/ip_vps@
/container envs add key=REMOTE_PORT name=vless value=443
/container envs add key=ID name=vless value=@ID from panel 3x-ui@
/container envs add key=ENCRYPTION name=vless value=none
/container envs add key=FLOW name=vless value=xtls-rprx-vision
/container envs add key=FINGER_PRINT name=vless value=chrome
/container envs add key=SERVER_NAME name=vless value=@the domain you're masquerading as@
/container envs add key=PUBLIC_KEY name=vless value=@PUBLIC_KEY@
/container envs add key=SHORT_ID name=vless value=@SHORT_ID@
  11. Set the environment variables for the Tun container:
/container envs add key=SOCKS5_ADDR name=tun value=172.17.0.2
/container envs add key=SOCKS5_PORT name=tun value=@port@
/container envs add key=SOCKS5_UDP_MODE name=tun value=udp
/container envs add key=LOCAL_ROUTE name=tun value="ip r a @your network@ via 172.17.0.1"
  12. Add the containers (these settings are not complete: the source to install from, either directly from the hub or from a file on the router, is not specified):
/container add dns=@your network@ envlist=vless interface=veth1-xray root-dir=@your directory sample - usb1/Containers/vless-mikrotik@ start-on-boot=yes workdir=/root
/container add envlist=tun interface=veth2-tun root-dir=@your directory sample - usb1/Containers/Hev-Tun@ start-on-boot=yes
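
A consistency check for the commands above before pasting them into the router, written in Python as an added example (not part of the original post and not code from the container images). The rules it enforces are read off the values in the steps: both veth addresses sit on the bridge subnet, SOCKS5_ADDR is the veth1-xray address, both containers use the same SOCKS port, and the proxy_mark route points at veth2-tun. The function names and the port 1080 in the sample are assumptions.

```python
import ipaddress
import re

# Constructed sample: a subset of the page's commands with the @...@ placeholders
# filled in (port 1080 is an assumed value, not one given in the post).
SAMPLE = """\
/interface veth add address=172.17.0.2/24 gateway=172.17.0.1 gateway6="" name=veth1-xray
/interface veth add address=172.17.0.3/24 gateway=172.17.0.1 gateway6="" name=veth2-tun
/ip/address/add address=172.17.0.1/24 network=172.17.0.0 interface=containers
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.17.0.3 routing-table=proxy_mark
/container envs add key=SOCKS_PORT name=vless value=1080
/container envs add key=SOCKS5_ADDR name=tun value=172.17.0.2
/container envs add key=SOCKS5_PORT name=tun value=1080
"""

def params(line):
    """Return the key=value parameters of one RouterOS command line."""
    return dict(re.findall(r'(\S+?)=("[^"]*"|\S*)', line))

def check(script):
    """Return a list of problems in the pasted commands (empty list = consistent)."""
    veth, envs, bridge, gateway, problems = {}, {}, None, None, []
    for line in script.splitlines():
        p = params(line)
        if re.search(r"@[^@]+@", line):  # a template value that was never replaced
            problems.append("unfilled placeholder: " + line.strip())
        elif line.startswith("/interface veth add"):
            veth[p["name"]] = (ipaddress.ip_interface(p["address"]), p["gateway"])
        elif line.startswith("/ip/address/add"):
            bridge = ipaddress.ip_interface(p["address"])
        elif line.startswith("/ip route add") and p.get("routing-table") == "proxy_mark":
            gateway = ipaddress.ip_address(p["gateway"])
        elif line.startswith("/container envs add"):
            envs[(p["name"], p["key"])] = p["value"]
    xray, tun = veth.get("veth1-xray"), veth.get("veth2-tun")
    if None in (xray, tun, bridge):
        return problems + ["veth1-xray, veth2-tun or the bridge address is missing"]
    for name, (addr, gw) in veth.items():
        if addr.ip not in bridge.network or gw != str(bridge.ip):
            problems.append(f"{name} is not on the bridge subnet or has the wrong gateway")
    if envs.get(("tun", "SOCKS5_ADDR")) != str(xray[0].ip):
        problems.append("SOCKS5_ADDR does not point at veth1-xray")
    if envs.get(("vless", "SOCKS_PORT")) != envs.get(("tun", "SOCKS5_PORT")):
        problems.append("SOCKS_PORT and SOCKS5_PORT differ")
    if gateway != tun[0].ip:
        problems.append("proxy_mark default route does not use veth2-tun as gateway")
    return problems

print(check(SAMPLE))
```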