Skip to content
MikroTik RouterOS Docs

CHR: Installing on Google Cloud Platform

CHR: Installing on Google Cloud Platform

Section titled “CHR: Installing on Google Cloud Platform”

RouterOS CHR can be deployed on Google Cloud Platform (GCP) by importing the MikroTik RAW disk image into Compute Engine as a custom image. GCP does not currently offer CHR through the Marketplace, so image import is required.

Prerequisites

Section titled “Prerequisites”
  • Google Cloud account with billing enabled
  • gcloud CLI installed and authenticated (gcloud auth login)
  • qemu-img installed for image conversion

Step 1: Download and Convert the CHR Image

Section titled “Step 1: Download and Convert the CHR Image”

GCP Compute Engine requires images in RAW format (.img). The MikroTik VMDK must be converted:

Terminal window
# Download the CHR VMDK image
wget https://download.mikrotik.com/routeros/7.x/chr-7.x.vmdk


# Convert VMDK to RAW format
qemu-img convert -f vmdk -O raw chr-7.x.vmdk chr-7.x.img


# GCP requires the RAW image to be named 'disk.raw' inside a tar.gz archive
mv chr-7.x.img disk.raw
tar -czf chr-7.x.tar.gz disk.raw

Step 2: Upload the Image to Google Cloud Storage

Section titled “Step 2: Upload the Image to Google Cloud Storage”
Terminal window
# Create a Cloud Storage bucket (bucket names must be globally unique)
gsutil mb gs://my-mikrotik-images


# Upload the compressed image
gsutil cp chr-7.x.tar.gz gs://my-mikrotik-images/chr-7.x.tar.gz

Step 3: Import the Image into Compute Engine

Section titled “Step 3: Import the Image into Compute Engine”
Terminal window
# Create a Compute Engine image from the GCS object
gcloud compute images create mikrotik-chr-7x \
  --source-uri gs://my-mikrotik-images/chr-7.x.tar.gz \
  --description "MikroTik RouterOS CHR 7.x" \
  --family mikrotik-chr

Import may take several minutes. Track progress:

Terminal window
gcloud compute images list --filter="family=mikrotik-chr"

Step 4: Create the VM Instance

Section titled “Step 4: Create the VM Instance”
Terminal window
# Create the CHR instance
gcloud compute instances create chr-router \
  --image mikrotik-chr-7x \
  --image-project $(gcloud config get-value project) \
  --machine-type e2-small \
  --network-interface network-tier=PREMIUM,subnet=default,address='' \
  --can-ip-forward \
  --metadata startup-script='' \
  --zone us-central1-a

The --can-ip-forward flag is required for CHR to function as a router. Without it, GCP drops forwarded packets at the VPC level regardless of RouterOS configuration.

Section titled “Recommended Machine Types”
Use CaseMachine TypevCPUsRAM
Lab / testinge2-micro2 (shared)1 GB
Small routere2-small2 (shared)2 GB
Productionn2-standard-228 GB
High throughputc2-standard-4416 GB

Step 5: Configure Firewall Rules

Section titled “Step 5: Configure Firewall Rules”

GCP VPC firewall rules control traffic to and from your CHR instance. Create rules for management access:

Terminal window
# Allow SSH from your management IP
gcloud compute firewall-rules create allow-chr-ssh \
  --direction=INGRESS \
  --action=ALLOW \
  --rules=tcp:22 \
  --source-ranges=203.0.113.0/24 \
  --target-tags=chr-router


# Allow WinBox from your management IP
gcloud compute firewall-rules create allow-chr-winbox \
  --direction=INGRESS \
  --action=ALLOW \
  --rules=tcp:8291 \
  --source-ranges=203.0.113.0/24 \
  --target-tags=chr-router


# Apply the tag to the instance
gcloud compute instances add-tags chr-router --tags=chr-router --zone=us-central1-a

Step 6: Initial Login and Configuration

Section titled “Step 6: Initial Login and Configuration”

Get the external IP address:

Terminal window
gcloud compute instances describe chr-router \
  --zone=us-central1-a \
  --format='get(networkInterfaces[0].accessConfigs[0].natIP)'

Connect via SSH:

Terminal window
ssh admin@<external-ip>

Default login is admin with no password. Set a password immediately on first login to prevent unauthorized access.

# Set admin password immediately
/user set admin password=StrongPassword123!


# View detected interfaces
/interface print


# Configure management IP (GCP assigns it via DHCP — verify it matches)
/ip address print


# Set DNS
/ip dns set servers=8.8.8.8,8.8.4.4


# Enable SSH
/ip service enable ssh


# Set router identity
/system identity set name=gcp-chr-01

Multiple Network Interfaces

Section titled “Multiple Network Interfaces”

GCP supports attaching additional network interfaces to a CHR instance. Each interface must be in a different VPC network:

Terminal window
# Add a second interface at instance creation
gcloud compute instances create chr-router \
  --image mikrotik-chr-7x \
  --image-project $(gcloud config get-value project) \
  --machine-type e2-small \
  --can-ip-forward \
  --network-interface network=default,subnet=default \
  --network-interface network=internal-vpc,subnet=internal-subnet,no-address \
  --zone us-central1-a

GCP does not support adding network interfaces to a running instance. Plan your multi-NIC topology before creating the VM.

Inside RouterOS, interfaces appear in the order they were attached:

/interface print
# ether1 = first interface (default/WAN)
# ether2 = second interface (internal/LAN)

Static External IP Address

Section titled “Static External IP Address”

GCP assigns ephemeral external IPs by default. Reserve a static IP for production deployments:

Terminal window
# Reserve a static regional IP
gcloud compute addresses create chr-external-ip --region=us-central1


# Assign during instance creation
gcloud compute instances create chr-router \
  --image mikrotik-chr-7x \
  --machine-type e2-small \
  --can-ip-forward \
  --network-interface network=default,subnet=default,address=chr-external-ip \
  --zone us-central1-a

Cloud-Init / Startup Script

Section titled “Cloud-Init / Startup Script”

GCP supports passing startup metadata to instances. CHR reads the startup-script metadata key and executes it as a RouterOS script on first boot:

Terminal window
# Pass initial configuration as metadata
gcloud compute instances create chr-router \
  --image mikrotik-chr-7x \
  --machine-type e2-small \
  --can-ip-forward \
  --metadata startup-script='/user set admin password=StrongPassword123!
/ip service disable telnet,ftp,www,api
/system identity set name=gcp-chr-01' \
  --zone us-central1-a

For longer scripts, use a file:

Terminal window
gcloud compute instances create chr-router \
  --image mikrotik-chr-7x \
  --machine-type e2-small \
  --can-ip-forward \
  --metadata-from-file startup-script=chr-init.rsc \
  --zone us-central1-a

See CHR: Cloud-Init Configuration for script examples.

Licensing

Section titled “Licensing”

GCP deployments use standard CHR licensing. After deployment:

/system/license renew
account=your-mikrotik-account
password=your-password
level=p1

If you create multiple CHR instances from the same image, each instance may share the same system ID. Run /system license generate-new-id on each instance before requesting a license.

Troubleshooting

Section titled “Troubleshooting”

Instance Has No External Connectivity

Section titled “Instance Has No External Connectivity”

Ensure --can-ip-forward was set at instance creation. This flag cannot be changed after creation — you must delete and recreate the instance.

SSH Connection Refused

Section titled “SSH Connection Refused”
  1. Verify GCP firewall rules allow TCP/22 from your source IP
  2. Check the instance is running: gcloud compute instances list
  3. Use the GCP Serial Console if SSH is unavailable:
    Terminal window
    gcloud compute connect-to-serial-port chr-router --zone=us-central1-a

Image Import Fails

Section titled “Image Import Fails”
  • Ensure the image archive contains a file named exactly disk.raw
  • Verify the Cloud Storage bucket and image are in the same project/region
  • Check IAM permissions: the Compute Engine service account needs Storage Object Viewer access to the bucket
Section titled “Related Topics”