How to install MikroTik CHR on a virtual and cloud server - Complete guide to installation, configuration and best settings

Why should you install CHR on a virtual or cloud server?

Installation MikroTik CHR On a VPS or cloud server, a quick and Flexible For creating virtual routers, advanced firewalls, BGP, VPNs, and traffic management. This guide is written for network administrators, DevOps engineers, gamers, traders, and anyone who needs to control their network at the IP layer, and includes practical commands, KVM/Proxmox/VMware/Hyper-V examples, security tips, and optimization recommendations.

CHR Overview and Prerequisites

What is CHR?
MikroTik CHR A version of RouterOS designed to run in virtual and cloud environments. Suitable for virtual routers, NAT, VPN, BGP, and advanced routing.

License and restrictions
CHR operates under the RouterOS licensing model; some performance levels may require a license. Before deploying to production, check the license status from Mikrotik download page Check.

Recommended hardware requirements for a virtual server

• CPU: Minimum 2 vCPU (4+ vCPU for production)
• RAM: Minimum 2GB (4GB+ recommended)
• Disk: SSD/NVMe for low latency I/O
• Network: virtio/VMXNET3 network card with MTU support up to 9000 if needed

Preparing the CHR image for different environments

Download official image

Visit the MikroTik download page and download the CHR file (qcow2/vmdk/vhdx/iso) for the desired version. For this purpose, use Mikrotik download page Use.

Convert or prepare image with qemu-img (KVM example)

Example of converting ZIP containing qcow2 and preparing the disk:

wget https://download.mikrotik.com/routeros/7.xx/chr-7.xx.qcow2.zip
unzip chr-7.xx.qcow2.zip
qemu-img convert -f qcow2 -O qcow2 chr-7.xx.qcow2 mikrotik-chr.qcow2

How to install Mikrotik CHR on a virtual and cloud server — Conventional methods

Installing on KVM/libvirt (Linux)

Place the disk in the VM path and create the virtual machine with import:

sudo mv mikrotik-chr.qcow2 /var/lib/libvirt/images/
sudo virt-install --name mikrotik-chr \
  --ram 4096 --vcpus 2 \
  --disk path=/var/lib/libvirt/images/mikrotik-chr.qcow2,format=qcow2 \
  --os-type=linux --import \
  --network network=default,model=virtio \
  --graphics none

Note: For better network performance than the model virtue Use and if possible set CPU pinning.

Installation on Proxmox

Upload qcow2 to Storage or use qm importdisk:

qm create 9000 --name mikrotik-chr --memory 4096 --net0 virtio,bridge=vmbr0
qm importdisk 9000 mikrotik-chr.qcow2 local-lvm
qm set 9000 --scsihw virtio-scsi-pci --scsi0 local-lvm:vm-9000-disk-0
qm set 9000 --boot c --bootdisk scsi0

Set network to virtue And don't forget the right bridge.

Installing on VMware ESXi

Using VMDK: Upload vmdk file to datastore, create VM with Guest OS Linux (Other 64-bit), use VMXNET3 or e1000e and attach vmdk then boot.

Installing on Hyper‑V

Convert QCOW2/VMDK to VHDX and create VM:

qemu-img convert -f qcow2 -O vhdx mikrotik-chr.qcow2 mikrotik-chr.vhdx

Then create a Gen1 VM and attach the vhdx; set the adapter to synthetic.

Installation in public Cloud environments (AWS/GCP/your company)

Most clouds allow you to upload custom images. Convert the CHR image to the format required by the platform and then import it.

Important note: In public cloud services, use image import and select the NIC type with the best driver (virtio, ena, e1000).

Initial CHR setup after boot

Initial access is via the hypervisor console, SSH, or Winbox. Note that RouterOS defaults to IP 192.168.88.1 and user admin It has no password (may vary depending on the image).

/user add name=ops password=StrongPass group=full
/user remove admin
/ip address add address=192.168.88.1/24 interface=ether2

Example of NAT configuration for Internet output

/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

Setting DNS and Gateway

/ip dns set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes
/ip route add gateway=203.0.113.1

Configuring BGP, VPN, and Routing (Examples)

Basic BGP configuration

Before setting up BGP in the cloud, you will need a public IP and ASN; your provider may provide IP/ASN or enable BGP over a dedicated VLAN.

/routing bgp instance set default as=64512 router-id=1.1.1.1
/routing bgp peer add name=isp peer-address=203.0.113.2 remote-as=65001 out-filter=none in-filter=none

Creating an IPSec Site-to-Site VPN Example

/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-256-cbc
/ip ipsec peer add address=198.51.100.2 auth-method=pre-shared-key secret=MySecret exchange-mode=ike2
/ip ipsec policy add src-address=10.0.0.0/24 dst-address=10.1.0.0/24 sa-src-address=203.0.113.1 sa-dst-address=198.51.100.2 tunnel=yes

Security tips and best practices after installation

Change SSH port and activate RSA key:

/ip service set ssh port=2222

Disabling unnecessary services:

/ip service disable telnet ftp www api api-ssl

Enabling the basic firewall:

/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input protocol=tcp dst-port=22 action=accept
/ip firewall filter add chain=input action=drop

Configuring logging and monitoring:

/snmp set enabled=yes
/system logging action add name=remote target=remote remote=10.10.10.10

Performance optimization for a variety of applications

For trading (lowest latency, stability)

Choosing a location close to trading servers and exchanges (NY, London, Frankfurt, Tokyo, Singapore) is of great importance. Our company is 85+ global locations It provides the possibility of establishing locations close to markets.

Use low latency NIC (virtio/VMXNET3), dedicated CPU allocation or pinning, and NVMe SSD. Enabling BGP/Route optimization and AS-path filters for better routing is recommended.

For gaming (low ping)

It is recommended to choose data centers close to the gamer's gaming POP/ISP and use a gaming-specific VPS with low-latency networking and Anti-DDoS.

Configuring the appropriate MTU and enabling fastpath if supported by the hardware and image can reduce ping.

For AI / Render / High Bandwidth

CHR is good for routing, but for GPU computing, use a graphics server (GPU Cloud). It is recommended for high-speed routing, network resource allocation, and cloud server usage with Line-rate NIC.

Backup, update and maintenance

Preparing export of config:

/export file=full-config-backup

Download the file via FTP/SCP. Also use a snapshot or backup at the hypervisor level before making major changes.

RouterOS update:

/system package update check-for-updates
/system package update download
/system reboot

Practical tips and common problems

• Console access problem: Use the Virtual Console of the hypervisor environment and check if the image is booted.
• Low speed issue: Check NIC type, offloading, CPU steal, and throttling at the hypervisor level.
• Licensing and throughput limits: Review CHR licensing and limitations before deploying to production.

Why does it make sense to use CHR in our company's cloud infrastructure?

• Attendance at 85+ global locations For close proximity to customers, trade markets and POP gaming.
• Providing trading VPS and gaming VPS with low-latency network and Anti-DDoS.
• BGP, VLAN, private network, and IP sharing capabilities for multi-homing solutions and secure connectivity between data centers.
• High-performance cloud server, maintenance, backup, and technical support for CHR installation and setup.

Summary

This guide covers the steps of downloading the image, preparing it for KVM/Proxmox/VMware/Hyper-V, initial configuration, security, BGP, and performance optimization for various uses. By following the security tips and testing in a test environment, you can safely and stably deploy CHR in your cloud infrastructure.

Frequently Asked Questions