
When you run bare-metal or virtualized servers, a dedicated router gives you a hardened, centralized edge for your rack or cluster. Below is a practical, infrastructure-focused guide—why to use one, how MikroTik (hardware and CHR) fits, and a few proven blueprints you can implement immediately.

What a dedicated router does for server infrastructure

1) Edge security & origin IP hiding
Place your servers on private subnets (RFC1918) and let the router handle stateful firewalling and NAT/port forwarding. That keeps real server IPs off the Internet and shrinks the attack surface; only the ports you publish are reachable. RouterOS provides this through NAT and connection tracking.

Note: NAT/origin hiding ≠ DDoS scrubbing. For volumetric attacks, pair your setup with upstream mitigation or a CDN/WAF.

2) Clean network segmentation inside a rack
Use VLANs for L2 separation and VRFs for L3 separation—ideal for multi-tenant bare metal, prod vs. staging, or overlapping address spaces. RouterOS v7 supports multiple VRFs to isolate routing tables per tenant or app tier.

3) Secure office↔data-center links
Terminate site-to-site VPNs on the router (e.g., WireGuard for simplicity/performance, or IPsec for cross-vendor interoperability) so that your office subnets can reach servers over an encrypted channel.

4) Route at scale
When static routes don’t suffice, enable BGP (for multi-homing or own ASN) and OSPF (for internal routing across multiple racks/rooms). RouterOS v7 brings an updated routing stack for these use cases.

Why MikroTik on the server edge?

  • Feature-rich edge in one OS: stateful firewall, NAT, VPNs (WireGuard/IPsec/L2TP/SSTP/OpenVPN), VLAN/bridging, VRF, BGP/OSPF—no per-feature add-ons.

  • Hardware options for racks: e.g., RB1100AHx4 and CCR2004-1G-12S+2XS (with numerous SFP+ ports for 10G fabric); both are available from providers for rack deployments.

  • Virtual edition (CHR) when you want the router inside your dedicated server host (Proxmox/KVM/VMware/Hyper-V): same RouterOS features with VM-friendly licensing.

CHR licensing (quick view)

  • Free: runs indefinitely, 1 Mbps upload per interface (great for labs/OOB).

  • P1: 1 Gbps per interface.

  • P10: 10 Gbps per interface.

  • P-Unlimited: no throughput cap.
    (60-day trials available through MikroTik.)

Blueprints you can deploy today

A) Rack edge that hides origins (NAT + ACLs)

  • Servers on 10.10.10.0/24 behind the router.

  • Publish only app ports via dst-NAT; block SSH/RDP from WAN; admin via VPN only.

  • Ideal for single-rack web/app stacks and CI/CD builders.

B) Office ↔ DC tunnel for admin & monitoring

  • MikroTik at the rack terminates WireGuard; office MikroTik/clients are peers.

  • Route only monitoring/management prefixes; enforce with firewall address-lists.

C) Private fabric inside a virtualization host (CHR)

  • Deploy CHR as a VM on your dedicated server (Proxmox/KVM/etc.).

  • Attach multiple vNICs/VLANs to CHR (e.g., dmz, apps, db) and build VRFs when tenants overlap.

  • CHR handles east-west filtering, NAT, and the VPN out to your office—without exposing guest VMs to the public Internet.

Minimal RouterOS examples (conceptual)

Publish HTTPS for a single server, block everything else on WAN

 
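    # Forward HTTPS arriving on the WAN interface to the web server
    /ip firewall nat add chain=dstnat dst-port=443 protocol=tcp in-interface=wan \
        action=dst-nat to-addresses=10.10.10.50 to-ports=443
    # Drop everything from WAN that is addressed to the router itself
    /ip firewall filter add chain=input in-interface=wan action=drop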

(NAT + firewall concepts per RouterOS docs; refine with established/related and address-lists.)

WireGuard site-to-site (DC side)

 
    # WireGuard interface on the DC router
    /interface wireguard add name=wg-office listen-port=51820 private-key="DC_PRIVATE_KEY"
    # Office peer; allowed-address is the office LAN reachable through the tunnel
    /interface wireguard peers add interface=wg-office public-key="OFFICE_PUBKEY" \
        allowed-address=192.168.50.0/24 endpoint-address=OFFICE_IP endpoint-port=51820
    # Tunnel address and route to the office subnet
    /ip address add address=10.0.0.1/30 interface=wg-office
    /ip route add dst-address=192.168.50.0/24 gateway=10.0.0.2

(Adjust keys/subnets; pair with input/filter rules.)
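
The filter rules that the HTTPS and WireGuard examples above leave as refinements ("established/related and address-lists", "pair with input/filter rules"), written out as an added example that is not part of the original article or MikroTik's documentation. The interface names `wan` and `wg-office`, port 51820 and the subnets are reused from the examples above; the address-list names `mgmt-src` and `mgmt-dst` are assumptions made for illustration.

```routeros
# Added example, not from the original page. Assumed names: wan, wg-office,
# mgmt-src, mgmt-dst. Addresses reuse the subnets from the examples above.
/ip firewall address-list
add list=mgmt-src address=192.168.50.0/24 comment="office hosts allowed to administer"
add list=mgmt-dst address=10.10.10.0/24 comment="servers reachable over the tunnel"

/ip firewall filter
# Traffic addressed to the router itself
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=wan protocol=udp dst-port=51820 action=accept \
    comment="WireGuard from the office peer"
add chain=input in-interface=wg-office src-address-list=mgmt-src action=accept \
    comment="router admin only through the tunnel"
add chain=input in-interface=wg-office action=drop
add chain=input in-interface=wan action=drop

# Traffic routed through the router
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=wan connection-nat-state=!dstnat action=drop \
    comment="WAN reaches only dst-NATed (published) ports"
add chain=forward in-interface=wg-office src-address-list=mgmt-src \
    dst-address-list=mgmt-dst action=accept comment="office to servers"
add chain=forward in-interface=wg-office action=drop
```

RouterOS evaluates each chain from top to bottom, so the accept rules must stay above the drops that follow them.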

BGP for multi-homed racks (high level)
Use RouterOS v7 BGP to advertise your prefixes to two ISPs; apply out-filters and MED/local-pref policies. (See RouterOS v7 BGP docs.)

Where Bacloud fits

  • MikroTik hardware as dedicated routers for racks (e.g., RB1100AHx4, CCR2004-1G-12S+2XS)—drop-in edge for single or multiple dedicated servers.

  • MikroTik VPS—spin up RouterOS as a managed virtual router if you don’t need a full server.

  • CHR on dedicated servers—Bacloud details how CHR pairs with its dedicated servers for flexible, VM-based routing inside your host.

Choosing physical vs. CHR for dedicated servers

  • Pick hardware (CCR/RB) when you need many physical ports, 10G/25G optics, or strict separation from compute.

  • Pick CHR when you want the fastest deployment, integration with guest VMs/containers, snapshots/backups, and licensing that scales with throughput (P1/P10/P-Unlimited).

Quick FAQ

Does MikroTik support real stateful firewalling?
Yes—connection tracking enables stateful rules (and underpins NAT).

Which VPN should I use?
Use WireGuard for simple, high-performance tunnels; IPsec for strict standards/cross-vendor setups.

Can I lab this without buying hardware?
Yes—run CHR Free (1 Mbps/interface) in a VM to prototype VLAN/VRF/VPN designs before moving to P1/P10/P-Unlimited.

