We create routing marks for the traffic we want to bypass censorship. For example, route all traffic to non-China IPs through the V2Ray gateway.
# Step A: Mark connections from LAN
/ip firewall mangle add chain=prerouting src-address=192.168.1.0/24 dst-address-type=!local action=mark-connection new-connection-mark=v2ray-conn
/ip socks
set enabled=yes port=1080
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80,443 action=redirect to-ports=1080
But this only forwards to MikroTik’s SOCKS, not to V2Ray. Better to use Method 1 with a proxy box.
Set up a V2Ray client (such as v2ray-core, xray, or sing-box) on a separate device (e.g., a Raspberry Pi, a spare PC, or a VM).
Step 1: Enable Container Mode
/container config set registry-url=https://registry-1.docker.io tmpdir=usb1/pull
Step 2: Pull a V2Ray Core Image
We will use v2fly/v2fly-core (the community standard).
/container add remote-image=v2fly/v2fly-core:latest interface=veth1 root-dir=usb1/v2ray
/container start 0
Step 3: Configure V2Ray Inside the Container
You need a config.json file. Create it on your USB drive:
{
  "inbounds": [
    {
      "port": 1080,
      "protocol": "socks",
      "settings": { "auth": "noauth", "udp": true }
    }
  ],
  "outbounds": [
    {
      "protocol": "vmess",
      "settings": {
        "vnext": [
          { "address": "your-server.com", "port": 443, "users": [ { "id": "UUID-HERE" } ] }
        ]
      },
      "streamSettings": { "network": "ws", "security": "tls" }
    }
  ]
}
Bind this volume to the container. You will need to transfer the file using FTP/SCP.
Step 4: Route MikroTik Traffic to the Container
By default, the container gets a virtual IP (e.g., 172.17.0.2). Use Mangle to send traffic there:
/ip firewall mangle add chain=prerouting dst-port=80,443 protocol=tcp action=mark-routing new-routing-mark=via_v2ray
/ip route add gateway=172.17.0.2 routing-mark=via_v2ray
Pros: Ultra-low latency, no extra hardware.
Cons: Requires ARM64; steep learning curve for container management.
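An added example, not part of the original guide: a Python check that can be run against the Step 3 config.json before it is copied to the router. It flags an unauthenticated SOCKS inbound reachable beyond loopback, a VMess outbound without TLS, and a user id that is still a placeholder. The function names are hypothetical, and it assumes that an inbound with no "listen" field binds to 0.0.0.0.

```python
import ipaddress
import json
import uuid

# Constructed sample: the Step 3 config.json with its JSON braces in place.
SAMPLE_CONFIG = """
{"inbounds": [{"port": 1080, "protocol": "socks",
               "settings": {"auth": "noauth", "udp": true}}],
 "outbounds": [{"protocol": "vmess",
                "settings": {"vnext": [{"address": "your-server.com", "port": 443,
                                        "users": [{"id": "UUID-HERE"}]}]},
                "streamSettings": {"network": "ws", "security": "tls"}}]}
"""


def is_loopback(addr):
    """True only for literal loopback addresses such as 127.0.0.1 or ::1."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_config(text):
    """Return (code, message) findings for a V2Ray JSON config (hypothetical helper)."""
    cfg = json.loads(text)
    findings = []
    for i, inb in enumerate(cfg.get("inbounds", [])):
        listen = inb.get("listen", "0.0.0.0")  # assumption: binds all interfaces by default
        auth = inb.get("settings", {}).get("auth", "noauth")
        if inb.get("protocol") == "socks" and auth == "noauth" and not is_loopback(listen):
            findings.append(("OPEN_SOCKS", f"inbound {i}: unauthenticated SOCKS on {listen}:{inb.get('port')}"))
    for i, out in enumerate(cfg.get("outbounds", [])):
        if out.get("protocol") != "vmess":
            continue
        if out.get("streamSettings", {}).get("security", "none") != "tls":
            findings.append(("NO_TLS", f"outbound {i}: VMess transport is not wrapped in TLS"))
        for server in out.get("settings", {}).get("vnext", []):
            for user in server.get("users", []):
                try:
                    uuid.UUID(str(user.get("id", "")))
                except ValueError:
                    findings.append(("BAD_ID", f"outbound {i}: user id is not a UUID (placeholder left in?)"))
    return findings


if __name__ == "__main__":
    for code, message in audit_config(SAMPLE_CONFIG):
        print(code, message)
```

When the SOCKS inbound must stay reachable from the router, an OPEN_SOCKS finding is the cue to restrict who can reach port 1080 with firewall rules or to switch the inbound to password auth.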
Since most MikroTik routers lack the RAM to run V2Ray containers smoothly, the industry-standard approach is to use MikroTik as the "Traffic Director" and let a separate device handle the decryption.
Topology:
Internet <--> MikroTik <--> V2Ray Client Device (Raspberry Pi/VM) <--> LAN
This paper reviews V2Ray, a versatile proxy platform for network privacy and circumvention, and provides a practical deployment guide for running V2Ray with MikroTik routers (RouterOS). It covers architecture, protocol options, security considerations, performance tuning, common configurations, and a sample setup using a separate V2Ray server with MikroTik handling routing and firewalling.
# Socks proxy chain
/ip proxy set enabled=yes parent-proxy=10.0.0.1:1080
To follow this guide, you need:
Important: Not all MikroTik devices support containers. Check the official MikroTik Container Documentation.