This guide explains how to configure MikroTik RouterOS (CHR) to connect to a Hetzner Cloud Private Network using a /32 IP address β the default setup in Hetzner.
-
Youβve created a Hetzner Cloud Network (e.g., 172.16.64.0/21)
-
A subnet (e.g., 172.16.64.0/28) is attached to your CHR instance
-
You can access the MikroTik terminal (serial, SSH, or Winbox)
Hetzner internal networking uses encapsulation, so you must lower the MTU:
/interface ethernet set ether2 mtu=1450
Replace ether2 with the correct interface attached to the private network.
###π 2. Assign a Private IP (/32) Hetzner provides IPs with /32 masks, so set the IP like this:
/ip address add address=172.16.64.2/32 interface=ether2
Tell MikroTik to reach the Hetzner gateway (172.16.64.1) via the interface:
/ip route add dst-address=172.16.64.1/32 gateway=ether2
This allows MikroTik to reach all IPs in the Hetzner network (across subnets):
/ip route add dst-address=172.16.64.0/21 gateway=172.16.64.1 target-scope=31
target-scope=31 is critical β it tells RouterOS to accept the /32 gateway route as valid.
/tool ping 172.16.64.1
/tool ping 172.16.64.133 # Example target VM
/ip firewall filter add chain=input protocol=icmp action=accept
/ip firewall filter add chain=forward action=accept
/interface ethernet set ether2 mtu=1450
/ip address add address=172.16.64.2/32 interface=ether2
/ip route add dst-address=172.16.64.1/32 gateway=ether2
/ip route add dst-address=172.16.64.0/21 gateway=172.16.64.1 target-scope=31
π§ Notes Hetzner private IPs are always assigned as /32
MikroTik requires a manual route to enable ARP resolution to the gateway
MTU must be reduced to 1450 to avoid packet fragmentation
No DHCP is used β IPs must be configured statically