Testwiki/Managing MikroTik devices


Managing MikroTik devices


RouterOS is MikroTik’s stand-alone operating system, based on the Linux 2.6 kernel. It runs on all MikroTik RouterBOARD devices and can also be installed on a PC. RouterOS provides all the features a router needs: routing, firewall, bandwidth management, wireless access point, user management and more.

RouterOS supports multi-core and multi-CPU computers (SMP). You can run it on the latest Intel motherboards and use the newest multicore CPUs. RouterOS also supports installation on IDE, SATA and USB storage devices, including HDDs, CF and SD cards, SSD disks and more. You need at least 64MB of space to install RouterOS, which will format your partition and become the default operating system of the device. RouterOS is licensed, and a license can be used on only one system. You can read more about MikroTik licenses here.

How to get access to a MikroTik router

The console is used for accessing the MikroTik router's configuration and management features using text terminals. When you connect to a MikroTik router you can configure it, change and verify the configuration, and get statistics and other useful information. There are different ways to do this. Routers that have a console port can be configured through that port. RouterBOARDs that have no serial console usually come from the factory with a pre-configured IP address on one of the interfaces and can therefore be configured through the network. Many RouterBOARDs have a serial console port, so quite often the first configuration is done using this interface. Various terminal emulation programs can be used to connect through the console port, for example HyperTerminal for Windows and minicom for Unix-like operating systems. The serial port configuration is set by default to:

  • Bits per second = 115200 bit/s
  • Data bits = 8
  • Parity = None
  • Stop bits = 1
  • Flow control = None

By default, MikroTik routers use “admin” as the username (login) and no password is set. Besides the serial console port, there may be other ways to log in to the console:

  • console (screen and keyboard) – when RouterOS is installed on a PC
  • telnet, SSH protocols – when connecting to the MikroTik router through a network interface, using programs that support these protocols, for example PuTTY
  • mac-telnet – connects to the router using the Ethernet (MAC) address of an interface, for when the network interface is not pre-configured (no IP address is set up)
  • winbox terminal – GUI tool for configuring MikroTik routers

User interfaces

RouterOS supports various methods of configuring a MikroTik router: a serial console with a terminal application, telnet and SSH access over the network, a simple web interface, and a GUI tool called Winbox.

Command-Line Interface

The console provides a CLI (Command Line Interface) for configuring the router's settings using text commands. It is important to understand the command prompt of the MikroTik router. Since there are a lot of available commands, they are split into groups organized in hierarchical menu levels. The name of a menu level reflects the configuration information accessible in the relevant section, e.g. /ip; /ip route; /ip address.

You can list all available sub-commands at any prompt using the question mark “?” (similar to pressing the [Tab] key twice, but in verbose form and with explanations).

For example (press Enter to execute any command at the command prompt):

[admin@MikroTik] > routing ?

[admin@MikroTik] > routing ospf ?

[admin@MikroTik] > routing ospf network ?

Instead of typing the command path step by step, you can type the full command path once to move into that branch of the menu hierarchy. Thus, the example above could also be executed like this:

 [admin@MikroTik]> routing ospf network
 [admin@MikroTik] /routing ospf network>


Note: Use the up arrow to recall previous commands from the command history, and the TAB key to automatically complete words in the command you are typing.

To move back up one command level, type “..”

 [admin@MikroTik] /ip route rule> ..
 [admin@MikroTik] /ip route> ..
 [admin@MikroTik] /ip> ..
 [admin@MikroTik] > 

To exit to the top level of the command prompt, type ”/”

 [admin@MikroTik] ip route rule > / 

You can execute commands from other menu levels without changing the current level by putting “/” before the full command from the other menu level. For example:

 [admin@MikroTik] /ip route> /ip address add address= 
 netmask= interface=ether1

Many of the command levels operate with arrays of items: interfaces, routes, users etc.

For example:

 [admin@MikroTik] > interface print
 Flags: X - disabled, D - dynamic, R - running
   #    NAME                 TYPE             MTU
   0  R ether1               ether            1500
   1  R ether2               ether            1500
   2  R ether3               ether            1500
   3  R ether4               ether            1500

All items in the list have an item number followed by flags and the relevant parameter values. To change the properties of an item, use the set command and specify the name or number of the item. The set command changes an existing configuration item, whereas the add command is used for adding new items.

For example:

 [admin@MikroTik] /interface> set 0 name=ethernetLAN
 [admin@MikroTik] /interface> print
 Flags: X - disabled, D - dynamic, R - running
   #    NAME                 TYPE             MTU
   0  R ethernetLAN          ether            1500
   1  R ether2               ether            1500
   2  R ether3               ether            1500
   3  R ether4               ether            1500

Commonly used commands

There are some commands that are common to nearly all menu levels, namely: print, set, remove, add, find, export, enable, disable, comment, move. These commands have similar behavior throughout different menu levels.

Add – this command adds a new item with the values you have specified. There are some required properties that you have to supply, such as the interface for a new address, while other properties are set to defaults unless you explicitly specify them.

Disabled – controls the disabled/enabled state of the newly added item(s)

Comment – holds the description of the newly created item(s)

Set – allows changing the configuration values of an existing item. If there is a list of items at this command level, you need to indicate the number of the item you want to change.

Enable – enables a specific item from the list

Disable – disables a specific item from the list

Move – changes the order of items in list.

Find – returns internal numbers of all items that have the same values of arguments as specified.

Print – shows all information that is accessible from a particular command level. For example, ip address print shows the IP addresses of all interfaces, and ip route print shows the routing table on the MikroTik router. The print command also accepts additional parameters, some of which are:

where - shows only items that match the specified criteria. The syntax of the where property is similar to the find command.

brief - forces the print command to use tabular output form

detail - forces the print command to use property=value output form

file - prints the contents of the specific submenu into a file on the router.

oid - prints the OID value for properties that are accessible from SNMP

Remove – removes specified item(-s) from a list.


The Winbox tool is a graphical user interface (GUI) for MikroTik router configuration. All RouterOS functionality can be controlled with this application. It provides a wide range of configuration, status checking, monitoring, user accounting and other router commands through the GUI. The Winbox tool (winbox.exe) can be downloaded from http://www.mikrotik.com/download.html.


Figure 4.1. Main window of the Winbox configuration tool


Webbox is a web-based configuration interface for RouterOS. It helps you configure a router from an HTTP interface and is designed to give the user a simple way to configure the router through a network interface. Some of the most important RouterOS features can be controlled within this interface; for advanced configuration you have to use the terminal console (CLI) or Winbox (GUI). The network interface must be preconfigured (an IP address is set up) before you can connect to Webbox. Use your web browser to make an HTTP connection to the router, for example, enter your router username and password in the upper right corner of the page.


When you have completed the login process, a new page with the Webbox interface opens.


Figure 4.2. Webbox main window


A new web interface for RouterOS, with much wider configurability than Webbox, will be available soon. It applies to RouterOS v5.x.

Connect to a router on which RouterOS version 5.x or newer is installed. Open a web browser and enter the router’s IP address. The RouterOS welcome page will be displayed, as shown below; choose Webfig:


Webfig beta version:


User access control on the MikroTik router

MikroTik RouterOS lets you manage user access to the router for connections from the local console, via serial terminal, telnet, SSH or Winbox. Users are authenticated using either the local database or a designated RADIUS server.

Each user is assigned to a user group, which denotes the rights of this user. A group policy is a combination of individual policy items.

User group – defines distinct permission profiles for users.

[admin@MikroTik_CE1] /user group> print 
 0 name="read" 
 1 name="write" 
 2 name="full" 
[admin@MikroTik_CE1] /user group>

An exclamation mark '!' just before a policy item name means NOT.

Example of how to add a new user group:

To add reboot group that is allowed to reboot the router locally or using telnet, as well as read the router's configuration, enter the following command:

 [admin@ MikroTik_CE1] user group> add name=reboot policy=telnet,reboot,read,local

The router user database stores information about router management personnel, such as user name, allowed access addresses, password, and group.

[admin@MikroTik_CE1] /user> print 
Flags: X - disabled 
 #   NAME                              GROUP                 ADDRESS           
 0   ;;; system default user
     admin                             full       

Here we can see one predefined user “admin” assigned to the group “full”, and the address means that the user can log in from any network.


Note: There should always be at least one user with full access rights. If the user with full access rights is the only one, it cannot be removed.

Example of how to add a new user with the previously defined user group ‘reboot’:

[admin@MikroTik_CE1] /user> add name=user2 group=reboot address= password=12345
[admin@MikroTik_CE1] /user> print 
Flags: X - disabled 
 #   NAME                              GROUP                     ADDRESS           
 0   ;;; system default user
     admin                             full                    
 1   user2                             reboot                  
[admin@MikroTik_CE1] /user>

Using Winbox this can be configured through System/Users>User List

More information can be found here.
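
The ADDRESS column described above decides from which networks a user may log in. The following script is an added example, not part of the original page or of RouterOS: it parses text in the layout of the /user print output and lists enabled accounts with no address restriction. The sample output, including the address value and the disabled user, is constructed.

```python
# Constructed sample in the layout of the `/user print` output shown above;
# the address value and the disabled user are made up for this example.
SAMPLE = """\
Flags: X - disabled
 #   NAME      GROUP     ADDRESS
 0   ;;; system default user
     admin     full
 1   user2     reboot    192.0.2.0/24
 2 X olduser   full
"""


def parse_users(output):
    """Parse `/user print` text into dicts, using the header's column offsets."""
    lines = output.splitlines()
    hdr = next(i for i, l in enumerate(lines) if l.lstrip().startswith("#"))
    name_at, group_at, addr_at = (
        lines[hdr].index(col) for col in ("NAME", "GROUP", "ADDRESS")
    )
    users = []
    for line in lines[hdr + 1:]:
        if line.lstrip().startswith("["):       # console prompt, not a row
            continue
        body = line[name_at:]
        if not body.strip() or body.lstrip().startswith(";;;"):
            continue                             # blank line or item comment
        users.append({
            "name": line[name_at:group_at].strip(),
            "group": line[group_at:addr_at].strip(),
            "address": line[addr_at:].strip(),
            "disabled": "X" in line[:name_at],   # flags sit left of NAME
        })
    return users


def audit(users):
    """Flag enabled accounts that may log in from any network (empty ADDRESS)."""
    findings = []
    for u in users:
        if u["disabled"] or u["address"]:
            continue
        level = "HIGH" if u["group"] == "full" else "MEDIUM"
        findings.append((level, u["name"],
                         f"group {u['group']}, no address restriction"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_users(SAMPLE)):
        print(*finding)
```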

Upgrading RouterOS package

This process has two prerequisites:

  1. you have a license that allows upgrading
  2. you have installed an FTP program that can transfer files (in this case the new version of RouterOS) to your router.

Because RouterOS is licensed, the upgrade process depends on the license. The license determines the version up to which RouterOS may be updated without purchasing a new license. You can check your upgrade level as follows:

[admin@MikroTik_CE1] /system license> print 
    software-id: "X3ZQ-AJUJ"
  upgradable-to: v5.x
         nlevel: 4

In this example I can upgrade RouterOS only up to the last version of RouterOS v5. More about licenses can be read here.

The step-by-step upgrade process using Winbox, as well as using FTP programs, is explained here. One possible FTP program for Linux-like machines is Filezilla; on Windows you may use WinSCP.

Backing up the MikroTik router configuration

Making copies of configuration data (called “backups”) is an important feature for safeguarding the router’s original configuration. A number of functions are associated with creating, storing, restoring and resetting the router configuration.

Create backup - configuration backup is a binary file of MikroTik RouterOS configuration, which can be stored on the router or downloaded from it using FTP for future use.

Reload system from backup - configuration restore can be used for restoring the router's configuration, exactly as it was at the backup creation moment, from a backup file.


Note: The restoration procedure assumes the configuration is restored on the same router, where the backup file was originally created, so it will create partially broken configuration if the hardware has been changed.

Reset system configuration – System reset command is used to erase all configuration on the router. Before doing that, it might be useful to backup the router's configuration.

Configuration export - The configuration export can be used for dumping out complete or partial MikroTik RouterOS configuration to the console screen or to a text (script) file, which can be downloaded from the router using FTP protocol.

Configuration import - The configuration import facility executes a batch of console commands from export (script) file.

Create and restore backup configuration

You can create a configuration backup with the backup save command, which stores the entire router configuration in a backup file. By default the backup file is stored in the router’s Files directory; you can list the router’s file directory using the file print command.

To restore the system configuration, use the backup load command with a backup file, which can be uploaded to the router via FTP.

For example:

To save the configuration backup file testbackup to the file directory:

 [admin@MikroTik_CE1] system backup> save name=testbackup
 Configuration backup saved
 [admin@MikroTik_CE1] system backup>


Note: We recommend that you do not store backup files inside the router's Files directory, because a backup file contains sensitive information. Instead, download the backups and keep them in a secure location.

To see this backup file on the router:

[admin@MikroTik_CE1] > file print
 # NAME                           TYPE         SIZE       CREATION-TIME
 0 testbackup.backup             backup       10524   feb/02/2102 17:07:50
 [admin@MikroTik_CE1] >

To reload the router from the backup configuration file:

 [admin@MikroTik_CE1] > system backup load name=testbackup
 Restore and reboot? [y/N]:
 Restoring system configuration
 System configuration restored, rebooting now

Reset router configuration

This can be done using the command system reset-configuration. This command clears all configuration of the router and sets it to the default, including the login name and password; the IP address and firewall configuration is erased and all interfaces become disabled.

Configuration export

While the system backup file includes the entire router configuration as a binary file (not human-readable), the export command stores the complete or partial router configuration as a text script file (human-readable) that can be used to restore the configuration. The command can be invoked at any menu level, and it acts on that menu level and all menu levels below it. The output can be saved into a file, available for download using FTP.

For example, the IP address configuration for all interfaces can be saved as follows:

[admin@MikroTik_CE1] > ip address print
[admin@MikroTik_CE1]ip address > export file=ipAddresses
[admin@MikroTik_CE1]  > file print
[admin@MikroTik_CE1] >

Configuration import

The import command executes an export (script) file, adding the configuration from the specified file to the router’s existing configuration. For example, to load the saved export file use the following command:

[admin@MikroTik_CE1] > import ipAddresses.rsc
 Opening script file address.rsc
 Script file loaded and executed successfully
 [admin@MikroTik_CE1] >


Note: It is impossible to import the whole router configuration using this feature. It can only be used to import a part of the configuration (for example, firewall rules) in order to spare you some typing.

Configuring an IP address on router interface

IP addresses serve general host identification purposes in IP networks. For proper addressing the router also needs the network mask value, i.e. which bits of the complete IP address refer to the address of the host, and which to the address of the network. The network address value is calculated by a binary AND operation on the network mask and IP address values.

MikroTik RouterOS has the following types of addresses:

  • Static - manually assigned to the interface by a user
  • Dynamic - automatically assigned to the interface by DHCP protocol (how to configure DHCP will be explained a little later in this section)

Here’s an example of how to configure IP address on router interface:

 [admin@MikroTik_CE1] ip address> add address=

In most cases, it is enough to specify the address, the netmask, and the interface arguments. The network prefix and the broadcast address are calculated automatically.

To show the IP addresses configured on the router:

 [admin@MikroTik_CE1] ip address> print
 Flags: X - disabled, I - invalid, D - dynamic
   #   ADDRESS            NETWORK         BROADCAST       INTERFACE
   0       ether2
   1      ether1
   2    ether2
 [admin@MikroTik_CE1] ip address>

NOTE Use addresses from different networks on different interfaces. For example, the combination of IP address on the ether1 interface and IP address on the ether2 interface is invalid, because both addresses belong to the same network which includes IP address range from –
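
The binary AND calculation and the different-networks rule from this section, as an added example that is not part of the original page. It computes each network address with a bitwise AND and reports address pairs on different interfaces whose networks overlap. The addresses and interface assignments are constructed sample values.

```python
import ipaddress
from itertools import combinations


def network_of(address, netmask):
    """Network address = IP address AND network mask, on 32-bit integers."""
    ip = int(ipaddress.IPv4Address(address))
    mask = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(ip & mask))


def find_conflicts(entries):
    """entries: (address, netmask, interface) tuples.

    Returns pairs of addresses that sit on different interfaces although
    their networks overlap, which is the invalid combination described above.
    """
    parsed = []
    for address, netmask, iface in entries:
        net = ipaddress.IPv4Network(f"{network_of(address, netmask)}/{netmask}")
        parsed.append((address, iface, net))
    conflicts = []
    for (a1, if1, n1), (a2, if2, n2) in combinations(parsed, 2):
        if if1 != if2 and n1.overlaps(n2):
            conflicts.append((f"{a1} on {if1}", f"{a2} on {if2}"))
    return conflicts


# Constructed sample: the ether2 address falls inside the ether1 network.
SAMPLE = [
    ("192.0.2.1", "255.255.255.0", "ether1"),
    ("192.0.2.130", "255.255.255.128", "ether2"),
    ("198.51.100.1", "255.255.255.0", "ether3"),
]

if __name__ == "__main__":
    for address, netmask, iface in SAMPLE:
        print(iface, address, "->", network_of(address, netmask))
    for pair in find_conflicts(SAMPLE):
        print("conflict:", *pair)
```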

Configuring DHCP

Dynamic Host Configuration Protocol (DHCP) is a standard protocol defined by RFC 2131 that allows a server to dynamically distribute IP addressing and network configuration information to clients. Normally the DHCP server provides the client with at least this basic information:

  • IP Address
  • Subnet Mask
  • Default Gateway

Other information can also be provided, such as Domain Name Service (DNS) server addresses and Windows Internet Name Service (WINS) server addresses. The network administrator configures the DHCP server with the options that are passed to the client.

Basic operation of DHCP

DHCP is basically insecure and should only be used in trusted networks. It uses a client-server model where one or more DHCP servers allocate IP addresses and other network configuration parameters to clients. The DHCP server always listens on UDP port 67, the DHCP client on UDP port 68. Figure 4.4 shows the basic steps that occur when a DHCP client requests an IP address from a DHCP server.


  1. The client looks for available DHCP servers. When a DHCP client boots up for the first time, it sends a broadcast DHCPDISCOVER message on its local physical subnet over User Datagram Protocol (UDP) port 67. The DHCPDISCOVER message includes as destination IP address (message is intended for all subnets) and as source IP address, indicating the client does not currently have an IP address.
  2. The server responds to the client's DHCPDISCOVER message. A DHCP server offers configuration parameters (such as an IP address, a subnet mask, default gateway and a lease time for the IP address) by sending a DHCPOFFER unicast message to the client.
  3. The client returns a formal request for the offered IP address to the DHCP server, indicating its intent to accept the parameters in a DHCPREQUEST broadcast message.
  4. After the DHCP server receives the DHCPREQUEST, it acknowledges the request with a DHCPACK message, thus completing the initialization process.

There are also other DHCP messages used for specific purposes.
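
The four-message exchange above, and why it should only run on trusted networks, shown as an added example that is not part of the original page. It builds and parses minimal RFC 2131 messages and reports any OFFER or ACK whose server identifier is not on a trusted list. The transaction id, MAC address and IP addresses are constructed sample values.

```python
import socket
import struct

# RFC 2131 fixed header (236 bytes) followed by the 4-byte magic cookie
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s4s")
MAGIC = bytes([99, 130, 83, 99])
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
NAMES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}


def build(msg_type, xid, mac, yiaddr="0.0.0.0", server_id=None):
    """Build a minimal DHCP message carrying only options 53 and 54."""
    op = 1 if msg_type in (1, 3) else 2  # client request vs. server reply
    zero = socket.inet_aton("0.0.0.0")
    head = BOOTP.pack(op, 1, 6, 0, xid, 0, 0, zero, socket.inet_aton(yiaddr),
                      zero, zero, mac, b"", b"", MAGIC)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_id)
    return head + opts + bytes([OPT_END])


def parse(packet):
    """Decode message type, transaction id, offered address and server id."""
    if len(packet) < BOOTP.size:
        raise ValueError("truncated DHCP message")
    fields = BOOTP.unpack_from(packet)
    if fields[14] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, BOOTP.size
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("option runs past end of message")
        opts[packet[i]] = packet[i + 2:i + 2 + packet[i + 1]]
        i += 2 + packet[i + 1]
    mtype = opts.get(OPT_MSG_TYPE, b"")
    sid = opts.get(OPT_SERVER_ID, b"")
    return {
        "type": NAMES.get(mtype[0], "OTHER") if len(mtype) == 1 else "INVALID",
        "xid": fields[4],
        "yiaddr": socket.inet_ntoa(fields[8]),
        "server_id": socket.inet_ntoa(sid) if len(sid) == 4 else None,
    }


def untrusted_servers(packets, trusted):
    """Return server ids seen in OFFER/ACK replies that are not trusted."""
    seen = []
    for pkt in packets:
        msg = parse(pkt)
        if msg["type"] in ("DHCPOFFER", "DHCPACK") and msg["server_id"] not in trusted:
            seen.append(msg["server_id"])
    return seen


# Constructed exchange: one client, the expected server and an unknown one
MAC = bytes.fromhex("020000000001")
EXCHANGE = [
    build(1, 0x1234, MAC),
    build(2, 0x1234, MAC, "192.0.2.100", "192.0.2.1"),
    build(2, 0x1234, MAC, "192.0.2.200", "192.0.2.66"),
    build(3, 0x1234, MAC, server_id="192.0.2.1"),
    build(5, 0x1234, MAC, "192.0.2.100", "192.0.2.1"),
]

if __name__ == "__main__":
    print(untrusted_servers(EXCHANGE, {"192.0.2.1"}))
```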

Configuring DHCP client

The MikroTik RouterOS DHCP client may be enabled on any Ethernet-like interface at a time. The client will accept an address, netmask, default gateway, and two DNS server addresses. The received IP address will be added to the interface with the respective netmask. The default gateway will be added to the routing table as a dynamic entry. Should the DHCP client be disabled or not renew an address, the dynamic default route will be removed. If there is already a default route installed before the DHCP client obtains one, the route obtained by the DHCP client will be shown as invalid.

Basic DHCP client configuration example on ethernet1 interface:

[admin@MikroTik_CE1] /ip dhcp-client> add interface=ether1 disabled=no
 [admin@MikroTik_CE1] ip dhcp-client> print detail
 Flags: X - disabled, I - invalid
  0   interface=ether1 add-default-route=yes use-peer-dns=yes use-peer-ntp=yes
      status=bound address= gateway=
      dhcp-server= primary-dns= primary-ntp=
 [admin@MikroTik_CE1] ip dhcp-client>

In this case the Ethernet interface is ready to get an IP address and other information by sending a request message to the DHCP server. By executing this process, the "ether1" interface has obtained an IP address and information about the default gateway and DNS server.

Configuring DHCP server

The router supports an individual server for each Ethernet-like interface. The MikroTik RouterOS DHCP server supports the basic functions of giving each requesting client an IP address/netmask lease, default gateway, domain name, DNS-server(s) and WINS-server(s) (for Windows clients) information (set up in the DHCP networks submenu).

For the DHCP server to work, you must also set up IP address pool(s). The DHCP server must have an appropriate IP pool scope configured for the specific subnet from which the DHCP request came. The server takes appropriate IP addresses from this pool and assigns them to the requesting client. For example, if the DHCP client subnet is, then DHCP server must have an IP pool configured to assign addresses within the range


Note: Do not include the DHCP server's IP address into the pool range.

Example of DHCP server setup:

1. Create IP address pool:

 [admin@MikroTik_CE1]/ip pool> add name=test-pool ranges=

2. Define the network on which the DHCP server operates and the network parameters to be distributed to clients:

[admin@MikroTik_CE1] /ip dhcp-server network> add address= 
/gateway= dns-server=

3. Finally, add a DHCP server to specific interface:

 [admin@MikroTik_CE1] /ip dhcp-server add interface=ether1 address-pool=test-pool
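
A check of the pool rules stated before this setup (the pool lies inside the DHCP subnet and does not include the DHCP server's address), as an added example that is not part of the original page. The function name, the sample subnet and the comma-separated "from-to" form of the ranges value are assumptions, since the page's own values are not shown.

```python
import ipaddress


def check_pool(network, server_ip, ranges):
    """Return a list of problems found in an IP pool `ranges` value.

    network   -- DHCP network in CIDR form, e.g. "192.0.2.0/24" (constructed)
    server_ip -- address of the DHCP server's own interface
    ranges    -- assumed format: "from1-to1,from2-to2" or single addresses
    """
    net = ipaddress.IPv4Network(network)
    server = ipaddress.IPv4Address(server_ip)
    problems = []
    if server not in net:
        problems.append(f"server {server} is outside {net}")
    for item in ranges.split(","):
        item = item.strip()
        first, _, last = item.partition("-")
        lo = ipaddress.IPv4Address(first)
        hi = ipaddress.IPv4Address(last or first)
        if lo > hi:
            problems.append(f"{item}: start is above end")
            continue
        if lo not in net or hi not in net:
            problems.append(f"{item}: not inside {net}")
        if lo <= server <= hi:
            problems.append(f"{item}: contains the DHCP server address {server}")
        for special, label in ((net.network_address, "network"),
                               (net.broadcast_address, "broadcast")):
            if lo <= special <= hi:
                problems.append(f"{item}: contains the {label} address {special}")
    return problems


if __name__ == "__main__":
    # Constructed values: the server sits on 192.0.2.1 in 192.0.2.0/24.
    for ranges in ("192.0.2.10-192.0.2.254", "192.0.2.1-192.0.2.255"):
        print(ranges, "->", check_pool("192.0.2.0/24", "192.0.2.1", ranges) or "ok")
```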

A DHCP server configuration wizard is also available, which provides question-and-answer based configuration.

Example of the wizard:

[admin@MikroTik_CE1] /ip dhcp-server> setup 
Select interface to run DHCP server on 
dhcp server interface: ether2
Select network for DHCP addresses 
dhcp address space:
Select gateway for given network 
gateway for dhcp network:
Select pool of ip addresses given out by DHCP server 

addresses to give out:
Select DNS servers 
dns servers:

Select lease time 
lease time: 3d

This wizard configures DHCP server on ether2 interface to lend addresses from to which belongs to the network with gateway and DNS server for the time of 3 days.

More information about configuring the DHCP server is available here.