MIKROTIK - Base Commands
Identity, Time and System Management
System Identity
Set a unique router name for management and logging clarity.
/system identity set name=CORE-RTR-01
System Clock and Timezone
Correct time is essential for logs, certificates, and security auditing.
/system clock set time-zone-name=Europe/Paris
Enable NTP client:
/system ntp client set enabled=yes servers=pool.ntp.org
RouterOS Packages
List and manage installed packages.
/system package print
/system package update check-for-updates
/system package update download
Security note: keep RouterOS updated to mitigate known vulnerabilities.
Interface Management
Physical Interfaces
List all interfaces:
/interface print
Rename interfaces for clarity:
/interface ethernet set ether1 name=WAN
/interface ethernet set ether2 name=LAN
Interface Status and Statistics
/interface monitor-traffic WAN
/interface ethernet print stats
IP Addressing and Neighbor Discovery
IP Address Assignment
Assign static IP addresses:
/ip address add address=192.168.1.1/24 interface=LAN
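Remove an IP (match the exact address; a ~ regex match on "192.168.1.1" would also select 192.168.1.10 and similar):
/ip address remove [find address="192.168.1.1/24"]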
ARP Behavior
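Restrict ARP for security-sensitive networks (with reply-only the router answers ARP requests but stores no dynamic entries, so each host needs a static entry under /ip arp):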
/interface ethernet set LAN arp=reply-only
Routing
Default Route
Add a default gateway:
/ip route add dst-address=0.0.0.0/0 gateway=192.0.2.1
Static Routes
/ip route add dst-address=10.10.0.0/16 gateway=192.168.1.254
Route Monitoring
/ip route print detail
Firewall and NAT
Firewall Filter Rules
Basic stateful firewall example:
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input in-interface=WAN action=drop
NAT (Masquerade)
/ip firewall nat add chain=srcnat out-interface=WAN action=masquerade
Port Forwarding
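# in-interface=WAN keeps the rule from rewriting LAN clients' own outbound connections to port 443
/ip firewall nat add chain=dstnat in-interface=WAN protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=443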
Security note: expose only necessary services and restrict by source IP when possible.
Services and Management Access
RouterOS Services
List enabled services:
/ip service print
Disable insecure services:
/ip service disable telnet,ftp,www
Change management ports:
/ip service set ssh port=2222
Winbox Access Control
Restrict access by IP:
/ip service set winbox address=192.168.1.0/24
User Management and Permissions
User Accounts
Create a named administrative user to replace the default account (group=full grants every permission):
/user add name=netadmin group=full password=StrongPassword
Remove default admin user:
/user remove admin
User Groups
/user group print
Principle of least privilege should always be applied.
Logging and Monitoring
System Logging
Enable firewall logging:
/system logging add topics=firewall action=memory
Send logs to a remote server:
# RouterOS ships with a built-in action named "remote", so set its target instead of adding a duplicate name
/system logging action set remote remote=192.168.1.50
/system logging add topics=info action=remote
Backup, Restore and Export
Binary Backup
/system backup save name=router-backup
Restore:
/system backup load name=router-backup
Configuration Export
Human-readable export:
/export file=router-config
Security note: exports may contain sensitive data; store securely.
Scripting and Automation
Simple Script Example
/system script add name=rebootNight source="/system reboot"
Scheduler
/system scheduler add name=nightly-reboot start-time=03:00 interval=1d \
    on-event=rebootNight
Security Concepts
- Use **strong passwords** and disable unused accounts
- Limit management access by IP and interface
- Keep RouterOS updated
- Use firewall default-deny policies
- Separate management, user, and WAN traffic
- Monitor logs for anomalies
- Backup configurations regularly
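
The checklist above can be verified against a saved /export file. The following Python sketch is an added example, not part of the original cheat sheet: it parses export text and reports deviations from the service and input-chain commands shown on this page. The sample export is constructed, and the function names are hypothetical; it assumes the compact export format, where a service that does not appear under /ip service is still at its enabled default.

```python
import shlex

# Constructed sample in /export format (not taken from a real router).
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp \
    to-addresses=192.168.1.10 to-ports=443
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2222
set winbox address=192.168.1.0/24
'''

def parse_export(text):
    """Return {menu path: [(verb, positional args, {key: value}), ...]}."""
    menus, path, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):          # export wraps long lines with a backslash
            pending = line[:-1]
        elif line.startswith("/"):       # menu header such as "/ip service"
            path = line
        elif line and not line.startswith("#"):
            verb, *words = shlex.split(line)
            props = dict(w.split("=", 1) for w in words if "=" in w)
            args = [w for w in words if "=" not in w]
            menus.setdefault(path, []).append((verb, args, props))
    return menus

def audit(text):
    """List deviations from the hardening commands shown on this page."""
    menus, findings = parse_export(text), []
    # Assumption: a service missing from the export is still at its enabled default.
    services = {a[0]: p for v, a, p in menus.get("/ip service", []) if v == "set" and a}
    for name in ("telnet", "ftp", "www"):
        if services.get(name, {}).get("disabled") != "yes":
            findings.append(f"service {name} is not disabled")
    for name in ("ssh", "winbox"):
        if not services.get(name, {}).get("address"):
            findings.append(f"service {name} has no address= restriction")
    rules = [p for v, _, p in menus.get("/ip firewall filter", [])
             if v == "add" and p.get("chain") == "input"]
    # A drop limited to connection-state=invalid does not count as the closing rule.
    if not rules or rules[-1].get("action") != "drop" or "connection-state" in rules[-1]:
        findings.append("input chain does not end with a drop rule")
    return findings
```

Calling audit(SAMPLE_EXPORT) flags the www service, the unrestricted ssh service and the missing closing drop rule; an export containing every command from the sections above returns an empty list.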
Troubleshooting
Connectivity Issues
Check interface status:
/interface print
Verify IP configuration:
/ip address print
Test connectivity:
/ping 8.8.8.8
Routing Problems
/ip route print
Check gateway reachability:
/ping 192.0.2.1
Firewall Debugging
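Temporarily log packets that reach the end of the input chain (rules are evaluated in order, so move this rule above the drop rule whose traffic you want to see, and remove it when finished):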
/ip firewall filter add chain=input action=log log-prefix="DROP-INPUT"
CPU and Memory
/system resource print
