MIKROTIK - Base Commands: Difference between revisions
From IT-Arts.net
Created page with "Category:Wiki == Identity, Time and System Management == === System Identity === Set a unique router name for management and logging clarity. <nowiki> /system identity set name=CORE-RTR-01</nowiki> === System Clock and Timezone === Correct time is essential for logs, certificates, and security auditing. <nowiki> /system clock set time-zone-name=Europe/Paris</nowiki> Enable NTP client: <nowiki> /system ntp client set enabled=yes servers=pool.ntp.org</nowiki> =..." |
No edit summary |
||
| Line 26: | Line 26: | ||
Security note: keep RouterOS updated to mitigate known vulnerabilities. | Security note: keep RouterOS updated to mitigate known vulnerabilities. | ||
== Interface Management == | == Interface Management == | ||
| Line 45: | Line 45: | ||
/interface ethernet print stats</nowiki> | /interface ethernet print stats</nowiki> | ||
== IP Addressing and Neighbor Discovery == | == IP Addressing and Neighbor Discovery == | ||
| Line 63: | Line 63: | ||
/interface ethernet set LAN arp=reply-only</nowiki> | /interface ethernet set LAN arp=reply-only</nowiki> | ||
== Routing == | == Routing == | ||
| Line 80: | Line 80: | ||
/ip route print detail</nowiki> | /ip route print detail</nowiki> | ||
== Firewall and NAT == | == Firewall and NAT == | ||
| Line 102: | Line 102: | ||
Security note: expose only necessary services and restrict by source IP when possible. | Security note: expose only necessary services and restrict by source IP when possible. | ||
== Services and Management Access == | == Services and Management Access == | ||
| Line 124: | Line 124: | ||
/ip service set winbox address=192.168.1.0/24</nowiki> | /ip service set winbox address=192.168.1.0/24</nowiki> | ||
== User Management and Permissions == | == User Management and Permissions == | ||
| Line 143: | Line 143: | ||
Principle of least privilege should always be applied. | Principle of least privilege should always be applied. | ||
== Logging and Monitoring == | == Logging and Monitoring == | ||
| Line 157: | Line 157: | ||
/system logging add topics=info action=remote</nowiki> | /system logging add topics=info action=remote</nowiki> | ||
== Backup, Restore and Export == | == Backup, Restore and Export == | ||
| Line 176: | Line 176: | ||
Security note: exports may contain sensitive data; store securely. | Security note: exports may contain sensitive data; store securely. | ||
== Scripting and Automation == | == Scripting and Automation == | ||
| Line 189: | Line 189: | ||
on-event=rebootNight</nowiki> | on-event=rebootNight</nowiki> | ||
== Security Concepts == | == Security Concepts == | ||
| Line 201: | Line 201: | ||
* Backup configurations regularly | * Backup configurations regularly | ||
== Troubleshooting == | == Troubleshooting == | ||
| Line 235: | Line 235: | ||
/system resource print</nowiki> | /system resource print</nowiki> | ||
== Useful Links == | == Useful Links == | ||
Revision as of 17:10, 20 December 2025
Identity, Time and System Management
System Identity
Set a unique router name for management and logging clarity.
/system identity set name=CORE-RTR-01
System Clock and Timezone
Correct time is essential for logs, certificates, and security auditing.
/system clock set time-zone-name=Europe/Paris
Enable NTP client:
/system ntp client set enabled=yes servers=pool.ntp.org
RouterOS Packages
List and manage installed packages.
/system package print /system package update check-for-updates /system package update download
Security note: keep RouterOS updated to mitigate known vulnerabilities.
Interface Management
Physical Interfaces
List all interfaces:
/interface print
Rename interfaces for clarity:
/interface ethernet set ether1 name=WAN /interface ethernet set ether2 name=LAN
Interface Status and Statistics
/interface monitor-traffic WAN /interface ethernet print stats
IP Addressing and Neighbor Discovery
IP Address Assignment
Assign static IP addresses:
/ip address add address=192.168.1.1/24 interface=LAN
Remove an IP:
/ip address remove [find address~"192.168.1.1"]
ARP Behavior
Restrict ARP for security-sensitive networks:
/interface ethernet set LAN arp=reply-only
Routing
Default Route
Add a default gateway:
/ip route add dst-address=0.0.0.0/0 gateway=192.0.2.1
Static Routes
/ip route add dst-address=10.10.0.0/16 gateway=192.168.1.254
Route Monitoring
/ip route print detail
Firewall and NAT
Firewall Filter Rules
Basic stateful firewall example:
/ip firewall filter add chain=input connection-state=established,related action=accept /ip firewall filter add chain=input connection-state=invalid action=drop /ip firewall filter add chain=input in-interface=WAN action=drop
NAT (Masquerade)
/ip firewall nat add chain=srcnat out-interface=WAN action=masquerade
Port Forwarding
/ip firewall nat add chain=dstnat protocol=tcp dst-port=443 \ action=dst-nat to-addresses=192.168.1.10 to-ports=443
Security note: expose only necessary services and restrict by source IP when possible.
Services and Management Access
RouterOS Services
List enabled services:
/ip service print
Disable insecure services:
/ip service disable telnet,ftp,www
Change management ports:
/ip service set ssh port=2222
Winbox Access Control
Restrict access by IP:
/ip service set winbox address=192.168.1.0/24
User Management and Permissions
User Accounts
Create a limited administrative user:
/user add name=netadmin group=full password=StrongPassword
Remove default admin user:
/user remove admin
User Groups
/user group print
Principle of least privilege should always be applied.
Logging and Monitoring
System Logging
Enable firewall logging:
/system logging add topics=firewall action=memory
Send logs to a remote server:
/system logging action add name=remote target=remote remote=192.168.1.50 /system logging add topics=info action=remote
Backup, Restore and Export
Binary Backup
/system backup save name=router-backup
Restore:
/system backup load name=router-backup
Configuration Export
Human-readable export:
/export file=router-config
Security note: exports may contain sensitive data; store securely.
Scripting and Automation
Simple Script Example
/system script add name=rebootNight source="/system reboot"
Scheduler
/system scheduler add name=nightly-reboot start-time=03:00 interval=1d \ on-event=rebootNight
Security Concepts
- Use **strong passwords** and disable unused accounts
- Limit management access by IP and interface
- Keep RouterOS updated
- Use firewall default-deny policies
- Separate management, user, and WAN traffic
- Monitor logs for anomalies
- Backup configurations regularly
Troubleshooting
Connectivity Issues
Check interface status:
/interface print
Verify IP configuration:
/ip address print
Test connectivity:
/ping 8.8.8.8
Routing Problems
/ip route print
Check gateway reachability:
/ping 192.0.2.1
Firewall Debugging
Temporarily log dropped packets:
/ip firewall filter add chain=input action=log log-prefix="DROP-INPUT"
CPU and Memory
/system resource print
