MikroTik Cheat Sheet
Overview
MikroTik RouterOS is a Linux-based network operating system used on MikroTik hardware routers, switches, and access points. It provides comprehensive networking features including advanced routing (BGP, OSPF, RIP, MPLS), stateful firewall, NAT, VPN (IPsec, L2TP, PPTP, OpenVPN, WireGuard), traffic shaping (QoS), hotspot gateway, VLAN management, bonding, bridging, wireless management, and DHCP/DNS services. RouterOS can also run as a virtual machine (CHR - Cloud Hosted Router) on hypervisors.
MikroTik devices are managed through multiple interfaces: WinBox (Windows GUI), WebFig (web interface), the CLI (via SSH/Telnet/serial), and the API (for programmatic access). The CLI uses a hierarchical menu structure where commands are organized by function area (e.g., /ip/firewall, /interface, /routing). RouterOS is known for its exceptional value—providing enterprise-grade features at a fraction of the cost of competitors like Cisco or Juniper. The Dude monitoring tool and scripting system allow extensive network automation.
Installation
Accessing the Router
```
# SSH access (factory default: user admin, no password)
ssh admin@192.168.88.1
# First-time setup
/system identity set name=core-router
/password
# Enter the new password when prompted
# WinBox download: https://mikrotik.com/download
# Connect via MAC address (layer 2, works before any IP is configured) or via IP address
```
Cloud Hosted Router (VM)
```
# Download the CHR image from mikrotik.com
# Import into the hypervisor (VMware, Hyper-V, KVM)
# Default: DHCP client on ether1, user admin with no password
# License for CHR
/system license print
# Free tier: 1 Mbps upload limit
# P1 license: unlimited for one instance
```
Core Commands
| Command | Description |
|---|---|
| /interface print | List all interfaces |
| /ip address print | List IP addresses |
| /ip route print | Show routing table |
| /ip firewall filter print | List firewall rules |
| /system resource print | Show CPU/RAM/uptime |
| /system routerboard print | Show hardware info |
| /system package update check-for-updates | Check for updates |
| /export | Export full configuration |
| /import file=backup.rsc | Import configuration |
| /system backup save name=backup | Binary backup |
| /system reboot | Reboot device |
Interface Management
```
# List interfaces
/interface print
# Set interface name and comment
/interface set ether1 name=WAN comment="ISP uplink"
/interface set ether2 name=LAN comment="Internal network"
# Enable/disable interface
/interface disable WAN
/interface enable WAN
# Create VLAN interface
/interface vlan add name=VLAN100 vlan-id=100 interface=LAN
# Create bridge
/interface bridge add name=bridge-LAN
/interface bridge port add bridge=bridge-LAN interface=ether2
/interface bridge port add bridge=bridge-LAN interface=ether3
/interface bridge port add bridge=bridge-LAN interface=ether4
```
IP Configuration
```
# Add IP address
/ip address add address=192.168.1.1/24 interface=LAN
/ip address add address=10.0.0.2/30 interface=WAN
# Set default gateway
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1
# DNS settings. allow-remote-requests=yes makes the router a resolver for LAN clients;
# the input chain must then drop DNS (udp/tcp 53) arriving on WAN, or the router is an open resolver.
/ip dns set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes
# DHCP server
/ip pool add name=dhcp-pool ranges=192.168.1.100-192.168.1.200
/ip dhcp-server add name=dhcp-lan interface=LAN address-pool=dhcp-pool
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
```
Firewall Configuration
```
# Basic firewall setup (input chain). Rules are matched top-down and the first hit
# decides; a plain "add" appends to the end of the list, so anything added after the
# final drop is never evaluated unless place-before= is used.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="Allow established"
add chain=input connection-state=invalid action=drop comment="Drop invalid"
add chain=input protocol=icmp action=accept comment="Allow ICMP"
add chain=input in-interface=LAN action=accept comment="Allow LAN"
add chain=input action=drop comment="Drop all other input"
# Forward chain
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=LAN out-interface=WAN action=accept comment="LAN to WAN"
# Without this rule the dst-nat traffic from the port-forward below is dropped by the final forward drop
add chain=forward connection-nat-state=dstnat in-interface=WAN action=accept comment="Allow port-forwarded"
add chain=forward action=drop comment="Drop all other forward"
# NAT (masquerade)
/ip firewall nat add chain=srcnat out-interface=WAN action=masquerade
# Port forwarding (WAN:8080 -> 192.168.1.10:80)
/ip firewall nat add chain=dstnat in-interface=WAN protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=80
# Address list for blocking; place-before=0 puts the drop at the top of the filter list
# so it is evaluated before the accept rules above
/ip firewall address-list add list=blocklist address=203.0.113.0/24
/ip firewall filter add chain=input src-address-list=blocklist action=drop place-before=0
```
VPN Configuration
WireGuard
```
# Create WireGuard interface (a key pair is generated automatically)
/interface wireguard add name=wg0 listen-port=51820
# Show public key (hand this to the peer)
/interface wireguard print
# Add peer; allowed-address is both the tunnel address the peer may use and the route to it
/interface wireguard peers add interface=wg0 \
    public-key="peer-public-key-here" \
    allowed-address=10.10.0.2/32 \
    endpoint-address=203.0.113.50 \
    endpoint-port=51820 \
    persistent-keepalive=25
# Assign IP to WireGuard interface
/ip address add address=10.10.0.1/24 interface=wg0
# Firewall rule for WireGuard. It must sit above the final input drop from the Firewall
# section; a plain add would append it after the drop, where it is never reached.
/ip firewall filter add chain=input protocol=udp dst-port=51820 action=accept \
    place-before=[find comment="Drop all other input"] comment="Allow WireGuard"
```
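Filter rules are evaluated top-down and a plain `add` appends to the end of the list, so an accept entered after the final `drop` (the WireGuard rule above, relative to the input chain in the Firewall section) never fires. The Python simulation below is an added example, not part of the cheat sheet or of RouterOS: it parses rules in export syntax, walks them first-match as the router does, and shows the same rule accepting once it is placed before the drop. The rule text and packets are constructed, and `place-before=N` is modelled as an insert at list position N (the numbering `/ip firewall filter print` shows).

```python
"""First-match walk of a RouterOS filter list (added example, not MikroTik code)."""
import shlex

# Constructed rule set: the cheat sheet's input chain with the WireGuard accept
# appended last, which is what a plain "add" does on a live router.
RULES_RSC = """
add chain=input connection-state=established,related action=accept comment="Allow established"
add chain=input connection-state=invalid action=drop comment="Drop invalid"
add chain=input protocol=icmp action=accept comment="Allow ICMP"
add chain=input in-interface=LAN action=accept comment="Allow LAN"
add chain=input action=drop comment="Drop all other input"
add chain=input protocol=udp dst-port=51820 action=accept comment="WireGuard"
"""

# Matchers compared by plain equality; connection-state is a list and handled separately.
MATCHERS = ("chain", "in-interface", "out-interface", "protocol", "dst-port", "src-address-list")

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; place-before=N inserts at position N."""
    rules = []
    for line in text.strip().splitlines():
        parts = shlex.split(line)          # honours quoted values such as comment="..."
        if not parts or parts[0] != "add":
            continue
        rule = dict(part.split("=", 1) for part in parts[1:])
        pos = rule.pop("place-before", None)
        if pos is None:
            rules.append(rule)             # default: appended after the final drop
        else:
            rules.insert(int(pos), rule)   # assumption: N is the 0-based list index
    return rules

def matches(rule, pkt):
    """A rule matches only if every matcher it sets equals the packet's value."""
    for key in MATCHERS:
        if key in rule and rule[key] != pkt.get(key):
            return False
    wanted = rule.get("connection-state")
    return wanted is None or pkt.get("connection-state") in wanted.split(",")

def first_match(rules, pkt):
    """Return (index, action, comment) of the first hit; no hit means RouterOS accepts."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return idx, rule["action"], rule.get("comment", "")
    return None, "accept", "no rule matched (implicit accept)"

if __name__ == "__main__":
    handshake = {"chain": "input", "connection-state": "new", "in-interface": "WAN",
                 "protocol": "udp", "dst-port": "51820"}
    print(first_match(parse_rules(RULES_RSC), handshake))  # the drop at index 4 wins
```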
IPsec Site-to-Site
```
# Phase 1 (IKE). The peer is given a name so the identity and policy can reference it.
/ip ipsec profile add name=ike2-profile enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 lifetime=8h
/ip ipsec peer add name=ipsec-peer address=203.0.113.2/32 profile=ike2-profile exchange-mode=ike2
/ip ipsec identity add peer=ipsec-peer auth-method=pre-shared-key \
    secret="your-preshared-key"
# Phase 2 (ESP). With AES-GCM the auth-algorithm is null because GCM authenticates on its own.
/ip ipsec proposal add name=esp-proposal enc-algorithms=aes-256-gcm \
    auth-algorithms=null pfs-group=modp2048 lifetime=1h
# RouterOS 7 ties a tunnel policy to its peer with peer=; the SA addresses are taken from the peer.
/ip ipsec policy add peer=ipsec-peer tunnel=yes src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    proposal=esp-proposal
```
Routing
OSPF
```
/routing ospf instance add name=default router-id=1.1.1.1
/routing ospf area add name=backbone area-id=0.0.0.0 instance=default
/routing ospf interface-template add interfaces=LAN area=backbone cost=10
# RouterOS 7 interface-template uses type=ptp (v6 used network-type=point-to-point)
/routing ospf interface-template add interfaces=ether5 area=backbone type=ptp
```
BGP
```
/routing bgp connection add name=upstream remote.address=10.0.0.1 remote.as=64501 \
    local.role=ebgp local.address=10.0.0.2 as=64500 \
    output.default-originate=always \
    routing-table=main
```
Advanced Usage
Scripting and Scheduling
```
# Create a script. The date stamp assumes the ISO format (YYYY-MM-DD) used since RouterOS 7.10;
# /system backup save adds .backup and /export adds .rsc to the file name.
/system script add name=backup-daily source={
    :local stamp [:pick [/system clock get date] 0 10]
    /system backup save name=("daily-" . $stamp)
    /export file=("daily-" . $stamp)
    /tool e-mail send to="admin@example.com" subject=("Router Backup " . $stamp) \
        body="Daily backup attached" file=("daily-" . $stamp . ".backup")
}
# Schedule daily execution (requires /tool e-mail to be configured)
/system scheduler add name=daily-backup interval=1d on-event=backup-daily start-time=02:00:00
```
Queue (Traffic Shaping)
```
# Simple queue (limits are upload/download)
/queue simple add name=client-limit target=192.168.1.100/32 \
    max-limit=50M/100M burst-limit=80M/150M burst-threshold=40M/80M burst-time=10s/10s
# Queue tree (more flexible)
/queue tree add name=download parent=LAN max-limit=100M
/queue tree add name=upload parent=WAN max-limit=50M
```
Monitoring
```
# Interface traffic
/interface monitor-traffic ether1
# Active connections
/ip firewall connection print
# System health
/system health print
# Log
/log print where topics~"firewall"
# Torch (real-time traffic analysis)
/tool torch interface=LAN
```
Configuration Backup
```
# Export text config (partial or full)
/export file=config-backup
# Binary backup (contains user credentials, so always set a password; "secretpass" is a placeholder)
/system backup save name=full-backup encryption=aes-sha256 password=secretpass
# Restore binary backup
/system backup load name=full-backup password=secretpass
```
Troubleshooting
| Issue | Solution |
|---|---|
| Locked out | Reset via reset button (hold during boot); or connect via MAC in WinBox |
| Slow performance | Check CPU with /system resource print; disable unnecessary services |
| Firewall blocking traffic | Add logging to rules: action=log log-prefix="BLOCKED"; check /log print |
| DHCP not working | Verify pool and network config; check interface is in bridge |
| VPN tunnel not establishing | Check firewall allows IKE (500/4500 UDP) and ESP (protocol 50) |
| DNS not resolving | Verify /ip dns print; check allow-remote-requests=yes |
| BGP peer not established | Verify peer address, ASN, and firewall allows TCP 179 |