Console

Console

Summary

The MikroTik RouterOS console provides powerful text-based access to all router configuration and management features. Whether connecting locally via serial cable, remotely through SSH or telnet, or using the console screen within WinBox, the console enables efficient router administration through a hierarchical command structure. This guide covers essential console operation principles, including menu navigation, command entry shortcuts, built-in help systems, and advanced features like safe mode for configuration protection. Master these fundamentals to streamline router management and automate tasks through scripting.

The console serves as the primary administrative interface for RouterOS, offering capabilities that exceed graphical tools in speed and automation potential. Text-based access proves essential for scripted deployments, remote management over unreliable network connections, and precise control over complex configurations. Understanding console operation unlocks the full potential of RouterOS, enabling administrators to configure everything from basic interface settings to advanced routing protocols through consistent command patterns.

Introduction

Access Methods

RouterOS console access is available through multiple pathways, each suited to different administrative scenarios and network conditions. Serial console access provides the most fundamental connection method, operating independently of network configuration and enabling management even when all network services fail. This method requires physical access to the device or a serial-over-IP infrastructure, making it essential for initial configuration and recovery scenarios. Serial connections use 115200 baud, 8 data bits, no parity, and 1 stop bit (115200-8N1) settings, with the console port typically located on the device’s rear panel.

SSH access offers secure remote console connectivity encrypted through the SSH protocol, ideal for administering routers across network connections where security matters. The RouterOS SSH implementation supports password authentication and public key authentication for automated scripts. Administrators connect using any standard SSH client, with the terminal providing the same command structure and features as local console access. SSH proves particularly valuable for managing routers in production environments, as encrypted sessions protect sensitive configuration data from network observation.

Telnet provides an alternative remote access method without encryption, suitable for internal networks where security concerns are minimal or when legacy system integration requires telnet compatibility. While telnet transmits all data, including passwords, in plaintext, it remains useful in controlled laboratory environments or troubleshooting scenarios where SSH may be unavailable. RouterOS telnet listens on port 23 by default, though this service should typically be disabled in production deployments.

WinBox console integration delivers console access within the graphical management interface, combining visual network topology views with powerful command-line capabilities. This hybrid approach allows administrators to navigate interfaces visually while executing precise console commands when needed. The WinBox terminal provides identical command behavior to standalone console sessions, with the added convenience of simultaneous access to graphical monitoring and configuration tools.

Console Purpose and Capabilities

The console extends beyond interactive configuration to serve as the primary interface for RouterOS scripting, enabling automated configuration deployment and complex administrative tasks. Script capabilities within the console support variables, loops, conditionals, and functions, allowing administrators to create sophisticated automation that responds to network conditions or implements consistent configuration standards across multiple devices. Understanding console operation directly translates to scripting proficiency, as the same command structures and navigation principles apply to both interactive and script-based configuration.

Menu Hierarchy

Understanding Hierarchical Structure

The RouterOS console organizes commands into a hierarchical menu structure reflecting the logical organization of router configuration and monitoring functions. Menu path names indicate the configuration area accessible within each level, such as /ip firewall for firewall rules or /system scheduler for scheduled tasks. This organization groups related functionality together, making it intuitive to locate specific configuration options and reducing the cognitive load of managing RouterOS’s extensive feature set.

Navigation through the hierarchy follows predictable patterns using path notation and relative movement commands. Absolute paths begin with a forward slash and specify the complete route from the root menu to the target location, such as /interface ethernet print to display interface settings. Relative navigation uses double periods (..) to move up one level or combines path elements with forward slashes to traverse the hierarchy without fully specifying each intermediate level. This flexibility allows administrators to work efficiently whether they prefer precise path specification or contextual movement through related configuration areas.

The root menu provides access to all top-level configuration categories, including system settings, interface configuration, IP settings, routing tables, and specialized feature menus. Each top-level menu contains submenus organizing related functionality, creating a tree structure that mirrors the logical organization of network configuration. For example, the /ip menu contains submenus for address, route, firewall, dns, and hotspot configurations, each further organized with their own command sets for viewing, modifying, and managing their respective configuration elements.

Practical Navigation Examples

Consider viewing the routing table as a practical navigation example. The command /ip route print displays all routes in the routing table with their flags, destinations, gateways, and interface assignments. The output shows route status through flags: X for disabled routes, A for active routes, D for dynamically learned routes, and S for static routes. Understanding these flags helps administrators quickly assess route status and identify potential connectivity issues.

The following example demonstrates viewing routing table output:

[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 # DST-ADDRESS PREF-SRC G GATEWAY DIS INTE...
0 A S 0.0.0.0/0 r 10.0.3.1 1 bridge1
1 ADC 1.0.1.0/24 1.0.1.1 0 bridge1
2 ADC 1.0.2.0/24 1.0.2.1 0 ether3
3 ADC 10.0.3.0/24 10.0.3.144 0 bridge1
4 ADC 10.10.10.0/24 10.10.10.1 0 wlan1
[admin@MikroTik] >

Context persistence allows administrators to remain within a submenu while executing operations, reducing repetitive path typing. After entering the /ip route context, subsequent commands execute within that menu without retyping the full path. The prompt reflects the current location in the hierarchy, providing constant visual feedback about the active configuration context. This context awareness proves especially valuable when performing multiple related operations within the same configuration area.

Movement commands provide flexibility in navigating the hierarchy. The forward slash (/) returns immediately to the root menu regardless of current depth, while double periods (..) move up one level. These commands can also prefix commands executed from other contexts, enabling operations in other menu areas without changing the current location. For example, executing /ping 10.0.0.1 from within the /ip route menu pings the target address without leaving the routing context.

Cross-Menu Command Execution

The console supports executing commands from other menu levels without changing the current context, enabling powerful one-off operations without disrupting workflow. Prefix any command with a forward slash to execute it from the root level, regardless of current position. This capability proves valuable when needing to perform unrelated operations during a configuration session, such as checking firewall rules while configuring routing, without losing the current context.

The following example demonstrates executing a command from another menu without changing context:

[admin@MikroTik] ip route> /ping 10.0.0.1
10.0.0.1 ping timeout
2 packets transmitted, 0 packets received, 100% packet loss
[admin@MikroTik] ip firewall nat> .. service-port print
Flags: X - disabled, I - invalid
# NAME PORTS
0 ftp 21
1 tftp 69
2 irc 6667
3 h323
4 sip
5 pptp
[admin@MikroTik] ip firewall nat>

This flexibility allows administrators to maintain context while performing administrative tasks across multiple configuration areas. The ability to reference other menus without navigating to them significantly speeds up complex configuration sessions where multiple areas require attention.

Item Names and Numbers

Working with Configuration Items

Many RouterOS configuration levels manage arrays of items, such as interfaces, firewall rules, IP addresses, or user accounts. Each item in these arrays has both an internal number assigned by the console and potentially a user-defined name that identifies the item. Understanding how to reference these items correctly is essential for effective console usage and reliable script development.

Item numbers serve as temporary identifiers assigned during print operations, facilitating quick command entry when the current configuration state is known. However, these numbers can change between print commands as the underlying configuration is modified, making them unreliable for persistent references. The console assigns numbers on a per-session basis, meaning that item numbers established in one console session do not persist when reconnecting. Additionally, numbers are assigned separately for each item list, so operations on one list do not affect numbering in other lists.

Item names provide stable, meaningful identifiers that persist regardless of print operations or configuration changes made by other sessions. Named items include interfaces, firewall rules, users, and many other configuration elements. Using names in commands and scripts ensures that operations target the intended items reliably, even as configuration evolves. Names also provide documentation value, making configurations more readable and self-documenting.

Practical Examples of Item References

The following example demonstrates setting MTU on multiple interfaces using both item numbers and understanding their behavior:

[admin@MikroTik] > interface print
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE MTU
0 R ether1 ether 1500
1 R ether2 ether 1500
2 R ether3 ether 1500
3 R ether4 ether 1500
[admin@MikroTik] > interface set 0,1,2 mtu=1460
[admin@MikroTik] > interface print
 Flags: X - disabled, D - dynamic, R - running
# NAME TYPE MTU
0 R ether1 ether 1460
1 R ether2 ether 1460
2 R ether3 ether 1460
3 R ether4 ether 1500
[admin@MikroTik] >

This example shows how item numbers can reference multiple items in a single command by using comma-separated lists. The set command applies the specified MTU value to items 0, 1, and 2 (ether1, ether2, and ether3) while leaving ether4 unchanged. The print output confirms the successful configuration change.

Scripting Considerations

Item numbers should never be used in scripts, as they create unreliable and potentially dangerous configuration operations. Scripts may execute in different contexts than when originally developed, or the configuration may have changed between development and execution. Instead, use the find command to locate items by their properties, creating reliable references based on item attributes rather than transient numbers.

The find command accepts the same arguments as set, plus flag arguments like disabled or active, returning the internal numbers of all matching items. These numbers can then be used directly in subsequent commands within the same script execution. This approach creates robust scripts that continue functioning correctly even as configuration changes over time.

Quick Typing Features

Tab Completion

The console includes intelligent tab completion that accelerates command entry and reduces typing errors. Pressing the Tab key after typing a partial word attempts to complete it based on valid options within the current context. If only one valid completion exists, the console automatically appends it followed by a space. This single-match completion provides the fastest path to command completion when the intended target is clear.

When multiple valid completions share a common prefix, pressing Tab completes to that shared prefix without adding a space. This partial completion helps narrow down options efficiently. Pressing Tab a second time displays all possible completions in compact form, showing available choices without leaving the command line. This two-stage approach balances speed with flexibility, allowing quick completion when intent is clear while providing options when more guidance is needed.

Tab completion works across many contexts, including command names, argument names, and values with limited options such as item names in lists or protocol names in firewall rules. However, completion does not work for free-form values like IP addresses, network prefixes, or numeric values. Understanding these limitations helps administrators anticipate when tab completion will assist versus when full typing is required.

Command Abbreviation

Beyond partial word completion, the console accepts abbreviated command names that uniquely identify the intended command. As long as the abbreviation is unambiguous, the console interprets it as the complete command name. This feature allows significant typing reduction for frequently used commands while maintaining readability.

For example, the following abbreviated command is equivalent to its full form:

[admin@MikroTik] > pin 10.1 c 3 si 100

This command expands to:

[admin@MikroTik] > ping 10.0.0.1 count 3 size 100

The abbreviation system extends beyond simple prefix matching to recognize distinctive substrings within command names. If an exact prefix match does not exist, the console searches for words containing the typed characters in sequence. This capability proves valuable when remembering only distinctive portions of command names or when wanting to minimize typing for long command names.

The following example demonstrates substring completion:

[admin@MikroTik] > interface x[TAB][TAB]_
dot1x  vxlan  export
[admin@MikroTik] > interface mt[TAB]_
[admin@MikroTik] > interface monitor-traffic _

General Commands

The RouterOS console provides a consistent set of commands across most configuration levels, reducing the learning curve for new administrators and enabling efficient navigation between different configuration areas. Understanding these universal commands provides the foundation for effective router management.

Adding Configuration Items

The add command creates new configuration items within the current menu level. Required arguments vary by item type, with some properties being mandatory (such as specifying an interface for a new IP address) while others default to reasonable values if omitted. The command returns the internal number of the newly created item, which can be used for immediate further configuration.

Common add command parameters include:

• copy-from: Creates a new item based on an existing one, copying default values while allowing specification of different values for properties that should change. When copying named items, a new name must typically be provided.
• place-before: Positions the new item before an existing item in the list, useful when order matters for rule processing such as firewall rules where position affects matching order.
• disabled: Controls the initial enabled/disabled state of the new item, defaulting to enabled unless explicitly disabled.
• comment: Adds descriptive text to the item, providing documentation value for future reference or script readability.

Modifying Configuration Items

The set command changes properties of existing configuration items. When operating on item lists, set accepts item numbers or names as targets and modifies the specified properties. The command provides no return value, confirming changes through the modified output when printing the updated configuration.

The edit command provides an alternative interface for modifying properties, launching a terminal-based editor suitable for large text values such as scripts. The editor type (full-screen or single-line) depends on detected terminal capabilities. Script editing through edit supports values up to 30,000 characters, adequate for complex automation scripts.

Finding Configuration Items

The find command locates items matching specified criteria, returning their internal numbers for use in subsequent operations. Arguments to find mirror those of set, plus flag arguments visible in print output headers. This command proves essential for reliable script development, enabling item references based on properties rather than potentially changing numbers.

Displaying Configuration

The print command shows all accessible information from the current menu level, including configuration items, their properties, and current values. Print assigns item numbers for lists, enabling subsequent commands to reference specific items. Numerous parameters control print behavior:

• from: Limits output to specified items, maintaining their original order.
• where: Filters output to items matching specified criteria using syntax similar to find.
• brief: Forces tabular output format for easier reading.
• detail: Forces property=value format for scripting compatibility.
• count-only: Shows only the number of matching items.
• file: Writes output to a file with .rsc extension.
• interval: Continuously updates output at specified second intervals for monitoring.
• oid: Includes SNMP OID values in output.
• without-paging: Displays all output without pausing between screens.

Managing Configuration Items

The remove command deletes specified items from configuration lists, accepting item numbers or names as targets. Removed items cannot be recovered except through backup restoration or reconfiguration.

The move command changes the order of items in lists where sequence matters, such as firewall rules or queue configurations. The command accepts the item to move as the first argument and the target position as the second argument. When the second argument is omitted, items move to the end of the list.

Configuration Export and Import

The export command outputs configuration from the current menu and its submenus in a format suitable for import into other routers or backup purposes. The exported format consists of RouterOS commands that recreate the configuration when executed. When a filename is specified, output writes to a file; otherwise, output displays in the console.

The get command retrieves a specific property value from an item without displaying it in normal output. Combining get with the :put command displays the retrieved value, useful for scripting and verification:

:put [system/resource/get version]

Enabling and Disabling

The enable and disable commands control the operational state of configurable items. Disabled items remain in configuration but do not function, useful for temporarily deactivating rules or interfaces without deleting their configuration. Enabled items activate according to their configuration, beginning to function immediately upon enabling.

Comments and Configuration History

The comment command adds or modifies descriptive text attached to configuration items, providing documentation within the configuration itself. Comments persist through exports and appear in configuration backups, making them valuable for explaining purpose, expected behavior, or special considerations.

Combined Command Operations

The console supports combining commands in creative ways to accomplish complex configuration tasks efficiently. Place-before operations combined with find queries enable adding new items in specific positions without separate move commands:

/ip firewall/filter/add chain=forward place-before=[find where comment=CommentX]
/ip/firewall/filter/add chain=forward place-before="CommentX"

These equivalent commands add a new firewall rule before the item identified by its comment, demonstrating how find queries enable position-aware configuration automation.

Console Modes

Single-Line and Multiline Modes

The console operates in either single-line or multiline mode depending on detected terminal capabilities. Multiline mode displays the complete input line regardless of terminal line length, using a full-screen editor for large text values like scripts. This mode proves essential when editing complex scripts or long configuration values that exceed single terminal lines.

Single-line mode uses only one terminal line for editing, truncating longer lines around the cursor position. This mode sacrifices visibility of complete lines for compatibility with terminals lacking advanced capabilities. The full-screen editor does not activate in single-line mode, limiting text editing to basic line-oriented operations.

Mode Selection

Terminal capability detection determines the initial mode, though administrators can influence this through terminal settings. Most modern terminals support multiline mode features, making it the default for SSH and modern terminal emulator connections. Serial console connections may default to single-line mode depending on the terminal emulation used.

Console Settings

Configuration Options

The /console/settings menu controls console behavior options affecting terminal interaction. These settings persist across sessions, applying to all console connections to the router.

The sanitize-names option controls how the console handles special characters in names that might cause problems in file systems or other contexts. When enabled, reserved characters (backslash, forward slash, colon, asterisk, question mark, pipe) are replaced with underscores in file operations and other contexts where special characters could cause issues.

[admin@MikroTik] /console/settings> print
              sanitize-names: no

This setting defaults to disabled, preserving original character usage in names. Administrators enabling this option should understand that it affects only specific operations where special characters might cause problems, not general command processing.

Keyboard Shortcuts

Navigation and Editing Keys

The console provides extensive keyboard shortcuts for efficient navigation, editing, and operation. These shortcuts significantly accelerate routine tasks when mastered, reducing the time required for common administrative operations.

• F1: Display available commands or help for the current command position, functioning similarly to pressing Tab twice but with verbose explanations.
• Tab: Complete the current word or display possible completions. Pressing once completes if unambiguous, twice shows all possibilities.
• F3 or Ctrl-R: Search through command history to repeat previous commands.
• F4 or Ctrl-X: Toggle safe mode, protecting configuration changes from accidental lockout.
• F5 or Ctrl-L: Repaint the terminal display, useful when output has been corrupted or screen scrolling has become confusing.
• F7: Toggle HotLock mode, automatically completing commands without requiring explicit Tab presses.
• F8: Display the entire multiline input currently being composed.
• Ctrl-\: Split the current line at the cursor position, useful when composing complex commands.
• Home or Ctrl-A: Move cursor to the beginning of the current line.
• End or Ctrl-E: Move cursor to the end of the current line.
• Ctrl-C: Interrupt the currently executing action, such as a long-running ping or continuous monitoring operation.
• Ctrl-D: Terminate the console session when at an empty prompt, or exit safe mode while discarding changes.
• Ctrl-K: Delete from the cursor position to the end of the line.
• Ctrl-U: Delete from the beginning of the line to the cursor position.
• Ctrl-T: Switch to a background task, allowing foreground operations to continue while monitoring other activities.

Navigation shortcuts for menu levels include:

• /: Move immediately to the root (base) level of the menu hierarchy.
• ..: Move up one level in the hierarchy, returning to the parent menu.
• /command: Execute a command at the root level without changing the current menu location.

The up and down arrow keys navigate through command history, while the split function (Ctrl-\) separates multi-part commands onto individual lines for clarity.

Built-in Help System

Accessing Help

The console includes comprehensive built-in help accessible through F1 key presses or double Tab presses. Help context adapts to the current cursor position, displaying relevant information about what can be typed at that point in the command. This contextual help proves invaluable when learning new commands or when the exact syntax is uncertain.

Help displays differ between F1 and double Tab based on verbosity. Double Tab provides compact summaries suitable for quick reference, while F1 offers detailed explanations of each option and argument. Both approaches serve different needs during configuration tasks, with F1 preferred for learning and double Tab for quick reminders.

Safe Mode

Configuration Protection

Safe mode protects administrators from accidental lockout when making configuration changes that could disrupt network connectivity. When activated, all configuration changes made during the safe mode session are tracked and automatically reverted if the session terminates abnormally. This protection ensures that mistakes made while configuring remotely cannot leave the router inaccessible.

Enter safe mode through the F4 key or Ctrl-X combination in the console, or through the Safe Mode button in WinBox. The prompt changes to indicate safe mode is active, typically adding <SAFE> to the menu path display:

[admin@MikroTik] ip route>[Ctrl]+[X]
[Safe Mode taken]
[admin@MikroTik] ip route<SAFE>

The message “Safe Mode taken” confirms activation, after which all subsequent configuration changes are recorded for potential rollback.

Safe Mode Rollback Behavior

When safe mode terminates abnormally, such as through connection loss, all tracked changes are automatically undone. The TCP timeout for detecting abnormal termination is approximately 9 minutes, providing a balance between protecting against brief network issues and ensuring changes can be recovered in a reasonable timeframe.

The system history command shows all changes made during safe mode, flagged with an F (floating) indicator to distinguish them from permanent changes. These tracked changes can be reviewed before safe mode exits to verify intended modifications:

[admin@MikroTik] /ip/route>
[Safe Mode taken]
[admin@MikroTik] /ip/route<SAFE> add
[admin@MikroTik] /ip/route<SAFE> /system/history/print
Flags: U, F - FLOATING-UNDO
Columns: ACTION, BY, POLICY
  ACTION                 BY     POLICY
F route 0.0.0.0/0 added  admin  write

Safe Mode Session Management

Multiple administrators can interact with safe mode sessions, with specific behaviors governing safe mode ownership transfer. If another user attempts to enter safe mode while one is active, they receive options to unroll (undo changes and take ownership), release (keep changes and take ownership), or do nothing:

[admin@MikroTik] >
Hijacking Safe Mode from someone - unroll/release/don't take it [u/r/d]:

Selecting ‘u’ undoes all current safe mode changes and transfers ownership to the new session. Selecting ‘r’ preserves all changes and transfers ownership, notifying the previous owner. Selecting ‘d’ leaves everything unchanged and does not enter safe mode.

Exiting Safe Mode

Exiting safe mode through Ctrl-D undoes all tracked changes, returning the configuration to its pre-safe mode state. This provides a clean exit path when changes made during safe mode prove problematic or when the administrator decides against implementing the changes. The /quit command exits without undoing changes, making them permanent.

The history buffer limits safe mode tracking to 100 most recent actions. If too many changes occur for the history to track, safe mode automatically exits without rolling back, potentially leaving problematic changes in place. Administrators should make configuration changes in small increments while in safe mode, exiting and re-entering to limit the number of tracked operations.

Safe mode operates only within user sessions and does not affect commands requiring system reboot, such as configuration reset or backup restoration. These system-level operations bypass safe mode protection.

HotLock Mode

Automatic Command Completion

HotLock mode automatically completes commands as they are typed, eliminating the need for explicit Tab key presses. This mode proves useful for experienced administrators who prefer continuous typing without interruption for completion actions.

Enter and exit HotLock mode through the F7 key. The prompt changes from a single > to double >> when HotLock mode is active:

[admin@MikroTik] /ip/address> [F7]
[admin@MikroTik] /ip/address>>

In HotLock mode, partial commands auto-complete as typing progresses. For example, entering /in et automatically expands to /interface/ethernet/ as the cursor advances, with auto-completion triggering when remaining characters are unambiguous.

HotLock mode trades some typing control for speed, making it most appropriate for experienced administrators familiar with command structures who can predict completion behavior accurately.

Lock Mode

Screen Locking

The :lock command locks the console screen, requiring password authentication to resume the session. This feature protects against unauthorized access when the administrative workstation is temporarily unattended, such as during breaks in physical console access scenarios.

When locked, the screen displays the MikroTik banner and indicates the locked state. Ctrl-D exits the lock screen, prompting for the administrator password. The password required is the same password used for console authentication:

[admin@MikroTik] > :lock
...
  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 7.16rc1 (c) 1999-2024       https://www.mikrotik.com/


Session is locked       (Ctrl-D to Quit)

 password for admin:

The lock feature provides basic session protection but does not replace proper access controls or secure password practices. Physical security remains important for devices with console access.

Scripting Through Console

Command-Line Scripting

The RouterOS console serves as the foundation for scripting, with the same command structures used interactively available for script execution. Scripts combine multiple commands with variables, control structures, and functions to automate complex configuration tasks and network operations.

Basic scripting capabilities include variable assignment using the :local or :global commands, output using :put, arithmetic operations, and string manipulation. More advanced scripting features include loops, conditionals, functions, and error handling, enabling sophisticated automation solutions.

Scripts execute from files stored on the router or entered directly through the console, with the /system script facility managing script storage and execution scheduling. Scheduled scripts run at specified intervals or times, enabling automated monitoring, configuration backup, and network maintenance tasks.

Script Example

A simple script demonstrating basic console scripting concepts:

:local currentTime [/system clock get time]
:local currentDate [/system clock get date]
:put ("Current time: $currentTime")
:put ("Current date: $currentDate")

This script retrieves system time and date values using the clock menu’s get command and displays them using the put command with variable interpolation.

Related Documentation

• Scripting Manual - Advanced console commands and scripting syntax
• First Time Configuration - Initial router setup procedures
• WinBox - Graphical management interface with integrated console
• SSH - Secure remote console access configuration
• Serial Console - Physical console access and configuration