
Management Tools

RouterOS provides multiple methods for accessing and managing your router, each suited to different scenarios, expertise levels, and network requirements. Understanding these access methods enables efficient router administration, troubleshooting, and configuration regardless of your physical location or available tools.

The choice of management interface depends on several factors including network connectivity, required capabilities, security requirements, and personal preference. CLI access provides the most comprehensive control and scripting capabilities. WebFig offers a visual interface accessible from any web browser. WinBox provides a dedicated Windows application with advanced features. The mobile app enables quick checks and basic management from smartphones. Serial console access remains essential for initial configuration and recovery scenarios when network connectivity is unavailable.

This guide covers all available management methods, their configuration requirements, security considerations, and best practices for each approach. Proper security configuration for management access is critical, as these interfaces provide significant control over your router and network.

The Command Line Interface (CLI) provides direct access to RouterOS functionality through text-based commands. This method offers complete control over all router features, supports scripting for automation, and operates efficiently even on low-bandwidth connections. The CLI follows a hierarchical menu structure that organizes related configuration options together.

CLI access is available through multiple transport mechanisms including SSH, Telnet, serial console cable, and direct keyboard/monitor on devices with VGA output. SSH provides encrypted access suitable for production environments. Telnet transmits data in plaintext and should only be used in trusted networks or for initial setup. Serial console access bypasses network connectivity entirely, making it essential for recovery scenarios.

The CLI uses a consistent syntax across all commands. Configuration commands modify settings in the running configuration. Operational commands perform actions without modifying configuration. The / character navigates between menu levels, and tab completion assists with command entry. This consistency means skills learned managing one RouterOS device transfer directly to any other RouterOS device.

SSH provides secure, encrypted remote access to the RouterOS CLI. This is the recommended method for routine administrative access in production environments. SSH authenticates users and encrypts all traffic, protecting credentials and configuration data from interception.

Enable and configure the SSH service:

/ip service enable ssh
/ip service set ssh port=22

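By default, SSH listens on port 22. Changing to a non-standard port is security through obscurity: it reduces noise from automated scans but does not replace source-address restrictions or key-based authentication. To change the port: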

/ip service set ssh port=2222

Restrict SSH access to trusted networks using the address parameter:

/ip service set ssh address=192.168.88.0/24

Enable strong cryptographic algorithms for SSH connections:

/ip ssh set strong-crypto=yes

Connect to the router using any SSH client:

ssh admin@192.168.88.1 -p 2222

For key-based authentication, first upload the public key from your workstation, then import it on the router. RouterOS does not interpret shell path expansions like ~, so the import command refers to the uploaded file by its plain name.

On the workstation:

scp ~/.ssh/id_ed25519.pub admin@192.168.88.1:/

On the router:

/user ssh-keys import public-key-file=id_ed25519.pub user=admin

Telnet provides unencrypted CLI access useful for initial configuration in trusted networks or legacy system integration. Because Telnet transmits all data including passwords in plaintext, avoid using Telnet on any network where traffic could be intercepted, including public networks and untrusted LAN segments.

Enable Telnet service:

/ip service enable telnet

Connect via Telnet:

telnet 192.168.88.1

For environments requiring Telnet access, combine it with firewall rules restricting source addresses:

/ip firewall filter
add chain=input protocol=tcp dst-port=23 src-address=192.168.88.0/24 action=accept
add chain=input protocol=tcp dst-port=23 action=drop
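
An added example (not from the original page): a minimal first-match evaluator for the two Telnet rules above, showing why both the pair and its order matter. It assumes single-port, single-prefix matchers with no quoted values, as in those rules; the function names and the outside address 203.0.113.5 are constructed for illustration.

```python
import ipaddress

def parse_rule(line):
    """Turn 'add chain=input protocol=tcp ...' into a dict of key=value pairs.
    Only handles unquoted values, as in the Telnet rules on this page."""
    return dict(tok.split("=", 1) for tok in line.split()[1:])

def verdict(rules, src, dst_port, chain="input", protocol="tcp"):
    """First matching rule wins. A packet that matches no rule in the chain
    is accepted, which is how RouterOS treats an unmatched packet."""
    src_ip = ipaddress.ip_address(src)
    for rule in rules:
        if rule.get("chain") != chain:
            continue
        if "protocol" in rule and rule["protocol"] != protocol:
            continue
        if "dst-port" in rule and int(rule["dst-port"]) != dst_port:
            continue
        if "src-address" in rule and \
                src_ip not in ipaddress.ip_network(rule["src-address"]):
            continue
        return rule["action"]
    return "accept"

# The two rules exactly as they appear above.
PAGE_RULES = [parse_rule(line) for line in (
    "add chain=input protocol=tcp dst-port=23 src-address=192.168.88.0/24 action=accept",
    "add chain=input protocol=tcp dst-port=23 action=drop",
)]

def exposure(rules, port=23):
    """Verdict for a LAN host and for an outside host (constructed addresses)."""
    return {src: verdict(rules, src, port)
            for src in ("192.168.88.10", "203.0.113.5")}

if __name__ == "__main__":
    print("as written   ", exposure(PAGE_RULES))        # LAN in, outside dropped
    print("drop missing ", exposure(PAGE_RULES[:1]))    # outside falls through
    print("order swapped", exposure(PAGE_RULES[::-1]))  # everyone locked out
```
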

Some RouterBOARD devices include VGA output supporting direct keyboard and monitor connection. This provides CLI access without any network connectivity, essential for initial configuration when the router has no IP address configured or network connectivity is unavailable.

Connect a USB or PS/2 keyboard and VGA monitor to the device. The router displays boot messages and presents a login prompt. Log in with the same credentials used for remote access. The console provides full CLI functionality including all configuration and monitoring commands.

Serial console access connects through the router’s serial port (DB9 or RJ45 depending on model), providing CLI access independent of network configuration. This method is critical for initial setup when the router has no IP connectivity and for recovery when network access becomes unavailable.

Connect to the serial port using a null modem cable. Common serial settings are 115200 baud, 8 data bits, no parity, 1 stop bit (8N1). Use terminal emulation software such as PuTTY, screen, or minicom to connect.

Connect with screen:

screen /dev/ttyUSB0 115200

Connect with PuTTY on Windows:

  • Connection type: Serial
  • Serial line: COM1 (or appropriate COM port)
  • Speed: 115200

Once connected, press Enter to display the login prompt. Authentication uses the same credentials as other access methods.

Configure serial port settings if needed:

/system serial-console set port=serial0 baud-rate=115200

WebFig provides a graphical web-based management interface accessible from any modern web browser. This method requires no client software installation and works across operating systems including Windows, macOS, and Linux. WebFig displays router status, configuration options, and real-time statistics in a visual format suitable for users who prefer graphical interfaces over command-line administration.

WebFig offers two modes: the legacy WebFig interface and the newer WebFig2 with enhanced features and modern styling. Both modes provide access to the same underlying functionality. The interface connects to the router over HTTP or HTTPS, presenting configuration options organized by function.

Access WebFig by navigating to the router’s IP address in a web browser:

https://192.168.88.1

The browser displays a login prompt. Enter administrative credentials to access the interface. The default admin account has no password on new installations, requiring immediate password configuration for security.

Enable the HTTP web service:

/ip service enable www
/ip service set www port=80

HTTPS requires a certificate, so create and sign one first:

/certificate add name=router-cert country="US" state="California" locality="San Francisco" organization="MyCompany" common-name="router.example.com" days-valid=365
/certificate sign router-cert

Then enable HTTPS for encrypted access, referencing that certificate:

/ip service enable www-ssl
/ip service set www-ssl port=443 certificate=router-cert

Restrict web access to trusted networks:

/ip service set www address=192.168.88.0/24
/ip service set www-ssl address=192.168.88.0/24

WebFig organizes router configuration into logical sections displayed as tabs or menus. The interface shows current configuration values with dropdowns, text fields, and checkboxes for modification. Real-time statistics update automatically, showing interface traffic, resource usage, and connection states.

The Quick Set section provides simplified configuration for common scenarios including basic router setup, access point configuration, and hotspot setup. This accelerates initial deployment for users unfamiliar with advanced RouterOS concepts.

Advanced configuration accesses the full RouterOS feature set through the same hierarchical structure as the CLI. Changes made in WebFig apply immediately to the running configuration. A configuration history tracks changes, allowing rollback to previous states.

WebFig includes a terminal accessible from the Tools menu, providing CLI access within the browser interface. This combines graphical overview with command-line precision when needed.

Modern smartphones and tablets can access WebFig through their mobile browsers. The interface adapts to smaller screens, presenting a mobile-optimized layout. Touch controls replace mouse interactions for selecting options and navigating menus.

Access WebFig from mobile browsers:

https://192.168.88.1

Mobile WebFig provides sufficient functionality for monitoring, basic configuration, and troubleshooting when desktop access is unavailable. Complex configurations requiring precise input benefit from larger screens and physical keyboards.

WinBox is a dedicated Windows application providing advanced graphical management of RouterOS devices. WinBox offers features unavailable in WebFig, including neighbor discovery for automatic device detection, traffic monitoring with graphical representations, and bandwidth-efficient operation suitable for managing devices over limited-speed connections.

WinBox discovers MikroTik devices on the network through neighbor discovery protocols, displaying available routers with their identity, IP addresses, and current status. This capability accelerates management of networks with multiple routers by eliminating the need to manually enter IP addresses.

Download WinBox from the MikroTik website or access it directly from a router’s WebFig interface. The application requires no installation, running as a standalone executable. Wine on Linux and virtualization on macOS provide WinBox functionality on non-Windows platforms.

Launch WinBox and wait for neighbor discovery to populate the list of available routers. Select a router from the list or enter an IP address manually. Specify the login credentials and connect.

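Connect via MAC address for devices without IP configuration. MAC WinBox access is controlled by the mac-winbox setting of the MAC server. Allowing it on all interfaces also exposes it on WAN-facing ports, so once initial setup is complete, prefer an interface list that contains only trusted ports:

/tool mac-server mac-winbox set allowed-interface-list=all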

WinBox maintains a favorites list of frequently accessed routers, storing credentials for convenient reconnection. The application supports multiple simultaneous connections to different routers, enabling management of complex networks from a single interface.

WinBox provides real-time traffic monitoring with graphical representations of throughput, packet rates, and connection counts. The Graphs section displays historical traffic patterns, useful for capacity planning and troubleshooting performance issues.

The Terminal in WinBox provides full CLI access with command history and tab completion. The Files section manages router file storage, including backup files, scripts, and uploaded packages. The Quick Set offers simplified configuration wizards for common scenarios.

The WebFig link opens the router’s web interface directly from WinBox, providing seamless transition between applications when needed. The Neighbor window shows all MikroTik devices discovered on the network, including their software versions and resource status.

Configure WinBox access restrictions through the IP service configuration:

/ip service set winbox address=192.168.88.0/24

WinBox can use certificates for authenticated connections, preventing connection to rogue devices impersonating legitimate routers. Configure certificate-based authentication:

/certificate add name=winbox-cert country="US" state="CA" locality="SF" organization="MyOrg" common-name="winbox-auth"
/certificate sign winbox-cert
/ip service set winbox certificate=winbox-cert

The MikroTik mobile application provides smartphone-based management for RouterOS devices. Available for iOS and Android, the app enables quick monitoring, status checks, and basic configuration from anywhere with network connectivity. The app is ideal for network administrators who need to verify router status or make simple changes while away from their primary management station.

The mobile app connects to routers via IP address or through neighbor discovery on local networks. QR code scanning simplifies adding routers to the device list. The app displays real-time resource monitoring, interface status, and traffic information in a mobile-optimized interface.

Install the MikroTik app from the Apple App Store or Google Play Store. The application is free and requires no RouterOS license beyond what the router already uses.

Add a router to the app by entering its IP address, or scan the local network for MikroTik devices. For remote access, configure the router with a VPN or DDNS address reachable from your mobile network.

Configure DDNS for remote access:

/ip cloud set ddns-enabled=yes

The router receives a cloud DNS name in the format xxxxxx.sn.mynetname.net. Use this name in the mobile app for remote connections.

The Dashboard displays key router metrics including CPU load, memory usage, interface status, and active connections. Touch gestures navigate between views and drill down into specific statistics.

Quick Actions provide one-tap access to common functions including reboot, interface enable/disable, and DHCP lease viewing. The Terminal provides command-line access for advanced operations.

The app supports multiple router profiles, enabling quick switching between devices. Save frequently accessed routers in the favorites list for instant connection.

When using the mobile app over cellular networks or untrusted Wi-Fi, ensure the connection uses encryption. Avoid transmitting administrative credentials over unencrypted connections. Configure the router firewall to restrict management access to known networks or VPN interfaces.

/ip firewall filter
add chain=input protocol=tcp dst-port=8291 src-address-list=my-phone action=accept
add chain=input protocol=tcp dst-port=8291 action=drop

Store mobile device credentials securely and enable device encryption. Lost or stolen devices with saved router credentials represent a security risk requiring credential rotation.

TR-069 (CPE WAN Management Protocol), also known as CWMP, provides automated remote management of customer premises equipment through an Auto Configuration Server (ACS). This protocol is essential for Internet Service Providers managing large numbers of routers, enabling firmware updates, configuration changes, and monitoring without manual intervention.

RouterOS includes a TR-069 client that implements the CWMP standard. The client initiates connections to the ACS, receiving configuration parameters and commands. Common ACS operations include provisioning new devices, pushing configuration profiles, upgrading firmware, and collecting operational data.

The TR-069 client operates at the application layer over HTTP or HTTPS, making it suitable for deployments where the router has internet connectivity but not necessarily direct management access.

Configure the TR-069 client with ACS connection parameters:

/tr069-client set enabled=yes
/tr069-client set acs-url=https://acs.example.com/cpe
/tr069-client set acs-username=acs_admin
/tr069-client set acs-password=acs_password

Configure the client certificate for mutual TLS authentication:

/certificate add name=tr069-client-cert country="US" state="CA" locality="SF" organization="MyOrg" common-name="client-auth"
/certificate sign tr069-client-cert
/tr069-client set certificate=tr069-client-cert
/tr069-client set verify-peer-certificate=yes

Set the connection request authentication that the ACS uses to connect to the CPE:

/tr069-client set connection-request-username=cpe_admin
/tr069-client set connection-request-password=cpe_password

The ACS can perform several remote operations through the TR-069 client. Firmware updates download and install new RouterOS versions automatically:

/tr069-client get parameter-values oid=1.3.6.1.2.1.1.5.0

Configuration management pushes complete configurations or configuration changes:

/tr069-client inform

The client initiates periodic informs to the ACS according to configured intervals:

/tr069-client set periodic-inform-interval=86400

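TR-069 communications should always use HTTPS to protect configuration data and credentials. Configure the firewall to allow outbound HTTPS connections to the ACS while blocking unauthorized inbound connections. The connection request port (7547) should accept traffic only from the ACS; in the rules below, tr069-acs is an example address list holding the ACS addresses:

/ip firewall filter
add chain=output protocol=tcp dst-port=443 action=accept comment="Allow TR-069 ACS"
add chain=input protocol=tcp dst-port=7547 src-address-list=tr069-acs action=accept comment="Allow TR-069 connection request"
add chain=input protocol=tcp dst-port=7547 action=drop comment="Drop other TR-069 connection requests"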

Use strong credentials for both ACS authentication and connection request authentication. Rotate credentials periodically and immediately upon suspected compromise.

Each management access method should be available only to users and networks requiring that access level. Disable management services not in active use. Restrict source addresses for all management services to trusted networks or specific hosts.

/ip service set www address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24
/ip service set api address=192.168.88.0/24
/ip service disable telnet
/ip service disable ftp

For high-security environments, consider implementing additional authentication layers. RouterOS supports RADIUS authentication for centralized credential management and integration with enterprise authentication systems:

/radius add service=login address=10.0.0.1 secret=radius_secret
/user aaa set use-radius=yes

Enable comprehensive logging for management access to track administrative actions:

/system logging add topics=info
/system logging add topics=account
/system logging action set remote remote=10.0.0.10
/system logging add topics=info action=remote

Periodically review management access configurations:

/ip service print
/user print detail
/ip ssh print

Verify that all management services use appropriate access restrictions, strong credentials, and current security settings.
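
One way to automate this review, as an added example that is not part of the original page: a Python check over export-style `set <service> ...` lines that flags enabled services the baseline above disables, services with no address restriction, and allowed sources outside the trusted network. The sample text and function names are constructed; 192.168.88.0/24 is the trusted network used throughout this page.

```python
import ipaddress
import shlex

DISABLE = {"telnet", "ftp"}  # services the page's baseline turns off

# Constructed sample: 'set <service> key=value' lines in the style of a
# RouterOS export. Real exports carry more properties; extra keys are ignored.
SAMPLE = '''/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=yes port=21
set www address=0.0.0.0/0 disabled=no port=80
set ssh address=192.168.88.0/24 disabled=no port=22
set winbox address=192.168.88.0/24,10.0.0.0/8 disabled=no port=8291
'''

def parse_services(text):
    """Return {service: {key: value}} from 'set <service> key=value ...' lines."""
    services = {}
    for line in text.splitlines():
        tokens = shlex.split(line)  # handles quoted values such as address=""
        if len(tokens) >= 2 and tokens[0] == "set":
            services[tokens[1]] = dict(
                t.split("=", 1) for t in tokens[2:] if "=" in t)
    return services

def audit(text, trusted=("192.168.88.0/24",)):
    """Return (service, problem) findings for every enabled service."""
    trusted_nets = [ipaddress.ip_network(n) for n in trusted]
    findings = []
    for name, props in parse_services(text).items():
        if props.get("disabled", "no") == "yes":
            continue
        if name in DISABLE:
            findings.append((name, "should be disabled"))
        sources = [a for a in props.get("address", "").split(",") if a]
        if not sources:
            findings.append((name, "no address restriction"))
        for src in sources:
            net = ipaddress.ip_network(src, strict=False)
            if not any(net.version == t.version and net.subnet_of(t)
                       for t in trusted_nets):
                findings.append((name, f"allows untrusted source {src}"))
    return findings

if __name__ == "__main__":
    for service, problem in audit(SAMPLE):
        print(f"{service}: {problem}")
```
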

  • /ip service - Configure management services (SSH, Telnet, WWW, WinBox)
  • /ip ssh set strong-crypto - Enable strong SSH cryptography
  • /tool mac-server - Control MAC-based access services
  • /system serial-console - Configure serial console settings
  • /tr069-client - Configure TR-069/CWMP client
  • /certificate - Manage certificates for encrypted management
  • /ip cloud - Configure MikroTik cloud DDNS service
  • /user ssh-keys - Configure SSH key-based authentication