
Command Line Interface

The RouterOS Command Line Interface (CLI) provides direct, text-based access to all router configuration and management features. The CLI offers complete control over RouterOS functionality, supports powerful scripting capabilities, and operates efficiently even over low-bandwidth connections. Understanding the CLI is essential for effective RouterOS administration, as it provides capabilities and precision that graphical interfaces cannot match.

The CLI follows a consistent hierarchical menu structure that organizes related configuration options together. This design means skills learned managing one RouterOS device transfer directly to any other RouterOS device, regardless of model or hardware configuration. Commands use a predictable syntax that combines menu paths with action parameters, making complex configurations manageable through straightforward command entry.

CLI access is available through multiple transport mechanisms including SSH for encrypted remote access, Telnet for unencrypted connections in trusted environments, serial console for out-of-band management, and direct keyboard/monitor connections on supported devices. Each access method presents the same command interface, allowing administrators to choose the transport that best fits their security requirements and physical access needs.

SSH provides secure, encrypted remote access to the RouterOS CLI. This is the recommended method for routine administrative access in production environments. SSH authenticates users and encrypts all traffic, protecting credentials and configuration data from interception or eavesdropping.

Enable and configure the SSH service:

/ip service enable ssh
/ip service set ssh port=22

By default, SSH listens on port 22. Changing to a non-standard port is security through obscurity: it reduces automated attack attempts, but it does not replace source address restrictions or key-based authentication:

/ip service set ssh port=2222

Restrict SSH access to trusted networks using the address parameter:

/ip service set ssh address=192.168.88.0/24

Enable strong cryptographic algorithms for SSH connections:

/ip ssh set strong-crypto=yes

Connect to the router using any SSH client:

ssh admin@192.168.88.1 -p 2222

For key-based authentication, first upload the public key to the router, then import it. RouterOS does not interpret shell path expansions like ~:

scp ~/.ssh/id_ed25519.pub admin@192.168.88.1:/
/user ssh-keys import public-key-file=id_ed25519.pub user=admin

Telnet provides unencrypted CLI access useful for initial configuration in trusted networks or legacy system integration. Because Telnet transmits all data including passwords in plaintext, avoid using Telnet on any network where traffic could be intercepted, including public networks and untrusted LAN segments.

Enable Telnet service:

/ip service enable telnet

Connect via Telnet:

telnet 192.168.88.1

For environments requiring Telnet access, combine it with firewall rules restricting source addresses:

/ip firewall filter
add chain=input protocol=tcp dst-port=23 src-address=192.168.88.0/24 action=accept
add chain=input protocol=tcp dst-port=23 action=drop
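
To check that a router actually ended up with the SSH and Telnet service settings described above, the following added example (not part of the original page or of RouterOS) audits exported configuration text. It assumes the text comes from `/export verbose`, so every service line carries explicit `disabled=` and `address=` values; the sample export and the names `parse_export` and `audit` are constructed for illustration.

```python
import shlex

# Constructed sample shaped like `/export verbose` output for the two menus
# configured above; it is not taken from a real router.
SAMPLE_EXPORT = """\
/ip service
set telnet address="" disabled=no port=23
set ssh address=192.168.88.0/24 disabled=no port=2222
set www address="" disabled=yes port=80
/ip ssh
set strong-crypto=no
"""

def parse_export(text):
    """Map each menu path to a list of (item_name_or_None, {param: value})."""
    menus, menu = {}, None
    # Exports wrap long lines with a trailing backslash; join them first.
    for raw in text.replace("\\\n", "").splitlines():
        line = raw.strip()
        if line.startswith("/"):
            menu = line
            menus.setdefault(menu, [])
        elif line.startswith("set ") and menu is not None:
            tokens = shlex.split(line)[1:]
            # Item menus name the item first; settings menus go straight to params.
            item = tokens.pop(0) if tokens and "=" not in tokens[0] else None
            params = dict(t.split("=", 1) for t in tokens if "=" in t)
            menus[menu].append((item, params))
    return menus

def audit(text):
    """Return findings for the management-plane settings this page covers."""
    menus, findings = parse_export(text), []
    for name, params in menus.get("/ip service", []):
        if params.get("disabled") == "yes":
            continue  # a disabled service exposes nothing
        if name == "telnet":
            findings.append("telnet: enabled, credentials travel in plaintext")
        if not params.get("address"):
            findings.append(f"{name}: no address= restriction on source networks")
    ssh = [p for _, p in menus.get("/ip ssh", [])]
    if not any(p.get("strong-crypto") == "yes" for p in ssh):
        findings.append("ssh: strong-crypto is not enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

The audit only inspects `/ip service` and `/ip ssh`; a Telnet service that is left enabled but protected by the firewall rules above will still be reported.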

Serial console access connects through the router’s serial port, providing CLI access independent of network configuration. This method is critical for initial setup when the router has no IP connectivity and for recovery when network access becomes unavailable.

Connect to the serial port using a null modem cable. Common serial settings are 115200 baud, 8 data bits, no parity, 1 stop bit (8N1). Use terminal emulation software such as PuTTY, screen, or minicom to connect.

Connect with screen:

screen /dev/ttyUSB0 115200

Connect with PuTTY on Windows:

  • Connection type: Serial
  • Serial line: COM1 (or appropriate COM port)
  • Speed: 115200

Once connected, press Enter to display the login prompt. Authentication uses the same credentials as other access methods.

Configure serial port settings if needed:

/system console set port=serial0 baud-rate=115200

Some RouterBOARD devices include VGA output supporting direct keyboard and monitor connection. This provides CLI access without any network connectivity, essential for initial configuration when the router has no IP address configured.

Connect a USB or PS/2 keyboard and VGA monitor to the device. The router displays boot messages and presents a login prompt. Log in with the same credentials used for remote access. The console provides full CLI functionality including all configuration and monitoring commands.

At the end of the successful login sequence, the login process prints a banner and presents the command prompt, then hands over control to the user. The default command prompt consists of username, system identity, and current command path followed by a closing bracket and greater-than symbol.

[admin@MikroTik] >
[admin@MikroTik] /interface >
[admin@MikroTik] /interface wireless >

Change the current path from the root to a specific menu and back:

[admin@MikroTik] > interface
[admin@MikroTik] /interface> /
[admin@MikroTik] >

The prompt reflects the current menu level, showing administrators their position in the command hierarchy. This navigation feedback helps prevent configuration errors by clearly indicating where each command will execute.

Use the up arrow to recall previous commands from command history. Commands that added sensitive data, like passwords, are excluded from history for security. If a command spans multiple lines, press F8 to expand it for editing.

Press the question mark (?) to display built-in help showing available commands and their parameters. In RouterOS v7, F1 provides the same context-sensitive help functionality:

[admin@MikroTik] > ?
[admin@MikroTik] /interface > ?

Press Enter to execute the entered command. Press Control-C to interrupt a currently running command and return to the prompt:

[admin@MikroTik] > ping 192.168.88.1
[admin@MikroTik] > ^C

The easiest way to log out of the console is to press Control-D at the command prompt while the command line is empty. Cancel the current command with Control-C, then press Control-D to log out:

[admin@MikroTik] > ^C
[admin@MikroTik] > ^D

RouterOS supports commands spanning multiple lines. When the entered line is not a complete command and more input is expected, the console shows a continuation prompt that lists all open parentheses, braces, brackets, and quotes. A trailing backslash in that prompt indicates the previous line ended with backslash-whitespace:

[admin@MikroTik] > {
{... :put (\
{(\... 1+2)}
3

When editing multiple line entries, the prompt shows the current line number and total line count instead of the usual username and system name:

line 2 of 3> :put (\

Some commands request additional input from the user. The prompt shows the name of the requested value followed by a colon:

[admin@MikroTik] > /password
old password: ******
new password: **********
retype new password: **********

The console allows configuration of router settings using text commands. Since RouterOS includes many available commands, they are split into groups organized into a hierarchical menu structure. The name of each menu level reflects the configuration information accessible in that section.

Navigate the hierarchy using forward slashes and dot-dot notation:

[admin@MikroTik] > /ip route print
[admin@MikroTik] > interface
[admin@MikroTik] /interface> ..
[admin@MikroTik] >

Execute commands at any level by preceding them with a full path:

[admin@MikroTik] > /ip address print
[admin@MikroTik] > /system resource print

Many command levels operate with arrays of items: interfaces, routes, users, DHCP leases, and others. These items display in tabular format with item numbers, flags, and parameter values. Use the set command with the item name or number to modify properties.

Some lists have items with specific names assigned to each item. Examples include interface names and user levels. Use item names instead of item numbers for more stable and informative references:

[admin@MikroTik] /interface> print
Flags: X - disabled, D - dynamic, R - running
0 R ether1
1 ether2
[admin@MikroTik] /interface> set ether1 disabled=yes

Item names are not assigned internally by the console but are properties of the items themselves. They remain stable even when multiple users change the router configuration simultaneously. Use item names when writing console scripts for consistency.

Item numbers are assigned by the print command and are not constant between executions. Successive print commands may order items differently. However, the results of the last print command are memorized, so item numbers remain valid until the next print command or until you quit the console.

Item numbers are assigned on a per-session basis and separately for every item list. The /ip address print command will not change the numbering of the interface list. Specify multiple items as targets by providing a comma-separated list:

[admin@MikroTik] /interface> disable 0,1,2
[admin@MikroTik] /interface> set 0,1 disabled=no

Several commands are common across nearly all menu levels. These commands have consistent behavior throughout RouterOS:

Command   Description
print     Shows all information accessible from the current command level. Assigns item numbers for use by other commands.
set       Changes values of general parameters or item parameters. Takes arguments corresponding to editable values.
add       Creates a new item with specified values, usually at the end of the list. Returns the internal number of added items.
remove    Removes specified items from a list.
edit      Launches an editor to modify values containing large amounts of text, such as scripts.
find      Returns internal numbers of items matching specified criteria.
export    Exports configuration from the current menu level in a format suitable for import or backup.
enable    Activates a previously disabled item.
disable   Deactivates an item without removing it from configuration.
move      Changes the order of items in a list.

The print command supports numerous parameters for customizing output:

/ip route print detail
/ip route print count-only
/ip route print without-paging
/ip route print where dst-address=0.0.0.0/0
/ip route print oid

The add command supports parameters that set the new item's properties and control its placement:

/ip firewall address-list add list=trusted address=192.168.88.0/24 comment="LAN network"
/ip firewall address-list add list=trusted address=10.0.0.0/8 disabled=yes

Use copy-from to create items based on existing configurations:

/ip firewall address-list add copy-from=0 address=172.16.0.0/12

Use place-before to insert items at specific positions:

/ip firewall filter add chain=input action=accept protocol=icmp place-before=0

RouterOS CLI supports several input modes for different use cases:

Normal mode is indicated by the standard command prompt. This is the default mode for routine command entry and configuration.

Safe mode is indicated by the word SAFE appearing after the command prompt. In safe mode, configuration changes are held in memory and saved to disk only when safe mode is turned off. This prevents accidental configuration changes from persisting if connectivity is lost during editing.

Toggle safe mode with Control-X or F4:

[admin@MikroTik] > ^X
[admin@MikroTik] SAFE>

Exit safe mode by pressing Control-X or F4 again. Configuration changes are then saved:

[admin@MikroTik] SAFE> ^X
[admin@MikroTik] >

Hot-lock mode is indicated by an additional yellow greater-than symbol in the prompt. In this mode, the console automatically completes commands as you type, similar to traditional terminal behavior:

[admin@MikroTik] > F7
[admin@MikroTik] >>

Toggle hot-lock mode with F7.

Two features help enter commands more quickly: tab completion and command abbreviations.

Press the Tab key after typing part of a word to auto-complete commands within the current context. If only one match exists, the console appends the completion followed by a space:

[admin@MikroTik] > inte[Tab]
[admin@MikroTik] > interface

If multiple matches exist with a common prefix longer than what you typed, the console completes to the common part without adding a space:

[admin@MikroTik] > interface set e[Tab]
[admin@MikroTik] > interface set ether

Press Tab twice to show all possible completions when ambiguity exists:

[admin@MikroTik] > interface set ether[Tab][Tab]
ether1 ether2 ether3 ether4 ether5
[admin@MikroTik] > interface set ether

Tab completion works in contexts where the console can predict valid values, including command names, argument names, and item names from lists. Numbers, IP addresses, and similar values cannot be completed.

Type only the beginning of command and argument names. If the input is unambiguous, the console accepts it as the full name:

[admin@MikroTik] > pi 10.1 c 3 si 100

This is equivalent to:

[admin@MikroTik] > ping 10.0.0.1 count=3 size=100

Complete not only the beginning but also distinctive substrings within names. If no exact match exists, the console searches for words containing the typed letters in order:

[admin@MikroTik] > interface x[TAB]
[admin@MikroTik] > interface export
[admin@MikroTik] > interface mt[TAB]
[admin@MikroTik] > interface monitor-traffic

Console search performs keyword search through RouterOS menus and command history. Access the search prompt with Control-R or F3. Type a search term to find matching commands and menu paths:

[admin@MikroTik] > ^R
search: rout

This feature helps locate commands whose exact syntax you remember partially, or discover new commands related to a topic.

RouterOS console includes a built-in internal chat system for communication between remotely located administrators. Prefix messages with the # symbol to broadcast to all logged-in users:

[admin@MikroTik] > # ready to configure the firewall?

All logged-in administrators see the message:

fake_admin: i was born ready

This capability is useful for coordinating configuration changes among multiple administrators, warning others about ongoing changes, or requesting assistance without leaving the console.

The RouterOS CLI supports extensive keyboard shortcuts for efficient navigation and editing:

Key                     Action
Enter                   Execute command
?                       Display context help (F1 in v7)
Tab                     Complete command/word
Tab+Tab                 Show possible completions
Up Arrow                Previous command from history
Down Arrow              Next command from history
Control-C               Interrupt running command
Control-D               Log out (when line is empty)
Control-X / F4          Toggle safe mode
F7                      Toggle hot-lock mode
Control-R / F3          Toggle console search
F6                      Toggle cellar
Control-A / Home        Move to beginning of line
Control-E / End         Move to end of line
Control-B / Left        Move back one character
Control-F / Right       Move forward one character
Control-P / Up          Previous line / recall history
Control-N / Down        Next line
Control-H / Backspace   Delete character before cursor
Delete                  Delete character at cursor
Control-U               Clear from cursor to line start
Control-K               Clear from cursor to line end
Control-L / F5          Reset terminal and repaint
Control-\               Split line at cursor

The login process displays the MikroTik banner and short help after validating credentials. The banner shows RouterOS version, copyright information, and quick reference commands:

  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 7.x (c) 1999-2024       https://www.mikrotik.com/

[?]             Gives the list of available commands
command [?]     Gives help on the command and list of arguments

[Tab]           Completes the command/word. If the input is ambiguous,
                a second [Tab] gives possible options

/               Move up to base level
..              Move up one level
/command        Use command at the base level
After the banner, additional information may display including system notes from other administrators, critical log messages, demo version reminders, and default configuration descriptions.

  • /ip service - Configure management services (SSH, Telnet, WWW, WinBox)
  • /ip ssh - Configure SSH settings and cryptography
  • /system console - Configure serial console settings
  • /user - Manage user accounts
  • /user ssh-keys - Configure SSH key-based authentication