RouterOS Interfaces: A Complete Overview
TL;DR (Quick Start)
RouterOS interfaces are the building blocks of your network configuration. Every packet enters and exits through an interface.
```
# View all interfaces
/interface print

# View interface details
/interface print detail

# Monitor real-time status
/interface monitor-traffic ether1
```
Overview
What this covers: Interface types, naming conventions, interface lists, and how interfaces work together in RouterOS.
When you need this: Before configuring any network service - understanding interfaces is foundational to everything else in RouterOS.
Key concepts:
- Physical interfaces (Ethernet, SFP, wireless)
- Virtual interfaces (VLAN, bridge, bonding)
- Interface lists for firewall organization
- Hardware offload and performance considerations
Interface Types in RouterOS
RouterOS supports many interface types, each serving different purposes:
Physical Interfaces
| Type | Description | Common Names |
|---|---|---|
| Ethernet | RJ45 copper ports | ether1, ether2, etc. |
| SFP/SFP+ | Fiber or copper modules | sfp1, sfp-sfpplus1 |
| Wireless | WiFi radios | wlan1, wlan2 |
| LTE | Cellular modems | lte1 |
Virtual Interfaces
| Type | Description | Use Case |
|---|---|---|
| VLAN | 802.1Q tagged sub-interface | Network segmentation |
| Bridge | Layer 2 switching | Combining ports |
| Bonding | Link aggregation (LACP/802.3ad) | Redundancy and bandwidth |
| PPPoE | Point-to-Point over Ethernet | ISP connections |
| Tunnel | VPN endpoints (WireGuard, IPSec) | Site-to-site connections |
Physical Interface Management
Viewing Interface Status
```
# List all interfaces with status
/interface print

# Detailed view with MAC addresses
/interface print detail

# Real-time monitoring
/interface ethernet monitor ether1 once
```
Understanding Interface Flags
When you print interfaces, flags indicate their state:
| Flag | Meaning |
|---|---|
| R | Running - interface is operational |
| S | Slave - part of a bridge or bond |
| D | Dynamic - created automatically |
| X | Disabled - administratively shut down |
Ethernet Interface Configuration
```
# View current settings
/interface ethernet print detail

# Disable an interface
/interface ethernet disable ether5

# Set auto-negotiation (recommended)
/interface ethernet set ether1 auto-negotiation=yes

# Force specific speed (only when needed)
/interface ethernet set ether1 auto-negotiation=no speed=100M-baseT-full
```
Common Mistake
Don’t disable auto-negotiation unless you have a specific reason. Gigabit and faster speeds require auto-negotiation to be enabled on copper interfaces. Forcing speed incorrectly causes link failures or duplex mismatches.
Interface Lists
Interface lists group interfaces for use in firewall rules. They’re essential for scalable configurations.
Why Use Interface Lists?
Without lists, you write separate rules for each interface:
```
# Without lists - hard to maintain
/ip firewall filter add chain=input in-interface=ether1 action=drop
/ip firewall filter add chain=input in-interface=pppoe-out1 action=drop
/ip firewall filter add chain=input in-interface=lte1 action=drop
```
With lists, one rule covers all:
```
# With lists - clean and maintainable
/interface list add name=WAN
/interface list member add interface=ether1 list=WAN
/interface list member add interface=pppoe-out1 list=WAN
/interface list member add interface=lte1 list=WAN

/ip firewall filter add chain=input in-interface-list=WAN action=drop
```
Default Interface Lists
RouterOS creates default lists that correspond to the default configuration:
| List | Purpose |
|---|---|
| WAN | Untrusted external interfaces |
| LAN | Trusted internal interfaces |
Managing Interface Lists
```
# Create a new list
/interface list add name=DMZ

# Add interfaces to a list
/interface list member add interface=ether5 list=DMZ
/interface list member add interface=ether6 list=DMZ

# View list membership
/interface list member print

# Use in firewall rules
/ip firewall filter add chain=forward in-interface-list=DMZ out-interface-list=LAN action=accept
```
Bridges: Layer 2 Switching
Bridges combine multiple interfaces into a single Layer 2 domain, functioning like a switch.
Basic Bridge Creation
```
# Create a bridge
/interface bridge add name=bridge1

# Add ports to the bridge
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=ether3
/interface bridge port add bridge=bridge1 interface=ether4

# Assign IP to the bridge (not individual ports)
/ip address add address=192.168.1.1/24 interface=bridge1
```
Hardware Offload
Hardware offload allows the switch chip to forward packets without CPU involvement, dramatically improving performance.
```
# Check hardware offload status
/interface bridge port print
# Look for "H" flag - indicates hardware offloading active
```
Common Mistake
Multiple bridges disable hardware switching. Keep ports that need high-speed switching on the same bridge and switch chip. “Multiple bridges are not recommended as hardware switching between switch ports is disabled on all but the first bridge.”
Bridge Port Behavior
When an interface becomes a bridge member (slave):
- DHCP client must run on the bridge, not slave ports
- Firewall rules reference the bridge, not slave interfaces
- IP addresses should be on the bridge, not slave ports
Common Mistake
802.1x (dot1x) authentication does not work when the interface is a bridge member. The EAPOL process cannot complete on slave ports. Configure the port outside the bridge during authentication, or consider alternative authentication approaches.
VLAN Interfaces
VLANs create virtual network segments on a single physical interface.
Creating VLAN Interfaces
```
# Create VLAN interface on a bridge
/interface vlan add name=vlan100-servers vlan-id=100 interface=bridge1
/interface vlan add name=vlan200-users vlan-id=200 interface=bridge1

# Assign IP addresses
/ip address add address=10.100.0.1/24 interface=vlan100-servers
/ip address add address=10.200.0.1/24 interface=vlan200-users
```
Bridge VLAN Filtering vs. VLAN Interfaces
There are two approaches to VLANs in RouterOS:
| Approach | Use Case | Hardware Offload |
|---|---|---|
| VLAN interfaces | Router participates in VLAN (gateway, DHCP) | CPU-bound |
| Bridge VLAN filtering | Switch traffic between ports | CRS3xx only |
Common Mistake
Enabling VLAN filtering on bridges disables hardware offload on most devices. Only CRS3xx series supports bridge VLAN filtering with hardware offload. On older devices (RB2011, etc.), configure VLANs through /interface ethernet switch for hardware acceleration.
Bonding: Link Aggregation
Bonding combines multiple physical interfaces into a single logical interface for redundancy and increased bandwidth.
LACP Bonding Example
```
/interface bonding add name=bond-core mode=802.3ad \
    slaves=sfp-sfpplus1,sfp-sfpplus2 \
    transmit-hash-policy=layer-2-and-3
```
Common Mistake
Don’t confuse bonding with bridging. Bonding (802.3ad) creates a single aggregated channel between two devices. Bridging creates separate paths that RSTP will likely block to prevent loops. For true link aggregation, use bonding.
SFP/SFP+ Interfaces
SFP ports accept fiber or copper modules for flexible connectivity.
Common SFP Configuration
```
# View SFP status and diagnostics
/interface ethernet monitor sfp-sfpplus1 once

# For 1G SFP modules in SFP+ ports
/interface ethernet set sfp-sfpplus1 auto-negotiation=no speed=1G-baseX
```
SFP Naming Convention
| Name Pattern | Meaning |
|---|---|
| sfp-sfpplusX | SFP+ port capable of 1G and 10G |
| sfpplusX | SFP+ port for 10G only |
| sfpX | SFP port (1G max) |
Management Interface Considerations
RouterOS responds to management IPs from any interface at Layer 3. This surprises users expecting interface-specific isolation.
How Management Works
When you SSH or WebFig to a MikroTik:
- The connection arrives via the input chain
- It’s processed at L3, not L2
- The router responds from any interface that can reach you
True Management Isolation
For dedicated management access:
```
# Create management VLAN
/interface vlan add name=vlan-mgmt vlan-id=99 interface=bridge1
/ip address add address=10.99.0.1/24 interface=vlan-mgmt

# Restrict management access via firewall
/ip firewall filter add chain=input in-interface=!vlan-mgmt \
    dst-port=22,80,443,8291 protocol=tcp action=drop
```
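The firewall rule above names one interface and four TCP ports. As an added example (not part of the original page or of MikroTik's documentation), the sketch below extends the same isolation with an interface list plus the per-service and MAC-server settings that also govern management access. The list name MGMT is an assumption; vlan-mgmt and 10.99.0.0/24 are the management VLAN and subnet configured above.

```routeros
# Added example. MGMT is an assumed list name; vlan-mgmt and 10.99.0.0/24
# are the management VLAN and subnet from the configuration above.

# Group management interfaces in a list so rules do not name interfaces
/interface list add name=MGMT
/interface list member add interface=vlan-mgmt list=MGMT

# Narrow: a rule listing only 22,80,443,8291 leaves Telnet (23), FTP (21)
# and the API (8728/8729) reachable from other interfaces unless some
# other rule drops them.
# Broader: accept SSH and Winbox from MGMT, then drop every management
# port that arrives from anywhere else.
/ip firewall filter add chain=input in-interface-list=MGMT protocol=tcp \
    dst-port=22,8291 action=accept comment="mgmt: SSH and Winbox from MGMT"
/ip firewall filter add chain=input in-interface-list=!MGMT protocol=tcp \
    dst-port=21,22,23,80,443,8291,8728,8729 action=drop \
    comment="mgmt: drop management ports outside MGMT"

# Disable services that are not used and bind the rest to the mgmt subnet
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh address=10.99.0.0/24
/ip service set winbox address=10.99.0.0/24

# MAC-Telnet and MAC-Winbox have their own interface restriction
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool mac-server ping set enabled=no

# Limit neighbor discovery to the management list
/ip neighbor discovery-settings set discover-interface-list=MGMT

# Verify the result
/ip service print
/ip firewall filter print where chain=input
/tool mac-server print
```

Apply it from a session that arrives through vlan-mgmt, or with Safe Mode enabled, because the drop rule and the service address restrictions take effect immediately. Filter rules are evaluated in order, so these must sit above any broader accept rule in the input chain.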
Interface Monitoring
Real-Time Traffic Monitoring
```
# Monitor traffic on interface
/interface monitor-traffic ether1

# Monitor multiple interfaces
/interface monitor-traffic ether1,ether2

# Monitor with interval
/interface monitor-traffic ether1 interval=2
```
Statistics and Counters
```
# View interface statistics
/interface ethernet print stats

# Reset counters for clean baseline
/interface ethernet reset-counters ether1
```
Cable Testing (Copper Only)
```
# Test cable quality (interface must be down)
/interface ethernet cable-test ether2
```
Results show distance to faults:
- open:X - Cable disconnected at X meters
- short:X - Cable shorted at X meters
Troubleshooting Common Issues
Interface Shows “No Link”
| Check | Command | What to Look For |
|---|---|---|
| Physical connection | Visual inspection | Cable seated, LEDs |
| Cable quality | /interface ethernet cable-test | Open/short faults |
| Speed mismatch | /interface ethernet monitor | Auto-negotiation status |
| Module issues (SFP) | /interface ethernet monitor | sfp-rx-loss, sfp-tx-fault |
Interface Running but No Traffic
| Check | Command | Solution |
|---|---|---|
| Bridge membership | /interface bridge port print | Verify port in correct bridge |
| VLAN configuration | /interface bridge vlan print | Check tagged/untagged settings |
| Firewall rules | /ip firewall filter print | Look for blocking rules |
Performance Issues
| Symptom | Likely Cause | Solution |
|---|---|---|
| High CPU with traffic | No hardware offload | Check bridge and VLAN config |
| Speed negotiating low | Cable/module issue | Test cable, check SFP compatibility |
| Intermittent connectivity | Duplex mismatch | Enable auto-negotiation |
MTU and Fragmentation Issues
MTU misconfigurations cause subtle problems: websites that partially load, VPN tunnels with limited throughput, or connections that stall on large transfers.
Common MTU scenarios:
| Tunnel Type | Recommended MTU | MSS Setting |
|---|---|---|
| L2TP | 1300 (max-mtu/max-mru) | n/a |
| IPIP with IPSec | 1420 | 1380 |
| EoIP | 1458 | n/a |
| WireGuard | 1420 | 1380 |
Diagnosing MTU problems:
```
# Test MTU by pinging with do-not-fragment flag
# Decrease size until packets get through
:put [/ping 8.8.8.8 size=1500 do-not-fragment count=1]
```
Auto-Recovery for Frozen Interfaces
Some interfaces, particularly SFP modules, may freeze in “no-link” state after the connected device reboots. This script monitors and auto-recovers affected interfaces:
```
# Create the recovery script
/system script add name=interface-recovery source={
    :local ifName "sfp-sfpplus1"
    # Read the current link status of the monitored port
    :local ifStatus ([/interface ethernet monitor [find default-name=$ifName] once as-value]->"status")
    :if ($ifStatus = "no-link") do={
        # Bounce the interface to force the link to renegotiate
        /interface disable $ifName
        :delay 2s
        /interface enable $ifName
        :log warning "Auto-recovered interface $ifName from no-link state"
    }
}

# Schedule periodic execution
/system scheduler add name=interface-watchdog interval=1m \
    on-event="/system script run interface-recovery"
```
Customize ifName to match the interface that experiences freeze issues on your device.
Related Topics
Interface Types
- Ethernet Interfaces - physical Ethernet ports
- Bridge Configuration - software bridging
- VLAN Configuration - virtual LANs
- Bonding/LACP - link aggregation
Common Configurations
- IP Address Configuration - assign IPs to interfaces
- DHCP Server - DHCP on interface
- Firewall Basics - interface lists in rules
Wireless
- WiFi Basic Setup - wireless interfaces
- CAPsMAN - managed wireless
Reference
Quick Reference Commands
```
# View all interfaces
/interface print

# View running interfaces only
/interface print where running

# Find interface by name pattern
/interface print where name~"ether"

# Enable/disable interface
/interface enable ether5
/interface disable ether5

# View interface lists
/interface list print
/interface list member print
```
Research compiled from MikroTik forums and official documentation.