
IP Services in RouterOS: A Complete Guide

RouterOS Version: 7.x+
Difficulty: Beginner
Estimated Time: 20 minutes

IP Services controls access to your router’s management interfaces—SSH, WinBox, WebFig, API, and more. Properly configuring these services is one of the most important security measures you can take.

Key concepts:

  • Disable services you don’t use
  • Restrict remaining services to trusted networks
  • Never use unencrypted services (telnet, FTP) over untrusted networks
  • Combine with firewall rules for defense in depth

Critical: IP Services only controls IP-based access. MAC-based access (MAC-WinBox, MAC-Telnet) is controlled separately and bypasses IP firewall rules entirely.

Available services:

Service   Port  Protocol  Description          Default
telnet    23    TCP       Unencrypted CLI      Enabled
ftp       21    TCP       File transfer        Enabled
www       80    TCP       WebFig (HTTP)        Enabled
ssh       22    TCP       Secure shell         Enabled
www-ssl   443   TCP       WebFig (HTTPS)       Disabled
api       8728  TCP       RouterOS API         Disabled
winbox    8291  TCP       WinBox application   Enabled
api-ssl   8729  TCP       RouterOS API (TLS)   Disabled

Security recommendations:

Service   Recommendation
telnet    Disable - sends passwords in cleartext
ftp       Disable - sends passwords in cleartext
www       Disable - use www-ssl instead
ssh       Keep, restrict by address
www-ssl   Enable with certificate
api       Keep disabled unless needed
winbox    Keep, restrict by address
api-ssl   Enable if API needed

Commands:

Command               Purpose
/ip service print     Show all services
/ip service set       Modify service settings
/ip service enable    Enable service(s)
/ip service disable   Disable service(s)

Properties:

Property      Type            Description
name          string          Service identifier (read-only)
port          integer         TCP port (1-65535)
address       IP/prefix list  Allowed source addresses
certificate   string          TLS certificate (www-ssl, api-ssl)
tls-version   enum            Minimum TLS version
disabled      yes/no          Whether service is disabled
vrf           string          VRF for service binding (v7+)

Disable insecure services and restrict the rest:

# Disable insecure and unused services
/ip service disable telnet,ftp,www,api
# Restrict SSH and WinBox to LAN
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24
# Verify
/ip service print

Expected output:

Flags: X - disabled, I - invalid
 #   NAME     PORT  ADDRESS          CERTIFICATE
 0 X telnet   23
 1 X ftp      21
 2 X www      80
 3   ssh      22    192.168.88.0/24
 4 X www-ssl  443
 5 X api      8728
 6   winbox   8291  192.168.88.0/24
 7 X api-ssl  8729
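
The output above is easy to eyeball on one router, but on a fleet you want the check automated. The following is an added example, not part of this guide or of RouterOS: a small offline parser for pasted `/ip service print` output that flags enabled plaintext services, enabled services with no address restriction, and services RouterOS marks invalid. The two sample outputs are constructed (one at factory defaults, one matching the hardened output shown above); the regular expression assumes the column layout shown in this guide.

```python
import ipaddress
import re

# Services the recommendations table says carry credentials in cleartext.
PLAINTEXT = {"telnet", "ftp", "www", "api"}

# One row of `/ip service print`: index, optional X/I flags, name, port, then the
# optional ADDRESS and CERTIFICATE columns. Flags are only printed when set.
ROW_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?:(?P<flags>[XI]+)\s+)?(?P<name>[\w-]+)\s+(?P<port>\d+)(?P<rest>.*)$"
)


def _as_networks(token):
    """Parse a comma-separated address token into networks, or None if it is not one."""
    try:
        return [ipaddress.ip_network(t, strict=False) for t in token.split(",")]
    except ValueError:
        return None


def parse_service_print(text):
    """Return one dict per service row found in the pasted output."""
    services = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:  # "Flags:" legend, column header, blank lines
            continue
        flags = m.group("flags") or ""
        addresses, certificate = [], None
        # With no address set, the certificate name shifts left into the same
        # position, so classify each remaining token by whether it parses as a network.
        for token in m.group("rest").split():
            nets = _as_networks(token)
            if nets and not addresses:
                addresses = nets
            else:
                certificate = token
        services.append({
            "name": m.group("name"),
            "port": int(m.group("port")),
            "disabled": "X" in flags,
            "invalid": "I" in flags,
            "addresses": addresses,
            "certificate": certificate,
        })
    return services


def audit(services):
    """Flag enabled services that violate the recommendations above."""
    findings = []
    for s in services:
        if s["disabled"]:
            continue
        if s["name"] in PLAINTEXT:
            findings.append(f"{s['name']}: plaintext service enabled on port {s['port']}")
        if not s["addresses"]:
            findings.append(f"{s['name']}: enabled without address restriction")
        if s["invalid"]:
            findings.append(f"{s['name']}: marked invalid (certificate missing, unsigned or expired)")
    return findings


# Constructed sample: factory defaults, before any hardening.
DEFAULT_OUTPUT = """\
Flags: X - disabled, I - invalid
 #   NAME     PORT  ADDRESS  CERTIFICATE
 0   telnet   23
 1   ftp      21
 2   www      80
 3   ssh      22
 4 X www-ssl  443
 5 X api      8728
 6   winbox   8291
 7 X api-ssl  8729
"""

# Constructed sample matching the expected output after the hardening commands.
HARDENED_OUTPUT = """\
Flags: X - disabled, I - invalid
 #   NAME     PORT  ADDRESS          CERTIFICATE
 0 X telnet   23
 1 X ftp      21
 2 X www      80
 3   ssh      22    192.168.88.0/24
 4 X www-ssl  443
 5 X api      8728
 6   winbox   8291  192.168.88.0/24
 7 X api-ssl  8729
"""

if __name__ == "__main__":
    for label, text in (("defaults", DEFAULT_OUTPUT), ("hardened", HARDENED_OUTPUT)):
        print(f"{label}:")
        for finding in audit(parse_service_print(text)) or ["no findings"]:
            print("  " + finding)
```

Run it against output copied from each router; the defaults sample produces eight findings (three plaintext services, five services reachable from anywhere) and the hardened sample produces none.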

Enable www-ssl with a self-signed certificate:

# Create self-signed certificate
/certificate add name=webfig-cert common-name=router.local \
key-size=2048 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign webfig-cert
# Enable www-ssl with certificate
/ip service set www-ssl certificate=webfig-cert disabled=no
# Restrict to management network
/ip service set www-ssl address=192.168.88.0/24
# Disable HTTP
/ip service disable www

Reduce automated scanning attacks:

# Change SSH to non-standard port
/ip service set ssh port=2222
# Change WinBox port
/ip service set winbox port=18291

Connect with new ports:

  • SSH: ssh admin@192.168.88.1 -p 2222
  • WinBox: Enter 192.168.88.1:18291 in connection field

Allow access from LAN and VPN:

/ip service set ssh address=192.168.88.0/24,10.0.0.0/8
/ip service set winbox address=192.168.88.0/24,10.0.0.0/8

For automation tools:

# Create certificate
/certificate add name=api-cert common-name=api.local key-size=2048 days-valid=3650
/certificate sign api-cert
# Enable API-SSL only
/ip service set api-ssl certificate=api-cert address=192.168.88.0/24 disabled=no
# Keep plaintext API disabled
/ip service set api disabled=yes

Bind services to management VRF:

/ip service set ssh vrf=management-vrf
/ip service set winbox vrf=management-vrf

MAC Server Configuration (Critical!)

IP Services only controls IP-based access. MAC-based access is completely separate and bypasses IP firewall rules.

# Disable MAC-Telnet and MAC-WinBox on all interfaces
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none

Restrict MAC Access to Specific Interfaces

# Create interface list
/interface list add name=mgmt-interfaces
/interface list member add list=mgmt-interfaces interface=ether1
# Apply to MAC servers
/tool mac-server set allowed-interface-list=mgmt-interfaces
/tool mac-server mac-winbox set allowed-interface-list=mgmt-interfaces

Complete Secure Configuration

Combine IP Services with MAC Server and firewall:

# 1. Disable insecure services
/ip service disable telnet,ftp,www,api
# 2. Restrict remaining services to LAN
/ip service set ssh address=192.168.88.0/24 port=2222
/ip service set winbox address=192.168.88.0/24
# 3. Enable HTTPS if web management needed
/certificate add name=webfig common-name=router.local key-size=2048 days-valid=3650
/certificate sign webfig
/ip service set www-ssl certificate=webfig address=192.168.88.0/24 disabled=no
# 4. Restrict MAC access to management interface only
/interface list add name=mgmt-list
/interface list member add list=mgmt-list interface=ether1
/tool mac-server set allowed-interface-list=mgmt-list
/tool mac-server mac-winbox set allowed-interface-list=mgmt-list
# 5. Add firewall rules for defense in depth
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp \
dst-port=22,2222,8291,80,443,8728,8729 action=drop \
comment="Block management from WAN"

Problem 1: Locked Out After Address Restriction


Symptom: Cannot connect after setting address restriction.

Cause: Current IP not in allowed list.

Solutions:

  1. Use MAC-WinBox - Open WinBox, go to Neighbors tab, connect by MAC address
  2. Serial console if available
  3. Netinstall as last resort

Prevention:

# Always include your current IP before restricting
/ip service set ssh address=192.168.88.0/24,YOUR.CURRENT.IP/32
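
Lock-outs happen when the list is typed from memory. The following is an added example, not part of this guide or of RouterOS: a pre-flight check that parses the `address=` value you intend to apply, confirms it still covers the address you are managing the router from, and appends that address as a host entry (/32 for IPv4, /128 for IPv6) when it does not. The service names and addresses in the usage are constructed; the `ipaddress` module is from the Python standard library.

```python
import ipaddress


def parse_address_list(value):
    """Parse the `address=` value: comma-separated IPs or prefixes, e.g. 192.168.88.0/24,10.0.0.0/8."""
    nets = []
    for token in value.split(","):
        token = token.strip()
        if token:
            # strict=False accepts host-style entries such as 192.168.88.1/24, as RouterOS does
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def covers(value, current_ip):
    """True if the address list still allows the address you are managing from."""
    ip = ipaddress.ip_address(current_ip)
    return any(ip in net for net in parse_address_list(value))


def restrict_command(service, value, current_ip):
    """Build the `/ip service set` command, appending the current address as a host
    entry when the list would otherwise lock you out."""
    if not covers(value, current_ip):
        ip = ipaddress.ip_address(current_ip)
        value = f"{value},{ip}/{ip.max_prefixlen}"
    return f"/ip service set {service} address={value}"


if __name__ == "__main__":
    # Constructed scenario: managing over a VPN from 10.8.0.5 while restricting SSH to the LAN.
    print(restrict_command("ssh", "192.168.88.0/24", "10.8.0.5"))
```

Paste the printed command into the router only after reading it; the appended host entry is the same safety net the prevention command above describes, just computed rather than typed.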

Problem 2: Can Still Connect After Disabling Service


Cause: MAC-based access (MAC-WinBox, MAC-Telnet) is still enabled.

Solution:

# Disable MAC access
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none

Problem 3: www-ssl Shows “Invalid” Status


Causes:

  • No certificate assigned
  • Certificate not signed
  • Certificate expired

Solution:

# Check certificate status
/certificate print
# Create and sign new certificate
/certificate add name=new-cert common-name=router.local key-size=2048
/certificate sign new-cert
# Assign to service
/ip service set www-ssl certificate=new-cert

Problem 4: SSH Brute Force Attacks

Symptom: Logs show thousands of failed SSH login attempts.

Solutions:

  1. Change port and restrict address:

    /ip service set ssh port=2222 address=192.168.88.0/24
  2. Add firewall rate limiting:

    /ip firewall filter
    add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_blocklist action=drop
    add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_blocklist address-list-timeout=1w
    add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m
    add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m
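
The four rules above count new TCP connections to the SSH port, not failed logins: three connections from one source inside the one-minute windows put the fourth on the week-long blocklist, and an administrator opening several sessions quickly is treated the same way unless an earlier rule accepts the management network. If SSH was moved to port 2222 as in solution 1, dst-port in these rules has to follow. The following is an added example, not part of this guide or of RouterOS: a simulation of the rule set, including list-entry timeouts and the passthrough behaviour of add-src-to-address-list, run over constructed connection attempts so the escalation can be seen before the rules go on a router.

```python
from dataclasses import dataclass, field

MINUTE = 60
WEEK = 7 * 24 * 3600


@dataclass
class AddressLists:
    """The three dynamic address lists; each maps source -> expiry time (seconds)."""
    lists: dict = field(default_factory=lambda: {
        "ssh_stage1": {}, "ssh_stage2": {}, "ssh_blocklist": {}})

    def contains(self, name, src, now):
        expiry = self.lists[name].get(src)
        return expiry is not None and expiry > now

    def add(self, name, src, now, timeout):
        # Re-adding an existing entry refreshes its timeout, as RouterOS does.
        self.lists[name][src] = now + timeout


def handle_new_connection(lists, src, now):
    """Evaluate the four rules, in order, for one new SSH connection from src.

    add-src-to-address-list is a passthrough action: the packet carries on to the
    next rule, so only the first (drop) rule ends evaluation.
    """
    if lists.contains("ssh_blocklist", src, now):          # rule 1: drop
        return "drop"
    if lists.contains("ssh_stage2", src, now):             # rule 2: stage2 -> blocklist (1w)
        lists.add("ssh_blocklist", src, now, WEEK)
    if lists.contains("ssh_stage1", src, now):             # rule 3: stage1 -> stage2 (1m)
        lists.add("ssh_stage2", src, now, MINUTE)
    lists.add("ssh_stage1", src, now, MINUTE)              # rule 4: anyone -> stage1 (1m)
    return "pass"   # falls through to the rest of the input chain


def simulate(attempts):
    """attempts: iterable of (time_in_seconds, source_ip); returns (time, src, verdict) per attempt."""
    lists = AddressLists()
    return [(t, src, handle_new_connection(lists, src, t)) for t, src in attempts]


if __name__ == "__main__":
    # Constructed attempts: a fast scanner, a slow one that stays under the
    # one-minute window, and an unrelated host making a single connection.
    events = [(0, "203.0.113.7"), (5, "203.0.113.7"), (10, "203.0.113.7"), (15, "203.0.113.7"),
              (20, "198.51.100.9"), (140, "198.51.100.9"), (260, "198.51.100.9"),
              (30, "192.0.2.44")]
    for t, src, verdict in simulate(sorted(events)):
        print(f"t={t:>4}s {src:<14} {verdict}")
```

The slow source is never escalated because its stage1 entry expires before the next attempt, which is the trade-off of short stage timeouts; the fast source is dropped from its fourth attempt until the blocklist entry expires a week later.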

Problem 5: WinBox Won’t Connect After Port Change


Cause: WinBox defaults to port 8291.

Solution: Specify port in connection: 192.168.88.1:18291

Cause: API client not reading complete responses before sending new commands.

Solution: Ensure API client properly handles multi-word responses. API ignores new commands until previous response is fully read.

  1. Disable telnet and FTP immediately - Both transmit credentials in cleartext
  2. Restrict by source address - More effective than port changes
  3. Change default ports - Reduces automated scanning (secondary measure)
  4. Use SSL/TLS versions - www-ssl and api-ssl over plaintext
  5. Disable MAC access on untrusted interfaces - Often overlooked security hole
  6. Combine with firewall rules - Service address restriction is last defense
  7. Keep RouterOS updated - Security vulnerabilities are patched regularly
Diagram: defense-in-depth layers, from the outside in: firewall rules, IP service restrictions, MAC server restrictions, user authentication.

Verify the result:

# List all services with status
/ip service print
# Show only enabled services
/ip service print where disabled=no
# Check MAC server settings
/tool mac-server print
/tool mac-server mac-winbox print
# Test from an external device
# ssh admin@192.168.88.1 -p 22
# curl http://192.168.88.1/

RouterOS 7.1+ includes REST API via www-ssl:

# Example: get the interface list
# -k skips certificate verification, acceptable for a first test against a
# self-signed certificate; for ongoing use, install the router's certificate
# on the client and pass it with --cacert instead
curl -k -u admin:password https://192.168.88.1/rest/interface

Requirements:

  • www-ssl enabled with certificate
  • User with API permission
  • HTTPS (not available via HTTP)

Related:

  • Certificates (/certificate) - Required for SSL services
  • Firewall (/ip firewall filter) - Additional access control
  • Users (/user) - Authentication and authorization
  • MAC Server (/tool mac-server) - Layer 2 management access
  • SSH (/ip ssh) - SSH-specific settings (host keys, etc.)

Securing IP Services involves three steps:

  1. Disable unused services - Especially telnet and FTP
  2. Restrict remaining services - By source address and port
  3. Control MAC access - Often forgotten but critical

Key points:

  • IP Services and MAC Server are separate - configure both
  • Address restriction is more effective than port changes
  • Combine with firewall rules for defense in depth
  • Always verify you can still connect before disconnecting
  • Keep RouterOS updated for security patches