
IP Settings

The IP Settings feature in RouterOS provides configurable kernel and system-wide parameters for both IPv4 and IPv6 protocols. These settings control fundamental networking behaviors including packet forwarding, ARP cache management, ICMP handling, TCP stack tuning, and security features such as source validation and SYN flood protection.

This documentation covers the /ip settings menu for IPv4 configuration and the /ipv6 settings menu for IPv6 configuration, providing detailed descriptions of each parameter, default values, recommended configurations for different deployment scenarios, and practical examples for common use cases.

The main configuration menus for IP settings are located at:

  • IPv4 Settings: /ip settings
  • IPv6 Settings: /ipv6 settings

Both menus contain configurable properties that affect how the router processes IP traffic at the kernel level. Changes to these settings take effect immediately without requiring a service restart, though some IPv6 settings may require a reboot to fully apply.

The IPv4 settings menu controls kernel-level parameters for IPv4 packet processing. These settings affect all IPv4 traffic passing through the router, regardless of interface or firewall configuration.

The fundamental forwarding setting determines whether the router acts as a simple host or as a router that forwards packets between interfaces.

/ip settings set ip-forward=yes

ip-forward (yes | no; Default: yes)

Enables or disables packet forwarding between interfaces. When set to yes, the router forwards IPv4 packets between all interfaces based on the routing table. When set to no, the router only processes packets destined for its own IP addresses or broadcast addresses.

Setting this parameter to no resets all configuration parameters to defaults according to RFC1812 for routers. This is useful when deploying a MikroTik device as a simple host or endpoint rather than a router.

For a router performing NAT or acting as a gateway, this setting must remain enabled. For a device that should only respond to traffic directed at its own IP addresses, disable this setting to prevent accidental packet forwarding.

The ARP cache stores mappings between IP addresses and MAC addresses for hosts on directly connected networks. Proper ARP configuration is essential for communication on Ethernet-based networks.

/ip settings set arp-timeout=30s

arp-timeout (time interval; Default: 30s)

Sets the Linux base_reachable_time on all interfaces that use ARP. The initial validity of an ARP entry is randomly picked from the interval [timeout/2, 3*timeout/2], which defaults to 15-45 seconds after the neighbor was discovered.

The timeout value represents how long a valid ARP record remains considered complete if no communication occurs with the specific MAC/IP during this period. This is not the same as the time when an ARP entry is removed from the cache, which is controlled by the max-neighbor-entries setting.

Supported time units include ms (milliseconds), s (seconds), m (minutes), h (hours), and d (days). If no unit is specified, seconds are assumed.

/ip settings set max-neighbor-entries=16384

max-neighbor-entries (integer [0..4294967295]; Default: varies by RAM)

Sets the Linux gc_thresh3 parameter, which is the maximum number of allowed neighbors in the ARP table. Since RouterOS version 7.1, the default value depends on the installed amount of RAM:

RAM Size            Default Entries
64 MB               2048
128 MB              4096
256 MB              8192
512 MB or higher    16384

Setting a higher value than the default increases the risk of out-of-memory conditions, particularly on devices with limited RAM. The ARP cache stores both complete entries (resolved MAC addresses) and incomplete entries (pending resolution).

Incomplete ARP entries remain in the cache only if the total number of entries is less than one-fourth of the maximum allowed. This prevents the garbage collector from running unnecessarily when the ARP table is not close to capacity.

For networks with thousands of directly connected devices, such as large LANs or ISP distribution networks, consider increasing this value to accommodate all expected neighbors.

ICMP messages are used for network diagnostics, error reporting, and control functions. Proper ICMP configuration balances network functionality with security considerations.

/ip settings set icmp-rate-limit=10 icmp-rate-mask=0x1818

icmp-rate-limit (integer [0..4294967295]; Default: 10)

Limits the maximum rate for sending ICMP packets whose type matches the icmp-rate-mask. A value of 0 disables all limiting. Other values indicate the minimum space between responses in milliseconds.

Lower values provide more protection against ICMP-based attacks but may interfere with legitimate network diagnostics. Higher values allow more ICMP traffic but increase vulnerability to amplification attacks.

icmp-rate-mask (hexadecimal [0..FFFFFFFF]; Default: 0x1818)

Specifies which ICMP types are subject to rate limiting. The mask is a hexadecimal value representing ICMP message types. Refer to the Linux icmp man page for complete documentation of ICMP type values.

The default mask 0x1818 typically includes echo request (type 8) and destination unreachable (type 3) messages, providing balanced protection while allowing basic connectivity testing.
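To check exactly which types a given mask covers before setting it, the following added helper (not part of the RouterOS documentation) decodes and builds icmp-rate-mask values using the Linux icmp_ratemask convention, in which bit N of the mask stands for ICMP type N. The type names come from the IANA ICMP registry; the mask values in the script are constructed for illustration.

```python
# Added example (not from the RouterOS documentation): decode and build an
# icmp-rate-mask value. The mask follows the Linux icmp_ratemask convention:
# bit N set means ICMP type N is subject to icmp-rate-limit.
from typing import Iterable, List

# ICMP type numbers (IANA registry) for the types that matter here.
ICMP_TYPE_NAMES = {
    0: "echo-reply",
    3: "destination-unreachable",
    4: "source-quench",
    5: "redirect",
    8: "echo-request",
    11: "time-exceeded",
    12: "parameter-problem",
}


def decode_rate_mask(mask: int) -> List[int]:
    """Return the sorted list of ICMP types covered by a 32-bit rate mask."""
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("icmp-rate-mask must fit in 32 bits")
    return [icmp_type for icmp_type in range(32) if (mask >> icmp_type) & 1]


def encode_rate_mask(types: Iterable[int]) -> int:
    """Build a rate mask from ICMP type numbers (each must be 0..31)."""
    mask = 0
    for icmp_type in types:
        if not 0 <= icmp_type < 32:
            raise ValueError(f"ICMP type {icmp_type} cannot be expressed in a 32-bit mask")
        mask |= 1 << icmp_type
    return mask


def describe_rate_mask(mask: int) -> List[str]:
    """Human-readable names for the types in a mask (unknown types shown by number)."""
    return [ICMP_TYPE_NAMES.get(t, f"type-{t}") for t in decode_rate_mask(mask)]


if __name__ == "__main__":
    default = 0x1818  # the RouterOS default from the page
    print(f"0x{default:04x} ->", describe_rate_mask(default))
    # To also rate-limit echo requests (type 8), add bit 8 to the default mask.
    with_echo = encode_rate_mask(decode_rate_mask(default) + [8])
    print(f"mask with echo-request added: 0x{with_echo:04x}")
```

Running the script prints the type list for the current default and the value you would set to extend the limit to another type, which is easier to review than reading the hexadecimal by eye.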

/ip settings set accept-redirects=no send-redirects=yes

accept-redirects (yes | no; Default: no)

Controls whether the router accepts ICMP redirect messages. These messages inform the router about better routes to specific destinations.

Enable this on host devices that should learn optimal routes from routers on the network. Disable this on routers to prevent potentially malicious redirect messages from altering routing behavior.

send-redirects (yes | no; Default: yes)

Controls whether the router sends ICMP redirect messages when it forwards packets out the same interface they arrived on. This indicates to the source host that a better first-hop gateway exists.

Routers should generally send redirects to help hosts learn optimal paths. Hosts receiving redirects may update their routing tables accordingly.

/ip settings set secure-redirects=yes

secure-redirects (yes | no; Default: yes)

When enabled, the router accepts ICMP redirect messages only from gateways listed in the default gateway list. This prevents malicious redirects from unauthorized sources.

Disable this setting only in controlled environments where redirect messages from non-default gateways are trusted and necessary.

Source validation helps prevent IP spoofing attacks where an attacker sends packets with forged source IP addresses.

/ip settings set rp-filter=strict

rp-filter (loose | no | strict; Default: no)

Disables or enables source validation according to RFC3704 guidelines.

  • no - No source validation is performed. All incoming packets are accepted regardless of their source address reachability.
  • strict - Strict Reverse Path mode. Each incoming packet is tested against the FIB (Forwarding Information Base), and if the receiving interface is not the best reverse path interface, the packet check fails. Failed packets are discarded by default.
  • loose - Loose Reverse Path mode. Each incoming packet’s source address is tested against the FIB, and if the source address is not reachable via any interface, the packet check fails.

RFC3704 recommends enabling strict mode to prevent IP spoofing from DDoS attacks. However, strict mode does not work with multiple routing tables or VRRP configurations. In these scenarios, use loose mode instead.

Asymmetric routing topologies where return traffic uses a different path than incoming traffic require either loose mode or source validation disabled.
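The difference between the three modes is easiest to see on a concrete FIB. The following model is an added example, not RouterOS code: it runs constructed packets (source address plus ingress interface) through the no, loose and strict checks against a constructed routing table, including the asymmetric case in which a valid source arrives on an interface other than the one the FIB points back to. The interface names and prefixes are made up for the illustration.

```python
# Added example (not RouterOS code): a model of the three rp-filter modes,
# run against a constructed FIB and constructed packets.
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed FIB for an internal router with no default route:
# (prefix, interface the route points out of). Longest prefix wins.
FIB = [
    (ip_network("192.168.10.0/24"), "ether2-lan"),
    (ip_network("10.20.0.0/16"), "ether3-dmz"),
    (ip_network("10.20.5.0/24"), "ether3-dmz"),
    (ip_network("172.16.0.0/12"), "ether1-core"),
]

# The same FIB with a default route, to show what that does to loose mode.
FIB_WITH_DEFAULT = FIB + [(ip_network("0.0.0.0/0"), "ether1-core")]


def reverse_path_interface(fib, src: str) -> Optional[str]:
    """Longest-prefix lookup of the source address; None if no route covers it."""
    addr = ip_address(src)
    best_len, best_iface = -1, None
    for prefix, iface in fib:
        if addr in prefix and prefix.prefixlen > best_len:
            best_len, best_iface = prefix.prefixlen, iface
    return best_iface


def rp_filter(fib, mode: str, src: str, in_iface: str) -> bool:
    """True if the packet passes the reverse-path check in the given mode.

    no     - no check at all
    loose  - source must be reachable via some interface
    strict - source must be reachable via the interface it arrived on
    A default route makes every source "reachable", so loose mode on a
    router with 0.0.0.0/0 installed rejects almost nothing.
    """
    if mode == "no":
        return True
    rev = reverse_path_interface(fib, src)
    if mode == "loose":
        return rev is not None
    if mode == "strict":
        return rev == in_iface
    raise ValueError(f"unknown rp-filter mode: {mode!r}")


# Constructed packets: (description, source address, ingress interface)
PACKETS = [
    ("LAN host on its own port", "192.168.10.5", "ether2-lan"),
    ("LAN address arriving from core (spoofed or asymmetric)", "192.168.10.5", "ether1-core"),
    ("DMZ host on DMZ port", "10.20.5.9", "ether3-dmz"),
    ("source with no route at all", "203.0.113.7", "ether1-core"),
]


def evaluate(fib, mode: str) -> List[Tuple[str, bool]]:
    """Run every constructed packet through rp-filter in one mode."""
    return [(desc, rp_filter(fib, mode, src, iface)) for desc, src, iface in PACKETS]


if __name__ == "__main__":
    for mode in ("no", "loose", "strict"):
        print(f"rp-filter={mode}")
        for desc, passed in evaluate(FIB, mode):
            print(f"  {'pass' if passed else 'DROP':4}  {desc}")
```

The second packet is the one that separates the modes: strict drops it because the FIB's reverse path for 192.168.10.5 is ether2-lan, not ether1-core, while loose accepts it because the address is routable somewhere. That is exactly the packet a legitimate asymmetric path produces, and also exactly the packet a spoofed LAN source produces, which is why the page recommends loose mode only where the topology requires it. Note also that once a default route is installed, loose mode accepts even the unrouted 203.0.113.7 source.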

/ip settings set accept-source-route=no

accept-source-route (yes | no; Default: no)

Controls whether the router accepts packets with the Strict Source Route (SRR) option set. Source-routed packets specify the exact path the packet should take through the network, which can be exploited for traffic engineering or attacks.

This should generally remain disabled on both routers and hosts. The default value of no provides protection against source routing attacks.

TCP-related settings affect how the router handles TCP connections, both for traffic passing through and connections terminated on the router.

/ip settings set tcp-syncookies=yes

tcp-syncookies (yes | no; Default: no)

Enables SYN cookies when the SYN backlog queue of a socket overflows. SYN cookies are a defense against SYN flood attacks, where an attacker sends many connection requests without completing the handshake, exhausting server resources.

When enabled, the server does not allocate resources until the client completes the three-way handshake, preventing resource exhaustion from half-open connections.

SYN cookies violate TCP protocol specifications and disable some TCP extensions, which can result in degraded service for protocols like SMTP. The performance impact is typically negligible compared to the protection provided.

Enable this setting on routers or servers exposed to the public internet or untrusted networks.

/ip settings set tcp-timestamps=random-offset

tcp-timestamps (disabled | enabled | random-offset; Default: random-offset)

Controls TCP timestamp handling:

  • disabled - TCP timestamps are completely disabled, which may help reduce performance spikes in some scenarios.
  • enabled - TCP timestamps are used normally for TCP round-trip time measurement.
  • random-offset - A random offset is added to TCP timestamps (default behavior), providing some privacy while maintaining timestamp functionality.

The random offset setting provides a balance between timestamp utility for connection management and privacy protection.

Fast Path is a high-performance packet processing path that bypasses the standard routing code path for known traffic patterns.

/ip settings set allow-fast-path=yes route-cache=yes

allow-fast-path (yes | no; Default: yes)

Enables or disables Fast Path processing. When enabled, packets that match known traffic patterns are processed in the fast path, significantly improving throughput for stable traffic flows.

Disable fast path when troubleshooting network issues, as fast path traffic bypasses firewall rules, connection tracking, and other processing chains that may be relevant for diagnostics.

route-cache (yes | no; Default: yes)

Controls whether the Linux route cache is enabled. The route cache stores recently used routing decisions to accelerate packet forwarding.

Disabling the route cache also disables fast path, as fast path relies on cached routing information. Use this setting when you need to ensure all routing decisions go through the full routing table lookup process.

For routers performing Equal-Cost Multi-Path (ECMP) routing with multiple equal-cost paths to the same destination, the hash policy determines how traffic is distributed across paths.

/ip settings set ipv4-multipath-hash-policy=l4

ipv4-multipath-hash-policy (l3 | l4 | l3-inner; Default: l3)

  • l3 - Layer-3 hashing using source IP and destination IP addresses only.
  • l3-inner - Layer-3 hashing or inner layer-3 hashing if available (for encapsulated traffic).
  • l4 - Layer-4 hashing using source IP, destination IP, IP protocol, source port, and destination port.

For flows that should remain on a single path (such as some VPN or tunneling protocols), use layer-3 hashing. For better load distribution across ECMP paths for Internet traffic, layer-4 hashing typically provides better distribution.
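The effect of the hash key on path selection can be shown with a small model. This is an added example, not RouterOS code: the hash function is a stand-in (SHA-256 over the key fields) and the two next-hop names are constructed; what it demonstrates is which header fields enter the key under l3 and l4, and why traffic without transport ports (ESP, GRE) between two endpoints stays on one path under either policy.

```python
# Added example (not RouterOS code): how the ECMP hash key chosen by
# ipv4-multipath-hash-policy decides which equal-cost path a flow takes.
# The hash function here is a stand-in; the real kernel hash differs, but the
# choice of header fields that feed it is the point being illustrated.
import hashlib
from typing import List, Optional, Set, Tuple

PATHS = ["isp-a", "isp-b"]  # constructed: two equal-cost next hops


def hash_key(policy: str, src: str, dst: str, proto: int,
             sport: Optional[int], dport: Optional[int]) -> Tuple:
    """Header fields that enter the hash for each policy."""
    if policy == "l3":
        return (src, dst)
    if policy == "l4":
        # Protocols without ports (ESP, GRE, ICMP) contribute None here,
        # so all their traffic between two endpoints collapses onto one key.
        return (src, dst, proto, sport, dport)
    raise ValueError(f"unsupported policy in this model: {policy!r}")


def select_path(policy: str, src: str, dst: str, proto: int,
                sport: Optional[int] = None, dport: Optional[int] = None,
                paths: List[str] = PATHS) -> str:
    """Map a flow to one of the equal-cost paths."""
    key = "|".join(str(field) for field in hash_key(policy, src, dst, proto, sport, dport))
    digest = hashlib.sha256(key.encode()).digest()
    return paths[int.from_bytes(digest[:4], "big") % len(paths)]


def paths_used(policy: str, src: str, dst: str, proto: int,
               sports: List[int], dport: int) -> Set[str]:
    """Which paths a set of flows between the same two hosts ends up on."""
    return {select_path(policy, src, dst, proto, sp, dport) for sp in sports}


if __name__ == "__main__":
    client, server = "192.168.10.5", "198.51.100.20"  # constructed addresses
    tcp_ports = list(range(40000, 40064))
    print("l3, 64 TCP flows:", paths_used("l3", client, server, 6, tcp_ports, 443))
    print("l4, 64 TCP flows:", paths_used("l4", client, server, 6, tcp_ports, 443))
    # An ESP tunnel (protocol 50) carries no ports: l4 cannot spread it either.
    print("l4, ESP tunnel  :", select_path("l4", client, server, 50))
```

Under l3 all 64 connections between the same pair of hosts land on one link; under l4 they spread across both. A single IPsec or GRE tunnel between two endpoints behaves like one l3 flow regardless of the policy, which is why a tunnel-heavy site does not gain balance from l4 and why a per-flow guarantee is preserved in both modes.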

The following read-only properties display fast path and fasttrack statistics:

/ip settings print
  • ipv4-fast-path-active - Indicates whether fast path is currently active for IPv4 traffic.
  • ipv4-fast-path-bytes - Total bytes processed through fast path.
  • ipv4-fast-path-packets - Total packets processed through fast path.
  • ipv4-fasttrack-active - Indicates whether fasttrack is active for IPv4 traffic.
  • ipv4-fasttrack-bytes - Total bytes processed through fasttrack.
  • ipv4-fasttrack-packets - Total packets processed through fasttrack.

Fasttrack is an even faster processing path that bypasses connection tracking for established connections, providing near-wire-speed throughput for permitted traffic.

The IPv6 settings menu controls kernel-level parameters for IPv6 packet processing. Many concepts from IPv4 settings apply to IPv6, though some parameters have IPv6-specific implementations.

/ipv6 settings set forward=yes

forward (yes | no; Default: yes)

Enables or disables packet forwarding between interfaces for IPv6 traffic. The behavior is analogous to the IPv4 ip-forward setting.

IPv6 does not use ARP but instead uses Neighbor Discovery (ND) protocol for address resolution and other link-layer functions.

/ipv6 settings set max-neighbor-entries=8192

max-neighbor-entries (integer [0..4294967295]; Default: varies by RAM)

Sets the maximum number of IPv6 neighbors in the neighbor cache. Default values since RouterOS 7.1:

RAM Size            Default Entries
64 MB               1024
128 MB              2048
256 MB              4096
512 MB              8192
1024 MB or higher   16384

The neighbor cache stores both resolved addresses (complete) and addresses being resolved (incomplete), similar to the IPv4 ARP cache.

/ipv6 settings set stale-neighbor-timeout=60m

stale-neighbor-timeout (time; Default: 60m)

Timeout after which stale IPv6 neighbor entries should be purged. Stale entries are those that have not been confirmed recently but may still be valid.

/ipv6 settings set min-neighbor-entries=4096 soft-max-neighbor-entries=8192

min-neighbor-entries (integer; Default: 4096)

The minimum number of neighbor entries for which the device must allocate memory, ensuring resources are available even before the cache fills.

soft-max-neighbor-entries (integer; Default: 8192)

The expected maximum number of neighbor entries that the system should handle, used for memory allocation planning.

/ipv6 settings set accept-redirects=yes-if-forwarding-disabled

accept-redirects (no | yes | yes-if-forwarding-disabled; Default: yes-if-forwarding-disabled)

Controls ICMP redirect message acceptance. The yes-if-forwarding-disabled value enables redirects only when the router is not forwarding traffic (acting as a host).

/ipv6 settings set accept-router-advertisements=yes-if-forwarding-disabled

accept-router-advertisements (no | yes | yes-if-forwarding-disabled; Default: yes-if-forwarding-disabled)

Controls whether the router accepts Router Advertisement (RA) messages for stateless address autoconfiguration (SLAAC).

When enabled, the router can automatically configure IPv6 addresses based on prefix information received in RAs from upstream routers.

/ipv6 settings set accept-router-advertisements-on=all

accept-router-advertisements-on (interface list; Default: all)

Specifies which interfaces listen for incoming router advertisements. Use interface lists to limit RA reception to trusted networks.

/ipv6 settings set disabled-link-local-address=no

disabled-link-local-address (no | yes; Default: no)

Disables automatic link-local address generation for non-VPN interfaces. Enable this when manually configured link-local addresses are in use.

Link-local addresses (fe80::/10) are automatically generated on all interfaces and are essential for IPv6 neighbor discovery and local communication. Only disable this when specific configurations require manual link-local addressing.

Important: Link-local addresses cannot be manually removed while the interface is active. Attempting to remove a link-local address will not persist—the address will automatically regenerate as soon as the interface is enabled or the router is restarted. This is by design, as link-local addresses are required for IPv6 operation.

When configuring IPv6 addresses with eui-64=yes, the interface identifier is automatically generated from the interface’s MAC address using the EUI-64 format.

/ipv6 address add address=2001:db8:1::/64 interface=ether1 eui-64=yes

Critical Requirement: When using eui-64=yes, the address prefix must have zero host bits (the host portion must be all zeros). For example:

  • Valid: 2001:db8:1::/64 (host bits are all ::)
  • Invalid: 2001:db8:1::1/64 (host bit is set to 1)

If you specify an address with non-zero host bits combined with eui-64=yes, the address configuration will fail or behave unexpectedly. The EUI-64 process automatically generates the interface identifier from the MAC address, so any host bits you specify will be overwritten.
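To see what eui-64=yes will produce, and to catch the host-bit mistake before it reaches the router, the following added example (not RouterOS code) derives the modified EUI-64 interface identifier per RFC 4291 Appendix A and checks a candidate prefix the way the requirement above describes. The MAC address is constructed; the /64 length check reflects the fact that the EUI-64 identifier is 64 bits wide and so needs a /64 prefix to fit.

```python
# Added example (not RouterOS code): derive the address that eui-64=yes
# produces and apply the rule that the prefix must carry no host bits.
from ipaddress import IPv6Address, IPv6Interface
from typing import Tuple


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A):
    flip the universal/local bit of the first octet and insert ff:fe in the middle."""
    octets = bytearray.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return int.from_bytes(iid, "big")


def check_eui64_prefix(prefix: str) -> Tuple[bool, str]:
    """Validate a prefix for use with eui-64=yes.

    The interface identifier is 64 bits wide, so the prefix must be /64, and
    every host bit must be zero because EUI-64 overwrites the whole host part.
    """
    try:
        iface = IPv6Interface(prefix)
    except ValueError as exc:
        return False, f"not a valid IPv6 prefix: {exc}"
    if iface.network.prefixlen != 64:
        return False, f"prefix length is /{iface.network.prefixlen}, EUI-64 needs /64"
    if int(iface.ip) != int(iface.network.network_address):
        return False, "host bits are not zero; the EUI-64 identifier would overwrite them"
    return True, "ok"


def eui64_address(prefix: str, mac: str) -> str:
    """Full address derived from a zero-host-bit /64 prefix plus the interface MAC."""
    ok, reason = check_eui64_prefix(prefix)
    if not ok:
        raise ValueError(reason)
    network = IPv6Interface(prefix).network
    return str(IPv6Address(int(network.network_address) | eui64_interface_id(mac)))


if __name__ == "__main__":
    mac = "00:0c:29:ab:cd:ef"  # constructed MAC address
    for candidate in ("2001:db8:1::/64", "2001:db8:1::1/64", "2001:db8:1::/48"):
        ok, reason = check_eui64_prefix(candidate)
        print(f"{candidate:18} {'valid' if ok else 'invalid'}: {reason}")
    print("derived address:", eui64_address("2001:db8:1::/64", mac))
```

For the constructed MAC the derived address is 2001:db8:1:0:20c:29ff:feab:cdef; the flipped bit turns the leading 00 into 02, which is the tell-tale of an EUI-64 address and the reason such addresses expose the interface's hardware identity to any peer.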

/ipv6 settings set multipath-hash-policy=l4

multipath-hash-policy (l3 | l4 | l3-inner; Default: l3)

Hash policy for IPv6 ECMP routing:

  • l3 - Layer-3 hashing using source IP, destination IP, flow label, and IP protocol.
  • l3-inner - Layer-3 hashing or inner layer-3 hashing for encapsulated traffic.
  • l4 - Layer-4 hashing using source IP, destination IP, IP protocol, source port, and destination port.

/ipv6 settings set allow-fast-path=yes

allow-fast-path (yes | no; Default: yes)

Enables fast path processing for IPv6 traffic. The behavior is identical to the IPv4 allow-fast-path setting.

/ipv6 settings print
  • ipv6-fast-path-active - Indicates whether fast path is currently active.
  • ipv6-fast-path-bytes - Total bytes processed through fast path.
  • ipv6-fast-path-packets - Total packets processed through fast path.
  • ipv6-fasttrack-active - Indicates whether fasttrack is active.
  • ipv6-fasttrack-bytes - Total bytes processed through fasttrack.
  • ipv6-fasttrack-packets - Total packets processed through fasttrack.

IPv6 requires different security considerations compared to IPv4. Unlike IPv4, where NAT (Network Address Translation) often provides implicit protection by hiding private addresses, IPv6 uses globally routable addresses by default. This means IPv6-enabled devices are directly reachable from the internet unless explicitly firewalled.

Key IPv6 Security Considerations:

  • Firewall is Essential: Every IPv6-enabled interface should have firewall filter rules. Unlike IPv4 NAT deployments, IPv6 traffic passes through unmodified, so a router without IPv6 firewall rules provides no protection.

  • Router Advertisement (RA) Guard: Configure RA guard on switch ports to prevent rogue routers from sending malicious router advertisements that could redirect traffic.

  • NDP Spoofing Protection: Use the IPv6 firewall to validate Neighbor Discovery Protocol (NDP) messages and prevent NDP spoofing attacks where an attacker claims to be a router or duplicates another host’s address.

  • Disable IPv6 if Not Used: If IPv6 is not required, disable it entirely using /ipv6 settings set forward=no or via the IPv6 package settings to reduce attack surface.

  • Unique Local Addresses (ULA): Use fc00::/7 ULAs for private internal networks instead of assuming NAT will provide isolation.

This example shows typical IP settings for a router performing NAT and acting as a network gateway:

/ip settings set \
ip-forward=yes \
arp-timeout=30s \
accept-redirects=no \
send-redirects=yes \
secure-redirects=yes \
rp-filter=strict \
tcp-syncookies=yes \
allow-fast-path=yes

The router accepts redirects only from configured default gateways (secure-redirects), validates source addresses strictly (rp-filter), and enables SYN cookie protection for TCP connections.

For routers at the network edge exposed to potential attacks:

/ip settings set \
ip-forward=yes \
accept-redirects=no \
accept-source-route=no \
rp-filter=strict \
tcp-syncookies=yes \
icmp-rate-limit=5 \
icmp-rate-mask=0x1818 \
max-neighbor-entries=65536

Lower ICMP rate limiting provides additional protection while still allowing connectivity testing. Increased neighbor entries accommodate large-scale networks.

When MikroTik devices are deployed as hosts rather than routers:

/ip settings set \
ip-forward=no \
accept-redirects=yes \
rp-filter=no

The device only processes traffic destined for itself and learns routes from ICMP redirects. Source validation is disabled to accommodate potential asymmetric routing.

For routers distributing traffic across multiple ISP links:

/ip settings set \
ip-forward=yes \
ipv4-multipath-hash-policy=l4 \
allow-fast-path=yes
/ipv6 settings set \
forward=yes \
multipath-hash-policy=l4 \
allow-fast-path=yes

Layer-4 hashing ensures individual TCP connections and UDP flows stay on a single path while distributing overall traffic evenly across links.

ARP Cache Exhaustion

When the ARP table fills and new devices cannot connect, increase max-neighbor-entries or optimize network design to reduce directly connected devices.

ICMP Redirect Loops

If redirect messages cause routing loops, disable accept-redirects on the affected interfaces.

SYN Flood Detection

Enable tcp-syncookies on routers handling public-facing services:

/ip settings set tcp-syncookies=yes

Verify SYN cookie status:

/ip settings print

Source Address Validation Failures

If legitimate traffic is dropped with rp-filter failures in asymmetric routing environments, change to loose mode:

/ip settings set rp-filter=loose

View current IPv4 settings:

/ip settings print

View current IPv6 settings:

/ipv6 settings print

Monitor ARP/neighbor table:

/ip arp print
/ipv6 neighbors print

Check fast path statistics:

/ip settings print detail
/ipv6 settings print detail

  • Firewall Filter Rules - Filter specific traffic with /ip firewall filter
  • Firewall NAT - Network address translation with /ip firewall nat
  • Connection Tracking - Connection state tracking with /ip firewall connection tracking
  • Routing - Routing table management with /ip route
  • Interfaces - Interface-specific settings with /interface
  • RFC 1812 - Requirements for IP Version 4 Routers
  • RFC 3704 - Ingress Filtering for Multihomed Networks
  • RFC 4861 - Neighbor Discovery for IPv6
  • RFC 4862 - IPv6 Stateless Address Autoconfiguration
  • Linux kernel documentation for net.ipv4 parameters