MikroTik RouterOS Docs

MikroTik RouterOS RoMON: Router Management Overlay Network

RouterOS Version: 6.x / 7.x (v7.17+ has improved switch chip handling)
Difficulty: Intermediate
Estimated Time: 20 minutes

RoMON (Router Management Overlay Network) creates an independent Layer 2 management network that operates regardless of your IP configuration. When routing is broken, firewalls are misconfigured, or IP addresses are wrong, RoMON still works - allowing you to access and fix devices that would otherwise be unreachable.

Key benefits:

  • Works when IP is broken - Access devices even with misconfigured routes or firewalls
  • Hop through devices - Connect to a distant router through intermediate MikroTik devices
  • No VPN required - Direct Layer 2 management path
  • Discovery - Find all RoMON-enabled devices on the network

How it works: RoMON uses special Layer 2 frames (EtherType 0x88bf, multicast MAC 01:80:c2:00:88:bf) to create a virtual overlay network. Each device gets a RoMON ID (MAC address format), and devices forward RoMON traffic independently of normal switching/routing.

Important: RoMON is MikroTik-proprietary - it only works between MikroTik devices.
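The two frame identifiers above are enough to spot RoMON traffic in a packet capture, which is the practical way to confirm that RoMON is not leaving the network on an uplink where it was meant to be disabled. The following Python parser is an added example and is not part of the MikroTik documentation: it reads Ethernet II headers (including 802.1Q/802.1ad tags), classifies frames by EtherType 0x88bf, and reports any RoMON frame seen on an interface you list as untrusted. The sample frames, interface names and MAC addresses are constructed, and the RoMON payload is treated as opaque bytes.

```python
"""Recognise RoMON frames in captured Ethernet traffic.

Added example, not code from the MikroTik documentation. It applies the two
identifiers given in the text (EtherType 0x88bf, multicast destination
01:80:c2:00:88:bf) to raw Ethernet frames so a capture from an uplink can be
checked for RoMON traffic that should not be there. Sample frames, interface
names and MAC addresses below are constructed; the RoMON payload is opaque.
"""
import struct
from typing import Dict, List, Optional, Set

ROMON_ETHERTYPE = 0x88BF
ROMON_MCAST_MAC = "01:80:c2:00:88:bf"
VLAN_TAG_ETHERTYPES = {0x8100, 0x88A8}   # 802.1Q tag, 802.1ad outer tag


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Parse an Ethernet II header, peeling off any 802.1Q/802.1ad tags.

    Returns dst/src MAC, VLAN IDs found (outermost first), the EtherType of
    the payload and the payload bytes.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    vlans: List[int] = []
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    while ethertype in VLAN_TAG_ETHERTYPES:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vlans.append(tci & 0x0FFF)        # low 12 bits of the TCI are the VLAN ID
        offset += 4
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    return {"dst": mac_str(dst), "src": mac_str(src), "vlans": vlans,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def is_romon_frame(frame: bytes) -> bool:
    """RoMON is recognised by its EtherType; the destination may be the RoMON
    multicast address or a unicast MAC."""
    return parse_ethernet(frame)["ethertype"] == ROMON_ETHERTYPE


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Assemble a test frame, optionally with one 802.1Q tag (PCP/DEI zero)."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        header += struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def romon_leaks(captures: Dict[str, List[bytes]], untrusted: Set[str]) -> List[dict]:
    """Every RoMON frame seen on an interface listed as untrusted.

    `captures` maps an interface name to the raw frames captured on it.
    """
    findings = []
    for iface in sorted(untrusted):
        for frame in captures.get(iface, []):
            hdr = parse_ethernet(frame)
            if hdr["ethertype"] == ROMON_ETHERTYPE:
                findings.append({"interface": iface, "src": hdr["src"], "dst": hdr["dst"],
                                 "vlans": hdr["vlans"],
                                 "multicast": hdr["dst"] == ROMON_MCAST_MAC})
    return findings


# Constructed sample frames: two RoMON frames (one VLAN-tagged), an ARP
# request and an IPv4 frame. Payloads are placeholder bytes.
LOCAL_ID = "6c:3b:6b:48:0e:8a"
PEER_ID = "6c:3b:6b:48:0e:8b"
ROMON_MULTICAST = build_frame(ROMON_MCAST_MAC, LOCAL_ID, ROMON_ETHERTYPE, b"\x00" * 46)
ROMON_TAGGED = build_frame(PEER_ID, LOCAL_ID, ROMON_ETHERTYPE, b"\x00" * 46, vlan=99)
ARP_REQUEST = build_frame("ff:ff:ff:ff:ff:ff", LOCAL_ID, 0x0806, b"\x00" * 28)
IPV4_FRAME = build_frame(PEER_ID, LOCAL_ID, 0x0800, b"\x45" + b"\x00" * 19)

SAMPLE_CAPTURE = {
    "ether1-wan": [ARP_REQUEST, ROMON_MULTICAST, IPV4_FRAME],   # RoMON should not appear here
    "vlan-mgmt": [ROMON_TAGGED, ROMON_MULTICAST],               # expected on the management VLAN
}

if __name__ == "__main__":
    for leak in romon_leaks(SAMPLE_CAPTURE, untrusted={"ether1-wan"}):
        print(f"RoMON frame on {leak['interface']}: {leak['src']} -> {leak['dst']} "
              f"vlans={leak['vlans']} multicast={leak['multicast']}")
```

To use it on real traffic, feed `romon_leaks` the raw frames from a sniffer on the uplink; a non-empty result for a WAN or guest interface means the port configuration described later on this page has not taken effect.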

Enable RoMON:

/tool romon set enabled=yes

The secret authenticates RoMON neighbors and prevents accidental peering with unknown devices:

/tool romon set secrets=YourSecretPassword

Important: Use the same secret on all devices that should communicate via RoMON.

Check the current RoMON settings:

/tool romon print

Expected Output:

enabled: yes
id:
current-id: 6C:3B:6B:48:0E:8A
secrets: YourSecretPassword

The current-id shows the automatically assigned RoMON ID (derived from MAC address).

By default, RoMON operates on all interfaces. To restrict to specific interfaces:

# Remove the default "all" entry
/tool romon port remove [find interface=all]
# Add specific interfaces
/tool romon port add interface=ether1 cost=100
/tool romon port add interface=ether2 cost=100

Find all RoMON-enabled devices on the network:

/tool romon discover

Example Output:

# ADDRESS COST HOPS PATH AGE
0 6C:3B:6B:48:0E:8A 0 0 1s
1 6C:3B:6B:48:0E:8B 100 1 6C:3B:6B:48:0E:8A 3s
2 6C:3B:6B:48:0E:8C 200 2 6C:3B:6B:48:0E:8A,6C:3B:6... 5s

  • ADDRESS - RoMON ID of discovered device
  • COST - Total path cost to reach device
  • HOPS - Number of intermediate devices
  • PATH - RoMON IDs of intermediate devices

Test connectivity to a specific device:

/tool romon ping id=6C:3B:6B:48:0E:8B count=5

Open a terminal session through RoMON:

/tool romon ssh 6C:3B:6B:48:0E:8B user=admin

In WinBox, use the RoMON tab at the bottom of the connect window, or from command line:

winbox.exe --romon 192.168.88.1 6C:3B:6B:48:0E:8B admin ""

Where:

  • 192.168.88.1 - IP of the RoMON “entry point” router you can reach
  • 6C:3B:6B:48:0E:8B - RoMON ID of the target device
  • admin "" - Username and password

Property    Default   Description
interface   -         Interface name or interface-list
cost        100       Path metric (lower = preferred)
disabled    no        Disable RoMON on this port
secrets     -         Port-specific secrets (overrides global)

List the current RoMON port entries:

/tool romon port print

Default Output:

Flags: X - disabled
# INTERFACE COST SECRETS
0 all 100

Prefer certain paths by lowering their cost:

/tool romon port set [find interface=ether1] cost=50
/tool romon port add interface=ether1-wan disabled=yes

Or remove from participation entirely:

/tool romon port remove [find interface=ether1-wan]

Secrets authenticate RoMON messages using MD5 hashing. Devices only become neighbors if they share at least one common secret.

Important: Secrets provide authentication, not encryption. Use SSH or secure WinBox for encrypted management sessions.

You can configure multiple secrets to allow gradual migration:

/tool romon set secrets=OldSecret,NewSecret

Devices accept messages hashed with any configured secret, allowing you to:

  1. Add the new secret to all devices, alongside the old one
  2. Once every device has the new secret, remove the old secret from all devices

This prevents service interruption during secret rotation.

Override global secrets on specific ports:

/tool romon port set [find interface=ether5] secrets=SpecialSecret

Enable RoMON on all devices with a shared secret:

/tool romon set enabled=yes secrets=MyNetworkSecret

Repeat on all MikroTik devices.

Only allow RoMON on the management VLAN interface:

# Remove default all-interface entry
/tool romon port remove [find interface=all]
# Add only management interface
/tool romon port add interface=vlan-mgmt cost=100

Configure lower costs on backbone links:

# On backbone interfaces
/tool romon port set [find interface=sfp1] cost=10
# On access interfaces
/tool romon port set [find interface=ether1] cost=100
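To see how the per-port costs set above turn into the COST, HOPS and PATH columns of /tool romon discover, the following Python model is an added example, not RouterOS code. It assumes what the text states (a path's cost is the sum of the port costs along it and the lowest cost wins) and simplifies in two ways: each link is charged the cost of the port the traffic leaves on, and a link is unusable if its port is disabled or absent on either side. The topology and RoMON IDs are constructed. The backbone at cost 10 is preferred over the direct access link at cost 100 even though it takes two hops, and the disabled WAN port keeps the upstream device out of the list.

```python
"""Model how RoMON port costs become the COST/HOPS/PATH of discover.

Added example, not code from the MikroTik documentation. Assumptions: a path's
cost is the sum of the port costs along it and the lowest cost wins (as the
text states); each link is charged the cost of the port the traffic leaves
on; a link is unusable if its port is disabled or absent on either side. The
topology and RoMON IDs are constructed.
"""
import copy
import heapq
from typing import Dict, List, Tuple

A, B, C, D = ("6C:3B:6B:48:0E:8A", "6C:3B:6B:48:0E:8B",
              "6C:3B:6B:48:0E:8C", "6C:3B:6B:48:0E:8D")

# Device -> port -> (cost, disabled), as /tool romon port print would show it.
# A port absent from a device's table does not participate in RoMON.
PORTS: Dict[str, Dict[str, Tuple[int, bool]]] = {
    A: {"sfp1": (10, False), "ether1": (100, False), "ether1-wan": (100, True)},
    B: {"sfp1": (10, False), "sfp2": (10, False)},
    C: {"sfp1": (10, False), "ether1": (100, False)},
    D: {"ether1": (100, False)},          # upstream device beyond the WAN port
}

# Physical links as (device, port, device, port). Constructed.
LINKS = [
    (A, "sfp1", B, "sfp1"),          # backbone, cost 10 each way
    (B, "sfp2", C, "sfp1"),          # backbone, cost 10 each way
    (A, "ether1", C, "ether1"),      # direct access link, cost 100
    (A, "ether1-wan", D, "ether1"),  # WAN uplink, disabled on A's side
]


def adjacency(ports, links) -> Dict[str, List[Tuple[str, int]]]:
    """Directed edges (neighbour, cost) for links usable in that direction."""
    adj: Dict[str, List[Tuple[str, int]]] = {dev: [] for dev in ports}
    for a, pa, b, pb in links:
        for src, sport, dst, dport in ((a, pa, b, pb), (b, pb, a, pa)):
            out_port = ports.get(src, {}).get(sport)
            in_port = ports.get(dst, {}).get(dport)
            if out_port is None or in_port is None or out_port[1] or in_port[1]:
                continue                  # port missing or disabled on one side
            adj[src].append((dst, out_port[0]))
    return adj


def discover(entry: str, ports=PORTS, links=LINKS) -> List[dict]:
    """Dijkstra from `entry`, producing rows shaped like /tool romon discover:
    address, cost, hops (links traversed) and path (devices before the target)."""
    adj = adjacency(ports, links)
    best: Dict[str, int] = {entry: 0}
    heap: List[Tuple[int, int, str, List[str]]] = [(0, 0, entry, [])]
    rows, done = [], set()
    while heap:
        cost, hops, dev, path = heapq.heappop(heap)
        if dev in done:
            continue
        done.add(dev)
        rows.append({"address": dev, "cost": cost, "hops": hops, "path": path})
        for nxt, link_cost in adj[dev]:
            new_cost = cost + link_cost
            if nxt not in done and new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                heapq.heappush(heap, (new_cost, hops + 1, nxt, path + [dev]))
    return rows


def with_cost(ports, dev: str, port: str, cost: int):
    """Copy of `ports` with one port's cost changed (what `port set cost=` does)."""
    updated = copy.deepcopy(ports)
    updated[dev][port] = (cost, updated[dev][port][1])
    return updated


def print_table(rows: List[dict]) -> None:
    print(f"{'#':>2} {'ADDRESS':<18} {'COST':>5} {'HOPS':>4} PATH")
    for i, r in enumerate(rows):
        print(f"{i:>2} {r['address']:<18} {r['cost']:>5} {r['hops']:>4} {','.join(r['path'])}")


if __name__ == "__main__":
    print("backbone at cost 10:")
    print_table(discover(A))
    print("backbone left at the default cost 100:")
    print_table(discover(A, with_cost(with_cost(PORTS, A, "sfp1", 100), B, "sfp2", 100)))
```

Running the second scenario shows the effect of leaving every port at the default: with all links at cost 100, the direct single-hop link to the third device wins, so a slow access link can end up carrying management traffic unless the backbone is explicitly made cheaper.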

Prevent RoMON traffic on internet-facing interfaces:

/tool romon port add interface=ether1-wan disabled=yes

Check that RoMON is enabled and has an ID:

/tool romon print

Expected: enabled: yes and current-id populated.

/tool romon discover

Expected: List of all RoMON-enabled devices on the network.

/tool romon ping id=TARGET_ROMON_ID count=5

Expected: Successful replies.

/tool romon port print

Expected: Correct interfaces enabled with appropriate costs.

Causes:

  • RoMON not enabled on target device
  • Different secrets configured
  • No Layer 2 path between devices
  • RoMON disabled on intermediate ports

Solution:

  1. Verify RoMON enabled on target: /tool romon print
  2. Check secrets match on all devices
  3. Verify physical connectivity
  4. Check port configuration on intermediate devices

Problem: “RoMON ping works but SSH/WinBox fails”

Cause: RoMON provides connectivity, but authentication fails at the application level.

Solution:

  1. Verify username and password
  2. Check if the target device allows the connection (MAC server settings)
  3. Try different authentication methods

Problem: “RoMON stopped working after upgrade to 7.17+”

Cause: RouterOS 7.17 changed how switch chips handle RoMON packets.

Solution:

  1. Devices with ACL-capable switch chips should work automatically
  2. For non-ACL switches, ensure CPU and RoMON traffic are in the same VLAN
  3. Check bridge configuration for hardware offloading issues

Cause: Unstable Layer 2 path or STP topology changes.

Solution:

  1. Verify physical connections
  2. Check for STP reconvergence events
  3. Consider adjusting port costs to prefer stable paths

Cause: Port costs not configured consistently.

Solution:

/tool romon port print

Verify costs are set appropriately. Lower cost = preferred path.

Wrong:

/tool romon set enabled=yes
# No secret - devices may peer with unknown routers

Right:

/tool romon set enabled=yes secrets=SecurePassword

Risk: RoMON traffic visible to upstream network.

Solution:

/tool romon port add interface=ether1-wan disabled=yes

Problem: Devices can’t discover each other.

Solution: Ensure identical secrets on all devices that should communicate:

/tool romon set secrets=SameSecretEverywhere

Wrong assumption: “RoMON secret encrypts my management traffic”

Reality: Secrets only authenticate neighbors. Use SSH or secure WinBox for encrypted sessions.

Problem: Traffic takes suboptimal paths.

Solution: Set lower costs on preferred/faster links:

/tool romon port set [find interface=sfp1] cost=10
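The mistakes listed in this section, together with the earlier rule that devices only become neighbors when they share at least one secret, can be checked mechanically from the print output shown on this page. The following Python audit is an added example, not MikroTik code: it parses /tool romon print and /tool romon port print in the layout shown above (assuming a disabled port entry carries an X flag before the interface name, as the Flags line announces), and reports a device enabled without a secret, an untrusted interface that still participates (explicitly or through the default all entry), and device pairs with no common secret. Device names, interface names and the outputs themselves are constructed.

```python
"""Audit RoMON settings for the mistakes listed in this section.

Added example, not code from the MikroTik documentation. It parses the text
output of /tool romon print and /tool romon port print in the layout shown on
this page, assuming that a disabled port entry carries an X flag before the
interface name (as the Flags line announces). Device names, interface names
and the outputs themselves are constructed.
"""
import itertools
from typing import Dict, List, Set, Tuple


def parse_romon_print(text: str) -> dict:
    """'key: value' lines -> dict; 'secrets' becomes a set (empty when unset)."""
    settings = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    settings["secrets"] = {s for s in settings.get("secrets", "").split(",") if s}
    return settings


def parse_port_print(text: str) -> List[dict]:
    """Rows of /tool romon port print -> [{interface, cost, disabled, secrets}]."""
    ports = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue                      # Flags line and column header
        tokens = tokens[1:]               # drop the row number
        disabled = tokens[0] == "X"
        if disabled:
            tokens = tokens[1:]
        ports.append({"interface": tokens[0], "cost": int(tokens[1]), "disabled": disabled,
                      "secrets": set(tokens[2].split(",")) if len(tokens) > 2 else set()})
    return ports


def audit_device(name: str, romon_print: str, port_print: str,
                 untrusted: Set[str]) -> List[str]:
    """Findings for one device: no secret, or an untrusted interface still in RoMON."""
    settings = parse_romon_print(romon_print)
    findings = []
    if settings.get("enabled") == "yes" and not settings["secrets"]:
        findings.append(f"{name}: RoMON enabled without a secret")
    by_name = {p["interface"]: p for p in parse_port_print(port_print)}
    catch_all = "all" in by_name and not by_name["all"]["disabled"]
    for iface in sorted(untrusted):
        entry = by_name.get(iface)
        if entry is None and catch_all:
            findings.append(f"{name}: {iface} participates through the default 'all' entry")
        elif entry is not None and not entry["disabled"]:
            findings.append(f"{name}: {iface} has an explicit port entry that is not disabled")
    return findings


def unpaired_devices(secrets_by_device: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Device pairs with no secret in common; they will not become neighbours."""
    return [(a, b) for a, b in itertools.combinations(sorted(secrets_by_device), 2)
            if not secrets_by_device[a] & secrets_by_device[b]]


# Constructed print output for three devices, in the layout shown on this page.
DEVICES: Dict[str, Tuple[str, str]] = {
    "core": (
        "enabled: yes\nid:\ncurrent-id: 6C:3B:6B:48:0E:8A\nsecrets: OldSecret,NewSecret\n",
        "Flags: X - disabled\n # INTERFACE COST SECRETS\n 0 all 100\n 1 X ether1-wan 100\n",
    ),
    "edge": (   # rotated to the new secret, but the WAN port still participates
        "enabled: yes\nid:\ncurrent-id: 6C:3B:6B:48:0E:8B\nsecrets: NewSecret\n",
        "Flags: X - disabled\n # INTERFACE COST SECRETS\n 0 all 100\n",
    ),
    "lab": (    # enabled with no secret at all
        "enabled: yes\nid:\ncurrent-id: 6C:3B:6B:48:0E:8C\nsecrets:\n",
        "Flags: X - disabled\n # INTERFACE COST SECRETS\n 0 all 100\n",
    ),
}
UNTRUSTED = {"ether1-wan"}


def run_audit(devices=DEVICES, untrusted=UNTRUSTED) -> List[str]:
    findings = []
    for name, (romon, ports) in devices.items():
        findings.extend(audit_device(name, romon, ports, untrusted))
    secrets = {name: parse_romon_print(romon)["secrets"] for name, (romon, _) in devices.items()}
    findings.extend(f"{a} and {b} share no secret" for a, b in unpaired_devices(secrets))
    return findings


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

The shared-secret check is the useful one during a rotation: while "core" still lists both OldSecret and NewSecret it can peer with "edge", which has already dropped the old one, whereas "lab" with no secret at all cannot peer with either.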

  1. Always use secrets - Prevents unauthorized devices from joining your RoMON network
  2. Use SSH or secure WinBox - RoMON doesn’t encrypt management traffic
  3. Disable on untrusted interfaces - Don’t expose RoMON on WAN or guest networks
  4. Rotate secrets periodically - Use multiple secrets during transitions
  5. Limit port participation - Only enable on necessary interfaces

  • MikroTik only - Won’t work with other vendors
  • No encryption - Authentication only; use SSH/secure WinBox
  • Layer 2 dependent - Requires physical or L2 tunnel connectivity
  • Switch chip behavior - Some chips may require specific configuration (v7.17+)
  • Not a replacement for proper IP management - Use as backup access method

  • MAC Server (/tool mac-server) - MAC-based WinBox/Telnet access
  • Neighbor Discovery (/ip neighbor) - Find devices on local network
  • The Dude - Network monitoring (integrates with RoMON)
  • WinBox - GUI management tool with RoMON support