TFTP
Trivial File Transfer Protocol (TFTP) is a simple protocol in RouterOS for transferring files between devices on a network. Unlike FTP, TFTP requires no authentication and uses UDP port 69, making it suitable for simple file transfers, network boot operations (PXE), and provisioning embedded devices like IP phones, thin clients, and network equipment.
The RouterOS TFTP server is configured under /ip/tftp and provides access rules to control which files clients can request, with support for regex-based filename matching, read-only or write access, and large file transfers with block size negotiation.
Overview
The TFTP server in RouterOS is designed for scenarios where simplicity is paramount. It requires no user authentication, making it ideal for automated provisioning workflows where devices need to boot from the network or retrieve configuration files during initialization. Common use cases include PXE boot environments where routers serve boot images to other devices, network firmware updates for equipment that supports TFTP-based upgrades, and configuration deployment to devices that can only receive configs via TFTP.
Each TFTP transfer consists of data blocks (typically 512 bytes, configurable up to 65535 bytes) with each block requiring an acknowledgment from the receiver. This stop-and-wait protocol is simple but can limit throughput on high-latency or lossy networks. RouterOS supports large file transfers by allowing block sequence numbers to roll over when the maximum value is reached, enabling files larger than 32MB to transfer successfully.
The TFTP server is disabled by default. It only starts when you create at least one access rule in /ip/tftp. This design ensures the service doesn’t run unnecessarily and provides explicit control over what files are served.
Use Cases
TFTP serves several practical purposes in network deployments:
- PXE Boot: Serve boot images (kernel, initrd, PXE loader) to diskless workstations or MikroTik routers requiring network boot
- Firmware Deployment: Push firmware updates to network devices that support TFTP-based upgrades
- Configuration Provisioning: Deliver configuration files to VoIP phones, access points, or other embedded devices
- Backup Retrieval: Configure routers to upload backups to a TFTP server for centralized storage
- Log Collection: Upload router logs to a TFTP server for analysis
Sub-menu
/ip/tftp
Access rules are created under this menu to control TFTP server behavior. Each rule specifies which files can be accessed, from which clients, and whether read or write operations are permitted.
/ip/tftp/settings
Global settings that apply to all TFTP operations, including maximum block size negotiation.
Configuration
Creating a Basic TFTP Access Rule
Enable the TFTP server by creating an access rule. This rule allows any client to request any file from the router’s storage:
/ip/tftp add allow=yes read-only=yes
Verify the rule was created:
/ip/tftp print
Output:
Flags: X - disabled
Columns: REQ-FILENAME, REAL-FILENAME, ALLOW, READ-ONLY
#  REQ-FILENAME  REAL-FILENAME  ALLOW  READ-ONLY
0  .*                           yes    yes
The default req-filename value of .* matches any filename. The router will serve files from the root of the router’s storage.
Serving Files from Specific Location
To serve files from a specific directory or storage location, use real-filename:
/ip/tftp add req-filename="routeros-.*\\.npk" real-filename="/flash/routeros.npk" allow=yes read-only=yes
This rule matches any request for files matching routeros-*.npk and serves the file from /flash/routeros.npk. Clients can request routeros-7.15.npk and receive the contents of the actual file at /flash/routeros.npk.
Serving a Specific File
To serve exactly one file regardless of what the client requests:
/ip/tftp add req-filename=".*" real-filename=/flash/boot.npk allow=yes read-only=yes
This configuration returns the same file (/flash/boot.npk) to any client requesting any filename.
Multiple Regex Matching
Serve different files based on multiple regex patterns:
/ip/tftp add req-filename="(routerboot\\.bin)|(upgrade\\.bin)" real-filename="/flash/routerboot.bin\\0" allow=yes read-only=yes
The \0 in real-filename references the first capture group from the regex, so requests for either routerboot.bin or upgrade.bin both receive /flash/routerboot.bin.
Restricting by Client IP Address
Limit TFTP access to specific IP ranges:
/ip/tftp add ip-address=192.168.100.0/24 req-filename=".*" real-filename=/flash/config.txt allow=yes read-only=yes
Only clients in the 192.168.100.0/24 subnet can access the TFTP server. Other clients receive connection errors.
Allowing File Uploads
Enable write access to allow devices to upload files to the router:
/ip/tftp add req-filename="backup-.*\\.rsc" real-filename=/flash/backups/ allow=yes read-only=no
This rule allows clients to upload files matching backup-*.rsc to the /flash/backups/ directory. The router creates files with the name specified in the TFTP request.
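An added example, not part of the original page or of RouterOS: a small Python audit that reads rule lines in the syntax shown above and flags the exposures these sections describe (a rule reachable by any client, a rule exposing any file, a rule permitting uploads). The sample rule lines and the finding codes are constructed for illustration, and treating a rule without allow=no as an allow rule is an assumption.

```python
import shlex

# Constructed sample: rule lines in the syntax used on this page.
SAMPLE_RULES = r'''
/ip/tftp add allow=yes read-only=yes
/ip/tftp add ip-address=192.168.100.0/24 req-filename=".*" real-filename=/flash/config.txt allow=yes read-only=yes
/ip/tftp add req-filename="backup-.*\\.rsc" real-filename=/flash/backups/ allow=yes read-only=no
/ip/tftp add ip-address=10.0.0.0/8 req-filename="[0-9]{8}-[0-9]{6}\\.rsc" real-filename=/flash/backups/ allow=yes read-only=no
'''

def parse_rule(line):
    """Turn one '/ip/tftp add ...' line into a dict of its key=value properties."""
    tokens = shlex.split(line)  # honours quoting; "\\." in quotes becomes \.
    return dict(tok.split("=", 1) for tok in tokens if "=" in tok)

def audit_rule(props):
    """Return finding codes (hypothetical names) for one parsed rule."""
    findings = []
    if props.get("allow") == "no":
        return findings  # assumption: only allow=no rules expose nothing
    if "ip-address" not in props:
        findings.append("ANY-CLIENT")  # no source restriction, no authentication
    # The page states that req-filename defaults to .* when omitted.
    if props.get("req-filename", ".*") == ".*" and "real-filename" not in props:
        findings.append("ANY-FILE")    # any path in router storage can be requested
    if props.get("read-only") == "no":
        findings.append("WRITABLE")    # clients may upload files
    return findings

def audit(text):
    """Audit every non-empty line; returns [(rule_index, [finding, ...]), ...]."""
    lines = [l for l in text.splitlines() if l.strip()]
    return [(i, audit_rule(parse_rule(l))) for i, l in enumerate(lines)]

if __name__ == "__main__":
    for index, findings in audit(SAMPLE_RULES):
        print(index, ", ".join(findings) or "no findings")
```
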
Large File Support
Enable block number rollover to support files larger than 32MB:
/ip/tftp add req-filename=".*" real-filename=/flash/large-image.bin allow=yes read-only=yes allow-rollover=yes
Without allow-rollover=yes, transfers fail when the block sequence number reaches its maximum value (65535 blocks × 512 bytes = approximately 32MB).
Settings
Configuring Maximum Block Size
The max-block-size setting controls the largest block size RouterOS will negotiate during TFTP transfers. Some embedded TFTP clients request large block sizes that don’t work well with fragmented packets:
/ip/tftp/settings set max-block-size=1428
Calculate the optimal value using: smallest MTU on your network minus 32 bytes (20 for IP header, 8 for UDP header, 4 for TFTP). For a 1500-byte MTU: 1500 - 32 = 1468. Some networks use 1428 for safety with additional encapsulation.
View current settings:
/ip/tftp/settings print
Output:
max-block-size: 4096
The default is 4096 bytes. Increasing this value can improve transfer speeds on networks that support larger packets, particularly local networks without fragmentation concerns.
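An added example (not RouterOS code): a Python model of the block size negotiation and the rollover limit described above, using the request and OACK wire format from RFC 1350, RFC 2347 and RFC 2348, which this page does not show. Clamping the client's request to max-block-size is the reply RFC 2348 permits; that RouterOS behaves exactly this way, and the function names, are assumptions.

```python
import struct

RRQ, WRQ, OACK = 1, 2, 6                 # opcodes (RFC 1350, RFC 2347)
BLKSIZE_MIN, BLKSIZE_MAX = 8, 65464      # valid blksize range (RFC 2348)

def parse_request(packet):
    """Parse a TFTP RRQ/WRQ into (opcode, filename, mode, options)."""
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (RRQ, WRQ):
        raise ValueError("not a read or write request")
    fields = packet[2:].split(b"\0")
    if len(fields) < 3 or fields.pop() != b"":
        raise ValueError("fields must be NUL-terminated")
    if len(fields) % 2:
        raise ValueError("option without a value")
    text = [f.decode("ascii") for f in fields]
    options = {text[i].lower(): text[i + 1] for i in range(2, len(text), 2)}
    return opcode, text[0], text[1].lower(), options

def negotiate_blksize(options, max_block_size):
    """Return (block size, OACK bytes): the client's blksize clamped to the maximum."""
    if "blksize" not in options:
        return 512, None                 # no option sent: 512-byte blocks, no OACK
    requested = int(options["blksize"])
    if not BLKSIZE_MIN <= requested <= BLKSIZE_MAX:
        raise ValueError("blksize outside RFC 2348 range")
    size = min(requested, max_block_size)
    oack = struct.pack("!H", OACK) + b"blksize\0" + str(size).encode() + b"\0"
    return size, oack

def max_block_size_for_mtu(mtu):
    """The page's rule: MTU minus 20 (IP) + 8 (UDP) + 4 (TFTP) header bytes."""
    return mtu - (20 + 8 + 4)

def largest_file_without_rollover(blksize):
    """Blocks are numbered 1..65535 and the final block must be a short one."""
    return 65535 * blksize - 1

# Constructed sample: a client asks for an 8192-byte block size.
SAMPLE_RRQ = struct.pack("!H", RRQ) + b"\0".join(
    [b"routeros-7.15.npk", b"octet", b"blksize", b"8192"]) + b"\0"

if __name__ == "__main__":
    _, name, _, opts = parse_request(SAMPLE_RRQ)
    size, oack = negotiate_blksize(opts, max_block_size_for_mtu(1500))
    print(name, size, oack, largest_file_without_rollover(size))
```
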
Regex Patterns
The req-filename field supports regular expressions for flexible matching:
Basic Patterns
Match any filename:
/ip/tftp add req-filename=".*" ...
Match files with specific extension:
/ip/tftp add req-filename=".*\\.npk" ...
Match specific prefix:
/ip/tftp add req-filename="config-.*" ...
Alternation
Match one of several patterns:
/ip/tftp add req-filename="(file1|file2|file3)\\.txt" ...
Character Classes
Match specific characters:
/ip/tftp add req-filename="router[0-9]\\.cfg" ...
This matches router0.cfg, router1.cfg, through router9.cfg.
Anchors
Match from start or end of filename:
/ip/tftp add req-filename="^boot" ...
/ip/tftp add req-filename="\\.rsc$" ...
The first matches files starting with “boot”, the second matches files ending with “.rsc”.
Examples
PXE Boot Server
Serve PXE boot files to network clients:
/ip/tftp add req-filename="pxelinux\\.0" real-filename=/flash/pxelinux.0 allow=yes read-only=yes
/ip/tftp add req-filename="menu\\.c32" real-filename=/flash/menu.c32 allow=yes read-only=yes
/ip/tftp add req-filename="linux\\.gz" real-filename=/flash/linux.gz allow=yes read-only=yes
Clients requesting these specific files during PXE boot receive the corresponding files from router storage.
Firmware Update Server
Serve RouterOS firmware to other MikroTik devices:
/ip/tftp add req-filename="routeros-.*\\.npk" real-filename=/flash/routeros.npk allow=yes read-only=yes
Devices requesting any file matching the pattern receive the actual firmware file.
Device Configuration Provisioning
Serve configuration files to VoIP phones or access points:
/ip/tftp add ip-address=10.0.0.0/8 req-filename="device[0-9]\\.cfg" real-filename=/flash/configs/device.cfg allow=yes read-only=yes
Only devices on the 10.0.0.0/8 network can request configuration files.
Centralized Backup Storage
Allow routers to upload backups:
/ip/tftp add req-filename="[0-9]{8}-[0-9]{6}\\.rsc" real-filename=/flash/backups/ allow=yes read-only=no
The regex [0-9]{8}-[0-9]{6}\\.rsc matches backup filenames in format YYYYMMDD-HHMMSS.rsc.
Troubleshooting
Transfer Timeout
If TFTP transfers time out, the issue is often network-related:
- Firewall blocking UDP port 69: Ensure the router’s firewall allows UDP traffic on port 69
- MTU issues: Some embedded clients request large block sizes but don’t handle fragmentation correctly. Set max-block-size lower in /ip/tftp/settings
- Client-side issues: Some clients have bugs with specific block sizes. Try reducing the client’s blksize parameter if supported
# Check TFTP server logs for errors
/log print where message~"tftp"
Permission Denied Errors
If clients receive “permission denied”:
- Verify the file exists at the real-filename path
- Check that read-only=yes is set for read operations
- Ensure the router has read access to the file location
- For uploads, verify read-only=no and sufficient storage space exists
File Not Found
If requests return file not found errors:
- Confirm the real-filename path is correct
- Verify the file exists on the specified storage (flash, disk, USB)
- Check that req-filename regex matches the client’s request
Large Files Failing
For files over 32MB that won’t transfer:
/ip/tftp set 0 allow-rollover=yes
Or add to specific rule:
/ip/tftp add req-filename=".*" real-filename=/large-file.bin allow=yes allow-rollover=yes
See Also
- Fetch - Use the Fetch tool to download files from or upload files to TFTP servers
- PXE Boot - Set up network boot infrastructure
- RouterOS Packages - Manage RouterOS software packages
- Partitions - Configure partition-based installations for failover