Backup Automation

Backup Automation

RouterOS can automatically create binary backups and RSC configuration exports on a schedule, then deliver them off-router via email, FTP, or SFTP. This ensures a current copy of your configuration survives device failure.

For a reference on backup vs export format differences, see Backup.

Sub-menus

/system backup
/export
/system scheduler
/system script
/tool e-mail
/tool fetch

Backup Types

RouterOS provides two complementary formats that serve different recovery scenarios. Both should be included in automation scripts.

	Binary Backup (.backup)	Text Export (.rsc)
Command	/system backup save	/export file=
Format	Binary	Human-readable script
Includes MAC addresses	Yes	No
Password protection	Optional	No
Restore to same device	Yes	Yes
Migrate to new hardware	Not recommended	Yes
Partial restore	No	Yes (edit file)
Git-friendly diffs	No	Yes

Tip

Run both in each backup job. The binary backup provides fast full restore; the RSC export provides diff visibility and hardware portability.

Writing a Backup Script

Keep logic in a script and call it from the scheduler. This separates concerns and makes testing easier.

Combined backup and export

/system script
add name=auto-backup policy=read,write,policy,test,sensitive source={
    :local id [/system identity get name]
    :local d  [/system clock get date]
    :local t  [/system clock get time]
    :local base ("$id-$d-$t")

    /system backup save name=$base password=YourSecurePassword
    /export compact file=$base
    :log info ("Backup created: $base")
}

Note

/export compact omits settings that match their defaults, producing shorter, cleaner diffs. Use /export terse for single-line commands suited to machine processing.

Schedule the script

/system scheduler
add name=daily-backup \
    on-event=auto-backup \
    start-time=03:30:00 \
    interval=1d \
    policy=read,write,policy,test,sensitive

The scheduler calls auto-backup once daily at 03:30. If the router reboots, the next scheduled run occurs at 03:30 the following day.

Run once at startup

To additionally run a backup shortly after boot (useful for capturing state before automated changes):

/system scheduler
add name=startup-backup \
    on-event=auto-backup \
    start-time=startup \
    interval=0

start-time=startup runs the script 3 seconds after the console starts. Setting interval=0 means run once rather than repeatedly.

Script Policies

The script and scheduler must share the same policy set. For a backup script that creates files and reads all settings:

Policy	Required for
read	Reading configuration
write	Creating backup files
policy	Accessing sensitive policy objects
test	Running test commands
sensitive	Exporting sensitive values (show-sensitive)

Off-Router Delivery

Backups stored only on the router are lost when the router fails. Deliver copies to external systems immediately after creation.

Email delivery

Configure the SMTP client once:

/tool e-mail
set address=smtp.example.com \
    port=587 \
    from[email protected] \
    user[email protected] \
    password=AppPassword \
    tls=starttls

Extend the backup script to send the files as attachments:

/system script
add name=auto-backup policy=read,write,policy,test,sensitive source={
    :local id [/system identity get name]
    :local d  [/system clock get date]
    :local t  [/system clock get time]
    :local base ("$id-$d-$t")

    /system backup save name=$base password=YourSecurePassword
    /export compact file=$base
    :delay 5s

    /tool e-mail send \
        to="[email protected]" \
        subject=("RouterOS backup: $id $d $t") \
        body=("Automated backup from $id") \
        file=("$base.backup,$base.rsc")
    :log info ("Backup emailed: $base")
}

The 5-second delay ensures the files are fully written before attaching. See Email for SMTP configuration details and provider-specific TLS settings.

Caution

Some email providers require an app-specific password rather than your account password. Port and TLS mode must match — mismatched TLS/port combinations are the most common cause of delivery failure.

FTP upload

Use /tool fetch with upload=yes to push files to an FTP server:

/tool fetch url="ftp://backup.example.com/routers/$id/$base.backup" \
    src-path="$base.backup" \
    upload=yes \
    user=ftpuser \
    password=FtpPassword

SFTP upload

SFTP upload uses the same /tool fetch command with the sftp:// scheme:

/tool fetch url="sftp://backup.example.com/routers/$id/$base.backup" \
    src-path="$base.backup" \
    upload=yes \
    user=sftpuser \
    password=SftpPassword

To verify server identity, provide the host key:

/tool fetch url="sftp://backup.example.com/routers/$id/$base.backup" \
    src-path="$base.backup" \
    upload=yes \
    user=sftpuser \
    password=SftpPassword \
    host-key="AAAAB3NzaC1yc2EAAAA..."

See Fetch for full parameter reference.

Version-Controlled Configuration

RSC exports are plain text and integrate cleanly with Git. RouterOS has no native Git client, so the standard workflow is:

1. RouterOS exports RSC to a file on schedule
2. An external host (Linux server, CI runner) fetches the file via SCP/SFTP and commits it

On the router — export on schedule

/system script
add name=export-config policy=read,write,policy,test source={
    /export compact file=running-config
}

/system scheduler
add name=nightly-export \
    on-event=export-config \
    start-time=02:00:00 \
    interval=1d

This overwrites running-config.rsc with the current configuration each night, keeping a single canonical file rather than date-stamped copies.

On an external host — fetch and commit

#!/bin/bash
# Pull latest config export and commit to git
ROUTER=192.168.1.1
ROUTER_USER=admin
REPO=/opt/router-configs

sftp ${ROUTER_USER}@${ROUTER}:running-config.rsc ${REPO}/running-config.rsc

cd ${REPO}
git add running-config.rsc
git commit -m "RouterOS config export $(date -Iseconds)" || true
git push

Schedule this script via cron on the external host to run after the RouterOS export completes.

Including sensitive values

By default, /export omits passwords and private keys. To include them (required if the export is your sole recovery source):

/export compact show-sensitive file=running-config-full

Caution

Exports with show-sensitive contain credentials in plaintext. Encrypt the repository or restrict access accordingly.

File Retention

Dated backup files accumulate on the router’s storage. Remove old files to prevent disk exhaustion:

/system script
add name=auto-backup policy=read,write,policy,test,sensitive source={
    :local id [/system identity get name]
    :local d  [/system clock get date]
    :local t  [/system clock get time]
    :local base ("$id-$d-$t")

    # Create backups
    /system backup save name=$base password=YourSecurePassword
    /export compact file=$base

    # Clean up files older than 7 days (keep last 7 entries by name prefix)
    :local files [/file find where name~$id]
    :foreach f in=$files do={
        :if ([:len $files] > 14) do={
            /file remove $f
        }
    }

    :log info ("Backup created: $base")
}

Note

RouterOS scripting has limited date arithmetic. For robust retention management, handle cleanup on the external backup host after transferring files.

Check available storage before implementing long retention periods:

/system resource print

Restore Procedures

Restore from binary backup

/system backup load name=MyRouter-2026-03-22-030000.backup password=YourSecurePassword

RouterOS prompts for confirmation, then reboots and applies the configuration.

Restore from RSC export

/import file-name=running-config.rsc

For partial restore, download the RSC file, edit it to retain only the desired sections, upload it back, and import.

Caution

Importing an RSC export executes all commands in sequence. If objects already exist, some commands may fail with “already have such entry” errors — these are usually safe to ignore during partial imports.

Restore after factory reset

If the router is in a blank state (factory defaults):

1. Connect via WinBox or serial console
2. Upload the backup or RSC file via FTP/SFTP, WinBox Files panel, or Netinstall
3. Import or load the file

# After uploading the file
/system backup load name=router-config.backup password=YourSecurePassword

Best Practices

Practice	Reason
Keep script logic in /system script, not inline in the scheduler	Easier to test and modify
Use both binary backup and RSC export	Covers different failure scenarios
Deliver backups off-router immediately	On-device copies are lost with the device
Test restoration periodically	Untested backups may be corrupted or incomplete
Use compact export for version control	Reduces diff noise from default values
Monitor scheduler run-count and logs	Confirms backups are actually running
Store backup passwords in a password manager	Encrypted backups are useless without the password

Troubleshooting

Backup file not created

# Check available disk space
/system resource print

# Check scheduler is running
/system scheduler print

# Run script manually to see errors
/system script run auto-backup

# Check logs
/log print where message~"backup"

Email delivery fails

1. Confirm SMTP settings: /tool e-mail print
2. Verify TLS mode matches the port (starttls → port 587, implicit TLS → port 465)
3. Check for provider-specific app passwords
4. Test manually: /tool e-mail send to="[email protected]" subject="test" body="test"

FTP/SFTP upload fails

1. Verify credentials and URL format
2. Check the destination directory exists and is writable
3. Test fetch manually with the exact URL
4. For SFTP, provide host-key to avoid identity verification failures

Scheduler not running script

1. Verify script name matches on-event exactly
2. Check scheduler and script have matching policy settings
3. Look for errors in logs: /log print where topics~"script"
4. Run the script manually to confirm it works

Related Resources

• Backup — Binary backup and export format reference
• Scheduler — Full scheduler parameter reference
• Email — SMTP client configuration
• Fetch — FTP/SFTP transfer reference
• Scripting — RouterOS scripting language reference