Ports
MikroTik routers and devices feature various types of physical ports that serve as connection points for network cables, console access, and peripheral devices. Understanding the different port types, their capabilities, and proper configuration is essential for building reliable network infrastructure. Each port type serves specific purposes and offers different performance characteristics that influence network design decisions.
The physical ports on MikroTik devices form the foundation of network connectivity. Ethernet ports provide the primary means of connecting devices to local area networks, while SFP ports offer flexibility for fiber optic connections or additional Ethernet density. USB ports enable cellular failover, storage expansion, and serial console access. Serial and console ports provide direct device management access critical for initial configuration and recovery scenarios.
Modern MikroTik devices combine multiple port types to address diverse networking requirements. A typical enterprise router might include multiple Gigabit Ethernet ports, SFP+ ports for 10Gbps connections, USB ports for 3G/4G modems, and a dedicated console port for management. Understanding how these ports interact and how to configure them properly ensures optimal network performance and reliable device management.
Ethernet Ports
Section titled “Ethernet Ports”Port Types and Specifications
Section titled “Port Types and Specifications”Ethernet ports on MikroTik devices come in several speed grades and connector types that determine their compatibility and performance capabilities. Fast Ethernet ports support speeds up to 100 Mbps and use standard RJ-45 connectors with Category 5 or better cabling. These ports remain common on entry-level devices and provide sufficient bandwidth for basic networking tasks such as internet access, simple routing, and small office networks.
Gigabit Ethernet ports represent the most common port type on modern MikroTik devices, supporting speeds up to 1 Gbps over standard twisted-pair cabling. These ports auto-negotiate speed and duplex settings with connected devices, though manual configuration often provides more reliable operation in enterprise environments. Gigabit ports use all four pairs in Category 5e or Category 6 cabling to achieve full bandwidth.
# View all ethernet ports and their current status/interface ethernet print
# Detailed information including auto-negotiation results/interface ethernet print stats-detail
# Monitor traffic on a specific port/interface ethernet monitor [find name="ether1"]Multi-gigabit Ethernet ports found on newer MikroTik devices support speeds beyond 1 Gbps, commonly 2.5 Gbps or 5 Gbps over standard cabling. These ports address growing bandwidth requirements from Wi-Fi 6 access points and other high-throughput devices without requiring fiber optic cabling upgrades. Multi-gigabit ports maintain backward compatibility with slower devices through auto-negotiation.
# Check port capabilities and current settings/interface ethernet print
# View detailed statistics including error counters/interface ethernet print stats-detail/interface ethernet monitor-traffic ether1Auto-Negotiation
Section titled “Auto-Negotiation”Auto-negotiation allows Ethernet ports to automatically determine the optimal speed and duplex settings based on the capabilities of connected devices. This process exchanges link pulses between devices to establish common parameters. While convenient, auto-negotiation can sometimes produce suboptimal results, particularly with older equipment or in mixed-speed environments.
Manual configuration of speed and duplex settings often provides more reliable network operation. When both ends of a link use manual settings, there is no possibility of negotiation failures or unexpected speed changes. Enterprise networks typically configure ports manually to ensure consistent performance and simplify troubleshooting.
# Configure ether1 for 1Gbps full-duplex/interface ethernet set [find name="ether1"] speed=1G full-duplex=yes
# Disable auto-negotiation and set fixed parameters/interface ethernet set [find name="ether1"] auto-negotiation=no speed=1G full-duplex=yes
# Verify configuration/interface ethernet printAuto-negotiation should be disabled when connecting to devices that do not support it properly, such as some older switches or unmanaged devices. In these cases, manual configuration prevents connectivity issues caused by negotiation failures. Always verify that both ends of the link use matching settings to avoid duplex mismatch, which causes intermittent connectivity and poor performance.
Flow Control
Section titled “Flow Control”IEEE 802.3x flow control allows Ethernet ports to temporarily pause transmission when receiving buffers approach capacity. This mechanism prevents packet loss during temporary congestion by signaling the transmitting device to pause. Flow control operates at the physical layer and affects all traffic on the link regardless of protocol.
# Enable receive flow control/interface ethernet set [find name="ether1"] rx-flow-control=yes
# Enable transmit flow control/interface ethernet set [find name="ether1"] tx-flow-control=yes
# Enable both directions/interface ethernet set [find name="ether1"] rx-flow-control=yes tx-flow-control=yesFlow control provides benefits in specific scenarios such as storage traffic or when handling large file transfers that can temporarily saturate receive buffers. However, flow control can introduce latency and may not be appropriate for real-time traffic like voice or video. Many networks disable flow control on ports connecting to end-user devices while enabling it on ports connecting to storage systems or other buffer-intensive equipment.
Port Mirroring
Section titled “Port Mirroring”Port mirroring copies traffic from one or more source ports to a destination port for monitoring and analysis. This feature enables network administrators to capture and analyze traffic patterns, troubleshoot connectivity issues, and detect security threats without interrupting normal network operation. The destination port connects to a network analyzer or monitoring system.
# Create a mirror to send all traffic from ether1 to ether10/interface ethernet switch mirror add name=mirror1 sources=ether1 destination=ether10
# Mirror multiple source ports/interface ethernet switch mirror add name=mirror2 sources=ether1,ether2,ether3 destination=ether10
# Verify mirror configuration/interface ethernet switch mirror printSome MikroTik devices implement port mirroring through the switch chip, allowing efficient traffic copying without CPU involvement. Other devices mirror traffic at the CPU level, which can impact performance when monitoring high-traffic ports. Understanding the hardware capabilities of your device helps select the appropriate mirroring approach.
SFP Ports
Section titled “SFP Ports”SFP Module Types
Section titled “SFP Module Types”Small Form-factor Pluggable (SFP) modules provide flexible physical layer connectivity on MikroTik devices. These modular transceivers support various media types including copper, multimode fiber, and single-mode fiber. The hot-swappable nature of SFP modules allows rapid changes to physical layer connectivity without device replacement.
Copper SFP modules terminate twisted-pair cabling and provide Ethernet connectivity where fiber installation is impractical. These modules typically support Gigabit speeds and are useful for short-reach connections within a building or between nearby buildings. Copper SFP modules draw more power than fiber modules and may have thermal considerations in high-density installations.
# View installed SFP modules and their status/interface ethernet print
# Detailed SFP information including optical parameters/interface ethernet sfp print stats-detail
# Monitor SFP port statistics/interface ethernet monitor [find name="sfp1"]Fiber optic SFP modules connect to single-mode or multimode fiber optic cabling for longer-distance connectivity. Multimode fiber modules support distances up to 550 meters and are commonly used for connections within buildings or between nearby structures. Single-mode fiber modules support distances from 10 kilometers to over 100 kilometers depending on module specifications and link budget.
# Check SFP optical parameters/interface ethernet sfp print
# View receive and transmit power levels/interface ethernet sfp monitor
# SFP module diagnostics for single-mode modules/interface ethernet sfp printSFP+ and SFP28
Section titled “SFP+ and SFP28”SFP+ ports support data rates up to 10 Gbps and are commonly found on mid-range and enterprise MikroTik devices. These ports maintain the same physical form factor as SFP while providing significantly higher bandwidth. SFP+ modules are backward compatible with SFP ports at reduced speeds when the device supports it.
# Verify SFP+ port capabilities and status/interface ethernet print
# Monitor 10Gbps SFP+ port statistics/interface ethernet monitor [find name="sfp-sfpplus1"]SFP28 ports found on select MikroTik devices support 25 Gbps data rates, providing a cost-effective path to high-bandwidth connections. These ports typically connect to 25G SFP28 modules for connections to high-performance servers or aggregation switches. SFP28 ports maintain compatibility with SFP+ modules at lower speeds.
SFP Configuration
Section titled “SFP Configuration”SFP ports require proper configuration to achieve optimal performance with the connected fiber optic or copper modules. Most SFP ports auto-negotiate settings with the connected module and remote device, but manual configuration provides more control in enterprise environments.
# Configure SFP port speed and duplex/interface ethernet set [find name="sfp1"] speed=1G full-duplex=yes
# Disable auto-negotiation for direct fiber connections/interface ethernet set [find name="sfp1"] auto-negotiation=no
# View SFP diagnostic information/interface ethernet sfp print
# Monitor SFP port for errors or warnings/interface ethernet sfp monitorSFP modules report diagnostic information including transmit and receive power levels, temperature, and operational parameters. Monitoring these values helps identify optical degradation before it causes link failures. Power levels outside acceptable ranges indicate problems with the module, fiber plant, or connected equipment.
USB Ports
Section titled “USB Ports”Cellular Modem Support
Section titled “Cellular Modem Support”USB ports on MikroTik devices support cellular modems for primary or backup internet connectivity. 3G, 4G LTE, and 5G modems connect via USB to provide mobile broadband access in locations without wired connectivity or as failover protection for critical networks. MikroTik devices include drivers for numerous modem types and support various cellular technologies.
# Check for connected USB devices/system resource usb print
# View USB modem status/interface lte print
# Configure LTE interface/interface lte add apn=internet name=lte1 type=lte
# Monitor LTE connection status/interface lte monitor [find name="lte1"]USB modem configuration involves creating an LTE interface with the appropriate access point name (APN) and other carrier-specific settings. The device automatically detects compatible modems and creates the appropriate interface. Multiple modems can be connected to provide bandwidth aggregation or geographic diversity.
# Configure APN and authentication/interface lte set [find name="lte1"] apn=internet user=password
# Enable specific LTE bands for better performance/interface lte set [find name="lte1"] band=3,7,20
# Check signal quality and connected cell information/interface lte info [find name="lte1"] verbose=yesUSB Storage
Section titled “USB Storage”USB ports support external storage devices including flash drives and external hard disks. These devices can store configuration backups, system logs, or serve as shared network storage. MikroTik devices can mount USB storage and access files through the filesystem or share them via network protocols.
# View connected USB storage/system resource usb print
# Mount USB storage/disk print
# Access files on USB storage/file print
# Configure USB storage for logging/system logging action add name=usb1 target=disk disk-file-name="syslog.txt"USB storage provides practical benefits for logging-intensive deployments where device flash storage might wear prematurely from constant write operations. External storage also enables larger log retention periods and easier log retrieval. Some models support booting RouterOS from USB storage for systems requiring larger root filesystems.
Console Access
Section titled “Console Access”USB ports can provide serial console access on devices that lack dedicated console ports. A USB-to-serial adapter connects to the USB port, creating a serial console connection for initial configuration or recovery. This feature proves valuable when network connectivity is unavailable or during initial deployment.
# Access serial console via USB/system serial-terminal
# Configure serial port parameters/port set [find name=usb1] baud-rate=115200 data-bits=8 parity=none stop-bits=1Serial and Console Ports
Section titled “Serial and Console Ports”RS232 Console
Section titled “RS232 Console”Dedicated console ports provide direct management access to MikroTik devices regardless of network connectivity. Console access is essential for initial configuration, password recovery, and troubleshooting network connectivity issues. The console port typically uses an RS232 serial connection with standard terminal emulation settings.
# Configure console port parameters/port set [find name=serial0] baud-rate=115200 data-bits=8 parity=none stop-bits=1 flow-control=no
# Access console from device itself/system console print
# Add additional console access via telnet/service add name=telnet port=23Console access connects to the device using a null modem cable and terminal emulation software. Common terminal settings include 115200 baud rate, 8 data bits, no parity, 1 stop bit, and no flow control. Some devices use different default settings, so consult the hardware documentation for specific requirements.
Serial Applications
Section titled “Serial Applications”Beyond console access, serial ports support various applications including GPS tracking, industrial automation, and connection to legacy equipment. MikroTik devices can receive data from serial devices and process it according to configured rules. This capability enables integration with environmental sensors, meter reading equipment, and other serial-connected devices.
# Configure serial port for data input/port set [find name=serial0] baud-rate=9600
# Create a serial terminal server/tool telnet [find name=serial0]
# Process serial data with a script/system script add name=process_serial source=":local data [/serial get \$data]"Serial applications require understanding the data format transmitted by connected devices. MikroTik’s scripting capabilities process serial input and trigger appropriate actions based on received data. This functionality enables automation scenarios such as environmental monitoring or equipment status tracking.
Port Security
Section titled “Port Security”Port Locking
Section titled “Port Locking”Port security features prevent unauthorized devices from connecting to network ports by limiting the number of MAC addresses allowed on each port. When enabled, the port learns MAC addresses from connected devices and blocks traffic from unauthorized addresses. This feature prevents casual unauthorized connections and provides basic security for accessible ports.
# Enable port security on ether1/interface ethernet set [find name="ether1"] port-security-mode=dynamic
# Configure static MAC address binding/interface ethernet set [find name="ether1"] static-mac-address=XX:XX:XX:XX:XX:XX
# View learned MAC addresses/interface ethernet switch host printPort security provides different modes including dynamic learning with address limits and static address assignment. Dynamic mode learns addresses up to a configured limit and ages them out when not seen. Static mode requires manual configuration of allowed addresses but provides more control.
MAC Filtering
Section titled “MAC Filtering”MAC address filtering restricts network access based on the hardware address of connecting devices. Each MAC address can be allowed or denied independently, providing fine-grained control over port access. This feature operates at layer 2 and does not require authentication.
# Add MAC address to access list/interface ethernet access-list add action=accept interface=ether1 mac-address=XX:XX:XX:XX:XX:XX
# Deny specific MAC address/interface ethernet access-list add action=deny interface=ether1 mac-address=XX:XX:XX:XX:XX:XX
# Apply access list to interface/interface ethernet set [find name="ether1"] access-list=allMAC filtering provides simple access control without the complexity of authentication protocols. However, MAC addresses can be spoofed, so this method does not provide strong security for high-risk environments. Combine MAC filtering with other security measures for comprehensive protection.
Storm Control
Section titled “Storm Control”Storm control prevents broadcast, multicast, or unicast storms from disrupting network operation. When traffic of a specified type exceeds defined thresholds, the port blocks excess traffic to prevent it from propagating through the network. This protection maintains network availability during malfunction or attack scenarios.
# Configure broadcast storm control on ether1/interface ethernet set [find name="ether1"] broadcast-storm-control=yes threshold=100
# Set multicast threshold/interface ethernet set [find name="ether1"] multicast-storm-control=yes threshold=50
# Monitor storm control events/interface ethernet print statsStorm control thresholds are typically expressed as a percentage of port bandwidth or packets per second. Values around 10-20% of port capacity usually prevent storms without blocking legitimate traffic bursts. Adjust thresholds based on network characteristics and traffic patterns.
Link Aggregation
Section titled “Link Aggregation”Basic LACP
Section titled “Basic LACP”Link Aggregation Control Protocol (LACP) combines multiple physical ports into a single logical link for increased bandwidth and redundancy. LACP provides automatic configuration and monitoring of aggregated links, detecting member port failures and adjusting traffic distribution. Aggregated links appear as a single interface for routing and switching configuration.
# Create aggregation group with LACP/interface bonding add name=bond1 slaves=ether1,ether2 mode=802.3ad lacp-rate=30s
# Verify aggregation status/interface bonding print
# Detailed LACP partner information/interface bonding lacp printLACP requires configuration on both ends of the aggregation group. The LACP exchange negotiates port parameters and monitors link health. Failed member ports are automatically removed from the aggregation, maintaining connectivity through remaining members.
# Configure LACP on remote device similarly# Ensure matching:# - Bonding mode (802.3ad)# - LACP rate (30s or 1s)# - Transmit hash policy# - Link monitoring methodBalance Modes
Section titled “Balance Modes”MikroTik bonding supports multiple load balancing modes that determine how traffic distributes across member ports. The choice of mode affects both performance and compatibility with connected equipment. Each mode has specific requirements for proper traffic distribution.
# Balance-rr (round-robin) - simple distribution/interface bonding add name=bond1 slaves=ether1,ether2 mode=balance-rr
# Balance-xor (source/destination MAC hash)/interface bonding add name=bond1 slaves=ether1,ether2 mode=balance-xor
# Balance-tlb (adaptive transmit load balancing)/interface bonding add name=bond1 slaves=ether1,ether2 mode=balance-tlb
# Balance-alb (adaptive load balancing - includes receive)/interface bonding add name=bond1 slaves=ether1,ether2 mode=balance-albFor connections to other vendor equipment, 802.3ad (LACP) with standard transmit hash policy provides the most compatibility. Balance-xor with layer2+3 hashing offers good distribution for traffic to multiple destinations. Non-LACP modes work with unmanaged switches but provide no automatic failover detection.
Monitoring and Maintenance
Section titled “Monitoring and Maintenance”Port Statistics
Section titled “Port Statistics”Regular monitoring of port statistics helps identify problems before they cause network outages. MikroTik devices track extensive statistics including traffic counters, error counters, and interface status. Review these statistics during routine maintenance and when troubleshooting connectivity issues.
# View current interface statistics/interface print stats
# Detailed statistics with error counters/interface print stats-detail
# Reset counters to baseline/interface print stats reset-counters
# Monitor traffic in real-time/interface monitor-traffic [find]Error counters indicate physical layer problems, configuration mismatches, or hardware issues. Common error types include CRC errors (indicating signal integrity problems), frame errors (indicating incorrect settings), and dropped packets (indicating congestion or buffer exhaustion). Investigate sustained error counts to identify root causes.
Transceiver Monitoring
Section titled “Transceiver Monitoring”SFP and other transceiver modules provide diagnostic information that helps maintain link health. Monitor optical power levels, temperature, and bias currents to identify degradation before complete link failure. Establish baselines during initial installation and track trends over time.
# Detailed SFP diagnostics/interface ethernet sfp print
# Optical power monitoring/interface ethernet sfp monitor
# Historical monitoring data/tool graphing interfaceDocument acceptable power level ranges for each fiber link based on initial measurements and module specifications. Power levels approaching minimum thresholds indicate degradation requiring attention. Significant changes from baseline values suggest problems with connectors, splices, or modules.
Cable Testing
Section titled “Cable Testing”Some MikroTik devices include cable testing capabilities that identify faults in connected twisted-pair cabling. The test measures pair length and identifies shorts, opens, or crossed pairs. This feature helps troubleshoot cabling problems without specialized equipment.
# Run cable test on ethernet port/interface ethernet cable-test [find name="ether1"]
# View cable test results/interface ethernet printCable test results identify fault types and approximate distances from the device. Simple open or short circuits are easy to locate and repair. More complex faults may require professional testing equipment. Cable testing only works on ports connected to copper cabling and requires both ends to be connected.
Troubleshooting
Section titled “Troubleshooting”Common Connectivity Issues
Section titled “Common Connectivity Issues”Connectivity problems on physical ports typically result from a few common causes. Incorrect speed or duplex settings cause the most issues, especially when one port uses auto-negotiation and the other uses fixed settings. Verify that both ends of the link use matching configuration.
# Check interface status and settings/interface print
# View detailed error counters/interface print stats-detail
# Monitor interface for errors/interface monitor [find name="ether1"]Physical layer problems such as damaged cables, failed ports, or misconnected cables cause connectivity issues. Inspect cabling for damage and verify connections at both ends. Swap cables and ports to isolate whether the problem follows the cable or stays with the port.
Duplex Mismatch
Section titled “Duplex Mismatch”Duplex mismatch occurs when one port operates in full-duplex mode while the other uses half-duplex. This situation causes poor performance, intermittent connectivity, and CRC errors that are difficult to diagnose. Always verify that both ends of a link use the same duplex setting.
# Identify duplex mismatch via error counters/interface print stats-detail
# Common symptom: many CRC errors on one side only# Other symptom: collisions counter increasing on half-duplex side
# Fix by configuring matching duplex on both ports/interface ethernet set [find name="ether1"] full-duplex=yes/interface ethernet set [find name="ether2"] full-duplex=yesAuto-negotiation can cause duplex mismatch when one device supports it and the other does not. In these cases, manually configure both ports to use the same settings. Never leave one port in auto-negotiation mode when connecting to a manually configured port.
Fiber Optic Issues
Section titled “Fiber Optic Issues”Fiber optic connections suffer from problems unique to optical transmission. Excessive insertion loss from dirty connectors or damaged fiber prevents link establishment or causes intermittent connectivity. Optical power levels outside module specifications indicate problems requiring attention.
# Check SFP optical power levels/interface ethernet sfp print/interface ethernet sfp monitor
# Verify cable routing and connector condition# Clean connectors with appropriate materials# Check for excessive bend radius in cable routing
# Monitor for changes over time/tool graphing interfaceDirty optical connectors are a common cause of link problems. Clean connectors using appropriate fiber optic cleaning tools before troubleshooting other causes. Damaged fiber or connectors typically require replacement rather than repair.
Related Topics
Section titled “Related Topics”- Interface Configuration - General interface setup and options
- Switching - Layer 2 switching features and configuration
- VLANs - VLAN configuration across ports
- Bonding Examples - Practical aggregation configurations
- Failover (WAN Backup) - Port-based failover configurations
- System Health Monitoring - Monitoring device status including port health
- Resource Monitoring - Resource utilization including interface statistics
Management Ports
Section titled “Management Ports”MikroTik devices use specific TCP ports for remote management access. Understanding these ports is essential for network configuration and security.
Default Management Ports
Section titled “Default Management Ports”| Service | Port | Protocol | Description |
|---|---|---|---|
| WinBox | 8291 | TCP | MikroTik’s proprietary GUI management tool |
| WebFig | 80/443 | HTTP/HTTPS | Web-based management interface |
| SSH | 22 | TCP | Secure command-line access |
| Telnet | 23 | TCP | Unencrypted command-line access (not recommended) |
| API | 8728/8729 | TCP | RouterOS API (HTTP/HTTPS) |
| FTP | 21 | TCP | File transfer (deprecated, use SFTP) |
| SFTP | 22 | TCP | Secure file transfer |
| MAC Telnet | 20561 | UDP | Layer 2 management using MAC address |
Connecting via WinBox
Section titled “Connecting via WinBox”WinBox is MikroTik’s primary GUI management tool. The default port is TCP 8291.
# Connect to router at 192.168.1.1 using WinBox# In WinBox: Enter 192.168.1.1 in the Connect field# WinBox will use port 8291 by defaultTo connect to a non-default port:
# In WinBox: Enter 192.168.1.1:8292 for alternate portSecuring Management Access
Section titled “Securing Management Access”# Allow management only from local network/ip firewall filter add chain=input protocol=tcp src-address=192.168.0.0/16 dst-port=8291 action=accept/ip firewall filter add chain=input protocol=tcp dst-port=8291 action=drop
# Disable unused management services/ip service disable [find name=telnet]/ip service disable [find name=www]/ip service set www-ssl address=192.168.0.0/16