Special Login - Serial Port Proxy Access

Special Login - Serial Port Proxy Access

Version Info

RouterOS 7.16 | Min: v6.0+ | ⏱️ 20 minutes | 🟡 Intermediate

Tested on: 7.16 7.14

Version-specific notes

• v7.20: Some users report issues with USB serial adapters; check for updates
• v6.x: Same commands work; identical menu path in v6

TL;DR (Quick Start)

Create a user that connects directly to a serial port via SSH, bypassing RouterOS login.

# Disable console on serial port
/system/console disable [find port=serial0]

# Create special-login user
/user add name=serial group=full
/special-login add user=serial port=serial0

Access from remote machine:

ssh [email protected]

Overview

What this does: Special Login creates a user account that, when accessed via SSH or Telnet, connects directly to a serial port instead of the RouterOS CLI. This allows you to manage devices connected via serial cable (switches, modems, other routers) through a MikroTik router acting as a serial proxy.

When to use this:

• Managing a switch or device with only serial console access
• Remote access to equipment in hard-to-reach locations (towers, remote sites)
• Providing serial console access to a team without RouterOS credentials
• Accessing devices that have no network interface (serial-only equipment)
• Managing modems, radio links, or industrial equipment via RS-232

How it works:

1. MikroTik router connects to target device via serial cable
2. You configure a special-login user bound to that serial port
3. When you SSH to the router with that username, you’re connected directly to the serial device
4. RouterOS acts as a transparent serial proxy

Prerequisites:

• Serial cable connecting MikroTik to target device (null-modem for router-to-router)
• Serial port available (built-in or USB-to-serial adapter)
• Target device configured for serial console access
• SSH or Telnet enabled on RouterOS

Menu Reference

Menu	Purpose
/special-login	Configure special login entries
/port	View and configure serial ports
/system/console	Manage console bindings to ports
/system/serial-terminal	Direct serial terminal access (testing)

Understanding Serial Connections

Cable Types

Connection	Cable Type	Description
Router to Router	Null-modem	TX/RX crossed (pins 2-3 swapped)
Router to Switch	Null-modem	Most Cisco-style console ports
Router to Modem	Straight-through	DTE to DCE connection

Port Naming

Port	Description
serial0	Built-in RS-232 serial port
usb1	First USB serial adapter
usb2	Second USB serial adapter
serial-usb-1	USB serial (alternative naming)

View available ports:

/port print

Configuration Steps

Step 1: Identify and Configure Serial Port

View available serial ports:

/port print

Example output:

Flags: I - INACTIVE
 #   NAME         CHANNELS  USED-BY     BAUD-RATE
 0   serial0      1         serial-con  115200

Check current settings:

/port print detail

If needed, adjust baud rate to match target device:

/port set serial0 baud-rate=9600

Step 2: Disable Console on Serial Port

By default, RouterOS uses serial0 for its console. You must unbind it first:

/system/console print

Example output:

Flags: X - DISABLED, U - USED, F - FREE
 #   PORT       TERM       TX-BYTE    RX-BYTE
 0   serial0    vt102      0          0

Disable the console binding:

/system/console disable [find port=serial0]

Or by number:

/system/console disable 0

Loss of Serial Console Access

After disabling the console on serial0, you cannot access RouterOS via the serial port. Ensure you have network access (SSH, WinBox, WebFig) before proceeding. If you lose network access, you may need to reset the router configuration.

Step 3: Create User for Special Login

Create a dedicated user:

/user add name=serial group=full password=secretpass

Security tip: You can create a restricted group if the user only needs serial access:

/user/group add name=serial-only policy=ssh,read
/user add name=serial group=serial-only password=secretpass

Step 4: Configure Special Login

Bind the user to the serial port:

/special-login add user=serial port=serial0 disabled=no

Verify the configuration:

/special-login print

Example output:

Flags: X - DISABLED
 #   USER     PORT
 0   serial   serial0

Step 5: Configure Bootloader (Important)

After reboot with a serial cable attached, the connected device may send characters that trigger the RouterBOOT menu, preventing normal boot.

Access bootloader settings:

/system/routerboard/settings print

Change boot key from “any” to “delete”:

/system/routerboard/settings set enter-setup-on=delete-key

Step 6: Test the Connection

From the router (direct test):

/system/serial-terminal serial0

Press Ctrl-A then Q to exit.

From remote machine:

ssh [email protected]

You should see the target device’s console directly.

Configuration Examples

Example 1: Access Remote Switch via Serial

Connect a Cisco switch to a MikroTik router via serial:

# Disable RouterOS console
/system/console disable [find port=serial0]

# Set port speed to match switch (typically 9600)
/port set serial0 baud-rate=9600

# Create user
/user add name=switch group=full password=secretpass

# Configure special login
/special-login add user=switch port=serial0

# Prevent boot issues
/system/routerboard/settings set enter-setup-on=delete-key

Access from your workstation:

ssh [email protected]

Example 2: Multiple Serial Devices with USB Adapters

Connect multiple devices using USB-to-serial adapters:

# Check available USB serial ports
/port print

# Create users for each device
/user add name=switch1 group=full password=pass1
/user add name=switch2 group=full password=pass2
/user add name=modem group=full password=pass3

# Bind each to a different port
/special-login add user=switch1 port=usb1
/special-login add user=switch2 port=usb2
/special-login add user=modem port=usb3

Access each device:

ssh [email protected]  # Connects to first USB serial
ssh [email protected]  # Connects to second USB serial
ssh [email protected]    # Connects to third USB serial

Example 3: Provide Limited Access to Technician

Give a technician serial access without full RouterOS access:

# Create restricted group
/user/group add name=serial-access policy=ssh,read

# Create technician user
/user add name=tech-serial group=serial-access password=techpass

# Configure special login
/special-login add user=tech-serial port=serial0

The technician can SSH and access only the serial device, not RouterOS.

Example 4: Access Second MikroTik via Serial

Connect two MikroTik routers (R1 and R2) via serial cable:

On R1 (proxy router):

# Disable console
/system/console disable [find port=serial0]

# Create user for R2 access
/user add name=r2-console group=full password=secretpass

# Configure special login
/special-login add user=r2-console port=serial0

# Prevent boot issues
/system/routerboard/settings set enter-setup-on=delete-key

On R2 (target router): Serial console works with default settings. Ensure baud rate matches (default 115200).

Access from workstation:

ssh r2-console@[R1-IP]
# You're now on R2's console

Serial Terminal Navigation

When connected via special-login, use these keyboard shortcuts:

Key Sequence	Action
Ctrl-A, Q	Quit connection (return to SSH client)
Ctrl-A, B	Send break signal
Ctrl-A, A	Send Ctrl-A to device
Ctrl-A, R	Auto-configure baud rate

Properties Reference

Special Login Properties

Property	Type	Default	Description
user	string	(required)	Username that triggers special login
port	string	(required)	Serial port to connect to
channel	integer	0	Channel number for multi-channel adapters
disabled	yes / no	no	Disable this entry

Port Properties

Property	Type	Default	Description
baud-rate	integer / auto	115200	Connection speed
data-bits	7 / 8	8	Data bits per character
parity	none / even / odd	none	Error detection
stop-bits	1 / 2	1	Stop bits per character
flow-control	none / hardware / xon-xoff	hardware	Flow control method

Alternative: Port Remote Access

For scripted or automated serial communication, consider /port remote-access instead:

/port/remote-access add port=serial0 protocol=raw tcp-port=9999 allowed-addresses=192.168.88.0/24

Access via netcat:

nc 192.168.88.1 9999

Feature	Special Login	Remote Access
Authentication	SSH/Telnet user	IP-based (firewall)
Protocol	SSH/Telnet	Raw TCP or RFC2217
Scripting	Difficult	Easy (netcat, etc.)
User permissions	Per-user	Per-IP range

Verification

Check 1: Verify Special Login Configuration

/special-login print

Expected: Your entry with user and port shown.

Check 2: Verify Console is Disabled

/system/console print

Expected: Entry for serial0 shows X (disabled) flag.

Check 3: Verify Port Settings

/port print detail

Expected: Port shows correct baud-rate and is not “used-by” console.

Check 4: Test Local Serial Connection

/system/serial-terminal serial0

Expected: You see the target device’s output. Press Ctrl-A, Q to exit.

Check 5: Test Remote SSH Access

From remote machine:

ssh [email protected]

Expected: Direct connection to serial device, not RouterOS CLI.

Troubleshooting

Symptom	Cause	Solution
SSH connects to RouterOS instead of serial	Special login not configured for user	Verify /special-login print shows entry
”Port is used by another process”	Console still bound to port	Disable console: /system/console disable 0
No output from serial device	Baud rate mismatch	Match baud rate: /port set serial0 baud-rate=9600
Garbage characters on screen	Wrong parity or data bits	Check target device settings; adjust port config
Router stuck at boot after reboot	Serial cable sending characters to bootloader	Set /system/routerboard/settings set enter-setup-on=delete-key
USB serial not appearing	Adapter not recognized	Check /port print; try different USB port
Multi-channel adapter all go to channel 0	Known issue with some adapters	Use separate single-channel adapters or remote-access
Lost all access to router	Disabled console without network access	Reset router configuration via reset button

Common Mistakes

• Disabling console before verifying network access - Always test SSH/WinBox access before disabling serial console
• Forgetting to configure bootloader - Router may hang on reboot with serial cable attached
• Baud rate mismatch - Most switches use 9600; RouterOS default is 115200
• Using wrong cable type - Router-to-router requires null-modem cable
• Not testing locally first - Use /system/serial-terminal before configuring special-login

Related Topics

• Serial Console - Understanding serial console access to RouterOS
• User Management - Creating users and groups
• SSH Configuration - SSH server settings

Reference

• MikroTik Serial Console Documentation
• MikroTik Ports Documentation

Command Reference

Command	Description
/special-login print	List special login entries
/special-login add	Create special login entry
/special-login remove	Delete special login entry
/special-login set	Modify special login entry
/port print	List available serial ports
/port set	Configure port settings
/system/console print	List console bindings
/system/console disable	Disable console on port
/system/serial-terminal	Direct serial terminal access

Summary

Special Login provides serial port proxy access through SSH/Telnet:

1. Disable console on the serial port with /system/console disable
2. Create user dedicated to serial access
3. Configure special-login binding user to port
4. Set bootloader to prevent boot issues with attached cables
5. Test locally with /system/serial-terminal then remotely via SSH

Key points:

• Disabling serial console removes that access method to RouterOS
• Always verify network access before disabling console
• Match baud rate to target device (usually 9600 for switches)
• Configure bootloader to require Delete key for setup menu
• Use null-modem cables for router-to-router/switch connections
• For scripted access, consider /port remote-access instead