SNMP: Configuration, OID Reference, and Monitoring Integration

SNMP: Configuration, OID Reference, and Monitoring Integration

Overview

RouterOS supports SNMP versions 1, 2c, and 3. SNMPv1 and SNMPv2c use community strings for access control; SNMPv3 adds per-user authentication and optional encryption, making it suitable for production environments. This guide covers enabling SNMP, configuring all three protocol versions, understanding the MikroTik OID tree, loading custom MIBs, and integrating with common monitoring platforms.

Command paths:

Path	Purpose
/snmp	Global SNMP settings
/snmp community	v1/v2c communities and SNMPv3 users
/snmp target	Trap destinations

---

Enabling SNMP

SNMP is disabled by default. Enable it and set contact/location metadata:

/snmp set enabled=yes contact="[email protected]" location="DC1-Rack3"

Verify the service is active:

/snmp print

---

SNMPv2c Community (Basic)

SNMPv2c uses a shared community string with no encryption. Restrict access by source address and disable the default public community in production:

# Restrict the default community to a specific NMS subnet
/snmp community set [find name=public] addresses=10.0.0.0/24 read-access=yes write-access=no

# Or create a dedicated community and disable the default
/snmp community add name=monitoring addresses=10.10.10.50/32 read-access=yes write-access=no
/snmp community set [find name=public] disabled=yes

---

SNMPv3 User Configuration

SNMPv3 replaces community strings with named users that carry their own authentication and privacy credentials.

Security Levels

Level	Auth	Encryption	Use Case
noAuthNoPriv	None	None	Testing/trusted networks only
authNoPriv	MD5 or SHA	None	Auth without encryption
authPriv	MD5 or SHA	DES or AES	Recommended for production

Authentication Protocols

• MD5 — faster, 128-bit hash; acceptable for legacy environments
• SHA / SHA1 — stronger, 160-bit hash; preferred

Privacy (Encryption) Protocols

• AES — recommended; 128-bit block cipher
• DES — legacy; 56-bit, considered weak

Creating an SNMPv3 User (authPriv)

/snmp community add \
    name=nmsv3 \
    security=private \
    authentication-protocol=SHA \
    authentication-password="AuthPass123!" \
    encryption-protocol=AES \
    encryption-password="PrivPass123!" \
    addresses=10.10.10.0/24 \
    read-access=yes \
    write-access=no

Note: Both the authentication password and encryption password must be at least 8 characters.

Verify the Configuration

/snmp community print detail

---

SNMP Traps

Traps are unsolicited notifications sent from the router to a monitoring host when events occur.

Configure Global Trap Settings

/snmp set trap-version=2 trap-community=monitoring

Add a Trap Target

# SNMPv2c trap target
/snmp target add address=10.10.10.50:162 version=2 community=monitoring

# SNMPv3 trap target (where supported)
/snmp target add address=10.10.10.50:162 version=3 security-name=nmsv3 security-level=authPriv

Common trap generators:

Generator	Trigger
temp-exception	Temperature threshold exceeded
start-trap	Router boot/restart
interfaces	Interface state change

---

Firewall Rules for SNMP

Allow SNMP polling and trap traffic only from authorized hosts:

# Allow SNMP polling from NMS host
/ip firewall filter add chain=input protocol=udp dst-port=161 \
    src-address=10.10.10.50/32 action=accept comment="SNMP polling"

# Drop all other SNMP
/ip firewall filter add chain=input protocol=udp dst-port=161 \
    action=drop comment="Drop unauthorized SNMP"

---

OID Tree Overview

RouterOS exposes both standard MIB trees and MikroTik enterprise OIDs under the private enterprise branch (1.3.6.1.4.1.14988).

System Information (SNMPv2-MIB)

OID	Name	Description
1.3.6.1.2.1.1.1	sysDescr	System description (RouterOS version)
1.3.6.1.2.1.1.2	sysObjectID	Vendor object identifier
1.3.6.1.2.1.1.3	sysUpTime	Time since last restart
1.3.6.1.2.1.1.5	sysName	Router hostname
1.3.6.1.2.1.1.6	sysLocation	Physical location

Interface Statistics (IF-MIB)

OID	Name	Description
1.3.6.1.2.1.2.2.1.2	ifDescr	Interface name
1.3.6.1.2.1.2.2.1.3	ifType	Interface type
1.3.6.1.2.1.2.2.1.5	ifSpeed	Interface speed (bps)
1.3.6.1.2.1.2.2.1.8	ifOperStatus	Operational status (1=up, 2=down)
1.3.6.1.2.1.2.2.1.10	ifInOctets	Inbound bytes (32-bit)
1.3.6.1.2.1.2.2.1.16	ifOutOctets	Outbound bytes (32-bit)
1.3.6.1.2.1.31.1.1.1.6	ifHCInOctets	Inbound bytes (64-bit) — use on high-speed links
1.3.6.1.2.1.31.1.1.1.10	ifHCOutOctets	Outbound bytes (64-bit) — use on high-speed links

Use 64-bit counters (ifHCInOctets/ifHCOutOctets) for interfaces faster than 100 Mbit/s to avoid counter wrap.

MikroTik Enterprise OIDs

The MikroTik enterprise OID tree is rooted at 1.3.6.1.4.1.14988. The sub-tree below covers the most commonly polled objects.

System resources and health:

OID	MIKROTIK-MIB name	Description
1.3.6.1.4.1.14988.1.1.1.3	mtxrWlStat	Per-radio wireless statistics table
1.3.6.1.4.1.14988.1.1.1.3.1.4.X	mtxrWlStatTxRate	TX rate (bps) for wireless client X
1.3.6.1.4.1.14988.1.1.1.3.1.6.X	mtxrWlStatSignalStrength	Signal strength (dBm) for client X
1.3.6.1.4.1.14988.1.1.3.8.0	mtxrHlVoltage	Board voltage (units: 0.1 V)
1.3.6.1.4.1.14988.1.1.3.10.0	mtxrHlTemperature	Board temperature (units: 0.1 °C)
1.3.6.1.4.1.14988.1.1.3.11.0	mtxrHlProcessorLoad	CPU load (%)
1.3.6.1.4.1.14988.1.1.3.12.0	mtxrHlMemoryUsage	Memory usage (%)
1.3.6.1.4.1.14988.1.1.3.13.0	mtxrHlStorageUsage	Storage usage (%)

Writable management OIDs:

OID	Description
1.3.6.1.4.1.14988.1.1.7.1.0	Reboot trigger (SET non-zero value to reboot)
1.3.6.1.4.1.14988.1.1.8.1.1.3.X	Execute script number X via SNMP SET
1.3.6.1.4.1.14988.1.1.18.1.1.2.X	Run script X and return output via GET

PoE-Out (where hardware supports it):

OID	Description
1.3.6.1.4.1.14988.1.1.15.1.1.3.X	PoE-Out port X status
1.3.6.1.4.1.14988.1.1.15.1.1.5.X	PoE-Out port X current (mA)
1.3.6.1.4.1.14988.1.1.15.1.1.6.X	PoE-Out port X power (mW)

Use /interface print oid, /ip address print oid, etc. to discover OIDs for any RouterOS object dynamically.

Validate OIDs with snmpwalk

# Walk the system group
snmpwalk -v3 -l authPriv -u nmsv3 \
    -a SHA -A 'AuthPass123!' -x AES -X 'PrivPass123!' \
    <router-ip> 1.3.6.1.2.1.1

# Walk interface table (64-bit counters)
snmpwalk -v3 -l authPriv -u nmsv3 \
    -a SHA -A 'AuthPass123!' -x AES -X 'PrivPass123!' \
    <router-ip> 1.3.6.1.2.1.31.1.1.1

# Walk MikroTik enterprise tree
snmpwalk -v3 -l authPriv -u nmsv3 \
    -a SHA -A 'AuthPass123!' -x AES -X 'PrivPass123!' \
    <router-ip> 1.3.6.1.4.1.14988

MikroTik publishes MIB files for import into NMS tools. Place them in your SNMP manager’s MIB directory alongside standard dependencies (SNMPv2-SMI, IF-MIB, HOST-RESOURCES-MIB). RouterOS does not require MIB files to answer OID queries — MIBs are used by the manager for symbolic name resolution.

---

Integration with LibreNMS

1. Configure RouterOS

/snmp set enabled=yes contact="NetOps" location="DC1-RackA"
/snmp community add \
    name=librenms-v3 \
    security=private \
    authentication-protocol=SHA \
    authentication-password="AuthPass123!" \
    encryption-protocol=AES \
    encryption-password="PrivPass123!" \
    addresses=10.10.10.50/32 \
    read-access=yes

2. Validate from the LibreNMS Host

Before adding the device in LibreNMS, confirm SNMP connectivity from the polling server:

snmpwalk -v3 -l authPriv -u librenms-v3 \
    -a SHA -A 'AuthPass123!' -x AES -X 'PrivPass123!' \
    <router-ip> 1.3.6.1.2.1.1

3. Add Device in LibreNMS

In the LibreNMS UI, go to Devices → Add Device and set:

Field	Value
Hostname/IP	Router IP address
SNMP Version	v3
Security Level	authPriv
Username	librenms-v3
Auth Algorithm	SHA
Auth Password	AuthPass123!
Crypto Algorithm	AES
Crypto Password	PrivPass123!
Context	(leave blank)
Port	161

4. Key Graphs and Alerts

After discovery and initial poll:

• Traffic graphs — per-interface in/out bps, errors, discards
• Device overview — uptime, CPU, memory utilization
• Availability — polling latency and ICMP response

Recommended alerts to enable:

Alert	Threshold
Device unreachable	Any failure
Interface down	Operational interfaces only
High CPU	> 80% sustained
High memory	> 90% used
Interface errors/discards	Spike above baseline

---

Integration with Zabbix

1. Configure RouterOS

/snmp set enabled=yes contact="NOC" location="DC1-R1"
/snmp community set [find default=yes] disabled=yes
/snmp community add \
    name=zbxv3 \
    security=private \
    authentication-protocol=SHA \
    authentication-password="AuthPass_ChangeMe" \
    encryption-protocol=AES \
    encryption-password="PrivPass_ChangeMe" \
    addresses=10.10.10.10/32 \
    read-access=yes

2. Add Host in Zabbix

In Configuration → Hosts → Create host, add an SNMP interface:

Field	Value
IP address	Router IP
Port	161
SNMP version	SNMPv3
Security name	zbxv3
Security level	authPriv
Auth protocol	SHA
Auth passphrase	AuthPass_ChangeMe
Privacy protocol	AES
Privacy passphrase	PrivPass_ChangeMe

3. Assign Template

Link the host to a MikroTik SNMP template. Community-maintained templates are available in the Zabbix template library and cover:

• Interface discovery and traffic monitoring (IF-MIB)
• CPU and memory utilization
• System uptime and availability
• Hardware health sensors (temperature/voltage, device-dependent)

4. Key Items and Triggers

Item	Description
ifOperStatus	Interface up/down state
ifHCInOctets / ifHCOutOctets	64-bit traffic counters
ifInErrors / ifOutErrors	Interface error rate
sysUpTime	Uptime (alert on unexpected restart)
MikroTik CPU OID	CPU load percentage
MikroTik memory OID	Free/used memory

Recommended triggers:

• Device unavailable (ICMP and SNMP unreachable)
• Interface link down on critical interfaces
• CPU sustained above threshold
• Memory utilization critical
• Interface error rate spike
• Unexpected reboot (uptime reset)

---

Integration with PRTG

1. Configure RouterOS

/snmp set enabled=yes contact="[email protected]" location="HQ"
/snmp community add \
    name=prtgv3 \
    security=private \
    authentication-protocol=SHA1 \
    authentication-password="AuthPass123" \
    encryption-protocol=AES \
    encryption-password="PrivPass123" \
    addresses=10.10.10.20/32 \
    read-access=yes

2. Add Device in PRTG

In PRTG, go to Add Device and set SNMP version to v3. Under the device’s SNMP credentials:

Field	Value
SNMP Version	3
Security Name	prtgv3
Security Level	authPriv
Auth Method	SHA
Auth Password	AuthPass123
Encryption Type	AES
Encryption Password	PrivPass123

3. Add Sensors

Useful PRTG sensor types for MikroTik:

Sensor Type	Purpose
SNMP Traffic	Per-interface bandwidth monitoring
SNMP Custom OID	Query specific MikroTik enterprise OIDs
SNMP System Uptime	Monitor router restarts
Ping	Availability and latency

For custom OID sensors targeting MikroTik-specific metrics (CPU, memory, signal strength), use the SNMP Custom OID sensor with the enterprise OIDs listed in the OID Tree Overview section above.

---

Custom MIB Polling

RouterOS does not require MIB files to answer OID queries — it responds to numeric OIDs regardless. MIB files are used by the manager (NMS or CLI tools) to resolve symbolic names and validate the data type and description of each OID. Installing the MikroTik MIB files on your NMS enables human-readable output and auto-discovery of MikroTik-specific metrics.

Downloading MikroTik MIBs

Download the official MikroTik MIB bundle from:

https://mikrotik.com/download/tools

The archive contains:

• MIKROTIK-MIB — MikroTik enterprise OIDs (primary file)
• Standard dependency MIBs if bundled (SNMPv2-SMI, IF-MIB, HOST-RESOURCES-MIB)

Installing MIBs on Linux (snmpwalk/snmpget)

Place the MIB file in your SNMP manager’s MIB directory and load it:

# Copy to user MIB directory
mkdir -p ~/.snmp/mibs
cp MIKROTIK-MIB ~/.snmp/mibs/

# Or system-wide
sudo cp MIKROTIK-MIB /usr/share/snmp/mibs/

# Verify it loads (should show no errors)
snmptranslate -m +MIKROTIK-MIB -IR mtxrHlTemperature
# Expected output: MIKROTIK-MIB::mtxrHlTemperature.0

Enable the MIB for all snmp commands by adding to ~/.snmp/snmp.conf:

mibs +MIKROTIK-MIB

Then use symbolic names directly:

# Poll temperature using symbolic name
snmpget -v3 -l authPriv -u nmsv3 \
    -a SHA -A 'AuthPass123!' -x AES -X 'PrivPass123!' \
    <router-ip> MIKROTIK-MIB::mtxrHlTemperature.0

# Walk all health OIDs
snmpwalk -v3 -l authPriv -u nmsv3 \
    -a SHA -A 'AuthPass123!' -x AES -X 'PrivPass123!' \
    <router-ip> MIKROTIK-MIB::mtxrHealth

Installing MIBs in LibreNMS

LibreNMS auto-discovers MikroTik devices using its built-in OS definition. To add the MikroTik MIB for custom polling:

# Copy to LibreNMS MIB directory
sudo cp MIKROTIK-MIB /opt/librenms/mibs/

# Validate the MIB loads
sudo -u librenms /opt/librenms/scripts/pre-commit.php --check-mib MIKROTIK-MIB

LibreNMS includes a MikroTik OS definition (includes/definitions/mikrotik.yaml) that maps common enterprise OIDs to graphs automatically upon device discovery. No additional configuration is required for standard CPU, memory, and wireless metrics.

For custom OID polling, use Custom OID under device settings in LibreNMS:

1. Go to Devices → Device → Edit → Custom OIDs
2. Add the OID, description, and data type
3. LibreNMS graphs and alerts can then reference the custom value

Installing MIBs in Zabbix

# Copy to Zabbix MIB directory
sudo cp MIKROTIK-MIB /usr/share/snmp/mibs/

# Verify Zabbix can resolve the MIB
zabbix_get -s <router-ip> -c monitoring -k "SNMP[MIKROTIK-MIB::mtxrHlTemperature.0]"

In the Zabbix UI, MIBs are referenced when configuring SNMP items:

Field	Value
SNMP OID	MIKROTIK-MIB::mtxrHlTemperature.0
Type of information	Numeric (float)
Units	°C (multiply raw value by 0.1 in preprocessing)

Use Preprocessing → Multiplier: 0.1 for health OIDs that report in 0.1 units (voltage, temperature).

Custom Polling Without MIB Files

If MIB files are unavailable, poll by numeric OID directly:

# Temperature in 0.1 °C units (divide by 10 for Celsius)
snmpget -v2c -c monitoring <router-ip> 1.3.6.1.4.1.14988.1.1.3.10.0

# CPU load percent
snmpget -v2c -c monitoring <router-ip> 1.3.6.1.4.1.14988.1.1.3.11.0

# Walk entire health subtree
snmpwalk -v2c -c monitoring <router-ip> 1.3.6.1.4.1.14988.1.1.3

Discover Available OIDs on a Device

RouterOS reports OIDs for every item in its configuration. Use print oid in any submenu to discover the exact OID for any object:

# Find OIDs for all interfaces
/interface print oid

# Find OIDs for IP addresses
/ip address print oid

# Find OIDs for BGP peers (if configured)
/routing bgp peer print oid

This is the definitive method to find the exact OID index for a specific interface or configuration item on a given router.

---

Troubleshooting

SNMP Not Responding

# Check service is enabled
/snmp print

# Confirm firewall allows UDP 161 from NMS
/ip firewall filter print

From the NMS host:

# Quick connectivity test (v2c)
snmpget -v2c -c monitoring <router-ip> 1.3.6.1.2.1.1.5.0

# SNMPv3 test
snmpget -v3 -l authPriv -u nmsv3 \
    -a SHA -A 'AuthPass123!' -x AES -X 'PrivPass123!' \
    <router-ip> 1.3.6.1.2.1.1.5.0

SNMPv3 Authentication Failures

• Confirm the username in /snmp community matches exactly what the NMS sends
• Verify auth and privacy protocols match on both sides (SHA vs SHA1 naming varies by tool)
• Check passwords meet the 8-character minimum
• Ensure the NMS source IP is within the addresses restriction on the community

Trap Target Not Receiving

• Verify the target IP and port (UDP 162) are reachable from the router
• Check /snmp print for the configured trap community and version
• Confirm no firewall rule blocks outbound UDP 162

---

References

• RouterOS SNMP Manual
• RFC 3414 — SNMPv3 User-based Security Model
• IF-MIB (RFC 2863)