
Winbox and WebFig

RouterOS provides two graphical management interfaces: Winbox, a native desktop application with full router access, and WebFig, a browser-based interface served directly by the router. Both expose the full RouterOS configuration tree and can be secured independently through service restrictions and firewall rules.

Winbox is a lightweight Windows executable that connects to RouterOS over TCP port 8291. It requires no installation — download and run.

Winbox is available directly from the router:

http://<router-ip>/winbox/WinBox.exe

Or download it from mikrotik.com/download. On Linux and macOS, Winbox runs under Wine.

Launch Winbox and enter the router’s IP address, username, and password. Winbox also supports MAC-address login for initial access when the IP address is not yet configured.

The Neighbors tab in Winbox's login dialog automatically discovers local MikroTik devices using the MikroTik Neighbor Discovery Protocol (MNDP). Discovered routers appear with their MAC address, IP address, identity, RouterOS version, and uptime. Because MNDP is broadcast, the same identity and version details are visible to anyone else on that segment; limit which interfaces announce them with /ip neighbor discovery-settings set discover-interface-list=LAN (assuming an interface list named LAN, as in the default configuration).

Column        Meaning
MAC Address   Layer 2 identifier, used for MAC login
IP Address    Layer 3 address, used for normal login
Identity      Router hostname
Version       RouterOS version running

MAC login connects at Layer 2 and requires the management workstation to be in the same broadcast domain as the router. It is useful for factory-fresh or misconfigured routers where no IP is reachable. For remote or routed management, always use IP.

To connect from the Neighbors tab, click the MAC or IP address to populate the login field, then click Connect.

Safe Mode protects against accidental lockouts during remote configuration changes. While it is active, each change is applied immediately but also recorded, so the whole set can be undone: if the Winbox session drops before Safe Mode is released, the router reverts the configuration to the state it had when Safe Mode was entered.

Enable Safe Mode by clicking the Safe Mode button in the Winbox toolbar (Ctrl+X toggles it in a terminal session). The title bar displays [Safe Mode] when active.

To keep the changes, click Safe Mode again to exit. The changes are already live; exiting only stops tracking them, so they are no longer subject to rollback.

Safe Mode behavior:

  • Changes take effect immediately and are tracked while Safe Mode is active; a firewall rule added in Safe Mode is enforced the moment it is added
  • Disconnection triggers automatic rollback to the pre-Safe-Mode configuration after a timeout of approximately 9 minutes (configurable)
  • Pressing Ctrl+X again (or the toolbar button) keeps the changes and exits Safe Mode
  • Only one session can hold Safe Mode; another admin who enters Safe Mode is prompted to take it over and chooses whether the first session's changes are kept or undone
  • Enter Safe Mode before editing the firewall input chain, service address restrictions, or the interface you are connected through; those are the changes most likely to cut off your own session

Winbox saves connection entries (address, username) in a local session list. Sessions can be organized into groups for environments with many routers. Passwords can optionally be stored, though storing credentials carries risk on shared workstations.

The Keep Password checkbox stores credentials locally. For security-sensitive environments, leave this unchecked and authenticate each session manually.


WebFig provides the same RouterOS management interface through any modern web browser. It is served by the RouterOS www (HTTP) and www-ssl (HTTPS) services on ports 80 and 443 respectively.

Navigate to the router’s IP address in a browser:

http://<router-ip>

Or for HTTPS:

https://<router-ip>

Log in with any RouterOS user account. WebFig respects the same user group permissions and policy restrictions as Winbox and SSH.

Both services are configured under /ip service.

Plain HTTP transmits credentials in cleartext. For any router accessible beyond a trusted LAN segment, enable HTTPS and disable HTTP.

Step 1: Import or generate a certificate

For lab use, generate a self-signed certificate. The key-usage below marks it as a TLS server certificate; the sign step takes a moment on low-end hardware because the key pair is generated on the router:

/certificate
add name=router-cert common-name=<router-hostname-or-ip> days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
sign router-cert

Browsers will warn about a self-signed certificate. Import it into the management workstation's trust store rather than getting used to clicking through the warning, since a man-in-the-middle presents exactly the same warning.

For production, upload the certificate, its private key and any intermediate CA certificates to the router (Winbox Files, or SFTP over the ssh service), then import them:

/certificate import file-name=router.crt passphrase=""
/certificate import file-name=router.key passphrase=""

Import the intermediates the same way so clients can build the chain. RouterOS names an imported certificate after its file rather than router-cert; check /certificate print and use the name it shows in the next step.

Step 2: Enable www-ssl and assign the certificate

/ip service
set www-ssl certificate=router-cert disabled=no port=443

Step 3: Disable plain HTTP

/ip service set www disabled=yes

Verify the service state:

/ip service print

Expected output (other services omitted):

Flags: X - disabled
 #    NAME       PORT  ADDRESS  CERTIFICATE
 0 X  www        80
 1    www-ssl    443            router-cert
 2    winbox     8291

Both Winbox and WebFig should be restricted to trusted networks. The primary mechanisms are service address restrictions and firewall input rules.

RouterOS allows each management service to accept connections only from specified source addresses. The check is made by the service itself once a connection reaches it; it does not replace the firewall, which sees the packet first and can drop it before any service is involved.

/ip service
set winbox address=192.168.88.0/24 port=8291
set www-ssl address=192.168.88.0/24 port=443 certificate=router-cert disabled=no
set www disabled=yes

Multiple subnets can be specified as a comma-separated list:

/ip service set winbox address=192.168.88.0/24,10.10.0.0/16

Complement service restrictions with firewall input chain rules. Drop management traffic from any source not explicitly permitted. The input chain is evaluated top to bottom and new rules are appended at the end, so check /ip firewall filter print first: the accept rules must sit above any existing catch-all drop (use place-before= to position them), and the permitted source ranges must include the address you are connected from. Enter Safe Mode before applying them.

/ip firewall filter
add chain=input action=accept src-address=192.168.88.0/24 protocol=tcp dst-port=8291,443 comment="Allow Winbox/WebFig from LAN"
add chain=input action=accept src-address=10.10.0.0/16 protocol=tcp dst-port=8291,443 comment="Allow Winbox/WebFig from VPN"
add chain=input action=drop protocol=tcp dst-port=8291,80,443 comment="Drop all other GUI access"

Disable any management service not in active use:

/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set www disabled=yes

Changing the default port for Winbox or WebFig adds a minor obfuscation layer but is not a security control on its own. Pair it with address restrictions and firewall rules:

/ip service
set winbox port=38291
set www-ssl port=4443

Practice                                                Rationale
Restrict service addresses to known subnets             Prevents access from unexpected sources at the service layer
Add firewall input drop rules                           Defense-in-depth; drops packets before they reach the service
Disable unused services                                 Reduces attack surface
Use HTTPS for WebFig                                    Protects credentials from interception
Manage over VPN                                         Avoids exposing management ports to the internet
Use Safe Mode for remote changes                        Automatic rollback prevents lockouts
Use dedicated management accounts                       Apply least privilege via user group policies
Avoid storing Winbox passwords on shared workstations   Prevents credential theft
Restrict MAC-Winbox to trusted interface lists          Prevents Winbox L2 access from untrusted segments

For MAC-level access hardening (MAC-Winbox, MAC-Telnet, MAC-Ping), see MAC Server Security.
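The service address restrictions, the firewall input rules, the disabled-service list and the hardening table above can all be checked mechanically against a router's /export output. The script below is an added example for this page, not MikroTik code. Everything in it is an assumption to adapt: parse_export, input_verdict and audit are invented names; DEFAULTS encodes what a service is assumed to be when /export omits it (export prints only non-default values, so check your version's defaults); MGMT_NETS encodes a site policy that management may only come from RFC 1918 space; the firewall evaluator models only chain, protocol, src-address and dst-port and skips rules with other matchers; and the two sample exports are constructed, not captured from a router.

```python
import ipaddress
import shlex

# Assumption: (port, disabled) a service has when /export omits it, since export
# prints only non-default values; verify against your RouterOS version's defaults.
DEFAULTS = {"telnet": ("23", "no"), "ftp": ("21", "no"), "www": ("80", "no"),
            "api": ("8728", "no"), "api-ssl": ("8729", "no"), "ssh": ("22", "no"),
            "winbox": ("8291", "no"), "www-ssl": ("443", "yes")}
SHOULD_BE_DISABLED = ("telnet", "ftp", "api", "api-ssl", "www")
GUI_SERVICES = ("winbox", "www", "www-ssl")
# Assumption (site policy): management only from RFC 1918 space, i.e. LAN or VPN.
MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RULE_KEYS = {"chain", "action", "protocol", "src-address", "dst-port", "comment"}


def parse_export(text):
    """Return ({service: {key: value}}, [filter rules in chain order]); joins wrapped lines."""
    services = {n: {"port": p, "disabled": d} for n, (p, d) in DEFAULTS.items()}
    rules, section, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = line[:-1] + " " if line.endswith("\\") else ""  # RouterOS wraps with '\'
        if pending or not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)  # keeps comment="with spaces" as one token
        kv = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        if section == "/ip service" and tokens[0] == "set":
            services.setdefault(tokens[1], {}).update(kv)
        elif section == "/ip firewall filter" and tokens[0] == "add":
            rules.append(kv)
    return services, rules


def input_verdict(rules, src_ip, dst_port, proto="tcp"):
    """Action of the first input-chain rule matching a new packet (simplified evaluator:
    only chain/protocol/src-address/dst-port are modelled, other rules are skipped).
    No matching rule means accept, which is what RouterOS does when a chain ends."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.get("chain") != "input" or set(r) - RULE_KEYS or r.get("protocol", proto) != proto:
            continue
        if "src-address" in r and src not in ipaddress.ip_network(r["src-address"], strict=False):
            continue
        ports = [p.partition("-") for p in r["dst-port"].split(",")] if "dst-port" in r else []
        if not ports or any(int(lo) <= dst_port <= int(hi or lo) for lo, _, hi in ports):
            return r.get("action", "accept")
    return "accept"


def audit(text, outside_ip="203.0.113.7"):
    """Findings against the hardening table; an empty list means clean."""
    services, rules = parse_export(text)
    findings = [f"service {n} is enabled" for n in SHOULD_BE_DISABLED
                if services[n].get("disabled") != "yes"]
    for name in GUI_SERVICES:
        svc = services[name]
        if svc.get("disabled") == "yes":
            continue
        nets = [ipaddress.ip_network(n, strict=False) for n in svc.get("address", "").split(",") if n]
        if not nets:
            findings.append(f"service {name} has no address restriction")
        for net in nets:
            if not any(net.version == m.version and net.subnet_of(m) for m in MGMT_NETS):
                findings.append(f"service {name} allows non-management source {net}")
        if name == "www-ssl" and not svc.get("certificate"):
            findings.append("service www-ssl is enabled without a certificate")
        if input_verdict(rules, outside_ip, int(svc["port"])) != "drop":
            findings.append(f"input chain does not drop tcp/{svc['port']} ({name}) from {outside_ip}")
    return findings


# Constructed sample exports (not captured from a router): Winbox open to the world
# on an otherwise default router, and the hardened state the page describes.
WEAK_EXPORT = """\
/ip service
set www-ssl certificate=router-cert disabled=no
set winbox address=0.0.0.0/0
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=8291 comment="winbox from anywhere"
"""
HARDENED_EXPORT = """\
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set winbox address=192.168.88.0/24,10.10.0.0/16 port=8291
set www-ssl address=192.168.88.0/24,10.10.0.0/16 certificate=router-cert disabled=no port=443
/ip firewall filter
add chain=input action=accept src-address=192.168.88.0/24 protocol=tcp \\
    dst-port=8291,443 comment="Allow Winbox/WebFig from LAN"
add chain=input action=accept src-address=10.10.0.0/16 protocol=tcp dst-port=8291,443 comment="VPN"
add chain=input action=drop protocol=tcp dst-port=8291,80,443 comment="Drop all other GUI access"
"""
```

Call audit() on the text of a real export (for example /export file=cfg, then pull cfg.rsc over SFTP). The weak sample produces findings for every row of the table that applies (open Winbox, plain HTTP left on, unused services, no firewall drop); the hardened sample produces none. Passing the hardened rule list to input_verdict in reverse order shows the lockout the ordering caveat warns about: with the catch-all drop first, a LAN source is dropped before its accept rule is reached.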