Manual de Mikrotik Fulll

Manual:First time startup
Applies to RouterOS:All
Contents
[hide]
 1Overview
 2Winbox
 3QuickSet and WebFig
 4CLI
o 4.1Serial Cable
o 4.2Monitor and Keyboard
Overview
After you have installed the RouterOS software, or turned on the Router for the first time, there
are various ways how to connect to it:
 Accessing Command Line Interface (CLI) via Telnet, SSH, serial cable or even keyboard
and monitor if your router has a VGA card.
 Accessing Web based GUI (WebFig)
 Using the WinBox configuration utility (Windows app, compatible with Wine)
Every router is factory pre-configured with the IP address 192.168.88.1/24 on the ether1 port.
The default username is admin with no password. After you log in for the first time, please
create a new user with a password in the "full" group, re-login and delete the default admin
user. We highly recommend you to follow the general guidelines of the article Securing your
router to protect the device from any unauthorised access.
Additional configuration may be set depending on RouterBOARD model. Most models have the
ether1 configured as a WAN port and any communication with the router through that port is
not possible, since it is firewalled to protect from any outside access. List of RouterBOARD
models and their default configurations can be found in this article.
Winbox
Winbox is a configuration utility that can connect to the router via MAC or IP protocol. Latest
winbox version can be downloaded from our download page.
Run the Winbox utility, then click the [...] button and see if Winbox finds your Router and it's
MAC address. Winbox neighbor discovery will discover all routers on the broadcast network. If
you see routers on the list, connect to it by clicking on MAC address and
pressing Connect button.
Winbox will try download plugins from the router, if it is connecting for the first time to the router
with current version. Note that it may take up to one minute to download all plugins if winbox is
connected with MAC protocol. After winbox have successfully downloaded plugins and
authenticated, main window will be displayed:
If winbox cannot find any routers, make sure that your Windows computer is directly connected
to the router with an Ethernet cable, or at least they both are connected to the same switch. As
MAC connection works on Layer2, it is possible to connect to the router even without IP
address configuration. Due to the use of broadcasting MAC connection is not stable enough to
use continuously, therefore it is not wise to use it on a real production / live network!. MAC
connection should be used only for initial configuration.
Follow winbox manual for more information.
QuickSet and WebFig

If you have a router with default configuration, the IP address of the router can be used to
connect to the Web interface. The first screen to come up will be QuickSet, where you can set
the password and basic settings to secure your device. For more advanced settings, click the
WebFig button to open the Advanced mode, which has almost the same configuration
functionality as Winbox.
Please see following articles to learn more about web interface configuration:
 Initial Configuration with WebFig

 General WebFig Manual
CLI
Command Line Interface (CLI) allows configuration of the router's settings using text
commands. Since there is a lot of available commands, they are split into groups organized in
a way of hierarchical menu levels. Follow console manual for CLI syntax and commands.
There are several ways how to access CLI:
 Winbox terminal menu

 Telnet
 SSH
 serial cable etc.
Serial Cable
If your device has a Serial port, you can use a console cable (or Null modem cable)
Plug one end of the serial cable into the console port (also known as a serial port or DB9
RS232C asynchronous serial port) of the RouterBOARD and the other end in your PC (which
hopefully runs Windows or Linux). You can also use a USB-Serial adapter. Run a terminal
program (HyperTerminal, or Putty on Windows) with the following parameters for All
RouterBOARD models except 230:
115200bit/s, 8 data bits, 1 stop bit, no parity, flow control=none

by default.
RouterBOARD 230 parameters are:
9600bit/s, 8 data bits, 1 stop bit, no parity, hardware (RTS/CTS)

flow control by default.
If parameters are set correctly you should be able to see login prompt. Now you can access
router by entering username and password:
MikroTik 4.15
MikroTik Login:
MMM MMM KKK TTTTTTTTTTT

KKK
MMMM MMMM KKK TTTTTTTTTTT
KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III
KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III
KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III
KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III
KKK KKK
MikroTik RouterOS 4.15 (c) 1999-2010

http://www.mikrotik.com/
[admin@MikroTik] >
Detailed description of CLI login is in login process section.

Monitor and Keyboard
If your device has a graphics card (ie. regular PC) simply attach a monitor to the video card
connector of the computer (note: RouterBOARD products don't have this, so use Method 1 or
2) and see what happens on the screen. You should see a login promt like this:
MikroTik v3.16
Login:
Enter admin as the login name, and hit enter twice (because there is no password yet), you
will see this screen:
MMM MMM KKK TTTTTTTTTTT

KKK
MMMM MMMM KKK TTTTTTTTTTT
KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III
KKK KKK
KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III
KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III
KKK KKK
MikroTik RouterOS 3.16 (c) 2008 http://www.mikrotik.com/
Terminal ansi detected, using single line input mode

[admin@router] >
Now you can start configuring the router, by issuing the setup command.
This method works with any device that has a video card and keyboard connector
Manual:Initial Configuration
Contents
[hide]
 1Summary
 2Connecting wires
 3Configuring router
o 3.1Logging into the router
o 3.2Router user accounts
o 3.3Configure access to internet
 3.3.1DHCP Client
 3.3.2Static IP Address
 3.3.3Configuring network address translation (NAT)
 3.3.4Default gateway
 3.3.5Domain name resolution
 3.3.6SNTP Client
o 3.4Setting up Wireless
 3.4.1Check Ethernet interface state
 3.4.2Security profile
 3.4.3Wireless settings
 3.4.4Bridge LAN with Wireless
 4Troubleshooting & Advanced configuration
o 4.1General
 4.1.1Check IP address
 4.1.2Change password for current user
 4.1.3Change password for existing user
 4.1.4No access to the Internet or ISP network
 4.1.5Checking link
o 4.2Wireless
 4.2.1Channel frequencies and width
 4.2.2Wireless frequency usage
 4.2.3Change Country settings
o 4.3Port forwarding
 4.3.1Static configuration
 4.3.2Dynamic configuration
o 4.4Limiting access to web pages
 4.4.1Set up Web Proxy for page filtering
 4.4.2Set up Access rules
 4.4.3Limitation strategies
Summary
Congratulations, you have got hold of MikroTik router for your home network. This guide will
help you to do initial configuration of the router to make your home network a safe place to be.
The guide is mostly intended in case if default configuration did not get you to the internet right
away, however some parts of the guide is still useful.
Connecting wires
Router's initial configuration should be suitable for most of the cases. Description of the
configuration is on the back of the box and also described in the online manual.
The best way to connect wires as described on the box:
 Connect ethernet wire from your internet service provider (ISP) to port ether1, rest of the
ports on the router are for local area network (LAN). At this moment, your router is
protected by default firewall configuration so you should not worry about that;
 Connect LAN wires to the rest of the ports.
Configuring router
Initial configuration has DHCP client on WAN interface (ether1), rest of the ports are
considered your local network with DHCP server configured for automatic address
configuration on client devices. To connect to the router you have to set your computer to
accept DHCP settings and plug in the ethernet cable in one of the LAN ports (please check
routerboard.com for port numbering of the product you own, or check front panel of the router).
Logging into the router

To access the router enter address 192.168.88.1 in your browser. Main RouterOS page will be
shown as in the screen shot below. Click on WebFig from the list.
You will be prompted for login and password to access configuration interface. Default login
name is admin and blank password (leave empty field as it is already).
Router user accounts
It is good idea to start with password setup or add new user so that router is not accessible by
anyone on your network. User configuration is done form System -> Users menu.
To access this menu, click on System on the left panel and from the dropdown menu
choose Users (as shown in screenshot on the left)
You will see this screen, where you can manage users of the router. In this screen you can edit
or add new users:
 When you click on account name (in this case admin), edit screen for the user will be
displayed.
 If you click on Add new button, new user creation screen will be displayed.
Both screens are similar as illustrated in screenshot below. After editing user's data
click OK (to accept changes) or Cancel. It will bring you back to initial screen of user
management.
In user edit/Add new screen you can alter existing user or create new. Field marked with 2. is
the user name, field 1. will open password screen, where old password for the user can be
changed or added new one (see screenshot below).
Configure access to internet
If initial configuration did not work (your ISP is not providing DHCP server for automatic
configuration) then you will have to have details from your ISP for static configuration of the
router. These settings should include
 IP address you can use

 Network mask for the IP address
 Default gateway address
Less important settings regarding router configuration:
 DNS address for name resolution

 NTP server address for time automatic configuration
 Your previous MAC address of the interface facing ISP
DHCP Client
Default configuration is set up using DHCP-Client on interface facing your ISP or wide area
network (WAN). It has to be disabled if your ISP is not providing this service in the network.
Open 'IP -> DHCP Client' and inspect field 1. to see status of DHCP Client, if it is in state as
displayed in screenshot, means your ISP is not providing you with automatic configuration and
you can use button in selection 2. to remove DHCP-Client configured on the interface.
Static IP Address
To manage IP addresses of the router open 'IP -> Address'
You will have one address here - address of your local area network (LAN) 192.168.88.1 one
you are connected to router. Select Add new to add new static IP address to your router's
configuration.
You have to fill only fields that are marked. Field 1. should contain IP address provided by your
ISP and network mask'. Examples:
172.16.88.67/24
both of these notations mean the same, if your ISP gave you address in one notation, or in the
other, use one provided and router will do the rest of calculation.
Other field of interest is interface this address is going to be assigned. This should be interface
your ISP is connected to, if you followed this guide - interface contains name - ether1
Note: While you type in the address, webfig will calculate if address you have typed is
acceptable, if it is not label of the field will turn red, otherwise it will be blue
Note: It is good practice to add comments on the items to give some additional information for
the future, but that is not required
Configuring network address translation (NAT)

Since you are using local and global networks, you have to set up network masquerade, so
that your LAN is hidden behind IP address provided by your ISP. That should be so, since your
ISP does not know what LAN addresses you are going to use and your LAN will not be routed
from global network.
To check if you have the source NAT open 'IP -> Firewall -> tab NAT' and check if item
highlighted (or similar) is in your configuration.
Essential fields for masquerade to work:
 enabled is checked;
 chain - should be srcnat;
 out-interface is set to interface connected to your ISP network, Following this guide ether1;
 action should be set to masquerade.
In screenshot correct rule is visible, note that irrelevant fields that should not have any value
set here are hidden (and can be
ignored)
Default gateway
under 'IP -> Routes' menu you have to add routing rule called default route. And select Add
new to add new
route.
In screen presented you will see the following screen:

here you will have to press button with + near red Gateway label and enter in the field default
gateway, or simply gateway given by your ISP.
This should look like this, when you have pressed the + button and enter gateway into the field
displayed.
After this, you can press OK button to finish creation of the default route.
At this moment, you should be able to reach any globally available host on the Internet using IP
address.
To check weather addition of default gateway was successful use Tools -> Ping
Domain name resolution
To be able to open web pages or access Internet hosts by domain name DNS should be
configured, either on your router or your computer. In scope of this guide, i will present only
option of router configuration, so that DNS addresses are given out by DHCP-Server that you
are already using.
This can be done in 'IP -> DNS ->Settings', first Open 'IP ->DNS':
Then select Settings to set up DNS cacher on the router. You have to add field to enter DNS IP
address, section 1. in image below. and check Allow Remote Requests marked with 2.
The result of pressing + twice will result in 2 fields for DNS IP addresses:
Note: Filling acceptable value in the field will turn field label blue, other way it will be marked
red.
SNTP Client
RouterBOARD routers do not keep time between restarts or power failuers. To have correct
time on the router set up SNTP client if you require that.
To do that, go to 'System -> SNTP' where you have to enable it, first mark, change mode from
broadcast to unicast, so you can use global or ISP provided NTP servers, that will allow to
enter NTP server IP addresses in third area.
Setting up Wireless
For ease of use bridged wireless setup will be used, so that your wired hosts will be in same
ethernet broadcast domain as wireless clients.
To make this happen several things has to be checked:
 Ethernet interfaces designated for LAN are swtiched or bridged, or they are separate ports;
 If bridge interface exists;
 Wireless interface mode is set to ap-bridge (in case, router you have has level 4 or higher
license level), if not, then mode has to be set to bridge and only one client (station) will be
able to connect to the router using wireless network;
 There is appropriate security profile created and selected in interface settings.
Check Ethernet interface state
Warning: Changing settings may affect connectivity to your router and you can be
disconnected from the router. Use Safe Mode so in case of disconnection made changes are
reverted back to what they where before you entered safe mode
To check if ethernet port is switched, in other words, if ethernet port is set as slave to another
port go to 'Interface' menu and open Ethernet interface details. They can be distinguished by
Type column displaying Ethernet.
When interface details are opened, look up Master Port setting.

Available settings for the attribute are none, or one of Ethernet interface names. If name is set,
that mean, that interface is set as slave port. Usually RouterBOARD routers will come
with ether1 as intended WAN port and rest of ports will be set as slave ports of ether2 for LAN
use.
Check if all intended LAN Ethernet ports are set as slave ports of the rest of one of the LAN
ports. For example, if ether2. ether3, ether4 and ether5 are intended as LAN ports, set on
ether3 to ether5 attribute Master Portto ether2.
In case this operation fails - means that Ethernet interface is used as port in bridge, you have
to remove them from bridge to enable hardware packet switching between Ethernet ports. To
do this, go to Bridge -> Portsand remove slave ports (in example, ether3 to ether5) from the
tab.
Note: If master port is present as bridge port, that is fine, intended configuration requires it
there, same applies to wireless interface (wlan)
Security profile
It is important to protect your wireless network, so no malicious acts can be performed by 3rd
parties using your wireless access-point.
To edit or create new security profile head to 'Wireless -> tab 'Security Prodiles' and choose
one of two options:
 Using Add new create new profile;

 Using highlighted path in screenshot edit default profile that is already assigned to wireless
interface.
In This example i will create new security profile, editing it is quite similar. Options that has to
be set are highlighted with read and recommended options are outlined by red boxes and pre-
set to recommended values. WPA and WPA2 is used since there are still legacy equipment
around (Laptops with Windows XP, that do not support WPA2 etc.)
WPA Pre- shared key and WPA2 Pre- shared key should be entered with sufficient length. If
key length is too short field label will indicate that by turning red, when sufficient length is
reached it will turn
blue.
Note: WPA and WPA2 pre-shared keys should be different
Note: When configuring this, you can deselect Hide passwords in page header to see the
actual values of the fields, so they can be successfully entered into device configuration that
are going to connect to wireless access-point
Wireless settings
Adjusting wireless settings. That can be done
here:
In General section adjust settings to settings as shown in screenshot. Consider these safe,
however it is possible, that these has to be adjusted slightly.
Interface mode has to be set to ap-bridge, if that is not possible (license resctrictions) set to
bridge, so one client will be able to connect to device.
WiFI devices usually are designed with 2.4GHz modes in mind, setting band to 2GHz-b/g/n will
enable clients with 802.11b, 802.11g and 802.11n to connect to the access point
Adjust channel width to enable faster data rates for 802.11n clients. In example channel 6 is
used, as result, 20/40MHz HT Above or 20/40 MHz HT Below can be used. Choose either of
them.
Set SSID - the name of the access point. It will be visible when you scan for networks using
your WiFi
equipment.
In section HT set change HT transmit and receive chains. It is good practice to enable all
chains that are
available
When settings are set accordingly it is time to enable our protected wireless access-
point
Bridge LAN with Wireless

Open Bridge menu and check if there are any bridge interface available first mark. If there is
not, select Add New marked with second mark and in the screen that opens just accept the
default settings and create interface. When bridge interface is availbe continue to Ports tab
where master LAN interface and WiFI interface have to be added.
First marked area is where interfaces that are added as ports to bridge interface are visible. If
there are no ports added, choose Add New to add new ports to created bridge interfaces.
When new bridge port is added, select that it is enabled (part of active configuration), select
correct bridge interface, following this guide - there should be only 1 interface. And select
correct port - LAN interface master port and WiFi port
Finished look of bridge configured with all ports required
Troubleshooting & Advanced configuration

This section is here to make some deviations from configuration described in the guide itself. It
can require more understanding of networking, wireless networks in general.
General
Check IP address
Adding IP address with wrong network mask will result in wrong network setting. To correct
that problem it is required to change address field, first section, with correct address and
network mask and network field with correct network, or unset it, so it is going to be
recalculated again
Change password for current user
To change password of the current user, safe place to go is System -> Password
Where all the fields has to be filled. There is other place where this can be done in case you
have full privileges on the router.
Change password for existing user
If you have full privileges on the router, it is possible to change password for any user without
knowledge of current one. That can be done under System -> Usersmenu.
Steps are:
 Select user;
 type in password and re-type it to know it is one you intend to set
No access to the Internet or ISP network
If you have followed this guide to the letter but even then you can only communicate with your
local hosts only and every attempt to connect to Internet fails, there are certain things to check:
 If masquerade is configured properly;

 If setting MAC address of previous device on WAN interface changes anything
 ISP has some captive portal in place.
Respectively, there are several ways how to solve the issue, one - check configuration if you
are not missing any part of configuration, second - set MAC address. Change of mac address
is available only from CLI - New Terminal from the left side menu. If new window is not opening
check your browser if it is allowing to open popup windows for this place. There you will have
to write following command by replacing MAC address to correct one:
/interface ethernet set ether1 mac-address=XX:XX:XX:XX:XX:XX
Or contact your ISP for details and inform that you have changed device.
Checking link
There are certain things that are required for Ethernet link to work:
 Link activity lights are on when Ethernet wire is plugged into the port
 Correct IP address is set on the interface
 Correct route is set on the router
What to look for using ping tool:
 If all packets are replied;

 If all packets have approximately same round trip time (RTT) on non-congested Ethernet
link
It is located here: Tool -> Ping menu. Fill in Ping To field and press start to initiate sending of
ICMP packets.
Wireless
Wireless unnamed features in the guide that are good to know about. Configuration
adjustments.
Channel frequencies and width
It is possible to choose different frequency, here are frequencies that can be used and channel
width settings to use 40MHz HT channel (for 802.11n). For example, using channel 1 or
2412MHz frequency setting 20/40MHz HT below will not yield any results, since there are no
20MHz channels available below set frequency.
Channel # Frequency Below Above

1 2412 MHz no yes
2 2417 MHz no yes
3 2422 MHz no yes
4 2427 MHz no yes
5 2432 MHz yes yes
6 2437 MHz yes yes
7 2442 MHz yes yes
8 2447 MHz yes yes
9 2452 MHz yes yes
10 2457 MHz yes yes
11 2462 MHz yes no
12 2467 MHz yes no
13 2472 MHz yes no
Warning: You should check how many and what frequencies you have in your regulatory
domain before. If there are 10 or 11 channels adjust settings accordingly. With only 10
channels, channel #10 will have no sense of setting 20/40MHz HT above since no full 20MHz
channel is available
Wireless frequency usage

If wireless is not performing very well even when data rates are reported as being good, there
might be that your neighbours are using same wireless channel as you are. To make sure
follow these steps:
 Open frequency usage monitoring tool Freq. Usage... that is located in wireless interface
details;
 Wait for some time as scan results are displayed. Do that for minute or two. Smaller
numbers in Usage column means that channel is less crowded.
Note: Monitoring is performed on default channels for Country selected in configuration. For
example, if selected country would be Latvia, there would have been 13 frequencies listed as
at that country have 13 channels allowed.
Change Country settings

By default country attribute in wireless settings is set to no_country_set. It is good practice to
change this (if available) to change country you are in. To do that do the following:
 Go to wireless menu and select Advanced mode;
 Look up Country attribute and from drop-down menu select country
Note: Advanced mode is toggle button that changes from Simple to Advanced mode and back.
Port forwarding
To make services on local servers/hosts available to general public it is possible to forward
ports from outside to inside your NATed network, that is done from /ip firewall nat menu. For
example, to make possible for remote helpdesk to connect to your desktop and guide you,
make your local file cache available for you when not at location etc.
Static configuration
A lot of users prefer to configure these rules statically, to have more control over what service
is reachable from outside and what is not. This also has to be used when service you are using
does not support dynamic configuration.
Following rule will forward all connections to port 22 on the router external ip address to port 86
on your local host with set IP address:
if you require other services to be accessible you can change protocol as required, but usually
services are running TCP and dst-port. If change of port is not required, eg. remote service is
22 and local is also 22, then to-ports can be left unset.
Comparable command line command:
/ip firewall nat add chain=dstnat dst-address=172.16.88.67

protocol=tcp dst-port=22 \
action=dst-nat to-address=192.168.88.22 to-ports=86
Note: Screenshot contain only minimal set of settings are left visible
Dynamic configuration
uPnP is used to enable dynamic port forwarding configuration where service you are running
can request router using uPnP to forward some ports for it.
Warning: Services you are not aware of can request port forwarding. That can compromise
security of your local network, your host running the service and your data
Configuring uPnP service on the router:
 Set up what interfaces should be considered external and what internal;
/ip upnp interface add interface=ether1 type=external

/ip upnp interface add interface=ether2 type=internal
 Enable service itself
/ip upnp set allow-disable-external-interface=no show-dummy-rule=no

enabled=yes
Limiting access to web pages

Using IP -> Web Proxy it is possible to limit access to unwanted web pages. This requires
some understanding of use of WebFig interface.
Set up Web Proxy for page filtering
From IP -> Web Proxy menu Access tab open Web Proxy Settings and make sure that these
attributes are set follows:
Enabled -> checked

Port -> 8080
Max. Cache Size -> none
Cache on disk -> unchecked
Parent proxy -> unset
When required alterations are done applysettings to return to Access tab.

Set up Access rules
This list will contain all the rules that are required to limit access to sites on the Internet.
To add sample rule to deny access to any host that contain example.com do the following
when adding new entry:
Dst. Host -> .*example\.com.*

Action -> Deny
With this rule any host that has example.com will be unaccessible.
Limitation strategies
There are two main approaches to this problem
 deny only pages you know you want to deny (A)

 allow only certain pages and deny everything else (B)
For approach A each site that has to be denied is added with Action set to Deny
For approach B each site that has to be allowed should be added with Action set to Allow and
in the end is rule, that matches everything with Action set to Deny.
[ Top | Back to Content ]
Manual:Console login process
Applies to RouterOS:2.9, v3, v4
Contents
[hide]
 1Description
 2Console login options
 3Different information shown by login process
o 3.1Banner
o 3.2License
o 3.3Demo version upgrade reminder
o 3.4Software key information
 4Different information shown by console process after logging in
o 4.1System Note
o 4.2Critical log messages
 5Prompt
 6FAQ
Description
There are different ways to log into console:
 serial port
 console (screen and keyboard)
 telnet
 ssh
 mac-telnet
 winbox terminal
Input and validation of user name and password is done by login process. Login process can
also show different informative screens (license, demo version upgrade reminder, software key
information, default configuration).
At the end of successful login sequence login process prints banner and hands over control to
the console process.
Console process displays system note, last critical log entries, auto-detects terminal size and
capabilities and then displays command prompt]. After that you can start writing commands.
Use up arrow to recall previous commands from command history, TAB key to automatically
complete words in the command you are typing, ENTER key to execute command, and
Control-C to interrupt currently running command and return to prompt.
Easiest way to log out of console is to press Control-D at the command prompt while command
line is empty (You can cancel current command and get an empty line with Control-C, so
Control-C followed by Control-D will log you out in most cases).
Console login options

Starting from v3.14 it is possible to specify console options during login process. These options
enables or disables various console features like color, terminal detection and many other.
Additional login parameters can be appended to login name after '+' sign.
login_name ::= user_name [ '+' parameters ]

parameters ::= parameter [ parameters ]
parameter ::= [ number ] 'a'..'z'
number ::= '0'..'9' [ number ]
If parameter is not present, then default value is used. If number is not present then implicit
value of parameter is used.
example: admin+c80w - will disable console colors and set terminal width to 80.
Param Default Implicit
"w" auto auto Set terminal width
"h" auto auto Set terminal height
"c" on off disable/enable console colors
"t" on off Do auto detection of terminal capabilities
"e" on off Enables "dumb" terminal mode
Different information shown by login process

Banner
Login process will display MikroTik banner after validating user name and password.
MMM MMM KKK TTTTTTTTTTT KKK

MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK
KKK
KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK
KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK
KKK
MikroTik RouterOS 3.0rc (c) 1999-2007 http://www.mikrotik.com/
Actual banner can be different from the one shown here if it is replaced by distributor. See
also: branding.
License
After logging in for the first time after installation you are asked to read software licenses.
Do you want to see the software license? [Y/n]:
Answer y to read licenses, n if you do not wish to read licenses (question will not be shown
again). Pressing SPACE will skip this step and the same question will be asked after next
login.
Demo version upgrade reminder
After logging into router that has demo key, following remonder is shown:
UPGRADE NOW FOR FULL SUPPORT

----------------------------
FULL SUPPORT benefits:
- receive technical support
- one year feature support
- one year online upgrades
(avoid re-installation and re-configuring your router)
To upgrade, register your license "software ID"
on our account server www.mikrotik.com
Current installation "software ID": ABCD-456
Please press "Enter" to continue!
Software key information

If router does not have software key, it is running in the time limited trial mode. After logging in
following information is shown:
ROUTER HAS NO SOFTWARE KEY

----------------------------
You have 16h58m to configure the router to be remotely accessible,
and to enter the key by pasting it in a Telnet window or in Winbox.
See www.mikrotik.com/key for more details.
Current installation "software ID": ABCD-456

Please press "Enter" to continue!
After entering valid software key, following information is shown after login:
ROUTER HAS NEW SOFTWARE KEY

----------------------------
Your router has a valid key, but it will become active
only after reboot. Router will automatically reboot in a day.
=== Automatic configuration ===
Usually after [[netinstall|installation]] or configuration [[reset]]

RouterOS will apply [[default
settings]], such as an IP address.
First login into will show summary of these settings and offer to undo
them.
This is an example:
<pre>
The following default configuration has been installed on your router:
-----------------------------------------------------------------------
--------
IP address 192.168.88.1/24 is on ether1
ether1 is enabled
-----------------------------------------------------------------------
--------
You can type "v" to see the exact commands that are used to add and
remove
this default configuration, or you can view them later with
'/system default-configuration print' command.
To remove this default configuration type "r" or hit any other key to
continue.
If you are connected using the above IP and you remove it, you will be
disconnected.
Applying and removing of the default configuration is done using console script (you can press
'v' to review it).
Different information shown by console process after logging

in
System Note
It is possible to always display some fixed text message after logging into console.
Critical log messages
Console will display last critical error messages that this user has not seen yet. See log for
more details on configuration. During console session these messages are printed on screen.
dec/10/2007 10:40:06 system,error,critical login failure for user root

from 10.0.0.1 via telnet
dec/10/2007 10:40:07 system,error,critical login failure for user root
dec/10/2007 10:40:09 system,error,critical login failure for user test
Prompt
 [admin@MikroTik] /interface> - Default command prompt, shows user name, system
identity, and current command path.
 [admin@MikroTik] /interface<SAFE> - Prompt indicates that console session is in
Safe Mode.
 [admin@MikroTik] >> - Prompt indicates that HotLock is turned on.
 {(\... - While entering multiple line command continuation prompt shows open
parentheses.
 line 2 of 3> - While editing multiple line command prompt shows current line number
and line count.
 address: - Command requests additional input. Prompt shows name of requested value.
Console can show different prompts depending on enabled modes and data that is being
edited. Default command prompt looks like this:
[admin@MikroTik] /interface>
Default command prompt shows name of user, '@' sign and system name in brackets, followed
by space, followed by current command path (if it is not '/'), followed by '>' and space. When
console is in safe mode, it shows word SAFE in the command prompt.
[admin@MikroTik] /interface<SAFE>
Hotlock mode is indicated by an additional yellow '>' character at the end of the prompt.
[admin@MikroTik] >>
It is possible to write commands that consist of multiple lines. When entered line is not a
complete command and more input is expected, console shows continuation prompt that lists
all open parentheses, braces, brackets and quotes, and also trailing backslash if previous line
ended with backslash-whitespace.
[admin@MikroTik] > {
{... :put (\
{(\... 1+2)}
3
When you are editing such multiple line entry, prompt shows number of current line and total
line count instead of usual username and system name.
line 2 of 3> :put (\
Sometimes commands ask for additional input from user. For example, command '/password'
asks for old and new passwords. In such cases prompt shows name of requested value,
followed by colon and space.
[admin@MikroTik] > /password

old password: ******
new password: **********
retype new password: **********
FAQ
Q: How do I turn off colors in console?
A: Add '+c' after login name.
Q: After logging in console prints rubbish on the screen, what to do?
Q: My expect script does not work with newer 3.0 releases, it receives some strange
characters. What are those?
A: These sequences are used to automatically detect terminal size and capabilities. Add '+t'
after login name to turn them off.
Q: Thank you, now terminal width is not right. How do I set terminal width?
A: Add '+t80w' after login name, where 80 is your terminal width.
Manual:Troubleshooting tools
Contents
[hide]
 1Troubleshooting tools
o 1.1Check network connectivity
 1.1.1Using the ping command
 1.1.2Using the traceroute command
o 1.2Log Files
o 1.3Torch (/tool torch)
 1.3.1IPv6
 1.3.2Winbox
o 1.4Packet Sniffer (/tool sniffer)
o 1.5Bandwidth test
o 1.6Profiler
Troubleshooting tools
Before, we look at the most significant commands for connectivity checking and
troubleshooting, here is little reminder on how to check host computer's network interface
parameters on .
The Microsoft windows have a whole set of helpful command line tools that helps testing and
configuring LAN/WAN interfaces. We will look only at commonly used Windows networking
tools and commands.
All of the tools are being ran from windows terminal. Go to Start/Run and enter "cmd" to open
a Command window.
Some of commands on windows are:
ipconfig – used to display the TCP/IP network configuration values. To open it, enter
" ipconfig " in the command prompt.
C:\>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : mshome.net
Link-local IPv6 Address . . . . . : fe80::58ad:cd3f:f3df:bf18%8
IPv4 Address. . . . . . . . . . . : 173.16.16.243
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 173.16.16.1
There are also a variety of additional functions for ipconfig. To obtain a list of additional
options, enter " ipconfig /? " or “ ipconfig -? ”.
netstat – displays the active TCP connections and ports on which the computer is listening,
Ethernet statistics, the IP routing table, statistics for the IP, ICMP, TCP, and UDP protocols. It
comes with a number of options for displaying a variety of properties of the network and TCP
connections “netstat –?”.
nslookup – is a command-line administrative tool for testing and troubleshooting DNS servers.
For example, if you want to know what IP address is "www.google.com", enter "nslookup
www.google.com" and you will find that there are more addresses 74.125.77.99,
74.125.77.104, 74.125.77.147.
netsh – is a tool an administrator can use to configure and monitor Windows-based computers
at a command prompt. It allows configure interfaces, routing protocols, routes, routing filters
and display currently running configuration.
Very similar commands are available also on unix-like machines. Today in most of Linux
distributions network settings can be managed via GUI, but it is always good to be familiar with
the command-line tools. Here is the list of basic networking commands and tools on Linux:
ifconfig – it is similar like ipconfig commands on windows. It lets enable/disable network
adapters, assigned IP address and netmask details as well as show currently network interface
configuration.
iwconfig - iwconfig tool is like ifconfig and ethtool for wireless cards. That also view and set
the basic Wi-Fi network details.
nslookup – give a host name and the command will return IP address.
netstat – print network connections, including port connections, routing tables, interface
statistics, masquerade connections, and more. (netstat – r, netstat - a)
ip – show/manipulate routing, devices, policy routing and tunnels on linux-machine.
For example, check IP address on interface using ip command:
$ip addr show
You can add static route using ip following command:

ip route add {NETWORK address} via {next hop address} dev {DEVICE}, for example:
$ip route add 192.168.55.0/24 via 192.168.1.254 dev eth1
mentioned tools are only small part of networking tools that is available on Linux. Remember if
you want full details on the tools and commands options use man command. For example, if
you want to know all options on ifconfig write command man ifconfig in terminal.
Check network connectivity

Using the ping command
Ping is one of the most commonly used and known commands. Administration utility used to
test whether a particular host is reachable across an Internet Protocol (IP) network and to
measure the round-trip time for packets sent from the local host to a destination host, including
the local host's own interfaces.
Ping uses Internet Control Message Protocol (ICMP) protocol for echo response and echo
request. Ping sends ICMP echo request packets to the target host and waits for an ICMP
response. Ping output displays the minimum, average and maximum times used for a ping
packet to find a specified system and return.
From PC:
Windows:
C:\>ping 10.255.255.4
Pinging 10.255.255.4 with 32 bytes of data:
Reply from 10.255.255.4: bytes=32 time=1ms TTL=61
Reply from 10.255.255.4: bytes=32 time<1ms TTL=61
Ping statistics for 10.255.255.4:
Packets: Sent = 4, Received = 4, Lost = 0 (0%
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
Unix-like:
andris@andris-desktop:/$ ping 10.255.255.6

PING 10.255.255.6 (10.255.255.6) 56(84) bytes of data.
64 bytes from 10.255.255.6: icmp_seq=1 ttl=61 time=1.23 ms
^C
--- 10.255.255.6 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.780/0.948/1.232/0.174 ms
Press Ctrl-C to stop ping process.
From MikroTik:
[admin@MikroTik] > ping 10.255.255.4

10.255.255.4 64 byte ping: ttl=62 time=2 ms
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1/5.2/10 ms
Press Ctrl-C to stop ping process.
Using the traceroute command

Traceroute displays the list of the routers that packet travels through to get to a remote host.
The traceroute or tracepath tool is available on practically all Unix-like operating systems
and tracert on Microsoft Windows operating systems.
Traceroute operation is based on TTL value and ICMP “Time Exceeded” message. Remember
that TTL value in IP header is used to avoid routing loops. Each hop decrements TTL value by
1. If the TTL reaches zero, the packet is discarded and ICMP Time Exceeded message is sent
back to the sender when this occurs.
Initially by traceroute, the TTL value is set to 1 when next router finds a packet with TTL = 1 it
sets TTL value to zero, and responds with an ICMP "time exceeded" message to the source.
This message lets the source know that the packet traverses that particular router as a hop.
Next time TTL value is incremented by 1 and so on. Typically, each router in the path towards
the destination decrements the TTL field by one unit TTL reaches zero.
Using this command you can see how packets travel through the network and where it may fail
or slow down. Using this information you can determine the computer, router, switch or other
network device that possibly causing network issues or failures.
From Personal computer:
Windows:
C:\>tracert 10.255.255.2
Tracing route to 10.255.255.2 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 10.13.13.1
2 1 ms 1 ms 1 ms 10.255.255.2
Trace complete.
Unix-like:
Traceroute and tracepath is similar, only tracepath does not not require superuser privileges.
andris@andris-desktop:~$ tracepath 10.255.255.6

1: andris-desktop.local (192.168.10.4) 0.123ms pmtu
1500
1: 192.168.10.1 (192.168.10.1) 0.542ms
1: 192.168.10.1 (192.168.10.1) 0.557ms
2: 192.168.1.2 (192.168.1.2) 1.213ms
3: no reply
4: 10.255.255.6 (10.255.255.6) 2.301ms
reached
Resume: pmtu 1500 hops 4 back 61
From MikroTik:
[admin@MikroTik] > tool traceroute 10.255.255.1

ADDRESS STATUS
1 10.0.1.17 2ms 1ms 1ms
2 10.255.255.1 5ms 1ms 1ms
[admin@MikroTik] >
Log Files
System event monitoring facility allows to debug different problems using Logs. Log file is a
text file created in the server/router/host capturing different kind of activity on the device. This
file is the primary data analysis source. RouterOS is capable of logging various system events
and status information. Logs can be saved in routers memory (RAM), disk, file, sent by email or
even sent to remote syslog server.
All messages stored in routers local memory can be printed from /log menu. Each entry
contains time and date when event occurred, topics that this message belongs to and message
itself.
[admin@MikroTik] /log> print

15:22:52 system,info device changed by admin
16:16:29 system,info,account user admin logged out from 10.13.13.14 via
winbox
16:16:29 system,info,account user admin logged out from 10.13.13.14 via
telnet
16:17:16 system,info filter rule added by admin
16:17:34 system,info mangle rule added by admin
16:17:52 system,info simple queue removed by admin
16:18:15 system,info OSPFv2 network added by admin
Read more about logging on RouterOS here>>
Torch (/tool torch)

Torch is real-time traffic monitoring tool that can be used to monitor the traffic flow through an
interface.
You can monitor traffic classified by protocol name, source address, destination address, port.
Torch shows the protocols you have chosen and tx/rx data rate for each of them.
Note: Wireless clients which belong to the same subnet and have enabled default-
forwarding communicate through wireless chip. This traffic will not be seen by the torch tool.
Example:
The following example monitor the traffic generated by the telnet protocol, which passes
through the interface ether1.
[admin@MikroTik] tool> torch ether1 port=telnet

SRC-PORT DST-PORT TX
RX
1439 23 (telnet) 1.7kbps
368bps
[admin@MikroTik] tool>
To see what IP protocols are sent via ether1:
[admin@MikroTik] tool> torch ether1 protocol=any-ip

PRO.. TX RX
tcp 1.06kbps 608bps
udp 896bps 3.7kbps
icmp 480bps 480bps
ospf 0bps 192bps
In order to see what protocols are linked to a host connected to interface 10.0.0.144/32 ether1:
[admin@MikroTik] tool> torch ether1 src-address=10.0.0.144/32

protocol=any
PRO.. SRC-ADDRESS TX RX
tcp 10.0.0.144 1.01kbps 608bps
icmp 10.0.0.144 480bps 480bps
IPv6
Starting from v5RC6 torch is capable of showing IPv6 traffic. Two new parameters are
introduced src-address6 and dst-address6. Example:
admin@RB1100test] > /tool torch interface=bypass-bridge src-

address6=::/0 ip-protocol=any sr
c-address=0.0.0.0/0
MAC-PROTOCOL IP-PROT... SRC-ADDRESS
TX RX
ipv6 tcp 2001:111:2222:2::1
60.1kbps 1005.4kbps
ip tcp 10.5.101.38
18.0kbps 3.5kbps
ip vrrp 10.5.101.34
0bps 288bps
ip udp 10.5.101.1
0bps 304bps
ip tcp 10.0.0.176
0bps 416bps
ip ospf 224.0.0.5
544bps 0bps
78.7kbps 1010.0kbps
To make /ping tool to work with domain name that resolves IPv6 address use the following:
/ping [:resolve ipv6.google.com]
By default ping tool will take IPv4 address.

Winbox
More attractive Torch interface is available from Winbox (Tool>Torch). In Winbox you can also
trigger a Filter bar by hitting the F key on the keyboard.
Packet Sniffer (/tool sniffer)
Packet sniffer is a tool that can capture and analyze packets sent and received by specific
interface. packet sniffer uses libpcap format.
Packet Sniffer Configuration
In the following example streaming-server will be added, streaming will be enabled, file-
name will be set to test and packet sniffer will be started and stopped after some time:
[admin@MikroTik] tool sniffer> set streaming-server=192.168.0.240 \

\... streaming-enabled=yes file-name=test
[admin@MikroTik] tool sniffer> print
interface: all
only-headers: no
memory-limit: 10
file-name: "test"
file-limit: 10
streaming-enabled: yes
streaming-server: 192.168.0.240
filter-stream: yes
filter-protocol: ip-only
filter-address1: 0.0.0.0/0:0-65535
filter-address2: 0.0.0.0/0:0-65535
running: no
[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop
Here you can specify different packet sniffer parameters, like maximum amount of used
memory, file size limit in KBs.
Running Packet Sniffer Tool
There are three commands that are used to control runtime operation of the packet sniffer:
/tool sniffer start, /tool sniffer stop, /tool sniffer save.
The start command is used to start/reset sniffing, stop - stops sniffing. To save currently
sniffed packets in a specific file save command is used.
In the following example the packet sniffer will be started and after
some time - stopped:
[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop
Below the sniffed packets will be saved in the file named test:
[admin@MikroTik] tool sniffer> save file-name=test
View sniffed packets

There are also available different submenus for viewing sniffed packets.
 /tool sniffer packet – show the list of sniffed packets
 /tool sniffer protocol – show all kind of protocols that have been sniffed
 /tool sniffer host – shows the list of hosts that were participating in data exchange you've
sniffed
For example:
[admin@MikroTik] tool sniffer packet> print
# TIME INTERFACE SRC-ADDRESS

0 1.697 ether1 0.0.0.0:68 (bootpc)
1 1.82 ether1 10.0.1.17
2 2.007 ether1 10.0.1.18
3 2.616 ether1 0.0.0.0:68 (bootpc)
4 2.616 ether1 10.0.1.18:45630
5 5.99 ether1 10.0.1.18
6 6.057 ether1 159.148.42.138
7 7.067 ether1 10.0.1.5:1701 (l2tp)
8 8.087 ether1 10.0.1.18:1701 (l2tp)
9 9.977 ether1 10.0.1.18:1701 (l2tp)
-- more
Figure below shows sniffer GUI in Winbox, which is more user-friendly.

Detailed commands description can be found in the manual >>
Bandwidth test
The Bandwidth Tester can be used to measure the throughput (Mbps) to another MikroTik
router (either wired or wireless network) and thereby help to discover network
"bottlenecks"- network point with lowest throughput.
BW test uses two protocols to test bandwidth:
 TCP – uses the standard TCP protocol operation principles with all main components like
connection initialization, packets acknowledgments, congestion window mechanism and all
other features of TCP algorithm. Please review the TCP protocol for details on its internal
speed settings and how to analyze its behavior. Statistics for throughput are calculated
using the entire size of the TCP data stream. As acknowledgments are an internal working
of TCP, their size and usage of the link are not included in the throughput statistics.
Therefore statistics are not as reliable as the UDP statistics when estimating throughput.
 UDP traffic – sends 110% or more packets than currently reported as received on the other
side of the link. To see the maximum throughput of a link, the packet size should be set for
the maximum MTU allowed by the links which is usually 1500 bytes. There is no
acknowledgment required by UDP; this implementation means that the closest
approximation of the throughput can be seen.
Remember that Bandwidth Test uses all available bandwidth (by default) and may impact
network usability.
If you want to test real throughput of a router, you should run bandwidth test through the router
not from or to it. To do this you need at least 3 routers connected in chain:
Bandwidth Server – router under test – Bandwidth Client.
Note: If you use UDP protocol then Bandwidth Test counts IP header+UDP header+UDP data.
In case if you use TCP then Bandwidth Test counts only TCP data (TCP header and IP header
are not included).
Configuration example:
Server
To enable bandwidth-test server with client authentication:
[admin@MikroTik] /tool bandwidth-server> set enabled=yes

authenticate=yes
[admin@MikroTik] /tool bandwidth-server> print
enabled: yes
authenticate: yes
allocate-udp-ports-from: 2000
max-sessions: 100
[admin@MikroTik] /tool bandwidth-server>
Client
Run UDP bandwidth test in both directions, user name and password depends on remote
Bandwidth Server. In this case user name is ‘admin’ without any password.
[admin@MikroTik] > tool bandwidth-test protocol=udp user=admin

password="" direction=both \
address=10.0.1.5
status: running
duration: 22s
tx-current: 97.0Mbps
tx-10-second-average: 97.1Mbps
tx-total-average: 75.2Mbps
rx-current: 91.7Mbps
rx-10-second-average: 91.8Mbps
rx-total-average: 72.4Mbps
lost-packets: 294
random-data: no
direction: both
tx-size: 1500
rx-size: 1500
-- [Q quit|D dump|C-z pause]
More information and all commands description can be found in the manual>>
Profiler
Profiler is a tool that shows CPU usage for each process running on RouterOS. It helps to
identify which process is using most of the CPU resources.
Read more >>
Manual:Support Output File

Contents
[hide]
 1What is a supout.rif file?
 2Making Support Output file
o 2.1Winbox
o 2.2Webfig
o 2.3Console
What is a supout.rif file?
Applies to RouterOS:ALL
The support file is used for debugging MikroTik RouterOS and to solve the support questions
faster. All MikroTik Router information is saved in a binary file, which is stored on the router
and can be downloaded from the router using FTP. If required, then you can generate file also
on "/flash" folder on devices with FLASH type memory or external storage drive, by specifying
full path to the file "name=flash/supout.rif". You can view the contents of this file in
your Mikrotik account, simply click on "Supout.rif viewer" located in the left column and upload
the file.
This file contains all your routers configuration, logs and some other details that will help the
MikroTik Support to solve your issue. The file does not contain sensitive information or router
passwords.
Making Support Output file
Winbox
To generate this file in Winbox, click on "Make Supout.rif"
To save the file to your computer, right mouse click on file and select "Download" to get
support output file, or simply drag the file to your desktop.
Webfig
To generate this file in Webfig, click on "Make Supout.rif" and then "Download" to get in on
your
computer
Console
To generate this file, please type in the command line:
/system sup-output name=supout.rif
Manual:Securing Your Router

The following steps are recommendation how to protect your router. We strongly suggest to
keep default firewall, it can be patched by other rules that fullfils your setup requirements.
Other tweaks and configuration options to harden your router's security are described later.
Contents
[hide]
 1Access to a router
o 1.1Access username
o 1.2Access password
o 1.3Access by IP address
 2Router services
o 2.1RouterOS services
o 2.2RouterOS MAC-access
 2.2.1MAC-Telnet
 2.2.2MAC-Winbox
 2.2.3MAC-Ping
o 2.3Neighbor Discovery
o 2.4Bandwidth server
o 2.5DNS cache
o 2.6Other clients services
o 2.7More Secure SSH access
 3Router interface
o 3.1Ethernet/SFP interfaces
o 3.2LCD
 4Firewall
o 4.1IPv4 firewall to a router
o 4.2IPv4 firewall for clients
 5IPv6
o 5.1IPv6 ND
o 5.2IPv6 firewall to a router
o 5.3IPv6 firewall for clients
Access to a router
Access username
Change default username admin to different name, custom name helps to protect access to
your rotuer, if anybody got direct access to your router.
/user print
/user set 0 name=myname
Access password
MikroTik routers requires password configuration, we suggest to use pwgen or other password
generator tool to create secure and non-repeating passwords,
/user set 0 password="!={Ba3N!"40TуX+GvKBz?jTLIUcx/,"
Another option to set a password,
/password
We strongly suggest to use second method or Winbox interface to apply new password for
your router, just to keep it safe from other unauthorised access.
Access by IP address
Besides the fact that default firewall protects your router from unauthorized access from outer
networks, it is possible to restrict username access for the specific IP address
/user set 0 allowed-address=x.x.x.x/yy
x.x.x.x/yy - your IP or network subnet that is allowed to access your router.
Note: login to router with new credentials to check that username/password are working.
Router services
All production routers have to be administred by SSH, secured Winbox or HTTPs services. Use
the latest Winbox version for secure
access.
RouterOS services
Most of RouterOS administrative tools are configured at
/ip service print
Keep only secure ones,
/ip service disable telnet,ftp,www,api,api-ssl

/ip service print
and also change the default port, this will immediately stop most of the random SSH bruteforce
login attempts:
/ip service set ssh port=2200

/ip service print
Additionaly each /ip service entity might be secured by allowed IP address (the address service
will reply to)
/ip service set winbox address=192.168.88.0/24
RouterOS MAC-access
RouterOS has built-in options for easy management access to network devices. The particular
services should be shutdown on production networks.
MAC-Telnet
Disable mac-telnet services,
/tool mac-server set allowed-interface-list=none

/tool mac-server print
MAC-Winbox
Disable mac-winbox services,
/tool mac-server mac-winbox set allowed-interface-list=none

/tool mac-server mac-winbox print
MAC-Ping
Disable mac-ping service,
/tool mac-server ping set enabled=no

/tool mac-server ping print
Neighbor Discovery
MikroTik Neighbor discovery protocol is used to show and recognize other MikroTik routers in
the network, disable neighbor discovery on all interfaces,
/ip neighbor discovery-settings set discover-interface-list=none
Bandwidth server
Bandwidth server is used to test throughput between two MikroTik routers. Disable it in
production enironment.
/tool bandwidth-server set enabled=no
DNS cache
Router might have DNS cache enabled, that decreases resolving time for DNS requests from
clients to remote servers. In case DNS cache is not required on your router or another router is
used for such purposes, disable it.
ip dns set allow-remote-requests=no
Other clients services

RouterOS might have other services enabled (they are disabled by default RouterOS
configuration). MikroTik caching proxy,
/ip proxy set enabled=no
MikroTik socks proxy,
/ip socks set enabled=no
MikroTik UPNP service,
/ip upnp set enabled=no
MikroTik dynamic name service or ip cloud,
ip cloud set ddns-enabled=no update-time=no
More Secure SSH access

RouterOS utilises stronger crypto for SSH, most newer programs use it, to turn on SSH strong
crypto:
/ip ssh set strong-crypto=yes
Router interface
Ethernet/SFP interfaces
It is good practice to disable all unused interfaces on your router, in order to decrease
unauthorised access to your router.
/interface print
/interface set x disabled=yes
 x numbers of the unused interfaces.
LCD
Some RouterBOARDs have LCD module for informational purpose, set pin or disable it.
/lcd set enabled=no
Firewall
We strongly suggest to keep default firewall on. Here are few adjustment to make it more
secure, make sure to apply the rules, when you understand what are they doing.
IPv4 firewall to a router
 work with new connections to decrease load on a router;

 create address-list for IP addresses, that are allowed to access your router;
 enable ICMP access (optionally);
 drop everything else, log=yes might be added to log packets that hit the specific rule;
/ip firewall filter

add action=accept chain=input comment="default configuration"
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
IPv4 firewall for clients
 Established/related packets are added to fasttrack for faster data throughput, firewall will
work with new connections only;
 drop invalid connection and log them with prefix invalid;
 drop attempts to reach not public addresses from your local network, apply address-
list=not_in_internet before, bridge1 is local network interface, log attempts
with !public_from_LAN;
 drop incoming packets that are not NATed, ether1 is public interface, log attempts
with !NAT prefix;
 drop incoming packets from Internet, which are not public IP addresses, ether1 is public
interface, log attempts with prefix !public;
 drop packets from LAN that does not have LAN IP, 192.168.88.0/24 is local network used
subnet;
/ip firewall filter

add action=fasttrack-connection chain=forward comment=FastTrack
add action=accept chain=forward comment="Established, Related"
add action=drop chain=forward comment="Drop invalid" connection-
state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop tries to reach not public
addresses from LAN" dst-address-list=not_in_internet in-
interface=bridge1 log=yes log-prefix=!public_from_LAN out-
interface=!bridge1
add action=drop chain=forward comment="Drop incoming packets that are
not NATted" connection-nat-state=!dstnat connection-state=new in-
interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet
which is not public IP" in-interface=ether1 log=yes log-prefix=!public
src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do
not have LAN IP" in-interface=bridge1 log=yes log-prefix=LAN_!LAN src-
address=!192.168.88.0/24
/ip firewall address-list

add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]"
list=not_in_internet
IPv6
Currently IPv6 package is disabled by default. Please enable package with care, as RouterOS
will not create any default firewall rules for IPv6 at the moment.
IPv6 ND
Disable IPv6 Neighbour Discovery
/ipv6 nd set [find] disabled=yes
IPv6 firewall to a router
 work with new packets, accept established/related packets;

 drop link-local addresses from Internet interface;
 accept access to a router from link-local addresses, accept multicast addresses for
management purposes, accept your address for router access;
 drop anything else;
/ipv6 firewall filter

add action=accept chain=input comment="allow established and related"
add chain=input action=accept protocol=icmpv6 comment="accept ICMPv6"
add chain=input action=accept protocol=udp port=33434-33534
comment="defconf: accept UDP traceroute"
add chain=input action=accept protocol=udp dst-port=546 src-
address=fe80::/16 comment="accept DHCPv6-Client prefix delegation.)
add action=drop chain=input in-interface=sit1 log=yes log-
prefix=dropLL_from_public src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" src-
address-list=allowed
add action=drop chain=input
/ipv6 firewall address-list
add address=fe80::/16 list=allowed
add address=xxxx::/48 list=allowed
add address=ff02::/16 comment=multicast list=allowed
IPv6 firewall for clients

Enabled IPv6 puts your clients available for public networks, set proper firewall to protect your
customers.
 accept established/related and work with new packets;

 drop invalid packets and put prefix for rules;
 accept ICMP packets;
 accept new connection from your clients to the Internet;
 drop everything else.
/ipv6 firewall filter

add action=accept chain=forward comment=established,related connection-
state=established,related
add action=drop chain=forward comment=invalid connection-state=invalid
log=yes log-prefix=ipv6,invalid
add action=accept chain=forward comment=icmpv6 in-interface=!sit1
protocol=icmpv6
add action=accept chain=forward comment="local network" in-
interface=!sit1 src-address-list=allowed
add action=drop chain=forward log-prefix=IPV6
Manual:RouterOS features
Contents
[hide]
 1RouterOS features
o 1.1Hardware Support
o 1.2Installation
o 1.3Configuration
o 1.4Backup/Restore
o 1.5Firewall
o 1.6Routing
o 1.7MPLS
o 1.8VPN
o 1.9Wireless
o 1.10DHCP
o 1.11Hotspot
o 1.12QoS
o 1.13Proxy
o 1.14Tools
o 1.15Other features
RouterOS features
RouterOS is MikroTik's stand-alone operating system based on linux v3.3.5 kernel. The
following list shows features found in the latest RouterOS release:
Hardware Support
 i386 compatible architecture

 SMP – multi-core and multi-CPU compatible
 Minimum 32MB of RAM (maximum supported 2GB, except on Cloud Core devices and
CHR installations, where there is no maximum)
 IDE, SATA, USB and flash storage medium with minimum of 64MB space
 Network cards supported by linux v3.3.5 kernel (PCI, PCI-X)
 Partial hardware compatibility list (user maintained)
 Switch chip configuration support
Installation
 M:Netinstall: Full network based installation from PXE or EtherBoot enabled network card
 Netinstall: Installation to a secondary drive mounted in Windows
 CD based installation
Configuration
 MAC based access for initial configuration

 WinBox – standalone Windows GUI configuration tool
 M:Webfig - advanced web based configuration interface
 TikApp - Android based configuration tool.
 Powerful command-line configuration interface with integrated scripting capabilities,
accessible via local terminal, serial console, telnet and ssh
 API - the way to create your own configuration and monitoring applications.
Backup/Restore
 Binary configuration backup saving and loading

 Configuration export and import in human readable text format
Firewall
 Statefull filtering
 Source and destination NAT
 NAT helpers (h323, pptp, quake3, sip, ftp, irc, tftp)
 Internal connection, routing and packet marks
 Filtering by IP address and address range, port and port range, IP protocol, DSCP and
many more
 Address lists
 Custom Layer7 matcher
 IPv6 support
 PCC - per connection classifier, used in load balancing configurations
 RAW filtering to bypass connection tracking.
Routing
 Static routing
 Virtual Routing and Forwarding (VRF)
 Policy based routing
 Interface routing
 ECMP routing
 IPv4 dynamic routing protocols: RIP v1/v2, OSPFv2, BGP v4
 IPv6 dynamic routing protocols: RIPng, OSPFv3, BGP
 Bidirectional Forwarding Detection ( BFD)
MPLS
 Static Label bindings for IPv4

 Label Distribution protocol for IPv4
 RSVP Traffic Engineering tunnels
 VPLS MP-BGP based autodiscovery and signaling
 MP-BGP based MPLS IP VPN
 complete list of MPLS features
VPN
 IPSec – tunnel and transport mode, certificate or PSK, AH and ESP security protocols.
Hardware encryption support on RouterBOARD 1000.
 IKEv2 support
 AES-NI hardware acceleration support for IPSec
 Point to point tunneling ( OpenVPN, PPTP, PPPoE, L2TP, SSTP)
 Advanced PPP features (MLPPP, BCP)
 Simple tunnels ( IPIP, EoIP) IPv4 andIPv6 support
 6to4 tunnel support (IPv6 over IPv4 network)
 VLAN – IEEE802.1q Virtual LAN support, Q-in-Q support
 MPLS based VPNs
Wireless
 IEEE802.11a/b/g wireless client and access point

 Full IEEE802.11n support
 Nstreme and Nstreme2 proprietary protocols
 NV2 protocol
 Wireless Distribution System (WDS)
 Virtual AP
 WEP, WPA, WPA2
 Access control list
 Wireless client roaming
 WMM
 HWMP+ Wireless MESH protocol
 MME wireless routing protocol
DHCP
 Per interface DHCP server

 DHCP client and relay
 Static and dynamic DHCP leases
 RADIUS support
 Custom DHCP options
 DHCPv6 Prefix Delegation (DHCPv6-PD)
 DHCPv6 Client
Hotspot
 Plug-n-Play access to the Network

 Authentication of local Network Clients
 Users Accounting
 RADIUS support for Authentication and Accounting
QoS
 Hierarchical Token Bucket ( HTB) QoS system with CIR, MIR, burst and priority support
 Simple and fast solution for basic QoS implementation - Simple queues
 Dynamic client rate equalization ( PCQ)
Proxy
 HTTP caching proxy server

 Transparent HTTP proxy
 SOCKS protocol support
 DNS static entries
 Support for caching on a separate drive
 Parent proxy support
 Access control list
 Caching list
Tools
 Ping, traceroute
 Bandwidth test, ping flood
 Packet sniffer, torch
 Telnet, ssh
 E-mail and SMS send tools
 Automated script execution tools
 CALEA
 File Fetch tool
 Advanced traffic generator
Other features
 Samba support
 OpenFlow support
 Bridging – spanning tree protocol (STP, RSTP), bridge firewall and MAC natting.
 Dynamic DNS update tool
 NTP client/server and synchronization with GPS system
 VRRP v2 and v3 support
 SNMP
 M3P - MikroTik Packet packer protocol for wireless links and ethernet
 MNDP - MikroTik neighbor discovery protocol, supports CDP (Cisco discovery protocol)
 RADIUS authentication and accounting
 TFTP server
 Synchronous interface support (Farsync cards only) (Removed in v5.x)
 Asynchronous – serial PPP dial-in/dial-out, dial on demand
 ISDN – dial-in/dial-out, 128K bundle support, Cisco HDLC, x75i, x75ui, x75bui line
protocols, dial on demand
Manual:RouterOS FAQ
See also: Mikrotik_RouterOS_Preguntas_Frecuentes_(español/spanish)
Contents
[hide]
 1What is MikroTik RouterOS™?

 2Installation
 3Logging on and Passwords
 4Licensing Issues
 5Upgrading
 6Downgrading
 7TCP/IP Related Questions
 8Bandwidth Management Related Questions
 9Wireless Questions
 10BGP Questions
What is MikroTik RouterOS™?

What does MikroTik RouterOS™ do?
MikroTik RouterOS™ is a router operating system and software which turns a regular
Intel PC or MikroTik RouterBOARD™ hardware into a dedicated router.
What features does RouterOS™ have?
RouterOS feature list
Can I test the MikroTik RouterOS™ functionality before I buy the license?
Yes, you can download the installation from MikroTik's webpage and install your own
MikroTik router. The router has full functionality without the need for a license key for
24h total running time. That's enough time to test the router for 3 days at 8h a day, if
you shut down the router at the end of each 8h day.
Where can I get the License Key?
Create an account on MikroTik's webpage (the top right-hand corner of
www.mikrotik.com). You can use a credit card to pay for the key.
Can I use MikroTik router to hook up to a service provider via a T1, T3, or
other high speed connection?
Yes, you can install various NICs supported by MikroTik RouterOS™ and get your
edge router, backbone router, firewall, bandwidth manager, VPN server, wireless
access point, HotSpot and much more in one box. Please check the Specification
Sheet and Manual for supported interfaces!
How fast will it be?
An Intel PC is faster than almost any proprietary router, and there is plenty of
processing power even in a 100MHz CPU.
How does this software compare to using a Cisco router?
You can do almost everything that a proprietary router does at a fraction of the cost of
such a router and have flexibility in upgrading, ease of management and maintenance.
What OS do I need to install the MikroTik RouterOS™?
No Operating System is needed. The MikroTik RouterOS™ is standalone Operating
System. The OS is Linux kernel based and very stable. Your hard drive will be wiped
completely by the installation process. No additional disk support, just one PRIMARY
MASTER HDD or FlashDisk, except for WEB proxy cache.
How secure is the router once it is setup?
Access to the router is protected by username and password. Additional users can be
added to the router, specific rights can be set for user groups. Remote access to the
router can be restricted by user, IP address.Firewall filtering is the easiest way to
protect your router and network.
Installation
How can I install RouterOS?
RouterOS can be installed with CD Install or Netinstall.
How large HDD can I use for the MikroTik
RouterOS™?
MikroTik RouterOS™ supports disks larger than 8GB (usually up to 120GB). But make
sure the BIOS of the router's motherboard is able to support these large disks.
Can I run MikroTik RouterOS™ from any hard
drive in my system?
Yes
Is there support for multiple hard drives in
MikroTik RouterOS™?
A secondary drive is supported for web cache. This support has been added in 2.8,
older versions don't support multiple hard drives.
Why the CD installation stops at some
point and does not go "all the way
through"?
The CD installation is not working properly on some motherboards. Try to reboot the
computer and start the installation again. If it does not help, try using different
hardware.
Logging on and
Passwords
What is the username and
password when logging on to the
router for the first time?
Username is 'admin', and there is no password (hit the 'Enter' key). You can change
the password using the '/password' command.
How can I recover a lost
password?
If you have forgotten the password, there is no recovery for it. You have to reinstall the
router.
After power failure the
MikroTik router is not
starting up again
If you haven't shut the router down, the file system has not been unmounted properly.
When starting up, the RouterOS™ will perform a file system check. Depending on the
HDD size, it may take several minutes to complete. Do not interrupt the file system
check! It would make your installation unusable.
How can I access the
router if the LAN
interface has been
disabled?
You can access the router either locally (using monitor and keyboard) or through the
serial console.
Licensing
Issues
How many
MikroTik
RouterOS™
installations does
one license cover?
The license is per RouterOS installation. Each installed router needs a separate
license.
Does the
license expire?
The license never expires. The router runs for ever. Your only limitation is to which
versions you can upgrade. For example if it says "Upgradable to v4.x", it means you
can use all v4 releases, but not v5 This doesn't mean you can't stay on v4.x as long as
you want.
How can I
reinstall
the
MikroTik
RouterOS
™ software
without
losing my
software
license?
You have to use CD, Floppies or Netinstall procedure and install the MikroTik
RouterOS™ on the HDD with the previous MikroTik RouterOS™ installation still intact.
The license is kept with the HDD. Do not use format or partitioning utilities, they will
delete your key! Use the same (initial) BIOS settings for your HDD!
Can I
use my
MikroTi
k
Router
OS™
softwar
e
license
on a
differen
t
hardwa
re?
Yes, you can use different hardware (motherboard, NICs), but you should use the
same HDD. The license is kept with the HDD unless format or fdisk utilities are used. It
is not required to reinstall the system when moving to different hardware. When paying
for the license, please be aware, that it cannot be used on another harddrive than the
one it was installed upon.
License transfer to another hard drive costs 10$. Contact support to arrange this.
W
h
a
t
t
o
d
o
,
i
f
m
y
h
a
r
d
d
r
i
v
e
w
i
t
h
M
i
k
r
o
T
i
k
R
o
u
t
e
r
O
S
™
c
r
a
s
h
e
s
,
a
n
d
I
h
a
v
e
t
o
i
n
s
t
a
l
l
a
n
o
t
h
e
r
o
n
e
?
If you have paid for the license, you have to write to support[at]mikrotik.com and
describe the situation. We may request you to send the broken hard drive to us as
proof prior to issuing a replacement key.
W
h
a
t
h
a
p
p
e
n
s
i
f
m
y
h
a
r
d
w
a
r
e
b
r
e
a
k
s
a
g
a
i
n
,
a
n
d
I
l
o
s
e
m
y
r
e
p
l
a
c
e
m
e
n
t
k
e
y
?
The same process is used as above, but this time, we need physical proof that there is
in fact been another incident.
If you have a free demo license, no replacement key can be issued. Please obtain
another demo license, or purchase the base license.
More information available here All_about_licenses
H
o
w
c
a
n
I
e
n
t
e
r
a
n
e
w
S
o
f
t
w
a
r
e
K
e
y
?
Entering the key from Console/FTP:
Entering the key with Console/Telnet:
 use copy/paste to enter the key into a Telnet window (no matter which submenu).
Be sure to copy the whole key, including the lines "--BEGIN MIKROTIK
SOFTWARE KEY--" and "--END MIKROTIK SOFTWARE KEY--"
Entering the key from Winbox:
 use 'system -> license' menu in Winbox to Paste or Import the key
In the Account Server choose `work with keys`, then select your mis-typed key, and
then choose `fix key`.
Entering a RouterOS License key

All_about_licenses
You have to use the same version package files (extension .npk) as the system
package. Use the /system package print command to see the list of installed
packages. Check the free space on router's HDD using the /system resource
print command before uploading the package files. Make sure you have at least 2MB
free disk space on the router after you have uploaded the package files!
Upload the package files using the ftp BINARY mode to the router and issue /system
reboot command to shut down the router and reboot. The packages are installed
(upgraded) while the router is going for shutdown. You can monitor the installation
process on the monitor screen connected to the router. After reboot, the installed
packages are listed in the /system package print list.
To upgrade the software, you will need to download the latest package files (*.npk)
from our website (the 'system' package plus the ones that you need). Then, connect to
the router via FTP and upload the new packages to it by using Binary transfer mode.
Then reboot the router by issuing /system reboot command. More information
here: Upgrading_RouterOS
You have to obtain (purchase) the required license level or install the NPK package for
this interface (for example package 'wireless').
No, configuration is kept intact for upgrades within one version family. When upgrading
version families (for example, V2.5 to V2.6) you may lose the configuration of some
features that have major changes. For example when upgrading from V2.4, you should
upgrade to the last version of 2.4 first.
You need space for the system package and the additional packages you have to
upgrade. After uploading the newer version packages to the router you should have at
least 2MB free disk space left. If not, do not try to make the upgrade! Uninstall the
unnecessary packages first, and then upgrade the remaining ones.
You can downgrade by reinstalling the RouterOS™ from any media. The software
license will be kept with the HDD as long as the disk is not repartitioned/reformatted.
The configuration of the router will be lost (it is possible to save the old configuration,
but this option has unpredictable results when downgrading and it is not recommended
to use it).
Another way is to use the /system package downgrade command. This works only if
you downgrade to 2.7.20 and not lower. Upload the older packages to the router via
FTP and then use the /system package downgrade command.
This is a typical problem, where you do not have routing set up at your main Internet
gateway. Since you have introduced a new network, you need to 'tell' about it your
main gateway (your ISP). A route should be added for your new network. Alternatively,
you can 'hide' your new network by means of masquerading to get access to the
Internet. Please take time to study the Basic Setup Guide, where the problem is
described and the solution is given.
There is an example how to masquerade your private LAN:
You can change the allocated ports under /ip service.
The rules 'do not work', since they do not match the packets due to the incorrectly
specified address/mask. The correct form would be:
The DHCP feature is not included in the system software package. You need to install
the dhcp package. Upload it to the router and reboot!
Yes, you can add static leases to the DHCP server leases list. However, DHCP is
insecure by default, and it is better to use PPPoE for user authentication and handing
out IP addresses. There you can request the user to log on from a specified MAC
address as well.
Use /ip firewall nat rule with chain=srcnat action=nat, specify the to-src-
address argument value. It should be one of the router's external addresses. If you
use action=masquerade, the to-src-address is not taken into account, since it is
substituted by the external address of the router automatically.
Use /ip firewall mangle to change MSS (maximum segment size) 40 bytes less than
your connection MTU. For example, if you have encrypted PPPoE link with MTU=1492,
set the mangle rule as follows:
In bridge settings enable use-ip-firewall.
Yes. You can use all the extensive queue management features. Set the queue to the
interface where the traffic is actually leaving the router, when passing through the
router. It is not the bridge interface! The queue on the bridge interface is involved only
for the traffic generated from the router.
For download:
While this solution should function, it is fundamentally flawed as the first packet of each
connection destined to these clients will not be taken into account.
For upload:
No, you cannot.
Manual:Connection oriented communication
(TCP/IP)
Contents
[hide]
 1Connection oriented communication (TCP/IP)

o 1.1TCP session establishment and termination
 1.1.1Connection establishment process
 1.1.2Connection termination
o 1.2Segments transmission (windowing)
o 1.3Ethernet networking
 1.3.1CSMA/CD
 1.3.2Half and Full duplex Ethernet
o 1.4Simple network communication example
 1.4.1ARP protocol operation
Connection oriented communication (TCP/IP)

The connection-oriented communication is a data communication mode in which you must first
establish a connection with remote host or server before any data can be sent. It is similar with
analog telephone network where you had to establish connection before you are able to
communicate with a recipient. Connection establishment included operations such as dial
number, receive dial tone, wait for calling signal etc.
TCP session establishment and termination

Process when transmitting device establishes a connection-oriented session with remote peer
is called a three-way handshake. As the result end-to-end virtual (logical) circuit is created
where flow control and acknowledgment for reliable delivery is used. TCP has several
message types used in connection establishment and termination process (see Figure 2.1.).
Connection establishment process
1. The host A who needs to initialize a connection sends out a SYN (Synchronize) packet
with proposed initial sequence number to the destination host B.
2. When the host B receives SYN message, it returns a packet with both SYN and ACK
fags set in the TCP header (SYN-ACK).
3. When the host A receives the SYN-ACK, it sends back ACK (Acknowledgment)
macket.
4. Host B receives ACK and at this stage the connection is ESTABLISHED.
Connection-oriented protocol services are often sending acknowledgments (ACKs) after
successful delivery. After packet with data is transmitted, sender waits acknowledgement from
receiver. If time expires and sender did not receive ACK, packet is retransmitted.
Connection termination
When the data transmission is complete and the host wants to terminate the connection,
termination process is initiated. Unlike TCP Connection establishment, which uses three-way
handshake, connection termination uses four-way messages. Connection is terminated when
both sides have finished the shut down procedure by sending a FIN and receiving an ACK.
1. The host A, who needs to terminate the connection, sends a special message with the
FIN (finish) flag, indicating that it has finished sending the data.
2. The host B, who receives the FIN segment, does not terminate the connection but
enters into a "passive close" (CLOSE_WAIT) state and sends the ACK for the FIN
back to the host A. Now the host B enters into LAST_ACK state. At this point host B
will no longer accept data from host A, but can continue transmit data to host A. If host
B does not have any data to transmit to the host A it will also terminate the connection
by sending FIN segment.
3. When the host A receives the last ACK from the host B, it enters into a (TIME_WAIT)
state, and sends an ACK back to the host B.
4. Host B gets the ACK from the host A and closes the connection.
Segments transmission (windowing)

Now that we know how the TCP connection is established we need to understand how data
transmission is managed and maintained. In TCP/IP networks transmission between hosts is
handled by TCP protocol.
Let’s think about what happens when datagrams are sent out faster than receiving device can
process. Receiver stores them in memory called a buffer. But since buffer space are not
unlimited, when its capacity is exceeded receiver starts to drop the frames. All dropped frames
must be retransmitted again which is the reason for low transmission performance.
To address this problem, TCP uses flow control protocol. window mechanism is used to control
the flow of the data. When connection is established, receiver specifies window field (see, TCP
header format, Figure 1.6.) in each TCP frame. Window size represents the amount of
received data that receiver is willing to store in the buffer. window size (in bytes) is send
together with acknowledgements to the sender. So the size of window controls how much
information can be transmitted from one host to another without receiving an acknowledgment.
Sender will send only amount of bites specified in window size and then will wait for
acknowledgments with updated window size.
If the receiving application can process data as quickly as it arrives from the sender, then the
receiver will send a positive window advertisement (increase the windows size) with each
acknowledgement. It works until sender becomes faster than receiver and incoming data will
eventually fill the receiver's buffer, causing the receiver to advertise acknowledgment with a
zero window. A sender that receives a zero window advertisement must stop transmit until it
receives a positive window. Windowing process is illustrated in Figure 2.2.
The host A starts transmit with window size of 1000, one 1000byte frame is transmitted.
Receiver (host B) returns ACK with window size to increase to 2000. The host A receives ACK
and transmits two frames (1000 bytes each). After that receiver advertises an initial window
size to 2500. Now sender transmits three frames (two containing 1,000 bytes and one
containing 500 bytes) and waits for an acknowledgement. The first three segments fill the
receiver's buffer faster than the receiving application can process the data, so the advertised
window size reaches zero indicating that it is necessary to wait before further transmission is
possible.
The size of the window and how fast to increase or decrease the window size is available in
various TCP congestion avoidance algorithms such as Reno, Vegas, Tahoe etc.
Ethernet networking
CSMA/CD
The Ethernet system consists of three basic elements:
 the physical medium used to carry Ethernet signals between network devices,
 medium access control system embedded in each Ethernet interface that allow multiple
computers to fairly control access to the shared Ethernet channel,
 Ethernet frame that consists of a standardized set of bits used to carry data over the
system.
Ethernet network uses Carrier Sense Multiple Access with Collision detection (CSMA/CD)
protocol for data transmission. That helps to control and manage access to shared bandwidth
when two or more devices want to transmit data at the same time. CSMA/CD is a modification
of Carrier Sense Multiple Access. Carrier Sense Multiple Access with Collision Detection is
used to improve CSMA performance by terminating transmission as soon as collision is
detected, reducing the probability of a second collision on retry.
Before we discuss a little more about CSMA/CD we need to understand what is collision,
collision domain and network segment. A collision is the result of two devices on the same
Ethernet network attempting to transmit data at the same time. The network detects the
"collision" of the two transmitted packets and discards both of them.
If we have one large network solution is to break it up into smaller networks – often
called network segmentation. It is done by using devices like routers and switches - each of
switch ports create separate network segment which result in separate collision domain. A
collision domain is a physical network segment where data packets can "collide" with each
other when being sent on a shared medium. Therefore on a hub, only one computer can
receive data simultaneously otherwise collision can occur and data will be lost.
Hub (called also repeater) is specified in Physical layer of OSI model because it regenerates
only electrical signal and sends out input signal to each of ports. Today hubs do not dominate
on the LAN networks and are replaced with switches.
Carrier Sense – means that a transmitter listens for a carrier (encoded information signal) from
another station before attempting to transmit.
Multiple Access – means that multiple stations send and receive on the one medium.
Collision Detection - involves algorithms for checking for collision and advertises about collision
with collision response – “Jam signal”.
When the sender is ready to send data, it checks continuously if the medium is busy. If the
medium becomes idle the sender transmits a frame.
Look at the Figure 2.4 bellow where simple example of CSMA/CD is explained.
1. Any host on the segment that wants to send data “listens” what is happening on the
physical medium(wire) an is checking whether someone else is not sending data
already.
2. Host A and host C on shared network segment sees that nobody else is sending and
tries to send frames.
3. Host A and Host C are listening at the same time so both of them will transmit at the
same time and collision will occur. Collision results in what we refer to as "noise" - a
change in the voltage of the signals in the line (wire).
4. Host A and Host B detect this collision and send out “jam” signal to tell other hosts not
to send data at this time. Both Host A and Host C need to retransmit this data, but we
don't want them to send frames simultaneously once again. To avoid this, host A and
host B will start a random timer (ms) before attempting to start CSMA/CD process
again by listening to the wire.
Each computer on Ethernet network operates independently of all other stations on the
network.
Half and Full duplex Ethernet

Ethernet standards such as Ethernet II and Ethernet 802.3 are passed through formal IEEE
(Institute of Electrical and Electronics Engineers) standardization process. The difference is
that Ethernet II header includes Protocol type field whereas in Ethernet 802.3 this field was
changed to length field. Ethernet is the standard CSMA/CD access method. Ethernet supports
different data transfer rates Ethernet (10BaseT) – 10 Mbps, Fast Ethernet (100Base-TX) – 100
Mbps Gigabit Ethernet (1000Base-T) – 1000 Mbps through different types of physical mediums
(twisted pairs (Copper), coaxial cable, optical fiber). Today Ethernet cables consist of four
twisted pairs (8 wires). For example, 10Base-T uses only one of these wire pairs for running in
both directions using half-duplex mode.
Half-duplex data transmission means that data can be transmitted in both directions between
two nodes, but only one direction at the same time. Also in the Gigabit Ethernet is defined
(Half-duplex) specifications, but it isn’t used in practice.
Full-duplex data transmission means that data can be transmitted in both directions using
different twisted pairs for each of direction at the same time. Full Duplex Ethernet, collisions
are not possible since data is transmitted and received on different wires, and each segment is
connected directly to a switch. Full-duplex Ethernet offers performance in both directions for
example, if your computer supports Gigabit Ethernet (full duplex mode) and your gateway
(router) also support it then between your computer and gateway 2Gbps aggregated bandwidth
is available.
Simple network communication example

ARP protocol operation
Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol (IP) address
of host in the local network to the hardware address (MAC address). The physical/hardware
address is also known as a Media Access Control or MAC address. Each network device
maintains ARP tables (cache) that contain list of MAC address and its corresponding IP
address. MAC addresses uniquely identify every network interface in the network. IP
addresses are used for path selection to destination (in the routing process), but frame
forwarding process from one interface to another occur using MAC addresses.
When host on local area network wants to send IP packet to another host in this network, it
must looks for Ethernet MAC address of destination host in its ARP cache. If the destination
host’s MAC address is not in ARP table, then ARP request is sent to find device with
corresponding IP address. ARP sends broadcast request message to all devices on the LAN
by asking the devices with the specified IP address to reply with its MAC address. A device
that recognizes the IP address as its own returns ARP response with its own MAC address.
Figure 2.5 shows how an ARP looks for MAC address on the local network.
Commands that displays current ARP entries on a PC (linux, DOS) and a MikroTik router
(commands might do the same thing, but they syntax may be different):
For windows and Unix like machines: arp – a displays the list of IP addresses with its
corresponding MAC addresses
ip arp print – same command as arp – a but display the ARP table on a MikroTik Router.
Manual:Router AAA
Applies to RouterOS:2.9, v3, v4, v5+
Contents
[hide]
 1Summary
 2User Groups
o 2.1Properties
o 2.2Sensitive information
o 2.3Notes
o 2.4Example
 3Router Users
o 3.1Properties
o 3.2Notes
 4Monitoring Active Users
o 4.1Properties
o 4.2Example
 5Remote AAA
o 5.1Properties
 6SSH Keys
o 6.1Private keys
o 6.2Example
Summary
Sub-menu: /user
MikroTik RouterOS router user facility manage the users connecting the router from the local
console, via serial terminal, telnet, SSH or Winbox. The users are authenticated using either
local database or designated RADIUS server.
Each user is assigned to a user group, which denotes the rights of this user. A group policy is a
combination of individual policy items.
In case the user authentication is performed using RADIUS, the RADIUS Client should be
previously configured.
User Groups
Sub-menu: /user group
The router user groups provide a convenient way to assign different permissions and access
rights to different user classes.
Properties
Property
name (string; Default: ) The name of the user grou
policy (local | telnet | ssh | ftp | reboot | read | write | policy | test | web | sniff | api | List of allowed policies:
winbox | password | sensitive; Default: ) Login policies:
 local - policy that g

 telnet - policy that
 ssh - policy that gran
 web - policy that gran
 winbox - policy that
 password - policy t
 api - grants rights to
 dude - grants rights t
Config Policies:
 ftp - policy that gran

read, write and erase f
 reboot - policy that
 read - policy that gra
allowed. Doesn't affec
 write - policy that g
configuration, so mak
 policy - policy that
created by other users
 test - policy that gra
 sensitive - grants
 sniff - policy that g
 romon -
Sensitive information
Starting with RouterOS v3.27, the following information is regarded as sensitive, and can be
hidden from certain user groups with the 'sensitive' policy unchecked.
Also, since RouterOS v4.3, backup files are considered sensitive, and users without this policy
will not be able to download them in any way.
system package
/radius: secret
/snmp/community: authentication-password, encryption-password
advanced-tools package
/tool/sms: secret
wireless package
/interface/wireless/security-profiles: wpa-pre-shared-key,
wpa2-pre-shared-key, static-key-0, static-key-1, static-key-2,
static-key-3, static-sta-private-key
/interface/wireless/access-list: private-key, private-pre-shared-key
wireless-test package
/interface/wireless/security-profiles: wpa-pre-shared-key, wpa2-pre-

shared-key,
static-key-0, static-key-1, static-key-2, static-key-3, static-sta-
private-key, management-protection-key
/interface/wireless/access-list: private-key, private-pre-shared-key,
management-protection-key
user-manager package
/tool/user-manager/user: password
/tool/user-manager/customer: password
hotspot package
/ip/hotspot/user: password
ppp package
/ppp/secret: password
security package
/ip/ipsec/installed-sa: auth-key, enc-key

/ip/ipsec/manual-sa: ah-key, esp-auth-key, esp-enc-key
/ip/ipsec/peer: secret
routing package
/routing/bgp/peer: tcp-md5-key
/routing/rip/interface: authentication-key
/routing/ospf/interface: authentication-key
/routing/ospf/virtual-link: authentication-key
routing-test package
/routing/bgp/peer: tcp-md5-key
/routing/rip/interface: authentication-key
/routing/ospf/interface: authentication-key
/routing/ospf/virtual-link: authentication-key
Notes
There are three system groups which cannot be deleted:
[admin@rb13] > /user group print

0 name="read"
policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!ftp,!writ
e,!policy
1 name="write"
policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,!ftp
,!policy
2 name="full"
policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passwo
rd,web
3 name="test"
policy=ssh,read,policy,!local,!telnet,!ftp,!reboot,!write,!test,!winbox
,!password,!web
[admin@rb13] >
Exclamation sign '!' just before policy item name means NOT.
Example
To add reboot group that is allowed to reboot the router locally or using telnet, as well as read
the router's configuration, enter the following command:
[admin@rb13] user group> add name=reboot

policy=telnet,reboot,read,local
[admin@rb13] user group> print
0 name="read"
policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!ftp,!writ
e,!policy
1 name="write"
policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,!ftp
,!policy
2 name="full"
policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passwo
rd,web
3 name="reboot"
policy=local,telnet,reboot,read,!ssh,!ftp,!write,!policy,!test,!winbox,
!password,!web
[admin@rb13] user group>
Router Users
Sub-menu: /user
Router user database stores the information such as username, password, allowed access
addresses and group about router management personnel.
Properties
Property
address (IP/mask | IPv6 prefix; Default: ) Host or network address fr
group (string; Default: ) Name of the group the use
name (string; Default: ) User name. Although it mu
password (string; Default: ) User password. If not spec
may contain letters, digits,
Notes
There is one predefined user with full access rights:
[admin@MikroTik] user> print

Flags: X - disabled
# NAME GROUP ADDRESS
0 ;;; system default user
admin full 0.0.0.0/0
[admin@MikroTik] user>
There always should be at least one user with fulls access rights. If the user with full access
rights is the only one, it cannot be removed.
Monitoring Active Users

Sub-menu: /user active
/user active print command shows the currently active users along with respective
statisics information.
Properties
All properties are read-only.
Property
address (IP/IPv6 address) Host IP/IPv6 address from
group (string) Group that user belongs to
name (string) User name.
radius (true | false) Whether user is authentica
via (console | telnet | ssh |winbox | api | web) User's access method
when (time) Time and date when user l
Example
To print currently active users, enter the following command:
[admin@dzeltenais_burkaans] /user active> print detail

Flags: R - radius
0 when=dec/08/2010 16:19:24 name="admin" address=10.5.8.52
via=winbox
2 when=dec/09/2010 09:23:04 name="admin" address=10.5.101.38
via=telnet
3 when=dec/09/2010 09:34:27 name="admin"

address=fe80::21a:4dff:fe5d:8e56 via=api
Remote AAA
Sub-menu: /user aaa
Router user remote AAA enables router user authentication and accounting via RADIUS
server. The RADIUS user database is consulted only if the required username is not found in
the local user database
Properties
Property
accounting (yes | no; Default: yes)
exclude-groups (list of group names; Default: ) Exclude-groups consists o
for users authenticated by
This is to protect against p

server and
log in as admin.
default-group (string; Default: read) User group used by defaul
interim-update (time; Default: 0s) Interim-Update time interv
use-radius (yes |no; Default: no) Enable user authentication
Note: If you are using RADIUS, you need to have CHAP support enabled in the RADIUS
server for Winbox to work
SSH Keys
Sub-menu: /user ssh-keys
This menu allows to import public keys used for ssh authentication.
Warning: User is not allowed to login via ssh by password if ssh-keys for the user is added
Properties:
Property
user (string; Default: ) username to which ssh key
Read-only properties:
Property
key-owner (string)
When importing ssh key by /user ssh-keys import command you will be asked for two
parameters:
 public-key-file - file name in routers root directory containing the key.

 user - name of the user to which key will be assigned
Private keys
Sub-menu: /user ssh-keys private
This menu is used to import and list imported private keys. Private keys are used to
authenticate remote login attempts using certificates.
Read-only properties:
Property
user (string)
key-owner (string)
When importing ssh keys from this sub menu using /user ssh-keys private import
command you will be asked for three parameters:
 private-key-file - file name in routers root directory containing private key.

 public-key-file - file name in routers root directory containing public key.
 user - name of the user to which key will be assigned
Example
Read full example >>
Manual:RouterOS6 news
(Redirected from Manual:What's New In v6)
Contents
[hide]
 1General
 2PPP
 3Firewall
 4Wireless
 5DHCP
 6IpSec
 7Certificates
 8Routing
 9Queues
 10Compact configuration export
 11Tools
General
 Updated drivers and Kernel (to linux-3.3.5)
 Initial OpenFlow support
 New LCD Touch screen features
 Hotspot mac-cookie login method (mostly used for smartphones)
 Configurable Kernel options in /ip settings and /ipv6 settings menu (ip forward, rp filters
etc)
 ARP timeout can be changed in /ip settings
 Neighbor discovery can be disabled by default on dynamic interfaces in /ip neighbor
discovery settings menu
 To enable/disable discovery on interface you now must use command: "/ip neighbor
discovery set (interface number/name) discover=yes/no".
 Show last-logged-in in users list
 GRE supports all protocol encapsulation, not just ip and ipv6;
 Slave flag shows up for interfaces that are in bridge,bonding or switch group;
 SSH client has new property output-to-file, useful for scripting.
 Support for API over TLS (SSL)
 API is now enabled by default
 DNS retry queries with tcp if truncated results received
 DNS rotates servers only on failure
 DNS cache logs requests to topics "dns" and "packet";
 WebFig now supports RADIUS authentication (via MS-CHAPv2)
 New Web Proxy parameter max-cache-object-size
 Increased Max client/server connection count for Web Proxy
 If NTP client is enabled, logs show correct time and date when router was rebooted.
 802.1Q Trunking with Atheros switch chip
PPP
 SSTP can now force AES encryption instead of default RC4
 PPP profile now has bridge-path-cost amd bridge-port-priority parameters
 Secrets shows last-logged-out date and time
 Hotspot and PPP now support multiple address-lists
 Only 2 change mss mangle rules are created for all ppp interfaces;
Firewall
 New all-ether,all-wireless,all-vlan,all-ppp interface matchers
 Priority matcher
 New change-dscp options from-priority and from-priority-to-high-3-bits
 New Mangle Actions snif-tzsp,snif-pc
Wireless
 Wireless Channels options - creating custom channel lists
DHCP
 DHCP client now support custom options
 DHCP v4 client now have special-classless option for add-default-route parameter
 Possibility to add DHCP relay agent information option (Option 82)
 DHCPv6 DNS option support
 DHCPv6 Relay support
 DHCP server RADIUS framed route support
 DHCP option configuration per lease
IpSec
Significantly improved Road Warrior setup usage with Mode Configuration support.
Detailed configuration example can be found in the manual.
Full list of new features:
 Mode Conf support (unity split include, address pools, DNS)

 Ipsec peer can be set as passive - will not start ISAKMP SA negotiation
 Xauth support ( xauth PSK and Hybrid RSA)
 Policy templates - allow to generate policy only if src/dst address, protocol and proposal
matches the template
 Peer groups
 Multiple peers with the same IP can be used.
 For peers with full IP address specified system will auto-start ISAKMP SA negotiation.
 generate-policy now can have port-strict value which will use port from peer's
proposal
 Source address of phase1 is now configurable
Certificates
 CA keys are no more cached, every CA operations now requires a valid CA passphrase.
Use set-ca-passphrase for scep server to cache CA key in encrypted form;
 For certificates marked as trusted=yes, CRL will be automatically updated once in an hour
from http sources;
 Ipsec and SSTP respects CRLs
 SCEP server/client support
 Certificate manager now can issue self signed certificates.
Routing
 New OSPF parameter use-dn. Forces to ignore DN bit in LSAs.
 Changed BGP MED propagation logic, now discarded when sending route with non-empty
AS_PATH to an external peer
 Connected routes become inactive when Interface goes down. It also means that dynamic
routing protocols will stop distributing connected routes without Active flag.
Queues
 improved overall router performance when simple queues are used
 improved queue management (/queue simple and /queue tree) - easily handles tens of
thousands of queues;
 /queue tree entries with parent=global are performed separately from /queue simple and
before /queue simple;
 new default queue types: pcq-download-default and pcq-upload-default;
 simple queues have separate priority setting for download/upload/total;
 global-in, global-out, global-total parent in /queue tree is replaced
with global that is equivalent to global-total in v5;
 simple queues happen in different place - at the very end of postrouting and local-in
chains;
 simple queues target-addresses and interface parameters are joined into one target
parameter, now supports multiple interfaces match for one queue;
 simple queues dst-address parameter is changed to dst and now supports destination
interface matching;
Compact configuration export

Now by default configuration is exported in compact mode.
To make full config export verbose parameter should be used:
/export verbose file=myConfig
Tools
 FastPath support
 Renamed e-mail tls to start-tls and added it as a configurable parameter
 Fetch tool now has HTTPS support
 Added ipv6 header support for traffic generator
 Playback pcap files into network using new trafficgen inject-pcap command
 NAND Flash can be Partitioned on routerboards and separate RouterOS versions can be
installed on each of the partitions
Manual:License
Contents
[hide]
 1RouterBOARD and PC license

 2CHR license
 3License Levels
 4Upgrading from RouterOS v3 (2009)
 5Change license Level
 6Using the License
o 6.1Can I Format or Re-Flash the drive?
o 6.2How many computers can I use the License on?
o 6.3Can I temporary use the HDD for something else, other than RouterOS?
o 6.4Can I move the license to another HDD ?
o 6.5What is a Replacement Key
o 6.6Must I type the whole key into the router?
o 6.7Can I install another OS on my drive and then install RouterOS again later?
o 6.8I lost my RouterBOARD, can you give me the license to use on another system?
o 6.9Licenses Purchased from Resellers
 7Obtaining Licenses and working with them
o 7.1Where can I buy a RouterOS license key?
o 7.2If I have purchased my key elsewhere
o 7.3If I have a license and want to put it on another account?
 8See also
RouterBOARD and PC license

RouterBOARD devices come preinstalled with a RouterOS license, if you have purchased a
RouterBOARD device, nothing must be done regarding the license.
For X86 systems (ie. PC devices), you need to obtain a license key.
The license key is a block of symbols that needs to be copied from your mikrotik.com account,
or from the email you received in, and then it can be pasted into the router. You can paste the
key anywhere in the terminal, or by clicking "Paste key" in Winbox License menu. A reboot is
required for the key to take effect.
RouterOS licensing scheme is based on SoftwareID number that is bound to storage media
(HDD, NAND).
Licensing information can be read from CLI system console:
[admin@RB1100] > /system license print

software-id: "43NU-NLT9"
nlevel: 6
features:
[admin@RB1100] >
or from equivalent winbox, webfig menu.
CHR license
Cloud Hosted Router (CHR) licenses for virtual machines do not use Levels, please see
the CHR manual for more information
License Levels
After installation RouterOS runs in trial mode. You have 24 hours to register for Level1 or
purchase Level 3,4,5 or 6 and enter a valid key.
Level 3 is a wireless station (client or CPE) only license. For x86 PCs, Level3 is not available
for purchase individually. For ordering more than 100 L3 licenses, contact
sales[at]mikrotik.com
Level 2 was a transitional license from old legacy (pre 2.8) license format. These licenses are
not available anymore, if you have this kind of license, it will work, but to upgrade it - you will
have to purchase a new license.
The difference between license levels is shown in the table below.
Level 0 (Trial 1 (Free 3 (WISP 6
4 (WISP) 5 (WISP)
number mode) Demo) CPE) (Controller)
registration
Price no key volume only $45 $95 $250
required
Initial Config
- - - 15 days 30 days 30 days
Support
Wireless AP 24h trial - - yes yes yes
Wireless
Client and 24h trial - yes yes yes yes
Bridge
RIP, OSPF,
BGP 24h trial - yes(*) yes yes yes
protocols
EoIP tunnels 24h trial 1 unlimited unlimited unlimited unlimited
PPPoE
24h trial 1 200 200 500 unlimited
tunnels
PPTP tunnels 24h trial 1 200 200 500 unlimited
L2TP tunnels 24h trial 1 200 200 500 unlimited
OVPN
24h trial 1 200 200 unlimited unlimited
tunnels
Level 0 (Trial 1 (Free 3 (WISP 6
4 (WISP) 5 (WISP)
number mode) Demo) CPE) (Controller)
VLAN
24h trial 1 unlimited unlimited unlimited unlimited
interfaces
HotSpot
24h trial 1 1 200 500 unlimited
active users
RADIUS
24h trial - yes yes yes yes
client
Queues 24h trial 1 unlimited unlimited unlimited unlimited
Web proxy 24h trial - yes yes yes yes
User
manager
24h trial 1 10 20 50 Unlimited
active
sessions
Number of Unlimite Unlimite

none 1 Unlimited Unlimited
KVM guests d d
(*) - BGP is included in License Level3 only for RouterBOARDs, for other devices you need
Level4 or above to have BGP.
All Licenses:
 never expire
 include 15-30 day free support over e-mail
 can use unlimited number of interfaces
 are for one installation each
 offer unlimited software upgrades
Upgrading from RouterOS v3 (2009)

Since RouterOS 3.25 and 4.0beta3 new SoftID format is introduced. Your license menu will
show both the old and the new SoftID. Even by upgrading to a new version, RouterOS will still
work as before, but to use some of the new features, LICENSE UPDATE will be necessary.
To do this, just click on "Update license key" button in Winbox (currently only in Winbox).
New SoftID's are in the form of XXXX-XXXX (Four symbols, dash, four symbols).
The following actions will be taken:
1. Winbox will contact www.mikrotik.com with your old SoftID

2. www.mikrotik.com will check the database and see details about your key
3. the server will generate a new key as "upgrade" and put it into the same account as old
one
4. Winbox will receive the new key and automatically License your router with the new
key
5. Reboot will be required
6. New RouterOS features will be unlocked
Important Note!: If you see this button also in v3.24, don't use it, it will not work.
If you ever wish to downgrade RouterOS, you will have to apply the OLD key before doing so.
When RouterOS applies the NEW key, the OLD key is saved to a file, in the FILES folder, to
make sure you have the old key handy.
Even more important: Don't downgrade v4.0b3 to v3.23 or older. Use only v3.24 for
downgrading, or you might lose your new format key.
Change license Level

1. There are no license level upgrades, if you wish to use a different license Level, please
purchase the appropriate level. Be very careful when purchasing for the first time,
choose the correct option.
2. Why is it not possible to change license level (ie. upgrade license)? Just like you can't
easily upgrade your car's engine from 2L to 4L just by paying the difference, you can't
switch license levels as easily. This is a policy used by many software companies,
choose wisely when making your purchase! Instead we have lowered the prices, and
removed the software update time limit.
Using the License
Can I Format or Re-Flash the drive?
Formatting, and Re-Imaging the drive with non-mikrotik tools (like DD and Fdisk) will destroy
your license! Be very careful and contact mikrotik support before doing this. It is not
recommended, as mikrotik support might deny your request for a replacement license. For this
use MikroTik provided tools Netinstall or CD-install that are freely available from our download
page.
How many computers can I use the License on?
At the same time, the RouterOS license can be used only in one system. The License is bound
to the HDD it is installed on, but you have the ability to move the HDD to another computer
system. You cannot move the License to another HDD, neither can you format or overwrite the
HDD with the RouterOS license. It will be erased from the drive, and you will have to get a new
one. If you accidently removed your license, contact the support team for help.
Can I temporary use the HDD for something else, other than RouterOS?
As stated above, no.
Can I move the license to another HDD ?
If your current HDD drive is destroyed, or can no longer be used, it is possible to transfer the
license to another HDD. You will have to request a replacement key (see below) which will cost
10$
What is a Replacement Key
It is a special key which is issued by the Support Team if you accidently lose the license, and
the Mikrotik Support decides that it is not directly your fault. It costs 10$ and has the same
features as the key that you lose. Note that before issuing such key, the Mikrotik Support can
ask you to prove that the old drive is failed, in some cases this means sending us the dead
drive.
Note: We may issue only one replacement key per one original key, using replacement key
procedure twice for one key will not be possible. In cases like this new key for this RouterOS
device must be purchased.
Must I type the whole key into the router?

No, simply copy it and paste into the Telnet window, or License menu in Winbox.
Copy license to Telnet Window (or Winbox New Terminal),
Another option to use Winbox License Window, click on System ---> License,
Can I install another OS on my drive and then install RouterOS again later?
No, because if you use formatting or partitioning utilities, or tools that do something to the
MBR, you will lose the license and you will have to make a new one. This process is not free
(see Replacement Key above)
I lost my RouterBOARD, can you give me the license to use on another system?
The RouterBOARD comes with an embedded license. You cannot move this license to a new
system in any way, this includes upgrades applied to the RouterBOARD while it was still
working.
Licenses Purchased from Resellers

The keys that you purchase from other vendors and resellers, are not in your account. Your
mikrotik.com account only contains licenses purchased from MikroTik directly. However, you
can use the "Request key" link in your account, to get the key into your account for reference,
or for some upgrades (if available).
Obtaining Licenses and working with them

Where can I buy a RouterOS license key?
You must register an account on our webpage, and in there, use the option "Purchase a
RouterOS license key".
If I have purchased my key elsewhere
You must contact the company who sold you the license, they will provide support
If I have a license and want to put it on another account?
You can give access to keys with the help of Virtual Folders
See also
 Article translation to Spanish
Manual:Purchasing a License for RouterOS

First you have to make an account on the Account Server, this can be done on the mikrotik.com main
page, and is a free and easy process.
Important! Before purchasing a key, you have to install RouterOS. It will generate a SoftID that will be
required during the purchase. Before entering the SoftID in the purchase form, make sure it has not
changed on your router. After installation, you have 24 hours to enter a key. If you are close to running
out of time - shut down the router. The timer will stop.
After you have an account, start by logging in, here is an example process:
Log into your account

Click on Purchase a Key
Select your License Level and the number of licenses you need
Enter your SoftIDs and select the system kind, remember that SoftID will be given to you after installation of
RouterOS. The system kind is a choice between RouterBOARD and X86. Basically if you have a
RouterBOARD(TM) device, select RouterBOARD, if you have some other kind of device - select X86. NOTE!:
Older RouterBOARD 230 model is an X86 device too.
Click on Pay By Credit Card and You will be presented the bank payment page
In the Bank page you will be asked for your Credit Card Number, CVC/CVV code, expiry date of the
card and the name on the card. The CVC/CVV card can be found on the back of the card and is a three
digit code. After you enter all the details and submit the information, your credit card will be charged.
Do not close the browser or push any buttons until the process is complete. Then you will receive your
new key in your email, and it will also appear in the "work with keys" section of your account.
Instructions how to apply license on your router are here.
Categories:
 Manual
 License
 Basic
Navigation menu
 Log in
 Manual
 Discussion
 Read
 View source
 View history
Search
Go
 Main Page
 Recent changes
Tools
 What links here
 Related changes
 Special pages
 Printable version
 Permanent link
 Page information
 This page was last edited on 14 September 2011, at 13:40.
 Privacy policy
 About MikroTik Wiki
 Disclaimers
Manual:Entering a RouterOS License key

First method
If you have installed the Router OS onto a PC (i.e. it is not a RouterBoard), you will initially
have no key, but for 24 hours the router will be fully operable and working. During this
period configure the router to have an IP address, for example 10.1.0.133, then purchase a key
on the www.mikrotik.com account server. To enter this key follow this short guide:
 Telnet to the router:

 find the email from mikrotik which contains your key
 select this key and click copy

 in the telnet window right-click the screen and choose paste
 type y and hit enter to reboot the router

 For fans of the serial console, you may enter the license information via the serial console
on certain equipment. Perform the same operation as in the telnet session above, i.e., at
the console prompt, paste the license information as if it were a command; the paste buffer
or clipboard should contain the full text including the lines containing "BEGIN" and "END"
as mentioned above.
Manual:Replacement Key
 1 - To request replacement key go to required section in you account management in
mikrotik.com
 2 - Send required info to MikroTik support department.

 3 - Re-check your account after support staff has confirmed that replacement key has been
added to your account.
 4 - Claim the replacement key.

Manual:RouterBOARD settings
Contents
[hide]
 1General
o 1.1Properties
o 1.2Upgrading RouterBOOT
 2Settings
o 2.1Protected bootloader
 3Mode button
o 3.1Example
General
Sub-menu level: /system resource
On RouterBOARD devices, the following menu exists which gives you some basic information
about your device:
[admin@demo.mt.lv] /system routerboard> print

routerboard: yes
model: 433
serial-number: 185C01FCA958
current-firmware: 3.25
upgrade-firmware: 3.25
Properties
All properties are read-only
Property
model (string) If this device is a MikroTik
serial-number (string) Serial number of this parti

current-firmware (string) The version of the RouterB
upgrade-firmware (string) RouterOS upgrades also in

file has been found in the
uploaded to the router. In
Upgrading RouterBOOT
RouterBOOT upgrades usually include minor improvements to overall RouterBOARD
operation. It is recommended to keep this version upgraded. If you see that upgrade-
firmware value is bigger than current-firmware, you simply need to perform
the upgrade command, accept it with y and then reboot with /system reboot
[admin@mikrotik] /system routerboard> upgrade

Do you really want to upgrade firmware? [y/n]
y
echo: system,info,critical Firmware upgraded successfully, please
reboot for changes to take effect!
After rebooting, the current-firmware value should become identical with upgrade-firmware
Settings
Sub-menu level: /system routerboard settings
[admin@demo.mt.lv] /system routerboard settings> print

baud-rate: 115200
boot-delay: 2s
enter-setup-on: any-key
boot-device: nand-if-fail-then-ethernet
cpu-frequency: 1200MHz
memory-frequency: 1066DDR
boot-protocol: bootp
enable-jumper-reset: yes
force-backup-booter: no
silent-boot: no
Property
baud-rate (integer; Default: 115200) Choose the onboard RS23

boot-delay (time; Default: 1s) How much time to wait fo
boot-device (nand-if-fail-then-ethernet ...; Default: nand-if-fail-then-ethernet) Choose the way RouterBO
 flash-boot -
 flash-boot-once
 nand-if-fail-th
 nand-only -
 try-ethernet-on
boot-protocol (bootp |dhcp ...; Default: bootp) Boot protocol to use:
 bootp - the default o

 dhpc - used for Open
cpu-frequency (depends on model; Default: depends on model) This option allows for chan
keyboard at this prompt
cpu-mode (power-save | regular; Default: power-save) Whether to enter CPU sus

it consumes less power, b
would be higher
enable-jumper-reset (yes | no; Default: yes) Disable this to avoid accid
enter-setup-on (any-key | delete-key; Default: any-key) Which key will cause the B
use Delete key to enter th
force-backup-booter (yes | no; Default: no) If to use the backup Route

don't have to boot the dev
 yes - backup loader w

 no - main booter will
memory-frequency (depends on model; Default: depends on model) This option allows to chan
keyboard at this prompt
regulatory-domain-ce (yes | no; Default: )
silent-boot (yes | no; Default: no) This option disables outpu

device. Useful if you have
 yes - no output on th
 no - regular info and
Protected bootloader
This is a new feature which allows the protection of RouterOS configuration and files from a
physical attacker by disabling etherboot. It is called "Protected RouterBOOT". This feature can
be enabled and disabled only from within RouterOS after login, i.e., there is no RouterBOOT
setting to enable/disable this feature. These extra options appear only under certain conditions.
When this setting is enabled - both the reset button and the reset pin-hole is disabled. Console
access is also disabled. The only ability to change boot mode or RouterBOOT settings is
through RouterOS. If you do not know the RouterOS password - only a complete format is
possible.
 The backup RouterBOOT version can not be older than v3.24 version. A special package
is provided to upgrade the backup RouterBOOT (DANGEROUS). Newer devices will have
this new backup loader already installed at the factory. Download the package for:
MIPSBE platform here SMIPS platform here MMIPS platform here TILE platform here.
 RouterOS version 6.33 or later is required to enable this feature. Also make sure, that you
have the latest firmware installed.
Property
protected-routerboot (enabled | disabled; Default: disabled) This setting disables any a

change the boot mode (Ne
Unsetting of this option is
reformat of both NAND an
 enabled - secure m
Etherboot is not avail
 disabled - regular
reformat-hold-button (5s .. 300s; Default: 20s) As an emergency recovery

button time, but less than
When you use the button f
EXTREMELY DANGER
1. RouterOS, all of it
2. all RouterBOOT se
3. Board is rebooted
4. As boot from NAN
5. Netinstall is requi
Please note! Reformat on
reformat-hold-button-max (5s .. 600s; Default: 10m) Increase the security even

interval. If you set t he "re
60 to 65 seconds, not less
Note: RouterBOARD that has the protected RouterBOOT setting enabled will blink the LED
every second, to make counting easier. The LED will turn off for one second, and turn on for
the next second.
Mode button
Some RouterBOARD devices have a mode button that allows you to run any script when the
button it pushed.
Example
/system script add name=test-script source={:log info

message=("1234567890");}
/system routerboard mode-button set on-event=test-script
/system routerboard mode-button set enabled=yes
Upon pressing the button, the message 1234567890 will be logged in the system log.
Property
enabled (no | yes; Default: no) Disable or enable the oper
on-event (string; Default: )
Manual:RouterBOOT
RouterBOOT is responsible for starting RouterOS in RouterBOARD devices.
Contents
[hide]
 1Main and Backup loaders

 2RouterBOARD reset button
 3Configuration
 4Simple Upgrade
o 4.1Checking RouterBOOT version
 5Xmodem Method
Main and Backup loaders

By default, the main loader is used, but RouterBOARD devices also have a secondary
(backup) bootloader, which can be used in case the main doesn't work. It is possible to call the
backup loader with a configuration setting in RouterOS:
system routerboard settings set force-backup-booter=yes

it is also possible to use the backup booter by turning on the device, with the RESET button
pushed. Sometimes the RouterBOOT receives firmware upgrades (see Changelog). It is only
possible to upgrade the main RouterBOOT, so in case of failure, you can use the backup
booter to start the device and downgrade the main loader. For upgrade instructions, follow the
separate instructions in Manual:Bootloader upgrade
RouterBOARD reset button

RouterBOOT reset button has three functions:
 Hold this button during boot time until LED light starts flashing, release the button to reset
RouterOS configuration (total 5 seconds)
 Keep holding for 5 more seconds, LED turns solid, release now to turn on CAPs mode
(total 10 seconds)
 Or Keep holding the button for 5 more seconds until until LED turns off, then release it to
make the RouterBOARD look for Netinstall servers (total 15 seconds)
Note: If you hold the button before applying power, backup RouterBOOT will be used in
addition to all the above actions. To do the above actions without loading the backup loader,
push the button right after applying power to the device.
Configuration
For RouterBOARD devices that feature a serial console connector, it is possible to access the
RouterBOOT loader configuration menu. The required cable is described in the Serial
console manual. RouterBOARD serial port is configured to 115200bit/s, 8 data bits, 1 stop bit,
no parity. We suggest to disable the hardware flow control.
This example shows the menu which is available in RouterBOOT 3.19:
RouterBOOT booter 3.19
CCR1009-8G-1S-1S+
CPU frequency: 1200 MHz

Memory size: 2048 MiB
NAND size: 128 MiB
NAND partitions: 2
Press any key within 2 seconds to enter setup
RouterBOOT-3.19
What do you want to configure?
d - boot delay
k - boot key
s - serial console
n - silent boot
o - boot device
f - cpu frequency
r - reset booter configuration
e - format nand
w - repartition nand
y - active partition
g - upgrade firmware
i - board info
p - boot protocol
b - booter options
t - do memory testing
The options are self explainatory.
letter description explanation
d boot delay Delays starting of RouterOS to allow an interface to initialize
k boot key The button that will open the configuration menu
s serial console Sets baud rate of the serial port
Supresses all output on the serial port, in case some device is connected
n silent boot
to it (like a GPS device or a temperature monitor)
o boot device Allows to enable Netinstall booting
f cpu frequency Allows to adjust CPU/memory frequencies
reset booter
r Resets the settings in this menu. Warning, no confirmation!
configuration
Destroys all data on the NAND, including RouterOS configuration and

e format nand
license
w repartition nand Refer to the Manual:Partitions document for more info
y active partition Choose active partition from which to try to load RouterOS
Allows upgrading RouterBOOT version through the network, or the
g upgrade firmware
XModem protocol
i board info
p boot protocol
b booter options Select which bootloader to use by default
t do memory testing Very basic memory testing tool
Hitting the appropriate keyboard letter will give you a list of further options, they are shown
below:
# d - boot delay:
Select boot delay:

1 - 1s
* 2 - 2s
3 - 3s
4 - 4s
5 - 5s
6 - 6s
7 - 7s
8 - 8s
9 - 9s
# k - boot key:
Select key which will enter setup on boot:

* 1 - any key
2 - <Delete> key only
# s - serial console:
Select baud rate for serial console:

* 1 - 115200
2 - 57600
3 - 38400
4 - 19200
5 - 9600
6 - 4800
7 - 2400
8 - 1200
9 - off
# n - silent boot:
Silent boot:
0 - off
* 1 - on
# o - boot device:
Select boot device:

e - boot over Ethernet
* n - boot from NAND, if fail then Ethernet
1 - boot Ethernet once, then NAND
o - boot from NAND only
b - boot chosen device
f - boot Flash Configure Mode
3 - boot Flash Configure Mode once, then NAND
# f - cpu frequency:
Select CPU frequency:

a - 200MHz
b - 400MHz
c - 600MHz
d - 800MHz
e - 1000MHz
* f - 1200MHz
# r - reset booter configuration:
# e - format nand:
Do you realy want to format your storage device?

that would result in losing all your data
type "yes" to confirm:
# w - repartition nand:
Select parititon count:
1 - partition
* 2 - partitions
3 - partitions
4 - partitions
# y - active partition:
Select active partiton:

* 0 - partition
1 - partition
# g - upgrade firmware:
Upgrade firmware options:

e - upgrade firmware over ethernet
s - upgrade firmware over serial port
# i - board info:
Board Info:
Board type: CCR1009-8G-1S-1S+

Serial number: 48FF01DDE6FD
Firmware version: 3.19
CPU frequency: 1200 MHz
Memory size: 2048 MiB
NAND size: 128 MiB
Build time: 2014-09-23 15:02:34
eth1 MAC address: 00:0C:42:00:BE:4A
eth2 MAC address: 00:0C:42:00:BE:4B
eth3 MAC address: 00:0C:42:00:BE:4C
eth4 MAC address: 00:0C:42:00:BE:4D
eth5 MAC address: 00:0C:42:00:BE:4E
eth6 MAC address: 00:0C:42:00:BE:4F
eth7 MAC address: 00:0C:42:00:BE:50
# p - boot protocol:
Choose which boot protocol to use:

* 1 - bootp protocol
2 - dhcp protocol
# b - booter options:
Select which booter you want to load:

* 1 - load regular booter
2 - force backup-booter loading
#t - do memory testing:
launches built in memory test!
# x - exit setup:
Exit bios configuration menu and continues with system startup.
Simple Upgrade
RouterBOOT can be upgraded from RouterOS by:
 Run command /system routerboard upgrade

 Reboot your router to apply the upgrade (/system reboot)]
Note: If you need to install a different version than included in your "routerboard.npk - Upload
the latest RouterBOOT firmware to your router's FTP, the latest firmware is available
on routerboard.com and then follow above steps.
Checking RouterBOOT version

This command shows the current RouterBOOT version of your device, and available upgrade
which is either included in routerboard.npk package, or if you uploaded a FWF
file corresponding to device model:
[admin@MikroTik] > system routerboard print
routerboard: yes
model: "750"
serial-number: "1FC201DD513B"
current-firmware: "2.18"
upgrade-firmware: "2.20"
[admin@MikroTik] >
In this case you see, that there is a newer version of the Bootloader firmware available
already inside your current RouterOS version.
Note: Downgrade is also possible by uploading *.FWF file with older version
Xmodem Method
If there is no IP connectivity with your RouterBOARD, you can also use the Serial Console
XMODEM transfer to send the FWF file to the router, while connected via Serial Console. From
the Bootloader menu it's possible to upgrade the firmware with this method. This method is the
last resort, and should be used only if the first two methods are not available.
Manual:PoE-In
RouterBOARD devices with "poe" labeled ports, support powering by Passive PoE over spare
pairs, except where notified otherwise. This table explains Ethernet cable pinout for
RouterBOARD devices, and shows powered pins for PoE on 10/100 and 10/100/1000 devices.
RJ45 pin for Straight RJ45 pin for Crossover

RJ45 Function Function
Color cable (MDI, cable (MDI-X,
Pin (100Mbit) (1Gbit)
EIA/TIA568A) EIA/TIA568B)
1 Green TX+ Data Data A+ 1 3
2 Green/White TX- Data Data A- 2 6
3 Orange RX+ Data Data B+ 3 1

4 Blue PoE + Data C+ 4 4
5 Blue/White PoE + Data C- 5 5
6 Orange/White RX- Data Data B- 6 2
7 Brown PoE - Data D+ 7 7
8 Brown/White PoE - Data D- 8 8
Note: for Gigabit models, you have to use the MikroTik Gigabit PoE injector, that passes PoE
trough pins 4,5 (+) and 7,8 (-). When using other PoE injectors, power can be passed on any
other pins, depending on PoE injector model.
Manual:Product Naming
Contents
[hide]
 1Naming details for RouterBOARD products

o 1.1Board Name
o 1.2Board Features
o 1.3Built-in wireless details
o 1.4Enclosure type
o 1.5More Specific types OUT enclosures are:
o 1.6Example
 2CloudCoreRouter naming details
 3CloudRouterSwitch and CloudSmartSwitch naming details
Naming details for RouterBOARD products

RouterBOARD (short version RB)
<board name> <board features>-<built-in wireless> <wireless card
features>-<connector type>
-<enclosure type>
Board Name
Currently there can be three types of board names:
 3-symbol name
 1st symbol stands for series (this can either be a number or a letter)
 2nd digit for indicating number of potential wired interfaces (Ethernet, SFP, SFP+)
 3rd digit for indicating number of potential wireless interfaces (built-in and mPCI and
mPCIe slots)
 Word - currently used names are: OmniTIK, Groove, SXT, SEXTANT, Metal, LHG,
DynaDish, cAP, wAP, LDF, DISC, mANTBox, QRT, DynaDish, cAP, hAP, hEX . If
board has fundamental changes in hardware (such as completely different CPU) revision
version will be added in the end
 Exceptional naming - 600, 800, 1000, 1100, 1200, 2011, 3011 boards are standalone
representatives of the series or have more than 9 wired interfaces, so name was simplified
to full hundreds or development year.
Board Features
Board features follows immediately after board name section (no spaces or dashes), except
when board name is a word, then board features are separated by space.
Currently used features (listed in order they are used):
 U - USB
 P - power injection with controller
 i - single port power injector without controller
 A - more memory (and usually higher license level)
 H - more powerful CPU
 G - Gigabit (may include "U","A","H", if not used with "L")
 L - light edition
 S - SFP port (legacy usage - SwitchOS devices)
 e - PCIe interface extension card
 x<N> - where N is number of CPU cores ( x2, x16, x36 etc)
 R - MiniPCI or MINIPCIe slot
Built-in wireless details
If board has built-in wireless, then all its features are represented in following format:
<band><power_per_chain><protocol><number_of_chains>
 band
 5 - 5Ghz
 2 - 2.4Ghz
 52 - dual band 5Ghz and 2.4Ghz
 power per chain

 (not used) - "Normal" - <23dBm at 6Mbps 802.11a; <24dBm at 6Mbps 802.11g
 H - "High" - 23-24dBm at 6Mbps 802.11a; 24-27dBm at 6Mbps 802.11g
 HP - "High Power" - 25-26dBm 6Mbps 802.11a; 28-29dBm at 6Mbps 802.11g
 SHP - "Super High Power" - 27+dBm at 6Mbps 802.11a; 30+dBm at 6Mbps 802.11g
 protocol
 (not used) - for cards with only 802.11a/b/g support
 n - for cards with 802.11n support
 ac - for cards with 802.11ac support
 number_of_chains
 (not used) - single chain
 D - dual chain
 T - triple chain
 connector type
 (not used) - only one connector option on the model
 MMCX - MMCX connector type
 u.FL - u.FL connector type
Enclosure type
 (not used) - main type of enclosure for a product

 BU - board unit (no enclosure) - for situation when board-only option is required, but main
product already comes in the case
 RM - rack-mount enclosure
 IN - indoor enclosure
 EM - extended memory
 LM - light memory
 BE - black edition case
 TC - Tower (vertical) case
 OUT - outdoor enclosure
More Specific types OUT enclosures are:
 SA - sector antenna enclosure (for SXT)

 HG - high gain antenna enclosure (for SXT)
 BB - Basebox enclosure (for RB911)
 NB - NetBox enclosure (for RB911)
 NM - NetMetal enclosure (for RB911)
 QRT - QRT enclosure (for RB911)
 SX - Sextant enclosure (for RB911,RB711)
 PB - PowerBOX enclosure (for RB750P, RB950P)
 PC - PassiveCooling enclosure (for CCR)
 TC - Tower (vertical) Case enclosure (for hEX, hAP and other home routers.)
Example
Lets decode RB912UAG-5HPnD naming
 RB (RouterBOARD)
 912 - 9th series board with 1 wired (ethernet) interface and two wireless interfaces (built-in
and miniPCIe)
 UAG - has USB port, more memory and gigabit ethernet port
 5HPnD - has built in 5GHz high power dual chain wireless card with 802.11n support.
CloudCoreRouter naming details

CloudCoreRouter (short version CCR) naming consists of:
<4 digit number>-<list of ports>-<enclosure type>
 4 digit number
 1st digit stands for series
 2nd (reserved)
 3rd-4th digit indicate number of total CPU cores on the device
 list of ports
 -<n>G number of 1G Ethernet ports
 -<n>P number of 1G Ethernet ports with PoE-out
 -<n>C number of combo 1G Ethernet/SFP ports
 -<n>S number of 1G SFP ports
 -<n>G+ number of 2.5G Ethernet ports
 -<n>P+ number of 2.5G Ethernet ports with PoE-out
 -<n>C+ number of combo 10G Ethernet/SFP+ ports
 -<n>S+ number of 10G SFP+ ports
 -<n>XG number of 5G/10G Ethernet ports
 -<n>XP number of 5G/10G Ethernet ports with PoE-out
 -<n>XC number of combo 10G/25G SFP+ ports
 -<n>XS number of 25G SFP+ ports
 -<n>Q+ number of 40G QSFP+ ports
 -<n>XQ number of 100G QSFP+ ports
 enclosure type - same as for RouterBOARD products.
CloudRouterSwitch and CloudSmartSwitch naming details

CloudRouterSwitch (short version CRS, RouterOS device) CloudSmartSwitch (short version
CSS, SwOS device) naming consists of:
<3 digit number>-<list of ports>-<built-in wireless card>-<enclosure
type>
 3 digit number
 1st digit stands for series
 2nd-3rd digit - total number of wired interfaces (Ethernet, SFP, SFP+)
 list of ports
 -<n>G number of 1G Ethernet ports
 -<n>P number of 1G Ethernet ports with PoE-out
 -<n>C number of combo 1G Ethernet/SFP ports
 -<n>S number of 1G SFP ports
 -<n>G+ number of 2.5G Ethernet ports
 -<n>P+ number of 2.5G Ethernet ports with PoE-out
 -<n>C+ number of combo 10G Ethernet/SFP ports
 -<n>S+ number of 10G SFP+ ports
 -<n>XG number of 5G/10G Ethernet ports
 -<n>XP number of 5G/10G Ethernet ports with PoE-out
 -<n>XC number of combo 10G/25G SFP+ ports
 -<n>XS number of 25G SFP+ ports
 -<n>Q+ number of 40G QSFP+ ports
 -<n>XQ number of 100G QSFP+ ports
 built-in wireless card - same as for RouterBOARD products.
 enclosure type - same as for RouterBOARD products.
Manual:Peripherals
Contents
[hide]
 1Cellular modems
 2SFP modules
 3SFP+ modules
This article describes supported add-on peripherals for RouterBOARD hardware devices.
Cellular modems
Tested
Route Passthr
For Technol
Model rOS Comments ough
mat ogies
versio support
n
v5.25 and
BandRich C501 [1] USB ? LTE
v6.0
If modem uses firmware

v5.25,
Sierra Wireless 3.5 it should be upgraded
v6.0 and MiniPC
MC7710/MC7700/M to 3.5.23.2 firmware N LTE
6.40RC4 I-e
C7750 [2] release in order to work in
3
RouterOS correctly again.
v5.22 and Some settings are ignored.

Yota LU150 [3] USB ? LTE
v6.4 Works in Russian markets.
Yota WLTUBA- Some settings are ignored.
v6.0 USB ? LTE
107 [4] Works in Russian markets.
Some settings are ignored.
Yota wifi modem [5] v6.7 USB ? LTE
Works in Russian markets.
Vodafone K4305 [6] v6.7 Some settings are ignored. USB ? LTE
Android usb tethering
v6.7 Some settings are ignored. USB ? LTE
interface
ZTE MF823 v6.8 For some devices it's USB ? LTE
needed to enter in
Tested
Route Passthr
For Technol
mat ogies
versio support
n
FACTORY mode to
change operating state.
ZTE MF825A v6.xx Some settings are ignored. USB ? LTE
Vodafone K5160 [7] v6.37 Some settings are ignored. USB ? LTE
Vodafone K4201- Some settings are ignored.
v6.8 USB ? LTE
Z [8] LTE interface.
ZTE MF827 [9] v6.8 Some settings are ignored. USB ? LTE
There are multiple
versions of this modem.
Huawei E3272 v6.8 USB ? LTE
Looks like only modem
with device-id="0x14db"
works as LTE interface.
MIFI unit. No serial
Huawei E5377 v6.36.1 support, but works with IP USB ? LTE
on LTE interface
MiniPC
Huawei MU609 [10] v6.11 ? 3G
I-e
Huawei MU709s- MiniPC
v6.28 Y 3G
2 [11] I-e
Huawei ME909u- MiniPC
v6.11 N LTE
521 [12] I-e
Huawei ME909s- MiniPC
v6.28 Y LTE
120 [13] I-e
Works! PPP interface.
MiniPC
And starting with v7.xx it
v6.xx(pp I-e /
will support LTE
SIMcom SIM7100 p) v7.xx USB w/ ? LTE
interface. vendor-
(LTE) convert
id="0x1e0e" device-
er
id="0x9001"
Works! PPP interface.
And starting with v7.xx it
v6.xx(pp
Sierra wireless will support LTE MiniPC
p) v7.xx N LTE
MC73xx interface. MC7304 tested I-e
(LTE)
with firmware
SWI9X15C_05.05.67.00
Not supported in ROS v6,
Vodafone (Huawei)
v7.xx but as this modem USB ? LTE
K4203
supports MBIM drivers
Tested
Route Passthr
For Technol
mat ogies
versio support
n
support will be possible in

ROS v7.
Works! LTE interface.
vendor-id="0x12d1"
device-id="0x14dc" There
is different versions of this
modem available, not all
work under RouterOS.
Only cdc_ecm and Serial
modems are supported.
Huawei E3372 v6.xx USB Y LTE
Modem firmware upgrade
may be necessary. For ppp
mode send
AT^SETPORT="FF,12,1,
16" data-channel=1 info-
channel=0, other modes
are explained in modems
manual.
Works! LTE interface
Huawei E8372 v6.28 only. vendor-id="0x12d1" USB ? LTE
device-id="0x14db"
ppp interface,
MiniPC
Telit LE910 v6.xx vendorid=0x1bc7 ? LTE
I-e
deviceid=0x1201
ppp interface, there is page
MiniPC
Quectel EC20/EC21 v6.xx in wiki about ? LTE
I-e
Quactel: article
ppp/LTE interface, there is
MiniPC
Quectel EC25 v6.39 page in wiki about ? LTE
I-e
Quactel: article
ppp/LTE interface, there is
MiniPC
Quectel EP06 v6.42 page in wiki about ? LTE
I-e
Quactel: article
Huawei E3276-150 v6.xx ppp interface USB ? LTE
v6.40RC MiniPC
ZTE ME3630-E ppp interface ? LTE
26 I-e
LTE interface with
Ethernet emulation (no
v6.40RC MiniPC
Jaton MT421e [14] configuration possible), ? LTE
32 I-e
LTE supported bands
42/43
Tested
Route Passthr
For Technol
mat ogies
versio support
n
Huawei E5673s-609 v6.xx LTE interface USB ? LTE

v6.41RC
Novatel USB730L LTE interface USB ? LTE
6
LTE interface, Modem can
v6.41RC be configured only
Alcatel IK40 USB ? LTE
11 through modems
configuration WEB page.
v6.41RC
Olivetti Olicard 500 ppp interface USB ? LTE
11
MIFI unit. No serial
Netgear Unite
v6.41 support, but works with IP USB Y LTE
Explore 815S
on LTE interface.
LTE interface. Supports
MiniPC
R11e-LTE v6.39.2 multiple APN Y LTE
I-e
passthrough.
LTE interface. Old version
SXT LTE v6 Built-in N LTE
of SXT LTE
LTE interface from R11e-
SXT LTE kit v6.42 LTE/R11e-LTE-US mini- Built-in Y LTE
pcie module
MiniPC
Quectel UC15 v6.xx Works, ppp interface 3G
I-e
MiniPC
Quectel UC20 v6.xx Works, ppp interface 3G
I-e
MiniPC
Works! Using PPP
I-e /
interface, vendor-
SIMcom SIM5360 v6.xx USB w/ 3G
id="0x05c6" device-
convert
id="0x9000"
er
Works! ppp interface,
Huawei E171 v6.xx vendorid=0x12d1 USB 3G
deviceid=0x140c
Works! Data Channel: 2,
Info Channel: 3,Modem
Init: AT+CFUN=1,
vendor-id="0x2001"
D-link DWM-157 v6.xx USB 3G
device-id="0x7d02" Some
info from modem: > H/W
Ver.: B1, F/W Ver.:
2.0.1eu, revision:
Tested
Route Passthr
For Technol
mat ogies
versio support
n
+CGMR:
MOLY.WR8.W1231.DC.
WG.MP.V3, 2013/04/09
02:08 Different HW
revisions might not work
with RouterOS
( aka "USB Wireless
HSDPA/UMTS 2.1GHz
AnyData ADU-
v6 GSM/GPRS/EGPRS USB 3G
E630WH
900/17000MHz/CDMA 1x
EVDO Rev.A")
v6.x and MiniPC
Ericsson F5521gw 3G
higher I-e
ZTE AC5730 v6.x USB 3G
v6.31<
Huawei E153 and USB 3G
higher
Set info channel = 2, data
v6.28 and
ZTE MF110 channel = 2, Dial USB 3G
higher
command=ATM1L3DT
Set Info channel = 1, Data
ZTE 821D v6.x channel = 3, Dial USB 3G
command=ATDT
There are different
versions of this modem
v6.24 or
E3531-6 works from
Huawei E3531 6.40RC2 USB 3G
version 6.40RC25 as ppp,
5
mbim supported only from
RouterOS V7
v6.24 and
Huawei E3351 USB 3G
higher
Data channel 0, Info
channel 0, init:
Dell Wireless 5530 v6.1 and MiniPC
AT+CFUN=1 (needs 3G
HSPA higher I-e
manualy change profile by
command AT*ENAP=1,1)
Data Channel=2, Info
Telecom NZ T-Stick Channel=2, APN
v6.0rc13 USB 3G
ZTE MF-181 internet.telecom.co.nz,
PHONE=*99#. Tested ok
Tested
Route Passthr
For Technol
mat ogies
versio support
n
for both data and SMS on

CCR1016-12G
Data channel 2, Info
channel 2, Modem init:
AT+CGATT=0, Dial-
Sierra Wireless v6.xx and MiniPC
command: LTE
MC7430 higher I-e
AT+CGATT=1;D*99#,
also needs 3.0 pins taped
(PINS:23,25,27,31,33)
Customer tested the

Sierra Netgear
6.41 modem with firmware USB N LTE
AirCard 320U [15]
03.05.23
Note: Not all modems are listed. Localized and locked units may have compatibility issues.
SFP modules
Wor
Bran Connector/ Tested ks /
Model Rate Wavelength
d Cable type with Does
n't
*Check: SFP/
Nativel
SFP+
MikroTi y
S-85DLC05D 1,25G Dual LC, MM 850nm compatibility
k support
reference
ed
table
*Check: SFP/
Nativel
SFP+
MikroTi y
S-31DLC20D 1,25G Dual LC, SM 1310nm compatibility
k support
reference
ed
table
Wor
n't
*Check: SFP/
Nativel
SFP+
MikroTi Tx:1310nm/Rx:1 y
S-35LC20D 1,25G BiDi LC, SM compatibility
k 550nm support
reference
ed
table
*Check: SFP/
Nativel
SFP+
MikroTi Tx:1550nm/Rx:1 y
S-53LC20D 1,25G BiDi LC, SM compatibility
k 310nm support
reference
ed
table
*Check: SFP/
Nativel
SFP+
MikroTi 1000/100 RJ45, y
S-RJ01 N/A compatibility
k /10 Cat5/Cat6 support
reference
ed
table
1000BA CRS125-
Axiom AXG91632 Dual LC 1310nm Works!
SE-LX 24G-1S-RM
10/100/1 RB2011LS-
Finisar FCLF-8521-3 RJ45, Cat6 N/A Works!
000 IN
FCLF-8521- 10/100/1 RB2011LS-

Finisar RJ45, Cat6 N/A Works!
3-MD 000 IN
10/100/1
000 1.25
FTRJ8519P1 Gb/s RB2011LS-
Finisar Dual LC, MM 850nm Works!
BNL-B1 1000Bas IN
e-SX
Ethernet
Wor
n't
10/100/1
000 1.25
FTLF8519P2 Gb/s RB2011LS-
Finisar Dual LC, MM 850nm Works!
BNL 1000Bas IN
e-SX
Ethernet
CCR1009-
1.25Gb/s
8G-1S-1S+
FTRJ1319P1 1000Bas
Finisar Dual LC, SM 1310nm and Works!
BTL e-LX
CCR1009-
Ethernet
7G-1C-1S+
RB2011LS-
Unica SFP-1.25G-T 1000M RJ45, Cat6 N/A Works!
IN
FTLX8571D3 RB2011LS-
Dell 1,25G Dual LC, MM 850nm Works!
BCL IN
GP-3124- RB2011LS-
Unica 1,25G Dual LC, MM 1310nm Works!
L2CD-C IN
RB2011LS-
Cisco GLC-T 1.25G RJ45, Cat6 N/A Works!
IN
1000BA
SE-SX
SFP
transceiv
RB2011LS-
Cisco GLC-SX-MM er Dual LC, MM 850nm Works!
IN
module
for
MMF,
1.25G
Wor
n't
1000BA
SE-
LX/LH
SFP
Various MT
Cisco SFP-GE-L transceiv Dual LC, SM 1300nm Works!
hardware
er
module
for SMF,
1.25G
10/100/1 RB2011LS-
6COM 6C-SFP-T RJ45, Cat6 N/A Works!
000 IN
6C-WDM- Tx:1550nm/Rx:1 RB2011LS-

6COM 1,25G BiDi SC, SM Works!
0210BSD 310nm IN
6C-WDM- Tx:1310nm/Rx:1 RB2011LS-

6COM 1,25G BiDi SC, SM Works!
0210ASD 550nm IN
6C-SFP- RB2011LS-
6COM 1,25G Dual LC, MM 1310nm Works!
0310D IN
6C-SFP- RB2011LS-
6COM 1,25G Dual LC, MM 850nm Works!
0301D IN
INSP-
10/100/1 RB2011LS-
Ingellen T(10/100/100 RJ45, Cat6 N/A Works!
000 IN
0)
INSPL-53- RB2011LS-
Ingellen 1,25G BiDi LC, MM 1550/1310 Works!
BX IN
Wor
n't
INSPL-35- RB2011LS-
Ingellen 1,25G BiDi LC, MM 1310/1550 Works!
BX IN
RB2011LS-
Ingellen INSP-LX-SM 1,25G Dual LC, SM 1310nm Works!
IN
INSP-SX- RB2011LS-
Ingellen 1,25G Dual LC, MM 850nm Works!
MM IN
AXGT-R1T4- 10/100/1 RB2011LS-

AXCEN RJ45, Cat6 N/A Works!
05I1 000 IN
AXGD-37А4- Tx:1550nm/Rx:1 RB2011LS-

AXCEN 1,25G BiDi LC, MM Works!
0531 310nm IN
AXGD-16А4- Tx:1310nm/Rx:1 RB2011LS-

AXCEN 1,25G BiDi LC, MM Works!
0531 550nm IN
AXGD-1354- RB2011LS-
AXCEN 1,25G Dual LC, MM 1310nm Works!
0531 IN
AXGD-5854- RB2011LS-
AXCEN 1,25G Dual LC, MM 850nm Works!
0511 IN
RB2011LS-
TP-Link TL-SM311LS 1,25G Dual LC, SM 1310nm Works!
IN
TL- CCR1036
TP-Link 1,25G Dual LC, MM 850nm Works!
SM311LM 12G-4S
Wor
n't
RB2011UAS-
OPTIC-SFP- Tx:1310nm/Rx:1
OPTIC 1,25G BiDi SC, SM RM, Works!
3524S-02-SC 550nm
RB260GS
RB2011UAS-
OPTIC-SFP- Tx:1550nm/Rx:1
OPTIC 1,25G BiDi SC, SM RM, Works!
5324S-02-SC 310nm
RB260GS
OPTIC-SFP- RB2011UAS-
Tx:1310nm/Rx:1
OPTIC S1203- 1,25G BiDi LC, SM RM, Works!
550nm
L3302-LC RB260GS
OPTIC-SFP- RB2011UAS-
Tx:1550nm/Rx:1
OPTIC S1205- 1,25G BiDi LC, SM RM, Works!
310nm
L3302-LC RB260GS
CCR1036-
ROBOFi
SFP-7120-55 1,25G Dual LC, SM 1550nm 12G-4S, Works!
ber
RB2011
ROBOFi SFP-7120- Tx:1490nm/Rx:1 CCR,

1,25G BiDi LC, MM Works!
ber WA 550nm RB2011
ROBOFi SFP-7120- Tx:1550nm/Rx:1 CCR,

1,25G BiDi LC, MM Works!
ber WB 490nm RB2011
SFP- CCR,
Tx:1310nm/Rx:1
Enguity 3647603KM. 1,25G BiDi LC, SM RB2011, Works!
550nm
b1310 XT RB260GS
SFP- CCR,
Tx:1550nm/Rx:1
310nm
b1550 XT RB260GS
Wor
n't
SFP- CCR,
Tx:1490nm/Rx:1
550nm
b1490 XT RB260GS
SFP- CCR,
Tx:1550nm/Rx:1
490nm
b1550 XT RB260GS
CCR,
AdvOpti Tx:1310nm/Rx:1
GLC-SX-MM 1,25G BiDi LC, MM RB2011, Works!
cs MSA 310nm
RB260GS
CCR,
AdvOpti Tx:1310nm/Rx:1
GLC-ZX-SM 1,25G BiDi LC, SM RB2011, Works!
cs MSA 310nm
RB260GS
GLC-BX- Tx:1490nm/Rx:1
Proline 1,25G BiDi LC, SM CRS125 Works!
D20-PRO 310nm
GLC-BX- Tx:1310nm/Rx:1
Proline 1,25G BiDi LC, SM CRS125 Works!
D40-PRO 490nm
Foundry
E1MG-BXU- Tx:1310nm/Rx:1 RB3011UiAS
Network 1,25G BiDi LC, SM Works!
AC 490nm , hAP ac
s
Works
SFBR- CRS326, in
Avago 1,25G Dual LC, MM 850nm
5799APZ CRS112 1Gbps
mode!
SFP+ modules
Wo
Connect Test rks
Bra Dist Wavelengt
Model Rate or/Cable ed /
nd ance h
type with Doe
sn't
All
MikroT
ik
Native
product
Mikro S+85DLC0 Dual LC, ly
300m 10G 850nm s with
Tik 3D MM suppor
SFP/SF
ted
P+
interfac
es
All
MikroT
ik
Native
product
Mikro S+31DLC1 Dual LC, ly
10km 10G 1310nm s with
Tik 0D SM suppor
SFP/SF
ted
P+
interfac
es
All
MikroT
ik
Native
product
Mikro S+23LC10 BiDi LC, Tx:1270nm/R ly
10km 10G s with
Tik D SM x:1330nm suppor
SFP/SF
ted
P+
interfac
es
All
MikroT
ik
Native
product
Mikro S+32LC10 BiDi LC, Tx:1330nm/R ly
10km 10G s with
Tik D SM x:1270nm suppor
SFP/SF
ted
P+
interfac
es
Wo
Connect Test rks
Bra Dist Wavelengt
nd ance h
type with Doe
sn't
All
MikroT
ik
Native
product
Mikro Twinax ly
S+DA0001 1m 10G N/A s with
Tik Copper suppor
SFP/SF
ted
P+
interfac
es
All
MikroT
ik
Native
product
Mikro Twinax ly
S+DA0003 3m 10G N/A s with
Tik Copper suppor
SFP/SF
ted
P+
interfac
es
various
,
All
depend
MikroT
ing on
ik Native
link RJ45 -
Mikro 10G/5G/2.5G/1G product ly
S+RJ10 rate. Cat5E/Cat6/ N/A
Tik /100M/10M s with suppor
Check Cat7
SFP+ ted
brochu
interfac
re for
es
more
details
CRS
series,
Does
APSP55B3 Dual LC, CCR
Atop 40km 10G 1550nm NOT
0CDL40 SM series
work!
devices
with
SFP+
Wo
Connect Test rks
Bra Dist Wavelengt
nd ance h
type with Doe
sn't
interfac
es
SFP-10G- Dual LC, RB201 Works

Cisco 10km 10G 1310nm
LR SM 1LS-IN !
Most of
SFP/SF
Dell P+
FTLX8571 Dual LC, Works
(Finis 300m 10G 850nm MikroT
D3BCL MM !
ar) ik
product
s
Most of
SFP/SF
Junipe
P+
r FTLX8571 Dual LC, Works
300m 10G 850nm MikroT
(Finis D3BCL-J1 MM !
ik
ar)
product
s
Most of
SFP/SF
Intel P+
FTLX8571 Dual LC, Works
(Finis 300m 10G 850nm MikroT
D3BCV-IT MM !
ar) ik
product
s
Most of
SFP/SF
OEM EX-SFP- P+
Dual LC, Works
(Junip 10GE-SR- 300m 10G 850nm MikroT
MM !
er?) OEM ik
product
s
Wo
Connect Test rks
Bra Dist Wavelengt
nd ance h
type with Doe
sn't
CRS
series,
CCR
series
Fibers SFP- Dual LC, Works
40km 10G 1310nm devices
tore 10G31-40 SM !
with
SFP+
interfac
es
CRS
series,
CCR
series
Fibers SFP- Dual LC, Works
40km 10G 1310nm devices
tore 10G55-40 SM !
with
SFP+
interfac
es
CRS
series,
CCR
series
Fibers SFP- BiDi LC, Tx:1330nm/R Works
40km 10G devices
tore 10G32-40 SM x:1270nm !
with
SFP+
interfac
es
CRS
series,
CCR
series
Fibers SFP- BiDi LC, Tx:1270nm/R Works
40km 10G devices
tore 10G23-40 SM x:1330nm !
with
SFP+
interfac
es
Wo
Connect Test rks
Bra Dist Wavelengt
nd ance h
type with Doe
sn't
CCR, Works
CCR, ,
CSS startin
series g with
Optec OPAK- RJ45 - Cat
30m 10G N/A devices v6.40r
h TX1-00-C 6a/7 Cable
with c20
SFP+ Router
interfac OS
es build.
CCR, Works
CCR, ,
CSS startin
series g with
ProLa SFP-10G- RJ45 - Cat
30m 10G N/A devices v6.40r
bs T-C 6a/7 Cable
with c20
SFP+ Router
interfac OS
es build.
Categories:
 RouterBOARD
 Manual
 Basic
 Hardware
Manual:CHR
Contents
[hide]
 1Cloud Hosted Router

 2System Requirements
o 2.1Minimal requirements:
o 2.2CHR has been tested on the following platforms:
o 2.3Usable Network and Disk interfaces on various hypervisors:
 3How to Install CHR
o 3.1Steps to install CHR
o 3.2Installing CHR
 4CHR Licensing
o4.1Paid licenses
 4.1.1p1
 4.1.2p10
 4.1.3p-unlimited
o 4.2Free licenses
 4.2.1free
 4.2.260-day trial
 5Getting the License
o 5.1Upgrade from free to p1 or higher
o 5.2Upgrade from higher tier up
 6License Update
 7Troubleshooting
o 7.1Running on VMware ESXi
 7.1.1Changing MTU
o 7.2Using bridge on Linux
o 7.3Packets not passing from guests
o 7.4Using vlans on CHR in various Hypervisors
 7.4.1ESXI
 7.4.2Hyper-V
 7.4.3bhyve hypervisor
 7.4.4Linode
 8Guest tools
o 8.1VMWare
 8.1.1Time synchronization
 8.1.2Power operations
 8.1.3Quiescing/backup
 8.1.4Guest info
 8.1.5Provisioning
 8.1.5.1Python example
o 8.2Xen
 8.2.1Provisioning
o 8.3KVM
 8.3.1Proxmox
 8.3.2Guest agent python example
Cloud Hosted Router

Cloud Hosted Router (CHR) is a RouterOS version intended for running as a virtual machine. It
supports the x86 64-bit architecture and can be used on most of the popular hypervisors such
as VMWare, Hyper-V, VirtualBox, KVM and others. CHR has full RouterOS features enabled
by default but has a different licensing model than other RouterOS versions.
System Requirements
Minimal requirements:
 RouterOS version 6.34 or later installed

 64bit CPU with virtualization support
 128 MB or more RAM for the CHR instance
 128 MB disk space for the CHR virtual hard drive
 Maximum supported system disk image size is 16GB
Note: Minimal requirement is 128MB of RAM to complete the self-installation process.
CHR has been tested on the following platforms:
 VirtualBox 5 on Linux and OS X

 VMWare Fusion 7 and 8 on OS X
 VMWare ESXi 6.5
 Qemu 2.4.0.1 on Linux and OS X
 Hyper-V on Windows Server 2008r2, 2012 and Windows 10 (Only Generation 1 Hyper-V
virtual machine is supported at the moment)
 Xen Project 4.6.5
 Xen Server 7.1
Warning: Hypervisors that provide paravirtualization are not supported.
Usable Network and Disk interfaces on various hypervisors:
 ESX:
 Network: vmxnet3, E1000
 Disk: IDE, VMware paravirtual SCSI, LSI Logic SAS, LSI Logic Parallel
 Hyper-V:
 Network: Network adapter, Legacy Network adapter
 Disk: IDE, SCSI
 Qemu/KVM:
 Network: Virtio, E1000, vmxnet3 (optional)
 Disk: IDE, Sata, Virtio
 Xen Project:
 Network: E1000, rtl8193, netfront
 Disk: IDE, Sata
 VirtualBox
 Network: E1000, rtl8193
 Disk: IDE, Sata, SCSI, SAS
Note: SCSI controller Hyper-V and ESX is usable just for secondary disks, system image must
be used with IDE controller!
Warning: We do not recommend using E1000 network interface if better synthetic interface
options are available on specific Hypervisor!
How to Install CHR

We provide 4 different virtual disk images to choose from. Note that they are only disk images,
and you can't simply run them.
 RAW disk image (.img file)

 VMWare disk image (.vmdk file)
 Hyper-V disk image (.vhdx file)
 VirtualBox disk image (.vdi file)
Steps to install CHR
1. Download virtual disk image for your hypervisor

2. Create a guest virtual machine
3. Use previously downloaded image file as a virtual disk drive
4. Start the guest CHR virtual machine
5. Log in to your new CHR. Default user is 'admin', without password
Please note that running CHR systems can be cloned and copied, but the copy will be aware of
the previous trial period, so you cannot extend your trial time by making a copy of your CHR.
However, you are allowed to license both systems individually. To make a new trial system,
you need to make a fresh installation and reconfigure RouterOS.
Installing CHR
 VMWare Fusion / Workstation and ESXi 6.5

 VirtualBox
 Hyper-V
 Amazon Web Services (AWS)
 Linode
 Google Compute Engine
 ProxMox
CHR Licensing
The CHR has 4 license levels:
 free
 p1 perpetual-1 ($45)
 p10 perpetual-10 ($95)
 p-unlimited perpetual-unlimited ($250)
60-day free trial license is available for all paid license levels. To get the free trial license, you
have to have an account on MikroTik.com as all license management is done there.
Perpetual is a lifetime license (buy once, use forever). It is possible to transfer a perpetual
license to another CHR instance. A running CHR instance will indicate the time when it has to
access the account server to renew it's license. If the CHR instance will not be able to renew
the license it will behave as if the trial period has ran out and will not allow an upgrade of
RouterOS to a newer version.
After licensing a running trial system, you must manually run the /system license
renew function from the CHR to make it active. Otherwise the system will not know you have
licensed it in your account. If you do not do this before the system deadline time, the trial will
end and you will have to do a complete fresh CHR installation, request a new trial and then
license it with the license you had obtained.
License
Free 1Mbit
P1 1Gbit
P10 10Gbit
P-Unlimited Unlimited
Paid licenses
p1
p1 (perpetual-1) license level allows CHR to run indefinitely. It is limited to 1Gbps upload per
interface. All the rest of the features provided by CHR are available without restrictions. It is
possible to upgrade p1 to p10 or p-unlimited After the upgrade is purchased the former license
will become available for later use on your account.
p10
p10 (perpetual-10) license level allows CHR to run indefinitely. It is limited to 10Gbps upload
per interface. All the rest of the features provided by CHR are available without restrictions. It is
possible to upgrade p10 to p-unlimited After the upgrade is purchased the former license will
become available for later use on your account.
p-unlimited
The p-unlimited (perpetual-unlimited) license level allows CHR to run indefinitely. It is the
highest tier license and it has no enforced limitations.
Free licenses
There are several options to use and try CHR free of charge.
free
The free license level allows CHR to run indefinitely. It is limited to 1Mbps upload per interface.
All the rest of the features provided by CHR are available without restrictions. To use this, all
you have to do is download disk image file from our download page and create a virtual guest.
60-day trial
In addition to the limited Free installation, you can also test the increased speed of P1/P10/PU
licenses with a 60 trial.
You will have to have an account registered on MikroTik.com. Then you can request the
desired license level for trial from your router that will assign your router ID to your account and
enable a purchase of the license from your account. All the paid license equivalents are
available for trial. A trial period is 60 days from the day of acquisition, after this time passes,
your license menu will start to show "Limited upgrades", which means that RouterOS can no
longer be upgraded.
If you plan to purchase the selected license, you must do it within 60 days of the trial end date.
If your trial ends, and there are no purchases within 2 months after it ended, the device will no
longer appear in your MikroTik account. You will have to make a new CHR installation to make
a purchase within the required time frame.
To request a trial license, you must run the command "/system license renew" from the CHR
device command line. You will be asked for the username and password of your mikrotik.com
account.
Warning: If you plan to use multiple virtual systems of the same kind, it may be possible that
the next machine has the same systemID as the original one. This can happen on certain cloud
providers, such as Linode. To avoid this, after your first boot, run the command "/system
license generate-new-id" before you request a trial license.
Getting the License

After the initial setup a CHR instance will have a free license assigned. From there, it is
possible to upgrade the license to a higher tier. Once you have a trial license all the work with
the license is done on the account server where it is possible to upgrade license to a higher tier
unless it is p-unlimited already.
Upgrade from free to p1 or higher
Initial upgrade from the free tier to anything higher than that incurs CHR instance registration
on the account server. To do that you have to enter your MikroTik.com username and
password and a desired license level you want to acquire. As a result, a CHR ID number will
be assigned to your account on the account server and 60-day trial created for that ID. There
are 2 ways to obtain a license - using WinBox or RouterOS command line interface:
Using WinBox (Sytem -> License menu):
Using command line interface:
[admin@MikroTik] > /system license print

system-id: 6lR1ZP/utuJ
level: free
[admin@MikroTik] > /system license renew

account: mymikrotikcomaccount
password: *********************
level: p1
status: done
[admin@MikroTik] > /system license print

system-id: 6lR1ZP/utuJ
level: p1
next-renewal-at: jan/10/2016 21:59:59
deadline-at: feb/09/2016 21:59:59
To acquire a higher level trial, set up a new CHR instance, renew the license and select the
desired level.
To upgrade from a Trial license to Paid go to MikroTik.com account server and choose
'all keys' in Cloud Hosted Router (CHR) section:
You will be presented with a list of your CHR machines and licenses:
To upgrade from a Trial to a Paid license click 'Upgrade', choose the desired license
level (it can be different than the level of the trial license) and click 'Upgrade key':
Choose the payment method:
It is possible to pay using account balance (deposit), credit card (CC), PayPal or using
Balance (prepaid) key (if you have any).
Upgrade from higher tier up
Only an upgrade to a higher tier is possible at the moment (for paid licenses only) and that is
done in the account server. For changes to take place on the router itself renew command
should be issued. When the router already has any kind of trial or paid license, the license level
you set for the renew command is not important anymore, it is mandated by the account
server. Possible upgrades are as follows:
 p1 upgrade to p10
 p1 upgrade to p-unlimited
 p10 upgrade to p-unlimited
License Update
In '/system license' menu router will indicate the time next-renewal-at when it will attempt to
contact server located on licence.mikrotik.com. Communication attempts will be performed
once an hour after the date on next-renewal-at and will not cease until the server responds with
an error. If deadline-at date is reached without successfully contacting the account server, the
router will consider that license has expired and will disallow further software updates.
However, router will continue to work with the same license tier as before.
Troubleshooting
Running on VMware ESXi
Changing MTU
VMware ESXi supports MTU of up to 9000 bytes. To get the benefit of that, you have to adjust
your ESXi installation to allow a higher MTU. Virtual Ethernet interface added after the MTU
change will be properly allowed by the ESXi server to pass jumbo frames. Interfaces added
prior to MTU change on the ESXi server will be barred by the ESXi server (it will still report old
MTU as maximum possible size). If you have this, you have to re-add interfaces to the virtual
guests.
Example. There are 2 interfaces added to the ESXi guest, auto-detected MTU on the
interfaces show MTU size as it was at the time when the interface was added:
[admin@chr-vm] > interface ethernet print

Flags: X - disabled, R - running, S - slave
# NAME MTU MAC-ADDRESS ARP
0 R ether1 9000 00:0C:29:35:37:5C enabled
1 R ether2 1500 00:0C:29:35:37:66 enabled
Using bridge on Linux

If Linux bridge supports IGMP snooping, and there are problems with IPv6 traffic it is required
to disable that feature as it interacts with MLD packets (multicast) and is not passing them
through.
echo -n 0 > /sys/class/net/vmbr0/bridge/multicast_snooping
Packets not passing from guests

The problem: after configuring a software interface (VLAN, EoIP, bridge, etc.) on the guest
CHR it stops passing data to the outside world beyond the router.
The solution: check your VMS (Virtualization Management System) security settings, if other
MAC addresses allowed to pass if packets with VLAN tags allowed to pass through. Adjust the
security settings according to your needs like allowing MAC spoofing or certain MAC address
range. For VLAN interfaces, it is usually possible to define allowed VLAN tags or VLAN tag
range.
Using vlans on CHR in various Hypervisors
In some of hypervisors before Vlans can be used on VMs they need to first be configured on
hypervisor it self.
ESXI
Enable Promiscuous mode in port group or virtual switch that you will use for specific VM.
ESX documentation:
 https://kb.vmware.com/kb/1002934
 https://kb.vmware.com/kb/1004099
Hyper-V
Hyper-V documentation:
 https://technet.microsoft.com/en-us/library/cc816585(v=ws.10).aspx#Anchor_2
bhyve hypervisor
It wont be possible to run CHR on this hypervisor. CHR cannot be run as paravirtualized
platform.
Linode
When creating multiple Linodes with the same disk size, new Linodes will have the same
systemID. This will cause issues to get a Trial/Paid license. To avoid this, run the
command /system license generate-new-id after the first boot and before you request
a trial or paid license. This will make sure the ID is unique.
Some useful articles:

Specific vlan is untagged by nic interface:
 https://blogs.msdn.microsoft.com/adamfazio/2008/11/14/understanding-hyper-v-vlans/
 http://www.aidanfinn.com/?p=10164
Allow passing other vlans:
 https://social.technet.microsoft.com/Forums/windows/en-US/79d36d5b-c794-4502-8ed4-
b7a4183b1891/vlan-tags-and-hyperv-switches?forum=winserverhyperv
Guest tools
VMWare
Time synchronization
Must be enabled from GUI ('Synchronize guest time with host'). Backwards synchronization is
disabled by default - if guest is ahead of host by more than ~5 seconds, synchronization is not
performed
Power operations
 poweron and resume scripts are executed (if present and enabled) after poweron and
resume operations respectively.
 poweroff and suspend scripts are executed before poweroff and suspend operations
respectively.
 If scripts take longer than 30 seconds or contain errors, the operation fails
 In case of failure, retrying the same operation will ignore any errors and complete
successfully
 Failed script output is saved to file (e. g. 'poweroff-script.log', 'resume-script.log' etc)
 Scripts can be enabled/disabled from hypervisor GUI ('run VMware Tools Scripts') or by
enbaling/disabling scripts from console
Quiescing/backup
Guest filesystem quiescing is performed only if requested.
 freeze script is executed before freezing the filesystem

 freeze-fail script is executed if hypervisor failed to prepare for snapshot or if freeze script
failed
 thaw script is executed after snapshot has been taken
 Script run time is limited to 60 seconds
 freeze script timeouts and errors result in backup operation being aborted
 FAT32 disks are not quiesced
 Failed script output is saved to file (e. g. 'freeze-script.log', 'freeze-fail-script.log', 'thaw-
script.log')
Guest info
Networking, disk, and OS info is reported to hypervisor every 30 seconds (GuestStats
(memory) are disabled by default, can be enabled by setting 'guestinfo.disable-perfmon =
"FALSE"' in VM config).
 The order, in which network interfaces are reported, can be controlled by setting
'guestinfo.exclude-nics', 'guestinfo.primary-nics' and 'guestinfo.low-priority-nics' options.
Standard wildcard patterns can be used.
Provisioning
Can use the ProcessManager from vim API to execute scripts. Python bindings are available
 Main data structure: GuestProgramSpec

 The workingDirectory and envVariables members are ignored
 programPath must be set to either 'inline' or 'import'
 If programPath is 'inline', arguments are interpreted as script text
 If programPath is 'import', arguments are interpreted as file path
After using GuestProgramSpec together with an instance of GuestAuthentication as arguments
to StartProgramInGuest unique JobID is obtained.
Script progress can be tracked by using
the ListProcessesInGuest command. ListProcessesInGuest accepts an array of job id's;
passing an empty array will report on all jobs started from API
 ListProcessesInGuest returns an array of GuestProcessInfo instances:

 pid field is set to JobID
 endTime is only set after completion
 exitCode is set to 0 on success and -1 on error
 name is set to 'inline' or 'import' (same as programPath in GuestProgramSpec)
Information about completed jobs is kept around for ~1 minute, or
untill ListProcessesInGuest (with the corresponding JobID) is called. If the script fails, a file
named 'vix_job_$JobID$ .txt' containing the script output is created. Script run time is limited to
120 seconds and script output is not saved on timeout,
 The vmrun command runScriptInGuest can also be used

 The PowerCLI cmdlet Invoke-VMScript is not supported
 Host/guest file transfer is not supported
Python example
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys,time
from pyVim import connect
from pyVmomi import vmodl,vim
def runInline(content,vm,creds,source):
''' Execute script source on vm '''
if isinstance(source, list):
source = '\n'.join(source)
ps = vim.vm.guest.ProcessManager.ProgramSpec(
programPath = 'console',
arguments = source
)
return
content.guestOperationsManager.processManager.StartProgramInGuest(vm,cr
eds,ps)
def runFromFile(content,vm,creds,fileName):
''' Execute script file located on CHR '''
ps = vim.vm.guest.ProcessManager.ProgramSpec(
programPath = 'import',
arguments = fileName
)
return
content.guestOperationsManager.processManager.StartProgramInGuest(vm,cr
eds,ps)
def findDatastore(content,name):
sessionManager = content.sessionManager
dcenterObjView =
content.viewManager.CreateContainerView(content.rootFolder,
[vim.Datacenter], True)
datacenter = None
datastore = None
for dc in dcenterObjView.view:
dstoreObjView = content.viewManager.CreateContainerView(dc,
[vim.Datastore], True)
for ds in dstoreObjView:
if ds.info.name == name:
datacenter = dc
datastore = ds
break
dstoreObjView.Destroy()
dcenterObjView.Destroy()
return datacenter,datastore
def _FAILURE(s,*a):
print(s.format(*a))
sys.exit(-1)
#----------------------------------------------------------------------
--------#
if __name__ == '__main__':
host = sys.argv[1] # ip or something
user = 'root'
pwd = 'MikroTik'
vmName = 'chr-test'
dataStoreName = 'datastore1'
service = connect.SmartConnectNoSSL(host=host,user=user,pwd=pwd)
if not service:
_FAILURE("Could not connect to the specified host using
specified username and password")
content = service.RetrieveContent()
#------------------------------------------------------------------
---------
# Find datacenter and datastore
datacenter,datastore = findDatastore(content,dataStoreName)
if not datacenter or not datastore:

connect.Disconnect(service)
_FAILURE('Could not find datastore \'{}\'',dataStorename)
#------------------------------------------------------------------
---------
# Locate vm
vmxPath = '[{0}] {1}/{1}.vmx'.format(dataStoreName, vmName)

vm = content.searchIndex.FindByDatastorePath(datacenter, vmxPath)
if not vm:
_FAILURE("Could not locate vm")
#------------------------------------------------------------------
---------
# Setup credentials from user name and pasword
creds = vim.vm.guest.NamePasswordAuthentication(username = 'admin',

password = '')
#------------------------------------------------------------------
---------
# Run script
pm = content.guestOperationsManager.processManager
try:
# Run script
src = [':ip address add address=192.168.0.1/24
interface=ether1;']
jobID = runInline(content, vm, creds, src)
# Or run file (from FTP root)

# jobID = runFromFile(content,vm,creds,
'scripts/provision.rsc')
#--------------------------------------------------------------
-------------
# Wait for job to finish
pm = content.guestOperationsManager.processManager
jobInfo = pm.ListProcessesInGuest(vm, creds, [jobID])[0]
while jobInfo.endTime is None:
time.sleep(1.0)
jobInfo = pm.ListProcessesInGuest(vm, creds, [jobID])[0]
if jobInfo.exitCode != 0:
_FAILURE('Script failed!')
except:
raise
else:
Xen
Network, disk, memory and OS info is reported to hypervisor every 30 seconds
 On older hosts (pre 21.06.2017) only the first ipv4 address assigned to interface is visible
Provisioning
Base-64 encoded strings written to (domain local) xenstore path ('vm-data/provision/script') are
decoded and interpreted a script-text. Status ('ready', 'running', 'error') is reported in 'vm-
data/provision/script/status'. Scripts are accepted only if 'status' != 'running'. Base 64 encoded
script output (if any) is written to 'vm-data/provision/script/otuput'.
 When creating a VM scripts can be provided by using xenapi (VM.add_to_xenstore_data)

KVM
QEMU guest agent is available. Supported agent commands can be retrieved by using guest-
info command. Host-guest file transfer can be performed by using guest-file-* commands.
Guest networking information can be retrieved by using the guest-network-get-
interfaces command.
 Scripts can be executed by using the guest-exec command together with

the GuestExec data structure:
 If the path member is provided, the corresponding file is executed
 If the path member is not set and input-data member is provided, input-data value is
used as script input
 If capture-output is set, script output is reported back
 args and env members are not used
 Script job progress can be monitored with guest-exec-status command.

The GuestExecStatus data structure is populated as follows:
 On success exitcode member is set to 0
 If the script timed out exitcode is set to 1
 If the script contained errors exitcode is set to -1
 signal member is not set
 The err-data member is not used
 If capture-output was true, Base64 encoded script output is stored in out-data
 Enabling guest agent in libvirt

 An additional agent channel ('chr.provision_channel') is also available
Proxmox
Some agent commands can be issued by using Proxmox REST api. Guest filesystem
quiescing is automatically performed when taking a snapshot
 Enabling guest agent on proxmox
 Enabling 'chr.provision-agent' for remote access on port 1234

In host shell:
vmid=256
hostip=192.168.0.1
portnum=1234
qm set $vmid --args "-chardev
'socket,host=$hostip,port=$portnum,id=chr-agent,server,nowait' -device
'virtio-serial,bus=pci.0,addr=0x9' -device 'virtserialport,chardev=chr-
agent,name=chr.provision_agent'"
 Disabling 'chr.provision-agent'
In host shell:
vmid=256
qm set $vmid --delete args
 Providing remote access to default agent on port 1234

In host shell:
vmid=256
portnum=1234
socat TCP-LISTEN:$portnum,reuseaddr,fork UNIX-CLIENT:/run/qemu-
server/$vmid.qga
Guest agent python example
import os,time,base64,json,socket,select,errno
class GuestAgent(object):
'''
Qemu guest agent interface
runScript and runFile commands are tailored for ROS agent
implementation
Transport provided by derived classes (transact method)
'''
def __init__(self,**kwargs):
# Due to file contents being passed as base64 inside json:
# - large chunk sizes may slow down guest-side parsing.
# - small chunk sizes result in additional message
fragmentation overhead.
# Default value is a guestimate.
self.__chunkSize = kwargs.get('chunkSize', 4096)
def _qmpError(self,cls,msg):
''' Generic callback to log qmp errors before (optionally)
raising an exception '''
print(cls)
for line in msg.split('\n'):
print(line)
# raise RuntimeError()
def _error(self,msg,*a):
''' Generic callback to misc errors before (optionally) raising
an exception '''
print(msg.format(*a))
# raise RuntimeError()
def _info(self,msg,*a):
''' Generic callback to log info '''
print(msg.format(*a))
def _monitorJob(self,pid):
''' Block untill script job completes, echo output. Returns
None on failure '''
ret = self.transact('guest-exec-status',{'pid':pid})
if ret is None:
return None
while not bool(ret['exited']):

time.sleep(1)
ret = self.transact('guest-exec-status',{'pid':pid})
if ret is None:
return None
# err-data is never sent

out = []
if 'out-data' in ret.keys():
out = base64.b64decode(ret['out-data']).decode('utf-
8').split('\n')
if not out[-1]:
out = out[:-1]
exitcode = int(ret['exitcode'])
return exitcode, out
def putFile(self,src,dst):
''' Upload file '''
src = os.path.expanduser(src)
if not os.path.exists(src) or not os.path.isfile(src):
self._error('File does not exist: \'{}\'', src)
return None
ret = self.transact('guest-file-open', {'path':dst,'mode':'w'})

if ret is None:
return None
handle = int(ret)
file = open(src, 'rb')

for chunk in iter(lambda : file.read(self.__chunkSize), b''):
count = len(chunk)
chunk = base64.b64encode(chunk).decode('ascii')
ret = self.transact('guest-file-
write',{'handle':handle,'buf-b64':chunk,'count':count})
if ret is None:
return None
self.transact('guest-file-flush',{'handle':handle})
ret = self.transact('guest-file-close',{'handle':handle})
return True
def getFile(self,src,dst):
''' Download file '''
dst = os.path.expanduser(dst)
ret = self.transact('guest-file-open',{'path':src,'mode':'rb'})
if ret is None:
return None
handle = int(ret)
data = ''
size = 0
while True:
ret = self.transact('guest-file-
read',{'handle':handle,'count':self.__chunkSize})
if ret is None:
return None
data += ret['buf-b64']
size += int(ret['count'])
if bool(ret['eof']):
break
ret = self.transact('guest-file-close',{'handle':handle})
data = base64.b64decode(data.encode('ascii'))
with open(dst,'wb') as f:
f.write(data)
return True
def runFile(self,fileName):
''' Execute file (on guest) as script '''
ret = self.transact('guest-exec',{'path':fileName, 'capture-
output':True})
if ret is None:
return None
pid = ret['pid']
return self._monitorJob(pid)
def runSource(self,cmd):
''' Execute script '''
if isinstance(cmd,list):
cmd = '\n'.join(cmd)
cmd += '\n'
cmd = base64.b64encode(cmd.encode('utf-8')).decode('ascii')
ret = self.transact('guest-exec',{'input-data':cmd, 'capture-

output':True})
if ret is None:
return None
pid = ret['pid']
return self._monitorJob(pid)
def shutdown(self,mode='powerdown'):
'''
Execut shutdown command
mode == 'reboot' - reboot guest
mode == 'shutdown' or mode == 'halt' - shutdown guest
'''
ret = self.transact('guest-shutdown',{'mode':mode})
return ret
class SocketAgent(GuestAgent):
'''
GuestAgent using unix/tcp sockets for communication.
'''
def __init__(self):
GuestAgent.__init__(self,chunkSize= 32 * 65536)
@staticmethod
def unix(dev):
''' Connect using unix socket '''
self = SocketAgent()
self.__af = socket.AF_UNIX
self.__args = dev
self.__wait = False
return self
@staticmethod
def tcp(ip,port,wait = True):
''' Connect using tcp socket '''
self = SocketAgent()
self.__af = socket.AF_INET
self.__args = (ip,port)
self.__wait = wait
return self
def __enter__(self):
self._sock = socket.socket(self.__af, socket.SOCK_STREAM)
if self.__wait:
self._info('Waiting for guest ...')
# Wait for hyper to create channel
while True:
try:
self._sock.connect(self.__args)
break
except socket.error as e:
if e.errno == errno.EHOSTUNREACH or e.errno ==
errno.ECONNREFUSED:
time.sleep(1)
else:
self._sock.close()
raise
#Wait for guest agent to initialize and sync

while True:
import random
key = random.randint(0, 0xffffffff)
msg = json.dumps({'execute':'guest-sync-
delimited','arguments':{'id':key}},separators=(',',':'),sort_keys=True)
self._sock.send(msg.encode('ascii'))
self._sock.setblocking(0)
response = b''
if (select.select([self._sock],[],[])[0]):
response += self._sock.recv(65536)
else:
raise RuntimeError()
sentinel = b'\xff'
response = response.split(sentinel)[-1]
if not response:
time.sleep(3)
continue
response = json.loads(response.decode('utf-8').strip())
if 'return' in response.keys():
if int(response['return']) == key:
break
time.sleep(3)
else:
self._sock.connect(self.__args)
return self
def __exit__(self,*a):
self._sock.close()
def transact(self,cmd,args={}):
''' Exchange a single command with guest agent '''
timeout = 2
msg =
json.dumps({'execute':cmd,'arguments':args},separators=(',',':'),sort_k
eys=True)
self._sock.send(msg.encode('ascii'))
response = b''
if (select.select([self._sock],[],[],timeout)[0]):
response += self._sock.recv(65536)
if not response:
response = None
else:
if response[0] == 255: # sync
response = response[1:]
response = json.loads(response.decode('utf-8').strip())
if 'error' in response.keys():
self._qmpError(response['error']['class'],response['error']['desc'])
response = None
elif 'return' in response:
response = response['return']
return response
#----------------------------------------------------------------------
---------
if __name__ == '__main__':
script = [':log info "hello world";']
ip = '192.168.0.1'
port = 1234
# can also use unix sockets
#with SocketAgent.unix('/dev/something') as agent:
with SocketAgent.tcp(ip, port) as agent:

ret,out = agent.runSource(script)
print('ret = {}'.format(ret))
for line in out:
print(line)
Manual:Default Configurations
Applies to RouterOS:v5, v6+
Contents
[hide]
 1Overview
 2CPE Router
 3LTE CPE AP router
 4AP Router
 5PTP Bridge
 6WISP Bridge
 7Switch
 8IP Only
 9CAP
Overview
All RouterBOARDs from factory come with default configuration. There are several different
configurations depending on board type:
 CPE Router;
 LTE CPE AP router;
 AP Router (single or dual band);
 PTP Bridge (AP or CPE);
 WISP Bridge (AP in ap_bridge mode);
 Switch;
 IP Only;
 CAP.
You can run command /system default-configuration print to see exact applied default
configuration commands.
CPE Router
In this type of configurations router is configured as wireless client device. WAN interface
is Wireless interface. WAN port has configured DHCP client, is protected by IP firewall and MAC
discovery/connection is disabled.
List of routers using this type of configuration:
 RB 711,911,912,921,922 - with level3 license

 SXT
 QRT
 SEXTANT
 LHG
 LDF
 DISC
 Groove
 Metal
LTE CPE AP router

This configuration type is applied to routers that has both LTE and wireless interfaces. LTE interface is
considered a WAN port protected by firewall and MAC discovery/connection disabled. IP address on
WAN port is acquired automatically. Wireless is configured as access point and bridged with all
available Ethernet ports.
 wAP LTE Kit

 SXT LTE
AP Router
This type of configuration is applied to home access point routers to be used straight out of the box
without additional configuration (except router passwords and wireless keys)
First Ethernet is always configured as WAN port (protected by firewall, enabled DHCP client and
disabled MAC connection/discovery). Other Ethernet ports and wireless interfaces are added to local
LAN bridge with 192.168.88.1/24 address set and configured DHCP server. In case of dual band routers,
one wireless is configured as 5 GHz access point and other as 2.4 GHz access point.
 RB 450,751,850,951,953,2011,3011
 hEX,PowerBox
 mAP
 wAP,wAP R (without LTE card)
 hAP
 OmniTIK
 CRS series with wireless interface
PTP Bridge
Bridged ethernet with wireless interface. Default IP address 192.168.88.1/24 is set on the bridge
interface. There are two possible options - as CPE and as AP. For CPE wireless interface is set in
"station-bridge" mode, for AP "bridge" mode is used.
 DynaDish - as CPE
 Wireless Wire kit
 wAP 60G - with level3 license
WISP Bridge
Configuration is the same as PTP Bridge in AP mode, except that wireless mode is set to ap_bridge for
PTMP setups. Router can be accessed directly using MAC address. If device is connected to the network
with enabled DHCP server, configured DHCP client configured on the bridge interface will get the IP
address, that can be used to access the router.
 RB 911,912,921,922 - with Level4 license

 cAP
 Groove A, Metal A, RB 711 A
 BaseBox, NetBox
 mANTBox, NetMetal
 wAP 60G AP - with level4 license
Switch
This configuration utilizes switch chip features to configure dumb switch. All ethernet ports are added to
switch group and default IP address 192.168.88.1/24 is set on master port.
 FiberBox
 CRS without wireless interface
IP Only
When no specific configuration is found, IP address 192.168.88.1/24 is set on ether1, or combo1, or
sfp1.
 RB 411,433,435,493,800,M11,M33,1100
 CCR
CAP
This type of configuration is used when device need to be used as wireless client device controlled by
CAPsMAN.
When CAP default configuration is loaded, ether1 is considered a management port with DHCP client
configured. All other Ethernet interfaces are bridged and wlan1 is set to be managed by CAPsMAN.
To load CAP configuration refer to Reset Button manual.

Categories:
 Manual
 Routerboard
 Basic
 Install
Navigation menu
 Log in
 Manual
 Discussion
 Read
 View source
 View history
Search
Go
 Main Page
 Recent changes
Tools
 What links here
 Related changes
 Special pages
 Printable version
 Permanent link
 Page information
 This page was last edited on 31 January 2018, at 14:25.
 Privacy policy
 About MikroTik Wiki
 Disclaimers
Manual:System/Packages
< Manual:System
Contents
[hide]
 1Summary
 2Acquiring packages
 3RouterOS packages
 4Working with packages
 5Examples
o 5.1List available packages
o 5.2Uninstall package
o 5.3Disable package
o 5.4Downgrade
o 5.5Cancel uninstall or disable action
Summary
RouterOS supports a lot of different features and since every installation requires specific set
of features supprted it is possible to add or remove certain groups of features using package
system. As result user is able to control what features are available and size of installation.
Packages are provided only by MikroTik and no 3rd parties are allowed to make them.
Acquiring packages
Packages can be downloaded from MikroTik download page or mirrors listed on that page.
Either of provided download methods can be used.
RouterOS packages
For a simple home router, only the system package is needed for basic operation. Other
packages are optional. The DHCP package might be the next most important, if your ISP
provides IP addresses using this method. PPP is needed if you require PPPoE or PPTP for
connectivity. Other packages are not required for a home router, and are completely optional.
Install them only if you are sure of their purpose.
Package Features
advanced- Advanced ping tools (flood-ping, ping-speed), Netwatch, ip-scan, SMS tool, Wake-
tools (mipsle, on-LAN
mipsbe, ppc, x86,
mmips, arm)
calea (mipsle, Data gathering tool for specific use due to "Communications Assistance for Law
mipsbe, ppc, x86, Enforcement Act" in USA
mmips, arm)
dhcp (mipsle, Dynamic Host Control Protocol client and server

mipsbe, ppc, x86,
mmips, arm)
gps (mipsle, Global Positioning System devices support

mipsbe, ppc, x86,
mmips, arm)
hotspot (mipsle, HotSpot captive portal server for user management

mipsbe, ppc, x86,
mmips, arm)
ipv6 (mipsle, IPv6 addressing support

mipsbe, ppc, x86,
mmips, arm)
mpls (mipsle, Multi Protocol Labels Switching support
mipsbe, ppc, x86,
mmips, arm)
multicast (mipsle, Protocol Independent Multicast - Sparse Mode; Internet Group Managing Protoco
mipsbe, ppc, x86, l - Proxy
mmips, arm)
ntp (mipsle, Network protocol server, also includes simplistic client. NTP client is also built into
mipsbe, ppc, x86, the system package and functions well without this package installed.
mmips, arm)
openflow (mipsle, Enables OpenFlow support

mipsbe, ppc, x86,
mmips, arm)
ppp (mipsle, MlPPP client, PPP, PPTP, L2TP, PPPoE, ISDN PPP clients and servers
mipsbe, ppc, x86,
mmips, arm)
routerboard (mips accessing and managing RouterBOOT. RouterBOARD specific imformation.

le, mipsbe, ppc,
x86, mmips, arm)
routing (mipsle, dynamic routing protocols like RIP, BGP, OSPF and routing utilities like BFD, filters
mipsbe, ppc, x86, for routes.
mmips, arm)
security (mipsle, IPSEC, SSH, Secure WinBox

mipsbe, ppc, x86,
mmips, arm)
system (mipsle, basic router features like static routing, ip addresses, sNTP, telnet, API,
mipsbe, ppc, x86, queues, firewall, web proxy, DNS cache, TFTP, IP pool, SNMP, packet sniffer, e-
mmips, arm) mail send tool, graphing, bandwidth-test,
torch, EoIP, IPIP, bridging, VLAN, VRRP etc.). Also, for RouterBOARD platform
- MetaROUTER | Virtualization
ups (mipsle, APC ups management interface

mipsbe, ppc, x86,
mmips, arm)
user- MikroTik User Manager server for controlling Hotspot and other service users.
manager (mipsle,
mipsbe, ppc, x86,
mmips, arm)
wireless (mipsle, wireless interface support. Sometimes sub-types are released, for
mipsbe, ppc, x86, example wireless-fp introduced FastPath support, wireless-cm2 introduced
mmips, arm) CAPsMAN v2 and wireless-rep introduced Repeater mode. These packages are
occasionally released separately, before the new features get merged into the
main wireless package.
arlan (x86) legacy Aironet Arlan support
isdn (x86) ISDN modem support
lcd (x86) LCD panel support for serial/parallel port devices. Not needed for RouterBOARD
LCD panels.
radiolan (x86) RadioLan cards support
synchronous (x86) FarSync support
xen ( discontinued XEN Virtualization

x86)
kvm (x86) KVM Virtualization
routeros- combined package for mipsle (RB100, RB500) (includes system, hotspot, wireless,
mipsle (mipsle) ppp, security, mpls, advanced-tools, dhcp, routerboard, ipv6, routing)
routeros- combined package for smips (hAP mini, hAP lite) (includes system, hotspot,
smips (smips) wireless, ppp, security, mpls, advanced-tools, dhcp, routerboard, ipv6, routing)
routeros- combined package for mipsbe (RB400) (includes system, hotspot, wireless, ppp,
mipsbe (mipsbe) security, mpls, advanced-tools, dhcp, routerboard, ipv6, routing)
routeros- combined package for powerpc (RB300, RB600, RB1000) (includes system,
powerpc (ppc) hotspot, wireless, ppp, security, mpls, advanced-tools, dhcp, routerboard, ipv6,
routing)
routeros-x86 (x86) combined package for x86 (Intel/AMD PC, RB230) (includes system, hotspot,
wireless, ppp, security, mpls, advanced-tools, dhcp, routerboard, ipv6, routing)
routeros- combined package for multicore mips (Mxx, RB750v3) (includes system, hotspot,
mmips (mmips) wireless, ppp, security, mpls, advanced-tools, dhcp, routerboard, ipv6, routing)
routeros- combined package for arm (cAP ac, hAP ac², CRS3xx, RB3011, RB1100AHx4, etc)
arm (arm) (includes system, hotspot, wireless, ppp, security, mpls, advanced-tools, dhcp,
routerboard, ipv6, routing)
Working with packages

Menu: /system package
Commands executed in this menu will take place only on restart of the router. Until then, user
can freely schedule or revert set actions.
Command Desciption
disable schedule the package to be disabled after the next reboot. No features provided by the
package will be accessible
downgrade will prompt for the reboot. During the reboot process will try to downgrade the
RouterOS to the oldest version possible by checking the packages that are uploaded to
the router.
print outputs information about the packages, like: version, package state, planned state
changes etc.
enable schedule package to be enabled after the next reboot
uninstall schedule package to be removed from the router. That will take place during the reboot.
unschedule remove scheduled task for the package.
Examples
Upgrade process is described here.
List available packages
/system package print

Flags: X - disabled
# NAME VERSION SCHEDULED
0 X ipv6 3.13
1 system 3.13
2 X mpls 3.13
3 X hotspot 3.13
4 routing 3.13
5 wireless 3.13
6 X dhcp 3.13
7 routerboard 3.13
8 routeros-mipsle 3.13
9 security 3.13
10 X ppp 3.13
11 advanced-tools 3.13
Uninstall package
Schedules package for uninstallation and reboots router.
/system package uninstall ppp; /system reboot;

Reboot, yes? [y/N]:
Disable package
/system package disable hotspot; /system reboot;

Reboot, yes? [y/N]:
Downgrade
/system package downgrade; /system reboot;

Reboot, yes? [y/N]:
Cancel uninstall or disable action
/system package unschedule ipv6
Manual:Upgrading RouterOS
It is suggested to always keep your RouterOS installation up to date, MikroTik always keeps
adding new functionality and improving performance and stability by releasing updates.
Contents
[hide]
 1Automatic upgrade
 2RouterOS version release chains
 3Manual upgrade methods
 4Upgrade process
o 4.1Using Winbox
o 4.2Using FTP
 5RouterOS massive auto-upgrade
o 5.1RouterOS auto-upgrade
o 5.2The Dude auto-upgrade
o 5.3The Dude hierarchical upgrade
 6License issues
 7Version numbering
 8Suggestions
Automatic upgrade
The automatic upgrade feature connects to the MikroTik download servers, and checks if there
is a new RouterOS version for your device. If yes, a changelog is displayed, and Upgrade
button is shown. Clicking the upgrade button, software packages are automatically
downloaded, and device will be rebooted. Even if you have a custom set of packages installed,
only the correct packages will be downloaded.
Note: If you are running v5.25 or older, the system will only auto-upgrade to the most recent
version of the v5 major version release and not up to v6.20. Manual upgrade is needed in this
case.
Upgrade button in QuickSet:
Upgrade button in the Packages menu:

After clicking the Upgrade button, Changelog is shown:
By clicking "Download & Upgrade", downloads will start, and router will reboot. After the reboot,
your router will be running the latest RouterOS version. You can then click the Upgrade button
again, to confirm that your router is running the latest RouterOS.
RouterOS version release chains

When upgrading RouterOS, you can choose a release chain from which to install the new
packages. For mission critical installations, bugfixes-only release chain is suggested, as it
does not include freshly added new features and is kept for a long time on the download page,
with only critical fixes applied to it.
 Bugfixed-only version is the most stable release without new features, just most important
fixes. Updated rarely, only when a critical issue is found in a bugfixes-only release.
 Current includes the same fixes plus improvements and new features. Once a current
release has been tested for several months, it is promoted to bugfix-only and is no longer
updated with features.
 Release candidate released a few times per week. Includes newest features, released
without intensive testing. Not recommended for production.
Manual upgrade methods

You can upgrade RouterOS in the following ways:
 Winbox – drag and drop files to the Files menu

 FTP - upload files to root directory
 The Dude – See manual here
Note: RouterOS cannot be upgraded through serial cable. Using this method
only RouterBOOT can be upgraded.
Upgrade process
 First step - visit www.mikrotik.com and head to the download page, there choose the type
of system you have the RouterOS installed on.
 Download the Combined package, it will include all the functionality of RouterOS:
Using Winbox
Choose your system type, and download the upgrade package:
Connect to your router with Winbox, Select the downloaded file with your mouse, and drag it to
the Files menu. If there are some files already present, make sure to put the package in
the root menu, not inside the hotspot folder!:
The upload will start:
After it finishes - REBOOT and that's all! The New version number will be seen in the
Winbox Title and in the Packages menu
Using FTP
 Open your favourite FTP program (in this case it is Filezilla), select the package and
upload it to your router (demo2.mt.lv is the address of my router in this example). note that
in the image I'm uploading many packages, but in your case - you will have one file that
contains them all
 if you wish, you can check if the file is successfully transferred onto the router (optional):
[normis@Demo_v2.9] > file print

# NAME TYPE SIZE CREATION-
TIME
0 supout.rif .rif file 285942 nov/24/2005
15:21:54
1 dhcp-2.9.8.npk package 138846 nov/29/2005
09:55:42
2 ppp-2.9.8.npk package 328636 nov/29/2005
09:55:43
3 advanced-tools-2.9.... package 142820 nov/29/2005
09:55:42
4 web-proxy-2.9.8.npk package 377837 nov/29/2005
09:55:43
5 wireless-2.9.8.npk package 534052 nov/29/2005
09:55:43
6 routerboard-2.9.8.npk package 192628 nov/29/2005
09:55:45
7 system-2.9.8.npk package 5826498 nov/29/2005
09:55:54
 and reboot your router for the upgrade process to begin:
[normis@Demo_v2.9] > system reboot

Reboot, yes? [y/N]: y
 after the reboot, your router will be up to date, you can check it in this menu:
/system package print
 if your router did not upgrade correctly, make sure you check the log
/log print without-paging
RouterOS massive auto-upgrade

You can upgrade multiple MikroTik routers within few clicks. Let's have a look on simple
network with 3 routers (the same method works on networks with infinite numbers of routers),
RouterOS auto-upgrade
Sub-menu: /system package update
RouterOS version 6 has new auto upgrade option. RouterOS checks amazon servers for
information if new version is available and upgrades after upgrade command is executed. You
can automate the upgrade process by running a script in the scheduler:
After v6.31:
/system package update

check-for-updates once
:delay 1s;
:if ( [get status] = "New version is available") do={ install }
Older options
Until v6.31:
/system package update

check-for-updates
:delay 1s;
:if ( [get current-version] != [get latest-version]) do={ upgrade }
RouterOS can download software packages from a remote MikroTik router.

 Make one router as network upgrade central point, that will update MikroTik RouterOS on
other routers.
 Upload necessary RouterOS packages to this router (in the example, mipsbe for RB751U
and powerpc for RB1100AHx2).
 Add upgrade router (192.168.100.1) information to a router that you want to update
(192.168.100.253), required settings IP address/Username/Password
 Click on Refresh to see available packages, download newest packages and reboot the
router to finalize the upgrade.
The Dude auto-upgrade
Dude application can help you to upgrade entire RouterOS network with one click per router.
 Set type RouterOS and correct password for any device on your Dude map, that you want
to upgrade automatically,
 Upload required RouterOS packages to Dude files,
 Upgrade RouterOS version on devices from RouterOS list. Upgrade process is automatic,
after click on upgrade (or force upgrade), package will be uploaded and router will be
rebooted by the Dude automatically.
The Dude hierarchical upgrade
For complicated networks, when routers are connected sequentially, the simplest example is
1router-2router-3router connection. You might get an issue, 2router will go to reboot before
packages are uploaded to the 3router. The solution is Dude groups, the feature allows to group
routers and upgrade all of them by one click!
 Select group and click Upgrade (or Force Upgrade),
License issues
When upgrading from older versions, there could be issues with your license key. Possible
scenarios:
 When upgrading from RouterOS v2.8 or older, the system might complain about expired
upgrade time. To override this, use Netinstall to upgrade. Netinstall will ignore old license
restriction and will upgrade
 When upgrading to RouterOS v4 or newer, the system will ask you to update license to a
new format. To do this, ensure your Winbox PC (not the router) has a working internet
connection without any restrictions to reach www.mikrotik.com and click "update license" in
the license menu.
Version numbering
RouterOS versions are numbered sequentially, when a period is used to separate sequences,
it does not represent a decimal point, and the sequences do not have positional significance.
An identifier of 2.5, for instance, is not "two and a half" or "half way to version three", it is the
fifth second-level revision of the second first-level revision. Therefore v5.2 is older than v5.18,
which is newer.
Suggestions
When using a RouterBOARD device, it is always suggested to upgrade it's RouterBOOT
bootloader after RouterOS is upgraded. To do this, issue the command "/system routerboard
upgrade"
anual:CD Install
Contents
[hide]
 1CD Install Description

 2CD Install Requirements
o 2.1Router
o 2.2Additional PC
 3CD Install Example
o 3.1Prepare MikroTik RouterOS CD Installation Disk
o 3.2Router Preconfiguration
o 3.3Package Selection
o 3.4Installation
o 3.5Post Installation procedures
 4Reset RouterOS configuration with CD Intstall
CD Install Description
CD-Install allows to install MikroTik RouterOS to x86 boxes, which do not support Netinstall (all
the RouterBOARDs should be reinstalled with Netinstall).
Note: RouterOS installation will erase all data on your HDD, it will only work as the only
operating system in your PC. Remove any drives that you don't want to be erased
CD Install Requirements
Router

 x86 box with hard drive
 CD-ROM
Additional PC

 CD-ROM
 CD burning application
 MikroTik RouterOS CD installation ISO image
CD Install Example
Prepare MikroTik RouterOS CD Installation Disk
1. Download CD installation Image from MikroTik download page,
2. Burn ISO image to disk, you need PC with CD-ROM and application to write ISO files to CD.
For Linux (the latest Ubuntu release) you can use built-in application. Mouse right-click on
the .iso file and specify 'Write to Disk'. You got MikroTik RouterOS installation disk after
process is finished.
Router Preconfiguration
3. Switch on the x86 box, where you want to install MikroTik RouterOS, it should be with CD-
ROM as well. Put MikroTik RouterOS installation disk to CD-ROM and set to boot from CD-
ROM in BIOS settings,
4. x86 will boot from MikroTik RouterOS installation disk and should offer you to select the
RouterOS Packages to install,
Package Selection
5. Select the packages you want to install, it is possible to select all packages with a or
minimum with m, then Press i to install the RouterOS.
Installation
6. If you have previous installation of the RouterOS and want to reset the configuration, then
answer no for the question 'Do you want to keep old configuration ?' and click y to proceed,
7. You will the process of the packages installation. Router will ask for the reboot after
installation is finished,
Post Installation procedures

8. MikroTik RouterOS is successfully installed, do not forget to eject CD installation disk and
set PC to boot from Hard Drive,
9. MikroTik RouterOS is booted and you are ready to login. Default login is admin without any
password,
10. The last of the installation to license the router, use the software-id to purchase
the license,
Reset RouterOS configuration with CD Intstall

To reset the RouterOS configuration with CD Install, follow the procedure and on the step 6,
set no for the answer 'Do you want to keep old configuration ?'.
Manual:Netinstall
Contents
[hide]
 1Introduction
 2How to use Netinstall
 3Properties
Introduction
Netinstall is a tool designed for Windows operating systems to reinstall MikroTik devices
running RouterOS (except for non-MikroTik x86 devices). Netinstall re-formats the device's
disk and copies over fresh files on to the system's disk, this can solve multiple issues when
your device is not working properly. Always try using Netinstall if you suspect that your device
is not working properly.
Warning: Netinstall re-formats the system's drive, all configuration and saved files will be lost.
Netinstall does not erase the RouterOS license key, nor does it reset RouterBOOT related
settings, for example, CPU frequency is not changed after reinstalling the device.
How to use Netinstall

 Download Netinstall from our downloads page.
Note: You must choose a version for the Netinstall. If you are not sure, then you can always
select the version that is marked as Current.
 Download RouterOS Main package from our downloads page.
Note: You must choose a RouterOS version. You can always select the version that is marked
as Current. You must also select the architecture (ARM, MIPS, SMIPS, TILE, etc...), but if you
are not sure, then you can download the RouterOS package for ALL architectures, Netinstall
will choose the right architecture for you.
 Disconnect your computer from WiFi, Ethernet, LTE or any other type of connections!
Warning: Netinstall will only work on one active interface on your computer, it is highly
recommended that you disconnect any other network interfaces in order to be sure that
Netinstall will select the right network interface.
 Configure a static IP address for your Ethernet interface, open Start and select Settings:
Note: Netinstall can run also on a local network, in such case you could skip setting a static IP
address, but it is highly recommended that you set a static IP address if you are not familiar
with Netinstall.
 Open Network & Internet
 Select Change adapter options

 Right click on your Ethernet interface and select Properties
 Select Internet Protocol Version 4 (TCP/IPv4) and click Properties
 Check Use the following IP address and fill out the fields as shown in the image below
Note: It you have a working router, then you can use it and skip the setting up a static IP part
of this tutorial, but it requires for you to know your LAN address since you will need to specify
an unused IP address in your network for the Network boot server. For this reason it is
recommended to apply a static IP address and follow this guide precisely, if you are not sure
how to get these parameters out of your network.
 Open your Downloads folder (or wherever you saved the downloaded files) and extract
the Netinstall .zip file to a convenient place
 Extract the files
 Run Netinstall.exe
Note: If you followed the guide precisely, then you should not have any Internet connection on
your computer, Windows 10 wants to verify all apps that it runs, but will not be able to do it
since lack of the Internet connection, for this reason a warning might pop up, you should
click Run.
Warning: Netinstall requires administrator rights, there should be a window asking for
permissions to run Netinstall, you must accept these permissions in order for Netinstall to work
properly.
 Allow access for Netinstall in Public networks

 Configure Net booting settings and fill out the required fields as shown in the image below
 Connect your device to your computer using an Ethernet cable directly (without any other
devices in-between), plug the Ethernet cable into your device's Etherboot port. Most
commonly, RouterBOARD devices are able to use Netinstall from their first port (Ether1),
or from the port marked with "BOOT".
 Power up your device and put it into Etherboot mode

Note: There are multiple ways how to put your device into Etherboot mode. Make sure you
read the Etherboot manual before trying to put the device into this mode. Methods vary
between different MikroTik devices.
 Wait for the device to show up in Netinstall, select it and press Browse...
Note: If the device does not show up in this window, then you can try closing the Netinstall
application and opening it up again or try to put the device into Etherboot mode again.
 Navigate to your Downloads folder (or wherever you saved your RouterOS packages) and
press OK
 Select your desired RouterOS version and press Install
Note: If you downloaded RouterOS packages for multiple architectures, then Netinstall will only
show the appropriate architecture packages for your device after you have selected it. All
unsupported packages will not show up in this window after you have selected a device.
 Wait for the installation to finish and press "Reboot"
Note: If the installation does not start (progress bar is not moving or no status is shown), then
you can try closing the Netinstall application and opening it up again or try to put the device
into Etherboot mode again.
 You are done! Remove the device from power, remove the Ethernet cable, place the
device back in your network and your device should be running properly now!
Note: After using Netinstall the device will be reset to defaults (unless you specified not to
apply default configuration). Some devices are not accessible through ether1 port with the
default configuration for security reasons. Read more about Default configuration.
Properties
Property
Routers/Drives list of system drives on which RouterO
drive, the drive is going to be formatte
Make floppy used to create a bootable 1.44" floppy
Net booting (yes | no; Default: no) Used to enable PXE booting on your n
properly.
Install/Cancel After selecting the router or drive and
SoftID (Ready-only) The Software-ID that belongs to the ro
Key (use previous key | browse | get key; Default: use previous key) Specify the licence key for your Route
does not have a license) by selecting B
selecting Get key, or leave it blank t
Flashfig Launches the Flashfig utility, which ca
Keep old configuration (yes | no; Default: no) Keeps the configuration that was on th
IP address/Netmask (IP address/Netmask; Default: ) If set, then Netinstall will apply the sp
Gateway (IP address; Default: ) If set, then Netinstall will apply the sp
Baud rate (integer; Default: 115200) If set, then Netinstall will apply the sp
Apply default config (yes | no; Default: no) Applies default configuration on the d
set, then the default configuration will
Configure script (yes | no; Default: no) If set, then Netinstall will apply a custo
the export command. The configuratio
the default configuration. Resetting the
selecting Apply default config
Manual:Configuration Management
Applies to RouterOS:ALL
Contents
[hide]
 1Summary
 2Description
 3System Backup
o 3.1Description
o 3.2Encryption
o 3.3Example
 4Exporting Configuration
o 4.1Command Description
o 4.2Example
o 4.3Compact Export
 5Importing Configuration
o 5.2Automatic Import
o 5.3Example
 6Configuration Reset
o 6.1Description
o 6.3Example
 7Import troubleshooting
o 7.1Configuration parts to watch out for in exported .rsc files
o 7.2Startup delay
Summary
This manual introduces you with commands which are used to perform the following functions:
 system backup;
 system restore from a backup;
 configuration export;
 configuration import;
 system configuration reset.
Description
The configuration backup can be used for backing up MikroTik RouterOS configuration to a
binary file, which can be stored on the router or downloaded from it using FTP for future use.
The configuration restore can be used for restoring the router's configuration, exactly as it was
at the backup creation moment, from a backup file. The restoration procedure assumes the
cofiguration is restored on the same router, where the backup file was originally created, so it
will create partially broken configuration if the hardware has been changed.
The configuration export can be used for dumping out complete or partial MikroTik RouterOS
configuration to the console screen or to a text (script) file, which can be downloaded from the
router using FTP protocol. The configuration dumped is actually a batch of commands that add
(without removing the existing configuration) the selected configuration to a router. The
configuration import facility executes a batch of console commands from a script file.
System reset command is used to erase all configuration on the router. Before doing that, it
might be useful to backup the router's configuration.
System Backup
Submenu level: /system backup
Description
The backup save command is used to store the entire router configuration in a backup file.
The file is shown in the /file submenu. It can be downloaded via ftp to keep it as a backup for
your configuration.
Important! The backup file contains sensitive information, do not store your backup files inside
the router's Files directory, instead, download them, and keep them in a secure location.
Warning: If TheDude and user-manager is installed on the router then backup will not take
care of configuration used by these tools. Therefore additional care should be taken to save
configuration from these. Use provided tool mechanisms to save/export configuration if you
want to save it.
To restore the system configuration, for example, after a /system reset-configuration, it is

possible to upload that file via ftp and load that backup file using load command in /system
backup submenu.
Since RouterOS v6.13 it is possible to encrypt the backup files with RC4.
Command Description
 load name=[filename] - Load configuration backup from a file

 save name=[filename] - Save configuration backup to a file (when no name is provided,
default name will be used, and previous file will be overwritten)
 dont-encrypt - tells the system to not use any encryption and make the file readable in
text editors (DANGEROUS)
 password - when not specified, current user password will be asked when restoring the
file. when specified - this password will be asked instead.
Encryption
Since RouterOS v6.13 the backup file is encrypted by default, if the current RouterOS user has
a password configured, or if the "password" parameter is used. If your RouterOS user doesn't
have a password set (for example admin and no password) then backup file is not encrypted,
to enable encryption in this case, use the "password" parameter.
Notice that it is useless to set password, if you will use the "dont-encrypt=yes" parameter, the
password can only be used with encrypted files.
Example
To save the router configuration to file test:
[admin@MikroTik] system backup> save name=test

Configuration backup saved
[admin@MikroTik] system backup>
To see the files stored on the router:
[admin@MikroTik] > file print

TIME
0 test.backup backup 12567 sep/08/2004
21:07:50
[admin@MikroTik] >
To load the saved backup file test:

[admin@MikroTik] > system backup load name=test
Restore and reboot? [y/N]:
y
Restoring system configuration
System configuration restored, rebooting now
Exporting Configuration
Command name: /export
The export command prints a script that can be used to restore configuration. The command
can be invoked at any menu level, and it acts for that menu level and all menu levels below it.
The output can be saved into a file, available for download using FTP.
Command Description
 file=[filename] - saves the export to a file

Example
[admin@MikroTik] > ip address print

Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.1.0.172/24 10.1.0.0 10.1.0.255 bridge1
1 10.5.1.1/24 10.5.1.0 10.5.1.255 ether1
[admin@MikroTik] >
To make an export file:
[admin@MikroTik] ip address> export file=address

[admin@MikroTik] ip address>
To see the files stored on the router:
[admin@MikroTik] > file print

TIME
0 address.rsc script 315 dec/23/2003
13:21:48
[admin@MikroTik] >
Compact Export
Starting from v5.12 compact export was added. It allows to export only part of configuration
that is not default RouterOS config.
Note: Starting from v6rc1 "export compact" is default behavior. To do old style export
use export verbose
For example compact OSPF export:
[admin@SXT-ST] /routing ospf> export compact

# jan/02/1970 20:16:32 by RouterOS 5.12
# software id = JRB7-9UGC
#
/routing ospf instance
set [ find default=yes ] redistribute-connected=as-type-1
/routing ospf interface
add disabled=yes interface=wlan1 network-type=point-to-point
/routing ospf network
add area=backbone network=10.255.255.36/32
add area=backbone disabled=yes network=10.5.101.0/24
add area=backbone network=10.10.10.0/24
[admin@SXT-ST] /routing ospf>
Compact export introduces another feature that indicates which part of config is default on
RouterOS and cannot be deleted. As in example below '*' indicates that this OSPF instance is
part of default configuration.
[admin@SXT-ST] /routing ospf instance> print

Flags: X - disabled, * - default
0 * name="default" router-id=0.0.0.0 distribute-default=never
redistribute-connected=as-type-1 redistribute-static=no
redistribute-rip=no redistribute-bgp=no redistribute-other-
ospf=no
metric-default=1 metric-connected=20 metric-static=20 metric-
rip=20
metric-bgp=auto metric-other-ospf=auto in-filter=ospf-in
out-filter=ospf-out
List of default config by menus that cannot be removed:

Menu
/interface wireless security-profiles default
/ppp profile "default", "default-encryption"
/ip hotspot profile "default"
/ip hotspot user profile "default"
/ip ipsec proposal "default"
/ip smb shares "pub"
/ip smb users "guest"
/ipv6 nd "all"
/mpls interface "all"
/routing bfd interface "all"
/routing bgp instance "default"
/routing ospf instance "default"
/routing ospf area "backbone"
/routing ospf-v3 instance "default"
/routing ospf-v3 area "backbone"
/snmp community "public"
/tool mac-server mac-winbox "all"
/tool mac-server "all"
/system logging "info", "error", "warning", "critical"
/system logging action "memory", "disk", "echo", "remote"
/queue type "default", "ethernet-default", "wireless-default", "synchron

Importing Configuration
Command name: /import
The root level command /import [file_name] executes a script stored in the specified file. It will
add the configuration from the specified file to an existing configuration. This file may contain
any console commands, including scripts. Can be used to restore configuration or parts of it
after configuration loss.
Command Description
 file=[filename] - loads the exported configuration from a file to router

Automatic Import
In RouterOS it is possible to automatically execute scripts - your script file has to be named
anything.auto.rsc - once this file is uploaded using FTP to the router, it will automatically be
executed, just like with the '/import' command. This method only works with FTP.
Once the file is uploaded, it is automatically executed. Information about the success of the
commands that were executed is written to anything.auto.log
Example
To load the saved export file use the following command:
[admin@MikroTik] > import address.rsc

Opening script file address.rsc
Script file loaded and executed successfully

[admin@MikroTik] >
Configuration Reset
Command name: /system reset-configuration
Description
The command clears all configuration of the router and sets it to the default including the login
name and password ('admin' and no password), IP addresses and other configuration is
erased, interfaces will become disabled. After the reset command router will reboot. The
default is either the factory default, that you can see in the article Default configurations, or it
can be a custom default, that can be loaded by including an RSC file when doing Netinstall or if
specified with a branding package.
Command Description
 keep-users: keeps router users and passwords

 no-defaults: doesn't load any default cofigurations, just clears everything
 skip-backup: automatic backup is not created before reset, when yes is specified
 run-after-reset: specify export file name to run after reset
Warning: Warning: If the device has a folder named "flash", then the confscript.rsc file
must be stored in that folder to work with "run-after-reset" command. Everything
outside this folder is stored on the RAM drive which contents are deleted on reboot or
power cycle.
Warning: If the router has been installed using netinstall and had a script specified as the
initial configuration, the reset command executes this script after purging the configuration. To
stop it doing so, you will have to reinstall the router.
Example
[admin@MikroTik] > system reset-configuration

Dangerous! Reset anyway? [y/N]: n
action cancelled
[admin@MikroTik] >
Import troubleshooting
Configuration parts to watch out for in exported .rsc files
Things that should be removed from export files that were created with: "/export", before
attempting import on new device.
 Interface renaming that is in conflict with default ethernet naming scheme.
/interface ethernet
set [ find default-name=ether5 ] auto-negotiation=no name=ether1-
gateway
set [ find default-name=ether6 ] name=ether2
 In older version exports default entries might show with "add" instead of "set" command.
That should be edited before import to avoid errors.
 Check if interface/module: ether/wlan/modem/com/etc count match on new and old device.
If there will some missing that will end up in error during .rsc import.
In case of problematic import, attempt the following:
 Reset the configuration on that device.
 Run import command again with "verbose=yes" argument. It will stop also stop import
process on problem which you already encountered, but will also show place where export
failed. That way showing you place where things need to be edited in .rsc import file
Startup delay
If your configuration relies on interfaces that might not yet have started up upon command
execution, it is suggested to introduce delays, or to monitor until all needed interfaces are
available. This example script allows you to set how many interfaces you are expecting, and
how long to wait until they become available:
{
:local i 0
#Number of interfaces
:local x 10
#Max time to wait
:local t 30
while ($i < $t && [:len [/interface find]] < $x) do={
:put $i
:set $i ($i + 1)
:delay 1
}
if ($i = $t) do={
:log warning message="Could not load all physical interfaces"
} else={
#Rest of your script
}
}
The above script will wait until there are 10 interfaces visible, or 30 seconds. If there are no 10
interfaces in this time, it will put a message in the log. Modify the variables according to your
needs.
Manual:Console
Contents
[hide]
 1Overview
 2Hierarchy
o 2.1Example
 3Item Names and Numbers
o 3.1Item Names
o 3.2Item Numbers
 4Quick Typing
 5General Commands
 6Modes
 7List of keys
o 7.1Built-in Help
o 7.2Safe Mode
o 7.3HotLock Mode
o 7.4Quick Help menu
 8See also
Overview
The console is used for accessing the MikroTik Router's configuration and management
features using text terminals, either remotely using serial port, telnet, SSH or console screen
within Winbox, or directly using monitor and keyboard. The console is also used for writing
scripts. This manual describes the general console operation principles. Please consult the
Scripting Manual on some advanced console commands and on how to write scripts.
Hierarchy
The console allows configuration of the router's settings using text commands. Since there is a
lot of available commands, they are split into groups organized in a way of hierarchical menu
levels. The name of a menu level reflects the configuration information accessible in the
relevant section, eg. /ip hotspot.
Example
For example, you can issue the /ip route print command:
[admin@MikroTik] > ip route print

Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC G GATEWAY DIS
INTE...
0 A S 0.0.0.0/0 r 10.0.3.1 1
bridge1
1 ADC 1.0.1.0/24 1.0.1.1 0
bridge1
2 ADC 1.0.2.0/24 1.0.2.1 0 ether3
3 ADC 10.0.3.0/24 10.0.3.144 0
bridge1
4 ADC 10.10.10.0/24 10.10.10.1 0 wlan1
[admin@MikroTik] >
Instead of typing ip route path before each command, the path can be typed only once to
move into this particular branch of menu hierarchy. Thus, the example above could also be
executed like this:
[admin@MikroTik] > ip route

[admin@MikroTik] ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC G GATEWAY DIS
INTE...
0 A S 0.0.0.0/0 r 10.0.3.1 1
bridge1
1 ADC 1.0.1.0/24 1.0.1.1 0
bridge1
2 ADC 1.0.2.0/24 1.0.2.1 0 ether3
3 ADC 10.0.3.0/24 10.0.3.144 0
bridge1
4 ADC 10.10.10.0/24 10.10.10.1 0 wlan1
[admin@MikroTik] ip route>
Notice that the prompt changes in order to reflect where you are located in the menu hierarchy
at the moment. To move to the top level again, type " / "
[admin@MikroTik] > ip route

[admin@MikroTik] ip route> /
[admin@MikroTik] >
To move up one command level, type " .. "
[admin@MikroTik] ip route> ..
[admin@MikroTik] ip>
You can also use / and .. to execute commands from other menu levels without changing the
current level:
[admin@MikroTik] ip route> /ping 10.0.0.1

10.0.0.1 ping timeout
[admin@MikroTik] ip firewall nat> .. service-port print
Flags: X - disabled, I - invalid
# NAME
PORTS
0 ftp
21
1 tftp
69
2 irc
6667
3 h323
4 sip
5 pptp
[admin@MikroTik] ip firewall nat>
Item Names and Numbers

Many of the command levels operate with arrays of items: interfaces, routes, users etc. Such
arrays are displayed in similarly looking lists. All items in the list have an item number followed
by flags and parameter values.
To change properties of an item, you have to use set command and specify name or number
of the item.
Item Names
Some lists have items with specific names assigned to each of them. Examples
are interface or user levels. There you can use item names instead of item numbers.
You do not have to use the print command before accessing items by their names, which, as
opposed to numbers, are not assigned by the console internally, but are properties of the
items. Thus, they would not change on their own. However, there are all kinds of obscure
situations possible when several users are changing router's configuration at the same time.
Generally, item names are more "stable" than the numbers, and also more informative, so you
should prefer them to numbers when writing console scripts.
Item Numbers
Item numbers are assigned by the print command and are not constant - it is possible that two
successive print commands will order items differently. But the results of last print commands
are memorized and, thus, once assigned, item numbers can be used even
after add, remove and move operations (since version 3, move operation does not renumber
items). Item numbers are assigned on a per session basis, they will remain the same until you
quit the console or until the next print command is executed. Also, numbers are assigned
separately for every item list, so ip address print will not change numbering of the interface
list.
Since version 3 it is possible to use item numbers without running print command. Numbers
will be assigned just as if the print command was executed.
You can specify multiple items as targets to some commands. Almost everywhere, where you
can write the number of item, you can also write a list of numbers.
[admin@MikroTik] > interface print
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE MTU
0 R ether1 ether 1500
[admin@MikroTik] > interface set 0,1,2 mtu=1460
[admin@MikroTik] > interface print
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE MTU
[admin@MikroTik] >
Warning: Do not use Item numbers in scripts, it is not reliable way to edit items in scheduler.
scripts, etc. Instead use find command. More info here also look at scripting examples.
Quick Typing
There are two features in the console that help entering commands much quicker and easier -
the [Tab] key completions, and abbreviations of command names. Completions work similarly
to the bash shell in UNIX. If you press the [Tab] key after a part of a word, console tries to find
the command within the current context that begins with this word. If there is only one match, it
is automatically appended, followed by a space:
/inte[Tab]_ becomes /interface _
If there is more than one match, but they all have a common beginning, which is longer than
that what you have typed, then the word is completed to this common part, and no space is
appended:
/interface set e[Tab]_ becomes /interface set ether_
If you've typed just the common part, pressing the tab key once has no effect. However,
pressing it for the second time shows all possible completions in compact form:
[admin@MikroTik] > interface set e[Tab]_

[admin@MikroTik] > interface set ether[Tab]_
[admin@MikroTik] > interface set ether[Tab]_
ether1 ether5
[admin@MikroTik] > interface set ether_
The [Tab] key can be used almost in any context where the console might have a clue about
possible values - command names, argument names, arguments that have only several
possible values (like names of items in some lists or name of protocol in firewall and NAT
rules). You cannot complete numbers, IP addresses and similar values.
Another way to press fewer keys while typing is to abbreviate command and argument names.
You can type only beginning of command name, and, if it is not ambiguous, console will accept
it as a full name. So typing:
[admin@MikroTik] > pi 10.1 c 3 si 100
equals to:
[admin@MikroTik] > ping 10.0.0.1 count 3 size 100
It is possible to complete not only beginning, but also any distinctive substring of a name: if
there is no exact match, console starts looking for words that have string being completed as
first letters of a multiple word name, or that simply contain letters of this string in the same
order. If single such word is found, it is completed at cursor position. For example:
[admin@MikroTik] > interface x[TAB]_

[admin@MikroTik] > interface export _
[admin@MikroTik] > interface mt[TAB]_

[admin@MikroTik] > interface monitor-traffic _
General Commands
There are some commands that are common to nearly all menu levels, namely: print, set,
remove, add, find, get, export, enable, disable, comment, move. These commands have
similar behavior throughout different menu levels.
 add - this command usually has all the same arguments as set, except the item number
argument. It adds a new item with the values you have specified, usually at the end of the
item list, in places where the order of items is relevant. There are some required properties
that you have to supply, such as the interface for a new address, while other properties are
set to defaults unless you explicitly specify them.
 Common Parameters
 copy-from - Copies an existing item. It takes default values of new item's
properties from another item. If you do not want to make exact copy, you can
specify new values for some properties. When copying items that have names,
you will usually have to give a new name to a copy
 place-before - places a new item before an existing item with specified position.
Thus, you do not need to use the move command after adding an item to the list
 disabled - controls disabled/enabled state of the newly added item(-s)
 comment - holds the description of a newly created item
 Return Values
 add command returns internal number of item it has added
 edit - this command is associated with the set command. It can be used to edit values of
properties that contain large amount of text, such as scripts, but it works with all editable
properties. Depending on the capabilities of the terminal, either a fullscreen editor, or a
single line editor is launched to edit the value of the specified property.
 find - The find command has the same arguments as set, plus the flag arguments
like disabled or active that take values yes or no depending on the value of respective flag.
To see all flags and their names, look at the top of print command's output.
The find command returns internal numbers of all items that have the same values of
arguments as specified.
 move - changes the order of items in list.
 Parameters
 first argument specifies the item(-s) being moved.
 second argument specifies the item before which to place all items being moved
(they are placed at the end of the list if the second argument is omitted).
 print - shows all information that's accessible from particular command level.
Thus, /system clock print shows system date and time, /ip route print shows all routes
etc. If there's a list of items in current level and they are not read-only, i.e. you can
change/remove them (example of read-only item list is /system history, which shows
history of executed actions), then print command also assigns numbers that are used by all
commands that operate with items in this list.
 Common Parameters
 from - show only specified items, in the same order in which they are given.
 where - show only items that match specified criteria. The syntax
of where property is similar to the find command.
 brief - forces the print command to use tabular output form
 detail - forces the print command to use property=value output form
 count-only - shows the number of items
 file - prints the contents of the specific submenu into a file on the router.
 interval - updates the output from the print command for every interval seconds.
 oid - prints the OID value for properties that are accessible from SNMP
 without-paging - prints the output without stopping after each screenful.
 remove - removes specified item(-s) from a list.
 set - allows you to change values of general parameters or item parameters. The set
command has arguments with names corresponding to values you can change. Use ? or
double [Tab] to see list of all arguments. If there is a list of items in this command level,
then set has one action argument that accepts the number of item (or list of numbers) you
wish to set up. This command does not return anything.
Modes
Console line editor works either in multiline mode or in single line mode. In multiline mode line
editor displays complete input line, even if it is longer than single terminal line. It also uses full
screen editor for editing large text values, such as scripts. In single line mode only one terminal
line is used for line editing, and long lines are shown truncated around the cursor. Full screen
editor is not used in this mode.
Choice of modes depends on detected terminal capabilities.
List of keys
Control-C
keyboard interrupt.
Control-D
log out (if input line is empty)
Control-K
clear from cursor to the end of line
Control-X
toggle safe mode
Control-V
toggle hotlock mode mode
F6
toggle cellar
F1 or ?
show context sensitive help. If the previous character is \, then inserts literal ?.
Tab
perform line completion. When pressed second time, show possible completions.
Delete
remove character at cursor
Control-H or Backspace
remove character before cursor and move cursor back one position.
Control-\
split line at cursor. Insert newline at cursor position. Display second of the two resulting
lines.
Control-B or Left
move cursor backwards one character
Control-F or Right
move cursor forward one character
Control-P or Up
go to previous line. If this is the first line of input then recall previous input from history.
Control-N or Down
go to next line. If this is the last line of input then recall next input from history.
Control-A or Home
move cursor to the beginning of the line. If cursor is already at the beginning of the line,
then go to the beginning of the first line of current input.
Control-E or End
move cursor to the end of line. If cursor is already at the end of line, then move it to the
end of the last line of current input.
Control-L or F5
reset terminal and repaint screen.
up, down and split
keys leave cursor at
the end of line.
Built-in Help
The console has a
built-in help, which
can be accessed by
typing ?. General
rule is that help
shows what you can
type in position
where the ? was
pressed (similarly to
pressing [Tab] key
twice, but in verbose
form and with
explanations).
Safe Mode
It is sometimes
possible to change
router configuration
in a way that will
make the router
inaccessible (except
from local console).
Usually this is done
by accident, but
there is no way to
undo last change
when connection to
router is already cut.
Safe mode can be
used to minimize
such risk.
Safe mode is
entered by
pressing [CTRL]+[X
]. To save changes
and quit safe mode,
press [CTRL]+[X] a
gain. To exit without
saving the made
changes,
hit [CTRL]+[D]
[admin@MikroT
ik] ip
route>[CTRL]+
[X]
[Safe Mode
taken]
[admin@MikroT
ik] ip
route<SAFE>
Message Safe
Mode taken is
displayed and
prompt changes to
reflect that session
is now in safe mode.
All configuration
changes that are
made (also from
other login
sessions), while
router is in safe
mode, are
automatically
undone if safe mode
session terminates
abnormally. You can
see all such
changes that will be
automatically
undone tagged with
an F flag in system
history:
[admin@MikroT
ik] ip route>
[Safe Mode
taken]
[admin@MikroT
ik] ip
route<SAFE>
add
[admin@MikroT
ik] ip
route<SAFE>
/system
history print
Flags: U -
undoable, R -
redoable, F -
floating-undo
ACTION
BY
POLICY
F route added
admin
write
Now, if telnet
connection (or
winbox terminal) is
cut, then after a
while (TCP timeout
is 9 minutes) all
changes that were
made while in safe
mode will be
undone. Exiting
session
by [Ctrl]+[D] also
undoes all safe
mode changes,
while /quit does not.
If another user tries
to enter safe mode,
he's given following
message:
[admin@MikroT
ik] >
Hijacking
Safe Mode
from someone
-
unroll/releas
e/don't take
it [u/r/d]:
 [u] - undoes all

safe mode
changes, and
puts the current
session in safe
mode.
 [r] - keeps all
current safe
mode changes,
and puts current
session in a
safe mode.
Previous owner
of safe mode is
notified about
this:
[admin@MikroT
ik] ip
firewall rule
input
[Safe
mode released
by another
user]
 [d] - leaves
everything as-is.
If too many changes
are made while in
safe mode, and
there's no room in
history to hold them
all (currently history
keeps up to 100
most recent
actions), then
session is
automatically put
out of the safe
mode, no changes
are automatically
undone. Thus, it is
best to change
configuration in
small steps, while in
safe mode. Pressing
[Ctrl]+[X] twice is an
easy way to empty
safe mode action
list.
HotLock Mode
When HotLock
mode is enabled
commands will be
auto completed.
To enter/exit
HotLock mode
press [CTRL]+[V].
[admin@MikroT
ik] /ip
address>
[CTRL]+[V]
[admin@MikroT
ik] /ip
address>>
Double >> is
indication that
HotLock mode is
enabled. For
example if you
type /in e , it will
be auto completed
to
[admin@MikroT
ik] /ip
address>>
/interface
ethernet
Quick Help
menu
F6 key enables
menu at the bottom
of the terminal which
shows common key
combinations and
their usage.
[admin@RB493G
] >
tab compl ?
F1 help ^V
hotlk ^X safe
^C brk ^D
quit
Line editor
There is currently no text in this page. You can search for this page title in other pages,
or search the related logs, but you do not have permission to create this page.
Prompt
There is currently no text in this page. You can search for this page title in other pages,
or search the related logs, but you do not have permission to create this page.
Manual:Winbox
Contents
[hide]
 1Summary
 2Starting Winbox
o 2.1IPv6 connectivity
 3Run Winbox on macOS
o 3.1Wine bottler
o 3.2Homebrew
 4Interface Overview
 5Work Area and child windows
o 5.1Child window menu bar
o 5.2Sorting out displayed items
o 5.3Customizing list of displayed columns
 5.3.1Detail mode
 5.3.2Category view
o 5.4Drag & Drop
o 5.5Traffic monitoring
o 5.6Item copy
 6Transferring Settings
 7Troubleshooting
 8Legacy version manual
Summary
Winbox is a small utility that allows administration of MikroTik RouterOS using a fast and
simple GUI. It is a native Win32 binary, but can be run on Linux and MacOS (OSX) using
Wine. All Winbox interface functions are as close as possible mirroring the console functions,
that is why there are no Winbox sections in the manual. Some of advanced and system critical
configurations are not possible from winbox, like MAC address change on an interface Winbox
changelog
From Winbox v3.14, the following security features are used:
 Winbox.exe is signed with an Extended Validation certificate, issued by SIA Mikrotīkls

(MikroTik).
 WinBox uses ECSRP for key exchange and authentication (requires new winbox version).
 Both sides verify that other side knows password (no man in the middle attack is possible).
 Winbox in RoMON mode requires that agent is the latest version to be able to connect to
latest version routers.
 Winbox uses AES128-CBC-SHA as encryption algorithm (requires winbox version 3.14 or
above).
Starting Winbox
Winbox loader can be downloaded from the mikrotik download page. When winbox.exe is
downloaded, double click on it and winbox loader window will pop up:
To connect to the router enter IP or MAC address of the router, specify username and
password (if any) and click on Connect button. You can also enter the port number after the IP
address, separating them with a colon, like this 192.168.88.1:9999. The port can be changed in
RouterOS services menu.
Note: It is recommended to use IP address whenever possible. MAC session uses network
broadcasts and is not 100% reliable.
You can also use neighbor discovery, to list available routers use Neighbors tab:
From list of discovered routers you can click on IP or MAC address column to connect to that
router. If you click on IP address then IP will be used to connect, but if you click on MAC
Address then MAC address will be used to connect to the router.
Note: Neighbor discovery will show also devices which are not compatible with Winbox, like
Cisco routers or any other device that uses CDP (Cisco Discovery Protocol). If you will try to
connect to SwOS device, then connection will be established through web browser
Description of buttons and fields of loader screen
 Simple mode:
-- Buttons/check-boxes
 Connect - Connect to the router

 Connect To RoMON - Connect to RoMON Agent
 Add/set - Save/Edit any of saved router entries in Managed tab.
 Open In New Window - Leaves loader open in background and opens new windows
for each device to which connection is made.
-- Fields
 Connect To: - destination IP or MAC address of the router

 Login - username used for authentication
 Password - password used for authentication
 Keep Password - if unchecked, password is not saved to the list
 Advanced mode:
-- Buttons/check-boxes
 Browse - Browse file directory for some specific session

 Keep Password - if unchecked, password is not saved to the list
 Secure mode - if checked, winbox will use DH-1984 for key exchange and modified
and hardened RC4-drop3072 encryption to secure session.
 Autosave session - Saves sessions automatically for devices to which connection are
made.
-- Fields:
 Session - Saved router session.

 Note - Note that is assigned to save router entry.
 Group - Group to which saved router entry is assigned.
 RoMON Agent - Select RoMON Agent from available device list
Description of menu items in loader screen

-- File
 New - Create new managed router list in specified location

 Open - Open managed router list file
 Save As - Save current managed router list to file
 Exit - Exit Winbox loader
-- Tools
 Advanced Mode - Enables/Disables advanced mode view

 Import - Imports saved session file
 Export - Exports saved session file
 Move Session Folder - Change path where session files are stored
 Clear cache - Clear winbox cache
 Check For Updates - Check for updates for Winbox loader
Warning: Managed routers list is encrypted, but it can still be loaded in other winbox without
problems IF the master password is not set for it!
It is possible to use command line to pass connect to, user and password parameters
automatically:
winbox.exe [<connect-to> [<login> [<password>]]]
For example (with no password):

winbox.exe 10.5.101.1 admin ""
Will connect to router 10.5.101.1 with user "admin"without password.

It is possible to use command line to pass connect to, user and password parameters
automatically to conenct to router through RoMON. In this case RoMON Agent must be saved
on Managed routers list so Winbox would know user and password for this device:
winbox.exe --romon [<romon-agent> [<connect-to> [<login>

[<password>]]]]
For example (with no password):
winbox.exe --romon 10.5.101.1 D4:CA:6D:E1:B5:7D admin ""
Will connect to router D4:CA:6D:E1:B5:7D through 10.5.101.1 RoMON Agent with user
"admin" without password.
IPv6 connectivity
Winbox supports IPv6 connectivity. To connect to the routers IPv6 address, it must be placed
in square braces the same as in web browsers when connecting to IPv6 server. Example:
Winbox neighbor discovery is now capable of discovering IPv6 enabled routers. As you can
see from the image below, there are two entries for each IPv6 enabled router, one entry is with
IPv4 address and another one with IPv6 link-local address. You can easily choose to which
one you want to connect:
Run Winbox on macOS
Wine bottler
It is possible to use Winbox in Apple macOS operating system by using Wine emulation
software. For easier use it can be combined with WineBottler software to create a more
convenient executable.
Homebrew
If the bottled version does not work, you can use Homebrew to install Wine and then launch
the regular Winbox.exe file from our download page
Requirements:
1. Xcode latest version. If you have Xcode 9-beta, delete Xcode 8 first, then rename the
Beta to "Xcode".
2. Homebrew
Then just follow these steps:
brew cask install xquartz

brew install wine
If you'd like to create a launcher in MacOS, to avoid launching Wine from the Terminal, you
can do it with Automator and save the result as a service or as an app. This is an example
setup:
Interface Overview
Winbox interface has been designed to be intuitive for most of the users. Interface consists of:
 Main toolbar at the top where users can add various info fields, like CPU and memory
usage.
 Menu bar on the left - list of all available menus and sub-menus. This list changes
depending on what packages are installed. For example if IPv6 package is disabled,
then IPv6 menu and all it's sub-menus will not be displayed.
 Work area - area where all menu windows are opened.
Title bar shows information to identify with which router Winbox session is opened. Information
is displayed in following format:
[username]@[Router's IP or MAC] ( [RouterID] ) - Winbox [ROS version]

on [RB model] ([platform])
From screenshot above we can see that user krisjanis is logged into router with IPv4/IPv6
address [fe80::4e5e:cff:fef6:c0ab%3]. Router's ID is 3C18-Krisjanis_GW, currently installed
RouterOS version is v6.36rc6, RouterBoard is CCR1036-12G-4S and platform is tile.
On the Main toolbar's left side is located undo and redo buttons to quickly undo any changes
made to configuration. On the right side is located:
 winbox traffic indicator displayed as a green bar,
 indicator that shows whether winbox session uses encryption
Work Area and child windows

Winbox has MDI interface meaning that all menu configuration (child) widows are attached to
main (parent) Winbox window and are showed in work area.
Child windows can not be dragged out of working area. Notice in screenshot above
that Interface window is dragged out of visible working area and horizontal scroll bar appeared
at the bottom. If any window is outside visible work area boundaries the vertical or/and
horizontal scrollbars will appear.
Child window menu bar
Each child window has its own toolbar. Most of the windows have the same set of toolbar
buttons:
 Add - add new item to the list
 Remove - remove selected item from the list
 Enable - enable selected item (the same as enable command from console)
 Disable - disable selected item (the same as disable command from console)
 Comment - add or edit comment
 Sort - allows to sort out items depending on various parameters. Read more >>
Almost all windows have quick search input field at the right side of the toolbar. Any text
entered in this field is searched through all the items and highlighted as illustrated in
screenshot below
Notice that at the right side next to quick find input filed there is a dropdown box. For currently
opened (IP Route) window this dropdown box allows to quickly sort out items by routing tables.
For example if main is selected, then only routes from main routing table will be listed.
Similar dropdown box is also in all firewall windows to quickly sort out rules by chains.
Sorting out displayed items
Almost every window has a Sort button. When clicking on this button several options appear
as illustrated in screenshot below
Example shows how to quickly filter out routes that are in 10.0.0.0/8 range
1. Press Sort button

2. Chose Dst.Address from the first dropdown box.
3. Chose in form the second dropdown box. "in" means that filter will check if dst address
value is in range of specified network.
4. Enter network against which values will be compared (in our example enter
"10.0.0.0/8")
5. These buttons are to add or remove another filter to the stack.
6. Press Filter button to apply our filter.
As you can see from screenshot winbox sorted out only routes that are within 10.0.0.0/8 range.
Comparison operators (Number 3 in screenshot) may be different for each window. For
example "Ip Route" window has only two is and in. Other windows may have operators such
as "is not", "contains", "contains not".
Winbox allows to build stack of filters. For example if there is a need to filter by destination
address and gateway, then
 set first filter as described in example above,

 press [+] button to add another filter bar in stack.
 set up seconf filter to filter by gateway
 press Filter button to apply filters.
You can also remove unnecessary filter from the stack by pressing [-] button.
Customizing list of displayed columns
By default winbox shows most commonly used parameters. However sometimes it is needed
to see another parameters, for example "BGP AS Path" or other BGP attributes to monitor if
routes are selected properly.
Winbox allows to customize displayed columns for each individual window. For example to add
BGP AS path column:
 Click on little arrow button (1) on the right side of the column titles or right mouse click
on the route list.
 From popped up menu move to Show Columns (2) and from the sub-menu pick
desired column, in our case click on BGP AS Path (3)
Changes made to window layout are saved and next time when winbox is opened the same
column order and size is applied.
Detail mode
It is also possible to enable Detail mode. In this mode all parameters are displayed in
columns, first column is parameter name, second column is parameter's value.
To enable detail mode right mouse click on the item list and from the popupmenu pick Detail
mode
Category view
It is possible to list items by categories. In tis mode all items will be grouped alphabetically or
by other category. For example items may be categorized alphabetically if sorted by name,
items can also be categorized by type like in screenshot below.
To enable Category view, right mouse click on the item list and from the popupmenu
pick Show Categories
Drag & Drop
It is possible to upload and download files to/from router using winbox drag & drop
functionality. You can also download file by pressing right mouse button on it and selecting
"Download".
Note: Drag & Drop does not work if winbox is running on Linux using wine. This is not a winbox
problem, wine does not support drag & drop.
Traffic monitoring
Winbox can be used as a tool to monitor traffic of every interface, queue or firewall rule in real-
time. Screenshot below shows ethernet traffic monitoring graphs.
Item copy
This shows how easy it is to copy an item in Winbox. In this example, we will use the COPY
button to make a Dynamic PPPoE server interface into a Static interface.
This image shows us the initial state, as you see DR indicates "D" which means Dynamic:

Double-Click on the interface and click on COPY:

A new interface window will appear, a new name will be created automatically (in this case
pppoe-in1)

After this Down/Up event this interface will be Static:

Transferring Settings
 Managed router transfer - In File menu, use Save As and Open functions to save managed
router list to file and open it up again on new workstation.
 Router sessions transfer - In Tools menu, use Export and Import functions to save existing
sessions to file and import them again on new workstation.
Troubleshooting
Winbox cannot connect to router's IP address
Make sure that Windows firewall is set to allow Winbox connections or disable windows
firewall.
I get an error '(port 20561) timed out' when connecting to routers mac address
Windows (7/8) does not allow mac connection if file and print sharing is disabled.
Legacy version manual

Manual:Webfig
Contents
[hide]
 1Summary
 2Connecting to Router
o 2.1IPv6 Connectivity
o 2.2Enable HTTPS
 3Interface Overview
o 3.1Item configuration
 4Work with Files
 5Traffic Monitoring
 6Skins
o 6.1Designing skins
 6.1.1Configure wireless interface
o 6.2Status page
 6.2.1Addition of fields
 6.2.2Two columns
o 6.3Skin design examples
 6.3.1Set field
o 6.4Using skins
Summary
WebFig is a web based RouterOS utility which allows you to monitor, configure and
troubleshoot the router. It is designed as an alternative of WinBox, both have similar layouts
and both have access to almost any feature of RouterOS.
WebFig is accessible directly from the router which means that there is no need to install
additional software (except web browser with JavaScript support, of course).
As Webfig is platform independent, it can be used to configure router directly from various
mobile devices without need of a software developed for specific platform.
Some of the tasks that you can perform with WebFig:
 Configuration - view and edit current configuration;

 Monitoring - display the current status of the router, routing information, interface stats,
logs and many more;
 Troubleshooting - RouterOS has built in many troubleshooting tools (like ping, traceroute,
packet sniffers, traffic generators and many other) and all of them can be used with
WebFig.
Connecting to Router
WebFig can be launched from the routers home page which is accessible by entering routers
IP address in the browser. When home page is successfully loaded, choose webfig from the
list of available icons as illustrated in screenshot.
After clicking on webfig icon, login prompt will ask you to enter username and password. Enter
login information and click connect.
Now you should be able to see webfig in action.
IPv6 Connectivity
RouterOS http service now listens on ipv6 address, too. To connect to IPv6, in your browser
enter ipv6 address in square brackets, for example [2001:db8:1::4]. If it is required to connect
to link local address, don't forget to specify interface name or interface id on windows, for
example [fe80::9f94:9396%ether1].
Enable HTTPS
By default access to the router using HTTPS is disabled, but it can be enabled if you have a
valid certificate. In case you don't have a valid certificate, you can generate your own using
RouterOS. To generate your own certificates and enable HTTPS access, you must first login to
the router by using Webfig (HTTP version or you can use Winbox, SSH or Telnet), open a new
terminal and input the following commands:
 Create your own root CA on your router
/certificate
add name=LocalCA common-name=LocalCA key-usage=key-cert-sign,crl-sign
 Sign the newly created CA certificate
/certificate
sign LocalCA
Note: In case you already have set up your own CA or you are using a service that signs
certificates for you, then you create and sign the certificate remotely and import the certificate
on the router later. In case you are importing a certificate, then make sure you mark the
certificate as trusted.
 Create a new certificate for Webfig (non-root certificate)
/certificate
add name=Webfig common-name=192.168.88.1
Note: Most browsers will throw out an invalid certificate error if the common name for the
certificate does not match the address you are visiting, for this reason you can specify the
router's IP address as the common name since you will be using the IP address to open up
Webfig.
 Sign the newly created certificate for Webfig
/certificate
sign Webfig ca=LocalCA
Note: It is not required to set the certificate as trusted if you created your own root CA on the
same router since by default RouterOS will trust its own generated root CA and therefore will
trust all certificates signed by it, including the newly created certificate for Webfig.
 Enable www-ssl and specify to use the newly created certificate for Webfig
/ip service
set www-ssl certificate=Webfig disabled=no
You can now visit https://192.168.88.1 and securely configure your router.
Note: By default browsers will not trust self-signed certificates, you will need to add the
certificate as trusted on the first time you visit the page in your browser. Another approach is to
export the root CA certificate and import it as a trusted root certificate on your computer, this
way all certificates signed by this router will be considered as valid and will make it easier to
manage certificates in your network.
Interface Overview
WebFig interface is designed to be very intuitive especially for WinBox users. It has very
similar layout: menu bar on the left side, undo/redo at the top and work are at the rest of
available space.
When connected to router, browsers title bar (tab name on Chrome) displays currently opened
menu, user name used to authenticate, ip address, system identity, ROS version and
RouterBOARD model in following format:
[menu] at [username]@[Router's IP] ( [RouterID] ) - Webfig [ROS
version] on [RB model] ([platform])
Menu bar has almost the same design as WinBox menu bar. Little arrow on the right side of
the menu item indicates that this menu has several sub-menus.
When clicking on such menu item, sub-menus will be listed and the arrow will be pointing
down, indicating that sub-menus are listed.
At the top you can see three common buttons Undo/Redo buttons similar to winbox and one
additional button Log Out. In the top right corner, you can see WebFig logo and
RouterBOARDS model name.
Work area has tab design, where you can switch between several configuration tabs, for
example in screenshot there are listed all tabs available in Bridge menu (Bridge, Ports, Filters,
NAT, Rules).
Below the tabs are listed buttons for all menu specific commands, for example Add
New and Settings.
The last part is table of all menu items. First column of an item has item specific command
buttons:
 - enable current item

 - disable current item
 - remove current item
Item configuration
When clicking on one of the listed items, webfig will open new page showing all configurable
parameters, item specific commands and status.
At the top you can see item type and item name. In example screenshot you can see that item
is an interface with name bypass
There are also item specific command buttons (Ok, Cancel, Apply, Remove and Torch). These
can vary between different items. For example Torch is available only for interfaces.
Common Item buttons:
 Ok - apply changes to parameters and exit;

 Cancel - exit and do not apply changes;
 Apply - apply changes and stay on current page;
 Remove - remove current item.
Status bar similar to winbox shows current status of item specific flags (e.g running flag). Grey-
ed out flag means that it is not active. In example screenshot you can see that running is in
solid black and slave is grey-ed, which means that interface is running and is not a slave
interface.
List of properties is divided in several sections, for example "General", "STP", "Status",
"Traffic". In winbox these sections are located in separate tabs, but webfig lists them all in one
page specifying section name. In screenshotyou can see "General" section. Grey-edout
properties mean that they are read-only and configuration is not possible.
Work with Files

Webfig allows to upload files directly to the router, without using FTP services. To upload files,
open Files menu, click on Choose File button, pick file and wait until file is uploaded.
Files also can be easily downloaded from the router, by clicking Download button at the right
side of the file entry.
Traffic Monitoring
Template:TODO
Skins
Webfig skins is handy tool to make interface more user friendly. It is not a security tool. If user
has sufficient rights it is possible to access hidden features by other means.
Designing skins
If user has sufficient permissions (group has policy edit permissions) Design Skin button
becomes available. Pressing that toggle button will open interface editing options. Possible
operations are:
 Hide menu - this will hide all items from menu and its submenus;
 Hide submenu - only certain submenu will be hidden
 Hide tabs - if submenu details have several tabs, it is possible to hide them this way;
 Rename menus, items - make some certain features more obvious or translate them into
your launguage;
 Add note to to item (in detail view) - to add comments on filed;
 Make item read-only (in detail view) - for user safety very sensitive fields can be made read
only
 Hide flags (in detail view) - while it is only possible to hide flag in detail view, this flag will
not be visible in list view and in detailed view;
 Add limits for field - (in detail view) where it is list of times that are comma or newline
separated list of allowed values:
 number interval '..' example: 1..10 will allow values from 1 to 10 for fiels with numbers,
example, MTU size.
 field prefix (Text fields, MAC address, set fields, combo-boxes). If it is required to limit
prefix length $ should be added to the end, for example, limiting wireless interface to
"station" only will contain
 Add Tab - will add grey ribbon with editable label that will separate the fields. Ribbon will
be added before field it is added to;
 Add Separator - will add low height horizontal separator before the field it is added to.
Note: Number interval cannot be set to extend limitations set by RouterOS for that field
Note: Set fields are argument that consist of set of check-boxes, for example, setting up
policies for user groups, RADIUS "Service"
Note: Limitations set for combo-boxes will values selectable from dropdown
Configure wireless interface

To configure
Status page
Note: Starting RouterOS 5.7 webfig interface adds capability for users to create status page
where fields from anywhere can be added and arranged.
Satus page can be created by users (with sufficient permissions) and fields on the page can be
reordered.
When status page is created it is default page that opens when logging in the router through
webfig interface.
Addition of fields
To add field to status page user has to enter "Design skin" mode and from drop-down menu at
the field choose option - "Add to status page"
As the result of this action desired field in read-only mode will be added to status page. If at the
time Status page is not present at the time, it will be created for the user automatically.
Two columns
Fields in Status page can be arranged in two columns. Columns are filled from top to bottom.
When you have only one column then first item intended for second should be dragged to the
top of the first item when black line appear on top of the first item, then drag mouse to the left
until shorter black line is displayed as showed in screenshot. Releasing mouse button will
create second column. Rest of the fields afterwards can be dragged and dropped same way as
with one column design.
Skin design examples
Set field
Setting limits for set
field
And the
result:
Using skins
To use skins you have to assign skin to group, when that is done users of that group will
automatically use selected skin as their default when logging into Webfig.
Note: Webfig is only configuration interface that can use skins

If it is required to use created skin on other router you can copy files to skins folder on the
other router. On new router it is required to add copied skin to user group to use it.
Manual:Quickset
Applies to RouterOS:v5.15+
Contents
[hide]
 1Summary
 2Modes
 3HomeAP
o 3.1Wireless
o 3.2Internet
o 3.3Local Network
o 3.4VPN
o 3.5System
 4F.A.Q
Summary
Quickset is a simple configuration wizard page that prepares your router in a few clicks. It is
the first screen a user sees, when opening the default IP address 192.168.88.1 in a web
browser.
Quickset is available for all devices that have some sort of default configuration from factory.
Devices that do not have configuration must be configured by hand. The most popular and
recommended mode is the HomeAP (or HomeAP dual, depending on the device). This
Quickset mode provides the simplest of terminology and the most common options for the
home user.
Modes
Depending on the router model, different Quickset modes might be available from the Quickset
dropdown menu:
 CAP: Controlled Access Point, an AP device, that will be managed by a centralised

CAPsMAN server. Only use if you have already set up a CAPsMAN server.
 CPE: Client device, which will connect to an Access Point (AP) device. Provides option to
scan for AP devices in your area.
 HomeAP: The default Access Point config page for most home users. Provides less
options and simplified terminology.
 HomeAP dual: Dual band devices (2GHz/5GHz). The default Access Point config page for
most home users. Provides less options and simplified terminology.
 PTP Bridge AP: When you need to transparently interconnect two remote locations
together in the same network, set one device to this mode, and the other device to the next
(PTP Bridge CPE) mode.
 PTP Bridge CPE: When you need to transparently interconnect two remote locations
together in the same network, set one device to this mode, and the other device to the
previous (PTP Bridge AP) mode.
 WISP AP: Similar to the HomeAP mode, but provides more advanced options and uses
industry standard terminology, like SSID and WPA.
HomeAP
This is the mode you should use if you would like to quickly configure a home access point.
Wireless
 Network Name: How will your smartphone see your network? Set any name you like here.
In HomeAP dual, you can set the 2GHz (legacy) and 5GHz (modern) networks to the
same, or different names (see FAQ). Use any name you like, in any format.
 Frequency: Normally you can leave "Auto", in this way, the router will scan the
environment, and select the least occupied frequency channel (it will do this once). Use a
custom selection if you need to experiment.
 Band: Normally leave this to defaults (2GHz b/g/n and 5GHz A/N/AC).
 Use Access List (ACL): Enable this if you would like to restrict who can connect to your
AP, based on the users MAC (hardware) address. To use this option, first you need to
allow these clients to connect, and then use the below button "Copy to ACL". This will copy
the selected client to the access list. After you have build an Access list (ACL), you can
enable this option to forbid anyone else to attempt connections to your device. Normally
you can leave this alone, as the Wireless password already provides the needed
restrictions.
 WiFi Password: The most important option here. Sets a secure password that also
encrypts your wireless communications.
 WPS accept: Use this button to grant access to a specific device that supports the WPS
connection mode. Useful for printers and other peripherals where typing a password is
difficult. First start WPS mode in your client device, then once click the WPS button here to
allow said device. Button works for a few seconds and operates on a per-client basis.
 Guest network: Useful for house guests who don't need to know your main WiFi
password. Set a separate password for them in this option. Important! Guest users will not
be able to access other devices in your LAN and other guest devices. This mode enabled
Bridge filters to prevent this.
 Wireless clients: This table shows the currently connected client devices (their MAC
address, if they are in your Access List, their last used IP address, how long are they
connected, their signal level in dBm and in a bar graph).
Internet
 Port: Select which port is connected to the ISP (internet) modem. Usually Eth1.
 Address Acquisition: Select how the ISP is giving you the IP address. Ask your service
provider about this and the other options (IP address, Netmask, Gateway).
 MAC address: Normally should not be changed, unless your ISP has locked you to a
specific MAC address and you have changed the router to a new one.
 Firewall router: This enables secure firewall for your router and your network. Always
make sure this box is selected, so that no access is possible to your devices from the
internet port.
 MAC server / MAC Winbox: Allows connection with the [Winbox utility http://mt.lv/winbox]
from the LAN port side in MAC address mode. Useful for debugging and recovery, when IP
mode is not available. Advanced use only.
 Discovery: Allows the device to be identified by model name from other RouterOS
devices.
Local Network
 IP address: Mostly can stay at the default 192.168.88.1 unless your router is behind
another router. To avoid IP conflict, change to 192.168.89.1 or similar
 Netmask: In most situations can leave 255.255.255.0
 Bridge all LAN ports: Allows your devices to communicate to each other, even if, say,
your TV is connected via ethernet LAN cable, but your PC is connected via WiFi.
 DHCP server: Normally, you would want automatic IP address configuration in your home
network, so leave the DHCP settings ON and on their defaults.
 NAT: Turn this off ONLY if your ISP has provided a public IP address for both the router
and also the local network. If not, leave NAT on.
 UPnP: This option enables automatic port forwarding ("opening ports to the local network"
as some call it) for supported programs and devices, like your NAS disks and peer-to-peer
utilities. Use with care, as this option can sometimes expose internal devices to the internet
without your knowledge. Enable only if specifically needed.
VPN
If you want to access your local network (and your router) from the internet, use a secure VPN
tunnel. This option gives you a domain name where to connect to, and enables PPTP and
L2TP/IPsec (the second one is recommended). The username is 'vpn' and you can specify
your own password. All you need to do is enable it here, and then provide the address,
username and password in your laptop or phone, and when connected to the VPN, you will
have a securely encrypted connection to your home network. Also useful when travelling - you
will be able to browse the internet through a secure line, as if connecting from your home. This
also helps to avoid geographical restrictions that are set up in some countries.
System
 Check for updates: Always make sure your device is up to date with this button. Checks if
an updated RouterOS release is available, and installs it.
 Password: Sets the password for the device config page itself. Make sure nobody can
access your router config page and change the settings.
F.A.Q
How is Quickset different from the Webfig tab, where a whole bunch of new menus
appear?
If you need more options, do not use any Quickset settings at all, click on "Webfig" to
open the advanced configuration interface. The full functionality is unlocked.
Can I use Quickset and Webfig together?
While settings that are not conflicting can be configured this way, it is not
recommended to mix up these menus. If you are going to use Quickset, use only
Quickset and vice versa.
What's is difference between Router and Bridge mode?
Bridge mode adds all interfaces to the bridge allowing to forward Layer2 packets (acts
as a hub/switch).
In Router mode packets are forwarded in Layer3 by using IP addresses and IP routes
(acts as a router).
In HomeAP mode, should the 2GHz and 5GHz network names be the
same, or different?
If you prefer that all your client devices, like TV, phones, game consoles, would
automatically select the best preferred network, set the names identically. If you would
like to force a client device to use the faster 5GHz 802.11ac connection, set the names
unique.
Manual:CAPsMAN
Contents
[hide]
 1Overview
 2CAPsMAN v2
 3Requirements
 4Limitations
 5CAP to CAPsMAN Connection
o 5.1CAP Auto Locking to CAPsMAN
o 5.2Auto Certificates
 6CAP Configuration
 7CAPsMAN Configuration Concepts
 8CAPsMAN Global Configuration
 9Radio Provisioning
 10Interface Configuration
 11Master Configuration Profiles
 12Channel Groups
 13Datapath Configuration
 14Local Forwarding Mode
 15Manager Forwarding Mode
 16Access List
 17Registration Table
 18Examples
o 18.1Basic configuration with master and slave interface
o 18.2Configuration with certificates
 18.2.1Fast and easy configuration
 18.2.2Manual certificates and issuing with SCEP
Overview
Controlled Access Point system Manager (CAPsMAN) allows centralization of wireless network
management and if necessary, data processing. When using the CAPsMAN feature, the
network will consist of a number of 'Controlled Access Points' (CAP) that provide wireless
connectivity and a 'system Manager' (CAPsMAN) that manages the configuration of the APs, it
also takes care of client authentication and optionally, data forwarding.
When a CAP is controlled by CAPsMAN it only requires the minimum configuration required to
allow it to establish connection with CAPsMAN. Functions that were conventionally executed
by an AP (like access control, client authentication) are now executed by CAPsMAN. The CAP
device now only has to provide the wireless link layer encryption/decryption.
Depending on configuration, data is either forwarded to CAPsMAN for centralized processing
(default) or forwarded locally at the CAP itself (#Local_Forwarding_Mode).
CAPsMAN features
 RADIUS MAC authentication

 WPA/WPA2 security
 TBA
MISSING CAPsMAN features
 Nstreme AP support
 Nv2 AP support
 TBA
CAPsMAN v2
NOTE: CAPsMAN v2 is NOT compatible with current CAPsMAN v1 (CAPsMAN v1 CAP
devices will not be able to connect to CAPsMAN v2 and CAPsMAN v2 CAP devices will not be
able to connect to CAPsMAN v1). It means that both CAPsMAN and CAP devices should have
wireless-cm2 package enabled/installed in order to make CAPsMAN v2 system to work.
If you want to try out the CAPsMAN v2 upgrade all the CAPs and the CAPsMAN to latest
RouterOS version and enable/install wireless-cm2 package.
CAPsMAN v2 features:
 CAPsMAN automatic upgrade of all CAP clients (configurable)

 improved CAP<->CAPsMAN data connection protocol
 added "Name Format" and "Name Prefix" setting for Provision rules
 improved logging entries when client roams between the CAPs
 added L2 Path MTU discovery
Upgrade options from v1 to v2:
Option1: Install a new temporary CAPsMAN v2 router in same network where the current
CAPsMAN router is and start enabling/upgrading wireless-cm2 package on the CAPs. All
CAPs with the v2 will connect to the new temporary CAPsMAN v2 router. After every CAP is
upgraded to v2, upgrade your current CAPsMAN to v2 and then turn off the temporary
CAPsMAN v2 router.
Option2: Upgrade your CAPs and then CAPsMAN to v2 at the same time. In this case you
could have little more downtime unless you schedule all the CAPs to reboot/install at the same
time.
Requirements
CAPsMAN works on any RouterOS device from v6.11, wireless interfaces are not required
(since it manages the wireless interfaces of CAPs)
CAPsMAN v2 is working starting from RouterOS v6.22rc7.
CAP device should have at least Level4 RouterOS license
Limitations
unlimited CAPs (access points) supported by CAPsMAN
32 Radios per CAP
32 Virtual interfaces per master radio interface
CAP to CAPsMAN Connection

For the CAPsMAN system to function and provide wireless connectivity, a CAP must establish
management connection with CAPsMAN. A management connection can be established using
MAC or IP layer protocols and is secured using 'DTLS'.
A CAP can also pass the client data connection to the Manager, but the data connection is not
secured. If this is deemed necessary, then other means of data security needs to be used, e.g.
IPSec or encrypted tunnels.
CAP to CAPsMAN connection can be established using 2 transport protocols (via Layer 2 and
Layer3).
 MAC layer connection features:

 no IP configuration necessary on CAP
 CAP and CAPsMAN must be on the same Layer 2 segment - either physical or virtual
(by means of L2 tunnels)
 IP layer (UDP) connection features:
 can traverse NAT if necessary
 CAP must be able to reach CAPsMAN using IP protocol
 if the CAP is not on the same L2 segment as CAPsMAN, it must be provisioned with
the CAPsMAN IP address, because IP multicast based discovery does not work over
Layer3
In order to establish connection with CAPsMAN, CAP executes a discovery process. During
discovery, CAP attempts to contact CAPsMAN and builds an available CAPsMANs list. CAP
attempts to contact to an available CAPsMAN using:
 configured list of Manager IP addresses

 list of CAPsMAN IP addresses obtained from DHCP server
 broadcasting on configured interfaces using both - IP and MAC layer protocols.
When the list of available CAPsMANs is built, CAP selects a CAPsMAN based on the following
rules:
 if caps-man-names parameter specifies allowed manager names (/system identity of
CAPsMAN), CAP will prefer the CAPsMAN that is earlier in the list, if list is empty it will
connect to any available Manager
 suitable Manager with MAC layer connectivity is preferred to Manager with IP connectivity
After Manager is selected, CAP attempts to establish DTLS connection. There are the following
authentication modes possible:
 no certificates on CAP and CAPsMAN - no authentication

 only Manager is configured with certificate - CAP checks CAPsMAN certificate, but does
not fail if it does not have appropriate trusted CA certificate, CAPsMAN must be configured
with require-peer-certificate=noin order to establish connection with CAP that does not
possess certificate
 CAP and CAPsMAN are configured with certificates - mutual authentication
After DTLS connection is established, CAP can optionally check CommonName field of
certificate provided by CAPsMAN. caps-man-certificate-common-names parameter contains
list of allowed CommonName values. If this list is not empty, CAPsMAN must be configured
with certificate. If this list is empty, CAP does not check CommonName field.
If the CAPsMAN or CAP gets disconnected from the network, the loss of connection between
CAP and CAPsMAN will be detected in approximately 10-20 seconds.
CAP Auto Locking to CAPsMAN
CAP can be configured to automatically lock to particular CAPsMAN. Locking is implemented
by recording certificate CommonName of CAPsMAN that CAP is locked to and checking this
CommonName for all subsequent connections. As this feature is implemented using certificate
CommonName, use of certificates is mandatory for locking to work.
Locking is enabled by the following command:
[admin@CAP] > /interface wireless cap set lock-to-caps-man=yes
Once CAP connects to suitable CAPsMAN and locks to it, it is reflected like this:
[admin@wtp] > /interface wireless cap print

...
locked-caps-man-common-name: CAPsMAN-000C424C30F3
From now on CAP will only connect to CAPsMAN with this CommonName, until locking
requirement is cleared, by setting lock-to-caps-man=no. This approach needs to be used if it
is necessary to force CAP to lock to another CAPsMAN - by at first setting lock-to-caps-
man=no followed by lock-to-caps-man=yes.
Note that CAP can be manually "locked" to CAPsMAN by setting caps-man-certificate-
common-names.
Auto Certificates
To simplify CAPsMAN and CAP configuration when certificates are required (e.g. for automatic
locking feature), CAPsMAN can be configured to generate necessary certificates automatically
and CAP can be configured to request certificate from CAPsMAN.
Automatic certificates do not provide full public key infrastructure and are provided for
simple setups. If more complicated PKI is necessary - supporting proper certificate validity
periods, multiple-level CA certificates, certificate renewal - other means must be used, such as
manual certificate distribution or SCEP.
CAPsMAN has the following certificate settings:
 certificate - this is CAPsMAN certificate, private key must be available for this certificate. If
set to none, CAPsMAN will operate in no-certificate mode and none of certificate requiring
features will work. If set to auto, CAPsMAN will attempt to issue certificate to itself using
CA certificate (see ca-certificate description). Note that CommonName automatically
issued certificate will be "CAPsMAN-<mac address>" and validity period for will be the
same as for CA certificate.
 ca-certificate - this is CA certificate that CAPsMAN will use when issuing certificate for
itself if necessary (see certificate description) and when signing certificate requests from
CAPs. If set to none, CAPsMAN will not be able to issue certificate to itself or sign
certificate requests from CAPs. If set to auto, CAPsMAN will generate self-signed CA
certificate to use as CA certificate. CommonName for this certificate will take form
"CAPsMAN-CA-<mac address>" and validity period will be from jan/01/1970 until
jan/18/2038.
When CAPsMAN will auto-generate certificates, this will be reflected like this:
[admin@CM] /caps-man manager> pr

enabled: yes
certificate: auto
ca-certificate: auto
require-peer-certificate: no
generated-certificate: CAPsMAN-000C424C30F3
generated-ca-certificate: CAPsMAN-CA-000C424C30F3
And certificates:
[admin@CM] /certificate> print detail

Flags: K - private-key, D - dsa, L - crl, C - smart-card-key,
A - authority, I - issued, R - revoked, E - expired, T - trusted
0 K A T name="CAPsMAN-CA-000C424C30F3" common-name="CAPsMAN-CA-
000C424C30F3" key-size=2048
days-valid=24854 trusted=yes
key-usage=digital-signature,key-encipherment,data-
encipherment,key-cert-sign,crl-sign
serial-number="1"
fingerprint="69d77bbb45c50afd2d6c1785c2a3d72596b8a5f6"
invalid-before=jan/01/1970 00:00:01 invalid-
after=jan/18/2038 03:14:07
1 K I name="CAPsMAN-000C424C30F3" common-name="CAPsMAN-
000C424C30F3" key-size=2048
days-valid=24854 trusted=no key-usage=digital-signature,key-
encipherment
ca=CAPsMAN-CA-000C424C30F3 serial-number="1"
fingerprint="e853ddb9d41fc139083a176ab164331bc24bc5ed"
after=jan/18/2038 03:14:07
CAP can be configured to request certificate from CAPsMAN. In order for this to work, CAP
must be configured with setting certificate=request and CAPsMAN must have CA certificate
available (either specified in ca-certificate setting or auto-generated).
CAP will initially generate private key and certificate request with CommonName of form "CAP-
<mac address>". When CAP will establish connection with CAPsMAN, CAP will request
CAPsMAN to sign its certificate request. If this will succeed, CAPsMAN will send CA certificate
and newly issued certificate to CAP. CAP will import these certificates in its certificate store:
[admin@CAP] > /interface wireless cap print

...
requested-certificate: cert_2
locked-caps-man-common-name: CAPsMAN-000C424C30F3
[admin@CAP] > /certificate print detail
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key,
A - authority, I - issued, R - revoked, E - expired, T - trusted
0 T name="cert_1" issuer=CN=CAPsMAN-CA-000C424C30F3 common-
name="CAPsMAN-CA-000C424C30F3"
key-size=2048 days-valid=24837 trusted=yes
key-usage=digital-signature,key-encipherment,data-
encipherment,key-cert-sign,crl-sign
serial-number="1"
fingerprint="69d77bbb45c50afd2d6c1785c2a3d72596b8a5f6"
after=jan/01/2038 03:14:07
1 K T name="cert_2" issuer=CN=CAPsMAN-CA-000C424C30F3 common-

name="CAP-000C4200C032"
key-size=2048 days-valid=24837 trusted=yes
key-usage=digital-signature,key-encipherment serial-
number="2"
fingerprint="2c85bf2fbc9fc0832e47cd2773a6f4b6af35ef65"
after=jan/01/2038 03:14:07
On subsequent connections to CAPsMAN, CAP will use generated certificate.
CAP Configuration
When an AP is configured to be controlled by CAPsMAN, configuration of the managed
wireless interfaces on the AP is ignored (exceptions: antenna-gain,antenna-mode). Instead, AP
accepts configuration for the managed interfaces from CAPsMAN.
Note: The CAP wireless interfaces that are managed by CAPsMAN and whose traffic is being
forwarded to CAPsMAN (ie. they are not in local forwarding mode), are shown as disabled,
with the note Managed by CAPsMAN. Those interfaces that are in local forwarding mode
(traffic is locally managed by CAP, and only management is done by CAPsMAN) are not
shown disabled, but the note Managed by CAPsMAN is shown
CAP behaviour of AP is configured in /interface wireless cap menu. It contains the following
settings:
Property
enabled (yes | no; Default: no) Disable or enable CAP fea
interfaces (list of interfaces; Default: empty) List of wireless interfaces
certificate (certificate name | none; Default: none) Certificate to use for authe
discovery-interfaces (list of interfaces; Default: empty) List of interfaces over whi
caps-man-addresses (list of IP addresses; Default: empty) List of Manager IP addres
caps-man-names (list of allowed CAPs Manager names; Default: empty) List of Manager names tha
caps-man-certificate-common-names (list of allowed CAPs Manager CommonNames; List of Manager certificate
Default: empty)
bridge (bridge interface; Default: none) Bridge to which interfaces
static-virtual (Static Virtual Interface; Default: no) CAP will create Static Vir
address will be the same. N
random between those inte
CAPsMAN Configuration Concepts

Each wireless interface on a CAP that is under CAPsMAN control appears as a virtual interface
on the CAPsMAN. This provides maximum flexibility in data forwarding control using regular
RouterOS features, such as routing, bridging, firewall, etc.
Many wireless interface settings are able to be grouped together into named groups ('profiles')
that simplifies the reuse of configuration - for example, common configuration settings can be
configured in a 'configuration profile' and multiple interfaces can then refer to that profile. At the
same time any profile setting can be overridden directly in an interface configuration for
maximum flexibility.
Currently there are the following setting groups:
 channel - channel related settings, such as frequency and width

 datapath - data forwarding related settings, such as bridge to which particular interface
should be automatically added as port
 security - security related settings, such as allowed authentication types or passphrase
 configuration - main wireless settings group, includes settings such as SSID, and
additionally binds together other setting groups - that is, configuration profile can refer to
channel, security, etc. named setting groups. Additionally any setting can be overridden
directly in configuration profile.
Interface settings bind together all setting groups, but additionally any setting can be
overridden directly in interface settings.
By means of setting groups, configuration is organized in hierarchical structure with interface
(actual user of configuration) as the root. In order to figure out the effective value of some
setting this structure is consulted in a fashion where a higher level setting value overrides a
lower level value.
For example, when WPA2 passphrase to be used by a particular interface needs to be found,
the following places are consulted and the first place with WPA2 passphrase configured
specifies effective passphrase. "->" denotes referring to setting profile (if configured):
 interface passphrase
 interface->security passphrase
 interface->configuration passphrase
 interface->configuration->security passphrase
There are 2 types of interfaces on CAPsMAN - "master" and "slave". The master interface
holds the configuration for an actual wireless interface (radio), while a slave interface links to
the master interface and is intended to hold the configuration for a Virtual-AP (multiple SSID
support). There are settings that are meaningful only for master interface, i.e. mainly hardware
setup related settings such as radio channel settings. Note that in order for a radio to accept
clients, it's master interface needs to be enabled. Slave interfaces will become operational only
if enabled and the master interface is enabled.
Interfaces on CAPsMAN can be static or dynamic. Static interfaces are stored in RouterOS
configuration and will persist across reboots. Dynamic interfaces exist only while a particular
CAP is connected to CAPsMAN.
CAPsMAN Global Configuration

Settings to enable CAPsMAN functionality are found in /caps-man manager menu:
Property
enabled (yes | no; Default: no) Disable or enable CAPsM
certificate (auto | certificate name | none; Default: none) Device certificate
ca-certificate (auto | certificate name | none; Default: none) Device CA certificate
require-peer-certificate (yes | no; Default: no) Require all connecting CA
package-path (string |; Default: ) Folder location for the Rou
set, CAPsMAN can use bu
upgraded.
upgrade-policy (none | require-same-version | suggest-same-upgrade; Default: none) Upgrade policy options
 none - do not perform

 require-same-version
provision is still possi
 suggest-same-version
Radio Provisioning
CAPsMAN distinguishes between CAPs based on an identifier. The identifier is generated
based on the following rules:
 if CAP provided a certificate, identifier is set to the Common Name field in the certificate
 otherwise identifier is based on Base-MAC provided by CAP in the form:
'[XX:XX:XX:XX:XX:XX]'.
When the DTLS connection with CAP is successfully established (which means that CAP
identifier is known and valid), CAPsMAN makes sure there is no stale connection with CAP
using the same identifier. Currently connected CAPs are listed in /caps-man remote-
cap menu:
[admin@CM] /caps-man> remote-cap print

# ADDRESS IDENT STATE
RADIOS
0 00:0C:42:00:C0:32/27044 MT-000C4200C032 Run
1
CAPsMAN distinguishes between actual wireless interfaces (radios) based on their builtin MAC
address (radio-mac). This implies that it is impossible to manage two radios with the same
MAC address on one CAPsMAN. Radios currently managed by CAPsMAN (provided by
connected CAPs) are listed in /caps-man radio menu:
[admin@CM] /caps-man> radio print

Flags: L - local, P - provisioned
# RADIO-MAC INTERFACE REMOTE-
AP-IDENT
0 P 00:03:7F:48:CC:07 cap1 MT-
000C4200C032
When CAP connects, CAPsMAN at first tries to bind each CAP radio to CAPsMAN master
interface based on radio-mac. If an appropriate interface is found, radio gets set up using
master interface configuration and configuration of slave interfaces that refer to particular
master interface. At this moment interfaces (both master and slaves) are considered bound to
radio and radio is considered provisioned.
If no matching master interface for radio is found, CAPsMAN executes 'provisioning rules'.
Provisioning rules is an ordered list of rules that contain settings that specify which radio to
match and settings that specify what action to take if a radio matches.
Provisioning rules for matching radios are configured in /caps-man provisioning menu:
Property
action (create-disabled | create-enabled | create-dynamic-enabled | none; Default: none) Action to take if rule matc
 create-disabled - crea
operational until the in
 create-enabled - crea
 create-dynamic-enab
operational;
 none - do nothing, lea
comment (string; Default: ) Short description of the Pr
common-name-regexp (string; Default: ) Regular expression to mat
hw-supported-modes (a|a-turbo|ac|an|b|g|g-turbo|gn; Default: ) Match radios by supported
identity-regexp (string; Default: ) Regular expression to mat
ip-address-ranges (IpAddressRange[,IpAddressRanges] max 100x; Default: "") Match CAPs with IPs with
master-configuration (string; Default: ) If action specifies to creat
name-format (cap | identity | prefix | prefix-identity; Default: cap) specify the syntax of the C
 cap - default name

 identity - CAP boards
 prefix - name from the
 prefix-identity - name
name-prefix (string; Default: ) name prefix which can be
radio-mac (MAC address; Default: 00:00:00:00:00:00) MAC address of radio to b
slave-configurations (string; Default: ) If action specifies to creat
Note: If no rule matches radio, then implicit default rule with action create-enabled and no
configurations set is executed.
To get the active provisioning matchers:
[admin@CM] /caps-man provisioning> print

Flags: X - disabled
0 radio-mac=00:00:00:00:00:00 action=create-enabled master-
configuration=main-cfg
slave-configurations=virtual-ap-cfg name-prefix=""
For user's convenience there are commands that allow the re-execution of the provisioning
process for some radio or all radios provided by some AP:
[admin@CM] > caps-man radio provision 0
and
[admin@CM] > caps-man remote-cap provision 0
Interface Configuration
CAPsMAN interfaces are managed in /caps-man interface menu:
[admin@CM] > /caps-man interface print

Flags: M - master, D - dynamic, B - bound, X - disabled, I - inactive,
R - running
# NAME RADIO-MAC MASTER-
INTERFACE
0 M BR cap2 00:0C:42:1B:4E:F5 none
1 B cap3 00:00:00:00:00:00 cap2
Master Configuration Profiles

Configuration profiles permit pre-defined 'top level' master settings to be applied to CAP radios
being provisioned.
Configuration Profiles are configured in /caps-man configuration menu:

Property
channel (list; Default: ) User defined list taken from
channel.band (2ghz-b | 2ghz-b/g | 2ghz-b/g/n | 2ghz-onlyg | 2ghz-onlyn | 5ghz-a | 5ghz-a/n | Define operational radio fr
5ghz-onlyn; Default: )
channel.extension-channel (Ce | Ceee | eC | eCee | eeCe | eeeC | disabled; Default: ) Extension channel configu
channel.frequency (integer [0..4294967295]; Default: ) Channel frequency value i
least occupied.
channel.tx-power (integer [-30..40]; Default: ) Set TX Power for Card (in
channel.width (; Default: ) Sets Channel Width in MH
comment (string; Default: ) Short description of the Co
country (name of the country | no_country_set; Default: no_country_set) Limits available bands, fre
Value no_country_set is an
datapath (list; Default: ) User defined list taken from
datapath.bridge (list; Default: ) Bridge to which particular
datapath.bridge-cost (integer [0..4294967295]; Default: ) bridge port cost to use whe
datapath.bridge-horizon (integer [0..4294967295]; Default: ) bridge horizon to use when
datapath.client-to-client-forwarding (yes | no; Default: no) controls if client-to-client
function is performed by C
datapath.local-forwarding (yes | no; Default: no) controls forwarding mode
datapath.openflow-switch (; Default: ) OpenFlow switch port (wh
datapath.vlan-id (integer [1..4095]; Default: ) VLAN ID to assign to inte
datapath.vlan-mode (use-service-tag | use-tag; Default: ) Enables and specifies type
interface to only send out d
guard-interval (any | long; Default: any) Whether to allow use of sh
short or long, depending o
hide-ssid (yes | no; Default: ) .
 yes - AP does not incl

 no - AP includes SSID
This property has effect on
client software. Changing
AP.
load-balancing-group (string; Default: ) Interface belonging to the
interfaces from the same g
max-sta-count (integer [1..2007]; Default: ) Maximum number of asso
mode (; Default: ap) Set operational mode. Onl
multicast-helper (default | disabled | full; Default: default) When set to full multicast
option should be enabled o
 disabled - disables the

 full - all multicast pac
 default - default choic
name (string; Default: ) Descriptive name for the C
rx-chains (list of integer [0..2]; Default: 0) Which antennas to use for
security (string; Default: none) Name of security configur
security.authentication-types (list of string; Default: none) Specify the type of Authen
security.eap-methods (eap-tls | passthrough; Default: none) .
 eap-tls - Use built-in E

 passthrough - Access
security.encryption (aes-ccm | tkip; Default: ) Set type of unicast encrypt
security.group-encryption (aes-ccm | tkip; Default: ) Set type of group encryptio
security.passphrase (string; Default: ) WPA or WPA2 pre-shared
ssid (string (0..32 chars); Default: ) SSID (service set identifie
tx-chains (list of integer [0..2]; Default: 0) Which antennas to use for
Channel Groups
Channel group settings allows for the configuration of lists of radio channel related settings,
such as radio band, frequency, Tx Power extension channel and width.
Channel group settings are configured in the Channels profile menu /caps-man channels
Property
band (2ghz-b | 2ghz-b/g | 2ghz-b/g/n | 2ghz-onlyg | 2ghz-onlyn | 5ghz-a | 5ghz-a/n | 5ghz- Define operational radio fr
onlyn; Default: )
comment (string; Default: ) Short description of the Ch
extension-channel (Ce | Ceee | eC | eCee | eeCe | eeeC | disabled; Default: ) Extension channel configu
frequency (integer [0..4294967295]; Default: ) Channel frequency value i
name (string; Default: ) Descriptive name for the C
tx-power (integer [-30..40]; Default: ) Set TX Power for Card (in
width (; Default: ) Sets Channel Width in MH
save-selected (; Default: yes) Saves selected channel for
optimize is done for this C
Datapath Configuration
Datapath settings control data forwarding related aspects. On CAPsMAN datapath settings are
configured in datapath profile menu /caps-man datapath or directly in a configuration profile or
interface menu as settings with datapath. prefix.
There are 2 major forwarding modes:
 local forwarding mode, where CAP is locally forwarding data to and from wireless interface
 manager forwarding mode, where CAP sends to CAPsMAN all data received over wireless
and only sends out the wireless data received from CAPsMAN. In this mode even client-to-
client forwarding is controlled and performed by CAPsMAN.
Forwarding mode is configured on a per-interface basis - so if one CAP provides 2 radio
interfaces, one can be configured to operate in local forwarding mode and the other in
manager forwarding mode. The same applies to Virtual-AP interfaces - each can have different
forwarding mode from master interface or other Virtual-AP interfaces.
Most of the datapath settings are used only when in manager forwarding mode, because in
local forwarding mode CAPsMAN does not have control over data forwarding.
There are the following datapath settings:
 bridge -- bridge interface to add interface to, as a bridge port, when enabled
 bridge-cost -- bridge port cost to use when adding as bridge port
 bridge-horizon -- bridge horizon to use when adding as bridge port
 client-to-client-forwarding -- controls if client-to-client forwarding between wireless clients
connected to interface should be allowed, in local forwarding mode this function is
performed by CAP, otherwise it is performed by CAPsMAN.
 local-forwarding -- controls forwarding mode
 openflow-switch -- OpenFlow switch to add interface to, as port when enabled
 vlan-id -- VLAN ID to assign to interface if vlan-mode enables use of VLAN tagging
 vlan-mode -- VLAN tagging mode specifies if VLAN tag should be assigned to interface
(causes all received data to get tagged with VLAN tag and allows interface to only send out
data tagged with given tag)
Local Forwarding Mode

In this mode wireless interface on CAP behaves as a normal interface and takes part in normal
data forwarding. Wireless interface will accept/pass data to networking stack on CAP.
CAPsMAN will not participate in data forwarding and will not process any of data frames, it will
only control interface configuration and client association process.
Wireless interface on CAP will change its configuration to 'enabled' and its state and some
relevant parameters (e.g. mac-address, arp, mtu) will reflect that of the interface on CAPsMAN.
Note that wireless related configuration will not reflect actual interface configuration as applied
by CAPsMAN:
[admin@CAP] /interface wireless> pr

Flags: X - disabled, R - running
0 R ;;; managed by CAPsMAN
;;; channel: 5180/20-Ceee/ac, SSID: master, local forwarding
name="wlan2" mtu=1500 mac-address=00:03:7F:48:CC:07 arp=enabled
interface-type=Atheros AR9888 mode=ap-bridge ssid="merlin"
frequency=5240 band=5ghz-a/n channel-width=20/40mhz-eC scan-
list=default
...
Virtual-AP interfaces in local forwarding mode will appear as enabled and dynamic Virtual-AP
interfaces:
[admin@CAP] /interface> pr
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU MAX-
L2MTU
...
2 RS ;;; managed by CAPsMAN
;;; channel: 5180/20-Ceee/ac, SSID: master, local forwarding
wlan2 wlan 1500 1600
3 DRS ;;; managed by CAPsMAN
;;; SSID: slave, local forwarding
wlan6 wlan 1500 1600
...
[admin@CAP] /interface> wireless pr
...
2 R ;;; managed by CAPsMAN
;;; SSID: slave, local forwarding
name="wlan6" mtu=1500 mac-address=00:00:00:00:00:00 arp=enabled
interface-type=virtual-AP master-interface=wlan2
The fact that Virtual-AP interfaces are added as dynamic, somewhat limits static configuration
possibilities on CAP for data forwarding, such as assigning addresses to Virtual-AP interface.
This does not apply to master wireless interface.
To overcome this it is possible to use the static-virtual setting on the CAP which will create
Static Virtual Interfaces instead of Dynamic and allows the possibility to assign IP configuration
to those interfaces. MAC address is used to remember each static-interface when applying the
configuration from the CAPsMAN. If two or more static interfaces will have the same MAC
address the configuration could be applied in random order.
To facilitate data forwarding configuration, CAP can be configured with bridge to which
interfaces are automatically added as ports when interfaces are enabled by CAPsMAN. This
can be done in /interface wireless capmenu.
Manager Forwarding Mode

In this mode CAP sends all data received over wireless to CAPsMAN and only sends out over
wireless, data received from CAPsMAN. CAPsMAN has full control over data forwarding
including client-to-client forwarding. Wireless interface on CAP is disabled and does not
participate in networking:
...
1 X ;;; managed by CAPsMAN
;;; channel: 5180/20-Ceee/ac, SSID: master, manager forwarding
name="wlan2" mtu=1500 mac-address=00:03:7F:48:CC:07 arp=enabled
interface-type=Atheros AR9888 mode=ap-bridge ssid="merlin"
...
Virtual-AP interfaces are also created as 'disabled' and do not take part in data forwarding on
CAP.
Access List
Access list on CAPsMAN is an ordered list of rules that is used to allow/deny clients to connect
to any CAP under CAPsMAN control. When client attempts to connect to a CAP that is
controlled by CAPsMAN, CAP forwards that request to CAPsMAN. As a part of registration
process, CAPsMAN consults access list to determine if client should be allowed to connect.
The default behaviour of the access list is to allow connection.
Access list rules are processed one by one until matching rule is found. Then the action in the
matching rule is executed. If action specifies that client should be accepted, client is accepted,
potentially overriding it's default connection parameters with ones specified in access list rule.
Access list is configured in /caps-man access-list menu. There are the following parameters
for access list rules:
 client matching parameters:

 address - MAC address of client
 mask - MAC address mask to apply when comparing client address
 interface - optional interface to compare with interface to which client actually connects
to
 time - time of day and days when rule matches
 signal-range - range in which client signal must fit for rule to match
 action parameter - specifies action to take when client matches:
 accept - accept client
 reject - reject client
 query-radius - query RADIUS server if particular client is allowed to connect
 connection parameters:
 ap-tx-limit - tx speed limit in direction to client
 client-tx-limit - tx speed limit in direction to AP (applies to RouterOS clients only)
 client-to-client-forwarding - specifies whether to allow forwarding data received from
this client to other clients connected to the same interface
 private-passphrase - PSK passphrase to use for this client if some PSK authentication
algorithm is used
 radius-accounting - specifies if RADIUS traffic accounting should be used if RADIUS
authentication gets done for this client
 vlan-mode - VLAN tagging mode specifies if traffic coming from client should get
tagged (and untagged when going to client).
 vlan-id - VLAN ID to use if doing VLAN tagging.
Registration Table
Registration table contains a list of clients that are connected to radios controlled by CAPsMAN
and is available in /caps-man registration-table menu:
[admin@CM] /caps-man> registration-table print
# INTERFACE MAC-ADDRESS UPTIME
RX-SIGNAL
0 cap1 00:03:7F:48:CC:0B 1h38m9s210ms
-36
Examples
Basic configuration with master and slave interface
Create security profile for WPA2 PSK, without specifying passphrase:
[admin@CM] /caps-man security>add name="wpa2psk" authentication-

types=wpa2-psk encryption=aes-ccm
Create configuration profile to be used by master interface
 specify WPA2 passphrase in configuration

 specify channel settings in configuration:
[admin@CM] /caps-man configuration> add name=master-cfg ssid=master

security=wpa2psk
security.passphrase=12345678 channel.frequency=5180 channel.width=20
channel.band=5ghz-a
Create configuration profile to be used by virtual AP interface
 specify different WPA2 passphrase in configuration:
[admin@CM] /caps-man configuration> add name=slave-cfg ssid=slave

security=wpa2psk
security.passphrase=87654321
Create provisioning rule that matches any radio and creates dynamic interfaces using master-
cfg and slave-cfg:
[admin@CM] /caps-man provisioning> add action=create-dynamic-enabled

master-configuration=master-cfg
slave-configurations=slave-cfg
Now when AP connects and is provisioned 2 dynamic interfaces (one master and one slave)
will get created:
[admin@CM] /caps-man interface> print detail
R - running
0 MDB name="cap1" mtu=1500 l2mtu=2300 radio-mac=00:0C:42:1B:4E:F5
master-interface=none
configuration=master-cfg
1 DB name="cap2" mtu=1500 l2mtu=2300 radio-mac=00:00:00:00:00:00

master-interface=cap1
configuration=slave-cfg
Consider an AP, that does not support configured frequency connects and can not become
operational:
[admin@CM] /caps-man interface> pr

R - running
# NAME RADIO-MAC MASTER-
INTERFACE
0 MDB ;;; unsupported band or channel
cap3 00:0C:42:1B:4E:FF none
...
We can override channel settings for this particular radio in interface settings, without affecting
master-cfg profile:
[admin@CM] /caps-man interface> set cap3 channel.frequency=2142

channel.band=2ghz-b/g
Allow Specific MAC address range to match the Access-list, for example, match all the Apple
devices:
[admin@CM] /caps-man access-list> add mac-address=18:34:51:00:00:00

mac-address-mask=FF:FF:FF:FF:00:00:00 action=accept
Configuring DHCP Server Option 138 for setting the CAPsMAN address on the CAP boards
[admin@CM] /ip dhcp-server network set <network-id> caps-

manager=<capsman-server-ip>
DHCP client this CAPsMAN IP will see in "/ip dhcp-client print detail"
Configuration with certificates
You would want to configure certificates in your CAPsMAN to use options as Require Peer
Certificate and Lock To Caps Man. These options increase security and in some cases stability
of your CAPsMAN network. CAPs won't connect to CAPsMAN without a specific certificate and
vice versa.
Fast and easy configuration
This is a basic configuration for using certificates in your CAPsMAN setup. This example
assumes that you already have basic configuration on your CAPsMAN and CAP. It is best to
use this configuration in CAPsMAN networks which are not constantly growing. For more
details read about CAP to CAPsMAN Connection.
CAPsMAN device:
In CAPsMAN Manager menu set Certificate and CA Certificate to auto:
/caps-man manager
set ca-certificate=auto certificate=auto
Print output:
[admin@CAPsMAN] /caps-man manager print

enabled: yes
certificate: auto
ca-certificate: auto
package-path:
upgrade-policy: none
require-peer-certificate: no
generated-certificate: CAPsMAN-D4CA6D987C26
generated-ca-certificate: CAPsMAN-CA-D4CA6D987C26
CAPsMAN device first will generate CA-Certificate and then it will generate Certificate which
depends on CA-Certificate.
CAP device:
Set in CAP configuration to request certificate:
/interface wireless cap

set certificate=request
CAP will connect to CAPsMAN and request certificate. CAP will receive CA-Certificate form
CAPsMAN and another certificate will be created for use on CAP.
In Result
On CAP device in CAP menu Requested Certificate is set:
[admin@CAP] /interface wireless cap print
enabled: yes
interfaces: wlan1
certificate: request
lock-to-caps-man: no
discovery-interfaces: ether1
caps-man-addresses:
caps-man-names:
caps-man-certificate-common-names:
bridge: none
static-virtual: no
--> requested-certificate: CAP-D4CA6D7F45BA <--
Also, two certificates are gained and are seen in Certificate menu:
[admin@CAP] > /certificate print

Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A -
authority, I - issued, R - revoked, E - expired, T - trusted
# NAME COMMON-NAME SUBJECT-ALT-NAME
FINGERPRINT
0 A T _0 CAPsMAN-CA-D4CA6D987C26
383e63d7b...
1 K CAP-D4CA6D7F45BA CAP-D4CA6D7F45BA
d495d1a94...
On CAPsMAN device in Certificate menu three certificates are created. CAPsMAN and
CAPsMAN-CA certificates, as well as a certificate which is issued to CAP:
[admin@CAPsMAN] > /certificate print

authority, I - issued, R - revoked, E - expired, T - trusted
# NAME COMMON-NAME SUBJECT-
ALT-NAME FINGERPRINT
0 K A T CAPsMAN-CA-D4CA6D987C26 CAPsMAN-CA-D4CA6D987C26
383e63d7b...
1 K I CAPsMAN-D4CA6D987C26 CAPsMAN-D4CA6D987C26
02b0f7ff4...
2 I issued_1 CAP-D4CA6D7F45BA
d495d1a94...
Additionally
If you want to allow only CAPs with a valid certificate to connect to this CAPsMAN you can
set Require Peer Certificate to yes on CAPsMAN device:
/caps-man manager
set require-peer-certificate=yes
However, when you will want to add new CAP devices to your CAPsMAN network you will
have to set this option to no and then back to yes after CAP has gained certificates. Every time
you change this option CAPsMAN will drop all dynamic interfaces and CAPs will try to connect
again.
If you want to lock CAP to specific CAPsMAN and be sure it won't connect to other CAPsMANs
you should set option Lock To CAPsMAN to yes. Additionally, you can specify CAPsMAN to
lock to by setting CAPsMAN Certificate Common Names on CAP device:

set lock-to-caps-man=yes
set caps-man-certificate-common-names=CAPsMAN-D4CA6D987C26
Manual certificates and issuing with SCEP

With this example, you can create your own certificates for CAPsMAN and take control over
issuing certificates to CAPs. This configuration can be useful in big, growing CAPsMAN
networks. Many segments of this example can be done differently depending on your situation
and needs. At this point, some knowledge about Certificates and their application can be
useful.
CAPsMAN device:
In Certificate menu add certificate templates for CA certificate and CAPsMAN server certificate:
/certificate
add name=CA-temp common-name=CA
add name=CAPsMAN-temp common-name=CAPsMAN
Now Sign the certifiace templates. First Sign the CA certificate and use CAPsMAN device IP
as CA CRL Host:
/certificate
sign CA-temp ca-crl-host=10.5.138.157 name=CA
sign CAPsMAN-temp ca=CA name=CAPsMAN
Alternatively, previous two steps can be done with auto setting in Certificate and CA-
Certificate option in CAPsMAN Manager menu, see the Fast and easy configuration.
Export CA certificate. You will have to Import it on CAP device. You can use Download ->
Drag&Drop to CAP device, in this example fetch command is used later from CAP device.
Using long passphrase is advisable - longer passphrase will take longer to crack if it gets into
the wrong hands:
/certificate
export-certificate CA export-passphrase=thelongerthebetterpassphrase
Create SCEP server which will be used to issue and grant certificates to CAP devices:
/certificate scep-server
add ca-cert=CA path=/scep/CAPsMAN
Set certificates in CAPsMAN Manager menu and set Require Peer Certificate to yes:
/caps-man manager
set ca-certificate=CA certificate=CAPsMAN
set require-peer-certificate=yes
At this point, only CAPs with a valid certificate will be able to connect.
CAP device
Download export of CA certificate from CAPsMAN device to CAP device. In this
example fetch is used, however, there are multiple other ways:
/tool fetch address=10.5.138.157 src-path=cert_export_CA.crt user=admin

password="123" mode=ftp
Import CA certificate from CAPsMAN device in Certificate menu:
/certificate> import file-name=cert_export_CA.crt

passphrase=thelongerthebetterpassphrase
Add certificate template for CAP:
/certificate
add name=CAP1 common-name=CAP1
Ask CAPsMAN device to grant this certificate with a key using SCEP:
/certificate
add-scep template=CAP1 scep-url="http://10.5.138.157/scep/CAPsMAN"
You will have to return to CAPsMAN device to grant key to this certificate.
In CAP menu set just created certificate:

set certificate=CAP1
CAPsMAN device:
Return to CAPsMAN device to grant a key to CAP certificate in Certificate Request menu:
/certificate scep-server requests

grant numbers=0
In Result
Now CAP should be able to connect to CAPsMAN, see in CAPsMAN interfaces if it connects.
In CAPsMAN device Certificate menu three certificates can be seen: CA, CAPsMAN, and the
one which is issued to CAP:
[admin@CAPsMAN] /certificate print

authority, I - issued, R - revoked,
E - expired, T - trusted
FINGERPRINT
0 K L A T CA CA
752775b457a37...
1 K A CAPsMAN CAPsMAN
12911ba445b3b...
2 I issued_1 CAP1
5b9a52b6ce3fb...
In CAP devices Certificate menu two acquired certificates can be seen:
[admin@CAP1] /interface wireless> /certificate print

authority, I - issued, R - revoked,
E - expired, T - trusted
FINGERPRINT
0 L A T cert_exp... CA
752775b457a37...
1 K T CAP1 CAP1
Manual:Loop Protect
Applies to RouterOS:v6.37+
Loop Protect
Loop protect feature can prevent Layer2 loops by sending loop protect protocol packets and
shutting down interfaces in case they receive loop protect packets originated from themself.
The feature works by checking source MAC address of received loop protect packet against
MAC addresses of loop protect enabled interfaces. If the match is found, loop protect disables
the interface which received the loop protect packet. Log message warns about this event and
interface is marked with a loop protect comment by system. RouterOS loop protect feature can
be used on bridged interfaces as well as on ethernet interfaces which are set for switching in
RouterBoard switch chips.
Loop protect works on ethernet, vlan, eoip and eoipv6 interfaces. It supports adjusting loop
protect packet sending interval and interface disable time. Configuration changes or expiration
of disable time resets loop protection on interface.
Sub-menu: /interface ethernet /interface vlan /interface eoip /interface

eoipv6
Properties
Property
loop-protect (on | off | default; Default: default) Enables or disables loop p
loop-protect-send-interval (time interval; Default: 5s) Sets how often loop protec
loop-protect-disable-time (time interval | 0; Default: 5m) Sets how long selected int
Read-only properties
Property
loop-protect-status (on | off | disable)  on - loop-protect feat
 off - loop-protect fea
 disable - loop-prot
Manual:Interface/VLAN
< Manual:Interface
Contents
[hide]
 1Summary
 2802.1Q
 3Q-in-Q
 4Properties
 5Setup examples
o 5.1Layer2 VLAN examples
 5.1.1Port based VLAN tagging #1 (Trunk and Access ports)
 5.1.2Port based VLAN tagging #2 (Trunk and Hybrid ports)
 5.2.1Simple VLAN routing
 5.2.2InterVLAN routing
o 5.3RouterOS /32 and IP unnumbered addresses
Summary
Sub-menu: /interface vlan
Standards: IEEE 802.1Q
Virtual Local Area Network (VLAN) is a Layer 2 method that allows multiple Virtual LANs on a
single physical interface (ethernet, wireless, etc.), giving the ability to segregate LANs
efficiently.
You can use MikroTik RouterOS (as well as Cisco IOS, Linux and other router systems) to
mark these packets as well as to accept and route marked ones.
As VLAN works on OSI Layer 2, it can be used just as any other network interface without any
restrictions. VLAN successfully passes through regular Ethernet bridges.
You can also transport VLANs over wireless links and put multiple VLAN interfaces on a single
wireless interface. Note that as VLAN is not a full tunnel protocol (i.e., it does not have
additional fields to transport MAC addresses of sender and recipient), the same limitation
applies to bridging over VLAN as to bridging plain wireless interfaces. In other words, while
wireless clients may participate in VLANs put on wireless interfaces, it is not possible to have
VLAN put on a wireless interface in station mode bridged with any other interface.
802.1Q
The most commonly used protocol for Virtual LANs (VLANs) is IEEE 802.1Q. It is a
standardized encapsulation protocol that defines how to insert a four-byte VLAN identifier into
Ethernet header. (see Figure 12.1.)
Each VLAN is treated as a separate subnet. It means that by default, a host in a specific VLAN
cannot communicate with a host that is a member of another VLAN, although they are
connected in the same switch. So if you want inter-VLAN communication you need a router.
RouterOS supports up to 4095 VLAN interfaces, each with a unique VLAN ID, per interface.
VLAN priorities may also be used and manipulated.
When the VLAN extends over more than one switch, the inter-switch link has to become a
'trunk', where packets are tagged to indicate which VLAN they belong to. A trunk carries the
traffic of multiple VLANs; it is like a point-to-point link that carries tagged packets between
switches or between a switch and router.
Note: The IEEE 802.1Q standard has reserved VLAN IDs with special use cases, the following
VLAN IDs should not be used in generic VLAN setups: 0, 1, 4095
Q-in-Q
Original 802.1Q allows only one vlan header, Q-in-Q on the other hand allows two or more vlan
headers. In RouterOS Q-in-Q can be configured by adding one vlan interface over another.
Example:
/interface vlan
add name=vlan1 vlan-id=11 interface=ether1
add name=vlan2 vlan-id=12 interface=vlan1
If any packet is sent over 'vlan2' interface, two vlan tags will be added to ethernet header - '11'
and '12'.
Properties
Property
arp (disabled | enabled | proxy-arp | reply-only; Default: enabled) Address Resolution Protoc
interface (name; Default: ) Name of physical interface
l2mtu (integer; Default: ) Layer2 MTU. For VLANS th
mtu (integer; Default: 1500) Layer3 Maximum transmis
name (string; Default: ) Interface name
use-service-tag (yes | no; Default: ) 802.1ad compatible Servic
vlan-id (integer: 4095; Default: 1) Virtual LAN identifier or ta
Note: MTU should be set to 1500 bytes same as on Ethernet interfaces. But this may not work
with some Ethernet cards that do not support receiving/transmitting of full size Ethernet
packets with VLAN header added (1500 bytes data + 4 bytes VLAN header + 14 bytes
Ethernet header). In this situation MTU 1496 can be used, but note that this will cause packet
fragmentation if larger packets have to be sent over interface. At the same time remember that
MTU 1496 may cause problems if path MTU discovery is not working properly between source
and destination.
Setup examples
VLANs on Mikrotik environment are also described here: VLANs with bridging
Layer2 VLAN examples
Warning: These configurations are known to cause issues with other vendor devices,
especially in STP enabled network, you should use bridge VLAN filtering instead in case you
are using RouterOS v6.41 or newer. You can read more about this Here.
Port based VLAN tagging #1 (Trunk and Access ports)
Port Based VLAN #1
 Add necessary VLAN interfaces on ethernet interface to make it as a VLAN trunk port
/interface vlan
add interface=ether2 name=eth2-vlan200 vlan-id=200
 Add bridges for each VLAN
/interface bridge
add name=bridge-vlan200
 Add VLAN interfaces to their corresponding bridges and ethernet interfaces where
untagged traffic is necessary
/interface bridge port

add bridge=bridge-vlan200 interface=eth2-vlan200
add bridge=bridge-vlan200 interface=ether6


Port based VLAN tagging #2 (Trunk and Hybrid ports)
Port Based VLAN #2
 Add necessary VLAN interfaces on ethernet interfaces to make them as VLAN trunk ports
/interface vlan


/interface bridge




Simple VLAN routing
Lets assume that we have several MikroTik routers connected to a hub. Remember that a hub
is an OSI physical layer device (if there is a hub between routers, then from L3 point of view it
is the same as an Ethernet cable connection between them). For simplification assume that all
routers are connected to the hub using ether1 interface and has assigned IP addresses as
illustrated in figure below. Then on each of them the VLAN interface is
created.
Configuration for R2 and R4 is shown below:

R2:
[admin@MikroTik] /interface vlan> add name=VLAN2 vlan-id=2

interface=ether1 disabled=no
[admin@MikroTik] /interface vlan> print

# NAME MTU ARP VLAN-ID INTERFACE
0 R VLAN2 1500 enabled 2 ether1
R4:


The next step is to assign IP addresses to the VLAN interfaces.
R2:
[admin@MikroTik] ip address> add address=10.10.10.3/24 interface=VLAN2

[admin@MikroTik] ip address> print
0 10.0.1.4/24 10.0.1.0 10.0.1.255 ether1
1 10.20.0.1/24 10.20.0.0 10.20.0.255 pc1
2 10.10.10.3/24 10.10.10.0 10.10.10.255 vlan2
R4:
[admin@MikroTik] ip address> add address=10.10.10.5/24 interface=VLAN2

0 10.0.1.5/24 10.0.1.0 10.0.1.255 ether1
1 10.30.0.1/24 10.30.0.0 10.30.0.255 pc2
2 10.10.10.5/24 10.10.10.0 10.10.10.255 vlan2
At this point it should be possible to ping router R4 from router R2 and vice versa:
"Ping from R2 to R4:"
[admin@MikroTik] ip address> /ping 10.10.10.5

"From R4 to R2:"

To make sure if VLAN setup is working properly, try to ping R1 from R2. If pings are timing out
then VLANs are successfully isolated.
"From R2 to R1:"

InterVLAN routing
If separate VLANs are implemented on a switch, then a router is required to provide
communication between VLANs. Switch works at OSI layer 2 so it uses only Ethernet header
to forward and does not check IP header. For this reason we must use the router that is
working as a gateway for each VLAN. Without a router, a host is unable to communicate
outside of its own VLAN. Routing process between VLANs described above is called inter-
VLAN communication.
To illustrate inter-VLAN communication, we will create a trunk that will carry traffic from three
VLANs (VLAN2 and VLAN3, VLAN4) across a single link between a Mikrotik router and a
manageable switch that supports VLAN
trunking.
Each VLAN has its own separate subnet (broadcast domain) as we see in figure above:
 VLAN 2 – 10.10.20.0/24;
 VLAN 3 – 10.10.30.0/24;
 VLAN 4 – 10.10.40.0./24.
VLAN configuration on most switches is straightforward, basically we need to define which
ports are members of the VLANs and define a 'trunk' port that can carry tagged frames
between the switch and the router.
"Configuration example on MikroTik router:"
"Create VLAN interfaces:"
/interface vlan
add name=VLAN2 vlan-id=2 interface=ether1 disabled=no
"Add IP addresses to VLANs:"
/ip address
add address=10.10.20.1/24 interface=VLAN2
RouterOS /32 and IP unnumbered addresses
In RouterOS, to create a point-to-point tunnel with addresses you have to use address with a
network mask of '/32' that effectively brings you the same features as some vendors
unnumbered IP address.
There are 2 routers RouterA and RouterB where each is part of networks 10.22.0.0/24 and
10.23.0.0/24 respectively and to connect these routers using VLANs as a carrier with the
following configuration:
RouterA:
/ip address add address=10.22.0.1/24 interface=ether1

/interface vlan add interface=ether2 vlan-id=1 name=vlan1
/ip address add address=10.22.0.1/32 interface=vlan1 network=10.23.0.1
/ip route add gateway=10.23.0.1 dst-address=10.23.0.0/24
RouterB:

/ip address add address=10.23.0.1/32 interface=vlan1 network=10.22.0.1
Manual:Interface/Bridge
< Manual:Interface

Contents
[hide]
 1Summary
 2Bridge Interface Setup
o 2.1Properties
o 2.2Example
 3Spanning Tree Protocol
 4Bridge Settings
 5Port Settings
o 5.1Example
 6Interface lists
 7Hosts Table
o 7.1Monitoring
o 7.2Static entries
 8Bridge Monitoring
o 8.1Example
 9Bridge Port Monitoring
o 9.1Example
 10Bridge VLAN Filtering
o 10.1VLAN Example #1 (Trunk and Access Ports)
o 10.2VLAN Example #2 (Trunk and Hybrid Ports)
o 10.3VLAN Example #3 (InterVLAN Routing by Bridge)
o 10.4Management port
o 10.5VLAN Tunneling (Q-in-Q)
 11IGMP Snooping
 12Bridge Firewall
o 12.1Properties
 12.1.1Notes
o 12.2Bridge Packet Filter
 12.2.1Properties
o 12.3Bridge NAT
 12.3.1Properties
Summary
Sub-menu: /interface bridge
Standards: IEEE802.1D
Ethernet-like networks (Ethernet, Ethernet over IP, IEEE802.11 in ap-bridge or bridge mode,
WDS, VLAN) can be connected together using MAC bridges. The bridge feature allows the
interconnection of hosts connected to separate LANs (using EoIP, geographically distributed
networks can be bridged as well if any kind of IP network interconnection exists between them)
as if they were attached to a single LAN. As bridges are transparent, they do not appear in
traceroute list, and no utility can make a distinction between a host working in one LAN and a
host working in another LAN if these LANs are bridged (depending on the way the LANs are
interconnected, latency and data rate between hosts may vary).
Network loops may emerge (intentionally or not) in complex topologies. Without any special
treatment, loops would prevent network from functioning normally, as they would lead to
avalanche-like packet multiplication. Each bridge runs an algorithm which calculates how the
loop can be prevented. STP and RSTP allows bridges to communicate with each other, so they
can negotiate a loop free topology. All other alternative connections that would otherwise form
loops, are put to standby, so that should the main connection fail, another connection could
take its place. This algorithm exchanges configuration messages (BPDU - Bridge Protocol
Data Unit) periodically, so that all bridges are updated with the newest information about
changes in network topology. (R)STP selects a root bridge which is responsible for network
reconfiguration, such as blocking and opening ports on other bridges. The root bridge is the
bridge with the lowest bridge ID.
Bridge Interface Setup

To combine a number of networks into one bridge, a bridge interface should be created (later,
all the desired interfaces should be set up as its ports). One MAC address will be assigned to
all the bridged interfaces (the MAC address of first bridge port which comes up will be chosen
automatically).
Properties
Property
admin-mac (MAC address; Default: none) Static MAC address of t
ageing-time (time; Default: 00:05:00) How long a host's inform
arp (disabled | enabled | proxy-arp | reply-only; Default: enabled) Address Resolution Pro
 disabled - the inte

 enabled - the inter
 proxy-arp - the in
 reply-only - the i
which are entered a
Therefore for comm
arp-timeout (auto | integer; Default: auto) ARP timeout is time how
value of arp-timeout in
auto-mac (yes | no; Default: yes) Automatically select one
comment (string; Default: ) Short description of the
disabled (yes | no; Default: no) Whether interface is dis
fast-forward (yes | no; Default: yes) Special and faster case
forward-delay (time; Default: 00:00:15) Time which is spent dur
listening/learning state b
frame-types (admit-all | admit-only-untagged-and-priority-tagged | admit-only-vlan- Specifies allowed ingres
tagged; Default: admit-all)
ingress-filtering (yes | no; Default: no) Enables or disables ingr
table. Should be used w
igmp-snooping (yes | no; Default: no) Enables multicast group
max-hops (integer: 6..40; Default: 20) Bridge count which BPD
max-message-age (time; Default: 00:00:20) How long to remember H
mtu (integer; Default: 1500) Maximum Transmission
name (text; Default: bridgeN) Name of the bridge inter
priority (integer: 0..65535 decimal format or 0x0000-0xffff hex format; Bridge priority, used by
Default: 32768 / 0x8000)
protocol-mode (none | rstp | stp | mstp; Default: rstp) Select Spanning tree pr
RSTP provides for faste
multiple VLANs. Since R
range, this can be done
pvid (integer: 1..4094; Default: 1) Port VLAN ID (pvid) spe
IP and destined to a brid
region-name (text; Default: ) MSTP region name.
region-revision (integer: 0..65535; Default: 0) MSTP configuration revi
transmit-hold-count (integer: 1..10; Default: 6) The Transmit Hold Coun
vlan-filtering (yes | no; Default: no) Globally enables or disa
vlan-protocol (0x9100 | 802.1Q | 802.1ad; Default: 802.1Q) Changes the bridge VLA
Example
To add and enable a bridge interface that will forward all the protocols:
[admin@MikroTik] /interface bridge> add

[admin@MikroTik] /interface bridge> print
0 R name="bridge1" mtu=1500 l2mtu=65535 arp=enabled
mac-address=00:00:00:00:00:00 protocol-mode=none
priority=0x8000
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s
forward-delay=15s transmit-hold-count=6 ageing-time=5m
[admin@MikroTik] /interface bridge>
Spanning Tree Protocol

RouterOS bridge interfaces are capable of running Spanning Tree Protocol to ensure a loop-
free and redundant topology. For small networks with just 2 bridges STP does not bring much
benefits, but for larger networks properly configured STP is very crucial, leaving STP related
values to default may result in completely unreachable network in case of a even single bridge
failure. To achieve a proper loop-free and redundant topology, it is necessary to properly set
bridge priorities, port path costs and port priorities.
Warning: In RouterOS it is possible to set any value for bridge priority between 0 and 65535,
the IEEE 802.1W standard states that the bridge priority must be in steps of 4096. This can
cause incompatibility issues between devices that does not support such values. To avoid
compatibility issues, it is recommended to use only these priorities: 0, 4096, 8192, 12288,
16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440
STP has multiple variants, currently RouterOS supports STP, RSTP and MSTP. Depending on
needs, either one of them can be used, some devices are able to run some of these protocols
using hardware offloading, detailed information about which device support it can be found in
the Hardware Offloading section. STP is considered to be outdated and slow, it has been
almost entirely replaced in all network topologies by RSTP, which is backwards compatible
with STP. For network topologies that depend on VLANs, it is recommended to use MSTP
since it is a VLAN aware protocol and gives the ability to do load balancing per VLAN groups.
There are a lot of considerations that should be made when designing a STP enabled network,
more detailed case studies can be found in the Spanning Tree Protocol section.
Note: By the IEEE 802.1ad standard the BPDUs from bridges that comply with IEEE 802.1Q
are not compatible with IEEE 802.1ad bridges, this means that the same bridge VLAN protocol
should be used across all bridges in a single Layer2 domain, otherwise (R/M)STP will not
function properly.
Bridge Settings
Sub-menu: /interface bridge settings
Property
use-ip-firewall (yes | no; Default: no) Force bridged traffic to a
not apply to routed traffi
use-ip-firewall-for-pppoe (yes | no; Default: no) Send bridged un-encryp
use-ip-firewall-for-vlan (yes | no; Default: no) Send bridged VLAN traf
allow-fast-path (yes | no; Default: yes) Allows fast path.

bridge-fast-path-active (yes | no; Default: ) Shows whether Bridge F
bridge-fast-path-packets (integer; Default: ) Shows packet count forw
bridge-fast-path-bytes (integer; Default: ) Shows byte count forwa
bridge-fast-forward-packets (integer; Default: ) Shows packet count forw
bridge-fast-forward-bytes (integer; Default: ) Shows byte count forwa
Port Settings
Sub-menu: /interface bridge port
Port submenu is used to enslave interfaces in a particular bridge interface.

Property
auto-isolate (yes | no; Default: no) Prevents STP blocking p
bridge (name; Default: none) The bridge interface the
broadcast-flood (yes | no; Default: yes) When enabled, bridge fl
Can be used to filter all
uses FF:FF:FF:FF:FF
BOOTP (Netinstall) and
edge (auto | no | no-discover | yes | yes-discover; Default: auto) Set port as edge port or
bridges attached. If the
port, the port becomes a
directly to forwarding sta
external-fdb (auto | no | yes; Default: auto) Whether to use wireless
setting external-fdb=
with learn parameter i
learn (auto | no | yes; Default: auto) Changes MAC learning
 yes - enables MAC

 no - disables MAC l
 auto - detects if bri
Wireless registration
Wireless interface is
horizon (integer 0..429496729; Default: none) Use split horizon bridgin
ports with the same hori
internal-path-cost (integer: 0..65535; Default: 10) Path cost to the interfac
interface (name; Default: none) Name of the interface.
path-cost (integer: 0..65535; Default: 10) Path cost to the interfac
point-to-point (auto | yes | no; Default: auto)
priority (integer: 0..240; Default: 128) The priority of the interfa
restricted-role (yes | no; Default: no) Enable the restricted rol
restricted-tcn (yes | no; Default: no) Disable topology change
unknown-multicast-flood (yes | no; Default: yes) When enabled, bridge fl
on egress ports. Require
bridge mdb are consid
multicast traffic will be d
CPU. Note that local mu
result some protocols th
VRRP and others. Some
implementations are com
unknown-unicast-flood (yes | no; Default: yes) When enabled, bridge fl
egress ports. If a MAC a
traffic and will not be flo
source MAC address is
bridge port to learn the M
the MAC address has b
Example
To group ether1 and ether2 in the already created bridge1 bridge
[admin@MikroTik] /interface bridge port> add bridge=bridge1

interface=ether1
[admin@MikroTik] /interface bridge port> add bridge=bridge1
interface=ether2
[admin@MikroTik] /interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST
HORIZON
0 ether1 bridge1 0x80 10
none
none
[admin@MikroTik] /interface bridge port>
Interface lists
Starting with RouterOS v6.41 it possible to add interface lists as a bridge port and sort them.
Interface lists are useful for creating simpler firewall rules, you can read more about interface
lists at the Interface List section. Below is an example how to add interface list to a bridge:
/interface list member
add interface=ether1 list=LAN1
add bridge=bridge1 interface=LAN1
add bridge=bridge1 interface=LAN2
Ports from a interface list added to a bridge will show up as dynamic ports:
[admin@MikroTik] > /interface bridge port print

Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
# INTERFACE BRIDGE
0 LAN1 bridge1
1 D ether1 bridge1
2 D ether2 bridge1
3 LAN2 bridge1
4 D ether3 bridge1
5 D ether4 bridge1
It is also possible to sort the order of lists in which they appear in the /interface bridge
port menu. This can be done using the move command. Below is an example how to sort
interface lists:
[admin@MikroTik] > /interface bridge port move 3 0

# INTERFACE BRIDGE
0 LAN2 bridge1
1 D ether3 bridge1
2 D ether4 bridge1
3 LAN1 bridge1
4 D ether1 bridge1
5 D ether2 bridge1
Note: The second parameter when moving interface lists is considered as "before id", the
second parameter specifies before which interface list should be the selected interface list
moved. When moving first interface list in place of the second interface list, then the command
will have no effect since the first list will be moved before the second list, which is the current
state either way.
Hosts Table
MAC addresses that have been learned on a bridge interface can be viewed in
the /interface bridge host menu. Below is a table of parameters and flags that can be
viewed.
Sub-menu: /interface bridge host
Property
age (read-only: time) The time since the last p
bridge (read-only: name) The bridge the entry bel
dynamic (read-only: flag) Dynamically created ent
external-fdb (read-only: flag) Whether the host was le
local (read-only: flag) Whether the host entry i
mac-address (read-only: MAC address) Host's MAC address
on-interface (read-only: name) Which of the bridged int
Monitoring
To get the active hosts table:
[admin@MikroTik] /interface bridge host> print

Flags: L - local, E - external-fdb
BRIDGE MAC-ADDRESS ON-INTERFACE AGE
bridge1 00:00:00:00:00:01 ether2 3s
bridge1 00:01:29:FF:1D:CC ether2 0s
L bridge1 00:0C:42:52:2E:CF ether2 0s
bridge1 00:0C:42:52:2E:D0 ether2 3s
bridge1 00:0C:42:5C:A5:AE ether2 0s
Static entries
Since RouterOS v6.42 it is possible to add a static MAC address entry into the hosts table.
This can be used to forward a certain type of traffic through a specific port. Below is a table of
possible parameters that can be set when adding a static MAC address entry into the hosts
table.
Property
bridge (name; Default: none) The bridge interface to w
disabled (yes | no; Default: no) Disables/enables static
interface (name; Default: none) Name of the interface.
mac-address (MAC address; Default: ) MAC address that will b
vid (integer: 1..4094; Default: ) VLAN ID for the staticall
For example, if it was required that all traffic destined to 4C:5E:0C:4D:12:43 is forwarded
only through ether2 , then the following commands can be used:
/interface bridge host

add bridge=bridge interface=ether2 mac-address=4C:5E:0C:4D:12:43
Bridge Monitoring
Sub-menu: /interface bridge monitor
Used to monitor the current status of a bridge.

Property
current-mac-address (MAC address) Current MAC address of the bridge
designated-port-count (integer) Number of designated bridge ports
port-count (integer) Number of the bridge ports
root-bridge (yes | no) Shows whether bridge is the root b
root-bridge-id (text) The root bridge ID, which is in form
root-path-cost (integer) The total cost of the path to the roo
root-port (name) Port to which the root bridge is con
state (enabled | disabled) State of the bridge
Example
To monitor a bridge:
[admin@MikroTik] /interface bridge> monitor bridge1

state: enabled
current-mac-address: 00:0C:42:52:2E:CE
root-bridge: yes
root-bridge-id: 0x8000.00:00:00:00:00:00
root-path-cost: 0
root-port: none
port-count: 2
designated-port-count: 0
[admin@MikroTik] /interface bridge>
Bridge Port Monitoring

Sub-menu: /interface bridge port monitor
Statistics of an interface that belongs to a bridge.

Property
edge-port (yes | no) Whether port is an edge
edge-port-discovery (yes | no) Whether port is set to au
external-fdb (yes | no) Shows whether registra
forwarding (yes | no) Port state
learning (yes | no) Port state
port-number (integer 1..4095) Port identifier
point-to-point-port (yes | no)
role (designated | root port | alternate | backup | disabled)
(R)STP algorithm assign
 Disabled port -
 Root port - a forw
 Alternative por
 Designated port
 Backup port - a b
sending-rstp (yes | no) Whether the port is send

status (in-bridge | inactive) Port status
Example
To monitor a bridge port:
[admin@MikroTik] /interface bridge port> monitor 0
status: in-bridge
port-number: 1
role: designated-port
edge-port: no
edge-port-discovery: yes
point-to-point-port: no
external-fdb: no
sending-rstp: no
learning: yes
forwarding: yes
[admin@MikroTik] /interface bridge port>
Bridge VLAN Filtering

Bridge VLAN Filtering since RouterOS v6.41 provides VLAN aware Layer2 forwarding and
VLAN tag modifications within the bridge. This set of features makes bridge operation more like
a traditional Ethernet switch and allows to overcome Spanning Tree compatibilty issues
compared to configuration when tunnel-like VLAN interfaces are bridged. Bridge VLAN Filtering
configuration is highly recommended to comply with STP (802.1D), RSTP (802.1w) standards
and is mandatory to enable MSTP (802.1s) support in RouterOS.
The main VLAN setting is vlan-filtering which globally controls vlan-awareness and
VLAN tag processing in the bridge. If vlan-filtering=no , bridge ignores VLAN tags, works
in a shared-VLAN-learning (SVL) mode and cannot modify VLAN tags of packets. Turning
on vlan-filtering enables all bridge VLAN related functionality and independent-VLAN-
learning (IVL) mode. Besides joining the ports for Layer2 forwarding, bridge itself is also an
interface therefore it has Port VLAN ID (pvid).
Property
VLAN table. Should be u
vlan-filtering (yes | no; Default: no) Globally enables or disa
vlan-protocol (0x9100 | 802.1Q | 802.1ad; Default: 802.1Q) Changes the bridge VLA
pvid (integer 1..4094; Default: 1) Port VLAN ID (pvid) spe
IP and destined to a brid
The bridge port settings related to VLAN filtering are described below.
Property
table. Should be used w
pvid (integer 1..4094; Default: 1) Port VLAN ID (pvid) spe
Sub-menu: /interface bridge vlan
Bridge VLAN table represents per-VLAN port mapping with an egress VLAN tag
action. tagged ports send out frames with a learned VLAN ID tag. untagged ports remove
VLAN tag before sending out frames if the learned VLAN ID matches the port pvid .
Property
bridge (name; Default: none) The bridge interface wh
disabled (yes | no; Default: no) Enables or disables Brid
tagged (interfaces; Default: none) Interface list with a VLA
E.g. tagged=ether1,e
untagged (interfaces; Default: none) Interface list with a VLA

E.g. tagged=ether3,e
vlan-ids (integer 1..4094; Default: 1) The list of VLAN IDs for

E.g. vlan-ids=100-11
Bridge Host table allows monitoring learned MAC addresses and when vlan-filtering is
enabled shows learned VLAN ID as well.
[admin@MikroTik] > interface bridge host print where !local

BRIDGE VID MAC-ADDRESS ON-
INTERFACE AGE
bridge1 200 D4:CA:6D:77:2E:F0 ether3
7s
bridge1 200 E4:8D:8C:1B:05:F0 ether2
2s
bridge1 300 D4:CA:6D:74:65:9D ether4
3s
2s
bridge1 400 4C:5E:0C:4B:89:5C ether5
0s
0s
[admin@MikroTik] >
Note: Make sure you have added all needed interfaces to the bridge VLAN table when using
bridge VLAN filtering. For routing functions to work properly on the same device through ports
that use bridge VLAN filtering, you will need to allow access to the CPU from those ports, this
can be done by adding the bridge interface itself to the VLAN table, for tagged traffic you will
need to add the bridge interface as a tagged port and create a VLAN interface on the bridge
interface. Examples can be found at the Management port section.
Warning: When allowing access to the CPU, you are allowing access from a certain port to the
actual router/switch, this is not always desirable. Make sure you implement proper firewall filter
rules to secure your device when access to the CPU is allowed from a certain VLAN ID and
port, use firewall filter rules to allow access to only certain services.
VLAN Example #1 (Trunk and Access Ports)

Trunk and Access Ports
 Create a bridge with disabled vlan-filtering to avoid losing access to the router
before VLANs are completely configured.
/interface bridge
add name=bridge1 vlan-filtering=no
 Add bridge ports and specify pvid for VLAN access ports to assign their untagged traffic
to the intended VLAN.

add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether6 pvid=200
 Add Bridge VLAN entries and specify tagged and untagged ports in them.
/interface bridge vlan

add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=200
 In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering.
/interface bridge set bridge1 vlan-filtering=yes
VLAN Example #2 (Trunk and Hybrid Ports)

Trunk and Hybrid Ports
/interface bridge
 Add bridge ports and specify pvid on hybrid VLAN ports to assign untagged traffic to the
intended VLAN.

 Add Bridge VLAN entries and specify tagged and untagged ports in them. In this example
egress VLAN tagging is done on ether6,ether7,ether8 ports too, making them into hybrid
ports.

add bridge=bridge1 tagged=ether2,ether7,ether8 untagged=ether6
vlan-ids=200
vlan-ids=300
vlan-ids=400
Warning: The PVID value is set to all traffic that enters the bridge and adds the port
dynamically to the bridge VLAN table for VLAN ID that matches the PVID value. If you are
trying to isolate tagged traffic from untagged traffic, then make sure you have set a PVID to a
bridge port that is different from the bridge's PVID value, otherwise these ports will be
dynamically added to the bridge VLAN table and will be able to forward traffic from untagged
ports.
VLAN Example #3 (InterVLAN Routing by Bridge)
InterVLAN Routing by Bridge
/interface bridge
 Add bridge ports and specify pvid for VLAN access ports to assign their untagged traffic
to the intended VLAN.

 Add Bridge VLAN entries and specify tagged and untagged ports in them. In this
example bridge1 interface is the VLAN trunk that will send traffic further to do InterVLAN
routing.

add bridge=bridge1 tagged=bridge1 untagged=ether6 vlan-ids=200
 Configure VLAN interfaces on the bridge1 to allow handling of tagged VLAN traffic at
routing level and set IP addresses to ensure routing between VLANs as planned.
/interface vlan
add interface=bridge1 name=vlan200 vlan-id=200
/ip address
add address=20.0.0.1/24 interface=vlan200 network=20.0.0.0
Management port
There are multiple ways to setup management port on a device that uses bridge VLAN filtering.
Below are some of the most popular approaches to properly enable access to a router/switch.
Start by creating a bridge without VLAN filtering enabled:
/interface bridge
 In case VLAN filtering will not be used and access with untagged traffic is desired
The only requirement is to create an IP address on the bridge interface.
/ip address
add address=192.168.99.1/24 interface=bridge1
 In case VLAN filtering is used and access from trunk and/or access ports with tagged
traffic is desired
In this example VLAN 99 will be used to access the device, a VLAN interface on the bridge
must be created and an IP address must be assigned to it.
/interface vlan
add interface=bridge1 name=MGMT vlan-id=99
/ip address
add address=192.168.99.1/24 interface=MGMT
For example, if you want to allow access to the router/switch from access ports ether3,ether4
and from trunk port sfp-sfpplus1, then you must add this entry to the VLAN table:

add bridge=bridge1 tagged=bridge1,ether3,ether4,sfp-sfpplus1 vlan-
ids=99
After that you can enable VLAN filtering:
 In case VLAN filtering is used and access from trunk and/or access ports with untagged
traffic is desired
To allow untagged traffic to access the router/switch, start by creating an IP address on the
bridge interface.
/ip address
It is required to add VLAN 1 to ports from which you want to allow the access to the
router/switch, for example, to allow access from access ports ether3,ether4 add this entry to
the VLAN table:

add bridge=bridge1 untagged=ether3,ether4 vlan-ids=1
Make sure that PVID on the bridge interface matches the PVID value on these ports:
/interface bridge set bridge1 pvid=1

/interface bridge port set ether3,ether4 pvid=1
After that you can enable VLAN filtering:
Note: If connection to the router/switch through an IP address is not required, then steps
adding this IP address can be skipped since connection to the router/switch through Layer2
protocols (e.g. MAC-telnet) will be working either way.
VLAN Tunneling (Q-in-Q)

Since RouterOS v6.43rc14 RouterOS bridge is IEEE 802.1ad compliant and it is possible to
filter VLAN IDs based on Service VLAN ID (0x88A8) rather than Customer VLAN ID (0x8100).
The same principals can be applied as with IEEE 802.1Q VLAN filtering (the same setup
examples can be used). Below is a topology of a common Provider bridge:
Provider bridge topology
In this example R1, R2, R3 and R4 might be sending any VLAN tagged traffic by 802.1Q
(CVID), but SW1 and SW2 needs isolate traffic between routers in a way that R1 is able to
communicate only with R3 and R2 is only able to communicate with R4. To do so, you can tag
all ingress traffic with a SVID and only allow these VLANs on certain ports. Start by
enabling 802.1ad VLAN protocol on the bridge, use these commands on SW1 and SW2:
/interface bridge
add name=bridge1 vlan-filtering=no vlan-protocol=802.1ad
In this setup ether1 and ether2 are going to be access ports (untagged), use
the pvid parameter to tag all ingress traffic on each port, use the commands
on SW1 and SW2:

add interface=ether1 bridge=bridge1 pvid=200
add interface=ether2 bridge=bridge1 pvid=300
add interface=ether3 bridge=bridge1
Specify tagged and untagged ports in the bridge VLAN table, use these commands
on SW1 and SW2:

When bridge VLAN table is configured, you can enable bridge VLAN filtering, use these
commands on SW1 and SW2
Warning: By enabling vlan-filtering you will be filtering out traffic destined to the CPU,
before enabling VLAN filtering you should make sure that you set up a Management port. The
difference between 802.1Q VLAN protocol is that you must use a Service VLAN interface.
Service VLAN interfaces can be created as regular VLAN interface, but the use-service-
tag parameter toggles if the interface will use Service VLAN tag.
Note: Currently only CRS3xx series switches are capable of hardware offloading VLAN filtering
based on SVID (Service VLAN ID) tag when vlan-protocol is set to 802.1ad.
Warning: With 802.1Q VLAN protocol the bridge checks the outer VLAN tag if it is using
EtherType 0x8100 . If the bridge receives a packet with an outer tag that has a different
EtherType, it will mark the packet as untagged . Since RouterOS only checks the outer tag of
a packet, it is not possible to filter 802.1Q packets when 802.1ad protocol is used.
IGMP Snooping
IGMP Snooping which controls multicast streams and prevents multicast flooding is
implemented in RouterOS starting from version 6.41.
It's settings are placed in bridge menu and it works independently in every bridge interface.
Software driven implementation works on all devices with RouterOS but CRS1xx/2xx/3xx
series switches also support IGMP Snooping with hardware offloading.
Sub-menu: /interface bridge /interface bridge mdb
 Enabling IGMP Snooping on Bridge.
/interface bridge set bridge1 igmp-snooping=yes
 Monitoring multicast groups in the Bridge Multicast Database

[admin@MikroTik] > interface bridge mdb print
BRIDGE VID GROUP
PORTS
bridge1 200 229.1.1.2
ether3
ether2
ether1
bridge1 300 231.1.3.3
ether4
ether3
ether2
bridge1 400 229.10.10.4
ether4
ether3
bridge1 500 234.5.1.5
ether5
ether1
[admin@MikroTik] >
Bridge Firewall
Sub-menu: /interface bridge filter, /interface bridge nat
The bridge firewall implements packet filtering and thereby provides security functions that are
used to manage data flow to, from and through bridge.
Packet flow diagram shows how packets are processed through router. It is possible to force
bridge traffic to go through /ip firewall filter rules (see: Bridge Settings)
There are two bridge firewall tables:
 filter - bridge firewall with three predefined chains:

 input - filters packets, where the destination is the bridge (including those packets that
will be routed, as they are destined to the bridge MAC address anyway)
 output - filters packets, which come from the bridge (including those packets that has
been routed normally)
 forward - filters packets, which are to be bridged (note: this chain is not applied to the
packets that should be routed through the router, just to those that are traversing
between the ports of the same bridge)
 nat - bridge network address translation provides ways for changing source/destination
MAC addresses of the packets traversing a bridge. Has two built-in chains:
 srcnat - used for "hiding" a host or a network behind a different MAC address. This
chain is applied to the packets leaving the router through a bridged interface
 dstnat - used for redirecting some packets to other destinations
You can put packet marks in bridge firewall (filter and NAT), which are the same as the packet
marks in IP firewall put by '/ip firewall mangle' . In this way, packet marks put by bridge
firewall can be used in 'IP firewall', and vice versa.
General bridge firewall properties are described in this section. Some parameters that differ
between nat and filter rules are described in further sections.
Properties
Property
802.3-sap (integer; Default: ) DSAP (Destination Serv
network protocol entities
specified here to match
802.3-type (integer; Default: ) Ethernet protocol type, p
Attachment Point heade
0x809B.
action (accept | drop | jump | log | mark-packet | passthrough | return | set-priority; Action to take if packet i
Default: )
 accept - accept the
 drop - silently drop
 jump - jump to the u
 log - add a messag
>dst-ip:port and leng
 mark-packet - pla
 passthrough - if p
 return - passes co
 set-priority - se
transporting priority
arp-dst-address (IP address; Default: ) ARP destination IP addr
arp-dst-mac-address (MAC address; Default: ) ARP destination MAC a
arp-gratuitous (yes | no; Default: ) Matches ARP gratuitous
arp-hardware-type (integer; Default: 1) ARP hardware type. Thi
arp-opcode (arp-nak | drarp-error | drarp-reply | drarp-request | inarp-reply | inarp- ARP opcode (packet typ
request | reply | reply-reverse | request | request-reverse; Default: )
 arp-nak - negative
 drarp-error - Dy
 drarp-reply - Dy
 drarp-request -
 inarp-reply - Inv
 inarp-request -
 reply - standard A
 reply-reverse -
 request - standard
 request-reverse
be used by hosts to
arp-packet-type (integer 0..65535 | hex 0x0000-0xffff; Default: ) ARP Packet Type.
arp-src-address (IP address; Default: ) ARP source IP address.
arp-src-mac-address (MAC addres; Default: ) ARP source MAC addre
chain (text; Default: ) Bridge firewall chain, wh
dst-address (IP address; Default: ) Destination IP address (
dst-mac-address (MAC address; Default: ) Destination MAC addres
dst-port (integer 0..65535; Default: ) Destination port number
in-bridge (name; Default: ) Bridge interface through
in-interface (name; Default: ) Physical interface (i.e., b
in-interface-list (name; Default: ) Set of interfaces defined
ingress-priority (integer 0..63; Default: ) Matches ingress priority

ingress-priority (integer 0..63; Default: ) Matches ingress priority
ip-protocol (dccp | ddp | egp | encap | etherip | ggp | gre | hmp | icmp | icmpv6 | IP protocol (only if MAC
idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | ipv6 | ipv6-frag | ipv6-nonxt |
ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf | rsvp | sctp | st | tcp |  dccp - Datagram C
udp | udp-lite | vmtp | vrrp | xns-idp | xtp; Default: )  ddp - Datagram De
 egp - Exterior Gatew
 encap - Encapsulat
 etherip - Ethernet
 ggp - Gateway-to-G
 gre - Generic Routi
 hmp - Host Monitorin
 icmp - IPv4 Interne
 icmpv6 - IPv6 Inter
 idpr-cmtp - Inter-
 igmp - Internet Gro
 ipencap - IP in IP (
 ipip - IP-within-IP
 ipsec-ah - IPsec A
 ipsec-esp - IPsec
 ipv6 - Internet Prot
 ipv6-frag - Fragm
 ipv6-nonxt - No N
 ipv6-opts - Destin
 ipv6-route - Rou
 iso-tp4 - ISO Tran
 l2tp - Layer Two T
 ospf - Open Shorte
 pim - Protocol Indep
 pup - PARC Univer
 rdp - Reliable Data
 rspf - Radio Shorte
 rsvp - Reservation
 sctp - Stream Con
 st - Internet Stream
 tcp - Transmission
 udp - User Datagra
 udp-lite - Lightwe
 vmtp - Versatile Me
 vrrp - Virtual Route
 xns-idp - Xerox N
 xtp - Xpress Trans
jump-target (name; Default: ) If action=jump specifi
limit (integer/time,integer; Default: ) Restricts packet match r
 count - maximum a
 time - specifies the
 burst - number of
log-prefix (text; Default: ) Defines the prefix to be

mac-protocol (802.2 | arp | homeplug-av | ip | ipv6 | ipx | length | lldp | loop-protect Ethernet payload type (M
| mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-
discovery | rarp | service-vlan | vlan | integer 0..65535 | hex 0x0000-0xffff; Default: )  802.2 - 802.2 Fram
 arp - Address Reso
 homeplug-av - Ho
 ip - Internet Protoc
 ipv6 - Internet Prot
 ipx - Internetwork P
 length -
 lldp - Link Layer D
 loop-protect - L
 mpls-multicast
 mpls-unicast - M
 packing-compr -
 packing-simple
 ppoe - PPPoE Sess
 ppoe-discovery
 rarp - Reverse Add
 service-vlan - P
 vlan - VLAN-tagge
out-bridge (name; Default: ) Outgoing bridge interfac

out-interface (name; Default: ) Interface that the packe
out-interface-list (name; Default: ) Set of interfaces defined
packet-mark (name; Default: ) Match packets with cert

packet-type (broadcast | host | multicast | other-host; Default: ) MAC frame type:
 broadcast - broad
 host - packet is de
 multicast - multic
 other-host - pack
src-address (IP address; Default: ) Source IP address (only

src-mac-address (MAC address; Default: ) Source MAC address.
src-port (integer 0..65535; Default: ) Source port number or r
stp-flags (topology-change | topology-change-ack; Default: ) The BPDU (Bridge Proto
loops
 topology-change
their host tables and
 topology-change
stp-forward-delay (integer 0..65535; Default: ) Forward delay timer.

stp-hello-time (integer 0..65535; Default: ) STP hello packets time.
stp-max-age (integer 0..65535; Default: ) Maximal STP message
stp-msg-age (integer 0..65535; Default: ) STP message age.
stp-port (integer 0..65535; Default: ) STP port identifier.
stp-root-address (MAC address; Default: ) Root bridge MAC addre
stp-root-cost (integer 0..65535; Default: ) Root bridge cost.
stp-root-priority (integer 0..65535; Default: ) Root bridge priority.
stp-sender-address (MAC address; Default: ) STP message sender M
stp-sender-priority (integer 0..65535; Default: ) STP sender priority.
stp-type (config | tcn; Default: ) The BPDU type:
 config - configura
 tcn - topology chan
tls-host (string; Default: ) Allows to match https tra

not be able to match ho
vlan-encap (802.2 | arp | ip | ipv6 | ipx | length | mpls-multicast | mpls-unicast | the MAC protocol type e
pppoe | pppoe-discovery | rarp | vlan | integer 0..65535 | hex 0x0000-0xffff; Default: )
vlan-id (integer 0..4095; Default: ) VLAN identifier field.
vlan-priority (integer 0..7; Default: ) The user priority field.
Notes
 STP matchers are only valid if destination MAC address is

01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF (Bridge Group address), also stp should be
enabled.
 ARP matchers are only valid if mac-protocol is arp or rarp
 VLAN matchers are only valid for vlan ethernet protocol
 IP-related matchers are only valid if mac-protocol is set as ipv4
 802.3 matchers are only consulted if the actual frame is compliant with IEEE 802.2 and
IEEE 802.3 standards (note: it is not the industry-standard Ethernet frame format used in
most networks worldwide!). These matchers are ignored for other packets.
Bridge Packet Filter

Sub-menu: /interface bridge filter
This section describes bridge packet filter specific filtering options, that are specific
to '/interface bridge filter' .
Properties
Property
action (accept | drop | jump | log | mark-packet | passthrough | return | set-priority; Action to take if packet i
Default: accept)
are processed in the
 jump - jump to the c
 log - ladd a messa
protocol, src-ip:port-
as passthrough
 mark - mark the pac
 passthrough - ign
packets
 return - return to t
Bridge NAT
Sub-menu: /interface bridge nat
This section describes bridge NAT options, that are specific to '/interface bridge nat' .
Properties
Property
action (accept | drop | jump | mark-packet | redirect | set-priority | arp-reply | dst-nat Action to take if packet i
| log | passthrough | return | src-nat; Default: accept)
are processed in the
 arp-reply - send
address (only valid i
 dst-nat - change
 jump - jump to the c
 log - log the packe
 mark - mark the pac
 passthrough - ign
packets
 redirect - redirec
 return - return to t
 src-nat - change
to-arp-reply-mac-address (MAC address; Default: ) Source MAC address to
to-dst-mac-address (MAC address; Default: ) Destination MAC addres
to-src-mac-address (MAC address; Default: ) Source MAC address to
Manual:Spanning Tree Protocol

Contents
[hide]
 1Spanning Tree Protocol
o 1.1STP and RSTP
o 1.2Default values
o 1.3Election process
o 1.4Example
 2Multiple Spanning Tree Protocol
o 2.1MSTP Regions
o 2.2Election process
o 2.3MST Instance
o 2.4MST Override
o 2.5Monitoring
o 2.6Example

RouterOS is capable of running bridge interfaces with (R/M)STP support in order to create
loop-free and Layer2 redundant environment. It is always recommended to manually set up
each bridge priority, port priority and port path cost to ensure proper Layer2 functionality at all
times. Leaving STP related values to defaults are acceptable for a network that consists of of 1
to 2 bridges running with (R/M)STP enabled, but it is highly recommended to manually set
these values for larger networks. Since STP elects a root bridge and root ports by checking
STP related values from bridges over the network, then leaving STP settings to automatic may
elect a undesired root bridge and root ports and in case of a hardware failure can result in an
inaccessible network.
You can check the STP status of a bridge by using the /interface bridge
monitor command, for example:
/interface bridge monitor bridge

state: enabled
current-mac-address: 64:D1:54:D9:27:E6
root-bridge: yes
root-bridge-id: 0x3000.64:D1:54:D9:27:E6
root-path-cost: 0
root-port: none
port-count: 5
You can check the STP status of a bridge port by using the /interface bridge port
monitor command, for example:
/interface bridge port monitor 2

interface: ether3
status: in-bridge
port-number: 3
role: root-port
edge-port: no
edge-port-discovery: yes
point-to-point-port: yes
external-fdb: no
sending-rstp: yes
learning: yes
forwarding: yes
root-path-cost: 10
designated-bridge: 0x3000.64:D1:54:D9:27:E6
designated-cost: 0
designated-port-number: 4
hw-offload-group: switch1
Note that root-bridge-id consists of the bridge priority and the bridge's MAC address, for
non-root bridges the root bridge will be shown as designated-bridge . One port can have
one role in a STP enabled network, below is a list of possible port roles:
 root-port - port that is facing towards the root bridge and will be used to forward traffic
from/to the root bridge.
 alternate-port - port that is facing towards root bridge, but is not going to forward traffic (a
backup for root port).
 backup-port - port that is facing away from the root bridge, but is not going to forward
traffic (a backup for non-root port).
 designated-port - port that is facing away from the root bridge and is going to forward
traffic .
 disabled-port - disabled or inactive port.
Note: When using bridges that are set to use 802.1Q as VLAN protocol, they will send out
BPDUs to 01:80:C2:00:00:00, which are used by MSTP, RSTP and STP. When using 802.1ad
as bridge VLAN protocol, the BPDUs are not compatible with 802.1Q bridges and they are sent
to 01:80:C2:00:00:08. (R/M)STP will not function properly if there are different bridge VLAN
protocols across the Layer2 network.
STP and RSTP

STP and Rapid STP are used very widely across many networks, but almost all networks have
switched over using only RSTP since of its benefits. STP is a very old protocol and has a
convergence time (the time needed to fully learn network topology changes and to continue
properly forwarding traffic) even up to 50 seconds, which was acceptable for 1980s when it
was invented. RSTP has a lot smaller convergence time, a few seconds or even a few
milliseconds), which is acceptable for nowadays network requirements. It is recommended to
use RSTP instead of STP since it is a lot faster and is also backwards compatible with STP.
One of the reason why RSTP is faster is because of reduced possible port states, below is a
list of possible STP port states:
 Forwarding - port participates in traffic forwarding and is learning MAC addresses, is

receiving BPDUs.
 Listening - port does not participate in traffic forwarding and is not learning MAC
addresses, is receiving BPDUs.
 Learning - port does not participate in traffic forwarding, but is learning MAC addresses.
 Blocking - port is blocked since it is causing loops, but is receiving BPDUs.
 Disabled - port is disabled or inactive.
In RSTP the disabled, listening and blocking port states are replaced with just one state called
the Discarding state:
 Forwarding - port participates in traffic forwarding and is learning MAC addresses, is

receiving BPDUs.
 Learning - port does not participate in traffic forwarding, but is learning MAC addresses.
 Discarding - port does not participate in traffic forwarding and is not learning MAC
addresses, is receiving BPDUs.
In STP connectivity between bridges is determined by sending and receiving BPDUs between
neighbour bridges. Designated ports are sending BPDUs to root ports. If a BPDU is not
received 3 times the HelloTime in a row, then connection is considered as unavailable and
network topology convergence will commence. It is possible for STP to reduce the
convergence time in certain scenarios by reducing the forward-delay timer, which is
responsible for how long can port be in the learning/listening state.
In RouterOS it is possible to specify which bridge ports are edge ports. Edge ports are ports
that are not supposed to receive any BPDUs, this is beneficial since this allows STP to skip the
learning and the listening state and directly go to forwarding state. This feature is sometimes
called PortFast· You can leave this parameter to the default value, which is auto, but you can
also manually specify it, you can set a port as edge port manually for ports that should not
have any more bridges behind it, usually these are access ports.
Default values
When creating a bridge or adding a port to a bridge the following are the default values that are
assigned by RouterOS:
 Default bridge priority: 32768 / 0x8000

 Default bridge port path cost: 10
 Default bridge port priority: 0x80
 BPDU message age: 1
 HelloTime: 2
 Default max message age: 20
RouterOS does not change port path cost based on the link speed, for 10M, 100M, 1000M and
10000M link speeds the default path cost value when a port is added to a bridge is always 10.
The age of a BPDU is determined by how many bridges has the BPDU passed times the
message age, since RouterOS uses 1 as the message age, then the BPDU packet can pass
as many bridges as specified in the max-message-age parameter. By default this value is set
to 20, this means that after the 20th bridge the BPDU packet will be discarded and the next
bridge will become a root bridge, note that if max-message-age=20 on is set, then it is hard to
predict which ports will be the designated port on the 21st bridge and may result in traffic not
being able to be forwarded properly. In case bridge filter rules are used, make sure you allow
packets with DST-MAC address 01:00:0C:CC:CC:CC since these packets carry BPDUs that
are crucial for STP to work properly.
Election process
To properly configure STP in your network you need to understand the election process and
which parameters are involved in which order. In RouterOS the root bridge will be elected
based on the smallest priority and the smallest MAC address in this particular order:
1. Bridge priority (lowest)

2. Bridge MAC address (lowest)
In RouterOS root ports are elected based on lowest port path cost, lowest port priority and
lowest bridge port ID in this particular order:
1. Port path cost (lowest)

2. Port priority (lowest)
3. Bridge port ID (lowest)
Note: Make sure you are using path cost and priority on the right ports. For example, setting
path cost on a ports that are in a root bridge has no effect, only port priority has effect on them.
Path cost has effect on ports that are facing towards the root bridge and port priority has effect
on ports that are facing away from the root bridge.
Warning: In RouterOS it is possible to set any value for bridge priority between 0 and 65535,
the IEEE 802.1W standard states that the bridge priority must be in steps of 4096. This can
cause incompatibility issues between devices that does not support such values. To avoid
incompatibility issues, it is recommended to use only these priorities: 0, 4096, 8192, 12288,
16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440
Note: When electing a root port the path cost will be checked first. If the path cost for multiple
paths is the same, then port priority is checked. If port priority is the same, then bridge port ID
is checked, port with the lowest values will be elected as a root port. Make sure you take into
account the election process when designing your network with STP enabled.
Example
Topology of a STP enabled network

In this example we want to ensure Layer2 redundancy for connections from ServerA to
ServerB. If a port is connected to a device that is not a bridge and not running (R)STP, then
this port is considered as an edge port, in this case ServerA and ServerB is connected to an
edge port. This is possible by using STP in a network. Below are configuration examples for
each switch.
 Configuration for SW1:
/interface bridge
add name=bridge priority=0x1000
add bridge=bridge interface=ether1 priority=0x60
add bridge=bridge interface=ether5
/interface bridge
/interface bridge
/interface bridge
add bridge=bridge interface=ether2 path-cost=20
In this example SW1 is the root bridge since it has the lowest bridge
priority. SW2 and SW3 has ether1,ether2 connected to the root bridge and ether3 is connected
to SW4. When all switches are working properly, the traffic will be flowing from ServerA
through SW1_ether2, through SW2, through SW4 to ServerB. In case of SW1 failure,
the SW2 becomes the root bridge because of the next lowest priority. Below is a list of ports
and their role for each switch:
 root-port - SW2_ether2, SW3_ether2, SW4_ether1

 alternate-port - SW2_ether1, SW3_ether1, SW4_ether2
 designated-port - SW1_ether1, SW1_ether2, SW1_ether3, SW1_ether4, SW1_ether5,
SW2_ether3, SW2_ether3, SW4_ether3
Note: By the 802.1W recommendations, you should use bridge priorities in steps of 4096. To
set a recommended priority it is more convenient to use hexadecimal notation, for example, 0
is 0x0000, 4096 is 0x1000, 8192 is 0x2000 and so on (0..F).
Multiple Spanning Tree Protocol
Since RouterOS v6.41 it is possible to enable Multiple Spanning Tree Protocol (MSTP) on a
bridge interface to ensure loop-free topology across multiple VLANs, MSTP can also provide
Layer2 redundancy and can be used as a load balancing technique for VLANs since it has the
ability to have different paths across different VLANs. MSTP is operating very similarly to
(R)STP and many concepts from (R)STP can be applied to MSTP and it is highly
recommended to understand the principles behind (R)STP before using MSTP, but there are
some differences that must be taken into account when designing a MSTP enabled network.
In case (R)STP is used, the BPDUs are sent across all physical interfaces in a bridge to
determine loops and stop ports from being able to forward traffic, if it causes a loop. In case
there is a loop inside a certain VLAN, (R)STP might not be able to detect it. Some STP variants
solve this problem by running a STP instance on every single VLAN (PVST), but this has been
proven to inefficient and some STP variants solve this problem by running a single STP
instance across all VLANs (CST), but it lacks the possibility to do load balancing for each
VLAN or VLAN group. MSTP tends to solve both problems by using MST instances that can
define a group of VLANs (VLAN mapping) that can be used for load balancing and
redundancy, this means that each VLAN group can have a different root bridge and a different
path. Note that it is beneficial to group multiple VLANs in a single instance to reduce the
amount of CPU cycles for each network topology change.
Warning: In RouterOS with MSTP enabled the bridge priority is the CIST's root bridge priority,
as stated in the IEEE 802.1Q standard the bridge priority must be in steps of 4096, the 12
lowest bits are ignored. These are valid bridge priorities: 0, 4096, 8192, 12288, 16384, 20480,
24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440. When setting an
invalid bridge priority, RouterOS will warn you about it and trunk the value to a valid value, but
will save the original value in the configuration since invalid bridge priority values can still be
used in (R)STP between devices running RouterOS, though it is recommended to use valid a
bridge priority instead.
MSTP Regions
MSTP works in groups called regions, for each region there will be a regional root bridge and
between regions there will be a root bridge elected. MSTP will use Internal Spanning Tree
(IST) to build the network topology inside a region and Common Spanning Tree (CST) outside
a region to build the network topology between multiple regions, MSTP combines these two
protocols into Common and Internal Spanning Tree (CIST), which holds information about
topology inside a region and between regions. From CST's perspective a region will seemingly
be as a single virtual bridge, because of this MSTP is considered very scalable for large
networks. In order for bridges to be in the same region, their configuration must match, BPDUs
will not include VLAN mappings since they can be large, rather a computed hash is being
transmitted. If a bridge receives a BPDU through a port and the configuration does not match,
then MSTP will consider that port as a boundary port and that it can be used to reach other
regions. Below is a list of parameters that need to match in order for MSTP to consider a
BPDU from the same region:
 Region name
 Region revision
 VLAN mappings to MST Instance IDs (computed hash)
It is possible to create MSTP enabled network without regions, though to be able to do load
balancing per VLAN group it is required for a bridge to receive a BPDU from a bridge that is
connected to it with the same parameters mentioned above. In RouterOS the default region
name is empty and region revision is 0, which are valid values, but you must make sure that
they match in order to get multiple bridges in a single MSTP region. A region cannot exist if
their bridges are scattered over the network, these bridges must be connected at least in one
way, in which they can send and receive BPDUs without leaving the region, for example, if a
bridge with different region related parameters is between two bridges that have the same
region related parameters, then there will exist at least 3 different MSTP regions.
Topology of a MSTP enabled network with boundary ports

The downside of running every single bridge in a single MSTP region is the excess CPU
cycles. In comparison, PVST(+) creates a Spanning Tree Instance for each VLAN ID that
exists on the network, since there will be very limited paths that can exist in a network, then
this approach creates a lot of overhead and unnecessary CPU cycles, this also means that this
approach does not scale very well and can overload switches with not very powerful CPUs.
MSTP solves this problem by dividing the network into MSTP regions, where each bridge
inside this region will exchange and process information about VLANs that exist inside the
same region, but will run a single instance of Spanning Tree Protocol in background to
maintain the network topology between regions. This approach has been proven to be much
more effective and much more scalable, this means that regions should be used for larger
networks to reduce CPU cycles.
In regions you can define MST Instances, which are used to configure load balancing per
VLAN group and to elect the regional root bridge. It is worth mentioning that in each region
there exists a pre-defined MST Instance, in most documentations this is called as MSTI0· This
MST Instance is considered as the default MST Instance, there are certain parameters that
apply to this special MST Instance. When traffic is passing through a MSTP enabled bridge,
MSTP will look for a MST Instance that has a matching VLAN mapping, but if a VLAN mapping
does not exists for a certain VLAN ID, then traffic will fall under MSTI0.
Note: Since MSTP requires VLAN filtering on the bridge interface to be enabled, then make
sure that you have allowed all required VLAN IDs in /interface bridge vlan ,
otherwise the traffic will not be forwarded and it might seem as MSTP misconfigured, although
this is a VLAN filtering misconfiguration.
Election process
The election process in MSTP can be divided into two sections, intra region and inter region.
For MSTP to work properly there will always need to be a regional root, that is the root bridge
inside a region, and a CIST root, that is the root bridge between regions. A regional root is the
root bridge inside a region, regional root bridge will be needed to properly set up load
balancing for VLAN groups inside a region. CIST root will be used to configure which ports will
be alternate/backups ports (inactive) and which ports will be root ports (active).
Note: Between regions there is no load balancing per VLAN group, root port election process
and port blocking between MSTP regions is done the same way as in (R)STP. If CIST has
blocked a port that is inside a MSTP region to prevent traffic loops between MSTP regions,
then this port can still be active for IST to do load balancing per VLAN group inside a MSTP
region.
 The following parameters are involved to elect a regional root bridge or root ports inside a
MSTP region:
Property
priority (integer: 0..65535 decimal format or 0x0000-0xffff hex format; Default: 32768 / /interface bridge
0x8000)
internal-path-cost (integer: 1..200000000; Default: 10) /interface bridge
priority (integer: 0..240; Default: 128) /interface bridge
root bridge.
internal-path-cost (integer: 1..200000000; Default: 10) /interface bridge
MSTP region.
 The following parameters are involved to elect a CIST root bridge or CIST root ports:
Property
priority (integer: 0..65535 decimal format or 0x0000-0xffff hex format; Default: 32768 / /interface bridge,
0x8000)
priority (integer: 0..240; Default: 128) /interface bridge
path-cost (integer: 1..200000000; Default: 10) /interface bridge
Note: The sequence of parameters in which MSTP checks to elect root bridge/ports are the
same as in (R)STP, you can read more about it at the (R)STP Election Process section.
MST Instance
Sub-menu: /interface bridge msti
This section is used to group multiple VLAN IDs to a single instance to create a different root
bridge for each VLAN group inside a MSTP region.
Property
bridge (text; Default: ) Bridge to which assign a M
identifier (integer: 1..31; Default: ) MST instance identifier.
priority (integer: 0..65535 decimal format or 0x0000-0xffff hex format; Default: 32768 / MST instance priority, use
0x8000)
vlan-mapping (integer: 1..4094; Default: ) The list of VLAN IDs to a
mapping=100-115,120
MST Override
Sub-menu: /interface bridge port mst-override
This section is used to select desired path for each VLAN mapping inside a MSTP region.
Property
disabled (yes | no; Default: no) Whether entry is disabled.
internal-path-cost (integer: 1..200000000; Default: 10) Path cost for a MST instan
path cost is preferred.
identifier (integer: 1..31; Default: ) MST instance identifier.
priority (integer: 0..240; Default: 128) The priority a MST instanc
is preferred.
interface (name; Default: ) Name of the port on which
Monitoring
Similarly to (R)STP, it is also possible to monitor MSTP status. By monitoring the bridge
interface itself it possible to see the current CIST root bridge and the current regional root
bridge for MSTI0, it is also possible to see the computed hash of MST Instance identifiers and
VLAN mappings, this is useful when making sure that certain bridges are in the same MSTP
region. Below you can find an example to monitoring a MSTP bridge:
/interface bridge monitor bridge

state: enabled
current-mac-address: 6C:3B:6B:7B:F0:AA
root-bridge: no
root-bridge-id: 0x1000.64:D1:54:24:23:72
regional-root-bridge-id: 0x4000.6C:3B:6B:7B:F0:AA
root-path-cost: 10
root-port: ether4
port-count: 5
mst-config-digest: 74edbeefdbf82cf63a70cf60e43a56f3
In MSTP it is possible to monitor the MST Instance, this is useful to determine the current
regional root bridge for a certain MST Instance and VLAN group, below you can find an
example to monitor a MST Instance:
/interface bridge msti monitor 1

state: enabled
identifier: 2
current-mac-address: 6C:3B:6B:7B:F0:AA
root-bridge: no
root-bridge-id: 0.00:00:00:00:00:00
regional-root-bridge-id: 0x1002.6C:3B:6B:7B:F9:08
root-path-cost: 0
root-port: ether2
port-count: 5
It is also possible to monitor a certain MST Override entry, this is useful to determine the port
role for a certain MST Instance when configuring root ports and alternate/backup ports in a
MSTP region, below you can find an example to monitor a MST Override entry:
/interface bridge port mst-override monitor 1

port: ether3
status: active
identifier: 2
role: alternate-port
learning: no
forwarding: no
internal-root-path-cost: 15
designated-bridge: 0x1002.6C:3B:6B:7B:F9:08
designated-internal-cost: 0
designated-port-number: 130
Example
Lets say that we need to design a topology and configure MSTP in a way that VLAN 10,20 will
be forwarded in one path, but VLAN 30,40 will be forwarded in a different path, while all other
VLAN IDs will be forwarded in one of those paths. This can easily be done by setting up MST
Instances and assigning port path costs, below you can find a network topology that needs to
do load balancing per VLAN group with 3 separate regions as an example:
Topology of a MSTP enabled network with load balancing per VLAN group
Start by adding each interface to a bridge, initially you should create a (R)STP bridge without
VLAN filtering enabled, this is to prevent loosing access to the CPU. Each device in this
example is named by the region that it is in (Rx) and a device number (_x). For larger networks
configuring MSTP can confusing because of the amount of links and devices, we recommend
using The Dude to monitor and design a network topology.
 Use the following commands on R1_1, R1_3, R2_1, R2_3, R3_1, R3_3:
/interface bridge
add name=bridge protocol-mode=rstp vlan-filtering=no
 Use the following commands on R1_2, R2_2, R3_2:
/interface bridge
add name=bridge protocol-mode=rstp vlan-filtering=no
 Make sure you allow the required VLAN IDs on these devices, here we will consider that
each device will receive tagged traffic that needs to be load balanced per VLAN group, use
these commands on R1_1, R1_3, R2_1, R2_3, R3_1, R3_3:

add bridge=bridge tagged=ether1,ether2,ether3,ether4 vlan-
ids=10,20,30,40

add bridge=bridge tagged=ether1,ether2 vlan-ids=10,20,30,40
Note: Make sure you add all the needed VLAN IDs and ports to the bridge VLAN table,
otherwise your device will not forward all required VLANs and/or you will loose access to the
device. You can read about how to set up management ports with bridge VLAN filtering at
the Management port section.
We need to assign a region name for each bridge that we want to be in a single MSTP region,
you can also specify the region revision, but it is optional, though they need to match. In this
example if all bridges will have the same region name, then they will all be in a single MSTP
bridge. In this case we want to separate a group of 3 bridges in a different MSTP region to do
load balancing per VLAN group and to create diversity and scalability.
 Set appropriate region name (and region revision) for each bridge, use the following
commands on each device (change the region name!):
/interface bridge
set bridge region-name=Rx region-revision=1
After we have created 3 different MSTP regions, we need to decide which device is going to be
a regional root for each VLAN group. For consistency we are going to set the first device (_1)
in each region as the regional root for VLAN 10,20 and the third device (_3) in each region as
the regional root for VLAN 30,40. This can be done by creating a MST Instance for each VLAN
group and assigning a bridge priority to it. The MST Instance identifier is only relevant inside a
MSTP region, outside a MSTP region these identifiers can be different and mapped to a
different VLAN group.
/interface bridge msti

add bridge=bridge identifier=1 priority=0x1000 vlan-mapping=10,20


Now we need to override the port path-cost and/or port priority for each MST Instance. This
can be done by adding a MST-Override entry for each port and each MST Instance. To
achieve that for a certain MST Instance the traffic flow path is different, we simply need to
make sure that the port path cost and/or priority is larger. We can either increase the port path
cost or either decrease the port path cost to ports that are facing towards the regional root
bridge. It doesn't matter if you increase or decrease all values, it is important that at the end
one port's path cost is larger than the other's.
/interface bridge port mst-override

add identifier=2 interface=ether1 internal-path-cost=5


In this case for VLAN 10,20 to reach the third device from the first device it would choose
between ether1 and ether2, one port will be blocked and set as an alternate port, ether1 will
have path cost as 5+9=14 and ether2 will have path cost as 10 , ether2 will be elected as the
root port for MSTI1 on the third device. In case for VLAN 30,40 to reach the first device from
the third device, ether1 will have path cost as 5+9=14 and ether2 will have path cost as 15 ,
ether1 will be elected as the root port for MSTI2 on the third device.
Now we can configure the root ports for MSTI0, in which will fall under all VLANs that are not
assigned to a specific MST Instance, like in our example VLAN 10,20 and VLAN 30,40. To
configure this special MST Instance, you will need to specify internal-path-cost to a
bridge port. This value is only relevant to MSTP regions, it does not have any effect outside a
MSTP region. In this example will choose that all unknown VLANs will be forwarded over the
same path as VLAN 30,40, we will simply increase the path cost on one of the ports.

set [find where interface=ether3] internal-path-cost=25
At this point a single region MSTP can be considered as configured and in general MSTP is
fully functional. It is highly recommended to configure the CIST part, but for testing purposes it
can be left with the default values. Before doing any tests, you need to enable MSTP on all
bridges.
 Use the following commands on all devices:
/interface bridge
set bridge protocol-mode=mstp vlan-filtering=yes
When MSTP regions have been configured, you can check if they are properly configured by
forwarding traffic, for example, send tagged traffic from the first device to the third device and
change the VLAN ID for the tagged traffic to observe different paths based on VLAN ID. When
this is working as expected, then you can continue to configure CIST related parameters to
elect a CIST root bridge and CIST root ports. For consistency we will choose the first device in
the first region to be the CIST root bridge and to ensure the consistency in case of failure we
can set a higher priority to all other bridges.
 Use the following commands on R1_1:
/interface bridge
set bridge priority=0x1000
/interface bridge
 ...
/interface bridge
We also need to elect a root port on each bridge, for simplicity we will choose the port that is
closest to Ŗ1_1 as the root port and has the least hops. At this point the procedure to elect root
ports is the same as the procedure in (R)STP.

set [find where interface=ether2] path-cost=30
 Use the following commands on R1_3 and R2_3:


Manual:Switch Chip Features
Applies to RouterOS:v6.0 +
Contents
[hide]
 1Introduction
 2Features
o 2.1Port Switching
 2.1.1Bridge Hardware Offloading
 2.1.2Switch All Ports Feature
o 2.2Port Mirroring
o 2.3Hosts Table
o 2.4VLAN Table
o 2.5Rule Table
o 2.6Port isolation
o 2.7Statistics
 3Setup Examples
o 3.1VLAN Example 1 (Trunk and Access Ports)
o 3.2VLAN Example 2 (Trunk and Hybrid Ports)
o 3.3Management port configuration
 3.3.1Tagged
 3.3.2Untagged
 3.3.3Untagged from tagged port
o 3.4Spanning Tree Protocol
Introduction
There are several types of switch chips on Routerboards and they have a different set of
features. Most of them (from now on "Other") have only basic "Port Switching" feature, but
there are few with more features:
Capabilities of switch chips:
Feature QCA8337 Atheros8327 Atheros8316 Atheros822
Port Switching yes yes yes yes
Port Mirroring yes yes yes yes
Host table 2048 entries 2048 entries 2048 entries 1024 entries
Vlan table 4096 entries 4096 entries 4096 entries 4096 entries
Rule table 92 rules 92 rules 32 rules no

Note: Cloud Router Switch (CRS) series devices have highly advanced switch chips built-in,
they support wide variety of features. For more details about switch chip capabilities on
CRS1xx/CRS2xx series devices check theCRS1xx/CRS2xx series switches manual, for
CRS3xx series devices check the CRS3xx series switches manual.
RouterBoard
RB1100AHx4
RB750Gr3 (hEX), RB760iGS (hEX S)
RB3011 series
RB OmniTik ac series
RB941-2nD (hAP lite)
RB951Ui-2nD (hAP); RB952Ui-5ac2nD (hAP ac lite); RB750r2 (hEX lite); RB750UPr2 (hEX PoE lite); RB750P-PBr2 (PowerB
(OmniTIK 5); RBOmniTikUPA-5HnDr2 (OmniTIK 5 PoE)
RB750Gr2 (hEX); RB962UiGS-5HacT2HnT (hAP ac); RB960PGS (hEX PoE); RB960PGS-PB (PowerBox Pro)
RB953GS
RB850Gx2
RB2011 series
RB750GL; RB751G-2HnD; RB951G-2HnD; RBD52G-5HacD2HnD (hAP ac²)
cAP ac
RB1100AH
RB1100AHx2
CCR1009 series
RB493G
RB435G
RB450G
RB433GL
RB750G
RB1200
RB1100
RB750
RB750UP
RB751U-2HnD
RB951-2n
RB951Ui-2HnD
RB433 series
RB450
RB493 series
RB816
Command line config is under /interface ethernet switch menu. This menu contains a
list of all switch chips present in system, and some sub-menus as well. /interface
ethernet switch menu list item represents a switch chip in system:
[admin@MikroTik] /interface ethernet switch> print

Flags: I - invalid
# NAME TYPE MIRROR-SOURCE MIRROR-TARGET
0 switch1 Atheros-8316 ether2 none
Depending on switch type there might be available or not available some configuration
capabilities.
Atheros8316 packet flow diagram
Features
Port Switching
Switching feature allows wire speed traffic passing among a group of ports, like the ports were
a regular ethernet switch. You configure this feature by setting a "master-port" property to one
ore more ports in /interface ethernet menu. A 'master' port will be the port through which
the RouterOS will communicate to all ports in the group. Interfaces for which the 'master' port is
specified become inactive - no traffic is received on them and no traffic can be sent out.
For example consider a router with five ethernet interfaces:
[admin@MikroTik] > interface ethernet print

# NAME MTU MAC-ADDRESS ARP MASTER-PORT
SWITCH
0 R ether1 1500 00:0C:42:3E:5D:BB enabled
1 ether2 1500 00:0C:42:3E:5D:BC enabled none
switch1
2 ether3 1500 00:0C:42:3E:5D:BD enabled none
switch1
3 ether4 1500 00:0C:42:3E:5D:BE enabled none
switch1
4 R ether5 1500 00:0C:42:3E:5D:BF enabled none
switch1
And you configure a switch containing three ports ether3, ether4 and ether5:
[admin@MikroTik] /interface ethernet> set ether4,ether5 master-

port=ether3
[admin@MikroTik] /interface ethernet> print
SWITCH
0 R ether1 1500 00:0C:42:3E:5D:BB enabled
1 ether2 1500 00:0C:42:3E:5D:BC enabled none
switch1
2 R ether3 1500 00:0C:42:3E:5D:BD enabled none
switch1
3 S ether4 1500 00:0C:42:3E:5D:BE enabled ether3
switch1
4 RS ether5 1500 00:0C:42:3E:5D:BF enabled ether3
switch1
ether3 is now the master port of the group. Note: you can see that previously a link was
detected only on ether5, but now as the ether3 is a 'master' the running flag is propagated to
master port.
In essence this configuration is the same as if you had a RouterBoard with 3 ethernet
interfaces with ether3 connected to ethernet switch that has 4 ports:
A more general diagram of RouterBoard with switch chip that has 5 port switch chip:
Here you can see that, a packet that gets received by one of the ports always passes through
the switch logic at first. Switch logic decides to which ports the packet should be going to.
Passing packet 'up' or giving it to RouterOS is also called sending it to switch chips 'cpu' port.
That means that at the point switch forwards the packet to cpu port the packet starts to get
processed by RouterOS as some interfaces incoming packet. While the packet does not have
to go to cpu port it is handled entirely by switch logic and does not require any cpu cycles and
happen at wire speed for any frame size.
Bridge Hardware Offloading
Since RouterOS v6.41 there are user interface changes which convert RouterBoard master-
port configuration into a bridge with hardware offloading. From now on bridges will handle all
Layer2 forwarding and the use of switch chip ( hw-offload ) will automatically turn on if
appropriate conditions are met. The rest of RouterOS Switch features remain untouched in
usual menus. By default all newly created bridge ports have hw=yes option and it allows
enabling of hw-offload when possible. If such functionality is not required, it can be disabled
by hw=no on bridge port to have completely software operated bridging.
Note: Downgrading to previous RouterOS versions will not restore master-port configuration.
The bridge with no hw-offload will appear instead and master-port configuration will have to be
redone from the beginning.
Following table states what features currently in v6.41 keeps bridge hardware offloading
enabled on certain RouterBoard and switch chip models.
Notes:
 Enabling this feature maintains hw-offload: +

 Enabling this feature turns off hw-offload: -
RouterBoard/[Switc Features in Bridge Bridge Bridge IGMP Bridge VLAN Bon

h Chip] Model Switch menu STP/RSTP MSTP Snooping Filtering ding
CRS3xx series + + + + + +
CRS1xx/CRS2xx
+ + - + - -
series
[QCA8337] + + - - - -
[AR8327] + + - - - -
[AR8227] + + - - - -
RouterBoard/[Switc Features in Bridge Bridge Bridge IGMP Bridge VLAN Bon
h Chip] Model Switch menu STP/RSTP MSTP Snooping Filtering ding
[AR8316] + + - - - -
[AR7240] + + - - - -
[MT7621] + - - - - -
RB1100AHx4
+ - - - - -
[RTL8367]
[ICPlus175D] + - - - - -
 Port switching with master-port configuration before v6.41
[admin@MikroTik] > interface ethernet export

/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
[admin@MikroTik] >

# NAME MTU MAC-ADDRESS ARP MASTER-
PORT SWITCH
0 R ether1 1500 D4:CA:6D:E2:64:64 enabled none
switch1
switch1
2 RS ether3 1500 D4:CA:6D:E2:64:66 enabled ether2
switch1
switch1
switch1
[admin@MikroTik] >
 Port switching with bridge configuration and enabled hw-offload since v6.41
[admin@MikroTik] > interface bridge export

/interface bridge
add name=bridge1 igmp-snooping=no protocol-mode=none
[admin@MikroTik] >
[admin@MikroTik] > interface bridge port print

# INTERFACE BRIDGE HW PVID PRIORITY
PATH-COST INTERNAL-PATH-COST HORIZON
0 H ether2 bridge1 yes 1 0x80
10 10 none
10 10 none
10 10 none
10 10 none
[admin@MikroTik] >
Switch All Ports Feature

Ether1 port on RB450G/RB435G/RB850Gx2 has a feature that allows it to be removed/added
to the default switch group. By default ether1 port will be included in the switch group. This
configuration can be changed with /interface ethernet switch set switch1 switch-
all-ports=no
 switch-all-ports=yes/no -
"yes" means ether1 is part of switch and supports switch grouping, and all other advanced
Atheros8316/Atheros8327 features including extended statistics ( /interface ethernet
print stats ).
"no" means ether1 is not part of switch, effectively making it as stand alone ethernet port, this
way increasing its throughput to other ports in bridged, and routed mode, but removing the
switching possibility on this port.
Port Mirroring
Port mirroring lets switch 'sniff' all traffic that is going in and out of one port (mirror-source) and
send a copy of those packets out of some other port (mirror-target). This feature can be used
to easily set up a 'tap' device that receives all traffic that goes in/out of some specific port. Note
that mirror-source and mirror-target ports have to belong to same switch. (See which port
belong to which switch in /interface ethernet menu). Also mirror-target can have a
special 'cpu' value, which means that 'sniffed' packets should be sent out of switch chips cpu
port. Port mirroring happens independently of switching groups that have or have not been set
up.
 Port mirroring configuration example:
/interface ethernet switch

set switch1 mirror-source=ether2 mirror-target=ether3
Warning: If you set mirror-source as a Ethernet port for a device with at least two switch chips
and these mirror-source ports are in a single bridge while mirror-target for both switch chips are
set to send the packets to the CPU, then this will result in a loop, which can make your device
inaccessible.
Hosts Table
Basically the hosts table represents switch chips internal mac address to port mapping. It can
contain two kinds of entries: dynamic and static. Dynamic entries get added automatically, this
is also called a learning process: when switch chip receives a packet from certain port, it adds
the packets source mac address X and port it received the packet from to host table, so when
a packet comes in with destination mac address X it knows to which port it should forward the
packet. If the destination mac address is not present in host table then it forwards the packet to
all ports in the group. Dynamic entries take about 5 minutes to time out. Learning is enabled
only on ports that are configured as part of switch group. So you won't see dynamic entries if
you have not specified some 'master-ports'. Also you can add static entries that take over
dynamic if dynamic entry with same mac-address already exists. Also by adding a static entry
you get access to some more functionality that is controlled via following params:
 copy-to-cpu=yes/no - a packet can be cloned and sent to cpu port

 redirect-to-cpu=yes/no - a packet can be redirected to cpu port
 mirror=yes/no - a packet can be cloned and sent to mirror-target port configured in
"/interface ethernet switch"
 drop=yes/no - a packet with certain mac address coming from certain ports can be
dropped
copy-to-cpu, redirect-to-cpu, mirror actions are performed for packets which destination mac
matches mac address specified in entry drop action is performed for packets which source mac
address matches mac address specified in entry
Another possibility for static entries is that mac address can be mapped to more that one port,
including 'cpu' port.
VLAN Table
Vlan table specifies certain forwarding rules for packets that have specific 802.1q tag. Those
rules are of higher priority than switch groups configured using 'master-port' property. Basically
the table contains entries that map specific vlan tag ids to a group of one or more ports.
Packets with vlan tags leave switch chip through one or more ports that are set in
corresponding table entry. The exact logic that controls how packets with vlan tags are treated
is controlled by vlan-mode parameter that is changeable per switch port in /interface
ethernet switch port menu. Vlan-mode can take following values:
 disabled - ignore vlan table, treat packet with vlan tags just as if they did not contain a vlan
tag;
 fallback - the default mode - handle packets with vlan tag that is not present in vlan table
just like packets without vlan tag. Packets with vlan tags that are present in vlan table, but
incoming port does not match any port in vlan table entry does not get dropped.
 check - drop packets with vlan tag that is not present in vlan table. Packets with vlan tags
that are present in vlan table, but incoming port does not match any port in vlan table entry
does not get dropped.
 secure - drop packets with vlan tag that is not present in vlan table. Packets with vlan tags
that are present in vlan table, but incoming port does not match any port in vlan table entry
get dropped.
Vlan tag id based forwarding takes into account the MAC addresses dynamically learned or
manually added in the host table. QCA8337 and AR8327 switch-chips also support
Independent VLAN learning (IVL) which does the learning based on both MAC addresses and
VLAN IDs thus allowing the same MAC to be used in multiple VLANs. The option
"independent-learning" in VLAN table entries enables this feature.
Packets without vlan tag are treated just like if they had a vlan tag with port default-vlan-
id. This means that if "vlan-mode=check or secure" to be able to forward packets without vlan
tags you have to add a special entry to vlan table with the same vlan id set according
to default-vlan-id.
Vlan-header option (configured in /interface ethernet switch port ) sets the VLAN tag
mode on egress port. Starting from RouterOS version 6 this option works with QCA8337,
AR8316, AR8327, AR8227 and AR7240 switch chips and takes the following values:
 leave-as-is - packet remains unchanged on egress port;

 always-strip - if VLAN header is present it is removed from the packet;
 add-if-missing - if VLAN header is not present it is added to the packet.
Rule Table
Rule table is very powerful tool allowing wire speed packet filtering, forwarding and vlan
tagging based on L2,L3,L4 protocol header field condition.
Each rule contains a conditions part and an action part. Action part is controlled by following
parameters:
 copy-to-cpu=yes/no - clones matching packets and sends them to cpu port;

 redirect-to-cpu=yes/no - redirects matching packets to cpu port;
 mirror=yes/no - clones matching packets and send them to mirror-target port;
 new-dst-ports - if set forces the destination port to be as specified, multiple ports allowed,
including cpu port. Non obvious feature of this parameter is to pass empty list of ports to
drop matching packets;
 new-vlan-id (only applies to Atheros8316) - if specified changes the vlan tag id, or add
new vlan tag if one was not present;
 new-vlan-priority - if specified changes the vlan tag priority bits;
 rate (only applies to Atheros8327/QCA8337) - Sets limitation (bits per second) for all
matched traffic. Can only be applied to first 32 rule slots.
Conditions part is controlled by rest of parameters:
 ports - match port that packet came in from (multiple ports allowed);
 mac layer conditions

 dst-mac-address - match by destination mac address and mask;
 src-mac-address - ...;
 vlan-header - match by vlan header presence;
 vlan-id (only applies to Atheros8316) - match by vlan tag id;
 vlan-priority (only applies to Atheros8316) - match by priority in vlan tag;
 mac-protocol - match by mac protocol (skips vlan tags if any);
 ip conditions
 dst-address - match by destination ip and mask;
 src-address - match by source ip and mask;
 dscp - match by ip dscp field;
 protocol - match by ip protocol;
 ipv6 conditions
 dst-address6 - match by destination ip and mask;
 src-address6 - match by source ip and mask;
 flow-label - match by ipv6 flow label;
 traffic-class - match by ipv6 traffic class;
 protocol - match by ip protocol;
 L4 conditions
 src-port - match by tcp/udp source port range;
 dst-port - match by tcp/udp destination port range;
IPv4 and IPv6 specific conditions cannot be present in same rule. Menu contains ordered list of
rules just like in /ip firewall filter . Due to the fact that the rule table is processed
entirely in switch chips hardware there is limitation to how many rules you may have.
Depending on the amount of conditions (MAC layer, IP layer, IPv6, L4 layer) you use in your
rules the amount of active rules may vary from 8 to 32 for Atheros8316 switch chip and from 24
to 96 for Atheros8327/QCA8337 switch chip. You can always do /interface ethernet
switch rule print after modifying your rule set to see that no rules at the end of the list
are 'invalid' which means those rules did not fit into the switch chip.
Port isolation
Since RouterOS v6.43rc11 it is possible to create an uplink port and isolated ports. Such a
configuration allows each device connected to a switch port to be isolated from other ports and
these isolated ports are only capable of communicating with other devices through the uplink
port. This kind of configuration can also be called Private VLAN configuration, the Switch will
forward all Ethernet frames directly to the uplink port allowing the Router to filter unwanted
packets and limit access between devices that are behind switch ports.
Switch port isolation
To configure switch port isolation, you need to switch all required ports:
/interface bridge
add name=bridge1 protocol-mode=none
add interface=sfp1 bridge=bridge1 hw=yes
add interface=ether1 bridge=bridge1 hw=yes
Override the egress port for each switch port that needs to be isolated (excluding the uplink
port):
/interface ethernet switch port-isolation

set ether1 forwarding-override=sfp1
Note: It is possible to set multiple uplink ports for a single switch chip, this can be done by
specifying multiple interfaces and separating them with a comma.
Statistics
Some switch chips are capable of reporting statistics, this can be useful to monitor how many
packets are sent to the CPU from the built-in switch chip. These statistics can also be used to
monitor CPU Flow Control. You can find an example of switch chip's statistics below:
[admin@MikroTik] > /interface ethernet switch print stats
name: switch1
driver-rx-byte: 221 369 701
driver-rx-packet: 1 802 975
driver-tx-byte: 42 621 969
driver-tx-packet: 310 485
rx-bytes: 414 588 529
rx-packet: 2 851 236
rx-too-short: 0
rx-too-long: 0
rx-broadcast: 1 040 309
rx-pause: 0
rx-multicast: 486 321
rx-fcs-error: 0
rx-align-error: 0
rx-fragment: 0
rx-control: 0
rx-unknown-op: 0
rx-length-error: 0
rx-code-error: 0
rx-carrier-error: 0
rx-jabber: 0
rx-drop: 0
tx-bytes: 44 071 621
tx-packet: 312 597
tx-too-short: 0
tx-too-long: 8 397
tx-broadcast: 2 518
tx-pause: 2 112
tx-multicast: 7 142
tx-excessive-collision: 0
tx-multiple-collision: 0
tx-single-collision: 0
tx-excessive-deferred: 0
tx-deferred: 0
tx-late-collision: 0
tx-total-collision: 0
tx-drop: 0
tx-jabber: 0
tx-fcs-error: 0
tx-control: 2 112
tx-fragment: 0
tx-rx-64: 6 646
tx-rx-65-127: 1 509 891
tx-rx-128-255: 1 458 299
tx-rx-256-511: 178 975
tx-rx-512-1023: 953
tx-rx-1024-1518: 672
tx-rx-1519-max: 0
Some devices have multiple CPU cores that are directly connected to a built-in switch chip
using separate data lanes. These devices can report which data lane was used to forward the
packet from or to the CPU port from the switch chip. For such devices an extra line is added for
each row, the first line represents data that was sent using the first data lane, the second line
represent data that was sent using the second data line and so on. You can find an example of
switch chip's statistics for a device with multiple data lanes connecting the CPU and the built-in
switch chip:
[admin@MikroTik] > /interface ethernet switch print stats

name: switch1
driver-rx-byte: 226 411 248
0
driver-rx-packet: 1 854 971
0
driver-tx-byte: 45 988 067
0
driver-tx-packet: 345 282
0
rx-bytes: 233 636 763
0
rx-packet: 1 855 018
0
rx-too-short: 0
0
rx-too-long: 0
0
rx-pause: 0
0
rx-fcs-error: 0
0
rx-overflow: 0
0
tx-bytes: 47 433 203
0
tx-packet: 345 282
0
tx-total-collision: 0
0
Setup Examples
Note: Make sure you have added all needed interfaces to the VLAN table when using secure
vlan-mode. For routing functions to work properly on the same device through ports that use
secure vlan-mode, you will need to allow access to the CPU from those ports, this can be done
by adding the switchX-cpu interface itself to the VLAN table. Examples can be found at
the Management port section.
Warning: When allowing access to the CPU, you are allowing access from a certain port to the
actual router/switch, this is not always desirable. Make sure you implement proper firewall filter
rules to secure your device when access to the CPU is allowed from a certain VLAN ID and
port, use firewall filter rules to allow access to only certain services.
Note: It is possible to use the built-in switch chip and the CPU at the same time to create a
Switch-Router setup, where a device acts as a switch and as a router at the same time. You
can find a configuration example in theSwitch-Router guide.
VLAN Example 1 (Trunk and Access Ports)

Routerboards with Atheros switch chips can be used for 802.1Q Trunking. This feature in
RouterOS version 6 is supported by QCA8337, AR8316, AR8327, AR8227 and AR7240 switch
chips.
In this example ether3,ether4 and ether5 interfaces are access ports, while ether2 is a trunk port.
VLAN IDs for each access port: ether3 - 200, ether4 - 300, ether5 - 400.
 Create a group of switched ports by selecting one master-port and setting it for other ports.
# pre-v6.41 master-port configuration

/interface ethernet
set ether3 master-port=ether2
# post-v6.41 bridge hw-offload configuration
/interface bridge
add bridge=bridge1 interface=ether2 hw=yes
 Add VLAN table entries to allow frames with specific VLAN IDs between ports.
/interface ethernet switch vlan

add ports=ether2,ether3 switch=switch1 vlan-id=200
 Assign "vlan-mode" and "vlan-header" mode for each port and also "default-vlan-id" on
ingress for each access port.
Setting "vlan-mode=secure" ensures strict use of VLAN table.
Setting "vlan-header=always-strip" for access ports removes VLAN header from frame when it
leaves the switch chip.
Setting "vlan-header=add-if-missing" for trunk port adds VLAN header to untagged frames.
"Default-vlan-id" specifies what VLAN ID is added for untagged ingress traffic of the access
port.
/interface ethernet switch port

set ether2 vlan-mode=secure vlan-header=add-if-missing
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-
id=200
id=300
id=400
VLAN Example 2 (Trunk and Hybrid Ports)
VLAN Hybrid ports which can forward both tagged and untagged traffic are supported only by
some Gigabit switch chips (QCA8337, AR8327)
 Create a group of switched ports.
/interface ethernet
/interface bridge
 Add VLAN table entries to allow frames with specific VLAN IDs between ports.

add ports=ether2,ether3,ether4,ether5 switch=switch1 vlan-id=200
 In switch port menu set "vlan-mode" on all ports and also "default-vlan-id" on planned
hybrid ports.
"Vlan-mode=secure" will ensure strict use of VLAN table.
"Default-vlan-id" will define VLAN for untagged ingress traffic on port.
In Gigabit switch chips when "vlan-mode=secure", it ignores switch port "vlan-header" options.
VLAN table entries handle all the egress tagging/untagging and works as "vlan-header=leave-
as-is" on all ports.
It means what comes in tagged, goes out tagged as well, only "default-vlan-id" frames are
untagged at the egress of port.

set ether2 vlan-mode=secure vlan-header=leave-as-is
set ether3 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=200
Management port configuration

In these examples there will be shown examples for multiple scenarios, but each of these
scenarios require you to have switched ports. Below you can find how to switch multiple ports:
 For RouterOS before v6.41
/interface ethernet
 For RouterOS after v6.41
/interface bridge
In these examples it will be assumed that ether1 is the trunk port and ether2 is the access
port, for configuration as the following:

set ether1 vlan-header=add-if-missing
set ether2 default-vlan-id=100 vlan-header=always-strip
add ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=100
Tagged
In order to make the device accessible only from a certain VLAN, you need to create a new
VLAN interface on the bridge/master-port interface and assign an IP address to it:
/interface vlan
add name=MGMT vlan-id=99 interface=bridge1
/ip address
Specify from which interfaces it is allowed to access the device:

add ports=ether1,switch1-cpu switch=switch1 vlan-id=99
Note: Only specify trunk ports in this VLAN table entry, it is not possible to allow access to the
CPU with tagged traffic through an access port since the access port will tag all ingress traffic
with the specified default-vlan-id value.
When VLAN table is configured, you can enable vlan-mode=secure to limit access to the
CPU:

set ether1 vlan-header=add-if-missing vlan-mode=secure
set ether2 default-vlan-id=100 vlan-header=always-strip vlan-
mode=secure
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure
Untagged
In order to make the device accessible from the access port, create a VLAN interface with the
same VLAN ID as set in default-vlan-id , for example VLAN 100, and add an IP address
to it:
/interface vlan
add name=VLAN100 vlan-id=100 interface=bridge1
/ip address
Specify which access (untagged) ports are allowed to access the CPU:

add ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=100
Warning: Most commonly an access (untagged) port is accompanied with a trunk (tagged)
port. In case of untagged access to the CPU, you are forced to specify both the access port
and the trunk port, this gives access to the CPU from the trunk port as well. Not always this is
desired and Firewall might be required on top of VLAN filtering.
CPU:

set ether1 vlan-header=add-if-missing vlan-mode=secure
set ether2 default-vlan-id=100 vlan-header=always-strip vlan-
mode=secure
Untagged from tagged port

It is possible to allow access to the device from the trunk (tagged) port with untagged traffic. To
do so, assign an IP address on the bridge/master-port interface:
/ip address
Specify the trunk port to be able to access the CPU for the default-vlan-id for the trunk
port, by default it is set to 1:

CPU:

set ether1 default-vlan-id=1 vlan-header=add-if-missing vlan-
mode=secure

Starting from RouterOS v6.38 RouterBoards support Spanning Tree Protocols on ports
configured for switching. This feature is available on following switch chips: QCA8337;
Atheros8327; Atheros8316; Atheros8227; Atheros7240. To enable this feature create
RouterOS bridge interface and add the master-port to it.
 Create a group of switched ports
/interface ethernet
 Create a bridge interface and add the master-port to it
/interface bridge add name=bridge1 protocol=rstp
/interface bridge port add bridge=bridge1 interface=ether1
 Slave ports are dynamically added to the bridge only to show STP status. Forwarding
through switched ports still are handled by hardware switch chip.

HORIZON
none
1 ID ether2 bridge1 0x80 10
none
2 D ether3 bridge1 0x80 10
none
none
anual:CRS1xx/2xx series switches
Contents
[hide]
 1Summary
 2Cloud Router Switch models
 3Cloud Router Switch configuration examples
 4Abbreviations and Explanations
 5Port Switching
o 5.1Bridge Hardware Offloading
 6Global Settings
 7Port Settings
 8Forwarding Databases
o 8.1Unicast FDB
o 8.2Multicast FDB
o 8.3Reserved FDB
 9VLAN
o 9.1VLAN Table
o 9.2Egress VLAN Tag
o 9.3Ingress/Egress VLAN Translation
o 9.4Protocol Based VLAN
o 9.5MAC Based VLAN
o 9.61:1 VLAN Switching
 10Port Isolation/Leakage
 11Trunking
 12Quality of Service
o 12.1Shaper
o 12.2Ingress Port Policer
o 12.3QoS Group
o 12.4DSCP QoS Map
o 12.5DSCP To DSCP Map
o 12.6Policer QoS Map
 13Access Control List
o 13.1ACL
o 13.2ACL Policer
Summary
The Cloud Router Switch series are highly integrated switches with high performance MIPS
CPU and feature-rich packet processor. The CRS switches can be designed into various
Ethernet applications including unmanaged switch, Layer 2 managed switch, carrier switch and
wireless/wired unified packet processing.
Warning: This article applies to CRS1xx and CRS2xx series switches and not to CRS3xx
series switches. For CRS3xx series devices read the CRS3xx series switches manual.
Features
Forwarding  Configurable ports for switching or routing

 Full non-blocking wirespeed switching
 Up to 16k MAC entries in Unicast FDB for Layer
 Up to 1k MAC entries in Multicast FDB for multica
 Up to 256 MAC entries in Reserved FDB for cont
 All Forwarding Databases support IVL and SVL
 Configurable Port based MAC learning limit
 Jumbo frame support (CRS1xx: 4064 Bytes; CRS
 IGMP Snooping support
Mirroring  Various types of mirroring:
 Port based mirroring
 VLAN based mirroring
 MAC based mirroring
 2 independent mirroring analyzer ports
VLAN  Fully compatible with IEEE802.1Q and IEEE802.

 4k active VLANs
 Flexible VLAN assignment:
 Port based VLAN
 Protocol based VLAN
 MAC based VLAN
 From any to any VLAN translation and swapping
 1:1 VLAN switching - VLAN to port mapping
 VLAN filtering
Port Isolation and Leakage  Applicable for Private VLAN implementation

 3 port profile types: Promiscuous, Isolated and C
 Up to 28 Community profiles
 Leakage profiles allow bypassing egress VLAN fi
Trunking  Supports static link aggregation groups
 Up to 8 Port Trunk groups
 Up to 8 member ports per Port Trunk group
 Hardware automatic failover and load balancing
Quality of Service (QoS)  Flexible QoS classification and assignment:
 Port based
 MAC based
 VLAN based
 Protocol based
 PCP/DEI based
 DSCP based
 ACL based
 QoS remarking and remapping for QoS domain t
 Overriding of each QoS assignment according to
Shaping and Scheduling  8 queues on each physical port

 Shaping per port, per queue, per queue group
Access Control List  Ingress and Egress ACL tables

 Up to 128 ACL rules (limited by RouterOS)
 Classification based on ports, L2, L3, L4 protoco
 ACL actions include filtering, forwarding and mod
Cloud Router Switch models

This table clarifies main differences between Cloud Router Switch models.
Switch Wirele SFP+ Access Control Jumbo Frame

Model CPU
Chip ss port List (Bytes)
CRS10
400M
5-5S- QCA-8511 - - + 9204
Hz
FB
CRS10
400M
6-1C- QCA-8511 - - + 9204
Hz
5S
CRS11
400M
2-8G- QCA-8511 - - + 9204
Hz
4S
CRS21
400M
0-8G- QCA-8519 - + + 9204
Hz
2S+
CRS21
2-1G- 400M
QCA-8519 - + + 9204
10S- Hz
1S+
CRS22
400M
6-24G- QCA-8519 - + + 9204
Hz
2S+
CRS12
QCA- 600M
5-24G- - - - 4064
8513L Hz
1S
Switch Wirele SFP+ Access Control Jumbo Frame
Model CPU
Chip ss port List (Bytes)
CRS12
5-24G- QCA- 600M
+ - - 4064
1S- 8513L Hz
2HnD
CRS10
9-8G- QCA- 600M
+ - - 4064
1S- 8513L Hz
2HnD
Cloud Router Switch configuration examples

Abbreviations and Explanations
CVID - Customer VLAN id: inner VLAN tag id of the IEEE 802.1ad frame
SVID - Service VLAN id: outer VLAN tag id of the IEEE 802.1ad frame
IVL - Independent VLAN learning - learning/lookup is based on both MAC addresses and
VLAN IDs.
SVL - Shared VLAN learning - learning/lookup is based on MAC addresses - not on VLAN IDs.
TPID - Tag Protocol Identifier
PCP - Priority Code Point: a 3-bit field which refers to the IEEE 802.1p priority
DEI - Drop Eligible Indicator
DSCP - Differentiated services Code Point
Drop precedence - internal CRS switch QoS attribute used for packet enqueuing or dropping.
Port Switching
Similarly to other RouterBoards, port switching on CRS allows wire-speed traffic forwarding
among a group of ports, like the ports were a regular Ethernet switch. This feature is
configurable by setting a "master-port" property to one or more ports in /interface
ethernet menu . The "master-port" will be the port through which the RouterOS will
communicate to all ports in the group. Interfaces which have the "master-port" specified
become isolated - no traffic can be received and no traffic can be sent out directly from
RouterOS.
Here is a general diagram of RouterBoard with a five port switch chip:
A packet that is received by one of the ports always passes through the switch logic first.
Switch logic decides to which ports the packet should be going to. Passing packet "up" or
giving it to RouterOS is also called sending it to switch chip's “CPU” port. It means at that point
switch forwards the packet to CPU port the packet starts to get processed by RouterOS as
incoming packet of the “master-port”. If the packet does not have to go to “CPU” port, it is
handled entirely by switch logic, does not require any CPU resources and happens at wire-
speed.
Additionally, CRS series switches support multiple “master-port” configurations and have no
port selection limitations for a port group which makes possible many various switched port
combinations with all CRS switch interfaces. But no port can be in more than one switch group.
For example, consider a CRS125 switch with 24 Ethernet interfaces and 1 SFP interface:

SWITCH
0 R ether1 1500 D4:CA:6D:F9:FE:2F enabled none
switch1
1 ether2 1500 D4:CA:6D:F9:FE:30 enabled none
switch1
switch1
switch1
4 R ether5 1500 D4:CA:6D:F9:FE:33 enabled none
switch1
switch1
switch1
switch1
...
switch1
switch1
24 sfp1 1500 D4:CA:6D:F9:FE:47 enabled none
switch1
And there are configured 3 switch groups: 1) ether2, ether3, ether4, ether5, ether6; 2) ether13,
ether14, ether15, ether16, ether17, ether18, ether19, ether20; 3) ether21, ether22, ether23,
ether24, sfp1.
Ports ether1, ether7-ether12 are not switched in this example, they remain as independent
router ports.
[admin@MikroTik] /interface ethernet>

set ether3,ether4,ether5,ether6 master-port=ether2
set ether14,ether15,ether16,ether17,ether18,ether19,ether20 master-
port=ether13
set ether22,ether23,ether24,sfp1 master-port=ether21
[admin@MikroTik] /interface ethernet> print

SWITCH
0 R ether1 1500 D4:CA:6D:F9:FE:2F enabled none
switch1
switch1
2 S ether3 1500 D4:CA:6D:F9:FE:31 enabled ether2
switch1
switch1
4 RS ether5 1500 D4:CA:6D:F9:FE:33 enabled ether2
switch1
switch1
switch1
switch1
switch1
switch1
switch1
11 ether12 1500 D4:CA:6D:F9:FE:3A enabled none
switch1
12 R ether13 1500 D4:CA:6D:F9:FE:3B enabled none
switch1
13 S ether14 1500 D4:CA:6D:F9:FE:3C enabled ether13
switch1
14 S ether15 1500 D4:CA:6D:F9:FE:3D enabled ether13
switch1
15 RS ether16 1500 D4:CA:6D:F9:FE:3E enabled ether13
switch1
16 S ether17 1500 D4:CA:6D:F9:FE:3F enabled ether13
switch1
switch1
switch1
switch1
switch1
switch1
switch1
switch1
24 S sfp1 1500 D4:CA:6D:F9:FE:47 enabled ether21
switch1
Now ether2 is the “master-port” of the group 1, ether13 – of the group 2 and ether21 – of the
group 3.
Note: Previously a link was detected only on interfaces with a physical connection, but now
since the ether2, ether13 and ether21 have connection to CPU, the running flag is propagated
to them, as well.
CRS Port Switching Example
In essence this configuration is the same as if you had a RouterBoard with 10 Ethernet
interfaces and 3 switches:
CRS Port Switching Logic
Note: Dynamic reserved VLAN entries (VLAN4091; VLAN4090; VLAN4089; etc.) are created
in CRS switch when switched port groups are added by setting new master-ports. These
VLANs are necessary for internal operation and have lower precedence than user configured
VLANs.
Note: Multiple master-port configuration is designed as fast and simple port isolation solution,
but it limits a part of VLAN functionality supported by CRS switch-chip. For advanced
configurations use one master-port within CRS switch chip for all ports, configure VLANs and
isolate port groups with port isolation profile configuration.
Bridge Hardware Offloading

Since RouterOS v6.41 there are user interface changes which convert RouterBoard master-
port configuration into a bridge with hardware offloading. From now on bridges will handle all
Layer2 forwarding and the use of switch chip ( hw-offload ) will automatically turn on if
appropriate conditions are met. The rest of RouterOS Switch features remain untouched in
usual menus. By default all newly created bridge ports have hw=yes option and it allows
enabling of hw-offload when possible. If such functionality is not required, it can be disabled
by hw=no on bridge port to have completely software operated bridging.
Following table states what features currently in v6.41 keep bridge hardware offloading
enabled on certain RouterBoard and switch chip models.
Notes:
 Enabling this feature maintains hw-offload: +

 Enabling this feature turns off hw-offload: -
Bridge Bridge Bridge

RouterBoard/[Sw Features in Bridge Bon
STP/RST IGMP VLAN
itch Chip] Model Switch menu MSTP ding
P Snooping Filtering
CRS3xx series + + + + + +
CRS1xx/CRS2xx
+ + - + - -
series
[QCA8337] + + - - - -
Bridge Bridge Bridge
RouterBoard/[Sw Features in Bridge Bon
STP/RST IGMP VLAN
itch Chip] Model Switch menu MSTP ding
P Snooping Filtering
[AR8327] + + - - - -
[AR8227] + + - - - -
[AR8316] + + - - - -
[AR7240] + + - - - -
[MT7621] + - - - - -
RB1100AHx4
+ - - - - -
[RTL8367]
[ICPlus175D] + - - - - -
 Port switching with master-port configuration before v6.41
[admin@MikroTik] > interface ethernet export

/interface ethernet
[admin@MikroTik] >

# NAME MTU MAC-ADDRESS ARP
MASTER-PORT SWITCH
switch1
switch1
switch1
switch1
switch1
[admin@MikroTik] >
 Port switching with bridge configuration and enabled hw-offload since v6.41
[admin@MikroTik] > interface bridge export

/interface bridge
[admin@MikroTik] >
[admin@MikroTik] > interface bridge port print

10 10 none
10 10 none
10 10 none
10 10 none
[admin@MikroTik] >
Global Settings
Sub-menu: /interface ethernet switch
CRS switch chip is configurable from the /interface ethernet switch console menu.
Property
name (string value; Default: switch1) Na
bridge-type (customer-vid-used-as-lookup-vid | service-vid-used-as-lookup-vid; Default: customer-vid- Br

used-as-lookup-vid) VL
mac-level-isolation (yes | no; Default: yes) En
use-svid-in-one2one-vlan-lookup (yes | no; Default: no) W
use-cvid-in-one2one-vlan-lookup (yes | no; Default: yes) W
multicast-lookup-mode Lo
(dst-ip-and-vid-for-ipv4 | dst-mac-and-vid-always;
Default:dst-ip-and-vid-for-ipv4)
unicast-fdb-timeout (time interval; Default: 5m) Tim
override-existing-when-ufdb-full (yes | no; Default: no) En
Property
drop-if-no-vlan-assignment-on-ports (ports; Default: none) Po

is
drop-if-invalid-or-src-port- Po
-not-member-of-vlan-on-ports
(ports; Default: none)
unknown-vlan-lookup-mode (ivl | svl; Default: svl) Lo
forward-unknown-vlan (yes | no; Default: yes) W
Property
bypass-vlan-ingress-filter-for (protocols; Default: none) Pr
pr
ea
bypass-ingress-port-policing-for (protocols; Default: none) Pr

pp
bypass-l2-security-check-filter-for (protocols; Default: none) Pr

pp
Property
ingress-mirror0 (port | trunk,format; Default: none,modified) Th
ingress-mirror1 (port | trunk,format; Default: none,modified) Th
ingress-mirror-ratio (1/32768..1/1; Default: 1/1) Pr
egress-mirror0 (port | trunk,format; Default: none,modified) Th
egress-mirror1 (port | trunk,format; Default: none,modified) Th

egress-mirror-ratio (1/32768..1/1; Default: 1/1) Pr
mirror-egress-if-ingress-mirrored (yes | no; Default: no) W

se
se
mirror-tx-on-mirror-port (yes | no; Default: no)
mirrored-packet-qos-priority (0..7; Default: 0) Re
mirrored-packet-drop-precedence (drop | green | red | yellow; Default: green) Re

or
fdb-uses (mirror0 | mirror1; Default: mirror0) An
vlan-uses (mirror0 | mirror1; Default: mirror0) An
Port Settings
Sub-menu: /interface ethernet switch port
Property
vlan-type (edge-port | network-port; Default: network-port) Po

UF
isolation-leakage-profile-override (yes | no; Default: Cu
!isolation-leakage-profile-override)
isolation-leakage-profile (0..31;)
learn-override (yes | no; Default: !learn-override) En

learn-limit (1..1023; Default: !learn-limit) de
drop-when-ufdb-entry-src-drop (yes | no; Default: yes) En

allow-unicast-loopback (yes | no; Default: no) Un
so
pa
allow-multicast-loopback (yes | no; Default: no) Mu
so
br
action-on-static-station-move (copy-to-cpu | drop | forward | redirect-to-cpu; Default: forward) Ac
drop-dynamic-mac-move (yes | no; Default: no) Pr
Property
allow-fdb-based-vlan-translate (yes | no; Default: no) En
allow-mac-based-service-vlan-assignment-for (all-frames | none | Fr
tagged-frame-only | untagged-and-priority-tagged-frame-only; Default:

none)
allow-mac-based-customer-vlan-assignment-for (all-frames | none | Fr
tagged-frame-only | untagged-and-priority-tagged-frame-only; Default:

none)
default-customer-pcp (0..7; Default: 0) De
default-service-pcp (0..7; Default: 0) De
pcp-propagation-for-initial-pcp (yes | no; Default: no) En
filter-untagged-frame (yes | no; Default: no) W
filter-priority-tagged-frame (yes | no; Default: no) W
filter-tagged-frame (yes | no; Default: no) W

Property
egress-vlan-tag-table-lookup-key (according-to-bridge-type | egress-vid; Default: egress-vid) Eg
egress-vlan-mode (tagged | unmodified | untagged; Default: unmodified) Eg
egress-pcp-propagation (yes | no; Default: no) En
Property
ingress-mirror-to (mirror0 | mirror1 | none; Default: none) An
ingress-mirroring-according-to-vlan (yes | no; Default: no)
egress-mirror-to (mirror0 | mirror1 | none; Default: none) An
Property
qos-scheme-precedence (da-based | dscp-based | ingress-acl-based | pcp-based | protocol-based | sa- Sp

based | vlan-based; Default: pcp-based, sa-based, da-based, dscp-based, protocol-based, vlan-
based)
pcp-or-dscp-based-qos-change-dei (yes | no; Default: no) En
pcp-or-dscp-based-qos-change-pcp (yes | no; Default: no) En
pcp-or-dscp-based-qos-change-dscp (yes | no; Default: no) En

dscp-based-qos-dscp-to-dscp-mapping (yes | no; Default: yes) En
pcp-based-qos-drop-precedence-mapping (PCP/DEI-range:drop-precedence; Default: 0-15:green) Th

ma
pcp-based-qos-dscp-mapping (PCP/DEI-range:DEI; Default: 0-15:0) Th

by
pcp-based-qos-dei-mapping (PCP/DEI-range:DEI; Default: 0-15:0) Th

co
pcp-based-qos-pcp-mapping (PCP/DEI-range:DEI; Default: 0-15:0) Th

co
pcp-based-qos-priority-mapping (PCP/DEI-range:DEI; Default: 0-15:0) Th

se
Property
priority-to-queue (priority-range:queue; Default: 0-15:0,1:1,2:2,3:3) Int
per-queue-scheduling (Scheduling-type:Weight; Se
qu
Default: wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,
wrr-group0:64,wrr-group0:128)
Property
ingress-customer-tpid-override (yes | no; Ing

De
Default:!ingress-customer-tpid-override)
ingress-customer-tpid (0..10000; Default: 0x8100)
egress-customer-tpid-override (yes | no; Default: Eg

va
!egress-customer-tpid-override)
egress-customer-tpid (0..10000; Default:
0x8100)
ingress-service-tpid-override (yes | no; Default: Ing

va
!ingress-service-tpid-override)
ingress-service-tpid (0..10000; Default: 0x88A8)
egress-service-tpid-override (yes | no; Default: Eg

va
!egress-service-tpid-override)
egress-service-tpid (0..10000; Default:
0x88A8)
Property
custom-drop-counter-includes (counters; Default: none) Cu









queue-custom-drop-counter0-includes (counters; Default: none) Cu
an






queue-custom-drop-counter1-includes (counters; Default: none) Cu
an






policy-drop-counter-includes (counters; Default: none) Cu




Forwarding Databases
Unicast FDB
Sub-menu: /interface ethernet switch unicast-fdb
The unicast forwarding database supports up to 16318 MAC entries.

Property
action (action; Default: forward) Ac
disabled (yes | no; Default: no) En
isolation-profile (community1 | community2 | isolated | promiscuous; Default: promiscuous) MA
mac-address (MAC address) Th
mirror (yes | no; Default: no) En
port (port) Ma
qos-group (none; Default: none) De
svl (yes | no; Default: no) Un

vlan-id (0..4095) Un
Multicast FDB
Sub-menu: /interface ethernet switch multicast-fdb
CRS125 switch-chip supports up to 1024 entries in MFDB for multicast forwarding. For each
multicast packet, destination MAC or destination IP lookup is performed in MFDB. MFDB
entries are not automatically learnt and can only be configured.
Property
address (X.X.X.X | XX:XX:XX:XX:XX:XX) Ma
bypass-vlan-filter (yes | no; Default: no) Al
ports (ports) Me
svl (yes | no; Default: no) Mu
vlan-id (0..4095; Default: 0) Mu
Reserved FDB
Sub-menu: /interface ethernet switch reserved-fdb
Cloud Router Switch supports 256 RFDB entries. Each RFDB entry can store either Layer2
unicast or multicast MAC address with specific commands.
Property
action (copy-to-cpu | drop | forward | redirect-to-cpu; Default: forward) Ac

bypass-ingress-port-policing (yes | no; Default: no) Al
bypass-ingress-vlan-filter (yes | no; Default: no) Al
mac-address (MAC address; Default: 00:00:00:00:00:00) Ma
VLAN
VLAN Table
Sub-menu: /interface ethernet switch vlan
The VLAN table supports 4096 VLAN entries for storing VLAN member information as well as
other VLAN information such as QoS, isolation, forced VLAN, learning, and mirroring.
Property
disabled (yes | no; Default: no) Ind

for
flood (yes | no; Default: no) En

en
an
ingress-mirror (yes | no; Default: no) En
learn (yes | no; Default: yes) En
ports (ports) Me
svl (yes | no; Default: no) FD

vlan-id (0..4095) VL
Egress VLAN Tag
Sub-menu: /interface ethernet switch egress-vlan-tag
Egress packets can be assigned different VLAN tag format. The VLAN tags can be removed,
added, or remained as is when the packet is sent to the egress port (destination port). Each
port has dedicated control on the egress VLAN tag format. The tag formats include:
 Untagged
 Tagged
 Unmodified
The Egress VLAN Tag table includes 4096 entries for VLAN tagging selection.
Property
tagged-ports (ports) Po
vlan-id (0..4095) VL
Ingress/Egress VLAN Translation

The Ingress VLAN Translation table allows for up to 16 entries for each port. One or multiple
fields can be selected from packet header for lookup in the Ingress VLAN Translation table.
The S-VLAN or C-VLAN or both configured in the first matched entry is assigned to the packet.
Sub-menu: /interface ethernet switch ingress-vlan-translation
Sub-menu: /interface ethernet switch egress-vlan-translation
Property
customer-dei (0..1; Default: none) Ma
customer-pcp (0..7; Default: none) Ma
customer-vid (0..4095; Default: none) Ma

customer-vlan-format (any | priority-tagged-or-tagged | tagged | untagged-or-tagged; Default:any) Ty
new-customer-vid (0..4095; Default: none) Th

tra
new-service-vid (0..4095; Default: none) Th
pcp-propagation (yes | no; Default: no) En
ports (ports) Ma
protocol (protocols; Default: none) Ma
sa-learning (yes | no; Default: no) En
service-dei (0..1; Default: none) Ma
service-pcp (0..7; Default: none) Ma
service-vid (0..4095; Default: none) Ma
service-vlan-format (any | priority-tagged-or-tagged | tagged | untagged-or-tagged; Default:any) Ty
Below is a table of traffic that triggers a rule that has a certain VLAN format set, note that traffic
that is tagged with VLAN ID 0 is a special case that is also taken into account.
Property
any Ac





priority-tagged-or-tagged Ac




tagged Ac


untagged-or-tagged Ac



Warning: If VLAN-format is set to any , then customer-vid/service-vid set

to 0 will trigger the switch rule with VLAN 0 traffic. In this case the switch rule will be looking
for untagged traffic or traffic with VLAN 0 tag, only untagged-or-tagged will filter out
VLAN 0 traffic in this case.
Protocol Based VLAN
Sub-menu: /interface ethernet switch protocol-based-vlan
Protocol Based VLAN table is used to assign VID and QoS attributes to related protocol packet
per port.
Property
frame-type (ethernet | llc | rfc-1042; Default: ethernet) En
new-customer-vid (0..4095; Default: 0) Th

the
new-service-vid (0..4095; Default: 0) Th
ports (ports) Ma
protocol (protocol; Default: 0) Ma

set-customer-vid-for (all | none | tagged | untagged-or-priority-tagged; Default: all) Cu
set-qos-for (all | none | tagged | untagged-or-priority-tagged; Default: none) Fr
set-service-vid-for (all | none | tagged | untagged-or-priority-tagged; Default: all) Se
MAC Based VLAN
Sub-menu: /interface ethernet switch mac-based-vlan
MAC Based VLAN table is used to assign VLAN based on source MAC.
Property
new-customer-vid (0..4095; Default: 0) Th

the
new-service-vid (0..4095; Default: 0) Th
src-mac-address (MAC address) Ma
Note: All CRS1xx/2xx series switches support up to 1024 MAC Based VLAN table entries.
1:1 VLAN Switching
Sub-menu: /interface ethernet switch one2one-vlan-switching
1:1 VLAN switching can be used to replace the regular L2 bridging for matched packets. When
a packet hits an 1:1 VLAN switching table entry, the destination port information in the entry is
assigned to the packet. The matched destination information in UFDB and MFDB entry no
longer applies to the packet.
Property
customer-vid (0..4095; Default: 0) Ma

dst-port (port) De
service-vid (0..4095; Default: 0) Ma
Port Isolation/Leakage
Sub-menu: /interface ethernet switch port-isolation
Sub-menu: /interface ethernet switch port-leakage
The CRS switches support flexible multi-level isolation features, which can be used for user
access control, traffic engineering and advanced security and network management. The
isolation features provide an organized fabric structure allowing user to easily program and
control the access by port, MAC address, VLAN, protocol, flow and frame type. The following
isolation and leakage features are supported:
 Port-level isolation
 MAC-level isolation
 VLAN-level isolation
 Protocol-level isolation
 Flow-level isolation
 Free combination of the above
Port-level isolation supports different control schemes on source port and destination port.
Each entry can be programmed with access control for either source port or destination port.
 When the entry is programmed with source port access control, the entry is
applied to the ingress packets.
 When the entry is programmed with destination port access control, the entry
is applied to the egress packets.
Port leakage allows bypassing egress VLAN filtering on the port. Leaky port is allowed to
access other ports for various applications such as security, network control and management.
Note: When both isolation and leakage is applied to the same port, the port is isolated.
Property
flow-id (0..63; Default: none)

forwarding-type (bridged; routed; Default: bridged,routed) Ma
mac-profile (community1 | community2 | isolated | promiscuous; Default: none) Ma
port-profile (0..31; Default: none) Ma
ports (ports; Default: none) Iso
protocol-type (arp; nd; dhcpv4; dhcpv6; ripv1; Default: arp,nd,dhcpv4,dhcpv6,ripv1) Inc
registration-status (known; unknown; Default: known,unknown) Re
traffic-type (unicast; multicast; broadcast; Default: unicast,multicast,broadcast) Ma
type (dst | src; Default: src) Lo
vlan-profile (community1 | community2 | isolated | promiscuous; Default: none) Ma
Trunking
Sub-menu: /interface ethernet switch trunk
The Trunking in the Cloud Router Switches provides static link aggregation groups with
hardware automatic failover and load balancing. IEEE802.3ad and IEEE802.1ax compatible
Link Aggregation Control Protocol is not supported yet. Up to 8 Trunk groups are supported
with up to 8 Trunk member ports per Trunk group. CRS Port Trunking calculates transmit-hash
based on all following parameters: L2 src-dst MAC + L3 src-dst IP + L4 src-dst Port.
Property
member-ports (ports) Me
name (string value; Default: trunkX) Na
Quality of Service
Shaper
Sub-menu: /interface ethernet switch shaper

Traffic shaping restricts the rate and burst size of the flow which is transmitted out from the
interface. The shaper is implemented by a token bucket. If the packet exceeds the maximum
rate or the burst size, which means no enough token for the packet, the packet is stored to
buffer until there is enough token to transmit it.
Property
burst (integer; Default: 100k) Ma
meter-unit (bit | packet; Default: bit) Me
port (port) Ph
rate (integer; Default: 1M) Ma
target (port | queueX | wrr-groupX; Default: port) Th
Ingress Port Policer
Sub-menu: /interface ethernet switch ingress-port-policer
Property
burst (integer; Default: 100k) Ma
meter-len (layer-1 | layer-2 | layer-3; Default: layer-1) Pa

new-dei-for-yellow (0..1 | remap; Default: none) Re
new-dscp-for-yellow (0..63 | remap; Default: none) Re
new-pcp-for-yellow (0..7 | remap; Default: none) Re
packet-types (packet-types; Default: all types from description) Ma
port (port) Ph
rate (integer) Ma
yellow-action (drop | forward | remark; Default: drop) Pe
QoS Group
Sub-menu: /interface ethernet switch qos-group
The global QoS group table is used for VLAN-based, Protocol-based and MAC-based QoS
group assignment configuration.
Property
dei (0..1; Default: none) Th
drop-precedence (drop | green | red | yellow; Default: green) Dr
dscp (0..63; Default: none) Th
name (string value; Default: groupX) Na
pcp (0..7; Default: none) Th
priority (0..15; Default: 0) Int

(1
DSCP QoS Map
Sub-menu: /interface ethernet switch dscp-qos-map

The global DSCP to QOS mapping table is used for mapping from DSCP of the packet to new
QoS attributes configured in the table.
Property
dei (0..1) Th
drop-precedence (drop | green | red | yellow) Th
pcp (0..7) Th
priority (0..15) Th
DSCP To DSCP Map
Sub-menu: /interface ethernet switch dscp-to-dscp
The global DSCP to DSCP mapping table is used for mapping from the packet's original DSCP
to new DSCP value configured in the table.
Property
new-dscp (0..63) Th
Policer QoS Map
Sub-menu: /interface ethernet switch policer-qos-map
Property
dei-for-red (0..1; Default: 0) Po
dei-for-yellow (0..1; Default: 0) Po
dscp-for-red (0..63; Default: 0) Po
dscp-for-yellow (0..63; Default: 0) Po
pcp-for-red (0..7; Default: 0) Po
pcp-for-yellow (0..7; Default: 0) Po

Access Control List
Note: See Summary section for Access Control List supported Cloud Router Switch devices.
Access Control List contains of ingress policy and egress policy engines and allows to
configure up to 128 policy rules (limited by RouterOS). It is advanced tool for wire-speed
packet filtering, forwarding, shaping and modifying based on Layer2, Layer3 and Layer4
protocol header field conditions.
ACL
Sub-menu: /interface ethernet switch acl
ACL condition part for MAC related fields of packets.

Property
table (egress | ingress; Default: ingress) Se
invert-match (yes | no; Default: no) Inv
src-ports (ports,trunks) Ma
dst-ports (ports,trunks) Ma
mac-src-address (MAC address/Mask) So
mac-dst-address (MAC address/Mask) De
dst-addr-registered (yes | no) De

UF
mac-protocol (802.2 | arp | ip | ipv6 | ipx | length | Et
mpls-multicast | mpls-unicast | pppoe | pppoe-discovery | rarp |


vlan or integer: 0..65535 decimal format or 0x0000-0xffff hex format) 









drop-precedence (drop | green | red | yellow) Ma
custom-fields
ACL condition part for VLAN related fields of packets.

Property
lookup-vid (0..4095) VL
service-vid (0-4095) Ma
service-pcp (0..7) Ma
service-dei (0..1) Ma
service-tag (priority-tagged | tagged | tagged-or-priority-tagged | untagged) Fo
customer-vid (0-4095) Ma
customer-pcp (0..7) Ma
customer-dei (0..1) Ma
customer-tag (priority-tagged | tagged | tagged-or-priority-tagged | untagged) Fo
priority (0..15) Ma
ACL condition part for IPv4 and IPv6 related fields of packets.
Property
ip-src (IPv4/0..32) Ma
ip-dst (IPv4/0..32) Ma
ip-protocol (tcp | udp | udp-lite | other) IP
src-l3-port (0-65535) Ma
dst-l3-port (0-65535) Ma
ttl (0 | 1 | max | other) Ma
dscp (0..63) Ma
ecn (0..3) Ma
fragmented (yes | no) W
first-fragment (yes | no) YE
ipv6-src (IPv6/0..128) Ma
ipv6-dst (IPv6/0..128) Ma
mac-isolation-profile (community1 | community2 | isolated | promiscuous) Ma
src-mac-addr-state (dynamic-station-move | sa-found | sa-not-found | static-station-move) De

UF
flow-id (0..63)
ACL rule action part.

Property
action (copy-to-cpu | drop | forward |
redirect-to-cpu | send-to-new-dst-ports; Default:

forward)
new-dst-ports (ports,trunks) If a
mirror-to (mirror0 | mirror1) Mi
policer (policer) Ap
src-mac-learn (yes | no) W
new-service-vid (0..4095) Ne
new-service-pcp (0..7) Ne
new-service-dei (0..1) Ne
new-customer-vid (0..4095) Ne
new-customer-pcp (0..7) Ne
new-customer-dei (0..1) Ne
new-dscp (0..63) Ne
new-priority (0..15) Ne
new-drop-precedence (drop | green | red | yellow) Ne
new-registered-state (yes | no) W

ing
new-flow-id (0..63)
Filter bypassing part for ACL packets.

Property
attack-filter-bypass (yes | no; Default: no)
ingress-vlan-filter-bypass (yes | no; Default: no) Al

tab
egress-vlan-filter-bypass (yes | no; Default: no) Al

tab
isolation-filter-bypass (yes | no; Default: no) Al
egress-vlan-translate-bypass (yes | no; Default: no) Al

ACL Policer
Sub-menu: /interface ethernet switch acl policer
Property
name (string; Default: policerX) Na
yellow-rate (integer) Ma
yellow-burst (integer; Default: 0) Ma

pr
red-rate (integer); Default: 0) Ma
red-burst (integer; Default: 0) Ma

pr
meter-len (layer-1 | layer-2 | layer-3; Default: layer-1) Pa
color-awareness (yes | no; Default: no) YE
bucket-coupling (yes | no; Default: no)
yellow-action (drop | forward | remark; Default: drop) Pe
new-dei-for-yellow (0..1 | remap) Ne
new-pcp-for-yellow (0..7 | remap) Ne
new-dscp-for-yellow (0..63 | remap) Ne
red-action (drop | forward | remark; Default: drop) Pe
new-dei-for-red (0..1 | remap) Ne
new-pcp-for-red (0..7 | remap) Ne

new-dscp-for-red (0..63 | remap) Ne
Manual:CRS3xx series switches
Contents
[hide]
 1Summary
o 1.1Features
o 1.2Models
o 1.3Abbreviations
 2Port Switching
o 2.1Example
 3Host Table
o 3.1Example
 4VLAN
o 4.1VLAN Filtering
o 4.2VLAN Table
o 4.3Setup examples
 4.3.1Port Based VLAN
 4.3.2MAC Based VLAN
 4.3.3Protocol Based VLAN
 4.3.4VLAN Tunneling (Q-in-Q)
 4.3.5Ingress VLAN translation
 5(R/M)STP
 6Bonding
 7Port isolation
 8IGMP Snooping
 9Mirroring
 10Quality of Service (QoS)
 11Traffic Storm Control
 12MPLS hardware offloading
 13Switch Rules (ACL)
 14Port Security
 15Dual Boot
 16Configuring SwOS using RouterOS
 17See also
Summary
The Cloud Router Switch series are highly integrated switches with high performance ARM
CPU and feature-rich packet processor. The CRS switches can be designed into various
Ethernet applications including unmanaged switch, Layer 2 managed switch, carrier switch and
wired unified packet processing.
Warning: This article applies to CRS3xx series switches and not to CRS1xx/CRS2xx series
switches.
Features
Features
Forwarding  Configurable ports for switching or routing
 Full non-blocking wirespeed switching
 Up to 16k MAC entries in Unicast FDB for Layer 2 u
 Forwarding Databases works based on IVL
 Jumbo frame support
 IGMP Snooping support
Mirroring  Various types of mirroring:
 Port based mirroring
 VLAN based mirroring
 MAC based mirroring
VLAN  Fully compatible with IEEE802.1Q and IEEE802.1ad

 4k active VLANs
 Flexible VLAN assignment:
 Port based VLAN
 Protocol based VLAN
 MAC based VLAN
 VLAN filtering
 From any to any VLAN translation
Bonding  Supports 802.3ad (LACP) and balance-xor modes

 Up to 8 member ports per bonding interface
 Up to 30 bonding interfaces
 Hardware automatic failover and load balancing
Quality of Service (QoS)  Ingress traffic limiting
 Port based
 MAC based
 IP based
 VLAN based
 Protocol based
 DSCP based
 Port based egress traffic limiting
Port isolation  Applicable for Private VLAN implementation
Access Control List  Ingress ACL tables

 Up to 128 ACL rules (limited by RouterOS)
 Classification based on ports, L2, L3, L4 protocol hea
 ACL actions include filtering, forwarding and modify
Models
This table clarifies main differences between Cloud Router Switch models.
Switch Core Wirele SFP+ Access Control Jumbo Frame

Model CPU
Chip s ss port List (Bytes)
CRS32
Marvell- 800M
6-24G- 1 - + + 10218
98DX3236 Hz
2S+
CRS32
Marvell- 800M
8-24P- 1 - + + 10218
98DX3236 Hz
4S+
CRS32
8-4C- Marvell- 800M
1 - + + 10218
20S- 98DX3236 Hz
4S+
CRS31
Marvell- 800M
7-1G- 2 - + + 10218
98DX8216 Hz
16S+
Abbreviations
 FDB - Forwarding Database
 MDB - Multicast Database
 SVL - Shared VLAN Learning
 IVL - Independent VLAN Learning
 PVID - Port VLAN ID
 ACL - Access Control List
 CVID - Customer VLAN ID
 SVID - Service VLAN ID
Port Switching
Since v6.41 bridges will handle all Layer2 forwarding and the use of switch chip ( hw-offload )
will automatically turn on if appropriate conditions are met. The rest of RouterOS Switch
features remain untouched in usual menus. By default all newly created bridge ports
have hw=yes option and it allows enabling of hw-offload when possible. If such
functionality is not required, it can be disabled by hw=no on bridge port to have completely
software operated bridging.
Example
Use the command lines below to create a bridge and add ports to it. On CRS3xx using other
bridge protocol modes will also enable hardware offloading.
/interface bridge
Make sure that hardware offloading is enabled. If H flag is available next to the desired
interface, then hardware offloading is active on that port. If hardware offloading flag is not
shown, then make sure you haven't enabled features that disable hardware offloading.
Note: Currently it is possible to create only one bridge with hardware offloading on CRS3xx
series devices. Use the hw parameter to select which bridge will use hardware offloading.

10 10 none
10 10 none
10 10 none
10 10 none
Note: On CRS3xx series switches bridge STP/RSTP/MSTP, IGMP Snooping and VLAN
filtering settings don't affect hardware offloading, since RouterOS v6.42 Bonding interfaces are
also hardware offloaded.
Host Table
Property
age (read-only: time) The time since the last pac
bridge (read-only: name) The bridge the entry belon
external-fdb (read-only: flag) Whether the host was learn
local (read-only: flag) Whether the host entry is o
mac-address (read-only: MAC address) Host's MAC address
on-interface (read-only: name) Which of the bridged inter
Example
 Use this command to get the active host table:
[admin@MikroTik] > /interface bridge host print

BRIDGE MAC-ADDRESS ON-INTERFACE AGE
bridge1 00:00:00:00:00:01 ether2 3s
bridge1 00:01:29:FF:1D:CC ether2 0s
L bridge1 00:0C:42:52:2E:CF ether2 0s
bridge1 00:0C:42:52:2E:D0 ether2 3s
bridge1 00:0C:42:5C:A5:AE ether2 0s
VLAN
Since RouterOS v6.41 bridges provides VLAN aware Layer2 forwarding and VLAN tag
modifications within the bridge. This set of features makes bridge operation more like a
traditional Ethernet switch and allows to overcome Spanning Tree compatibilty issues
compared to configuration when tunnel-like VLAN interfaces are bridged. Bridge VLAN Filtering
configuration is highly recommended to comply with STP (802.1D), RSTP (802.1w) standards
and is mandatory to enable MSTP (802.1s) support in RouterOS.
VLAN Filtering
The main VLAN setting is vlan-filtering which globally controls vlan-awareness and
VLAN tag processing in the bridge. If vlan-filtering=no , bridge ignores VLAN tags, works
in a shared-VLAN-learning (SVL) mode and cannot modify VLAN tags of packets. Turning
on vlan-filtering enables all bridge VLAN related functionality and independent-VLAN-
learning (IVL) mode. Besides joining the ports for Layer2 forwarding, bridge itself is also an
interface therefore it has Port VLAN ID (pvid).
Note: Since RouterOS v6.41 all switching related parameters are moved to the bridge section.
On CRS3xx series devices VLAN switching must be configured under the bridge section as
well, this will not limit the device's performance, CRS3xx is designed to use the built-in switch
chip to work with bridge VLAN filtering, you are able to achieve full non-blocking wire-speed
switching performance while using bridges and bridge VLAN filtering. Make sure that all bridge
ports have the "H" flag, which indicates that the device is using the switch chip to forward
packets.
Property
vlan-filtering (yes | no; Default: no) Gl
pvid (1..4094; Default: 1) Po
fro
Property
frame-types (admit-all | admit-only-untagged-and-priority-tagged | admit-only-vlan-tagged; Default: admit-all) Sp
ingress-filtering (yes | no; Default: no) En
bri
pvid (1..4094; Default: 1) Po
VLAN Table
Bridge VLAN table represents per-VLAN port mapping with an egress VLAN tag
action. tagged ports send out frames with a learned VLAN ID tag. untagged ports remove
VLAN tag before sending out frames if the learned VLAN ID matches the port pvid .
Sub-menu: /interface bridge vlan
Property
bridge (name) Th
tagged (interfaces; Default: none) Int
E.
untagged (interfaces; Default: none) Int

E.
vlan-ids (1..4094) Th
va
Setup examples
Port Based VLAN
 The configuration for CRS3xx switches is described in the Bridge VLAN FIltering section.
Note: It is possible to use the built-in switch chip and the CPU at the same time to create a
Switch-Router setup, where a device acts as a switch and as a router at the same time. You
can find a configuration example in the CRS-Router guide.
MAC Based VLAN

MAC Based VLAN
Note: The CRS3xx Switch Rule table is used for MAC Based VLAN functionality, it supports up
to 128 entries.
 Enable switching on ports by creating a bridge with enabled hw-offloading.
/interface bridge
add name=bridge1 vlan-filtering=yes
 Add VLANs in the Bridge VLAN table and specify ports.

add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=200,300,400
 Add Switch rules which assign VLAN id based on MAC address.

/interface ethernet switch rule
add switch=switch1 ports=ether7 src-mac-
address=A4:12:6D:77:94:43/FF:FF:FF:FF:FF:FF new-vlan-id=200
address=84:37:62:DF:04:20/FF:FF:FF:FF:FF:FF new-vlan-id=300
address=E7:16:34:A1:CD:18/FF:FF:FF:FF:FF:FF new-vlan-id=400
Protocol Based VLAN
Protocol Based VLAN
Note: The CRS3xx Switch Rule table is used for Protocol Based VLAN functionality, it supports
up to 128 entries.
 Enable switching on ports by creating a bridge with enabled hw-offloading.
/interface bridge
add name=bridge1 vlan-filtering=yes
 Add VLANs in the Bridge VLAN table and specify ports.

 Add Switch rules which assign VLAN id based on MAC protocol.

add mac-protocol=ip new-vlan-id=200 ports=ether6 switch=switch1
add mac-protocol=ipx new-vlan-id=300 ports=ether7 switch=switch1
add mac-protocol=0x80F3 new-vlan-id=400 ports=ether8 switch=switch1

Since RouterOS v6.43rc14 it is possible to use a provider bridge (IEEE 802.1ad) VLAN filtering
and hardware offloading at the same time on CRS3xx series switches. The configuration for
CRS3xx switches is described in the Bridge VLAN Tunneling (Q-in-Q) section.
Ingress VLAN translation
It is possible to translate a certain VLAN ID to a different VLAN ID using ACL rules on an
ingress port. This can be done by doing the following:
 Create a new bridge and add ports to it with hardware offloading:
/interface bridge
 Add an ACL rule to translate a VLAN ID:

add new-vlan-id=20 ports=ether1 switch=switch1 vlan-id=10
 Add the NEW VLAN ID to the bridge VLAN table:

add bridge=bridge tagged=ether1,ether2 vlan-ids=20
 Enable bridge VLAN filtering:
before enabling VLAN filtering you should make sure that you set up a Management port
(R/M)STP
Network loops may emerge (intentionally or not) in complex topologies. Without any special
treatment, loops would prevent network from functioning normally, as they would lead to
avalanche-like packet multiplication. Each bridge runs an algorithm which calculates how the
loop can be prevented. STP and RSTP allows bridges to communicate with each other, so they
can negotiate a loop free topology. All other alternative connections that would otherwise form
loops, are put to standby, so that should the main connection fail, another connection could
take its place. This algorithm exchanges configuration messages (BPDU - Bridge Protocol
Data Unit) periodically, so that all bridges are updated with the newest information about
changes in network topology. (R/M)STP selects a root bridge which is responsible for network
reconfiguration, such as blocking and opening ports on other bridges. The root bridge is the
bridge with the lowest bridge ID.
As of RouterOS v6.41 all CRS3xx series switches support (R/M)STP bridge protocol mode and
hardware offloading simultaneously, meaning that it possible to use the switch chip's built-in
VLAN filtering function in conjunction with bridge's Spanning Tree Protocol features and
forward packets at wire-speed. There are a lot of considerations that should be made when
designing a STP enabled network, more detailed case studies can be found in the Spanning
Tree Protocol section.
Property
protocol-mode (mstp | none | rstp | stp; Default: rstp)
Bonding
Since RouterOS v6.42 all CRS3xx series switches support hardware offloading with bonding
interfaces. Only 802.3ad and balance-xor bonding modes are hardware offloaded, other
bonding modes will use the CPU's resources. You can find more information about the bonding
interfaces in the Bonding Interface section. If 802.3ad mode is used, then LACP (Link
Aggregation Control Protocol) is supported.
To create a hardware offloaded bonding interface, you must create a bonding interface with a
supported bonding mode:
/interface bonding
add mode=802.3ad name=bond1 slaves=ether1,ether2
This interface can be added to a bridge alongside with other interfaces:
/interface bridge
add name=bridge
add bridge=bridge interface=bond1 hw=yes
add bridge=bridge interface=ether3 hw=yes
add bridge=bridge interface=ether4 hw=yes
Note: Don't add interfaces to a bridge that are already in a bond, RouterOS will not allow you
to add an interface that is already a slave to a bridge as there is no need to do it since a
bonding interface already contains the slave interfaces.
Make sure that the bonding interface is hardware offloaded by checking the "H" flag:
/interface bridge port print

# INTERFACE BRIDGE
HW
0 H bond1 bridge
yes
1 H ether3 bridge
yes
2 H ether4 bridge
yes
Note: The built-in switch chip will always use Layer2+Layer3+Layer4 for transmit hash policy,
changing the transmit hash policy manually will have no effect.
Port isolation
Since RouterOS v6.43rc11 is it possible to create a Private VLAN setup on CRS3xx series
switches, example can be found in the Switch chip port isolation manual page.
IGMP Snooping
IGMP Snooping which controls multicast streams and prevents multicast flooding is
implemented in RouterOS starting from version 6.41. It's settings are placed in bridge menu
and it works independently in every bridge interface. Software driven implementation works on
all devices with RouterOS but CRS1xx/2xx/3xx series switches also support IGMP Snooping
with hardware offloading.
 Use this command to enable IGMP Snooping on a bridge interface:
/interface bridge set bridge1 igmp-snooping=yes
 Use this command to get current Multicast Database entries:
[admin@MikroTik] > /interface bridge mdb print

BRIDGE VID GROUP
PORTS
bridge1 200 229.1.1.2
ether3
ether2
ether1
bridge1 300 231.1.3.3
ether4
ether3
ether2
bridge1 400 229.10.10.4
ether4
ether3
bridge1 500 234.5.1.5
ether5
ether1
Mirroring
Mirroring lets the switch 'sniff' all traffic that is going in a switch chip and send a copy of those
packets out to another port (mirror-target). This feature can be used to easily set up a 'tap'
device that allows you to inspect the traffic on your network on a traffic analyzer device. It is
possible to set up a simple port based mirroring where, but it is also possible to setup more
complex mirroring based on various parameters. Note that mirror-target port has to belong to
same switch. (See which port belong to which switch in /interface ethernet menu). Also
mirror-target can have a special 'cpu' value, which means that 'sniffed' packets will be sent out
of switch chips cpu port. There are many possibilities that can be used to mirror certain traffic,
below you can find most common mirroring examples:
 Port Based Mirroring

set switch1 mirror-source=ether2 mirror-target=ether3
 VLAN Based Mirroring
/interface bridge
set bridge1 vlan-filtering=yes
set switch1 mirror-target=ether3 mirror-source=none
add mirror=yes ports=ether1 switch=switch1 vlan-id=11
 MAC Based Mirroring

add mirror=yes ports=ether1 switch=switch1 dst-mac-
address=64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF
add mirror=yes ports=ether1 switch=switch1 src-mac-
address=64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF
 Protocol Based Mirroring

add mirror=yes ports=ether1 switch=switch1 mac-protocol=ipx
 IP Based Mirroring

add mirror=yes ports=ether1 switch=switch1 src-address=192.168.88.0/24
add mirror=yes ports=ether1 switch=switch1 dst-address=192.168.88.0/24
There are other options as well, check the ACL section to find out all possible parameters that
can be used to match packets.
Quality of Service (QoS)

It is possible to limit certain type of traffic using ACL rules. For CRS3xx series switches it is
possible to limit ingress traffic that matches certain parameters and it is possible to limit
ingress/egress traffic per port basis. For ingress traffic QoS policer is used, for egress traffic
QoS shaper is used.
 Port Based QoS

set ether1 ingress-rate=10M egress-rate=5M
 MAC Based QoS

add ports=ether1 switch=switch1 src-mac-
address=64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF rate=10M
 VLAN Based QoS
/interface bridge
add ports=ether1 switch=switch1 vlan-id=11 rate=10M
 Protocol Based QoS

add ports=ether1 switch=switch1 mac-protocol=ipx rate=10M
There are other options as well, check the ACL section to find out all possible parameters that
can be used to match packets.
Note: The CRS3xx Switch Rule table is used for QoS functionality, it supports up to 128
entries.
Traffic Storm Control

Since RouterOS v6.42 it is possible to enable traffic storm control on CRS3xx series devices. It
is possible to limit broadcast, unknown multicast and unknown unicast traffic. These settings
should be applied to ingress ports, the egress traffic will be limited.
Note: The storm control parameter is specified in percentage (%) of the link speed. If your link
speed is 1Gbps, then specifying storm-rate as 10 will allow only 100Mbps of broadcast,
unknown multicast and/or unknown unicast traffic to be forwarded.
Sub-menu: /interface ethernet switch port
Property
limit-broadcasts (yes | no; Default: yes) Limit broadcast traffic on
limit-unknown-multicasts (yes | no; Default: no) Limit unknown multicast t
limit-unknown-unicasts (yes | no; Default: no) Limit unknown unicast tra
storm-rate (integer 0..100; Default: 100) Amount of broadcast, unk
Warning: Devices with Marvell-98DX3236 switch chip cannot distinguish unknown multicast
traffic from all multicast traffic. For example, CRS326-24G-2S+ will limit all multicast traffic
when limit-unknown-multicasts and storm-rate is used. For other devices, for
example, CRS317-1G-16S+ the limit-unknown-multicasts parameter will limit only
unknown multicast traffic (addresses that are not present in /interface bridge mdb
 For example, to limit 1% (10Mbps) of broadcast and unknown unicast traffic on ether1
(1Gbps), use the following commands:

set ether1 storm-rate=1 limit-broadcasts=yes limit-unknown-unicasts=yes
MPLS hardware offloading

Since RouterOS v6.41 it is possible to offload certain MPLS functions to the switch chip, the
switch must be a (P)rovider router in a PE-P-PE setup in order to achieve hardware offloading.
Setup example can be found in the Basic MPLS setup example manual page.
Note: Currently only CRS317-1G-16S+ using RouterOS v6.41 and newer is capable of
hardware offloading certain MPLS functions. CRS317-1G-16S+ built-in switch chip is not
capable of popping MPLS labels from packets, in a PE-P-PE setup you either have to use
explicit null or disable TTL propagation in MPLS network to achieve hardware offloading.
Switch Rules (ACL)

Access Control List contains of ingress policy and egress policy engines and allows to
configure up to 128 policy rules (limited by RouterOS). It is advanced tool for wire-speed
packet filtering, forwarding and modifying based on Layer2, Layer3 and Layer4 protocol header
field conditions.
Note: ACL rules are checked for each packet until a match has been found. If there are
multiple rules that can match, then only the first rule will be triggered. A rule without any action
parameters is a rule to accept the packet.
Sub-menu: /interface ethernet switch rule
Property
copy-to-cpu (no | yes; Default: no) Cl
dscp (0..63) M
dst-address (IP address/Mask) M
dst-address6 (IPv6 address/Mask) M
dst-mac-address (MAC address/Mask) M
dst-port (0..65535) M
flow-label (0..1048575) M
mac-protocol (802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | M
packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan | or 0..65535 | or 0x0000-0xffff)
mirror (no | yes) Cl
new-dst-ports (ports) Ch
pa
on
new-vlan-id (0..4095) Ch
new-vlan-priority (0..7) Ch
ports (ports) M
protocol (dccp | ddp | egp | encap | etherip | ggp | gre | hmp | icmp | icmpv6 | idpr-cmtp | igmp | ipencap | ipip | M
ipsec-ah | ipsec-esp | ipv6 | ipv6-frag | ipv6-nonxt | ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf |
rsvp | sctp | st | tcp | udp | udp-lite | vmtp | vrrp | xns-idp | xtp | or 0..255)
redirect-to-cpu (no | yes) Ch
src-address (IP address/Mask) M
src-address6 (IPv6 address/Mask) M
src-mac-address (MAC address/Mask) M
src-port (0..65535) M
switch (switch group) M
traffic-class (0..255) M
vlan-id (0..4095) M
vlan-header (not-present | present) M

vlan-priority (0..7) M
Action parameters:
 copy-to-cpu
 redirect-to-cpu
 mirror
 new-dst-ports (can be used to drop packets)
 new-vlan-id
 new-vlan-priority
 rate
Conditional parameters:
 Layer2 conditions:
 dst-mac-address
 mac-protocol
 src-mac-address
 vlan-id
 vlan-header
 vlan-priority
 dscp
 protocol
 IPv4 conditions:
 dst-address
 src-address
 IPv6 conditions:
 dst-address6
 flow-label
 src-address6
 traffic-class
 dst-port
 src-port
Note: For VLAN related matchers or VLAN related action parameters to work, you need to
enable vlan-filtering on the bridge interface and make sure that hardware offloading is
enabled on those ports, otherwise these parameters will not have any effect.
Warning: When vlan-protocol is set to 802.1Q, then VLAN related ACL rules are
relevant to 0x8100 (CVID) packets, this includes vlan-id and new-vlan-id .
When vlan-protocol is set to 802.1ad, then ACL rules are relevant to 0x88A8 (SVID)
packets. For example, with 802.1Q the vlan-id matcher will match CVID packets, but with
802.1ad the vlan-id matcher will match SVID packets.
Port Security
It is possible to limit allowed MAC addresses on a single switch port on CRS3xx series
switches. For example, to allow 64:D1:54:81:EF:8E start by switching multiple ports
together, in this example 64:D1:54:81:EF:8E is going to be located behind ether1.
 Create an ACL rule to allow the given MAC address and drop all other traffic on ether1 (for
ingress traffic):

add ports=ether1 src-mac-address=64:D1:54:81:EF:8E/FF:FF:FF:FF:FF:FF
switch=switch1
add new-dst-ports="" ports=ether1 switch=switch1
 Switch all required ports together, disable MAC learning and disable unknown unicast
flooding on ether1:
/interface bridge
add name=bridge1
add bridge=bridge1 interface=ether1 hw=yes learn=no unknown-unicast-
flood=no
 Add a static hosts entry for 64:D1:54:81:EF:8E (for egress traffic):
/interface bridge host

add bridge=bridge1 interface=ether1 mac-address=64:D1:54:81:EF:8E
Warning: Broadcast traffic will still be sent out from ether1. To limit broadcast traffic flood on a
bridge port, you can use the broadcast-flood parameter to toggle it. Do note that some
protocols depend on broadcast traffic, such as streaming protocols and DHCP.
Dual Boot
“Dual boot” feature allows you to choose which operating system you prefer to use, RouterOS
or SwOS. Device operating system could be changed using:
 Serial Terminal (/system routerboard settings set boot-os=swos)

 Winbox
 Webfig
 Serial Console
Winbox Webfig Serial Console
More details about SwOS are described here: SwOS manual
Configuring SwOS using RouterOS

Since RouterOS 6.43rc29 it is possible to load, save and reset SwOS configuration, as well as
upgrade SwOS and set an IP address for the switch by using RouterOS.
 Save configuration with /system swos save-config

Note: Configuration will be saved on the same device with swos.config as filename, make
sure you download the file off your device since the configuration file will be removed after a
reboot.
 Load configuration with /system swos load-config
 Reset configuration with /system swos reset-config
 Set static IP address with /system swos set-address
Note: By setting a static IP address you are not changing the IP address acquisition process,
which is DHCP with fallback by default. This means that the configured static IP
address will become active only when there is going to be no DHCP servers in the same
broadcast domain.
 Upgrade SwOS from RouterOS using /system swos upgrade
Note: The upgrade command will automatically install the latest available SwOS version, make
sure that your device has access to the Internet in order for the upgrade process to work
properly.
Manual:Basic VLAN switching
Contents
[hide]
 1Introduction
 2CRS3xx series switches
 3CRS1xx/CRS2xx series switches
 4Other devices with built-in switch chip
 5Other devices without a built-in switch chip
Introduction
Many MikroTik devices come with a built-in switch chips that usually have an option to do
VLAN switching on a hardware level, this means that you can achieve wire-speed performance
using VLANs if a proper configuration method is used. The configuration method changes
across different models, this guide will focus on setting up a basic trunk/access port setup with
a management port from the trunk port using different devices with the right configuration to
achieve best performance and to fully utilize the available hardware components.
CRS3xx series switches

/interface bridge
add name=bridge1
add bridge=bridge1 interface=ether2 hw=yes pvid=20
add bridge=bridge1 interface=ether3 hw=yes pvid=30
add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=20,30
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT
/ip address
/interface bridge
More detailed examples can be found here.
CRS1xx/CRS2xx series switches

/interface bridge
add name=bridge1
/interface ethernet switch ingress-vlan-translation
add ports=ether2 customer-vid=0 new-customer-vid=20 sa-learning=yes
add ports=ether3 customer-vid=0 new-customer-vid=30 sa-learning=yes
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=20
add tagged-ports=ether1,switch1-cpu vlan-id=99
add ports=ether1,ether2 vlan-id=20 learn=yes
add ports=ether1,switch1-cpu vlan-id=99 learn=yes
/interface vlan
/ip address
set drop-if-invalid-or-src-port-not-member-of-vlan-on-
ports=ether1,ether2,ether3
Other devices with built-in switch chip
Warning: Not all devices with a switch chip are capable of VLAN switching on a hardware
level, check the supported features for each switch chip, the compatibility table can be
found Here. If a device has VLAN table support, then it is capable of VLAN switching using
the built-in switch chip. You can check the device's switch chip either in the provided link or by
using /interface ethernet switch print
/interface bridge
/interface vlan
/ip address
set ether1 vlan-mode=secure vlan-header=add-if-missing
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=20
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=30
Note: This type of configuration should be used on RouterBOARD series devices, this includes
RB4xx, RB9xx, RB2011, RB3011, hAP, hEX, cAP and other devices.
Other devices without a built-in switch chip

It is possible to do VLAN filtering using the CPU, there are multiple ways to do it, but it is highly
recommended by using bridge VLAN filtering.
/interface bridge
add name=bridge1
add bridge=bridge1 interface=ether1 hw=no
add bridge=bridge1 interface=ether2 hw=no pvid=20
add bridge=bridge1 interface=ether3 hw=no pvid=30
add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=20,30
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
/interface vlan
/ip address
/interface bridge
Manual:Layer2 misconfiguration
Contents
[hide]
 1Introduction
 2Bridges on a single switch chip
o 2.1Configuration
o 2.2Problem
o 2.3Symptoms
o 2.4Solution
 3Packet flow with hardware offloading and MAC learning
o 3.1Configuration
o 3.2Problem
o 3.3Symptoms
o 3.4Solution
 4LAG interfaces and load balancing
o 4.1Configuration
o 4.2Problem
o 4.3Symptoms
o 4.4Solution
 5VLAN interface on a slave interface
o 5.1Configuration
o 5.2Problem
o 5.3Symptoms
o 5.4Solution
 6VLAN on a bridge in a bridge
o 6.1Configuration
o 6.2Problem
o 6.3Symptoms
o 6.4Solution
 7VLAN in bridge with a physical interface
o 7.1Configuration
o 7.2Problem
o 7.3Symptoms
o 7.4Solution
 8Bridged VLAN on physical interfaces
o 8.1Configuration
o 8.2Problem
o 8.3Symptoms
o 8.4Solution
 9Bridge VLAN filtering on non-CRS3xx
o 9.1Configuration
o 9.2Problem
o 9.3Symptoms
o 9.4Solution
 10MTU on master interface
o 10.1Configuration
o 10.2Problem
o 10.3Symptoms
o 10.4Solution
 11MTU inconsistency
o 11.1Configuration
o 11.2Problem
o 11.3Symptoms
o 11.4Solution
 12Bridge and reserved MAC addresses
o 12.1Configuration
o 12.2Problem
o 12.3Symptoms
o 12.4Solution
 13Bandwidth testing
o 13.1Problem
o 13.2Symptoms
o 13.3Solution
 14Bridge split-horizon usage
o 14.1Configuration
o 14.2Problem
o 14.3Symptoms
o 14.4Solution
Introduction
There are certain configuration that are known to have major flaws by design and should be
avoided by all means possible. Misconfigured Layer2 can sometimes cause hard to detect
network errors, random performance drops, certain segments of a network to be unreachable,
certain networking services to be malfunctioning or a complete network failure. This page will
contain some common and not so very common configurations that will cause issues in your
network.
Bridges on a single switch chip

Consider the following scenario, you have a device with a built-in switch chip and you need to
isolate certain ports from each other, for this reason you have created multiple bridges and
enabled hardware offloading on them. Since each bridge is located on a different Layer2
domain, then Layer2 frames will not be forwarded between these bridges, as a result ports in
each bridge are isolated from other ports in a different bridge.
Configuration
/interface bridge
add name=bridge1
add name=bridge2
Problem
After a simple performance test you might notice that one bridge is capable of forwarding traffic
at wire-speed while the second, third, ... bridge is not able to forward as much data as the first
bridge. Another symptom might be that there exists a huge latency for packets that need to be
routed. After a quick inspection you might notice that the CPU is always at full load, this is
because hardware offloading is not available on all bridges, but is available only on one bridge.
By checking the hardware offloading status you will notice that only one bridge has it active:

# INTERFACE BRIDGE
HW
0 H ether1 bridge1
yes
1 H ether2 bridge1
yes
2 ether3 bridge2
yes
3 ether4 bridge2
yes
The reason why only one bridge has the hardware offloading flag available is because the
device does not support port isolation. If port isolation is not supported, then only one bridge
will be able to offload the traffic to the switch chip.
Symptoms
Below is a list of possible symptoms that might be as a result of this kind of a misconfiguration:
 Missing "H" flag to bridge ports

 Low throughput
 High CPU usage
Solution
Not all device devices support port isolation, currently only CRS1xx/CRS2xx series devices
support it and only 7 isolated and hardware offloaded bridges are supported at the same time,
other devices will have to use the CPU to forward the packets on other bridges. This is usually
a hardware limitation and a different device might be required. Bridge split horizon parameter is
a software feature that disables hardware offloading and when using bridge filter rules you
need to enable forward all packets to the CPU, which requires the hardware offloading to be
disabled. You can control which bridge will be hardware offloaded with the hw=yes flag and by
setting hw=no to other bridges, for example:
/interface bridge port set [find where bridge=bridge1] hw=no

/interface bridge port set [find where bridge=bridge2] hw=yes
Sometimes it is possible to restructure a network topology to use VLANs, which is the proper
way to isolate Layer2 networks.
Packet flow with hardware offloading and MAC

learning
Consider the following scenario, you setup a bridge and have enabled hardware offloading in
order to maximize the throughput for your device, as a result your device is working as a
switch, but you want to use packet analyser or to simply sniff some packets that are being
forwarded over your bridge or you might want to use Firewall rules for statistics.
Configuration
/interface bridge
add name=bridge
add bridge=bridge hw=yes interface=ether1
add bridge=bridge hw=yes interface=ether2
Problem
When hardware offloading is enabled, all packets are being processed by the built-in switch
chip, all MikroTik devices using a built-in switch chip are capable of MAC learning which makes
a switch a smart switch. The function of a smart switch is not to flood traffic to ports that are not
supposed to receive certain packets, because of MAC learning the switch chip will learn on
which ports a certain MAC address is located, the switch chip will send packets that are
destined to this address directly without flooding the packet to all ports. If the destination MAC
address is not known, then the packet is flooded to all ports, broadcast packets are always
flooded to all ports. Devices that have a switch chip have a port called switch-cpu port, this is
the port on which packets that are destined to the CPU will be received on. Because of this
behaviour packets that are destined to a learned MAC address are not sent to the CPU and
are not visible with /tool sniffer , this can be sometimes misleading since traffic is not
visible, but rx-bytes/tx-bytes counters are increasing, this behaviour is similar
to FastPath.
Symptoms
 Packets not visible by Sniffer tool

 Filter rules not working
Solution
Packets with a destination MAC address that has been learned will not be sent to the CPU
since the packets are not not being flooded to all ports. If you do need to send certain packets
to the CPU for packet analyser or for Firewall, then it is possible to copy or redirect the packet
to the CPU by using ACL rules. Below is an example how to send a copy of packets that are
meant for 4C:5E:0C:4D:12:4B:

add copy-to-cpu=yes dst-mac-address=4C:5E:0C:4D:12:4B/FF:FF:FF:FF:FF:FF
ports=ether1 switch=switch1
Note: If the packet is sent to the CPU, then the packet must be processed by the CPU, this
increases the CPU load.
LAG interfaces and load balancing

Consider the following scenario, you have created a LAG interface to increase total bandwidth
between 2 network nodes, usually these are switches. For testing purposes to make sure that
LAG interface is working properly you have attached two servers that transfer data, most
commonly the well known network performance measurement
tool https://en.wikipedia.org/wiki/Iperf is used to test such setups. For example, you might have
made a LAG interface out of two Gigabit Ethernet ports, which gives you a 2Gbps interface
while the servers are connected using a 10Gbps interface, for example, SFP+.
LACP topology
Configuration
The following configuration is relevant to SW1 and SW2:
/interface bonding
add mode=802.3ad name=bond1 slaves=ether1,ether2
add bridge=bridge interface=bond1
add bridge=bridge interface=sfp-sfpplus1
Problem
After initial tests you immediately notice that the your network throughput never exceeds the
1Gbps limit even though the CPU load on the servers is low as well as on the network nodes
(switches in this case), but the throughput is still limited to only 1Gbps. The reason behind this
is because LACP (802.ad) uses transmit hash policy in order to determine if traffic can be
balanced over multiple LAG members, in this case a LAG interface does not create a 2Gbps
interface, but rather an interface that can balance traffic over multiple slave interface whenever
it is possible. For each packet a transmit hash is generated, this determines through which
LAG member will the packet be sent, this is needed in order to avoid packets being out of
order, there is an option to select the transmit hash policy, usually there is an option to choose
between Layer2 (MAC), Layer3 (IP) and Layer4 (Port), in RouterOS this can be selected by
using the transmit-hash-policy parameter. In this case the transmit hash is the same
since you are sending packets to the same destination MAC address, as well as the same IP
address and Iperf uses the same port as well, this generates the same transmit hash for all
packets and load balancing between LAG members is not possible. Note that now always
packets will get balanced over LAG members even though the destination is different, this is
because the standardized transmit hash policy can generate the same transmit hash for
different destinations, for example, 192.168.0.1/192.168.0.2 will get balanced, but
192.168.0.2/192.168.0.4 will NOT get balanced in case layer2-and-3 transmit hash policy is
used and the destination MAC address is the same.
Symptoms
 Traffic going through only one LAG member
Solution
Choose the proper transmit hash policy and test your network's throughput properly. The
simplest way to test such setups is to use multiple destinations, for example, instead of
sending data to just one server, rather send data to multiple servers, this will generate a
different transmit hash for each packet and will make load balancing across LAG members
possible. For some setups you might want to change the bonding interface mode to increase
the total throughput, for UDP traffic balance-rr mode might be sufficient, but can cause
issues for TCP traffic, you can read more about selecting the right mode for your setup Here.
VLAN interface on a slave interface
Consider the following scenario, you have created a bridge and you want a DHCP Server to
give out IP addresses only to a certain tagged VLAN traffic, for this reason you have created a
VLAN interface, specified a VLAN ID and created a DHCP Server on it, but for some reasons it
is not working properly.
Configuration
/interface bridge
add name=bridge
add interface=ether1 bridge=bridge
/interface vlan
add name=VLAN99 interface=ether1 vlan-id=99
/ip pool
add name=VLAN99_POOL range=192.168.99.100-192.168.99.200
/ip address add address=192.168.99.1/24 interface=VLAN99
/ip dhcp-server
add interface=VLAN99 address-pool=VLAN99_POOL disabled=no
/ip dhcp-server network
add address=192.168.99.0/24 gateway=192.168.99.1 dns-
server=192.168.99.1
Problem
When you add an interface to a bridge, the bridge becomes the master interface and all bridge
ports become slave ports, this means that all traffic that is received on a bridge port is captured
by the bridge interface and all traffic is forwarded to the CPU using the bridge interface instead
of the physical interface. As a result VLAN interface that is created on a slave interface will
never capture any traffic at all since it is immediately forwarded to the master interface before
any packet processing is being done. Usual side effect is that some DHCP clients receive IP
addresses and some don't.
Symptoms
 DHCP Client/Server not working properly

 Device is unreachable
 Device behind a bridge is unreachable with tagged traffic
Solution
Change the interface on which the VLAN interface will be listening for traffic, change it to the
master interface:
/interface vlan set VLAN99 interface=bridge
VLAN on a bridge in a bridge

Consider the following scenario, you have a set of interfaces (don't have to be physical
interfaces) and you want all of them to be in the same Layer2 segment, the solution is to add
them to a single bridge, but you require that traffic from one port tags all traffic into a certain
VLAN. This can be done by creating a VLAN interface on top of the bridge interface and by
creating a separate bridge that contains this newly created VLAN interface and the interface,
which will send out tagged traffic. Network diagram can be found below:
VLAN on bridge in bridge topology
Configuration
/interface bridge
add name=bridge1
add name=bridge2
/interface vlan
add interface=bridge1 name=VLAN vlan-id=99
add bridge=bridge2 interface=VLAN
Problem
Packets coming from ether3 will be sent out tagged and traffic won't be flooded
through ether1 and ether2, but if another port is added to bridge2, then traffic will be flooded.
Similar issue arises when traffic needs to be sent from ether1 to ether3 since MAC learning is
only possible between bridge ports and not interfaces that are created on top of the bridge
interface. As a result unicast traffic will be flooded to ether2 and ether3. If a device
behind ether3 is using (R)STP, then ether1 and ether2 will send out tagged BPDUs. Because
of the broken MAC learning functionality and broken (R)STP this setup and configuration must
be avoided. It is also known that in some setups this kind of configuration can prevent you from
connecting to the device by using MAC telnet.
Symptoms
 Port blocked by RSTP

 Loops in network
 Traffic is flooded to all ports
 MAC telnet is unable to connect
 Device inaccessible
Solution
Use bridge VLAN filtering. The proper way to tag traffic is to assign a VLAN ID whenever traffic
enters a bridge, this behaviour can easily be achieved by specifying PVID value for a bridge
port and specifying which ports are tagged (trunk) ports and which are untagged (access)
ports. Below is an example how such setup should have been configured:
/interface bridge
add name=bridge vlan-filtering=yes
add bridge=bridge interface=ether3 pvid=99
add bridge=bridge tagged=ether1 untagged=ether3 vlan-ids=99
VLAN in bridge with a physical interface

Very similar case to VLAN on a bridge in a bridge, there are multiple possible scenarios where
this could could have been used, most popular use case is when you want to send out tagged
traffic through a physical interface, in such a setup you want traffic from one interface to
receive only certain tagged traffic and send out this tagged traffic as tagged through a physical
interface (simplified trunk/access port setup) by just using VLAN interfaces and a bridge.
Configuration
/interface vlan
add interface=ether1 name=VLAN99 vlan-id=99
/interface bridge
add name=bridge
add interface=VLAN99 bridge=bridge
Problem
This setup and configuration will work on most cases, but it violates the IEEE 802.1W standard
when (R)STP is used. If this is the only device in your Layer2 domain, then this should not
cause problems, but problems can arise when there are other vendor switches. The reason for
this is that (R)STP on a bridge interface is enabled by default and BPDUs coming
from ether1 will be sent out tagged since everything sent into ether1 will be sent out
through ether2 as tagged traffic, not all switches can understand tagged BPDUs. Precautions
should be made with this configuration in a more complex network where there are multiple
network topologies for certain (group of) VLANs, this is relevant to MSTP and PVSTP(+) with
mixed vendor devices. In a ring-like topology with multiple network topologies for certain
VLANs, one port from the switch will be blocked, but in MSTP and PVSTP(+) a path can be
opened for a certain VLAN, in such a situation it is possible that devices that don't support
PVSTP(+) will untag the BPDUs and forward the BPDU, as a result the switch will receive its
own packet, trigger a loop detection and block a port, this can happen to other protocols as
well, but (R)STP is the most common case. If a switch is using a BPDU guard function, then
this type of configuration can trigger it and cause a port to be blocked by STP. It has been
reported that this type of configuration can prevent traffic from being forwarded over certain
bridge ports over time when using 6.41 or later.
Symptoms
 Port blocked by RSTP

 Traffic stops forwarding over time
 BPDUs ignored by other RSTP enabled devices
Solution
To avoid compatibility issues you should use bridge VLAN filtering. Below you can find an
example how the same traffic tagging effect can be achieved with a bridge VLAN filtering
configuration:
/interface bridge
add bridge=bridge tagged=ether2 untagged=ether1 vlan-ids=99
Bridged VLAN on physical interfaces

Very similar case to VLAN on a bridge in a bridge, consider the following scenario, you have a
couple of switches in your network and you are using VLANs to isolate certain Layer2 domains
and connect these switches are connected to a router that assigns addresses and routes the
traffic to the world. For redundancy you connect switches all switches directly to the router and
have enabled RSTP, but to be able to setup DHCP Server you decide that you can create a
VLAN interface for each VLAN on each physical interface that is connected to a switch and add
these VLAN interfaces in a bridge. Network diagram can be found bellow:
Bridged VLANs topology
Configuration
Only the router part is relevant to this case, switch configuration doesn't really matter as long
as ports are switched. Router configuration can be found bellow:
/interface bridge
add name=bridge10
add name=bridge20
/interface vlan
add interface=ether1 name=ether1_v10 vlan-id=10
add bridge=bridge10 interface=ether1_v10
Problem
You might notice that the network is having some weird delays or even the network is
unresponsive, you might notice that there is a loop detected (packet received with own MAC
address) and some traffic is being generated out of nowhere. The problem occurs because a
broadcast packet that is coming from either one of the VLAN interface created on
the Router will be sent out the physical interface, packet will be forwarded through the physical
interface, through a switch and will be received back on a different physical interface, in this
case broadcast packets sent out ether1_v10 will be received on ether2, packet will be
captured by ether2_v10, which is bridged with ether1_v10 and will get forwarded again the
same path (loop). (R)STP might not always detect this loop since (R)STP is not aware of any
VLANs, a loop does not exist with untagged traffic, but exists with tagged traffic. In this
scenario it is quite obvious to spot the loop, but in more complex setups it is not always easy to
detect the network design flaw. Sometimes this network design flaw might get unnoticed for a
very long time if your network does not use broadcast traffic, usually Nieghbor Discovery
Protocol is broadcasting packets from the VLAN interface and will usually trigger a loop
detection in such a setup. Sometimes it is useful to capture the packet that triggered a loop
detection, this can by using sniffer and analysing the packet capture file:
/tool sniffer
set filter-mac-address=4C:5E:0C:4D:12:44/FF:FF:FF:FF:FF:FF \
filter-interface=ether1 filter-direction=rx file-name=loop_packet.pcap
Or a more convenient way using logging:
/interface bridge filter

add action=log chain=forward src-mac-
address=4C:5E:0C:4D:12:44/FF:FF:FF:FF:FF:FF
add action=log chain=input src-mac-
address=4C:5E:0C:4D:12:44/FF:FF:FF:FF:FF:FF
Symptoms
 Port blocked by (R)STP

 Low throughput
 Network inaccessible
Solution
Partial solution is to use Multiple Spanning Tree Protocol across the whole network, but it is
required to use bridge VLAN filtering in order to make all bridges compatible with IEEE 802.1W
and IEEE 802.1Q.
/interface bridge
add bridge=bridge tagged=ether1,ether2,bridge vlan-ids=10,20
/interface vlan
add name=vlan10 interface=bridge vlan-id=10
add name=vlan20 interface=bridge vlan-id=20
Even though rewriting your configuration to use bridge VLAN filtering will fix loop occurrence
because of broadcast traffic that is coming from a VLAN interface, there still might exist loops
with tagged unknown unicast or broadcast traffic. To make sure that loops don't exist with
tagged and untagged traffic you should consider implementing MSTP in your network instead
of (R)STP.
Bridge VLAN filtering on non-CRS3xx

Consider the following scenario, you found out the new bridge VLAN filtering feature and you
decided to change the configuration on your device, you have a very simple trunk/access port
setup and you like the concept of bridge VLAN filtering.
Configuration
/interface bridge
Problem
For example, you use this configuration on a CRS1xx/CRS2xx series device and you started to
notice that the CPU usage is very high and when running a performance test to check the
network's throughput you notice that the total throughput is only a fraction of the wire-speed
performance that it should easily reach. The cause of the problem is that not all devices
support bridge VLAN filtering on a hardware level. All devices are able to be configured with
bridge VLAN filtering, but only few of them will be able to offload the traffic to the switch chip. If
improper configuration method is used on a device with a built-in switch chip, then the CPU will
be used to forward the traffic.
Symptoms
 Missing "H" flag on bridge port

 Low throughput
 High CPU usage
Solution
Before using bridge VLAN filtering check if your device supports it at the hardware level, table
with compatibility can be found at the Bridge Hardware Offloading section. Each type of device
currently requires a different configuration method, below is a list of which configuration should
be used on a device in order to use benefits of hardware offloading:
 CRS3xx series devices

 CRS1xx/CRS2xx series devices
 Other devices with a switch chip
MTU on master interface
Consider the following scenario, you have created a bridge, added a few interfaces to it and
have created a VLAN interface on top of the bridge interface, but you need to increase the
MTU size on the VLAN interface in order to receive larger packets.
Configuration
/interface bridge
add name=bridge
/interface vlan
add interface=bridge name=VLAN99 vlan-id=99
Problem
As soon as you try to increase the MTU size on the VLAN interface, you receive an error that
RouterOS Could not set MTU. This can happen when you are trying to set MTU larger than
the L2MTU. In this case you need to increase the L2MTU size on all slave interfaces, which will
update the L2MTU size on the bridge interface. After this has been done, you will be able to set
a larger MTU on the VLAN interface. The same principle applies to bonding interfaces. You
can increase the MTU on interfaces like VLAN, MPLS, VPLS, Bonding and other interfaces
only when all physical slave interfaces have proper L2MTU set.
Symptoms
 Cannot change MTU
Solution
Increase the L2MTU on slave interfaces before changing the MTU on a master interface.
/interface ethernet
set ether1,ether2 l2mtu=9018
/interface vlan
set VLAN99 mtu=9000
MTU inconsistency
Consider the following scenario, you have multiple devices in your network, most of them are
used as a switch/bridge in your network and there are certain endpoints that are supposed to
receive and process traffic. To decrease the overhead in your network, you have decided to
increase the MTU size so you set a larger MTU size on both endpoints, but you start to notice
that some packets are being dropped.
MTU inconsistency setup
Configuration
In this case both endpoints can be any type of device, we will assume that they are both Linux
servers that are supposed to transfer large amount of data. In such a scenario you would have
probably set something similar to this on ServerA and ServerB:
ip link set eth1 mtu 9000
And on your Switch you have probably have set something similar to this:
/interface bridge
add name=bridge
Problem
This is a very simplified problem, but in larger networks this might not be very easy to detect.
For instance, ping might be working since a generic ping packet will be 70 bytes long (14 bytes
for Ethernet header, 20 bytes for IPv4 header, 8 bytes for ICMP header, 28 bytes for ICMP
payload), but data transfer might not work properly. The reason why some packets might not
get forwarded is that MikroTik devices running RouterOS by default has MTU set to 1500 and
L2MTU set to something around 1580 bytes (depends on the device), but the Ethernet
interface will silently drop anything that does not fit into the L2MTU size. Note that L2MTU
parameter is not relevant to x86 or CHR devices. For a device that is only supposed to forward
packets, there is no need to increase the MTU size, it is only required to increase the L2MTU
size, RouterOS will not allow you to increase the MTU size that is larger than the L2MTU size.
If you require the packet to be received on the interface and the device needs to process this
packet rather than just forwarding it, for example, in case of routing, then it is required to
increase the L2MTU and the MTU size, but you can leave the MTU size on the interface to the
default value if you are using only IP traffic (that supports packet fragmentation) and don't mind
that packets are being fragmented. You can use the ping utility to make sure that all devices
are able to forward jumbo frames:
/ping 192.168.88.1 size=9000 do-not-fragment
Remember that the L2MTU and MTU size needs to be larger or equal to the ping packet size
on the device from which and to which you are sending a ping packet, since ping (ICMP) is IP
traffic that is sent out from a interface over Layer3.
Symptoms
 Web pages are not able to load up, but ping works properly
 Tunnels dropping traffic
 Specific protocols are broken
 Large packet loss
Solution
Increase the L2MTU size on your Switch:
/interface ethernet
set ether1,ether2 l2mtu=9000
In case your traffic is encapsulated (VLAN, VPN, MPLS, VPLS or other), then you might need
to consider setting even a larger L2MTU size. In this scenario it is not needed to increase the
MTU size for the reason described above.
Note: Full frame MTU is not the same as L2MTU. L2MTU size does not include the Ethernet
header (14 bytes) and the CRC checksum (FCS) field. The FCS field is stripped by the
Ethernet's driver and RouterOS will never show the extra 4 bytes to any packet. For example, if
a you set MTU and L2MTU to 9000, then the full frame MTU is 9014 bytes long, this can also
be observed when sniffing packets with /tool sniffer quick
Bridge and reserved MAC addresses

Consider the following scenario, you want to transparently bridge two network segments
together, either those are tunnel interfaces like EoIP, Wireless interfaces, Ethernet interface or
any other kind of interfaces that can be added to a bridge. Such setups allows you to
seamlessly connect two devices together like there was only a physical cable between them,
this is sometimes called a transparent bridge from DeviceA to DeviceB.
Configuration
For both devices DeviceA and DeviceB there should be a very similar configuration.
/interface bridge
add name=bridge1 protocol-mode=rstp
add interface=ether1 bridge=bridge1
add interface=eoip1 bridge=bridge1
Problem
Both devices are able to communicate with each other, but some protocols do not work
properly. The reason is that as soon as you use any STP variant (STP, RSTP, MSTP), you
make the bridge compliant with IEEE 802.1D and IEEE 802.1Q, these standards recommend
that packets that are destined to 01:80:C2:XX:XX:XX should NOT be forwarded. In cases
where there are only 2 ports added to a bridge (R/M)STP should not be used since a loop
cannot occur from 2 interfaces and if a loop does occur, the cause is elsewhere and should be
fixed on a different bridge. Since (R/M)STP is not needed in transparent bridge setups, it can
be disabled. As soon as (R/M)STP is disabled, the RouterOS bridge is not compliant with IEEE
802.1D and IEEE 802.1Q and therefore will forward packets that are destined
to 01:80:C2:XX:XX:XX.
Symptoms
 LLDP neighbors not showing up

 802.1x authentication (dot1x) not working
 LACP interface not passing traffic
Solution
Since RouterOS v6.43rc13 it is possible to partly disable compliance with IEEE 802.1D and
IEEE 802.1Q, this can be done by changing the bridge protocol mode.
/interface bridge
set bridge1 protocol-mode=none
Warning: The 802.1x standard is meant to be used between a switch and a client directly. If it
is possible to connect a device between the switch and the client, then this creates a security
threat. For this reason it is not recommended to disable the compliance with IEEE 802.1D and
IEEE 802.1Q, but rather design a proper network topology.
Bandwidth testing
Consider the following scenario, you set up a link between two devices, this can be any link, an
Ethernet cable, a Wireless link, a tunnel or any other connection. You decide that you want to
test the link's bandwidth, but for convenience reasons you decide to start testing the link the
same devices that are running the link.
Bad way to test bandwidth or throughput
Problem
As soon as you start Bandwidth test or Traffic generator you notice that the throughput is much
smaller than expected. For very powerful routers, which should be able to forward many
Gigabits per second (Gbps) you notice that only a few Gigabits per second gets forwarded.
The reason why this is happening is because of the testing method you are using, you should
never test throughput on a router while using the same router for generating traffic, this is
especially true when using Bandwidth test since it is only able to generate traffic on a single
CPU core and also applies when using Traffic-generator, though it can run on multiple cores,
but you are still adding a load on the CPU that reduces the total throughput.
Symptoms
 Low throughput
 High CPU usage on one CPU core
Solution
Use a proper testing method. Don't use Bandwidth-test to test large capacity links and don't run
any tool that generates traffic on the same device you are testing. Design your network
properly so you can attach devices that will generate and receive traffic on both ends. If you
are familiar with Iperf, then this concept should be clear. Remember that in real world a router
or a switch does not generate traffic, a server/client generates the traffic while a router/switch
forwards the traffic (and does some manipulations to the traffic in appropriate cases).
Proper way to test bandwidth or throughput
Bridge split-horizon usage

Consider the following scenario, you have a bridge and you need to isolate certain bridge ports
from each other. There are options to use a built-in switch chip to isolate certain ports on
certain switch chips, you can use bridge firewall rules to prevent certain ports to be able to
send any traffic to other ports, you can isolate ports in a PVLAN type of setup using port
isolation, but there is also a software based solution to use bridge split-horizon (which disables
hardware offloading on all switch chips).
Configuration
/interface bridge
add name=bridge1
add bridge=bridge1 horizon=1 hw=no interface=ether1
Problem
After setting the bridge split-horizon on each port, you start to notice that each port is still able
to send data between each other. The reason for this is misuse of bridge split-horizon. A bridge
port is only not able to communicate with ports that are in the same horizon, for example,
horizon=1 is not able to communicate with horizon=1, but is able to communicate with
horizon=2, horizon=3 and so on.
Symptoms
 Traffic is being forwarded on different bridge split-horizons
Solution
Set a proper value as the bridge split-horizon. In case you want to isolate each port from each
other (common scenario for PPPoE setups) and each port is only able to communicate with the
bridge port itself, then all ports must be in the same bridge split-horizon.

set [f] horizon=1
Manual:Switch Router
Contents
[hide]
 1Port switching
 2DHCP and NAT
 3VLAN switching
 4Isolated VLANs
Many MikroTik's devices come with a built-in switch chip that can be used to greatly improve
overall throughput when configured properly. Devices with a switch chip can be used as a
router and a switch at the same time, this gives you the possibility to use a single device
instead of multiple devices for your network.
Switch-router topology
Warning: Not all devices are designed to handle large amounts of traffic through the CPU, for
this reason be very careful when designing your network since large amounts of traffic that are
passing through the CPU will overload it. Functions that depend on the CPU (for example, NAT
and DHCP) will not work properly when the CPU is overloaded.
Note: This guide is meant for devices that have a switch chip and are capable of using the
switch chip's VLAN table, make sure that your device has hardware support for this feature,
feature list per switch chip can be found here. For CRS series devices you should check
the CRS Router guide, this guide should be used for devices that don't have a built-in switch
chip as well (should be configured like CRS3xx series switches).
Port switching
For this type of setup to work, you must switch all required ports together:
/interface bridge
DHCP and NAT

Create a VLAN interface for each VLAN ID and assign an IP address on it:
/interface vlan
add interface=bridge1 name=VLAN10 vlan-id=10
add interface=bridge1 name=VLAN20 vlan-id=20
/ip address
Setup a DHCP Server for each VLAN:
/ip pool
add name=POOL10 ranges=192.168.10.100-192.168.10.200
add name=POOL20 ranges=192.168.20.100-192.168.20.200
/ip dhcp-server
add address-pool=POOL10 disabled=no interface=VLAN10 name=DHCP10
add address-pool=POOL20 disabled=no interface=VLAN20 name=DHCP20
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
Enable NAT on the device:
/ip firewall nat

add action=masquerade chain=srcnat out-interface=ether1
VLAN switching
Add each port to the VLAN table and allow these ports to access the CPU in order to make
DHCP and routing to work:

add independent-learning=yes ports=ether2,switch1-cpu switch=switch1
vlan-id=10
add independent-learning=yes ports=ether3,switch1-cpu switch=switch1
vlan-id=20
Specify each port to be as an access port, enable secure VLAN mode on each port and on the
switch1-cpu port:

set ether2 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set ether3 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set switch1-cpu vlan-mode=secure
Isolated VLANs
In case your devices has a rule table, then you can limit access between VLANs on a hardware
level. As soon as you add an IP address on the VLAN interface you enable interVLAN routing,
but this can be limited on a hardware level yet preserving DHCP Server and other router
related services' functionality. To do so, use these ACL rules:

add dst-address=192.168.20.0/24 new-dst-ports="" ports=ether2
switch=switch1
add dst-address=192.168.10.0/24 new-dst-ports="" ports=ether3
switch=switch1
And you are done! With this type of configuration you can achieve isolated port groups using
VLANs.
Vvvvvv
Manual:CRS1xx/2xx VLANs with Trunks
Contents
[hide]
 1Summary
 2Port switching
 3Port trunking
 4Management IP
 5Bonding
 6Port based VLAN
 7Invalid VLAN filtering
 8InterVLAN routing
 9DHCP-Server
 10Jumbo frames
 11See also
Summary
This page will show how to configure multiple switches to use port trunking and port based
VLANs, it will also show a working example with a DHCP-Server, interVLAN routing,
management IP and invalid VLAN filtering configuration.
Warning: This article applies to CRS1xx and CRS2xx series switches and not to CRS3xx
series switches. For a similar setup for CRS3xx series switches you can check the CRS3xx
VLANs with Bonds guide.
CRS1xx/CRS2xx port trunking with port based VLANs
Note: Configuration is written for CRS125-24G-1S and CRS226-24G-2S+, but will work on
other CRS1xx/CRS2xx series switches as well.
In this setup SwitchA and SwitchC will tag all traffic from ports ether3-ether6 to VLAN ID 10,
ether7-ether12 to VLAN ID 20, ether13-ether18 to VLAN ID 30, ether19-ether24 to VLAN ID
40. SwitchB will tag all traffic from ports ether9-ether12 to VLAN ID 10, ether13-ether16 to
VLAN ID 20, ether17-ether20 to VLAN ID 30, ether21-ether24 to VLAN ID 40. Management will
only be possible if user is connecting with tagged traffic with VLAN ID 99. SFP port is not used
in this setup at all, consider disabling it if not being used.
Port switching
All switches in this setup require that all used ports are switched together. Use these
commands on SwitchA, SwitchB, SwitchC:
/interface ethernet
Disable SFP interface for security reasons (in case it is not being used):
/interface ethernet set [find where name~"sfp"] disabled=yes
 In case using RouterOS 6.41+, a bridge must be created instead with disabled RSTP and
IGMP Snooping and no VLAN filtering:
/interface bridge
add name=bridge protocol-mode=none igmp-snooping=no vlan-filtering=no
add bridge=bridge interface=sfp1
Note: If required, it is possible to use STP/RSTP and IGMP Snooping with hardware
offloading, make sure your device supports it.
Port trunking
Port trunking is used when a larger amount of bandwidth is required, this is done by creating a
static link aggregation group, which also provides hardware automatic failover and load
balancing for CRS1xx/CRS2xx series switches. By adding two 1Gbps interfaces to a trunk, you
can increase the theoretical bandwidth limit to 2Gbps. Make sure that all trunked interfaces are
linked to the same speed rates.
Note: CRS1xx/CRS2xx series switches aggregate traffic using the built-in Switch Chip without
using CPU resources, to route the traffic a router with a powerful CPU is required to handle the
aggregated traffic.
To create a 2Gbps port trunk from ether1 and ether2 between SwitchA, SwitchB and SwitchC,
use these commands on SwitchA and SwitchC:
/interface ethernet switch trunk

add member-ports=ether1,ether2 name=trunk-1-2
To create a 4Gbps port trunk from ether1,ether2,ether3,ether4 between SWitchB and the
Router, use these commands on SwitchB:

add member-ports=ether1,ether2,ether3,ether4 name=trunk-1-2-3-4
On SwitchB ether5 and ether6 will be used to connect with SwitchA at 2Gbps and
ether7,ether8 will be used to connect with SwitchC at 2Gbps. Use these command
on SwitchB:

Management IP
It is very useful to create a management interface and assign an IP address to it in order to
preserve access to the switch. This is also very useful when updating your switches since such
traffic to the switch will be blocked when enabling invalid VLAN filtering.
Create a VLAN interface on SwitchA, SwitchB, SwitchC:
/interface vlan
add interface=ether1 name=Vlan99 vlan-id=99
Note: VLAN interface must be created on the master-port interface since it is the only interface
that will be able to communicate the CPU.
For this guide we are going to use these addresses for each device:
Address Device
192.168.99.1 Router
192.168.99.2 SwitchA
192.168.99.3 SwitchB
192.168.99.4 SwitchC
Add an IP address for each device on the VLAN interface (change X to appropriate number):
/ip address
add address=192.168.99.X/24 interface=Vlan99
Don't forget to add the default gateway and specify a DNS server:
/ip route
add gateway=192.168.99.1
/ip dns
set servers=192.168.99.1
Add the IP address on the Router:
/ip address
add address=192.168.99.1/24 interface=Vlan99
Bonding
Unlike CRS1xx/CRS2xx series switches that use the built-in Switch Chip to create a
aggregated link group, a router will use the CPU to create the aggregated link group.
To create a bonding interface for ether1,ether2,ether3,ether4, use these commands on
the Router:
/interface bonding
add mode=balance-xor name=bond1 slaves=ether1,ether2,ether3,ether4\
transmit-hash-policy=layer-2-and-3
Warning: Don't use bonding interfaces on CRS1xx/CRS2xx series devices, bonding interface
does NOT use the built-in Switch Chip to create aggregated link group and will overload the
CPU instantly. For CRS series device use only port trunking.
Now a VLAN interface can be created on the newly created bonding interface for management
and assign an IP address to it, use these commands on the Router:
/interface vlan
add interface=bond1 name=Vlan99 vlan-id=99
/ip address
Port based VLAN

When using port trunks, the main difference is that access ports are now trunk ports and they
should be used in the Egress VLAN tag table, Ingress VLAN translation table and VLAN table
instead of physical Ethernet interfaces.
To create each trunk port as access port, use these commands on SwitchA and SwitchC:

add tagged-ports=trunk-1-2 vlan-id=10
Similarly add entries to the Egress VLAN tag table for SwitchB, use these commands
on SwitchB:

add tagged-ports=trunk-1-2-3-4,trunk-5-6,trunk-7-8 vlan-id=10
Note: Management VLAN ID is not addedd to Egress VLAN tag table since a VLAN interface
has been already created that will only send out tagged traffic either way.
Specify for each Ethernet interface a VLAN ID that will be assigned for a device that uses the
port, use these commands for SwitchA and SwitchC:

add new-customer-vid=10 ports=ether3,ether4,ether5,ether6
add new-customer-vid=20
ports=ether7,ether8,ether9,ether10,ether11,ether12
Similarly specify a VLAN ID for each Ethernet interface on SwitchB, use these commands
on SwitchB:

It is required add allowed VLAN IDs to the VLAN table in order for VLAN filtering to work
properly. Specify each VLAN ID and each port that is allowed to forward a certain VLAN ID.
Use trunk ports instead of physical Ethernet interfaces. Use these commands
on SwitchA and SwitchC:

add ports=trunk-1-2,ether3,ether4,ether5,ether6 vlan-id=10
add ports=trunk-1-2,ether7,ether8,ether9,ether10,ether11,ether12 vlan-
id=20
add ports=trunk-1-2,ether13,ether14,ether15,ether16,ether17,ether18
vlan-id=30
add ports=trunk-1-2,ether19,ether20,ether21,ether22,ether23,ether24
vlan-id=40
add ports=trunk-1-2,switch1-cpu vlan-id=99
Similarly add entries to the VLAN table for SwitchB, use the commands on SwitchB:

add ports=trunk-1-2-3-4,trunk-5-6,trunk-7-
8,ether9,ether10,ether11,ether12 vlan-id=10
add ports=trunk-1-2-3-4,trunk-5-6,trunk-7-8,switch1-cpu vlan-id=99
Note: It is required to specify switch1-cpu port in the VLAN table in order to allow access
the the previously created VLAN interface for management purposes.
Invalid VLAN filtering

If ingress VLAN translation table, egress VLAN tag table and VLAN table is properly set, invalid
VLAN filtering can be enabled, which will drop any other packet that does not a suitable entry
in the VLAN table.
Warning: Double check if port based VLANs are set up properly. If a mistake was made, you
might loose access to the switch and it can only be regained by resetting theconfiguration or by
using the serial console.
To enable invalid VLAN filtering, use these commands on SwitchA, SwitchB, SwitchC:

ports="ether1,ether2,ether3,ether4\
,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13\
,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether2
2,ether23,ether24"
InterVLAN routing
To create InterVLAN routing, VLAN interface for each customer VLAN ID must be created on
the router and must have an IP address assigned to it. The VLAN interface must be created on
the bonding interface created previously.
Use these commands on the Router:
/interface vlan
/ip address
Note: These commands are required for DHCP-Server. In case interVLAN routing is not
desired but a DHCP-Server on a single router is required, then use Firewall Filter to block
access between different subnets.
DHCP-Server
To get the DHCP-Server working for each VLAN ID, the server must be set up on the
previously created VLAN interfaces (one server for each VLAN ID). Preferably each VLAN ID
should have its own subnet and its own IP pool. DNS Server could be specified as the router's
IP address for particular VLAN ID or a global DNS Server could be used, but this address must
be reachable.
To set up the DHCP-Server, use these commands on the Router:
/ip pool
add name=Vlan10_pool ranges=192.168.10.100-192.168.10.200
/ip dhcp-server
add address-pool=Vlan10_pool disabled=no interface=Vlan10
name=Vlan10_DHCP
name=Vlan20_DHCP
name=Vlan30_DHCP
name=Vlan40_DHCP
add address=192.168.10.0/24 dns-server=192.168.10.1
gateway=192.168.10.1
gateway=192.168.20.1
gateway=192.168.30.1
gateway=192.168.40.1
In case the router's DNS Server is being used, don't forget to allow remote requests and make
sure DNS Servers are configured on the router. Use these commands on the Router:
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
Warning: Make sure to secure your local DNS Server with Firewall from the outside when
using allow-remote-requests set to yes since your DNS Server can be used for
DDoS attacks if it is accessible from the Internet by anyone.
Don't forget to create NAT, assuming that sfp-sfpplus1 is used as WAN port, use these
commands on the Router:
/ip firewall nat

add action=masquerade chain=srcnat out-interface=sfp-sfpplus1
Jumbo frames
One can increase the total throughput in such a setup by enabling jumbo frames. This reduces
the packet overhead by increasing the Maximum Transmission Unit (MTU). If a device in your
network does not support jumbo frames, then it will not benefit from a larger MTU. Usually the
whole network does not support jumbo frames, but you can still benefit when sending data
between devices that support jumbo frames, including all switches in the path.
In this case, if clients behind SwitchA and client behind SwitchC supports jumbo frames, then
enabling jumbo frames will be beneficial. Before enabling jumbo frames, determine the MAX-
L2MTU by using this command:
[admin@MikroTik] > /interface> print
# NAME TYPE ACTUAL-MTU L2MTU
MAX-L2MTU
0 R ether1 ether 1500 1580
4064
Note: More information can be found in MTU manual page.
When MAX-L2MTU is determined, choose the MTU size depending on the traffic on your
network, use this command on SwitchA, SwitchB and SwitchC:
/interface ethernet
set [ find ] l2mtu=4064 mtu=4040
Note: Don't forget to change the MTU on your client devices too, otherwise above mentioned
settings will not have any effect.
See also
 Bonding
 CRS examples
 CRS features
 Switch Chip Features
 IP/DNS
 NAT examples
 Firewall filter examples
 VLAN
 MTU on RouterBOARD
Manual:CRS3xx VLANs with Bonds

Contents
[hide]
 1Summary
 2Port switching
 3Bonding
 4Management IP
 5Invalid VLAN filtering
 6InterVLAN routing
 7DHCP-Server
 8Jumbo frames
 9See also
Summary
This page will show how to configure multiple switches to use bonding interfaces and port
based VLANs, it will also show a working example with a DHCP-Server, interVLAN routing,
management IP and invalid VLAN filtering configuration.
Warning: This article applies to CRS3xx series devices and not CRS1xx/CRS2xx. For a
similar setup for CRS1xx/CRS2xx series switches you can check CRS1xx/2xx VLANs with
Trunks guide.
CRS3xx bonds and port based VLANs
Note: For this network topology we will be using two CRS326-24G-2S+, one CRS317-1G-
16S+ and one CCR1072-1G-8S+, but same principles can be applied to any CRS3xx series
devices and a router.
In this setup SwitchA and SwitchC will tag all traffic from ports ether1-ether8 to VLAN ID 10,
ether9-ether16 to VLAN ID 20, ether17-ether24 to VLAN ID 30. Management will only be
possible if user is connecting with tagged traffic with VLAN ID 99 from ether1 on SwitchA or
SwitchB, connecting to all devices will also be possible from the router using tagged traffic with
VLAN ID 99. SFP+ ports in this setup are going to be used as VLAN trunk ports while being in
a bond to create a LAG interface.
Port switching
All switches in this setup require that all used ports are switched together (except for ports that
are going to be part of a bonding interface). Use these commands on SwitchA and SwitchC:
/interface bridge
add name=bridge vlan-filtering=no
Note: If required, it is possible to use STP/RSTP/MSTP and IGMP Snooping with hardware
offloading, make sure your device supports it.
Warning: In this setup vlan-filtering is required, but it should be disabled while you are
setting up the device. If you create a bridge with vlan-filtering enabled at the
beginning, then you might loose access to the switch while you are configuring it. It is
recommended to enable vlan-filtering only when management port and bridge VLAN
table is configured.
Bonding
Bonding interfaces are used when a larger amount of bandwidth is required, this is done by
creating a link aggregation group, which also provides hardware automatic failover and load
balancing for CRS3xx series switches. By adding two 10Gbps interfaces to a bonding, you can
increase the theoretical bandwidth limit to 20Gbps. Make sure that all bonded interfaces are
linked to the same speed rates.
Note: CRS3xx series switches aggregate traffic using the built-in Switch Chip without using
CPU resources, to route the traffic a router with a powerful CPU is required to handle the
aggregated traffic.
To create a 20Gbps bonding interface from sfp-sfpplus1 and sfp-sfpplus2 between SwitchA to
SwitchB and between SwitchC to SwitchB, use these commands on SwitchA and SwitchC:
/interface bonding
add mode=802.3ad name=bond_1-2 slaves=sfp-sfpplus1,sfp-sfpplus2
To create a 40Gbps bonding interface between SwitchB and the Router and 20Gbps bonding
interfaces between SwitchA and SwitchC, use these commands on SwitchB:
/interface bonding
add mode=802.3ad name=bond_5-6-7-8 slaves=sfp-sfpplus5,sfp-
sfpplus6,sfp-sfpplus7,sfp-sfpplus8
When all the bonding interfaces are create, they must be added as a bridge port. Use these
commands on SwitchA and SwitchB:

add bridge=bridge interface=bond_1-2
Add all bonding interfaces to a single bridge on SwitchB by using these commands
on SwitchB:

add bridge=bridge interface=bond_5-6-7-8
In our case the Router needs a software based bonding interface, use these commands
on Router:
/interface bonding
add mode=802.3ad name=bond_1-2-3-4 slaves=sfp-sfpplus1,sfp-
sfpplus2,sfp-sfpplus3,sfp-sfpplus4
Management IP
It is very useful to create a management interface and assign an IP address to it in order to
preserve access to the switch. This is also very useful when updating your switches since such
traffic to the switch will be blocked when enabling invalid VLAN filtering.
Create a VLAN interface on SwitchA, SwitchB and SwitchC:
/interface vlan
add interface=bridge name=MGMT vlan-id=99
The Router needs the VLAN interface to be created on the bonding interface, use these
commands to create a VLAN interface on Router':
/interface vlan
add interface=bond_1-2-3-4 name=MGMT vlan-id=99
Note: VLAN interface must be created on the bridge interface since it is the only interface that
will be able to communicate the CPU.
For this guide we are going to use these addresses for each device:
Address Device
192.168.99.1 Router
192.168.99.2 SwitchA
192.168.99.3 SwitchB
192.168.99.4 SwitchC
Add an IP address for each device on the VLAN interface (change X to appropriate number):
/ip address
add address=192.168.99.X/24 interface=MGMT
Don't forget to add the default gateway and specify a DNS server:
/ip route
add gateway=192.168.99.1
/ip dns
set servers=192.168.99.1
Add the IP address on the Router:
/ip address
Invalid VLAN filtering

Enable ingress traffic filtering for more security, use these commands
on SwitchA, SwitchB and SwitchC:

set [f] ingress-filtering=yes
Since most ports on SwitchA and SwitchC are going to be access ports, you can set all ports to
accept only certain types of packets, in this case we will want SwitchA and SwitchC to only
accept untagged packets, use these commands on SwitchA and SwitchC:

set [f] frame-types=admit-only-untagged-and-priority-tagged
There is an exception for frame types on SwitchA and SwitchB, in this setup access to
management port is required from ether1, bonding interfaces require that only tagged traffic
can be forwarded. Use these commands on SwitchA and SwitchC:

set [find where interface=ether1] frame-types=admit-all
set [find where interface=bond_1-2] frame-types=admit-only-vlan-tagged
On SwitchB only tagged packets should be forwarded, use these commands on SwitchB:

set [f] frame-types=admit-only-vlan-tagged
It is required to setup bridge VLAN table. In this network setup we need to allow VLAN 10 on
ether1-ether8, VLAN 20 on ether9-ether16, VLAN 30 on ether17-ether24, VLAN 10,20,30,99
on bond_1-2 and a special case for ether1 to allow to forward VLAN 99 on SwitchA and
SwitchC. Use these commands on SwitchA and SwitchC:

add bridge=bridge tagged=bond_1-2
untagged=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-
ids=10
untagged=ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16
vlan-ids=20
untagged=ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether2
4 vlan-ids=30
add bridge=bridge tagged=bridge,bond_1-2,ether1 vlan-ids=99
Similarly it is required to setup bridge VLAN table for SwitchB. Use these commands
on SwitchB:

add bridge=bridge tagged=bond_1-2,bond_3-4,bond_5-6-7-8 vlan-
ids=10,20,30
add bridge=bridge tagged=bond_1-2,bond_3-4,bond_5-6-7-8,bridge vlan-
ids=9
When everything is configured, VLAN filtering can be enabled. Use these commands
on SwitchA, SwitchB and SwitchC:
/interface bridge
set bridge vlan-filtering=yes
Warning: Double check if port based VLANs are set up properly. If a mistake was made, you
might loose access to the switch and it can only be regained by resetting the configuration or
by using the serial console.
InterVLAN routing
To create InterVLAN routing, VLAN interface for each customer VLAN ID must be created on
the router and must have an IP address assigned to it. The VLAN interface must be created on
the bonding interface created previously.
Use these commands on the Router:
/interface vlan
add interface=bond_1-2-3-4 name=VLAN10 vlan-id=10
/ip address
Note: These commands are required for DHCP-Server. In case interVLAN routing is not
desired but a DHCP-Server on a single router is required, then use Firewall Filter to block
access between different subnets.
DHCP-Server
To get the DHCP-Server working for each VLAN ID, the server must be set up on the
previously created VLAN interfaces (one server for each VLAN ID). Preferably each VLAN ID
should have its own subnet and its own IP pool. DNS Server could be specified as the router's
IP address for particular VLAN ID or a global DNS Server could be used, but this address must
be reachable.
To set up the DHCP-Server, use these commands on the Router:
/ip pool
add name=VLAN10_POOL ranges=192.168.10.100-192.168.10.200
/ip dhcp-server
add address-pool=VLAN10_POOL disabled=no interface=VLAN10
name=VLAN10_DHCP
name=VLAN20_DHCP
name=VLAN30_DHCP
gateway=192.168.10.1
gateway=192.168.20.1
gateway=192.168.30.1
In case the router's DNS Server is being used, don't forget to allow remote requests and make
sure DNS Servers are configured on the router. Use these commands on the Router:
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
Warning: Make sure to secure your local DNS Server with Firewall from the outside when
using allow-remote-requests set to yes since your DNS Server can be used for
DDoS attacks if it is accessible from the Internet by anyone.
Don't forget to create NAT, assuming that sfp-sfpplus8 is used as WAN port, use these
commands on the Router:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp-sfpplus8
Jumbo frames
One can increase the total throughput in such a setup by enabling jumbo frames. This reduces
the packet overhead by increasing the Maximum Transmission Unit (MTU). If a device in your
network does not support jumbo frames, then it will not benefit from a larger MTU. Usually the
whole network does not support jumbo frames, but you can still benefit when sending data
between devices that support jumbo frames, including all switches in the path.
In this case, if clients behind SwitchA and client behind SwitchC supports jumbo frames, then
enabling jumbo frames will be beneficial. Before enabling jumbo frames, determine the MAX-
L2MTU by using this command:
[admin@MikroTik] > /interface> print

# NAME TYPE ACTUAL-MTU L2MTU
MAX-L2MTU
0 R ether1 ether 1500 1580
4064
Note: More information can be found in MTU manual page.
When MAX-L2MTU is determined, choose the MTU size depending on the traffic on your
network, use this command on SwitchA, SwitchB and SwitchC:
/interface ethernet
set [ find ] l2mtu=4064 mtu=4040
Note: Don't forget to change the MTU on your client devices too, otherwise above mentioned
settings will not have any effect.
See also
 Bonding
 CRS3xx manual
 Switch Chip Features
 IP/DNS
 NAT examples
 Firewall filter examples
 VLAN
 MTU on RouterBOARD
Manual:Interface/Bonding
< Manual:Interface
Applies to RouterOS:v3, v4
Contents
[hide]
 1Summary
 2Specifications
 3Quick Setup Guide
 4Link monitoring
o 4.1ARP Monitoring
o 4.2MII monitoring
 5Bonding modes
o 5.1802.3ad
o 5.2balance-rr
o 5.3active-backup
o 5.4balance-xor
o 5.5broadcast
o 5.6balance-tlb
o 5.7balance-alb
 6Property Description
 7Notes
 8See also
Summary
Bonding is a technology that allows aggregation of multiple ethernet-like interfaces into a single
virtual link, thus getting higher data rates and providing failover.
Specifications
 Packages required: system
 License required: Level1
 Submenu level: /interface bonding
 Standards and Technologies: None
 Hardware usage: Not significant
Quick Setup Guide

Let us assume that we have 2 NICs in each router (Router1 and Router2) and want to get
maximum data rate between 2 routers. To make this possible, follow these steps:
 Make sure that you do not have IP addresses on interfaces which will be enslaved for
bonding interface!
 Add bonding interface on Router1:
[admin@Router1] interface bonding> add slaves=ether1,ether2
And on Router2:
Add addresses to bonding interfaces:
[admin@Router1] ip address> add address=172.16.0.1/24

interface=bonding1
interface=bonding1
Test the link from Router1:
[admin@Router1] interface bonding> /pi 172.16.0.2

Note: bonding interface needs a couple of seconds to get connectivity with its peer.
Link monitoring
It is critical that one of the available link monitoring options is enabled. In the above example, if
one of the bonded links were to fail, the bonding driver will still continue to send packets over
the failed link which will lead to network degradation. Bonding in RouterOS currently supports
two schemes for monitoring a link state of slave devices: MII and ARP monitoring. It is not
possible to use both methods at the same time due to restrictions in the bonding driver.
ARP Monitoring
ARP monitoring sends ARP queries and uses the response as an indication that the link is
operational. This also gives assurance that traffic is actually flowing over the links. If balance-rr
and balance-xor modes are set, then the switch should be configured to evenly distribute
packets across all links. Otherwise all replies from the ARP targets will be received on the
same link which could cause other links to fail. ARP monitoring is enabled by setting three
properties link-monitoring, arp-ip-targets and arp-interval. Meaning of each
option is described later in this article. It is possible to specify multiple ARP targets that can be
useful in High Availability setups. If only one target is set, the target itself may go down. Having
additional targets increases the reliability of the ARP monitoring.
Enable ARP monitoring
[admin@Router1] interface bonding> set 0 link-monitoring=arp arp-ip-

targets=172.16.0.2
targets=172.16.0.1
We will not change arp-interval value in our example, RouterOS sets arp-interval to
100ms by default.
Unplug one of the cables to test if the link monitoring works correctly, you will notice some ping
timeouts until arp monitoring detects link failure.

MII monitoring
MII monitoring monitors only the state of the local interface. MII Type 1 - device driver
determines whether link is up or down. If device driver does not support this option then link will
appear as always up. Main disadvantage is that MII monitoring can't tell if the link can actually
pass packets or not, even if the link is detected as being up.
MII monitoring is configured by setting the variables link-monitoring mode and mii-
interval.
Enable MII Type1 monitoring:
[admin@Router1] interface bonding> set 0 link-monitoring=mii

We will leave mii-interval to it's default value (100ms)

When unplugging one of the cables, the failure will be detected almost instantly compared to
ARP link monitoring.
Bonding modes
802.3ad
802.3ad mode is an IEEE standard also called LACP (Link Aggregation Control Protocol). It
includes automatic configuration of the aggregates, so minimal configuration of the switch is
needed. This standard also mandates that frames will be delivered in order and connections
should not see mis-ordering of packets. The standard also mandates that all devices in the
aggregate must operate at the same speed and duplex mode and works only with MII link
monitoring.
LACP balances outgoing traffic across the active ports based on hashed protocol header
information and accepts incoming traffic from any active port. The hash includes the Ethernet
source and destination address and if available, the VLAN tag, and the IPv4/IPv6 source and
destination address. How this is calculated depends on transmit-hash-policy parameter.
Note: layer-3-and-4 transmit hash mode is not fully compatible with LACP. More details
can be found in https://www.kernel.org/doc/Documentation/networking/bonding.txt
Configuration example
Example connects two ethernet interfaces on a router to the Edimax switch as a single, load
balanced and fault tolerant link. More interfaces can be added to increase throughput and fault
tolerance. Since frame ordering is mandatory on Ethernet links then any traffic between two
devices always flows over the same physical link limiting the maximum speed to that of one
interface. The transmit algorithm attempts to use as much information as it can to distinguish
different traffic flows and balance across the available interfaces.
Router R1 configuration:
/inteface bonding add slaves=ether1,ether2 mode=802.3ad lacp-

rate=30secs link-monitoring=mii-type1 \
Configuration on a switch:
Intelligent Switch : Trunk Configuration

==================
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23
24 M1 M2
1 - v - v - - - - - - - - - - - - - - - - - - -
- - -
2 - - - - - - - - - - - - - - - - - - - - - - -
- - -
3 - - - - - - - - - - - - - - - - - - - - - - -
- - -
4 - - - - - - - - - - - - - - - - - - - - - - -
- - -
5 - - - - - - - - - - - - - - - - - - - - - - -
- - -
6 - - - - - - - - - - - - - - - - - - - - - - -
- - -
7 - - - - - - - - - - - - - - - - - - - - - - -
- - -
TRK1 LACP
TRK2 Disable
TRK3 Disable
TRK4 Disable
TRK5 Disable
TRK6 Disable
TRK7 Disable
Notice that LACP is enabled on first trunk group (TRK1) and switch ports on first trunk group
are bound with 'v' flag. In our case port 2 and port4 will run LACP.
Verify if LACP is working: On the switch we should first verify if LACP protocol is enabled and
running:
Intelligent Switch : LACP Port State Active

Configuration
==================
Port State Activity Port State

Activity
--------------------------- --------------------------
-
2 Active
4 Active
After that we can ensure that LACP negotiated with our router. If you don't see both ports on
the list then something is wrong and LACP is not going to work.
Intelligent Switch : LACP Group Status
==================
Group
[Actor] [Partner]
Priority: 1 65535
MAC : 000E2E2206A9 000C42409426
Port_No Key Priority Active Port_No Key Priority

2 513 1 selected 1 9 255
4 513 1 selected 2 9 255
After we verified that switch successfully negotiated LACP with our router, we can start traffic
from Client1 and Client2 to the Server and check how traffic is evenly forwarded through both
bonding slaves:
[admin@test-host] /interface> monitor-traffic ether1,ether2,bonding1

rx-packets-per-second: 8158 8120 16278
rx-drops-per-second: 0 0 0
rx-errors-per-second: 0 0 0
rx-bits-per-second: 98.8Mbps 98.2Mbps 197.0Mbps
tx-packets-per-second: 4833 4560 9394
tx-drops-per-second: 0 0 0
tx-errors-per-second: 0 0 0
tx-bits-per-second: 2.7Mbps 3.0Mbps 5.8Mbps
Note: On some switches you need to set correct link aggregation protocol, to make balancing
work in both directions
balance-rr
If this mode is set, packets are transmitted in sequential order from the first available slave to
the last.
Balance-rr is the only mode that will send packets across multiple interfaces that belong to the
same TCP/IP connection.
When utilizing multiple sending and multiple receiving links, packets are often received out of
order, which result in segment retransmission, for other protocols such as UDP it is not a
problem if client software can tolerate out-of-order packets.
If switch is used to aggregate links together, then appropriate switch port configuration is
required, however many switches do not support balance-rr.
Quick setup guide demonstrates use of the balance-rr bonding mode. As you can see, it is
quite simple to set up. Balance-rr is also useful for bonding several wireless links, however it
requires equal bandwidth for all bonded links. If bandwidth of one bonded link drops, then total
bandwidth of bond will be equal to the bandwidth of the slowest bonded link.
active-backup
This mode uses only one active slave to transmit packets. The additional slave only becomes
active if the primary slave fails. The MAC address of the bonding interface is presented onto
the active port to avoid confusing the switch. Active-backup is the best choice in high
availability setups with multiple switches that are interconnected.
Note: ARP monitoring in this mode will not work correctly if both routers are directly connected.
In such setups mii-type1 or mii-type2 monitoring must be used or a switch should be put
between routers.
balance-xor
This mode balances outgoing traffic across the active ports based on the hashed protocol
header information and accepts incoming traffic from any active port. Mode is very similar
to LACP except that it is not standardized and works with layer-3-and-4 hash policy.
broadcast
When ports are configured with broadcast mode, all slave ports transmit the same packets to
the destination to provide fault tolerance. This mode does not provide load balancing.
balance-tlb
This mode balances outgoing traffic by peer. Each link can be a different speed and duplex
mode and no specific switch configuration is required as for the other modes. Downside of this
mode is that only MII link monitoring is supported and incoming traffic is not balanced.
Incoming traffic will use the link that is configured as "primary".
Lets assume than router has two links - ether1 max bandwidth is 10Mbps and ether2 max
bandwidth is 5Mbps.
First link has more bandwidth so we set it as primary link
/interface bonding add mode=balance-tlb slaves=ether1,ether2

primary=ether1
No additional configuration is required for the switch.
Image above illustrates how balance-tlb mode works. As you can see router can
communicate to all the clients connected to the switch with a total bandwidth of both links
(15Mbps). But as you already know, balance-tlb is not balancing incoming traffic. In our
example clients can communicate to router with total bandwidth of primary link which is
10Mbps in our configuration.
balance-alb
Mode is basically the same as balance-tlb but incoming traffic is also balanced. Only
additional downside of this mode is that it requires device driver capability to change MAC
address. Most of the cheap cards do not support this mode.
Image above illustrates how balance-alb mode works. Compared to balance-tlb mode,
traffic from clients can also use the secondary link to communicate with the router.
Property Description
Property
arp (disabled | enabled | proxy-arp | reply-only; Default: enabled) A
arp-interval (time; Default: 00:00:00.100) ti

arp-ip-targets (IP address; Default: ) I
a
down-delay (time; Default: 00:00:00) if
o
lacp-rate (1sec | 30secs; Default: 30secs) L
U
c
link-monitoring (arp | mii | none; Default: mii) m
N
mii-interval (time; Default: 00:00:00.100) h
mode (802.3ad | active-backup | balance-alb | balance-rr | balance-tlb | balance-xor | broadcast; Default: balance-rr) S
mtu (integer; Default: 1500) M
name (string; Default: ) d
primary (string; Default: ) I
w
slaves (string; Default: none) a
up-delay (time; Default: 00:00:00) if
V
transmit-hash-policy (layer-2 | layer-2-and-3 | layer-3-and-4; Default: layer-2) S
Notes
Link failure detection and failover is working significantly better with expensive network cards,
for example, made by Intel, then with more cheap ones. On Intel cards for example, failover is
taking place in less than a second after link loss, while on some other cards, it may require up
to 20 seconds. Also, the Active load balancing ( mode=balance-alb ) does not work on some
cheap cards.
L2 MTU of bonding interface is determined by taking smallest value of all slaves.
Manual:Bonding Examples
(Redirected from Bonding Examples)
Contents
[hide]
 1Bonding EoIP tunnels over two wireless links

o 1.1Network Diagram
o 1.2Getting started
o 1.3Test the configuration
o 1.4Link Monitoring
 2See also
Bonding EoIP tunnels over two wireless links

This is an example of aggregating multiple network interfaces into a single pipe. In particular, it
is shown how to aggregate multiple virtual (EoIP) interfaces to get maximum throughput (MT)
with emphasis on availability.
Network Diagram
Two routers R1 and R2 are interconnected via multihop wireless links. Wireless interfaces on
both sides have assigned IP addresses.
Getting started
Bonding could be used only on OSI layer 2 (Ethernet level) connections. Thus we need to
create EoIP interfaces on each of the wireless links. This is done as follows:
 on router R1:
[admin@MikroTik] > /interface eoip add remote-address=10.0.1.1/24

tunnel-id=1
tunnel-id=2
 and on router R2

tunnel-id=1
tunnel-id=2
The second step is to add bonding interface and specify EoIP interfaces as slaves:
 R1:
[admin@MikroTik] > / interface bonding add slaves=eoip-

tunnel1,eoip-tunnel2 mode=balance-rr
 R2
[admin@MikroTik] > / interface bonding add slaves=eoip-

tunnel1,eoip-tunnel2 mode=balance-rr
The last step is to add IP addresses to the bonding interfaces:
 R1:
[admin@MikroTik] > / ip address add address 192.168.0.1/24

interface=bonding1
 R2
[admin@MikroTik] > / ip address add address 192.168.0.2/24

interface=bonding1
Test the configuration

Now two routers are able to reach each other using addresses from the 192.168.0.0/24
network. To verify bonding interface functionality, do the following:
 R1:
[admin@MikroTik] > /interface monitor-traffic eoip-tunnel1,eoip-

tunnel2
 R2
[admin@MikroTik] > /tool bandwidth-test 192.168.0.1

direction=transmit
You should see that traffic is distributed equally across both EoIP interfaces:
[admin@MikroTik] > /int monitor-traffic eoip-tunnel1,eoip-tunnel2

received-packets-per-second: 685 685
received-bits-per-second: 8.0Mbps 8.0Mbps
sent-packets-per-second: 21 20
sent-bits-per-second: 11.9kbps 11.0kbps
-- [Q quit|D dump|C-z pause]
[admin@MikroTik] >
Link Monitoring
It is easy to notice that with the configuration above as soon as any of individual link fails, the
bonding interface throughput collapses. That's because no link monitoring is performed,
consequently, the bonding driver is unaware of problems with the underlying links. Enabling
link monitoring is a must in most bonding configurations. To enable ARP link monitoring, do the
following:
 R1:
[admin@MikroTik] > / interface bonding set bonding1 link-

monitoring=arp arp-ip-targets=192.168.0.2
 R2
[admin@MikroTik] > / interface bonding set bonding1 link-

monitoring=arp arp-ip-targets=192.168.0.1
Manual:Interface/Bonding
< Manual:Interface
Applies to RouterOS:v3, v4
Contents
[hide]
 1Summary
 2Specifications
 3Quick Setup Guide
 4Link monitoring
o 4.1ARP Monitoring
o 4.2MII monitoring
 5Bonding modes
o 5.1802.3ad
o 5.2balance-rr
o 5.3active-backup
o 5.4balance-xor
o 5.5broadcast
o 5.6balance-tlb
o 5.7balance-alb
 6Property Description
 7Notes
 8See also
Summary
Bonding is a technology that allows aggregation of multiple ethernet-like interfaces into a single
virtual link, thus getting higher data rates and providing failover.
Specifications
 Submenu level: /interface bonding
 Standards and Technologies: None
Quick Setup Guide

Let us assume that we have 2 NICs in each router (Router1 and Router2) and want to get
maximum data rate between 2 routers. To make this possible, follow these steps:
 Make sure that you do not have IP addresses on interfaces which will be enslaved for
bonding interface!
 Add bonding interface on Router1:

And on Router2:
Add addresses to bonding interfaces:

interface=bonding1
interface=bonding1
Test the link from Router1:

Note: bonding interface needs a couple of seconds to get connectivity with its peer.
Link monitoring
It is critical that one of the available link monitoring options is enabled. In the above example, if
one of the bonded links were to fail, the bonding driver will still continue to send packets over
the failed link which will lead to network degradation. Bonding in RouterOS currently supports
two schemes for monitoring a link state of slave devices: MII and ARP monitoring. It is not
possible to use both methods at the same time due to restrictions in the bonding driver.
ARP Monitoring
ARP monitoring sends ARP queries and uses the response as an indication that the link is
operational. This also gives assurance that traffic is actually flowing over the links. If balance-rr
and balance-xor modes are set, then the switch should be configured to evenly distribute
packets across all links. Otherwise all replies from the ARP targets will be received on the
same link which could cause other links to fail. ARP monitoring is enabled by setting three
properties link-monitoring, arp-ip-targets and arp-interval. Meaning of each
option is described later in this article. It is possible to specify multiple ARP targets that can be
useful in High Availability setups. If only one target is set, the target itself may go down. Having
additional targets increases the reliability of the ARP monitoring.
Enable ARP monitoring

targets=172.16.0.2
targets=172.16.0.1
We will not change arp-interval value in our example, RouterOS sets arp-interval to
100ms by default.
Unplug one of the cables to test if the link monitoring works correctly, you will notice some ping
timeouts until arp monitoring detects link failure.

MII monitoring
MII monitoring monitors only the state of the local interface. MII Type 1 - device driver
determines whether link is up or down. If device driver does not support this option then link will
appear as always up. Main disadvantage is that MII monitoring can't tell if the link can actually
pass packets or not, even if the link is detected as being up.
MII monitoring is configured by setting the variables link-monitoring mode and mii-
interval.
Enable MII Type1 monitoring:

We will leave mii-interval to it's default value (100ms)

When unplugging one of the cables, the failure will be detected almost instantly compared to
ARP link monitoring.
Bonding modes
802.3ad
802.3ad mode is an IEEE standard also called LACP (Link Aggregation Control Protocol). It
includes automatic configuration of the aggregates, so minimal configuration of the switch is
needed. This standard also mandates that frames will be delivered in order and connections
should not see mis-ordering of packets. The standard also mandates that all devices in the
aggregate must operate at the same speed and duplex mode and works only with MII link
monitoring.
LACP balances outgoing traffic across the active ports based on hashed protocol header
information and accepts incoming traffic from any active port. The hash includes the Ethernet
source and destination address and if available, the VLAN tag, and the IPv4/IPv6 source and
destination address. How this is calculated depends on transmit-hash-policy parameter.
Note: layer-3-and-4 transmit hash mode is not fully compatible with LACP. More details
can be found in https://www.kernel.org/doc/Documentation/networking/bonding.txt
Example connects two ethernet interfaces on a router to the Edimax switch as a single, load
balanced and fault tolerant link. More interfaces can be added to increase throughput and fault
tolerance. Since frame ordering is mandatory on Ethernet links then any traffic between two
devices always flows over the same physical link limiting the maximum speed to that of one
interface. The transmit algorithm attempts to use as much information as it can to distinguish
different traffic flows and balance across the available interfaces.
Router R1 configuration:
/inteface bonding add slaves=ether1,ether2 mode=802.3ad lacp-

rate=30secs link-monitoring=mii-type1 \
Configuration on a switch:
Intelligent Switch : Trunk Configuration

==================
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23
24 M1 M2
1 - v - v - - - - - - - - - - - - - - - - - - -
- - -
2 - - - - - - - - - - - - - - - - - - - - - - -
- - -
3 - - - - - - - - - - - - - - - - - - - - - - -
- - -
4 - - - - - - - - - - - - - - - - - - - - - - -
- - -
5 - - - - - - - - - - - - - - - - - - - - - - -
- - -
6 - - - - - - - - - - - - - - - - - - - - - - -
- - -
7 - - - - - - - - - - - - - - - - - - - - - - -
- - -
TRK1 LACP
TRK2 Disable
TRK3 Disable
TRK4 Disable
TRK5 Disable
TRK6 Disable
TRK7 Disable
Notice that LACP is enabled on first trunk group (TRK1) and switch ports on first trunk group
are bound with 'v' flag. In our case port 2 and port4 will run LACP.
Verify if LACP is working: On the switch we should first verify if LACP protocol is enabled and
running:
Intelligent Switch : LACP Port State Active

Configuration
==================
Port State Activity Port State
Activity
--------------------------- --------------------------
-
2 Active
4 Active
After that we can ensure that LACP negotiated with our router. If you don't see both ports on
the list then something is wrong and LACP is not going to work.
Intelligent Switch : LACP Group Status

==================
Group
[Actor] [Partner]
Priority: 1 65535
MAC : 000E2E2206A9 000C42409426
Port_No Key Priority Active Port_No Key Priority

2 513 1 selected 1 9 255
4 513 1 selected 2 9 255
After we verified that switch successfully negotiated LACP with our router, we can start traffic
from Client1 and Client2 to the Server and check how traffic is evenly forwarded through both
bonding slaves:
[admin@test-host] /interface> monitor-traffic ether1,ether2,bonding1

rx-packets-per-second: 8158 8120 16278
rx-drops-per-second: 0 0 0
rx-errors-per-second: 0 0 0
rx-bits-per-second: 98.8Mbps 98.2Mbps 197.0Mbps
tx-packets-per-second: 4833 4560 9394
tx-drops-per-second: 0 0 0
tx-errors-per-second: 0 0 0
tx-bits-per-second: 2.7Mbps 3.0Mbps 5.8Mbps
Note: On some switches you need to set correct link aggregation protocol, to make balancing
work in both directions
balance-rr
If this mode is set, packets are transmitted in sequential order from the first available slave to
the last.
Balance-rr is the only mode that will send packets across multiple interfaces that belong to the
same TCP/IP connection.
When utilizing multiple sending and multiple receiving links, packets are often received out of
order, which result in segment retransmission, for other protocols such as UDP it is not a
problem if client software can tolerate out-of-order packets.
If switch is used to aggregate links together, then appropriate switch port configuration is
required, however many switches do not support balance-rr.
Quick setup guide demonstrates use of the balance-rr bonding mode. As you can see, it is
quite simple to set up. Balance-rr is also useful for bonding several wireless links, however it
requires equal bandwidth for all bonded links. If bandwidth of one bonded link drops, then total
bandwidth of bond will be equal to the bandwidth of the slowest bonded link.
active-backup
This mode uses only one active slave to transmit packets. The additional slave only becomes
active if the primary slave fails. The MAC address of the bonding interface is presented onto
the active port to avoid confusing the switch. Active-backup is the best choice in high
availability setups with multiple switches that are interconnected.
Note: ARP monitoring in this mode will not work correctly if both routers are directly connected.
In such setups mii-type1 or mii-type2 monitoring must be used or a switch should be put
between routers.
balance-xor
This mode balances outgoing traffic across the active ports based on the hashed protocol
header information and accepts incoming traffic from any active port. Mode is very similar
to LACP except that it is not standardized and works with layer-3-and-4 hash policy.
broadcast
When ports are configured with broadcast mode, all slave ports transmit the same packets to
the destination to provide fault tolerance. This mode does not provide load balancing.
balance-tlb
This mode balances outgoing traffic by peer. Each link can be a different speed and duplex
mode and no specific switch configuration is required as for the other modes. Downside of this
mode is that only MII link monitoring is supported and incoming traffic is not balanced.
Incoming traffic will use the link that is configured as "primary".
Lets assume than router has two links - ether1 max bandwidth is 10Mbps and ether2 max
bandwidth is 5Mbps.
First link has more bandwidth so we set it as primary link
/interface bonding add mode=balance-tlb slaves=ether1,ether2

primary=ether1
No additional configuration is required for the switch.
Image above illustrates how balance-tlb mode works. As you can see router can
communicate to all the clients connected to the switch with a total bandwidth of both links
(15Mbps). But as you already know, balance-tlb is not balancing incoming traffic. In our
example clients can communicate to router with total bandwidth of primary link which is
10Mbps in our configuration.
balance-alb
Mode is basically the same as balance-tlb but incoming traffic is also balanced. Only
additional downside of this mode is that it requires device driver capability to change MAC
address. Most of the cheap cards do not support this mode.
Image above illustrates how balance-alb mode works. Compared to balance-tlb mode,
traffic from clients can also use the secondary link to communicate with the router.
Property
arp (disabled | enabled | proxy-arp | reply-only; Default: enabled) A
arp-interval (time; Default: 00:00:00.100) ti

arp-ip-targets (IP address; Default: ) I
a
down-delay (time; Default: 00:00:00) if
o
lacp-rate (1sec | 30secs; Default: 30secs) L
U
c
link-monitoring (arp | mii | none; Default: mii) m
N
mii-interval (time; Default: 00:00:00.100) h
mode (802.3ad | active-backup | balance-alb | balance-rr | balance-tlb | balance-xor | broadcast; Default: balance-rr) S
mtu (integer; Default: 1500) M

name (string; Default: ) d
primary (string; Default: ) I
w
slaves (string; Default: none) a
up-delay (time; Default: 00:00:00) if
V
transmit-hash-policy (layer-2 | layer-2-and-3 | layer-3-and-4; Default: layer-2) S
Notes
Link failure detection and failover is working significantly better with expensive network cards,
for example, made by Intel, then with more cheap ones. On Intel cards for example, failover is
taking place in less than a second after link loss, while on some other cards, it may require up
to 20 seconds. Also, the Active load balancing ( mode=balance-alb ) does not work on some
cheap cards.
L2 MTU of bonding interface is determined by taking smallest value of all slaves.
Manual:IP/DNS
< Manual:IP
Applies to RouterOS:v4.6
DNS cache is used to minimize DNS requests to an external DNS server as well as to
minimize DNS resolution time. This is a simple DNS cache with local items.
Contents
[hide]
 1Specifications
 2Description
 3DNS Cache Setup
o 3.1Properties
o 3.2Example
 4Cache Monitoring
o 4.1Description
o 4.2Property Description
 5All DNS Entries
o 5.1Description
 6Static DNS Entries
o 6.1Description
o 6.3Notes
 7Flushing DNS cache
o 7.2Example
 8See Also
Specifications
 Submenu level: /ip dns
 Standards and Technologies: DNS
Description
A MikroTik router with DNS feature enabled can be set as a DNS server for any DNS-
compliant client. Moreover, MikroTik router can be specified as a primary DNS server under its
dhcp-server settings. When the remote requests are enabled, the MikroTik router responds to
TCP and UDP DNS requests on port 53.
DNS Cache Setup

Sub-menu: /ip dns
DNS facility is used to provide domain name resolution for router itself as well as for the clients
connected to it.
Properties
Property
allow-remote-requests (yes | no; Default: no) Specifies whether to allow
cache-max-ttl (time; Default: 1w) Maximum time-to-live for

received from DNS servers
cache-size (integer[64..4294967295]; Default: 2048) Specifies the size of DNS c
max-concurrent-queries (integer; Default: 100) Specifies how much concu
max-concurrent-tcp-sessions (integer; Default: 20) Specifies how much concu
max-udp-packet-size (integer [50..65507]; Default: 4096) Maximum size of allowed
query-server-timeout (time; Default: 2s) Specifies how long to wait
query-total-timeout (time; Default: 10s) Specifies how long to wait

timeout and number of
servers (list of IPv4/IPv6 addresses; Default: ) List of DNS server IPv4/IPv
Read-only Properties
Property
cache-used (integer) Shows the currently used

dynamic-server (IPv4/IPv6 list) List of dynamically added
When both static and dynamic servers are set, static server entries are more preferred,
however it does not indicate that static server will always be used (for example, previously
query was received from dynamic server, but static was added later, then dynamic entry will be
preferred).
Note: If allow-remote-requests is used make sure that you limit access to your server over
TCP and UDP protocol.
Example
To set 159.148.60.2 as the primary DNS server and allow the router to be used as a DNS
server, do the following:
[admin@MikroTik] ip dns> set servers=159.148.60.2 \

\... allow-remote-requests=yes
[admin@MikroTik] ip dns> print
servers: 159.148.60.2
allow-remote-requests: yes
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 7KiB
[admin@MikroTik] ip dns>
Cache Monitoring
 Submenu level: /ip dns cache
Description
This menu provides a list with all address (DNS type "A") records stored on the server
Property Desciption
address (read-only: IP address) IP address of the host
name (read-only: name) DNS name of the host

ttl (read-only: time) remaining time-to-live for the record
All DNS Entries

 Submenu level: /ip dns cache all
Description
This menu provides a complete list with all DNS records stored on the server
Property Desciption
data (read-only: DNS data field. IP address for type "A" records. Other record types may have
text) different contents of the data field (like hostname or arbitrary text)
name (read-only: DNS name of the host

name)
ttl (read-only: remaining time-to-live for the record

time)
type (read-only: DNS record type

text)
Static DNS Entries

 Submenu level: /ip dns static
Description
The MikroTik RouterOS has an embedded DNS server feature in DNS cache. It allows you to
link the particular domain names with the respective IP addresses and advertize these links to
the DNS clients using the router as their DNS server. This feature can also be used to provide
fake DNS information to your network clients. For example, resolving any DNS request for a
certain set of domains (or for the whole Internet) to your own page.
The server is capable of resolving DNS requests based on POSIX basic regular expressions,
so that multiple requets can be matched with the same entry. In case an entry does not
conform with DNS naming standards, it is considered a regular expression and marked with ‘R’
flag. The list is ordered and is checked from top to bottom. Regular expressions are checked
first, then the plain records.
Property Desciption
address (IP address) IP address to resolve domain name with
name (text) DNS name to be resolved to a given IP address.

regex (text) DNS regex
ttl (time) time-to-live of the DNS record
Notes
Reverse DNS lookup (Address to Name) of the regular expression entries is not possible. You
can, however, add an additional plain record with the same IP address and specify some name
for it.
Remember that the meaning of a dot (.) in regular expressions is any character, so the
expression should be escaped properly. For example, if you need to match anything within
example.com domain but not all the domains that just end with example.com,
like www.another-example.com, use name=".*\\.example\\.com"
Regular expression matching is significantly slower than of the plain entries, so it is advised to
minimize the number of regular expression rules and optimize the expressions themselves.
Example
To add a static DNS entry for www.example.com to be resolved to 10.0.0.1 IP address:
[admin@MikroTik] ip dns static> add name=www.example.com

address=10.0.0.1
[admin@MikroTik] ip dns static> print
Flags: D - dynamic, X - disabled, R - regexp
# NAME ADDRESS TTL
0 www.example.com 10.0.0.1 1d
[admin@MikroTik] ip dns static>
Or use regex to match DNS requests:
[admin@MikroTik] ip dns static> add regexp="[*example*]"

address=10.0.0.2
For more information how to use regex, read wiki page below.
Flushing DNS cache

 Command name: /ip dns cache flush
Command Description
Command Desciption
flush clears internal DNS cache
Example
[admin@MikroTik] ip dns> cache flush
[admin@MikroTik] ip dns> print
servers: 159.148.60.2
allow-remote-requests: yes
cache-size: 2048 KiB
cache-max-ttl: 1w
cache-used: 10 KiB
[admin@MikroTik] ip dns>
egular Expressions/POSIX Basic Regular

Expressions
< Regular Expressions
Jump to navigationJump to search

The POSIX Basic Regular Expression (BRE) syntax provided extensions to achieve
consistency between utility programs such as grep, sed and awk. These extensions are not
supported by some traditional implementations of Unix tools.
Contents
 1History
 2Syntax
 3Character classes
 4Collating symbols
 5Equivalence classes
 6External links
 7Use in Tools
History[edit]
Traditional Unix regular expression syntax followed common conventions that often differed
from tool to tool. The POSIX Basic Regular Expressions syntax was developed by the IEEE,
together with an extended variant called Extended Regular Expression syntax. These
standards were designed mostly to provide backward compatibility with the traditional Simple
Regular Expressions syntax, providing a common standard which has since been adopted as
the default syntax of many Unix regular expression tools.
Syntax[edit]
In POSIX Basic Regular Expression syntax, most characters are treated as literals — they
match only themselves (e.g., a matches "a"). The exceptions, listed below, are
called metacharacters or metasequences.
Metacharacter Description
. Matches any single character (many applications exclude newlines, and exactly
which characters are considered newlines is flavor, character encoding, and
platform specific, but it is safe to assume that the line feed character is included).
Within POSIX bracket expressions, the dot character matches a literal dot. For
example, a.c matches "abc", etc., but [a.c] matches only "a", ".", or "c".
[ ] A bracket expression. Matches a single character that is contained within the

brackets. For example, [abc] matches "a", "b", or "c", and [a-z] specifies a
range which matches any lowercase letter from "a" to "z". These forms can be
mixed: [abcx-z] matches "a", "b", "c", "x", "y", or "z", as does [a-cx-z] .
The - character is treated as a literal character if it is the last or the first character
within the brackets: [abc-] , [-abc] . The ] character can be included in a
bracket expression if it is the first character: []abc] . The bracket expression may
also contain character classes, equivalence classes, and collating characters.
[^ ] Matches a single character that is not contained within the brackets. For
example, [âbc] matches any character other than "a", "b", or "c", and [â-
z] matches any single character that is not a lowercase letter from "a" to "z".
These forms can be mixed: [âbcx-z] matches any character other than "a",
"b", "c", "x", "y", or "z".
The - character is treated as a literal character if it is the last character or the first
characted after ^ : [âbc-] , [^-abc] . The ] character is treated as a literal
character if it is the first character after ^ : [^]abc] . The expression may also
contain character classes, equivalence classes, and collating characters.
^ Matches the starting position within the string, if it is the first character of the
regular expression.
$ Matches the ending position of the string, if it is the last character of the regular
expression.
* Matches the preceding element zero or more times. For example, ab*c matches
"ac", "abc", "abbbc", etc. [xyz]* matches "", "x", "y", "z", "zx", "zyx", "xyzzy",
and so on.
BRE: \{m\} Matches the preceding element exactly m times. For example, a\{3\} matches
ERE: {m} only "aaa".
BRE: \{m,\} Matches the preceding element at least m times. For example, a\{3,\} matches
ERE: {m,} "aaa", "aaaa", "aaaaa", "aaaaaa", "aaaaaaa", and so on.
BRE: \{m,n\} Matches the preceding element at least m and not more than n times. For
ERE: {m,n} example, a\{3,5\} matches only "aaa", "aaaa", and "aaaaa". This is not found
in a few older instances of regular expressions.
BRE:  Defines a subexpression. It is treated as a single element. For
ERE: ( ) example, ab* matches "a", "ab", "abb" and so on, while $ab$* matches "",
"ab", "abab", "ababab", and so on. The string matched within the parentheses can
be recalled later (see the next entry, \n ). A subexpression is also called a marked
subexpression, a block or a capturing group.
BRE only: \n Matches what the nth marked subexpression matched, where n is a digit from 1 to
9. This construct is theoretically irregular (an expression with this construct does
not obey the mathematical definition of regular expression), and was not adopted
in the POSIX ERE syntax.
Examples:
 .at matches any three-character string ending with "at", including "hat", "cat", and "bat".
 [hc]at matches "hat" and "cat".
 [^b]at matches all strings matched by .at except "bat".
 ^[hc]at matches "hat" and "cat", but only at the beginning of the string or line.
 [hc]at$ matches "hat" and "cat", but only at the end of the string or line.
 \[.\] matches any single character surrounded by "[" and "]" since the brackets are
escaped, for example: "[a]" and "[b]".
Character classes[edit]
The POSIX standard defines some classes or categories of characters as shown below. These
classes are used within brackets.
POSIX class similar to meaning
[:upper:] [A-Z] uppercase letters
[:lower:] [a-z] lowercase letters
[:alpha:] [A-Za-z] upper- and lowercase letters
[:digit:] [0-9] digits
[:xdigit:] [0-9A-Fa-f] hexadecimal digits
[:alnum:] [A-Za-z0-9] digits, upper- and lowercase letters
[:punct:] punctuation (all graphic characters except letters and digits)

[:blank:] [ \t] space and TAB characters only
[:space:] [ \t\n\r\f\v] blank (whitespace) characters
[:cntrl:] control characters
[:graph:] [^ [:cntrl:]] graphic characters (all characters which have graphic representation)
[:print:] [[:graph] ] graphic characters and space
For example,
 a[[:digit:]]b matches "a0b", "a1b", ..., "a9b".

 a[:digit:]b is an error: character classes must be in brackets
 [[:digit:]abc] matches any digit, "a", "b", and "c".
 [abc[:digit:]] is the same as above
 [ÂBZ[:lower:]] matches any character except lowercase letters, A, B, and Z.
Collating symbols[edit]
Collating symbols, like character classes, are used in brackets and have the form [.ch.] .
Here ch is a digraph. Collating systems are defined by the locale.
Equivalence classes[edit]
Equivalence classes, like character classes and collating symbols, are used in brackets and
have the form [=a=] . They stand for any character which is equivalent to the given. According
to the standard[1],
For example, if 'a', 'à', and 'â' belong to the same equivalence class, then "[[=a=]b]", "[[=à=]b]",
and "[[=â=]b]" are each equivalent to "[aàâb]".
Equivalence classes, like collating symbols, are defined by the locale.
9. Regular Expressions
Regular Expressions (REs) provide a mechanism to select specific strings from a set of
character strings.
Regular expressions are a context-independent syntax that can represent a wide

variety of character sets and character set orderings, where these character sets are
interpreted according to the current locale. While many regular expressions can be
interpreted differently depending on the current locale, many features, such as
character class expressions, provide for contextual invariance across locales.
The Basic Regular Expression (BRE) notation and construction rules in Basic Regular
Expressions shall apply to most utilities supporting regular expressions. Some utilities,
instead, support the Extended Regular Expressions (ERE) described in Extended
Regular Expressions; any exceptions for both cases are noted in the descriptions of the
specific utilities using regular expressions. Both BREs and EREs are supported by the
Regular Expression Matching interface in the System Interfaces volume of
IEEE Std 1003.1-2001 under regcomp(), regexec(), and related functions.
9.1 Regular Expression Definitions

For the purposes of this section, the following definitions shall apply:
entire regular expression
The concatenated set of one or more BREs or EREs that make up the pattern specified
for string selection.
matched
A sequence of zero or more characters shall be said to be matched by a BRE or ERE

when the characters in the sequence correspond to a sequence of characters defined
by the pattern.
Matching shall be based on the bit pattern used for encoding the character, not on the
graphic representation of the character. This means that if a character set contains two
or more encodings for a graphic symbol, or if the strings searched contain text
encoded in more than one codeset, no attempt is made to search for any other
representation of the encoded symbol. If that is required, the user can specify
equivalence classes containing all variations of the desired graphic symbol.
The search for a matching sequence starts at the beginning of a string and stops when
the first sequence matching the expression is found, where "first" is defined to mean
"begins earliest in the string". If the pattern permits a variable number of matching
characters and thus there is more than one such sequence starting at that point, the
longest such sequence is matched. For example, the BRE "bb*" matches the second to
fourth characters of the string "abbbc", and the
ERE "(wee|week)(knights|night)" matches all ten characters of the
string "weeknights".
Consistent with the whole match being the longest of the leftmost matches, each
subpattern, from left to right, shall match the longest possible string. For this purpose,
a null string shall be considered to be longer than no match at all. For example,
matching the BRE "$.*$.*" against "abcdef", the
subexpression "(\1)" is "abcdef", and matching the BRE "$a*$*" against "bc", the
subexpression "(\1)" is the null string.
When a multi-character collating element in a bracket expression (see RE Bracket

Expression) is involved, the longest sequence shall be measured in characters
consumed from the string to be matched; that is, the collating element counts not as
one element, but as the number of characters it matches.
BRE (ERE) matching a single character
A BRE or ERE that shall match either a single character or a single collating element.
Only a BRE or ERE of this type that includes a bracket expression (see RE Bracket
Expression) can match a collating element.
BRE (ERE) matching multiple characters
A BRE or ERE that shall match a concatenation of single characters or collating

elements.
Such a BRE or ERE is made up from a BRE (ERE) matching a single character and BRE
(ERE) special characters.
invalid
This section uses the term "invalid" for certain constructs or conditions. Invalid REs
shall cause the utility or function using the RE to generate an error condition. When
invalid is not used, violations of the specified syntax or semantics for REs produce
undefined results: this may entail an error, enabling an extended syntax for that RE, or
using the construct in error as literal characters to be matched. For example, the BRE
construct "\{1,2,3\}" does not comply with the grammar. A conforming application
cannot rely on it producing an error nor matching the literal characters "\{1,2,3\}".
9.2 Regular Expression General Requirements

The requirements in this section shall apply to both basic and extended regular
expressions.
The use of regular expressions is generally associated with text processing. REs (BREs
and EREs) operate on text strings; that is, zero or more characters followed by an end-
of-string delimiter (typically NUL). Some utilities employing regular expressions limit
the processing to lines; that is, zero or more characters followed by a <newline>. In
the regular expression processing described in IEEE Std 1003.1-2001, the <newline>
is regarded as an ordinary character and both a period and a non-matching list can
match one. The Shell and Utilities volume of IEEE Std 1003.1-2001 specifies within the
individual descriptions of those standard utilities employing regular expressions
whether they permit matching of <newline>s; if not stated otherwise, the use of literal
<newline>s or any escape sequence equivalent produces undefined results. Those
utilities (like grep) that do not allow <newline>s to match are responsible for
eliminating any <newline> from strings before matching against the RE.
The regcomp() function in the System Interfaces volume of IEEE Std 1003.1-2001,
however, can provide support for such processing without violating the rules of this
section.
The interfaces specified in IEEE Std 1003.1-2001 do not permit the inclusion of a NUL
character in an RE or in the string to be matched. If during the operation of a standard
utility a NUL is included in the text designated to be matched, that NUL may designate
the end of the text string for the purposes of matching.
When a standard utility or function that uses regular expressions specifies that pattern
matching shall be performed without regard to the case (uppercase or lowercase) of
either data or patterns, then when each character in the string is matched against the
pattern, not only the character, but also its case counterpart (if any), shall be
matched. This definition of case-insensitive processing is intended to allow matching of
multi-character collating elements as well as characters, as each character in the string
is matched using both its cases. For example, in a locale where "Ch" is a multi-
character collating element and where a matching list expression matches such
elements, the RE "[[.Ch.]]" when matched against the string "char" is in reality
matched against "ch", "Ch", "cH", and "CH".
The implementation shall support any regular expression that does not exceed 256
bytes in length.
9.3 Basic Regular Expressions

9.3.1 BREs Matching a Single Character or Collating Element
A BRE ordinary character, a special character preceded by a backslash, or a period

shall match a single character. A bracket expression shall match a single character or a
single collating element.
9.3.2 BRE Ordinary Characters
An ordinary character is a BRE that matches itself: any character in the supported
character set, except for the BRE special characters listed in BRE Special Characters.
The interpretation of an ordinary character preceded by a backslash ( '\' ) is

undefined, except for:
 The characters ')', '(', '{', and '}'

 The digits 1 to 9 inclusive (see BREs Matching Multiple Characters)
 A character inside a bracket expression
9.3.3 BRE Special Characters
A BRE special character has special properties in certain contexts. Outside those
contexts, or when preceded by a backslash, such a character is a BRE that matches
the special character itself. The BRE special characters and the contexts in which they
have their special meaning are as follows:
.[\
The period, left-bracket, and backslash shall be special except when used in a
bracket expression (see RE Bracket Expression). An expression containing
a '[' that is not preceded by a backslash and is not part of a bracket
expression produces undefined results.
*
The asterisk shall be special except when used:

 In a bracket expression
 As the first character of an entire BRE (after an initial '^', if any)
 As the first character of a subexpression (after an initial '^', if any);
see BREs Matching Multiple Characters
The circumflex shall be special when used as:
 An anchor (see BRE Expression Anchoring)

 The first character of a bracket expression (see RE Bracket Expression)
The dollar sign shall be special when used as an anchor.
9.3.4 Periods in BREs
A period ( '.' ), when used outside a bracket expression, is a BRE that shall match
any character in the supported character set except NUL.
9.3.5 RE Bracket Expression
A bracket expression (an expression enclosed in square brackets, "[]" ) is an RE that

shall match a single collating element contained in the non-empty set of collating
elements represented by the bracket expression.
The following rules and definitions apply to bracket expressions:
1. A bracket expression is either a matching list expression or a non-matching list

expression. It consists of one or more expressions: collating elements, collating
symbols, equivalence classes, character classes, or range expressions. The
right-bracket ( ']' ) shall lose its special meaning and represent itself in a
bracket expression if it occurs first in the list (after an initial circumflex ( '^' ),
if any). Otherwise, it shall terminate the bracket expression, unless it appears
in a collating symbol (such as "[.].]" ) or is the ending right-bracket for a
collating symbol, equivalence class, or character class. The special
characters '.', '*', '[', and '\' (period, asterisk, left-bracket, and backslash,
respectively) shall lose their special meaning within a bracket expression.
The character sequences "[.", "[=", and "[:" (left-bracket followed by a

period, equals-sign, or colon) shall be special inside a bracket expression and
are used to delimit collating symbols, equivalence class expressions, and
character class expressions. These symbols shall be followed by a valid
expression and the matching terminating sequence ".]", "=]", or ":]", as
described in the following items.
2. A matching list expression specifies a list that shall match any single-character
collating element in any of the expressions represented in the list. The first
character in the list shall not be the circumflex; for example, "[abc]" is an RE
that matches any of the characters 'a', 'b', or 'c'. It is unspecified whether a
matching list expression matches a multi-character collating element that is
matched by one of the expressions.
3. A non-matching list expression begins with a circumflex ( '^' ), and specifies a
list that shall match any single-character collating element except for the
expressions represented in the list after the leading circumflex. For
example, "[âbc]" is an RE that matches any character except the
characters 'a', 'b', or 'c'. It is unspecified whether a non-matching list
expression matches a multi-character collating element that is not matched by
any of the expressions. The circumflex shall have this special meaning only
when it occurs first in the list, immediately following the left-bracket.
4. A collating symbol is a collating element enclosed within bracket-period
( "[." and ".]" ) delimiters. Collating elements are defined as described
in Collation Order. Conforming applications shall represent multi-character
collating elements as collating symbols when it is necessary to distinguish them
from a list of the individual characters that make up the multi-character
collating element. For example, if the string "ch" is a collating element defined
using the line:
5. collating-element <ch-digraph> from "<c><h>"
6.
in the locale definition, the expression "[[.ch.]]" shall be treated as an RE

containing the collating symbol 'ch', while "[ch]" shall be treated as an RE
matching 'c' or 'h'. Collating symbols are recognized only inside bracket
expressions. If the string is not a collating element in the current locale, the
expression is invalid.
7. An equivalence class expression shall represent the set of collating elements

belonging to an equivalence class, as described in Collation Order. Only primary
equivalence classes shall be recognized. The class shall be expressed by
enclosing any one of the collating elements in the equivalence class within
bracket-equal ( "[=" and "=]" ) delimiters. For example, if 'a', 'à',
and 'â' belong to the same equivalence class, then "[[=a=]b]", "[[=à=]b]",
and "[[=â=]b]" are each equivalent to "[aàâb]". If the collating element does
not belong to an equivalence class, the equivalence class expression shall be
treated as a collating symbol.
8. A character class expression shall represent the union of two sets:
a. The set of single-character collating elements whose characters belong
to the character class, as defined in the LC_CTYPE category in the
current locale.
b. An unspecified set of multi-character collating elements.
All character classes specified in the current locale shall be recognized. A

character class expression is expressed as a character class name enclosed
within bracket-colon ( "[:" and ":]" ) delimiters.
The following character class expressions shall be supported in all locales:
[:alnum:] [:cntrl:] [:lower:] [:space:]

[:alpha:] [:digit:] [:print:] [:upper:]
[:blank:] [:graph:] [:punct:] [:xdigit:]
In addition, character class expressions of the form:
[:name:]
are recognized in those locales where the name keyword has been given
a charclass definition in the LC_CTYPE category.
9. In the POSIX locale, a range expression represents the set of collating elements
that fall between two elements in the collation sequence, inclusive. In other
locales, a range expression has unspecified behavior: strictly conforming
applications shall not rely on whether the range expression is valid, or on the
set of collating elements matched. A range expression shall be expressed as the
starting point and the ending point separated by a hyphen ( '-' ).
In the following, all examples assume the POSIX locale.
The starting range point and the ending range point shall be a collating element
or collating symbol. An equivalence class expression used as a starting or
ending point of a range expression produces unspecified results. An equivalence
class can be used portably within a bracket expression, but only outside the
range. If the represented set of collating elements is empty, it is unspecified
whether the expression matches nothing, or is treated as invalid.
The interpretation of range expressions where the ending range point is also the
starting range point of a subsequent range expression (for example, "[a-m-
o]" ) is undefined.
The hyphen character shall be treated as itself if it occurs first (after an

initial '^', if any) or last in the list, or as an ending range point in a range
expression. As examples, the expressions "[-ac]" and "[ac-]" are equivalent
and match any of the characters 'a', 'c', or '-' ; "[^-ac]" and "[âc-]" are
equivalent and match any characters except 'a', 'c', or '-' ; the
expression "[%--]" matches any of the characters between '%' and '-
' inclusive; the expression "[--@]" matches any of the characters between '-
' and '@' inclusive; and the expression "[a--@]" is either invalid or equivalent
to '@', because the letter 'a' follows the symbol '-' in the POSIX locale. To
use a hyphen as the starting range point, it shall either come first in the bracket
expression or be specified as a collating symbol; for example, "[][.-.]-0]",
which matches either a right bracket or any character or collating element that
collates between hyphen and 0, inclusive.
If a bracket expression specifies both '-' and ']', the ']' shall be placed first
(after the '^', if any) and the '-' last within the bracket expression.
9.3.6 BREs Matching Multiple Characters
The following rules can be used to construct BREs matching multiple characters from
BREs matching a single character:
1. The concatenation of BREs shall match the concatenation of the strings
matched by each component of the BRE.
2. A subexpression can be defined within a BRE by enclosing it between the
character pairs "$" and "$". Such a subexpression shall match whatever it
would have matched without the "$" and "$", except that anchoring within
subexpressions is optional behavior; see BRE Expression Anchoring.
Subexpressions can be arbitrarily nested.
3. The back-reference expression '\n' shall match the same (possibly empty)
string of characters as was matched by a subexpression enclosed
between "$" and "$" preceding the '\n'. The character 'n' shall be a digit
from 1 through 9, specifying the nth subexpression (the one that begins with
the nth "$" from the beginning of the pattern and ends with the corresponding
paired "$" ). The expression is invalid if less than n subexpressions precede
the '\n'. For example, the expression "$.*$\1$" matches a line consisting
of two adjacent appearances of the same string, and the
expression "$a$*\1" fails to match 'a'. When the referenced subexpression
matched more than one string, the back-referenced expression shall refer to
the last matched string. If the subexpression referenced by the back-reference
matches more than one string because of an asterisk ( '*' ) or an interval
expression (see item (5)), the back-reference shall match the last (rightmost)
of these strings.
4. When a BRE matching a single character, a subexpression, or a back-reference
is followed by the special character asterisk ( '*' ), together with that asterisk
it shall match what zero or more consecutive occurrences of the BRE would
match. For example, "[ab]*" and "[ab][ab]" are equivalent when matching
the string "ab".
5. When a BRE matching a single character, a subexpression, or a back-reference
is followed by an interval expression of the format "\{m\}", "\{m,\}",
or "\{m,n\}", together with that interval expression it shall match what
repeated consecutive occurrences of the BRE would match. The values
of m and n are decimal integers in the range 0 <= m<= n<= {RE_DUP_MAX},
where m specifies the exact or minimum number of occurrences and nspecifies
the maximum number of occurrences. The expression "\{m\}" shall match
exactly m occurrences of the preceding BRE, "\{m,\}" shall match at
least m occurrences, and "\{m,n\}" shall match any number of occurrences
between m and n, inclusive.
For example, in the string "abababccccccd" the BRE "c\{3\}" is matched by

characters seven to nine, the BRE "$ab$\{4,\}" is not matched at all, and
the BRE "c\{1,3\}d" is matched by characters ten to thirteen.
The behavior of multiple adjacent duplication symbols ( '*' and intervals) produces
undefined results.
A subexpression repeated by an asterisk ( '*' ) or an interval expression shall not

match a null expression unless this is the only match for the repetition or it is
necessary to satisfy the exact or minimum number of occurrences for the interval
expression.
9.3.7 BRE Precedence
The order of precedence shall be as shown in the following table:
BRE Precedence (from high to low)

Collation-related bracket symbols [==] [::] [..]
Escaped characters \<special character>
Bracket expression []
Subexpressions/back-references  \n
Single-character-BRE duplication * \{m,n\}
Concatenation
Anchoring ^$
9.3.8 BRE Expression Anchoring
A BRE can be limited to matching strings that begin or end a line; this is called
"anchoring". The circumflex and dollar sign special characters shall be considered BRE
anchors in the following contexts:
1. A circumflex ( '^' ) shall be an anchor when used as the first character of an

entire BRE. The implementation may treat the circumflex as an anchor when
used as the first character of a subexpression. The circumflex shall anchor the
expression (or optionally subexpression) to the beginning of a string; only
sequences starting at the first character of a string shall be matched by the
BRE. For example, the BRE "âb" matches "ab" in the string "abcdef", but
fails to match in the string "cdefab". The BRE "$âb$" may match the
former string. A portable BRE shall escape a leading circumflex in a
subexpression to match a literal circumflex.
2. A dollar sign ( '$' ) shall be an anchor when used as the last character of an
entire BRE. The implementation may treat a dollar sign as an anchor when used
as the last character of a subexpression. The dollar sign shall anchor the
expression (or optionally subexpression) to the end of the string being
matched; the dollar sign can be said to match the end-of-string following the
last character.
3. A BRE anchored by both '^' and '$' shall match only an entire string. For
example, the BRE "âbcdef$" matches strings consisting only of "abcdef".
9.4 Extended Regular Expressions

The extended regular expression (ERE) notation and construction rules shall apply to
utilities defined as using extended regular expressions; any exceptions to the following
rules are noted in the descriptions of the specific utilities using EREs.
9.4.1 EREs Matching a Single Character or Collating Element
An ERE ordinary character, a special character preceded by a backslash, or a period

shall match a single character. A bracket expression shall match a single character or a
single collating element. An ERE matching a single character enclosed in parentheses
shall match the same as the ERE without parentheses would have matched.
9.4.2 ERE Ordinary Characters
An ordinary character is an ERE that matches itself. An ordinary character is any

character in the supported character set, except for the ERE special characters listed
in ERE Special Characters. The interpretation of an ordinary character preceded by a
backslash ( '\' ) is undefined.
9.4.3 ERE Special Characters
An ERE special character has special properties in certain contexts. Outside those
contexts, or when preceded by a backslash, such a character shall be an ERE that
matches the special character itself. The extended regular expression special
characters and the contexts in which they shall have their special meaning are as
follows:
.[\(
The period, left-bracket, backslash, and left-parenthesis shall be special except

when used in a bracket expression (see RE Bracket Expression). Outside a
bracket expression, a left-parenthesis immediately followed by a right-
parenthesis produces undefined results.
)
The right-parenthesis shall be special when matched with a preceding left-

parenthesis, both outside a bracket expression.
*+?{
The asterisk, plus-sign, question-mark, and left-brace shall be special except

when used in a bracket expression (see RE Bracket Expression). Any of the
following uses produce undefined results:
 If these characters appear first in an ERE, or immediately following a

vertical-line, circumflex, or left-parenthesis
 If a left-brace is not part of a valid interval expression (see EREs
Matching Multiple Characters )
The vertical-line is special except when used in a bracket expression (see RE

Bracket Expression). A vertical-line appearing first or last in an ERE, or
immediately following a vertical-line or a left-parenthesis, or immediately
preceding a right-parenthesis, produces undefined results.
^
The circumflex shall be special when used as:
 An anchor (see ERE Expression Anchoring)

 The first character of a bracket expression (see RE Bracket Expression)
The dollar sign shall be special when used as an anchor.
9.4.4 Periods in EREs
A period ( '.' ), when used outside a bracket expression, is an ERE that shall match
any character in the supported character set except NUL.
9.4.5 ERE Bracket Expression
The rules for ERE Bracket Expressions are the same as for Basic Regular Expressions;
see RE Bracket Expression.
9.4.6 EREs Matching Multiple Characters
The following rules shall be used to construct EREs matching multiple characters from
EREs matching a single character:
1. A concatenation of EREs shall match the concatenation of the character

sequences matched by each component of the ERE. A concatenation of EREs
enclosed in parentheses shall match whatever the concatenation without the
parentheses matches. For example, both the ERE "cd" and the ERE "(cd)" are
matched by the third and fourth character of the string "abcdefabcdef".
2. When an ERE matching a single character or an ERE enclosed in parentheses is
followed by the special character plus-sign ( '+' ), together with that plus-sign
it shall match what one or more consecutive occurrences of the ERE would
match. For example, the ERE "b+(bc)" matches the fourth to seventh
characters in the string "acabbbcde". And, "[ab]+" and "[ab][ab]*" are
equivalent.
followed by the special character asterisk ( '*' ), together with that asterisk it
shall match what zero or more consecutive occurrences of the ERE would
match. For example, the ERE "b*c" matches the first character in the
string "cabbbcde", and the ERE "b*cd" matches the third to seventh characters
in the string "cabbbcdebbbbbbcdbc". And, "[ab]*" and "[ab][ab]" are
equivalent when matching the string "ab".
followed by the special character question-mark ( '?' ), together with that
question-mark it shall match what zero or one consecutive occurrences of the
ERE would match. For example, the ERE "b?c" matches the second character in
the string "acabbbcde".
followed by an interval expression of the format "{m}", "{m,}", or "{m,n}",
together with that interval expression it shall match what repeated consecutive
occurrences of the ERE would match. The values of m and n are decimal
integers in the range 0 <= m<= n<= {RE_DUP_MAX}, where m specifies the
exact or minimum number of occurrences and n specifies the maximum number
of occurrences. The expression "{m}" matches exactly m occurrences of the
preceding ERE, "{m,}" matches at least m occurrences, and "{m,n}" matches
any number of occurrences between m and n, inclusive.
For example, in the string "abababccccccd" the ERE "c{3}" is matched by

characters seven to nine and the ERE "(ab){2,}" is matched by characters one
to six.
The behavior of multiple adjacent duplication symbols ( '+', '*', '?', and intervals)
produces undefined results.
An ERE matching a single character repeated by an '*', '?', or an interval expression

shall not match a null expression unless this is the only match for the repetition or it is
necessary to satisfy the exact or minimum number of occurrences for the interval
expression.
9.4.7 ERE Alternation
Two EREs separated by the special character vertical-line ( '|' ) shall match a string
that is matched by either. For example, the ERE "a((bc)|d)" matches the
string "abc" and the string "ad". Single characters, or expressions matching single
characters, separated by the vertical bar and enclosed in parentheses, shall be treated
as an ERE matching a single character.
9.4.8 ERE Precedence
The order of precedence shall be as shown in the following table:
ERE Precedence (from high to low)

Collation-related bracket symbols [==] [::] [..]
Escaped characters \<special character>
Bracket expression []
Grouping ()
Single-character-ERE duplication * + ? {m,n}
Concatenation
Anchoring ^$
Alternation |
For example, the ERE "abba|cde" matches either the string "abba" or the
string "cde" (rather than the string "abbade" or "abbcde", because concatenation has
a higher order of precedence than alternation).
9.4.9 ERE Expression Anchoring
An ERE can be limited to matching strings that begin or end a line; this is called
"anchoring". The circumflex and dollar sign special characters shall be considered ERE
anchors when used anywhere outside a bracket expression. This shall have the
following effects:
1. A circumflex ( '^' ) outside a bracket expression shall anchor the expression or

subexpression it begins to the beginning of a string; such an expression or
subexpression can match only a sequence starting at the first character of a
string. For example, the EREs "âb" and "(âb)" match "ab" in the
string "abcdef", but fail to match in the string "cdefab", and the ERE "a^b" is
valid, but can never match because the 'a' prevents the expression "^b"from
matching starting at the first character.
2. A dollar sign ( '$' ) outside a bracket expression shall anchor the expression or
subexpression it ends to the end of a string; such an expression or
subexpression can match only a sequence ending at the last character of a
string. For example, the EREs "ef$" and "(ef$)" match "ef" in the
string "abcdef", but fail to match in the string "cdefab", and the ERE "e$f" is
valid, but can never match because the 'f' prevents the expression "e$" from
matching ending at the last character.
9.5 Regular Expression Grammar

Grammars describing the syntax of both basic and extended regular expressions are
presented in this section. The grammar takes precedence over the text. See the Shell
and Utilities volume of IEEE Std 1003.1-2001, Section 1.10, Grammar Conventions.
9.5.1 BRE/ERE Grammar Lexical Conventions
The lexical conventions for regular expressions are as described in this section.
Except as noted, the longest possible token or delimiter beginning at a given point is
recognized.
The following tokens are processed (in addition to those string constants shown in the
grammar):
COLL_ELEM_SINGLE
Any single-character collating element, unless it is a META_CHAR.
COLL_ELEM_MULTI
Any multi-character collating element.
BACKREF
Applicable only to basic regular expressions. The character string consisting

of '\' followed by a single-digit numeral, '1' to '9'.
DUP_COUNT
Represents a numeric constant. It shall be an integer in the range 0
<= DUP_COUNT <= {RE_DUP_MAX}. This token is only recognized when the
context of the grammar requires it. At all other times, digits not preceded
by '\' are treated as ORD_CHAR.
META_CHAR
One of the characters:

^
When found first in a bracket expression

-
When found anywhere but first (after an initial '^', if any) or last in a bracket
expression, or as the ending range point in a range expression
]
When found anywhere but first (after an initial '^', if any) in a bracket
expression
L_ANCHOR
Applicable only to basic regular expressions. The character '^' when it appears
as the first character of a basic regular expression and when
not QUOTED_CHAR. The '^' may be recognized as an anchor elsewhere;
see BRE Expression Anchoring.
ORD_CHAR
A character, other than one of the special characters in SPEC_CHAR.
QUOTED_CHAR
In a BRE, one of the character sequences:

\^ \. \* \[ \$ \\
In an ERE, one of the character sequences:
\^ \. \[ \$  \|
\* \+ \? \{ \\
R_ANCHOR
(Applicable only to basic regular expressions.) The character '$' when it

appears as the last character of a basic regular expression and when
not QUOTED_CHAR. The '$' may be recognized as an anchor elsewhere;
see BRE Expression Anchoring.
SPEC_CHAR
For basic regular expressions, one of the following special characters:

.
Anywhere outside bracket expressions

\

[

^
When used as an anchor (see BRE Expression Anchoring) or when first in a

bracket expression
$
When used as an anchor

*
Anywhere except first in an entire RE, anywhere in a bracket expression,

directly following "$", directly following an anchoring '^'
For extended regular expressions, shall be one of the following special

characters found anywhere outside bracket expressions:
^ . [ $ ( ) |
* + ? { \
(The close-parenthesis shall be considered special in this context only if

matched with a preceding open-parenthesis.)
9.5.2 RE and Bracket Expression Grammar
This section presents the grammar for basic regular expressions, including the bracket
expression grammar that is common to both BREs and EREs.
%token ORD_CHAR QUOTED_CHAR DUP_COUNT
%token BACKREF L_ANCHOR R_ANCHOR
%token Back_open_paren Back_close_paren

/* '\(' '$' */
%token Back_open_brace Back_close_brace

/* '\{' '\}' */
/* The following tokens are for the Bracket Expression

grammar common to both REs and EREs. */
%token COLL_ELEM_SINGLE COLL_ELEM_MULTI META_CHAR
%token Open_equal Equal_close Open_dot Dot_close Open_colon

Colon_close
/* '[=' '=]' '[.' '.]' '[:' ':]'
*/
%token class_name
/* class_name is a keyword to the LC_CTYPE locale category */
/* (representing a character class) in the current locale */
/* and is only recognized between [: and :] */
%start basic_reg_exp
%%
/* --------------------------------------------
Basic Regular Expression
--------------------------------------------
*/
basic_reg_exp : RE_expression
| L_ANCHOR
| R_ANCHOR
| L_ANCHOR R_ANCHOR
| L_ANCHOR RE_expression
| RE_expression R_ANCHOR
| L_ANCHOR RE_expression R_ANCHOR
;
RE_expression : simple_RE
| RE_expression simple_RE
;
simple_RE : nondupl_RE
| nondupl_RE RE_dupl_symbol
;
nondupl_RE : one_char_or_coll_elem_RE
| Back_open_paren RE_expression Back_close_paren
| BACKREF
;
one_char_or_coll_elem_RE : ORD_CHAR
| QUOTED_CHAR
| '.'
| bracket_expression
;
RE_dupl_symbol : '*'
| Back_open_brace DUP_COUNT Back_close_brace
| Back_open_brace DUP_COUNT ',' Back_close_brace
| Back_open_brace DUP_COUNT ',' DUP_COUNT Back_close_brace
;
/* --------------------------------------------
Bracket Expression
-------------------------------------------
*/
bracket_expression : '[' matching_list ']'
| '[' nonmatching_list ']'
;
matching_list : bracket_list
;
nonmatching_list : '^' bracket_list
;
bracket_list : follow_list
| follow_list '-'
;
follow_list : expression_term
| follow_list expression_term
;
expression_term : single_expression
| range_expression
;
single_expression : end_range
| character_class
| equivalence_class
;
range_expression : start_range end_range
| start_range '-'
;
start_range : end_range '-'
;
end_range : COLL_ELEM_SINGLE
| collating_symbol
;
collating_symbol : Open_dot COLL_ELEM_SINGLE Dot_close
| Open_dot COLL_ELEM_MULTI Dot_close
| Open_dot META_CHAR Dot_close
;
equivalence_class : Open_equal COLL_ELEM_SINGLE Equal_close
| Open_equal COLL_ELEM_MULTI Equal_close
;
character_class : Open_colon class_name Colon_close
;
The BRE grammar does not

permit L_ANCHOR or R_ANCHOR inside "$" and "$" (which implies
that '^' and '$' are ordinary characters). This reflects the semantic limits on the
application, as noted in BRE Expression Anchoring. Implementations are permitted to
extend the language to interpret '^' and '$' as anchors in these locations, and as
such, conforming applications cannot use unescaped '^' and '$' in positions
inside "$" and "$" that might be interpreted as anchors.
9.5.3 ERE Grammar
This section presents the grammar for extended regular expressions, excluding the
bracket expression grammar.
Note:
The bracket expression grammar and the associated %token lines are identical
between BREs and EREs. It has been omitted from the ERE section to avoid
unnecessary editorial duplication.
%token ORD_CHAR QUOTED_CHAR DUP_COUNT
%start extended_reg_exp
%%
/* --------------------------------------------
Extended Regular Expression
--------------------------------------------
*/
extended_reg_exp : ERE_branch
| extended_reg_exp '|' ERE_branch
;
ERE_branch : ERE_expression
| ERE_branch ERE_expression
;
ERE_expression : one_char_or_coll_elem_ERE
| '^'
| '$'
| '(' extended_reg_exp ')'
| ERE_expression ERE_dupl_symbol
;
one_char_or_coll_elem_ERE : ORD_CHAR
| QUOTED_CHAR
| '.'
| bracket_expression
;
ERE_dupl_symbol : '*'
| '+'
| '?'
| '{' DUP_COUNT '}'
| '{' DUP_COUNT ',' '}'
| '{' DUP_COUNT ',' DUP_COUNT '}'
;
The ERE grammar does not permit several constructs that previous sections specify as
having undefined results:
 ORD_CHAR preceded by '\'

 One or more ERE_dupl_symbols appearing first in an ERE, or immediately
following '|', '^', or '('
 '{' not part of a valid ERE_dupl_symbol
 '|' appearing first or last in an ERE, or immediately following '|' or '(', or
immediately preceding ')'
Implementations are permitted to extend the language to allow these. Conforming

applications cannot use such constructs.
TextPad
From Wikipedia, the free encyclopedia
TextPad
Developer(s) Helios Software Solutions
Initial release 1992; 26 years ago
Stable release 7.6.4,
8.1.2[1] / March 7, 2017
Operating system Microsoft Windows
Size ~6.0 MB
Type Text editor
License Proprietary
Website textpad.com
TextPad is a text editor for the Microsoft Windows family of operating systems. It is produced
by Helios Software Solutions. It is currently in its eighth major version.[2]
TextPad was initially released in 1992[3] as shareware, with users requested to pay a
registration fee to support future development.[4] As of 1996 the company was an associate
member of the Association of Shareware Professionals.[5] By 1998 the company was pointing
out that the editor was " shareware (try before you buy)" and payment was necessary to use
it.[6]
Contents
 1Features
o 1.1Clip Library
 2Reception
 3See also
 4References
 5External links
Features[edit]
Key features include:[7]
 The ability to maintain block indents

 Automatic code indentation (see indent style)
 Regular expression based search and replace, including multiline regex
 Macro recording feature to facilitate complex text transformations and data processing.[8]
 Macro feature supports multiple regex searches (and replacements) within a macro
 Syntax highlighting (extendable to many different languages)[9]
 Ability to call external programs (such as compilers)
 Regex matching can be used to jump to a line number in a file given in the output from
external programs (e.g. to locate the cause of a compiler error)
 Automatic integration with Java JDK, if JDK is already on the machine
 Large file support[8]
 Support for editing multiple files, with tabbed document selection[8]
 Block select mode
 Synchronized scrolling of multiple files
 Clip libraries – snippet management for reusable portions of text to insert into documents
 Clipboard history – Allowing TextPad to function as a multiple clipboard tool
 Bookmarking of lines, therefore allowing users to copy specific lines (e.g. log file error
messages), and then paste them to another document.
 Multi-lingual support: User interface is available in seven languages with spelling
dictionaries available in ten languages.
Clip Library[edit]
The Clip Library is a TextPad sidebar that allows users to store small items persistently, and
then use them easily. This is done by double clicking clip names in the Clip Library sidebar. In
other editors such as Komodo, a clip library is known as "snippets".
TextPad comes with a number of pre-defined clip libraries, including ANSI characters, HTML
characters and HTML tags. A very useful clip library is the Clipboard History. This is a list of
previous Clipboard contents. So even though the standard Windows Clipboard can only hold
one piece of information, the TextPad Clipboard History Clip Library can access a whole
history of entries. See also clipboard managers.
You can create your own new clip libraries, and there are many clip libraries available.[10]
Reception[edit]
TextPad has received generally favorable professional reviews. Mike Williams of PC Advisor
calls it "an excellent Notepad replacement with a stack of essential features."[11] Download.com
described it as an affordable editor suited for coding, "neither the most powerful nor most
expensive shareware text tool, though many users will find it more than meets their needs at a
fraction of the cost of similar tools.
Comparison of text editors
This article provides basic comparisons for common text editors. More feature details for text
editors are available from the Category of text editor features and from the individual products'
articles. This article may not be up-to-date or necessarily all-inclusive.
Feature comparisons are made between stable versions of software, not the upcoming
versions or beta releases – and are exclusive of any add-ons, extensions or external programs
(unless specified in footnotes).
Contents
 1Overview
 2Operating system support
o 2.1Cross-platform
 3Natural language (localization)
 4Document interface
o 4.1Notes
 5Basic features
 6Programming features
o 6.1Notes
 7Extra features
 8Key bindings
o 8.1Notes, bugs
 9Protocol support
 10Unicode and other character encodings
 11Right-to-left and bidirectional text
 12Newline support
 13See also
 14Notes and references
Overview[edit]
List of text editors
Fi L
O Mi
rs at
La p ni
t es
tes e C m
p t
t Cos Soft n LI u
u R
Na Crea sta Programming t ware s av m
bl el
me tor ble language (US licen o ail ins
ic ea
ve $) se u ab tal
re se
rsi r le led
le D
on c siz
as at
e e
e e
Plan
LPL (O
Rob 9 and
Acme 1993 C Free SI appro Yes
Pike Infern
ved)
o
Alexey
Kuznets
ov, 2016
AkelP
Alexand 2003 4.9.8 -07- C Free BSD Yes
ad
er 18
Shengal
ts
Propriet
ary,
2004
Alpha Vince with
1999 8.3.3 -12- $40 No
tk Darley BSD
10
compon
ents
2016
Aqua David
2005 3.3 -09- C, Emacs Lisp Free GPL Yes
macs Reitter
20
2018
HTML, CSS, JavaScript, ~ 150
Atom GitHub 2014 1.26.1 -04- Free MIT Yes No
C++ MB
26
2018
BBEd Rich Objective-C, Objective- Propriet
1992 12.1.3 -04- $49.99 No
it Siegel C++ ary
11
Fi L
O Mi
rs at
La p ni
t es
tes e C m
p t
t Cos Soft n LI u
u R
bl el
ic ea
ve $) se u ab tal
re se
rsi r le led
le D
on c siz
as at
e e
e e
Bluefish
2017
Bluefi Develop
1999 2.2.10 -01- C Free GPL Yes
sh ment
27
Team
2018
Brack Adobe HTML, CSS, JavaScript,
2012 1.12 -02- Free MIT Yes
ets Systems C++
05
2017
Propriet
Coda Panic 2007 2.6.6 -06- Objective-C $99 No
ary
05
ConTE
2009
ConT XT
1999 0.98.6 -08- Object Pascal (Delphi) Free BSD Yes
EXT Project
14
Ltd
Ingyu
Crims
Kang, E 2008
on
merald 1999 3.72 -05- C++ Free GPL Yes
Edito
Editor T 14
r
eam
UVVie 8 MB
wSoft Mac
(alexey
2018
Cuda _t, MPL 12
2015 1.57.0 -06- Object Pascal (Lazarus) Free Yes
Text kvichan 2.0 MB
25
s, Win
matthias
030) 5 Mb
*nix
Fi L
O Mi
rs at
La p ni
t es
tes e C m
p t
t Cos Soft n LI u
u R
bl el
ic ea
ve $) se u ab tal
re se
rsi r le led
le D
on c siz
as at
e e
e e
Propriet
E ary,
Alexand 2010
Text with
er 2005 2.0.2 -11- $46.95 No
Edito BSD
Stigsen 30
r compon
ents
uncha
Ken nged
0.04
ed Thomps 1970 from C Free ? Yes Yes
MB
on origin
al
2018
EditPl Sangil Sharew
1998 5.0 -03- C++ $35 No
us Kim are
26
2013 wxWin
Editr Cody
2007 0.7.20 -01- Python Free dows Yes
a Precord
05 license
2017
EmEd Emuras $39.99 Sharew
1997 17.3.2 -09- C++ No
itor oft, Inc. 1-user are
20
Lugaru 2016
epsilo Propriet
Softwar 1984 13.06 -12- C $250 No
n ary
e 06
3.28.2
(Win
2018
GNU Pr 3.20.1
gedit 2000 -05- C Free GPL Yes
oject , Mac
09
3.2.6[1
]
)
2018
Gean Enrico
2005 1.33 -02- C, GTK2 Free GPL Yes
y Tröger
25
GNU Richard 2017
11.6
Emac Stallma 1984 25.3 -09- C, Emacs Lisp Free GPL Yes Yes
MB
s n 11
2009
John E. 0.99- 3.5
JED 1992 -12- C, S-Lang Free GPL Yes Yes
Davis 19 MB[2]
13
Fi L
O Mi
rs at
La p ni
t es
tes e C m
p t
t Cos Soft n LI u
u R
bl el
ic ea
ve $) se u ab tal
re se
rsi r le led
le D
on c siz
as at
e e
e e
2017
Slava
jEdit 1998 5.4.0 -03- Java Free GPL Yes
Pestov
18
2018
Joseph 1.3
JOE 1988 4.6 -01- C Free GPL Yes Yes
Allen MB
10
Johnath 1996
JOVE on 1983 4.16 -03- C Free GPL Yes
Payne 19
2018
KDE Pr 2000 17.12.
Kate -03- C++ Free GPL Yes
oject -12 3
08
Mansfie
ld
2016
KEDI Softwar Propriet 1.1M
1983 1.6.1 -12- C $129 No Yes
T e ary B
05
Group,
Inc.
open
Komo - 2017 Python, MPL,
Activest
do sour 10.2.3 -07- JavaScript, Perl, Tcl, PHP, Free GPL, L Yes
ate
Edit ced 11 Ruby GPL
2007
Komo 2017
Activest Python, JavaScript, Perl, Propriet
do 2001 11.0.2 -12- $295 No
ate Tcl, PHP, Ruby ary
IDE 19
2017
KWri KDE Pr 17.12.
2000 -03- C++ Free GPL Yes
te oject 3
08
Alexand
2016
er V.
LE 1997 1.16.3 -06- C++ Free GPL Yes
Lukyan
06
ov
Edward 2018
Leo K. 1996 5.7.2 -05- Python Free MIT Yes
Ream 07
2016
Light Chris
2012 0.8.1 -01- ClojureScript Free MIT Yes
Table Granger
21
Fi L
O Mi
rs at
La p ni
t es
tes e C m
p t
t Cos Soft n LI u
u R
bl el
ic ea
ve $) se u ab tal
re se
rsi r le led
le D
on c siz
as at
e e
e e
Alexand
2011
Meta er
1999 3.6 -05- C Free GPL Yes
pad Davidso
28
n
Dave curre Public
mg 1986 C Free Yes
Conroy nt domain
2015
MinE Thomas 2015.
1992 -03- C Free GPL Yes
d Wolff 25
30
Bundl
ed
with
MS-
MS-
DOS Microso 2.0.02 Propriet
1991 DOS, No No
Edito ft 6 ary
Micros
r
oft
Windo
ws
Chris 2018
0.6
Nano Allegret 1999 2.9.6 -04- C Free GPL Yes Yes
MB
ta 27
Sebastia
no
Vigna, 2017
ne Todd 1993 3.1.1 -06- C Free GPL Yes
Lewis, 04
Daniele
Filaretti
2017
Mark
NEdit 1991 5.7 -02- C Free GPL Yes
Edel
08
Bundl
ed
with
Notep Microso Propriet
1985 6.0 MASM (originally) Micros No
ad ft ary
oft
Windo
ws
Fi L
O Mi
rs at
La p ni
t es
tes e C m
p t
t Cos Soft n LI u
u R
bl el
ic ea
ve $) se u ab tal
re se
rsi r le led
le D
on c siz
as at
e e
e e
2003 2018
Notep
Don Ho -11- 7.5.6 -03- C++ Free GPL Yes
ad++
25 19
2011
Notep Florian 2004
4.2.25 -05- C++ Free BSD Yes
ad2 Balmer -04
06
Eric Free,
Fookes, 2014 $10
NoteT Propriet
Fookes 1995 7.2 -11- Object Pascal (Delphi) Standa No
ab ary
Softwar 04 rd, $20
e Pro
Keith
nvi ? 1.79 C Free BSD Yes
Bostic
Ioannis 2014
Peppe Propriet
Zafeiro 2014 1.4 -12- Objective-C, JavaScript $14.99 No
rmint ary
poulos 07
Univers
ity of
Pico 1992 4.64 C Free AL2 Yes
Washin
gton
PolySof
2010
PolyE t Sharew
1998 5.4 -04- $27.95 No
dit Solution are
07
s
2018
PSPa Jan 5.0.0 Propriet
2002 -04- Object Pascal (Delphi) Free No
d Fiala (277) ary
24
2011
Baara Propriet
Q10 2007 1.2.21 -06- ? Free No
Estudio ary
16
RJ Rickard 2018
Propriet
TextE Johanss 2004 13.10 -05- Object Pascal (Delphi) Free No
ary
d on 07
2017
RText Fifesoft 2003 2.6.3 -04- Java Free BSD Yes
30
Fi L
O Mi
rs at
La p ni
t es
tes e C m
p t
t Cos Soft n LI u
u R
bl el
ic ea
ve $) se u ab tal
re se
rsi r le led
le D
on c siz
as at
e e
e e
early LPL (O
Rob
Sam 1980 stable C Free SI appro Yes
Pike
s ved)
$41.99
for
Neil 2018
macO
SciTE Hodgso 1999 4.0.5 -04- C++ HPND Yes
S. free
n 10
for
others
2016
Slick SlickEd Propriet
1988 21.0.0 -10- C, Slick-C $299 No
Edit it, Inc. ary
14
2017
Smult Peter Propriet
2004 9.2.3 -02- Objective-C $5 No
ron Borg ary
20
Sourc
Source 2017
e 4.0.00 Source Insight macro $239- Propriet
Dynami ? -02- No
Insigh 84 language $255 ary
cs 26
t
$35
SubEt TheCod 2015
comm Propriet
haEdi ingMon 2003 4.1 -02- No
ercial ary
t keys 25
use
Subli 3.1.1 2018
Jon C++, Objective-C++ Propriet 21
me 2008 (build -05- $80 No No
Skinner (macOS version), Python ary MB
Text 3176) 14
TED Juraj 2016
Freewar
Notep Simlovi 2001 6.1.1 -12- C Free No
e
ad c 04
2017
Texta
Mitchell 2007 9.6 -11- C, Lua Free MIT Yes
dept
01
Free
(also
2017
TextE Apple bundle New
2001 1.13 -07- Yes
dit Inc. d BSD
16
with m
acOS)
Fi L
O Mi
rs at
La p ni
t es
tes e C m
p t
t Cos Soft n LI u
u R
bl el
ic ea
ve $) se u ab tal
re se
rsi r le led
le D
on c siz
as at
e e
e e
Propriet
ary,
with
MIT Yes
2004 2012 compon (fro
Text Macro $53
-10- 1.5.11 -07- Objective-C++ ents. m
Mate Mates (€39)
10 13 Version versi
2 on 2)
released
under G
PLv3
Helios
Softwar 2017 $30.00
TextP Sharew
e 1992 8.1.2 -03- (£16.5 No
ad are
Solution 07 0)
s
Bare
Text 2016
Bones Propriet
Wran 2003 5.5.1 -07- Free No
Softwar ary
gler 27
e
The
Sem 2005
Sammy 1985 Propriet
Ware 4.4 -06- C, SAL $99 No
Mitchell -11 ary
Edito 24
r
IDM
Comput 2018
Ultra Propriet
er 1994 25.0 -03- C++ $99.95 No
Edit ary
Solution 12
s
$89
Ted
2015 standa
VEDI Green, Propriet
1980 6.24.2 -01- Assembly, C rd, No
T Greenvi ary
12 $239
ew Data
Pro64
BSD or
vi Bill Joy 1976 3.7 C Free Yes Yes
CDDL
Bram 2018 GPL
8.0.18 2.2
Vim Moolen 1991 -05- C, Vim script Free compati Yes Yes
26 MB
aar 12 ble
Fi L
O Mi
rs at
La p ni
t es
tes e C m
p t
t Cos Soft n LI u
u R
bl el
ic ea
ve $) se u ab tal
re se
rsi r le led
le D
on c siz
as at
e e
e e
Visual JavaScript, C#, C++, JSO

2018 180-
Studi Microso N, HTML, PHP, Python,
2015 1.23 -05- Free MIT Yes 200
o ft Markdown, TypeScript, C
04 MB
Code SS
2009
XEma Lucid 21.4.2
1991 -01- C, Emacs Lisp Free GPL Yes
cs Inc. 2
30
2017
Don
Yi 2005 0.14 -07- Haskell Free GPL Yes
Stewart
25
Operating system support[edit]

This section lists the operating systems that different editors can run on. Some editors run on
additional operating systems that are not listed.
Cross-platform[edit]
Text editor support for various operating systems
Name Windows macOS Linux BSD Unix OpenVMS
Acme Partial[3] Yes Yes Yes Yes No
AkelPad Yes No No No No No
Alphatk Yes Yes Yes Yes Yes Yes
Aquamacs No Yes No No No No
Atom Yes Yes Yes No No No
Arachnophilia Yes Yes Yes Yes Yes No
BBEdit No Yes No No No No
Bluefish Yes Yes Yes Yes Yes Yes
Brackets Yes Yes Yes No No No
Coda No Yes No No No No
ConTEXT Yes No No No No No
Crimson Editor Yes No No No No No
CudaText Yes Yes Yes Yes Yes No
ed Partial[4] Yes Yes Yes Yes Yes
EditPlus Yes No No No No No
Editra Yes Yes Yes ? ? ?
EmEditor Yes No No No No No
epsilon Yes Yes[5] Yes Yes Yes No

Geany Yes Yes Yes Yes Yes Yes
gedit Yes Yes[1] Yes Yes Yes No
GNU Emacs Yes Yes Yes Yes Yes Yes
JED Yes Yes Yes Yes Yes Yes
jEdit Yes Yes Yes Yes Yes No
JOE Yes[dubious – discuss] Yes Yes Yes Yes No
JOVE Yes Yes Yes Yes Yes No
Kate Yes Yes Yes Yes Yes No
KEDIT Yes No No No No No
Komodo Edit Yes Yes Yes Yes ? ?
Komodo IDE Yes Yes Yes Yes ? ?
KWrite Yes Yes Yes Yes Yes No
LE Partial[4] Yes Yes Yes Yes No
Light Table Yes Yes Yes No No No

Metapad Yes No No No No No
mg No Yes Yes Yes Yes ?
MinEd Yes Yes Yes Yes Yes Yes
Nano Yes Yes Yes Yes Yes No
ne Partial[4] Yes Yes Yes Yes No
NEdit Partial[4] Yes[6] Yes Yes Yes Yes
Notepad Yes No No No No No
Notepad++ Yes No No No No No
Notepad2 Yes No No No No No
NoteTab Yes No No No No No
nvi No Yes Yes Yes Yes No
Peppermint No Yes No No No No
Pico Yes Yes Yes Yes Yes Yes
PSPad Yes No No No No No
Q10 Yes No No No No No
RJ TextEd Yes No No No No No
RText Yes Yes Yes Yes Yes No
Sam Partial[3] Yes Yes Yes Yes No
SciTE Yes Yes[6] Yes Yes Yes No
SlickEdit Yes Yes Yes No Yes No
Smultron No Yes No No No No
Source Insight Yes No No No No No
SubEthaEdit No Yes No No No No
Sublime Text Yes Yes Yes No No No
TED Notepad Yes No No No No No
Textadept Yes Yes Yes No No No
TextEdit No Yes No No No No
TextMate No Yes No No No No
TextPad Yes No No No No No
TextWrangler No Yes No No No No
The SemWare Editor Yes No No No No No
UltraEdit Yes Yes Yes No No No
Ulysses (text editor) No Yes No No No No
vi Yes Yes Yes Yes Yes Yes
Vim Yes Yes Yes Yes Yes Yes
Visual Studio Code Yes Yes Yes ? ? ?
XEmacs Yes Yes Yes Yes Yes Yes
Yi Partial Yes Yes Yes Yes No
Natural language (localization)[edit]

Available languages for the UI
Text Editor Languages supported
Acme English
AkelPad English, German, French, Polish, Korean, Japanese, Italian, Dutch, Portuguese, Spanish
Alphatk English
Aquamacs English
Atom English
BBEdit English
English, German, French, Polish(Outdated), Korean, Japanese, Italian, Czech, Dutch, Portuguese,
Brackets
Spanish, Swedish(Outdated)
Coda English, German, French, Spanish
ConTEXT English, German, French, Polish, Italian, Dutch, Portuguese, Spanish
Crimson Editor English
Main: English. Addons: Japanese, French, Polish, Korean, Hungarian (2018), Greek, German
CudaText
(2017), and 9 others
E Text Editor English
ed
EditPlus English, Korean

Editra English, German, French, Polish, Japanese, Italian, Dutch, Portuguese, Spanish, Swedish
EmEditor English, German, French, Korean, Japanese, Italian, Dutch, Spanish
epsilon English
Geany English, German, French, Polish, Japanese, Italian, Dutch, Portuguese, Spanish, Swedish, Hindi
English, German, French, Polish, Korean, Japanese, Italian, Dutch, Portuguese, Spanish, Swedish,
gedit
Hindi
GNU Emacs English
JED English
jEdit English
JOE[7] English, German, French
JOVE English
Kate[8] English, German, French, Polish, Japanese, Italian, Dutch, Portuguese, Spanish, Swedish
KEDIT English
Komodo Edit English
KWrite English, German, Italian, Spanish, Swedish

Metapad[9] English, German, French, Polish, Korean, Japanese, Italian, Dutch, Portuguese, Spanish, Swedish
mined English
MS-DOS Editor English, German, French, Polish, Korean, Japanese, Italian, Dutch, Portuguese, Spanish, Swedish
Nano English, German, French, Italian, Portuguese
NEdit English
Notepad
Hindi
Notepad++
Hindi
Notepad2 English, German, French, Polish, Spanish, Swedish
NoteTab English
nvi English
Peppermint English
Pico English, Italian
PolyEdit English
PSPad English, German, French, Polish, Japanese, Italian, Czech, Dutch, Portuguese, Spanish, Swedish
Q10 English, German, Italian, Dutch, Portuguese, Spanish
RJ TextEd English, German, French, Polish, Japanese, Italian, Dutch, Portuguese, Spanish, Swedish
RText English, German, French, Polish, Korean, Japanese, Italian, Dutch, Portuguese, Spanish, Swedish
Sam English
English, German, French (Outdated (1.72)), Polish, Japanese (Outdated (1.62)), Italian, Dutch
SciTE[10]
(Outdated (1.67)), Portuguese (Outdated (1.63)), Spanish, Swedish
SlickEdit English
Smultron English, German, French, Japanese, Italian, Dutch, Spanish, Swedish
Source Insight English
SubEthaEdit English
SublimeText English
TED Notepad English
TextEdit English, German, French, Polish, Japanese, Italian, Dutch, Portuguese, Spanish, Swedish
TextMate English
English, German, French, Polish (Outdated (4.7.3)), Japanese, Italian(Outdated (4.7.3)), Dutch
TextPad
(Outdated (4.7.3)), Spanish (Outdated (4.7.3)), Portuguese (Outdated (4.7.3))
TextWrangler English
The SemWare
English
Editor
UltraEdit English, German, French, Korean, Italian, Spanish
VEDIT English
vi English
Vim Afrikaans, Catalan, Czech, Esperanto, Finnish, Irish, Norwegian, Dutch, Russian, Slovak,
Ukrainian, Vietnamese, Chinese
Visual Studio
English, German, French, Korean, Japanese, Italian, Russian, Spanish, Chinese
Code
XEmacs English
Yi English
Document interface[edit]
Text editor support for common document interfaces
Single
MDI: MDI: tabbed MDI:
Multiple document
overlappable document window
instances window
windows interface splitting
splitting
Acme Yes Yes No No Yes
AkelPad Yes Yes Yes Yes Yes
Alphatk Yes Yes Yes Yes Yes
Atom Yes Yes Yes Yes Yes
Aquamacs Yes Yes Yes Yes Yes
BBEdit Yes Yes Yes Yes Yes
Bluefish Yes Yes Yes Yes No
Brackets No No No Yes Yes
Coda Yes Yes Yes Yes Yes
ConTEXT Yes No Yes Yes No
Crimson
Yes Yes Yes Yes Yes
Editor
CudaText Yes Yes No Yes Yes
E Text Editor Yes No No Yes Yes
ed Yes No No No No
EditPlus Yes Yes Yes Yes Yes
Editra Yes Yes ? Yes ?
EmEditor Yes Yes Yes Yes Yes
Geany Yes Plug-in No Yes No
gedit Yes Plug-in[11] Yes Yes Plug-in[12]

Single
Multiple document
instances window
splitting
GNU Emacs Yes Yes Yes Plug-in[13][14] Yes
JED Yes Yes No No Yes
jEdit Yes Yes No Yes Yes
JOE Yes Yes No No[15] Yes
JOVE Yes Yes No No Yes
Kate Yes Yes Yes Yes Yes
KEDIT Yes Yes Yes No Yes
Komodo Edit Yes Yes No Yes Yes
Komodo IDE Yes Yes No Yes Yes
KWrite Yes No No No No
LE Yes No No No No
Light Table Yes No No Yes Yes
Metapad Yes No No No No
mined Yes No No[16] Yes No
MS-DOS
Yes Yes No No Yes
Editor
Nano Yes No No No No
NEdit Yes Yes No Yes Yes
Notepad Yes No No No No
Notepad++ Yes Yes No Yes 2 windows

Single
Multiple document
instances window
splitting
Notepad2 Yes No No No No
NoteTab Yes ? No Yes 2 windows
nvi Yes Yes No No No
Peppermint Yes Yes No Yes Yes
Pico Yes No No No No
PolyEdit No No Yes Yes Yes
PSPad Yes Yes Yes Yes Yes
Q10 No No No No No
RJ TextEd Yes Yes Yes Yes Yes
RText Yes No Yes Yes No
Sam Yes No Yes No No
SciTE Yes No No Yes[17] No
SlickEdit Yes Yes Yes Yes Yes
Smultron Yes Yes No Yes Yes
Source Insight Yes Yes Yes No No
SubEthaEdit Yes Yes No Yes No
Sublime Text Yes Yes No Yes Yes
TED Notepad ? ? ? No ?
TextEdit Yes No No No No
TextMate Yes No No Yes No

Single
Multiple document
instances window
splitting
TextPad Yes Yes Yes Yes Yes
TextWrangler Yes Yes Yes Yes Yes
The SemWare
Yes Yes No No Yes
Editor
UltraEdit Yes Yes Yes Yes Yes
VEDIT Yes Yes Yes Yes Yes
vi Yes No No No No
Vim Yes Yes Yes[18] Yes[19] Yes
Visual Studio
Yes Yes No Yes Yes
Code
XEmacs Yes Yes Yes Yes Yes
Yi Yes Yes Yes Yes Yes
MDI: MDI:
Multiple Single document MDI: tabbed
overlappable window
instances window splitting document interface
windows splitting
Notes[edit]
 Multiple instances: multiple instances of the program can be opened simultaneously for
editing multiple files. Applies both for single document interface (SDI) and multiple
document interface (MDI) programs. Also applies for program that has a user interface that
looks like multiple instances of the same program (such as some versions of Microsoft
Word).
 Single document window splitting: window can be split to simultaneously view different
areas of a file.
 MDI: Overlappable windows: each opened document gets its own fully movable window
inside the editor environment.
 MDI: Tabbed document interface: multiple documents can be viewed as tabs in a single
window.
 MDI: Window splitting: splitting application window to show multiple documents (non-
overlapping windows).
Basic features[edit]
Text editor support for basic editing features
Regex
-
Spell based Multiple Rectangul
Encoding convers Newline convers
checki find undo/re ar block
ion ion
ng & do selection
repla
ce
Acme external[20] Yes Yes Yes Yes No
AkelPad Plug-in Yes Yes Yes Yes Yes
Alphatk Yes Yes Yes Yes Yes Yes
Atom Yes Yes Yes Yes Yes Plug-in
Aquamacs Yes Yes Yes Yes Yes Yes
BBEdit Yes Yes Yes Yes Yes Yes
Bluefish Yes Yes Yes Yes Yes No
Brackets Plug-in Yes Plug-in No Yes Yes
Coda Yes Yes Yes Yes Yes Yes
ConTEXT No Partial[21] Partial[22] Yes Yes Yes
Instant/liv
Crimson
e (like Yes Yes Yes Yes Yes
Editor
Firefox)
Regex
-
ion ion
ng & do selection
repla
ce
CudaText No Yes Yes Yes Yes Yes
E Text
Plug-in[23] Yes Yes Yes Yes Yes
Editor
ed No Yes No No No No
EditPlus Yes Yes Yes Yes Yes Yes
Editra Yes Yes ? ? ? Yes
EmEditor Yes Yes Yes Yes Yes Yes
Geany Plug-in[24] Yes Yes Yes Yes Yes
gedit Yes[25] Plug-in[26] Yes Yes Yes Plug-in[27]
GNU Emacs Plug-in[28] Yes Yes Yes Yes Yes
JED Yes Yes Yes Yes Yes Yes
jEdit Plug-in[29] Yes Yes Yes Yes Yes
JOE Plug-in[30] Partial[31] No[32] Yes Yes Yes

Regex
-
ion ion
ng & do selection
repla
ce
JOVE Yes Yes No No Yes Yes
Kate Yes Yes Yes Yes Yes Yes
KEDIT No Yes No Yes Yes Yes
Komodo
Yes Yes Yes Yes Yes Yes
Edit
Komodo
IDE
KWrite Yes Yes Yes Yes Yes Yes
LE No Yes No[33] Yes Yes Yes
Light Table Plug-in[34] ? No No Yes ?
Metapad Partial[35] No Yes Yes Yes No
mg No Yes[36] No Partial Yes[36] No
MinEd No Yes[37] Yes[38] Yes[39] No Yes

Regex
-
ion ion
ng & do selection
repla
ce
MS-DOS
No No No Yes No No
Editor
Nano Yes Yes No Yes Yes No
Regex-
Rectangular
Spell based Encoding Multiple
Newline conversion block
checking find & conversion undo/redo
selection
replace
ne No Yes No No Yes Yes
NEdit Plug-in[40] Yes No Yes Yes Yes
Notepad No No No No No No
Notepad++ Yes[41] Yes Yes Yes Yes Yes
Notepad2 No Limited[42 Yes Yes Yes Yes

]
NoteTab Yes Yes Yes Yes Yes Yes
nvi No Yes No No Yes ?
Peppermint Yes Yes Yes Yes Yes Yes

Regex
-
ion ion
ng & do selection
repla
ce
Pico Yes No No No No No
PolyEdit Yes Yes Yes Yes Yes Yes
PSPad Yes Yes Yes Yes Yes Yes
Q10 Yes ? ? ? ? ?
RJ TextEd Yes Yes Yes Yes Yes Yes
RText Yes Yes Yes Yes Yes No
Sam No Yes No No Yes No
SciTE No Limited[42 No Yes Yes Yes

]
SlickEdit Yes Yes Yes Yes Yes Yes
Smultron Yes Yes Yes Yes Yes Yes
Source
No Yes No Yes Yes Yes
Insight
SubEthaEdi
Yes Yes Yes Yes Yes Yes[43]
t
Regex
-
ion ion
ng & do selection
repla
ce
Sublime
Text
TED
No No No Yes Yes No
Notepad
TextEdit Yes No Yes Yes Yes Yes
TextMate Yes Yes Partial Yes Yes Yes
TextPad Yes Yes Yes Yes Yes Yes
TextWrangl
er
The
SemWare Yes Yes No Yes Yes Yes
Editor
UltraEdit Yes Limited[44 Yes Yes Yes Yes

]
VEDIT Yes[45] Yes Yes Yes Yes Yes
vi No Yes No No No No
Vim Yes[46] Yes Yes Yes Yes Yes

Regex
-
ion ion
ng & do selection
repla
ce
Visual
Plug-in Yes Yes Yes Yes Yes
Studio Code
XEmacs Plug-in[28] Yes Yes Yes Yes Yes
Yi ? Yes ? ? Yes Yes
Regex-
Rectangular
Spell based Encoding Multiple
Newline conversion block
checking find & conversion undo/redo
selection
replace
Programming features[edit]
Text editor support for programming features (see source code editor)
Sym
bol
Synta data Brac Co Tex
Fun Auto Auto
x base e de t Compiler i
ction indent compl
highli (ctag matc fold fold ntegration
list ation etion
ghting s or hing ing ing
equi
v.)
Acme No external external[ Yes Yes Partial[47] No No external[20]

[20] 20]
Plug-
AkelPad Plug-in Plug-in Plug-in Plug-in Yes Plug-in No Plug-in
in
Sym
bol
Fun Auto Auto
ction indent compl
list ation etion
equi
v.)
Alphatk Yes ? ? Yes Yes Yes Yes Yes Yes
Atom Yes Yes Yes Yes Yes Yes Yes Yes Plug-in
Aquama
Yes Yes Yes Yes Yes Yes Yes Yes Yes
cs
BBEdit Yes Yes Yes Yes Yes Yes Yes Yes Yes
Bluefish Yes No Yes Yes Yes Yes Yes No Yes[48]
Brackets Yes Yes No Yes Yes Yes Yes Yes Plug-in
Coda Yes Yes Yes Yes Yes Yes Yes No No
ConTEX
Yes ? ? Yes Yes Yes No No Yes
T
Crimson
Yes No Partial[49] Yes Yes No No No Yes
Editor
CudaTex
Yes Yes Yes Plug-in Yes Plug-in Yes Yes Plug-in
t
E Text
Yes ? ? Yes Yes Yes Yes Yes Yes
Editor
Sym
bol
Fun Auto Auto
ction indent compl
list ation etion
equi
v.)
ed No No No No No No No No external[50]
EditPlus Yes Yes[51] Partial[49] Yes Yes Yes[52] Yes No Yes
Editra Yes ? ? Yes Yes ? Yes ? ?
EmEdito
Yes Plug-in Plug-in Yes Yes Plug-in[53] Yes Yes Yes
r
Geany Yes Yes Yes[54] Yes Yes Yes Partial No Yes
Plug-
gedit Yes Plug-in Plug-in Yes Yes Plug-in No Yes[56]
in[55]
GNU
Emacs
JED Yes Yes Yes Yes Yes Yes Yes Yes Yes
jEdit Yes Plug-in Plug-in Yes Yes Yes Yes Yes Plug-in
JOE Yes ? Yes Yes Yes ? No No Yes
JOVE No No No Yes Yes No No No Yes

Sym
bol
Fun Auto Auto
ction indent compl
list ation etion
equi
v.)
Kate Yes Plug-in Plug-in Yes Yes Yes Yes Yes Plug-in
KEDIT Yes No Macro Yes Yes No Yes Yes Yes
Komodo
Yes Yes No Yes Yes Yes Yes Yes No
Edit
Komodo
IDE
KWrite Yes ? ? Yes Yes Yes Yes Yes No
LE Yes No No Yes Yes No No No No[57]
Light
Yes No No Yes Yes Yes No No Partial[58]
Table
Metapad No No No No Yes No No No No
mined Yes[59] ? Yes Yes Yes No No No No
MS-DOS
No No No No No No No No No
Editor
Nano Yes No No Yes Yes No No No No

Sym
bol
Fun Auto Auto
ction indent compl
list ation etion
equi
v.)
Symbol
databas
Syntax Bracket Auto Auto Code Text
Functio e Compiler
highlighti matchi indentati completi foldin foldin
n list (ctags integration
ng ng on on g g
or
equiv.)
ne Yes No No Yes Yes Yes No No No
NEdit Yes Plug-in Yes Yes Yes Plug-in No No Yes
Notepad No No No No No No No No No
Notepad
Yes Plug-in Plug-in Yes Yes Yes[60] Yes Yes Yes
++
Notepad
Yes No No Yes Yes No No No No
2
NoteTab Partial[61] ? ? No ? Yes ? ? Yes
nvi No ? Yes Yes Yes Yes No No No
Pepperm
int
Pico No No No No No No No No No
Sym
bol
Fun Auto Auto
ction indent compl
list ation etion
equi
v.)
PolyEdit Yes No No No No No No No No
PSPad Yes Yes Plug-in Yes Yes Yes No No Yes
Q10 ? ? ? ? ? ? ? ? ?
RJ
TextEd
RText Yes Plug-in No Yes Yes No No No No
Sam No No No No No No No No external[62]
SciTE Yes No[63] ? Yes Yes Yes Yes Yes Yes
SlickEdit Yes Yes Yes Yes Yes Yes Yes Yes Yes
Smultro
Yes No No Yes Yes Yes ? ? ?
n
Source
Yes Yes Yes Yes Yes Yes No No Limited
Insight
SubEtha
Yes ? ? Yes Yes Yes Yes Yes Yes
Edit
Sym
bol
Fun Auto Auto
ction indent compl
list ation etion
equi
v.)
Sublime Plug-
Yes Yes Yes Yes Yes Yes Yes Yes
Text in[64]
TED
No ? ? No Yes Yes No No No
Notepad
TextEdit No No No No No No No No No
TextMat
Yes Yes Plug-in Yes Yes Yes[65] Yes Yes No
e
Plug-
TextPad Yes No Yes Yes No No No Yes
in[66]
TextWra
Yes Yes No Yes Yes Yes Yes Yes Plug-in[67]
ngler
The
Plug- Partial[
SemWar Yes Yes Yes Yes Yes[69] 70] No Yes
in[68]
e Editor
UltraEdi
Yes Yes Partial[71] Yes Yes Yes Yes Yes Yes
t
VEDIT Yes Yes Yes Yes Yes Yes[72] No No Yes
vi No No Yes Yes No No No No Yes

Sym
bol
Fun Auto Auto
ction indent compl
list ation etion
equi
v.)
Plug-
Vim Yes Yes Yes Yes Yes Yes Yes Yes
in[73]
Visual
Studio Yes Yes Yes Yes Yes Yes Yes Yes Yes
Code
XEmacs Yes ? Yes Yes Yes Yes Yes Yes Yes
Yi Yes[74] No Yes[75] Yes Yes Yes ? ? Yes
Symbol
databas
Syntax Bracket Auto Auto Code Text
Functio e Compiler
highlighti matchi indentati completi foldin foldin
n list (ctags integration
ng ng on on g g
or
equiv.)
Notes[edit]
 Syntax highlighting: Displays text in different colors and fonts according to the category
of terms.
 Function list: Lists all functions from current file in a window or sidebar and allows user to
jump directly to the definition of that function for example by double-clicking on the function
name in the list. More or less realtime (does not require creating a symbol database, see
below).
 Symbol database: Database of functions, variable and type definitions, macro definitions
etc. in all the files belonging to the software being developed. The database can be
created by the editor itself or by an external program such as ctags. The database can be
used to instantly locate the definition even if it is in another file.
 Bracket matching: Find matching parenthesis or bracket, taking into account nesting.
 Auto indentation: May refer to just simple indenting to the same level as the line above,
or intelligent indenting that is language specific, e.g., ensuring a given indent style.
 Compiler integration: Allows running compilers/linkers/debuggers from within editor,
capturing the compiler output and stepping through errors, automatically moving cursor to
corresponding location in the source file.
Extra features[edit]
Text editor support for other programming features
Lar Lon
Graphica Macr Sea
Text Collabo ge g Multi-
l o rch
shellinteg rative file line line regexsu
shellinteg lang in
ration editing supp supp pport[76]
ration uage files
ort ort
Extensib
Acme Yes No No ? ? Yes ?
le
memor
AkelPad Yes Yes Yes No Yes Yes Plug-in
y
Alphatk Yes Yes Yes[77] No ? ? ? ?
Aquamac memor
Yes Yes Yes Yes ? Yes ?
s y
Plug- No 2-5
Atom No[78] ? Yes 100B [81] No [82] Yes
in[79] MB [80]
memor
BBEdit Yes Yes Yes[83] No ? Yes Yes
y[84]
Bluefish No Yes ? Yes ? ? Yes ?
Extensib
Brackets Yes Yes No No ? Partial Yes
le
Coda Yes No Yes[85] Yes ? ? Yes Yes

Lar Lon
Graphica Macr Sea
l o rch
shellinteg lang in
ration uage files
ort ort
ConTEX memor
No Yes Yes No ? No ?
T y[86]
Crimson
No Yes Yes No No ? No ?
Editor
CudaTex
No No Plug-in No ? ? Yes Plug-in
t
E Text
Yes Yes No[87] Yes Yes ? Yes ?
Editor
ed Yes No Yes No ? ? ? Yes
memor
EditPlus ? Yes Yes No ? Yes Yes
y
Editra ? ? ? ? 2 GB ? ? ?
EmEdito
Yes Yes Yes No Yes ? Yes Yes
r
Geany Yes ? Plug-in ? ? ? Yes Yes
gedit Yes Yes Yes[88] Plug-in No ? No No
GNU
Yes Yes Yes Yes 2 EB Yes Yes Yes
Emacs
on 64-
Lar Lon
Graphica Macr Sea
l o rch
shellinteg lang in
ration uage files
ort ort
bit OS[89
][90]
memor Plug-
JED Yes No Yes No Yes No
y[91] ins
No
jEdit Yes No Yes No (heap)[92 ? Yes Yes
]
JOE Yes No Yes No Yes[citation ? ? Yes[93]

needed]
memor
JOVE Yes No No No ? No No
y
Kate Yes Yes No No No[94] ? Yes Plug-in
KEDIT Yes Yes Yes No Yes 10Kb Yes No
Komodo ? ? Yes[95] No ? ? Yes Yes

Edit
Komodo ? ? Yes[95] Yes ? ? Yes Yes

IDE
KWrite No No No No No[94] No[96] No ?
memor
LE Yes No No No[97] ? Yes ?
y[98]
Lar Lon
Graphica Macr Sea
l o rch
shellinteg lang in
ration uage files
ort ort
Light
No Yes No No ? ? No Yes
Table
memor
Metapad Yes Yes No No ? No No
y[99]
mined ? ? ? ? ? ? Yes ?
EDIT No
(MS- No No No No (64~30 No No No
DOS) 0 KB)
2 GB,
for as
long as
there is
EDIT
disk
(DR- No No No No Yes No No
swap
DOS)
space
for two
tempora
ry files
Nano Yes No No No ? ? ? ?
Large Long
Graphical Macro
Text shell Collaborat file line Multi-line Search
shell languag
integration ive editing suppor suppor regex support in files
integration e
t t
NEdit Yes Yes Yes No No ? Yes ?

Lar Lon
Graphica Macr Sea
l o rch
shellinteg lang in
ration uage files
ort ort
memor
Notepad Yes Yes No No ? No No
y
2GB,
Notepad+ with plug- 64Bit
Yes Yes Yes more in ? Yes Yes
+ in
Test[100][1
01]
memor
Notepad2 No No No No ? No ?
y[102]
NoteTab ? ? Yes ? No ? Yes[103] ?
nvi Yes No No ? ? ? ? ?
Peppermi
Yes Yes Yes No Yes Yes Yes Yes
nt
Pico ? ? ? No ? ? ? ?
PolyEdit Yes Yes No No Yes ? Yes ?
memor
PSPad Yes Yes Yes No ? with plug-in Yes
y[104]
Q10 ? ? ? ? ? ? ? ?
Lar Lon
Graphica Macr Sea
l o rch
shellinteg lang in
ration uage files
ort ort
RJ
Yes Yes Yes No No ? Yes ?
TextEd
RText No No Yes No No ? Yes ?
externa
Sam Yes No Yes No ? ? Yes
l[62]
SciTE ? ? Yes No No ? No Yes
SlickEdit Yes Yes Yes No 2 TB Yes Yes Yes
Smultron ? ? ? ? ? ? ? ?
Source ? ? Yes No ? ? No ?
Insight
SubEtha
Yes Yes No Yes ? ? Yes ?
Edit
TED
Yes Yes No No No ? ? ?
Notepad
TextEdit Yes Yes No No ? ? ? ?
TextMate Yes Yes Yes No No ? Yes ?

Lar Lon
Graphica Macr Sea
l o rch
shellinteg lang in
ration uage files
ort ort
memor
TextPad No Yes Yes No ? Yes Yes
y[105]
TextWra memor
Yes Yes Yes No ? Yes ?
ngler y[84]
Yes Only in
The special
SemWare Yes Yes Yes DOS multi- 2 GB Yes ? Yes
Editor user
version
UltraEdit Yes Yes Yes No Yes Yes Yes Yes
VEDIT Yes Yes Yes No Yes ? Yes Yes
approx.
vi Yes No Yes No ? Yes Yes
65 MB
with plug- memor

Vim Yes Yes Yes Yes Yes Yes
in[106] y[107]
Visual
Studio Yes Yes Yes No ? ? Yes Yes
Code
on 64-
XEmacs Yes Yes Yes Yes bit ? Yes Yes
OS[89]
Lar Lon
Graphica Macr Sea
l o rch
shellinteg lang in
ration uage files
ort ort
Large Long
Graphical Macro
Text shell Collaborat file line Multi-line Search
shell languag
integration ive editing suppor suppor regex support in files
integration e
t t
Large file support:

Yes = Larger than 4 GB (LFS) 2 GB = Larger than 1 GB, not limited by memory
= Limited by available No = Some limit less than available memory (give max size if
memory
memory (64 KB) known)
In general, most text editors do not support large text files. Some restrict themselves to
available in-core RAM while others use sophisticated virtual memory management techniques
and paging algorithms.[108]
Search in files: Perform search (and possibly replace) in multiple files on disk, for example on
a sub-directory and recursively all the directories below it. Similar to grep.
Key bindings[edit]
Support for custom key bindings.
Text editor support for key bindings.
Dynamic IB
ally M mac Em Pic Word WordPe Bri
Vi
customiz CU OS acs o Star rfect ef
able A
Acme No No No No No No No No No
AkelPad Yes ? ? ? ? ? ? ? ?
Alphatk ? ? ? ? ? ? ? ? ?
Dynamic IB
Vi
able A
Aquamacs Yes ? Yes Yes Yes ? ? ? ?
BBEdit[109][110] Yes ? Yes ? Yes ? ? ? ?
Bluefish Yes ? Yes ? ? ? ? ? ?
Plug-
Brackets Yes Partial Yes Plug-in No No No No
in
Coda Yes ? Yes ? ? ? ? ? ?
ConTEXT ? ? ? ? ? ? ? ? ?
Crimson ? ? ? ? ? ? ? ? ?
Editor
CudaText Yes ? ? ? ? ? ? ? ?
E Text Editor ? ? ? ? ? ? ? ? ?
ed No No No No No No No No No
EditPlus Yes ? ? ? ? ? ? ? ?
Editra No No No Yes No No No No No
EmEditor Yes ? ? ? ? ? ? ? ?
Dynamic IB
Vi
able A
epsilon Yes ? ? ? Yes ? ? ? Yes
Geany Yes ? ? ? ? ? ? ? ?
gedit Yes[111] ? ? ? ? ? ? ? ?
GNU Emacs Yes Yes Yes Yes Yes Partial[ Yes[113] Yes[114] Yes[114]
112]
JED Yes Partial[ ? Yes Yes ? Yes ? Yes

115]
jEdit Yes ? Yes Yes ? ? ? ? ?
JOE[116] Yes No No No Yes Yes Yes No No
JOVE Yes No No No Yes No Yes[117] No No
LE Yes ? ? No ? ? ? ? ?
Plug-
Light Table Yes Partial ? Plug-in ? ? ? ?
in
Kate Yes No No Yes[118] No No No No No
KEDIT Yes Yes No No No No No No No

Dynamic IB
Vi
able A
Komodo Edit Yes ? Yes Yes Yes ? ? ? ?
Komodo IDE Yes ? Yes Yes Yes ? ? ? ?
KWrite Yes ? ? ? ? ? ? ? ?
Metapad ? ? ? ? ? ? ? ? ?
mg ? ? ? ? Yes ? ? ? ?
mined ? ? ? ? Yes Yes Yes ? ?
MS-DOS
No No No No No No No No No
Editor
Nano Yes No No No Partial[1 Yes No No No

19]
NEdit Yes ? ? ? ? ? ? ? ?
Notepad No Yes No No No No No No No
Notepad++ Partial Yes No No No No No No No
Notepad2 No ? No No No No ? ? ?
NoteTab ? ? ? ? ? ? ? ? ?
Dynamic IB
Vi
able A
nvi ? ? ? Yes ? ? ? ? ?
Peppermint Yes No Yes Yes Yes No No No No
Pico No No No No Partial[1 Yes No No No

19]
PolyEdit ? ? ? ? ? ? ? ? ?
PSPad Yes ? ? ? ? ? ? ? ?
Q10 ? ? ? ? ? ? ? ? ?
RJ TextEd Yes ? ? ? ? ? ? ? ?
RText Yes ? ? ? ? ? ? ? ?
Sam No No No No No No No No No
SciTE Partial[120] ? ? No No No ? ? ?
SlickEdit Yes[121] Yes Yes[122] Partial[ Yes No No No Yes

123]
Smultron ? ? ? ? ? ? ? ? ?
Dynamic IB
Vi
able A
Source
Yes ? No No No No ? ? ?
Insight
SubEthaEdit No No Yes No No No No No No
Sublime Text Yes No Yes Yes Yes No No No No
TED Notepad ? ? ? ? ? ? ? ? ?
TextEdit No No Yes No No No No No No
TextMate No No Yes No No No No No No
TextPad Yes ? ? ? ? ? ? ? ?
TextWrangle
Yes ? Yes No Yes No ? ? ?
r[109][124]
The
SemWare Yes ? ? ? ? ? ? ? ?
Editor
UltraEdit Yes ? No ? ? ? ? ? ?
VEDIT Yes Yes No No[125] No No Yes Yes Yes
vi Yes No No Yes No No No No No
Dynamic IB
Vi
able A
Plug- Partial|[1 Partial[1 Plug-

Vim Partial 27] Yes[128] 29] No No No
in[126] in[130]
Visual Studio Plug- Plug-

Yes No Yes No No No No
Code in[131] in[132]
XEmacs Yes Yes Yes Yes Yes Partial[ Yes[133] Yes[114] Yes[114]
112]
Yi Yes Yes Yes Yes Yes Yes No No No
Dynamicall
y IBM WordSta WordPerfe
macOS Vi Emacs Pico Brief
customizab CUA r ct
le
Notes, bugs[edit]
 Vim: custom maps of Ctrl-1 .. Ctrl-9, Ctrl-0 cannot be set, nor is Control-Shift-<char>
distinguished from Ctrl-<char>.[134][135]
 Notepad++: custom shortcuts of Shift-<char> cannot be set, they need an added modifier
such as Ctrl or Alt. i.e. SCI_LINESCROLLUP cannot be bound to "Shift-I" as the "Add"
button is greyed out.
 Emacs and Pico: pico uses most of Emacs's motion and deletion commands: ^F ^B ^P ^N
^D etc.
Protocol support[edit]
Support for editing files over a network or the Internet.
Text editor support for remote file editing over network protocols
FTP HTTP SSH WebDAV
Acme Yes Yes Yes Yes
AkelPad No No No No
Alphatk Yes No No Yes
Aquamacs Yes Yes Yes Yes[136]
BBEdit Yes No Yes No
Bluefish Yes Yes Yes Yes
Brackets Plug-in No No No
Coda Yes Yes Yes Yes
ConTEXT No[137] ? No[137] ?
Crimson Editor Yes No No No
CudaText Yes No No No
E Text Editor Yes No No No
ed No No No No
EditPlus Yes No No No
FTP HTTP SSH WebDAV
Editra ? ? ? ?
EmEditor No No No No
Geany No No No No
gedit Yes Yes Yes Yes
GNU Emacs Yes Yes Yes Yes
JED No No No No
Plug-
jEdit Plug-in[138] Yes[139] Plug-in.
in[138]
JOE No No No No
JOVE No No No No
LE No No No No
Kate Yes Yes Yes Yes
KEDIT No No No No
Komodo IDE FTP, FTPS, SFTP No Yes No
KWrite Yes Yes Yes Yes

FTP HTTP SSH WebDAV
Metapad No No No No
mined ? ? ? ?
MS-DOS Editor No No No No
Nano No No Yes No
FTP HTTP SSH WebDAV
NEdit No No No No
Notepad No No No No
Plug-in for FTP, FTPS, FTPES,

Notepad++ No Plug-in No
SFTP
Notepad2 No No No No
NoteTab No[140] ? No[140] ?
nvi No No No No
Peppermint Yes No Yes No
Pico No No No No
PolyEdit No No No No
FTP HTTP SSH WebDAV
PSPad Yes No No No
Q10 ? ? ? ?
RJ TextEd FTP, SFTP No Yes No
RText No No No No
Sam No No No No
SciTE No No No No
SlickEdit Yes Yes Yes No
Smultron Yes ? ? ?
Source Insight No No No No
SubEthaEdit Yes No No No
Plug-
Sublime text Plug-in [141] Yes Plug-in [143]
in [142]
TED Notepad No[144] ? No[144] ?
TextEdit No No No No
TextMate Yes[136] No No No
FTP HTTP SSH WebDAV
TextPad No No No No
TextWrangler Yes[145] FTP, SFTP No Yes No
The SemWare Editor No No No No
UltraEdit Yes No Yes No
VEDIT Yes No No No
vi No No No No
Plug-
Vim Plug-in[146] Plug-in[146] Plug-in[146]
in[146]
Visual Studio Code No No No No
XEmacs Yes Yes Yes ?
Yi No No No No
FTP HTTP SSH WebDAV
Unicode and other character encodings[edit]

To support specified character encoding, the editor must be able to load, save, view and edit
text in the specific encoding and not destroy any characters. For UTF-8 and UTF-16, this
requires internal 16-bit character support.
Partial support is indicated if: 1) the editor can only convert the character encoding to internal
(8-bit) format for editing. 2) If some encodings are supported only in some platforms. 3) If the
editor can only display specific character set (such as OEM) by loading corresponding font, but
does not support keyboard entry for that character set.
Text editor support for some of the most common character encodings
ISO- DOS UTF- UTF-

ASCII EBCDIC
8859 (OEM) 8 16
Acme Yes ? ? ? Yes ?
AkelPad Yes Yes Yes Yes Yes Yes
Alphatk Yes ? ? ? Yes Yes
Aquamacs Yes Yes Yes ? Yes Yes
BBEdit Yes Yes Yes Yes Yes Yes
Bluefish Yes Yes Yes Yes Yes Yes
Brackets Yes No No No Yes No
Coda Yes Yes Yes ? Yes Yes
ConTEXT Yes Yes Partial[147] No No No
Crimson Editor Yes Yes Partial[147] No Partial No
CudaText Yes Yes Yes ? Yes Yes
E Text Editor Yes ? ? ? Yes Yes
ed Yes ? ? ? Yes No
ISO- DOS UTF- UTF-

ASCII EBCDIC
8859 (OEM) 8 16
EditPlus Yes ? Yes ? Yes Yes
Editra Yes Yes Yes Yes Yes Yes
EmEditor Yes Yes Yes Yes Yes Yes
Geany Yes Yes Yes ? Yes Yes
gedit Yes Yes ? ? Yes Yes
GNU Emacs Yes Yes Yes Yes Yes[148] Yes[149]
JED Yes Yes Yes ? Yes Partial[150]
jEdit Yes Yes Yes Yes Yes Yes
JOE Yes ? ? ? Yes No
JOVE Yes No No No No No
LE Yes ? ? ? Yes No
Kate Yes Yes ? ? Yes Yes
KEDIT Yes Yes Partial[147] No No No
Komodo Edit Yes Yes No No Yes Yes

ISO- DOS UTF- UTF-

ASCII EBCDIC
8859 (OEM) 8 16
Komodo IDE Yes Yes No No Yes Yes
KWrite Yes ? ? ? Yes Yes
Metapad Yes Yes Partial[147] No No No
mined Yes Yes Yes ? Yes Yes
MS-DOS Editor Yes ? Yes ? ? ?
Nano Yes Yes ? ? Yes No
ASCII ISO-8859 DOS (OEM) EBCDIC UTF-8 UTF-16
NEdit Yes ? ? ? No No
Notepad Yes Yes Partial[147] No Yes Yes
Notepad++ Yes Yes No Plug-in? Yes Yes
Notepad2 Yes Yes Yes No Yes Yes
NoteTab Yes ? Yes Yes Partial[151] Partial[151]
nvi Yes ? ? ? Yes[152] No
Peppermint Yes Yes Yes ? Yes Yes

ISO- DOS UTF- UTF-

ASCII EBCDIC
8859 (OEM) 8 16
Pico Yes No No No Yes No
PolyEdit Yes ? ? ? Yes Yes
PSPad Yes Yes Yes ? Yes Yes
Q10 ? ? ? ? ? ?
RJ TextEd Yes Yes Yes Yes Yes Yes
RText Yes Yes Yes Yes[153] Yes Yes
Sam Yes ? ? ? Yes No
SciTE[154] Yes No No No Yes Yes
SlickEdit Yes Yes Yes Yes Yes Yes
Smultron Yes ? ? ? Yes Yes
Source Insight Yes ? ? ? No No
SubEthaEdit Yes Yes Yes Yes Yes Yes
Sublime Text Yes Yes Yes Yes Partial[155] Yes
TED Notepad Yes ? ? ? Yes Yes

ISO- DOS UTF- UTF-

ASCII EBCDIC
8859 (OEM) 8 16
TextEdit Yes Yes ? ? Yes Yes
TextMate Yes Yes ? ? Yes Yes
TextPad Yes ? ? ? Partial[156] Partial[156]
TextWrangler Yes Yes Yes Yes Yes Yes
The SemWare Editor Yes Yes[157] Partial[147] Plug-in No No
UltraEdit Yes Yes Yes Yes Yes Yes
VEDIT Yes Yes Yes Yes Partial[158] Partial[158]
vi Yes ? ? ? Yes No
Vim Yes Yes Yes Partial[159] Yes Yes
Visual Studio Code Yes Yes Yes ? Yes Yes
XEmacs Yes Yes ? ? Yes[160] Yes
Yi Yes ? ? ? Yes No
ASCII ISO-8859 DOS (OEM) EBCDIC UTF-8 UTF-16
Right-to-left and bidirectional text[edit]

Support for Right-To-Left (RTL) texts is necessary for editing some languages
like Arabic, Persian, Hebrew, and Yiddish and the mixture of left to right (LTR) and RTL known
as bi-directional (BiDi) support.
Depending on the algorithm used in the programs it might only render the bidirectional text
correctly but may not be able to edit them. (e.g. Notepad++ 5.1.3 shows bidirectional texts
correctly but cannot edit it and user should change the text direction to RTL to be able to edit
RTL texts correctly.)
Right to left (RTL) & bidirectional (bidi) support
Right-to-left (RTL) Bi-directional (Bidi)
Acme No No
AkelPad No No
Alphatk ? ?
Aquamacs ? ?
Atom No No
BBEdit No No
Bluefish Yes Yes
Brackets ? ?
Coda ? ?
ConTEXT ? ?
Crimson Editor ? ?
E Text Editor ? ?
ed ? ?
EditPlus No No
Editra ? ?
EmEditor No No
Geany ? ?
gedit Yes Yes
GNU Emacs Yes Yes[161]
JED ? ?
jEdit No No
JOE ? ?
JOVE No No
LE ? ?
Kate Yes Yes

KEDIT No No
Komodo Edit No No
Komodo IDE No No
KWrite ? ?
Metapad ? ?
MS-DOS Editor ? ?
mined Yes[162] Yes[162]
Nano ? ?
RTL Bidi
NEdit ? ?
Notepad Yes Yes
Notepad++ Yes Partial[163]
Notepad2 No No
NoteTab ? ?
nvi ? ?
Peppermint No No
Pico ? ?
PolyEdit ? ?
PSPad ? ?
Q10 ? ?
RJ TextEd Yes Yes
RText ? ?
Sam No No
SciTE No No
SlickEdit ? ?
Smultron ? ?
Source Insight No No
SubEthaEdit Yes Yes

Sublime Text No No
TED Notepad ? ?
TextEdit Yes Yes
TextMate No No
TextPad ? ?
TextWrangler No No
The SemWare Editor No No
UltraEdit No No
VEDIT ? ?
vi ? ?
Vim Yes through terminal support
Visual Studio Code No No
XEmacs ? ?
Yi ? ?
RTL Bidi
Newline support[edit]
Support for newline characters in line endings
Unix-like systems Classic Mac

Windows (CR/LF)
(including macOS[164]) (LF) OS (CR)
Acme Yes Yes Yes
AkelPad Yes Yes Yes
Alphatk Yes Yes Yes
Aquamacs Yes Yes Yes
BBEdit Yes Yes Yes
Bluefish Yes Yes Yes
Brackets Yes Yes No
Coda Yes Yes Yes
ConTEXT Yes Yes Yes
Crimson Editor Yes Yes Yes


Windows (CR/LF)
CudaText Yes Yes Yes
E Text Editor Yes Yes Yes
ed No Yes No
EditPlus Yes Yes Yes
Editra Yes Yes Yes
EmEditor Yes Yes Yes
Geany Yes Yes Yes
gedit Yes Yes Yes
GNU Emacs[165] Yes Yes Yes
JED Yes Yes Yes
jEdit Yes Yes Yes
JOE[166] Yes Yes No
JOVE Yes Yes Yes
Kate Yes Yes Yes


Windows (CR/LF)
KEDIT Yes Yes Yes
Komodo Edit Yes Yes Yes
Komodo IDE Yes Yes Yes
KWrite Yes Yes Yes
LE Yes Yes No
Metapad Yes Yes ?
MS-DOS Editor Yes No No
mined Yes Yes Yes
Nano Yes Yes Yes
NEdit Yes Yes Yes
Notepad Yes No No
Notepad++ Yes Yes Yes
Notepad2 Yes Yes Yes
NoteTab Yes Yes Yes


Windows (CR/LF)
nvi ? Yes ?
Peppermint Yes Yes Yes
Pico Yes Yes Yes
PolyEdit Yes Yes Yes
PSPad Yes Yes Yes
Q10 Yes Yes Yes
RJ TextEd Yes Yes Yes
RText Yes Yes Yes
Sam ? ? ?
SciTE Yes Yes Yes
SlickEdit Yes Yes Yes
Smultron Yes Yes Yes
Source Insight Yes Yes Yes
SubEthaEdit Yes Yes Yes


Windows (CR/LF)
Sublime Text Yes Yes Yes
TED Notepad Yes Yes Yes
TextEdit Yes Yes Yes
TextMate Yes Yes Yes
TextPad Yes Yes Yes
TextWrangler Yes Yes Yes
The SemWare Editor Yes Yes Yes
UltraEdit Yes Yes Yes
VEDIT Yes Yes Yes
vi No Yes No
Vim Yes Yes Yes
Visual Studio Code Yes Yes Yes
XEmacs Yes Yes Yes
Yi ? Yes ?

Windows (CR/LF)
Unix-like systems (including Classic Mac OS

Windows (CR/LF)
macOS) (LF) (CR)
See also
This list needs additional citations for verification. Please
help improve this article by adding citations to reliable sources.
Unsourced material may be challenged and removed. (February
2011) (Learn how and when to remove this template message)
The following is a list of notable text editors.
Contents
[hide]
 1Graphical and text user interface

 2Graphical user interface
 3Text user interface
o 3.1System default
o 3.2Others
 3.2.1vi clones
 4No user interface (editor libraries/toolkits)
 5ASCII and ANSI art
o 5.1ASCII font editors
 6Historical
o 6.1Visual and full-screen editors
o 6.2Line editors
 7See also
 8Notes
Graphical and text user interface[edit]

The following editors can either be used with a graphical user interface or a text user interface.
Free
Name Description
software
Extensible Versatile
Default under OpenVMS. ?
Editor (EVE)
A distribution of GNU Emacs heavily modified to behave like a

Aquamacs Emacs Yes
Mac program.
Cream A configuration of Vim. Yes
Elvis A vi/ex clone with additional commands and features. Yes
Two long-existing forks of the popular Emacs programmer's

GNU
editor. Emacs and vi are the dominant text editors on Unix- Yes
Emacs/XEmacs
like operating systems, and have inspired the editor wars.
Language-Sensitive
Programmer's Editor for OpenVMS implemented using TPU. Yes
Editor (LSE)
A modular, cross-platform editor written in C and Lua,

Textadept Yes
using Scintilla.[1]
A vi work-alike which retains the vi command-set while adding

vile (vi like Emacs) new features: multiple windows and buffers, infinite undo, Yes
colorization, scriptable expansion capabilities, etc.
A clone based on the ideas of the vi editor and designed for use
vim both from a command line interface and in a graphical user Yes
interface.
A scriptable text editor written in the Haskell programming

Yi editor Yes
language.
Graphical user interface[edit]

Name Description License
Acme A User Interface for Programmers by Rob Pike. Free software
Еditor for plain text. It is designed to be a small and

AkelPad Free software
fast. Many plugins.
Alphatk Proprietary
Arachnophilia Free software
A modular, general-purpose editor built

Atom using HTML, CSS and JavaScript on top Free software
of Chromium and Node.js.
BBEdit Proprietary
BBEdit Lite Freeware
Bluefish A web development editor. Free software
A modular, web-oriented editor built

Brackets using HTML, CSS and JavaScript on top of Free software
the Chromium Embedded Framework.
CodeWright Proprietary
Crimson Editor Freeware
Written in Object Pascal on Lazarus (IDE), thus cross

CudaText Free software
platform native GUI.
CygnusEd (CED) Proprietary
E Text Editor Default under IBM OS/2 versions 2-4[citation needed]. Proprietary
An editor originally made for BeOS and later ported

Eddie Freeware
to Linux and macOS.
EditPlus An editor with syntax highlighting and FTP. Proprietary
EmEditor Proprietary
Epsilon Proprietary
Geany A fast and lightweight editor / IDE, uses GTK+. Free software
gedit Default under GNOME.[2] Free software
GoldED (text editor

Proprietary
of Cubic IDE)
GWD Text Editor Proprietary
HTML Kit Freeware
HxD for huge text files. Freeware
iA Writer Proprietary
A free cross-platform programmer's editor written

jEdit Free software
in Java, GPL licensed.
JOVE Jonathan's Own Version of Emacs Free software
JuffEd A lightweight text editor written in Qt4. Free software
Kate A basic text editor for the KDE desktop. Free software
An editor with commands and Rexx macros similar to

Kedit Proprietary
IBM XEDIT.
Kile A user friendly TeX/LaTeX editor. Free software
Komodo Edit Free software
KWrite A default editor on KDE. Free software
An experimental text editor allowing multiple

Lapis simultaneous edits of text in a multiple selection from a Free software
few examples provided by the user.
Leafpad Default under LXDE.[3] and Xfce[citation needed] Free software
LEd – LaTeX Editor Freeware
A text editor that features outlines with clones as its

Leo Free software
central tool of organization and navigation.
Light Table A text editor and IDE with real-time, inline expression Free software
evaluation. Intended mainly for dynamic languages
such as Clojure, Python and JavaScript, and for web

development.
mcedit A text editor provided with Midnight Commander. Free software
Metapad Windows Notepad replacement, GPL licensed. Free software
MicroEMACS Free software
Mousepad Previously the default under Xfce.[4] Free software
NEdit – "Nirvana Editor" Free software
Notepad Default under Microsoft Windows. Proprietary
Multi-Edit Proprietary
Notepad2 Free software
Notepad++ A tabbed text editor. Free software
NoteTab Proprietary
NoteTab Light Freeware
Pe A text editor for BeOS. Free software
Peppermint An editor with a CoffeeScript/JavaScript API. Proprietary

The default text editor of the MATE desktop

pluma Free software
environment for Linux.
PolyEdit Proprietary
Programmer's File
Freeware
Editor (PFE)
An editor for Microsoft Windows with various

PSPad Freeware
programming environments.
Q10 A full screen text editor (Windows). Freeware
RJ TextEd Freeware
RText Free software
Sam Free software
SciTE Free software
SimpleText Default under Classic Mac OS from version 7.5.[5] Proprietary
SlickEdit Proprietary
Smultron A macOS text editor. Proprietary
Source Insight Proprietary

SubEthaEdit (formerly
Proprietary
called Hydra)
Sublime Text Proprietary
TeachText Default under Classic Mac OS versions prior to 7.5.[6] Proprietary
TED Notepad Freeware
Tex-Edit Plus Proprietary
TextPad and Wildedit Proprietary
TeXnicCenter Free software
TeXShop TeX/LaTeX editor and previewer. Free software
Default under macOS,[7] NeXTSTEP[citation needed],

TextEdit Free software
and GNUstep.[citation needed]
TextMate Free software
TextWrangler Freeware
The Hessling Editor Free software
The SemWare
Editor (TSE) (formerly Proprietary
called QEdit).
TopStyle Proprietary
Text and source code editor with syntax highlighting,

UltraEdit Proprietary
code folding, FTP etc. Handles multi-gigabyte files.
Ulysses Proprietary
UniRed Windows text editor supporting many encodings. Free software
VEDIT Proprietary
An extensible code editor with support for development

Visual Studio Code operations like debugging, task running and version Free software
control.
WinEdt Proprietary
X11 Xedit Free software
XEDIT Default under VM/CMS. Proprietary
Yudit Free software
Text user interface[edit]

System default[edit]
Command Description License
E is the text editor in PC DOS 6, PC DOS 7 and PC DOS 2000. Proprietary

The default line editor on Unix since the birth of Unix. Either ed or a
ed compatible editor is available on all systems labeled as Unix (not by Free software
default on every one).
The default editor on CP/M, MP/M, Concurrent CP/M, CP/M-

ED Free software
86, MP/M-86, Concurrent CP/M-86.
The default on MS-DOS 5.0 and higher and is included with all 32-
EDIT bit versions of Windows that do not rely on a separate copy of DOS. Proprietary
Up to including MS-DOS 6.22, it only supported files up to 64 KB.
The text editor in DR DOS 6.0, Novell DOS 7, OpenDOS 7.01, DR-
DOS 7.02 and higher. Supports large files for as long as swap space
EDIT Proprietary
is available. Version 7 and higher optionally supports a pseudo-
graphics user interface named NewUI.
The text editor in Concurrent DOS, Concurrent DOS

EDIX XM, Concurrent PC DOS, Concurrent DOS 386, FlexOS Proprietary
286, FlexOS 386, 4680 OS, 4690 OS, S5-DOS/MT.
The text editor in DR DOS 3.31 through DR DOS 5.0, and the
EDITOR Proprietary
predecessor of EDIT.
A command-line based line editor introduced with 86-DOS, and the

EDLIN default on MS-DOS prior to version 5 and is also available on MS- Proprietary
DOS 5.0 and Windows NT.
Stands for Easy Editor, is part of the base system of FreeBSD, along
ee Free software
with vi.[8]
(Installed as vi by default in BSD operating systems and

nvi some Linux distributions) – A free replacement for the original vi Free software
which maintains compatibility while adding some new features.
The default for Unix systems and must be included in

vi all POSIX compliant systems[9] – One of the earliest screen-based Free software
editors, it is based on ex.
Others[edit]
A screen-based editor with an embedded computer

Emacs language, Emacs Lisp. Early versions were implemented in TECO, Free software
see below.
Multi-mode, multi-window editor with drop-down menus, folding,

JED ctags support, undo, UTF-8, key-macros, autosave, etc. Multi- Free software
emulation; default is emacs. Programmable in S-Lang.
A modern screen-based editor with a sort of enhanced-

JOE Free software
WordStar style to the interface, but can also emulate Pico.
LE Free software
mcedit Full featured terminal text editor for Unix-like systems. Free software
Small and light, uses GNU/Emacs keybindings. Installed by

mg Free software
default on OpenBSD.
Text editor with user-friendly interface, mouse and menu control,

MinEd and extensive Unicode and CJK support; for Unix/Linux and Free software
Windows/DOS.
Nano A clone of Pico GPL licensed. Free software
ne A minimal, modern replacement for vi. Free software

SETEDIT A clone of the editor of Borland's Turbo* IDEs. Free software
Zile Free software
Pico Free software
The SemWare
(TSE for DOS) (formerly called QEdit) Proprietary
Editor
vi clones[edit]
busybox Free
A small vi clone with a minimum of commands and features.
vi software
Free
Elvis The first vi clone and the default vi in Minix.
software
Free
nvi A new implementation and currently the standard vi in BSD distributions.
software
STEVIE (ST Editor for VI Enthusiasts) for the Atari ST, the starting point for Free
STEVIE
vim and xvi software
Derived from an early version of Microemacs in an attempt to bring

the Emacs multi-window/multi-buffer editing paradigm to vi users. First
Free
vile published 1991 with infinite undo, UTF-8 compatibility, multi-window/multi-
software
buffer operation, a macro expansion language, syntax highlighting, file read
and write hooks, and more.
An extended version of the vi editor, with many additional features designed to Free
vim
be helpful in editing program source code. software
No user interface (editor libraries/toolkits)[edit]

Scintilla (editing Free

Used as the core of several text editors.
component) software
Language and runtime package, developed by DEC, used to

Text Processing
implement the Language-Sensitive Editor and Extensible Versatile Proprietary
Utility (TPU)
Editor, Eve.
ASCII and ANSI art[edit]

Editors that are specifically designed for the creation of ASCII and ANSI text art.
 ACiDDraw – designed for editing ASCII text art. Supports ANSI color (ANSI X3.64)
 JavE – ASCII editor, portable to any platform running a Java GUI
 PabloDraw – ANSI/ASCII editor allowing multiple users to edit via TCP/IP network
connections
 TheDraw – ANSI/ASCII text editor for DOS and PCBoard file format support
ASCII font editors[edit]
 FIGlet – for creating ASCII art text

 TheDraw – ANSI/ASCII text editor with built-in editor and manager of ASCII fonts
Historical[edit]
Visual and full-screen editors[edit]
 Brief – a very popular programmer's editor for DOS and OS/2

 Edit application – a programmer's editor for Classic Mac OS
 EDIT – a menu-based editor introduced to supersede EDLIN in MS-DOS version 5.0 and
up and available in most Microsoft Windows
 EDT – a character-based editor used on DEC PDP-11s and VAXen
 O26 – written for the operator console of the CDC 6000 series machines in the mid-1960s
 Red – a VAX/VMS editor, written in Forth variant STOIC
 se – an early screen-based editor for Unix
 SED – cross-platform editor from the 1980s, ran on TOPS-10, TOPS-20 and VMS
 STET (the 'STructured Editing Tool') – may have been the first folding editor; its first
version was written in 1977
 TeachText
 TECO – one of the most advanced character-based editors, which included a
programming language. While usually described as a line editor, it included screen editing
capabilities at least as early as 1965.
Line editors[edit]
 Colossal Typewriter – an early editor thought to be written for the PDP-1

 ed:
 Unix's early line editor
 CP/M's line editor
 EDLIN – a line editor delivered with MS-DOS
 EDT (Univac) – a line editor for Unisys VS/9 and e Fujitsu BS2000 systems
 ex – an EXtended version of Unix's ed, later evolved into the visual editor vi
 fred – sed-like line editor used on the CDC 7600 at Los Alamos
 GEDIT (aka George 3 EDITor) – a TECO-like editor including a programming language for
the GEC 4000 series computers. GEDIT was originally written by David Toll of Rutherford
Appleton Laboratory, and then adopted by GEC Computers for OS4000.
 sed – a non-interactive programmable stream editor available in Unix
 TECO – one of the most advanced character-based editors, which included a
programming language
 TEDIT – GEC 4000 series editor based on the Cambridge Titan EDIT
 QED
abbix
Zabbix
Zabbix 3.0 dashboard

Developer(s) Zabbix LLC
Initial release April 2001; 17 years ago
Stable release 3.4.11[1] / June 25, 2018; 34 days ago
Preview release 3.4.2rc1 / September 14, 2017; 10 months ago
 svn://svn.zabbix.com/
Repository
Written in C (server, proxy, agent), PHP(frontend), Java (Java

gateway)
Operating system Cross-platform
Type Network management system
License GNU General Public License version 2
Website www.zabbix.com
Zabbix is an open source monitoring software for networks, operating systems and
applications, created in Latvia by Alexei Vladishev. It is designed to monitor and track the
status of various network services, servers, and other network hardware.
Zabbix can use MySQL, MariaDB, PostgreSQL, SQLite, Oracle or IBM DB2 to store data.[2] Its
backend is written in C and the web frontend is written in PHP. Zabbix offers several
monitoring options:
 Simple checks can verify the availability and responsiveness of standard services such as
SMTP or HTTP without installing any software on the monitored host.
 A Zabbix agent can also be installed on UNIX and Windows hosts to monitor statistics
such as CPU load, network utilization, disk space, etc.
 As an alternative to installing an agent on hosts, Zabbix includes support for monitoring
via SNMP, TCP and ICMP checks, as well as over IPMI, JMX, SSH, Telnetand using
custom parameters. Zabbix supports a variety of near-real-time notification mechanisms,
including XMPP.
Released under the terms of GNU General Public License version 2, Zabbix is free software.
Contents
 1History
 2Features
 3Development
o 3.1Source code
o 3.2Releases
 4See also
 5References
 6Further reading
 7External links
History[edit]
Zabbix started as an internal software project in 1998. After three years, in 2001, it was
released to the public under GPL.[3], three years later until the first stable version, 1.0, was
released in 2004.
Dashboard of the Zabbix 3.4.0 release, dark theme
Timeline of major releases
End of Full Support End of Limited

Date Release
(3 years) Support (5 years)
Zabbix 1.0
Zabbix started as an internal project in a

1998 - -
bank by Alexei Vladishev[3]
7 Apr
Zabbix 1.0alpha1 is released as GPL[4] - -
2001
23 Mar
Zabbix 1.0 released[5] -
2004
Zabbix 1.x
6 Feb
Zabbix 1.1 released[5] - -
2006
29 May
2007
11 Sep
2008
7 Dec
2009
Zabbix 2.x
21 May Zabbix 2.0 Long Term Support (LTS)

August, 2015 [6] August, 2017 [7]
2012 released[5]
12 Nov
Zabbix 2.2 LTS released[5] August, 2017 [8] August, 2019 [9]
2013
11 Sep
2014
Zabbix 3.x
16 Feb
Zabbix 3.0 LTS released[5] February, 2019 [10] February, 2021 [11]
2016
14 Sep
2016
22 Aug
2017
Features[edit]
Architecture
 High performance, high capacity (able to monitor hundreds of thousands of devices).

 Auto-discovery of servers and network devices.
 Low-level discovery.
 Distributed monitoring with centralized web administration.
 Native high performance agents (client software for Linux, Solaris, HP-UX, AIX, FreeBSD,
OpenBSD, OS X, Tru64/OSF1, Windows 2000, Windows Server 2003, Windows XP,
Windows Vista, Windows Server 2008, Windows 7)
 SLA, and ITIL KPI metrics on reporting.
 High-level (business) view of monitored resources through user-defined visual console
screens and dashboards.
 Remote command execution through Zabbix proxies since August 2017 [12], up to Zabbix
3.4[13]
Architecture
 Agent-less monitoring.
 Web-based interface.
 Support for both polling and trapping mechanisms.
Monitoring
 JMX monitoring.
 Web monitoring.
Security and authentication
 Audit log.
 Secure user authentication.
 Flexible user permissions.
Notification capabilities
 Flexible e-mail notification on predefined events.

 Near-real-time notification mechanisms, for example using including XMPP protocol
Development[edit]
Dashboard of the Zabbix 3.0.0 release
Zabbix 2.4 Dashboard page
Zabbix is primarily developed by a Zabbix LLC company.

Source code[edit]
Zabbix consists of several separate modules:
 Zabbix Server, not supported in Windows[14]
 Zabbix Agents
 Zabbix Frontend
 Zabbix Proxy, not supported in Windows[15]
While the server, proxy and agents are written in C, the frontend is implemented
in PHP and Javascript, also a Java gateway, available since Zabbix 2.0, is written in Java.
Releases[edit]
Since the first stable version was released as 1.0, Zabbix versioning has used minor version
numbers to denote major releases. Each minor release actually implements many new
features, while change level releases mostly introduce bugfixes.
Zabbix version numbering scheme has changed over time. While the first two stable branches
were 1.0 and 1.1, after 1.1 it was decided to use odd numbers for development versions and
even numbers for stable versions. As a result, 1.3 followed 1.1 as a development release to be
released as 1.4.
Timeline[edit]
Note: this chart excludes release candidates in stable branches.
See also[edit]
 Free software portal

 Comparison of network monitoring systems
 List of systems management systems
References[edit]
1. Jump up^ "Release Notes for Zabbix 3.4.11". 25 June 2018. Retrieved 10 July2018.
2. Jump up^ List of supported databases in the manual
3. ^ Jump up to:a b Presentation, containing early history
4. Jump up^ Freshmeat announcement page
5. ^ Jump up to:a b c d e f g h i j k Zabbix release list
6. Jump up^ https://www.zabbix.com/life_cycle_and_release_policy
12. Jump up^ https://www.zabbix.com/rn/rn3.4.0
13. Jump
up^https://www.zabbix.com/documentation/3.4/manual/introduction/whatsnew340#remote_com
mand_support_through_proxies
14. Jump up^ https://www.zabbix.com/requirements
15. Jump up^ https://www.zabbix.com/requirements
 Vidmar, Anže (March 12, 2007). ZABBIX: State-of-the-art network monitoring Linux.com
 Ramm, Mark (March 15, 2005). The Watcher Knows, Linux Magazine
 Schroder, Carla (May 24, 2005). Monitor Your Net with Free, High-Performance ZABBIX, Enterprise
Networking Planet
 ZABBIX - monitoring your applications, network and servers debianhelp.co.uk (Installation
Instructions for Debian or Ubuntu Machines)
Further reading[edit]
 (2010) Zabbix 1.8 Network Monitoring - Packt Publishing ISBN 978-1-84719-768-9
 (2013) Mastering Zabbix - Packt Publishing ISBN 978-1-78328-349-1
 (2015) Zabbix Cookbook - Packt Publishing
 (2015) Zabbix Network Monitoring Essentials - Packt Publishing
 (2016) Zabbix Network Monitoring - Second Edition - Packt
Publishing ISBN 9781782161288


 Up: Connected: An Internet Encyclopedia
Up: Programmed Instruction Course
Up: Section 2 - Domain Naming
 Prev: Naming
Next: RFC 1034

 DNS Theory
 DNS uses a distributed database to maintain its world-wide tree of names.
 DNS uses a distributed database protocol to delegate control of domain
name hierarchies among zones, each managed by a group of name servers.
For example, *.cnn.com, where * is anything, is completely the
responsibility of CNN (Turner Broadcasting, as they say). CNN is
responsible for constructing name servers to handle any domain name
ending in cnn.com, referred to as their Zone of Authority (ZOA). A zone
takes its name from its highest point, so this zone is simply called cnn.com.
CNN registers their zone with InterNIC, who loads their name server IP
addresses into the root name servers, which makes this information
available to the global Internet. CNN can also make subdelegations, like
delegating news.cnn.comto their news division. This can be as simple as
creating new name server entries with the longer names, but mechanisms
exist if the delegee wants to operate an independent name server (see RFC
1034 §4.2).
 Of course, CNN doesn't actually maintain their own name server. Like
most people, they let their Internet service provider do it for them. In their
case, that means ANSnet, so nis.ans.net is their primary name server,
and ns.ans.net their backup name server. How do I know this? I accessed
InterNIC's Whois service and retrieved cnn.com's domain information
record. Follow the link to try this yourself.
 So, name servers contain pointers to other name servers, that can be used
to transverse the entire domain naming hierarchy. You may be wondering
how Internet hosts find an entry point to this system. Currently, it can be
done in three major ways, all of which depend on preloading the IP
address of at least one name server. One way is to preconfigure addresses
of the root name servers. This method is typically used by Internet service
providers on their name servers, typically in the UNIX
file /etc/namedb/named.root. Another way is to preload the address of a
name server that supports recursive queries, and send any name server
lookups to it. This method is common among dial-up Internet subscribers.
The user preloads the address of the service provider's name server, which
processes all queries and returns the answer to the client. The final method
is to automatically configure the address of a recursive name server,
perhaps using a PPP extension (RFC 1877) that is not yet widely
supported.
 Once a host has been configured with initial name server addresses, it can
use the DNS protocols to locate the name servers responsible for any part
of the DNS naming hierarchy, and retrieve the resource records (RRs) that
match DNS names to IP


 Welcome! The Internet Encyclopedia is my attempt to take the Internet
tradition of open, free protocol specifications, merge it with a 1990s Web
presentation, and produce a readable and useful reference to the technical
operation of the Internet. Some of my favorite parts are the essays
on Ping and Traceroute and the CIDR and DNS sections of the Course.
Read what's new!
Full text search of Connected: Five-part Programmed

100+ Internet engineering
An Internet Encyclopedia and Instruction Course (good
essays
all RFCs DNS section)
Questions readers have asked

Internet Standards Other sites to check out
(with answers)
The Encyclopedia is mirrored In the free software tradition,

How the Encyclopedia is
around the world; find a copy everything is available for
constructed
close to you download
 I'd like to thank all those who have expressed interest and support for this
project.
 Brent Baccala, Editor
Connected: An Internet Encyclopedia
baccala@freesoft.org
earching for Internet engineering info?
If you're trying to search for technical information about Internet operation, I, of

course, recommend this site. Full text search of Connected: An Internet
Encyclopedia and all RFCs is at your disposal, based on CNIDR's Isearch
software. Please remember to dot your i's, enclose multi-word strings in quotes,
like "name server", and feel free to use boolean constructors and parentheses. If
you don't find what you're looking for here, be sure to check Surf Sites. See
also Search Engine Design.
Submit Query
Search Syntax Quick Reference

Single word collision
Sendmail
Longer string "open shortest path first"
"address exhaustion"
Acroynm RIP
TCP and IP (not TCP/IP)
RFC by number RFC 768
Wildcarding subnet*
rout* and table* (not "rout* table*")
Weighting MIB:3 or SNMP:1
Boolean Construction timer and (holddown* or "hold down")
Connected: An Internet Encyclopedia

Searching for Internet engineering info?
Binary Arithmetic
For some important aspects of Internet engineering, most notably IP Addressing,
an understanding of binary arithmetic is critical. Many strange-looking decimal
numbers can only be understood by converting them (at least mentally) to binary.
All digital computers represent data as a collection of bits. A bit is the smallest
possible unit of information. It can be in one of two states - off or on, 0 or 1. The
meaning of the bit, which can represent almost anything, is unimportant at this
point. The thing to remember is that all computer data - a text file on disk, a
program in memory, a packet on a network - is ultimately a collection of bits.
If one bit has two different states, how many states do two bits have? The answer
is four. Likewise, three bits have eight states. For example, if a computer display
had eight colors available, and you wished to select one of these to draw a
diagram in, three bits would be sufficient to represent this information. Each of
the eight colors would be assigned to one of the three-bit combinations. Then,
you could pick one of the colors by picking the right three-bit combination.
A common and convenient grouping of bits is the byte or octet, composed of

eight bits. If two bits have four combinations, and three bits have eight
combinations, how many combinations do eight bits have? If you don't want to
write out all the possible byte patterns, just multiply eight twos together - one
two for each bit. Two times two is four, so the number of combinations of two
bits is four. Two times two times two is eight, so the number of combinations of
three bits is eight. Do this eight times - or just compute two to the eighth power -
and you discover that a byte has 256 possible states.
Obviously, if a byte has 256 possible states, its exact state can be represented by
a number from 1 to 256. However, since zero is a very important number, a byte
is more typically represented by a number from 0 to 255. This is very common,
and with bit pattern 00000000 representing zero, and bit
pattern 11111111 representing 255. The numbers matching these two patterns, and
everything in between, can be computed by assigning a weight to each bit,
multiplying each bit's value (0 or 1) by its weight, and then adding the totals. For
example, here's how 217 is represented as 11011001 in binary:
To convert a number from decimal to binary, begin at leftmost bit position (128).
If the number is larger than or equal to the bit's weight, write a 1 in the bit
position, subtract the bit's weight from the number, and continue with the
difference. If the number is less than the bit's weight, write a 0 in the bit position
and continue without any subtraction. Here's an illustration of converting 141 to
binary:
There is a simpler way to convert bytes back and forth between binary and
decimal; akin to memorizing multiplication tables. The byte can split into two
four-bit halves, each half called a nibble. Memorize the decimal values for the
high nibble (they're just the multiples of 16). The low nibble is trivial. Every
number between 0 and 255 is the sum of one of the high nibble values and one of
the low nibble values. Write the high nibble next to the low nibble, and you have
the byte value in binary. Conversely, an eight-bit binary byte can be split in half,
each nibble converted to decimal and two decimal numbers added together.
The most common bit patterns in Internet engineering are those with a string of
one bits, followed by a string of zero bits. Here are all such bytes, along with
their decimal representation, computed just like the example using 217.
Manual:IP/Firewall/NAT
< Manual:IP | Firewall
Applies to RouterOS:v3, v4 +
Contents
[hide]
 1Summary
o 1.1Masquerade
 2Properties
 3Stats
 4Menu specific commands
 5Basic examples
o 5.1Source NAT
 5.1.1Masquerade
 5.1.2Source nat to specific address
o 5.2Destination NAT
 5.2.1Forward all traffic to internal host
 5.2.2Port mapping/forwarding
 5.2.3Port forwarding to internal FTP server
o 5.31:1 mapping
o 5.4Carrier-Grade NAT (CGNAT) or NAT444
Summary
Sub-menu: /ip firewall nat
Network Address Translation is an Internet standard that allows hosts on local area networks
to use one set of IP addresses for internal communications and another set of IP addresses for
external communications. A LAN that uses NAT is referred as natted network. For NAT to
function, there should be a NAT gateway in each natted network. The NAT gateway (NAT
router) performs IP address rewriting on the way a packet travel from/to LAN.
There are two types of NAT:
 source NAT or srcnat. This type of NAT is performed on packets that are originated
from a natted network. A NAT router replaces the private source address of an IP
packet with a new public IP address as it travels through the router. A reverse
operation is applied to the reply packets travelling in the other direction.
 destination NAT or dstnat. This type of NAT is performed on packets that are
destined to the natted network. It is most comonly used to make hosts on a private
network to be acceesible from the Internet. A NAT router performing dstnat replaces
the destination IP address of an IP packet as it travel through the router towards a
private network.
Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some
Internet protocols might not work in scenarios with NAT. Services that require the initiation of
TCP connection from outside the private network or stateless protocols such as UDP, can be
disrupted. Moreover, some protocols are inherently incompatible with NAT, a bold example is
AH protocol from the IPsec suite.
To overcome these limitations RouterOS includes a number of so-called NAT helpers, that
enable NAT traversal for various protocols.
Masquerade
Firewall NAT action=masquerade is unique subversion of action=srcnat , it was designed
for specific use in situations when public IP can randomly change, for example DHCP-server
changes it, or PPPoE tunnel after disconnect gets different IP, in short - when public IP is
dynamic.
Every time interface disconnects and/or its IP address changes, router will clear all
masqueraded connection tracking entries that send packet out that interface, this way
improving system recovery time after public ip address change.
Unfortunately this can lead to some issues when action=masquerade is used in setups with
unstable connections/links that get routed over different link when primary is down. In such
scenario following things can happen:
 on disconnect, all related connection tracking entries are purged;

 next packet from every purged (previously masqueraded) connection will come into firewall
as connection-state=new , and, if primary interface is not back, packet will be routed
out via alternative route (if you have any) thus creating new connection;
 primary link comes back, routing is restored over primary link, so packets that belong to
existing connections are sent over primary interface without being masqueraded leaking
local IPs to a public network.
You can workaround this by creating blackhole route as alternative to route that might
disappear on disconnect).
When action=srcnat is used instead, connection tracking entries remain and connections
can simply resume.
Properties
Property
action (action name; Default: accept) Action to take if packet is
 accept - accept
 add-dst-to-a
 add-src-to-a
 dst-nat - repla
ports parame
 jump - jump to th
 log - add a mess
ip:port and lengt
 masquerade - r
packet to IP dete
 netmap - creates
hosts on private
 passthrough -
 redirect - repl
the router's loca
 return - passes
 same - gives a pa
frequently used
 src-nat - repla
address-list (string; Default: ) Name of the address list to
address-list-timeout (time; Default: 00:00:00) Time interval after which t

with add-dst-to-addr
Value of 00:00:00 will l
chain (name; Default: ) Specifies to which chain ru

comment (string; Default: ) Descriptive comment for t
connection-bytes (integer-integer; Default: ) Matches packets only if a

example connection-b
connection
connection-limit (integer,netmaks; Default: ) Restrict connection limit p
connection-mark (no-mark | string; Default: ) Matches packets marked v
connection-rate (Integer 0..4294967295; Default: ) Connection Rate is a firew
connection-type (ftp | h323 | irc | pptp | quake3 | sip | tftp; Default: ) Matches packets from rela
be enabled under /ip firew
content (string; Default: ) Match packets that contai
dscp (integer: 0..63; Default: ) Matches DSCP IP header f
dst-address (IP/netmask | IP range; Default: ) Matches packets which de
dst-address-list (name; Default: ) Matches destination addre
dst-address-type (unicast | local | broadcast | multicast; Default: ) Matches destination addre
 unicast - IP add
 local - if dst-ad
 broadcast - pa
 multicast - pa
dst-limit (integer[/time],integer,dst-address | dst-port | src-address[/time]; Default: ) Matches packets until a gi

it's own limit. Parameters
 count - maximum
 time - specifies th
 mode - the classif
 expire - specifies
dst-port (integer[-integer]: 0..65535; Default: ) List of destination port nu
fragment (yes|no; Default: ) Matches fragmented pack

system automatically asse
hotspot (auth | from-client | http | local-dst | to-client; Default: )
icmp-options (integer:integer; Default: ) Matches ICMP type:code f
in-bridge-port (name; Default: ) Actual interface the packe
in-interface (name; Default: ) Interface the packet has e
ingress-priority (integer: 0..63; Default: ) Matches ingress priority o
ipsec-policy (in | out, ipsec | none; Default: ) Matches the policy used b
match the policy used for
 in - valid in the PRER

 out - valid in the POS
 ipsec - matches if th
 none - matches pack
For example, if router rece
rule ipsec-policy=in
ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no- Matches IPv4 header optio
source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing |
timestamp; Default: )  any - match pack
 loose-source
based on inform
 no-record-ro
information sup
 no-router-al
 no-source-ro
 no-timestamp
 record-route
 router-alert
 strict-sourc
 timestamp - ma
jump-target (name; Default: ) Name of the target chain t
layer7-protocol (name; Default: ) Layer7 filter name defined
limit (integer,time,integer; Default: ) Matches packets until a gi
 count - maximum
 time - specifies th
log-prefix (string; Default: ) Adds specified text at the
nth (integer,integer; Default: ) Matches every nth packet
out-bridge-port (name; Default: ) Actual interface the packe
out-interface (; Default: ) Interface the packet is lea
packet-mark (no-mark | string; Default: ) Matches packets marked v
packet-size (integer[-integer]:0..65535; Default: ) Matches packets of specif
per-connection-classifier (ValuesToHash:Denominator/Remainder; Default: ) PCC matcher allows to div

stream. Read more >>
port (integer[-integer]: 0..65535; Default: ) Matches if any (source or
protocol (name or protocol ID; Default: tcp) Matches particular IP prot
psd (integer,time,integer,integer; Default: ) Attempts to detect TCP an

LopPortWeight, High
 WeightThreshold
treated as port s
 DelayThreshold -
scan subsequenc
 LowPortWeight -
 HighPortWeight -
random (integer: 1..99; Default: ) Matches packets randoml
routing-mark (string; Default: ) Matches packets marked b
same-not-by-dst (yes | no; Default: ) Specifies whether to take
src-address (Ip/Netmaks, Ip range; Default: ) Matches packets which so
src-address-list (name; Default: ) Matches source address o
src-address-type (unicast | local | broadcast | multicast; Default: )

Matches source address ty
 unicast - IP add
 local - if addres
 broadcast - pa
 multicast - pa
src-port (integer[-integer]: 0..65535; Default: ) List of source ports and ra
src-mac-address (MAC address; Default: ) Matches source MAC addr
tcp-flags (ack | cwr | ece | fin | psh | rst | syn | urg; Default: ) Matches specified TCP flag
 ack - acknowledg
 cwr - congestion
 ece - ECN-echo f
 fin - close conne
 psh - push functi
 rst - drop conne
 syn - new conne
 urg - urgent data
tcp-mss (integer: 0..65535; Default: ) Matches TCP MSS value of
time (time-time,sat | fri | thu | wed | tue | mon | sun; Default: ) Allows to create filter base
to-addresses (IP address[-IP address]; Default: 0.0.0.0) Replace original address w
to-ports (integer[-integer]: 0..65535; Default: ) Replace original port with
ttl (integer: 0..255; Default: ) Matches packets TTL value
Stats
/ip firewall nat print stats will show additional read-only properties
Property
bytes (integer) Total amount of bytes ma
packets (integer) Total amount of packets m
By default print is equivalent to print static and shows only static rules.
[admin@dzeltenais_burkaans] /ip firewall mangle> print stats

# CHAIN ACTION BYTES PACKETS
0 prerouting mark-routing 17478158 127631
To print also dynamic rules use print all.
[admin@dzeltenais_burkaans] /ip firewall mangle> print all stats

2 D forward change-mss 0 0
Or to print only dynamic rules use print dynamic
[admin@dzeltenais_burkaans] /ip firewall mangle> print stats dynamic

Menu specific commands

Property
reset-counters (id) Reset statistics counters fo
reset-counters-all () Reset statistics counters fo
Basic examples
Source NAT
Masquerade
If you want to "hide" the private LAN 192.168.0.0/24 "behind" one address 10.5.8.109 given to
you by the ISP, you should use the source network address translation (masquerading) feature
of the MikroTik router. The masquerading will change the source IP address and port of the
packets originated from the network 192.168.0.0/24 to the address 10.5.8.109 of the router
when the packet is routed through it.
To use masquerading, a source NAT rule with action 'masquerade' should be added to the
firewall configuration:
/ip firewall nat add chain=srcnat action=masquerade out-

interface=Public
All outgoing connections from the network 192.168.0.0/24 will have source address 10.5.8.109
of the router and source port above 1024. No access from the Internet will be possible to the
Local addresses. If you want to allow connections to the server on the local network, you
should use destination Network Address Translation (NAT).
Source nat to specific address
If you have multiple public IP addresses, source nat can be changed to specific IP, for
example, one local subnet can be hidden behind first IP and second local subnet is
masqueraded behind second IP.
/ip firewall nat

add chain=srcnat src-address=192.168.1.0/24 action=src-nat to-
addresses=1.1.1.1 out-interface=Public
add chain=srcnat src-address=192.168.2.0/24 action=src-nat to-
addresses=1.1.1.2 out-interface=Public
Destination NAT
Forward all traffic to internal host
If you want to link Public IP 10.5.8.200 address to Local one 192.168.0.109, you should use
destination address translation feature of the MikroTik router. Also if you want allow Local
server to initiate connections to outside with given Public IP you should use source address
translation, too.
Add Public IP to Public interface:
/ip address add address=10.5.8.200/32 interface=Public
Add rule allowing access to the internal server from external networks:
/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat

\
to-addresses=192.168.0.109
Add rule allowing the internal server to initate connections to the outer networks having its
source address translated to 10.5.8.200:
/ip firewall nat add chain=srcnat src-address=192.168.0.109 action=src-

nat \
to-addresses=10.5.8.200
Port mapping/forwarding
If you would like to direct requests for a certain port to an internal machine (sometimes called
opening a port, port mapping), you can do it like this:
/ip firewall nat add chain=dstnat dst-port=1234 action=dst-nat

protocol=tcp to-address=192.168.1.1 to-port=1234
This rule translates to: when an incoming connection requests TCP port 1234, use the DST-
NAT action and redirect it to local address 192.168.1.1 and the port 1234
Port forwarding to internal FTP server
As you can see from illustration above FTP uses more than one connection, but only command
channel should be forwarded by Destination nat. Data channel is considered as related
connection and should be accepted with "accept related" rule if you have strict firewall. Note
that for related connections to be properly detected FTP helper has to be enabled.
/ip firewall nat

add chain=dstnat dst-address=10.5.8.200 dst-port=21 protocol=tcp
action=dst-nat to-addresses=192.168.0.109
/ip firewall filter
add chain=forward connection-state=established,related action=accept
Note that active FTP might not work if client is behind dumb firewall or NATed router, because
data channel is initiated by the server and cannot directly access the client.
If client is behind Mikrotik router, then make sure that FTP helper is enabled
[admin@3C22-atombumba] /ip firewall service-port> print

# NAME
PORTS
0 ftp
21
1 tftp
69
2 irc
6667
3 h323
4 sip
5060
5061
5 pptp
1:1 mapping
If you want to link Public IP subnet 11.11.11.0/24 to local one 2.2.2.0/24, you should use
destination address translation and source address translation features with action=netmap.
/ip firewall nat add chain=dstnat dst-address=11.11.11.0/24 \

action=netmap to-addresses=2.2.2.0/24
/ip firewall nat add chain=srcnat src-address=2.2.2.0/24 \

action=netmap to-addresses=11.11.11.0/24
Same can be written using different address notation, that still have to match with the
described network
/ip firewall nat add chain=dstnat dst-address=11.11.11.0-11.11.11.255 \

action=netmap to-addresses=2.2.2.0-2.2.2.255
/ip firewall nat add chain=srcnat src-address=2.2.2.0-2.2.2.255 \

action=netmap to-addresses=11.11.11.0-11.11.11.255
Carrier-Grade NAT (CGNAT) or NAT444

To combat IPv4 address exhaustion, new RFC 6598 was deployed. The idea is to use shared
100.64.0.0/10 address space inside carrier's network and performing NAT on carrier's edge
router to sigle public IP or public IP range.
Because of nature of such setup it is also called NAT444, as opposed to a NAT44 network for
a 'normal' NAT environment, three different IPv4 address spaces are involved.
CGNAT configuration on RouterOS does not differ from any other regular source NAT
configuration:
/ip firewall nat

add chain=src-nat action=srcnat src-address=100.64.0.0/10 to-
address=2.2.2.2 out-interface=<public_if>
Where:
 2.2.2.2 - public IP address,

 public_if - interface on providers edge router connected to internet
The advantage of NAT444 is obvious, less public IPv4 addresses used. But this technique
comes with mayor drawbacks:
 The service provider router performing CGNAT needs to maintain a state table for all the
address translations: this requires a lot of memory and CPU resources.
 Console gaming problems. Some games fail when two subscribers using the same outside
public IPv4 address try to connect to each other.
 Tracking of users for legal reasons means extra logging, as multiple households go behind
one public address.
 Anything requiring incoming connections is broken. While this already was the case with
regular NAT, end users could usually still set up port forwarding on their NAT router.
CGNAT makes this impossible. This means no web servers can be hosted here, and IP
Phones cannot receive incoming calls by default either.
 Some web servers only allow a maximum number of connections from the same public IP
address, as a means to counter DoS attacks like SYN floods. Using CGNAT this limit is
reached more often and some services may be of poor quality.
 6to4 requires globally reachable addresses and will not work in networks that employ
addresses with limited topological span.
More on things that can break can be read in this article [1]
Packets with Shared Address Space source or destination addresses MUST NOT be
forwarded across Service Provider boundaries. Service Providers MUST filter such packets on
ingress links. In RouterOS this can be easily done with firewall filters on edge routers:
/ip firewall filter

add chain=input src-address=100.64.0.0/10 action=drop in-
interface=<public_if>
add chain=output dst-address=100.64.0.0/10 action=drop out-
add chain=forward src-address=100.64.0.0/10 action=drop in-
add chain=forward src-address=100.64.0.0/10 action=drop out-
add chain=forward dst-address=100.64.0.0/10 action=drop out-
Service providers may be required to do logging of MAPed addresses, in large CGN deployed
network that may be a problem. Fortunately RFC 7422 suggests a way to manage CGN
translations in such a way as to significantly reduce the amount of logging required while
providing traceability for abuse response.
RFC states that instead of logging each connection, CGNs could deterministically map
customer private addresses (received on the customer-facing interface of the CGN, a.k.a.,
internal side) to public addresses extended with port ranges.
In RouterOS described algorithm can be done with few script functions. Lets take an example:
Inside IP Outside IP/Port range
100.64.1.1 2.2.2.2:2000-2099
100.64.1.2 2.2.2.2:2100-2199
100.64.1.3 2.2.2.2:2200-2299
100.64.1.4 2.2.2.2:2300-2399
100.64.1.5 2.2.2.2:2400-2499
100.64.1.6 2.2.2.2:2500-2599
Instead of writing NAT mappings by hand we could write a function which adds such rules
automatically.
:global sqrt do={

:for i from=0 to=$1 do={
:if (i * i > $1) do={ :return ($i - 1) }
}
}
:global addNatRules do={

/ip firewall nat add chain=srcnat action=jump jump-target=xxx \
src-address="$($srcStart)-$($srcStart + $count - 1)"
:local x [$sqrt $count]

:local y $x
:if ($x * $x = $count) do={ :set y ($x + 1) }
:for i from=0 to=$x do={
/ip firewall nat add chain=xxx action=jump jump-target="xxx-$($i)"
\
src-address="$($srcStart + ($x * $i))-$($srcStart + ($x * ($i + 1)
- 1))"
}
:for i from=0 to=($count - 1) do={

:local prange "$($portStart + ($i * $portsPerAddr))-$($portStart +
(($i + 1) * $portsPerAddr) - 1)"
/ip firewall nat add chain="xxx-$($i / $x)" action=src-nat
protocol=tcp src-address=($srcStart + $i) \
to-address=$toAddr to-ports=$prange
/ip firewall nat add chain="xxx-$($i / $x)" action=src-nat
protocol=udp src-address=($srcStart + $i) \
to-address=$toAddr to-ports=$prange
}
}
After pasting above script in the terminal function "addNatRules" is available. If we take our
example, we need to map 6 shared network addresses to be mapped to 2.2.2.2 and each
address uses range of 100 ports starting from 2000. So we run our function:
$addNatRules count=6 srcStart=100.64.1.1 toAddr=2.2.2.2 portStart=2000

portsPerAddr=100
Now you should be able to get set of rules:
[admin@rack1_b18_450] /ip firewall nat> print

0 chain=srcnat action=jump jump-target=xxx src-address=100.64.1.1-
100.64.1.6 log=no log-prefix=""
1 chain=xxx action=jump jump-target=xxx-0 src-address=100.64.1.1-


4 chain=xxx-0 action=src-nat to-addresses=2.2.2.2 to-ports=2000-

2099 protocol=tcp src-address=100.64.1.1 log=no log-prefix=""

2099 protocol=udp src-address=100.64.1.1 log=no log-prefix=""










< Manual:Interface
Contents
[hide]
 1Summary
 2802.1Q
 3Q-in-Q
 4Properties
 5Setup examples
Summary
efficiently.
802.1Q
Q-in-Q
Example:
/interface vlan
and '12'.
Properties
Property
interface (name; Default: ) Name of physical interfa
l2mtu (integer; Default: ) Layer2 MTU. For VLAN
mtu (integer; Default: 1500) Layer3 Maximum transm
use-service-tag (yes | no; Default: ) 802.1ad compatible Ser
vlan-id (integer: 4095; Default: 1) Virtual LAN identifier or
and destination.
Setup examples
Port Based VLAN #1
/interface vlan
/interface bridge



Port Based VLAN #2
/interface vlan


/interface bridge




Simple VLAN routing
created.

R2:


R4:


R2:
[admin@MikroTik] ip address> add address=10.10.10.3/24

interface=VLAN2
0 10.0.1.4/24 10.0.1.0 10.0.1.255 ether1
1 10.20.0.1/24 10.20.0.0 10.20.0.255 pc1
2 10.10.10.3/24 10.10.10.0 10.10.10.255 vlan2
R4:

interface=VLAN2
0 10.0.1.5/24 10.0.1.0 10.0.1.255 ether1
1 10.30.0.1/24 10.30.0.0 10.30.0.255 pc2
2 10.10.10.5/24 10.10.10.0 10.10.10.255 vlan2

"From R4 to R2:"

"From R2 to R1:"

InterVLAN routing
VLAN communication.
trunking.
 VLAN 2 – 10.10.20.0/24;
 VLAN 3 – 10.10.30.0/24;
 VLAN 4 – 10.10.40.0./24.
/interface vlan
/ip address
RouterA:

/ip address add address=10.22.0.1/32 interface=vlan1
network=10.23.0.1
RouterB:

network=10.22.0.1
Manual:Maximum Transmission Unit on

RouterBoards
Contents
[hide]
 1Background
 2MTU on RouterOS
o 2.1Full frame MTU
o 2.2MAC/Layer-2/L2 MTU
o 2.3MPLS/Layer-2.5/L2.5 MTU
 2.3.1MPLS Switching
 2.3.2IP ingress
 2.3.3VPLS ingress
o 2.4IP/Layer-3/L3 MTU
 3Simple Examples
o 3.1Simple Routing
o 3.2Routing with VLAN Encap
o 3.3Simple MPLS with tags
o 3.4VPLS Tunnel
 4L2MTU advanced example
Background
It is sole responsibility of administrator to configure MTUs such that intended services and
applications can be successfully implemented in network. In other words - administrator must
make sure that MTUs are configured in a way that packet sizes does not exceed the
capabilities of network equipment.
Originally MTU was introduced because of the high error rates and low speed of
communications. Fragmentation of the data stream gives ability to correct corruption errors
only by resending corrupted fragment, not the whole stream. Also on low speed connections
such as modems it can take too much time to send a big fragment, so in this case
communication is possible only with smaller fragments.
But in present days we have much lower error rates and higher speed of communication, this
opens a possibility to increase the value of MTU. By increasing value of MTU we will result in
less protocol overhead and reduce CPU utilization mostly due to interrupt reduction.
This way some non-standard frames started to emerge:
 Giant or Jumbo frames - frames that are bigger than standard (IEEE) Ethernet MTU
 Baby Giant or Baby Jumbo frames - frames that are just slightly bigger that standard
(IEEE) Ethernet MTU
It is common now for Ethernet interfaces to support physical MTU above standard, but this can
not be taken for granted. Abilities of other network equipment must be taken into account as
well - for example, if 2 routers with Ethernet interfaces supporting physical MTU 1526 are
connected through Ethernet switch, in order to successfully implement some application that
will produce this big Ethernet frames, switch must also support forwarding such frames.
MTU on RouterOS
Mikrotik RouterOS recognizes several types of MTU:
 IP/Layer-3/L3 MTU
 MPLS/Layer-2.5/L2.5 MTU
 MAC/Layer-2/L2 MTU
 Full frame MTU
Full frame MTU

Full frame MTU indicates the actual size of the frame that are sent by particular interface.
Frame Checksum is not included as it is removed by Ethernet driver as soon as frame reach its
destination.
MAC/Layer-2/L2 MTU
L2MTU indicates the maximum size of the frame without MAC header that can be sent by this
interface.
Starting from the RouterOS v3.25 L2MTU values can be seen in "/interface" menu. L2MTU
support is added for all Routerboard related Ethernet interfaces, VLANs, Bridge, VPLS and
wireless interfaces. Some of them support configuration of L2MTU value. All other Ethernet
interfaces might indicate L2MTU only if the chip set is the same as Routerboard Ethernets.
This will allow users to check if desired setup is possible. Users will be able to utilize additional
bytes for VLAN and MPLS tags, or simple increase of interface MTU to get rid of the some
unnecessary fragmentation.
This table shows max-l2mtu supported by Mikrotik RouterBoards (Starting from the RouterOS
v5.3 also available in "/interface print" menu as value of read-only "max-l2mtu" option):
Integrated Solutions
RouterBoard
RB Groove series ether1:2028
RB Metal series ether1:2028
RB SXT series, RB LHG, RB LDF ether1:2028
RB SXT Lite series ether1:2028
RB SXT G series, RB DynaDish, wAP ac ether1:4076
RB OmniTik series ether1:4076; ether
RB OmniTik ac series ether1-ether5:4074
RB mAP, RB mAP lite, RB cAP, RB wAP ether1-ether2:2028
RB750 ether1:4076; ether
RB750r2, RB750P-PBr2, RB750UPr2 ether1-ether5:2028
RB750UP ether1:4076; ether
RB751U-2HnD ether1:4076; ether
RB951-2n ether1:4076; ether
RB941-2nD, RB951Ui/RB952Ui series ether1-ether5:2028
RB750GL, RB750Gr2 ether1-ether5:4074
RB750Gr3 ether1-ether5:2026
RB751G-2HnD ether1-ether5:4074
RB951G-2HnD ether1-ether5:4074
RB962UiGS, RB960PGS ether1-ether5:4074
RB1100Hx2 ether1-ether10:949
RB1100AHx2 ether1-ether10:949
CCR1009 series ether1-ether4:1022
CCR1072 series ether1:9116; sfp-sf
CRS109-8G-1S ether1-ether8:4064
CRS106-1C-5S sfp1-sfp5:9204; co
CRS210-8G-2S+ ether1-ether8:9204
CRS212-1G-10S-1S+ ether1:9204; sfp1-
CRS226-24G-2S+ ether1-ether24:920
CRS326-24G-2S+, CSS326-24G-2S+ ether1-ether24:102
CRS317-1G-16S+ ether1:10218; sfp-
CRS328-24P-4S+ ether1-ether24:102
D52G-5HacD2HnD (hAP ac²) ether1-ether5:9124
cAP ac ether1-ether2:9124
wAP60G ether1:9124
RB260GS series, CSS106-5G-1S, CSS106-1G-4P-1S ether1-ether5:9198
RB FTC ether1:4046; sfp1:4
RBM33G ether1-ether3:2026
RBM11G ether1:2026
RB760iGS ether1-ether5:2026
RouterBOARD
RouterBoard
RB411 series ether1:1526
RB433 series ether1:1526; ether2-ether3:1522
RB450 ether1:1526; ether2-ether5:1522
RB450Gx4 ether1-ether5:9214
RB493 series ether1:1526; ether2-ether9:1522
RB411GL ether1:1520
RB433GL ether1-ether3:1520
RB435G ether1-ether3:1520
RB711 series ether1:2028
RB711G series ether1:4076
RB800 ether1-ether2:9500; ether3:9116
RB850Gx2 ether1-ether5:1580
RB911G ether1:4076
RB912UAG ether1:4076
RB921UAGS, RB922UAGS ether1:4076; sfp1:4076
RB953GS ether1-ether2:4074; sfp1:4074; sfp2:4076
RB2011 series ether1-ether5:4074; ether6-ether10:2028;
RB3011 series ether1-ether5:8156; ether6-ether10:8156;
RB44Ge ether1-ether4:9116
Old Products
RouterBoard
RB600 series ether1-ether3:9500
RB1000 ether1-ether4:9500
RB1100 ether1-ether10:9498; ether11-ether13:9116
RB1100AH ether1-ether10:9498; ether11:9500, ether12-ether13:
RB1200 ether1-ether5:4078, ether6-ether8:4080, ether9-ether
RB750 (old revision) ether1:1526; ether2-ether5:1522
RB333 ether1-ether3:1632
RB1xx ether1-ether5:1518; ether6-ether9:1514
RB532, CrossRoads ether1-ether3:1600
RB44GV ether1-ether4:9000
RB250GS ether1-ether5:9198
All wireless interfaces in RouterOS (including Nstreme2) support 2290 byte L2MTU.
Warning: L2MTU configuration changes on Cloud Core Routers evoke all interface reload (link
down - link up) due to necessary internal processes.
It is recommended to configure L2MTU with caution by keeping in mind that it can cause short
interruption with connected devices.
MPLS/Layer-2.5/L2.5 MTU
Configured in "/mpls interface" menu, specifies maximal size of packet, including MPLS labels,
that is allowed to send out by the particular interface (default is 1508).
Make sure that MPLS MTU is smaller or equal to L2MTU
MPLS MTU affects packets depending on what action MPLS router is performing. It is strongly
recommended that MPLS MTU is configured to the same value on all routers forming MPLS
cloud because of effects MPLS MTU has on MPLS switched packets. This requirement means
that all interfaces participating in MPLS cloud must be configured to the smallest MPLS MTU
values among participating interfaces, therefore care must be taken to properly select
hardware to be used.
MPLS Switching
If packet with labels included is bigger than MPLS MTU, MPLS tries to guess protocol that is
carried inside MPLS frame.
If this is IP packet, MPLS produces ICMP Need Fragment error. This behavior mimics IP
protocol behavior. Note that this ICMP error is not routed back to originator of packet but is
switched towards end of LSP, so that egress router can route it back.
If this is not IP packet, MPLS simply drops it, because it does not know how to interpret the
contents of packet. This feature is very important in situations where MPLS applications such
as VPLS are used (where frames that are MPLS tagged are not IP packets, but e.g.
encapsulated Ethernet frames as in case of VPLS) - if somewhere along the LSP MPLS MTU
will be less than packet size prepared by ingress router, frames will simply get dropped.
IP ingress
When router first introduces label (or labels) on IP packet, and resulting packet size including
MPLS labels exceeds MPLS MTU, router behaves as if interface MTU was exceeded - either
fragments packet in fragments that does not exceed MPLS MTU when labels are attached (if
IP Dont Fragment is not set), or generates ICMP Need Fragmentation error that is sent back to
originator.
VPLS ingress
When router encapsulates Ethernet frame for forwarding over VPLS pseudowire, it checks if
packet size with VPLS Control Word (4 bytes) and any necessary labels (usually 2 labels - 8
bytes), exceeds MPLS MTU of outgoing interface. If it does, VPLS fragments packet so that it
honours MPLS MTU of outgoing interface. Packet is defragmented at egress point of VPLS
pseudowire.
IP/Layer-3/L3 MTU
Configured as interface MTU setting (/interface <type> <name> set mtu=X). Specifies how big
IP packets router is allowed to send out the particular interface.
If router receives IP packet of size 1500, but MTU for outgoing interface is set to 1400, router
will either fragment the packet (if "Don't Fragment" bit is not set in IP header) or drop the
packet and send ICMP "Need Fragmentation" error back to originator (this is essential for Path
MTU Discovery to work).
Sometimes it can be bad idea to change IP MTU from its default 1500 bytes on router
interfaces if complete path end-to-end is not in administrators control. Although IP
fragmentation and end-to-end Path MTU Discovery is intended to handle this situation, if ICMP
Need Fragmentation errors are filtered somewhere along the path, Path MTU Discovery will
not work.
There are several features in MikroTik RouterOS that can benefit from possibility to exceed
standard MTU
Simple Examples
In these examples we will take a look at frames entering and leaving router via Ethernet
interfaces.
Simple Routing
The image shows the packet MTU size for simple routing, packets size is not modified.
Routing with VLAN Encap
Each VLAN tag is 4 bytes long, VLAN tag is added by router. L2-MTU is increased by 4 bytes.
Simple MPLS with tags

When MPLS is used as plain replacement for IP routing, only one label is attached to every
packet, therefore packet size increases by 4 bytes, we have the situation with two MPLS
labels. In order to be able to forward standard size (1500 bytes) IP packet without
fragmentation, MPLS MTU must be set to at least 1508 for two MPLS labels.
VPLS Tunnel
Two MPLS labels are present, when remote endpoint is not directly attached. One MPLS label
is used to get to remote endpoint, second label is used to identify VPLS tunnel.
L2MTU advanced example

In this example we will take a closer look at required L2MTU of all Ethernet like interfaces
including Bridge, VLAN, VPLS interfaces.
In this setup we will have 3 routers:
 Q-in-Q router - this router will receive standard 1500 byte Ethernet frame and will add two
VLAN tags to the packet. Then packet will be sent out via Ethernet network to the second
router
 VPLS router - this router will remove outer VLAN tag and will bridge packet with the
remaining VLAN tag with VPLS tunnel. VPLS tunnel will take packet through the MPLS
network to the third router.
 MPLS Edge router - will remove VPLS and VLAN tags and bridge packet to the client
Ethernet network.
ummary
Basic use cases and configuration examples for Cloud Router Switch features.
Warning: This article applies to CRS1xx and CRS2xx series switches and not to
CRS3xx series switches. For CRS3xx series devices read the CRS3xx series
switches manual.
Management IP Configuration
Untagged
Untagged (VLAN 0) Management IP address has to be assigned to the master-port.
 For RouterOS versions before v6.41:
/interface ethernet
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
 For RouterOS versions after v6.41:
/interface bridge
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
If you are intending to use invalid VLAN filtering (which you should), then ports, from which you
are going to access the switch, needs to be added to the VLAN table for untagged (VLAN 0)
traffic, for example, in case you want to access the switch from ether2:
add vlan-id=0 ports=ether2,switch1-cpu
Tagged
For tagged VLAN Management IP address add VLAN 99 interface and assign IP address to it.
Since the master-port receives all the traffic coming from switch-cpu port, VLAN interface has
to be configured on the master-port, in this case "ether2" port. Now from switch-chip point there
also has to be VLAN 99 tagging on switch1-cpu port.
 For RouterOS versions before v6.41:
/interface vlan
/ip address
 For RouterOS versions after v6.41:
/interface vlan
add name=vlan99 vlan-id=99 interface=bridge1
/ip address
Specify which ports will need to send out tagged traffic:

add tagged-ports=ether2,ether3,ether4,ether5,switch1-cpu vlan-id=99
Specify which ports are allowed to forward the management VLAN:

add ports=ether2,ether3,ether4,ether5,switch1-cpu vlan-id=99
learn=yes
After valid VLAN99 configuration unknown/invalid VLAN filtering can be enabled in global
switch settings.

ports=ether2,ether3,ether4,ether5
VLAN
Note: It is recommended to get Serial Console cable and test it before configuring
VLANs because you may lose access to the CPU and/or the port you are
connected to.
Note: Some changes may take some time to take effect due to already learned
MAC addreses. In such cases flushing Unicast Forwarding Database can
help: /interface ethernet switch unicast-fdb flush
Warning: Multiple master-port/bridge configuration is designed as fast and simple

port isolation solution, but it limits part of VLAN functionality supported by CRS
switch-chip. For advanced configurations use one master-port/bridge within CRS
switch chip for all ports, configure VLANs and isolate port groups with port
isolation profile configuration.
Port Based VLAN
Note: For CRS3xx series devices you must use bridge VLAN filtering, you can
read more about it in the Bridge VLAN Filtering section.
Example 1 (Trunk and Access ports)

Port Based VLAN 1
 Choose a master port and enslave the ports you need to be in the same switch group.
/interface ethernet
/interface bridge
 Add initial VLAN assignments (PVID) to VLAN access ports.

add ports=ether6 customer-vid=0 new-customer-vid=200 sa-
learning=yes
learning=yes
learning=yes
 Add VLAN 200, VLAN 300 and VLAN 400 tagging on ether2 port to create it as VLAN trunk
port. Egress-VLAN-Tag entry is mandatory for every VLAN to make VLAN access ports
work. If VLAN trunk port has not been chosen yet, Egress-VLAN-Tag entry has to be
added with tagged-ports="".

 VLAN membership definitions in the VLAN table are required for proper isolation. Adding
entries with VLAN id and ports makes that VLAN traffic valid on those ports.

 After valid VLAN configuration unknown/invalid VLAN forwarding can be disabled in global
switch settings.

Note: It is possible to use the built-in switch chip and the CPU at the same time to
create a Switch-Router setup, where a device acts as a switch and as a router at
the same time. You can find a configuration example in the CRS-Router guide.
Example 2 (Trunk and Hybrid ports)

Port Based VLAN 2
/interface ethernet
/interface bridge
 Add initial VLAN assignments (PVID) for untagged traffic on ether6, ether7, ether8 ports.

learning=yes
learning=yes
learning=yes
 Add VLAN 200, VLAN 300 and VLAN 400 tagging on ports according to diagram.
The tagged-ports option allow multiple values to support tagging on many ports.
add tagged-ports=ether2,ether7,ether8 vlan-id=200
 VLAN membership definitions in the VLAN table are required for proper isolation. Adding
entries with VLAN id and ports makes that VLAN traffic valid on those ports.

add ports=ether2,ether6,ether7,ether8 vlan-id=200 learn=yes
 Unknown VLANs should be disabled after valid VLAN membership configuration.

Protocol Based VLAN
Protocol Based VLAN
/interface ethernet
/interface bridge
 Set VLAN for IP and ARP protocols
/interface ethernet switch protocol-based-vlan

add port=ether2 protocol=arp set-customer-vid-for=all new-customer-
vid=0
add port=ether6 protocol=arp set-customer-vid-for=all new-customer-
vid=200
add port=ether2 protocol=ip set-customer-vid-for=all new-customer-
vid=0
add port=ether6 protocol=ip set-customer-vid-for=all new-customer-
vid=200
 Set VLAN for IPX protocol

add port=ether2 protocol=ipx set-customer-vid-for=all new-customer-
vid=0
add port=ether7 protocol=ipx set-customer-vid-for=all new-customer-
vid=300
 Set VLAN for AppleTalk AARP and AppleTalk DDP protocols

add port=ether2 protocol=0x80F3 set-customer-vid-for=all new-
customer-vid=0
add port=ether8 protocol=0x80F3 set-customer-vid-for=all new-
customer-vid=400
add port=ether2 protocol=0x809B set-customer-vid-for=all new-
customer-vid=0
add port=ether8 protocol=0x809B set-customer-vid-for=all new-
customer-vid=400
MAC Based VLAN
Warning: Internally all MAC addresses in MAC based VLANs are hashed, certain
MAC addresses can have the same hash, which will prevent a MAC address
being loaded in to the switch chip if the hash matches with a hash from a MAC
address that has been already loaded, for this reason it is recommended to use
Port bases VLANs in combination with MAC based VLANs. This is a hardware
limitation.
MAC Based VLAN

/interface ethernet
/interface bridge
 Enable MAC based VLAN translation on access port.

set ether7 allow-fdb-based-vlan-translate=yes
 Add MAC-to-VLAN mapping entries in MAC based VLAN table.
/interface ethernet switch mac-based-vlan

add src-mac=A4:12:6D:77:94:43 new-customer-vid=200
add src-mac=84:37:62:DF:04:20 new-customer-vid=300
add src-mac=E7:16:34:A1:CD:18 new-customer-vid=400
 Add VLAN 200, VLAN 300 and VLAN 400 tagging on ether2 port to create it as VLAN trunk
port.

InterVLAN Routing
InterVLAN Routing
InterVLAN routing configuration consists of two main parts – VLAN tagging in switch-chip and
routing in RouterOS. This configuration can be used in many applications by combining it with
DHCP server, Hotspot, PPP and other features for each VLAN. Additionally this example
covers blocking of unwanted other VLAN traffic on ports.
/interface ethernet
/interface bridge
 Set VLAN tagging on CPU port for all VLANs to make packets tagged before they are
routed and add ingress VLAN translation rules to ensure correct VLAN id assignment is
done on access ports.

add tagged-ports=switch1-cpu vlan-id=200

learning=yes
learning=yes
learning=yes
 For routing add VLAN interfaces on master-port (bridge) because it connects with CPU
port and add IP addresses to created VLAN interfaces. In this example three 192.168.x.1
addresses are added to vlan200, vlan300 and vlan400 interfaces.

/interface vlan
add name=vlan200 interface=ether2 vlan-id=200
/ip address
add address=192.168.20.1/24 interface=vlan200

/interface vlan
add name=vlan200 interface=bridge1 vlan-id=200
/ip address
Unknown/Invalid VLAN filtering

VLAN membership is defined in the VLAN table. Adding entries with VLAN id and ports makes
that VLAN traffic valid on those ports. After valid VLAN configuration unknown/invalid VLAN
forwarding can be disabled in global switch settings. This VLAN filtering configuration example
applies to InterVLAN Routing setup.

add ports=switch1-cpu,ether6 vlan-id=200 learn=yes
 Option 1: disable invalid VLAN forwarding on specific ports:

 Option 2: disable invalid VLAN forwarding on all ports:

set forward-unknown-vlan=no
Warning: Using multiple master-ports/bridges on a single switch chip with

enabled invalid VLAN filtering can cause unexpected behaviour. You should
always use a single master-port/bridge configuration whenever using VLAN
filtering. If port isolation is required, then port isolation feature should be used
instead of using multiple master-ports/bridges.

This example covers typical VLAN tunneling use case where service provider devices add
another VLAN tag for independent forwarding in the mean time allowing customers to use their
own VLANs.
Note: This example contains only Service VLAN tagging part.
It is recommended to additionally set Unknown/Invalid VLAN filtering configuration
on ports.
Q-in-Q VLAN
CRS-1:The first switch on the edge of service provider network has to properly indentify traffic
from customer VLAN id on port and assign new service VLAN id with ingress VLAN translation
rules.
VLAN trunk port configuration for service provider VLAN tags is in the same egress-vlan-
tag table.
The main difference from basic Port Based VLAN configuration is that CRS switch-chip has to
be set to do forwarding according to service (outer) VLAN id instead of customer (inner) VLAN
id.
/interface ethernet
/interface bridge

add customer-vid=200 new-service-vid=400 ports=ether1 sa-
learning=yes
learning=yes


set bridge-type=service-vid-used-as-lookup-vid
CRS-2: The second switch in the service provider network require only switched ports
using master-port and bridge-type configured to do forwarding according to service
(outer) VLAN id instead of customer (inner) VLAN id.
/interface ethernet
/interface bridge

CRS-3: The third switch has similar configuration to CRS-1:

 Ports in a switch group using master-port;
 Ingress VLAN translation rules to define new service VLAN assingments on ports;
 tagged-ports for service provider VLAN trunks;
 CRS switch-chip set to use service VLAN id in switching lookup.
/interface ethernet
/interface bridge

learning=yes
learning=yes


CVID Stacking
It is possible to use CRS1xx/CRS2xx series switches for CVID Stacking setups.
CRS1xx/CRS2xx series switches are capable of VLAN filtering based on the outer tag of
tagged packets that have two CVID tags (double CVID tag), these switches are also capable of
adding another CVID tag on top of an existing CVID tag (CVID Stacking). For example, in a
setup where ether1 is receiving tagged packets with CVID 10, but it is required
that ether2 sends out these packets with another tag CVID 20 (VLAN10 inside VLAN20) while
filtering out any other VLANs, the following must be configured:
 Switch together ether1 and ether2:

/interface ethernet
/interface bridge
 Set the switch to filter VLANs based on service tag (0x88a8):

 Add a service tag SVID 20 to packets that have a CVID 10 tag on ether1:

add customer-vid=10 new-service-vid=20 ports=ether1
 Specify ether2 as the tagged/trunk port for SVID 20:

 Allow ether1 and ether2 to forward SVID 20:

add ports=ether1,ether2 vlan-id=20
 Override the SVID EtherType (0x88a8) to CVID EtherType (0x8100) on ether2:

set ether2 egress-service-tpid-override=0x8100 ingress-service-
tpid-override=0x8100
 Enable invalid VLAN filtering

ports=ether1,ether2
Note: Since the switch is set to look up VLAN ID based on service tag, which is
overridden with a different EtherType, then VLAN filtering is only done on the
outer tag of a packet, the inner tag is not checked.
Mirroring
Mirroring
The Cloud Router Switches support three types of mirroring. Port based mirroring can be
applied to any of switch-chip ports, VLAN based mirroring works for all specified VLANs
regardless switch-chip ports and MAC based mirroring copies traffic sent or received from
specific device reachable from the port configured in Unicast Forwarding Database.
Port Based Mirroring

The first configuration sets ether5 port as a mirror0 analyzer port for both ingress and egress
mirroring, mirrored traffic will be sent to this port. Port based ingress and egress mirroring is
enabled from ether6 port.

set ingress-mirror0=ether5 egress-mirror0=ether5

set ether6 ingress-mirror-to=mirror0 egress-mirror-to=mirror0
VLAN Based Mirroring

The second example requires ports to be switched in a group. Mirroring configuration sets
ether5 port as a mirror0 analyzer port and sets mirror0 port to be used when mirroring from
VLAN occurs. VLAN table entry enables mirroring only for VLAN 300 traffic between ether2
and ether7 ports.
/interface ethernet
/interface bridge

set ingress-mirror0=ether5 vlan-uses=mirror0

add ports=ether2,ether7 vlan-id=300 learn=yes ingress-mirror=yes
MAC Based Mirroring

The third configuration also requires ports to be switched in a group. Mirroring configuration
sets ether5 port as a mirror0 analyzer port and sets mirror0 port to be used when mirroring
from Unicast Forwarding database occurs. The entry from Unicast Forwarding database
enables mirroring for packets with source or destination MAC address E7:16:34:A1:CD:18 from
ether8 port.
/interface ethernet
/interface bridge

set ingress-mirror0=ether5 fdb-uses=mirror0
/interface ethernet switch unicast-fdb

add port=ether8 mirror=yes svl=yes mac-address=E7:16:34:A1:CD:18
Trunking
Trunking
The Trunking in the Cloud Router Switches provides static link aggregation groups with
hardware automatic failover and load balancing. IEEE802.3ad and IEEE802.1ax compatible
Link Aggregation Control Protocol is not supported yet. Up to 8 Trunk groups are supported
with up to 8 Trunk member ports per Trunk group.
 Configuration requires a group of switched ports and an entry in the Trunk table.
/interface ethernet
/interface bridge

add name=trunk1 member-ports=ether6,ether7,ether8
 This example also shows proper bonding configuration in RouterOS on the other end.
/interface bonding
add name=bonding1 slaves=ether2,ether3,ether4 mode=balance-xor
transmit-hash-policy=layer-2-and-3 \
link-monitoring=mii mii-interval=100ms
Note: You can find a working example for trunking and port based VLANs at CRS
VLANs with Trunks page.
Limited MAC Access per Port

Disabling MAC learning and configuring static MAC addresses gives ability to control what
exact devices can communicate to CRS1xx/2xx switches and through them.
Configuration requires a group of switched ports, disabled MAC learning on those ports and
static UFDB entries.
/interface ethernet
/interface bridge

set ether6 learn-override=no
set ether7 learn-override=no

add mac-address=4C:5E:0C:00:00:01 port=ether6 svl=yes
add mac-address=D4:CA:6D:00:00:02 port=ether7 svl=yes
CRS1xx/2xx switches also allow to learn one dynamic MAC per port to ensure only one end
user device is connected no matter of its MAC address.
/interface ethernet
/interface bridge

set ether6 learn-limit=1
set ether7 learn-limit=1
Isolation
Port Level Isolation
Port Level Isolation

Port-level isolation is often used for Private VLAN, where:
 One or multiple uplink ports are shared among all users for accessing gateway or router.
 Port group Isolated Ports is for guest users. Communication is through the uplink ports
only.
 Port group Community 0 is for department A. Communication is allowed between the
group members and through uplink ports.
 Port group Community X is for department X. Communication is allowed between the
group members and through uplink ports.
The Cloud Router Switches use port-level isolation profiles for Private VLAN implementation:
 Uplink ports – Port-level isolation profile 0

 Isolated ports – Port-level isolation profile 1
 Community 0 ports - Port-level isolation profile 2
 Community X (X <= 30) ports - Port-level isolation profile X
This example requires a group of switched ports. Assume that all ports used in this
example are in one switch group configured with master-port setting.
/interface ethernet
/interface bridge
The first part of port isolation configuration is setting the Uplink port – set port profile to 0 for
ether2.

set ether2 isolation-leakage-profile-override=0
Then continue with setting isolation profile 1 to all isolated ports and adding the communication
port for port isolation profile 1.


add port-profile=1 ports=ether2 type=dst
Configuration to set Community 2 and Community 3 ports is similar.


add port-profile=2 ports=ether2,ether7,ether8 type=dst

add port-profile=3 ports=ether2,ether9,ether10 type=dst
Protocol Level Isolation
Protocol Level Isolation

Protocol level isolation on CRS switches can be used to enchance network security. For
example, restricting DHCP traffic between the users and allowing it only to trusted DHCP
server port can prevent security risks like DHCP spoofing attack. The following example shows
how to configure it on CRS.
 Choose a master port and enslave the ports you need to be within the same switch group.

/interface ethernet
/interface bridge
 Set the same Community port profile for all DHCP client ports. Community port profile
numbers are from 2 to 30.

 And configure port isolation/leakage profile for selected Community (2) to allow DHCP
traffic destined only to port where the trusted DHCP server is located. registration-
status and traffic-type properties have to be set empty in order to apply restriction
only for DHCP protocol.

add port-profile=2 protocol-type=dhcpv4 type=dst forwarding-
type=bridged ports=ether1 \
registration-status="" traffic-type=""
Quality of Service (QoS)

QoS configuration schemes
MAC based traffic scheduling and shaping: [MAC address in UFDB] -> [QoS Group] ->
[Priority] -> [Queue] -> [Shaper]
VLAN based traffic scheduling and shaping: [VLAN id in VLAN table] -> [QoS Group] ->
[Priority] -> [Queue] -> [Shaper]
Protocol based traffic scheduling and shaping: [Protocol in Protocol VLAN table] -> [QoS
Group] -> [Priority] -> [Queue] -> [Shaper]
PCP/DEI based traffic scheduling and shaping: [Switch port PCP/DEI mapping] -> [Priority] ->
[Queue] -> [Shaper]
DSCP based traffic scheduling and shaping: [QoS DSCP mapping] -> [Priority] -> [Queue] ->
[Shaper]
MAC based traffic scheduling using internal Priority

In Strict Priority scheduling mode, the highest priority queue is served first. The queue number
represents the priority and the queue with highest queue number has the highest priority.
Traffic is transmitted from highest priority queue until the queue is empty, and then moves to
the next highest priority queue, and so on. If no congestion is present on the egress port,
packet is transmitted as soon as it is received. If congestion occurs on the port where high
priority traffics keep coming, the lower priority queues starve.
On all CRS switches the scheme where MAC based egress traffic scheduling is done
according to internal Priority would be following: [MAC address] -> [QoS Group] -> [Priority] ->
[Queue];
In this example host1 (E7:16:34:00:00:01) and host2 (E7:16:34:00:00:02) will have higher
priority 1 and the rest of the hosts will have lower priority 0 for transmited traffic on port ether7.
Note that CRS has maximum 8 queues per port.
 Create a group of ports for switching.
/interface ethernet
/interface bridge
 Create QoS group for use in UFDB.

/interface ethernet switch qos-group
add name=group1 priority=1
 Add UFDB entries to match specific MACs on ether7 and apply QoS group1

add mac-address=E7:16:34:00:00:01 port=ether7 qos-group=group1
svl=yes
add mac-address=E7:16:34:00:00:02 port=ether7 qos-group=group1
svl=yes
 Configure ether7 port queues to work according Strict Priority and QoS scheme only for
destination address.

set ether7 per-queue-scheduling="strict-priority:0,strict-
priority:0,strict-priority:0,strict-priority:0,strict-prior\
ity:0,strict-priority:0,strict-priority:0,strict-priority:0"
priority-to-queue=0:0,1:1 \
qos-scheme-precedence=da-based
MAC based traffic shaping using internal Priority

The scheme where MAC based traffic shaping is done according to internal Priority would be
following: [MAC address] -> [QoS Group] -> [Priority] -> [Queue] -> [Shaper];
In this example unlimited traffic will have priority 0 and limited traffic will have priority 1 with the
bandwidth limit 10Mbit. Note that CRS has maximum 8 queues per port.
/interface ethernet
/interface bridge
 Create QoS group for use in UFDB.

 Add UFDB entry to match specific MAC on ether8 and apply QoS group1

add mac-address=E7:16:34:A1:CD:18 port=ether8 qos-group=group1
svl=yes
 Configure ether8 port queues to work according Strict Priority and QoS scheme only for
destination address.

priority-to-queue=0:0,1:1 \
qos-scheme-precedence=da-based
 Apply bandwidth limit for queue1 on ether8.
/interface ethernet switch shaper

add port=ether8 rate=10M target=queue1
If CRS switch supports Access Control List, this configuration would be simplier.
/interface ethernet switch acl policer

add name=policer1 yellow-burst=100k yellow-rate=10M
/interface ethernet switch acl

add mac-dst-address=E7:16:34:A1:CD:18 policer=policer1
VLAN based traffic scheduling + shaping using internal
Priorities
Best practice is to assign lower internal QoS Priority for traffic limited by shaper to make it also
less important in Strict Priority scheduler. (higher priority should be more important and
unlimited)
In this example:
Switch port ether6 is using shaper to limit the traffic that comes from ether7 and ether8.
When link has reached its capacity, the traffic with the highest priority will be sent out first.
VLAN10 -> QoS group0 = lowest priority
VLAN20 -> QoS group1 = normal priority
VLAN30 -> QoS group2 = highest priority
/interface ethernet
/interface bridge
 Create QoS groups for use in VLAN table.

 Add VLAN entries to apply QoS groups for certain VLANs.

add ports=ether6,ether7,ether8 qos-group=group0 vlan-id=10
 Configure ether6, ether7, ether8 port queues to work according Strict Priority and QoS
scheme only for VLAN based QoS.

priority-to-queue=0:0,1:1,2:2 \
qos-scheme-precedence=vlan-based
 Apply bandwidth limit on ether6.

add port=ether6 rate=10M
PCP based traffic scheduling

By default CRS1xx/CRS2xx series devices will ignore the PCP/CoS/802.1p value and forward
packets based on FIFO (First-In-First-Out) manner. When the device's internal queue is not
full, then packets are in FIFO manner, but as soon as a queue is filled, then higher priority
traffic can be sent out first. Lets consider a scenario when ether1 and ether2 is forwarding
data to ether3, but when ether3 is congested, then packets are going to be scheduled, we can
configure the switch to hold lowest priority packets until all higher priority packets are sent out,
this is a very common scenario for VoIP type setups, where some traffic needs to be
prioritized.
 To achieve such a behaviour, switch together ether1, ether2 and ether3 ports:

/interface ethernet
/interface bridge
 Enable Strict Policy for each internal queue on each port:

set ether1,ether2,ether3 per-queue-scheduling="strict-
priority:0,strict-priority:0,strict-priority:0,strict-
priority:0,strict-priority:0,strict-priority:0,strict-
priority:0,strict-priority:0"
 Map each PCP value to an internal priority value, for convenience reasons simply map
PCP to an internal priority 1-to-1:

set ether1,ether2,ether3 pcp-based-qos-priority-
mapping=0:0,1:1,2:2,3:3,4:4,5:5,6:6,7:7
 Since the switch will empty the largest queue first and you need the highest priority to be
served first, then you can assign this internal priority to a queue 1-to-1:

set ether1,ether2,ether3 priority-to-
queue=0:0,1:1,2:2,3:3,4:4,5:5,6:6,7:7
 Finally, set each switch port to schedule packets based on the PCP value:

set ether1,ether2,ether3 qos-scheme-precedence=pcp-based
Bandwidth Limiting
Both Ingress Port policer and Shaper provide bandwidth limiting features for CRS switches.
 Ingress Port Policer sets RX limit on port:
/interface ethernet switch ingress-port-policer

add port=ether5 meter-unit=bit rate=10M
 Shaper sets TX limit on port:

add port=ether5 meter-unit=bit rate=10M
Traffic Storm Control

The same Ingress Port policer also can be used for the traffic storm control to prevent
disruptions on Layer 2 ports caused by broadcast, multicast or unicast traffic storms.
 Broadcast storm control example on ether5 port with 500 packet limit per second:

add port=ether5 rate=500 meter-unit=packet packet-types=broadcast
 Example with multiple packet types which includes ARP and ND protocols and
unregistered multicast traffic. Unregistered multicast is traffic which is not defined in
Multicast Forwarding database.

add port=ether5 rate=5k meter-unit=packet packet-
types=broadcast,arp-or-nd,unregistered-multicast

Starting from RouterOS v6.38 Cloud Router Switches support Spanning Tree Protocols on
ports configured for switching by hardware switch chip. To enable this feature create RouterOS
bridge interface and add the master-port to it.
 Create a group of switched ports

/interface ethernet
 Create a bridge interface and add the master-port to it
/interface bridge add name=bridge1 protocol=rstp
/interface bridge port add bridge=bridge1 interface=ether1
 Slave ports are dynamically added to the bridge only to show STP status. Forwarding
through switched ports still are handled by hardware switch chip.

HORIZON
none
1 ID ether2 bridge1 0x80 10
none
none
none
[admin@MikroTik] > /interface bridge port monitor [find]
status: in-bridge in-bridge in-bridge
in-bridge
port-number: 1 2 3
4
role: designated-port disabled-port
designated-port backup-port
edge-port: yes no no
no
edge-port-discovery: yes yes yes
yes
point-to-point-port: no no no
no
external-fdb: no no no
no
sending-rstp: yes yes yes
yes
learning: yes no yes
no
forwarding: yes no yes
no
root-path-cost:
10
designated-bridge:
0x8000.D4:CA:6D:1E:66:9A
designated-cost:
0
designated-port-number:
3
< Manual:Interface
Contents
[hide]
 1Summary
 2802.1Q
 3Q-in-Q
 4Properties
 5Setup examples
Summary
efficiently.
802.1Q
Q-in-Q
Example:
/interface vlan
and '12'.
Properties
Property
interface (name; Default: ) Name of physical interfa
l2mtu (integer; Default: ) Layer2 MTU. For VLAN
mtu (integer; Default: 1500) Layer3 Maximum transm
use-service-tag (yes | no; Default: ) 802.1ad compatible Ser
vlan-id (integer: 4095; Default: 1) Virtual LAN identifier or
and destination.
Setup examples
Port Based VLAN #1
/interface vlan
/interface bridge



Port Based VLAN #2
/interface vlan



/interface bridge




Simple VLAN routing
created.

R2:

R4:



R2:

interface=VLAN2
0 10.0.1.4/24 10.0.1.0 10.0.1.255 ether1
1 10.20.0.1/24 10.20.0.0 10.20.0.255 pc1
2 10.10.10.3/24 10.10.10.0 10.10.10.255 vlan2
R4:

interface=VLAN2
0 10.0.1.5/24 10.0.1.0 10.0.1.255 ether1
1 10.30.0.1/24 10.30.0.0 10.30.0.255 pc2
2 10.10.10.5/24 10.10.10.0 10.10.10.255 vlan2
"From R4 to R2:"

"From R2 to R1:"

InterVLAN routing
VLAN communication.
trunking.
 VLAN 2 – 10.10.20.0/24;
 VLAN 3 – 10.10.30.0/24;
 VLAN 4 – 10.10.40.0./24.
/interface vlan
/ip address

RouterA:

network=10.23.0.1
RouterB:
network=10.22.0.1
MIKROTIK ROUTEROS 5.20 PARA PROVEDORES - TUTORIAL

COMPLETO
MIKROTIK ROUTEROS 5.20 PARA PROVEDORES - TUTORIAL COMPLETO
Autor: Danilo Menzanoti Fugi <danilofugi at gmail.com>
Data: 18/12/2014
INICIANDO
MikroTik
Danilo M. Fugi - Ciência da Computação - 6º Período - Disciplina Redes
2
danilofugi@gmail.com
IF Sul de Minas - Muzambinho
O QUE É MIKROTIK
Talvez já tenha utilizado e não saiba, a maioria dos provedores de
acesso utiliza essa tecnologia para autenticar seus clientes para
navegação na internet, onde temos que digitar o login e a senha para
depois navegar na web.
MikroTik é uma empresa que fabrica equipamentos para redes de

computadores.
O produto de maior sucesso e venda da empresa é o sistema operacional

baseado em GNU/Linux chamado MikroTik RouterOS. Ele é um roteador
poderosíssimo, com funções como hotspot, webproxy, servidor Samba,
controle de banda e usuário, firewall, dentre outras.
E sua função empregada é a autenticação de usuários por empresas

prestadoras de serviço de Internet (provedores), onde o cliente (nós),
antes do acesso à internet, prefica realizar autenticação com usuário
e senha, assim sendo possível análise de tráfego e controle de clientes
online ou offline.
INSTALAÇÃO E CONFIGURAÇÃO
Primeiramente vamos entender como funciona a instalação.
Pode-se adquirir a licença do SO MIKROTIK RouterOs em seu site e fazer

o download da imagem ISO do SO baseado em GNU/Linux (aproximadamente
22MB para a versão mk5.20). Aquisição de hardware Routerboard para
instalação do Sistema Operacional ou pode-se comprar o conjunto de
Routerboard + licença.
P: É possível fazer a configuração sem adquirir a licença?

R: Sim, a licença pode ser inserida posteriormente para fins
comerciais.
P: Tem como fazer sem o hardware específico?

R: Sim, já que é um SO, podemos instalá-lo em uma máquina comum de
32bits ou máquina virtual.
Tipo de utilização:
Provedor de Internet --------- (P. rede 01) Mikrotik (P. rede 02) ----
-------- Clientes
* Percebam que temos 02 placas de rede
Instalação:
 No início da instalação é solicitado ao usuário escolher os pacotes da

instalação, aqui foi bem simples, escolhi TODOS, aperte a e depois i.
 Depois, aperte n e depois y.
Ele criará partições e formatará o disco. Depois de alguns segundos,

reinicia já voltando no sistema operacional. Lembrando que se estiver
utilizando uma máquina virtual, nesse momento é hora de remover a imagem
da inicialização, pois ficará tentando iniciar a instalação e não o
sistema operacional, ok?
Pronto, já está instalado. Sem segredos.
Login e senha: por padrão é admin e senha em branco. Pronto, está

logado. Agora veio o aviso de chave. Você tem 23h:47m para configurar
e inserir a chave (licença).
Vamos à configuração.
O console já aparece assim:
[admin@MikroTik] >
 Aprendendo a utilizar: para entrar em diretórios não precisa utilizar
CD, agora é só digitar o nome e se estiver correto, ele fica marcado
de verde, errado em vermelho.
 Comando ls para listar não funciona, pode-se utilizar Tab.

 Ações estão em ROXO, como por exemplo: print
Setando as configurações de Rede:
[admin@MikroTik] > interface
Ajuda se digitar: int+[tab]

Agora: print
[admin@MikroTik] / interface > print
Aparecerão as interfaces de rede da máquina:

0 ether1
1 ether2
Agora vamos setar os nomes (ether1 = provedor / ether2 = clientes).
# set name=internet numbers=0

# set name=clientes numbers=1
# print (para ver as configurações)
Deve estar assim:

0 internet
1 clientes
CONFIGURANDO IPS
Agora vamos configurar os IPs:
Digite ".." (para sair do diretório).
[admin@MikroTik] / interface >..

[admin@MikroTik] >
Agora que já aprenderam como entrar e sair dos diretórios, colocarei

apenas os comandos, ok?
Vamos configurar a interface Internet como DHCP, para receber o IP
automático do Servidor de Internet, no diretório ip e depois dhcp-
cliente. Depois que entrar, digite:
# add interface=internet
# print #ver resultados
# enable numbers=0
# print #já deve ter pego o ip automático
Agora vamos setar o IP do lado dos clientes que será IP fixo e será o
gateway da rede interna
# Add interface=clientes
address=SeuIpRedeClientes/MascaradeRede #exemplo do IP/máscara
192.168.0.1/24 <- não sabe o que é o 24, pesquise por máscara de rede
representação binária
CONFIGURANDO DHCP PARA CLIENTES

Agora vamos configurar o servidor DHCP para os clientes:
Vamos no diretório ip dhcp-server depois de entrar:
# setup
Dhcp server interface: clientes
Dhcp address space: EndereçodaSuaRede/mascara (já deve ter reconhecido)
Gateway for dhcp network: EndereçoIpConfiguradoClientes (192.168.0.1)
Addresses to give out: 192.168.0.2-192.168.0.254 (pode alterar se quiser, pois será atribuído
desde o ip 2 até 254)
Dns servers: 8.8.8.8 (já deve ter reconhecido seu dns primário)
Lease time: 3d (3 dias)
Pronto, seu servidor DHCP foi configurado corretamente! Para finalizar,

vamos apenas trocar o nome do servidor, vá em ip e depois pool.
# print #ver o nome
0 dhcp_pool1
# set name=Servidor numbers=0
# print
0 Servidor
CONFIGURANDO O FIREWALL
Ainda não temos internet. =(
Os clientes já podem se conectar ao servidor, atribuindo endereços

automáticos para cada cliente com renovação de 3 dias, no entanto, os
clientes não podem navegar na internet, pois ainda não configuramos o
NAT que seria a tradução de portas e IPs da rede interna para a internet,
isto é, todos os clientes navegam na internet como sendo um único IP
(do provedor) fazendo um mascaramento da rede interna.
* Lembrando que NAT não é o proxy! =)
Vamos em: ip / firewall / nat
# print #verificar configuração / última vez da explicação do print

# add chain=srcnat action=masquerade out-interface=internet
Agora sim, seus clientes já tem acesso à internet e o NAT está ativo.
CONFIGURANDO O HOTSPOT
Solicitar usuário e senha para navegar na internet.
Vamos em: ip / hotspot
# print
# setup
Hotspot interface: clientes
Local address os network: 192.168.0.1/24
Masquerade network: yes
Address pool of network: 192.168.0.2-192.168.0.254
Select certificate: none (podemos deixar none para não importer nenhum SSL)
Ip address of smtp server: 0.0.0.0
Dns servers: (colocar endereço de gateway da internet ou servidor dns do provedor)
Dns name: mkt.provedornome.net (ou outro nome que desejar)
Name of local hotspot user: joao (primeiro usuario do hotspot – o qualquer nome)
Password for the user: 123 (senha do usuário)
# set name=HotSpotProvedor
Agora vamos em: ip / hotspot / profile
# print
Teremos 2 perfis. Precisamos alterar a autenticação por cookie, pois é

gravado o cookie e o login fica automático. Mas queremos derrubar os
clientes quando necessário!
# set 1 name=Servidor login-by=http-chap,http-pap
Pronto, configurado! Agora qualquer cliente que deseje utilizar a

internet deverá fazer login para depois ter acesso.
ADICIONANDO NOVOS USUÁRIOS
Vamos em: ip / hotspot / user
# add name=NomedoUsuario password=SenhaUsuario

# print
Remover usuário:
# remove NomedoUsuario
CONTROLAR BANDA DO USUÁRIO POR PERFIL

Controlar a velocidade de internet para os usuário, é uma das vantagens
de ter um equipamento MikroTik, pois a banda inteira está sendo passada
para os clientes e queremos limitar o valor de banda conforme
contratado, ou políticas de quota de rede.
Muito fácil configurar, vamos aos passos.
Vamos em: ip / hotspot / user / profile
# print
# add name=plano1 rate-limit=512k/1024k #podemos fazer vários
planos
Comentário da linha NAME nome do Perfil rate-limit Limites de banda

UPLOAD(K)/DOWNLOAD(K)
# print #verificar os perfis
ADICIONAR USUÁRIOS AOS PERFIS DE CONTROLE DE BANDA

Vamos em: ip / hotspot / user
# print
# set joao profile=plano1
* Atenção: colocar cada usuário em perfis criados, lembrando que usuário

com perfil default, têm 100% de banda liberada!
CONFIGURAÇÃO DE SEGURANÇA
Nosso Usuário ADMIN, que é padrão, acessa o Sistema Operacional e sem
senha possui um potencial de segurança baixíssimo, onde qualquer cliente
poderá acessar o MikroTik e reconfigurar tudo! Vamos trocar isso, né?!
Vamos em na raiz digitando: / [Enter] - agora em user.
# print
# add name=super password=123456 group=full #utilize uma senha
adequada!
Full permissão total para alterar o Sistema operacional.
E depois remova a conta ADMIN:
# remove admin
PERSONALIZANDO A TELA DE LOGIN
Amigos, a tela inicial de login no nosso servidor MikroTik possui uma

página padrão com logotipo e definições do próprio MikroTik e podemos
personalizá-la. Podemos acessar a página para edição em qualquer
cliente, acessando via protocolo ftp (Windows ou cliente ftp).
Lembrando que ao utilizar o Windows, antes devemos utilizar o navegador

e realizar o login na página de acesso inserindo login e senha:
 Endereço: ftp://192.168.0.1
 Login: admin
 Senha: (nada)
Agora é só acessar a pasta hotspot e fazer donwload de todos os arquivos

e utilizar um editor HTML, como Dreamweaver ou similar, ou ainda editar
o arquivo no notepad mesmo, basta ter algum conhecimento HTML e
JavaScript, ok?
A Página principal é a login.htm e logout.html.
SERVIDOR DE ARQUIVOS (SERVIDOR SAMBA)

É possível habilitar o Servidor de arquivos no MikroTik, mas devemos
ter cuidado, pois o armazenamento do mesmo pode ser bem reduzido e a
permissão de gravação nestas pastas compartilhadas podem comprometer
radicalmente no armazenamento.
Mas é possível, basta irmos em: ip / smb
# set enable=yes
Depois, entre na pasta shares:
# print
# enable numbers=0
Podemos criar outros diretórios com usuário e senha, no nosso caso,

apenas habilitaremos a pasta pública pub.
Acessando via clientes: basta digitar na barra de

endereços: \\192.168.0.1\ e pronto, já verá a pasta compartilhada PUB.
CONCLUSÃO
Amigos, chegamos ao fim deste tutorial. Espero ter ajudado nas
configurações!
Se ocorreu tudo bem, você configurou o MikroTik corretamente e já está

tudo funcionando, lembrando que fizemos toda a configuração via terminal
no próprio Sistema Operacional como sendo uma máquina real ou virtual.
Para operação em Routerboard, devemos utilizar um software Winbox,

também baixado no site Mikrotik e acessado primariamente via MAC ADDRESS
da routerboard e poderá optar em utilizar o terminal (como fizemos) ou
modo gráfico.
Para os amigos mais avançados, podemos habilitar ainda o Servidor

WebProxy no MikroTik fazendo cache inclusive, e gravando todo o tráfego
em arquivos LOG, mas que devem ser analisados pelo software The Dude,
também baixado no site Mikrotik.
Agradeço a paciência e compreensão de todos na interpretação dos

comandos e comentários, tudo foi feito em uma máquina virtual,
configurada com 02 placas de rede.
* Lembrete: adquirir a licença para validação das configurações, a

licença pode ser inserida pelo WinBox citado acima.
anual:IP/Hotspot
< Manual:IP
Contents
[hide]
 1HotSpot
o 1.1Sub Categories
 2HotSpot Setup
 3ip hotspot
 4ip hotspot active
 5ip hotspot host
 6IP Bindings
 7Cookies
HotSpot
The MikroTik HotSpot Gateway provides authentication for clients before access to public
networks .
HotSpot Gateway features:
 different authentication methods of clients using local client database on the router, or
remote RADIUS server;
 users accounting in local database on the router, or on remote RADIUS server;
 walled-garden system, access to some web pages without authorization;
 login page modification, where you can put information about the company;
 automatic and transparent change any IP address of a client to a valid address;
Hotspot can work reliably only when IPv4 is used. Hotspot relies on Firewall NAT rules which
currently are not supported for IPv6.
Sub Categories
List of reference sub-pages Case studies List of examples
 IP/Hotspot  Hotspot Introduction  Hotspot with PCC

 Profile  Hotspot HTTPS example
 User  Hotspot manual login
 Walled Garden  Trial user limits
 Customizing Hotspot
HotSpot Setup
The simplest way to setup HotSpot server on a router is by /ip hotspot setup command.
Router will ask to enter parameters required to successfully set up HotSpot. When finished,
default configuration will be added for HotSpot server.
[admin@MikroTik] /ip hotspot> setup

Select interface to run HotSpot on
hotspot interface: ether3

Set HotSpot address for interface
local address of network: 10.5.50.1/24

masquerade network: yes
Set pool for HotSpot addresses
address pool of network: 10.5.50.2-10.5.50.254

Select hotspot SSL certificate
select certificate: none

Select SMTP server
ip address of smtp server: 0.0.0.0

Setup DNS configuration
dns servers: 10.1.101.1

DNS name of local hotspot server
dns name: myhotspot

Create local hotspot user
name of local hotspot user: admin

password for the user:
[admin@MikroTik] /ip hotspot>
What was created:

[admin@MikroTik] /ip hotspot> print
Flags: X - disabled, I - invalid, S - HTTPS
# NAME INTERFACE ADDRESS-POOL PROFILE IDLE-
TIMEOUT
0 hotspot1 ether3 hs-pool-3 hsprof1 5m
[admin@MikroTik] /ip hotspot>
[admin@MikroTik] /ip pool> print
# NAME RANGES
0 hs-pool-3 10.5.50.2-10.5.50.254
[admin@MikroTik] /ip pool> /ip dhcp-server
[admin@MikroTik] /ip dhcp-server> print
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME
ADD-ARP
0 dhcp1 ether3 hs-pool-3 1h
[admin@MikroTik] /ip dhcp-server> /ip firewall nat
[admin@MikroTik] /ip firewall nat> print
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
1 ;;; masquerade hotspot network

chain=srcnat action=masquerade src-address=10.5.50.0/24
[admin@MikroTik] /ip firewall nat>
Parameters asked during setup process

Parameter
hotspot interface (string; Default: allow) Interface name on which to
ports.
local address of network (IP; Default: 10.5.50.1/24) HotSpot gateway address
masquerade network (yes | no; Default: yes) Whether to masquerade H
address pool of network (string; Default: yes) Address pool for HotSpot
clients that are not willing
select certificate (none | import-other-certificate; Default: ) Choose SSL certificate, wh
ip address of smtp server (IP; Default: 0.0.0.0) IP address of the SMTP se
dns servers (IP; Default: 0.0.0.0) DNS server addresses used
dns name (string; Default: "") domain name of the HotSp
name of local hotspot user (string; Default: "admin") username of one automatic
password for the user' (string; Default: ) Password for automatically
ip hotspot
Menu is designed to manage HotSpot servers of the router. It is possible to run HotSpot on
Ethernet, wireless, VLAN and bridge interfaces. One HotSpot server is allowed per interface.
When HotSpot is configured on bridge interface, set HotSpot interface as bridge interface not
as bridge port, do not add public interfaces to bridge ports. You can add HotSpot servers
manually to /ip hotspot menu, but it is advised to run /ip hotspot setup, that adds all necessary
settings.
 name (text) : HotSpot server's name or identifier

 address-pool (name / none; default: none) : address space used to change HotSpot
client any IP address to a valid address. Useful for providing public network access to
mobile clients that are not willing to change their networking settings
 idle-timeout (time / none; default: 5m) : period of inactivity for unauthorized clients. When
there is no traffic from this client (literally client computer should be switched off), once the
timeout is reached, user is dropped from the HotSpot host list, its used address becomes
available
 keepalive-timeout (time / none; default: none) : Value of how long host can stay out of
reach to be removed from the HotSpot.
 login-timeout (time / none; default: none) : period of time after which if host hasn't been
authorized it self with system the host entry gets deleted from host table. Loop repeats until
host logs in the system. Enable if there are situations where host cannot login after being
to long in host table unauthorized.
 interface (name of interface) : interface to run HotSpot on
 addresses-per-mac (integer / unlimited; default: 2) : number of IP addresses allowed to
be bind with the MAC address, when multiple HotSpot clients connected with one MAC-
address
 profile (name; default: default) - HotSpot server default HotSpot profile, which is located
in /ip hotspot profile
keepalive-timeout (read-only; time) : the exact value of the keepalive-timeout, that is applied for
user. Value shows how long host can stay out of reach to be removed from the HotSpot
ip hotspot active
HotSpot active menu shows all clients authenticated in HotSpot, menu is informational it is not
possible to change anything here.
 server (read-only; name) : HotSpot server name client is logged in

 user (read-only; name) : name of the HotSpot user
 domain (read-only; text) : domain of the user (if split from username), parameter is used
only with RADIUS authentication
 address (read-only; IP address) : IP address of the HotSpot user
 mac-address (read-only; MAC-address) : MAC-address of the HotSpot user
 login-by (read-only; multiple choice: cookie / http-chap / http-pap / https / mac / mac-
cookie / trial) : authentication method used by HotSpot client
 uptime (read-only; time) : current session time of the user, it is showing how long user has
been logged in
 idle-time (read-only; time) : the amount of time user has been idle
 session-time-left (read-only; time) : the exact value of session-time, that is applied for
user. Value shows how long user is allowed to be online to be logged of automatically
by uptime reached
 idle-timeout (read-only; time) : the exact value of the user's idle-timeout
 keepalive-timeout (read-only; time) : the exact value of the keepalive-timeout, that is
applied for user. Value shows how long host can stay out of reach to be removed from the
HotSpot
 limit-bytes-in (read-only; integer) : value shows how many bytes received from the client,
option is active when the appropriate parameter is configured for HotSpot user
 limit-bytes-out (read-only; integer) : value shows how many bytes send to the client,
option is active when the appropriate parameter is configured for HotSpot user
 limit-bytes-total (read-only; integer) : value shows how many bytes total were
send/received from client, option is active when the appropriate parameter is configured for
HotSpot user
ip hotspot host
Host table lists all computers connected to the HotSpot server. Host table is informational and
it is not possible to change any value there
 mac-address (read-only; MAC-address) : HotSpot user MAC-address

 address (read-only; IP address) : HotSpot client original IP address
 to-address (read-only; IP address) : New client address assigned by HotSpot, it might be
the same as original address
 server (read-only; name) : HotSpot server name client is connected to
 bridge-port (read-only; name) : /interface bridge port client connected to, value is
unknown when HotSpot is not configured on the bridge
 uptime (read-only; time) : value shows how long user is online (connected to the HotSpot)
 idle-time (read-only; time) : time user has been idle
 idle-timeout (read-only; time) : value of the client idle-timeout (unauthorized client)
 keeaplive-timeout (read-only; time) : keepalive-timeout value of the unauthorized client
 bytes-in (read-only; integer) : amount of bytes received from unauthorized client
 packet-in (read-only; integer) : amount of packets received from unauthorized client
 bytes-out (read-only; integer) : amount of bytes send to unauthorized client
 packet-out (read-only; integer) : amount of packets send to unauthorized client
IP Bindings
Sub-menu: /ip hotspot ip-binding
IP-Binding HotSpot menu allows to setup static One-to-One NAT translations, allows to bypass
specific HotSpot clients without any authentication, and also allows to block specific hosts and
subnets from HotSpot network
Property
address (IP Range; Default: "") The original IP address of
mac-address (MAC; Default: "") MAC address of the client
server (string | all; Default: "all") Name of the HotSpot serve
 all - will be applied to

to-address (IP; Default: "") New IP address of the clie
type (blocked | bypassed | regular; Default: "") Type of the IP-binding act
 regular - performs On
 bypassed - performs t
 blocked - translation
Cookies
Sub-menu: /ip hotspot cookie
Simplemente hay un router en el camino que no tiene ruta hacia el destino.
He aqui un abstract del libro TCP ilustrated capitulo 3 IP Protocol sub tema IP Routing:
IP routing performs the following actions:

1. Search the routing table for an entry that matches the complete destination IP address
(matching network ID and host ID). If found, send the packet to the indicated next-hop
router or to the directly connected interface (depending on the flags field). Point-to-point
links are found here, for example, since the other end of such a link is the other host's
file:///D|/Documents%20and%20Settings/bigini/Docum.../homenet2run/tcpip/tcp-ip-illustrated/ip_inter.htm (6 of 19)
[12/09/2001 14.46.37]
Chapter 3. IP: Internet Protocol
complete IP address.
2. Search the routing table for an entry that matches just the destination network ID. If found,
send the packet to the indicated next-hop router or to the directly connected interface
(depending on the flags field). All the hosts on the destination network can be handled with
this single routing table entry All the hosts on a local Ethernet, for example, are handled
with a routing table entry of this type.
This check for a network match must take into account a possible subnet mask, which we
describe in the next section.
3. Search the routing table for an entry labeled "default." If found, send the packet to the
indicated next-hop router.
If none of the steps works, the datagram is undeliverable. If the undeliverable datagram was
generated on this host, a "host unreachable" or "network unreachable" error is normally returned to
the application that generated the datagram.

Manual de Mikrotik Fulll

Uploaded by

Copyright:

Available Formats

Manual de Mikrotik Fulll

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Manual de Mikrotik Fulll

Uploaded by

Copyright:

Available Formats

Manual:First time startup

QuickSet and WebFig

 Initial Configuration with WebFig

 Winbox terminal menu

115200bit/s, 8 data bits, 1 stop bit, no parity, flow control=none

RouterBOARD 230 parameters are:

9600bit/s, 8 data bits, 1 stop bit, no parity, hardware (RTS/CTS)

MMM MMM KKK TTTTTTTTTTT

MikroTik RouterOS 4.15 (c) 1999-2010

Detailed description of CLI login is in login process section.

MMM MMM KKK TTTTTTTTTTT

Terminal ansi detected, using single line input mode

Logging into the router

Router user accounts

 IP address you can use

 DNS address for name resolution

Configuring network address translation (NAT)

In screen presented you will see the following screen:

When interface details are opened, look up Master Port setting.

 Using Add new create new profile;

Note: WPA and WPA2 pre-shared keys should be different

Bridge LAN with Wireless

Finished look of bridge configured with all ports required

Troubleshooting & Advanced configuration

Change password for current user

 If masquerade is configured properly;

/interface ethernet set ether1 mac-address=XX:XX:XX:XX:XX:XX

 If all packets are replied;

Channel # Frequency Below Above

2 2417 MHz no yes

3 2422 MHz no yes

4 2427 MHz no yes

5 2432 MHz yes yes

6 2437 MHz yes yes

7 2442 MHz yes yes

8 2447 MHz yes yes

9 2452 MHz yes yes

10 2457 MHz yes yes

11 2462 MHz yes no

12 2467 MHz yes no

13 2472 MHz yes no

Wireless frequency usage

Change Country settings

 Look up Country attribute and from drop-down menu select country

Comparable command line command:

/ip firewall nat add chain=dstnat dst-address=172.16.88.67

Configuring uPnP service on the router:

 Set up what interfaces should be considered external and what internal;

/ip upnp interface add interface=ether1 type=external

 Enable service itself

/ip upnp set allow-disable-external-interface=no show-dummy-rule=no

Limiting access to web pages

Enabled -> checked

When required alterations are done applysettings to return to Access tab.

Dst. Host -> .*example\.com.*

 deny only pages you know you want to deny (A)

Manual:Console login process

Applies to RouterOS:2.9, v3, v4

Console login options

Dst. Host -> .example\.com.