The Reasons I Keep Going Back to MikroTik

I have been using MikroTik (my-crow-tick or me-crow-teek), or however you want to pronounce it, for several years now and I just keep coming back to using it. MikroTik, for the uninitiated, can be quite a difficult system to learn and use. There are quite a bit of gotchas that can bite you along the way and even now, some things can still trip me up if I’m not paying attention to what I’m doing. Read below under Final Thoughts for the great benefits that I have found from using MikroTik and for those TLDR enthusiasts.

The headings are in no particular order.

RouterOS

The Operating System designed for MikroTik routers. It runs on Linux and is quite robust in its workings. The interface is a bit scattered and most people who look at it for the first time think it was made in the Windows XP days. RouterOS has a Beta version now that updates the look and feel of the Winbox interface. Now they might be right but one thing I can say about the interface is it doesn’t change. If you are a Linux dude, dudette, or what have you and have been for many years, change in the most rudimentary places can be sometimes be annoying and upsetting.

As you can see from the image above, the interface is light grey with a grey background and several options/buttons on the left. Now I won’t go into the many things that can be done in RouterOS but I’ll walk through a few of the options here.

I think it best to know what version we are using so that we can later look back and laugh at how old the interface looks or, given MikroTik’s track record, how exactly the same it will look in a few years. Hitting System -> Routerboard will open up a window detailing some info on our system. I am running a CCR1036-12G-4S. Like with most big businesses their model numbers can be very confusing but if you know what to look for you can see at a glance the amount of ports both ethernet and SFP along with a few other things that some other special devices might have. This router has 12 Gigabit ethernet ports and 4 SFP ports.

Firmware Type: is not important unless you want to download software for the router like MikroTik’s The Dude software where you need to know the CPU type of the router which in this case is the Tile CPU. You can also install the newest or an older RouterOS version without the need of the router itself going to the internet.

Factory Firmware: Identifies the firmware that came with the router that can never be erased, just in case your system needed to be factory reset or what have you.

Current Firmware: is the firmware version you are running and Upgrade Firmware: is the what you can upgrade to. You must reboot the router for the new firmware to installed.

Quick Set

Quick Set is a good tool for beginners but once you learn how to do things in MikroTik, you won’t and shouldn’t use it.

When you take the intro cert for MT they teach you to either use Quickset or don’t. The reason is that using both can cause adverse and weird things to happen to your config. When you use Quick Set, it will run scripts to populate the values you have entered. This works fine for simple configs but if you want to do any of the cool things that RouterOS has to offer then Quick Set will override and erase things you might have made. Also, Quick Set causes the router to reboot after saving which will most liken not happen if you make changes manually.

One example is where Quick Set, in my opinion, shouldn’t be used is that the IP Address: you enter only affects ether1 or port 1. If needed to use a different port then Quick Set would never work for you. Another is with creating a station-psuedobridge WLAN interface which is needed for making a WiFi extender. The correct Quick Set value is PTP Bridge CPE but unless you placed your wireless interface into station-psuedobridge mode, scanned the network, and added the password for the SSID that it will be copying in Security Profiles, PTP Bridge CPE would never work.

Safe Mode

ALWAYS USE SAFE MODE

You don’t always have to use safe mode, but if you are configuring a MikroTik, then you better be using safe mode.

– WretchedGhost

To be serious though, having this button is a poor man’s save button that almost every other router has. Its unique in that when enabled the router will reset to how it was before any new change were made automatically. If you did something that made the connection drop or your close the Winbox session by accident, the router will remove those latest changes and go exactly back to how it was before.

After you have made the correct changes you wanted unclick safe mode and the new changes will stick.

I am that guy. I learn from breaking, fixing, and breaking it again.

I like that MT doesn’t hold your hand all the time. If you want to make a change do it, and well if you broke something, hopefully you had a backup or are willing to do everything again from scratch. I am that guy. I learn from breaking, fixing, and breaking it again. That is probably why I enjoy computers so much. Things are going to break when you take things off the rails but fixing it is such a great feeling of accomplishment.

If you are new to MT I implore you to use safe mode. I don’t use it very often anymore as I only make very methodical changes and better yet I make backups manually before I make a change and also have automatic daily backups that are pulled daily from my off-site backups servers that I have created using scripts.

SwitchOS

There also exists a dumbed down version for switches called SwitchOS which works quite well for Layer 2 switching but has many limitations like no Winbox capabilities and basically no ARP which is a very important feature to have a switch.

I have seen a few iterations of SwitchOS that have been a little annoying to deal with. One was a SwitchOS lite switch I bought that did VLAN and VLAN mapping different than the main SwitchOS version. I don’t know why they changed it for this version but I figured it out eventually although its not as intuitive as the main SwitchOS I was used to.

Winbox and other options to connect to RouterOS

MikroTik is unique, for better or for worse, for having a dedicated program that allows you to login to a device. The program called winbox.exe, is quite robust in that it will scan the network for available MikroTik devices. What is even more unique is the ability to login not only via IP address where you need to be in the same subnet to access it but also able to login via MAC address that traverses across the 2nd layer of the OSI model and bypasses IP and subnets. This feature alone has saved my bacon and kept me from having to perform a factory reset. NATs will break this feature so don’t expect to be able to do this across upstream or downstream routers.

WWW - This interface is to me abysmal. I tries to copy the winbox format but is limited by how web pages are displayed and interacted with, but does offer a simple web interface for connecting to RouterOS.

SSH - SSH is OK but getting the router to allow a connection is more complicated than it should be. Depending on your network you might have to enable a firewall rule too allow an input rule to your router via the SSH port. Next you might have to tell the service of SSH to allow incoming from your client’s IP address. Lastly you might have to put in the SSH public key under System/Users/SSH Keys. I was only able to use rsa keys and not the recommended ed25519 keys that everyone should be using now as a minimum. https://medium.com/risan/upgrade-your-ssh-key-to-ed25519-c6e8d60d3c54

PoEs and the ability to change WAN to any port

Typically when I setup a new “client” on our WISP network, I will use a MikroTik HAP ac as the router and a Ubiquiti IsoStation AC or PrismStation AC as the PtMP station. In this setup I can get away with only one power cable and one data cable. Normally you would need the PoE block that comes with the IsoStation and plug it into the PoE side. Then you would need another patch cable to plug in to the LAN port into the MikroTik’s WAN side, typically port 1. Then plug in the power cable into the MikroTik and plug that one and the Ubiquiti PoE block into the wall.

I get away from having to have so many cables being used by swapping the WAN port from port 1 to port 5 which again is the PoE out port as well. This will provide 24V to the IsoStation which eliminates the need of the PoE block entirely and the extra patch cable.

I’m working on an article of how I do this setup via hardware and in the software.

GUI and a CLI and also runs on Linux (sorta)

As the header reads, MikroTik RouterOS has a GUI and a CLI interface. You can also use SSH, Telnet, API calls, web app, and even console commands. I refer to the RouterOS only and not the SwitchOS as the SwitchOS only allows for interaction via the web app. This means there are many many ways to control your router. One cool little way I have also found that MikroTik allows for users to control their device is with a little plug-in-able, hotspot AP, that offers a console via their web interface. The best one I have found so far is the mAP lite.

I also mentioned above that they run on the Linux kernel and the MikroTik that I can currently working on is running Linux 3.3.5 ehci_hcd. Currently we are on 6.x version but I know many routers, networking devices, etc. run older versions of the kernel since they often don’t need the latest and greatest features that new versions contain. This also allows them to harden that one kernel rather than having to keep up with the many changes and updates that the newer kernels have. That being said, the terminal interface you can access via the GUI and the CLI do not function as a TTY shell. It is more in the vein of Cisco and other command-line interact-able devices. Hit tab and it shows the options available. The directory tree though is almost synonymous with the GUI as /system and /ip will also show all but sometimes more options from the terminal/CLI than the GUI.

Patch, Patch, Patch

One word of advice I would give to any user using MikroTik is to update your device regularly and also remove the admin account and use a robust password with the new user account.

The ability to view information live

I have used several routers ranging from Linksys to Palo Alto and SonicWall, from pfSense to OpnSense, but not one allows for the same visual information of traffic as a MikroTik Router. I can instantly see packet coming and going and have many times that helped me configure a client’s networks and even multi-billion dollar projects like a 600MW solar farm south of my work area, when they were having network issues. I installed a simple MikroTik HAP ac on location to be the router for them and quickly found many of their ports not configured correctly on their very expensive Palo Alto routers.

I love to use a OpnSense router since it can be robust and simple but I always have the thing in the back of my mind telling me that I can have so much more information presented to me if was using a MikroTik router instead.

Scripting

Here is where MikroTik can do some interesting and fun things. One of which is manipulating the iconic crunch sound that some MikroTik devices do when they boot up and are ready to be used. Some that stood out to me were some Metallica sounds, AC/DC, and of course Mario’s theme song. Super Mario Theme

Just place the code into the Source: by going to System -> Scripts. Create a new script then hit OK. Click Run Script and it will play the sound.

• Making cool sounds on the device
• changing defaults
• autobackups

:local name [/system identity get name];
:local date [/system clock get date];
:local day [ :pick $date 4 6 ]
:local month [ :pick $date 0 3 ]
:local year [ :pick $date 7 11]
:local backupName ($name."_".$year."-".$month."-".$day);
:put $backupName

/system backup save name=$backupName

:log info "Delay 3s";
:delay 3s;

:log info "Generating RSC";
:global rsc $backupName;

/export file=$rsc;

:log info "Backup FINISHED";

Head to System -> Scheduler, hit the blue plus and and create a new script with the input box containing the name of the script you want to run, in this case I called my autobackup. Call the Name whatever you want and how often you want to run it.

This is what the file list found under Files will look like. I take a .rsc and a .backup. rsc is a script and is human readable with plain text reader soft. Backup is a internal RouterOS backup and probably there is user info and some graphs log history that is not present in .rsc file. I’m using always the two options. Backup for fast restoring and rsc for reviewing config before restore or if there are problems restoring a backup in a newer ROS version.

Many more things

There is no way to put in all the other features that make MT great that they have into one post. I haven’t messed with everything either so I wouldn’t be the best reviewer on all subjects that MikroTik has to offer.

Final Thoughts: Pros and Cons

I wouldn’t be a decent network admin if I didn’t include the good, the bad, and the ugly side to using MikroTik. As I have mentioned above there are great pros that they offer but let me round out this post by presenting the pros and cons in no particular order.

Pros

• Nicely priced devices that can do powerful things
• Most devices can be powered up from 8V to 50V+ DC
• Most routers and switches have built in PoE in on port 1 and PoE out on the last port 5, 8, or 10, etc.
• Allows for setting up custom scripts that can add banned users to a blocklist.
• The MAC Winbox login is great when you might have messed up the LAN network or the LAN’s gateway is down and no DHCP is being offered.
• Runs on the Linux kernel although its heavily tweaked.
• Has options to manage device using SSH, Winbox, console via USB dongle if not built in, and web.
• RouterOS is robust and SwitchOS is simple when layer 3 management isn’t needed.
• The interface hasn’t changed much over the years and probably wont any time soon.

Cons

• Steep learning curve
  • Easy stuff can be hard and hard stuff is super stupid hard. Some hard things are actually easy though
• GUI is not the most modern looking nor is it the best at UX (user experience).
• The Quick Set tab can get things working quickly but most other niche things will need to be done in the other settings which can often break.
• Too many option, many of which you may never use. I have only used about half of what is available at any point in my career.
• Some advanced networking things like VLANs can be difficult to implement. But if you have a simple VLAN structure VLAN via the bridge can make things pretty simple compared to the interface VLAN.
• Usually to get one thing working you need to setup several other settings and options, which will require opening multiple windows. Sometimes you have to already make a change or setup another thing before the thing you want to setup will work. One that comes to mind is the WiFi where you will want to set it up but you have to set a password config first if you want to use WPA or WPA2 which requires opening another window and setting the password up first.
• Things are not what you might expect them to be. Example: /ip ssh does not allow you to SSH but is rather the SSH setting tab. To SSH into a device that is under /tools telnet -> ssh.
• Scripting and Scheduling is quite hard and the syntax is different than anything I have used before. There are experts on the MikroTik forums but most go over my head.
• WiFi works but I found it to be not as good as other options like Ubiquiti and TP-Link for roaming (802.11r) and the latest WiFi 6e and WiFi 7.
• SwitchOS is very watered down compared to RouterOS and is only accessible through the web interface. Also there exists an alternative version of SwitchOS which is every more watered down and obscure like the small 5 port Ethernet switch.

All in all I have to say I really enjoy using MikroTik. Its very rare there has been something I couldn’t figure out or get working. Expect the learning curve to be pretty steep but you can a nice priced and power router do things that other devices could only dream of.