Mikrotik MCP server via DADL
MikroTik RouterOS REST API -- manage interfaces, IP addresses, routing, firewall, DHCP, DNS, PPP, queues, wireless, system configuration, users, certificates, files, logs, and diagnostics on RouterOS v7.1+ devices
Use the Mikrotik API as an MCP server with Claude, GPT, or any MCP-compatible AI agent — defined declaratively in a single DADL file, served by ToolMesh. No custom MCP server code, no boilerplate.
Source: MikroTik RouterOS REST API
Coverage
64% (295 of ~450 endpoints)
Focus: system (resource, identity, clock, health, license, package, script, scheduler, reboot/shutdown, backup, note, logging rules + actions with /set twin), interfaces (generic set, list/CRUD, ethernet + atomic /set + switch chip + switch port, bridge + /set + port /set + VLAN CRUD + host/FDB table, vlan, bonding CRUD, wireless legacy, wifi, lte + /set, wireguard + interface CRUD + peers, list/member + list CRUD), IP (address, route, ARP, neighbor, service set/enable/disable, pool, cloud + /set), DNS (settings, static, cache), DHCP server (CRUD + /set + delete, lease, network CRUD, make-static, client CRUD + release/renew), firewall (filter, NAT, mangle full CRUD + move, raw full CRUD + move, address-list update, connection tracking), IPv6 (address full CRUD, route CRUD, firewall filter CRUD + move, ND, settings /set), PPP (secret, active, profile CRUD), routing (BGP connection CRUD, BGP templates/sessions, OSPF instance + area CRUD, interface-templates, neighbors, routing-filter rules CRUD), queues (simple full, tree, type), tools (ping, traceroute, bandwidth-test, netwatch CRUD, email SMTP settings get/set + send), users (user, group CRUD, ssh-keys, active sessions), logs, certificates, files, SNMP, VPN servers (L2TP/SSTP/PPTP/OVPN singleton get/set), IPsec (peer, identity, policy, profile, proposal full CRUD; active-peers, installed-sa, flush, settings), container (RouterOS 7), MPLS basics
Missing: CAPsMAN controller endpoints (out of scope: CRS354 is Ethernet-only), RADIUS server config, hotspot user profiles/walled garden, /interface/wireless deep config (legacy stack; tooling focuses on the modern /interface/wifi stack), BGP VPN/VPLS, OSPFv3 (instance.version=3 supported but no separate tooling), MPLS LDP detail, RIPv2, traffic-flow exporter, traffic monitor, GPS, ROMON, dude integration, dot1x, w60g, modem deep config, /tool/fetch (file upload/download via REST), file repository sync, certificate ACME plugin, /caps-man for new wifi stack (intentional: per-device wifi-config exposes set already)
Setup
- Log in to your MikroTik device via Winbox, SSH, or WebFig as an admin
- Enable the REST API service: /ip/service> set www-ssl disabled=no (HTTPS) or set www disabled=no (HTTP, NOT recommended for production)
- Ensure www-ssl has a valid certificate: /ip/service> set www-ssl certificate=<cert-name>
- Create a dedicated API user: /user/add name=api-user password=<strong-password> group=read (or 'full' / a custom group)
- For least-privilege custom groups: /user/group/add name=api-readonly policy=api,read,test,winbox
- Verify access: curl -k -u api-user:<password> https://<router-ip>/rest/system/resource
- Store the credentials: CREDENTIAL_MIKROTIK_USERNAME=api-user and CREDENTIAL_MIKROTIK_PASSWORD=<password>
Environment variable: CREDENTIAL_MIKROTIK_USERNAME and CREDENTIAL_MIKROTIK_PASSWORD
RouterOS v7.1+ required (v7.9+ recommended). Most MikroTik devices ship with self-signed certificates -- ToolMesh must skip TLS verification or you must install a trusted certificate via /certificate/import. The 'api' policy is REQUIRED on the user's group for any REST access. For read-only monitoring, use a group with policy=api,read,test,winbox; for full management add write,policy,reboot,ftp,sensitive.
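The Setup checks above can be run offline against JSON already fetched with list_ip_services and the user/group listings. This is an added example, not part of the DADL file or ToolMesh; the record shapes, the sample data, the "net-admin" group and the '!' prefix handling for negated policies are assumptions.

```python
# Added example (not from the DADL file): audit the REST setup described above.
# Inputs are lists of dicts as parsed from the REST JSON. Field names follow the
# ones this page lists (name, disabled, certificate, address, group, policy).

READ_ONLY_BASELINE = {"api", "read", "test", "winbox"}  # policy set from Setup


def _is_true(value):
    """RouterOS REST returns booleans as strings; accept 'true' and 'yes'."""
    return str(value).strip().lower() in {"true", "yes"}


def granted_policies(policy_field):
    """Split a comma-separated policy string; '!'-prefixed entries are denied
    (assumption about how negated policies are rendered)."""
    items = [p.strip() for p in policy_field.split(",") if p.strip()]
    return {p for p in items if not p.startswith("!")}


def audit_rest_setup(services, users, groups, api_user):
    """Return a list of findings; an empty list means the setup matches the page."""
    findings = []
    svc = {s["name"]: s for s in services}

    www = svc.get("www")
    if www and not _is_true(www.get("disabled", "false")):
        findings.append("www: plain-HTTP REST service is enabled")

    ssl = svc.get("www-ssl")
    if ssl is None or _is_true(ssl.get("disabled", "false")):
        findings.append("www-ssl: HTTPS REST service is disabled")
    else:
        if ssl.get("certificate", "none") in ("", "none"):
            findings.append("www-ssl: no certificate assigned")
        if not ssl.get("address"):
            findings.append("www-ssl: no source 'address' restriction")

    user = next((u for u in users if u["name"] == api_user), None)
    if user is None:
        findings.append(f"user {api_user}: not found")
        return findings
    group = next((g for g in groups if g["name"] == user["group"]), None)
    if group is None:
        findings.append(f"group {user['group']}: not found")
        return findings

    granted = granted_policies(group.get("policy", ""))
    if "api" not in granted:
        findings.append(f"group {group['name']}: missing 'api' policy")
    extra = sorted(granted - READ_ONLY_BASELINE)
    if extra:
        findings.append(
            f"group {group['name']}: beyond read-only baseline: {','.join(extra)}"
        )
    return findings


# Constructed sample data: a loose setup and one that follows the Setup steps.
LOOSE_SERVICES = [
    {"name": "www", "disabled": "false", "address": ""},
    {"name": "www-ssl", "disabled": "false", "certificate": "none", "address": ""},
]
TIGHT_SERVICES = [
    {"name": "www", "disabled": "true", "address": ""},
    {"name": "www-ssl", "disabled": "false", "certificate": "rest-cert",
     "address": "10.0.0.0/24"},
]
GROUPS = [
    {"name": "api-readonly", "policy": "api,read,test,winbox,!write,!policy"},
    {"name": "net-admin",  # hypothetical group with the full-management set
     "policy": "api,read,test,winbox,write,policy,reboot,ftp,sensitive"},
    {"name": "no-api", "policy": "read,test,winbox,!api"},
]
LOOSE_USERS = [{"name": "api-user", "group": "net-admin"}]
TIGHT_USERS = [{"name": "api-user", "group": "api-readonly"}]
NO_API_USERS = [{"name": "api-user", "group": "no-api"}]

if __name__ == "__main__":
    for line in audit_rest_setup(LOOSE_SERVICES, LOOSE_USERS, GROUPS, "api-user"):
        print(line)
```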
Install
Add to your backends.yaml:
- name: mikrotik
  transport: rest
  dadl: mikrotik.dadl
  url: "https://10.0.0.1/rest" # HTTPS (recommended) -- requires www-ssl service
  # url: "http://10.0.0.1/rest" # plain HTTP -- requires www service (RouterOS v7.9+)
Set the credential:
CREDENTIAL_MIKROTIK_USERNAME and CREDENTIAL_MIKROTIK_PASSWORD=your-token-here
Tools (295)
GET get_system_resource Get the device's hardware and runtime resource summary: architecture (mipsbe/arm/arm64/x86_64/tile), board-name, CPU model and count, CPU load, RAM (free/total), HDD (free/total), uptime, RouterOS version, build-time. Returns a single JSON object (NOT an array).
GET get_system_identity Get the device's identity (hostname shown in Winbox, neighbor discovery, and the CLI prompt). Returns a single-field object: {"name":"<hostname>"}.
POST set_system_identity Set the device's hostname/identity. Send {name: '<new-name>'}.
GET get_system_clock Get the current date, time, timezone, and DST setting on the device. Useful for verifying NTP sync and timezone configuration.
POST set_system_clock Set the device clock. Useful fields: time-zone-name (e.g. 'Europe/Berlin'), time-zone-autodetect ('yes'/'no'), date ('YYYY-MM-DD'), time ('HH:MM:SS').
GET get_ntp_client Get NTP client config and live sync state. Key fields: enabled ('true'/'false'), mode (unicast|broadcast|multicast|manycast), servers (comma-separated upstream NTP server IPs/FQDNs), vrf. Read-only status fields: status (started|stopped|synchronized|using-local-clock|error|search), synced-server, synced-stratum, system-offset (e.g. '0.5ms'), freq-diff. If 'status' is anything other than 'synchronized', the device clock is drifting on its own RTC/quartz.
POST set_ntp_client Update the NTP client. Most common change: provide a comma-separated list of trusted NTP servers and enable the client. Example body: {enabled:'yes', servers:'time.cloudflare.com,ptbtime1.ptb.de', mode:'unicast'}. Apply takes effect immediately; allow a few seconds for first sync attempt.
GET get_ntp_server Get the device's NTP SERVER config (whether this router serves time to other clients). Fields: enabled, broadcast, multicast, manycast, use-local-clock, local-clock-stratum, vrf, broadcast-addresses. Most edge devices keep this disabled and rely solely on the client.
POST set_ntp_server Update the NTP server config (enable broadcast/multicast/manycast NTP serving).
GET get_system_health Get hardware sensor readings: CPU temperature, board temperature, fan speeds, voltage, PSU state. Available sensors vary by hardware model; small devices (hAP lite, hEX lite) expose only a subset.
GET get_system_health_settings Get the cooling/fan control settings (separate from the read-only sensor values in /system/health). Typical fields: fan-mode (auto|manual), fan-min-speed-percent (PWM floor, e.g. 30), fan-target-temperature (target CPU/board temp for PWM control, e.g. 55), and PSU-related toggles (use-fan, fan-failure-trigger). Available only on devices with controllable fans (CCR, CRS3xx with PWM headers, RB5009, etc.). On fan-less hardware (cAP, hAP, hEX, CHR) this endpoint typically returns an empty object.
POST set_system_health_settings Configure cooling/fan behavior. Common changes -- quieter idle: {fan-mode:'auto', fan-min-speed-percent:'20', fan-target-temperature:'55'}. Force constant high RPM (e.g. dusty environment): {fan-mode:'manual', fan-min-speed-percent:'100'}. CAUTION: setting fan-target-temperature too high (>70C) or fan-min-speed-percent too low on a thermally constrained chassis can cause throttling or shutdown. Verify with get_system_health afterwards.
GET get_system_license Get the RouterOS license level (0-6), software-id, and CHR upgrade state. Level 6 = CHR/x86, levels 4-5 = WISP/Controller.
GET get_routerboard Get RouterBOARD hardware info: model, serial-number, firmware-type, factory-firmware (the firmware that shipped from the factory), current-firmware (running), upgrade-firmware (latest available bundled with the running RouterOS package), routerboot version. The 'routerboard' flag is 'true' on physical MikroTik hardware and 'false' on CHR/x86 (where this endpoint typically returns empty). For CRS3xx switches this is the canonical source for the factory firmware revision and the bootloader (RouterBOOT) version that the device shipped with.
POST upgrade_routerboard_firmware Trigger a RouterBOOT firmware upgrade to the version reported in 'upgrade-firmware'. The new firmware is staged for the next boot -- the device MUST be rebooted (POST /system/reboot) for the upgrade to take effect. Different from RouterOS package upgrades (see install_package_updates) -- this updates ONLY the bootloader/CPLD/SoC firmware bundled with the running RouterOS package. Returns no body on success; check get_routerboard afterwards to confirm current-firmware matches upgrade-firmware.
POST downgrade_routerboard_firmware Downgrade RouterBOOT firmware to the factory firmware. Same reboot requirement as upgrade. Rarely needed; use only when a RouterBOOT upgrade caused issues and you need to revert.
GET list_system_packages List all installed RouterOS packages with version, build time, and disabled state. Standard package set: system, wireless, ipv6, advanced-tools, routing, security, wifi-qcom-ac, etc. Disabled packages remain on flash but are not loaded.
POST enable_system_package Enable a package by name. Requires reboot to take effect.
POST disable_system_package Disable a package by name. Requires reboot to unload.
POST check_for_package_updates Check the MikroTik update server for available RouterOS updates. Returns installed-version, latest-version, status ('System is already up to date', 'New version is available'). Does NOT install -- use install_package_updates.
POST install_package_updates Download and install RouterOS updates from MikroTik servers. The device WILL reboot after install. Channel must be set first via set channel (stable, long-term, testing, development).
GET list_system_scripts List all stored scripts on the device with name, source code, run-count, last-started, owner, and policies.
GET get_system_script Get a single script by .id or name. Returns the full source field.
PUT add_system_script Create a new script. Provide name and source (RouterOS scripting language).
PATCH update_system_script Update an existing script's source, policies, or comment.
DELETE delete_system_script Delete a script by .id or name.
POST run_system_script Execute a stored script by .id. Output (if any) is appended to the system log.
GET list_system_scheduler List scheduled tasks (cron-like). Each has name, start-date, start-time, interval, on-event (script to run), policy, run-count, next-run.
PUT add_system_scheduler Schedule a script to run at a specific time or interval.
PATCH update_system_scheduler Update a scheduled task (name, on-event, start-date/time, interval, policy, comment, disabled).
DELETE delete_system_scheduler Delete a scheduled task by .id or name.
POST reboot_system Reboot the device immediately. Disconnects ALL sessions; device will be offline for 30-90 seconds. There is no undo. Confirm intent before calling.
POST shutdown_system Power-off the device immediately. Device requires physical power-cycle to come back online. Use only when you have on-site access.
POST create_backup Create a binary backup of the running configuration. Stored on device flash as <name>.backup. Retrieve via FTP/SFTP -- the REST API does not stream file contents.
POST load_backup Restore configuration from a backup file. Device WILL reboot. Backup must already exist in /file (uploaded via FTP/SFTP or made via create_backup).
POST export_config Export the running configuration as an RSC script. If 'file' is provided, writes to /file/<name>.rsc on the device; otherwise returns the script text inline. 'compact' (yes/no) and 'verbose' (yes/no) control verbosity.
GET get_system_note Get the login banner / system note shown on console login. Often used for ownership/contact info.
POST set_system_note Set the login banner / system note.
GET list_interfaces List all interfaces (physical and virtual) with name, type, MTU, MAC address, running/disabled state, rx/tx-byte counters, last-link-up/down. Type values: ether, vlan, bridge, wireless, wifi, wireguard, lte, ppp-client, ovpn-server, ovpn-client, l2tp-server, sstp-server, pptp-server, eoip, ipip, gre, vrrp, etc.
GET get_interface Get a single interface by name (e.g. 'ether1', 'bridge1') or .id (e.g. '*1').
PATCH update_interface Update common interface properties: name, comment, mtu (L3), l2mtu (L2), disabled, arp mode. NOTE on jumbo frames: RouterOS clamps L3 'mtu' to l2mtu - 14 bytes. To run mtu=9000 you must FIRST raise 'l2mtu' to at least 9014 (or use the max-l2mtu the hardware reports). On CRS3xx switch-chips the per-port l2mtu IS writable and changes the chip's accepted frame size on that port.
POST enable_interface Enable one or more interfaces by .id or name (comma-separated in 'numbers').
POST disable_interface Disable one or more interfaces.
POST monitor_interface_traffic Sample rx/tx rates for an interface. ALWAYS pass once='' to avoid the 60s timeout, otherwise the API streams indefinitely.
POST set_interface Atomically update one or more interfaces (any type) via the CLI-style '/interface set'. Use this when you need to change name/comment/mtu/disabled across MIXED interface types in one transaction (CLI: '/interface set [find ...] mtu=9000'). For ether-specific atomic edits (l2mtu, speed, duplex) use set_ethernet_interface; for cellular APN/mode use set_lte_interface. The generic /interface/set only touches L3 mtu and cannot raise l2mtu on Ethernet ports.
GET list_ethernet_interfaces List physical Ethernet ports with name, default-name, MAC, MTU, speed, auto-negotiation, full-duplex, SFP details.
POST set_ethernet_interface Atomically update one or more Ethernet ports via the CLI-style '/interface/ethernet set' command. PREFERRED for jumbo-frame setup on switches: PATCH /interface/ethernet/{id} returns HTTP 400 when a port is a bridge slave (slave='true') OR when mtu would exceed current l2mtu - 14. This POST endpoint sets l2mtu and mtu in a single atomic transaction so the validator sees both new values together. Reference ports via 'numbers' (comma-separated names or .ids).
PATCH update_ethernet_interface Update an Ethernet port's properties (name, speed, advertise, full-duplex, auto-negotiation, comment, disabled, MTU/l2mtu, MAC override). Jumbo-frame note: raise l2mtu (e.g. to 9014 or up to max-l2mtu) BEFORE setting mtu=9000, otherwise RouterOS silently clamps mtu to l2mtu - 14. For slave (bridge-member) ports this PATCH frequently returns HTTP 400 when changing mtu/l2mtu -- use set_ethernet_interface instead, which sets both values atomically via the /set endpoint.
GET list_ethernet_switches List hardware switch chips (CRS3xx-series and similar). Each chip has name (e.g. 'switch1'), type, mirror-source, mirror-target, cpu-flow-control. On boxes with no switch chip (RB4011, hAP family) this returns an empty array.
GET list_ethernet_switch_ports List per-port switch-chip configuration (separate from /interface/ethernet L2/L3 view). Fields: name (chip-port id like 'switch1-cpu' or 'ether1'), l2mtu, vlan-mode, vlan-header, default-vlan-id, mirror, mirror-egress. On CRS3xx the chip enforces its own per-port l2mtu — this is the cap that /interface/ethernet l2mtu is clamped against. For end-to-end jumbo you usually need set_ethernet_interface (raises ether l2mtu) AND, on older firmwares, set_ethernet_switch_port (raises chip-port l2mtu).
POST set_ethernet_switch Atomically update one or more switch chips. Reference via 'numbers' (chip name or .id). Use for changing mirror-source/mirror-target, cpu-flow-control. Rarely needed on a 'just give me jumbo frames' workflow — try set_ethernet_interface first.
POST set_ethernet_switch_port Atomically update one or more switch-chip ports. Reference via 'numbers' (port name like 'ether1' or chip-port .id). Most relevant field is 'l2mtu' on older RouterOS releases where the chip cap needs explicit bumping for jumbo. On RouterOS 7.10+ the chip auto-tracks /interface/ethernet l2mtu; this endpoint is the fallback if your hardware does not.
GET list_bridges List bridge interfaces (Layer-2 software switches). Returns name, mtu, protocol-mode (none|rstp|stp|mstp), vlan-filtering, igmp-snooping, fast-forward.
PUT add_bridge Create a new bridge interface. At minimum provide name; common options: protocol-mode (rstp), vlan-filtering ('yes' for VLAN-aware bridge).
PATCH update_bridge Update bridge properties (name, protocol-mode, vlan-filtering, igmp-snooping, fast-forward, mtu, admin-mac, comment).
POST set_bridge Atomically update one or more bridges via CLI-style '/interface/bridge set'. Useful when you need to flip vlan-filtering or protocol-mode on multiple bridges in one transaction. Reference via 'numbers' (bridge name or .id).
DELETE delete_bridge Delete a bridge by .id or name. Removes all port memberships.
GET list_bridge_ports List bridge port memberships (which interfaces are members of which bridges). Key fields: bridge, interface, pvid, frame-types, ingress-filtering.
PUT add_bridge_port Add an interface to a bridge.
DELETE delete_bridge_port Remove a port from a bridge.
POST set_bridge_port Atomically update one or more bridge ports via CLI-style '/interface/bridge/port set'. Reference via 'numbers' (.id or bridge-port name). Use this instead of PATCH when you need to flip pvid/frame-types/ingress-filtering on many ports together; PATCH on individual bridge-port records can interact awkwardly with hardware offload and slave validation.
GET list_bridge_hosts List the bridge forwarding database (FDB) — every MAC the bridge has learned, plus where (which port). Fields: mac-address, on-interface, bridge, age, local (yes=our own MAC), external (yes=learned from another switch), dynamic. Essential for debugging "host disappeared" issues — confirms whether the bridge ever saw the MAC.
GET list_bridge_vlans List bridge VLAN configurations (which VLAN IDs are tagged/untagged on which bridge ports). Used with vlan-filtering=yes bridges.
PUT add_bridge_vlan Configure VLAN tagging on a bridge.
PATCH update_bridge_vlan Update an existing bridge-vlan record (tagged/untagged port lists, comment, disabled).
DELETE delete_bridge_vlan Remove a bridge-vlan record.
GET list_vlan_interfaces List VLAN interfaces (802.1Q sub-interfaces). Each has name, vlan-id, interface (parent), mtu.
PUT add_vlan_interface Create a VLAN sub-interface on a physical or bridge interface.
DELETE delete_vlan_interface Delete a VLAN interface.
GET list_bonding_interfaces List bonding (link aggregation) interfaces. Modes: 802.3ad (LACP), balance-rr, balance-xor, broadcast, active-backup, etc.
PUT add_bonding_interface Create a bonding interface that aggregates physical Ethernet ports. For switch-side LACP both sides must speak 802.3ad.
PATCH update_bonding_interface Update a bonding interface (slaves, mode, lacp-rate, hash policy, comment).
DELETE delete_bonding_interface Delete a bonding interface. Member ports return to individual L2 state.
GET list_interface_lists List interface lists (named groups of interfaces, used in firewall rules as 'in-interface-list' / 'out-interface-list'). Default lists: WAN, LAN.
PUT add_interface_list Create a new interface list. Use to group interfaces for firewall in-/out-interface-list matching.
DELETE delete_interface_list Delete an interface list. Firewall rules referencing it will break — audit first.
GET list_interface_list_members List members of all interface lists. Key fields: list, interface.
PUT add_interface_list_member Add an interface to an interface list.
DELETE delete_interface_list_member Remove an interface from an interface list.
GET list_wireless_interfaces List legacy wireless interfaces (cAP, hAP ac, RB devices). Each has ssid, mode (ap-bridge|station|station-bridge|bridge), band, channel-width, frequency, security-profile, radio-name, master-interface. Use list_wifi_interfaces for newer cAP ax / hAP ax / Audience devices.
GET list_wireless_security_profiles List wireless security profiles (WPA/WPA2/WPA3 PSK and EAP). Key fields: name, mode, authentication-types, wpa2-pre-shared-key, group-ciphers, unicast-ciphers.
GET list_wireless_registrations List currently associated wireless clients (CAPsMAN/wireless). Returns mac-address, interface, signal-strength, tx-rate, rx-rate, uptime.
GET list_wifi_interfaces List newer 802.11ax wifi interfaces (cAP ax, hAP ax, Audience family). Newer stack than /interface/wireless.
GET list_wifi_registrations List clients connected to the new wifi stack interfaces.
POST monitor_wifi Sample current wifi interface state (channel, tx-rate, noise floor). ALWAYS pass once=''.
GET list_lte_interfaces List LTE/cellular modem interfaces. Each has name, apn, pin, network-mode, status, imei.
POST set_lte_interface Update an LTE modem interface (APN, network selection, PIN, name). Reference via 'numbers' (lte interface name). Carrier change normally triggers a brief re-attach (5-10s). For per-APN profile work see /interface/lte/apn (singleton APN list is queryable via the modem itself).
POST monitor_lte Sample LTE modem state (signal RSSI/RSRP/RSRQ, technology, current-operator, cell-id). ALWAYS pass once=''.
GET list_wireguard_interfaces List WireGuard VPN interfaces. Each has name, public-key, private-key (hidden unless 'sensitive' policy), listen-port, mtu.
PUT add_wireguard_interface Create a WireGuard interface. RouterOS auto-generates a key pair if private-key is omitted.
PATCH update_wireguard_interface Update a WireGuard interface (listen-port, private-key, mtu, comment, disabled). Rotating private-key requires re-distributing the resulting public-key to every peer — handle with care.
DELETE delete_wireguard_interface Delete a WireGuard interface. ALL associated peers are removed implicitly.
GET list_wireguard_peers List configured WireGuard peers. Key fields: interface, public-key, endpoint-address, endpoint-port, allowed-address, last-handshake, rx, tx, current-endpoint-address.
PUT add_wireguard_peer Add a WireGuard peer to an interface.
PATCH update_wireguard_peer Update a WireGuard peer (allowed-address, endpoint, keepalive, comment, disabled).
DELETE delete_wireguard_peer Remove a WireGuard peer.
GET list_ip_addresses List all configured IPv4 addresses with address (CIDR), network, interface, dynamic (yes for DHCP-acquired), disabled, comment.
PUT add_ip_address Assign an IPv4 address to an interface.
PATCH update_ip_address Update an IP address record (address, interface, comment, disabled).
DELETE delete_ip_address Remove an IPv4 address. May disconnect remote sessions if the deleted address is the management IP.
GET list_ip_routes List the IPv4 routing table. Each route has dst-address (CIDR), gateway, distance, scope, target-scope, routing-mark, active, dynamic, suppress-hw-offload. Filter active=true to see only currently used routes.
PUT add_ip_route Add a static IPv4 route. Default route: dst-address='0.0.0.0/0' with a gateway.
PATCH update_ip_route Update a static route.
DELETE delete_ip_route Delete a static route.
GET list_ip_arp List the ARP (IPv4-to-MAC) table. Includes static and dynamic entries with address, mac-address, interface, complete (yes/no), dynamic.
PUT add_ip_arp Add a static ARP entry (useful for ARP reply-only mode).
DELETE delete_ip_arp Remove an ARP entry.
GET list_ip_neighbors List devices discovered via MNDP/CDP/LLDP on directly connected interfaces. Useful for topology discovery.
GET list_ip_services List the management services and their state: api, api-ssl, ftp, ssh, telnet, winbox, www (HTTP), www-ssl (HTTPS REST). Each has port, address (allowed source CIDR), disabled, certificate, tls-version.
POST set_ip_service Update a management service (enable/disable, change port, restrict source 'address' list, bind to certificate). NOTE: /ip/service is one of the few RouterOS endpoints that does NOT support PATCH -- use this POST /set form (mirrors the CLI '/ip/service set ...' command). Reference services via 'numbers' as the service name (e.g. 'telnet', 'www-ssl') or .id ('*0'). Be careful disabling the service you are currently connected through.
POST disable_ip_service Convenience wrapper to disable one or more services. Pass service name(s) or .id(s) as comma-separated 'numbers'.
POST enable_ip_service Convenience wrapper to enable one or more services. Pass service name(s) or .id(s) as comma-separated 'numbers'.
GET list_ip_pools List IP address pools (used by DHCP server, PPP server, etc.). Each has name, ranges (CIDR or IP range), next-pool.
GET get_ip_cloud Get MikroTik IP Cloud (dynamic DNS) status: ddns-enabled, dns-name (xxxxx.sn.mynetname.net), public-address, status.
POST set_ip_cloud Update MikroTik IP Cloud (dynamic DNS) settings. Singleton — toggle ddns-enabled='yes' to register the device's WAN IP with mynetname.net. Disable update-time='yes' if you do NOT want IP Cloud to push device time (e.g. when you have your own NTP servers).
GET get_dns_settings Get DNS resolver settings: servers (upstream), dynamic-servers, allow-remote-requests, cache-size, max-concurrent-queries.
POST update_dns_settings Update DNS resolver settings.
GET list_dns_static List static DNS entries (local DNS records). Each has name, type (A|AAAA|CNAME|NS|MX|SRV|TXT), address/cname/target, ttl.
PUT add_dns_static Add a static DNS entry. Use either name+address (A record) or name+cname.
PATCH update_dns_static Update a static DNS entry.
DELETE delete_dns_static Remove a static DNS entry.
GET list_dns_cache List currently cached DNS resolutions on the device.
POST flush_dns_cache Clear the DNS resolver cache.
GET list_dhcp_servers List DHCP server instances. Each has name, interface, address-pool, lease-time, authoritative, disabled.
PUT add_dhcp_server Create a DHCP server. Requires interface and address-pool.
PATCH update_dhcp_server Update a DHCP server.
POST set_dhcp_server Atomically update one or more DHCP server instances via CLI-style '/ip/dhcp-server set'. Reference via 'numbers' (server name or .id). Use this when changing lease-time / authoritative across multiple servers in one go.
DELETE delete_dhcp_server Delete a DHCP server instance. Clients will fail to renew leases.
GET list_dhcp_leases List DHCP leases (both dynamic and static reservations). Key fields: address, mac-address, server, host-name, dynamic (yes/no), status (bound | waiting | offered | expired), last-seen, comment.
PUT add_dhcp_lease Create a static DHCP reservation.
DELETE delete_dhcp_lease Delete a DHCP lease/reservation.
POST make_dhcp_lease_static Convert a dynamic DHCP lease into a static reservation. Most common workflow for reserving an IP for a known device.
GET list_dhcp_networks List DHCP network options (subnet, gateway, dns-server, ntp-server, domain) advertised to clients.
PUT add_dhcp_network Add DHCP network options for a subnet.
PATCH update_dhcp_network Update a DHCP server network (gateway, dns, ntp, domain, comment).
DELETE delete_dhcp_network Remove a DHCP server network. Existing leases remain but new clients will get no options.
GET list_dhcp_clients List DHCP client instances. Each has interface, status (bound|searching|stopped), address, gateway, primary-dns, secondary-dns, expires-after.
PUT add_dhcp_client Enable a DHCP client on an interface (typical WAN setup).
PATCH update_dhcp_client Update a DHCP client (interface, add-default-route, use-peer-dns, etc.).
DELETE delete_dhcp_client Delete a DHCP client. WAN-side delete may sever connectivity — confirm before invoking.
POST release_dhcp_client Release the current lease on a DHCP client and re-discover. Brief connectivity drop expected.
POST renew_dhcp_client Force a DHCP renew on a client. Useful when DNS/gateway info has changed on the upstream server.
GET list_firewall_filter List IPv4 firewall filter rules. Each rule has chain (input|forward|output|<custom>), action (accept|drop|reject|jump|log|...), protocol, src-address, dst-address, src-port, dst-port, in-interface, out-interface, connection-state, comment. Rules are evaluated TOP-TO-BOTTOM per chain.
PUT add_firewall_filter Add an IPv4 firewall filter rule. Required: chain and action. New rules are appended to the END of the chain -- use move_firewall_filter to reorder.
PATCH update_firewall_filter Update an existing filter rule (any field).
DELETE delete_firewall_filter Delete a filter rule. Removing an accept rule can lock you out -- check before deleting.
POST move_firewall_filter Reorder filter rules. Move rule(s) in 'numbers' to position before 'destination'.
GET list_firewall_nat List IPv4 NAT rules (srcnat/dstnat). Common actions: masquerade (srcnat to outgoing interface), dst-nat (port forward), src-nat, redirect.
PUT add_firewall_nat Add a NAT rule. Common patterns -- Masquerade (LAN to WAN): {chain:'srcnat',action:'masquerade',out-interface-list:'WAN'}. Port forward (DNAT): {chain:'dstnat',action:'dst-nat',protocol:'tcp',dst-port:'80',in-interface:'ether1',to-addresses:'192.168.1.10',to-ports:'8080'}.
PATCH update_firewall_nat Update a NAT rule.
DELETE delete_firewall_nat Delete a NAT rule. Removing masquerade can break LAN-to-WAN traffic.
POST move_firewall_nat Reorder NAT rules. Move rule(s) in 'numbers' to position before 'destination'.
GET list_firewall_mangle List mangle rules (packet marking, MSS clamping, TTL, DSCP). Chains: prerouting, postrouting, input, forward, output.
PUT add_firewall_mangle Add a mangle rule (mark-packet, mark-connection, change-mss, change-ttl, change-dscp, ...).
PATCH update_firewall_mangle Update a mangle rule (any field).
DELETE delete_firewall_mangle Delete a mangle rule. Removing mark-routing rules can break policy routing.
POST move_firewall_mangle Reorder mangle rules. Move rule(s) in 'numbers' to position before 'destination'.
GET list_firewall_raw List firewall raw rules (pre-conntrack, used for DDoS mitigation and bypassing connection tracking).
PUT add_firewall_raw Add a raw firewall rule. Raw rules run BEFORE connection-tracking and are evaluated for every packet — keep them lean. Common patterns: notrack for high-volume known-good traffic, drop for known-bad source IPs, ICMP rate-limit pre-conntrack.
PATCH update_firewall_raw Update a raw firewall rule.
DELETE delete_firewall_raw Delete a raw firewall rule.
POST move_firewall_raw Reorder raw firewall rules. Move rule(s) in 'numbers' to position before 'destination'.
GET list_firewall_address_lists List firewall address-list entries (named groups of IPs/CIDRs used by other firewall rules).
PUT add_firewall_address_list Add an entry to a firewall address-list.
PATCH update_firewall_address_list Update an existing address-list entry (address, list, timeout, comment).
DELETE delete_firewall_address_list Remove an entry from an address-list.
GET list_firewall_connections List currently tracked connections (connection-tracking table). Key fields: src-address, dst-address, protocol, tcp-state, timeout, orig-bytes, repl-bytes, reply-src-address (for NAT), reply-dst-address.
GET list_ipv6_addresses List configured IPv6 addresses. Includes link-local (FE80::/10), GUA, and ULA addresses.
PUT add_ipv6_address Assign an IPv6 address to an interface.
PATCH update_ipv6_address Update an IPv6 address record.
DELETE delete_ipv6_address Remove an IPv6 address.
GET list_ipv6_routes List the IPv6 routing table.
PUT add_ipv6_route Add a static IPv6 route. Default route: dst-address='::/0' with a gateway.
PATCH update_ipv6_route Update a static IPv6 route.
DELETE delete_ipv6_route Delete a static IPv6 route.
GET list_ipv6_firewall_filter List IPv6 firewall filter rules. Same chain/action semantics as IPv4.
PUT add_ipv6_firewall_filter Add an IPv6 firewall filter rule. Required: chain and action.
PATCH update_ipv6_firewall_filter Update an IPv6 firewall filter rule.
DELETE delete_ipv6_firewall_filter Delete an IPv6 firewall filter rule.
POST move_ipv6_firewall_filter Reorder IPv6 filter rules. Move rule(s) in 'numbers' to position before 'destination'.
GET list_ipv6_neighbors List the IPv6 neighbor table (NDP, equivalent to ARP for IPv6).
GET list_ipv6_nd List IPv6 Neighbor Discovery / Router Advertisement settings per interface (M, O flags, RA interval, RA lifetime, MTU). This controls RA SENDING (the device acting as an IPv6 router for its LAN), not RA receiving (SLAAC client behavior). For SLAAC client behavior, see get_ipv6_settings / set_ipv6_settings.
GET get_ipv6_settings Get the global IPv6 stack settings. Key fields: disable-ipv6 (yes/no), forward (yes/no -- 'yes' makes the device a router; 'no' a host), accept-router-advertisements (yes | no | yes-if-forwarding-disabled -- the last is the default and means the device accepts RAs only when acting as a host), accept-redirects, max-neighbor-entries, soft-headers, multipath-hash-policy. SLAAC client behavior requires forward='no' AND accept-router-advertisements in {yes, yes-if-forwarding-disabled}.
POST set_ipv6_settings Update global IPv6 settings. To enable SLAAC on a host/L2-switch: {forward:'no', accept-router-advertisements:'yes'}. Note: changing 'forward' may affect routing behavior across all interfaces -- do this only on devices that should NOT route IPv6 (e.g. switches, end hosts).
GET list_ipv6_dhcp_clients List DHCPv6 clients (stateful IPv6 address/prefix from a DHCPv6 server). SLAAC (RA-only) does NOT show up here -- only DHCPv6 client instances do. Each entry has interface, request (address|prefix), status, address, prefix.
GET list_ppp_secrets List PPP user accounts (used for PPPoE/L2TP/SSTP/PPTP/OVPN servers). Each has name, password (hidden), profile, service, local-address, remote-address.
PUT add_ppp_secret Create a PPP user account.
PATCH update_ppp_secret Update a PPP user (password, profile, service, addresses, comment, disabled).
DELETE delete_ppp_secret Delete a PPP user account.
GET list_ppp_active List currently connected PPP sessions (active PPPoE/L2TP/SSTP/PPTP/OVPN clients). Includes name, service, address, uptime, encoding, caller-id.
GET list_ppp_profiles List PPP profiles (templates for sessions: local-address, remote-address pool, dns-server, rate-limit, encryption).
PUT add_ppp_profile Create a PPP profile. Use to template L2TP/SSTP/PPTP/OVPN session settings (DNS, address pool, rate-limit, encryption).
PATCH update_ppp_profile Update a PPP profile.
DELETE delete_ppp_profile Delete a PPP profile. Cannot delete 'default' or 'default-encryption' built-in profiles.
GET list_routing_table List routing tables (multi-table support in RouterOS 7). Default is 'main'; custom tables used with routing-mark.
GET list_bgp_peers List BGP peer connections (RouterOS 7 BGP). Each has name, remote.address, remote.as, local.address, local.role, established.
PUT add_bgp_connection Add a BGP peer connection (RouterOS 7 BGP). Required: name and remote.address. Use templates for common AS/role config and reference via 'template='.
PATCH update_bgp_connection Update a BGP peer connection.
DELETE delete_bgp_connection Delete a BGP peer connection. Will tear down the BGP session immediately.
GET list_bgp_sessions List currently established BGP sessions with state, uptime, prefix-count, last-error.
GET list_bgp_templates List BGP templates (reusable peer-config bundles). RouterOS 7 BGP requires at least one template — usually 'default'.
GET list_ospf_instances List OSPF instances. Each has name, version, router-id, vrf.
PUT add_ospf_instance Create an OSPF instance (RouterOS 7). Required: name, router-id, version (default '2' for OSPFv2).
DELETE delete_ospf_instance Delete an OSPF instance. All adjacencies in this instance go down.
GET list_ospf_areas List OSPF areas. Each binds an instance to an area-id and type (default | stub | nssa | backbone).
PUT add_ospf_area Create an OSPF area (RouterOS 7).
DELETE delete_ospf_area Delete an OSPF area.
GET list_ospf_interface_templates List OSPF interface templates (which interfaces speak OSPF, in which area, with which cost/network type).
GET list_ospf_neighbors List OSPF neighbors with router-id, address, area, state (Down|Init|2-Way|ExStart|Exchange|Loading|Full), priority.
GET list_routing_filters List routing-filter rules (RouterOS 7 unified filter system). Each rule belongs to a chain (referenced from BGP/OSPF in/out filter-chain fields). Fields: chain, rule (filter DSL: 'if (...) {...}'), comment, disabled.
PUT add_routing_filter Add a routing-filter rule. RouterOS 7 uses a unified rule DSL across all protocols. Example: chain='bgp-in', rule='if (dst in 0.0.0.0/0) { accept } reject'. Rules in a chain are evaluated top-to-bottom.
PATCH update_routing_filter Update a routing-filter rule.
DELETE delete_routing_filter Delete a routing-filter rule. Removing a deny-all leaf can flood the route table — audit first.
GET list_simple_queues List simple queues (per-IP/per-subnet bandwidth limits). Each has name, target (IP/CIDR/interface), max-limit, burst-limit, parent, queue (queue-type).
PUT add_simple_queue Add a simple queue for bandwidth shaping.
PATCH update_simple_queue Update a simple queue.
DELETE delete_simple_queue Remove a simple queue.
GET list_queue_tree List queue tree entries (HTB-based hierarchical shaping using packet marks from mangle).
GET list_queue_types List queue disciplines (default-small, default, ethernet-default, wireless-default, fq-codel, cake, pcq, sfq, red, pfifo, bfifo).
POST ping Send ICMP echo requests to a target. CRITICAL: always pass count (1-10) to bound runtime -- the REST API has a 60s hard timeout. Each iteration is returned as one object in the response array.
POST traceroute Trace the network path to a target. ALWAYS set count and timeout to bound runtime. Returns one row per hop with address, loss, sent, last, avg, best, worst.
POST bandwidth_test Run a bandwidth test against another MikroTik device (target must run bandwidth-server). ALWAYS pass duration to bound runtime. Resource-intensive.
GET list_netwatch List netwatch monitors (ICMP/TCP/HTTP/HTTPS uptime checks against external hosts). Each has host, status (up|unknown|down), type, since.
PUT add_netwatch Create a netwatch monitor.
PATCH update_netwatch Update a netwatch monitor (host, type, interval, scripts, port, http-codes, comment, disabled).
DELETE delete_netwatch Remove a netwatch monitor.
GET get_email_settings Get the SMTP client settings. Singleton — required for send_email and for the 'email' /system/logging/action. Fields: server, port, start-tls, user, password (hidden), from, vrf.
POST set_email_settings Update the SMTP client settings. RouterOS 7.13+ uses the field 'tls' (no | starttls | tls-only); older releases used 'start-tls' as a boolean — both are accepted on 7.13+ for backward compatibility but prefer 'tls'. STARTTLS submission (port 587): {server:'smtp.example.com', port:'587', tls:'starttls', user:'noreply@x', password:'<pwd>', from:'router@x'}. Implicit TLS (port 465): tls='tls-only'. Cleartext (port 25): tls='no'.
POST send_email Send an email via the configured /tool/e-mail SMTP settings. Useful for alerting from scripts/scheduler.
GET list_users List local user accounts. Each has name, group, address (allowed source CIDR), last-logged-in, disabled.
GET get_user Get a single user by name or .id.
PUT add_user Create a local user.
PATCH update_user Update a user (password, group, source restriction, comment, disabled).
DELETE delete_user Delete a user. Cannot delete the user you're authenticated as.
GET list_user_groups List user groups (named bundles of policies). Default groups: read, write, full. Each has name and policy field (comma-separated).
PUT add_user_group Create a custom user group with specific policies.
PATCH update_user_group Update an existing user group's policies, skin, or comment. Cannot rename built-in 'read', 'write', 'full' groups.
DELETE delete_user_group Delete a custom user group. Built-in groups (read/write/full) cannot be deleted. Users assigned to a deleted group are orphaned — re-assign first.
GET list_active_users List currently authenticated user sessions. Includes name, address (source IP), via (ssh|winbox|webfig|api|rest|console), when.
GET list_user_ssh_keys List installed SSH public keys for user authentication.
POST import_user_ssh_key Import an SSH public key from a file in /file for a user.
GET list_certificates List installed certificates and CAs. Each has name, common-name, subject-alt-name, issuer, expires-after, days-valid, fingerprint, private-key (yes/no).
POST sign_certificate Sign a certificate request with a CA certificate. Used in PKI workflows.
POST import_certificate Import a certificate from a file in /file (PEM or PKCS#12).
GET list_files List files stored on the device flash. Includes name, type (file|directory|disk|.backup|.rsc|.crt|.key|.umb), size, creation-time.
DELETE delete_file Delete a file from device flash. Cannot delete in-use files.
GET list_logs List system log entries. Each has time, topics (e.g. 'system,info'), message. Logs are circular -- old entries are overwritten. Filter by topics= via query for targeted lookups.
GET list_logging_rules List logging rules — each routes a topic pattern to an action. Fields: topics (comma-separated AND-list, '!' to negate), action (action name, e.g. 'memory', 'remote', 'graylog'), prefix, regex, disabled. Rules are evaluated for every log line; matching is a logical OR across multiple rules.
PUT add_logging_rule Add a logging rule. Most common pattern for remote forwarding: {topics:'', action:'remote'} forwards EVERY topic to the remote action. Narrower: {topics:'system,info', action:'graylog'} forwards only system-info lines. Negation: {topics:'firewall,!debug', ...} excludes debug-severity firewall messages.
PATCH update_logging_rule Update a logging rule (topics, action, prefix, regex, comment, disabled).
DELETE delete_logging_rule Delete a logging rule. The 5 default actions remain available; only your custom rules are removed.
GET list_logging_actions List logging actions — destinations for log lines. RouterOS ships with 5 default actions that CANNOT be deleted or renamed: memory, disk, echo, remote, email. Add new actions for additional targets (multiple Graylog inputs, secondary syslog, etc.).
PUT add_logging_action Add a logging action (destination). Common pattern for Graylog (CEF over TCP): {name:'graylog', target:'remote', remote:'192.168.100.15', remote-port:'514', remote-protocol:'tcp', remote-log-format:'cef', syslog-time-format:'iso8601'}. For a second memory ring buffer: {name:'audit', target:'memory', memory-lines:'5000'}.
PATCH update_logging_action Update a custom logging action. NOTE: for the 5 built-in actions (memory, disk, echo, remote, email) PATCH on the path is unreliable — use set_logging_action with numbers='remote' (etc.) instead.
POST set_logging_action Atomically update one or more logging actions via CLI-style '/system/logging/action set'. THIS IS THE WAY to re-aim the built-in 'remote' or 'email' actions: {numbers:'remote', remote:'10.0.0.5', remote-protocol:'tcp', remote-log-format:'cef'} — the built-ins can be re-configured but not renamed/deleted. Reference via 'numbers' (action name or .id).
DELETE delete_logging_action Delete a custom logging action. The 5 default actions (memory/disk/echo/remote/email) cannot be deleted.
GET get_snmp_settings Get SNMP agent settings: enabled, contact, location, engine-id, src-address, trap-target.
POST update_snmp_settings Update SNMP agent settings.
GET list_snmp_communities List SNMP v1/v2c communities and v3 users. Includes name, addresses (source CIDRs), security, read-access, write-access.
GET get_l2tp_server Get L2TP server config (singleton). Fields: enabled, max-mtu, max-mru, mrru, authentication (comma list of mschap2,mschap1,chap,pap), default-profile, use-ipsec ('no'|'yes'|'required'), ipsec-secret, caller-id-type, allow-fast-path.
POST set_l2tp_server Update L2TP server config. To enable plain L2TP: {enabled:'yes', authentication:'mschap2', default-profile:'default-encryption'}. For L2TP/IPsec: {enabled:'yes', use-ipsec:'required', ipsec-secret:'<psk>'}. Per-user accounts live in /ppp/secret with service='l2tp'.
GET get_sstp_server Get SSTP server config (singleton). Fields: enabled, port, certificate, authentication, default-profile, max-mtu, max-mru, mrru, tls-version, verify-client-certificate, force-aes.
POST set_sstp_server Update SSTP server config. Required: a TLS certificate (certificate=<name>). Default port is 443 — make sure it does NOT collide with www-ssl (REST API). Common: {enabled:'yes', certificate:'sstp-cert', port:'8443', authentication:'mschap2', default-profile:'default-encryption'}.
GET get_pptp_server Get PPTP server config (singleton). Fields: enabled, max-mtu, max-mru, mrru, authentication, default-profile, keepalive-timeout. NOTE: PPTP is cryptographically broken — use L2TP/IPsec, SSTP, or WireGuard for new deployments.
POST set_pptp_server Update PPTP server config. Discouraged for new deployments.
GET get_ovpn_server Get OpenVPN server config (singleton). Fields: enabled, port, mode, netmask, mac-address, max-mtu, certificate, require-client-certificate, auth (md5|sha1|sha256|sha512), cipher (blowfish128|aes128-cbc|aes192-cbc|aes256-cbc|aes128-gcm|aes192-gcm|aes256-gcm), default-profile, tls-version, redirect-gateway.
POST set_ovpn_server Update OpenVPN server config. RouterOS supports TCP only (no UDP). Modern interop: {enabled:'yes', mode:'ip', port:'1194', certificate:'ovpn-cert', require-client-certificate:'yes', auth:'sha256', cipher:'aes256-gcm,aes256-cbc', default-profile:'default-encryption'}.
GET list_ipsec_peers List IPsec peers. Each peer = remote endpoint + auth method + exchange-mode. Fields: name, address, profile, exchange-mode (ike2 recommended), passive, send-initial-contact, comment, disabled.
PUT add_ipsec_peer Add an IPsec peer. For IKEv2 modern setup: {name:'site-a', address:'203.0.113.5/32', profile:'default', exchange-mode:'ike2'}.
PATCH update_ipsec_peer Update an IPsec peer.
DELETE delete_ipsec_peer Delete an IPsec peer. Tears down all SAs to that peer.
GET list_ipsec_identities List IPsec identities — bind peers to auth credentials + mode-config + policy template.
PUT add_ipsec_identity Add an IPsec identity (peer + auth credentials). For PSK: {peer:'site-a', auth-method:'pre-shared-key', secret:'<psk>'}. For IKEv2 EAP: {peer:'rw', auth-method:'eap', eap-methods:'eap-mschapv2', username:'alice', password:'<pwd>'}.
PATCH update_ipsec_identity Update an IPsec identity.
DELETE delete_ipsec_identity Delete an IPsec identity.
GET list_ipsec_profiles List IPsec IKE profiles (Phase-1 / IKE_SA_INIT proposals). Each has name, hash-algorithm, enc-algorithm, dh-group, lifetime, nat-traversal.
PUT add_ipsec_profile Add an IPsec profile. Modern IKEv2: {name:'strong', hash-algorithm:'sha256', enc-algorithm:'aes-256', dh-group:'modp2048,ecp256', lifetime:'1d', nat-traversal:'yes'}.
PATCH update_ipsec_profile Update an IPsec profile.
DELETE delete_ipsec_profile Delete an IPsec profile. Cannot delete 'default'.
GET list_ipsec_proposals List IPsec ESP/AH proposals (Phase-2 / CHILD_SA crypto). Each has name, auth-algorithms, enc-algorithms, pfs-group, lifetime.
PUT add_ipsec_proposal Add an IPsec ESP/AH proposal.
PATCH update_ipsec_proposal Update an IPsec proposal.
DELETE delete_ipsec_proposal Delete an IPsec proposal. Cannot delete 'default'.
GET list_ipsec_policies List IPsec policies. Each policy = src/dst selector + action (encrypt|none|discard) + proposal + peer.
PUT add_ipsec_policy Add an IPsec policy. Static site-to-site: {peer:'site-a', src-address:'10.0.0.0/24', dst-address:'10.1.0.0/24', action:'encrypt', tunnel:'yes', proposal:'default', sa-src-address:'<local>', sa-dst-address:'<peer>'}. Road-warrior dynamic template: {peer:'rw', template:'yes', dst-address:'0.0.0.0/0', action:'encrypt'}.
PATCH update_ipsec_policy Update an IPsec policy.
DELETE delete_ipsec_policy Delete an IPsec policy. Active SAs are torn down.
GET list_ipsec_active_peers List currently negotiated IPsec peers. Fields: id, state (established | half-open | ...), uptime, side, remote-address, dynamic-address.
GET list_ipsec_installed_sa List currently installed IPsec SAs (Phase-2 ESP/AH security associations). Useful for debugging which selectors negotiated and how much data has flowed.
POST flush_ipsec_sa Tear down all currently installed IPsec SAs. They will renegotiate on next traffic. Use to recover from stuck SA state.
GET get_ipsec_settings Get global IPsec settings (singleton). Fields: accept-redirects, interim-update, max-events-per-second, xauth-use-radius.
POST set_ipsec_settings Update global IPsec settings.
GET list_containers List Docker-like containers configured on RouterOS (v7.4+ on supported hardware). Each has name, root-dir, mounts, interface, status, dns.
GET list_container_envs List container environment variables defined for use across containers.
GET list_container_mounts List defined container mount points (host directory to container path mappings).