# Mikrotik MCP Server — 297 tools via DADL

The Mikrotik DADL turns Mikrotik's API into an MCP server that Claude, GPT or any MCP-compatible agent can consume directly. One YAML file declares all 297 tools — system, firewall, ipsec, dhcp, ipv6, bridge — and ToolMesh serves them at runtime. No Python boilerplate, no per-endpoint code, no separate MCP server process.

Below: the endpoint coverage matrix, a two-block ToolMesh setup, the full tool reference grouped by Mikrotik feature area, and the required credential scopes.

**Source:** [MikroTik RouterOS REST API](https://help.mikrotik.com/docs/spaces/ROS/pages/47579162/REST+API)

**Updated:** 2026-05-25

**Tags:** networking, crud, user-management, authentication, logging, monitoring, file-management, deployment, auth:basic

## Which Mikrotik endpoints are covered?

**65%** (297 of ~450 endpoints).

**Focus:** system (resource, identity, clock, health, license, package, script, scheduler, reboot/shutdown, backup, note, logging rules + actions with /set twin), interfaces (generic set, list/CRUD, ethernet + atomic /set + switch chip + switch port, bridge + /set + port /set + VLAN CRUD + /set + /remove + host/FDB table, vlan, bonding CRUD, wireless legacy, wifi, lte + /set, wireguard + interface CRUD + peers, list/member + list CRUD), IP (address, route, ARP, neighbor, service set/enable/disable, pool, cloud + /set), DNS (settings, static, cache), DHCP server (CRUD + /set + delete, lease, network CRUD, make-static, client CRUD + release/renew), firewall (filter, NAT, mangle full CRUD + move, raw full CRUD + move, address-list update, connection tracking), IPv6 (address full CRUD, route CRUD, firewall filter CRUD + move, ND, settings /set), PPP (secret, active, profile CRUD), routing (BGP connection CRUD, BGP templates/sessions, OSPF instance + area CRUD, interface-templates, neighbors, routing-filter rules CRUD), queues (simple full, tree, type), tools (ping, traceroute, bandwidth-test, netwatch CRUD, email SMTP settings get/set + send), users (user, group CRUD, ssh-keys, active sessions), logs, certificates, files, SNMP, VPN servers (L2TP/SSTP/PPTP/OVPN singleton get/set), IPsec (peer, identity, policy, profile, proposal full CRUD; active-peers, installed-sa, flush, settings), container (RouterOS 7), MPLS basics

**Missing:** CAPsMAN controller endpoints (out of scope: CRS354 is Ethernet-only), RADIUS server config, hotspot user profiles/walled garden, /interface/wireless deep config (legacy stack; tooling focuses on the modern /interface/wifi stack), BGP VPN/VPLS, OSPFv3 (instance.version=3 supported but no separate tooling), MPLS LDP detail, RIPv2, traffic-flow exporter, traffic monitor, GPS, ROMON, dude integration, dot1x, w60g, modem deep config, /tool/fetch (file upload/download via REST), file repository sync, certificate ACME plugin, /caps-man for new wifi stack (intentional: per-device wifi-config exposes set already). Also broken until ToolMesh wrapper fix (2026-05-25): every update_*/delete_* using PATCH/DELETE /xxx/{*N-id} returns HTTP 400 due to missing percent-encoding of the .id asterisk — see top-of-file 'Known ToolMesh wrapper bugs' note. Workarounds via POST /xxx/set + 'numbers' (and POST /xxx/remove + 'numbers' where exposed, e.g. remove_bridge_vlan) are unaffected.

*Last reviewed: 2026-05-25*

## How do you configure the Mikrotik DADL?

1. Log in to your MikroTik device via Winbox, SSH, or WebFig as an admin.
2. Enable the REST API service: `/ip/service> set www-ssl disabled=no` (HTTPS) or `set www disabled=no` (HTTP, NOT recommended for production).
3. Ensure www-ssl has a valid certificate: `/ip/service> set www-ssl certificate=<cert-name>`
4. Create a dedicated API user: `/user/add name=api-user password=<strong-password> group=read` (or 'full' / a custom group).
5. For least-privilege custom groups: `/user/group/add name=api-readonly policy=api,read,test,winbox`
6. Verify access: `curl -k -u api-user:<password> https://<router-ip>/rest/system/resource` (`-k` skips certificate verification; it is only needed while the router presents a self-signed certificate).
7. Store the credentials: `CREDENTIAL_MIKROTIK_USERNAME=api-user` and `CREDENTIAL_MIKROTIK_PASSWORD=<password>`
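The setup steps above can be checked after the fact. The following is an added example (not part of the DADL or ToolMesh) that audits service and group records for the conditions this page names: plain-HTTP `www` left enabled, `www-ssl` without a certificate or source restriction, a group missing the `api` policy, and a read-only API user whose group holds write-class policies. The sample records are constructed, and their shape (string-valued fields, `!`-prefixed denied policies, `certificate` reading `none` when unset) is an assumption about what `/rest/ip/service` and `/rest/user/group` return.

```python
"""Audit a RouterOS REST setup against the configuration steps (added example)."""

# Policies this page lists as the extra set needed for full management.
WRITE_CLASS = {"write", "policy", "reboot", "ftp", "sensitive"}


def is_true(value):
    # Assumption: the REST API returns booleans as strings ("true"/"false").
    return str(value).lower() in ("true", "yes")


def granted_policies(policy_field):
    """Split a group's policy string; entries prefixed with '!' are denied."""
    items = [p.strip() for p in policy_field.split(",") if p.strip()]
    return {p for p in items if not p.startswith("!")}


def audit_services(services):
    """Return findings for the www / www-ssl records of an /ip/service listing."""
    findings = []
    by_name = {s["name"]: s for s in services}
    www = by_name.get("www")
    if www and not is_true(www.get("disabled", "false")):
        findings.append("www (plain HTTP) is enabled")
    ssl = by_name.get("www-ssl")
    if ssl is None or is_true(ssl.get("disabled", "false")):
        findings.append("www-ssl is disabled: no HTTPS REST endpoint")
        return findings
    if ssl.get("certificate", "none") in ("", "none"):
        findings.append("www-ssl has no certificate assigned")
    if not ssl.get("address"):
        findings.append("www-ssl accepts any source address")
    return findings


def audit_api_user(user, groups, read_only=True):
    """Check the API user's group: 'api' is required, write-class is flagged."""
    group = next((g for g in groups if g["name"] == user["group"]), None)
    if group is None:
        return [f"user {user['name']}: group {user['group']} not found"]
    findings = []
    granted = granted_policies(group["policy"])
    if "api" not in granted:
        findings.append(f"group {group['name']}: missing 'api' policy")
    extra = sorted(granted & WRITE_CLASS)
    if read_only and extra:
        findings.append(
            f"group {group['name']}: read-only API user holds {','.join(extra)}"
        )
    return findings


# Constructed sample records (not captured from a real device).
WEAK_SERVICES = [
    {"name": "www", "port": "80", "disabled": "false", "address": ""},
    {"name": "www-ssl", "port": "443", "disabled": "false",
     "certificate": "none", "address": ""},
]
HARDENED_SERVICES = [
    {"name": "www", "port": "80", "disabled": "true", "address": ""},
    {"name": "www-ssl", "port": "443", "disabled": "false",
     "certificate": "rest-cert", "address": "10.0.0.5/32"},
]
GROUPS = [
    {"name": "api-readonly",
     "policy": "api,read,test,winbox,!write,!policy,!reboot,!ftp,!sensitive"},
    {"name": "full",
     "policy": "api,read,test,winbox,write,policy,reboot,ftp,sensitive"},
    {"name": "monitor", "policy": "read,test,winbox"},
]

if __name__ == "__main__":
    for line in audit_services(WEAK_SERVICES):
        print("service:", line)
    for line in audit_api_user({"name": "api-user", "group": "full"}, GROUPS):
        print("user:", line)
```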

**Environment variables:** `CREDENTIAL_MIKROTIK_USERNAME` and `CREDENTIAL_MIKROTIK_PASSWORD`

[Authentication docs](https://help.mikrotik.com/docs/spaces/ROS/pages/47579162/REST+API)

*RouterOS v7.1+ required (v7.9+ recommended). Most MikroTik devices ship with self-signed certificates -- ToolMesh must skip TLS verification or you must install a trusted certificate via /certificate/import. The 'api' policy is REQUIRED on the user's group for any REST access. For read-only monitoring, use group with policy=api,read,test,winbox; for full management add write,policy,reboot,ftp,sensitive. Known ToolMesh wrapper bugs (2026-05-25): (1) PATCH/DELETE /xxx/{*N-id} return HTTP 400 — use POST /xxx/set + 'numbers' (e.g. set_bridge_vlan) and POST /xxx/remove + 'numbers' (e.g. remove_bridge_vlan) instead. (2) set_bridge_port 'numbers' must be the bridge-port .id, not interface name. (3) JSON null is dropped by the wrapper — use empty string '' to clear fields. Full detail in the comment block at the top of this file.*
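The three wrapper bugs in the note above each have a client-side handling, sketched here as an added example (not ToolMesh or DADL code): percent-encoding the `.id` in a PATCH/DELETE path, resolving an interface name to its bridge-port `.id` before calling `set_bridge_port`, and sending `''` instead of JSON null. The function names, the `wrapper_fixed` switch and the sample `list_bridge_ports` rows are hypothetical and constructed for illustration.

```python
"""Client-side handling for the three wrapper bugs (added example)."""
from urllib.parse import quote


def id_path(resource, record_id):
    """Path for PATCH/DELETE with the .id percent-encoded ('*6' -> '%2A6')."""
    # safe='' so that neither '*' nor '/' passes through unencoded.
    return f"/{resource.strip('/')}/{quote(record_id, safe='')}"


def clean_fields(changes):
    """Bug 3: JSON null is dropped, so clear a field with '' instead of None."""
    return {key: "" if value is None else str(value)
            for key, value in changes.items()}


def bridge_port_id(bridge_ports, interface, bridge=None):
    """Bug 2: map an interface name to the bridge-port record's .id."""
    matches = [
        row for row in bridge_ports
        if row.get("interface") == interface
        and (bridge is None or row.get("bridge") == bridge)
    ]
    if not matches:
        raise LookupError(f"{interface} is not a bridge port")
    if len(matches) > 1:
        raise LookupError(f"{interface} matches several records; pass bridge=")
    return matches[0][".id"]


def set_bridge_port_body(bridge_ports, interface, changes):
    """Body for set_bridge_port: 'numbers' carries the .id, never the name."""
    body = {"numbers": bridge_port_id(bridge_ports, interface)}
    body.update(clean_fields(changes))
    return body


def plan_bridge_vlan_update(record_id, changes, wrapper_fixed=False):
    """Bug 1: pick the request for a bridge-vlan update.

    Returns (method, path, body). Until the wrapper encodes the path itself,
    use POST .../set with the .id in the body; afterwards PATCH with an
    encoded path is equivalent.
    """
    if not record_id.startswith("*"):
        raise ValueError("expected a .id such as '*6'")
    fields = clean_fields(changes)
    if wrapper_fixed:
        return ("PATCH", id_path("interface/bridge/vlan", record_id), fields)
    return ("POST", "/interface/bridge/vlan/set",
            {"numbers": record_id, **fields})


# Constructed rows shaped like a list_bridge_ports response.
BRIDGE_PORTS = [
    {".id": "*2E", "bridge": "bridge1", "interface": "ether47", "pvid": "1"},
    {".id": "*2F", "bridge": "bridge1", "interface": "ether48", "pvid": "1"},
]

if __name__ == "__main__":
    print(set_bridge_port_body(BRIDGE_PORTS, "ether47",
                               {"pvid": 10, "comment": None}))
    print(plan_bridge_vlan_update("*6", {"comment": "uplink"}))
    print(plan_bridge_vlan_update("*6", {"comment": "uplink"},
                                  wrapper_fixed=True))
```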

## How do you install the Mikrotik MCP server with ToolMesh?

Add to your `backends.yaml`:

```yaml
- name: mikrotik
  transport: rest
  dadl: mikrotik.dadl
  url: "https://10.0.0.1/rest"   # HTTPS (recommended) -- requires www-ssl service
  # url: "http://10.0.0.1/rest"  # plain HTTP -- requires www service (RouterOS v7.9+)

```

Set the credential:

```
CREDENTIAL_MIKROTIK_USERNAME=api-user
CREDENTIAL_MIKROTIK_PASSWORD=<password>
```

## What 297 tools does the Mikrotik DADL expose?

- **GET** `get_system_resource` — Get the device's hardware and runtime resource summary: architecture (mipsbe/arm/arm64/x86_64/tile), board-name, CPU model and count, CPU load, RAM (free/total), HDD (free/total), uptime, RouterOS version, build-time. Returns a single JSON object (NOT an array).

- **GET** `get_system_identity` — Get the device's identity (hostname shown in Winbox, neighbor discovery, and the CLI prompt). Returns a single-field object: {"name":"<hostname>"}.

- **POST** `set_system_identity` — Set the device's hostname/identity. Send {name: '<new-name>'}.
- **GET** `get_system_clock` — Get the current date, time, timezone, and DST setting on the device. Useful for verifying NTP sync and timezone configuration.

- **POST** `set_system_clock` — Set the device clock. Useful fields: time-zone-name (e.g. 'Europe/Berlin'), time-zone-autodetect ('yes'/'no'), date ('YYYY-MM-DD'), time ('HH:MM:SS').

- **GET** `get_ntp_client` — Get NTP client config and live sync state. Key fields: enabled ('true'/'false'), mode (unicast|broadcast|multicast|manycast), servers (comma-separated upstream NTP server IPs/FQDNs), vrf. Read-only status fields: status (started|stopped| synchronized|using-local-clock|error|search), synced-server, synced-stratum, system-offset (e.g. '0.5ms'), freq-diff. If 'status' is anything other than 'synchronized', the device clock is drifting on its own RTC/quartz.

- **POST** `set_ntp_client` — Update the NTP client. Most common change: provide a comma-separated list of trusted NTP servers and enable the client. Example body: {enabled:'yes', servers:'time.cloudflare.com,ptbtime1.ptb.de', mode:'unicast'}. Apply takes effect immediately; allow a few seconds for first sync attempt.

- **GET** `get_ntp_server` — Get the device's NTP SERVER config (whether this router serves time to other clients). Fields: enabled, broadcast, multicast, manycast, use-local-clock, local-clock-stratum, vrf, broadcast-addresses. Most edge devices keep this disabled and rely solely on the client.

- **POST** `set_ntp_server` — Update the NTP server config (enable broadcast/multicast/manycast NTP serving).
- **GET** `get_system_health` — Get hardware sensor readings: CPU temperature, board temperature, fan speeds, voltage, PSU state. Available sensors vary by hardware model; small devices (hAP lite, hEX lite) expose only a subset.

- **GET** `get_system_health_settings` — Get the cooling/fan control settings (separate from the read-only sensor values in /system/health). Typical fields: fan-mode (auto|manual), fan-min-speed-percent (PWM floor, e.g. 30), fan-target-temperature (target CPU/board temp for PWM control, e.g. 55), and PSU-related toggles (use-fan, fan-failure-trigger). Available only on devices with controllable fans (CCR, CRS3xx with PWM headers, RB5009, etc.). On fan-less hardware (cAP, hAP, hEX, CHR) this endpoint typically returns an empty object.

- **POST** `set_system_health_settings` — Configure cooling/fan behavior. Common changes -- quieter idle: {fan-mode:'auto', fan-min-speed-percent:'20', fan-target-temperature:'55'}. Force constant high RPM (e.g. dusty environment): {fan-mode:'manual', fan-min-speed-percent:'100'}. CAUTION: setting fan-target-temperature too high (>70C) or fan-min-speed-percent too low on a thermally constrained chassis can cause throttling or shutdown. Verify with get_system_health afterwards.

- **GET** `get_system_license` — Get the RouterOS license level (0-6), software-id, and CHR upgrade state. Level 6 = CHR/x86, levels 4-5 = WISP/Controller.
- **GET** `get_routerboard` — Get RouterBOARD hardware info: model, serial-number, firmware-type, factory-firmware (the firmware that shipped from the factory), current-firmware (running), upgrade-firmware (latest available bundled with the running RouterOS package), routerboot version. The 'routerboard' flag is 'true' on physical MikroTik hardware and 'false' on CHR/x86 (where this endpoint typically returns empty). For CRS3xx switches this is the canonical source for the factory firmware revision and the bootloader (RouterBOOT) version that the device shipped with.

- **POST** `upgrade_routerboard_firmware` — Trigger a RouterBOOT firmware upgrade to the version reported in 'upgrade-firmware'. The new firmware is staged for the next boot -- the device MUST be rebooted (POST /system/reboot) for the upgrade to take effect. Different from RouterOS package upgrades (see install_package_updates) -- this updates ONLY the bootloader/CPLD/SoC firmware bundled with the running RouterOS package. Returns no body on success; check get_routerboard afterwards to confirm current-firmware matches upgrade-firmware.

- **POST** `downgrade_routerboard_firmware` — Downgrade RouterBOOT firmware to the factory firmware. Same reboot requirement as upgrade. Rarely needed; use only when a RouterBOOT upgrade caused issues and you need to revert.

- **GET** `list_system_packages` — List all installed RouterOS packages with version, build time, and disabled state. Standard package set: system, wireless, ipv6, advanced-tools, routing, security, wifi-qcom-ac, etc. Disabled packages remain on flash but are not loaded.

- **POST** `enable_system_package` — Enable a package by name. Requires reboot to take effect.
- **POST** `disable_system_package` — Disable a package by name. Requires reboot to unload.
- **POST** `check_for_package_updates` — Check the MikroTik update server for available RouterOS updates. Returns installed-version, latest-version, status ('System is already up to date', 'New version is available'). Does NOT install -- use install_package_updates.

- **POST** `install_package_updates` — Download and install RouterOS updates from MikroTik servers. The device WILL reboot after install. Channel must be set first via set channel (stable, long-term, testing, development).

- **GET** `list_system_scripts` — List all stored scripts on the device with name, source code, run-count, last-started, owner, and policies.
- **GET** `get_system_script` — Get a single script by .id or name. Returns the full source field.
- **PUT** `add_system_script` — Create a new script. Provide name and source (RouterOS scripting language).
- **PATCH** `update_system_script` — Update an existing script's source, policies, or comment.
- **DELETE** `delete_system_script` — Delete a script by .id or name.
- **POST** `run_system_script` — Execute a stored script by .id. Output (if any) is appended to the system log.
- **GET** `list_system_scheduler` — List scheduled tasks (cron-like). Each has name, start-date, start-time, interval, on-event (script to run), policy, run-count, next-run.
- **PUT** `add_system_scheduler` — Schedule a script to run at a specific time or interval.
- **PATCH** `update_system_scheduler` — Update a scheduled task (name, on-event, start-date/time, interval, policy, comment, disabled).
- **DELETE** `delete_system_scheduler` — Delete a scheduled task by .id or name.
- **POST** `reboot_system` — Reboot the device immediately. Disconnects ALL sessions; device will be offline for 30-90 seconds. There is no undo. Confirm intent before calling.

- **POST** `shutdown_system` — Power-off the device immediately. Device requires physical power-cycle to come back online. Use only when you have on-site access.

- **POST** `create_backup` — Create a binary backup of the running configuration. Stored on device flash as <name>.backup. Retrieve via FTP/SFTP -- the REST API does not stream file contents.

- **POST** `load_backup` — Restore configuration from a backup file. Device WILL reboot. Backup must already exist in /file (uploaded via FTP/SFTP or made via create_backup).

- **POST** `export_config` — Export the running configuration as an RSC script. If 'file' is provided, writes to /file/<name>.rsc on the device; otherwise returns the script text inline. 'compact' (yes/no) and 'verbose' (yes/no) control verbosity.

- **GET** `get_system_note` — Get the login banner / system note shown on console login. Often used for ownership/contact info.
- **POST** `set_system_note` — Set the login banner / system note.
- **GET** `list_interfaces` — List all interfaces (physical and virtual) with name, type, MTU, MAC address, running/disabled state, rx/tx-byte counters, last-link-up/down. Type values: ether, vlan, bridge, wireless, wifi, wireguard, lte, ppp-client, ovpn-server, ovpn-client, l2tp-server, sstp-server, pptp-server, eoip, ipip, gre, vrrp, etc.

- **GET** `get_interface` — Get a single interface by name (e.g. 'ether1', 'bridge1') or .id (e.g. '*1').
- **PATCH** `update_interface` — Update common interface properties: name, comment, mtu (L3), l2mtu (L2), disabled, arp mode. NOTE on jumbo frames: RouterOS clamps L3 'mtu' to l2mtu - 14 bytes. To run mtu=9000 you must FIRST raise 'l2mtu' to at least 9014 (or use the max-l2mtu the hardware reports). On CRS3xx switch-chips the per-port l2mtu IS writable and changes the chip's accepted frame size on that port.

- **POST** `enable_interface` — Enable one or more interfaces by .id or name (comma-separated in 'numbers').
- **POST** `disable_interface` — Disable one or more interfaces.
- **POST** `monitor_interface_traffic` — Sample rx/tx rates for an interface. ALWAYS pass once='' to avoid the 60s timeout, otherwise the API streams indefinitely.

- **POST** `set_interface` — Atomically update one or more interfaces (any type) via the CLI-style '/interface set'. Use this when you need to change name/comment/mtu/disabled across MIXED interface types in one transaction (CLI: '/interface set [find ...] mtu=9000'). For ether-specific atomic edits (l2mtu, speed, duplex) use set_ethernet_interface; for cellular APN/mode use set_lte_interface. The generic /interface/set only touches L3 mtu and cannot raise l2mtu on Ethernet ports.

- **GET** `list_ethernet_interfaces` — List physical Ethernet ports with name, default-name, MAC, MTU, speed, auto-negotiation, full-duplex, SFP details.
- **POST** `set_ethernet_interface` — Atomically update one or more Ethernet ports via the CLI-style '/interface/ethernet set' command. PREFERRED for jumbo-frame setup on switches: PATCH /interface/ethernet/{id} returns HTTP 400 when a port is a bridge slave (slave='true') OR when mtu would exceed current l2mtu - 14. This POST endpoint sets l2mtu and mtu in a single atomic transaction so the validator sees both new values together. Reference ports via 'numbers' (comma-separated names or .ids).

- **PATCH** `update_ethernet_interface` — Update an Ethernet port's properties (name, speed, advertise, full-duplex, auto-negotiation, comment, disabled, MTU/l2mtu, MAC override). Jumbo-frame note: raise l2mtu (e.g. to 9014 or up to max-l2mtu) BEFORE setting mtu=9000, otherwise RouterOS silently clamps mtu to l2mtu - 14. For slave (bridge-member) ports this PATCH frequently returns HTTP 400 when changing mtu/l2mtu -- use set_ethernet_interface instead, which sets both values atomically via the /set endpoint.

- **GET** `list_ethernet_switches` — List hardware switch chips (CRS3xx-series and similar). Each chip has name (e.g. 'switch1'), type, mirror-source, mirror-target, cpu-flow-control. On boxes with no switch chip (RB4011, hAP family) this returns an empty array.

- **GET** `list_ethernet_switch_ports` — List per-port switch-chip configuration (separate from /interface/ethernet L2/L3 view). Fields: name (chip-port id like 'switch1-cpu' or 'ether1'), l2mtu, vlan-mode, vlan-header, default-vlan-id, mirror, mirror-egress. On CRS3xx the chip enforces its own per-port l2mtu — this is the cap that /interface/ethernet l2mtu is clamped against. For end-to-end jumbo you usually need set_ethernet_interface (raises ether l2mtu) AND, on older firmwares, set_ethernet_switch_port (raises chip-port l2mtu).

- **POST** `set_ethernet_switch` — Atomically update one or more switch chips. Reference via 'numbers' (chip name or .id). Use for changing mirror-source/mirror-target, cpu-flow-control. Rarely needed on a 'just give me jumbo frames' workflow — try set_ethernet_interface first.

- **POST** `set_ethernet_switch_port` — Atomically update one or more switch-chip ports. Reference via 'numbers' (port name like 'ether1' or chip-port .id). Most relevant field is 'l2mtu' on older RouterOS releases where the chip cap needs explicit bumping for jumbo. On RouterOS 7.10+ the chip auto-tracks /interface/ethernet l2mtu; this endpoint is the fallback if your hardware does not.

- **GET** `list_bridges` — List bridge interfaces (Layer-2 software switches). Returns name, mtu, protocol-mode (none|rstp|stp|mstp), vlan-filtering, igmp-snooping, fast-forward.
- **PUT** `add_bridge` — Create a new bridge interface. At minimum provide name; common options: protocol-mode (rstp), vlan-filtering ('yes' for VLAN-aware bridge).
- **PATCH** `update_bridge` — Update bridge properties (name, protocol-mode, vlan-filtering, igmp-snooping, fast-forward, mtu, admin-mac, comment).
- **POST** `set_bridge` — Atomically update one or more bridges via CLI-style '/interface/bridge set'. Useful when you need to flip vlan-filtering or protocol-mode on multiple bridges in one transaction. Reference via 'numbers' (bridge name or .id).

- **DELETE** `delete_bridge` — Delete a bridge by .id or name. Removes all port memberships.
- **GET** `list_bridge_ports` — List bridge port memberships (which interfaces are members of which bridges). Key fields: bridge, interface, pvid, frame-types, ingress-filtering.
- **PUT** `add_bridge_port` — Add an interface to a bridge.
- **DELETE** `delete_bridge_port` — Remove a port from a bridge.
- **POST** `set_bridge_port` — Atomically update one or more bridge ports via CLI-style '/interface/bridge/port set'. Use this instead of PATCH when you need to flip pvid/frame-types/ingress-filtering on many ports together; PATCH on individual bridge-port records can interact awkwardly with hardware offload and slave validation.
IMPORTANT (verified 2026-05-25, RouterOS 7.x): 'numbers' MUST be the bridge-port record's .id (e.g. '*2E'). Passing the interface name (e.g. 'ether47') returns HTTP 404 — unlike the CLI, the REST endpoint does NOT resolve interface→bridge-port. Lookup pattern: call list_bridge_ports, find the row where .interface matches the port you want, take its .id, then pass that as 'numbers'.

- **GET** `list_bridge_hosts` — List the bridge forwarding database (FDB) — every MAC the bridge has learned, plus where (which port). Fields: mac-address, on-interface, bridge, age, local (yes=our own MAC), external (yes=learned from another switch), dynamic. Essential for debugging "host disappeared" issues — confirms whether the bridge ever saw the MAC.

- **GET** `list_bridge_vlans` — List bridge VLAN configurations (which VLAN IDs are tagged/untagged on which bridge ports). Used with vlan-filtering=yes bridges.
- **PUT** `add_bridge_vlan` — Configure VLAN tagging on a bridge.
- **PATCH** `update_bridge_vlan` — Update an existing bridge-vlan record (tagged/untagged port lists, comment, disabled).
KNOWN BROKEN (ToolMesh wrapper bug, 2026-05-25): this PATCH returns HTTP 400 on RouterOS because the wrapper does not percent-encode the leading asterisk in the .id URL segment (e.g. '*6' should be '%2A6'). Reproduced empirically on a freshly-added empty test VLAN with a trivial comment change. WORKAROUND: use set_bridge_vlan (POST /interface/bridge/vlan/set with 'numbers') instead — it passes the .id in the body and is not affected by the bug. See top-of-file 'Known ToolMesh wrapper bugs' note.

- **DELETE** `delete_bridge_vlan` — Remove a bridge-vlan record.
KNOWN BROKEN (ToolMesh wrapper bug, 2026-05-25): this DELETE returns HTTP 400 — same .id URL-encoding bug as update_bridge_vlan. WORKAROUND: use remove_bridge_vlan (POST /interface/bridge/vlan/remove with 'numbers') instead.

- **POST** `set_bridge_vlan` — Update a bridge-vlan record via CLI-style '/interface/bridge/vlan set'. Reference via 'numbers' = the .id of the bridge-vlan record (e.g. '*6'). PREFERRED over update_bridge_vlan until the ToolMesh wrapper bug for PATCH /xxx/{*N-id} URL encoding is fixed — see the top-of-file 'Known ToolMesh wrapper bugs' note. Lookup the .id with list_bridge_vlans first.
Note: although the CLI accepts multi-record selectors (e.g. `[find vlan-ids=10,20]`), the REST docs only show single-.id examples for /set. Treat this endpoint as one .id per call; loop in a composite if you need batch.

- **POST** `remove_bridge_vlan` — Remove a bridge-vlan record via CLI-style '/interface/bridge/vlan remove'. Reference via 'numbers' = the .id of the bridge-vlan record. PREFERRED over delete_bridge_vlan until the ToolMesh wrapper bug for DELETE /xxx/{*N-id} URL encoding is fixed. Lookup the .id with list_bridge_vlans first. Single .id per call (see set_bridge_vlan note).

- **GET** `list_vlan_interfaces` — List VLAN interfaces (802.1Q sub-interfaces). Each has name, vlan-id, interface (parent), mtu.
- **PUT** `add_vlan_interface` — Create a VLAN sub-interface on a physical or bridge interface.
- **DELETE** `delete_vlan_interface` — Delete a VLAN interface.
- **GET** `list_bonding_interfaces` — List bonding (link aggregation) interfaces. Modes: 802.3ad (LACP), balance-rr, balance-xor, broadcast, active-backup, etc.
- **PUT** `add_bonding_interface` — Create a bonding interface that aggregates physical Ethernet ports. For switch-side LACP both sides must speak 802.3ad.
- **PATCH** `update_bonding_interface` — Update a bonding interface (slaves, mode, lacp-rate, hash policy, comment).
- **DELETE** `delete_bonding_interface` — Delete a bonding interface. Member ports return to individual L2 state.
- **GET** `list_interface_lists` — List interface lists (named groups of interfaces, used in firewall rules as 'in-interface-list' / 'out-interface-list'). Default lists: WAN, LAN.
- **PUT** `add_interface_list` — Create a new interface list. Use to group interfaces for firewall in-/out-interface-list matching.
- **DELETE** `delete_interface_list` — Delete an interface list. Firewall rules referencing it will break — audit first.
- **GET** `list_interface_list_members` — List members of all interface lists. Key fields: list, interface.
- **PUT** `add_interface_list_member` — Add an interface to an interface list.
- **DELETE** `delete_interface_list_member` — Remove an interface from an interface list.
- **GET** `list_wireless_interfaces` — List legacy wireless interfaces (cAP, hAP ac, RB devices). Each has ssid, mode (ap-bridge|station|station-bridge|bridge), band, channel-width, frequency, security-profile, radio-name, master-interface. Use list_wifi_interfaces for newer cAP ax / hAP ax / Audience devices.

- **GET** `list_wireless_security_profiles` — List wireless security profiles (WPA/WPA2/WPA3 PSK and EAP). Key fields: name, mode, authentication-types, wpa2-pre-shared-key, group-ciphers, unicast-ciphers.
- **GET** `list_wireless_registrations` — List currently associated wireless clients (CAPsMAN/wireless). Returns mac-address, interface, signal-strength, tx-rate, rx-rate, uptime.
- **GET** `list_wifi_interfaces` — List newer 802.11ax wifi interfaces (cAP ax, hAP ax, Audience family). Newer stack than /interface/wireless.
- **GET** `list_wifi_registrations` — List clients connected to the new wifi stack interfaces.
- **POST** `monitor_wifi` — Sample current wifi interface state (channel, tx-rate, noise floor). ALWAYS pass once=''.
- **GET** `list_lte_interfaces` — List LTE/cellular modem interfaces. Each has name, apn, pin, network-mode, status, imei.
- **POST** `set_lte_interface` — Update an LTE modem interface (APN, network selection, PIN, name). Reference via 'numbers' (lte interface name). Carrier change normally triggers a brief re-attach (5-10s). For per-APN profile work see /interface/lte/apn (singleton APN list is queryable via the modem itself).

- **POST** `monitor_lte` — Sample LTE modem state (signal RSSI/RSRP/RSRQ, technology, current-operator, cell-id). ALWAYS pass once=''.
- **GET** `list_wireguard_interfaces` — List WireGuard VPN interfaces. Each has name, public-key, private-key (hidden unless 'sensitive' policy), listen-port, mtu.
- **PUT** `add_wireguard_interface` — Create a WireGuard interface. RouterOS auto-generates a key pair if private-key is omitted.
- **PATCH** `update_wireguard_interface` — Update a WireGuard interface (listen-port, private-key, mtu, comment, disabled). Rotating private-key requires re-distributing the resulting public-key to every peer — handle with care.

- **DELETE** `delete_wireguard_interface` — Delete a WireGuard interface. ALL associated peers are removed implicitly.
- **GET** `list_wireguard_peers` — List configured WireGuard peers. Key fields: interface, public-key, endpoint-address, endpoint-port, allowed-address, last-handshake, rx, tx, current-endpoint-address.
- **PUT** `add_wireguard_peer` — Add a WireGuard peer to an interface.
- **PATCH** `update_wireguard_peer` — Update a WireGuard peer (allowed-address, endpoint, keepalive, comment, disabled).
- **DELETE** `delete_wireguard_peer` — Remove a WireGuard peer.
- **GET** `list_ip_addresses` — List all configured IPv4 addresses with address (CIDR), network, interface, dynamic (yes for DHCP-acquired), disabled, comment.
- **PUT** `add_ip_address` — Assign an IPv4 address to an interface.
- **PATCH** `update_ip_address` — Update an IP address record (address, interface, comment, disabled).
- **DELETE** `delete_ip_address` — Remove an IPv4 address. May disconnect remote sessions if the deleted address is the management IP.
- **GET** `list_ip_routes` — List the IPv4 routing table. Each route has dst-address (CIDR), gateway, distance, scope, target-scope, routing-mark, active, dynamic, suppress-hw-offload. Filter active=true to see only currently used routes.

- **PUT** `add_ip_route` — Add a static IPv4 route. Default route: dst-address='0.0.0.0/0' with a gateway.
- **PATCH** `update_ip_route` — Update a static route.
- **DELETE** `delete_ip_route` — Delete a static route.
- **GET** `list_ip_arp` — List the ARP (IPv4-to-MAC) table. Includes static and dynamic entries with address, mac-address, interface, complete (yes/no), dynamic.
- **PUT** `add_ip_arp` — Add a static ARP entry (useful for ARP reply-only mode).
- **DELETE** `delete_ip_arp` — Remove an ARP entry.
- **GET** `list_ip_neighbors` — List devices discovered via MNDP/CDP/LLDP on directly connected interfaces. Useful for topology discovery.
- **GET** `list_ip_services` — List the management services and their state: api, api-ssl, ftp, ssh, telnet, winbox, www (HTTP), www-ssl (HTTPS REST). Each has port, address (allowed source CIDR), disabled, certificate, tls-version.

- **POST** `set_ip_service` — Update a management service (enable/disable, change port, restrict source 'address' list, bind to certificate). NOTE: /ip/service is one of the few RouterOS endpoints that does NOT support PATCH -- use this POST /set form (mirrors the CLI '/ip/service set ...' command). Reference services via 'numbers' as the service name (e.g. 'telnet', 'www-ssl') or .id ('*0'). Be careful disabling the service you are currently connected through.

- **POST** `disable_ip_service` — Convenience wrapper to disable one or more services. Pass service name(s) or .id(s) as comma-separated 'numbers'.
- **POST** `enable_ip_service` — Convenience wrapper to enable one or more services. Pass service name(s) or .id(s) as comma-separated 'numbers'.
- **GET** `list_ip_pools` — List IP address pools (used by DHCP server, PPP server, etc.). Each has name, ranges (CIDR or IP range), next-pool.
- **GET** `get_ip_cloud` — Get MikroTik IP Cloud (dynamic DNS) status: ddns-enabled, dns-name (xxxxx.sn.mynetname.net), public-address, status.
- **POST** `set_ip_cloud` — Update MikroTik IP Cloud (dynamic DNS) settings. Singleton — toggle ddns-enabled='yes' to register the device's WAN IP with mynetname.net. Disable update-time='yes' if you do NOT want IP Cloud to push device time (e.g. when you have your own NTP servers).

- **GET** `get_dns_settings` — Get DNS resolver settings: servers (upstream), dynamic-servers, allow-remote-requests, cache-size, max-concurrent-queries.
- **POST** `update_dns_settings` — Update DNS resolver settings.
- **GET** `list_dns_static` — List static DNS entries (local DNS records). Each has name, type (A|AAAA|CNAME|NS|MX|SRV|TXT), address/cname/target, ttl.
- **PUT** `add_dns_static` — Add a static DNS entry. Use either name+address (A record) or name+cname.
- **PATCH** `update_dns_static` — Update a static DNS entry.
- **DELETE** `delete_dns_static` — Remove a static DNS entry.
- **GET** `list_dns_cache` — List currently cached DNS resolutions on the device.
- **POST** `flush_dns_cache` — Clear the DNS resolver cache.
- **GET** `list_dhcp_servers` — List DHCP server instances. Each has name, interface, address-pool, lease-time, authoritative, disabled.
- **PUT** `add_dhcp_server` — Create a DHCP server. Requires interface and address-pool.
- **PATCH** `update_dhcp_server` — Update a DHCP server.
- **POST** `set_dhcp_server` — Atomically update one or more DHCP server instances via CLI-style '/ip/dhcp-server set'. Reference via 'numbers' (server name or .id). Use this when changing lease-time / authoritative across multiple servers in one go.

- **DELETE** `delete_dhcp_server` — Delete a DHCP server instance. Clients will fail to renew leases.
- **GET** `list_dhcp_leases` — List DHCP leases (both dynamic and static reservations). Key fields: address, mac-address, server, host-name, dynamic (yes/no), status (bound | waiting | offered | expired), last-seen, comment.

- **PUT** `add_dhcp_lease` — Create a static DHCP reservation.
- **DELETE** `delete_dhcp_lease` — Delete a DHCP lease/reservation.
- **POST** `make_dhcp_lease_static` — Convert a dynamic DHCP lease into a static reservation. Most common workflow for reserving an IP for a known device.
- **GET** `list_dhcp_networks` — List DHCP network options (subnet, gateway, dns-server, ntp-server, domain) advertised to clients.
- **PUT** `add_dhcp_network` — Add DHCP network options for a subnet.
- **PATCH** `update_dhcp_network` — Update a DHCP server network (gateway, dns, ntp, domain, comment).
- **DELETE** `delete_dhcp_network` — Remove a DHCP server network. Existing leases remain but new clients will get no options.
- **GET** `list_dhcp_clients` — List DHCP client instances. Each has interface, status (bound|searching|stopped), address, gateway, primary-dns, secondary-dns, expires-after.
- **PUT** `add_dhcp_client` — Enable a DHCP client on an interface (typical WAN setup).
- **PATCH** `update_dhcp_client` — Update a DHCP client (interface, add-default-route, use-peer-dns, etc.).
- **DELETE** `delete_dhcp_client` — Delete a DHCP client. WAN-side delete may sever connectivity — confirm before invoking.
- **POST** `release_dhcp_client` — Release the current lease on a DHCP client and re-discover. Brief connectivity drop expected.
- **POST** `renew_dhcp_client` — Force a DHCP renew on a client. Useful when DNS/gateway info has changed on the upstream server.
- **GET** `list_firewall_filter` — List IPv4 firewall filter rules. Each rule has chain (input|forward|output|<custom>), action (accept|drop|reject|jump|log|...), protocol, src-address, dst-address, src-port, dst-port, in-interface, out-interface, connection-state, comment. Rules are evaluated TOP-TO-BOTTOM per chain.

- **PUT** `add_firewall_filter` — Add an IPv4 firewall filter rule. Required: chain and action. New rules are appended to the END of the chain -- use move_firewall_filter to reorder.

- **PATCH** `update_firewall_filter` — Update an existing filter rule (any field).
- **DELETE** `delete_firewall_filter` — Delete a filter rule. Removing an accept rule can lock you out -- check before deleting.
- **POST** `move_firewall_filter` — Reorder filter rules. Move rule(s) in 'numbers' to position before 'destination'.
- **GET** `list_firewall_nat` — List IPv4 NAT rules (srcnat/dstnat). Common actions: masquerade (srcnat to outgoing interface), dst-nat (port forward), src-nat, redirect.
- **PUT** `add_firewall_nat` — Add a NAT rule. Common patterns -- Masquerade (LAN to WAN): {chain:'srcnat',action:'masquerade',out-interface-list:'WAN'}. Port forward (DNAT): {chain:'dstnat',action:'dst-nat',protocol:'tcp',dst-port:'80',in-interface:'ether1',to-addresses:'192.168.1.10',to-ports:'8080'}.

- **PATCH** `update_firewall_nat` — Update a NAT rule.
- **DELETE** `delete_firewall_nat` — Delete a NAT rule. Removing masquerade can break LAN-to-WAN traffic.
- **POST** `move_firewall_nat` — Reorder NAT rules. Move rule(s) in 'numbers' to position before 'destination'.
- **GET** `list_firewall_mangle` — List mangle rules (packet marking, MSS clamping, TTL, DSCP). Chains: prerouting, postrouting, input, forward, output.
- **PUT** `add_firewall_mangle` — Add a mangle rule (mark-packet, mark-connection, change-mss, change-ttl, change-dscp, ...).
- **PATCH** `update_firewall_mangle` — Update a mangle rule (any field).
- **DELETE** `delete_firewall_mangle` — Delete a mangle rule. Removing mark-routing rules can break policy routing.
- **POST** `move_firewall_mangle` — Reorder mangle rules. Move rule(s) in 'numbers' to position before 'destination'.
- **GET** `list_firewall_raw` — List firewall raw rules (pre-conntrack, used for DDoS mitigation and bypassing connection tracking).
- **PUT** `add_firewall_raw` — Add a raw firewall rule. Raw rules run BEFORE connection-tracking and are evaluated for every packet — keep them lean. Common patterns: notrack for high-volume known-good traffic, drop for known-bad source IPs, ICMP rate-limit pre-conntrack.

- **PATCH** `update_firewall_raw` — Update a raw firewall rule.
- **DELETE** `delete_firewall_raw` — Delete a raw firewall rule.
- **POST** `move_firewall_raw` — Reorder raw firewall rules. Move rule(s) in 'numbers' to position before 'destination'.
- **GET** `list_firewall_address_lists` — List firewall address-list entries (named groups of IPs/CIDRs used by other firewall rules).
- **PUT** `add_firewall_address_list` — Add an entry to a firewall address-list.
- **PATCH** `update_firewall_address_list` — Update an existing address-list entry (address, list, timeout, comment).
- **DELETE** `delete_firewall_address_list` — Remove an entry from an address-list.
- **GET** `list_firewall_connections` — List currently tracked connections (connection-tracking table). Key fields: src-address, dst-address, protocol, tcp-state, timeout, orig-bytes, repl-bytes, reply-src-address (for NAT), reply-dst-address.

- **GET** `list_ipv6_addresses` — List configured IPv6 addresses. Includes link-local (FE80::/10), GUA, and ULA addresses.
- **PUT** `add_ipv6_address` — Assign an IPv6 address to an interface.
- **PATCH** `update_ipv6_address` — Update an IPv6 address record.
- **DELETE** `delete_ipv6_address` — Remove an IPv6 address.
- **GET** `list_ipv6_routes` — List the IPv6 routing table.
- **PUT** `add_ipv6_route` — Add a static IPv6 route. Default route: dst-address='::/0' with a gateway.
- **PATCH** `update_ipv6_route` — Update a static IPv6 route.
- **DELETE** `delete_ipv6_route` — Delete a static IPv6 route.
- **GET** `list_ipv6_firewall_filter` — List IPv6 firewall filter rules. Same chain/action semantics as IPv4.
- **PUT** `add_ipv6_firewall_filter` — Add an IPv6 firewall filter rule. Required: chain and action.
- **PATCH** `update_ipv6_firewall_filter` — Update an IPv6 firewall filter rule.
- **DELETE** `delete_ipv6_firewall_filter` — Delete an IPv6 firewall filter rule.
- **POST** `move_ipv6_firewall_filter` — Reorder IPv6 filter rules. Move rule(s) in 'numbers' to position before 'destination'.
- **GET** `list_ipv6_neighbors` — List the IPv6 neighbor table (NDP, equivalent to ARP for IPv6).
- **GET** `list_ipv6_nd` — List IPv6 Neighbor Discovery / Router Advertisement settings per interface (M, O flags, RA interval, RA lifetime, MTU). This controls RA SENDING (the device acting as an IPv6 router for its LAN), not RA receiving (SLAAC client behavior). For SLAAC client behavior, see get_ipv6_settings / set_ipv6_settings.
- **GET** `get_ipv6_settings` — Get the global IPv6 stack settings. Key fields: disable-ipv6 (yes/no), forward (yes/no -- 'yes' makes the device a router; 'no' a host), accept-router-advertisements (yes | no | yes-if-forwarding-disabled -- the last is the default and means the device accepts RAs only when acting as a host), accept-redirects, max-neighbor-entries, soft-headers, multipath-hash-policy. SLAAC client behavior requires forward='no' AND accept-router-advertisements in {yes, yes-if-forwarding-disabled}.

- **POST** `set_ipv6_settings` — Update global IPv6 settings. To enable SLAAC on a host/L2-switch: {forward:'no', accept-router-advertisements:'yes'}. Note: changing 'forward' may affect routing behavior across all interfaces -- do this only on devices that should NOT route IPv6 (e.g. switches, end hosts).

- **GET** `list_ipv6_dhcp_clients` — List DHCPv6 clients (stateful IPv6 address/prefix from a DHCPv6 server). SLAAC (RA-only) does NOT show up here -- only DHCPv6 client instances do. Each entry has interface, request (address|prefix), status, address, prefix.

- **GET** `list_ppp_secrets` — List PPP user accounts (used for PPPoE/L2TP/SSTP/PPTP/OVPN servers). Each has name, password (hidden), profile, service, local-address, remote-address.
- **PUT** `add_ppp_secret` — Create a PPP user account.
- **PATCH** `update_ppp_secret` — Update a PPP user (password, profile, service, addresses, comment, disabled).
- **DELETE** `delete_ppp_secret` — Delete a PPP user account.
- **GET** `list_ppp_active` — List currently connected PPP sessions (active PPPoE/L2TP/SSTP/PPTP/OVPN clients). Includes name, service, address, uptime, encoding, caller-id.
- **GET** `list_ppp_profiles` — List PPP profiles (templates for sessions: local-address, remote-address pool, dns-server, rate-limit, encryption).
- **PUT** `add_ppp_profile` — Create a PPP profile. Use to template L2TP/SSTP/PPTP/OVPN session settings (DNS, address pool, rate-limit, encryption).
- **PATCH** `update_ppp_profile` — Update a PPP profile.
- **DELETE** `delete_ppp_profile` — Delete a PPP profile. Cannot delete 'default' or 'default-encryption' built-in profiles.
- **GET** `list_routing_table` — List routing tables (multi-table support in RouterOS 7). Default is 'main'; custom tables used with routing-mark.
- **GET** `list_bgp_peers` — List BGP peer connections (RouterOS 7 BGP). Each has name, remote.address, remote.as, local.address, local.role, established.
- **PUT** `add_bgp_connection` — Add a BGP peer connection (RouterOS 7 BGP). Required: name and remote.address. Use templates for common AS/role config and reference via 'template='.

- **PATCH** `update_bgp_connection` — Update a BGP peer connection.
- **DELETE** `delete_bgp_connection` — Delete a BGP peer connection. Will tear down the BGP session immediately.
- **GET** `list_bgp_sessions` — List currently established BGP sessions with state, uptime, prefix-count, last-error.
- **GET** `list_bgp_templates` — List BGP templates (reusable peer-config bundles). RouterOS 7 BGP requires at least one template — usually 'default'.
- **GET** `list_ospf_instances` — List OSPF instances. Each has name, version, router-id, vrf.
- **PUT** `add_ospf_instance` — Create an OSPF instance (RouterOS 7). Required: name, router-id, version (default '2' for OSPFv2).
- **DELETE** `delete_ospf_instance` — Delete an OSPF instance. All adjacencies in this instance go down.
- **GET** `list_ospf_areas` — List OSPF areas. Each binds an instance to an area-id and type (default | stub | nssa | backbone).
- **PUT** `add_ospf_area` — Create an OSPF area (RouterOS 7).
- **DELETE** `delete_ospf_area` — Delete an OSPF area.
- **GET** `list_ospf_interface_templates` — List OSPF interface templates (which interfaces speak OSPF, in which area, with which cost/network type).
- **GET** `list_ospf_neighbors` — List OSPF neighbors with router-id, address, area, state (Down|Init|2-Way|ExStart|Exchange|Loading|Full), priority.
- **GET** `list_routing_filters` — List routing-filter rules (RouterOS 7 unified filter system). Each rule belongs to a chain (referenced from BGP/OSPF in/out filter-chain fields). Fields: chain, rule (filter DSL: 'if (...) {...}'), comment, disabled.

- **PUT** `add_routing_filter` — Add a routing-filter rule. RouterOS 7 uses a unified rule DSL across all protocols. Example: chain='bgp-in', rule='if (dst in 0.0.0.0/0) { accept } reject'. Rules in a chain are evaluated top-to-bottom.

- **PATCH** `update_routing_filter` — Update a routing-filter rule.
- **DELETE** `delete_routing_filter` — Delete a routing-filter rule. Removing a deny-all leaf can flood the route table — audit first.
- **GET** `list_simple_queues` — List simple queues (per-IP/per-subnet bandwidth limits). Each has name, target (IP/CIDR/interface), max-limit, burst-limit, parent, queue (queue-type).
- **PUT** `add_simple_queue` — Add a simple queue for bandwidth shaping.
- **PATCH** `update_simple_queue` — Update a simple queue.
- **DELETE** `delete_simple_queue` — Remove a simple queue.
- **GET** `list_queue_tree` — List queue tree entries (HTB-based hierarchical shaping using packet marks from mangle).
- **GET** `list_queue_types` — List queue disciplines (default-small, default, ethernet-default, wireless-default, fq-codel, cake, pcq, sfq, red, pfifo, bfifo).
- **POST** `ping` — Send ICMP echo requests to a target. CRITICAL: always pass count (1-10) to bound runtime -- the REST API has a 60s hard timeout. Each iteration is returned as one object in the response array.

- **POST** `traceroute` — Trace the network path to a target. ALWAYS set count and timeout to bound runtime. Returns one row per hop with address, loss, sent, last, avg, best, worst.

- **POST** `bandwidth_test` — Run a bandwidth test against another MikroTik device (target must run bandwidth-server). ALWAYS pass duration to bound runtime. Resource-intensive.

- **GET** `list_netwatch` — List netwatch monitors (ICMP/TCP/HTTP/HTTPS uptime checks against external hosts). Each has host, status (up|unknown|down), type, since.
- **PUT** `add_netwatch` — Create a netwatch monitor.
- **PATCH** `update_netwatch` — Update a netwatch monitor (host, type, interval, scripts, port, http-codes, comment, disabled).
- **DELETE** `delete_netwatch` — Remove a netwatch monitor.
- **GET** `get_email_settings` — Get the SMTP client settings. Singleton — required for send_email and for the 'email' /system/logging/action. Fields: server, port, start-tls, user, password (hidden), from, vrf.

- **POST** `set_email_settings` — Update the SMTP client settings. RouterOS 7.13+ uses the field 'tls' (no | starttls | tls-only); older releases used 'start-tls' as a boolean — both are accepted on 7.13+ for backward compatibility but prefer 'tls'. STARTTLS submission (port 587): {server:'smtp.example.com', port:'587', tls:'starttls', user:'noreply@x', password:'<pwd>', from:'router@x'}. Implicit TLS (port 465): tls='tls-only'. Cleartext (port 25): tls='no'.

- **POST** `send_email` — Send an email via the configured /tool/e-mail SMTP settings. Useful for alerting from scripts/scheduler.
- **GET** `list_users` — List local user accounts. Each has name, group, address (allowed source CIDR), last-logged-in, disabled.
- **GET** `get_user` — Get a single user by name or .id.
- **PUT** `add_user` — Create a local user.
- **PATCH** `update_user` — Update a user (password, group, source restriction, comment, disabled).
- **DELETE** `delete_user` — Delete a user. Cannot delete the user you're authenticated as.
- **GET** `list_user_groups` — List user groups (named bundles of policies). Default groups: read, write, full. Each has name and policy field (comma-separated).
- **PUT** `add_user_group` — Create a custom user group with specific policies.
- **PATCH** `update_user_group` — Update an existing user group's policies, skin, or comment. Cannot rename built-in 'read', 'write', 'full' groups.
- **DELETE** `delete_user_group` — Delete a custom user group. Built-in groups (read/write/full) cannot be deleted. Users assigned to a deleted group are orphaned — re-assign first.
- **GET** `list_active_users` — List currently authenticated user sessions. Includes name, address (source IP), via (ssh|winbox|webfig|api|rest|console), when.
- **GET** `list_user_ssh_keys` — List installed SSH public keys for user authentication.
- **POST** `import_user_ssh_key` — Import an SSH public key from a file in /file for a user.
- **GET** `list_certificates` — List installed certificates and CAs. Each has name, common-name, subject-alt-name, issuer, expires-after, days-valid, fingerprint, private-key (yes/no).
- **POST** `sign_certificate` — Sign a certificate request with a CA certificate. Used in PKI workflows.
- **POST** `import_certificate` — Import a certificate from a file in /file (PEM or PKCS#12).
- **GET** `list_files` — List files stored on the device flash. Includes name, type (file|directory|disk|.backup|.rsc|.crt|.key|.umb), size, creation-time.
- **DELETE** `delete_file` — Delete a file from device flash. Cannot delete in-use files.
- **GET** `list_logs` — List system log entries. Each has time, topics (e.g. 'system,info'), message. Logs are circular -- old entries are overwritten. Filter by topics= via query for targeted lookups.

- **GET** `list_logging_rules` — List logging rules — each routes a topic pattern to an action. Fields: topics (comma-separated AND-list, '!' to negate), action (action name, e.g. 'memory', 'remote', 'graylog'), prefix, regex, disabled. Rules are evaluated for every log line; matching is a logical OR across multiple rules.

- **PUT** `add_logging_rule` — Add a logging rule. Most common pattern for remote forwarding: {topics:'', action:'remote'} forwards EVERY topic to the remote action. Narrower: {topics:'system,info', action:'graylog'} forwards only system-info lines. Negation: {topics:'firewall,!debug', ...} excludes debug-severity firewall messages.

- **PATCH** `update_logging_rule` — Update a logging rule (topics, action, prefix, regex, comment, disabled).
- **DELETE** `delete_logging_rule` — Delete a logging rule. The 5 default actions remain available; only your custom rules are removed.
- **GET** `list_logging_actions` — List logging actions — destinations for log lines. RouterOS ships with 5 default actions that CANNOT be deleted or renamed: memory, disk, echo, remote, email. Add new actions for additional targets (multiple Graylog inputs, secondary syslog, etc.).

- **PUT** `add_logging_action` — Add a logging action (destination). Common pattern for Graylog (CEF over TCP): {name:'graylog', target:'remote', remote:'192.168.100.15', remote-port:'514', remote-protocol:'tcp', remote-log-format:'cef', syslog-time-format:'iso8601'}. For a second memory ring buffer: {name:'audit', target:'memory', memory-lines:'5000'}.

- **PATCH** `update_logging_action` — Update a custom logging action. NOTE: for the 5 built-in actions (memory, disk, echo, remote, email) PATCH on the path is unreliable — use set_logging_action with numbers='remote' (etc.) instead.

- **POST** `set_logging_action` — Atomically update one or more logging actions via CLI-style '/system/logging/action set'. THIS IS THE WAY to re-aim the built-in 'remote' or 'email' actions: {numbers:'remote', remote:'10.0.0.5', remote-protocol:'tcp', remote-log-format:'cef'} — the built-ins can be re-configured but not renamed/deleted. Reference via 'numbers' (action name or .id).

- **DELETE** `delete_logging_action` — Delete a custom logging action. The 5 default actions (memory/disk/echo/remote/email) cannot be deleted.
- **GET** `get_snmp_settings` — Get SNMP agent settings: enabled, contact, location, engine-id, src-address, trap-target.
- **POST** `update_snmp_settings` — Update SNMP agent settings.
- **GET** `list_snmp_communities` — List SNMP v1/v2c communities and v3 users. Includes name, addresses (source CIDRs), security, read-access, write-access.
- **GET** `get_l2tp_server` — Get L2TP server config (singleton). Fields: enabled, max-mtu, max-mru, mrru, authentication (comma list of mschap2,mschap1,chap,pap), default-profile, use-ipsec ('no'|'yes'|'required'), ipsec-secret, caller-id-type, allow-fast-path.
- **POST** `set_l2tp_server` — Update L2TP server config. To enable plain L2TP: {enabled:'yes', authentication:'mschap2', default-profile:'default-encryption'}. For L2TP/IPsec: {enabled:'yes', use-ipsec:'required', ipsec-secret:'<psk>'}. Per-user accounts live in /ppp/secret with service='l2tp'.

- **GET** `get_sstp_server` — Get SSTP server config (singleton). Fields: enabled, port, certificate, authentication, default-profile, max-mtu, max-mru, mrru, tls-version, verify-client-certificate, force-aes.
- **POST** `set_sstp_server` — Update SSTP server config. Required: a TLS certificate (certificate=<name>). Default port is 443 — make sure it does NOT collide with www-ssl (REST API). Common: {enabled:'yes', certificate:'sstp-cert', port:'8443', authentication:'mschap2', default-profile:'default-encryption'}.

- **GET** `get_pptp_server` — Get PPTP server config (singleton). Fields: enabled, max-mtu, max-mru, mrru, authentication, default-profile, keepalive-timeout. NOTE: PPTP is cryptographically broken — use L2TP/IPsec, SSTP, or WireGuard for new deployments.
- **POST** `set_pptp_server` — Update PPTP server config. Discouraged for new deployments.
- **GET** `get_ovpn_server` — Get OpenVPN server config (singleton). Fields: enabled, port, mode, netmask, mac-address, max-mtu, certificate, require-client-certificate, auth (md5|sha1|sha256|sha512), cipher (blowfish128|aes128-cbc|aes192-cbc|aes256-cbc|aes128-gcm|aes192-gcm|aes256-gcm), default-profile, tls-version, redirect-gateway.
- **POST** `set_ovpn_server` — Update OpenVPN server config. RouterOS supports TCP only (no UDP). Modern interop: {enabled:'yes', mode:'ip', port:'1194', certificate:'ovpn-cert', require-client-certificate:'yes', auth:'sha256', cipher:'aes256-gcm,aes256-cbc', default-profile:'default-encryption'}.

- **GET** `list_ipsec_peers` — List IPsec peers. Each peer = remote endpoint + auth method + exchange-mode. Fields: name, address, profile, exchange-mode (ike2 recommended), passive, send-initial-contact, comment, disabled.
- **PUT** `add_ipsec_peer` — Add an IPsec peer. For IKEv2 modern setup: {name:'site-a', address:'203.0.113.5/32', profile:'default', exchange-mode:'ike2'}.
- **PATCH** `update_ipsec_peer` — Update an IPsec peer.
- **DELETE** `delete_ipsec_peer` — Delete an IPsec peer. Tears down all SAs to that peer.
- **GET** `list_ipsec_identities` — List IPsec identities — bind peers to auth credentials + mode-config + policy template.
- **PUT** `add_ipsec_identity` — Add an IPsec identity (peer + auth credentials). For PSK: {peer:'site-a', auth-method:'pre-shared-key', secret:'<psk>'}. For IKEv2 EAP: {peer:'rw', auth-method:'eap', eap-methods:'eap-mschapv2', username:'alice', password:'<pwd>'}.
- **PATCH** `update_ipsec_identity` — Update an IPsec identity.
- **DELETE** `delete_ipsec_identity` — Delete an IPsec identity.
- **GET** `list_ipsec_profiles` — List IPsec IKE profiles (Phase-1 / IKE_SA_INIT proposals). Each has name, hash-algorithm, enc-algorithm, dh-group, lifetime, nat-traversal.
- **PUT** `add_ipsec_profile` — Add an IPsec profile. Modern IKEv2: {name:'strong', hash-algorithm:'sha256', enc-algorithm:'aes-256', dh-group:'modp2048,ecp256', lifetime:'1d', nat-traversal:'yes'}.
- **PATCH** `update_ipsec_profile` — Update an IPsec profile.
- **DELETE** `delete_ipsec_profile` — Delete an IPsec profile. Cannot delete 'default'.
- **GET** `list_ipsec_proposals` — List IPsec ESP/AH proposals (Phase-2 / CHILD_SA crypto). Each has name, auth-algorithms, enc-algorithms, pfs-group, lifetime.
- **PUT** `add_ipsec_proposal` — Add an IPsec ESP/AH proposal.
- **PATCH** `update_ipsec_proposal` — Update an IPsec proposal.
- **DELETE** `delete_ipsec_proposal` — Delete an IPsec proposal. Cannot delete 'default'.
- **GET** `list_ipsec_policies` — List IPsec policies. Each policy = src/dst selector + action (encrypt|none|discard) + proposal + peer.
- **PUT** `add_ipsec_policy` — Add an IPsec policy. Static site-to-site: {peer:'site-a', src-address:'10.0.0.0/24', dst-address:'10.1.0.0/24', action:'encrypt', tunnel:'yes', proposal:'default', sa-src-address:'<local>', sa-dst-address:'<peer>'}. Road-warrior dynamic template: {peer:'rw', template:'yes', dst-address:'0.0.0.0/0', action:'encrypt'}.

- **PATCH** `update_ipsec_policy` — Update an IPsec policy.
- **DELETE** `delete_ipsec_policy` — Delete an IPsec policy. Active SAs are torn down.
- **GET** `list_ipsec_active_peers` — List currently negotiated IPsec peers. Fields: id, state (established | half-open | ...), uptime, side, remote-address, dynamic-address.
- **GET** `list_ipsec_installed_sa` — List currently installed IPsec SAs (Phase-2 ESP/AH security associations). Useful for debugging which selectors negotiated and how much data has flowed.
- **POST** `flush_ipsec_sa` — Tear down all currently installed IPsec SAs. They will renegotiate on next traffic. Use to recover from stuck SA state.
- **GET** `get_ipsec_settings` — Get global IPsec settings (singleton). Fields: accept-redirects, interim-update, max-events-per-second, xauth-use-radius.
- **POST** `set_ipsec_settings` — Update global IPsec settings.
- **GET** `list_containers` — List Docker-like containers configured on RouterOS (v7.4+ on supported hardware). Each has name, root-dir, mounts, interface, status, dns.
- **GET** `list_container_envs` — List container environment variables defined for use across containers.
- **GET** `list_container_mounts` — List defined container mount points (host directory to container path mappings).

## Which DADLs are related to Mikrotik?

- [Alertmanager](https://www.dadl.ai/d/alertmanager/) — Prometheus Alertmanager API v2 -- alerts, silences, receivers, alert groups, status, and operational health
- [NetBox](https://www.dadl.ai/d/netbox/) — NetBox DCIM/IPAM API -- full v4 coverage: sites, racks, devices, modules, interfaces, cables, power, IPAM (prefixes, IPs, VLANs, VRFs, route-targets, VLAN translation), virtualization, circuits (including virtual circuits), tenants, contacts, VPN (IKE/IPSec/L2VPN), wireless, extras (webhooks, event-rules, scripts, config-templates, bookmarks, notifications), users/permissions/tokens, and core data sources & jobs
- [Xen Orchestra](https://www.dadl.ai/d/xen-orchestra/) — Xen Orchestra REST API (XO 6.4+) -- complete coverage: VMs, hosts, pools, storage (SR/VDI/VBD), networks (VIF/PIF/PBD), VM/VDI snapshots, VM templates, hardware (PCI/PGPU/SM), tasks, backups (jobs/logs/repositories/restore), schedules, messages, alarms, events (SSE), RBAC v2 (users/groups/acl-roles/acl-privileges), proxies, servers, dashboards, auth tokens, health check
- [DokuWiki](https://www.dadl.ai/d/dokuwiki/) — DokuWiki JSON-RPC API — wiki pages, media files, search, ACL management, and user administration
- [Graylog](https://www.dadl.ai/d/graylog/) — Graylog REST API -- log search (Views/Search + legacy universal), streams, pipelines, inputs, alerts, events, dashboards, users, roles, sidecars, index management, and cluster administration. Targets Graylog 6.x.
- [Stripe](https://www.dadl.ai/d/stripe/) — Stripe REST API — payment processing, billing, subscriptions, invoices, products, and financial infrastructure

---

**Canonical URL:** https://www.dadl.ai/d/mikrotik/

**Raw DADL:** https://github.com/DunkelCloud/dadl-registry/blob/main/mikrotik.dadl
