MikroTik RouterOS CLI Cheat Sheet 2026 — Quick Command Reference
The MikroTik RouterOS CLI Cheat Sheet is a complete quick reference of MikroTik RouterOS CLI commands, grouped by function.
Contents
Interfaces & Ports
IP Addressing
Routing (OSPF, BGP, RIP)
Firewall & NAT
VLAN & Bridge
VPN (L2TP, PPPoE, SSTP)
MPLS & Traffic Engineering
System & Diagnostics
⚠️ Dangerous Commands
FAQ
Interfaces & Ports
Action
Command
Useful flags
Add switch ACL rule
/interface ethernet switch acl add dst-l3-port=67-68 ip-protocol=udp mac-protocol=ip new-customer-vid=10 src-ports=switch1-cpu
dst-l3-port ip-protocol mac-protocol new-customer-vid src-ports
HTTP port forwarding
/ip firewall nat add chain=dstnat dst-port=80 protocol=tcp in-interface=ether1 action=dst-nat to-addresses=192.168.88.10 to-ports=80
chain dst-port protocol in-interface action to-addresses to-ports
List all interfaces
/interface print
detail brief
Enable an interface
/interface set ether1 disabled=no
Add interface to bridge
/interface bridge port add bridge=bridge1 interface=ether2
Create VLAN on interface
/interface vlan add name=vlan10 vlan-id=10 interface=ether1
name vlan-id interface
Monitor interface traffic
/interface monitor-traffic ether1 once
once
Set interface MTU
/interface set ether1 mtu=1500
Port mirroring on switch
/interface ethernet switch set switch1 mirror-source=ether2 mirror-target=ether3
mirror-source mirror-target
Show bridge port list
/interface bridge port print
detail
IP Addressing
Action
Command
Useful flags
Address
/ip address
Firewall filter
/ip firewall filter
Firewall mangle
/ip firewall mangle
Hotspot
/ip hotspot
Route print
/ip route print
Insert filter rule before a commented rule
/ip firewall/filter/add chain=forward place-before=[find where comment=CommentX]
chain place-before
Routing (OSPF, BGP, RIP)
Action
Command
Useful flags
Is the
interface is the VLAN trunk that will send traffic further to do InterVLAN routing.
Mark connections from a source subnet
/ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 action=mark-connection new-connection-mark=lan-conn
chain src-address action new-connection-mark
Mark packets of marked connections
/ip firewall mangle add chain=prerouting connection-mark=lan-conn action=mark-packet new-packet-mark=lan-packet
chain connection-mark action new-packet-mark
Add a backup script
/system script add name=backup-daily source={ /system backup save name=daily-backup }
name source
Run a script
/system script run backup-daily
Script print
/system script print
Add a scheduler entry
/system scheduler add name=weekly-task interval=7d on-event=my-script start-date=2025-11-29
name interval on-event start-date
Firewall & NAT
Action
Command
Useful flags
Masquerade outbound traffic (source NAT)
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
chain out-interface action
HTTP port forwarding
/ip firewall nat add chain=dstnat dst-port=80 protocol=tcp in-interface=ether1 action=dst-nat to-addresses=192.168.88.10 to-ports=80
chain dst-port protocol in-interface action to-addresses to-ports
List NAT rules
/ip firewall nat print
Firewall filter
/ip firewall filter
Firewall mangle
/ip firewall mangle
Allow established input
/ip firewall filter add chain=input connection-state=established action=accept
chain connection-state action
Allow ICMP input
/ip firewall filter add chain=input protocol=icmp action=accept
chain protocol action
Allow established forward
/ip firewall filter add chain=forward connection-state=established,related action=accept
chain connection-state action
FastTrack connections
/ip firewall filter add chain=forward in-interface=ether2 out-interface=ether1 action=fasttrack-connection
chain in-interface out-interface action
Add address list entry
/ip firewall address-list add list=blocked address=192.168.1.100
list address
Drop from address list
/ip firewall filter add chain=forward src-address-list=blocked action=drop
chain src-address-list action
SSH port forwarding
/ip firewall nat add chain=dstnat dst-port=22 protocol=tcp in-interface=ether1 action=dst-nat to-addresses=192.168.88.10 to-ports=22
chain dst-port protocol in-interface action to-addresses to-ports
VLAN & Bridge
Action
Command
Useful flags
Bridge vlan
/interface bridge vlan
Enable VLAN filtering on bridge
/interface bridge set bridge1 vlan-filtering=yes
vlan-filtering
Admit only VLAN-tagged frames on bridge
/interface bridge set bridge1 frame-types=admit-only-vlan-tagged
frame-types
Bridge vlan
/interface bridge vlan mvrp
Configure bridge VLAN (tagged)
/interface bridge vlan add bridge=bridge1 tagged=ether1 vlan-ids=20
bridge tagged vlan-ids
Configure bridge VLAN (untagged)
/interface bridge vlan add bridge=bridge1 untagged=ether2 vlan-ids=10
bridge untagged vlan-ids
VPN (L2TP, PPPoE, SSTP)
Action
Command
Useful flags
Add PPPoE client
/interface pppoe-client add name=pppoe-out1 interface=ether1 user=username password=password add-default-route=yes use-peer-dns=yes
name interface user password add-default-route use-peer-dns
Show PPPoE client details
/interface pppoe-client print detail
detail
Monitor PPPoE client
/interface pppoe-client monitor pppoe-out1
Add IP pool
/ip pool add name=pppoe-pool ranges=192.168.100.2-192.168.100.254
name ranges
Configure PPPoE server
/interface pppoe-server server add service-name=myPPPoE interface=ether2 default-profile=default-encryption
service-name interface default-profile
MPLS & Traffic Engineering
Action
Command
Useful flags
Is the
interface is the VLAN trunk that will send traffic further to do InterVLAN routing.
Monitor interface traffic
/interface monitor-traffic ether1
System & Diagnostics
Action
Command
Useful flags
Resource print
/system resource print
Clock print
/system clock print
Identity print
/system identity print
Set system identity
/system identity set name=MyRouter
Routerboard print
/system routerboard print
Set time zone
/system clock set time-zone-name=America/New_York
time-zone-name
⚠️ Dangerous / Destructive Commands
These commands are irreversible. Verify your environment (dev/staging vs prod) before running them.
Action
Command
Warning
⚠️ Drop forwarded traffic from address list
/ip firewall filter add chain=forward src-address-list=blocked action=drop
Irreversible — verify the target before running
FAQ — Frequently Asked Questions
What is the difference between Interfaces & Ports and IP Addressing?
Each group in this MikroTik RouterOS CLI cheat sheet covers a distinct area. Interfaces & Ports focuses on its specific scope, while IP Addressing and the remaining groups cover networking, storage, security and diagnostics respectively.
How do I check the installed MikroTik RouterOS CLI version?
Run the version command (usually mikrotik version or mikrotik --version). The output shows the client and, when applicable, the server version.
Why does MikroTik RouterOS CLI return ‘permission denied’?
A ‘permission denied’ error in MikroTik RouterOS CLI usually means the current user lacks sufficient privileges or credentials are not configured. Check: (1) assigned IAM/RBAC roles, (2) an active authentication context via the corresponding login command.
How do I filter MikroTik RouterOS CLI output by status or name?
Use flags such as --filter, --selector or --query depending on the tool. You can also pipe into grep or jq to process JSON:
mikrotik list | grep RUNNING
What is the fastest way to debug a MikroTik RouterOS CLI error?
Add the verbose flag (--verbose, -v or --debug) to the failing command. This reveals the underlying HTTP/API calls and the full error response body.