The console allows configuration of the router settings using text commands. The command structure is similar to the Unix shell. Since there's a lot of available commands, they're split into hierarchy. For example, all (well, almost all) commands that work with routes start with ip route:
[admin@MikroTik] > ip route print Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, R - rip, O - ospf, B - bgp # DST-ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0.0.0.0/0 r 10.0.0.1 1 ether6 r 192.168.1.254 ether4 1 DC 192.168.1.0/24 r 0.0.0.0 0 ether4 2 DC 10.10.10.0/24 r 0.0.0.0 0 prism1 3 DC 10.0.0.0/24 r 0.0.0.0 0 ether6 [admin@MikroTik] > ip route set 0 gateway=10.0.0.1 [admin@MikroTik] > ip route print Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, R - rip, O - ospf, B - bgp # DST-ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0.0.0.0/0 r 10.0.0.1 1 ether6 1 DC 192.168.1.0/24 r 0.0.0.0 0 ether4 2 DC 10.10.10.0/24 r 0.0.0.0 0 prism1 3 DC 10.0.0.0/24 r 0.0.0.0 0 ether6 [admin@MikroTik] >
Instead of typing ip route before each command, ip route can be typed once to "change into" that particular branch of command hierarchy. Thus, the example above could also be executed like this:
[admin@MikroTik] > ip route [admin@MikroTik] ip route> print Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, R - rip, O - ospf, B - bgp # DST-ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0.0.0.0/0 r 10.0.0.1 1 ether6 1 DC 192.168.1.0/24 r 0.0.0.0 0 ether4 2 DC 10.10.10.0/24 r 0.0.0.0 0 prism1 3 DC 10.0.0.0/24 r 0.0.0.0 0 ether6 [admin@MikroTik] ip route>
Notice that prompt changes to show where in the command hierarchy you are located at the moment. To change to top level, type /
[admin@MikroTik] ip route> / [admin@MikroTik] >
To move up one command level, type ..
[admin@MikroTik] ip route> .. [admin@MikroTik] ip>
You can also use / and .. to execute commands from other levels without changing the current level:
[admin@MikroTik] ip route> /ping 10.0.0.10 10.0.0.10 64 byte pong: ttl=128 time=5 ms 10.0.0.10 64 byte pong: ttl=128 time=6 ms 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 5/5.5/6 ms [admin@MikroTik] ip route>
Or alternatively, to go back to the base level you could use multiple .. commands:
[admin@MikroTik] ip route> .. .. ping 10.0.0.10 10.0.0.10 64 byte pong: ttl=128 time=8 ms 10.0.0.10 64 byte pong: ttl=128 time=6 ms 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 6/7.0/8 ms [admin@MikroTik] ip route>
[admin@MikroTik] > interface print Flags: X - disabled, D - dynamic, R - running # NAME TYPE MTU 0 R ether1 ether 1500 1 R ether2 ether 1500 2 R ether3 ether 1500 3 R ether4 ether 1500 4 R prism1 prism 1500 [admin@MikroTik] >
To change parameters of an item (interface settings in this particular case), you have to specify it's number to the set command:
[admin@MikroTik] interface> set 0 mtu=1460 [admin@MikroTik] interface> print Flags: X - disabled, D - dynamic, R - running # NAME TYPE MTU 0 R ether1 ether 1460 1 R ether2 ether 1500 2 R ether3 ether 1500 3 R ether4 ether 1500 4 R prism1 prism 1500 [admin@MikroTik] interface>
Numbers are assigned by print command and are not constant - it is possible that two successive print commands will order items differently. But the results of last print commands are memorized and, thus, once assigned item numbers can be used even after add, remove and move operations (after move operations, item numbers are moved with the items). Item numbers are assigned for sessions, they will remain the same until you quit the console or until the next print command is executed. Also, numbers are assigned separately for every item list, so ip address print won't change numbers for interface list.
Let's assume interface prism print hasn't been executed in this session. In this case:
[admin@MikroTik] interface> prism set 0 ssid=mt ERROR: item numbers not assigned
Console is telling that there has been no interface prism print command, and thus, it cannot (and also you) know which PRISM interface number 0 corresponds to.
To understand better how do item numbers work, you can play with from argument of print commands:
[admin@MikroTik] interface> print from=1 Flags: X - disabled, D - dynamic, R - running # NAME TYPE MTU 0 R ether2 ether 1500 [admin@MikroTik] interface>
The from argument specifies what items to show. Numbers are assigned by every print command, thus, after executing command above there will be only one item accessible by number - interface ether2 with number 0.
[admin@MikroTik] interface> set prism1 mtu=1460
You don't have to use the print command before accessing items by name. As opposed to numbers, names are not assigned by the console internally, but are one of the items' properties. Thus, they won't change on their own. However, there are all kinds of obscure situations possible when several users are changing router configuration at the same time. Generally, item names are more "stable" than numbers, and also more informative, so you should prefer them to numbers when writing console scripts.
/inte[TAB]_ becomes /interface _
Here, "_" is the cursor position. And [TAB] is pressed TAB key, not '[TAB]' character sequence.
If there's more than one match, but they all have a common beginning, which is longer than that what you have typed, then the word is completed to this common part, and no space is appended:
/interface set e[TAB]_
becomes
/interface set ether_
because "e" matches both "ether5" and "ether1" in this example
If you've typed just the common part, pressing the tab key once has no effect. However, pressing it for the second time shows all possible completions in compact form:
[admin@MikroTik] > interface set e[TAB]_ [admin@MikroTik] > interface set ether[TAB]_ [admin@MikroTik] > interface set ether[TAB]_ ether1 ether5 [admin@MikroTik] > interface set ether_
The tab key can be used almost in any context where the console might have a clue about possible values - command names, argument names, arguments that have only several possible values (like names of items in some lists or name of protocol in firewall and NAT rules).You can't complete numbers, IP addresses and similar values.
Note that pressing [TAB] key while entering IP address will do a DNS lookup, instead of completion. If what is typed before cursor is a valid IP address, it will be resolved to a DNS name (reverse resolve), otherwise it will be resolved directly (i.e. to an IP address). To use this feature, DNS server must be configured and working. To avoid input lockups any such lookup will timeout after half a second, so you might have to press [TAB] several times, before name is actually resolved
It is possible to complete not only beginning, but also any distinctive substring of name: if there is no exact match, console starts looking for words that have string being completed as first letters of a multiple word name, or that simply contain letters of this string in the same order. If single such word is found, it is completed at cursor position. For example:
[admin@MikroTik] > interface x[TAB]_ [admin@MikroTik] > interface export _
x is completed to export, because no other word in this context contains 'x'.
[admin@MikroTik] > interface mt[TAB]_ [admin@MikroTik] > interface monitor-traffic _
No word begins with letters 'mt', but it is an abbreviation of monitor-traffic.
Another way to press fewer keys while typing is to abbreviate command and argument names. You can type only beginning of command name, and, if it is not ambiguous, console will accept it as a full name. So typing:
[admin@MikroTik] > pi 10.1 c 3 s 100 equals to: [admin@MikroTik] > ping 10.0.0.1 count 3 size 100
Note: As an implication of internal number format, you should not use item names that begin with asterisk (*).
[admin@MikroTik] > interface print Flags: X - disabled, D - dynamic, R - running # NAME TYPE MTU 0 R ether1 ether 1500 1 R ether2 ether 1500 2 R ether3 ether 1500 3 R ether4 ether 1500 [admin@MikroTik] > interface set 0,1,2 mtu=1460 [admin@MikroTik] > interface print Flags: X - disabled, D - dynamic, R - running # NAME TYPE MTU 0 R ether1 ether 1460 1 R ether2 ether 1460 2 R ether3 ether 1460 3 R ether4 ether 1500 [admin@MikroTik] >
This is handy when you want to perform same action on several items, or do a selective export. However, this feature becomes really useful when combined with scripting.
The print command shows all information that's accessible from particular command level. Thus, /system clock print shows system date and time, /ip route print shows all routes etc. If there's a list of items in this level and they are not read-only, i.e. you can change/remove them (example of read-only item list is /system history, which shows history of executed actions), then print command also assigns numbers that are used by all commands that operate on items in this list.
If there's list of items then print usually can have a from argument. The from argument accepts space separated list of item numbers, names (if items have them), and internal numbers. The action (printing) is performed on all items in this list in the same order in which they're given.
Output can be formatted either as a table, with one item per line or as a list with property=value pairs for each item. By default print uses one of these forms, but it can be set explicitly with brief and detail arguments. In brief (table) form, column argument can be set to a list of property names that should be shown in the table:
[admin@MikroTik] interface ethernet> print Flags: X - disabled, R - running # NAME MTU MAC-ADDRESS ARP 0 R ether1 1460 00:50:08:00:00:F5 enabled 1 R ether2 1460 00:50:08:00:00:F6 enabled [admin@MikroTik] interface ethernet> print brief Flags: X - disabled, R - running # NAME MTU MAC-ADDRESS ARP 0 R ether1 1460 00:50:08:00:00:F5 enabled 1 R ether2 1460 00:50:08:00:00:F6 enabled [admin@MikroTik] interface ethernet> print detail Flags: X - disabled, R - running 0 R name="ether1" mtu=1460 mac-address=00:50:08:00:00:F5 arp=enabled disable-running-check=yes 1 R name="ether2" mtu=1460 mac-address=00:50:08:00:00:F6 arp=enabled disable-running-check=yes [admin@MikroTik] interface ethernet> print brief column=mtu,arp Flags: X - disabled, R - running # MTU ARP 0 R 1460 enabled 1 R 1460 enabled [admin@MikroTik] interface ethernet> print
Rules that do some accounting (for example, ip firewall or queue rules) may have two additional views of packets and of bytes matched these rules:
[admin@MikroTik] ip firewall rule forward> print packets Flags: X - disabled, I - invalid # SRC-ADDRESS DST-ADDRESS PACKETS 0 0.0.0.0/0:0-65535 0.0.0.0/0:0-65535 0 [admin@MikroTik] ip firewall rule forward> print bytes Flags: X - disabled, I - invalid # SRC-ADDRESS DST-ADDRESS BYTES 0 0.0.0.0/0:0-65535 0.0.0.0/0:0-65535 0 [admin@MikroTik] ip firewall rule forward>To reset these counters reset-counters command is used.
Some items might have statistics other than matched bytes and packets. You can see it by using print stats command:
[admin@MikroTik] ip ipsec> policy print stats Flags: X - disabled, I - invalid 0 src-address=10.0.0.205/32:any dst-address=10.0.0.201/32:any protocol=icmp ph2-state=no-phase2 in-accepted=0 in-dropped=0 out-accepted=0 out-dropped=0 encrypted=0 not-encrypted=0 decrypted=0 not-decrypted=0 [admin@MikroTik] ip ipsec>There migtht also be print status command:
[admin@MikroTik] routing bgp peer> print status # REMOTE-ADDRESS REMOTE-AS STATE ROUTES-RECEIVED 0 159.148.42.158 2588 connected 1 [admin@MikroTik] routing bgp>Normally, the print command pauses after the screen is full and asks whether to continue or not. Press any key other from [Q] or [q] to continue printing.
The without-paging argument suppresses prompting after each screen of output.
You can specify interval for repeating the command until [Ctrl]+[C] is pressed. Thus, you do not need to repeatedly press the [Up-Arrow] and [Enter] buttons to see repeated printouts of a changing list you want to monitor. Instead, you use the argument interval=2s for print.
The other useful parameter is count-only, that shows the total number of items in the table.
[admin@MikroTik] interface> print Flags: X - disabled, D - dynamic, R - running # NAME TYPE MTU 0 R ether1 ether 1460 1 R ether2 ether 1460 2 R ether3 ether 1460 3 R ether4 ether 1500 [admin@MikroTik] interface> print count-only 4 [admin@MikroTik] interface>
The set command allows you to change values of general parameters or item parameters. The set command has arguments with names corresponding to values you can change. Use ? or double [TAB] to see list of all arguments. If there is list of items in this command level, then set has one unnamed argument that accepts the number of item (or list of numbers) you wish to set up. set does not return anything.
Examples are given above.
The add command usually has the same arguments as set, minus the unnamed number argument. It adds new item with values you've specified, usually to the end of list (in places where order is relevant). There are some values that you have to supply (like interface for new route), and other values that are set to defaults if you don't supply them. The add command returns internal number of item it has added.
You can create a copy of an existing item by using copy-from argument. It takes default values of new item's properties from another item. If you don't want exact copy, you can specify new values for some properties. When copying items that have names, you will usually have to give new name to a copy.
You can place a new item before an existing item by using place-before argument. Thus, you do not need to use the move command after adding an item to the list. You can control disabled/enabled state of new items by using disabled argument, if present. You can supply description for new item using comment argument, if present:
[admin@MikroTik] ip route> set 0 comment="our default gateway" [admin@MikroTik] ip route> set 1 comment="wireless network gateway" [admin@MikroTik] ip route> print Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, R - rip, O - ospf, B - bgp # DST-ADDRESS G GATEWAY DISTANCE INTERFACE 0 S ;;; our default gateway 0.0.0.0/0 r 10.0.0.1 1 ether6 1 S ;;; wireless network gateway 10.100.0.0/16 r 10.0.0.254 1 ether6 2 DC 192.168.1.0/24 r 0.0.0.0 0 ether4 3 DC 10.10.10.0/24 r 0.0.0.0 0 prism1 [admin@MikroTik] ip route>
The remove command has one unnamed argument, which contains number(s) or name(s) of item(s) to remove.
[admin@MikroTik] ip route> print Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, R - rip, O - ospf, B - bgp # DST-ADDRESS G GATEWAY DISTANCE INTERFACE 0 S ;;; our default gateway 0.0.0.0/0 r 10.0.0.1 1 ether6 1 S ;;; wireless network gateway 10.100.0.0/16 r 10.0.0.254 1 ether6 2 DC 192.168.1.0/24 r 0.0.0.0 0 ether4 3 DC 10.10.10.0/24 r 0.0.0.0 0 prism1 [admin@MikroTik] ip route> remove 0 [admin@MikroTik] ip route> print Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, R - rip, O - ospf, B - bgp # DST-ADDRESS G GATEWAY DISTANCE INTERFACE 0 S ;;; wireless network gateway 10.100.0.0/16 r 10.0.0.254 1 ether6 1 DC 192.168.1.0/24 r 0.0.0.0 0 ether4 2 DC 10.10.10.0/24 r 0.0.0.0 0 prism1 [admin@MikroTik] ip route>
[admin@MikroTik] ip firewall mangle> print brief Flags: X - disabled, I - invalid, D - dynamic # SRC-ADDRESS DST-ADDRESS 0 0.0.0.0/0:80 0.0.0.0/0:0-65535 1 1.1.1.1/32:80 0.0.0.0/0:0-65535 2 2.2.2.2/32:80 0.0.0.0/0:0-65535 3 3.3.3.3/32:80 0.0.0.0/0:0-65535 [admin@MikroTik] ip firewall mangle> move 0 [admin@MikroTik] ip firewall mangle> print brief Flags: X - disabled, I - invalid, D - dynamic # SRC-ADDRESS DST-ADDRESS 0 1.1.1.1/32:80 0.0.0.0/0:0-65535 1 2.2.2.2/32:80 0.0.0.0/0:0-65535 2 3.3.3.3/32:80 0.0.0.0/0:0-65535 3 0.0.0.0/0:80 0.0.0.0/0:0-65535 [admin@MikroTik] ip firewall mangle> move 0 2 [admin@MikroTik] ip firewall mangle> print brief Flags: X - disabled, I - invalid, D - dynamic # SRC-ADDRESS DST-ADDRESS 0 2.2.2.2/32:80 0.0.0.0/0:0-65535 1 3.3.3.3/32:80 0.0.0.0/0:0-65535 2 1.1.1.1/32:80 0.0.0.0/0:0-65535 3 0.0.0.0/0:80 0.0.0.0/0:0-65535 [admin@MikroTik] ip firewall mangle> move 3,2,0 0 [admin@MikroTik] ip firewall mangle> print brief Flags: X - disabled, I - invalid, D - dynamic # SRC-ADDRESS DST-ADDRESS 0 0.0.0.0/0:80 0.0.0.0/0:0-65535 1 1.1.1.1/32:80 0.0.0.0/0:0-65535 2 2.2.2.2/32:80 0.0.0.0/0:0-65535 3 3.3.3.3/32:80 0.0.0.0/0:0-65535 [admin@MikroTik] ip firewall mangle>
[admin@MikroTik] interface> print Flags: X - disabled, D - dynamic, R - running # NAME TYPE MTU 0 R ether1 ether 1500 1 R ipip1 ipip 1480 2 R eoip-tunnel1 eoip-tunnel 1500 [admin@MikroTik] interface> print from=1 Flags: X - disabled, D - dynamic, R - running # NAME TYPE MTU 0 R ipip1 ipip 1480 [admin@MikroTik] interface> print from=[find mtu=1500] Flags: X - disabled, D - dynamic, R - running # NAME TYPE MTU 0 R ether1 ether 1500 1 R eoip-tunnel1 eoip-tunnel 1500 [admin@MikroTik] interface> print Flags: X - disabled, D - dynamic, R - running # NAME TYPE MTU 0 R ether1 ether 1500 1 R ipip1 ipip 1480 2 R eoip-tunnel1 eoip-tunnel 1500 [admin@MikroTik] interface> print from=[find mtu=1500 from=0,1] Flags: X - disabled, D - dynamic, R - running # NAME TYPE MTU 0 R ether1 ether 1500 [admin@MikroTik] interface>
The export command prints a script that can be used to restore configuration. If it has the argument from, then it is possible to export only specified items. Also, if the from argument is given, export does not descend recursively through the command hierarchy. The export command also has the argument file, which allows you to save the script in file on router to retrieve it later via ftp. Note that it is not possible to bring back router configuration after reset just from the export scripts. Some important things like interface name assignment, or user passwords just cannot be saved in export script. To back up all configuration, use /system backup save command.
You can enable/disable some items (like ip address or default route). If an item is disabled, it is marked with the X flag. If an item is invalid, but not disabled, it is marked with the I flag. All such flags, if any, are described at the top of the print command's output.
[admin@MikroTik] > ip route print Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, R - rip, O - ospf, B - bgp # DST-ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0.0.0.0/0 r 10.0.0.1 1 ether6 1 DC 192.168.1.0/24 r 0.0.0.0 0 ether4 2 DC 10.10.10.0/24 r 0.0.0.0 0 prism1 3 DC 10.0.0.0/24 r 0.0.0.0 0 ether6 [admin@MikroTik] >
Safe mode is entered by pressing [Ctrl]+[X]. To quit safe mode, press [Ctrl]+[X] again.
[admin@MikroTik] ip firewall rule input> [Ctrl]+[X] [Safe Mode taken] [admin@MikroTik] ip firewall rule input<SAFE>Message Safe Mode taken is displayed and prompt changes to show that session is now in safe mode. All configuration changes that are made (also from other login sessions), while router is in safe mode, are automatically undone if safe mode session terminates abnormally. You can see all such changes that will be automatically undone tagged with an F flag in system history:
[admin@MikroTik] ip firewall rule input<SAFE> add [admin@MikroTik] ip firewall rule input<SAFE> /system history print Flags: U - undoable, R - redoable, F - floating-undo ACTION BY POLICY F rule added admin write [admin@MikroTik] ip firewall rule input<SAFE>Now, if telnet connection is cut, then after a while (TCP timeout is 9 minutes) all changes that were made while in safe mode will be undone. Exiting session by [Ctrl]+[D] also undoes all safe mode changes, while /quit doesn't.
If another user tries to enter safe mode, he's given following message:
[admin@MikroTik] > Hijacking Safe Mode from someone - unroll/release/don't take it [u/r/d]:
[admin@MikroTik] ip firewall rule input[Safe mode released by another user]
If too many changes are made while in safe mode, and there's no room in history to hold them all (currently history keeps up to 100 most recent actions), then session is automatically put out of the safe mode, no changes are automatically undone. Thus, it is best to change configuration in small steps, while in safe mode. Pressing [Ctrl]+[X] twice is an easy way to empty safe mode action list.