MikroMCP
MikroMCP turns MikroTik RouterOS into an AI-native MCP server, enabling AI agents to inspect, diagnose, and safely manage routers through ~77 structured tools.
System Management: Retrieve system status (CPU, memory, identity, license, health sensors), manage the clock, reboot devices, and execute guarded RouterOS console commands via SSH.
Interfaces & IP: List and manage network interfaces (Ethernet, VLANs, bridges, WiFi, WireGuard), IP addresses, and bridge ports.
DHCP & DNS: Manage DHCP servers, pools, and leases; manage static DNS records and read resolver settings.
Firewall & Policy: Inspect and manage firewall filter, NAT, and mangle rules, address lists, and IPSec peers/policies.
Routing: Manage static routes, policy routing rules, and custom routing tables; view BGP peer and OSPF neighbor states.
Security & Users: Manage certificates and local RouterOS user accounts.
QoS, HA & Monitoring: Manage simple queues, VRRP instances, Netwatch entries, and read SNMP/NTP settings.
Diagnostics: Run ping, traceroute, and torch from the router; filter system logs; discover neighbors via CDP/LLDP/MNDP; view ARP table.
Automation: Manage and execute RouterOS scripts, scheduled jobs, packages, containers, and files.
Safe Change Management: Preview changes with dry-run, plan/apply/rollback workflows with journaling, idempotent writes, and confirmation tokens for destructive actions.
Fleet Operations: Health-check individual routers and bulk-execute tools across multiple routers in parallel by ID or tag.
Production Features: RBAC, bearer tokens, per-router credentials, TLS, audit logging, circuit breakers, retry policies, rate limiting, and maintenance windows.
Provides tools for managing and automating MikroTik RouterOS devices, including system status, network operations, firewall, routing, diagnostics, and change management.
MikroMCP
AI-native network automation for MikroTik RouterOS. MikroMCP exposes RouterOS as a typed, auditable Model Context Protocol server so Claude, Cursor, Codex, and other MCP clients can inspect, diagnose, and safely operate MikroTik routers in natural language.
MikroMCP exists because raw router CLI access is the wrong abstraction for AI agents. RouterOS is powerful, but asking an LLM to improvise shell commands against production network gear is risky. MikroMCP gives agents a controlled tool surface: strict schemas, idempotent writes, dry-run previews, per-router circuit breakers, retry policies, RBAC, audit logs, snapshots, and rollback-aware change workflows.
In one sentence: MikroMCP turns MikroTik RouterOS into a production-minded MCP control plane for AI infrastructure, DevOps automation, and modern router management.
Why It Matters
Instead of... | MikroMCP gives you... |
Hand-written RouterOS CLI snippets from chat | Typed MCP tools with strict Zod validation |
Blind config changes | Dry-run previews, idempotency checks, snapshots, and rollback tooling |
One-off scripts per router | A multi-router registry with per-router credentials, tags, TLS, SSH, and maintenance windows |
Raw network access for every assistant | RBAC identities, bearer tokens for HTTP mode, tool allowlists, and audit trails |
Fragile troubleshooting workflows | Router-originated ping, traceroute, torch, logs, interfaces, DHCP, firewall, routes, WiFi, WireGuard, and more |
Feature Showcase
Category | What MikroMCP covers |
๐งญ Router management | System status, clock, reboot, packages, files, scripts, scheduler jobs, containers |
๐ Network operations | Interfaces, VLANs, IP addresses, DHCP leases, DNS static records, bridge ports, WiFi clients |
๐ฅ Firewall and policy | Filter/NAT rules, mangle rules, address lists, route tables, routing rules |
๐ฐ๏ธ Routing visibility | Static routes, routing tables, BGP peers, OSPF neighbors |
๐ Secure access | HTTP bearer auth, bcrypt token hashes, RBAC, router/tool restrictions, confirmation tokens |
๐งช Diagnostics | Router-originated |
๐ก๏ธ Change safety | Dry-run, idempotent writes, snapshots, write journal, |
โ๏ธ Production behavior | Retries for read tools, per-router circuit breakers, correlation IDs, structured logs, audit logs |
๐ค AI-agent fit | Human-readable responses plus structured JSON content for reasoning, chaining, and automation |
๐งฉ MCP compatibility | stdio for desktop clients, Streamable HTTP and legacy SSE for remote or service-style clients |
Demo
Usage
MCP Inspector
Quick Start
Prerequisites
Node.js 22 or newer (for npm install) โ or use a standalone binary below
MikroTik RouterOS 7.x with the REST API enabled
A RouterOS user with the policies your tools require
Recommended RouterOS policies for full tool coverage:
read, write, api, rest-api, test, ssh, sniff, ftp
sshis required forping,traceroute,torch, andrun_command.sniffis required bytorch.ftpis required only forupload_file.
Install
npm (recommended)
npm install -g mikromcpStandalone binaries
Download the binary for your platform from the latest GitHub release โ no Node.js required.
Docker
docker pull ghcr.io/alikarami/mikromcp:latestSet Up With the Init Wizard
Run the interactive setup wizard:
mikromcp initThe wizard will ask for your router details and write everything to ~/.mikromcp/:
~/.mikromcp/
โโโ routers.yaml # router registry
โโโ identities.yaml # RBAC identities (HTTP mode)
โโโ .env # credentials and runtime settings~/.mikromcp/.env is loaded automatically every time MikroMCP starts โ no shell exports or Claude Desktop env blocks needed. Fill in the credentials it generates:
# ~/.mikromcp/.env (generated by mikromcp init)
ROUTER_CORE01_USER=
ROUTER_CORE01_PASS=To edit your router registry directly:
nano ~/.mikromcp/routers.yamlrouters:
core-01:
host: "192.168.88.1"
port: 443
tls:
enabled: true
rejectUnauthorized: true
credentials:
source: "env"
envPrefix: "ROUTER_CORE01"
tags: ["core"]
rosVersion: "7"Verify With Doctor
mikromcp doctorDoctor checks Node version, config files, router reachability, Claude Desktop registration, and whether a newer version is available.
Run
stdio (for Claude Desktop and other desktop MCP clients)
mikromcp serveHTTP mode (for service deployments)
MIKROMCP_TRANSPORT=http mikromcp serveConnect An MCP Client
Claude Desktop
Run mikromcp init and choose Register with Claude Desktop โ it patches claude_desktop_config.json automatically.
Or add it manually to ~/Library/Application Support/Claude/claude_desktop_config.json on macOS:
{
"mcpServers": {
"mikromcp": {
"command": "mikromcp",
"args": ["serve"]
}
}
}No env block needed โ credentials are loaded from ~/.mikromcp/.env at startup. Restart Claude Desktop, then ask:
Use MikroMCP to show CPU, memory, uptime, active interfaces, and warning logs for core-01.HTTP / SSE Mode
HTTP mode is useful for service deployments and MCP clients that connect over a network endpoint.
Set in ~/.mikromcp/.env:
MIKROMCP_TRANSPORT=http
MIKROMCP_PORT=3000
MIKROMCP_CONFIRMATION_SECRET=<openssl rand -hex 32>Then run:
mikromcp serveEvery HTTP request must include:
Authorization: Bearer <token>Tokens are configured as bcrypt hashes in ~/.mikromcp/identities.yaml. Use mikromcp init to generate them.
Docker
docker run --rm \
-e MIKROMCP_TRANSPORT=http \
-e MIKROMCP_PORT=3000 \
-e MIKROMCP_CONFIRMATION_SECRET="$(openssl rand -hex 32)" \
-e ROUTER_CORE01_USER=mcp-api \
-e ROUTER_CORE01_PASS=your-router-password \
-e MIKROMCP_CONFIG_PATH=/config/routers.yaml \
-v "$HOME/.mikromcp:/config:ro" \
-p 3000:3000 \
ghcr.io/alikarami/mikromcp:latestPass MIKROMCP_CONFIG_PATH and MIKROMCP_IDENTITIES_PATH explicitly when running in Docker since ~/.mikromcp/ inside the container refers to the container's home directory.
Configuration Reference
All settings can be placed in ~/.mikromcp/.env or passed as environment variables. Values in ~/.mikromcp/.env are loaded at startup; explicit environment variables always take precedence.
Variable | Default | Purpose |
|
|
|
|
| Router registry path |
|
| Identity and bearer-token registry |
| built-in superadmin | Named identity for stdio mode |
|
| HTTP transport port |
|
| HTTP bind address |
| unset | HMAC secret for destructive-action confirmation tokens |
| unset | Optional NDJSON audit log file path |
|
| Snapshots and write-journal directory |
|
| HTTP request body cap |
|
| Requests per minute per IP; |
|
| SSH command timeout |
|
| SSH output cap |
| unset | Global allowlist patterns for |
| unset | Global denylist patterns for |
| unset | Router username from |
| unset | Router password from |
Available Tools
MikroMCP currently registers 77 MCP tools.
Area | Tools |
System |
|
Interfaces and IP |
|
DHCP and DNS |
|
DHCP Servers & Pools |
|
Routing |
|
Routing protocols |
|
Firewall |
|
Bridge, WiFi, WireGuard |
|
IPSec/VPN |
|
Certificates |
|
Users |
|
Queues/QoS |
|
VRRP |
|
SNMP & NTP |
|
Netwatch |
|
Discovery & ARP |
|
Diagnostics |
|
Automation |
|
Runtime |
|
Change management |
|
Fleet operations |
|
mindmap
root((MikroMCP tools))
Operations
System status
Logs
Clock
Reboot
Network
Interfaces
VLANs
DHCP
DNS
WiFi
WireGuard
Policy
Firewall
NAT
Mangle
Address lists
Routing rules
Automation
Scripts
Scheduler
Files
Containers
Safety
Plan changes
Apply plan
Rollback changeReal-World Usage Examples
Router Inspection
Use MikroMCP to inspect core-01. Summarize system resources, RouterOS version,
running interfaces, active routes, DNS settings, and recent warning/error logs.
Flag anything that looks operationally risky.Firewall Management
List firewall filter and NAT rules on edge-01. Identify disabled rules,
overlapping port forwards, broad accept rules, and anything without comments.
Do not change anything yet.Safe Static Route Change
Dry-run a route on core-01 for 10.20.0.0/16 via 192.168.88.1 in the main table.
Show the exact planned diff and tell me whether an existing route conflicts.WireGuard Operations
Show WireGuard peers on branch-02. Sort by last handshake age and flag peers
that have not handshaken recently or have no transfer counters.Interface Diagnostics
Check interface health on edge-01, then run ping and traceroute from the router
to 1.1.1.1. If packet loss is present, use torch on the WAN interface for a
short traffic snapshot.Plan / Apply / Rollback Workflow
Create a change plan that adds a DNS record and a firewall address-list entry
on edge-01. Use dry-run first, explain the plan, then wait for approval before
applying anything.Why MikroMCP Is Useful For AI Agents
MCP gives LLMs a standard way to call tools. MikroMCP makes RouterOS a high-quality MCP target by turning network operations into well-described, machine-readable, permission-aware actions.
AI assistants can use MikroMCP to:
Investigate router state without memorizing RouterOS command syntax.
Chain tool calls across interfaces, routes, firewall rules, logs, and diagnostics.
Return both operator-friendly summaries and structured JSON for follow-up reasoning.
Preview changes before mutation and explain exactly what would happen.
Respect tool-level authorization, router scoping, maintenance windows, and confirmation gates.
Documentation
Resource | Use it for |
Shipped milestones and planned work | |
Install, configure, and connect in 15 minutes | |
Enable the REST API, create a user, TLS and firewall | |
Router registry, credentials, all environment variables | |
Register MikroMCP in Claude Desktop | |
Claude Code, Cursor, Codex, HTTP/Docker/systemd | |
All 77 tools โ parameters and example prompts | |
System layers, request pipeline, auth model | |
Error categories, retry engine, circuit breaker | |
Run commands, HTTP transport, troubleshooting | |
Project structure, tests, MCP Inspector workflow | |
Adding tools, coding conventions, PR checklist |
Development
npm run dev # tsx watch hot-reload
npm run build # build ESM output to dist/main.js
npm start # run built server
npm test # vitest + tsc + eslint
npm run format # PrettierKey project paths:
Path | Purpose |
| Loads |
| Registers tools and applies auth, retry, circuit breaker, audit, snapshots, and credentials |
| Tool definitions and handlers |
| Snapshot, diff, and write-journal support |
| RouterOS REST API client |
| SSH execution adapter for diagnostics and guarded commands |
| Router inventory loader |
| Interactive setup wizard ( |
| Health check command ( |
| Example multi-router registry |
| Example RBAC identity registry |
Roadmap
Milestone | Status | Focus |
v0.1-v0.6 | โ Shipped | Foundation, core tools, diagnostics, services, firewall, routing, automation, files, containers |
v0.7 | โ Shipped | Identity, bearer auth, RBAC, audit log, confirmation gate |
v0.8 | โ Shipped | Snapshots, write journal, plan/apply, rollback, maintenance windows |
v0.9 | โ Shipped | Fleet operations, IPSec, certificates, users, DHCP servers/pools, queues/QoS, VRRP, SNMP/NTP, Netwatch, discovery, ARP, health checks |
v1.0 | โ Shipped | npm package, standalone binaries, Docker images, |
See ROADMAP.md for the complete milestone plan.
Contributing
Issues, bug reports, tool requests, documentation improvements, and pull requests are welcome.
Good first contributions:
Add a read-only tool for an uncovered RouterOS surface.
Add screenshots, demo GIFs, or topology diagrams.
Expand tests around RouterOS response normalization and idempotency edge cases.
Help validate RouterOS version compatibility across real MikroTik devices and CHR.
Development standards:
TypeScript strict mode, ESM imports with
.jsextensionsZod schemas with
.strict(), idempotency anddryRunfor write toolsMikroMCPErrorfor domain errors, focused Vitest coverage for every tool
Please open an issue before large changes so maintainers can align on scope.
Security
MikroMCP controls real network devices. Treat it like an operations system.
Use least-privilege RouterOS users.
Prefer TLS verification and certificate fingerprint pinning.
Keep router credentials in
~/.mikromcp/.env, not in YAML or shell history.Use HTTP mode behind a trusted network boundary.
Configure identities with the smallest practical
allowedRoutersandallowedToolPatterns.Enable audit logging (
MIKROMCP_AUDIT_LOG_PATH) for shared or production use.Test write tools with
dryRun: truebefore applying changes.
For vulnerabilities or unsafe behavior, open a private security advisory or contact the maintainer before publishing details.
Community And Support
โญ Star the repository if MikroMCP helps your MikroTik or MCP workflow.
๐ด Fork it to add RouterOS surfaces your network depends on.
๐งต Open an issue for bugs, feature requests, compatibility notes, or documentation gaps.
License
MikroMCP is released under the MIT License.
Maintenance
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/AliKarami/MikroMCP'
If you have feedback or need assistance with the MCP directory API, please join our Discord server