Retrieve system status information from a MikroTik router including resource usage, identity, license, routerboard details, health sensors, and clock.

List network interfaces on a MikroTik router with optional filtering by type and status. Supports pagination and optional traffic counters.

Create a new VLAN interface on a MikroTik router. Performs idempotency checks: if a VLAN with the same name already exists with matching configuration, returns success without changes. Supports dry-run mode.

Add, update, or remove an IP address on a MikroTik router interface. Performs idempotency checks for add operations and supports dry-run mode for all actions.

List DHCP leases on a MikroTik router with optional filtering by server, status, and MAC address. Supports pagination.

List static routes on a MikroTik router with optional filtering by active status and dynamic status. Supports pagination.

Add or remove a static route on a MikroTik router. Performs idempotency checks for add operations and supports dry-run mode for all actions.

List firewall rules from the filter or nat table on a MikroTik router. Supports filtering by chain and disabled state, with pagination.

Add, remove, disable, or enable a firewall rule on a MikroTik router. Uses comment as idempotency key for deduplication and identification. Supports dry-run mode.

Send ICMP echo requests from the router to a target address. Returns per-packet RTT and summary statistics. 100% packet loss is a valid result, not an error.

Trace the network path from the router to a target address. Returns an ordered hop list with RTT per hop. Timeouts and partial results are valid responses.

Capture a real-time traffic snapshot on a router interface. The tool call blocks for the duration (seconds) and returns top flows by bytes. readOnlyHint true — auto-retry enabled.

Read and filter the system log from a MikroTik router. Supports filtering by topic, message prefix, and a time window (last N minutes). Entries with unparseable timestamps are included conservatively.

Read the current date, time, and timezone from a MikroTik router. Focused single-purpose alternative to the clock section in get_system_status.

Set the system date, time, and/or timezone on a MikroTik router. Idempotent: returns already_set if the values already match. Supports dry-run.

Trigger a controlled router reboot with an optional delay. Supports dry-run. Use this tool instead of run_command for reboots — run_command's deny list blocks /system reboot*.

Execute an arbitrary RouterOS console command via SSH. Protected by a configurable allow/deny policy — built-in deny list blocks destructive commands; optionally restrict further with an explicit allow list (cmdAllow in routers.yaml or MIKROMCP_CMD_ALLOW). Use dedicated tools (reboot, etc.) for controlled operations. Output capped at 4000 characters.

List bridge interfaces and their port members on a MikroTik router.

Create or remove a bridge interface on a MikroTik router. Idempotent: create returns already_exists if bridge with same name exists.

Add or remove an interface from a bridge on a MikroTik router. Idempotent: add returns already_exists if the port assignment already exists.

List WiFi/wireless interfaces on a MikroTik router. Uses /interface/wifi on ROS 7.x, /interface/wireless on older versions.

List currently connected WiFi clients (stations) with signal strength and transfer rates.

Enable, disable, or update SSID settings on a WiFi interface. At least one of disabled or ssid must be provided.

List WireGuard interfaces and their status on a MikroTik router.

List WireGuard peers with last handshake time and transfer statistics.

Add or remove a WireGuard peer. Idempotent by public key: add returns already_exists if a peer with the same public key already exists on the interface.

List static DNS entries on a MikroTik router with optional filtering by name and type.

Add or remove a static DNS entry. Idempotent by name+type: add returns already_exists if the same record already exists.

Read DNS resolver configuration: upstream servers, cache size, cache TTL, and whether remote DNS requests are allowed.

List firewall mangle rules on a MikroTik router in evaluation order. Supports filtering by chain, action, and disabled state.

Add, remove, enable, or disable a firewall mangle rule. Uses comment as idempotency key. Supports dry-run mode.

List firewall address list entries on a MikroTik router. Supports filtering by list name and address.

Add or remove a firewall address list entry. Idempotent by list name + address. Supports dry-run mode.

List policy routing rules on a MikroTik router in evaluation order. Supports filtering by table and disabled state.

Add, remove, enable, or disable a policy routing rule. Idempotent by srcAddress+dstAddress+interface+table composite key. Supports dry-run mode.

List custom routing tables on a MikroTik router.

Create or remove a custom routing table. Idempotent by table name. Supports dry-run mode.

List BGP sessions on a MikroTik router (RouterOS 7+). Returns state, remote AS, prefix counts, and uptime.

List OSPF neighbors on a MikroTik router (RouterOS 7+). Returns neighbor state, interface, DR/BDR, and uptime.

List RouterOS scripts on a MikroTik router. Supports optional name filter.

Add, update, or remove a RouterOS script. Idempotent by name. add throws CONFLICT if the name already exists; update throws NOT_FOUND if it does not. Supports dry-run.

Execute a named RouterOS script. Fire-and-forget — the script runs asynchronously and its output is written to the router system log. Use get_log after calling this tool to see results.

List RouterOS scheduler entries on a MikroTik router with next-run time, interval, and disabled state.

Add, update, remove, enable, or disable a RouterOS scheduler entry. Idempotent by name. add throws CONFLICT if name exists; update throws NOT_FOUND if it does not. Supports dry-run.

List installed RouterOS packages with version and enabled status.

Enable or disable a RouterOS package. Changes take effect only after a router reboot — use the reboot tool to apply. Idempotent: no-op if already in the target state.

List files on a MikroTik router filesystem. Supports filtering by name and type.

Read a text file's contents from a MikroTik router. Only suitable for text files — binary files will return garbled content.

Upload a text file to a MikroTik router via FTP using the router's credentials. Overwrites any existing file with the same name. Requires FTP permission on the router user — see config/routers.example.yaml for setup instructions. Supports dry-run (tests FTP connectivity only).

List RouterOS container instances with status, image, and network information.

Create, start, stop, or remove a RouterOS container. create requires a pre-configured veth interface. start/stop are no-ops if the container is already in the target state. remove throws NOT_FOUND if the container does not exist. Supports dry-run.

List IPSec peers on a MikroTik router.

List IPSec policies on a MikroTik router.

Add, remove, enable, or disable an IPSec peer. Idempotent by name: add returns already_exists if a peer with the same name and address already exists.

List certificates on a MikroTik router.

Remove, trust, or untrust a certificate. Idempotent: trust/untrust return early if already in the target state.

List local users on a MikroTik router. Passwords are never returned.

Add, remove, enable, disable, or set the password for a local RouterOS user. Idempotent by name: add returns already_exists if a user with the same name and group already exists.

List DHCP servers on a MikroTik router.

Add, remove, enable, or disable a DHCP server. Idempotent by name: add returns already_exists if a server with the same name, interface, and address pool already exists.

List IP pools on a MikroTik router.

Add or remove an IP pool. Idempotent by name: add returns already_exists if a pool with the same name and ranges already exists.

List simple queues on a MikroTik router.

Add, remove, enable, or disable a simple queue. Idempotent by name: add returns already_exists if a queue with the same name and target already exists.

List VRRP instances on a MikroTik router.

Add, remove, enable, or disable a VRRP instance. Idempotent by name: add returns already_exists if an instance with the same name, interface, and VRID already exists.

Retrieve SNMP settings from a MikroTik router.

Retrieve NTP client settings from a MikroTik router.

List Netwatch monitoring entries on a MikroTik router.

Add, remove, enable, or disable a Netwatch monitoring entry. Idempotent by host+port: add returns already_exists if an entry with the same host and port already exists.

List discovered neighbors (CDP/LLDP/MNDP) on a MikroTik router.

List ARP table entries on a MikroTik router.

Preview a sequence of write operations without applying them. Each step is run with dryRun=true against the live router state. Returns the current state of affected RouterOS paths plus the predicted action for each step. Use apply_plan to execute the same steps for real.

Execute a sequence of write operations in order. Stops on the first failure. Each step is snapshotted and journaled individually. Requires a confirmationToken for non-admin identities (same two-step flow as other destructive tools). Use rollback_change with any resulting journal IDs to undo individual steps.

Restore the RouterOS state to what it was before a write, identified by its journal ID. Reads the before-snapshot from disk, computes the diff against live state, and applies the reverse diff. Use dryRun=true to preview the restore plan without applying. Requires MIKROMCP_DATA_DIR (or defaults to data/) to be configured.

Probe a router by fetching system/resource. Returns health status, ROS version, uptime, CPU load, and memory info. Unlike other tools, this never throws — unreachable routers are reported as healthy=false.

Fan out a single-router tool to multiple routers in parallel (up to concurrency at a time). Target routers via explicit routerIds or by tag. Destructive tools are not allowed. Returns per-router results with succeeded/failed counts.