Retrieve system status information from a MikroTik router including resource usage, identity, license, routerboard details, health sensors, and clock.

List network interfaces on a MikroTik router with optional filtering by type and status. Supports pagination and optional traffic counters.

Add, update, or remove an IP address on a MikroTik router interface. Performs idempotency checks for add operations and supports dry-run mode for all actions.

List DHCP leases on a MikroTik router with optional filtering by server, status, lease type (dynamic/static), and MAC address. Supports pagination.

Convert a dynamic DHCP lease to static (make-static) or remove a lease. Idempotent by MAC address.

List static routes on a MikroTik router with optional filtering by active status and dynamic status. Supports pagination.

Add or remove a static route on a MikroTik router. Performs idempotency checks for add operations and supports dry-run mode for all actions.

List firewall rules from the filter or nat table on a MikroTik router. Supports filtering by chain and disabled state, with pagination.

Add, remove, disable, or enable a firewall rule on a MikroTik router. Uses comment as idempotency key for deduplication and identification. Supports dry-run mode.

Send ICMP echo requests from the router to a target address. Returns per-packet RTT and summary statistics. 100% packet loss is a valid result, not an error.

Trace the network path from the router to a target address. Returns an ordered hop list with RTT per hop. Timeouts and partial results are valid responses.

Capture a real-time traffic snapshot on a router interface. The tool call blocks for the duration (seconds) and returns top flows by bytes. readOnlyHint true — auto-retry enabled.

Read and filter the system log from a MikroTik router. Supports filtering by topic, message prefix, and a time window (last N minutes). Entries with unparseable timestamps are included conservatively.

Read the current date, time, and timezone from a MikroTik router. Focused single-purpose alternative to the clock section in get_system_status.

Set the system date, time, and/or timezone on a MikroTik router. Idempotent: returns already_set if the values already match. Supports dry-run.

Trigger a controlled router reboot with an optional delay. Supports dry-run. Use this tool instead of run_command for reboots — run_command's deny list blocks /system reboot*.

Execute an arbitrary RouterOS console command via SSH. Guarded by an allow/deny policy (built-in deny list blocks destructive commands; tighten via cmdAllow in routers.yaml or MIKROMCP_CMD_ALLOW). Prefer dedicated tools (reboot, etc.) where available. Output capped at 4000 characters.

List bridge interfaces and their port members on a MikroTik router.

Create or remove a bridge interface on a MikroTik router. Idempotent: create returns already_exists if bridge with same name exists.

Add or remove an interface from a bridge on a MikroTik router. Idempotent: add returns already_exists if the port assignment already exists.

List WiFi/wireless interfaces on a MikroTik router. Uses /interface/wifi on ROS 7.x, /interface/wireless on older versions.

List currently connected WiFi clients (stations) with signal strength and transfer rates.

Enable, disable, or update SSID settings on a WiFi interface. At least one of disabled or ssid must be provided.

List WireGuard interfaces and their status on a MikroTik router.

List WireGuard peers with last handshake time and transfer statistics.

Add or remove a WireGuard peer. Idempotent by public key: add returns already_exists if a peer with the same public key already exists on the interface.

Add, remove, enable, or disable a WireGuard interface. Idempotent by name. RouterOS generates the private key on create — it is never passed in. The public key is returned after creation.

List static DNS entries on a MikroTik router with optional filtering by name and type.

Add or remove a static DNS entry. Idempotent by name+type: add returns already_exists if the same record already exists.

Read DNS resolver configuration: upstream servers, cache size, cache TTL, and whether remote DNS requests are allowed.

Update DNS resolver settings (upstream servers, cache size, cache TTL, allow-remote-requests). Idempotent: returns no_change if nothing differs.

List firewall mangle rules on a MikroTik router in evaluation order. Supports filtering by chain, action, and disabled state.

Add, remove, enable, or disable a firewall mangle rule. Uses comment as idempotency key. Supports dry-run mode.

List firewall address list entries on a MikroTik router. Supports filtering by list name and address.

Add or remove a firewall address list entry. Idempotent by list name + address. Supports dry-run mode.

List policy routing rules on a MikroTik router in evaluation order. Supports filtering by table and disabled state.

Add, remove, enable, or disable a policy routing rule. Idempotent by srcAddress+dstAddress+interface+table composite key. Supports dry-run mode.

List custom routing tables on a MikroTik router.

Create or remove a custom routing table. Idempotent by table name. Supports dry-run mode.

List BGP sessions on a MikroTik router (RouterOS 7+). Returns state, remote AS, prefix counts, and uptime.

List OSPF neighbors on a MikroTik router (RouterOS 7+). Returns neighbor state, interface, DR/BDR, and uptime.

List RouterOS scripts on a MikroTik router. Supports optional name filter.

Add, update, or remove a RouterOS script. Idempotent by name. add throws CONFLICT if the name already exists; update throws NOT_FOUND if it does not. Supports dry-run.

Execute a named RouterOS script. Fire-and-forget — the script runs asynchronously and its output is written to the router system log. Use get_log after calling this tool to see results.

List RouterOS scheduler entries on a MikroTik router with next-run time, interval, and disabled state.

Add, update, remove, enable, or disable a RouterOS scheduler entry. Idempotent by name. add throws CONFLICT if name exists; update throws NOT_FOUND if it does not. Supports dry-run.

List installed RouterOS packages with version and enabled status.

Enable or disable a RouterOS package. Changes take effect only after a router reboot — use the reboot tool to apply. Idempotent: no-op if already in the target state.

List files on a MikroTik router filesystem. Supports filtering by name and type.

Read a text file's contents from a MikroTik router. Only suitable for text files — binary files will return garbled content.

Upload a text file to a router via FTP using the router's credentials, overwriting any existing file of the same name. Requires FTP permission on the router user (see config/routers.example.yaml). Dry-run tests FTP connectivity only.

Delete a file from the router filesystem by name. Idempotent: returns not_found gracefully if the file does not exist.

List RouterOS container instances with status, image, and network information.

Create, start, stop, or remove a RouterOS container. create needs a pre-configured veth interface; start/stop are no-ops when already in the target state; remove throws NOT_FOUND when absent. Supports dry-run.

List IPSec peers on a MikroTik router.

List IPSec policies on a MikroTik router.

Add, remove, enable, or disable an IPSec peer. Idempotent by name: add returns already_exists if a peer with the same name and address already exists.

Add, remove, enable, or disable an IPSec policy. Idempotent by composite key (srcAddress + dstAddress + tunnel).

List certificates on a MikroTik router.

Remove, trust, or untrust a certificate. Idempotent: trust/untrust return early if already in the target state.

List local users on a MikroTik router. Passwords are never returned.

Add, remove, enable, disable, or set the password for a local RouterOS user. Idempotent by name: add returns already_exists if a user with the same name and group already exists.

List local user groups on a MikroTik router.

Add, update, or remove a local RouterOS user group. Idempotent by name: add returns already_exists if a group with the same name and policy already exists.

List DHCP servers on a MikroTik router.

Add, remove, enable, or disable a DHCP server. Idempotent by name: add returns already_exists if a server with the same name, interface, and address pool already exists.

List IP address pools on a MikroTik router. Supports filtering by name and pagination.

Add or remove an IP address pool. Idempotent by name: add returns already_exists if a pool with the same name and ranges already exists.

List simple queues on a MikroTik router.

Add, remove, enable, or disable a simple queue. Idempotent by name: add returns already_exists if a queue with the same name and target already exists.

List VRRP instances on a MikroTik router.

Add, remove, enable, or disable a VRRP instance. Idempotent by name: add returns already_exists if an instance with the same name, interface, and VRID already exists.

Retrieve SNMP settings from a MikroTik router.

Retrieve NTP client settings from a MikroTik router.

List Netwatch monitoring entries on a MikroTik router.

Add, remove, enable, or disable a Netwatch monitoring entry. Idempotent by host+port: add returns already_exists if an entry with the same host and port already exists.

List discovered neighbors (CDP/LLDP/MNDP) on a MikroTik router.

List ARP table entries on a MikroTik router.

Update NTP client settings on a MikroTik router. Idempotent: returns already_set if no changes are needed.

Add, remove, enable, or disable a VLAN interface. Idempotent by name: add returns already_exists when a VLAN with matching name, vlan-id, and parent interface exists. Supports dry-run mode.

List DHCP client configurations on a MikroTik router. Shows which interfaces obtain their IP via DHCP, current status, and assigned address.

Add, remove, enable, or disable a DHCP client on an interface. Idempotent by interface name: add returns already_exists if a DHCP client is already configured on the same interface.

List IP services on a MikroTik router (api, api-ssl, ssh, telnet, www, www-ssl, winbox, ftp) with their port numbers and enabled/disabled status.

Enable or disable a RouterOS IP service (api, api-ssl, ssh, telnet, www, www-ssl, winbox, ftp). Port number changes are intentionally not supported to prevent accidental lockout.

List PPPoE client interfaces on a MikroTik router. Shows name, parent interface, ISP username, and connection status.

Add, update, or remove a PPPoE client interface. Idempotent by name (already_exists on matching name+interface+user; CONFLICT on differing config; no_change when an update differs in nothing). Password is always written when provided since RouterOS does not return it on GET.

List OpenVPN client interfaces on a MikroTik router. Shows name, remote server, and connection status.

Add, update, or remove an OpenVPN client interface. Idempotent by name (already_exists on matching name+connectTo; CONFLICT on differing connectTo; no_change when an update differs in nothing). Password is always written when provided since RouterOS does not return it on GET.

Get the OpenVPN server configuration on a MikroTik router. Throws NOT_FOUND if the OpenVPN package is not installed.

Enable, disable, or configure the OpenVPN server (a per-router singleton). Throws NOT_FOUND if the OpenVPN package is not installed. The set action requires at least one configuration field.

List PPP profiles including the built-in default and default-encryption profiles.

Add, update, or remove a PPP profile. Idempotent by name. update returns no_change when requested values match. Built-in profiles (default, default-encryption) cannot be removed — RouterOS blocks this and the error is surfaced.

Read the current RouterOS package upgrade status and routerboard firmware versions. Shows installed version, latest available version, update channel, and firmware upgrade availability.

Trigger a RouterOS package update check or install. 'check' queries the update server for new packages. 'install' downloads and applies the update — the router will reboot automatically. Supports dry-run.

Create a binary configuration backup on a MikroTik router. The backup is saved as .backup on the router's filesystem. Supports optional encryption via password and dry-run mode.

Export the router configuration as a RouterOS script. When no file is specified, returns the script text inline. When a file is specified, saves it as .rsc on the router's filesystem. Supports compact mode to show only non-default values.

List RouterOS logging rules (system/logging) with optional topic substring and action exact-match filtering.

Add, remove, enable, or disable a RouterOS logging rule. Idempotent by topics+logAction (add → already_exists on match; remove → not_found handled gracefully; enable/disable throw NOT_FOUND when absent). Supports dry-run.

List RouterOS logging action targets (system/logging/action) with optional type filter.

Add or remove a RouterOS logging action target. Idempotent by name. add throws VALIDATION if type is missing; returns already_exists if name found. remove returns not_found gracefully. Supports dry-run.