Remote Access to RouterOS (MikroTik router) and devices behind the router

No matter which MikroTik router you have, its operating system and administrative interface, RouterOS, are always the same. From the local network you can easily connect to the router, typically through a URL pointing to its default IP address, http://192.168.88.1/. This wiki page describes the options for accessing the router remotely.

The Most Common Connection Options to RouterOS

  • WebFig is the web user interface for administering MikroTik RouterOS devices. It is provided by the router service www, which runs on port 80 and listens on the router's local IP address.
  • WinBox is a desktop application that displays the RouterOS user interface. Its environment and functionality are similar to WebFig. It is served by the router service winbox running on port 8291. WinBox is suitable for remote connections to the RouterOS UI. It can be downloaded from https://mikrotik.com/download and runs without installation.
  • SSH (Secure Shell) allows advanced administration of RouterOS devices from the command line over an encrypted connection. It listens on port 22 by default.

All services and their associated ports can be found in the Services section.

Methods of Remote Access to Router OS

For all methods, it is necessary to have the router accessible via an IP address. When exposing direct access to the router through a public IP address, the router is potentially exposed to a wider range of internet threats, including unsolicited access attempts and port scanning. Security here relies mainly on a strong password and properly configured firewall. Accessing the router via VPN is usually a safer choice, for the following reasons:

  • VPN creates an encrypted tunnel between your device and the router, protecting all data transmitted between these two points.
  • VPN allows access to the router only to users who are part of the VPN network, significantly reducing the risk of unauthorized access.
  • VPN isolates remote access from the public internet, meaning that traffic is not accessible or visible on the public network.
  • VPN may support more advanced authentication mechanisms, including certificates or two-factor authentication, which provide an additional layer of security.

A VPN here does not replace the public IP address. The idea is that the client first establishes an encrypted VPN connection to the router's internal network, and from there has access to the router's own settings through services such as SSH, WebFig and similar, after entering the access credentials.

Remote Access to RouterOS from a Public IP

  1. Enabling Services for Router Access

    RouterOS offers a number of router services that allow access to the router in various ways. These services always create an interface on the specified port for connecting to the router.

    In IP/Services, enable the service through which you want to allow connection.

  2. Allowing Internet Access to Service Ports

    By default, the router blocks incoming traffic, making the services enabled in the previous step inaccessible from the external network. To allow access to a specific router service from the external network, it is necessary to add a rule to IP/Firewall → Filter Rules:

    • Comment: Enable WebFig Remote access
    • Chain: input
    • Protocol: tcp
    • Dst. Port: The port assigned for the service. By default 80 for www and 443 for www-ssl.
    • Src. Address: restriction to a specific IP address or range of addresses from which access is allowed. If not set, connection to the specified port is possible from any IP address.
    • Action: accept

    Note: Winbox runs natively only on 64-bit Windows devices.

    • Comment: Enable Winbox Remote access
    • Chain: input
    • Protocol: tcp
    • Dst. Port: The port assigned for the winbox service. By default, this is port 8291.
    • Src. Address: restriction to a specific IP address or range of addresses from which access is allowed. If not set, connection to the specified port is possible from any IP address.
    • Action: accept

    • Comment: Enable SSH Remote access
    • Chain: input
    • Protocol: tcp
    • Dst. Port: The port assigned for the ssh service. By default, this is port 22.
    • Src. Address: restriction to a specific IP address or range of addresses from which access is allowed. If not set, connection to the specified port is possible from any IP address.
    • Action: accept

    Save the rule by clicking the Apply button.
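The same services and input-chain rules expressed in the RouterOS CLI, as an added example that is not part of the original page or of MikroTik's documentation. It places a rule that accepts from any source (commented out) beside one restricted to a single administrator address; 203.0.113.10 is a placeholder, and the `place-before=0` and the `/ip service address=` restriction go beyond the WebFig steps above, assuming a default configuration whose input chain ends in a "drop all not coming from LAN" rule.

```routeros
# Enable only the services you actually use (IP/Services); leave the rest disabled.
/ip service
set www disabled=no port=80
set winbox disabled=no port=8291
set ssh disabled=no port=22
set telnet disabled=yes
set ftp disabled=yes

# Weak (shown as a comment, do not run): no src-address, so every host on the
# internet that scans port 80 reaches the WebFig login form.
# /ip firewall filter add chain=input protocol=tcp dst-port=80 action=accept comment="Enable WebFig Remote access"

# Hardened: same ports, but only from the administrator's address (placeholder).
# New rules are appended at the END of the chain, where the default drop rule
# would already have matched; place-before=0 inserts them at the top instead.
# Check the resulting order with: /ip firewall filter print
/ip firewall filter
add chain=input protocol=tcp dst-port=80 src-address=203.0.113.10 action=accept comment="Enable WebFig Remote access" place-before=0
add chain=input protocol=tcp dst-port=8291 src-address=203.0.113.10 action=accept comment="Enable Winbox Remote access" place-before=0
add chain=input protocol=tcp dst-port=22 src-address=203.0.113.10 action=accept comment="Enable SSH Remote access" place-before=0

# Defence in depth: the service itself can also refuse other sources,
# independently of the firewall rules.
/ip service
set www address=203.0.113.10/32
set winbox address=203.0.113.10/32
set ssh address=203.0.113.10/32

# Verification: every accept rule in the input chain should carry a src-address.
/ip firewall filter print where chain=input action=accept
```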

Remote Connection to the Router via Public IP

WebFig:

  1. In the browser, enter the URL in the format http://IPofRouter:port, or http://IPofRouter:port/webfig.
  2. On the login screen, enter your username and password.
  3. Click on Login.

WinBox:

  1. In the Connect To field, enter the router according to the preferred identifier:
    • IP address:WinboxPort - e.g., https://111.222.33.1:8291
    • DNS Name:WinboxPort - e.g., adgfs54gsdfg.sn.mynetname.net:8291
  2. Enter your username and password.
  3. Click on Connect.

It is possible to connect to the MikroTik router via a standard SSH connection in the usual way.

  • On Windows using an SSH client, such as PuTTY
  • On Linux/Mac via the ssh command in the terminal:
    ssh user@router_ip -p 22

Remote Access to RouterOS via VPN

Using a VPN creates a virtual private network, so in terms of functionality and access there is no difference from accessing the router on a private network. The router is available at its local address, and the VPN tunnel is encrypted. This makes it a suitable solution even for WebFig, which is available through a browser on every OS, not just on Windows as is the case with WinBox.

  1. Activating a Pre-configured VPN Service

    • In the QuickSet window, section "VPN", check the VPN Access option.
    • Choose a password for the vpn user.
    • Confirm with the Apply Configuration button.
  2. MikroTik Cloud in RouterOS

    Activating the pre-configured service should have automatically activated DDNS. Verify that it is indeed activated.

    • Go to the section IP/Cloud
    • Check that DDNS Enabled is checked (= service is active)
    • It may also be necessary to check Use Local Address
    • If you see the warning "Router is behind a NAT. Remote connection might not work.", your router may be connected to the internet through another device performing NAT (Network Address Translation), typically another router or modem from your Internet Service Provider (ISP). Depending on the settings of this upstream device, access may or may not be possible.
    • If you see another window, BTH VPN, ignore it (leave it revoked and disabled).
    • Save the Public Address and DNS Name - both can be used for server access
    • Click on Apply

Configuring VPN (L2TP server) in RouterOS

  1. Setting up the L2TP Server

    • Go to the section PPP, tab Interface.
    • Click on the L2TP Server button.
      • Ensure that Enabled is checked
      • Default Profile: default-encryption
      • Use IPsec activates IPsec (Internet Protocol Security) for securing the transmitted data:
        • Yes: IPSec is preferred and will be used to secure the L2TP connection if possible. If IPSec cannot be used, the L2TP connection is still established without it.
        • Required: IPSec is strictly required. An L2TP connection will not be allowed without a successful IPSec setup.
      • The hidden value in IPSec Secret (the shared key) matches the password set for the vpn user. It is the key used for authenticating IPSec connections. It must be shared with the clients that will connect to the VPN and must be the same at both ends.

        For security reasons, it is advisable to change the IPSec secret here so that it is not the same as the vpn user's password. Changing it also updates the Secret of the identity in IP/IPSec, Identities tab (it is the same key).

        At the same time, it is advisable to limit Service from any to l2tp.

  2. IPSec Configuration

    • Go to the section IP/IPSec.
    • In the Peers tab, you should see the created peer l2tp-in-server:
      • Name: l2tp-in-server
      • Address: ::/0 (allowing connection from any IP address - can be modified)
      • Profile: default
      • Exchange mode: main

      If you do not have any peer here, or if you want to define your own allowing IP restrictions, create a new peer - click on the Add New button and add a peer.

      • Name: Choose the name of the peer
      • Address: 0.0.0.0/0 (allowing connection from any IP address)
    • In the Identities tab, you should see the following:
      • Peer: l2tp-in-server
      • Auth. Method: pre-shared-key

      If you do not have any identity here, or if you want to work with your own allowing IP restrictions, click on the Add New button.

      • Peer: Choose the name of the peer created in the previous step
      • Auth. Method: pre-shared-key
      • Secret: enter the pre-shared key (choose one). The pre-shared key is a secret key used at both ends of an IPSec VPN tunnel for authentication and securing communication.
    • In the Proposals tab, ensure that you have set and enabled the default proposal.
  3. PPP

    Go to the section PPP.

    PPP profile

    • In the Profiles tab, you should see 2 profiles:
      • default
      • default-encryption

        For this profile, Local Address=192.168.89.1 and Remote Address=vpn should be set.

        Remote Address=vpn refers to the pool defined in IP/Pool. There, the range of addresses for VPN connections is set to 192.168.89.2-192.168.89.255.

    PPP user

    • In the Secrets tab, you should see the following user:
      • Name: vpn - the username for connection through VPN
      • Password: **** - the password for the user to connect through VPN
      • Profile: default

      For security reasons, it is recommended to click on the user and rename it. Note that renaming will remove the checkmark from VPN in QuickSet - this is due to the fact that the user vpn, to which the service is linked, will no longer exist.

      At the same time, you can click the Add New button to add more users, for example a separate user for each device. Each user connects to the VPN with their own name and password, while all of them share the common IPSec Secret key.

      • Name and Password: enter them for the user who will be able to connect via VPN.
      • Service: choose l2tp.
      • Profile: set to the same profile you used or created for the L2TP server.
  4. Setting up Firewall

    • Comment: Enable WebFig Remote access
    • Chain: input
    • Protocol: tcp
    • Dst. Port: The port assigned for the service. By default 80 for www and 443 for www-ssl.
    • Src. Address: 192.168.89.2-192.168.89.255
    • Action: accept

    Note: Winbox runs natively only on 64-bit Windows devices.

    • Comment: Enable Winbox Remote access
    • Chain: input
    • Protocol: tcp
    • Dst. Port: The port assigned for the winbox service. By default, this is port 8291.
    • Src. Address: 192.168.89.2-192.168.89.255
    • Action: accept

    • Comment: Enable SSH Remote access
    • Chain: input
    • Protocol: tcp
    • Dst. Port: The port assigned for the ssh service. By default, this is port 22.
    • Src. Address: 192.168.89.2-192.168.89.255
    • Action: accept

    Save the rule by clicking the Apply button.

    IPSec rules

    • Go to the section IP/Firewall.
    • Allowing L2TP and IPSec (IKE + ESP) Traffic in Firewall Rules

      In the Filter Rules tab, check for the presence of the following rules, or add them.

      • Allowing IKE (Internet Key Exchange) traffic:
        • Comment: Allow IKE for IPSec
        • Chain: input
        • Protocol: udp
        • Dst. Port: 500
        • Action: accept
      • Allowing NAT (NAT Traversal) traffic:
        • Comment: Allow IPSec NAT-T
        • Chain: input
        • Protocol: udp
        • Dst. Port: 4500
        • Action: accept

        (Optional) In the General section, you can also specify In. Interface as your WAN interface to increase security by restricting the rule only to traffic coming from the internet.

      • Allowing L2TP traffic:
        • Comment: Allow L2TP
        • Chain: input
        • Protocol: udp
        • Dst. Port: 1701
        • Action: accept
      • Allowing ESP (Encapsulating Security Payload) traffic:
        • Comment: Allow ESP for IPSec
        • Chain: input
        • Protocol: ipsec-esp
        • Action: accept
    • Allowing NAT for VPN Devices

      If devices connected through the VPN need access to the internet, NAT rules are required so that their packets can pass through the router. In IP/Firewall, NAT tab, check for the presence of the following rule, or add it.

      • MASQUERADE for VPN Clients:
        • Comment: NAT for VPN Clients
        • Chain: srcnat
        • Src. Address: The range of IP addresses that are assigned to VPN clients (e.g., 192.168.89.0/24, if you used this range for VPN clients).
        • Out. Interface: The interface leading to your ISP (typically ether1 or another WAN interface).
        • Action: masquerade
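Steps 1 to 4 of this section (L2TP server, IPSec, PPP and firewall) and the NAT rule, expressed as RouterOS CLI commands. This is an added example, not configuration from the original page or from MikroTik; the secrets are placeholders, ether1 is assumed to be the WAN interface, and the `ipsec-policy=in,ipsec` matcher on the L2TP rule goes beyond the guide by accepting UDP 1701 only when it arrives inside the IPSec tunnel.

```routeros
# 1. L2TP server: IPsec required (not merely "yes"), with its own PSK that
#    is NOT the same as any user's password.
/interface l2tp-server server
set enabled=yes default-profile=default-encryption use-ipsec=required ipsec-secret="CHANGE-ME-IPSEC-PSK"

# 2. Address pool and PPP profile for VPN clients (same values as the guide).
/ip pool
add name=vpn ranges=192.168.89.2-192.168.89.255
/ppp profile
set default-encryption local-address=192.168.89.1 remote-address=vpn

# 3. One PPP secret per device, each limited to the l2tp service so the
#    credentials cannot be reused for PPTP, SSTP or other PPP services.
/ppp secret
add name=alice-laptop password="CHANGE-ME-USER-PASSWORD-1" service=l2tp profile=default-encryption
add name=alice-phone password="CHANGE-ME-USER-PASSWORD-2" service=l2tp profile=default-encryption

# 4. Input-chain rules. As with any accept rule, they must sit above the
#    default drop rule (use place-before=<index> after /ip firewall filter print).
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept comment="Allow IKE and IPSec NAT-T"
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept comment="Allow ESP for IPSec"
# L2TP control traffic only after IPsec has decapsulated it; plain L2TP
# arriving from the internet never matches and falls through to the drop rule.
add chain=input in-interface=ether1 protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept comment="Allow L2TP (IPsec only)"
# Management services reachable only from the VPN client range, never from the WAN.
add chain=input protocol=tcp dst-port=22,80,443,8291 src-address=192.168.89.0/24 action=accept comment="WebFig/WinBox/SSH from VPN clients"

# 5. Internet access for VPN clients through the router.
/ip firewall nat
add chain=srcnat src-address=192.168.89.0/24 out-interface=ether1 action=masquerade comment="NAT for VPN Clients"

# Checks once a client has connected: the IPsec peer, the PPP session and
# the dynamic l2tp-in interface should all be listed.
/ip ipsec active-peers print
/ppp active print
/interface l2tp-server print
```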

Setting up VPN on the Client Device

Windows

  1. Open the Ethernet menu
  2. Go to the "Network and Sharing Center" menu (Control Panel / Network and Internet / Network and Sharing Center)
  3. Click on the option "Set up a new connection or network"
  4. Select "Connect to a workplace" and click "Next"
  5. Choose the option "Use my Internet connection (VPN)"
  6. Fill in the details for the VPN connection
    • Internet address:
    • Destination name: Choose any network name - e.g., the name of the router
  7. Go to Settings → VPN, where you will find your newly created VPN network. Click on it and select "Advanced options" and then "Edit"
    • Fill in the username and password

macOS

  1. Click on the Apple icon in the upper left corner of the screen and select System Preferences.
  2. In System Preferences, click on Network.
  3. Adding a New VPN on MacOS

    • Click the + button at the bottom of the list on the left side of the window to add a new service.
    • In the drop-down menu Interface, select VPN.
    • For the VPN type, select L2TP over IPSec.
    • As the service name, you can enter any descriptive name, for example, "Mikrotik VPN".
    • Click Create
  4. Configuring the VPN

    • In the Configuration field, leave the default setting or add a new configuration as needed.
    • Enter the public IP address or DNS name of your Mikrotik router in the Server Address field.
    • Enter the username for the VPN in the Account Name field.
    • Click on Authentication Settings... to enter the password and pre-shared key:
      • In the Password field, enter the password for your VPN account.
      • In the Shared Secret field, enter the pre-shared key for IPSec that you set up on the Mikrotik router.
    • In Advanced, make sure the option Send all traffic over VPN connection is checked if you want all internet traffic of your MacBook to go through the VPN. This can be useful for security or accessing network resources that are otherwise unavailable.
    • Click Apply to save your authentication settings.
  5. Connecting to the VPN

    • Check the option Show VPN status in menu bar for easy access to connecting and disconnecting.
    • Click Apply to save your VPN configuration.
    • Now you can click on Connect to establish a VPN connection with the Mikrotik router.

Remote Connection to the Internal Network

Through the VPN on the router, an internal network is created which includes all devices connected to the router. Once connected to the router's VPN, you can reach any device, including the router itself, via its local IP address (listed in the IP/ARP section).

Procedure for Accessing Devices Behind the Remote Router

On Windows, connect to the router's VPN from the VPN section of Settings.

On macOS, connect to the router's VPN from the menu bar or the Network settings.

Once you are connected to the router's VPN network, you can connect to both the router and the end devices in any way - local IP address or URL, SSH, etc.

DNS Alias for Public IP

If the router has a dynamic public IP address, connecting by IP requires always knowing the current address. With the DDNS (Dynamic Domain Name System) service, RouterOS can keep its current IP address registered under a DNS name in the mynetname.net service. You then connect by entering the router's DNS name instead of the IP, and the mynetname.net service automatically keeps that name pointed at the current IP.

The mynetname.net service thus provides a DNS alias for your IP address, just as your ISP might (often you can choose your own alias as a subdomain of the ISP's domain). The main advantage of a DNS name is that it is easier to remember than an IP address.

  • In RouterOS, in the menu IP/Cloud, check DDNS Enabled and Use Local Address.
  • Confirm the settings by clicking the Apply button.
  • Save the generated DNS Name referring to the mynetname.net service

After enabling DDNS, the DNS Name can be used instead of the IP address.