RouterOS services on Mikrotik router

Author: Vladimír Nepor
Updated on

Overview of Services Running on a Mikrotik Router

Existing services in the Mikrotik Router are found in the menu IP/Services. Through this menu, it is possible to enable, disable, and edit these services.

Service Parameters:

  • Name: Service name
  • Port: Port on which the service listens for requests
  • Available From: List of IP addresses for which the service is allowed. If empty, it is available for all IPs.
  • VRF: (Virtual Routing and Forwarding) refers to the ability to restrict access to the router's network services (such as SSH, WinBox, WebFig, etc.) only to a specific VRF. VRF is a technology that allows the existence of multiple independent routing tables on a single physical router. By using VRF in service settings, you can specify that a certain network service will be available only for network traffic that is part of a certain VRF - for example, WebFig will only be available for the network's administrative segment.
  • Certificate: certificate used by services for secure connection.
  • TLS version: version of the Transport Layer Security protocol used for encrypting and securing communication between the client and the server.

Description of Services:

  • api / api-ssl

    The API (Application Programming Interface) service, or its encrypted variant Api-ssl, allows remote automated management and configuration of Mikrotik devices using scripts or custom applications. The API provides programmatic access to RouterOS functions, enabling developers and network administrators to interact with the router programmatically instead of manual configuration through the graphical user interface or command line.

  • ftp

    The FTP (File Transfer Protocol) service facilitates the transfer of files between a computer and the router. FTP is a standard network protocol used to transfer files from one host to another over TCP/IP networks, such as the internet.

  • ssh

    The SSH (Secure Shell) service is a protocol used for secure remote access to the router over the network. SSH provides an encrypted channel for logging in, transferring files, and other network services between the client and the Mikrotik router.

  • telnet

    The Telnet service is an older network protocol used for remote access to a device's command line over the network. Unlike SSH, Telnet does not provide an encrypted connection, which means all data sent between the client and server, including login credentials, is transmitted in readable form. This poses a significant security risk.

  • winbox

    The Winbox service provides an interface for remote access to Mikrotik devices through Winbox, which is a native graphical configuration tool from Mikrotik. Winbox allows administrators to easily configure and manage Mikrotik devices using a user-friendly graphical interface similar to that known from the Webfig environment - a web interface at the router's local address (typically 192.168.88.1).

  • www

    The WWW service denotes the web server integrated into the Mikrotik router. This service allows remote access to the device's web interface, known as WebFig, through a web browser. WebFig provides a graphical user interface for configuring and managing the router, similar to Winbox, but without the need for any special client – just through a web browser.

  • www-ssl

    WWW service utilizing SSL/TLS encryption for securing communication between the web browser and the Mikrotik router. A valid SSL certificate is required for using HTTPS. The service is disabled by default.

Console Commands:

Services are available at the address /ip service. Listing is done by the command print.

  • Disabling a service: set [service_name] disabled=yes, e.g., set winbox disabled=yes
  • Enabling a service: set [service_name] disabled=yes, e.g., set winbox disabled=no
  • Restricting a service to access from specific IP addresses: set winbox address="192.168.88.0/24,10.5.8.0/24"
    • Changing addresses by rewriting: set winbox address="192.168.80.0/24,12.5.8.0/24"
    • Removing restrictions: set winbox address=""
  • Changing the port of a service: /ip service set winbox port=2222

Certificates for Router Services

  • Generating a Certificate in RouterOS

    /certificate add name=myCert common-name=my.router.com key-usage=key-cert-sign,crl-sign
    • name: the name of the certificate, e.g., myCert
    • common-name: the fully qualified domain name (FQDN) or IP address of the device for which the certificate is issued
    • key-usage: the purpose of the key
      • key-cert-sign allows this certificate to sign other certificates
      • crl-sign allows the certificate to sign a list of revoked certificates (CRL)
      • In the context of a self-signed certificate for general use, digital-signature for server authentication can be considered.

  • Signing the Certificate

    /certificate sign myCert ca-crl-host=my.router.com name=myCert days=365
    • myCert you specify the name of the certificate request from the previous step.
    • days specifies the desired validity of the certificate

  • Assigning the Certificate to a Service

    /ip service set www-ssl certificate=myCert