Export vs binary backup — what each one is for, when to use which, and how to automate both. Plus the complete Netinstall recovery procedure for when a router won't boot.
Most MikroTik operators have done a backup exactly once — right after setup — and never touched it again. Then one day the flash storage fails, a firmware update goes wrong, or someone accidentally deletes all the firewall rules, and that backup from 18 months ago is all that exists. This tutorial builds a backup discipline: what each format does, when to use which, how to automate both offsite, and what to do when a router won't even boot.
The Netinstall section at the end is the one you'll be grateful you read before you need it. Recovering a completely unresponsive MikroTik is a 15-minute process if you know the steps. It's a panic spiral if you don't.
01
They are not alternatives — they serve different purposes and you should run both regularly.
| Feature | /export (.rsc) | /system backup (.backup) |
|---|---|---|
| Format | Plain text — RouterOS CLI commands | Binary — proprietary format |
| Readable | Yes — open in any text editor | No — binary blob |
| Includes passwords | No — passwords are omitted | Yes — all credentials included |
| Includes certificates | No | Yes |
| Migrate to different hardware | Yes — hardware-independent | Partial — same board family recommended |
| Migrate to different ROS version | Usually yes — commands are stable | Same version recommended |
| Restore method | Import via CLI or paste | System › Backup › Restore or drag to Files |
| Git versioning | Yes — text diffs work perfectly | No — binary, not diff-able |
| Best for | Auditing, migration, version control, email backup | Disaster recovery, quick same-device restore |
The correct backup strategy is both: a nightly export emailed offsite (readable, portable, auditable) and a weekly binary backup saved locally or to FTP (complete state including credentials).
02
Export generates a .rsc file of CLI commands. You can read it, diff it, paste it, and restore from it on any MikroTik hardware.
# Export entire config to a file on router flash [admin@MikroTik] > /export file=Hotel-01-backup # Creates Hotel-01-backup.rsc on the router's flash storage # Export with passwords included (for disaster recovery — store securely) [admin@MikroTik] > /export file=Hotel-01-full show-sensitive # WARNING: this includes all passwords in plain text. # Treat this file with the same care as your password manager. # Export only a specific section [admin@MikroTik] > /ip firewall filter export file=firewall-rules [admin@MikroTik] > /interface bridge export file=bridge-config # Partial exports are useful for documentation or sharing specific configs. # View export in terminal (without saving to file) [admin@MikroTik] > /export # Prints entire config to terminal. Pipe through less: # /export | /file print (not supported — use file= and view via Winbox Files) # List files on flash storage [admin@MikroTik] > /file print # NAME TYPE SIZE DATE 0 Hotel-01-backup.rsc .rsc 48KiB may/02 02:00:01
.rsc or .backup file and click Download to save to your laptop. You can also drag files directly from this panel to your desktop. Use Upload to push a restore file back to the router.# Method A: import via CLI (after uploading .rsc to router flash) [admin@MikroTik] > /import file=Hotel-01-backup.rsc Opening script file Hotel-01-backup.rsc Script file loaded and executed successfully # The .rsc file is executed as a script — each line is a CLI command. # Any command that fails (e.g. duplicate entry) prints an error but # continues executing — it won't stop at the first failure. # Method B: paste into terminal (for small configs or partial restore) # Open the .rsc file in a text editor, copy all lines, # paste into Winbox terminal. Same effect as import. # Method C: clean restore — reset first, then import [admin@MikroTik] > /system reset-configuration \ no-defaults=yes \ run-after-reset=Hotel-01-backup.rsc # Clears ALL config, then immediately runs the .rsc on reboot. # Use this for a fresh start from a known-good export. # WARNING: router will reboot and you will lose your SSH session.
03
The binary backup captures everything the export misses: user passwords, certificates, SSH keys, and system settings. Use it for same-device disaster recovery.
# Create binary backup (without password encryption) [admin@MikroTik] > /system backup save name=Hotel-01 Saving system configuration Configuration backup saved # Creates Hotel-01.backup on flash storage. # File size is larger than .rsc — includes everything. # Create encrypted binary backup (recommended for offsite storage) [admin@MikroTik] > /system backup save \ name=Hotel-01-secure \ password=YourStrongBackupPassword # Encrypted with AES. Requires password to restore. # Store the password separately from the backup file. # Restore from binary backup [admin@MikroTik] > /system backup load name=Hotel-01 Restore and reboot? [y/N]: y # Router reboots and restores to the backed-up state. # All current config changes since the backup are lost. # Or in Winbox 4.1:
.backup file on flash. Set a password for encrypted backups stored offsite. Restore loads the file and immediately reboots — upload the file via Files panel first if it's not already on the router.A .backup file created on RouterOS 7.10 may not restore cleanly on 7.15. MikroTik generally supports restoring from recent previous versions, but not from significantly older ones, and not from a completely different major version. Always note the RouterOS version in your backup filename: Hotel-01-v7.15.backup. If you're restoring to a new device after hardware replacement, use the .rsc export instead — it's version-independent and works across hardware models.
04
Local backups protect against config mistakes. Offsite backups protect against hardware failure. Run both on a schedule.
# Script name: ftp-backup # Run nightly at 03:00 :local hostname [/system identity get name] :local date [/system clock get date] :local filename ($hostname . "-" . $date) # Create both backup types /export file=$filename /system backup save name=$filename # Upload .rsc to FTP server :do { /tool fetch \ address=192.168.20.100 \ src-path=($filename . ".rsc") \ dst-path=("/" . $hostname . "/" . $filename . ".rsc") \ user=backupuser \ password=ftppassword \ upload=yes \ mode=ftp :log info ("FTP backup uploaded: " . $filename) } on-error={ :log warning ("FTP backup FAILED: " . $filename) } # Clean up old local files — keep last 7 :local rscFiles [/file find where name~($hostname) \ and name~".rsc"] :while ([:len $rscFiles] > 7) do={ /file remove ($rscFiles->0) :set rscFiles [/file find where name~($hostname) \ and name~".rsc"] }
# USB appears as a disk in /file — check it's present first :local usbDisk [/file find where type=disk] :if ([:len $usbDisk] = 0) do={ :log warning "USB disk not found — backup skipped" :error "no USB" } :local diskName [/file get ($usbDisk->0) name] :local hostname [/system identity get name] :local date [/system clock get date] :local target ($diskName . "/" . $hostname . "-" . $date) /export file=$target /system backup save name=$target :log info ("USB backup saved to " . $target) # Files are saved directly to the USB disk path. # Useful for routers at remote sites where email/FTP isn't reliable.
05
When RouterOS won't boot, Netinstall reinstalls the OS over Ethernet from a Windows PC. Fifteen minutes from brick to working router.
Netinstall is a Windows utility that boots a MikroTik device into a special network bootstrap mode and writes a fresh RouterOS installation directly to its flash. It works on completely unresponsive routers — no RouterOS running, no Winbox access, no SSH. As long as the hardware isn't physically damaged, Netinstall can recover it.
Download Netinstall from mikrotik.com/download — Windows only. Also download the RouterOS .npk package for your board architecture (ARM, MIPSBE, x86, etc.). Check your board's architecture in /system resource print before it bricks, or look it up on the MikroTik wiki by model name.
Configure your PC's Ethernet adapter to a static IP: 192.168.0.1 / 255.255.255.0, no gateway, no DNS. Connect a direct Ethernet cable from your PC to the MikroTik's ether1 port (or the port labelled "Boot" on some models). Disable WiFi on your PC — Netinstall must use only the wired adapter.
Open Netinstall as Administrator. Set the "Net booting" IP to 192.168.0.100 (this is the IP Netinstall will assign to the router during flashing). Tick "Net boot" to enable. Select the .npk package file. Do not tick "Keep old configuration" if you're doing a clean recovery.
Boot the MikroTik into Netinstall mode. Hold the Reset button while connecting power. Keep holding until the ACT/USR LED starts blinking rapidly (usually 3–5 seconds). Release. The router is now in Netinstall network boot mode. The device should appear in Netinstall's device list within 10–15 seconds.
Select the device in Netinstall and click Install. Flashing takes 1–3 minutes. The router reboots automatically when done. Do not disconnect power during this process.
After reboot, connect to the router at 192.168.88.1 (default IP after clean install). Username admin, no password. Immediately upload your latest .rsc export via Winbox Files and run /import file=your-backup.rsc. Your full config is restored.
# After Netinstall, router is at factory defaults. # Connect via Winbox to 192.168.88.1, admin / no password. # Upload your .rsc file via Files panel, then: [admin@MikroTik] > /import file=Hotel-01-backup.rsc Script file loaded and executed successfully # Then set the admin password (not in the export): [admin@MikroTik] > /user set admin password=YourNewPassword # Router is back. Total recovery time from brick: ~15 minutes.
Three things to check: first, your PC's Ethernet adapter must be set to static IP 192.168.0.1 — DHCP won't work. Second, disable Windows Firewall temporarily — it can block Netinstall's TFTP traffic. Third, make sure you're holding Reset before connecting power, not after. On some models the boot sequence is very fast — you have less than 1 second after power-on to trigger network boot mode. If it still doesn't work, try a different Ethernet cable and confirm you're on ether1 specifically.
After Netinstall installs a fresh RouterOS 7.15, attempting to restore a .backup file from RouterOS 7.10 often results in a partial restore or boot loop. The binary backup format is version-sensitive. The correct approach: after Netinstall, restore from the .rsc export (which is version-independent), then manually reconfigure any passwords and certificates. This is exactly why you need both backup types — the .rsc is your safety net when the binary backup can't be used.
The 3-2-1 rule for router configs. Three copies: the live router, a local backup on your NAS or FTP server, and one offsite (email or cloud). Two formats: .rsc export and binary .backup. One offsite location. If you only have a local backup and the router room floods or burns, you have nothing. Email is the simplest offsite — a nightly .rsc in your inbox means you can restore from anywhere with just a laptop.
Version the export in git. Because .rsc is plain text, it's perfect for git. git diff between two exports shows you exactly what changed between Monday and Friday — which firewall rules were added, which IPs changed, which VLANs were modified. For a property managed by multiple people, this audit trail is invaluable. Even a private GitHub repo with a nightly commit script is enough.
Keep a Netinstall USB stick at every site. A USB stick with the Netinstall executable and the correct RouterOS .npk for each site's hardware model means any staff member can hand it to a technician and recovery can begin without waiting for downloads. Label it with the board model and the last tested RouterOS version.
Test your restore procedure before you need it. Once per year, take a spare router (or a CHR VM), do a clean Netinstall, restore from your latest backup, and verify everything works. The backup that has never been tested is not a backup — it's a hope.
Takeaways
.rsc export for portability, auditability, and cross-version restore. Binary .backup for complete same-device disaster recovery including passwords and certificates. One without the other leaves gaps..rsc, you must reset the admin password and any API credentials manually. Document these separately from the backup file..rsc export for restore.192.168.0.1 on your PC, disable WiFi. The whole process takes 15 minutes. Read the procedure before you need it, not during a 02:00 outage..rsc not binary backup. The fresh RouterOS version may differ from the backup version. The text export is always safe to import regardless of version.NOCTIS sets up automated backup systems for every property we manage — nightly exports emailed offsite, binary backups to local NAS, and Netinstall recovery kits at each site. If your router has never been backed up, one hardware failure away from starting from scratch. Book a call to fix that.
Book a Discovery Call →