You know the theory. Now learn to type it. The RouterOS CLI is faster, more precise, and more scriptable than Winbox — this tutorial gets you comfortable in it from scratch.
Every Winbox click maps to a CLI command. Once you know that, the terminal stops being intimidating and starts being faster. You can configure 20 firewall rules in the time it takes to click through 3 in Winbox. You can paste a script, grep output, and pipe results — none of which Winbox supports. And in the field, when Winbox won't connect, SSH always will.
This tutorial is built for MTCNA students who already understand what an IP address, a bridge, and a firewall chain are — but who have been avoiding the black box at the bottom of Winbox. We start with zero-risk read commands, build up to confident edits, and finish with the keyboard shortcuts and patterns that make experienced operators fast.
01
Two ways in — SSH from your machine, or the built-in terminal in Winbox 4.1. Both give you the same RouterOS shell.
The easiest starting point. Open Winbox 4.1, connect to your router, then click New Terminal in the top toolbar. A terminal panel opens inside the Winbox window. You're already connected — no SSH setup needed.
SSH gives you the same shell but from any device on the network — or remotely via Tailscale. RouterOS runs an SSH server on port 22 by default.
```
# Replace 192.168.88.1 with your router's IP address
user@laptop:~$ ssh admin@192.168.88.1
admin@192.168.88.1's password:
# Type your password — nothing appears as you type, that's normal.

MMM MMM KKK TTTTTTTTTTT KKK
...
RouterOS 7.15 (c) 1999-2026
Press F1 for help

[admin@MikroTik] >        ← you are now in the RouterOS shell
```
If SSH is refused, check two things. First: /ip service print — SSH (port 22) must not be disabled. Second: your firewall input chain must accept TCP port 22 from your source IP. If you locked SSH to a management VLAN (as recommended in the Firewall tutorial), you must connect from a device on that VLAN. If you're locked out entirely, use Winbox terminal instead — it bypasses the firewall.
02
The prompt tells you exactly where you are and who you are. Read it before you type anything.
The RouterOS prompt has three parts:
```
[admin@MikroTik] >
 │     │         │
 │     │         └─ > means you're at the root context
 │     └─────────── hostname of this router
 └───────────────── username you logged in as

[admin@MikroTik] /ip/firewall/filter>
 │               │
 │               └─ current context path — like a folder you're "inside"
 └───────────────── username@hostname (always shown)
```
The context (the path after the hostname) is RouterOS's equivalent of a directory. When you navigate into a context, commands apply to that section of the router. /ip/firewall/filter> means every command you type acts on firewall filter rules. This is why you don't have to type the full path every time.
```
# Start at root
[admin@MikroTik] > ip firewall filter
[admin@MikroTik] /ip/firewall/filter>        ← now inside filter context

# Go up one level with ".."
[admin@MikroTik] /ip/firewall/filter> ..
[admin@MikroTik] /ip/firewall>

# Go back to root with "/"
[admin@MikroTik] /ip/firewall> /
[admin@MikroTik] >

# Jump directly to any context from anywhere using full path
[admin@MikroTik] > /interface bridge
[admin@MikroTik] /interface/bridge>
```
03
You don't need to memorise commands. Tab completes them. ? lists what's available. These two keys make the CLI faster than Winbox.
Press Tab after typing the first few letters of any command or parameter. RouterOS completes it. If there are multiple matches, press Tab again to cycle through them.
```
[admin@MikroTik] > in[Tab]
interface                        ← completed to "interface"
[admin@MikroTik] > interface bri[Tab]
interface bridge                 ← completed to "bridge"
[admin@MikroTik] > ip fir[Tab] filt[Tab] pr[Tab]
ip firewall filter print         ← entire command built with Tab

# Tab also completes parameter names and values:
[admin@MikroTik] /ip/firewall/filter> add chain=[Tab]
forward  input  output           ← shows valid options for chain=
```
Type ? at any point to see what commands or parameters are available. Works at the root, inside a context, mid-command, or after a parameter name.
```
# ? at root — lists all top-level menus
[admin@MikroTik] > ?
interface -- Interface configuration
ip        -- IP configuration
bridge    -- Bridge configuration
routing   -- Routing configuration
system    -- System settings
...

# ? after a command — lists parameters
[admin@MikroTik] /ip/firewall/filter> add ?
action           -- Rule action (accept/drop/reject/log...)
chain            -- Chain name (input/forward/output)
comment          -- Short description
connection-state -- established/new/related/invalid
dst-address      -- Destination address
...

# ? mid-parameter — shows valid values
[admin@MikroTik] /ip/firewall/filter> add action=?
accept  drop  reject  log  passthrough  tarpit  return
```
Press F1 at any prompt to see a formatted help page for the current context. More detailed than ?, less cluttered than the wiki.
Press ↑ to cycle through previously typed commands. Saves enormous time when repeating similar commands with minor changes.
The professional workflow: type 2–3 characters, press Tab, check the autocomplete, continue. Never type a full command from memory. This catches typos before they execute and helps you discover parameter names you didn't know existed. If you're unsure whether a command is safe to run, use ? to read what it does first.
04
Start here. These commands read and display information — they change nothing. Run them freely on any live router.
Every section of RouterOS has a print command. It's always safe. It shows you the current state of whatever context you're in. This is where all CLI sessions should begin — understand what's there before you change anything.
```
# Who am I connected to? What version?
[admin@MikroTik] > /system identity print
  name: MikroTik
[admin@MikroTik] > /system resource print
       uptime: 14d 06:22:11
      version: 7.15 (stable)
   board-name: RB750Gr3
     cpu-load: 3 %
  free-memory: 89.6MiB

# What interfaces exist?
[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #    NAME     TYPE    MTU   L2MTU  MAX-L2MTU
 0  R ether1   ether   1500  1598   4074
 1  R ether2   ether   1500  1598   4074
 2  R wlan1    wlan    1500  1600   2290
 3  R bridge1  bridge  1500

# What IP addresses are assigned?
[admin@MikroTik] > /ip address print
 #  ADDRESS          NETWORK       INTERFACE
 0  192.168.88.1/24  192.168.88.0  bridge1
 1  192.168.10.1/24  192.168.10.0  vlan10

# What routes exist?
[admin@MikroTik] > /ip route print
 #    DST-ADDRESS  GATEWAY      DISTANCE
 0  A 0.0.0.0/0    192.168.1.1  1          ← default route (A = active)

# What firewall rules are configured?
[admin@MikroTik] > /ip firewall filter print
 0  chain=input action=accept connection-state=established,related
 1  chain=input action=drop connection-state=invalid
 2  chain=input action=drop (final drop-all)

# What DHCP leases are active?
[admin@MikroTik] > /ip dhcp-server lease print
 #  ADDRESS         MAC-ADDRESS        HOST-NAME  STATUS
 0  192.168.10.100  AA:BB:CC:DD:EE:FF  staff-pc   bound
```
print can be filtered with where to narrow results. This is one of the most useful CLI patterns — equivalent to searching in Winbox but faster.
```
# Show only running interfaces
[admin@MikroTik] > /interface print where running=yes

# Show only active routes
[admin@MikroTik] > /ip route print where active=yes

# Show firewall rules that use action=drop
[admin@MikroTik] > /ip firewall filter print where action=drop

# Find a DHCP lease by hostname (~ means "contains")
[admin@MikroTik] > /ip dhcp-server lease print where host-name~"camera"
 0  192.168.40.12  AA:BB:CC:11:22:33  camera-lobby  bound

# Show the default route only
[admin@MikroTik] > /ip route print where dst-address=0.0.0.0/0
```
Regular print shows a summary table. Add detail to see every parameter of every entry — useful when debugging or when you need a field that's hidden in the table view.
```
[admin@MikroTik] > /interface bridge print detail
 0 R name="bridge1" mtu=1500 actual-mtu=1500 l2mtu=1596
     arp=enabled arp-timeout=auto mac-address=AA:BB:CC:DD:EE:FF
     protocol-mode=rstp fast-forward=yes vlan-filtering=yes
     frame-types=admit-all
# Every field is shown, including ones not visible in regular print.
```
05
Every RouterOS command follows the same pattern. Learn the pattern once and you can construct any command without memorising it.
The path can be given inline (before the verb) or you can navigate into the context first. Both are equivalent:
```
# Style A: full inline path (good for scripts and one-liners)
[admin@MikroTik] > /ip firewall filter print

# Style B: navigate first, then command (good for interactive sessions)
[admin@MikroTik] > /ip firewall filter
[admin@MikroTik] /ip/firewall/filter> print

# Both produce identical output. Use Style A in scripts, Style B when
# making multiple changes to the same section interactively.
```
06
Add, set, remove, enable, disable — the five verbs that change things. Always print first, change second, verify third.
Type /system safe-mode before making changes on a live router. Safe mode gives you a 9-minute automatic rollback window — if you lock yourself out or break something, the router automatically reverts all changes when the timer expires. Confirm with Ctrl+X to keep changes, or just disconnect to roll back. This is non-negotiable on any router that has active users.
```
# ── ADD: create a new entry ───────────────────────────────────────────────
[admin@MikroTik] > /ip dns set servers=8.8.8.8,1.1.1.1
# No output = success. RouterOS is silent on successful changes.

[admin@MikroTik] > /ip firewall filter add \
    chain=input \
    protocol=tcp \
    dst-port=22 \
    src-address=192.168.10.0/24 \
    action=accept \
    comment="Allow SSH from MGMT VLAN"
# The \ at end of each line continues the command on the next line.
# This is just for readability — you can also type it all on one line.

# ── PRINT to verify what was added ────────────────────────────────────────
[admin@MikroTik] > /ip firewall filter print
 0  chain=input action=accept protocol=tcp src-address=192.168.10.0/24
    dst-port=22 comment="Allow SSH from MGMT VLAN"
# Always print after adding to confirm the rule looks correct.

# ── SET: edit an existing entry by row number ─────────────────────────────
[admin@MikroTik] > /ip firewall filter set 0 comment="SSH from MGMT only — updated"
# "0" = row number from print output. Only changes the specified field.

# ── SET using find — safer than hardcoded row numbers ─────────────────────
[admin@MikroTik] > /ip firewall filter set \
    [find comment~"SSH from MGMT"] \
    comment="SSH MGMT — reviewed May 2026"
# [find ...] locates entries by a field value instead of a fixed row number.
# This is safer in scripts — row numbers shift when rules are added/removed.

# ── DISABLE / ENABLE: toggle without deleting ─────────────────────────────
[admin@MikroTik] > /ip firewall filter disable 0
# Disabled entries show an X flag in print output — they exist but don't fire.
[admin@MikroTik] > /ip firewall filter enable 0

# ── REMOVE: delete an entry permanently ───────────────────────────────────
[admin@MikroTik] > /ip firewall filter remove 0
# Permanent. No confirmation prompt. Always print first to confirm
# the correct row number before removing.
```
After you remove row 0, what was row 1 becomes row 0, row 2 becomes row 1, and so on. If you're removing multiple entries in a loop, remove from the bottom up (highest number first), or use [find ...] selectors instead of row numbers. Removing row 0 twice in a row deletes two different entries.
[find ...] returns the internal ID of entries matching a condition. Use it with set, remove, enable, and disable instead of row numbers. It works even if rows are reordered.
```
# Find by comment (contains match)
[admin@MikroTik] > /ip firewall filter remove [find comment~"temp"]

# Find by exact value
[admin@MikroTik] > /interface disable [find name="ether3"]

# Find disabled entries and enable all of them
[admin@MikroTik] > /ip firewall filter enable [find disabled=yes]

# Find by chain and action together
[admin@MikroTik] > /ip firewall filter print \
    where chain=forward and action=drop
# print where also uses the same field=value syntax as find.
```
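A `~` match can select more entries than you expect, so it is worth resolving the selector, looking at what it matched, and only then acting. The script below is an added example, not part of the original tutorial; the "temp" marker and the limit of 5 are assumptions to adapt to your own rule set.

```routeros
# Added example. "temp" and the limit of 5 are assumed values.
# The outer { } keeps the :local variables in one scope when pasted into a terminal.
{
    # Resolve the selector once so every later step acts on the same entries.
    :local ids [/ip firewall filter find comment~"temp"]
    :local n [:len $ids]
    :put "selector matched $n rule(s)"

    # Show exactly which rules would be touched before anything changes.
    :foreach id in=$ids do={
        :local chain [/ip firewall filter get $id chain]
        :local action [/ip firewall filter get $id action]
        :local note [/ip firewall filter get $id comment]
        :put "  chain=$chain action=$action comment=$note"
    }

    # A loose pattern can match far more than intended; stop instead of guessing.
    :if ($n > 5) do={ :error "selector too broad, nothing changed" }

    # Disable rather than remove: the entries stay in the list and can be re-enabled.
    :foreach id in=$ids do={ /ip firewall filter disable $id }
}

# Once traffic has been checked with the rules disabled, delete them for good:
# /ip firewall filter remove [find comment~"temp" disabled=yes]
```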
07
These shortcuts work in every RouterOS terminal session. Memorise the top five and you'll edit ten times faster.
| Key | What it does |
|---|---|
| Tab | Autocomplete command, parameter, or value. Press twice to see all options. |
| ? | Show available commands or parameter options at current cursor position. |
| ↑ / ↓ | Cycle through command history. Edit the recalled command before pressing Enter. |
| Ctrl+C | Cancel current command or interrupt a running command (e.g. a long ping). |
| Ctrl+X | Confirm and exit safe mode, keeping all changes made during the session. |
| F1 | Show full help page for current context or command. |
| Home / End | Jump to beginning or end of the current input line. |
| Ctrl+A | Jump to start of line (same as Home — useful in SSH sessions). |
| Ctrl+E | Jump to end of line (same as End). |
| Ctrl+K | Delete from cursor to end of line — useful for rewriting the tail of a command. |
| Ctrl+U | Delete from cursor to start of line. |
| Ctrl+W | Delete the previous word. |
| / | Return to root context from anywhere. |
| .. | Go up one context level. |
| q or Q | Quit interactive output (e.g. a long print with many entries). |
08
Every Winbox action has a direct CLI equivalent. Once you see the mapping, the CLI stops being a foreign language.
| Winbox action | CLI equivalent |
|---|---|
| IP › Addresses › + Add | /ip address add address=192.168.10.1/24 interface=vlan10 |
| Bridge › VLANs › double-click to edit | /interface bridge vlan set [find vlan-ids=10] tagged=bridge1,ether2 |
| IP › Firewall › Filter › + Add | /ip firewall filter add chain=input action=drop comment="test" |
| IP › Firewall › Filter › tick checkbox to disable a rule | /ip firewall filter disable [find comment~"test"] |
| IP › DHCP Server › Leases (list) | /ip dhcp-server lease print |
| System › Identity (change hostname) | /system identity set name="Hotel-Router-01" |
| IP › Routes › + Add static route | /ip route add dst-address=10.0.0.0/8 gateway=192.168.1.254 |
| Tools › Ping (ping test) | /ping 8.8.8.8 count=4 |
| Tools › Torch (live traffic) | /tool torch interface=ether1 |
| System › Reboot | /system reboot |
09
Putting it all together: enter safe mode, read the current state, make a change, verify it, confirm.
This example adds a DNS server entry and verifies the result. It demonstrates the full discipline: safe mode → read → write → verify → confirm.
```
# Step 1: Enter safe mode (automatic rollback if something goes wrong)
[admin@MikroTik] > /system safe-mode
Entering Safe Mode
Press Ctrl+X to exit safe mode
[Safe Mode][admin@MikroTik] >
# Prompt now shows [Safe Mode] — changes will auto-revert in 9 minutes
# if you don't confirm with Ctrl+X.

# Step 2: Read current state
[Safe Mode][admin@MikroTik] > /ip dns print
          servers: 8.8.8.8
  dynamic-servers: 203.0.113.1
   use-doh-server:
# Currently only 8.8.8.8 — we want to add 1.1.1.1 as backup.

# Step 3: Make the change
[Safe Mode][admin@MikroTik] > /ip dns set servers=8.8.8.8,1.1.1.1
# No output = success.

# Step 4: Verify
[Safe Mode][admin@MikroTik] > /ip dns print
          servers: 8.8.8.8,1.1.1.1   ← both servers now listed

# Step 5: Test the change works
[Safe Mode][admin@MikroTik] > /ping 1.1.1.1 count=2
  0 1.1.1.1 56 55 12ms echo reply
  1 1.1.1.1 56 55 11ms echo reply
  sent=2 received=2 packet-loss=0%

# Step 6: Confirm changes (exit safe mode, keeping everything)
[Safe Mode][admin@MikroTik] > Ctrl+X
Exiting Safe Mode — changes kept
[admin@MikroTik] >
# Safe Mode prefix is gone. Changes are permanent.
```
Every add command should include a comment="..." parameter. Six months from now, you will not remember why a firewall rule exists. Your colleague won't either. A comment like "Allow CCTV outbound — requested by manager 2026-03" takes 5 seconds to write and saves hours of debugging. The [find comment~"..."] selector also becomes much more useful when everything has a meaningful comment.
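To find the rules that already lack a comment, a short audit script can walk the filter table and report them. This is an added example, not part of the original tutorial; it only reads the configuration and assumes you want to skip dynamic entries that RouterOS creates itself.

```routeros
# Added example: read-only audit of firewall filter rules with no comment.
# The outer { } keeps the :local variables in one scope when pasted into a terminal.
{
    :local missing 0

    # Skip dynamic entries; they are generated by RouterOS and cannot be edited.
    :foreach id in=[/ip firewall filter find dynamic=no] do={
        :local note [/ip firewall filter get $id comment]

        # An unset comment has length 0.
        :if ([:len $note] = 0) do={
            :set missing ($missing + 1)
            :local chain [/ip firewall filter get $id chain]
            :local action [/ip firewall filter get $id action]
            :put "no comment: chain=$chain action=$action"
        }
    }

    :put "$missing rule(s) without a comment"
}
```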
Takeaways
/system safe-mode costs nothing and gives you a 9-minute rollback. The one time you skip it and break SSH access to a remote hotel router is the time you'll wish you hadn't.

[find comment~"..."] instead of row numbers in scripts and frequent operations. Row numbers shift. Comments don't. Any script or procedure that references rules by position will eventually break — comments are stable identifiers.

print.

NOCTIS provides managed network services and on-site configuration for hospitality properties — and we document everything we do so your team can understand and maintain it. No black-box configs, no dependency on a single person who knows the CLI.