RouterOS Interfaces: A Complete Overview
TL;DR (Quick Start)
RouterOS interfaces are the building blocks of your network configuration. Every packet enters and exits through an interface.
```
# View all interfaces
/interface print
# View interface details
/interface print detail
# Monitor real-time status
/interface monitor-traffic ether1
```
Overview
What this covers: Interface types, naming conventions, interface lists, and how interfaces work together in RouterOS.
When you need this: Before configuring any network service - understanding interfaces is foundational to everything else in RouterOS.
Key concepts:
- Physical interfaces (Ethernet, SFP, wireless)
- Virtual interfaces (VLAN, bridge, bonding)
- Interface lists for firewall organization
- Hardware offload and performance considerations
Interface Types in RouterOS
RouterOS supports many interface types, each serving different purposes:
Physical Interfaces
| Type | Description | Common Names |
|---|---|---|
| Ethernet | RJ45 copper ports | ether1, ether2, etc. |
| SFP/SFP+ | Fiber or copper modules | sfp1, sfp-sfpplus1 |
| Wireless | WiFi radios | wlan1, wlan2 |
| LTE | Cellular modems | lte1 |
Virtual Interfaces
| Type | Description | Use Case |
|---|---|---|
| VLAN | 802.1Q tagged sub-interface | Network segmentation |
| Bridge | Layer 2 switching | Combining ports |
| Bonding | Link aggregation (LACP/802.3ad) | Redundancy and bandwidth |
| PPPoE | Point-to-Point over Ethernet | ISP connections |
| Tunnel | VPN endpoints (WireGuard, IPSec) | Site-to-site connections |
Physical Interface Management
Viewing Interface Status
```
# List all interfaces with status
/interface print
# Detailed view with MAC addresses
/interface print detail
# Real-time monitoring
/interface ethernet monitor ether1 once
```
Understanding Interface Flags
When you print interfaces, flags indicate their state:
| Flag | Meaning |
|---|---|
| R | Running - interface is operational |
| S | Slave - part of a bridge or bond |
| D | Dynamic - created automatically |
| X | Disabled - administratively shut down |
Ethernet Interface Configuration
```
# View current settings
/interface ethernet print detail
# Disable an interface
/interface ethernet disable ether5
# Set auto-negotiation (recommended)
/interface ethernet set ether1 auto-negotiation=yes
# Force specific speed (only when needed)
/interface ethernet set ether1 auto-negotiation=no speed=100M-baseT-full
```
Common Mistake
Don't disable auto-negotiation unless you have a specific reason. Gigabit and faster speeds require auto-negotiation to be enabled on copper interfaces. Forcing speed incorrectly causes link failures or duplex mismatches.
Interface Lists
Interface lists group interfaces for use in firewall rules. They're essential for scalable configurations.
Why Use Interface Lists?
Without lists, you write separate rules for each interface:
```
# Without lists - hard to maintain
/ip firewall filter add chain=input in-interface=ether1 action=drop
/ip firewall filter add chain=input in-interface=pppoe-out1 action=drop
/ip firewall filter add chain=input in-interface=lte1 action=drop
```
With lists, one rule covers all:
```
# With lists - clean and maintainable
/interface list add name=WAN
/interface list member add interface=ether1 list=WAN
/interface list member add interface=pppoe-out1 list=WAN
/interface list member add interface=lte1 list=WAN
/ip firewall filter add chain=input in-interface-list=WAN action=drop
```
Default Interface Lists
RouterOS creates default lists that correspond to the default configuration:
| List | Purpose |
|---|---|
| WAN | Untrusted external interfaces |
| LAN | Trusted internal interfaces |
Managing Interface Lists
```
# Create a new list
/interface list add name=DMZ
# Add interfaces to a list
/interface list member add interface=ether5 list=DMZ
/interface list member add interface=ether6 list=DMZ
# View list membership
/interface list member print
# Use in firewall rules
/ip firewall filter add chain=forward in-interface-list=DMZ out-interface-list=LAN action=accept
```
Bridges: Layer 2 Switching
Bridges combine multiple interfaces into a single Layer 2 domain, functioning like a switch.
Basic Bridge Creation
```
# Create a bridge
/interface bridge add name=bridge1
# Add ports to the bridge
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=ether3
/interface bridge port add bridge=bridge1 interface=ether4
# Assign IP to the bridge (not individual ports)
/ip address add address=192.168.1.1/24 interface=bridge1
```
Hardware Offload
Hardware offload allows the switch chip to forward packets without CPU involvement, dramatically improving performance.
```
# Check hardware offload status
/interface bridge port print
# Look for "H" flag - indicates hardware offloading active
```
Common Mistake
Multiple bridges disable hardware switching. Keep ports that need high-speed switching on the same bridge and switch chip. "Multiple bridges are not recommended as hardware switching between switch ports is disabled on all but the first bridge."
Bridge Port Behavior
When an interface becomes a bridge member (slave):
- DHCP client must run on the bridge, not slave ports
- Firewall rules reference the bridge, not slave interfaces
- IP addresses should be on the bridge, not slave ports
Common Mistake
802.1x (dot1x) authentication does not work when the interface is a bridge member. The EAPOL process cannot complete on slave ports. Configure the port outside the bridge during authentication, or consider alternative authentication approaches.
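The bridge-member rules above can be checked mechanically against a saved configuration. This added example (not part of the original page) parses `/export` text and reports IP addresses, DHCP clients and firewall matchers that still name a bridge slave port instead of the bridge; the sample export, `CHECKED` table and function names are constructed for illustration.

```python
import re
import shlex

# Constructed sample of `/export` output (hypothetical config, not from the page).
SAMPLE_EXPORT = r"""/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
/ip address
add address=192.168.1.1/24 interface=bridge1
add address=10.0.0.1/24 interface=ether3
/ip dhcp-client
add interface=ether1
/ip firewall filter
add action=drop chain=input comment="block guests" \
    in-interface=ether2
add action=drop chain=input in-interface-list=WAN
"""

# Menus the page says must reference the bridge, and the properties to inspect.
CHECKED = {
    "/ip address": ("interface",),
    "/ip dhcp-client": ("interface",),
    "/ip firewall filter": ("in-interface", "out-interface"),
}

def parse_export(text):
    """Yield (menu, {property: value}) for every `add` line of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    menu = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            tokens = shlex.split(line[4:])
            yield menu, dict(t.split("=", 1) for t in tokens if "=" in t)

def audit_slave_references(text):
    """Return (menu, property, port, bridge) for each reference to a slave port."""
    entries = list(parse_export(text))
    slaves = {p["interface"]: p["bridge"] for m, p in entries if m == "/interface bridge port"}
    findings = []
    for menu, props in entries:
        for key in CHECKED.get(menu, ()):
            port = props.get(key, "").lstrip("!")  # tolerate negated matchers
            if port in slaves:
                findings.append((menu, key, port, slaves[port]))
    return findings
```

On the sample, the address on ether3 and the drop rule matching ether2 are reported; the rule that uses `in-interface-list=WAN` and the DHCP client on ether1 are not.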
VLAN Interfaces
VLANs create virtual network segments on a single physical interface.
Creating VLAN Interfaces
```
# Create VLAN interface on a bridge
/interface vlan add name=vlan100-servers vlan-id=100 interface=bridge1
/interface vlan add name=vlan200-users vlan-id=200 interface=bridge1
# Assign IP addresses
/ip address add address=10.100.0.1/24 interface=vlan100-servers
/ip address add address=10.200.0.1/24 interface=vlan200-users
```
Bridge VLAN Filtering vs. VLAN Interfaces
There are two approaches to VLANs in RouterOS:
| Approach | Use Case | Hardware Offload |
|---|---|---|
| VLAN interfaces | Router participates in VLAN (gateway, DHCP) | CPU-bound |
| Bridge VLAN filtering | Switch traffic between ports | CRS3xx only |
Common Mistake
Enabling VLAN filtering on bridges disables hardware offload on most devices. Only CRS3xx series supports bridge VLAN filtering with hardware offload. On older devices (RB2011, etc.), configure VLANs through /interface ethernet switch for hardware acceleration.
Bonding: Link Aggregation
Bonding combines multiple physical interfaces into a single logical interface for redundancy and increased bandwidth.
LACP Bonding Example
```
/interface bonding add name=bond-core mode=802.3ad \
    slaves=sfp-sfpplus1,sfp-sfpplus2 \
    transmit-hash-policy=layer-2-and-3
```
Common Mistake
Don't confuse bonding with bridging. Bonding (802.3ad) creates a single aggregated channel between two devices. Bridging creates separate paths that RSTP will likely block to prevent loops. For true link aggregation, use bonding.
SFP/SFP+ Interfaces
SFP ports accept fiber or copper modules for flexible connectivity.
Common SFP Configuration
```
# View SFP status and diagnostics
/interface ethernet monitor sfp-sfpplus1 once
# For 1G SFP modules in SFP+ ports
/interface ethernet set sfp-sfpplus1 auto-negotiation=no speed=1G-baseX
```
SFP Naming Convention
| Name Pattern | Meaning |
|---|---|
| sfp-sfpplusX | SFP+ port capable of 1G and 10G |
| sfpplusX | SFP+ port for 10G only |
| sfpX | SFP port (1G max) |
Management Interface Considerations
RouterOS answers management connections addressed to any of its IP addresses, whichever interface they arrive on, because management is handled at Layer 3. This surprises users expecting interface-specific isolation.
How Management Works
When you connect to a MikroTik over SSH or WebFig:
- The connection arrives via the input chain
- It's processed at L3, not L2
- The router responds from any interface that can reach you
True Management Isolation
For dedicated management access:
```
# Create management VLAN
/interface vlan add name=vlan-mgmt vlan-id=99 interface=bridge1
/ip address add address=10.99.0.1/24 interface=vlan-mgmt
# Restrict management access via firewall
/ip firewall filter add chain=input in-interface=!vlan-mgmt \
    dst-port=22,80,443,8291 protocol=tcp action=drop
```
This rule covers only the listed TCP ports (SSH, WebFig over HTTP and HTTPS, and Winbox). Any other service enabled under /ip service needs its port added to the rule or the service disabled.
Interface Monitoring
Real-Time Traffic Monitoring
```
# Monitor traffic on interface
/interface monitor-traffic ether1
# Monitor multiple interfaces
/interface monitor-traffic ether1,ether2
# Monitor with interval
/interface monitor-traffic ether1 interval=2
```
Statistics and Counters
```
# View interface statistics
/interface ethernet print stats
# Reset counters for clean baseline
/interface ethernet reset-counters ether1
```
Cable Testing (Copper Only)
```
# Test cable quality (interface must be down)
/interface ethernet cable-test ether2
```
Results show distance to faults:
- open:X - Cable disconnected at X meters
- short:X - Cable shorted at X meters
Troubleshooting Common Issues
Interface Shows "No Link"
| Check | Command | What to Look For |
|---|---|---|
| Physical connection | Visual inspection | Cable seated, LEDs |
| Cable quality | /interface ethernet cable-test | Open/short faults |
| Speed mismatch | /interface ethernet monitor | Auto-negotiation status |
| Module issues (SFP) | /interface ethernet monitor | sfp-rx-loss, sfp-tx-fault |
Interface Running but No Traffic
| Check | Command | Solution |
|---|---|---|
| Bridge membership | /interface bridge port print | Verify port in correct bridge |
| VLAN configuration | /interface bridge vlan print | Check tagged/untagged settings |
| Firewall rules | /ip firewall filter print | Look for blocking rules |
Performance Issues
| Symptom | Likely Cause | Solution |
|---|---|---|
| High CPU with traffic | No hardware offload | Check bridge and VLAN config |
| Speed negotiating low | Cable/module issue | Test cable, check SFP compatibility |
| Intermittent connectivity | Duplex mismatch | Enable auto-negotiation |
MTU and Fragmentation Issues
MTU misconfigurations cause subtle problems: websites that partially load, VPN tunnels with limited throughput, or connections that stall on large transfers.
Common MTU scenarios:
| Tunnel Type | Recommended MTU | MSS Setting |
|---|---|---|
| L2TP | 1300 (max-mtu/max-mru) | n/a |
| IPIP with IPSec | 1420 | 1380 |
| EoIP | 1458 | n/a |
| WireGuard | 1420 | 1380 |
Diagnosing MTU problems:
```
# Test MTU by pinging with do-not-fragment flag
# Decrease size until packets get through
:put [/ping 8.8.8.8 size=1500 do-not-fragment count=1]
```
Auto-Recovery for Frozen Interfaces
Some interfaces, particularly SFP modules, may freeze in "no-link" state after the connected device reboots. This script monitors and auto-recovers affected interfaces:
```
# Create the recovery script
/system script add name=interface-recovery source={
    :local ifName "sfp-sfpplus1"
    :local ifStatus ([/interface ethernet monitor [find default-name=$ifName] once as-value]->"status")
    :if ($ifStatus = "no-link") do={
        /interface disable $ifName
        :delay 2s
        /interface enable $ifName
        :log warning "Auto-recovered interface $ifName from no-link state"
    }
}
# Schedule periodic execution
/system scheduler add name=interface-watchdog interval=1m \
    on-event="/system script run interface-recovery"
```
Customize ifName to match the interface that experiences freeze issues on your device.
Related Topics
Interface Types
- Ethernet Interfaces - physical Ethernet ports
- Bridge Configuration - software bridging
- VLAN Configuration - virtual LANs
- Bonding/LACP - link aggregation
Common Configurations
- IP Address Configuration - assign IPs to interfaces
- DHCP Server - DHCP on interface
- Firewall Basics - interface lists in rules
Wireless
- WiFi Basic Setup - wireless interfaces
- CAPsMAN - managed wireless
Reference
Official Documentation
Quick Reference Commands
```
# View all interfaces
/interface print
# View running interfaces only
/interface print where running
# Find interface by name pattern
/interface print where name~"ether"
# Enable/disable interface
/interface enable ether5
/interface disable ether5
# View interface lists
/interface list print
/interface list member print
```
Research compiled from MikroTik forums and official documentation.