MikroTik MCP / Docs / API reference

API reference

Every tool the server exposes, grouped into 17 categories (160+ tools total). Each entry shows the name, what it does, its parameters (required vs optional), and a canonical example.

Naming convention. Most tools are prefixed with mikrotik_ followed by a verb — create, list, get, update, remove, plus category-specific verbs. Four categories are exceptions: Interfaces, PoE, Queues, and Safe Mode tools are called without the prefix (e.g. list_interfaces, create_simple_queue, enable_safe_mode). The category headers below flag which convention applies.

Categories

01Interfaces4 tools 02PoE3 tools 03VLAN5 tools 04IP Address4 tools 05IP Pool7 tools 06DHCP6 tools 07DNS15 tools 08Routes14 tools 09Firewall9 tools 10NAT8 tools 11WireGuard15 tools 12Wireless18 tools 13Queues19 tools 14Users18 tools 15Backup & Export10 tools 16Logs10 tools 17Safe Mode4 tools

Interfaces — All Interface Types

List and manage every interface on the device — ethernet, bridge, WireGuard, PPPoE, VLAN, WiFi, SFP, LTE, loopback. The equivalent of /interface print in RouterOS. For type-specific create/remove, use the dedicated categories (VLAN, WireGuard, Wireless).

no mikrotik_ prefix on this category
4 tools
category 01
list list_interfaces

Lists all interfaces, with optional filtering by type, name, or running/disabled state.

type_filteroptionalFilter by type — ether, bridge, vlan, wg, pppoe-out, wifi, lte, loopback, …
name_filteroptionalPartial name match — "ether" matches ether1, ether2
running_onlyoptionalOnly currently-running interfaces
disabled_onlyoptionalOnly disabled interfaces
Exampleslist_interfaces() list_interfaces(type_filter="ether") list_interfaces(running_only=true)
get get_interface

Returns detailed information about a single interface by exact name.

namerequiredExact interface name — "ether1", "bridge", "pppoe-out1", "wg0"
Exampleget_interface(name="ether1-wan")
enable · disable enable_interface · disable_interface

Bring an interface up or take it down without removing it.

namerequiredExact interface name
Examplesdisable_interface(name="ether4") enable_interface(name="ether4")

PoE — Power over Ethernet

Read-only monitoring of Power-over-Ethernet status and per-port configuration on PoE-capable devices, under /interface ethernet poe. On hardware without PoE-out ports (e.g. CHR / virtual routers) these tools report that no PoE data is available.

no mikrotik_ prefix on this category · read-only
3 tools
category 02
monitor get_poe_monitor

Reads real-time PoE-out telemetry — status, voltage, current, and power — for one or more ethernet interfaces. Runs /interface ethernet poe monitor … once.

interfacesrequiredComma-separated ethernet interface name(s)
Examplesget_poe_monitor(interfaces="ether1") get_poe_monitor(interfaces="ether9-ap,ether10-ap,ether11-ap")
list list_poe

Lists the PoE-out configuration (PoE-out mode, priority) of PoE-capable ethernet interfaces. Runs /interface ethernet poe print.

interface_filteroptionalPartial name match — "ether" matches ether1, ether2
Exampleslist_poe() list_poe(interface_filter="ether")
get get_poe_settings

Gets the detailed PoE-out settings of a specific ethernet interface — mode, priority, voltage, and low/high thresholds. Runs /interface ethernet poe print detail where name=….

namerequiredExact ethernet interface name — "ether1"
Exampleget_poe_settings(name="ether1")

VLAN — Tagged Interfaces

Create, list, inspect, update, and remove tagged 802.1Q interfaces. Parent interfaces can be any physical port or bridge.

5 tools
category 03
create mikrotik_create_vlan_interface

Creates a VLAN interface on a parent port.

namerequiredVLAN interface name
vlan_idrequiredVLAN ID (1–4094)
interfacerequiredParent interface
commentoptionalDescription
disabledoptionalCreate in disabled state
mtuoptionalMTU size
use_service_tagoptional802.1ad service tag
arpoptionalARP mode
arp_timeoutoptionalARP timeout
Examplemikrotik_create_vlan_interface(name="vlan100", vlan_id=100, interface="ether1")
list mikrotik_list_vlan_interfaces

Lists VLAN interfaces, optionally filtered.

name_filteroptionalFilter by name
vlan_id_filteroptionalFilter by VLAN ID
interface_filteroptionalFilter by parent interface
disabled_onlyoptionalShow only disabled interfaces
Examplemikrotik_list_vlan_interfaces(vlan_id_filter=100)
get mikrotik_get_vlan_interface

Returns full details for a specific VLAN interface.

namerequiredVLAN interface name
Examplemikrotik_get_vlan_interface(name="vlan100")
update mikrotik_update_vlan_interface

Updates an existing VLAN interface in place. Pass only the fields you want to change.

namerequiredCurrent name
new_nameoptionalRename to
vlan_idoptionalNew VLAN ID
interfaceoptionalNew parent interface
commentoptionalNew description
disabledoptionalEnable / disable
mtuoptionalNew MTU
arpoptionalARP mode
Examplemikrotik_update_vlan_interface(name="vlan100", comment="Production VLAN")
remove mikrotik_remove_vlan_interface

Removes a VLAN interface. Dependent IP addresses, DHCP servers, and firewall rules that reference the interface will be orphaned — clean them up first.

namerequiredVLAN interface name
Examplemikrotik_remove_vlan_interface(name="vlan100")

IP Address — Interface Bindings

Assign and remove IPv4 addresses on physical, bridge, or VLAN interfaces.

4 tools
category 04
addmikrotik_add_ip_address

Bind an address to an interface.

addressrequiredCIDR, e.g. 192.168.100.1/24
interfacerequiredInterface name
commentoptionalDescription
Examplemikrotik_add_ip_address(address="192.168.100.1/24", interface="vlan100")
list · getmikrotik_list_ip_addresses · mikrotik_get_ip_address

Inspect bindings — list takes optional filters (by interface, address, or dynamic flag); get returns one address record by ID.

removemikrotik_remove_ip_address
address_idrequiredRouterOS address record ID

IP Pool — Named Address Pools

Named ranges used by DHCP, hotspot, PPP, and VPN servers. Pools can be inspected, updated, and expanded without disruption.

7 tools
category 05
createmikrotik_create_ip_pool
namerequiredPool name
rangesrequirede.g. "192.168.1.100-192.168.1.200"
next_pooloptionalChain to another pool when exhausted
commentoptionalDescription
Examplemikrotik_create_ip_pool(name="dhcp-pool", ranges="192.168.1.100-192.168.1.200")
list · get · usedmikrotik_list_ip_pools · mikrotik_get_ip_pool · mikrotik_list_ip_pool_used

Inspect pool definitions, fetch a single pool by name, plus the live used-address table (which addresses are currently leased from a pool).

update · expandmikrotik_update_ip_pool · mikrotik_expand_ip_pool

update edits a pool's name, ranges, or next-pool chain; expand appends additional ranges without disrupting existing leases.

Examplemikrotik_expand_ip_pool(name="dhcp-pool", additional_ranges="192.168.1.201-192.168.1.250")
removemikrotik_remove_ip_pool

Remove a pool. Servers using it will refuse new leases.

DHCP — Pools, Networks, Servers

Three-piece model: a pool defines the address range, a network defines gateway and DNS, and a server binds them to an interface.

6 tools
category 06
create mikrotik_create_dhcp_pool · mikrotik_create_dhcp_network · mikrotik_create_dhcp_server

Build a DHCP service for a subnet in three steps. create_dhcp_server takes name + interface (plus optional lease_time defaulting to "1d", address_pool, authoritative, …).

Example — Guest VLAN DHCPmikrotik_create_dhcp_pool(name="pool-vlan100", ranges="192.168.100.10-192.168.100.200") mikrotik_create_dhcp_network(network="192.168.100.0/24", gateway="192.168.100.1", dns_servers=["8.8.8.8", "8.8.4.4"]) mikrotik_create_dhcp_server(name="dhcp-vlan100", interface="vlan100", address_pool="pool-vlan100")
list · getmikrotik_list_dhcp_servers · mikrotik_get_dhcp_server

List all DHCP servers or fetch one by name.

removemikrotik_remove_dhcp_server

Removes a DHCP server. The underlying pool and network records survive.

DNS — Resolution & Static Records

Set upstream servers (with optional DNS-over-HTTPS), manage static A/CNAME/MX/SRV/TXT records, regex blocklists, and inspect or flush the cache. Run live test queries with mikrotik_test_dns_query.

15 tools
category 07
createmikrotik_set_dns_servers · mikrotik_add_dns_static · mikrotik_add_dns_regexp

Configure upstream resolvers, add static records, and define regex-based blocklists. set_dns_servers also accepts allow_remote_requests, cache sizing, and DoH options (use_doh, doh_server, verify_doh_cert).

Examplemikrotik_set_dns_servers(servers=["8.8.8.8", "1.1.1.1"], allow_remote_requests=true) mikrotik_add_dns_static(name="router.local", address="192.168.1.1")
read · testmikrotik_get_dns_settings · mikrotik_list_dns_static · mikrotik_get_dns_static · mikrotik_get_dns_cache · mikrotik_get_dns_cache_statistics · mikrotik_test_dns_query

Inspect resolver settings, list or fetch static records, dump the cache and its statistics, and run a live test query.

Examplemikrotik_test_dns_query(name="example.com", server="8.8.8.8", type="A")
update · toggle · flush · exportmikrotik_update_dns_static · mikrotik_enable_dns_static · mikrotik_disable_dns_static · mikrotik_flush_dns_cache · mikrotik_export_dns_config

Edit a static record, enable/disable it without deleting, clear the resolver cache, or dump the full DNS configuration to a file.

removemikrotik_remove_dns_static
entry_idrequiredStatic record ID

Routes — Routing Table

Add static, default, and blackhole routes. Inspect active routes, check the path to a destination, dump routing tables, and read the route cache and statistics.

14 tools
category 08
createmikrotik_add_route · mikrotik_add_default_route · mikrotik_add_blackhole_route

Three flavors of route creation. add_route takes dst_address + gateway (plus optional distance, scope, routing_mark, pref_src, check_gateway, …).

Examplesmikrotik_add_default_route(gateway="192.168.1.1", distance=1) mikrotik_add_route(dst_address="10.0.0.0/8", gateway="192.168.1.254")
readmikrotik_list_routes · mikrotik_get_route · mikrotik_check_route_path · mikrotik_get_routing_table · mikrotik_get_route_cache · mikrotik_get_route_statistics

Inspect the routing table from several angles: list all, single route, traceroute-style path check, full table dump (table_name defaults to "main"), the kernel route cache, and aggregate statistics.

Examplemikrotik_check_route_path(destination="8.8.8.8")
update · toggle · flushmikrotik_update_route · mikrotik_enable_route · mikrotik_disable_route · mikrotik_flush_route_cache

Edit a route in place, toggle individual routes by ID, or flush the route cache.

removemikrotik_remove_route
route_idrequiredRouterOS route ID

Firewall — Filter Rules

Manage filter rules across the input, forward, and output chains. Includes rule ordering, enable/disable, and basic firewall scaffolding.

9 tools
category 09
create mikrotik_create_filter_rule

Creates a new firewall filter rule. Most match parameters are optional — combine them to build whatever predicate you need.

chainrequiredChain — input, forward, or output
actionrequiredaccept, drop, reject, log, jump, …
src_addressoptionalSource address / CIDR
dst_addressoptionalDestination address / CIDR
src_port · dst_portoptionalSource / destination port
protocoloptionaltcp, udp, icmp, …
in_interface · out_interfaceoptionalMatch by interface
connection_stateoptionale.g. "established,related"
src_address_listoptionalNamed address list
tcp_flags · limitoptionalTCP flag matches; rate limit
comment · disabledoptionalDescription; create disabled
log · log_prefixoptionalEnable logging; log prefix string
place_beforeoptionalInsert before this rule ID
Example — allow SSH from LANmikrotik_create_filter_rule( chain="input", action="accept", protocol="tcp", dst_port="22", src_address="192.168.1.0/24" )
list · getmikrotik_list_filter_rules · mikrotik_get_filter_rule

List rules with optional filters (chain, action, addresses, protocol, interface, disabled/invalid/dynamic), or fetch a single rule by ID.

Examplemikrotik_list_filter_rules(chain_filter="input")
update · move · togglemikrotik_update_filter_rule · mikrotik_move_filter_rule · mikrotik_enable_filter_rule · mikrotik_disable_filter_rule

Edit a rule in place, reorder it within its chain (critical for ordered evaluation), or toggle it on/off without removing it.

Example — move rule to topmikrotik_move_filter_rule(rule_id="*1", destination=0)
removemikrotik_remove_filter_rule
rule_idrequiredRule ID
scaffoldmikrotik_create_basic_firewall_setup

Creates a sensible baseline: accept established/related, drop invalid, accept ICMP, drop everything else on input. Useful for fresh routers.

no paramsTakes no arguments
Examplemikrotik_create_basic_firewall_setup()

NAT — Translation Rules

Source-NAT (masquerade) for outbound, destination-NAT (port forwarding) for inbound, plus rule ordering and toggle.

8 tools
category 10
create mikrotik_create_nat_rule

Creates a NAT rule on the srcnat or dstnat chain.

chainrequiredsrcnat or dstnat
actionrequiredmasquerade, dst-nat, src-nat, redirect, …
to_addressesoptionalTarget address for dst-nat
to_portsoptionalTarget port(s)
protocol · dst_port · …optionalSame predicate set as firewall rules
Example — port-forward HTTPmikrotik_create_nat_rule( chain="dstnat", action="dst-nat", dst_port="80", protocol="tcp", to_addresses="192.168.100.10", to_ports="80", comment="Web server" )
list · getmikrotik_list_nat_rules · mikrotik_get_nat_rule

Inspect NAT rules — optionally filtered by chain. get returns one rule's full record.

Examplesmikrotik_list_nat_rules(chain_filter="srcnat") mikrotik_get_nat_rule(rule_id="*1")
update · move · togglemikrotik_update_nat_rule · mikrotik_move_nat_rule · mikrotik_enable_nat_rule · mikrotik_disable_nat_rule

Same edit / reorder / toggle surface as the firewall counterparts.

removemikrotik_remove_nat_rule
rule_idrequiredRule ID

WireGuard — Tunnels & Peers

Create WireGuard interfaces, add peers with allowed-IPs and endpoints, and generate ready-to-paste client configs. The interface's public key is returned by get_wireguard_interface — hand it to clients.

15 tools
category 11
createmikrotik_create_wireguard_interface

Stands up a WireGuard interface. If no private key is supplied, one is generated; read the matching public key back via get_wireguard_interface.

namerequiredInterface name, e.g. "wg0"
listen_portoptionalUDP listen port (default 13231)
private_keyoptionalAuto-generated if omitted
mtuoptionalMTU (default 1420)
comment · disabledoptionalDescription; create disabled
Examplemikrotik_create_wireguard_interface(name="wg0", listen_port=13231)
interface readmikrotik_list_wireguard_interfaces · mikrotik_get_wireguard_interface

List all WireGuard interfaces or fetch one — the latter includes the device's public key for clients to use.

interface update · toggle · removemikrotik_update_wireguard_interface · mikrotik_enable_wireguard_interface · mikrotik_disable_wireguard_interface · mikrotik_remove_wireguard_interface

Edit, toggle, or remove an interface.

peer addmikrotik_add_wireguard_peer

Attaches a peer to an interface.

interfacerequiredWireGuard interface name
public_keyrequiredPeer's public key
allowed_addressrequiredAllowed IPs for this peer
endpoint_address · endpoint_portoptionalRemote endpoint
preshared_key · persistent_keepaliveoptionalExtra security; keepalive interval
Examplemikrotik_add_wireguard_peer(interface="wg0", public_key="<peer-pubkey>", allowed_address="10.0.0.2/32")
peer readmikrotik_list_wireguard_peers · mikrotik_get_wireguard_peer

Inspect peers and their handshake state.

peer update · toggle · removemikrotik_update_wireguard_peer · mikrotik_enable_wireguard_peer · mikrotik_disable_wireguard_peer · mikrotik_remove_wireguard_peer

Edit, toggle, or remove peers. Identifiers are RouterOS peer IDs.

generatemikrotik_generate_wireguard_client_config

Produces a complete client .conf (the [Interface] / [Peer] blocks) ready to paste into a WireGuard client.

client_private_keyrequiredClient's private key
client_addressrequiredClient tunnel address
server_public_keyrequiredServer's public key
server_endpointrequiredServer host / IP
server_port · allowed_ips · dns · persistent_keepaliveoptionalDefaults: 51820, 0.0.0.0/0, keepalive 25

Wireless — WiFi Interfaces & Security

Manage wireless interfaces, security profiles, access lists, and scanning. Call check_wireless_support first — wireless tooling depends on the device's RouterOS wireless package.

18 tools
category 12
interface createmikrotik_create_wireless_interface

Creates / configures a wireless interface (SSID, band, channel, mode, and an attached security profile).

Examplemikrotik_create_wireless_interface(name="wlan1", ssid="HomeNet", band="2ghz-b/g/n")
interface readmikrotik_list_wireless_interfaces · mikrotik_get_wireless_interface

List wireless interfaces or fetch one's full configuration.

interface update · toggle · removemikrotik_update_wireless_interface · mikrotik_enable_wireless_interface · mikrotik_disable_wireless_interface · mikrotik_remove_wireless_interface

Edit, toggle, or remove a wireless interface.

security profilesmikrotik_create_wireless_security_profile · mikrotik_list_wireless_security_profiles · mikrotik_get_wireless_security_profile · mikrotik_set_wireless_security_profile · mikrotik_remove_wireless_security_profile

Full lifecycle for security profiles — WPA/WPA2/WPA3 modes, passphrases, encryption. set attaches a profile to an interface.

Examplemikrotik_create_wireless_security_profile(name="wpa2-home", mode="dynamic-keys", authentication_types="wpa2-psk", wpa2_pre_shared_key="SecurePass123")
scan · registrationmikrotik_scan_wireless_networks · mikrotik_get_wireless_registration_table

Scan for nearby networks (optional duration) and list currently-associated clients with signal data.

access listmikrotik_create_wireless_access_list · mikrotik_list_wireless_access_list · mikrotik_remove_wireless_access_list_entry

MAC-based allow/deny entries with optional signal-range and time constraints.

Examplemikrotik_create_wireless_access_list(interface="wlan1", mac_address="AA:BB:CC:DD:EE:FF", action="accept")
supportmikrotik_check_wireless_support

Reports whether the device's RouterOS build supports the wireless tooling. Call this first.

no paramsTakes no arguments

Queues — Traffic Shaping

Simple queues for per-target rate limits, queue trees for hierarchical policies, and queue types for the underlying discipline (CAKE, fq-codel, SFQ, RED, PCQ, …).

no mikrotik_ prefix on this category
19 tools
category 13
simple queuecreate_simple_queue · list_simple_queues · get_simple_queue · update_simple_queue · remove_simple_queue · enable_simple_queue · disable_simple_queue

Per-target rate limits — the simplest way to throttle a host or subnet. max_limit takes an upload/download pair like "10M/20M".

Example — limit a host to 10M/20Mcreate_simple_queue(name="limit-guest", target="192.168.100.0/24", max_limit="10M/20M")
queue treecreate_queue_tree · list_queue_trees · get_queue_tree · update_queue_tree · remove_queue_tree · enable_queue_tree · disable_queue_tree

Hierarchical HTB shaping. Attach to a parent, match traffic by packet_mark, set max_limit / limit_at / burst, and priority (1–8).

queue typecreate_queue_type · list_queue_types · get_queue_type · update_queue_type · remove_queue_type

Define reusable queue disciplines. kind is one of cake, fq-codel, sfq, red, pcq, pfifo, bfifo, …

Users — Accounts, Groups & SSH Keys

Local users, groups, policies, active sessions, and SSH key management. Used to provision scoped accounts for tooling rather than sharing admin.

18 tools
category 14
createmikrotik_add_user · mikrotik_add_user_group

Create users and permission groups. Groups take a policy list (e.g. read,write,ssh).

Examplemikrotik_add_user(name="automation", password="SecurePass123", group="write")
readmikrotik_list_users · mikrotik_get_user · mikrotik_list_user_groups · mikrotik_get_user_group · mikrotik_get_active_users

Inspect users, groups, and currently-connected sessions.

update · togglemikrotik_update_user · mikrotik_enable_user · mikrotik_disable_user · mikrotik_update_user_group · mikrotik_disconnect_user

Edit users / groups, toggle accounts, or forcibly disconnect an active session.

ssh keysmikrotik_set_user_ssh_keys · mikrotik_list_user_ssh_keys · mikrotik_remove_user_ssh_key

Import a user's SSH public key (key-based auth), list installed keys, or remove one by ID.

Examplemikrotik_set_user_ssh_keys(username="automation", key_file="id_ed25519.pub")
exportmikrotik_export_user_config

Dumps the full user / group configuration to a file.

removemikrotik_remove_user · mikrotik_remove_user_group

Remove a user or a group.

Backup & Export — Configuration State

Binary backups, RouterOS .rsc exports, section dumps, file transfer, restore, and import.

10 tools
category 15
createmikrotik_create_backup · mikrotik_create_export · mikrotik_export_section

Three formats: a binary .backup (full snapshot), a .rsc export (declarative, choose rsc/json/xml and full/compact/verbose), or a single-section dump.

Examplemikrotik_create_backup(name="pre-change") mikrotik_export_section(section="/ip/firewall/filter")
readmikrotik_list_backups · mikrotik_backup_info · mikrotik_download_file

List backup files, inspect a backup's metadata, and download files off the device.

restore · import · uploadmikrotik_restore_backup · mikrotik_import_configuration · mikrotik_upload_file

Restore a binary backup, import a .rsc config, or upload an arbitrary file (base64) to the device.

removemikrotik_remove_file

Removes any file from the device's filesystem.

Logs — System Events

Stream and analyze RouterOS logs by topic, severity, or free-text search. Pull system events and security logs, aggregate statistics, live-tail, and export to CSV.

10 tools
category 16
readmikrotik_get_logs · mikrotik_get_logs_by_severity · mikrotik_get_logs_by_topic · mikrotik_search_logs · mikrotik_get_system_events · mikrotik_get_security_logs · mikrotik_get_log_statistics

Seven lenses on the log buffer — by topic, by severity (debug/info/warning/error/critical), free-text search, system events, the security topic, or aggregate stats.

Examplesmikrotik_get_logs(topics="firewall", limit=100) mikrotik_search_logs(search_term="login failure", case_sensitive=false)
stream · exportmikrotik_monitor_logs · mikrotik_export_logs

Live-tail logs for a duration, or dump them to plain / csv.

clearmikrotik_clear_logs

Clears the in-memory log buffer. Doesn't affect file-backed logs.

Safe Mode — Atomic Sessions

RouterOS safe-mode wraps a sequence of changes; if the management session drops before you commit, every change auto-reverts. Highly recommended when editing firewall or connectivity rules remotely.

no mikrotik_ prefix on this category · no parameters
4 tools
category 17
enableenable_safe_mode

Starts a safe-mode session. Subsequent changes are journaled and will roll back automatically if the connection drops before commit.

no paramsTakes no arguments
commit · rollbackcommit_safe_mode · rollback_safe_mode

Persist the journaled changes, or revert them immediately.

statussafe_mode_status

Reports whether a safe-mode session is currently active.

Pattern — risky firewall edit under safe modeenable_safe_mode() mikrotik_create_filter_rule(chain="input", action="drop", src_address="0.0.0.0/0") # test reachability from another window; if you're locked out, just # disconnect and the rule auto-reverts. If still reachable: commit_safe_mode()
REMEMBER
Every tool returns structured JSON. Models that don't natively support function calling can still invoke them via JSON-mode prompts — the schemas are introspectable through the MCP handshake. See the Examples page for end-to-end workflows.
← previous Integrations