MikroTik RouterOS is an open-source network operating system that provides routing, wireless networking, and firewall services for home and small office networks. The software was developed by the MikroTik company, a Latvia-based maker of routers and other networking hardware.
The MikroTik suite of hardware and software is designed to meet diverse needs, ensuring reliable and efficient networking for everyone. RouterOS comes preloaded with a free license on MikroTik routers, but a higher-level license is available for those who require an x86 PC installation.
MikroTik RouterOS provides a lot of flexibility for the user with its open-source nature. It allows the user to customize their router to their specific needs. Users can download additional packages from the official website to add more features to their router.
The MikroTik CHR (cloud-hosted router) is a virtual private server (VPS) that enables users to run their servers in the cloud. It comes with a pre-installed Linux distribution, which can be easily upgraded using open-source software.
A MikroTik router with a VPS is an affordable way for small and medium-sized businesses to establish their network. It provides an easy way to manage security and connectivity on the go with its built-in firewall and VPN capabilities.
A MikroTik VPS can be installed using either of two methods: the command line or a GUI. The former requires basic knowledge of Linux commands, while the latter requires you to download an installer from their website and follow its steps.
MikroTik RouterOS's rich feature set significantly enhances network functionality and security, making it an invaluable tool for most companies. Here are some of the router operating system's notable features and capabilities:
MikroTik is packed with features that can handle complex network scenarios with ease. One of those is its implementation of dynamic routing protocols.
MikroTik supports most routing protocols, including OSPF, BGP, and RIP. This flexibility means you can integrate MikroTik routers into almost any existing network infrastructure seamlessly.
For example, you can set up OSPF to manage multiple routing paths efficiently in a large distributed network, ensuring that your data always takes the optimal route.
Another powerful feature of RouterOS is Policy-Based Routing (PBR). With PBR, you can set rules that direct traffic based on specific criteria like source or destination IP addresses, ports, or even the type of service. This is useful for prioritizing business-critical applications.
Configuring PBR to route VoIP traffic over a faster, low-latency link while pushing bulk data transfers to a secondary connection significantly improves call quality and overall network performance.
MikroTik's support for MPLS (Multiprotocol Label Switching) is highly convenient for companies with large and complex networks. MPLS allows for end-to-end circuits across any type of transport medium, using any protocol.
You can use MPLS to create virtual private networks (VPNs) for different departments within a company, ensuring that each team’s traffic remains isolated and secure, all while using the same physical network infrastructure.
The VRF (Virtual Routing and Forwarding) feature is also worth mentioning. VRFs create isolated routing tables, which can help segment network traffic logically. You can use it to separate a department's network from the rest of the company for security reasons. This isolation is achievable without additional hardware.
Users also find utility in ECMP (Equal-Cost Multi-Path) routing, which allows multiple routing paths for data to be used simultaneously. This is useful for load balancing and redundancy.
For instance, you can set up ECMP across three different WAN links. This not only improves bandwidth utilization but also provides a failover mechanism. If one link goes down, the traffic will still flow smoothly through the other links.
MikroTik RouterOS provides a powerful firewall that improves data flow management and boosts network security. It uses stateful packet inspection, meaning it keeps track of the state of active connections and makes decisions based on this state. This is critical for effective network traffic management and security.
MikroTik's firewall uses Layer-7 protocol detection, which helps in identifying and managing traffic based on the application layer. It's practical for filtering peer-to-peer protocols, which can consume a lot of bandwidth.
The firewall rules in RouterOS consist of a matcher and an action. The matcher identifies the traffic based on specified conditions, while the action determines what to do with the matched packets. For example, you can create a rule to allow traffic from a specific IP address or block traffic to a particular port.
Connection tracking is another vital component of the router OS. It lets the kernel keep track of all network connections, which is essential for both NAT and firewall functionalities. If there's no connection entry for a packet in the connection table, the packet is considered new. For example, with TCP, a new connection starts with a packet that has the SYN flag.
To efficiently manage traffic, you can set up rules to drop invalid connections and accept established or related connections. This approach helps speed up packet filtering and reduces CPU load. Here’s an example of a rule you can use:
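An added example of such a rule set (not code from the original page). The WAN interface name `ether1` and the LAN subnet `192.168.88.0/24` are assumptions; rules are evaluated top to bottom, so the cheap state-based matches come first.

```routeros
/ip firewall filter
# --- traffic addressed to the router itself (input chain) ---
# Packets of already-tracked connections are accepted by the first rule,
# so the more specific rules below only ever see new connections.
add chain=input connection-state=established,related action=accept \
    comment="accept established/related"
# Packets that match no tracked connection and cannot start one.
add chain=input connection-state=invalid action=drop \
    comment="drop invalid"
add chain=input protocol=icmp action=accept comment="allow ICMP"
# Management is reachable from the LAN only (assumed subnet).
add chain=input src-address=192.168.88.0/24 action=accept \
    comment="allow LAN to reach the router"
add chain=input action=drop comment="drop everything else"

# --- traffic routed through the router (forward chain) ---
add chain=forward connection-state=established,related action=accept \
    comment="accept established/related"
add chain=forward connection-state=invalid action=drop \
    comment="drop invalid"
# New connections from the WAN are dropped unless a dst-nat rule created them.
add chain=forward in-interface=ether1 connection-state=new \
    connection-nat-state=!dstnat action=drop \
    comment="drop unsolicited WAN traffic that was not port-forwarded"
```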
When it comes to NAT, RouterOS excels with both source and destination NAT. Source NAT, or src-nat, is used to change the source IP address of packets leaving the local network. Here's a basic example:
For dynamic IP addresses, the masquerade action in src-nat is invaluable. It adjusts connections when a public IP changes. A typical rule would look like:
Destination NAT, or dst-nat, is used for port forwarding, making a service inside the network accessible from the outside. For instance, to map an external port to an internal IP and port, I use:
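The three NAT cases described above (src-nat, masquerade and dst-nat) as one added example, not code from the original page. The interface `ether1`, the public address `203.0.113.10` (documentation range), the LAN subnet and the internal host `192.168.88.20` are all assumed values.

```routeros
/ip firewall nat
# src-nat: the public address is static, so rewrite the source to it directly.
add chain=srcnat src-address=192.168.88.0/24 out-interface=ether1 \
    action=src-nat to-addresses=203.0.113.10 \
    comment="src-nat LAN to a fixed public address"

# masquerade: the public address is dynamic (DHCP/PPPoE), so the router
# uses whatever address ether1 currently holds. Only one of these two
# rules should be active; this one is created disabled.
add chain=srcnat src-address=192.168.88.0/24 out-interface=ether1 \
    action=masquerade disabled=yes \
    comment="masquerade LAN when the public address changes"

# dst-nat: forward external TCP 8443 to an internal HTTPS server on 443.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=8443 \
    action=dst-nat to-addresses=192.168.88.20 to-ports=443 \
    comment="port-forward 8443 to the internal web server"

/ip firewall filter
# NAT only rewrites addresses; the forward chain still decides whether the
# forwarded connection is allowed. Permit exactly the forwarded service.
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    dst-address=192.168.88.20 protocol=tcp dst-port=443 action=accept \
    comment="allow the port-forwarded service only"
```

Note that the filter rule matches the post-NAT destination (`192.168.88.20:443`), because dst-nat is applied before the forward chain is evaluated.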
Mangle is an advanced feature for marking packets. These marks can be used by other RouterOS facilities like queue trees, NAT, and routing. Mangle can also modify IP header fields such as TOS and TTL. For example, to handle VPN links with smaller MTUs, you can adjust the MSS value using:
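An added example of the mangle uses described above (not code from the original page). The tunnel interface name `l2tp-out1`, the MSS value 1300, the SIP port and the mark names are assumptions chosen for illustration.

```routeros
/ip firewall mangle
# Clamp the TCP MSS on SYN packets crossing the VPN link in either
# direction, so endpoints never negotiate segments larger than the
# tunnel can carry. Only SYNs advertising an MSS above 1300 are touched.
add chain=forward out-interface=l2tp-out1 protocol=tcp tcp-flags=syn \
    tcp-mss=1301-65535 action=change-mss new-mss=1300 passthrough=yes \
    comment="clamp MSS towards the VPN"
add chain=forward in-interface=l2tp-out1 protocol=tcp tcp-flags=syn \
    tcp-mss=1301-65535 action=change-mss new-mss=1300 passthrough=yes \
    comment="clamp MSS from the VPN"

# Mark once per connection, then mark packets by connection mark.
# Matching on the connection mark is cheaper than re-evaluating the
# port match for every packet.
add chain=prerouting protocol=udp dst-port=5060 connection-state=new \
    action=mark-connection new-connection-mark=voip-conn passthrough=yes \
    comment="mark new SIP connections"
add chain=prerouting connection-mark=voip-conn \
    action=mark-packet new-packet-mark=voip-pkt passthrough=no \
    comment="packet mark that a queue tree can match"
```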
Address lists in RouterOS help group IP addresses under a common name for easier management. You can dynamically update these lists with NAT, Mangle, and Filter rules. For example:
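An added example showing one static and several dynamically populated address lists (not code from the original page). The list names, the `192.168.88.0/24` management subnet, the SSH port and the timeouts are assumptions. The filter rules escalate a source address through staged lists each time it opens a new SSH connection, then drop it for a day.

```routeros
/ip firewall address-list
# Static entry: hosts allowed to manage the router.
add list=mgmt address=192.168.88.0/24 comment="management subnet (assumed)"

/ip firewall filter
# 1. Sources already on the block list are dropped immediately.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blocked \
    action=drop comment="drop blocked SSH sources"

# 2-4. Each new SSH connection from a non-management source moves that
# source one stage further. The add-src-to-address-list action does not
# end rule processing, so later rules still see the packet.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_blocked address-list-timeout=1d \
    comment="third attempt within a minute: block for one day"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m \
    comment="second attempt: stage 2"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=!mgmt action=add-src-to-address-list \
    address-list=ssh_stage1 address-list-timeout=1m \
    comment="first attempt: stage 1"

# 5. Management hosts are never staged and are accepted explicitly.
add chain=input protocol=tcp dst-port=22 src-address-list=mgmt \
    action=accept comment="allow SSH from the management list"
```

Dynamic entries expire on their own after the timeout, so the lists need no manual cleanup; `/ip firewall address-list print` shows the current members.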
RouterOS's firewall and security features, with their extensive configurability, provide robust protection and traffic management for networks of any size.
MikroTik RouterOS offers versatile VPN options. You can use both PPTP and L2TP/IPsec VPNs to securely connect remote employees to your office network. Setting up these VPNs is straightforward.
With many employees now working from home, this VPN support becomes an absolute necessity. It is essential for maintaining secure and reliable connections. For instance, setting up an IPsec VPN for secure site-to-site connections lets you connect your branch offices seamlessly, ensuring data security across all locations.
Using the L2TP/IPsec protocol, you can provide remote access to employees working from home. It's as simple as configuring the L2TP server on the MikroTik router and setting up user profiles. What's great is that it works well with both Windows and macOS clients, so no one gets left out.
The WireGuard VPN protocol is a newer addition to MikroTik RouterOS, but it’s been a game changer for many users. It's incredibly fast and easier to configure compared to traditional VPNs. You can use the WireGuard plugin with Netmaker and create secure access to, from and between networks served by MikroTik routers.
For simpler needs, you can always go with a PPTP VPN. Although not the most secure option, it's incredibly easy to set up and can be useful for non-critical applications. It’s usually reserved for quick, temporary access.
The WebFig and WinBox tools make setting up these VPNs straightforward. You can visually navigate through the settings rather than typing out commands. This usability makes MikroTik a favorite for both newbies and seasoned network administrators.
The monitoring and logging capabilities in RouterOS give users deep insights into network health. The tools allow you to see real-time traffic statistics and historical data.
When you experience unusual traffic spikes, you can quickly identify the source and take necessary actions. This is crucial for proactive network management.
RouterOS lets you create different user profiles with specific permissions, which is great for delegating tasks without compromising security. Thanks to its excellent access control capabilities, junior IT staff can manage basic configurations while senior admins have access to critical settings.
The integrated QoS (Quality of Service) rules of the router OS let you prioritize critical applications over less important ones, which optimizes bandwidth usage. Your VoIP calls and video conferences remain smooth even when someone decides to download a big file.
Netmaker gives you two options for integrating MikroTik routers into a VPN. You can generate configuration files using Netmaker, and use them with the WireGuard plugin on MikroTik, to directly integrate your router into the VPN. Alternatively, you can deploy our VPN client on the local site behind the router, and set forwarding rules on MikroTik, so that the local network will send traffic through the VPN endpoint.
Netmaker offers a robust solution to enhance the networking capabilities provided by MikroTik RouterOS. By leveraging Netmaker's advanced networking features, users can seamlessly integrate their MikroTik routers into a larger, more complex network infrastructure. Netmaker's support for dynamic routing protocols such as WireGuard allows for efficient management of VPNs, enhancing the security and connectivity of your network. With its ability to handle multiple routing paths and implement Policy-Based Routing (PBR), Netmaker ensures that data travels the optimal route, improving overall network efficiency.
Additionally, Netmaker simplifies the deployment and management of virtual networks, making it an ideal choice for businesses utilizing MikroTik cloud-hosted routers. Its compatibility with containerized environments like Docker or Kubernetes ensures that Netmaker can be easily integrated into existing infrastructures. The advanced server installation features of Netmaker allow for a streamlined setup process, ensuring that your network can grow and adapt to meet your needs. To get started with Netmaker and experience these benefits firsthand, sign up at Netmaker Signup.