Prerequisites

Minimum requirements and compatibility notes.

Back to About Us

Prerequisites

The following requirements describe the minimal environment and RouterOS prerequisites needed to use mTikOps for remote management of MikroTik devices.

RouterOS requirement

Each managed device must run MikroTik RouterOS with API support enabled. mTikOps uses the RouterOS API to send commands and receive data. Supported RouterOS versions should include the API package (most modern RouterOS releases include this by default).

Network connectivity

  • Reachability: The RouterOS device must be reachable from the mTikOps server. This typically means the device is accessible via IP over the internet or via a private network/VPN.
  • If devices are behind NAT, configure port forwarding to permit API connections, or use a VPN / management tunnel between the server and the devices.

Credentials & access

  • Valid user credentials: You must provide a RouterOS username and password with sufficient privileges to perform the actions you intend to use through mTikOps (for example, hotspot, PPP, queues, and monitoring commands).
  • For security, use accounts scoped to the minimum privileges required and rotate credentials periodically.

API access

mTikOps communicates with RouterOS using the RouterOS API. Ensure the API port is open and reachable (default TCP port 8728 for plaintext API, 8729 for API over TLS if configured). Recommended best practices:

  • Prefer API over a secured channel (VPN or TLS) when possible.
  • Restrict access to the API port using firewall rules to allow only the mTikOps server IP(s).
  • Test connectivity using a simple API client before adding the device to mTikOps.

Example connection checklist

  1. Confirm RouterOS device is reachable from the mTikOps server (ping or telnet to API port).
  2. Verify API service is running on the RouterOS device.
  3. Validate credentials by logging in with a RouterOS API client (or via WinBox/SSH).
  4. If using NAT, ensure port forwarding or VPN is configured for API access.

Security notes

Because mTikOps can perform configuration changes, follow security best practices: keep the RouterOS updated, ensure HTTPS for the web UI is active before continuing, restrict API access by IP/website, and use least-privilege RouterOS accounts (sufficient for intended tasks).

Firewall rules example (RouterOS)

To allow end-to-end API communication only from a trusted IP and reject other API attempts, add the following rules in your RouterOS firewall (Terminal or WinBox). Place the accept rule above the reject rule so the allowed host is matched first.

/ip firewall filter add chain=input action=accept protocol=tcp dst-port=8728,8729 src-address=139.162.8.0/22 comment="Allow API Access from mTikOps Server"
/ip firewall filter add chain=input action=reject protocol=tcp dst-port=8728,8729 reject-with=icmp-port-unreachable comment="Deny API Access to Others"

Notes: port 8728 is the default RouterOS API port (plaintext); 8729 is commonly used for API over TLS. Restricting API access by source IP and using a reject rule helps reduce unauthorized connection attempts.