GUIDE / REMOTE ACCESS
Remote access.
You need to reach your router from somewhere that isn't its LAN. The obvious move is to port-forward Winbox or expose SSH on a public IP. Don't. RouterOS management services have a history of CVEs, and a public-facing management port is in the first sweep of every botnet that scans port 8291 or 22. This page walks the safer paths.
The right answer, in order of preference
- WireGuard VPN to your router (v7 only). Lowest setup cost, smallest attack surface, ships built in.
- IPsec site-to-site when you're connecting an office network and want a permanent tunnel.
- L2TP/IPsec when WireGuard isn't available (RouterOS v6 routers, or clients without WireGuard support). Older but reliable.
- SSH on a non-standard port, key-only auth, source-restricted — when a VPN is genuinely impractical (e.g. you need to script from a cloud CI box that won't carry a VPN). Defence-in-depth required; see Winbox / SSH hardening.
- Never: Winbox on a public port. Webfig on a public
port.
/ip service apiexposed. The CVE list is long enough that any of these is a "when", not "if", problem.
Before any of this works
Remote access requires a way for the outside world to reach something on your router. Three common shapes:
- Public IPv4 on the WAN — your ISP gives you a routable
IPv4 address (not RFC1918, not CGN). Check with
/ip address print; if WAN address is 100.64.0.0/10 you're behind CGN and need a different shape. - IPv6 — most ISPs delegate a /56 or /60. Your router gets a routable IPv6 address automatically. Works for VPN endpoints but client OSes need IPv6 connectivity at the other end.
- An overlay you control — Tailscale, Cloudflare Tunnel, a relay VM. None of these need ISP cooperation and they neatly avoid the "what's my WAN IP today" problem on dynamic-IP connections. The VPN endpoint becomes the overlay's address, not your ISP's IP.
Dynamic-IP / DDNS
If your WAN IP changes daily, you have two viable options:
- MikroTik IP cloud DDNS — built in.
/ip cloud set ddns-enabled=yesgives you a<serial>.sn.mynetname.nethostname that tracks the router's WAN address. Free, no third-party account. - Third-party DDNS (DuckDNS, no-ip, dynu) via a scheduled script that POSTs the current IP. More work, but lets you pick a hostname.
/ip cloud set ddns-enabled=yes update-time=yes
/ip cloud print
# the hostname is the "dns-name" field /ip/cloud set ddns-enabled=yes update-time=yes
/ip/cloud print
# the hostname is the "dns-name" field Behind carrier-grade NAT (CGN)
A surprising number of residential and mobile connections sit behind CGN — your router's "WAN" IP is in the 100.64.0.0/10 range and the real internet-routable IP belongs to your ISP's NAT box. Port-forwards don't work; you can't open ports on a NAT you don't control. Options:
- Ask the ISP for a public IPv4 (some offer it as a paid upgrade).
- Use IPv6 if the ISP delegates it — IPv6 doesn't traverse CGN.
- Use an overlay (Tailscale, ZeroTier, Cloudflare Tunnel) so the "where are you reachable" question moves to a third party.
- Run a small VM with a public IP and use it as a VPN concentrator — your router dials out to it permanently, you VPN to the VM.
Once you're inside the VPN
From a connected VPN client you can use Winbox, Webfig, or SSH normally — the router treats VPN-side addresses as LAN-equivalent. Two things to set up first:
- Restrict management services to the VPN subnet.
/ip service set winbox address=10.10.10.0/24(where10.10.10.0/24is your VPN subnet). Anything outside that range gets refused without a response. See IP services. - Firewall rule to accept management traffic from the VPN subnet — input chain, accept TCP/SSH+Winbox+Webfig from the VPN range, before the default-drop. See input chain.
What never goes public
For the avoidance of doubt, the management surface that should never be reachable from the open internet:
- Winbox (port 8291).
- SSH (port 22), unless source-restricted to specific known IPs.
- Webfig over HTTPS (port 443) — and definitely not HTTP (port 80).
/ip service api(port 8728) orapi-ssl(8729).- SNMP (port 161) — read-only or otherwise.
- Bandwidth Test Server (port 2000).
Everything in that list goes behind the VPN. Yes, even SSH with keys. The cost of a CVE in any one of them is a re-flashed router; the cost of a VPN is one extra hop.