Troubleshooting.

Most RouterOS bugs you'll meet aren't bugs — they're a config that doesn't match the operator's mental model. This page covers the methodical approach (bisect from "what changed") and the small handful of commands that answer 80% of questions.

Step 0 — bisect from "what changed"

Before you look at anything: what did you change between "working" and "not working"? If the answer is "nothing", check /system history:

/system history print
# Lists the last ~100 config-changing commands with timestamps + actor.

Common culprits:

  • A RouterOS upgrade — see upgrades for the rollback path.
  • A firewall rule added above the established/related accept.
  • An interface list membership changed (rules referencing the list silently start matching differently).
  • DHCP lease changed an IP that's hardcoded somewhere.
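The second culprit above can be checked offline against a saved `/ip firewall filter export`. The following is an added example, not part of the original guide or of RouterOS; the sample export is constructed, and the function names are hypothetical. It lists, per chain, every rule that is evaluated before the established/related accept.

```python
import shlex

# Constructed sample of `/ip firewall filter export` output, not from a real router.
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=drop chain=input comment="block guest mgmt" dst-port=22,8291 \
    protocol=tcp src-address=192.168.99.0/24
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-nat-state=!dstnat in-interface-list=WAN
'''


def parse_filter_rules(export_text):
    """Yield one dict per `add` line under /ip firewall filter, in export order."""
    joined = export_text.replace("\\\n", " ")  # undo the export's line wrapping
    in_filter = False
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_filter = line == "/ip firewall filter"
        elif in_filter and line.startswith("add "):
            tokens = shlex.split(line[4:])  # keeps quoted comments as one token
            yield dict(tok.split("=", 1) for tok in tokens if "=" in tok)


def is_established_accept(rule):
    # Assumption: a rule exported without action= uses the default, accept.
    states = rule.get("connection-state", "").split(",")
    return rule.get("action", "accept") == "accept" and "established" in states


def rules_above_established(export_text):
    """Map chain -> rules before its established accept (None if it has none)."""
    chains = {}
    for rule in parse_filter_rules(export_text):
        chains.setdefault(rule.get("chain", "?"), []).append(rule)
    report = {}
    for chain, rules in chains.items():
        idx = next((i for i, r in enumerate(rules) if is_established_accept(r)), None)
        report[chain] = None if idx is None else rules[:idx]
    return report


if __name__ == "__main__":
    for chain, rules in rules_above_established(SAMPLE_EXPORT).items():
        print(chain, rules)
```

Run it on the export taken before and after the change: a rule that newly appears in a chain's list is the first place to look.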

Connectivity

/interface print
# Look for "R" (running) flag on the interface you care about.
/interface ethernet print
# Look at the "rate" column — "10Mbps" on a gigabit link usually means a bad cable or auto-neg mismatch.

Can the router reach the next hop?

/ping count=4 1.1.1.1
/ping count=4 192.168.88.1 routing-table=main
# /tool traceroute is the fuller picture
/tool traceroute count=1 1.1.1.1

Ping from the router lets you split "router → internet" from "client → router". If the router can ping the internet but the client can't, the problem is between the client and the router (NAT, DNS, firewall forward chain).

DNS

/resolve example.com
# Times out → upstream DNS is unreachable or /ip dns servers= isn't set.
/ip dns print
/ip dns cache print where name~"example.com"

Firewall

Counters tell you what's matching

v6
/ip firewall filter print stats
# Watch a specific rule's hit count rise:
/ip firewall filter print stats interval=1
v7
/ip/firewall/filter print stats
/ip/firewall/filter print stats interval=1

Re-trigger the failing action, watch the stats. The rule whose counter goes up is the one matching first. If nothing increments, the packet isn't reaching the firewall at all — check NAT, then the interface.

Live packet flow

/tool torch interface=ether1 src-address=192.168.88.50
# Shows every flow currently passing through that interface, broken down by
# src/dst/protocol. Better than tcpdump for "what's actually going through this
# port right now" questions.

Packet capture

/tool sniffer set interface=ether1 file-name=trace.pcap
/tool sniffer start
# ... reproduce the problem ...
/tool sniffer stop
# File lives at /file — download via WinSCP or /file/<filename> via SSH.

Open the pcap in Wireshark on your laptop. /tool sniffer is the RouterOS equivalent of tcpdump, with the same output format. Filter by IP or port via the filter-* parameters to keep file sizes manageable.

NAT

Two common NAT failures:

  • "Internet works but I can't reach my port-forward from INSIDE the LAN": you need hairpin NAT. The router gets the packet from inside, sees its public IP as the destination, and doesn't NAT it back, so the source IP looks external to the target and the connection breaks.
  • "My VPN tunnel works in one direction" — the forward NAT rule is matching site-to-site traffic before the IPsec policy sees it. See IPsec NAT exemption.

When in doubt, check the log

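# topics~ takes a regex, so separate alternatives with "|" (a comma only matches the literal string).
/log print where topics~"warning|error|critical"
/log print where time>"2026-05-20 14:00:00"
# Combined (recent warnings + errors):
/log print where time>"-1h" and topics~"warning|error|critical"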

See monitoring & logging for setting up remote syslog — the local 1000-line buffer wraps fast on a busy router.

Last resorts

Safe mode

When you're about to do something that might lock you out (firewall rule edits, IP address changes via Winbox over the LAN), enable safe mode FIRST. If you disconnect within 9 minutes, RouterOS rolls back the changes automatically.

# In CLI: press Ctrl+X to enter safe mode. "Safe Mode" appears in the prompt.
# Make your changes, verify they work, then Ctrl+X again to commit.
# If you disconnect (or get locked out) before that second Ctrl+X, RouterOS
# reverts everything you did in safe mode.

Config rollback

RouterOS keeps an auto-saved backup of the last working boot config. From the boot loader (serial console + RouterBOOT keypress) you can boot to "backup" which rewinds to the previous boot.

From a working session, roll back an export-based backup:

# See available named backups
/system backup print
# Restore (warning: reboots the router)
/system backup load name=pre-change-2026-05-20

See backup & restore for the full lifecycle.

Factory reset

When all else fails and you have physical access: hold the reset button while powering on. Different boards have different durations — see factory reset. This wipes everything. Have a backup before you press the button.

Getting help

The RouterOS forum (forum.mikrotik.com) and the #mikrotik Libera IRC channel are the canonical community sources. When you ask, include:

  • /system resource print output (model + RouterOS version + memory + CPU).
  • The relevant config sections — /ip firewall filter export, /interface bridge export etc. Redact passwords + IPs.
  • The exact symptom: what you tried, what happened, what you expected.
  • Recent log entries from the affected subsystem.

Posting "my internet doesn't work" without that context is a fast way to get ignored. With it, you'll usually get a useful answer in minutes.
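One way to do the "redact passwords + IPs" step before posting an export, as an added example that is not part of the original guide: secrets are blanked and each distinct IPv4 address is replaced with a stable placeholder, so helpers can still see which rules refer to the same host. The list of secret parameter names is a heuristic assumed for this example, and the sample export is constructed.

```python
import ipaddress
import re

# Parameter names treated as secrets: a heuristic chosen for this example,
# not an official RouterOS list. Extend it to cover your own config.
SECRET_PARAM = re.compile(
    r'(?P<key>[\w.-]*(?:password|passphrase|secret|shared-key|private-key)[\w.-]*)='
    r'(?P<val>"(?:[^"\\]|\\.)*"|\S+)',
    re.IGNORECASE,
)
IPV4 = re.compile(r'(?<![\w.])\d{1,3}(?:\.\d{1,3}){3}(?![\w.])')

# Constructed sample export, not from a real router.
SAMPLE_EXPORT = r'''
/ppp secret
add name=alice password="hunter 2" service=l2tp
/interface wireless security-profiles
set [ find default=yes ] wpa2-pre-shared-key=SuperSecretWifi
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=203.0.113.7 dst-port=443 \
    protocol=tcp to-addresses=192.168.88.50
add action=masquerade chain=srcnat dst-address=192.168.88.50 \
    src-address=192.168.88.0/24
'''


def redact_export(text):
    """Return (redacted_text, ip_map); keep ip_map private, it holds the real IPs."""
    ip_map = {}

    def swap_ip(match):
        raw = match.group(0)
        try:
            ipaddress.IPv4Address(raw)
        except ValueError:
            return raw  # e.g. 999.1.1.1 is not an address, leave it untouched
        # Same address -> same token, so rule relationships stay readable.
        token = ip_map.setdefault(raw, "IP-%d" % (len(ip_map) + 1))
        return "<%s>" % token

    text = SECRET_PARAM.sub(lambda m: m.group("key") + "=<redacted>", text)
    return IPV4.sub(swap_ip, text), ip_map


if __name__ == "__main__":
    print(redact_export(SAMPLE_EXPORT)[0])
```

Read the redacted text once before posting: free-text fields such as comment= can still carry names or hostnames this pass does not touch.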