Version: current

Services

IP/Services lists the protocols and ports used by various MikroTik RouterOS services and containers, including those for incoming connections.

It helps to determine which MikroTik services (or containers) are listening on specific ports, and what needs to be blocked or allowed if you want to restrict or permit access to certain services.

The default services that can be configured from the IP/Services section:

Property	Description
telnet	Telnet service
ftp	FTP service
www	WebFig HTTP service
ssh	SSH service
www-ssl	WebFig HTTPS service
api	API service
winbox	Responsible for WinBox tool access, as well as MikroTik smartphone app and Dude
api-ssl	API over SSL service
reverse-proxy	Reverse Proxy service

Properties

Note that it is not possible to add new services, only existing service modifications are allowed.

Sub-menu: /ip/service

Property	Description
address (IP address/netmask \| IPv6/0..128; Default: )	List of IP/IPv6 prefixes from which the service is accessible. When this parameter is set, packets are not dropped at the network level, but access to the service is denied for sources not matching the specified addresses. This option is best suited for restricting access within trusted networks. To block access from external or untrusted networks, we recommend using a Firewall instead.
certificate (name; Default: none)	The name of the certificate used by a particular service. Applicable only for services that depend on certificates (www-ssl, api-ssl)
name (name; Default: none)	Service name
max-sessions(integer: 1..1000; Default: 20)	Max simultaneous session count for service
port (integer: 1..65535; Default: )	The port a particular service listens on
tls-version (any \| only-1.2; Default: any)	Specifies which TLS versions to allow by a particular service
vrf (name; Default: main)	Specifies which VRF instance to use by a particular service

Read-only properties

Property	Description
Container	Name of the container listening on the port
Local	Router local address used for the connection
Remote	Remote address that established the connection to the service

Example

For example, allow API only from a specific IP/IPv6 address range

[admin@dzeltenais_burkaans] /ip/service/set api address=10.5.101.0/24,2001:db8:fade::/64
[admin@dzeltenais_burkaans] /ip/service/print where !dynamic      
Flags: X - DISABLED, I - INVALID
Columns: NAME, PORT, PROTO, ADDRESS, CERTIFICATE, VRF, MAX-SESSIONS
 #   NAME     PORT  PROTO  ADDRESS             CERTIFICATE  VRF   MAX-SESSIONS
 0   ftp        21  tcp                                     main            20
 1   ssh        22  tcp                                     main            20
 2   telnet     23  tcp                                     main            20
 7   www        80  tcp                                     main            20
 9 X www-ssl   443  tcp                        none         main            20
13   winbox   8291  tcp                                     main            20
15   api      8728  tcp    10.5.101.0/24                    main            20
                           2001:db8:fade::/64                                 
16   api-ssl  8729  tcp                        none         main            20

Example that shows dynamic services that listen or have established connections to router services

[admin@dzeltenais_burkaans] /ip/service/print where dynamic  
Flags: D - DYNAMIC; c - CONNECTION
Columns: NAME, NETNS, CONTAINER, PORT, PROTO, LOCAL, REMOTE
 #    NAME        NETNS  CONTAINER  PORT  PROTO  LOCAL         REMOTE            
D  resolver                        53  tcp                                    
D  resolver                        53  udp                                    
D  dhcp                            67  udp                                    
D  dhcpclient                      68  udp                                    
D  snmp                           161  udp                                    
D  btest                         2000  tcp                                    
D  loader                        3986  tcp                                    
D  discover                      5678  udp                                    
Dc winbox                        8291  tcp    10.155.221.4  10.145.221.15:51595
D  pihole-FTL     16  Pi-hole      53  tcp                                    
D  pihole-FTL     16  Pi-hole      53  udp                                    
D  lighttpd       16  Pi-hole      80  tcp                                    
Dc lighttpd       16  Pi-hole      80  tcp    172.55.1.2    10.145.221.15:52298
Dc lighttpd       16  Pi-hole      80  tcp    172.55.1.2    10.145.221.15:52333
Dc lighttpd       16  Pi-hole      80  tcp    172.55.1.2    10.145.221.15:52339
Dc lighttpd       16  Pi-hole      80  tcp    172.55.1.2    10.145.221.15:52340
Dc lighttpd       16  Pi-hole      80  tcp    172.55.1.2    10.145.221.15:52341
Dc lighttpd       16  Pi-hole      80  tcp    172.55.1.2    10.145.221.15:52342
D  pihole-FTL     16  Pi-hole    4711  tcp

Protocols and ports

The table below shows the list of protocols and ports used by RouterOS.

Proto/Port	Description
20/tcp	FTP data connection
21/tcp	FTP control connection
22/tcp	Secure Shell (SSH) remote login protocol
23/tcp	Telnet protocol
53/tcp 53/udp	DNS
67/udp	Bootstrap protocol or DHCP Server
68/udp	Bootstrap protocol or DHCP Client
80/tcp	World Wide Web HTTP
123/udp	Network Time Protocol (NTP
161/udp	Simple Network Management Protocol (SNMP
179/tcp	Border Gateway Protocol (BGP
443/tcp	Secure Socket Layer (SSL) encrypted HTTP
500/udp	Internet Key Exchange (IKE) protocol
520/udp 521/udp	RIP routing protocol
546/udp	DHCPv6 Client message
547/udp	DHCPv6 Server message
646/tcp	LDP transport session
646/udp	LDP hello protocol
1080/tcp	SOCKS proxy protocol
1698/udp 1699/udp	RSVP TE Tunnels
1701/udp	Layer 2 Tunnel Protocol (L2TP)
1723/tcp	Point-To-Point Tunneling Protocol (PPTP)
1900/udp 2828/tcp	Universal Plug and Play (uPnP)
1966/udp	MME originator message traffic
1966/tcp	MME gateway protocol
2000/tcp	Bandwidth test server
5246,5247/udp	CAPsMAN
5350/udp	NAT-PMP client
5351/udp	NAT-PMP server
5678/udp	Mikrotik Neighbor Discovery Protocol
6343/tcp	Default OpenFlow port
8080/tcp	HTTP Web Proxy
8291/tcp	Winbox
8728/tcp	API
8729/tcp	API-SSL
20561/udp	MAC winbox
/1	ICMP
/2	[Multicast
/4	IPIP encapsulation
/41	IPv6 (encapsulation)
/46	RSVP TE tunnels
/47	General Routing Encapsulation (GRE) - used for PPTP and EoIP tunnels
/50	Encapsulating Security Payload for IPv4 (ESP)
/51	Authentication Header for IPv4 (AH)
/89	OSPF routing protocol
/103	[Multicast
/112	VRRP

Web server

The table below shows the list of properties that can be enabled/disabled for web services. All of properties are enabled by default and can be disabled if desired.

In this table "plain" refers to HTTP connections and "secure" to HTTPS connections.

Property	Description
index-plain: (Default: yes)	Home page/login page (Can be disabled when webfig-plain and graphs-plain are disabled)
webfig-plain: (Default: yes)	WebFig interface
graphs-plain: (Default: yes)	Graph page
rest-plain: (Default: yes)	REST API support
crl-plain: (Default: yes)	CRL(Certificate Revocation List)
scep-plain: (Default: yes)	SCEP(Simple Certificate Enrollment Protocol)
acme-plain: (Default: yes)	ACME Challenge
index-secure: (Default: yes)	Home page/login page (Can be disabled when webfig-secure and graphs-secure are disabled)
webfig-secure: (Default: yes)	WebFig interface
graphs-secure: (Default: yes)	Graph page
rest-secure: (Default: yes)	REST API support

Properties​

Read-only properties​

Example​

Protocols and ports​

Web server​

Properties

Read-only properties

Example

Protocols and ports

Web server