GP & CSA for Mikrotik devices

Preamble and disclaimer:
The following is a numbered list of what is usually considered good practice or common sense advice when choosing, using, setting up or maintaining a Mikrotik router.
It is my personal take on the matter, and in no way approved, endorsed or recommended, officially or unofficially, by Mikrotik or their partners or by anyone else.
In other words you are perfectly free to ignore its contents, though they represent (IMHO) a sort of (useful) check list for people starting to use these devices.

Unlike Mikrotik Club Rules:

(or firewall filter rules) that have a strict order of relevance, these are added and numbered (starting from 13) as soon as I come across the idea or it is suggested by some other member, in pseudo-random order, and the list is potentially endless.
The last number item is intentionally left blank to underline the always evolving nature of the list.
Experts already know all these little tricks or habits (and many more) and they already have their own ways to implement them or, in any case, manage their devices properly.


Good practice and common sense advice:

13. When buying a device, take your time studying its specifications, searching the forum for threads where the same device is involved and in case of doubts ask for advice on the forum before buying it.
14. Be aware that some settings may cause the device to “phone home” or otherwise transmit and receive packets while idle.
15. Mikrotik SoHo devices come with a complete or almost complete basic default configuration, and most settings in it sport the comment “defconf”.
When you change any of the settings with comment “defconf” you should ALSO either remove the comment or - better - change it to something like “myconf” or “moddedconf” or - when possible - a more descriptive one.
16. When writing a script, or even on the command line, you should NEVER use a ROS property or command as the name of a variable, as this can lead to unpredictable results.
17. Backup (binary) is a misnomer, it is much more similar to an image of the system that can ONLY be restored to the SAME device or to an identical one (i.e. producing a “clone”). Since some settings (namely MAC addresses) are recorded in the backup and cannot be changed before restoring, restoring the backup of one device to another (identical) one on the same network can create havoc.
18. Making (often) exports of the configuration is instead very useful, as such exports are plain text files, they can be modified and re-imported (not by using “import” that is likely to create a mess, but rather by copying and pasting relevant snippets/sections).
19. PoE (on both Mikrotik and non-Mikrotik devices) is a mess. Devices can be (passive) non-standard or nominally standard (802.3af, 802.3at or 802.3bt) but still not fully compliant with the cited standard; you must be very, very careful when designing a setup and choosing the devices.
20. Always remember that most changes in the configuration take effect immediately, so, particularly when experimenting new, strange settings, using Safe Mode could be your saviour. As mentioned in the corollary to Rule #7, as BartoszP suggests:“Safe mode” is your all time & forever friend. Use it.
21. Quite often when fiddling with settings it may happen that something (an interface, a bridge, etc.) is accidentally either removed or renamed and not all references to it are correspondingly edited/fixed. The RoS in these cases replaces the reference with a sort of placeholder in the form of “*” (asterisk) followed by a (hex) number, so it is a good idea to export the configuration, open it in a text editor and search in it for occurrences of “*” (asterisk); normally there are none (except maybe in some keys/hashes or similar), so finding one or more of them might be a sign that something needs to be done to correct the configuration…
22. When attempting to connect to the device from factory, use any port BUT ether1, notwithstanding what the Quick Guide might be saying; more generally, if connecting to an ether port does not allow connection, try the other ports.
23. When you change settings, most of the time (like 90-95% of the time) these settings take effect immediately, but since some do not, it is a good idea to reboot the router before testing the new/modified/added feature/behaviour.
24. When some member provides a reply/answer to your question or doubt, it will rarely be a simple one-liner; make sure to go through the whole reply and understand it in its entirety, not only the first, middle or last part of it, before posting “it doesn’t work”.
25. And BTW you should NEVER post “it doesn’t work”, specify WHAT (exactly) you did and HOW (exactly) it behaves differently from what you would expect.
26. When your question receives multiple replies, suggesting different things, you should choose only one of them and test that; if it doesn’t work, try the second and so on, DO NOT mix different suggestions from different people.
27. Generally speaking, helping members do not trust you when you reply “Ok, I have done that, but …”, they want to see an updated version (after the changes) of your configuration, in order to make sure that the suggested changes were correctly implemented.
28. Still generally speaking, the most convenient way to access a Mikrotik device running RouterOS is the Winbox program (v.3.x).
29. …

Corollaries:
[13] As a common example at the time of this writing (with RoS around versions 7.17-7.18) buying new a device with only 16 MB of storage is generally considered an extremely sophisticated path to self-injury. The new versions of RoS are simply too large to fit in that tiny space of storage and upgrading these devices often if not always involves a netinstall from scratch (and if you haven’t tried netinstall you cannot imagine how painful and frustrating the process can be). This does not mean that 16 MB devices are to be thrown in the dustbin, if you have one of them or if you happen to find used ones on the cheap they can still be very valid devices, in the appropriate cases, possibly running long term 6.49.x. But buying new ones? Don’t.
[14] Known settings that may cause this are:
a. auto timezone detect enabled [ System → Clock — Tab: Time ]
b. update time enabled [ IP Cloud → Tab: Cloud ]
[15] Otherwise in a few days/weeks time when you will need to review the configuration you won’t be able to distinguish what is really “defconf” and comes standard from Mikrotik and what you changed.
This is general good practice, in the specific case of (usually more complex) added or modified entries in:
a. /ip firewall mangle
b. /ip firewall filter
c. /ip routing rules
d. /ip routes
it is VITAL that the comment is meaningful, otherwise you risk spending hours to “reverse engineer” the clever setting you made earlier to try and understand what it does.
[16] This is not limited to RoS: in any scripting language, variables should have names different from any reserved one in the environment.
[17] Knowing its features/peculiarities, binary backup can be very useful, still it is something that you should not use if not for recovery of the SAME device or of an IDENTICAL one, and identical means: same model and revision, as models are sometimes silently “upgraded” with no public announcement, so in one delivery different revisions could be found or during RMA the newer revision could be received. There is no way to know in advance if the replication on a same model but different revision will succeed or fail. This said, in SOME LIMITED cases it is actually possible to restore a binary backup on a different model, but it is strongly discouraged, and if you attempt it, be prepared to netinstall to recover the bricked device.
[18] Even if you cannot fully manage/understand the contents of the export, it is something you can post on the board to ask for help with.
It is suggested to use the terse parameter for export (for future restore/recovery), as each exported setting is complete, not split into many lines, and the commands are ready to be used in the CLI without worrying that they get pasted in the wrong menu context.
/export terse ← terse - the export command will output only configuration parameters, without defaults.
or the extended version:
/export terse verbose ← verbose - the export command will output the whole configuration, parameters and items, including defaults.
To save sensitive data add show-sensitive=yes for v7 (v6 always exports sensitive data).
For posting on the forum it is instead advised NOT to use terse, as this way the output is more readable (grouped in sections); a simple /export file=anynameyouwish will do, more detailed instructions here:

[19] In case of any doubt, again ask for clarifications before buying new devices and also connecting existing ones to PoE supplies/sources, while most modern devices (both Mikrotik and non-Mikrotik) have protections against overvoltage, reverse polarity and power on the “other” set of pairs (Mode A vs. Mode B), older or cheaper devices may lack them and letting the magic smoke out is a concrete possibility.
[20] Be anyway aware that using Safe Mode, while often being capable of reverting wrong settings, is not the perfect solution that protects you from everything, it should be intended as an additional safety, not as a “feel free to do whatever crosses your mind as you have the get out of jail free card”.
[21] These placeholders are anyway uniquely set, i.e. as an example all occurrences of (say) *A refer to the same missing/deleted/removed data, so it is generally easy, by finding all occurrences of “*A”, to understand what the original item was and correct the configuration. There are exceptions of course, one is
```
/ppp profile set *FFFFFFFE …
```
here *FFFFFFFE is the way RoS addresses the default encryption profile, see:

[22] SoHo devices come from factory with a default configuration that makes ether1 WAN and the other ports LAN, so to connect you need to use any port BUT ether1; professional devices should be shipped with no default configuration and the Quick Guide recommends using ether1 for connection, but some devices, for one reason or another, do not allow connection from ether1 anyway, so if following the instructions doesn’t work try another ethernet port.
[23] The issue is with the 5%-10% that appear to take effect but actually don’t (or don’t fully). In any case - sooner or later - the router will need to be rebooted and you want to make sure that it will work as expected just after a reboot; since it takes only a handful of seconds, when you change something and it doesn’t work as expected, it is worth trying a reboot of the device before starting to look (in vain) for whatever remained “sticky” from the previous configuration that prevents the device from working as it should.
[24] You have to understand how frustrating it can be for a willing helping member to see that only 1/3 or 1/4 of the answer has been digested and implemented.
[25] The board is not like sending a telegram at a post office, you don’t pay a fee per word, even without being verbose you should transmit as much information as possible.
[26] When the replies from different people are diverging it usually means that there is more than one way to skin a cat, but the cat (who won’t be happy anyway) can only be skinned once.
[27] There are reasons for this: it is extremely common that while changing something, something else is inadvertently changed, and when there are multiple changes suggested one or two are skipped accidentally; the more expert members can usually spot an issue when reviewing a whole configuration file, but they may miss some interconnected settings when separate snippets are posted.
[28] see here why:

[29] …
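The checks behind items 15 and 21 (and their corollaries) can be run mechanically over a saved export instead of eyeballing it in a text editor. The script below is an added example, not part of the original post and not RouterOS's own code: it re-joins the backslash-wrapped lines of a non-terse export, reports every “*HEX” placeholder grouped by id (all occurrences of one id point at the same missing item), leaves *FFFFFFFE alone, and flags uncommented `add` entries in the firewall filter/mangle, route and routing-rule menus. The export text inside it is constructed for the example; the menu header strings and the assumption that comments contain no escaped quotes are mine, not taken from the page.

```python
"""Lint a saved RouterOS '/export' text file (added example, not RouterOS's own code).

Two checks from the list above:
  * item 21: references to deleted/renamed items, exported as '*' + hex id;
  * item 15: entries in the firewall/route menus that carry no comment.
"""
import re

# Constructed sample export (hypothetical device, not real data). It contains the
# backslash-wrapped lines a non-terse export produces, two dangling references
# (*A, *B), the legitimate *FFFFFFFE, and some uncommented entries.
SAMPLE_EXPORT = "\n".join([
    "# 2025-03-01 10:00:00 by RouterOS 7.17",
    "# software id = XXXX-XXXX",
    "#",
    "/interface bridge",
    "add comment=defconf name=bridge",
    "/ip firewall filter",
    "add action=accept chain=input comment=\\",
    '    "defconf: accept established,related,untracked" \\',
    "    connection-state=established,related,untracked",
    "add action=accept chain=forward dst-port=443 in-interface=*A protocol=tcp",
    "add action=drop chain=forward in-interface=*A out-interface=*B",
    "/ip firewall mangle",
    "add action=mark-routing chain=prerouting comment=isp2-for-nas \\",
    "    new-routing-mark=via-isp2 src-address=192.168.88.50",
    "/ppp profile",
    "set *FFFFFFFE use-encryption=yes",
    "/ip route",
    "add distance=1 gateway=192.168.1.1 routing-table=via-isp2",
])

# '*' followed by upper-case hex, not glued to a preceding word/dot/asterisk
# (so 'a*b' or '*.example.com' inside a comment is not matched).
PLACEHOLDER = re.compile(r"(?<![\w.*])\*([0-9A-F]+)\b")
# *FFFFFFFE is how RoS addresses the default ppp encryption profile, not a dangling ref.
KNOWN_IDS = {"FFFFFFFE"}
# Export section headers (assumed) for the menus the corollary to item 15 names.
COMMENT_REQUIRED = {"/ip firewall filter", "/ip firewall mangle", "/ip route", "/routing rule"}
# comment="quoted text" or comment=single-token; assumes no escaped quotes inside.
COMMENT_RE = re.compile(r'(?:^|\s)comment=(?:"([^"]*)"|(\S*))')


def logical_lines(text):
    """Yield (first physical line number, joined text) for each export line,
    re-joining lines that RoS wrapped with a trailing backslash. The join is
    direct (no space inserted): RoS puts the separating space before the backslash."""
    buf, start = "", None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = lineno
        piece = raw.lstrip() if buf else raw   # continuation lines are indented
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        yield start, buf + piece
        buf, start = "", None
    if buf:                                    # file ended inside a wrapped line
        yield start, buf


def find_dangling_refs(text):
    """Map each placeholder id (e.g. 'A') to the physical line numbers referencing it."""
    refs = {}
    for lineno, line in logical_lines(text):
        if line.startswith("#"):
            continue
        for m in PLACEHOLDER.finditer(line):
            if m.group(1) not in KNOWN_IDS:
                refs.setdefault(m.group(1), []).append(lineno)
    return refs


def find_uncommented(text):
    """(line number, menu) of every 'add' item in COMMENT_REQUIRED menus without a comment."""
    missing, section = [], None
    for lineno, line in logical_lines(text):
        if line.startswith("#") or not line.strip():
            continue
        if line.startswith("/"):               # menu header, e.g. '/ip firewall filter'
            section = line.strip()
            continue
        if section in COMMENT_REQUIRED and line.startswith("add "):
            m = COMMENT_RE.search(line)
            if not m or not (m.group(1) or m.group(2)):
                missing.append((lineno, section))
    return missing


if __name__ == "__main__":
    for pid, lines in sorted(find_dangling_refs(SAMPLE_EXPORT).items()):
        print(f"*{pid} referenced on lines {lines}: one missing item, fix every occurrence")
    for lineno, section in find_uncommented(SAMPLE_EXPORT):
        print(f"line {lineno}: entry in {section} has no comment")
```

Run it against the output of `/export file=anyname` copied off the device; a terse export works too, the line re-joining simply has nothing to do. Both *A and *B above point at interfaces that no longer exist, and the report lists every line that has to be edited before the export can be pasted back in.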

For (18) I suggest using the terse param for export, as each exported setting is complete, not split into many lines, and the command is ready to be used in the CLI without worrying that it is pasted in the wrong menu context.

/export terse
or extended version
/export terse verbose

  • terse - the export command will output only configuration parameters, without defaults.
  • verbose - the export command will output whole configuration parameters and items including defaults.

To save sensitive data add show-sensitive=yes for v7 as v6 always exports it

Added/included in corollary #18, thanks :slight_smile: .

Regarding 17 I would add that

Identical means: same model and revision as models are sometimes silently “upgraded” with no public announcement so in one delivery different revisions could be found or during RMA the newer revision could be received

Added, including a note about restoring binary backup on different models.

http://forum.mikrotik.com/t/dhcp-threshold-alert/184185/6

I would propose an addition:
#24: The user usually is not able to follow or understand multiple pieces of information in a single post, so either he only considers the first one or the last one and ignores all the previous ones.

Hmmm, true.

I will need to think how to translate your “se tu sei una fava, dillo” :wink: in something a bit less blunt and direct :laughing: .

The other extreme case is: user comes with a problem, a few random users of forum respond, each with their own solution (or “solution”), which can be orthogonal to each other … and user then tries to apply all of them at the same time. Most often this approach doesn’t stand a chance …

Added a few points.

Since the above is too d@mn short for Discourse, I was greeted by the nonsensical:

Post must be at least 20 characters Have you tried the like button?

Corrected and expanded #21 and its corollary.