GP & CSA (Good Practice and Common Sense Advice) for Mikrotik devices

Preamble and disclaimer:
The following is a numbered list of what is usually considered good practice or common sense advice when choosing, using, setting up or maintaining a Mikrotik router.
It is my personal take on the matter, and in no way approved, endorsed or recommended, officially or unofficially, by Mikrotik or their partners or by anyone else.
In other words you are perfectly free to ignore its contents, though they represent (IMHO) a sort of (useful) check list for people starting to use these devices.

Unlike Mikrotik Club Rules (or firewall filter rules) that have a strict order of relevance, these are added and numbered (starting from 13) as soon as I come across the idea or it is suggested by some other member, in pseudo-random order, and the list is potentially endless.
The last number item is intentionally left blank to underline the always evolving nature of the list.
Experts already know all these little tricks or habits (and many more) and they already have their own ways to implement them or however manage properly their devices.


Good practice and common sense advice:

Corollaries:


[13] As a common example at the time of this writing (with RoS around versions 7.17-7.18), buying a new device with only 16 Mb of storage is generally considered an extremely sophisticated path to self-injury. The new versions of RoS are simply too large to fit in that tiny space of storage, and upgrading these devices often, if not always, involves a netinstall from scratch (and if you haven't tried netinstall you cannot imagine how painful and frustrating the process can be). This does not mean that 16 Mb devices are to be thrown in the dustbin: if you have one of them, or if you happen to find used ones on the cheap, they can still be very valid devices in the appropriate cases, possibly running long term 6.49.x. But buying new ones? Don't.


[14] Known settings that may cause this are:
a. auto timezone detect enabled [ System --> Clock --- Tab: Time ]
b. update time enabled [ IP Cloud --> Tab: Cloud ]


[15] Otherwise, in a few days' or weeks' time, when you need to review the configuration, you won't be able to distinguish what is really "defconf" and comes standard from Mikrotik from what you changed.
This is general good practice, in the specific case of (usually more complex) added or modified entries in:
a. /ip firewall mangle
b. /ip firewall filter
c. /ip routing rules
d. /ip routes
it is VITAL that the comment is meaningful, otherwise you risk spending hours "reverse engineering" the clever setting you made earlier to try and understand what it does.


[16] This is not limited to RoS: in any scripting language, variables should have names different from any reserved one in the environment.


[17] Knowing its features/peculiarities, binary backup can be very useful, still it is something that you should not use if not for recovery of the SAME device or of an IDENTICAL one, and identical means: same model and revision, as models are sometimes silently "upgraded" with no public announcement, so in one delivery different revisions could be found, or during RMA the newer revision could be received. There is no way to know in advance if the replication on a same model but different revision will succeed or fail. This said, in SOME LIMITED cases it is actually possible to restore a binary backup on a different model, but it is strongly discouraged, and if you attempt it, be prepared to netinstall to recover the bricked device.


[18] Even if you cannot fully manage/understand the contents of the export, it is something you can post on the board to ask for help with.
It is suggested to use the terse parameter for export (for future restore/recovery), as each exported setting is complete and not split into many lines, so commands are ready to be used in the CLI without worrying that they might be pasted in the wrong menu context.
/export terse <- terse - the export command will output only configuration parameters, without defaults or extended version
/export terse verbose <- verbose - the export command will output whole configuration parameters and items including defaults.
To save sensitive data add show-sensitive for v7 (v6 always exports sensitive data).
For posting on the forum it is instead advised NOT to use terse, as this way the output is more readable (grouped in sections); a simple /export file=anynameyouwish will do, more detailed instructions here:

I posted here a couple spreadsheets that may come handy to compare and convert exported configurations:

And the Configuration Parser spreadsheet here (work in progress):

may be useful to quickly check settings grouped by section.


[19] In case of any doubt, again ask for clarifications before buying new devices and also before connecting existing ones to PoE supplies/sources. While most modern devices (both Mikrotik and non-Mikrotik) have protections against overvoltage, reverse polarity and power on the "other" set of pairs (Mode A vs. Mode B), older or cheaper devices may lack them, and letting the magic smoke out is a concrete possibility.


[20] Be anyway aware that using Safe Mode, while often being capable of reverting wrong settings, is not the perfect solution that protects you from everything; it should be understood as an additional safety, not as a "feel free to do whatever crosses your mind as you have the get out of jail free card".


[21] These placeholders are anyway uniquely set, i.e. as an example all occurrences of (say) *A refer to the same missing/deleted/removed data, so it is generally easy, finding all occurrences of "*A", to understand what the original item was and correct the configuration. There are exceptions of course, one is

/ppp profile set *FFFFFFFE ...

here *FFFFFFFE is the way RoS addresses the default encryption profile, see:


[22] SoHo devices come from the factory with a default configuration that makes ether1 WAN and the other ports LAN, so to connect you need to use any port BUT ether1. Professional devices should be shipped with no default configuration and the Quick Guide recommends using ether1 for connection, but some devices, for one reason or the other, do not anyway allow connection from ether1, so if following the instructions doesn't work try another ethernet port.


[23] The issue is with the 5%-10% that appear to take effect but actually don't (or don't fully). In any case, sooner or later, the router will need to be rebooted, and you want to make sure that it will work as expected just after a reboot. Since it takes only a handful of seconds, when you change something and it doesn't work as expected it is worth trying a reboot of the device before starting to look (in vain) for whatever remained "sticky" from the previous configuration that prevents the device from working as it should.


[24] You have to understand how frustrating it can be for a willing helping member to see that only 1/3 or 1/4 of the answer has been digested and implemented.


[25] The board is not like sending a telegram at a post office, you don't pay a fee per word, even without being verbose you should transmit as much information as possible.


[26] When the replies from different people are diverging it usually means that there is more than one way to skin a cat, but the cat (who won't be happy anyway) can only be skinned once.


[27] There are reasons for this: it is extremely common that while changing something, something else is inadvertently changed, and when there are multiple changes suggested one or two are skipped accidentally. The more expert members can usually spot an issue when reviewing a whole configuration file, but they may miss some interconnected settings when separate snippets are posted.


[28] see here why:


[29] more on the matter:


[30] When in six months' or one year's time you need to review the firewall filter rules, you will appreciate this piece of advice.



[31] Nothing to add, if not the (heavily redundant by now) "DO NOT use Quickset".



[32] The files that may be corrupted are usually stored as .viw in the path %APPDATA%\MikroTik\WinBox\sessions; try moving the one(s) corresponding to the devices you have issues with to a new subfolder (or delete them) so that Winbox will initiate a new session.
Reference thread:
WinBox window closes automatically when accessing router



[33] Here it would be a nice place for a rant about the risks implied in installing beta (and also "stable") versions, but I will instead post a link to a new, nice song:
https://suno.com/s/mNnn2UygsgfTDUp6



[34] ...
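Corollary [21] above says that every occurrence of the same placeholder (say *A) points at the same deleted object, so the practical first step is to find all of them and see which menus they sit in. The following is an added Python example, not code from the original post or from Mikrotik: it scans a grouped (non-terse) export, collects every "*<hex>" id with the section and line where it appears, and keeps the *FFFFFFFE default-encryption-profile id that the post names apart from the real dangling references. The export text is a constructed sample.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of a grouped (non-terse) export in which one interface
# was deleted (every reference to it now reads "*A") and a second removed
# object shows up as "*B". The /ppp profile line uses the *FFFFFFFE id that
# the post above describes as the default encryption profile.
SAMPLE_EXPORT = """\
/interface list
add name=WAN
/ip firewall filter
add action=accept chain=forward in-interface=*A out-interface-list=WAN
add action=drop chain=input in-interface=*A
/ip firewall nat
add action=masquerade chain=srcnat out-interface=*B
/ppp profile
set *FFFFFFFE use-encryption=yes
"""

# A placeholder is an asterisk followed by a hexadecimal id, standing alone
# as a value (after "=") or as the target of "set".
PLACEHOLDER = re.compile(r"(?<![\w*])\*[0-9A-Fa-f]+\b")

# Ids that are legitimate internal references rather than missing objects.
# Only the one named on this page is listed (assumption: extend as needed).
KNOWN_INTERNAL_IDS = {"*FFFFFFFE"}


def find_placeholders(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Map each '*XX' id to the (line number, section, command) places it appears."""
    hits: Dict[str, List[Tuple[int, str, str]]] = defaultdict(list)
    section = ""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # grouped export: a section header
            section = line
            continue
        for m in PLACEHOLDER.finditer(line):
            hits[m.group().upper()].append((lineno, section, line))
    return dict(hits)


def dangling_references(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Placeholders that point at deleted objects, i.e. not known internal ids."""
    return {pid: places for pid, places in find_placeholders(text).items()
            if pid not in KNOWN_INTERNAL_IDS}


def report(text: str) -> List[str]:
    """One human-readable line per dangling id, listing where it must be fixed."""
    lines = []
    for pid, places in sorted(dangling_references(text).items()):
        where = ", ".join(f"line {n} in {sec}" for n, sec, _ in places)
        lines.append(f"{pid}: {len(places)} occurrence(s) ({where})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT)))
```

Run it against an export saved with /export file=... and every dangling id is listed once with all the menus it appears in, which is exactly the "find all occurrences" step the corollary recommends before deciding what the original object was.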


For (18) I suggest using the terse param for export, as each exported setting is complete, not split into many lines, and the command is ready to be used in the CLI without worrying that it is pasted in the wrong menu context.

/export terse
or extended version
/export terse verbose

  • terse - the export command will output only configuration parameters, without defaults.
  • verbose - the export command will output whole configuration parameters and items including defaults.

To save sensitive data add show-sensitive for v7 as v6 always exports it

Added/included in corollary #18, thanks :slight_smile: .

According to 17 I would add that

Identical means: same model and revision as models are sometimes silently “upgraded” with no public announcement so in one delivery different revisions could be found or during RMA the newer revision could be received

Added, including a note about restoring binary backup on different models.

http://forum.mikrotik.com/t/dhcp-threshold-alert/184185/6

I would propose an addition:
#24: The user usually is not able to follow or understand multiple pieces of information in a single post, so either he only considers the first one, or he considers the last one and ignores all the previous ones.

Hmmm, true.

I will need to think how to translate your "se tu sei una fava, dillo" :wink: in something a bit less blunt and direct :laughing: .

The other extreme case is: user comes with a problem, a few random users of forum respond, each with their own solution (or "solution"), which can be orthogonal to each other ... and user then tries to apply all of them at the same time. Most often this approach doesn't stand a chance ...

Added a few points.

Since the above is too d@mn short for Discourse, I was greeted by the nonsensical:

Post must be at least 20 characters Have you tried the like button?

Corrected and expanded #21 and its corollary.

Jaclaz … may I suggest editing each point as a quote, which makes reading each piece of advice easier?

13. When buying a device, take your time studying its specifications, searching the forum for threads where the same device is involved and in case of doubts ask for advice on the forum before buying it.

14. Be aware that some settings may cause the device to “phone home” or however transmit and receive packets when idle.

is IMHO better than a constant stream:
13. When buying a device, take your time studying its specifications, searching the forum for threads where the same device is involved and in case of doubts ask for advice on the forum before buying it.
14. Be aware that some settings may cause the device to “phone home” or however transmit and receive packets when idle.

Good idea, done.
I added also a new line between the points of the corollaries; as some of them already contain quotes, using quote also there didn't look good, but for the main points it works very well.

Added also links to the Configuration compare, converter and parser spreadsheets.

Add just additional empty lines for “Corollaries” too.

Done (inserted separator lines).
Only for the record in theory both “—” and “***” preceded and followed by a space should result in a separator line, but in practice only the latter actually works on this board.

Added new point #29 about the need of "plain" ASCII 7 bit passwords.

You need to correct ASCCI to ASCII there :grinning_face:

Ooops, typo, fixed. :smile:

I understand that time has passed, but “polishing” the configuration, I had some questions and came across this post in the search.
I read the ROS documentation and realized that, unfortunately, it describes /export very superficially.

Agree with @BartoszP

The terse command parameter is not just a short way to export default configuration changes.
The shortest way is /export with no parameters at all.
The terse changes the formatting of the export to a line-by-line format, where each line is a separate complete configuration command.
/export
output:
/interface list
add name=LAN
add name=WAN

/export terse
output:
/interface list add name=LAN
/interface list add name=WAN

But:

The "show-sensitive=yes" parameter is incorrect (ROS v7.2x), you just need to specify "show-sensitive":
/export show-sensitive file="filename";

Please note that the system, in case of output to file, will assign the ".rsc" extension “automatically-by-force”, regardless of the specified file name.

/export show-sensitive file="filename"
result: filename.rsc

/export show-sensitive file="filename.cfg"
result: filename.cfg.rsc
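The grouped and terse layouts shown in the post above, together with corollary [15]'s advice that entries in /ip firewall mangle, /ip firewall filter, /ip routing rules and /ip routes must carry a meaningful comment, as an added Python example that is not from the original thread or from Mikrotik. It converts a grouped export into the terse one-command-per-line form and back, unfolding the backslash-continued lines of a grouped export on the way, and lists the entries in those four menus that have no comment. The export text is a constructed sample; the section paths used for the comment check are /ip firewall mangle, /ip firewall filter, /routing rule and /ip route, which is how RouterOS names the menus the corollary lists.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a grouped (non-terse) RouterOS export. The trailing
# backslash mimics how exports fold long commands over two lines.
SAMPLE_EXPORT = """\
# (constructed sample export, not taken from a real device)
/interface list
add name=LAN
add name=WAN
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \\
    connection-state=established,related
add action=drop chain=input in-interface-list=!LAN
/ip route
add dst-address=10.0.0.0/8 gateway=192.0.2.1
/system clock
set time-zone-autodetect=no
"""

# A terse line is "<section path> <verb> <parameters>"; the verb is the first
# word that is not part of the menu path.
TERSE = re.compile(r"^(/(?:[\w-]+\s)+?)\s*(add|set|remove|enable|disable)(\s.*|$)")

# Menus in which corollary [15] wants every entry commented.
COMMENT_REQUIRED = ("/ip firewall mangle", "/ip firewall filter",
                    "/routing rule", "/ip route")


def unfold(text: str) -> List[str]:
    """Join lines folded with a trailing backslash and drop '#' header lines."""
    out: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if buf:                           # continuation of the previous line
            line = buf + line.lstrip()
            buf = ""
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        out.append(line)
    if buf:
        out.append(buf)
    return out


def parse(text: str) -> List[Tuple[str, str]]:
    """Return (section, command) pairs from either a grouped or a terse export."""
    pairs: List[Tuple[str, str]] = []
    section: Optional[str] = None
    for line in unfold(text):
        line = line.strip()
        if line.startswith("/"):
            m = TERSE.match(line)
            if m:                         # terse: the whole command on one line
                pairs.append((m.group(1).strip(), (m.group(2) + m.group(3)).strip()))
            else:                         # grouped: a section header
                section = line
        elif section is not None:
            pairs.append((section, line))
    return pairs


def to_terse(text: str) -> List[str]:
    """One complete, paste-anywhere command per line (what /export terse gives)."""
    return [f"{section} {command}" for section, command in parse(text)]


def to_grouped(text: str) -> List[str]:
    """Section header followed by its commands (the layout of plain /export)."""
    groups: Dict[str, List[str]] = {}
    for section, command in parse(text):
        groups.setdefault(section, []).append(command)
    lines: List[str] = []
    for section, commands in groups.items():
        lines.append(section)
        lines.extend(commands)
    return lines


def uncommented_rules(text: str) -> List[Tuple[str, str]]:
    """Entries added in the menus of corollary [15] that carry no comment."""
    return [(section, command) for section, command in parse(text)
            if section in COMMENT_REQUIRED
            and command.startswith("add") and "comment=" not in command]


if __name__ == "__main__":
    print("\n".join(to_terse(SAMPLE_EXPORT)))
    for section, command in uncommented_rules(SAMPLE_EXPORT):
        print(f"no comment: {section} {command}")
```

Feeding the terse output back through to_grouped yields the original section layout, so the two forms carry the same information: terse is the safer one to paste into a terminal, grouped the easier one to read when posting on the board, which is the distinction the post above draws.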

Corrected, thanks. :slightly_smiling_face: