Why you should use Winbox

jaclaz · June 25, 2025, 10:24am

Preamble and disclaimer:
The following is a set of considerations that are intended as advice useful to avoid the most common issues when accessing or configuring a Mikrotik device running RouterOS.
It is my personal take on the matter, and in no way approved, endorsed or recommended, officially or unofficially, by Mikrotik or their partners or by anyone else.
In other words you are perfectly free to ignore them.

Why you should use Winbox

There are mainly 3 ways to access a Mikrotik router, here are all 4 of them:
1) telnet/SSH (CLI only)
2) WebFig (GUI)
3) Winbox (GUI) v.3.x
4) Winbox (GUI) v.4.x

The Mikrotik RouterOS is derived from (or based on) Linux, so it is born essentially CLI (Command Line Interface) only.
Both the Webfig and Winbox are graphical wrappers around the underlying command line and both offer an access to it through "terminal".
When something is changed in the RouterOS new releases it is generally speaking added first to CLI (and terminal), later to Winbox and last to Webfig.

In detail:

2) WebFig
This is an interface directly accessible by any browser when connecting to the device IP address via http, it is very similar to what all SoHo devices from any manufacturer usually offer.
Since it is web browser based, it implies that for it to work you need:
a. a correct IP address assigned to the device
b. a correct IP address assigned to the computer you are using to connect to the device
c. no particular firewall rules preventing access to the device

In normal operation it works just fine, but it has the above prerequisites that - particularly #a and #c above - may be missing in case of mis-configuration (it works at L3 level).

You can normally make in it any change/setting, BUT it is a single window interface, so it is not particularly flexible/doesn't allow to see at the same time the settings in various sections of the configuration.

3) Winbox v.3.x
This is a (Windows only) executable (that normally works just fine also under WINE).
It's interface is multi-window, so - given that the computer you are using has a large enough screen/resolution - you can open in it different windows pointed to different areas of the configuration, allowing you to observe in most cases the effects of the changes you are doing (in terminal or in another section of the configuration).
It allows 2 modes of connection:
a. same as WebFig, via IP (L3)
b. direct, via MAC (L2)
While the former has the same limitations about the need of correct IP addresses, the latter has not them, so it can usually allow access to the Mikrotik device in many cases of mis-configuration of IP's and more generally when there are problems at L3 level.
But there are anyway some limitations, namely the (proprietary) protocol leverages on a service (that must be running on the device) and that may be limited to a given (or given set) of interfaces.
Connecting with Winbox via MAC is often the only easy way to re-access a device that has been mis-configured at L3 level.^[1]

Here Rule #7 applies:
The twelve Rules of Mikrotik Club

Unless really-really needed^[2], right now you will be better served by Winbox v. 3.x, at least until v.4.x will exit the current "unfinished" or "work in progress" status^{[3] [4]}.

In a nutshell, when dealing with a Mikrotik device running RouterOS:

if you really know what you are doing, and ONLY if you really do, use CLI.
otherwise use Winbox v.3.x, in any case in the terminal you can issue all the command lines while having easier access/login to the device.
if you really need to, use Winbox v.4.x
there is no valid reason to prefer WebFig to any of the above, but if you like it and you can do with it what you need to do, it is fine.

Which can further be simplified into:

^[1] It is not immediate/evident that WInbox can connect in two ways:
If you click on the IP of a device that is listed in the lower part of the opening window:

the "Connect To:" field will be filled with the IP, but if you click on the MAC of the same device, the field will be filled with the MAC.

When you press the Connect button the connection will be (hopefully) established with the chosen device using the one or the other method.

In the example screenshot on the help page you can see that a few devices show an IP address of 0.0.0.0, this means that the connection is to a port that has no IP assigned.

Still, you can connect via MAC to those devices, in theory you could keep your Mikrotik devices without IP assigned and still be able to connect via MAC.

Even if possible, it is generally speaking not a very good idea, as while fiddling you could accidentally disable the MAC-server on the router or mis-configure the allowed interface-list and thus lock you out of MAC access.

A common enough issue when fiddling with IP addresses is that you change the IP (and/or netmask) of the port of the router but the IP (and/or netmask) of the computer you are using is not changed accordingly, connection via MAC bypasses this problem.

^[2] A simple, exemplificative and not exhaustive list of people that may actually need v.4.x:

Linux users that do not have already WINE installed for one reason or the other (all 37 of them)
Mac users that do not have WINE installed
People affected by particular eye conditions that require dark mode
Hipsters (Winbox 4.x UI is waay cooler than 3.x, which vaguely reminds of Win95 interface)

^[3] The related topic is this one, judge for yourself if it can be considered "mature":

^[4] ... or trust rextended's opinion on the matter:

erlinden · June 25, 2025, 10:31am

What I’m missing are the options API and App(s) MikroTik and MikroTik Home.

But still…thanks for the overview and your opinion.
What is the purpose of this topic?

jaclaz · June 25, 2025, 12:54pm

It is something that is simply missing from the twelve rules and good practice topics, and deserves its own separate thread.
The purpose is explaining in a simple way to newcomers which options they have for connecting to a Mikrotik device for configuration.

Well, you won't find them here.

Personally I have no idea on how those can (or should be) used.

If you believe they can be of any use to a new user, I could mention them, possibly linking to a separate dedicated topic.

infabo · June 25, 2025, 1:32pm

This topic inspires me to write a topic with title “Why you should use CLI”

Amm0 · June 25, 2025, 4:04pm

Or you can use both. It’s nice to have the “real-time list” in a window, when doing things on CLI. Now if I could just “tile” windows, I’d be happier than always arranging windows.

@jaclaz, normally we agree… but…I’m not sure of the post messaging here. Seems more a diatribe against WinBox4 than useful info.

The real value in WinBox is its layer2 abilities – connection using MAC address – and also it’s the only way to connect to RoMON. MikroTik does not tout these ability enough, which is one the key value of RouterOS.

And, while plenty of UI quibbles about WinBox4, I would not classified as buggy/unstable – it just does not do UI things old WinBox did.

Now if you have Windows, WinBox3 would be a good recommendation I’d imagine still IMO… But if you have Mac/Linux, the hassle of wine is not worth the few UI nicety missing in WinBox4. I still use wine for Dude, but I haven’t not launched WinBox3 is weeks.

Also, there are a few advantage of WebFig. First, it has best support for “skins” (which should work in WinBox but that part was added later and still WIP in WinBox4 AFAIK). Skin let you create a more “friendly” interface to remove stuff like BGP on a home router.

And WebFig supports viewing Dude network maps, while WinBox cannot. Plus, for a web app, WebFig extreme responsive of showing real-time stats every few seconds – most devices web UI you have to refresh or update is much slower. Finally, since you have SSL (now made easier with LE auto-renewing certs in 7.20) which is actually more secure than WinBox protocol.

infabo · June 25, 2025, 4:24pm

I do use both. CLI for the actual configuration or “following” log. And for “real time dashboard” I have my workspace in Winbox - logged-in as user with read-only permissions (because I am frightened to death to unintentionally save/modify something in Winbox and mess up my config). And I would be super happy, when Winbox could just tile the windows inside the workspace (than manually sizing windows which is really annoying).

jaclaz · June 25, 2025, 4:37pm

Sure, and I am now highlighting it.

Yep, very useful to a new user that is learning how to deal with the RouterOS configuration.

I am afraid you have largely misunderstood the scope of this thread, it is not intended as a learned dissertation among expert members on all the possibilities offered by the various ways to access RouterOS, the forum has heaps of them, here or there.

This is only (and is aptly titled like that) a simple piece of advice to newcomers, it needs to be synthetic and straight to the point.

And the point is:
Use Winbox (preferably version 3.x).

anav · June 25, 2025, 8:13pm

Winbox4 by far. One can use the CLI interface available on the command line interface GUI selection. Best of both worlds!! Just to note that webconfig is useful to view some graphs NOT available in winbox3/4.

jaclaz · August 19, 2025, 5:10pm

Added a reference to rextended's own take on the matter (18th August 2025).

hukka · August 20, 2025, 4:37pm

Is WinBox available for computers based on Arm processors too?

BartoszP · August 20, 2025, 5:12pm

What kind of ARM computers?
It's available for MacOS https://mikrotik.com/download which is ARM based.

hukka · August 20, 2025, 5:40pm

My main and secondary computers are both Radxa Rock 5B single board computers, based on the Rockchip RK3588 SoC. ...running openSUSE Tumbleweed aarch64.

optio · August 20, 2025, 6:04pm

There is no Winbox 4 Linux build for ARM architecture (nor 32 or 64 bit). You may try run it with Box64 or Windows build with Wine.
See also Winbox on arm64

hukka · August 20, 2025, 6:37pm

OK. I was just curious. ...and I'll keep using webfig. Thanks for replying.

Josephny · August 21, 2025, 5:33am

I endorse it!

Unfortuntely, as we used to say in NYC, that and a token will get you a subway ride (now you need a metrocard or iphone or an ability to jump).

anav · October 3, 2025, 2:19pm

I stick with proven secure protocols, webconfig probably relies on http or https which is at issue with latest CVE............ Dont know why they dont port the graph ability over to winbox????

holvoetn · October 3, 2025, 2:31pm

Which graphs ?
(sounds too much like witchcraft, I know ...)

anav · October 4, 2025, 10:07pm

Log in using www or webconfig whatever its dang name is and have a look around.......