Mikrotik
MikroTik RouterOS — interfaces, firewall, NAT, DHCP leases, wireless, routes
weave mikrotik
Env: MIKROTIK_HOSTNAME
Setup
Configure credentials via environment variables. We recommend sourcing them through 1Password or your secrets manager rather than committing them to the shell rc.
Official API reference
weave commands for this module are checked against the vendor's published API.
| Variable | Description | Status |
|---|---|---|
| MIKROTIK_HOSTNAME | Required for authentication. | required |
| MIKROTIK_USERNAME | Required for authentication. | required |
| MIKROTIK_PASSWORD | Required for authentication. | required |
| MIKROTIK_PORT | API port (default: 8728 plain / 8729 TLS). | optional |
| MIKROTIK_USE_SSL | Set to 1 to use RouterOS API-SSL. | optional |
| MIKROTIK_PLAINTEXT_LOGIN | Set to 1 for older RouterOS that rejects secure login. | optional |
Sanity-check the wiring:
weave secrets check
weave mikrotik --help
weave doctor # reports MIKROTIK_HOSTNAME status
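A preflight check for the variables in the table above, as an added example (not part of weave or its documentation). The function name `mikrotik_env_check` and its return codes are assumptions; it treats a session without `MIKROTIK_USE_SSL=1` as unencrypted, since 8728 is the plain API port.

```shell
# Added example, not weave's own code. mikrotik_env_check is a hypothetical helper.
# Returns: 0 = ready, 1 = a required variable is blank,
#          2 = transport settings need review before credentials are sent.
# It prints variable names and findings only, never the password value.
mikrotik_env_check() {
    _rc=0
    for _v in MIKROTIK_HOSTNAME MIKROTIK_USERNAME MIKROTIK_PASSWORD; do
        eval "_val=\${$_v:-}"          # read the variable named in $_v
        if [ -z "$_val" ]; then
            echo "MISSING  $_v"
            _rc=1
        fi
    done
    _val=""                             # do not keep the password in a temp var
    [ "$_rc" -eq 0 ] || return 1

    if [ "${MIKROTIK_USE_SSL:-0}" != "1" ]; then
        # Plain API (default port 8728): the session is not encrypted.
        echo "WARN     MIKROTIK_USE_SSL is not 1: API session is unencrypted"
        _rc=2
        if [ "${MIKROTIK_PLAINTEXT_LOGIN:-0}" = "1" ]; then
            # Assumption: plaintext login sends the password without hashing.
            echo "WARN     MIKROTIK_PLAINTEXT_LOGIN=1 without API-SSL"
        fi
    elif [ "${MIKROTIK_PORT:-8729}" = "8728" ]; then
        # TLS requested, but the port is the plain-API default.
        echo "WARN     MIKROTIK_USE_SSL=1 but MIKROTIK_PORT=8728 (plain default)"
        _rc=2
    fi

    if [ "$_rc" -eq 0 ]; then
        echo "OK       required variables set, API-SSL on"
    fi
    return "$_rc"
}

# Usage: mikrotik_env_check || echo "review settings before running weave mikrotik"
```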
Capabilities
What this module can do, by entity and verb. ✓ means a working CLI surface; · means not (yet) wired.
| Entity | find | list | show | do | snapshot | diff | apply |
|---|---|---|---|---|---|---|---|
| dhcp-lease | ✓ | ✓ | · | · | · | · | · |
| firewall-filter | · | · | · | · | ✓ | ✓ | ✓ |
| firewall-rule | · | ✓ | · | ✓ | · | · | · |
| interface | ✓ | ✓ | · | · | · | · | · |
| ip-address | · | ✓ | · | · | · | · | · |
| nat-rule | · | ✓ | · | · | · | · | · |
| route | · | ✓ | · | · | · | · | · |
| wireless-client | · | ✓ | · | · | · | · | · |
Commands
Every registered CLI command, grouped by verb. Each example uses placeholder arguments — substitute real values for your environment.
find (2)
find interface
read: Find a network interface by name.
weave mikrotik find interface <name>
find lease
read: Find a DHCP lease by MAC.
weave mikrotik find lease <mac>
list (7)
list addresses
read: List /ip/address entries.
weave mikrotik list addresses <arg>
list firewall
read: List /ip/firewall/filter rules.
weave mikrotik list firewall <arg>
list interfaces
read: List network interfaces.
weave mikrotik list interfaces <arg>
list leases
read: List active DHCP leases.
weave mikrotik list leases <arg>
list nat
read: List /ip/firewall/nat rules.
weave mikrotik list nat <arg>
list routes
read: List /ip/route entries.
weave mikrotik list routes <arg>
list wireless
read: List wireless registration table.
weave mikrotik list wireless <arg>
do (2)
do disable-rule
write: Disable a firewall filter rule by id.
weave mikrotik do disable-rule <rule-id>
do enable-rule
write: Enable a firewall filter rule by id.
weave mikrotik do enable-rule <rule-id>
snapshot → edit YAML → diff → apply --yes (or confirm interactively; apply --dry-run previews the same diff).
State kinds
Resources this module can snapshot and diff; apply where the kind supports live writes (see Round-trip per kind). Always run diff before apply; use --yes in automation after review. Files live under .weave-state/mikrotik/.
This module is on the thinner integration path — use snapshot / diff for audit; confirm apply per kind below before relying on writes.
firewall-filter
All /ip/firewall/filter rules on the router.
State file skeleton
module: mikrotik
kind: firewall-filter
items:
  - # <fields specific to this kind — see snapshot output>
Workflows
End-to-end recipes from operators who already run this module in production. Copy, adapt, and put under change-control.
Firewall change with review
weave mikrotik snapshot firewall-filter
$EDITOR .weave-state/mikrotik/firewall-filter.yaml
weave mikrotik diff firewall-filter
weave mikrotik apply firewall-filter --yes
Find a DHCP lease by MAC
weave mikrotik find lease aa:bb:cc:dd:ee:ff
weave mikrotik list leases
Emergency disable a filter rule
weave mikrotik list firewall
weave mikrotik do disable-rule <rule-id> --yes
Wireless client hunt
weave mikrotik list wireless
weave mikrotik find lease aa:bb:cc:dd:ee:ff
weave mikrotik list interfaces
Terraform parity
For each Terraform resource in the canonical provider, here's the equivalent live-API verb in weave. Use this as a migration cheat-sheet, not a 1:1 contract — weave deliberately stays in the live-state lane, not the desired-state lane.
| Terraform resource | weave equivalent |
|---|---|
| routeros_ip_firewall_filter | weave mikrotik snapshot/diff/apply firewall-filter + list firewall + do disable-rule/enable-rule |
| routeros_ip_firewall_nat | weave mikrotik list nat |
| routeros_interface | weave mikrotik find interface / list interfaces |
| routeros_ip_dhcp_server_lease | weave mikrotik find lease / list leases |
| routeros_ip_route | weave mikrotik list routes |
Troubleshooting & source
Run weave doctor — it reports which env vars (including MIKROTIK_HOSTNAME) are set and which are blank.
Re-run weave mikrotik diff <kind> to confirm the controller's current state, then re-snapshot before the next apply. The driver always re-snapshots before diffing.
The module lives at https://github.com/andy-broyles/weavewhatever/tree/main/src/weave/modules/mikrotik. File a bug or feature request at https://github.com/andy-broyles/weavewhatever/issues.